 /**
  * Filter provided HTML through htmLawed and return the result.
  *
  * The htmLawed configuration is deliberately restrictive: scripting, form,
  * framing and embedding elements are removed; the attributes named by
  * Garden.Html.BlockedAttributes (default `on*`) plus `style` and `class` are
  * denied; URL schemes are limited per attribute; and `class` is then
  * re-allowed only on `$this->classedElements` with a value drawn from
  * `$this->allowedClasses`.
  *
  * Side effects: reads Gdn_Format::$DisplayNoFollow and overwrites
  * $GLOBALS['hl_Ids'], the ID list htmLawed consults for `unique_ids`, so that
  * user content cannot reuse IDs the page's JavaScript depends on.
  *
  * @param string $html String of HTML to filter.
  * @return string Returns the filtered HTML.
  */
 public function format($html)
 {
     // Legacy workaround: embedded videos become plain links before filtering.
     $html = Gdn_Format::unembedContent($html);

     // A plugin may clear Gdn_Format::$DisplayNoFollow to suppress
     // rel="nofollow"; by default every link gets it (`.` matches any host).
     $antiLinkSpam = Gdn_Format::$DisplayNoFollow ? ['`.`', ''] : ['', ''];

     // Attributes to strip: the configured list, always extended with style
     // and class, which give attacker-controlled markup far too much reach.
     $deniedAttributes = c('Garden.Html.BlockedAttributes', 'on*') . ',style,class';

     // IDs that page scripts rely on; listing them here makes htmLawed's
     // unique_ids handling treat them as already taken (verify against the
     // installed htmLawed version).
     $GLOBALS['hl_Ids'] = [
         'Bookmarks' => 1,
         'CommentForm' => 1,
         'Content' => 1,
         'Definitions' => 1,
         'DiscussionForm' => 1,
         'Foot' => 1,
         'Form_Comment' => 1,
         'Form_User_Password' => 1,
         'Form_User_SignIn' => 1,
         'Head' => 1,
         'HighlightColor' => 1,
         'InformMessageStack' => 1,
         'Menu' => 1,
         'PagerMore' => 1,
         'Panel' => 1,
         'Status' => 1,
     ];

     $config = [
         'anti_link_spam' => $antiLinkSpam,
         'balance' => 1,
         'cdata' => 3,
         'comment' => 1,
         'css_expression' => 1,
         'deny_attribute' => $deniedAttributes,
         'direct_list_nest' => 1,
         'elements' => '*-applet-form-input-textarea-iframe-script-style-embed-object-select-option-button-fieldset-optgroup-legend',
         'keep_bad' => 0,
         'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
         'unique_ids' => 1,
         'valid_xhtml' => 0,
     ];

     // Per-element rules: neuter <object>/<embed>, then permit `class` on the
     // listed elements only with a whitelisted value.
     $spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash); '
         . implode(',', $this->classedElements)
         . '=class(oneof=' . implode('|', $this->allowedClasses) . '); ';

     return Htmlawed::filter($html, $config, $spec);
 }
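 /**
  * Convert an IPB (Invision Power Board) post body to display HTML.
  *
  * Steps, in order: decode the few entities IPB leaves in the text, expand IPB
  * template placeholders, normalise code blocks, rewrite HTML blockquotes into
  * BBCode quotes, strip HTML comments, run the BBCode parser, then linkify,
  * expand mentions and emoji, and finally sanitise the result with htmLawed.
  *
  * @param string $string Raw IPB post content (BBCode with some HTML mixed in).
  * @return string htmLawed-filtered HTML.
  */
 public function format($string)
 {
     // IPB stores these characters as entities; the trailing `Â` is presumably
     // a double-encoding artefact and is simply dropped.
     $string = str_replace(['&quot;', '&#39;', '&#58;', 'Â'], ['"', "'", ':', ''], $string);
     $string = str_replace('<#EMO_DIR#>', 'default', $string);
     $string = str_replace('<{POST_SNAPBACK}>', '<span class="SnapBack">»</span>', $string);

     // The BBCode parser mishandles uppercase [CODE] tags, so force lowercase.
     $string = str_replace(['[CODE]', '[/CODE]'], ['[code]', '[/code]'], $string);

     // IPB inserts <br /> at line breaks; inside code blocks they must go.
     // The real newline stays, so whitespace survives in the <pre>.
     $string = preg_replace_callback(
         '/\\[code\\].*?\\[\\/code\\]/is',
         function (array $codeBlock) {
             return str_replace('<br />', '', $codeBlock[0]);
         },
         $string
     );

     // IPB renders some quotes as HTML blockquotes; convert them to BBCode so
     // the parser below treats all quotes uniformly. Attribute order is fixed,
     // only the whitespace after "<blockquote" varies.
     $string = preg_replace_callback(
         '#<blockquote\\s+(class="ipsBlockquote" )?data-author="([^"]+)" data-cid="(\\d+)" data-time="(\\d+)">(.*?)</blockquote>#is',
         function (array $quote) {
             $author = $quote[2];
             $cid = $quote[3];
             // data-time is a unix timestamp captured as a string; date() wants an int.
             $date = date('F j Y, g:i A', (int) $quote[4]);
             $content = $quote[5];
             return "[quote name=\"{$author}\" url=\"{$cid}\" date=\"{$date}\"]{$content}[/quote]";
         },
         $string
     );

     // Very long input can blow the BBCode parser's stack; dropping HTML
     // comments is the only cheap trimming available here.
     $string = preg_replace('/<!--(.*)-->/Uis', '', $string);

     // preg_replace returns null on a PCRE failure (e.g. backtrack limit on
     // huge input); in that case nothing is parsed and the output is empty.
     $result = '';
     if ($string !== null) {
         $result = $this->nbbc()->parse($string);
     }

     $result = Gdn_Format::links($result);
     $result = Gdn_Format::mentions($result);
     $result = Emoji::instance()->translateToHtml($result);

     // Final sanitisation: strip scripting/form/framing elements, deny on*
     // handlers and restrict URL schemes. `style`/`class` stay allowed here —
     // the SnapBack span inserted above relies on `class`.
     // NOTE(review): `valid_xml` does not look like an htmLawed option (the
     // option is `valid_xhtml`) and is probably ignored — confirm.
     $config = [
         'anti_link_spam' => ['`.`', ''],
         'comment' => 1,
         'cdata' => 3,
         'css_expression' => 1,
         'deny_attribute' => 'on*',
         'elements' => '*-applet-form-input-textarea-iframe-script-style',
         'keep_bad' => 0,
         'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
         'valid_xml' => 2,
     ];
     $spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';

     return Htmlawed::filter($result, $config, $spec);
 }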