diff --git a/include/bbcode.php b/include/bbcode.php
index 2293cfc7f..9f41804ba 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1324,11 +1324,9 @@ function bbcode($Text, $options = []) {
 // Replace any html brackets with HTML Entities to prevent executing HTML or script
 // Don't use strip_tags here because it breaks [url] search by replacing & with amp
- // experimental.... not yet working
- // $Text = purify_html($Text);
-// $Text = str_replace("<", "<", $Text);
-// $Text = str_replace(">", ">", $Text);
+ // These are no longer needed since we run the content through purify_html()
+ // $Text = str_replace("<", "<", $Text);
+ // $Text = str_replace(">", ">", $Text);
 // Check for [code] text here, before the linefeeds are messed with.
@@ -1359,7 +1357,7 @@ function bbcode($Text, $options = []) {
 $Text = preg_replace_callback("/\[code(.*?)\](.*?)\[\/code\]/ism", 'bb_code_preprotect', $Text);
- $Text = purify_html($Text);
+ $Text = purify_html($Text, [ 'escape' ]);
 // Perform some markdown conversions before translating linefeeds so as to keep the regexes manageable
diff --git a/include/oembed.php b/include/oembed.php
index bc5069cb5..601b76da2 100644
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -263,7 +263,7 @@ function oembed_fetch_url($embedurl){
 // logger('frame src: ' . $j['html'], LOGGER_DATA);
- $j['html'] = purify_html($j['html'],$allow_position);
+ $j['html'] = purify_html($j['html'], (($allow_position) ? [ 'allow_position' ] : []));
 if($j['html'] != $orig) {
 // logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j['html'], LOGGER_DEBUG, LOG_INFO);
 }
diff --git a/include/text.php b/include/text.php
index a5a8019a5..5d74ee036 100644
--- a/include/text.php
+++ b/include/text.php
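Review bot: The two header comment lines kept above the replaced block ("Replace any html brackets with HTML Entities…", "Don't use strip_tags here…") now describe work that this spot no longer does, and the three new lines keep two commented-out `str_replace` calls as dead code. Since the escaping decision has moved to the `purify_html()` call further down in bbcode(), the whole run is clearer as one pointer: `// HTML in the source is sanitised by the purify_html() call below (after [code] blocks are protected); no bracket escaping is done here.` and the commented-out `str_replace` lines dropped. bbcode() starts and ends outside this hunk.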
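Review bot: The `purify_html($Text, [ 'escape' ])` call runs on the bbcode source, before the tag-to-HTML conversions that follow it in bbcode(), so it only sanitises HTML already present in the input; markup that the later handlers build from user-supplied tag arguments (url, img and similar) is never seen by the purifier and still has to be escaped and scheme-checked by each handler. The `'escape'` flag also changes what users see: tags outside the purifier's whitelist presumably come back as literal text instead of vanishing, which is consistent with the bracket escaping being retired in the hunk above. The call sits right after `bb_code_preprotect`, so whether [code] contents are exposed to the purifier depends on what that callback does, which is not visible here. Pin the boundary at the call site so nobody later simplifies a handler on the assumption that purification covers it: `// purify_html() sanitises raw HTML in the source only; the bbcode handlers below emit their own markup and must escape/validate their arguments themselves.` bbcode() continues outside this hunk.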
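Review bot: The gate on `$allow_position` is the security-relevant part of this call, because the CSS `position` values that purify_html() then admits (absolute/fixed, per the text.php hunk) let fetched third-party embed HTML overlay the host page's own UI; how `$allow_position` is derived is outside this hunk, so the call site should say what it is trusting: `// position:absolute/fixed lets the embed cover our own UI; only set for providers we trust`. The wrapping parentheses add nothing and the ternary reads better bare: `$j['html'] = purify_html($j['html'], $allow_position ? ['allow_position'] : []);`. oembed_fetch_url() starts and ends outside this hunk.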
@@ -150,7 +150,7 @@ function z_input_filter($s,$type = 'text/bbcode',$allow_code = false) {
 * @param boolean $allow_position allow CSS position
 * @return string standards compliant filtered HTML
 */
-function purify_html($s, $allow_position = false) {
+function purify_html($s, $opts = []) {
 /**
 * @FIXME this function has html output, not bbcode - so safely purify these
@@ -163,6 +163,15 @@ function purify_html($s, $allow_position = false) {
 $config->set('Cache.DefinitionImpl', null);
 $config->set('Attr.EnableID', true);
+ // This will escape invalid tags in the output instead of removing.
+ // This is necessary for mixed format (text+bbcode+html+markdown) messages or
+ // some angle brackets in plaintext may get stripped if they look like an HTML tag
+
+ if (in_array('escape',$opts)) {
+ $config->set('Core.EscapeInvalidChildren', true);
+ $config->set('Core.EscapeInvalidTags', true);
+ }
+
 // If enabled, target=blank attributes are added to all links.
 //$config->set('HTML.TargetBlank', true);
 //$config->set('Attr.AllowedFrameTargets', ['_blank', '_self', '_parent', '_top']);
@@ -190,7 +199,7 @@ function purify_html($s, $allow_position = false) {
 //responsive navigation
 $def->info_global_attr['data-responsive-menu'] = new HTMLPurifier_AttrDef_Text;
 $def->info_global_attr['data-responsive-toggle'] = new HTMLPurifier_AttrDef_Text;
- //magellan
+ //magellan
 $def->info_global_attr['data-magellan'] = new HTMLPurifier_AttrDef_Text;
 $def->info_global_attr['data-magellan-target'] = new HTMLPurifier_AttrDef_Text;
@@ -285,7 +294,7 @@ function purify_html($s, $allow_position = false) {
 $def->addElement('button', 'Inline', 'Inline', 'Common');
-if($allow_position) {
+if(in_array('allow_position', $opts)) {
 $cssDefinition = $config->getCSSDefinition();
 $cssDefinition->info['position'] = new HTMLPurifier_AttrDef_Enum(array('absolute', 'fixed', 'relative', 'static', 'inherit'), false);
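Review bot: The docblock directly above the changed signature still reads `@param boolean $allow_position allow CSS position`, but the parameter is now `$opts = []`; it should become `@param array $opts option flags: 'escape' (write invalid tags back as text instead of removing them), 'allow_position' (permit the CSS position property)`. The signature change is also not backward compatible: only two call sites are updated in this diff, and any remaining caller that still passes a boolean will now feed a non-array to in_array(), which is a warning on PHP 7 and a TypeError on PHP 8, while a legacy `true` would silently stop enabling position. If such callers may exist, a one-line shim at the top of the function covers them: `$opts = is_array($opts) ? $opts : ($opts ? ['allow_position'] : []);`. purify_html() continues past this hunk.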
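Review bot: `in_array('escape',$opts)` uses loose comparison; with string flags it works, but `in_array('escape', [true])` is true and on PHP 7 a stray `0` in `$opts` also matches any non-numeric string, so pass the strict flag here and in the `allow_position` check in the last hunk: `if (in_array('escape', $opts, true)) {`. The new comment explains the usability motive but not the security consequence, which is what a reader of a sanitiser wants to know: per HTML Purifier's documentation of `Core.EscapeInvalidTags`, tags outside the whitelist are written back as plain text rather than removed, so the element and attribute definitions built further down in this function still decide what reaches the browser as live markup. Suggested addition after the third comment line: `// Escaped, not removed: the element/attribute whitelist below still decides what becomes live markup.` purify_html() continues past this hunk.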