-rw-r--r--modules/node.module19
-rw-r--r--modules/node/node.module19
-rw-r--r--modules/poll.module4
-rw-r--r--modules/poll/poll.module4
4 files changed, 34 insertions, 12 deletions
diff --git a/modules/node.module b/modules/node.module
index b165709ac..5a13cfc4b 100644
--- a/modules/node.module
+++ b/modules/node.module
@@ -507,10 +507,14 @@ function node_settings() {
}
function node_conf_filters() {
- $output .= form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed. If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
- $output .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'STYLE' attributes, 'ON*' attributes and unclosed tags are always stripped."));
- $output .= form_radios(t("Rewrite old URLs"), "rewrite_old_urls", variable_get("rewrite_old_urls", 0), array(t("Disabled"), t("Enabled")), t("The introduction of 'clean URLs' in Drupal 4.2.0 breaks internal URLs that date back from Drupal 4.1.0 and before. If enabled, this filter will attempt to rewrite the old style URLs to avoid broken links. If <code>mod_rewrite</code> is available on your system, use the rewrite rules in Drupal's <code>.htaccess</code> file instead as these will also correct external referrers."));
- $output .= "<hr />";
+ $group1 .= form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
+ $group1 .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'ON*' attributes and unclosed tags are always stripped."));
+ $group1 .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", 1), array(t("Allowed"), t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
+ $output .= form_group("HTML filtering", $group1);
+
+ $group2 .= form_radios(t("Rewrite old URLs"), "rewrite_old_urls", variable_get("rewrite_old_urls", 0), array(t("Disabled"), t("Enabled")), t("The introduction of 'clean URLs' in Drupal 4.2.0 breaks internal URLs that date back from Drupal 4.1.0 and before. If enabled, this filter will attempt to rewrite the old style URLs to avoid broken links. If <code>mod_rewrite</code> is available on your system, use the rewrite rules in Drupal's <code>.htaccess</code> file instead as these will also correct external referrers."));
+ $output .= form_group("Legacy filtering", $group2);
+
return $output;
}
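Review bot: The two new group titles, `form_group("HTML filtering", $group1)` and `form_group("Legacy filtering", $group2)`, are the only user-visible strings in this hunk not passed through `t()`, so they stay untranslated while every label and description around them is translated. Change them to `$output .= form_group(t("HTML filtering"), $group1);` and `$output .= form_group(t("Legacy filtering"), $group2);`. `$group1` and `$group2` are also first used with `.=` without being initialised, which raises an undefined-variable notice under strict error reporting; start each with `$group1 = "";` or use plain `=` on the first append. The same hunk is repeated below for modules/node/node.module.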
@@ -520,6 +524,13 @@ function node_escape_html($text) {
function node_filter_html($text) {
$text = strip_tags($text, variable_get("allowed_html", ""));
+
+ if (variable_get("filter_style", 1)) {
+ $text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
+ }
+
+ $text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
+
return $text;
}
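Review bot: The pattern `/\Wstyle\s*=[^>]+?>/i` replaces everything from the character before `style` up to the closing `>` with a bare `>`, so any legitimate attribute that follows it inside the tag (an `href` after a `style`, for example) is silently discarded together with it; the `/\Won[a-z]+\s*=[^>]+?>/i` line below behaves the same way. Both patterns run after `strip_tags()` has applied the `allowed_html` whitelist to tag names, but they are a deny-list over attribute names rather than an allow-list over attributes, which is the more robust shape for an HTML filter and worth noting as a follow-up. At minimum the intent deserves a comment above the first `preg_replace`, e.g. `// Drop style= / on*= attributes; everything from the attribute to the end of the tag is removed, so later attributes are lost too.` The same hunk is repeated below for modules/node/node.module.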
diff --git a/modules/node/node.module b/modules/node/node.module
index b165709ac..5a13cfc4b 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -507,10 +507,14 @@ function node_settings() {
}
function node_conf_filters() {
- $output .= form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed. If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
- $output .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'STYLE' attributes, 'ON*' attributes and unclosed tags are always stripped."));
- $output .= form_radios(t("Rewrite old URLs"), "rewrite_old_urls", variable_get("rewrite_old_urls", 0), array(t("Disabled"), t("Enabled")), t("The introduction of 'clean URLs' in Drupal 4.2.0 breaks internal URLs that date back from Drupal 4.1.0 and before. If enabled, this filter will attempt to rewrite the old style URLs to avoid broken links. If <code>mod_rewrite</code> is available on your system, use the rewrite rules in Drupal's <code>.htaccess</code> file instead as these will also correct external referrers."));
- $output .= "<hr />";
+ $group1 .= form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
+ $group1 .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "<a> <b> <dd> <dl> <dt> <i> <li> <ol> <u> <ul>"), 64, 255, t("If \"Strip tags\" is selected, optionally specify tags which should not be stripped. 'ON*' attributes and unclosed tags are always stripped."));
+ $group1 .= form_radios(t("HTML style attributes"), "filter_style", variable_get("filter_style", 1), array(t("Allowed"), t("Removed")), t("If \"Strip tags\" is selected, you can choose whether 'STYLE' attributes are allowed or removed from input."));
+ $output .= form_group("HTML filtering", $group1);
+
+ $group2 .= form_radios(t("Rewrite old URLs"), "rewrite_old_urls", variable_get("rewrite_old_urls", 0), array(t("Disabled"), t("Enabled")), t("The introduction of 'clean URLs' in Drupal 4.2.0 breaks internal URLs that date back from Drupal 4.1.0 and before. If enabled, this filter will attempt to rewrite the old style URLs to avoid broken links. If <code>mod_rewrite</code> is available on your system, use the rewrite rules in Drupal's <code>.htaccess</code> file instead as these will also correct external referrers."));
+ $output .= form_group("Legacy filtering", $group2);
+
return $output;
}
@@ -520,6 +524,13 @@ function node_escape_html($text) {
function node_filter_html($text) {
$text = strip_tags($text, variable_get("allowed_html", ""));
+
+ if (variable_get("filter_style", 1)) {
+ $text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
+ }
+
+ $text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
+
return $text;
}
diff --git a/modules/poll.module b/modules/poll.module
index 6e8d16501..8f1710223 100644
--- a/modules/poll.module
+++ b/modules/poll.module
@@ -286,7 +286,7 @@ function poll_view_voting(&$node, $main, $block, $links) {
if ($node->choice) {
foreach ($node->choice as $key => $value) {
if ($value != "") {
- $output .= "<div><input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". filter($value) ."</div>";
+ $output .= "<div><input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". check_output($value) ."</div>";
}
}
}
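Review bot: On the changed line `$key` and `$node->nid` are still interpolated into the `name` and `value` attributes without escaping, while the commit only swaps `filter($value)` for `check_output($value)` on the text between the tags. If the choice keys are numeric array indices this is harmless, but the hunk does not establish that; casting with `(int) $key` when they are numeric, or `htmlspecialchars($key)` otherwise, would make the attribute context as safe as the text context now is. poll_view_voting starts and ends outside the hunk, and the same line is repeated below for modules/poll/poll.module.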
@@ -317,7 +317,7 @@ function poll_view_results(&$node, $main, $block, $links) {
if ($value != "") {
$width = round($node->chvotes[$key] * 100 / max($votestotal, 1));
$percentage = round($node->chvotes[$key] * 100 / max($votestotal, 1));
- $output .= "<div class=\"text\">". filter($value) ."</div>";
+ $output .= "<div class=\"text\">". check_output($value) ."</div>";
$output .= "<div class=\"bar\">";
$output .= "<div style=\"width: ". $width ."%;\" class=\"foreground\"></div>";
$output .= "<div style=\"width: ". (100 - $width) ."%;\" class=\"background\"></div>";
diff --git a/modules/poll/poll.module b/modules/poll/poll.module
index 6e8d16501..8f1710223 100644
--- a/modules/poll/poll.module
+++ b/modules/poll/poll.module
@@ -286,7 +286,7 @@ function poll_view_voting(&$node, $main, $block, $links) {
if ($node->choice) {
foreach ($node->choice as $key => $value) {
if ($value != "") {
- $output .= "<div><input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". filter($value) ."</div>";
+ $output .= "<div><input type=\"radio\" name=\"pollvote[$node->nid]\" value=\"$key\" />". check_output($value) ."</div>";
}
}
}
@@ -317,7 +317,7 @@ function poll_view_results(&$node, $main, $block, $links) {
if ($value != "") {
$width = round($node->chvotes[$key] * 100 / max($votestotal, 1));
$percentage = round($node->chvotes[$key] * 100 / max($votestotal, 1));
- $output .= "<div class=\"text\">". filter($value) ."</div>";
+ $output .= "<div class=\"text\">". check_output($value) ."</div>";
$output .= "<div class=\"bar\">";
$output .= "<div style=\"width: ". $width ."%;\" class=\"foreground\"></div>";
$output .= "<div style=\"width: ". (100 - $width) ."%;\" class=\"background\"></div>";