fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-09 03:32:00 +09:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'develop' into pr/delete-empty-folders

Browse source
This commit is contained in:
Kijin Sung 2017-01-31 13:54:38 +09:00
commit 2cb5c460f9
5 changed files with 84 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

36
common/framework/filters/htmlfilter.php
View file

@ -70,21 +70,37 @@ class HTMLFilter
* Filter HTML content to block XSS attacks. * Filter HTML content to block XSS attacks.
* *
* @param string $input * @param string $input
* @param array|bool $allow_classes (optional)
* @param bool $allow_editor_components (optional) * @param bool $allow_editor_components (optional)
* @param bool $allow_widgets (optional) * @param bool $allow_widgets (optional)
* @return string * @return string
*/ */
public static function clean($input, $allow_editor_components = true, $allow_widgets = false) public static function clean($input, $allow_classes = false, $allow_editor_components = true, $allow_widgets = false)
{ {
foreach (self::$_preproc as $callback) foreach (self::$_preproc as $callback)
{ {
$input = $callback($input); $input = $callback($input);
} }
$allowed_classes = Config::get('mediafilter.classes') ?: array(); if ($allow_classes === true)
if ($allow_widgets)
{ {
$allowed_classes[] = 'zbxe_widget_output'; $allowed_classes = null;
}
else
{
if (is_array($allow_classes))
{
$allowed_classes = array_values($allow_classes);
}
else
{
$allowed_classes = Config::get('mediafilter.classes') ?: array();
}
if ($allow_widgets)
{
$allowed_classes[] = 'zbxe_widget_output';
}
} }
$input = self::_preprocess($input, $allow_editor_components, $allow_widgets); $input = self::_preprocess($input, $allow_editor_components, $allow_widgets);
@ -102,14 +118,17 @@ class HTMLFilter
/** /**
* Get an instance of HTMLPurifier. * Get an instance of HTMLPurifier.
* *
* @param array $allowed_classes (optional) * @param array|null $allowed_classes (optional)
* @return object * @return object
*/ */
public static function getHTMLPurifier($allowed_classes = array()) public static function getHTMLPurifier($allowed_classes = null)
{ {
// Keep separate instances for different sets of allowed classes. // Keep separate instances for different sets of allowed classes.
$allowed_classes = array_unique($allowed_classes); if ($allowed_classes !== null)
sort($allowed_classes); {
$allowed_classes = array_unique($allowed_classes);
sort($allowed_classes);
}
$key = sha1(serialize($allowed_classes)); $key = sha1(serialize($allowed_classes));
// Create an instance with reasonable defaults. // Create an instance with reasonable defaults.
@ -242,6 +261,7 @@ class HTMLFilter
)); ));
// Support additional properties. // Support additional properties.
$def->addAttribute('i', 'aria-hidden', 'Text');
$def->addAttribute('img', 'srcset', 'Text'); $def->addAttribute('img', 'srcset', 'Text');
$def->addAttribute('iframe', 'allowfullscreen', 'Bool'); $def->addAttribute('iframe', 'allowfullscreen', 'Bool');
} }

21
common/js/common.js
View file

@ -313,12 +313,27 @@ jQuery(function($) {
}; };
/** /**
* @brief string prototype으로 trim 함수 추가 * @brief string prototype으로 escape 함수 추가
**/ **/
String.prototype.trim = function() { String.prototype.escape = function(double_escape) {
return this.replace(/(^\s*)|(\s*$)/g, ""); var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
var revmap = { '&amp;amp;': '&amp;', '&amp;lt;': '&lt;', '&amp;gt;': '&gt;', '&amp;quot;': '&quot;', "&amp;#039;": '&#039;' };
var result = String(this).replace(/[&<>"']/g, function(m) { return map[m]; });
if (double_escape === false) {
return result.replace(/&amp;(amp|lt|gt|quot|#039);/g, function(m) { return revmap[m]; });
} else {
return result;
}
}; };
/**
* @brief string prototype으로 trim 함수 추가
**/
if (!String.prototype.trim) {
String.prototype.trim = function() {
return String(this).replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
};
}
})(); })();
/** /**

