diff --git a/lib/default.php b/lib/default.php
index e9382a86bc..c0d559e1cc 100644
--- a/lib/default.php
+++ b/lib/default.php
@@ -285,6 +285,11 @@ $default =
         array('handle' => false, // whether to handle sessions ourselves
               'debug' => false, // debugging output for sessions
               'gc_limit' => 1000), // max sessions to expire at a time
+        'htmlfilter' => array( // purify HTML through htmLawed
+            'img' => true,
+            'video' => true,
+            'audio' => true,
+        ),
         'notice' =>
         array('contentlimit' => null,
               'defaultscope' => null, // null means 1 if site/private, 0 otherwise
diff --git a/lib/util.php b/lib/util.php
index f29507f846..14cfd96ee1 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -580,9 +580,18 @@ function common_purify($html)
 {
     require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
 
-    $config = array('safe' => 1,
+    $config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
+                    'elements' => '*',
                     'deny_attribute' => 'id,style,on*');
 
+    // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
+    // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
+    foreach (common_config('htmlfilter') as $tag=>$filter) {
+        if ($filter === true) {
+            $config['elements'] .= "-{$tag}";
+        }
+    }
+
     $html = common_remove_unicode_formatting($html);
 
     return htmLawed($html, $config);
@@ -1929,9 +1938,14 @@ function common_negotiate_type($cprefs, $sprefs)
     return $besttype;
 }
 
-function common_config($main, $sub)
+function common_config($main, $sub=null)
 {
     global $config;
+    if (is_null($sub)) {
+        // Return the config category array
+        return array_key_exists($main, $config) ? $config[$main] : array();
+    }
+    // Return the config value
     return (array_key_exists($main, $config) && array_key_exists($sub, $config[$main]))
         ? $config[$main][$sub] : false;
 }
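Review bot: The comment on the new `'htmlfilter'` key, `// purify HTML through htmLawed`, describes the wrong thing: the entries are tag names, and a `true` value makes common_purify() strip that element from user-supplied HTML rather than purify it. Suggest `'htmlfilter' => array( // elements stripped from user HTML by common_purify(); true = remove`. It would also help a site admin to note here that only a strict `true` currently triggers removal, since that is not obvious from the defaults alone.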
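Review bot: The new filter loop in common_purify() fails open: `if ($filter === true)` leaves a tag allowed whenever an admin sets it to any other truthy value such as `1` or `'true'`, and in a sanitizer the safe failure is to strip. Suggest `if ($filter) {`, or for a default-deny posture `if ($filter !== false) {` so that only an explicit `false` keeps the element. The `$tag` key is also spliced into htmLawed's `elements` spec without validation, so a key containing whitespace, a comma or a `-` would corrupt the spec; a guard such as `if (!preg_match('/^[a-z][a-z0-9]*$/', $tag)) { continue; }` before the append would contain that (hedged, as htmLawed's spec grammar is not visible here). common_purify()'s closing brace lies outside the hunk.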
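Review bot: The new single-argument form of common_config() returns `array()` for a missing category while the two-argument form still returns `false`, and the function carries no docblock describing either mode. A PHPDoc above `function common_config($main, $sub=null)` should state that `$main` names the config category, that a null `$sub` returns the whole category array (empty array when absent), and that with `$sub` given the value or `false` is returned, so callers know which sentinel to test. A category explicitly set to a non-array in the site config (for example `false`) is returned as-is by the new branch, which a caller that iterates the result, like the new common_purify() loop, does not guard against; whether that happens in practice is not visible from this diff.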