/**
* Inline Images
*
* Syntax: [image.png size=50% border=n align= hspace= vspace= width= height=]
* Disallows sizes which are too small.
* Spammers may use such (typically invisible) image attributes to raise their GoogleRank.
*
* Handle embeddable objects, like svg, class, vrml, swf, svgz, pdf, avi, wmv especially.
*/
function LinkImage($url, $alt = "")
{
$force_img = "png|jpg|gif|jpeg|bmp|pl|cgi";
// Disallow tags in img src urls. Typical CSS attacks.
// FIXME: Is this needed (or sufficient?)
// FIXED: This was broken for moniker:TP30 test/image.png => url="moniker:TP30" attr="test/image.png"
$ori_url = $url;
// support new syntax: [prefix/image.jpg size=50% border=n]
if (empty($alt)) {
$alt = "";
}
// Extract URL
$arr = explode(' ', $url);
if (!empty($arr)) {
$url = $arr[0];
}
if (!IsSafeURL($url)) {
$link = HTML::span(array('class' => 'error'), _("BAD URL -- remove all of <, >, \""));
return $link;
}
// spaces in inline images must be %20 encoded!
$link = HTML::img(array('src' => $url));
// Extract attributes
$arr = parse_attributes(strstr($ori_url, " "));
foreach ($arr as $attr => $value) {
// These attributes take strings: lang, id, title, alt
if ($attr == "lang" || $attr == "id" || $attr == "title" || $attr == "alt") {
$link->setAttr($attr, $value);
} elseif ($attr == "align" && ($value == "bottom" || $value == "middle" || $value == "top" || $value == "left" || $value == "right")) {
$link->setAttr($attr, $value);
} elseif (($attr == "border" || $attr == "hspace" || $attr == "vspace") && is_numeric($value)) {
$link->setAttr($attr, (int) $value);
} elseif (($attr == "height" || $attr == "width") && preg_match('/\\d+[%p]?x?/', $value)) {
$link->setAttr($attr, $value);
} elseif ($attr == "size") {
if (preg_match('/(\\d+%)/', $value, $m)) {
$link->setAttr('width', $m[1]);
$link->setAttr('height', $m[1]);
} elseif (preg_match('/(\\d+)x(\\d+)/', $value, $m)) {
$link->setAttr('width', $m[1]);
$link->setAttr('height', $m[2]);
}
} else {
$link = HTML::span(array('class' => 'error'), sprintf(_("Invalid image attribute \"%s\" %s=%s"), $url, $attr, $value));
return $link;
}
}
// Correct silently the most common error
if ($url != $ori_url and empty($arr) and !preg_match("/^http/", $url)) {
// space belongs to the path
$file = NormalizeLocalFileName($ori_url);
if (file_exists($file)) {
$link = HTML::img(array('src' => $ori_url));
trigger_error(sprintf(_("Invalid image link fixed %s => %s. Spaces must be quoted with %%20."), $url, $ori_url), E_USER_WARNING);
} elseif (string_starts_with($ori_url, getUploadDataPath())) {
$file = substr($file, strlen(getUploadDataPath()));
$path = getUploadFilePath() . $file;
if (file_exists($path)) {
trigger_error(sprintf(_("Invalid image link fixed \"%s\" => \"%s\".\n Spaces must be quoted with %%20."), $url, $ori_url), E_USER_WARNING);
$link->setAttr('src', getUploadDataPath() . $file);
$url = $ori_url;
}
}
}
if (!$link->getAttr('alt')) {
$link->setAttr('alt', $alt);
}
// Check width and height as spam countermeasure
if ($width = $link->getAttr('width') and $height = $link->getAttr('height')) {
//$width = (int) $width; // px or % or other suffix
//$height = (int) $height;
if ($width < 3 and $height < 10 or $height < 3 and $width < 20 or $height < 7 and $width < 7) {
$link = HTML::span(array('class' => 'error'), _("Invalid image size"));
return $link;
}
} else {
$size = 0;
// Prepare for getimagesize($url)
// $url only valid for external urls, otherwise local path
if (DISABLE_GETIMAGESIZE) {
} elseif (!preg_match("/\\.{$force_img}\$/i", $url)) {
} elseif (preg_match("/^http/", $url)) {
// external url
$size = @getimagesize($url);
} else {
// local file
if (file_exists($file = NormalizeLocalFileName($url))) {
// here
$size = @getimagesize($file);
} elseif (file_exists(NormalizeLocalFileName(urldecode($url)))) {
$size = @getimagesize($file);
$link->setAttr('src', rawurldecode($url));
} elseif (string_starts_with($url, getUploadDataPath())) {
// there
$file = substr($file, strlen(getUploadDataPath()));
$path = getUploadFilePath() . rawurldecode($file);
$size = @getimagesize($path);
$link->setAttr('src', getUploadDataPath() . rawurldecode($file));
} else {
// elsewhere
global $request;
$size = @getimagesize($request->get('DOCUMENT_ROOT') . urldecode($url));
}
}
if ($size) {
$width = $size[0];
$height = $size[1];
if ($width < 3 and $height < 10 or $height < 3 and $width < 20 or $height < 7 and $width < 7) {
$link = HTML::span(array('class' => 'error'), _("Invalid image size"));
return $link;
}
}
}
$link->setAttr('class', 'inlineimage');
/* Check for inlined objects. Everything allowed in INLINE_IMAGES besides
* png|jpg|gif|jpeg|bmp|pl|cgi. If no image it is an object to embed.
