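/**
 * Filter HTML down to the tags/attributes the current user is allowed to use.
 *
 * [code]...[/code] blocks are entity-encoded (COM_handleCode) and wrapped in
 * <pre><code>; [raw]...[/raw] blocks are encoded the same way and end up
 * wrapped in <!--raw--><span class="raw">...</span><!--/raw-->. Everything
 * else is run through the kses4 allow-list built from $_CONF['user_html']
 * (plus 'admin_html' / 'advanced_html' for users holding $permissions) --
 * unless the user holds 'htmlfilter.skip', or is Root while
 * $_CONF['skip_html_filter_for_root'] is 1, in which case NO tag filtering
 * happens at all.
 *
 * This is a tag allow-list only: the result is still raw HTML and must not be
 * placed into a JavaScript, URL or attribute context without escaping for
 * that context.
 *
 * @param  string $str         HTML to check
 * @param  string $permissions comma-separated list of rights which identify
 *                             the current user as an "Admin"
 * @return string              Filtered HTML
 */
function COM_checkHTML($str, $permissions = 'story.edit')
{
    global $_CONF, $_USER;

    // Replace any \ with its HTML entity (&#92;) so later stages cannot
    // interpret it as an escape character.
    $str = str_replace('\\', '&#92;', COM_stripslashes($str));

    // Get rid of any newline characters. The HTML-comment regex further down
    // relies on this (it has no 's' modifier).
    $str = preg_replace("/\n/", '', $str);

    // Replace any $ with its HTML entity (&#36;).
    $str = str_replace('$', '&#36;', $str);

    // [code] ... [/code] becomes <pre><code>encoded</code></pre>.
    // [raw] ... [/raw] is wrapped in [raw2] ... [/raw2] for now and converted
    // to <!--raw--> markers at the very end, because HTML comments are
    // stripped before kses runs. Using [raw2] (not [raw]) also keeps the loop
    // from matching its own output.
    $bbcode_blocks = array(
        array('[code]', '[/code]', '<pre><code>', '</code></pre>'),
        array('[raw]',  '[/raw]',  '[raw2]',      '[/raw2]'),
    );
    foreach ($bbcode_blocks as $block) {
        list($open_tag, $close_tag, $prefix, $suffix) = $block;
        // the tags are ASCII, so byte length equals character length
        $open_len  = strlen($open_tag);
        $close_len = strlen($close_tag);

        while (true) {
            $lower     = MBYTE_strtolower($str);
            $start_pos = MBYTE_strpos($lower, $open_tag);
            if ($start_pos === false) {
                break;
            }
            $body_pos = $start_pos + $open_len;

            // Look for the closing tag only AFTER the opening tag. Searching
            // from the start of the string (as this code used to) picks up a
            // close tag that precedes the open tag, which yields a negative
            // substring length and re-inserts an empty block on every
            // iteration -- an unbounded loop (and memory growth) triggered by
            // user input such as "[/code] x [code] y".
            $rel_end = MBYTE_strpos(MBYTE_substr($lower, $body_pos), $close_tag);
            if ($rel_end === false) {
                // No closing tag: treat the rest of the text as the block so
                // that no special characters are lost. Callers should still
                // check for an unbalanced tag before calling this function.
                $encoded = COM_handleCode(MBYTE_substr($str, $body_pos));
                $str = MBYTE_substr($str, 0, $start_pos) . $prefix . $encoded . $suffix;
            } else {
                $end_pos = $body_pos + $rel_end;
                $encoded = COM_handleCode(MBYTE_substr($str, $body_pos, $end_pos - $body_pos));
                $str = MBYTE_substr($str, 0, $start_pos) . $prefix . $encoded . $suffix
                     . MBYTE_substr($str, $end_pos + $close_len);
            }
        }
    }

    // Users with 'htmlfilter.skip' (or Root, when configured) bypass the
    // allow-list entirely -- their HTML is returned as submitted.
    $skip_filter = SEC_hasRights('htmlfilter.skip')
        || (isset($_CONF['skip_html_filter_for_root'])
            && $_CONF['skip_html_filter_for_root'] == 1
            && SEC_inGroup('Root'));

    if (!$skip_filter) {
        // strip_tags() / kses get confused by HTML comments ...
        $str = preg_replace('/<!--.+?-->/', '', $str);

        $filter = new kses4();
        if (isset($_CONF['allowed_protocols']) && is_array($_CONF['allowed_protocols'])
                && count($_CONF['allowed_protocols']) > 0) {
            $filter->SetProtocols($_CONF['allowed_protocols']);
        } else {
            $filter->SetProtocols(array('http:', 'https:', 'ftp:'));
        }

        // Build the allow-list: everyone gets user_html; users holding
        // $permissions additionally get admin_html (and advanced_html when the
        // advanced editor is enabled for both the site and the user).
        if (empty($permissions) || !SEC_hasRights($permissions) || empty($_CONF['admin_html'])) {
            $html = $_CONF['user_html'];
        } elseif (!empty($_CONF['advanced_editor']) && !empty($_USER['advanced_editor'])) {
            // $_USER['advanced_editor'] is not set for anonymous users and
            // 'advanced_html' may be absent from the config; guard both rather
            // than hand array_merge_recursive() a null.
            $advanced = isset($_CONF['advanced_html']) ? $_CONF['advanced_html'] : array();
            $html = array_merge_recursive($_CONF['user_html'], $_CONF['admin_html'], $advanced);
        } else {
            $html = array_merge_recursive($_CONF['user_html'], $_CONF['admin_html']);
        }
        foreach ($html as $tag => $attr) {
            $filter->AddHTML($tag, $attr);
        }

        $str = $filter->Parse($str);
    }

    // Turn the [raw2] placeholders into the real <!--raw--> markers. Done
    // "late" because HTML comments are stripped above, and on BOTH paths:
    // returning early for htmlfilter.skip users used to leave the literal
    // [raw2] markers in their output.
    // NOTE(review): a user can also type "[raw2]" directly. The enclosed
    // content is still kses-filtered here, but whatever consumes the
    // <!--raw--> markers downstream should not treat such a section as trusted.
    $str = str_replace('[raw2]', '<!--raw--><span class="raw">', $str);
    $str = str_replace('[/raw2]', '</span><!--/raw-->', $str);

    return $str;
}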
public function testHandleCode()
{
    // Line 2890
    // NOTE(review): as listed here the expected value is byte-identical to
    // the input ('\b' in a single-quoted PHP string is a literal backslash),
    // so this assertion only passes if COM_handleCode() is an identity --
    // which contradicts its use in COM_checkHTML() "so as not to lose any
    // special characters". The expected string looks like it lost its HTML
    // entities in transit; confirm against the original test file.
    $input    = '&a\\b<c>d[e]';
    $expected = '&a\b<c>d[e]';
    self::assertEquals($expected, COM_handleCode($input));
}