From 0a8535eeefba6e94ee92027a00460ac280c0cdf3 Mon Sep 17 00:00:00 2001
From: Steven Wittens
Date: Fri, 6 Feb 2004 19:41:00 +0000
Subject: - Fix: do not call prepare hook when the admin has chosen to escape everything - Code style: use constants to prevent confusing configuration options
---
modules/filter.module | 32 +++++++++++++++++++++-----------
modules/filter/filter.module | 32 +++++++++++++++++++++-----------
2 files changed, 42 insertions(+), 22 deletions(-)
(limited to 'modules')
diff --git a/modules/filter.module b/modules/filter.module
index ca7431882..f3ec76311 100644
--- a/modules/filter.module
+++ b/modules/filter.module
@@ -1,6 +1,13 @@
Filters are executed from top-to-bottom. You can use the weight column to rearrange them: heavier filters 'sink' to the bottom. Standard HTML filtering is always run first.

");
case 'filter#long-tip':
case 'filter#short-tip':
- switch (variable_get("filter_html", 1)) {
+ switch (variable_get("filter_html", FILTER_HTML_DONOTHING)) {
case 0:
return t("All HTML tags allowed");
break;
@@ -49,7 +56,7 @@ function filter_admin_order() {
$op = $_POST["op"];
if ($op == t("Save configuration")) {
foreach ($edit as $module => $filter) {
- db_query("UPDATE {filters} SET weight = '%d' WHERE module = '%s'", $filter["weight"], $module);
+ db_query("UPDATE {filters} SET weight = %d WHERE module = '%s'", $filter["weight"], $module);
}
}
@@ -114,7 +121,7 @@ function filter_refresh() {
if (module_hook($module, "filter")) {
$weight = $filters[$module]["weight"];
- db_query("INSERT INTO {filters} (module, weight) VALUES ('%s','%d')", $module, $weight);
+ db_query("INSERT INTO {filters} (module, weight) VALUES ('%s', %d)", $module, $weight);
}
}
@@ -143,9 +150,12 @@ function check_output($text) {
// Filter content on output:
$filters = filter_list();
- // Give filters the chance to escape HTML-like data before being passed to the HTML stripper
- foreach ($filters as $module => $filter) {
- $text = module_invoke($module, "filter", "prepare", $text);
+ // Give filters the chance to escape HTML-like data such as code or formulas
+ // (from this point on, the input can be treated as HTML)
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) != FILTER_HTML_ESCAPE) {
+ foreach ($filters as $module => $filter) {
+ $text = module_invoke($module, "filter", "prepare", $text);
+ }
}
// HTML handling is done before all regular filtering activities
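Review bot: The `case 0:` label in the help-tip switch is still a bare literal while the switch expression now uses FILTER_HTML_DONOTHING; since "All HTML tags allowed" is the do-nothing mode, it should presumably read `case FILTER_HTML_DONOTHING:` (the constant's definition is not legible in this view, so confirm its value). Note also that before this change the tip fell back to 1 while filter_default() fell back to 0, so on a site whose admin never saved the filter settings the tip advertised stripping that did not happen; the commit resolves that disagreement toward the permissive value, which means unconfigured sites render user-submitted markup unfiltered — worth considering FILTER_HTML_STRIP as the fallback, or at least stating the permissive default in the settings description. Most of this hunk's lines are not legible here and the enclosing function starts before the hunk.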
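Review bot: The new comment `// (from this point on, the input can be treated as HTML)` reads as if the text had been made safe at this point, but nothing in the hunk sanitizes it; in FILTER_HTML_DONOTHING mode it is still raw user-supplied markup, and stripping or escaping only happens later (presumably in filter_default(), which is called outside this hunk). Suggest `// (from this point on, the text is handled as HTML; whether it gets stripped or escaped is decided by filter_default() from the filter_html setting)`. The new `if` also deserves a one-line why, e.g. `// In escape mode every tag is escaped anyway, so the prepare pass is not needed`, which is what the commit message implies. check_output()'s body continues past the hunk.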
@@ -172,16 +182,16 @@ function check_output($text) {
}
function filter_default($text) {
- if (variable_get("filter_html", 0) == 1) {
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_STRIP) {
// Allow users to enter HTML, but filter it
$text = strip_tags($text, variable_get("allowed_html", ""));
- if (variable_get("filter_style", 1)) {
+ if (variable_get("filter_style", FILTER_STYLE_STRIP)) {
$text = preg_replace("/\Wstyle\s*=[^>]+?>/i", ">", $text);
}
$text = preg_replace("/\Won[a-z]+\s*=[^>]+?>/i", ">", $text);
}
- if (variable_get("filter_html", 0) == 2) {
+ if (variable_get("filter_html", FILTER_HTML_DONOTHING) == FILTER_HTML_ESCAPE) {
// Escape HTML
$text = htmlspecialchars($text);
}
@@ -190,9 +200,9 @@ function filter_default($text) {
}
function filter_default_settings() {
- $group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", 0), array(0 => t("Do not filter"), 1 => t("Strip tags"), 2 => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
+ $group = form_radios(t("Filter HTML tags"), "filter_html", variable_get("filter_html", FILTER_HTML_DONOTHING), array(FILTER_HTML_DONOTHING => t("Do not filter"), FILTER_HTML_STRIP => t("Strip tags"), FILTER_HTML_ESCAPE => t("Escape tags")), t("How to deal with HTML and PHP tags in user-contributed content. If set to \"Strip tags\", dangerous tags are removed (see below). If set to \"Escape tags\", all HTML is escaped and presented as it was typed."));
$group .= form_textfield(t("Allowed HTML tags"), "allowed_html", variable_get("allowed_html", "
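Review bot: The strip branch's attribute handling is a two-entry blocklist: the retained `preg_replace` calls remove `style=` and `on*=` together with everything up to the next `>` (`[^>]+?>`), so any legitimate attribute written after them on the same tag is dropped as well, while any attribute not named here passes through strip_tags untouched, and the leading `\W` lets the patterns fire on text inside an attribute value; an allowlist of permitted attributes per tag, applied alongside `allowed_html`, would be the safer shape for this code. Separately, `if (variable_get("filter_style", FILTER_STYLE_STRIP))` relies on the constant being truthy whereas the sibling checks in this hunk compare `== FILTER_HTML_STRIP` / `== FILTER_HTML_ESCAPE`; `if (variable_get("filter_style", FILTER_STYLE_STRIP) == FILTER_STYLE_STRIP)` would be consistent (the constant's value is not visible here, so confirm). filter_default() continues past this hunk.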