better management of HTML input
parent
06ac0f9e9e
commit
4c5d583403
@ -118,12 +118,13 @@ class Blog_entry extends Managed_DataObject
|
|||||||
$be = new Blog_entry();
|
$be = new Blog_entry();
|
||||||
$be->id = (string) new UUID();
|
$be->id = (string) new UUID();
|
||||||
$be->profile_id = $profile->id;
|
$be->profile_id = $profile->id;
|
||||||
$be->title = htmlspecialchars($title);
|
$be->title = $title; // Note: not HTML-protected
|
||||||
$be->content = $content;
|
$be->content = self::purify($content);
|
||||||
|
|
||||||
if (array_key_exists('summary', $options)) {
|
if (array_key_exists('summary', $options)) {
|
||||||
$be->summary = $options['summary'];
|
$be->summary = self::purify($options['summary']);
|
||||||
} else {
|
} else {
|
||||||
|
// Already purified
|
||||||
$be->summary = self::summarize($content);
|
$be->summary = self::summarize($content);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -175,13 +176,10 @@ class Blog_entry extends Managed_DataObject
|
|||||||
XMLStringer::estring('a', array('href' => $url,
|
XMLStringer::estring('a', array('href' => $url,
|
||||||
'class' => 'blog-entry'),
|
'class' => 'blog-entry'),
|
||||||
_('More...'));
|
_('More...'));
|
||||||
$content = html_entity_decode(strip_tags($text), ENT_QUOTES, 'UTF-8');
|
$content = html_entity_decode(strip_tags($be->summary), ENT_QUOTES, 'UTF-8');
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
$options['rendered'] = $be->content . ' ' .
|
$options['rendered'] = $be->content;
|
||||||
XMLStringer::estring('a', array('href' => $url,
|
$content = html_entity_decode(strip_tags($be->content), ENT_QUOTES, 'UTF-8');
|
||||||
'class' => 'blog-entry'),
|
|
||||||
_('More...'));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -244,4 +242,15 @@ class Blog_entry extends Managed_DataObject
|
|||||||
|
|
||||||
return $obj;
|
return $obj;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Clean up input HTML
|
||||||
|
*/
|
||||||
|
static function purify($html)
|
||||||
|
{
|
||||||
|
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
|
||||||
|
$config = array('safe' => 1,
|
||||||
|
'deny_attribute' => 'id,style,on*');
|
||||||
|
return htmLawed($html, $config);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
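Review bot: The fallback branch still summarizes the raw input, not the purified text: `$be->content = self::purify($content);` stores the cleaned HTML, but the `else` branch then calls `self::summarize($content)` on the original `$content`, so the `// Already purified` comment added just above it is not true for that call. Unless summarize() strips or purifies on its own (its body is not in this diff), the summary can carry markup that purify() was meant to remove; passing the stored value fixes it, `$be->summary = self::summarize($be->content);`. The same hunk also stops escaping the title (`$be->title = $title; // Note: not HTML-protected`), which moves that responsibility to every output path — the comment would be clearer as `// Stored raw; callers must escape when rendering`. The enclosing method starts before and continues after this hunk.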
@ -72,10 +72,14 @@ class BlogEntryListItem extends NoticeListItemAdapter
|
|||||||
$out->elementEnd('h4');
|
$out->elementEnd('h4');
|
||||||
|
|
||||||
if (!empty($entry->summary)) {
|
if (!empty($entry->summary)) {
|
||||||
$out->element('div', 'blog-entry-summary', $entry->summary);
|
$out->elementStart('div', 'blog-entry-summary');
|
||||||
|
$out->raw($entry->summary);
|
||||||
|
$out->elementEnd('div');
|
||||||
} else {
|
} else {
|
||||||
// XXX: hide content initially; click More... for full text.
|
// XXX: hide content initially; click More... for full text.
|
||||||
$out->element('div', 'blog-entry-content', $entry->content);
|
$out->elementStart('div', 'blog-entry-content');
|
||||||
|
$out->raw($entry->content);
|
||||||
|
$out->elementEnd('div');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
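Review bot: Switching from `$out->element(...)` to `$out->raw($entry->summary)` and `$out->raw($entry->content)` emits whatever is in the database without escaping, so this method now trusts that every stored entry went through purify(). Rows saved before this change were stored unpurified (the old code escaped at output), so they would be rendered as-is unless they are migrated or cleaned on read. Worth a comment at the first raw() call, `// Stored HTML was purified on save (Blog_entry::purify); never echo unpurified content here`, and a check that no other write path stores content without purify(). The enclosing method starts before this hunk.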