First stab redoing argument loading for TinyMCE (to avoid hacking checks for all notice saves everywhere)

This commit is contained in:
Brion Vibber 2010-08-10 16:55:03 -07:00
parent e54d441af0
commit 3a85318bd0
2 changed files with 33 additions and 30 deletions


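--- a/<PATH not shown on page: NewnoticeAction>
+++ b/<PATH not shown on page: NewnoticeAction>
@@ -203,6 +203,7 @@ class NewnoticeAction extends Action
 $options = array_merge($options, $locOptions);
 }
+Event::handle('SaveNewNoticeWeb', array($this, $user, &$content_shortened, &$options));
 $notice = Notice::saveNew($user->id, $content_shortened, 'web', $options);
 if (isset($upload)) {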
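Review bot: The new `Event::handle('SaveNewNoticeWeb', …)` call discards the hook's boolean result and hands plugins write access to `$content_shortened` after the content has, going by its name, already been shortened and length-checked, so a plugin can substitute longer or different text and `Notice::saveNew` receives it without those checks unless it re-validates internally, which this hunk does not show. Either perform the length check after the hook or state the contract on the call: `// Plugins may rewrite $content_shortened and $options (e.g. $options['rendered']); validation done above does not cover what they return.` If a plugin is meant to be able to veto the save, the return value of `Event::handle` must be tested rather than dropped. The enclosing method starts and ends outside the hunk.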


@ -78,36 +78,48 @@ class TinyMCEPlugin extends Plugin
return true; return true;
} }
function onArgsInitialize(&$args) /**
* Sanitize HTML input and strip out potentially dangerous bits.
*
* @param string $raw HTML
* @return string HTML
*/
private function sanitizeHtml($raw)
{ {
if (!array_key_exists('action', $args) ||
$args['action'] != 'newnotice') {
return true;
}
$raw = $this->_scrub($args['status_textarea']);
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php'; require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
$config = array('safe' => 1, $config = array('safe' => 1,
'deny_attribute' => 'id,style,on*'); 'deny_attribute' => 'id,style,on*');
$this->html = htmLawed($raw, $config); return htmLawed($raw, $config);
$text = html_entity_decode(strip_tags($this->html));
$args['status_textarea'] = $text;
return true;
} }
function onStartNoticeSave($notice) /**
* Strip HTML to plaintext string
*
* @param string $html HTML
* @return string plaintext, single line
*/
private function stripHtml($html)
{ {
if (!empty($this->html)) { return str_replace("\n", " ", html_entity_decode(strip_tags($html)));
// Stomp on any rendering
$notice->rendered = $this->html;
} }
/**
* Hook for new-notice form processing to take our HTML goodies;
* won't affect API posting etc.
*
* @param NewNoticeAction $action
* @param User $user
* @param string $content
* @param array $options
* @return boolean hook return
*/
function onSaveNewNoticeWeb($action, $user, &$content, &$options)
{
$html = $this->sanitizeHtml($action->arg('status_textarea'));
$options['rendered'] = $html;
$content = $this->stripHtml($html);
return true; return true;
} }
@ -135,15 +147,5 @@ END_OF_SCRIPT;
return $scr; return $scr;
} }
function _scrub($txt)
{
$strip = get_magic_quotes_gpc();
if ($strip) {
return stripslashes($txt);
} else {
return $txt;
}
}
} }
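Review bot: `stripHtml` decodes entities with `html_entity_decode(strip_tags($html))`, which defaults to ISO-8859-1 before PHP 5.4, so any non-ASCII entity htmLawed leaves in place (`&eacute;`, `&#8230;`, …) comes back as Latin-1 bytes inside an otherwise UTF-8 `$content`; pass the charset explicitly: `return str_replace("\n", " ", html_entity_decode(strip_tags($html), ENT_QUOTES, 'UTF-8'));`. Separately, `onSaveNewNoticeWeb` pushes every web post through `sanitizeHtml`/`stripHtml` unconditionally, so a submission from the plain textarea (JavaScript off, editor not loaded) has literal `<`, `>` and `&…;` sequences interpreted as HTML and its `rendered` field overwritten with the htmLawed output; if the plugin has a way to tell the rich editor was actually in use, the hook should return early otherwise. Minor: `strip_tags` removes `<p>`/`<br>` without leaving whitespace, so adjacent paragraphs are glued together in the plaintext; replacing block-level tags with a space before stripping avoids that. Dropping `_scrub` in the second hunk assumes `$action->arg()` already handles magic quotes, which I cannot confirm from this page.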