* Note: Allow cgi's (pl,cgi) returning images.
*/
if (!preg_match("/\\.(" . $force_img . ")/i", $url)) {
// HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt));
// => HTML::object(array('src' => $url)) ...;
return ImgObject($link, $ori_url);
}
return $link;
}
/**
* Inline Images
*
* Syntax: [image.png size=50% border=n align= hspace= vspace= width= height=]
* Disallows sizes which are too small.
* Spammers may use such (typically invisible) image attributes to higher their GoogleRank.
*
* Handle embeddable objects, like svg, class, vrml, swf, svgz, pdf, avi, wmv especially.
*/
function LinkImage($url, $alt = false)
{
$force_img = "png|jpg|gif|jpeg|bmp|pl|cgi";
// Disallow tags in img src urls. Typical CSS attacks.
// FIXME: Is this needed (or sufficient?)
if (!IsSafeURL($url)) {
$link = HTML::strong(HTML::u(array('class' => 'baduri'), _("BAD URL -- remove all of <, >, \"")));
} else {
// support new syntax: [image.jpg size=50% border=n]
if (!preg_match("/\\.(" . $force_img . ")/i", $url)) {
$ori_url = $url;
}
$arr = split(' ', $url);
if (count($arr) > 1) {
$url = $arr[0];
}
if (empty($alt)) {
$alt = basename($url);
}
$link = HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt));
if (count($arr) > 1) {
array_shift($arr);
foreach ($arr as $attr) {
if (preg_match('/^size=(\\d+%)$/', $attr, $m)) {
$link->setAttr('width', $m[1]);
$link->setAttr('height', $m[1]);
}
if (preg_match('/^size=(\\d+)x(\\d+)$/', $attr, $m)) {
$link->setAttr('width', $m[1]);
$link->setAttr('height', $m[2]);
}
if (preg_match('/^border=(\\d+)$/', $attr, $m)) {
$link->setAttr('border', $m[1]);
}
if (preg_match('/^align=(\\w+)$/', $attr, $m)) {
$link->setAttr('align', $m[1]);
}
if (preg_match('/^hspace=(\\d+)$/', $attr, $m)) {
$link->setAttr('hspace', $m[1]);
}
if (preg_match('/^vspace=(\\d+)$/', $attr, $m)) {
$link->setAttr('vspace', $m[1]);
}
}
}
// Check width and height as spam countermeasure
if ($width = $link->getAttr('width') and $height = $link->getAttr('height')) {
//$width = (int) $width; // px or % or other suffix
//$height = (int) $height;
if ($width < 3 and $height < 10 or $height < 3 and $width < 20 or $height < 7 and $width < 7) {
trigger_error(_("Invalid image size"), E_USER_WARNING);
return '';
}
} else {
// Older php versions crash here with certain png's:
// confirmed for 4.1.2, 4.1.3, 4.2.3; 4.3.2 and 4.3.7 are ok
// http://phpwiki.sourceforge.net/demo/themes/default/images/http.png
// See http://bugs.php.net/search.php?cmd=display&search_for=getimagesize
if (!check_php_version(4, 3) and preg_match("/^http.+\\.png\$/i", $url)) {
} elseif (!DISABLE_GETIMAGESIZE and $size = @getimagesize($url)) {
$width = $size[0];
$height = $size[1];
if ($width < 3 and $height < 10 or $height < 3 and $width < 20 or $height < 7 and $width < 7) {
trigger_error(_("Invalid image size"), E_USER_WARNING);
return '';
}
}
}
}
$link->setAttr('class', 'inlineimage');
/* Check for inlined objects. Everything allowed in INLINE_IMAGES besides
* png|jpg|gif|jpeg|bmp|pl|cgi
* Note: Allow cgi's (pl,cgi) returning images.
*/
if (!preg_match("/\\.(" . $force_img . ")/i", $url)) {
//HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt));
// => HTML::object(array('src' => $url)) ...;
return ImgObject($link, $ori_url);
}
return $link;
}