/**
 * Prepare raw post/comment text for storage.
 *
 * Quotes are escaped with addslashes() and, when either of the auto-<br />
 * settings ($post_autobr / $comment_autobr) is on, newlines are converted
 * through autobrize(). Note that addslashes() only escapes quotes for the
 * legacy string-built SQL used elsewhere; it is not a substitute for a
 * parameterised query.
 *
 * @param string $content raw text as submitted
 * @return string escaped (and optionally autobr'ed) text
 */
function format_to_post($content)
{
    global $post_autobr, $comment_autobr;

    $escaped = addslashes($content);
    $autobr_enabled = ($post_autobr || $comment_autobr);

    return $autobr_enabled ? autobrize($escaped) : $escaped;
}
 /**
  * Prepare raw post/comment text for storage and run it through the
  * 'format_to_post' filter hook.
  *
  * Quotes are escaped with addslashes(); when either of the global
  * auto-<br /> settings is on, newlines are converted by autobrize().
  * addslashes() is quote escaping for the legacy string-built SQL only,
  * not a replacement for parameterised queries.
  *
  * @param string $content raw text as submitted
  * @return string escaped, optionally autobr'ed and filtered text
  */
 function format_to_post($content)
 {
     $escaped = addslashes($content);

     if (!empty($GLOBALS['post_autobr']) || !empty($GLOBALS['comment_autobr'])) {
         $escaped = autobrize($escaped);
     }

     return apply_filters('format_to_post', $escaped);
 }
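/**
 * Set up the global "current post" context used by the templates.
 *
 * Reads the post in the global $row (or, when $preview is set, a preview built
 * from the query string) and fills the globals $id, $postdata, $authordata,
 * $day, $page, $more, $multipage, $pages and $numpages. Posts containing the
 * '<!--nextpage-->' separator are split into $pages.
 *
 * In preview mode every field of $postdata comes straight from
 * $HTTP_GET_VARS['preview_*'], i.e. from the unvalidated query string, and the
 * author is looked up with the id given there. Nothing here escapes or checks
 * that data; whatever renders $postdata / $pages has to treat it as untrusted.
 *
 * Fixes compared to the previous version: $pages is reset as a whole for a
 * single-page post (it is a global and could still hold the pages of the
 * previous post), the unused $currentmonth is gone, and the dead
 * `isset($p)` check (a local that was never set in this scope) is removed.
 *
 * @return boolean always true
 */
function start_b2()
{
    global $row, $id, $postdata, $authordata, $day, $preview, $page, $pages, $multipage, $more, $numpages;
    global $preview_userid, $preview_date, $preview_content, $preview_title, $preview_category, $preview_notify, $preview_make_clickable, $preview_autobr;
    global $pagenow;
    global $HTTP_GET_VARS;

    if (!$preview) {
        $id = $row->ID;
        $postdata = get_postdata2($id);
    } else {
        // Preview: no stored post, everything is taken from the request
        $id = 0;
        $postdata = array(
            'ID' => 0,
            'Author_ID' => $HTTP_GET_VARS['preview_userid'],
            'Date' => $HTTP_GET_VARS['preview_date'],
            'Content' => $HTTP_GET_VARS['preview_content'],
            'Title' => $HTTP_GET_VARS['preview_title'],
            'Category' => $HTTP_GET_VARS['preview_category'],
            'Notify' => 1,
            'Clickable' => 1,
            'Karma' => 0,
        );
        if (!empty($HTTP_GET_VARS['preview_autobr'])) {
            $postdata['Content'] = autobrize($postdata['Content']);
        }
    }

    $authordata = get_userdata($postdata['Author_ID']);
    $day = mysql2date('d.m.y', $postdata['Date']);

    $numpages = 1;
    if (!$page) {
        $page = 1;
    }

    $content = $postdata['Content'];
    if (preg_match('/<!--nextpage-->/', $content)) {
        // Past the first page the reader always gets the full text
        if ($page > 1) {
            $more = 1;
        }
        $multipage = 1;
        $content = stripslashes($content);
        // Strip the newlines around the separator so page boundaries do not
        // produce stray empty lines; replacements are applied in this order.
        $content = str_replace(
            array("\n<!--nextpage-->\n", "\n<!--nextpage-->", "<!--nextpage-->\n"),
            '<!--nextpage-->',
            $content
        );
        $pages = explode('<!--nextpage-->', $content);
        $numpages = count($pages);
    } else {
        // Replace the whole array: $pages is global and may carry stale pages
        $pages = array(stripslashes($postdata['Content']));
        $multipage = 0;
    }

    return true;
}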
     continue;
 }
 $row = mysql_fetch_object($result);
 $user_level = $row->user_level;
 $post_author = $row->ID;
 if ($user_level > 0) {
     $post_title = xmlrpc_getposttitle($content);
     $post_category = xmlrpc_getpostcategory($content);
     if ($post_title == '') {
         $post_title = $subject;
     }
     if ($post_category == '') {
         $post_category = $default_category;
     }
     if ($autobr) {
         $content = autobrize($content);
     }
     if (!$thisisforfunonly) {
         // NOTE(review): the INSERT below is built by string interpolation.
         // addslashes() only protects the two quoted values ($post_title,
         // $content); $post_author (from the user row above) and $post_category
         // (from xmlrpc_getpostcategory($content), i.e. the message body, or
         // $default_category) are interpolated unquoted and unescaped. The SQL
         // assumes both are integers but nothing here enforces that, so they
         // should be cast/validated before reaching this point; a prepared
         // statement would remove the concern entirely.
         $post_title = addslashes(trim($post_title));
         $content = addslashes(trim($content));
         $sql = "INSERT INTO {$tableposts} (post_author, post_date, post_content, post_title, post_category) VALUES ({$post_author}, '{$post_date}', '{$content}', '{$post_title}', {$post_category})";
         // die() aborts the whole run on failure and prints the raw driver error
         $result = mysql_query($sql) or die('Couldn\'t add post: ' . mysql_error());
         $post_ID = mysql_insert_id();
         if (isset($sleep_after_edit) && $sleep_after_edit > 0) {
             sleep($sleep_after_edit);
         }
         $blog_ID = 1;
         rss_update($blog_ID);
         pingWeblogs($blog_ID);
         pingCafelog($cafelogID, $post_title, $post_ID);
         pingBlogs($blog_ID);
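/**
 * Check raw HTML input for different levels of sanity including:
 * - XHTML validation
 * - Javascript injection
 * - antispam
 *
 * Also cleans up the content on some levels:
 * - trimming
 * - balancing tags
 *
 * WARNING: this does *NOT* (necessarily) make the HTML code safe.
 * It only checks on it and produces error messages.
 * It is NOT (necessarily) safe to use the output.
 *
 * Which checks apply depends on $context:
 * - 'posting' / 'xmlrpc_posting': taken from the current User's Group
 *   permissions (perm_xhtmlvalidation[_xmlrpc], perm_xhtml_*, perm_bypass_antispam)
 * - 'commenting': taken from the global comment settings; javascript, iframes
 *   and objects are never allowed and antispam is never bypassed
 * - anything else: debug_die()
 *
 * When XHTML validation is off, a regexp based fallback looks for style/class/id
 * attributes, script tags, on* handlers, javascript:/vbscript:/about: URLs,
 * frames and objects. It is only as good as its patterns and is inferior to
 * the XHTML_Validator.
 *
 * Changes compared to the previous version: the tag patterns now accept an
 * optional '/' (the former '//?' required a slash, so an opening tag such as
 * '<script' or '<iframe' did not match), the pattern delimiter is ASCII
 * (a non-ASCII delimiter breaks PCRE delimiter detection when the file is
 * UTF-8), and the validator is created with a plain assignment ("=& new" is
 * a parse error on PHP 7+).
 *
 * @param string $content The content to format
 * @param string $context 'posting', 'xmlrpc_posting' or 'commenting'
 * @param boolean $autobr Create automated <br /> tags?
 * @param string $encoding Encoding, passed through to XHTML_Validator only;
 *                         NULL presumably lets the validator fall back to $io_charset
 * @return boolean|string false when any check failed (the reasons were added to
 *                        $Messages as errors), otherwise the cleaned up content
 */
function check_html_sanity($content, $context = 'posting', $autobr = false, $encoding = NULL)
{
    global $use_balanceTags, $admin_url;
    global $io_charset, $use_xhtmlvalidation_for_comments, $comment_allowed_tags, $comments_allow_css_tweaks;
    global $Messages;
    /**
     * @var User
     */
    global $current_User;

    // Resolve which checks apply in this context:
    switch ($context) {
        case 'posting':
        case 'xmlrpc_posting':
            $Group =& $current_User->get_Group();
            if ($context == 'posting') {
                $xhtmlvalidation = $Group->perm_xhtmlvalidation == 'always';
            } else {
                $xhtmlvalidation = $Group->perm_xhtmlvalidation_xmlrpc == 'always';
            }
            $allow_css_tweaks = $Group->perm_xhtml_css_tweaks;
            $allow_javascript = $Group->perm_xhtml_javascript;
            $allow_iframes = $Group->perm_xhtml_iframes;
            $allow_objects = $Group->perm_xhtml_objects;
            $bypass_antispam = $Group->perm_bypass_antispam;
            break;

        case 'commenting':
            $xhtmlvalidation = $use_xhtmlvalidation_for_comments;
            $allow_css_tweaks = $comments_allow_css_tweaks;
            $allow_javascript = false;
            $allow_iframes = false;
            $allow_objects = false;
            // fp> I don't know if it makes sense to bypass antispam in commenting context if the user has that kind of permissions.
            // If so, then we also need to bypass in several other places.
            $bypass_antispam = false;
            break;

        default:
            debug_die('unknown context: ' . $context);
    }

    $error = false;

    // Replace any & that is not a character or entity reference with &amp;
    $content = preg_replace('/&(?!#[0-9]+;|#x[0-9a-fA-F]+;|[a-zA-Z_:][a-zA-Z0-9._:-]*;)/', '&amp;', $content);

    // ANTISPAM check:
    if (!$bypass_antispam && ($block = antispam_check($content))) {
        if ($context == 'commenting') {
            // Commenters are not told which word triggered the block
            $errmsg = T_('Illegal content found (spam?)');
        } elseif ($context == 'xmlrpc_posting') {
            // Reported unescaped, presumably because the XML-RPC response is not rendered as HTML
            $errmsg = sprintf(T_('Illegal content found: blacklisted word "%s"'), $block);
        } else {
            $errmsg = sprintf(T_('Illegal content found: blacklisted word &laquo;%s&raquo;'), htmlspecialchars($block));
        }
        $Messages->add($errmsg, 'error');
        $error = true;
    }

    if ($autobr) {
        // Auto <br />:
        // may put brs in the middle of multiline tags...
        // TODO: this may create "<br />" tags in "<UL>" (outside of <LI>) and make the HTML invalid! -> use autoP pugin?
        $content = autobrize($content);
    }

    $content = trim($content);

    if ($use_balanceTags) {
        // Auto close open tags:
        $content = balance_tags($content);
    }

    if ($xhtmlvalidation) {
        // We want to validate XHTML:
        load_class('xhtml_validator/_xhtml_validator.class.php');
        // Plain assignment: "=& new" is a parse error since PHP 7 and is not needed here
        $XHTML_Validator = new XHTML_Validator($context, $allow_css_tweaks, $allow_iframes, $allow_javascript, $allow_objects, $encoding);
        if (!$XHTML_Validator->check($content)) {
            $error = true;
        }
    } else {
        // We do not WANT to validate XHTML, fall back to basic security checking:
        // This is only as strong as its regexps can parse xhtml. This is significantly inferior to the XHTML checker above.
        // The only advantage of this checker is that it can check for a little security without requiring VALID XHTML.
        if ($context == 'commenting') {
            // DEPRECATED but still...
            $content = strip_tags($content, $comment_allowed_tags);
        }

        // Security checking:
        $check = $content;
        // Open comments or '<![CDATA[' are dangerous: drop the '!' so that a tag
        // hidden behind '<!' is still seen by the patterns below
        $check = str_replace('<!', '<', $check);

        // Pattern notes: 'x' = whitespace inside the pattern is ignored, 'i' = caseless.
        // The tag patterns take an optional '/' after '<' so that both opening and
        // closing tags match. The first capture group is what gets reported.

        // CHECK Styling restrictions:
        if (!$allow_css_tweaks && preg_match('#\\s((style|class|id)\\s*=)#i', $check, $matches)) {
            $Messages->add(T_('Illegal CSS markup found: ') . htmlspecialchars($matches[1]), 'error');
            $error = true;
        }

        // CHECK JAVASCRIPT: script tags, on* event handlers, script URLs
        if (!$allow_javascript && (preg_match('~( < \\s* /? \\s* (script|noscript) )~xi', $check, $matches) || preg_match('#\\s((on[a-z]+)\\s*=)#i', $check, $matches) || preg_match('#=["\'\\s]*((javascript|vbscript|about):)#i', $check, $matches))) {
            $Messages->add(T_('Illegal javascript markup found: ') . htmlspecialchars($matches[1]), 'error');
            $error = true;
        }

        // CHECK IFRAMES:
        if (!$allow_iframes && preg_match('~( < \\s* /? \\s* (frame|iframe) )~xi', $check, $matches)) {
            $Messages->add(T_('Illegal frame markup found: ') . htmlspecialchars($matches[1]), 'error');
            $error = true;
        }

        // CHECK OBJECTS:
        if (!$allow_objects && preg_match('~( < \\s* /? \\s* (applet|object|param|embed) )~xi', $check, $matches)) {
            $Messages->add(T_('Illegal object markup found: ') . htmlspecialchars($matches[1]), 'error');
            $error = true;
        }
    }

    if ($error) {
        // $Group only exists in the posting contexts, so this hint never shows for comments
        if (!empty($current_User) && !empty($Group) && $current_User->check_perm('users', 'edit', false)) {
            $Messages->add(sprintf(T_('(Note: To get rid of the above validation warnings, you can deactivate unwanted validation rules in your <a %s>Group settings</a>.)'), 'href="' . $admin_url . '?ctrl=users&amp;grp_ID=' . $Group->ID . '"'), 'error');
        }
        return false;
    }

    // Return sanitized content
    return $content;
}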