diff --git a/actions/newnotice.php b/actions/newnotice.php
index 748d104ff9..5e682ffd05 100644
--- a/actions/newnotice.php
+++ b/actions/newnotice.php
@@ -203,6 +203,7 @@ class NewnoticeAction extends Action
 $options = array_merge($options, $locOptions);
 }
+ Event::handle('SaveNewNoticeWeb', array($this, $user, &$content_shortened, &$options));
 $notice = Notice::saveNew($user->id, $content_shortened, 'web', $options);
 if (isset($upload)) {
diff --git a/plugins/TinyMCE/TinyMCEPlugin.php b/plugins/TinyMCE/TinyMCEPlugin.php
index 3a7656d32c..8dc1d8a582 100644
--- a/plugins/TinyMCE/TinyMCEPlugin.php
+++ b/plugins/TinyMCE/TinyMCEPlugin.php
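Review bot: The return value of Event::handle on the added line is discarded, and the hook hands out `$content_shortened` and `$options` by reference, so a handler can rewrite the notice text after whatever length or emptiness checks this method performed earlier (outside the hunk) — the value that reaches Notice::saveNew is no longer the one that was validated, and if Event::handle follows the usual convention of returning false when a handler halts, that signal is lost too. If plugins are meant to be trusted with the final content, say so above the call, e.g. `// Plugins may replace the content and options here; handlers are responsible for keeping content within the notice length limit.`; otherwise re-run the length check on `$content_shortened` after the hook before saving. The hook name and argument order are now a plugin contract, so a docblock where the event is documented should list them (action, user, content by reference, options by reference). The enclosing method continues outside the hunk.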
@@ -78,36 +78,48 @@ class TinyMCEPlugin extends Plugin
 return true;
 }
- function onArgsInitialize(&$args)
+ /**
+ * Sanitize HTML input and strip out potentially dangerous bits.
+ *
+ * @param string $raw HTML
+ * @return string HTML
+ */
+ private function sanitizeHtml($raw)
 {
- if (!array_key_exists('action', $args) ||
- $args['action'] != 'newnotice') {
- return true;
- }
-
- $raw = $this->_scrub($args['status_textarea']);
-
 require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
 $config = array('safe' => 1, 'deny_attribute' => 'id,style,on*');
- $this->html = htmLawed($raw, $config);
-
- $text = html_entity_decode(strip_tags($this->html));
-
- $args['status_textarea'] = $text;
-
- return true;
+ return htmLawed($raw, $config);
 }
- function onStartNoticeSave($notice)
+ /**
+ * Strip HTML to plaintext string
+ *
+ * @param string $html HTML
+ * @return string plaintext, single line
+ */
+ private function stripHtml($html)
 {
- if (!empty($this->html)) {
- // Stomp on any rendering
- $notice->rendered = $this->html;
- }
+ return str_replace("\n", " ", html_entity_decode(strip_tags($html)));
+ }
+ /**
+ * Hook for new-notice form processing to take our HTML goodies;
+ * won't affect API posting etc.
+ *
+ * @param NewNoticeAction $action
+ * @param User $user
+ * @param string $content
+ * @param array $options
+ * @return boolean hook return
+ */
+ function onSaveNewNoticeWeb($action, $user, &$content, &$options)
+ {
+ $html = $this->sanitizeHtml($action->arg('status_textarea'));
+ $options['rendered'] = $html;
+ $content = $this->stripHtml($html);
 return true;
 }
@@ -135,15 +147,5 @@ END_OF_SCRIPT;
 return $scr;
 }
-
- function _scrub($txt)
- {
- $strip = get_magic_quotes_gpc();
- if ($strip) {
- return stripslashes($txt);
- } else {
- return $txt;
- }
- }
 }
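Review bot: stripHtml only replaces "\n", so the CRLF line endings browsers submit leave a stray "\r" in what the docblock promises is a single-line string, and html_entity_decode is called without a charset, which on the PHP versions this code targets (it still calls get_magic_quotes_gpc) defaults to ISO-8859-1 and may produce invalid UTF-8 from named or numeric entities; `return str_replace(array("\r\n", "\r", "\n"), ' ', html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8'));` addresses both. The docblock on onSaveNewNoticeWeb names the type `NewNoticeAction`, while the class in the first hunk is declared `NewnoticeAction`; the docblock should use the declared spelling. The removed `_scrub` undid magic-quotes escaping, and the new code relies on `$action->arg()` doing the same — worth confirming, because otherwise backslashes reach htmLawed and are stored in the `rendered` HTML. onSaveNewNoticeWeb also overwrites `$content` unconditionally, so when the textarea is absent the caller's already-validated content is presumably replaced by the stripped form of an empty value; a guard such as `if ($raw === null || $raw === '') { return true; }` before sanitizing would keep the caller's text in that case. The enclosing class continues outside the hunk.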