better management of HTML input

This commit is contained in:
Evan Prodromou 2011-06-20 11:01:50 -04:00
parent 06ac0f9e9e
commit 4c5d583403
2 changed files with 24 additions and 11 deletions


@ -118,12 +118,13 @@ class Blog_entry extends Managed_DataObject
$be = new Blog_entry(); $be = new Blog_entry();
$be->id = (string) new UUID(); $be->id = (string) new UUID();
$be->profile_id = $profile->id; $be->profile_id = $profile->id;
$be->title = htmlspecialchars($title); $be->title = $title; // Note: not HTML-protected
$be->content = $content; $be->content = self::purify($content);
if (array_key_exists('summary', $options)) { if (array_key_exists('summary', $options)) {
$be->summary = $options['summary']; $be->summary = self::purify($options['summary']);
} else { } else {
// Already purified
$be->summary = self::summarize($content); $be->summary = self::summarize($content);
} }
@ -175,13 +176,10 @@ class Blog_entry extends Managed_DataObject
XMLStringer::estring('a', array('href' => $url, XMLStringer::estring('a', array('href' => $url,
'class' => 'blog-entry'), 'class' => 'blog-entry'),
_('More...')); _('More...'));
$content = html_entity_decode(strip_tags($text), ENT_QUOTES, 'UTF-8'); $content = html_entity_decode(strip_tags($be->summary), ENT_QUOTES, 'UTF-8');
} else { } else {
$options['rendered'] = $be->content . ' ' . $options['rendered'] = $be->content;
XMLStringer::estring('a', array('href' => $url, $content = html_entity_decode(strip_tags($be->content), ENT_QUOTES, 'UTF-8');
'class' => 'blog-entry'),
_('More...'));
} }
@ -244,4 +242,15 @@ class Blog_entry extends Managed_DataObject
return $obj; return $obj;
} }
/**
* Clean up input HTML
*/
static function purify($html)
{
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
$config = array('safe' => 1,
'deny_attribute' => 'id,style,on*');
return htmLawed($html, $config);
}
} }
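Review bot: The title is now stored unescaped (the `// Note: not HTML-protected` comment in the first hunk), which silently moves the escaping duty onto every output path; state the contract instead, e.g. `// Stored unescaped: every renderer must escape $title (e.g. via $out->element() / htmlspecialchars)`. In the else branch the summary is derived by summarize(), which is outside the hunk, from already-purified content; if it truncates the markup, the stored summary can hold cut-off or unbalanced tags that the list item later emits with raw(), so passing it through the filter as well, `$be->summary = self::purify(self::summarize($content));`, is a cheap guard (htmLawed's tag balancing should repair such fragments). The purify() docblock should also say what the filter enforces rather than "Clean up input HTML": `@param string $html untrusted HTML from the entry form` / `@return string HTML filtered by htmLawed with safe=1 and the id, style and on* attributes stripped`. The methods containing the first two hunks start outside them.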


@ -72,10 +72,14 @@ class BlogEntryListItem extends NoticeListItemAdapter
$out->elementEnd('h4'); $out->elementEnd('h4');
if (!empty($entry->summary)) { if (!empty($entry->summary)) {
$out->element('div', 'blog-entry-summary', $entry->summary); $out->elementStart('div', 'blog-entry-summary');
$out->raw($entry->summary);
$out->elementEnd('div');
} else { } else {
// XXX: hide content initially; click More... for full text. // XXX: hide content initially; click More... for full text.
$out->element('div', 'blog-entry-content', $entry->content); $out->elementStart('div', 'blog-entry-content');
$out->raw($entry->content);
$out->elementEnd('div');
} }
} }
} }
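Review bot: Switching summary and content from `element()` to `raw()` makes this output only as safe as what is stored, and nothing in the hunk records that dependency; add `// raw() is safe only because Blog_entry::purify() filters summary/content on save` above the first raw() call. Rows written before purification existed would still contain unfiltered HTML, so if such rows can be present, filtering at render time, `$out->raw(Blog_entry::purify($entry->summary));` (and the same for content), closes that gap at little cost. The h4 title rendering above this hunk is outside it; since the title is now stored unescaped, that path must keep using an escaping emitter such as `$out->element()`. The enclosing method starts before the hunk.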