forked from GNUsocial/gnu-social
First stab redoing argument loading for TinyMCE (to avoid hacking checks for all notice saves everywhere)
This commit is contained in:
Brion Vibber
parent
e54d441af0
commit
3a85318bd0
@ -203,6 +203,7 @@ class NewnoticeAction extends Action
|
|||||||
$options = array_merge($options, $locOptions);
|
$options = array_merge($options, $locOptions);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Event::handle('SaveNewNoticeWeb', array($this, $user, &$content_shortened, &$options));
|
||||||
$notice = Notice::saveNew($user->id, $content_shortened, 'web', $options);
|
$notice = Notice::saveNew($user->id, $content_shortened, 'web', $options);
|
||||||
|
|
||||||
if (isset($upload)) {
|
if (isset($upload)) {
|
||||||
|
|||||||
@ -78,36 +78,48 @@ class TinyMCEPlugin extends Plugin
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
function onArgsInitialize(&$args)
|
/**
|
||||||
|
* Sanitize HTML input and strip out potentially dangerous bits.
|
||||||
|
*
|
||||||
|
* @param string $raw HTML
|
||||||
|
* @return string HTML
|
||||||
|
*/
|
||||||
|
private function sanitizeHtml($raw)
|
||||||
{
|
{
|
||||||
if (!array_key_exists('action', $args) ||
|
|
||||||
$args['action'] != 'newnotice') {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
$raw = $this->_scrub($args['status_textarea']);
|
|
||||||
|
|
||||||
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
|
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
|
||||||
|
|
||||||
$config = array('safe' => 1,
|
$config = array('safe' => 1,
|
||||||
'deny_attribute' => 'id,style,on*');
|
'deny_attribute' => 'id,style,on*');
|
||||||
|
|
||||||
$this->html = htmLawed($raw, $config);
|
return htmLawed($raw, $config);
|
||||||
|
|
||||||
$text = html_entity_decode(strip_tags($this->html));
|
|
||||||
|
|
||||||
$args['status_textarea'] = $text;
|
|
||||||
|
|
||||||
return true;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function onStartNoticeSave($notice)
|
/**
|
||||||
|
* Strip HTML to plaintext string
|
||||||
|
*
|
||||||
|
* @param string $html HTML
|
||||||
|
* @return string plaintext, single line
|
||||||
|
*/
|
||||||
|
private function stripHtml($html)
|
||||||
{
|
{
|
||||||
if (!empty($this->html)) {
|
return str_replace("\n", " ", html_entity_decode(strip_tags($html)));
|
||||||
// Stomp on any rendering
|
}
|
||||||
$notice->rendered = $this->html;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Hook for new-notice form processing to take our HTML goodies;
|
||||||
|
* won't affect API posting etc.
|
||||||
|
*
|
||||||
|
* @param NewNoticeAction $action
|
||||||
|
* @param User $user
|
||||||
|
* @param string $content
|
||||||
|
* @param array $options
|
||||||
|
* @return boolean hook return
|
||||||
|
*/
|
||||||
|
function onSaveNewNoticeWeb($action, $user, &$content, &$options)
|
||||||
|
{
|
||||||
|
$html = $this->sanitizeHtml($action->arg('status_textarea'));
|
||||||
|
$options['rendered'] = $html;
|
||||||
|
$content = $this->stripHtml($html);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -135,15 +147,5 @@ END_OF_SCRIPT;
|
|||||||
|
|
||||||
return $scr;
|
return $scr;
|
||||||
}
|
}
|
||||||
|
|
||||||
function _scrub($txt)
|
|
||||||
{
|
|
||||||
$strip = get_magic_quotes_gpc();
|
|
||||||
if ($strip) {
|
|
||||||
return stripslashes($txt);
|
|
||||||
} else {
|
|
||||||
return $txt;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user