/**
 * Encodes mixed params before they are sent to the database.
 *
 * Arrays and objects are walked recursively (entries whose key starts with
 * "binary_" are left untouched); scalars are HTML-decoded, purified and then
 * HTML-entity-encoded, so what reaches the database is the entity-encoded form
 * of the purified text.  A value that ends up as the empty string becomes null.
 *
 * NOTE(review): this is HTML output encoding, not SQL escaping - htmlentities()
 * does not make a value safe for direct SQL interpolation, so callers still need
 * placeholders / the DB layer's own quoting.
 *
 * @param mixed $data The unencoded object/array/string/etc (modified in place and also returned)
 * @return mixed The encoded version
 */
static function encode(&$data) {
    if (is_object($data) || is_array($data)) {
        // skip the ilp_flexible_table
        if (!is_a($data, 'ilp_flexible_table')) {
            foreach ($data as $index => &$datum) {
                //we will skip any index with the prefix binary
                if (substr($index, 0, 7) != 'binary_') {
                    $datum = ilp_db::encode($datum);
                }
            }
            // NOTE(review): $datum is still a reference to the last element here; an
            // unset($datum) after the loop would avoid the classic dangling-reference bug.
        }
        return $data;
    } else {
        // decode any special characters prevent malicious code slipping through
        $data = ilp_db::decode_htmlchars($data, ENT_QUOTES);
        // purify all data (e.g. validate html, remove js and other bad stuff)
        // NOTE(review): the historical comment below says the purify call was removed,
        // but it is present and active on the statement that follows.
        //I have had to remove the purify call as it was causing pages to timeout in 1.9
        //this should be put back in once the ilp is moodle 2.0 only
        $data = purify_html($data);
        // encode the purified string
        // NOTE(review): the replacement argument of preg_replace() below reads as a bare '\'
        // in this listing, which is not a valid single-quoted literal; confirm the intended
        // replacement (most likely a doubled backslash) against the original file.
        $data = trim(preg_replace('/\\\\/', '\', htmlentities($data, ENT_QUOTES, 'utf-8', false)));
        // convert the empty string into null as such values break nullable FK fields
        return $data == '' ? null : $data;
    }
}
/**
 * Flattens a pin record into the array shape used by the caller.
 *
 * The link goes through purify_url() and the title through purify_html()
 * (both project helpers); 'created_on' is converted with strtotime(), which
 * yields false for a string it cannot parse.
 *
 * @param array $pin Record with 'link', 'title' and 'created_on' entries
 * @return array Array with keys 'link', 'title' and 'created_on'
 */
public static function toArray($pin) {
    $link = purify_url($pin['link']);
    $title = purify_html($pin['title']);
    $createdOn = strtotime($pin['created_on']);

    return array(
        'link' => $link,
        'title' => $title,
        'created_on' => $createdOn,
    );
}
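/**
 * Checks that purify_html() leaves Moodle's own custom tags (nolink, tex,
 * algebra, lang, multilang span) untouched, and that mixed line endings in
 * plain text survive as well.
 *
 * The previous docblock ("Tests the installation of event handlers from
 * file") was a copy-paste leftover and did not describe this test.
 */
function test_our_tags() {
    // Every sample must come back byte-identical from the purifier.
    $samples = array(
        '<nolink>xxx<em>xx</em><div>xxx</div></nolink>',
        '<tex>xxxxxx</tex>',
        '<algebra>xxxxxx</algebra>',
        '<span lang="de_DU" class="multilang">asas</span>',
        '<lang lang="de_DU">xxxxxx</lang>',
        // Not a tag case: \r, \n and \r\n must not be normalised away.
        "\n\raa\rsss\nsss\r",
    );
    foreach ($samples as $text) {
        $this->assertIdentical($text, purify_html($text));
    }
}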
/**
 * Loads the sample RSS feed through moodle_simplepie and checks that the
 * channel metadata and the first item are parsed as expected.
 *
 * The fixture is fetched via getExternalTestFileUrl(), so this test needs
 * outbound HTTP access (see the proxy hint in the error assertion).
 */
public function test_getfeed() {
    $feed = new moodle_simplepie($this->getExternalTestFileUrl('/rsstest.xml'), self::TIMEOUT);

    $this->assertInstanceOf('moodle_simplepie', $feed);
    $this->assertNull($feed->error(), "Failed to load the sample RSS file. Please check your proxy settings in Moodle. %s");

    // Channel-level data.
    $this->assertSame('Moodle News', $feed->get_title());
    $this->assertSame('http://moodle.org/mod/forum/view.php?f=1', $feed->get_link());
    $this->assertSame("General news about Moodle.\n\nMoodle is a leading open-source course management system (CMS) - a software package designed to help educators create quality online courses. Such e-learning systems are sometimes also called Learning Management Systems (LMS) or Virtual Learning Environments (VLE). One of the main advantages of Moodle over other systems is a strong grounding in social constructionist pedagogy.", $feed->get_description());
    $this->assertSame('&#169; 2007 moodle', $feed->get_copyright());
    $this->assertSame('http://moodle.org/pix/i/rsssitelogo.gif', $feed->get_image_url());
    $this->assertSame('moodle', $feed->get_image_title());
    $this->assertSame('http://moodle.org/', $feed->get_image_link());
    // Loose assertEquals here, presumably because the width/height accessor's
    // scalar type (string vs int) is not something this test wants to pin.
    $this->assertEquals('140', $feed->get_image_width());
    $this->assertEquals('35', $feed->get_image_height());

    // Items.
    $this->assertNotEmpty($items = $feed->get_items());
    $this->assertCount(15, $items);

    $this->assertNotEmpty($itemone = $feed->get_item(0));
    $this->assertSame('Google HOP contest encourages pre-University students to work on Moodle', $itemone->get_title());
    $this->assertSame('http://moodle.org/mod/forum/discuss.php?d=85629', $itemone->get_link());
    $this->assertSame('http://moodle.org/mod/forum/discuss.php?d=85629', $itemone->get_id());

    // The expected description is run through purify_html() too, so the
    // comparison is purified-vs-purified (e.g. the nested <p><p> is normalised
    // on both sides).
    $description = <<<EOD
by Martin Dougiamas. 
<p><p><img src="http://code.google.com/opensource/ghop/2007-8/images/ghoplogosm.jpg" align="right" style="margin:10px" />After their very successful <a href="http://code.google.com/soc/2007/">Summer of Code</a> program for University students, Google just announced their new <a href="http://code.google.com/opensource/ghop/2007-8/">Highly Open Participation contest</a>, designed to encourage pre-University students to get involved with open source projects via much smaller and diverse contributions.<br /> <br /> I'm very proud that Moodle has been selected as one of only <a href="http://code.google.com/opensource/ghop/2007-8/projects.html">ten open source projects</a> to take part in the inaugural year of this new contest.<br /> <br /> We have a <a href="http://code.google.com/p/google-highly-open-participation-moodle/issues/list">long list of small tasks</a> prepared already for students, but we would definitely like to see the Moodle community come up with more - so if you have any ideas for things you want to see done, please <a href="http://code.google.com/p/google-highly-open-participation-moodle/">send them to us</a>! Just remember they can't take more than five days.<br /> <br /> Google will pay students US\$100 for every three tasks they successfully complete, plus send a cool T-shirt. There are also grand prizes including an all-expenses-paid trip to Google HQ in Mountain View, California. If you are (or know) a young student with an interest in Moodle then give it a go! <br /> <br /> You can find out all the details on the <a href="http://code.google.com/p/google-highly-open-participation-moodle/">Moodle/GHOP contest site</a>.</p></p>
EOD;
    $description = purify_html($description);
    $this->assertSame($description, $itemone->get_description());

    // TODO fix this so it uses $CFG by default.
    $this->assertSame(1196412453, $itemone->get_date('U'));

    // Last item.
    $this->assertNotEmpty($feed->get_item(14));
    // Past last item.
    $this->assertEmpty($feed->get_item(15));
}
/**
 * Builds the compact, abbreviated-key array representation of a task row.
 *
 * @param array $raw_data A task row as read from storage (keys such as 'id',
 *                        'name', 'text', 'type_content', 'due_date', ...)
 * @param bool  $full     When true, also expose the unprocessed text under 'description'
 * @return array Associative array with short keys ('t' title, 'desc', 'c' created
 *               timestamp, 'dd'/'sd' due/start timestamps, 'wt'/'wid'/'wp' open
 *               timeslot info, 'rep' repeating flag, ...)
 */
static function getArrayInfo($raw_data, $full = false){
    // Description: plain 'text' content is escaped with htmlspecialchars(); HTML content
    // is purified (wysiwyg on) or flattened to text (wysiwyg off).
    // NOTE(review): htmlspecialchars() is called without ENT_QUOTES; on PHP < 8.1 the
    // default flags leave single quotes unescaped.
    if(config_option("wysiwyg_tasks")){
        if($raw_data['type_content'] == "text"){
            $desc = nl2br(htmlspecialchars($raw_data['text']));
        }else{
            $desc = purify_html(nl2br($raw_data['text']));
        }
    }else{
        if($raw_data['type_content'] == "text"){
            $desc = htmlspecialchars($raw_data['text']);
        }else{
            $desc = html_to_text(html_entity_decode(nl2br($raw_data['text']), null, "UTF-8"));
        }
    }

    $member_ids = ObjectMembers::instance()->getCachedObjectMembers($raw_data['id']);

    // A throw-away ProjectTask is populated with just enough state to reuse its
    // member-path, assignee-name and open-timeslot helpers below.
    $tmp_task = new ProjectTask();
    $tmp_task->setObjectId($raw_data['id']);
    $tmp_task->setId($raw_data['id']);
    $tmp_task->setAssignedToContactId($raw_data['assigned_to_contact_id']);

    $result = array(
        'id' => $raw_data['id'],
        't' => $raw_data['name'],
        'desc' => $desc,
        'members' => $member_ids,
        'c' => strtotime($raw_data['created_on']),
        'cid' => (int)$raw_data['created_by_id'],
        'otype' => $raw_data['object_subtype'],
        'pc' => (int)$raw_data['percent_completed'],
        // json_encode() output with ' escaped as \' and " turned into ', presumably so the
        // JSON can sit inside a single-quoted JS/HTML attribute - TODO confirm at the
        // consumer; hand-rolled quote swapping like this is fragile.
        'memPath' => str_replace('"',"'", str_replace("'", "\'", json_encode($tmp_task->getMembersToDisplayPath($member_ids))))
    );

    if ($full) {
        // Unprocessed text, only on request.
        $result['description'] = $raw_data['text'];
    }

    $result['mas'] = (int)array_var($raw_data, 'multi_assignment');

    if ($raw_data['completed_by_id'] > 0) {
        $result['s'] = 1;
    }
    if ($raw_data['parent_id'] > 0) {
        $result['pid'] = (int)$raw_data['parent_id'];
    }
    // The priority filter is commented out, so 'pr' is always set.
    //if ($this->getPriority() != 200)
    $result['pr'] = (int)$raw_data['priority'];
    if ($raw_data['milestone_id'] > 0) {
        $result['mid'] = (int)$raw_data['milestone_id'];
    }
    if ($raw_data['assigned_to_contact_id'] > 0) {
        $result['atid'] = (int)$raw_data['assigned_to_contact_id'];
    }
    $result['atName'] = $tmp_task->getAssignedToName();
    if ($raw_data['completed_by_id'] > 0) {
        $result['cbid'] = (int)$raw_data['completed_by_id'];
        // (stray second semicolon is harmless)
        $result['con'] = strtotime($raw_data['completed_on']);;
    }

    // Due/start timestamps are shifted by the logged-in user's timezone offset
    // (getTimezone() is presumably in hours, hence * 3600), i.e. they are
    // user-local epoch values rather than UTC - confirm at the consumer.
    if ($raw_data['due_date'] != EMPTY_DATETIME) {
        $result['dd'] = strtotime($raw_data['due_date']) + logged_user()->getTimezone() * 3600;
        $result['udt'] = $raw_data['use_due_time'] ? 1 : 0;
    }
    if ($raw_data['start_date'] != EMPTY_DATETIME) {
        $result['sd'] = strtotime($raw_data['start_date']) + logged_user()->getTimezone() * 3600;
        $result['ust'] = $raw_data['use_start_time'] ? 1 : 0;
    }

    // Time estimate: 'te' is the raw value, 'et' the formatted h/m string (estimate * 60
    // suggests the stored unit is minutes - confirm).
    $time_estimate = $raw_data['time_estimate'];
    $result['te'] = $raw_data['time_estimate'];
    if ($time_estimate > 0) $result['et'] = DateTimeValue::FormatTimeDiff(new DateTimeValue(0), new DateTimeValue($time_estimate * 60), 'hm', 60) ;
    $result['tz'] = logged_user()->getTimezone() * 3600;

    // Open timeslots: parallel lists of seconds worked, contact ids and paused flags;
    // 'wpt' is set only for the current user's own paused slot.
    $ot = $tmp_task->getOpenTimeslots();
    if ($ot){
        $users = array();
        $time = array();
        $paused = array();
        foreach ($ot as $t){
            if (!$t instanceof Timeslot) continue;
            $time[] = $t->getSeconds();
            $users[] = $t->getContactId();
            $paused[] = $t->isPaused()?1:0;
            if ($t->isPaused() && $t->getContactId() == logged_user()->getId()) {
                $result['wpt'] = $t->getPausedOn()->getTimestamp();
            }
        }
        $result['wt'] = $time;
        $result['wid'] = $users;
        $result['wp'] = $paused;
    }

    // Any of the three repeat settings marks the task as repeating.
    if ($raw_data['repeat_forever'] > 0 || $raw_data['repeat_num'] > 0 || $raw_data['repeat_end'] != EMPTY_DATETIME) {
        $result['rep'] = 1;
    }
    return $result;
}
} echo render_object_link_form($task, $pre_linked_objects) ?> </fieldset> </div> <?php } // if ?> <div> <?php if(config_option("wysiwyg_tasks")){ if(array_var($task_data, 'type_content') == "text"){ $ckEditorContent = purify_html(nl2br(array_var($task_data, 'text'))); }else{ $ckEditorContent = purify_html(nl2br(array_var($task_data, 'text'))); } ?> <?php echo label_tag(lang('description'), $genid . 'taskListFormDescription') ?> <div id="<?php echo $genid ?>ckcontainer" style="height: 100%"> <textarea cols="80" id="<?php echo $genid ?>ckeditor" name="task[text]" rows="10"><?php echo clean($ckEditorContent) ?></textarea> </div> <script> var h = document.getElementById("<?php echo $genid ?>ckcontainer").offsetHeight; if (h > 300) { h = 280; $("#<?php echo $genid ?>ckcontainer").css('height', (h+20)+'px'); } var editor = CKEDITOR.replace('<?php echo $genid ?>ckeditor', { height: h, enterMode: CKEDITOR.ENTER_DIV,
/**
 * Extracts a post ("item") and its author details from a parsed Atom/RSS entry.
 *
 * Fills $author (by reference) with author_name / author_link / author_is_feed /
 * author_photo and, when a DFRN or Zot owner element is present, owner_name /
 * owner_link / owner_photo.  Returns the item array (mid, title, body, plink,
 * created, edited, verb, term, attach, object, target, ...) after running the
 * 'parse_atom' hook.
 *
 * Body handling: a DFRN <env> element, when present, is taken as the trusted
 * copy of the body (base64url, tags stripped).  Otherwise, if the body contains
 * both '<' and '>' it is treated as HTML, purified and converted to bbcode; a
 * tag-free body from a foreign feed is escaped with escape_tags().
 *
 * NOTE(review): author/owner link and photo hrefs are only passed through
 * unxmlify() here - there is no URL scheme check in this function.  Presumably
 * they are validated/escaped at render time; verify before trusting them.
 *
 * @param object $feed   Parsed feed (SimplePie-style: get_title(), get_permalink(), get_feed_tags())
 * @param object $item   Parsed entry (get_author(), get_item_tags(), get_enclosures(), ...)
 * @param array  $author [out] Author/owner details as described above
 * @return array Item fields ready for storage
 */
function get_atom_elements($feed, $item, &$author) {
    //$best_photo = array();
    $res = array();

    // Author: the entry's own author if present, else the feed itself.
    $found_author = $item->get_author();
    if ($found_author) {
        $author['author_name'] = unxmlify($found_author->get_name());
        $author['author_link'] = unxmlify($found_author->get_link());
        $author['author_is_feed'] = false;
    } else {
        $author['author_name'] = unxmlify($feed->get_title());
        $author['author_link'] = unxmlify($feed->get_permalink());
        $author['author_is_feed'] = true;
    }
    // Normalise away a trailing slash on the author link.
    if (substr($author['author_link'], -1, 1) == '/') {
        $author['author_link'] = substr($author['author_link'], 0, -1);
    }

    $res['mid'] = base64url_encode(unxmlify($item->get_id()));
    $res['title'] = unxmlify($item->get_title());
    $res['body'] = unxmlify($item->get_content());
    $res['plink'] = unxmlify($item->get_link(0));
    $res['item_flags'] = ITEM_RSS;

    // removing the content of the title if its identically to the body
    // This helps with auto generated titles e.g. from tumblr
    if (title_is_body($res["title"], $res["body"])) {
        $res['title'] = "";
    }

    // scheme://host (first three '/'-separated parts) of the permalink, used to
    // absolutise relative URLs in the body later on.
    if ($res['plink']) {
        $base_url = implode('/', array_slice(explode('/', $res['plink']), 0, 3));
    } else {
        $base_url = '';
    }

    // look for a photo. We should check media size and find the best one,
    // but for now let's just find any author photo
    $rawauthor = $item->get_item_tags(SIMPLEPIE_NAMESPACE_ATOM_10, 'author');
    if ($rawauthor && $rawauthor[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['link']) {
        $base = $rawauthor[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['link'];
        foreach ($base as $link) {
            if (!x($author, 'author_photo') || !$author['author_photo']) {
                if ($link['attribs']['']['rel'] === 'photo' || $link['attribs']['']['rel'] === 'avatar') {
                    $author['author_photo'] = unxmlify($link['attribs']['']['href']);
                }
            }
        }
    }

    // ActivityStreams actor on the item (only when it is a person).
    $rawactor = $item->get_item_tags(NAMESPACE_ACTIVITY, 'actor');
    if ($rawactor && activity_match($rawactor[0]['child'][NAMESPACE_ACTIVITY]['obj_type'][0]['data'], ACTIVITY_OBJ_PERSON)) {
        $base = $rawactor[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['link'];
        if ($base && count($base)) {
            foreach ($base as $link) {
                // NOTE(review): $res['author_link'] is never assigned anywhere in this
                // function, so this condition is always true and the actor's alternate
                // link silently overrides the author link set above.  $author['author_link']
                // (as used in the feed-level loop further down) was almost certainly meant.
                if ($link['attribs']['']['rel'] === 'alternate' && !$res['author_link']) {
                    $author['author_link'] = unxmlify($link['attribs']['']['href']);
                }
                if (!x($author, 'author_photo') || !$author['author_photo']) {
                    if ($link['attribs']['']['rel'] === 'avatar' || $link['attribs']['']['rel'] === 'photo') {
                        $author['author_photo'] = unxmlify($link['attribs']['']['href']);
                    }
                }
            }
        }
    }

    // check for a yahoo media element (github etc.)
    if (!$author['author_photo']) {
        $rawmedia = $item->get_item_tags(NAMESPACE_YMEDIA, 'thumbnail');
        if ($rawmedia && $rawmedia[0]['attribs']['']['url']) {
            $author['author_photo'] = strip_tags(unxmlify($rawmedia[0]['attribs']['']['url']));
        }
    }

    // No photo/profile-link on the item - look at the feed level
    if (!x($author, 'author_link') || !x($author, 'author_photo')) {
        $rawauthor = $feed->get_feed_tags(SIMPLEPIE_NAMESPACE_ATOM_10, 'author');
        if ($rawauthor && $rawauthor[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['link']) {
            $base = $rawauthor[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['link'];
            foreach ($base as $link) {
                if ($link['attribs']['']['rel'] === 'alternate' && !$author['author_link']) {
                    $author['author_link'] = unxmlify($link['attribs']['']['href']);
                    $author['author_is_feed'] = true;
                }
                if (!$author['author_photo']) {
                    if ($link['attribs']['']['rel'] === 'photo' || $link['attribs']['']['rel'] === 'avatar') {
                        $author['author_photo'] = unxmlify($link['attribs']['']['href']);
                    }
                }
            }
        }

        $rawactor = $feed->get_feed_tags(NAMESPACE_ACTIVITY, 'subject');
        if ($rawactor && activity_match($rawactor[0]['child'][NAMESPACE_ACTIVITY]['obj_type'][0]['data'], ACTIVITY_OBJ_PERSON)) {
            $base = $rawactor[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['link'];
            if ($base && count($base)) {
                foreach ($base as $link) {
                    // NOTE(review): same always-true $res['author_link'] test as in the
                    // item-level actor loop above.
                    if ($link['attribs']['']['rel'] === 'alternate' && !$res['author_link']) {
                        $author['author_link'] = unxmlify($link['attribs']['']['href']);
                    }
                    if (!x($author, 'author_photo')) {
                        if ($link['attribs']['']['rel'] === 'avatar' || $link['attribs']['']['rel'] === 'photo') {
                            $author['author_photo'] = unxmlify($link['attribs']['']['href']);
                        }
                    }
                }
            }
        }
    }

    // Originating application (StatusNet notice_info source), tags stripped.
    $apps = $item->get_item_tags(NAMESPACE_STATUSNET, 'notice_info');
    if ($apps && $apps[0]['attribs']['']['source']) {
        $res['app'] = strip_tags(unxmlify($apps[0]['attribs']['']['source']));
    }

    /*
     * If there's a copy of the body content which is guaranteed to have survived mangling in transit, use it.
     */
    $have_real_body = false;
    $rawenv = $item->get_item_tags(NAMESPACE_DFRN, 'env');
    if ($rawenv) {
        $have_real_body = true;
        $res['body'] = $rawenv[0]['data'];
        // Whitespace is stripped before base64url decoding.
        $res['body'] = str_replace(array(' ', "\t", "\r", "\n"), array('', '', '', ''), $res['body']);
        // make sure nobody is trying to sneak some html tags by us
        $res['body'] = notags(base64url_decode($res['body']));
        // We could probably turn these old Friendica bbcode bookmarks into bookmark tags but we'd have to
        // create a term table item for them. For now just make sure they stay as links.
        $res['body'] = preg_replace('/\\[bookmark(.*?)\\](.*?)\\[\\/bookmark\\]/', '[url$1]$2[/url]', $res['body']);
    }

    $res['body'] = limit_body_size($res['body']);

    // It isn't certain at this point whether our content is plaintext or html and we'd be foolish to trust
    // the content type. Our own network only emits text normally, though it might have been converted to
    // html if we used a pubsubhubbub transport. But if we see even one html tag in our text, we will
    // have to assume it is all html and needs to be purified.
    // It doesn't matter all that much security wise - because before this content is used anywhere, we are
    // going to escape any tags we find regardless, but this lets us import a limited subset of html from
    // the wild, by sanitising it and converting supported tags to bbcode before we rip out any remaining
    // html.
    if (strpos($res['body'], '<') !== false && strpos($res['body'], '>') !== false) {
        $res['body'] = reltoabs($res['body'], $base_url);
        $res['body'] = html2bb_video($res['body']);
        $res['body'] = oembed_html2bbcode($res['body']);
        $res['body'] = purify_html($res['body']);
        // NOTE(review): '@' hides any warnings the converter emits; routing them
        // through logger() would be preferable to silent suppression.
        $res['body'] = @html2bbcode($res['body']);
    } elseif (!$have_real_body) {
        // it's not one of our messages and it has no tags
        // so it's probably just text. We'll escape it just to be safe.
        $res['body'] = escape_tags($res['body']);
    }

    // Prepend a bookmark link to the permalink and record it as a bookmark term.
    // NOTE(review): $terms is only defined inside these two branches; it is read
    // with is_null() further down even when neither branch ran.
    if ($res['plink'] && $res['title']) {
        $res['body'] = '#^[url=' . $res['plink'] . ']' . $res['title'] . '[/url]' . "\n\n" . $res['body'];
        $terms = array();
        $terms[] = array('otype' => TERM_OBJ_POST, 'type' => TERM_BOOKMARK, 'url' => $res['plink'], 'term' => $res['title']);
    } elseif ($res['plink']) {
        $res['body'] = '#^[url]' . $res['plink'] . '[/url]' . "\n\n" . $res['body'];
        $terms = array();
        $terms[] = array('otype' => TERM_OBJ_POST, 'type' => TERM_BOOKMARK, 'url' => $res['plink'], 'term' => $res['plink']);
    }

    // Privacy flag from the DFRN <private> element; anything else is public.
    $private = $item->get_item_tags(NAMESPACE_DFRN, 'private');
    if ($private && intval($private[0]['data']) > 0) {
        $res['item_private'] = intval($private[0]['data']) ? 1 : 0;
    } else {
        $res['item_private'] = 0;
    }

    $rawlocation = $item->get_item_tags(NAMESPACE_DFRN, 'location');
    if ($rawlocation) {
        $res['location'] = unxmlify($rawlocation[0]['data']);
    }

    // Timestamps: published -> created, updated -> edited, each falling back to
    // the other / to the parser's own date.
    $rawcreated = $item->get_item_tags(SIMPLEPIE_NAMESPACE_ATOM_10, 'published');
    if ($rawcreated) {
        $res['created'] = unxmlify($rawcreated[0]['data']);
    }
    $rawedited = $item->get_item_tags(SIMPLEPIE_NAMESPACE_ATOM_10, 'updated');
    if ($rawedited) {
        $res['edited'] = unxmlify($rawedited[0]['data']);
    }
    if (x($res, 'edited') && !x($res, 'created')) {
        $res['created'] = $res['edited'];
    }
    if (!$res['created']) {
        $res['created'] = $item->get_date('c');
    }
    if (!$res['edited']) {
        $res['edited'] = $item->get_date('c');
    }

    // Disallow time travelling posts
    // (a created/edited stamp in the future is replaced with "now").
    $d1 = strtotime($res['created']);
    $d2 = strtotime($res['edited']);
    $d3 = strtotime('now');
    if ($d1 > $d3) {
        $res['created'] = datetime_convert();
    }
    if ($d2 > $d3) {
        $res['edited'] = datetime_convert();
    }
    $res['created'] = datetime_convert('UTC', 'UTC', $res['created']);
    $res['edited'] = datetime_convert('UTC', 'UTC', $res['edited']);

    // Owner: DFRN first, then Zot.
    // NOTE(review): when neither element exists $rawowner is empty/false and the
    // index reads below raise notices/warnings rather than being skipped.
    $rawowner = $item->get_item_tags(NAMESPACE_DFRN, 'owner');
    if (!$rawowner) {
        $rawowner = $item->get_item_tags(NAMESPACE_ZOT, 'owner');
    }
    if ($rawowner[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['name'][0]['data']) {
        $author['owner_name'] = unxmlify($rawowner[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['name'][0]['data']);
    } elseif ($rawowner[0]['child'][NAMESPACE_DFRN]['name'][0]['data']) {
        $author['owner_name'] = unxmlify($rawowner[0]['child'][NAMESPACE_DFRN]['name'][0]['data']);
    }
    if ($rawowner[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['uri'][0]['data']) {
        $author['owner_link'] = unxmlify($rawowner[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['uri'][0]['data']);
    } elseif ($rawowner[0]['child'][NAMESPACE_DFRN]['uri'][0]['data']) {
        $author['owner_link'] = unxmlify($rawowner[0]['child'][NAMESPACE_DFRN]['uri'][0]['data']);
    }
    if ($rawowner[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['link']) {
        $base = $rawowner[0]['child'][SIMPLEPIE_NAMESPACE_ATOM_10]['link'];
        foreach ($base as $link) {
            if (!x($author, 'owner_photo') || !$author['owner_photo']) {
                if ($link['attribs']['']['rel'] === 'photo' || $link['attribs']['']['rel'] === 'avatar') {
                    $author['owner_photo'] = unxmlify($link['attribs']['']['href']);
                }
            }
        }
    }

    $rawgeo = $item->get_item_tags(NAMESPACE_GEORSS, 'point');
    if ($rawgeo) {
        $res['coord'] = unxmlify($rawgeo[0]['data']);
    }

    $rawverb = $item->get_item_tags(NAMESPACE_ACTIVITY, 'verb');
    // select between supported verbs
    if ($rawverb) {
        $res['verb'] = unxmlify($rawverb[0]['data']);
    }
    // translate OStatus unfollow to activity streams if it happened to get selected
    if (x($res, 'verb') && $res['verb'] === 'http://ostatus.org/schema/1.0/unfollow') {
        $res['verb'] = ACTIVITY_UNFOLLOW;
    }

    // Categories become terms: an "X-DFRN:" scheme marks a hashtag ('#' at
    // offset 7) or a mention, with the target URL after the prefix; anything
    // else is a plain category.
    $cats = $item->get_categories();
    if ($cats) {
        if (is_null($terms)) {
            $terms = array();
        }
        foreach ($cats as $cat) {
            $term = $cat->get_term();
            if (!$term) {
                $term = $cat->get_label();
            }
            $scheme = $cat->get_scheme();
            $termurl = '';
            if ($scheme && $term && stristr($scheme, 'X-DFRN:')) {
                $termtype = substr($scheme, 7, 1) === '#' ? TERM_HASHTAG : TERM_MENTION;
                $termurl = unxmlify(substr($scheme, 9));
            } else {
                $termtype = TERM_CATEGORY;
            }
            $termterm = notags(trim(unxmlify($term)));
            if ($termterm) {
                $terms[] = array('otype' => TERM_OBJ_POST, 'type' => $termtype, 'url' => $termurl, 'term' => $termterm);
            }
        }
    }
    if (!is_null($terms)) {
        $res['term'] = $terms;
    }

    // Enclosures -> attachments.  Only links starting with 'http' are kept.
    // NOTE(review): ',' is mapped to %2D, which decodes to '-', not to ','
    // (that would be %2C); '"' -> %22 is correct.  Presumably these two
    // characters are delimiters in the serialised attach list - confirm.
    $attach = $item->get_enclosures();
    if ($attach) {
        $res['attach'] = array();
        foreach ($attach as $att) {
            $len = intval($att->get_length());
            $link = str_replace(array(',', '"'), array('%2D', '%22'), notags(trim(unxmlify($att->get_link()))));
            $title = str_replace(array(',', '"'), array('%2D', '%22'), notags(trim(unxmlify($att->get_title()))));
            $type = str_replace(array(',', '"'), array('%2D', '%22'), notags(trim(unxmlify($att->get_type()))));
            // Drop any ";charset=..." parameter from the media type (a ';' at
            // offset 0 is not caught by this truthiness test).
            if (strpos($type, ';')) {
                $type = substr($type, 0, strpos($type, ';'));
            }
            if (!$link || strpos($link, 'http') !== 0) {
                continue;
            }
            if (!$title) {
                $title = ' ';
            }
            if (!$type) {
                $type = 'application/octet-stream';
            }
            $res['attach'][] = array('href' => $link, 'length' => $len, 'type' => $type, 'title' => $title);
        }
    }

    // ActivityStreams <object>: type, id, links, title and content (content is
    // purified and bbcode-converted when it looks like HTML; the raw copy is
    // kept under 'orig').
    $rawobj = $item->get_item_tags(NAMESPACE_ACTIVITY, 'object');
    if ($rawobj) {
        $obj = array();
        $child = $rawobj[0]['child'];
        if ($child[NAMESPACE_ACTIVITY]['obj_type'][0]['data']) {
            $res['obj_type'] = $child[NAMESPACE_ACTIVITY]['obj_type'][0]['data'];
            $obj['type'] = $child[NAMESPACE_ACTIVITY]['obj_type'][0]['data'];
        }
        if (x($child[SIMPLEPIE_NAMESPACE_ATOM_10], 'id') && $child[SIMPLEPIE_NAMESPACE_ATOM_10]['id'][0]['data']) {
            $obj['id'] = $child[SIMPLEPIE_NAMESPACE_ATOM_10]['id'][0]['data'];
        }
        if (x($child[SIMPLEPIE_NAMESPACE_ATOM_10], 'link') && $child[SIMPLEPIE_NAMESPACE_ATOM_10]['link']) {
            $obj['link'] = encode_rel_links($child[SIMPLEPIE_NAMESPACE_ATOM_10]['link']);
        }
        if (x($child[SIMPLEPIE_NAMESPACE_ATOM_10], 'title') && $child[SIMPLEPIE_NAMESPACE_ATOM_10]['title'][0]['data']) {
            $obj['title'] = $child[SIMPLEPIE_NAMESPACE_ATOM_10]['title'][0]['data'];
        }
        if (x($child[SIMPLEPIE_NAMESPACE_ATOM_10], 'content') && $child[SIMPLEPIE_NAMESPACE_ATOM_10]['content'][0]['data']) {
            $body = $child[SIMPLEPIE_NAMESPACE_ATOM_10]['content'][0]['data'];
            if (!$body) {
                $body = $child[SIMPLEPIE_NAMESPACE_ATOM_10]['summary'][0]['data'];
            }
            // preserve a copy of the original body content in case we later need to parse out any microformat information, e.g. events
            $obj['orig'] = xmlify($body);
            if (strpos($body, '<') !== false || strpos($body, '>') !== false) {
                $body = purify_html($body);
                $body = html2bbcode($body);
            }
            $obj['content'] = $body;
        }
        $res['object'] = $obj;
    }

    // ActivityStreams <target>: same extraction as <object>, stored as 'target'.
    $rawobj = $item->get_item_tags(NAMESPACE_ACTIVITY, 'target');
    if ($rawobj) {
        $obj = array();
        $child = $rawobj[0]['child'];
        if ($child[NAMESPACE_ACTIVITY]['obj_type'][0]['data']) {
            $res['tgt_type'] = $child[NAMESPACE_ACTIVITY]['obj_type'][0]['data'];
            $obj['type'] = $child[NAMESPACE_ACTIVITY]['obj_type'][0]['data'];
        }
        if (x($child[SIMPLEPIE_NAMESPACE_ATOM_10], 'id') && $child[SIMPLEPIE_NAMESPACE_ATOM_10]['id'][0]['data']) {
            $obj['id'] = $child[SIMPLEPIE_NAMESPACE_ATOM_10]['id'][0]['data'];
        }
        if (x($child[SIMPLEPIE_NAMESPACE_ATOM_10], 'link') && $child[SIMPLEPIE_NAMESPACE_ATOM_10]['link']) {
            $obj['link'] = encode_rel_links($child[SIMPLEPIE_NAMESPACE_ATOM_10]['link']);
        }
        if (x($child[SIMPLEPIE_NAMESPACE_ATOM_10], 'title') && $child[SIMPLEPIE_NAMESPACE_ATOM_10]['title'][0]['data']) {
            $obj['title'] = $child[SIMPLEPIE_NAMESPACE_ATOM_10]['title'][0]['data'];
        }
        if (x($child[SIMPLEPIE_NAMESPACE_ATOM_10], 'content') && $child[SIMPLEPIE_NAMESPACE_ATOM_10]['content'][0]['data']) {
            $body = $child[SIMPLEPIE_NAMESPACE_ATOM_10]['content'][0]['data'];
            if (!$body) {
                $body = $child[SIMPLEPIE_NAMESPACE_ATOM_10]['summary'][0]['data'];
            }
            // preserve a copy of the original body content in case we later need to parse out any microformat information, e.g. events
            $obj['orig'] = xmlify($body);
            if (strpos($body, '<') !== false || strpos($body, '>') !== false) {
                $body = purify_html($body);
                $body = html2bbcode($body);
            }
            $obj['content'] = $body;
        }
        $res['target'] = $obj;
    }

    $res['public_policy'] = 'specific';
    $res['comment_policy'] = 'none';

    // NOTE(review): $arr['result'] is a copy of $res, and the function returns
    // $res rather than $arr['result'], so any change a 'parse_atom' hook makes
    // to the result is discarded unless hooks are meant to be observers only.
    $arr = array('feed' => $feed, 'item' => $item, 'result' => $res);
    call_hooks('parse_atom', $arr);

    logger('get_atom_elements: author: ' . print_r($author, true), LOGGER_DATA);
    logger('get_atom_elements: ' . print_r($res, true), LOGGER_DATA);

    return $res;
}
} else { $real_start = $event_start; } if ($event->getDueDate() instanceof DateTimeValue) { $real_duration = new DateTimeValue($event->getDueDate()->getTimestamp() + 3600 * logged_user()->getTimezone()); } else { $real_duration = $event_duration; } } } $pre_tf = $real_start->getDay() == $real_duration->getDay() ? '' : 'D j, '; $ev_hour_text = format_date($real_start, $pre_tf . $timeformat, 0) . " - " . format_date($real_duration, $pre_tf . $timeformat, 0); $assigned = ""; if ($event instanceof ProjectTask && $event->getAssignedToContactId() > 0) { $assigned = "<br>" . lang('assigned to') . ': ' . $event->getAssignedToName(); $tipBody = purify_html($event->getText()); } else { $tipBody = $ev_hour_text . $assigned . (trim(clean($event->getDescription())) != '' ? '<br><br>' . clean($event->getDescription()) : ''); $tipBody = str_replace(array("\r", "\n"), array(' ', '<br>'), $tipBody); } if (strlen_utf($tipBody) > 200) { $tipBody = substr_utf($tipBody, 0, strpos($tipBody, ' ', 200)) . ' ...'; } ?> <script> if (<?php echo $top; ?> < scroll_to || scroll_to == -1) { scroll_to = <?php echo $top;
<div class="print-view-message"> <div class="header"> <h1><?php echo clean($message->getObjectName()); ?></h1> <b><?php echo lang('from') ?>:</b> <?php echo clean($message->getCreatedByDisplayName()) ?><br /> <b><?php echo lang('date') ?>:</b> <?php echo format_datetime($message->getUpdatedOn(), null, logged_user()->getTimezone()) ?><br /> <b><?php /*FIXME echo lang('workspace') ?>:</b> <?php echo clean($message->getWorkspacesNamesCSV()) */?><br /> </div> <div class="body"> <?php if($message->getTypeContent() == "text"){ echo escape_html_whitespace(convert_to_links(clean($message->getText()))); }else{ echo purify_html(nl2br($message->getText())); } ?> </div> <?php $i = 0; $comments = $message->getComments(); if (count($comments) > 0) { ?> <div class="comments"> <h2><?php echo lang("comments") ?></h2> <?php foreach ($comments as $comment) { $i++; ?> <div class="comment">
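/**
 * Given raw text (eg typed in by a user), this function cleans it up
 * and removes any nasty tags that could mess up Moodle pages.
 *
 * When HTML Purifier is enabled ($CFG->enablehtmlpurifier) the text is handed
 * to purify_html(); otherwise the legacy strip_tags()/kses path is used.  In
 * both cases a final pass neutralises "language=" and "on*=" attributes as
 * extra protection against undiscovered gaps in the tag filtering.
 *
 * @uses FORMAT_MOODLE
 * @uses FORMAT_PLAIN
 * @uses ALLOWED_TAGS
 * @param string $text The text to be cleaned
 * @param int $format Identifier of the text format to be used
 *            (FORMAT_MOODLE, FORMAT_HTML, FORMAT_PLAIN, FORMAT_WIKI, FORMAT_MARKDOWN)
 * @return string The cleaned up text
 */
function clean_text($text, $format = FORMAT_MOODLE) {
    global $ALLOWED_TAGS, $CFG;

    // Nothing to clean: empty strings and bare numbers cannot carry markup.
    if (empty($text) or is_numeric($text)) {
        return (string) $text;
    }

    switch ($format) {
        case FORMAT_PLAIN:
        case FORMAT_MARKDOWN:
            // Plain and markdown text is handled at render time; pass through untouched.
            return $text;

        default:
            if (!empty($CFG->enablehtmlpurifier)) {
                $text = purify_html($text);
            } else {
                /// Fix non standard entity notations
                $text = preg_replace('/(&#[0-9]+)(;?)/', "\\1;", $text);
                $text = preg_replace('/(&#x[0-9a-fA-F]+)(;?)/', "\\1;", $text);

                /// Remove tags that are not allowed
                $text = strip_tags($text, $ALLOWED_TAGS);

                /// Clean up embedded scripts, using kses
                $text = cleanAttributes($text);

                /// Again remove tags that are not allowed
                $text = strip_tags($text, $ALLOWED_TAGS);
            }

            /// Remove potential script events - some extra protection for undiscovered bugs in our code
            // eregi_replace() was removed in PHP 7; preg_replace() with the /i modifier is
            // the case-insensitive equivalent and accepts the same [[:space:]] class.
            $text = preg_replace('/([^a-z])language([[:space:]]*)=/i', "\\1Xlanguage=", $text);
            $text = preg_replace('/([^a-z])on([a-z]+)([[:space:]]*)=/i', "\\1Xon\\2=", $text);

            return $text;
    }
}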
<fieldset> <legend><?php echo lang('linked objects') ?></legend> <?php echo render_object_link_form($object) ?> </fieldset> </div> <?php } // if ?> <?php if(config_option("wysiwyg_messages")){ if($message->isNew()) { $ckEditorContent = ''; } else { if(array_var($message_data, 'type_content') == "text"){ $ckEditorContent = nl2br(htmlspecialchars(array_var($message_data, 'text'))); }else{ $ckEditorContent = purify_html(nl2br(array_var($message_data, 'text'))); } } ?> <div> <?php echo label_tag(lang('text'), $genid . 'messageFormText', false) ?> <div id="<?php echo $genid ?>ckcontainer" style="height: 350px"> <textarea cols="80" id="<?php echo $genid ?>ckeditor" name="message[text]" rows="10"><?php echo clean($ckEditorContent) ?></textarea> </div> </div> <script> var h = document.getElementById("<?php echo $genid ?>ckcontainer").offsetHeight; var editor = CKEDITOR.replace('<?php echo $genid ?>ckeditor', { height: (h-60) + 'px', enterMode: CKEDITOR.ENTER_DIV,
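/**
 * Streams a project file's content to the browser.
 *
 * Unless SANDBOX_URL is defined (content is then served from a separate
 * origin) the content goes through purify_html() first, so active content
 * in an uploaded file is not executed in the application's origin.
 * For text/html files the charset is detected and the editor stylesheet is
 * prepended so the document renders as it did in the editor.
 *
 * Ends the request with die() after output, like the other actions here.
 */
function display_content() {
    $file = ProjectFiles::findById(get_id());
    if (!$file instanceof ProjectFile) {
        die(lang("file dnx"));
    }
    if (!$file->canView(logged_user())) {
        die(lang("no access permissions"));
    }

    // Sandboxed deployments serve the raw content from an isolated origin;
    // everywhere else it is purified before being emitted from our origin.
    if (defined('SANDBOX_URL')) {
        $html_content = $file->getFileContentWithRealUrls();
    } else {
        $html_content = purify_html($file->getFileContentWithRealUrls());
    }

    // Both HTML-specific steps share one condition (previously two identical ifs).
    $charset = "";
    if ($file->getTypeString() == "text/html") {
        // Tell the browser the charset we detected so it decodes the bytes the same way.
        $encoding = detect_encoding($html_content, array('UTF-8', 'ISO-8859-1', 'WINDOWS-1252'));
        $charset = ";charset=" . $encoding;

        // Include stylesheet from FCK Editor. A missing stylesheet must not
        // prevent the file from being served, so a failed read becomes ''.
        $css = file_get_contents(ROOT . '/public/assets/javascript/ckeditor/contents.css');
        if ($css === false) {
            $css = '';
        }
        $html_content = '<style type="text/css">' . $css . '</style>' . $html_content;
    }

    // Cache for two hours. Computed from the epoch directly instead of re-assembling
    // local date() parts through mktime(), which could be off by an hour across DST.
    header("Expires: " . gmdate("D, d M Y H:i:s", time() + 2 * 3600) . " GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Content-Type: " . $file->getTypeString() . $charset);
    // strlen() counts bytes, which is what Content-Length requires.
    header("Content-Length: " . (string) strlen($html_content));
    print($html_content);
    die();
}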
/**
 * purify_html() must keep links whose scheme is on the allow list (the
 * standard schemes plus the extra ones Moodle permits) and must strip the
 * href entirely for unknown or dangerous schemes such as javascript:.
 */
public function test_allowed_schemes() {
    // First standard schemas, then the extra schemes allowed in moodle.
    $allowed = array(
        'http://www.example.com/course/view.php?id=5',
        'https://www.example.com/course/view.php?id=5',
        'ftp://user@ftp.example.com/some/file.txt',
        'nntp://example.com/group/123',
        'news:groupname',
        'mailto:user@example.com',
        'irc://irc.example.com/3213?pass',
        'rtsp://www.example.com/movie.mov',
        'rtmp://www.example.com/video.f4v',
        'teamspeak://speak.example.com/?par=val?par2=val2',
        'gopher://gopher.example.com/resource',
        'mms://www.example.com/movie.mms',
    );
    foreach ($allowed as $url) {
        $text = '<a href="' . $url . '">link</a>';
        $this->assertSame($text, purify_html($text));
    }

    // Now some borked or dangerous schemes: the anchor survives, the href does not.
    $rejected = array(
        'javascript://www.example.com',
        'hmmm://www.example.com',
    );
    foreach ($rejected as $url) {
        $text = '<a href="' . $url . '">link</a>';
        $this->assertSame('<a>link</a>', purify_html($text));
    }
}
$img_url = image_url('/16x16/task_end.png'); $tip_pre = 'end_'; } else { $tip_title = lang('start of task'); $img_url = image_url('/16x16/task_start.png'); $tip_pre = 'st_'; } } $tip_pre .= gen_id() . "_"; $count++; if ($count <= $max_events_to_show) { $color = 'B1BFAC'; $subject = clean($task->getObjectName()) . '- <span class="italic">' . lang('task') . '</span>'; $cal_text = clean($task->getObjectName()); $tip_text = str_replace("\r", '', lang('assigned to') . ': ' . clean($task->getAssignedToName()) . (trim($task->getText()) == '' ? '' : '<br><br>' . html_to_text($task->getText()))); $tip_text = purify_html(str_replace("\n", '<br>', $tip_text)); if (strlen_utf($tip_text) > 200) { $tip_text = substr_utf($tip_text, 0, strpos($tip_text, ' ', 200)) . ' ...'; } ?> <div id="m_ta_div_<?php echo $tip_pre . $task->getId(); ?> " class="<?php echo "og-wsname-color-{$ws_color}"; ?> " style="height:20px;margin: 1px;padding-left:1px;padding-bottom:0px;border-radius:4px;border: 1px solid;border-color:<?php echo $border_color; ?> ;<?php echo $extra_style;
public function test_purify_html_ruby() {
    $this->resetAfterTest();

    // Valid <ruby>/<rb>/<rt>/<rp> markup must pass through untouched.
    $rubymarkup = "<p><ruby><rb>京都</rb><rp>(</rp><rt>きょうと</rt><rp>)</rp></ruby>は"
        . "<ruby><rb>日本</rb><rp>(</rp><rt>にほん</rt><rp>)</rp></ruby>の"
        . "<ruby><rb>都</rb><rp>(</rp><rt>みやこ</rt><rp>)</rp></ruby>です。</p>";
    // A trailing script element must be removed completely.
    $scripttag = '<script src="//code.jquery.com/jquery-1.11.3.min.js"></script>';

    $result = purify_html($rubymarkup . $scripttag);
    $this->assertEquals($rubymarkup, $result);
}
/**
 * Runs the given text through purify_html() in HTML format.
 *
 * @param string $text Raw text to clean
 * @return string Cleaned text as returned by purify_html()
 */
protected function clean_up($text) {
    $cleaned = purify_html($text, FORMAT_HTML);
    return $cleaned;
}
} if ($message->canDelete(logged_user())) { if ($message->isTrashed()) { add_page_action(lang('restore from trash'), "javascript:if(confirm(lang('confirm restore objects'))) og.openLink('" . $message->getUntrashUrl() . "');", 'ico-restore', null, null, true); add_page_action(lang('delete permanently'), "javascript:if(confirm(lang('confirm delete permanently'))) og.openLink('" . $message->getDeletePermanentlyUrl() . "');", 'ico-delete', null, null, true); } else { add_page_action(lang('move to trash'), "javascript:if(confirm(lang('confirm move to trash'))) og.openLink('" . $message->getTrashUrl() . "');", 'ico-trash', null, null, true); } } // if add_page_action(lang('print view'), $message->getPrintViewUrl(), "ico-print", "_blank"); ?> <div style="padding:7px"> <div class="message"> <?php if ($message->getTypeContent() == "text") { $content = escape_html_whitespace(convert_to_links(clean($message->getText()))); } else { $content = '<div class="wysiwyg-description">' . convert_to_links(purify_html(nl2br($message->getText()))) . '</div>'; } tpl_assign("content", $content); tpl_assign("object", $message); tpl_assign('iconclass', $message->isTrashed() ? 'ico-large-message-trashed' : ($message->isArchived() ? 'ico-large-message-archived' : 'ico-large-message')); $this->includeTemplate(get_template_path('view', 'co')); ?> </div> </div> <?php } //if isset
/**
 * Moderator page for editing a board's settings.
 *
 * On GET the current board row and stylesheet are rendered into mod/settings.html.
 * On POST the submitted form is turned into a generated PHP config file
 * ($b/config.php), a per-board stylesheet, and an UPDATE of the boards table;
 * the generated config is then eval()'d so the rest of the request runs with
 * the new values.
 *
 * @param string $b Board URI (directory name) being edited
 */
function mod_8_settings($b) {
	global $config, $mod;

	//if ($b === 'infinity' && $mod['type'] !== ADMIN)
	//	error('Settings temporarily disabled for this board.');

	// Access control: the moderator must own the board (or hold the '*' wildcard)
	// and hold the edit_settings permission. Both failures abort via error().
	if (!in_array($b, $mod['boards']) and $mod['boards'][0] != '*') {
		error($config['error']['noaccess']);
	}
	if (!hasPermission($config['mod']['edit_settings'], $b)) {
		error($config['error']['noaccess']);
	}
	// NOTE(review): $b is later interpolated into file paths and into the generated
	// PHP; whether it is validated as a safe directory name presumably happens in
	// openBoard() or earlier in the router — confirm.
	if (!openBoard($b)) {
		error("Could not open board!");
	}

	// Allow-list of locales, taken from the directory listing on disk.
	$possible_languages = array_diff(scandir('inc/locale/'), array('..', '.', '.tx', 'README.md'));

	if ($_SERVER['REQUEST_METHOD'] == 'POST') {
		$board_type = $_POST['board_type'];
		$imgboard = $board_type == 'imgboard';
		$txtboard = $board_type == 'txtboard';
		$fileboard = $board_type == 'fileboard';
		$title = $_POST['title'];
		$subtitle = $_POST['subtitle'];
		// Checkbox-style options are reduced to the literal strings 'true'/'false'
		// before being interpolated into the generated config, so no request data
		// reaches the eval()'d file for these.
		$country_flags = isset($_POST['country_flags']) ? 'true' : 'false';
		$field_disable_name = isset($_POST['field_disable_name']) ? 'true' : 'false';
		$enable_embedding = isset($_POST['enable_embedding']) ? 'true' : 'false';
		$force_image_op = $imgboard && isset($_POST['force_image_op']) ? 'true' : 'false';
		$disable_images = $txtboard ? 'true' : 'false';
		$poster_ids = isset($_POST['poster_ids']) ? 'true' : 'false';
		$show_sages = isset($_POST['show_sages']) ? 'true' : 'false';
		$auto_unicode = isset($_POST['auto_unicode']) ? 'true' : 'false';
		$strip_combining_chars = isset($_POST['strip_combining_chars']) ? 'true' : 'false';
		$allow_roll = isset($_POST['allow_roll']) ? 'true' : 'false';
		$image_reject_repost = isset($_POST['image_reject_repost']) ? 'true' : 'false';
		$image_reject_repost_in_thread = isset($_POST['image_reject_repost_in_thread']) ? 'true' : 'false';
		$early_404 = isset($_POST['early_404']) ? 'true' : 'false';
		$allow_delete = isset($_POST['allow_delete']) ? 'true' : 'false';
		// Fixed code snippets; the checkbox only selects between a constant snippet and ''.
		$allow_flash = $imgboard && isset($_POST['allow_flash']) ? '$config[\'allowed_ext_files\'][] = \'swf\';' : '';
		$allow_pdf = $imgboard && isset($_POST['allow_pdf']) ? '$config[\'allowed_ext_files\'][] = \'pdf\';' : '';
		$code_tags = isset($_POST['code_tags']) ? '$config[\'additional_javascript\'][] = \'js/code_tags/run_prettify.js\';$config[\'markup\'][] = array("/\\[code\\](.+?)\\[\\/code\\]/ms", "<code><pre class=\'prettyprint\' style=\'display:inline-block\'>\\$1</pre></code>");' : '';
		$katex = isset($_POST['katex']) ? '$config[\'katex\'] = true;$config[\'additional_javascript\'][] = \'js/katex/katex.min.js\'; $config[\'markup\'][] = array("/\\[tex\\](.+?)\\[\\/tex\\]/ms", "<span class=\'tex\'>\\$1</span>"); $config[\'additional_javascript\'][] = \'js/katex-enable.js\';' : '';
		// The literal 'flags.php' here is rewritten to "{$b}/flags.php" just before eval() below.
		$user_flags = isset($_POST['user_flags']) ? "if (file_exists('{$b}/flags.php')) { include 'flags.php'; }\n" : '';
		$captcha = isset($_POST['captcha']) ? 'true' : 'false';
		$force_subject_op = isset($_POST['force_subject_op']) ? 'true' : 'false';
		$force_flag = isset($_POST['force_flag']) ? 'true' : 'false';
		$tor_posting = isset($_POST['tor_posting']) ? 'true' : 'false';
		$tor_image_posting = isset($_POST['tor_image_posting']) ? 'true' : 'false';
		$robot_enable = isset($_POST['robot_enable']) ? 'true' : 'false';
		$new_thread_capt = isset($_POST['new_thread_capt']) ? 'true' : 'false';
		$oekaki = ($imgboard || $fileboard) && isset($_POST['oekaki']) ? 'true' : 'false';
		$view_bumplock = isset($_POST['view_bumplock']) ? '-1' : 'MOD';

		if ($tor_image_posting === 'true' && isset($_POST['meta_noindex'])) {
			error('Please index your board to enable this.');
		}

		// Locale is only interpolated when it appears in the on-disk allow-list.
		if ($_POST['locale'] !== 'en' && in_array($_POST['locale'], $possible_languages)) {
			$locale = "\$config['locale'] = '{$_POST['locale']}.UTF-8';";
		} else {
			$locale = '';
		}

		// max_images is cast to int (1..5) before interpolation.
		if (isset($_POST['max_images']) && (int) $_POST['max_images'] && (int) $_POST['max_images'] <= 5) {
			$_POST['max_images'] = (int) $_POST['max_images'];
			$multiimage = "\$config['max_images'] = {$_POST['max_images']};\n\t\t\t\t\t \$config['additional_javascript'][] = 'js/multi-image.js';";
		} else {
			$multiimage = '';
		}

		if (isset($_POST['custom_assets'])) {
			$assets = "\$config['custom_assets'] = true;\n\t\t\t\t \$config['spoiler_image'] = 'static/assets/{$b}/spoiler.png';\n\t\t\t\t \$config['image_deleted'] = 'static/assets/{$b}/deleted.png';\n\t\t\t\t \$config['no_file_image'] = 'static/assets/{$b}/no-file.png';\n\t\t\t\t";
		} else {
			$assets = '';
		}

		$file_board = '';
		if ($fileboard) {
			// Boolean true here (not the string 'true'); it interpolates as "1" in the config.
			$force_image_op = true;
			$file_board = "\$config['threads_per_page'] = 30;\n\t\t\t\t\t \$config['file_board'] = true;\n\t\t\t\t\t \$config['threads_preview'] = 0;\n\t\t\t\t \$config['threads_preview_sticky'] = 0;\n\t\t\t\t\t \$config['allowed_ext_files'] = array();\n";
			// Extensions are allow-listed against $config['fileboard_allowed_types'] before interpolation.
			if (isset($_POST['allowed_type'])) {
				foreach ($_POST['allowed_type'] as $val) {
					if (in_array($val, $config['fileboard_allowed_types'])) {
						$file_board .= "\$config['allowed_ext_files'][] = '{$val}';\n";
					}
				}
			}
			if (isset($_POST['allowed_ext_op'])) {
				$file_board .= "\$config['allowed_ext_op'] = \$config['allowed_ext_files'];\n";
				if (isset($_POST['allowed_ext_op_video'])) {
					$file_board .= "\$config['allowed_ext_op'][] = 'webm';\n\t\t\t\t\t\t\t\t\$config['allowed_ext_op'][] = 'mp4';\n";
				}
			}
			// Free-text tag ids/descriptions are base64-wrapped so arbitrary bytes cannot
			// break out of the generated PHP source.
			if (isset($_POST['tag_id'])) {
				$file_board .= "\$config['allowed_tags'] = array();\n";
				foreach ($_POST['tag_id'] as $id => $v) {
					$file_board .= "\$config['allowed_tags'][";
					$file_board .= 'base64_decode("';
					$file_board .= base64_encode($_POST['tag_id'][$id]);
					$file_board .= '")';
					$file_board .= "] = ";
					$file_board .= 'base64_decode("';
					$file_board .= base64_encode($_POST['tag_desc'][$id]);
					$file_board .= '")';
					$file_board .= ";\n";
				}
			}
		}

		$anal_filenames = $fileboard && isset($_POST['anal_filenames']) ? "\$config['filename_func'] = 'filename_func';\n" : '';

		// Free-text values are base64-encoded for the same reason as the tags above;
		// the blotter is additionally HTML-purified since it is rendered as markup.
		$anonymous = base64_encode($_POST['anonymous']);
		$blotter = base64_encode(purify_html(html_entity_decode($_POST['blotter'])));

		// Optional per-board extra config from disk; appended verbatim to the generated
		// file and therefore eval()'d. Errors are suppressed so a missing file yields false/''.
		$add_to_config = @file_get_contents($b . '/extra_config.php');

		$replace = '';
		if (isset($_POST['replace'])) {
			if (sizeof($_POST['replace']) > 200 || sizeof($_POST['with']) > 200) {
				error(_('Sorry, max 200 wordfilters allowed.'));
			}
			if (count($_POST['replace']) == count($_POST['with'])) {
				foreach ($_POST['replace'] as $i => $r) {
					if ($r !== '') {
						$w = $_POST['with'][$i];
						// NOTE(review): only the replacement is length-checked; the pattern $r is not.
						if (strlen($w) > 255) {
							error(sprintf(_('Sorry, %s is too long. Max replacement is 255 characters'), utf8tohtml($w)));
						}
						$replace .= '$config[\'wordfilters\'][] = array(base64_decode(\'' . base64_encode($r) . '\'), base64_decode(\'' . base64_encode($w) . '\'));';
					}
				}
			}
			// Reject filter chains that feed into each other (expansion bombs).
			if (is_billion_laughs($_POST['replace'], $_POST['with'])) {
				error(_('Wordfilters may not wordfilter previous wordfilters. For example, if a filters to bb and b filters to cc, that is not allowed.'));
			}
		}

		// Numeric limits: each is int-cast and clamped to a fixed range, falling back
		// to a default when out of range or absent.
		if (isset($_POST['hour_max_threads']) && (int) $_POST['hour_max_threads'] > 0 && (int) $_POST['hour_max_threads'] < 101) {
			$hour_max_threads = (int) $_POST['hour_max_threads'];
		} else {
			$hour_max_threads = 'false';
		}

		if (isset($_POST['max_pages'])) {
			$mp = (int) $_POST['max_pages'];
			if ($mp > 25 || $mp < 1) {
				$max_pages = 15;
			} else {
				$max_pages = $mp;
			}
		} else {
			$max_pages = 15;
		}

		if (isset($_POST['reply_limit'])) {
			$rl = (int) $_POST['reply_limit'];
			if ($rl > 750 || $rl < 250 || $rl % 25) {
				$reply_limit = 250;
			} else {
				$reply_limit = $rl;
			}
		} else {
			$reply_limit = 250;
		}

		if (isset($_POST['max_newlines'])) {
			$mn = (int) $_POST['max_newlines'];
			if ($mn < 20 || $mn > 300) {
				$max_newlines = 0;
			} else {
				$max_newlines = $mn;
			}
		} else {
			$max_newlines = 0;
		}

		if (isset($_POST['min_body'])) {
			$mb = (int) $_POST['min_body'];
			if ($mb < 0 || $mb > 1024) {
				$min_body = 0;
			} else {
				$min_body = $mb;
			}
		} else {
			$min_body = 0;
		}

		// Title/subtitle are length-limited and stored only through bound parameters;
		// they are not interpolated into the generated config.
		if (!(strlen($title) < 40)) {
			error('Invalid title');
		}
		if (!(strlen($subtitle) < 200)) {
			error('Invalid subtitle');
		}

		$query = prepare('UPDATE ``boards`` SET `title` = :title, `subtitle` = :subtitle, `indexed` = :indexed, `public_bans` = :public_bans, `public_logs` = :public_logs, `8archive` = :8archive WHERE `uri` = :uri');
		$query->bindValue(':title', $title);
		$query->bindValue(':subtitle', $subtitle);
		$query->bindValue(':uri', $b);
		$query->bindValue(':indexed', !isset($_POST['meta_noindex']));
		$query->bindValue(':public_bans', isset($_POST['public_bans']));
		$query->bindValue(':public_logs', (int) $_POST['public_logs']);
		$query->bindValue(':8archive', isset($_POST['8archive']));
		$query->execute() or error(db_error($query));

		// The generated board config. Everything interpolated here is either a
		// constant literal chosen above, an int-cast/allow-listed value, a
		// base64-wrapped string, or the extra_config.php contents read from disk.
		$config_file = <<<EOT
<?php
\$config['country_flags'] = {$country_flags};
\$config['field_disable_name'] = {$field_disable_name};
\$config['enable_embedding'] = {$enable_embedding};
\$config['force_image_op'] = {$force_image_op};
\$config['disable_images'] = {$disable_images};
\$config['poster_ids'] = {$poster_ids};
\$config['show_sages'] = {$show_sages};
\$config['auto_unicode'] = {$auto_unicode};
\$config['strip_combining_chars'] = {$strip_combining_chars};
\$config['allow_roll'] = {$allow_roll};
\$config['image_reject_repost'] = {$image_reject_repost};
\$config['image_reject_repost_in_thread'] = {$image_reject_repost_in_thread};
\$config['early_404'] = {$early_404};
\$config['allow_delete'] = {$allow_delete};
\$config['anonymous'] = base64_decode('{$anonymous}');
\$config['blotter'] = base64_decode('{$blotter}');
\$config['stylesheets']['Custom'] = 'board/{$b}.css';
\$config['default_stylesheet'] = array('Custom', \$config['stylesheets']['Custom']);
\$config['captcha']['enabled'] = {$captcha};
\$config['force_subject_op'] = {$force_subject_op};
\$config['force_flag'] = {$force_flag};
\$config['tor_posting'] = {$tor_posting};
\$config['tor_image_posting'] = {$tor_image_posting};
\$config['robot_enable'] = {$robot_enable};
\$config['new_thread_capt'] = {$new_thread_capt};
\$config['hour_max_threads'] = {$hour_max_threads};
\$config['reply_limit'] = {$reply_limit};
\$config['max_pages'] = {$max_pages};
\$config['max_newlines'] = {$max_newlines};
\$config['oekaki'] = {$oekaki};
\$config['min_body'] = {$min_body};
\$config['mod']['view_bumplock'] = {$view_bumplock};
{$code_tags}
{$katex}
{$replace}
{$multiimage}
{$allow_flash}
{$allow_pdf}
{$user_flags}
{$assets}
{$locale}
{$anal_filenames}
{$file_board}
if (\$config['disable_images'])
	\$config['max_pages'] = 10000;
{$add_to_config}
EOT;

		// Clean up our CSS...no more expression() or off-site URLs.
		// NOTE(review): this is a single-pass strip, not a reject; stripping is not
		// idempotent on overlapping input, so rejecting with error() (as is done for
		// off-site links below) would be the more robust choice.
		$clean_css = preg_replace('/expression\\s*\\(/', '', $_POST['css']);

		$matched = array();
		preg_match_all("#{$config['link_regex']}#im", $clean_css, $matched);
		if (isset($matched[0])) {
			foreach ($matched[0] as $match) {
				$match_okay = false;
				// NOTE(review): strpos() is a substring test anywhere in the URL, not a
				// prefix/host check — confirm that is the intended allow-list semantics.
				foreach ($config['allowed_offsite_urls'] as $allowed_url) {
					if (strpos($match, $allowed_url) !== false && strpos($match, '#') === false && strpos($match, '?') === false && strpos($match, ';') === false) {
						$match_okay = true;
					}
				}
				if ($match_okay !== true) {
					error(sprintf(_("Off-site link \"%s\" is not allowed in the board stylesheet"), $match));
				}
			}
		}

		//Filter out imports from sites with potentially unsafe content
		$match_imports = '@import[^;]*';
		$matched = array();
		preg_match_all("#{$match_imports}#im", $clean_css, $matched);
		$unsafe_import_urls = array('https://a.pomf.se/');
		if (isset($matched[0])) {
			foreach ($matched[0] as $match) {
				$match_okay = true;
				foreach ($unsafe_import_urls as $unsafe_import_url) {
					if (strpos($match, $unsafe_import_url) !== false && strpos($match, '#') === false) {
						$match_okay = false;
					}
				}
				if ($match_okay !== true) {
					error(sprintf(_("Potentially unsafe import \"%s\" is not allowed in the board stylesheet"), $match));
				}
			}
		}

		$query = query('SELECT `uri`, `title`, `subtitle` FROM ``boards`` WHERE `8archive` = TRUE');
		file_write('8archive.json', json_encode($query->fetchAll(PDO::FETCH_ASSOC)));

		file_write($b . '/config.php', $config_file);
		file_write('stylesheets/board/' . $b . '.css', $clean_css);

		// Keep the pre-edit config to diff against after eval() so only the
		// changes that affect rendered pages trigger a rebuild.
		$_config = $config;
		unset($config['wordfilters']);

		// Faster than openBoard and bypasses cache...we're trusting the PHP output
		// to be safe enough to run with every request, we can eval it here.
		// The '/^\<\?php$/m' strip relies on "<?php" being on its own line in the heredoc.
		eval(str_replace('flags.php', "{$b}/flags.php", preg_replace('/^\\<\\?php$/m', '', $config_file)));

		// czaks: maybe reconsider using it, now that config is cached?
		// be smarter about rebuilds...only some changes really require us to rebuild all threads
		if ($_config['captcha']['enabled'] != $config['captcha']['enabled'] || $_config['new_thread_capt'] != $config['new_thread_capt'] || $_config['captcha']['extra'] != $config['captcha']['extra'] || $_config['blotter'] != $config['blotter'] || $_config['field_disable_name'] != $config['field_disable_name'] || $_config['show_sages'] != (isset($config['show_sages']) && $config['show_sages'])) {
			buildIndex();

			// Table name is built from $b; see the trust note on $b above.
			$query = query(sprintf("SELECT `id` FROM ``posts_%s`` WHERE `thread` IS NULL", $b)) or error(db_error());
			while ($post = $query->fetch(PDO::FETCH_ASSOC)) {
				buildThread($post['id']);
			}
		}

		modLog('Edited board settings', $b);
	}

	$query = prepare('SELECT * FROM boards WHERE uri = :board');
	$query->bindValue(':board', $b);
	$query->execute() or error(db_error($query));
	$board = $query->fetchAll()[0];

	// Clean the cache
	if ($config['cache']['enabled']) {
		cache::delete('board_' . $board['uri']);
		cache::delete('all_boards');
		cache::delete('config_' . $board['uri']);
		cache::delete('events_' . $board['uri']);
		// Not suppressed: emits a warning when no locale cache file exists yet.
		unlink('tmp/cache/locale_' . $board['uri']);
	}

	// Suppressed so a board without a custom stylesheet renders an empty textarea.
	$css = @file_get_contents('stylesheets/board/' . $board['uri'] . '.css');

	mod_page(_('Board configuration'), 'mod/settings.html', array('board' => $board, 'css' => prettify_textarea($css), 'token' => make_secure_link_token('settings/' . $board['uri']), 'languages' => $possible_languages, 'allowed_urls' => $config['allowed_offsite_urls']));
}
/**
 * Sanitises an HTML fragment by delegating to purify_html().
 *
 * @param string $html Untrusted HTML
 * @return string The purified HTML
 */
function scrub_html($html) {
    // FIXME
    $scrubbed = purify_html($html);
    return $scrubbed;
}
/**
 * Test internal function used for clean_text() speedup.
 * @return void
 */
function test_is_purify_html_necessary() {
    // first our shortcuts: inputs the fast path recognises as already clean, so
    // purify_html() must also leave them untouched.
    $shortcuts = array(
        "",
        "666",
        "abc\ndef \" ' ",
        "abc\n<p>def</p>efg<p>hij</p>",
        "<br />abc\n<p>def<em>efg</em><strong>hi<br />j</strong></p>",
    );
    foreach ($shortcuts as $input) {
        $this->assertFalse(is_purify_html_necessary($input));
        $this->assertSame($input, purify_html($input));
    }

    // now failures: anything the fast path cannot vouch for must go through the purifier.
    $needspurify = array(
        " ",
        "Gin & Tonic",
        "Gin > Tonic",
        "Gin < Tonic",
        "<div>abc</div>",
        "<span>abc</span>",
        "<br>abc",
        "<p class='xxx'>abc</p>",
        "<p>abc<em></p></em>",
        "<p>abc",
    );
    foreach ($needspurify as $input) {
        $this->assertTrue(is_purify_html_necessary($input));
    }
}
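/**
 * Find project objects in commit message, make them links and
 * save the relations to database
 *
 * The message is HTML-escaped before the generated links are spliced in, so
 * only the anchors built here end up as markup in the return value.
 *
 * @param string $commit_message
 * @param string $commit_author
 * @param integer $revision
 * @param Repository $repository
 * @param Project $project
 * @return string
 */
function analyze_message($commit_message, $commit_author, $revision, $repository, $project) {
    // defined() (not define()) — the original called define() with one argument,
    // which never enables the purify step and errors on PHP 8.
    if (defined('PURIFY_HTML') && PURIFY_HTML) {
        $commit_message = purify_html($commit_message); // Clean!
    } // if

    // Matches e.g. "ticket #12", "completed task 7", "milestones 3".
    $pattern = '/((complete[d]*)[\\s]+)?(ticket|milestone|discussion|task)[s]*[\\s]+[#]*\\d+/i';
    if (preg_match_all($pattern, $commit_message, $matches)) {
        $i = 0;
        $search = array();
        $replace = array();

        $matches_unique = array_unique($matches['0']);
        foreach ($matches_unique as $match) {
            // -1 means "no limit"; passing null is deprecated on PHP 8.
            $match_data = preg_split('/[\\s,]+/', $match, -1, PREG_SPLIT_NO_EMPTY);

            // check if the object got completed by this commit
            $object_completed = false;
            if (strpos(strtolower($match_data['0']), 'complete') !== false) {
                $object_completed = true;
                unset($match_data['0']);
                $match_data = array_values($match_data);
            } // if

            $object_class_name = $match_data['0'];
            $module_name = Inflector::pluralize($object_class_name);
            $object_id = trim($match_data['1'], '#');

            if (class_exists($module_name) && class_exists($object_class_name)) {
                // Only record the search term once a replacement is guaranteed, so
                // $search and $replace stay aligned for str_ireplace() below.
                $search[$i] = $match;

                $object = null;
                switch (strtolower($module_name)) {
                    case 'tickets':
                        $object = Tickets::findByTicketId($project, $object_id);
                        break;
                    case 'discussions':
                        $object = Discussions::findById($object_id);
                        break;
                    case 'milestones':
                        $object = Milestones::findById($object_id);
                        break;
                    case 'tasks':
                        $object = Tasks::findById($object_id);
                        break;
                } // switch

                if (instance_of($object, $object_class_name)) {
                    // NOTE(review): the condition is built by string concatenation; $revision is
                    // documented as an integer and getId() comes from the ORM, so both are
                    // expected to be numeric — confirm callers never pass a free-form revision.
                    $link_already_created = CommitProjectObjects::count("object_id = '" . $object->getId() . "' AND revision = '{$revision}'") > 0;
                    if (!$link_already_created) {
                        $comit_project_object = new CommitProjectObject();
                        $comit_project_object->setProjectId($object->getProjectId());
                        $comit_project_object->setObjectId($object->getId());
                        $comit_project_object->setObjectType(ucfirst($object_class_name));
                        $comit_project_object->setRepositoryId($repository->getId());
                        $comit_project_object->setRevision($revision);

                        db_begin_work();
                        $save = $comit_project_object->save();
                        if ($save && !is_error($save)) {
                            db_commit();
                        } else {
                            db_rollback();
                        } // if save
                    } // if

                    $replace[$i] = ($object_completed ? 'Completed ' : '') . '<a href="' . $object->getViewUrl() . '">' . $match_data['0'] . ' ' . $match_data['1'] . '</a>';

                    // set the object as completed
                    if ($object_completed && !instance_of($object, 'Discussion')) {
                        $completed_by = $repository->getMappedUser($commit_author);
                        $object->complete($completed_by);
                    } // if
                } else {
                    $replace[$i] = ($object_completed ? 'Completed ' : '') . '<a href="#" class="project_object_missing" title="' . lang('Project object does not exist in this project') . '">' . $match_data['0'] . ' ' . $match_data['1'] . '</a>';
                } // if instance_of

                $i++;
            } // if module loaded
        } // foreach

        // The whole message is escaped first; $search terms contain only letters,
        // digits, '#' and whitespace, which htmlspecialchars() leaves unchanged.
        return str_ireplace($search, $replace, htmlspecialchars($commit_message)); // linkify
    } // if preg_match

    return $commit_message;
}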
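/**
 * Queue the "work estimate" notification e-mails for a task.
 *
 * Renders the work_estimate notifier template in the assignee's locale and
 * queues a copy for the assigner and (when different) the assignee, then
 * restores the logged-in user's locale.
 *
 * @param ProjectTask $task
 * @return boolean true when no mail is sent because the task has no usable assignee
 */
function workEstimate(ProjectTask $task) {
    tpl_assign('task_assigned', $task);

    if (!$task->getAssignedTo() instanceof Contact) {
        return true; // not assigned to user
    }
    if (!is_valid_email($task->getAssignedTo()->getEmailAddress())) {
        return true;
    }

    // Render in the recipient's locale; the caller's locale is restored at the end.
    $locale = $task->getAssignedTo()->getLocale();
    Localization::instance()->loadSettings($locale, ROOT . '/language');

    tpl_assign('title', $task->getObjectName());
    tpl_assign('by', $task->getAssignedBy()->getObjectName());
    tpl_assign('asigned', $task->getAssignedTo()->getObjectName());

    // Rich-text descriptions are purified before going into the mail body;
    // plain-text ones are escaped.
    $text = "";
    if (config_option("wysiwyg_tasks")) {
        $text = purify_html(nl2br($task->getDescription()));
    } else {
        $text = escape_html_whitespace($task->getDescription());
    }
    tpl_assign('description', $text); //descripction
    tpl_assign('description_title', lang("new task work estimate to you desc", $task->getObjectName(), $task->getAssignedBy()->getObjectName())); //description_title

    //priority
    if ($task->getPriority()) {
        if ($task->getPriority() >= ProjectTasks::PRIORITY_URGENT) {
            $priorityColor = "#FF0000";
            $priority = lang('urgent priority');
        } elseif ($task->getPriority() >= ProjectTasks::PRIORITY_HIGH) {
            $priorityColor = "#FF9088";
            $priority = lang('high priority');
        } elseif ($task->getPriority() <= ProjectTasks::PRIORITY_LOW) {
            $priorityColor = "white";
            $priority = lang('low priority');
        } else {
            $priorityColor = "#DAE3F0";
            $priority = lang('normal priority');
        }
        tpl_assign('priority', array($priority, $priorityColor));
    }

    //context
    $contexts = array();
    $members = $task->getMembers();
    if (count($members) > 0) {
        foreach ($members as $member) {
            $dim = $member->getDimension();
            if ($dim->getIsManageable()) {
                /* @var $member Member */
                $parent_members = $member->getAllParentMembersInHierarchy();
                $parents_str = '';
                foreach ($parent_members as $pm) {
                    /* @var $pm Member */
                    if (!$pm instanceof Member) {
                        continue;
                    }
                    $parents_str .= '<span style="' . get_workspace_css_properties($pm->getMemberColor()) . '">' . $pm->getName() . '</span>';
                }
                if ($dim->getCode() == "customer_project" || $dim->getCode() == "customers") {
                    $obj_type = ObjectTypes::findById($member->getObjectTypeId());
                    if ($obj_type instanceof ObjectType) {
                        $contexts[$dim->getCode()][$obj_type->getName()][] = $parents_str . '<span style="' . get_workspace_css_properties($member->getMemberColor()) . '">' . $member->getName() . '</span>';
                    }
                } else {
                    $contexts[$dim->getCode()][] = $parents_str . '<span style="' . get_workspace_css_properties($member->getMemberColor()) . '">' . $member->getName() . '</span>';
                }
            }
        }
    }
    tpl_assign('contexts', $contexts); //workspaces

    //start date, due date or start
    if ($task->getStartDate() instanceof DateTimeValue) {
        $date = Localization::instance()->formatDescriptiveDate($task->getStartDate(), $task->getAssignedTo()->getTimezone());
        $time = Localization::instance()->formatTime($task->getStartDate(), $task->getAssignedTo()->getTimezone());
        if ($time > 0) {
            $date .= " " . $time;
        }
        tpl_assign('start_date', $date); //start_date
    }
    if ($task->getDueDate() instanceof DateTimeValue) {
        $date = Localization::instance()->formatDescriptiveDate($task->getDueDate(), $task->getAssignedTo()->getTimezone());
        $time = Localization::instance()->formatTime($task->getDueDate(), $task->getAssignedTo()->getTimezone());
        if ($time > 0) {
            $date .= " " . $time;
        }
        tpl_assign('due_date', $date); //due_date
    }

    // Company logo, written to a temp file and attached inline when available.
    $attachments = array();
    try {
        $content = FileRepository::getBackend()->getFileContent(owner_company()->getPictureFile());
        if ($content) {
            $file_path = ROOT . "/tmp/logo_empresa.png";
            $handle = fopen($file_path, 'wb');
            if ($handle) {
                fwrite($handle, $content);
                fclose($handle);
                $attachments['logo'] = array(
                    'cid' => gen_id() . substr($task->getAssignedBy()->getEmailAddress(), strpos($task->getAssignedBy()->getEmailAddress(), '@')),
                    'path' => $file_path,
                    'type' => 'image/png',
                    'disposition' => 'inline',
                    'name' => 'logo_empresa.png',
                );
            }
        }
    } catch (FileNotInRepositoryError $e) {
        unset($attachments['logo']);
    }
    tpl_assign('attachments', $attachments); // attachments

    //ALL SUBSCRIBERS
    if ($task->getSubscribers()) {
        $subscribers = $task->getSubscribers();
        $string_subscriber = '';
        $total_s = count($subscribers);
        $c = 0;
        foreach ($subscribers as $subscriber) {
            $c++;
            if ($c == $total_s && $total_s > 1) {
                $string_subscriber .= lang('and');
            } else {
                if ($c > 1) {
                    $string_subscriber .= ", ";
                }
            }
            $string_subscriber .= $subscriber->getFirstName();
            if ($subscriber->getSurname() != "") {
                $string_subscriber .= " " . $subscriber->getSurname();
            }
        }
        tpl_assign('subscribers', $string_subscriber); // subscribers
    }

    // Initialised up front: the original left $emails undefined when every
    // recipient was disabled, and then passed the undefined variable to queueEmails().
    $emails = array();
    if ($task->getAssignedById() == $task->getAssignedToContactId()) {
        if (!$task->getAssignedBy()->getDisabled()) {
            $emails[] = array(
                "to" => array(self::prepareEmailAddress($task->getAssignedBy()->getEmailAddress(), $task->getAssignedBy()->getObjectName())),
                "from" => self::prepareEmailAddress($task->getUpdatedBy()->getEmailAddress(), $task->getUpdatedByDisplayName()),
                "subject" => lang('work estimate title'),
                "body" => tpl_fetch(get_template_path('work_estimate', 'notifier')),
                "attachments" => $attachments,
            );
        }
    } else {
        if (!$task->getAssignedBy()->getDisabled()) {
            $emails[] = array(
                "to" => array(self::prepareEmailAddress($task->getAssignedBy()->getEmailAddress(), $task->getAssignedBy()->getObjectName())),
                "from" => self::prepareEmailAddress($task->getUpdatedBy()->getEmailAddress(), $task->getUpdatedByDisplayName()),
                "subject" => lang('work estimate title'),
                "body" => tpl_fetch(get_template_path('work_estimate', 'notifier')),
                "attachments" => $attachments,
            );
        }
        if (!$task->getAssignedTo()->getDisabled()) {
            $emails[] = array(
                "to" => array(self::prepareEmailAddress($task->getAssignedTo()->getEmailAddress(), $task->getAssignedTo()->getObjectName())),
                "from" => self::prepareEmailAddress($task->getUpdatedBy()->getEmailAddress(), $task->getUpdatedByDisplayName()),
                "subject" => lang('work estimate title'),
                "body" => tpl_fetch(get_template_path('work_estimate', 'notifier')),
                "attachments" => $attachments,
            );
        }
    }
    self::queueEmails($emails);

    // Restore the locale of the user who triggered the notification.
    $locale = logged_user() instanceof Contact ? logged_user()->getLocale() : DEFAULT_LOCALIZATION;
    Localization::instance()->loadSettings($locale, ROOT . '/language');
}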
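/**
 * Filter user-supplied content before it is stored, according to its declared type.
 *
 * Everything except text/html is tag-escaped. text/html is only passed through
 * unmodified for system requests or for the channel owner when the account or
 * channel carries the ALLOWCODE flag; otherwise it is run through purify_html().
 *
 * @param int $channel_id Channel the content belongs to
 * @param string $s Raw content
 * @param string $type MIME type of $s
 * @return string Escaped, purified or (for trusted code) unmodified content
 */
function z_input_filter($channel_id, $s, $type = 'text/bbcode') {
    // Strict comparison throughout: the original mixed === and == in this dispatch.
    if (in_array($type, array('text/bbcode', 'text/markdown', 'text/plain', 'application/x-pdl'), true)) {
        return escape_tags($s);
    }

    $a = get_app();
    // Internal (system) processing is trusted and gets the content unchanged.
    if ($a->is_sys) {
        return $s;
    }

    $r = q("select account_id, account_roles, channel_pageflags from account left join channel on channel_account_id = account_id where channel_id = %d limit 1", intval($channel_id));
    if ($r) {
        // Raw code is only allowed when the flag is set AND the current login owns the account.
        if (($r[0]['account_roles'] & ACCOUNT_ROLE_ALLOWCODE) || ($r[0]['channel_pageflags'] & PAGE_ALLOWCODE)) {
            if (local_channel() && get_account_id() == $r[0]['account_id']) {
                return $s;
            }
        }
    }

    if ($type === 'text/html') {
        return purify_html($s);
    }

    // Unknown types fall back to escaping, never to raw output.
    return escape_tags($s);
}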
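/**
 * Computes the edit script turning $from_lines into $to_lines.
 *
 * Each line is purified and a fixed set of HTML tags is stripped before
 * comparison. Common leading/trailing lines are skipped, lines not present
 * in both inputs are marked changed, and the LCS of the remainder is found
 * via _compareseq(). Uses the xchanged/ychanged/xv/yv/xind/yind members.
 *
 * @param array $from_lines
 * @param array $to_lines
 * @return array List of _WikiDiffOp_* edit operations
 */
function diff($from_lines, $to_lines) {
    // remove HTML Tags (nadavkav)
    $removethesetags = array("<br />", "<hr />", "<p>", "</p>", "<div>", "</div>", "<font>", "</font>", "<strong>", "</strong>", "<h2>", "</h2>", "<h1>", "</h1>", "<span>", "</span>", "<h3>", "</h3>", "<a>", "</a>", "<em>", "</em>");

    // Initialised so an empty input yields an empty array rather than an
    // undefined variable (which made sizeof() below misbehave).
    $from_lines_clean = array();
    $to_lines_clean = array();
    foreach ($from_lines as $fromline) {
        $from_lines_clean[] = str_replace($removethesetags, "", purify_html($fromline));
    }
    foreach ($to_lines as $toline) {
        $to_lines_clean[] = str_replace($removethesetags, "", purify_html($toline));
    }
    unset($from_lines);
    $from_lines = $from_lines_clean;
    unset($to_lines);
    $to_lines = $to_lines_clean;

    $n_from = sizeof($from_lines);
    $n_to = sizeof($to_lines);

    $this->xchanged = $this->ychanged = array();
    $this->xv = $this->yv = array();
    $this->xind = $this->yind = array();
    unset($this->seq);
    unset($this->in_seq);
    unset($this->lcs);

    // Skip leading common lines.
    for ($skip = 0; $skip < $n_from && $skip < $n_to; $skip++) {
        if ($from_lines[$skip] != $to_lines[$skip]) {
            break;
        }
        $this->xchanged[$skip] = $this->ychanged[$skip] = false;
    }

    // Skip trailing common lines.
    $xi = $n_from;
    $yi = $n_to;
    for ($endskip = 0; --$xi > $skip && --$yi > $skip; $endskip++) {
        if ($from_lines[$xi] != $to_lines[$yi]) {
            break;
        }
        $this->xchanged[$xi] = $this->ychanged[$yi] = false;
    }

    // Ignore lines which do not exist in both files.
    // $xhash/$yhash are only ever read through empty(), so they may stay unset.
    for ($xi = $skip; $xi < $n_from - $endskip; $xi++) {
        $xhash[$from_lines[$xi]] = 1;
    }
    for ($yi = $skip; $yi < $n_to - $endskip; $yi++) {
        $line = $to_lines[$yi];
        if ($this->ychanged[$yi] = empty($xhash[$line])) {
            continue;
        }
        $yhash[$line] = 1;
        $this->yv[] = $line;
        $this->yind[] = $yi;
    }
    for ($xi = $skip; $xi < $n_from - $endskip; $xi++) {
        $line = $from_lines[$xi];
        if ($this->xchanged[$xi] = empty($yhash[$line])) {
            continue;
        }
        $this->xv[] = $line;
        $this->xind[] = $xi;
    }

    // Find the LCS.
    $this->_compareseq(0, sizeof($this->xv), 0, sizeof($this->yv));

    // Merge edits when possible
    $this->_shift_boundaries($from_lines, $this->xchanged, $this->ychanged);
    $this->_shift_boundaries($to_lines, $this->ychanged, $this->xchanged);

    // Compute the edit operations.
    $edits = array();
    $xi = $yi = 0;
    while ($xi < $n_from || $yi < $n_to) {
        USE_ASSERTS_IN_WIKI && assert($yi < $n_to || $this->xchanged[$xi]);
        USE_ASSERTS_IN_WIKI && assert($xi < $n_from || $this->ychanged[$yi]);

        // Skip matching "snake".
        $copy = array();
        while ($xi < $n_from && $yi < $n_to && !$this->xchanged[$xi] && !$this->ychanged[$yi]) {
            $copy[] = $from_lines[$xi++];
            ++$yi;
        }
        if ($copy) {
            $edits[] = new _WikiDiffOp_Copy($copy);
        }

        // Find deletes & adds.
        $delete = array();
        while ($xi < $n_from && $this->xchanged[$xi]) {
            $delete[] = $from_lines[$xi++];
        }
        $add = array();
        while ($yi < $n_to && $this->ychanged[$yi]) {
            $add[] = $to_lines[$yi++];
        }

        if ($delete && $add) {
            $edits[] = new _WikiDiffOp_Change($delete, $add);
        } elseif ($delete) {
            $edits[] = new _WikiDiffOp_Delete($delete);
        } elseif ($add) {
            $edits[] = new _WikiDiffOp_Add($add);
        }
    }
    return $edits;
}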
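/**
 * Cleans raw text removing nasties.
 *
 * Given raw text (eg typed in by a user) this function cleans it up and removes any nasty tags that could mess up
 * Moodle pages through XSS attacks.
 *
 * The result must be used as a HTML text fragment, this function can not cleanup random
 * parts of html tags such as url or src attributes.
 *
 * NOTE: the format parameter was deprecated because we can safely clean only HTML.
 *
 * @param string $text The text to be cleaned
 * @param int|string $format deprecated parameter, should always contain FORMAT_HTML or FORMAT_MOODLE
 * @param array $options Array of options; currently only option supported is 'allowid' (if true,
 *   does not remove id attributes when cleaning)
 * @return string The cleaned up text
 */
function clean_text($text, $format = FORMAT_HTML, $options = array()) {
    $text = (string) $text;

    // The original compared against FORMAT_HTML twice; the docblock names
    // FORMAT_MOODLE as the other accepted value. The body stays a no-op.
    if ($format != FORMAT_HTML and $format != FORMAT_MOODLE) {
        // TODO: we need to standardise cleanup of text when loading it into editor first.
        // debugging('clean_text() is designed to work only with html');.
    }

    if ($format == FORMAT_PLAIN) {
        return $text;
    }

    // Fast path: skip the purifier for text that cannot contain markup.
    if (is_purify_html_necessary($text)) {
        $text = purify_html($text, $options);
    }

    // Originally we tried to neutralise some script events here, it was a wrong approach because
    // it was trivial to work around that (for example using style based XSS exploits).
    // We must not give false sense of security here - all developers MUST understand how to use
    // rawurlencode(), htmlentities(), htmlspecialchars(), p(), s(), moodle_url, html_writer and friends!!!

    return $text;
}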
<p><b><?php echo lang('assigned to') ?>:</b> <?php echo clean($task->getAssignedToName()) ?></p> <?php } // if ?> <?php if ($task->getMilestone() instanceof ProjectMilestone) { ?> <p><b><?php echo lang('milestone') ?>:</b> <?php echo clean($task->getMilestone()->getObjectName()) ?></p> <?php } // if ?> <?php if ($task->getText() != '') { ?> <p><b><?php echo lang('description') ?>:</b></p> <div style="margin-left:14px;padding:6px;border:1px solid #AAA"> <?php if($task->getTypeContent() == "text"){ echo escape_html_whitespace(convert_to_links(clean($task->getText()))); }else{ echo purify_html(nl2br($task->getText())); } ?> </div> <?php } // if ?> <?php $hasIncompleteSubtasks = is_array($task->getOpenSubTasks()) && count($task->getOpenSubTasks()) > 0; $hasCompletedSubtasks = is_array($task->getCompletedSubTasks()) && count($task->getCompletedSubTasks()) > 0; if ($hasIncompleteSubtasks || $hasCompletedSubtasks) { ?> <div style="margin-bottom:0px;margin-top:20px"><img src="public/assets/themes/default/images/16x16/tasks.png"/> <b><?php echo lang('subtasks') ?>:</b></div> <ul style="margin-top:2px"> <?php if ($hasIncompleteSubtasks) { $otArray = $task->getOpenSubTasks(); foreach ($otArray as $ot){
} if($email->getBodyHtml() != ''){ if (defined('SANDBOX_URL')) { $html_content = $email->getBodyHtml(); // prevent some outlook malformed tags if(substr_count($html_content, "<style") != substr_count($html_content, "</style>") && substr_count($html_content, "/* Font Definitions */") >= 1) { $p1 = strpos($html_content, "/* Font Definitions */", 0); $html_content1 = substr($html_content, 0, $p1); $p0 = strrpos($html_content1, "</style>"); $html_content = ($p0 >= 0 ? substr($html_content1, 0, $p0) : $html_content1) . substr($html_content, $p1); $html_content = str_replace_first("/* Font Definitions */","<style>",$html_content); } } else { $html_content = purify_html($email->getBodyHtml()); } if (strpos($html_content, "<html") === false) { if (strpos($html_content, "<body") === false) { $html_content = "<body>" . $html_content . "</body>"; } if (strpos($html_content, "<head") === false) { $html_content = "<head></head>" . $html_content; } $html_content = "<html>" . $html_content . "</html>"; } //$html_content = convert_to_links($html_content); // commented because it can break HTML (e.g. if an URL or email is found on the title of an element) // links must open in a new tab or window $html_content = preg_replace('/<a\s/', '<a target="_blank" ', $html_content); //remove attributes from body
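/**
 * Sanitizes one feed value according to its SimplePie construct type.
 *
 * Processing order: trim, optional base64 decode, HTML/text detection for
 * MAYBE_HTML values, absolutization + PARAM_URL cleaning for IRIs,
 * entity escaping for text/IRI values, purify_html() on everything,
 * wrapper <div> handling, and finally conversion to the output encoding.
 *
 * @param string $data the raw value taken from the feed
 * @param int $type bitmask of SIMPLEPIE_CONSTRUCT_* flags describing $data
 * @param string $base base URL used when absolutizing a relative IRI
 * @return string the sanitized value; '' when the input is empty or whitespace only
 */
public function sanitize($data, $type, $base = '') {
    $data = trim($data);
    if ($data === '') {
        return '';
    }

    if ($type & SIMPLEPIE_CONSTRUCT_BASE64) {
        $data = base64_decode($data);
    }

    if ($type & SIMPLEPIE_CONSTRUCT_MAYBE_HTML) {
        // A value is treated as HTML only if it contains an entity or a closing tag; otherwise as text.
        if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\\/[A-Za-z][^\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\x2F\\x3E]*' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>)/', $data)) {
            $type |= SIMPLEPIE_CONSTRUCT_HTML;
        } else {
            $type |= SIMPLEPIE_CONSTRUCT_TEXT;
        }
    }

    if ($type & SIMPLEPIE_CONSTRUCT_IRI) {
        // Resolve relative links against $base first, then apply Moodle's URL cleaning.
        $absolute = $this->registry->call('Misc', 'absolutize_url', array($data, $base));
        if ($absolute !== false) {
            $data = $absolute;
        }
        $data = clean_param($data, PARAM_URL);
    }

    if ($type & (SIMPLEPIE_CONSTRUCT_TEXT | SIMPLEPIE_CONSTRUCT_IRI)) {
        // Text and IRIs are escaped so they cannot be interpreted as markup below.
        $data = htmlspecialchars($data, ENT_COMPAT, 'UTF-8');
    }

    // Every value, HTML or not, goes through the purifier.
    $data = purify_html($data);

    if ($this->remove_div) {
        $data = preg_replace('/^<div' . SIMPLEPIE_PCRE_XML_ATTRIBUTE . '>/', '', $data);
        $data = preg_replace('/<\\/div>$/', '', $data);
    } else {
        // Keep the wrapper but drop any attributes on it.
        $data = preg_replace('/^<div' . SIMPLEPIE_PCRE_XML_ATTRIBUTE . '>/', '<div>', $data);
    }

    if ($this->output_encoding !== 'UTF-8') {
        // textlib::convert() returns the converted string rather than modifying its argument;
        // the result must be assigned or the value is returned still UTF-8 encoded.
        $data = textlib::convert($data, 'UTF-8', $this->output_encoding);
    }

    return $data;
}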
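/**
 * Given raw text (eg typed in by a user), this function cleans it up
 * and removes any nasty tags that could mess up Moodle pages.
 *
 * NOTE: the format parameter was deprecated because we can safely clean only HTML.
 *
 * @param string $text The text to be cleaned
 * @param int $format deprecated parameter, should always contain FORMAT_HTML or FORMAT_MOODLE
 * @param array $options Array of options; currently only option supported is 'allowid' (if true,
 *   does not remove id attributes when cleaning)
 * @return string The cleaned up text
 */
function clean_text($text, $format = FORMAT_HTML, $options = array()) {
    global $ALLOWED_TAGS, $CFG;

    // Empty or purely numeric values cannot carry markup; return them as strings untouched.
    if (empty($text) or is_numeric($text)) {
        return (string) $text;
    }

    // The second operand used to repeat FORMAT_HTML, which made the check meaningless;
    // the docblock says the accepted values are FORMAT_HTML and FORMAT_MOODLE.
    if ($format != FORMAT_HTML and $format != FORMAT_MOODLE) {
        // TODO: we need to standardise cleanup of text when loading it into editor first
        //debugging('clean_text() is designed to work only with html');
    }

    if ($format == FORMAT_PLAIN) {
        // Plain text is returned verbatim, i.e. uncleaned; callers must not emit it as HTML.
        return $text;
    }

    if (!empty($CFG->enablehtmlpurifier)) {
        $text = purify_html($text, $options);
    } else {
        // Legacy path without HTML Purifier: entity normalisation, tag whitelist, attribute cleaning.
        /// Fix non standard entity notations
        $text = fix_non_standard_entities($text);

        /// Remove tags that are not allowed
        $text = strip_tags($text, $ALLOWED_TAGS);

        /// Clean up embedded scripts and , using kses
        $text = cleanAttributes($text);

        /// Again remove tags that are not allowed
        $text = strip_tags($text, $ALLOWED_TAGS);
    }

    // Remove potential script events - some extra protection for undiscovered bugs in our code.
    // "language=" and any "on...=" attribute name are prefixed with X so they no longer bind handlers.
    $text = preg_replace("~([^a-z])language([[:space:]]*)=~i", "\$1Xlanguage=", $text);
    $text = preg_replace("~([^a-z])on([a-z]+)([[:space:]]*)=~i", "\$1Xon\$2=", $text);

    return $text;
}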
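/**
 * Saves the content of a wiki page to its markdown file on disk.
 *
 * Keys read from $arr: 'pageUrlName' (file name without extension), 'content'
 * (raw HTML, passed through purify_html()) and 'resource_id' (passed to
 * wiki_get_wiki()); missing keys default to ''.
 *
 * @param array $arr request-style array of page data
 * @return array array('message' => string, 'success' => bool); message is '' on success
 */
function wiki_save_page($arr) {
    $pageUrlName = array_key_exists('pageUrlName', $arr) ? $arr['pageUrlName'] : '';

    // The page name becomes a path component under the wiki directory, so it must be
    // a single non-empty file name: no separators and not '.' or '..'.
    if (!is_string($pageUrlName) || $pageUrlName === '' || $pageUrlName === '.'
            || $pageUrlName === '..' || strpbrk($pageUrlName, "/\\") !== false) {
        return array('message' => 'Invalid page name', 'success' => false);
    }

    $content = array_key_exists('content', $arr) ? purify_html($arr['content']) : '';
    $resource_id = array_key_exists('resource_id', $arr) ? $arr['resource_id'] : '';

    $w = wiki_get_wiki($resource_id);
    if (!$w['path']) {
        return array('message' => 'Error reading wiki', 'success' => false);
    }

    $page_path = $w['path'] . '/' . $pageUrlName . '.md';
    if (is_writable($page_path) !== true) {
        return array('message' => 'Page file not writable', 'success' => false);
    }

    // file_put_contents() returns the number of bytes written, which is 0 for an empty
    // page; only false signals a failure.
    if (file_put_contents($page_path, $content) === false) {
        return array('message' => 'Error writing to page file', 'success' => false);
    }

    return array('message' => '', 'success' => true);
}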