authorSteven Wittens <steven@10.no-reply.drupal.org>2004-02-06 19:41:00 +0000
committerSteven Wittens <steven@10.no-reply.drupal.org>2004-02-06 19:41:00 +0000
commit0a8535eeefba6e94ee92027a00460ac280c0cdf3 (patch)
tree35ed9a6fa4958cd7f7cc5a35f5805e6d75c5f264
parent3e5d74983816af3385a2ac980fcd7fc9b037722d (diff)
downloadbrdo-0a8535eeefba6e94ee92027a00460ac280c0cdf3.tar.gz
brdo-0a8535eeefba6e94ee92027a00460ac280c0cdf3.tar.bz2
- Fix: do not call prepare hook when the admin has chosen to escape everything
- Code style: use constants to prevent confusing configuration options
-rw-r--r--modules/filter.module32
-rw-r--r--modules/filter/filter.module32
2 files changed, 42 insertions, 22 deletions
diff --git a/modules/filter.module b/modules/filter.module
index ca7431882..f3ec76311 100644
--- a/modules/filter.module
+++ b/modules/filter.module
@@ -1,6 +1,13 @@
<?php
// $Id$
+define('FILTER_HTML_DONOTHING', 0);
+define('FILTER_HTML_STRIP', 1);
+define('FILTER_HTML_ESCAPE', 2);
+
+define('FILTER_STYLE_ALLOW', 0);
+define('FILTER_STYLE_STRIP', 1);
+
function filter_help($section = "admin/help#filter") {
switch ($section) {
case 'admin/system/modules#description':
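Review bot: The new constants have no comment saying that their integer values are what gets stored in the `filter_html` and `filter_style` variables, which is what the `variable_get()` comparisons and the radio keys in the later hunks indicate. A later renumbering would then silently change the meaning of saved settings. I would add one line above each group, for example `// Stored values of the 'filter_html' variable; do not renumber.` and `// Stored values of the 'filter_style' variable; do not renumber.` The identical hunk in modules/filter/filter.module needs the same comments.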
@@ -15,7 +22,7 @@ function filter_help($section = "admin/help#filter") {
<p>Filters are executed from top-to-bottom. You can use the weight column to rearrange them: heavier filters 'sink' to the bottom. Standard HTML filtering is always run first.</p>");
case 'filter#long-tip':
case 'filter#short-tip':
- switch (variable_get("filter_html", 1)) {
+ switch (variable_get("filter_html", FILTER_HTML_DONOTHING)) {
case 0:
return t("All HTML tags allowed");
break;
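Review bot: The switch now takes its fallback from `FILTER_HTML_DONOTHING`, but the first label is still the literal `case 0:`, which keeps the magic number this commit sets out to remove; `case FILTER_HTML_DONOTHING:` would match the new style. The fallback also changes from 1 to 0, so on a site where `filter_html` was never saved the tip becomes "All HTML tags allowed". That agrees with the fallback used in filter_default(), but it is a visible behaviour change that the commit message does not mention. The switch continues past the end of this hunk, so the remaining labels are not visible here; the identical hunk in modules/filter/filter.module is affected in the same way.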
@@ -49,7 +56,7 @@ function filter_admin_order() {
$op = $_POST["op"];
if ($op == t("Save configuration")) {
foreach ($edit as $module => $filter) {
- db_query("UPDATE {filters} SET weight = '%d' WHERE module = '%s'", $filter["weight"], $module);
+ db_query("UPDATE {filters} SET weight = %d WHERE module = '%s'", $filter["weight"], $module);
}
}
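Review bot: The loop in filter_admin_order() uses each key of `$edit` as the `module` value of the UPDATE, and nothing visible in this hunk checks that key against the installed filters. If `$edit` comes from the submitted form, as the `$_POST["op"]` line suggests, the statement depends entirely on how db_query() handles `'%s'`. Driving the loop from the known list, `foreach (filter_list() as $module => $filter)` with `$edit[$module]["weight"]` as the value, would keep request-supplied keys out of the query. The function starts and ends outside the hunk, so an existing check may simply not be shown; unquoting `%d` is fine as it stands. The same applies to the identical hunk in modules/filter/filter.module.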
@@ -114,7 +121,7 @@ function filter_refresh() {
if (module_hook($module, "filter")) {
$weight = $filters[$module]["weight"];
- db_query("INSERT INTO {filters} (module, weight) VALUES ('%s','%d')", $module, $weight);
+ db_query("INSERT INTO {filters} (module, weight) VALUES ('%s', %d)", $module, $weight);
}
}
@@ -143,9 +150,12 @@ function check_output($text) {
// Filter content on output:
$filters = filter_list();
- // Give filters the chance to escape HTML-like data before being passed to the HTML stripper
- foreach ($filters as $module => $filter) {
- $text = module_invoke($module, "filter", "prepare", $text);
+ // Give filters the chance to escape HTML-like data such as code or formulas
+ // (from this point on, the input can be treated as HTML)
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) != FILTER_HTML_ESCAPE) {
+ foreach ($filters as $module => $filter) {
+ $text = module_invoke($module, "filter", "prepare", $text);
+ }
}
// HTML handling is done before all regular filtering activities
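Review bot: The added comment says "from this point on, the input can be treated as HTML", but it sits before the HTML handling announced by the next context line, and in escape mode the prepare hooks no longer run at all. A module that relies on its "prepare" step to neutralise markup in code or formula blocks needs that stated. I would replace the second comment line with the contract, for example `// "prepare" is skipped when filter_html is FILTER_HTML_ESCAPE because the whole text is escaped below; in the other modes its output is handled as HTML.` check_output() continues outside this hunk, so how the later "process" step treats already-escaped text is not visible. The identical hunk in modules/filter/filter.module needs the same wording.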
@@ -172,16 +182,16 @@ function check_output($text) {
}
function filter_default($text) {
- if (variable_get("filter_html", 0) == 1) {
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_STRIP) {
// Allow users to enter HTML, but filter it
$text = strip_tags($text, variable_get("allowed_html", ""));
- if (variable_get("filter_style", 1)) {
+ if (variable_get("filter_style", FILTER_STYLE_STRIP)) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
}
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
}
- if (variable_get("filter_html", 0) == 2) {
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_ESCAPE) {
// Escape HTML
$text = htmlspecialchars($text);
}
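Review bot: With `FILTER_HTML_DONOTHING` as the fallback in both tests, a site where `filter_html` was never saved passes user text through filter_default() unchanged, so the unconfigured state is the least restrictive one; `variable_get("filter_html", FILTER_HTML_STRIP)` would fail closed instead. In strip mode the two `preg_replace()` calls are a single-pass denylist: they drop `style` and `on*` attributes but never inspect the values of attributes left on allowed tags (the settings form suggests `<a>` among others), so link targets are not restricted to safe schemes. `htmlspecialchars($text)` is called without `ENT_QUOTES`, which leaves single quotes unescaped if the result is ever placed inside a single-quoted attribute. The function body ends outside the hunk, and the identical hunk in modules/filter/filter.module has the same issues.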
@@ -190,9 +200,9 @@ function filter_default($text) {
}
function filter_default_settings() {
- $group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
+ $group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", FILTER_HTML_DONOTHING), array(FILTER_HTML_DONOTHING => t("Do not filter"), FILTER_HTML_STRIP => t("Strip tags"), FILTER_HTML_ESCAPE => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'ON*' attributes and unclosed tags are always stripped."));
- $group .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", 1), array(t("Allowed"), t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
+ $group .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", FILTER_STYLE_STRIP), array(FILTER_STYLE_ALLOW => t("Allowed"), FILTER_STYLE_STRIP => t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
$output .= form_group(t("HTML filtering"), $group);
return $output;
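Review bot: The `allowed_html` text field falls back to `"<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"`, while filter_default() in the previous hunk reads the same variable with `""` as its fallback. Until the form is saved once, the page therefore shows a tag list that is not the one being enforced. Since this change introduces constants to keep the settings unambiguous, one shared default used in both `variable_get("allowed_html", ...)` calls (for example a `FILTER_HTML_ALLOWED_DEFAULT` constant, name only a suggestion) would remove the mismatch. `$output .= form_group(...)` also appends to a variable that is not initialised in the visible lines; the function's closing lines are outside the hunk. The identical hunk in modules/filter/filter.module is affected too.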
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index ca7431882..f3ec76311 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -1,6 +1,13 @@
<?php
// $Id$
+define('FILTER_HTML_DONOTHING', 0);
+define('FILTER_HTML_STRIP', 1);
+define('FILTER_HTML_ESCAPE', 2);
+
+define('FILTER_STYLE_ALLOW', 0);
+define('FILTER_STYLE_STRIP', 1);
+
function filter_help($section = "admin/help#filter") {
switch ($section) {
case 'admin/system/modules#description':
@@ -15,7 +22,7 @@ function filter_help($section = "admin/help#filter") {
<p>Filters are executed from top-to-bottom. You can use the weight column to rearrange them: heavier filters 'sink' to the bottom. Standard HTML filtering is always run first.</p>");
case 'filter#long-tip':
case 'filter#short-tip':
- switch (variable_get("filter_html", 1)) {
+ switch (variable_get("filter_html", FILTER_HTML_DONOTHING)) {
case 0:
return t("All HTML tags allowed");
break;
@@ -49,7 +56,7 @@ function filter_admin_order() {
$op = $_POST["op"];
if ($op == t("Save configuration")) {
foreach ($edit as $module => $filter) {
- db_query("UPDATE {filters} SET weight = '%d' WHERE module = '%s'", $filter["weight"], $module);
+ db_query("UPDATE {filters} SET weight = %d WHERE module = '%s'", $filter["weight"], $module);
}
}
@@ -114,7 +121,7 @@ function filter_refresh() {
if (module_hook($module, "filter")) {
$weight = $filters[$module]["weight"];
- db_query("INSERT INTO {filters} (module, weight) VALUES ('%s','%d')", $module, $weight);
+ db_query("INSERT INTO {filters} (module, weight) VALUES ('%s', %d)", $module, $weight);
}
}
@@ -143,9 +150,12 @@ function check_output($text) {
// Filter content on output:
$filters = filter_list();
- // Give filters the chance to escape HTML-like data before being passed to the HTML stripper
- foreach ($filters as $module => $filter) {
- $text = module_invoke($module, "filter", "prepare", $text);
+ // Give filters the chance to escape HTML-like data such as code or formulas
+ // (from this point on, the input can be treated as HTML)
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) != FILTER_HTML_ESCAPE) {
+ foreach ($filters as $module => $filter) {
+ $text = module_invoke($module, "filter", "prepare", $text);
+ }
}
// HTML handling is done before all regular filtering activities
@@ -172,16 +182,16 @@ function check_output($text) {
}
function filter_default($text) {
- if (variable_get("filter_html", 0) == 1) {
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_STRIP) {
// Allow users to enter HTML, but filter it
$text = strip_tags($text, variable_get("allowed_html", ""));
- if (variable_get("filter_style", 1)) {
+ if (variable_get("filter_style", FILTER_STYLE_STRIP)) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
}
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
}
- if (variable_get("filter_html", 0) == 2) {
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_ESCAPE) {
// Escape HTML
$text = htmlspecialchars($text);
}
@@ -190,9 +200,9 @@ function filter_default($text) {
}
function filter_default_settings() {
- $group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
+ $group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", FILTER_HTML_DONOTHING), array(FILTER_HTML_DONOTHING => t("Do not filter"), FILTER_HTML_STRIP => t("Strip tags"), FILTER_HTML_ESCAPE => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'ON*' attributes and unclosed tags are always stripped."));
- $group .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", 1), array(t("Allowed"), t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
+ $group .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", FILTER_STYLE_STRIP), array(FILTER_STYLE_ALLOW => t("Allowed"), FILTER_STYLE_STRIP => t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
$output .= form_group(t("HTML filtering"), $group);
return $output;