public function outputFilter(GenericEvent $event) { if (System::getVar('outputfilter') > 1) { return; } // recursive call for arrays // [removed as it's duplicated in datautil] // prepare htmlpurifier class static $safecache; $purifier = SecurityCenterUtil::getpurifier(); $md5 = md5($event->data); // check if the value is in the safecache if (isset($safecache[$md5])) { $event->data = $safecache[$md5]; } else { // save renderer delimiters $event->data = str_replace('{', '%VIEW_LEFT_DELIMITER%', $event->data); $event->data = str_replace('{', '%VIEW_RIGHT_DELIMITER%', $event->data); $event->data = $purifier->purify($event->data); // restore renderer delimiters $event->data = str_replace('%VIEW_LEFT_DELIMITER%', '{', $event->data); $event->data = str_replace('%VIEW_RIGHT_DELIMITER%', '}', $event->data); // cache the value $safecache[$md5] = $event->data; } return $event->data; }
/** * initialise the SecurityCenter module * This function is only ever called once during the lifetime of a particular * module instance * @return bool true on success, false otherwise */ public function install() { // create the table try { DoctrineHelper::createSchema($this->entityManager, array('SecurityCenterModule\\Entity\\Intrusion')); } catch (\Exception $e) { return false; } // Set up an initial value for a module variable. $this->setVar('itemsperpage', 10); // We use config vars for the rest of the configuration as config vars System::setVar('updatecheck', 1); System::setVar('updatefrequency', 7); System::setVar('updatelastchecked', 0); System::setVar('updateversion', Core::VERSION_NUM); System::setVar('keyexpiry', 0); System::setVar('sessionauthkeyua', false); System::setVar('secure_domain', ''); System::setVar('signcookies', 1); System::setVar('signingkey', sha1(mt_rand(0, time()))); System::setVar('seclevel', 'Medium'); System::setVar('secmeddays', 7); System::setVar('secinactivemins', 20); System::setVar('sessionstoretofile', 0); System::setVar('sessionsavepath', ''); System::setVar('gc_probability', 100); System::setVar('anonymoussessions', 1); System::setVar('sessionrandregenerate', true); System::setVar('sessionregenerate', true); System::setVar('sessionregeneratefreq', 10); System::setVar('sessionipcheck', 0); System::setVar('sessionname', '_zsid'); System::setVar('sessioncsrftokenonetime', 0); // 1 means use same token for entire session System::setVar('filtergetvars', 1); System::setVar('filterpostvars', 1); System::setVar('filtercookievars', 1); System::setVar('outputfilter', 1); // Location of HTML Purifier System::setVar('htmlpurifierlocation', __DIR__ . '/vendor/htmlpurifier/'); // HTML Purifier cache dir $purifierCacheDir = CacheUtil::getLocalDir() . '/purifierCache'; if (!file_exists($purifierCacheDir)) { CacheUtil::clearLocalDir('purifierCache'); } // HTML Purifier default settings $purifierDefaultConfig = SecurityCenterUtil::getpurifierconfig(array('forcedefault' => true)); $this->setVar('htmlpurifierConfig', serialize($purifierDefaultConfig)); // create vars for phpids usage System::setVar('useids', 0); System::setVar('idsmail', 0); System::setVar('idsrulepath', __DIR__ . '/Resources/config/phpids_zikula_default.xml'); System::setVar('idssoftblock', 1); // do not block requests, but warn for debugging System::setVar('idsfilter', 'xml'); // filter type System::setVar('idsimpactthresholdone', 1); // db logging System::setVar('idsimpactthresholdtwo', 10); // mail admin System::setVar('idsimpactthresholdthree', 25); // block request System::setVar('idsimpactthresholdfour', 75); // kick user, destroy session System::setVar('idsimpactmode', 1); // per request per default System::setVar('idshtmlfields', array('POST.