예제 #1
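/**
 * This function checks html tags.
 *
 * Checks to see that the HTML tags are on the approved list and
 * removes them if not.
 *
 * Before filtering, backslashes and dollar signs are replaced by their
 * HTML numeric entities, newlines are dropped, and [code] ... [/code] and
 * [raw] ... [/raw] blocks are entity-encoded via COM_handleCode(). The
 * filtering itself is done by kses4 with the tag set from $_CONF['user_html']
 * (plus $_CONF['admin_html'] / $_CONF['advanced_html'] for users holding
 * $permissions). Users with the 'htmlfilter.skip' right -- and Root members
 * when $_CONF['skip_html_filter_for_root'] is set -- bypass the filter.
 *
 * @param    string  $str            HTML to check
 * @param    string  $permissions    comma-separated list of rights which identify the current user as an "Admin"
 * @return   string                  Filtered HTML
 *
 */
function COM_checkHTML($str, $permissions = 'story.edit')
{
    global $_CONF, $_USER;

    // replace any \ with &#92; (HTML equiv)
    $str = str_replace('\\', '&#92;', COM_stripslashes($str));
    // Get rid of any newline characters
    $str = str_replace("\n", '', $str);
    // Replace any $ with &#36; (HTML equiv)
    $str = str_replace('$', '&#36;', $str);

    // Encode every $open ... $close block with COM_handleCode() and replace
    // it (tags included) by $prefix . encoded . $suffix. Tags are matched
    // case-insensitively; a missing $close encodes the rest of the text.
    // NOTE: offsets found in the lower-cased copy are applied to the original
    // text, which assumes lower-casing does not change the character count.
    $encodeBlocks = function ($text, $open, $close, $prefix, $suffix) {
        // The tags are plain ASCII, so byte length equals character length.
        $openLen = strlen($open);
        $closeLen = strlen($close);

        while (true) {
            $startPos = MBYTE_strpos(MBYTE_strtolower($text), $open);
            if ($startPos === false) {
                return $text;
            }

            $rest = MBYTE_substr($text, $startPos + $openLen);

            // Look for the closing tag only *after* the opening tag. A search
            // over the whole text would also match a stray closing tag that
            // precedes the opening one; the resulting negative length leaves
            // both tags in place and the loop would never make progress.
            $endOffset = MBYTE_strpos(MBYTE_strtolower($rest), $close);
            if ($endOffset === false) {
                // Treat the rest of the text as a block (so as not to lose any
                // special characters). However, the calling entity should
                // better be checking for a missing closing tag before calling
                // this function ...
                $encoded = COM_handleCode($rest);

                return MBYTE_substr($text, 0, $startPos) . $prefix . $encoded . $suffix;
            }

            $encoded = COM_handleCode(MBYTE_substr($rest, 0, $endOffset));
            $text = MBYTE_substr($text, 0, $startPos) . $prefix . $encoded . $suffix
                  . MBYTE_substr($rest, $endOffset + $closeLen);
        }
    };

    // handle [code] ... [/code]
    $str = $encodeBlocks($str, '[code]', '[/code]', '<pre><code>', '</code></pre>');

    // handle [raw] ... [/raw]
    // [raw2] markers avoid an infinite loop (the re-inserted text must not
    // match '[raw]' again). Not HTML comments, as those are stripped below.
    $str = $encodeBlocks($str, '[raw]', '[/raw]', '[raw2]', '[/raw2]');

    // Users with the htmlfilter.skip right -- and, when configured, members
    // of the Root group -- get their HTML back unfiltered. Note that the
    // [raw2] markers inserted above are left as-is on this path.
    $skipFilter = SEC_hasRights('htmlfilter.skip')
        || (isset($_CONF['skip_html_filter_for_root'])
            && $_CONF['skip_html_filter_for_root'] == 1
            && SEC_inGroup('Root'));
    if ($skipFilter) {
        return $str;
    }

    // strip_tags() gets confused by HTML comments ...
    $str = preg_replace('/<!--.+?-->/', '', $str);

    $filter = new kses4();
    if (isset($_CONF['allowed_protocols']) && is_array($_CONF['allowed_protocols']) && count($_CONF['allowed_protocols']) > 0) {
        $filter->SetProtocols($_CONF['allowed_protocols']);
    } else {
        // Conservative default when the site has not configured a list.
        $filter->SetProtocols(array('http:', 'https:', 'ftp:'));
    }

    // Users without the "Admin" rights (or when no admin tag set is
    // configured) only get the user_html tag set; admins additionally get
    // admin_html and, when the advanced editor is enabled for both the site
    // and the user, advanced_html.
    $isAdmin = !empty($permissions) && SEC_hasRights($permissions) && !empty($_CONF['admin_html']);
    if (!$isAdmin) {
        $html = $_CONF['user_html'];
    } elseif (!empty($_CONF['advanced_editor']) && !empty($_USER['advanced_editor'])) {
        $html = array_merge_recursive($_CONF['user_html'], $_CONF['admin_html'], $_CONF['advanced_html']);
    } else {
        $html = array_merge_recursive($_CONF['user_html'], $_CONF['admin_html']);
    }
    foreach ($html as $tag => $attr) {
        $filter->AddHTML($tag, $attr);
    }

    $str = $filter->Parse($str);

    /* Replace [raw2][/raw2] with <!--raw--><!--/raw-->, done "late" because
     * the HTML comment stripping above would otherwise remove the markers.
     */
    $str = str_replace('[raw2]', '<!--raw--><span class="raw">', $str);
    $str = str_replace('[/raw2]', '</span><!--/raw-->', $str);

    return $str;
}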
예제 #2
 /**
  * COM_handleCode() must entity-encode the characters that carry meaning
  * inside a [code] block: &, \, <, >, [ and ].
  */
 public function testHandleCode()
 {
     // Line 2890
     $input    = '&a\\b<c>d[e]';
     $expected = '&amp;a&#92;b&lt;c&gt;d&#91;e&#93;';

     self::assertEquals($expected, COM_handleCode($input));
 }