/**
 * Escape raw post/comment content for storage.
 *
 * The content is passed through addslashes() and, when either the $post_autobr
 * or the $comment_autobr setting is on, through autobrize() afterwards.
 *
 * @param string $content Raw content as submitted.
 * @return string The escaped (and possibly autobr'ed) content.
 */
function format_to_post($content)
{
    global $post_autobr, $comment_autobr;

    $escaped = addslashes($content);
    $wantAutobr = ($post_autobr || $comment_autobr);

    return $wantAutobr ? autobrize($escaped) : $escaped;
}
/**
 * Escape raw post/comment content for storage and run the 'format_to_post' filters.
 *
 * Order of operations: addslashes(), then autobrize() when the global
 * $post_autobr or $comment_autobr setting is on, then apply_filters('format_to_post').
 *
 * @param string $content Raw content as submitted.
 * @return string The escaped, filtered content.
 */
function format_to_post($content)
{
    global $post_autobr, $comment_autobr;

    $result = addslashes($content);
    if ($post_autobr || $comment_autobr) {
        $result = autobrize($result);
    }

    return apply_filters('format_to_post', $result);
}
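/**
 * Set up the global "current post" state that the templates read.
 *
 * The post comes either from the global $row (an object with an ID, fetched by the
 * caller) or, when the global $preview flag is set, from the preview_* query-string
 * fields. Fills $id, $postdata, $authordata, $day, $page, $pages, $multipage, $more
 * and $numpages; posts containing the '<!--nextpage-->' marker are split into $pages.
 *
 * Security note: in preview mode every field of $postdata is taken straight from
 * $_GET and is untrusted. It is stored unchanged here (apart from the optional
 * autobrize() pass), so whatever renders $postdata must escape it for output.
 *
 * @return boolean Always true.
 */
function start_b2()
{
    global $row, $id, $postdata, $authordata, $day, $preview, $page, $pages, $multipage, $more, $numpages;
    global $preview_userid, $preview_date, $preview_content, $preview_title, $preview_category, $preview_notify, $preview_make_clickable, $preview_autobr;
    global $pagenow;

    if (!$preview) {
        $id = $row->ID;
        $postdata = get_postdata2($id);
    } else {
        // Preview of an unsaved post: build a fake post record from the query string.
        // $_GET replaces $HTTP_GET_VARS, which was removed in PHP 5.4.
        $id = 0;
        $postdata = array(
            'ID' => 0,
            'Author_ID' => $_GET['preview_userid'],
            'Date' => $_GET['preview_date'],
            'Content' => $_GET['preview_content'],
            'Title' => $_GET['preview_title'],
            'Category' => $_GET['preview_category'],
            'Notify' => 1,
            'Clickable' => 1,
            'Karma' => 0
        );
        if (!empty($_GET['preview_autobr'])) {
            $postdata['Content'] = autobrize($postdata['Content']);
        }
    }

    $authordata = get_userdata($postdata['Author_ID']);
    $day = mysql2date('d.m.y', $postdata['Date']);

    $numpages = 1;
    if (!$page) {
        $page = 1;
    }
    // NOTE(review): $p is never assigned in this function, so this condition is always
    // false; it presumably meant to read the global $p query variable - confirm before changing.
    if (isset($p)) {
        $more = 1;
    }

    // Stored content is addslashes()-escaped; templates get the unescaped form.
    $plain = stripslashes($postdata['Content']);

    if (preg_match('/<!--nextpage-->/', $postdata['Content'])) {
        if ($page > 1) {
            $more = 1;
        }
        $multipage = 1;
        // Drop the newlines around each marker before splitting. The searches are
        // applied in this order, each on the result of the previous one.
        $plain = str_replace(
            array("\n<!--nextpage-->\n", "\n<!--nextpage-->", "<!--nextpage-->\n"),
            '<!--nextpage-->',
            $plain
        );
        $pages = explode('<!--nextpage-->', $plain);
        $numpages = count($pages);
    } else {
        // Reset the whole array (not only $pages[0]) so that pages left over from a
        // previous multipage post in the same loop cannot leak into this one.
        $pages = array($plain);
        $multipage = 0;
    }

    return true;
}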
continue; } $row = mysql_fetch_object($result); $user_level = $row->user_level; $post_author = $row->ID; if ($user_level > 0) { $post_title = xmlrpc_getposttitle($content); $post_category = xmlrpc_getpostcategory($content); if ($post_title == '') { $post_title = $subject; } if ($post_category == '') { $post_category = $default_category; } if ($autobr) { $content = autobrize($content); } if (!$thisisforfunonly) { $post_title = addslashes(trim($post_title)); $content = addslashes(trim($content)); $sql = "INSERT INTO {$tableposts} (post_author, post_date, post_content, post_title, post_category) VALUES ({$post_author}, '{$post_date}', '{$content}', '{$post_title}', {$post_category})"; $result = mysql_query($sql) or die('Couldn\'t add post: ' . mysql_error()); $post_ID = mysql_insert_id(); if (isset($sleep_after_edit) && $sleep_after_edit > 0) { sleep($sleep_after_edit); } $blog_ID = 1; rss_update($blog_ID); pingWeblogs($blog_ID); pingCafelog($cafelogID, $post_title, $post_ID); pingBlogs($blog_ID);
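/**
 * Check raw HTML input for different levels of sanity including:
 * - XHTML validation
 * - Javascript injection
 * - antispam
 *
 * Also cleans up the content on some levels:
 * - trimming
 * - balancing tags
 *
 * WARNING: this does *NOT* (necessarily) make the HTML code safe.
 * It only checks on it and produces error messages.
 * It is NOT (necessarily) safe to use the output.
 *
 * Every failed check is reported through the global $Messages object and makes the
 * function return false; the caller must then reject the content rather than fall
 * back to the unchecked input.
 *
 * @param string  $content  The content to check
 * @param string  $context  'posting', 'xmlrpc_posting' or 'commenting'; anything else is fatal (debug_die)
 * @param boolean $autobr   Create automated <br /> tags?
 * @param string  $encoding Encoding (passed to the XHTML validator only!); NULL presumably
 *                          falls back to $io_charset inside the validator - not visible here
 * @return boolean|string   The cleaned-up content, or false when any check failed
 */
function check_html_sanity($content, $context = 'posting', $autobr = false, $encoding = NULL)
{
    global $use_balanceTags, $admin_url;
    global $io_charset, $use_xhtmlvalidation_for_comments, $comment_allowed_tags, $comments_allow_css_tweaks;
    global $Messages;
    /**
     * @var User
     */
    global $current_User;

    // Only set in the posting contexts; initialised here so the permission hint at the
    // end can test it without notices in the commenting context.
    $Group = NULL;

    switch ($context) {
        case 'posting':
        case 'xmlrpc_posting':
            // What gets checked is decided by the current user's group permissions:
            $Group =& $current_User->get_Group();
            if ($context == 'posting') {
                $xhtmlvalidation = ($Group->perm_xhtmlvalidation == 'always');
            } else {
                $xhtmlvalidation = ($Group->perm_xhtmlvalidation_xmlrpc == 'always');
            }
            $allow_css_tweaks = $Group->perm_xhtml_css_tweaks;
            $allow_javascript = $Group->perm_xhtml_javascript;
            $allow_iframes = $Group->perm_xhtml_iframes;
            $allow_objects = $Group->perm_xhtml_objects;
            $bypass_antispam = $Group->perm_bypass_antispam;
            break;

        case 'commenting':
            // Comments come from visitors: no active content and no antispam bypass.
            $xhtmlvalidation = $use_xhtmlvalidation_for_comments;
            $allow_css_tweaks = $comments_allow_css_tweaks;
            $allow_javascript = false;
            $allow_iframes = false;
            $allow_objects = false;
            // fp> I don't know if it makes sense to bypass antispam in commenting context if the user has that kind of permissions.
            // If so, then we also need to bypass in several other places.
            $bypass_antispam = false;
            break;

        default:
            debug_die('unknown context: ' . $context);
    }

    $error = false;

    // Replace any & that is not a character or entity reference with &amp;
    // (the replacement has to be the entity itself; replacing '&' with '&' is a no-op).
    $content = preg_replace('/&(?!#[0-9]+;|#x[0-9a-fA-F]+;|[a-zA-Z_:][a-zA-Z0-9._:-]*;)/', '&amp;', $content);

    // ANTISPAM check:
    if (!$bypass_antispam && ($block = antispam_check($content))) {
        if ($context == 'xmlrpc_posting') {
            // XML-RPC answers are not HTML, so the blacklisted word is reported unescaped.
            $errmsg = sprintf(T_('Illegal content found: blacklisted word "%s"'), $block);
        } elseif ($context == 'commenting') {
            // Do not tell commenters which word tripped the blacklist.
            $errmsg = T_('Illegal content found (spam?)');
        } else {
            $errmsg = sprintf(T_('Illegal content found: blacklisted word «%s»'), htmlspecialchars($block));
        }
        $Messages->add($errmsg, 'error');
        $error = true;
    }

    if ($autobr) {
        // Auto <br />:
        // may put brs in the middle of multiline tags...
        // TODO: this may create "<br />" tags in "<UL>" (outside of <LI>) and make the HTML invalid! -> use autoP pugin?
        $content = autobrize($content);
    }

    $content = trim($content);

    if ($use_balanceTags) {
        // Auto close open tags:
        $content = balance_tags($content);
    }

    if ($xhtmlvalidation) {
        // We want to validate XHTML:
        load_class('xhtml_validator/_xhtml_validator.class.php');
        // Plain assignment: "=& new" is a parse error since PHP 7 and objects are handles anyway.
        $XHTML_Validator = new XHTML_Validator($context, $allow_css_tweaks, $allow_iframes, $allow_javascript, $allow_objects, $encoding);
        if (!$XHTML_Validator->check($content)) {
            $error = true;
        }
    } else {
        // We do not WANT to validate XHTML, fall back to basic security checking:
        // This is only as strong as its regexps can parse xhtml. This is significantly inferior to the XHTML checker above.
        // The only advantage of this checker is that it can check for a little security without requiring VALID XHTML.
        if ($context == 'commenting') {
            // DEPRECATED but still...
            // Note: strip_tags() keeps the attributes of the allowed tags, so event handlers and
            // script URLs inside those tags are only caught by the regexps below.
            $content = strip_tags($content, $comment_allowed_tags);
        }

        // Security checking:
        $check = $content;
        // Open comments or '<![CDATA[' are dangerous
        $check = str_replace('<!', '<', $check);

        // # # and ~ ~ are delimiters (ASCII, so the file encoding cannot break them)
        // i modifier at the end means caseless
        // x modifier means whitespace in the pattern is ignored

        // CHECK Styling restictions:
        if (!$allow_css_tweaks && preg_match('#\\s((style|class|id)\\s*=)#i', $check, $matches)) {
            $Messages->add(T_('Illegal CSS markup found: ') . htmlspecialchars($matches[1]), 'error');
            $error = true;
        }

        // CHECK JAVASCRIPT:
        // The tag patterns use "/?" (an optional closing slash) so that opening tags are
        // matched as well as closing ones; the former "//?" required at least one slash.
        if (!$allow_javascript && (
            preg_match('~( < \\s* /? \\s* (script|noscript) )~xi', $check, $matches)
            || preg_match('#\\s((on[a-z]+)\\s*=)#i', $check, $matches)
            || preg_match('#=["\'\\s]*((javascript|vbscript|about):)#i', $check, $matches))) {
            $Messages->add(T_('Illegal javascript markup found: ') . htmlspecialchars($matches[1]), 'error');
            $error = true;
        }

        // CHECK IFRAMES:
        if (!$allow_iframes && preg_match('~( < \\s* /? \\s* (frame|iframe) )~xi', $check, $matches)) {
            $Messages->add(T_('Illegal frame markup found: ') . htmlspecialchars($matches[1]), 'error');
            $error = true;
        }

        // CHECK OBJECTS:
        if (!$allow_objects && preg_match('~( < \\s* /? \\s* (applet|object|param|embed) )~xi', $check, $matches)) {
            $Messages->add(T_('Illegal object markup found: ') . htmlspecialchars($matches[1]), 'error');
            $error = true;
        }
    }

    if ($error) {
        if (!empty($current_User) && !empty($Group) && $current_User->check_perm('users', 'edit', false)) {
            $Messages->add(sprintf(T_('(Note: To get rid of the above validation warnings, you can deactivate unwanted validation rules in your <a %s>Group settings</a>.)'), 'href="' . $admin_url . '?ctrl=users&grp_ID=' . $Group->ID . '"'), 'error');
        }
        return false;
    }

    // Return sanitized content
    return $content;
}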