__wysiwyg')); System::setVar('idsjsonfields', array('POST.__jsondata')); System::setVar('idsexceptions', array('GET.__utmz', 'GET.__utmc', 'REQUEST.linksorder', 'POST.linksorder', 'REQUEST.fullcontent', 'POST.fullcontent', 'REQUEST.summarycontent', 'POST.summarycontent', 'REQUEST.filter.page', 'POST.filter.page', 'REQUEST.filter.value', 'POST.filter.value')); // now lets set the default mail message contents // file is read from includes directory $summarycontent = implode('', __DIR__ . '/vendor/summary.txt'); System::setVar('summarycontent', $summarycontent); $fullcontent = implode('', __DIR__ . '/vendor/full.txt'); System::setVar('fullcontent', $fullcontent); // cci vars, see pndocs/ccisecuritystrings.txt System::setVar('usehtaccessbans', 0); System::setVar('extrapostprotection', 0); System::setVar('extragetprotection', 0); System::setVar('checkmultipost', 0); System::setVar('maxmultipost', 4); System::setVar('cpuloadmonitor', 0); System::setVar('cpumaxload', 10.0); System::setVar('ccisessionpath', ''); System::setVar('htaccessfilelocation', '.htaccess'); System::setVar('nocookiebanthreshold', 10); System::setVar('nocookiewarningthreshold', 2); System::setVar('fastaccessbanthreshold', 40); System::setVar('fastaccesswarnthreshold', 10); System::setVar('javababble', 0); System::setVar('javaencrypt', 0); System::setVar('preservehead', 0); System::setVar('filterarrays', 1); System::setVar('htmlentities', '1'); // default values for AllowableHTML $defhtml = array('!--' => 2, 'a' => 2, 'abbr' => 1, 'acronym' => 1, 'address' => 1, 'applet' => 0, 'area' => 0, 'article' => 1, 'aside' => 1, 'audio' => 0, 'b' => 1, 'base' => 0, 'basefont' => 0, 'bdo' => 0, 'big' => 0, 'blockquote' => 2, 'br' => 2, 'button' => 0, 'canvas' => 0, 'caption' => 1, 'center' => 2, 'cite' => 1, 'code' => 0, 'col' => 1, 'colgroup' => 1, 'command' => 0, 'datalist' => 0, 'dd' => 1, 'del' => 0, 'details' => 1, 'dfn' => 0, 'dir' => 0, 'div' => 2, 'dl' => 1, 'dt' => 1, 'em' => 2, 'embed' => 0, 'fieldset' => 1, 'figcaption' => 0, 'figure' => 0, 'footer' => 0, 'font' => 0, 'form' => 0, 'h1' => 1, 'h2' => 1, 'h3' => 1, 'h4' => 1, 'h5' => 1, 'h6' => 1, 'header' => 0, 'hgroup' => 0, 'hr' => 2, 'i' => 1, 'iframe' => 0, 'img' => 2, 'input' => 0, 'ins' => 0, 'keygen' => 0, 'kbd' => 0, 'label' => 1, 'legend' => 1, 'li' => 2, 'map' => 0, 'mark' => 0, 'menu' => 0, 'marquee' => 0, 'meter' => 0, 'nav' => 0, 'nobr' => 0, 'object' => 0, 'ol' => 2, 'optgroup' => 0, 'option' => 0, 'output' => 0, 'p' => 2, 'param' => 0, 'pre' => 2, 'progress' => 0, 'q' => 0, 'rp' => 0, 'rt' => 0, 'ruby' => 0, 's' => 0, 'samp' => 0, 'script' => 0, 'section' => 0, 'select' => 0, 'small' => 0, 'source' => 0, 'span' => 2, 'strike' => 0, 'strong' => 2, 'sub' => 1, 'summary' => 1, 'sup' => 0, 'table' => 2, 'tbody' => 1, 'td' => 2, 'textarea' => 0, 'tfoot' => 1, 'th' => 2, 'thead' => 0, 'time' => 0, 'tr' => 2, 'tt' => 2, 'u' => 0, 'ul' => 2, 'var' => 0, 'video' => 0, 'wbr' => 0); System::setVar('AllowableHTML', $defhtml); // Initialisation successful return true; }
/** * Update HTMLPurifier configuration. * * @return void */ public function updatepurifierconfigAction() { $this->checkCsrfToken(); // Security check if (!SecurityUtil::checkPermission('SecurityCenter::', '::', ACCESS_ADMIN)) { throw new \Zikula\Framework\Exception\ForbiddenException(); } // Load HTMLPurifier Classes $purifier = SecurityCenterUtil::getpurifier(); // Update module variables. $config = $this->request->request->get('purifierConfig', null); $config = \HTMLPurifier_Config::prepareArrayFromForm($config, false, true, true, $purifier->config->def); //echo "\r\n\r\n<pre>" . print_r($config, true) . "</pre>\r\n\r\n"; $allowed = \HTMLPurifier_Config::getAllowedDirectivesForForm(true, $purifier->config->def); foreach ($allowed as $allowedDirective) { list($namespace, $directive) = $allowedDirective; $directiveKey = $namespace . '.' . $directive; $def = $purifier->config->def->info[$directiveKey]; if (isset($config[$namespace]) && array_key_exists($directive, $config[$namespace]) && is_null($config[$namespace][$directive])) { unset($config[$namespace][$directive]); if (count($config[$namespace]) <= 0) { unset($config[$namespace]); } } if (isset($config[$namespace]) && isset($config[$namespace][$directive])) { if (is_int($def)) { $directiveType = abs($def); } else { $directiveType = isset($def->type) ? $def->type : 0; } switch ($directiveType) { case \HTMLPurifier_VarParser::LOOKUP: $value = explode(PHP_EOL, $config[$namespace][$directive]); $config[$namespace][$directive] = array(); foreach ($value as $val) { $val = trim($val); if (!empty($val)) { $config[$namespace][$directive][$val] = true; } } if (empty($config[$namespace][$directive])) { unset($config[$namespace][$directive]); } break; case \HTMLPurifier_VarParser::ALIST: $value = explode(PHP_EOL, $config[$namespace][$directive]); $config[$namespace][$directive] = array(); foreach ($value as $val) { $val = trim($val); if (!empty($val)) { $config[$namespace][$directive][] = $val; } } if (empty($config[$namespace][$directive])) { unset($config[$namespace][$directive]); } break; case \HTMLPurifier_VarParser::HASH: $value = explode(PHP_EOL, $config[$namespace][$directive]); $config[$namespace][$directive] = array(); foreach ($value as $val) { list($i, $v) = explode(':', $val); $i = trim($i); $v = trim($v); if (!empty($i) && !empty($v)) { $config[$namespace][$directive][$i] = $v; } } if (empty($config[$namespace][$directive])) { unset($config[$namespace][$directive]); } break; } } if (isset($config[$namespace]) && array_key_exists($directive, $config[$namespace]) && is_null($config[$namespace][$directive])) { unset($config[$namespace][$directive]); if (count($config[$namespace]) <= 0) { unset($config[$namespace]); } } } //echo "\r\n\r\n<pre>" . print_r($config, true) . "</pre>\r\n\r\n"; exit; $this->setVar('htmlpurifierConfig', serialize($config)); $purifier = SecurityCenterUtil::getpurifier(true); // clear all cache and compile directories ModUtil::apiFunc('SettingsModule', 'admin', 'clearallcompiledcaches'); // the module configuration has been updated successfuly LogUtil::registerStatus($this->__('Done! Saved HTMLPurifier configuration.')); // This function generated no output, and so now it is complete we redirect // the user to an appropriate page for them to carry on their work return $this->redirect(ModUtil::url('SecurityCenter', 'admin', 'modifyconfig')); }