43
modules/menu/menu.admin.controller.php
View file

@ -1884,29 +1884,32 @@ class menuAdminController extends menu
$names = $oMenuAdminModel->getMenuItemNames($node->name, $site_srl); $names = $oMenuAdminModel->getMenuItemNames($node->name, $site_srl);
foreach($names as $key => $val) foreach($names as $key => $val)
{ {
$name_arr_str .= sprintf('"%s"=>\'%s\',',$key, str_replace(array('\\', '\''), array('\\\\', '\\\''), $val)); $name_arr_str .= sprintf('"%s"=>%s,', $key, var_export($val, true));
} }
$name_str = sprintf('$_names = array(%s); print $_names[$lang_type];', $name_arr_str); $name_str = sprintf('$_names = array(%s); print $_names[$lang_type];', $name_arr_str);
$url = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$node->url); $url = escape($node->url);
$desc = str_replace(array('&','"',"'"),array('&amp;','&quot;','\\\''),$node->desc); $desc = escape($node->desc, false);
if(preg_match('/^([0-9a-zA-Z\_\-]+)$/', $node->url)) if(preg_match('/^([0-9a-zA-Z\_\-]+)$/', $node->url))
{ {
$href = "getSiteUrl('$domain', '','mid','$node->url')"; $href = "getSiteUrl('$domain', '','mid','$node->url')";
} }
else $href = sprintf('"%s"', $url); else
{
$href = var_export($url, true);
}
$is_shortcut = $node->is_shortcut; $is_shortcut = $node->is_shortcut;
$open_window = $node->open_window; $open_window = $node->open_window;
$expand = $node->expand; $expand = $node->expand;
$normal_btn = $node->normal_btn; $normal_btn = $node->normal_btn;
if($normal_btn && strncasecmp('./files/attach/menu_button', $normal_btn, 26) === 0) $normal_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$normal_btn); if($normal_btn && strncasecmp('./files/attach/menu_button', $normal_btn, 26) === 0) $normal_btn = escape($normal_btn);
else $normal_btn = ''; else $normal_btn = '';
$hover_btn = $node->hover_btn; $hover_btn = $node->hover_btn;
if($hover_btn && strncasecmp('./files/attach/menu_button', $hover_btn, 26) === 0) $hover_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$hover_btn); if($hover_btn && strncasecmp('./files/attach/menu_button', $hover_btn, 26) === 0) $hover_btn = escape($hover_btn);
else $hover_btn = ''; else $hover_btn = '';
$active_btn = $node->active_btn; $active_btn = $node->active_btn;
if($active_btn && strncasecmp('./files/attach/menu_button', $active_btn, 26) === 0) $active_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$active_btn); if($active_btn && strncasecmp('./files/attach/menu_button', $active_btn, 26) === 0) $active_btn = escape($active_btn);
else $active_btn = ''; else $active_btn = '';
$group_srls = $node->group_srls; $group_srls = $node->group_srls;
@ -1987,7 +1990,7 @@ class menuAdminController extends menu
} }
else else
{ {
$name_arr_str .= sprintf('"%s"=>\'%s\',', $key, str_replace(array('\\','\''), array('\\\\','\\\''), strip_tags($val))); $name_arr_str .= sprintf('"%s"=>%s,', $key, var_export(Rhymix\Framework\Filters\HTMLFilter::clean($val, true), true));
} }
} }
$name_str = sprintf('$_menu_names[%d] = array(%s); %s', $node->menu_item_srl, $name_arr_str, $child_output['name']); $name_str = sprintf('$_menu_names[%d] = array(%s); %s', $node->menu_item_srl, $name_arr_str, $child_output['name']);
@ -2000,19 +2003,22 @@ class menuAdminController extends menu
else $group_check_code = "true"; else $group_check_code = "true";
// List variables // List variables
$href = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$node->href); $href = escape($node->href);
$url = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$node->url); $url = escape($node->url);
$desc = str_replace(array('&','"',"'"),array('&amp;','&quot;','\\\''),$node->desc); $desc = escape($node->desc, false);
if(preg_match('/^([0-9a-zA-Z\_\-]+)$/i', $node->url)) if(preg_match('/^([0-9a-zA-Z\_\-]+)$/i', $node->url))
{ {
$href = "getSiteUrl('$domain', '','mid','$node->url')"; $href = "getSiteUrl('$domain', '','mid','$node->url')";
} }
else $href = sprintf('"%s"', $url); else
{
$href = var_export($url, true);
}
$is_shortcut = $node->is_shortcut; $is_shortcut = $node->is_shortcut;
$open_window = $node->open_window; $open_window = $node->open_window;
$normal_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$node->normal_btn); $normal_btn = escape($node->normal_btn);
$hover_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$node->hover_btn); $hover_btn = escape($node->hover_btn);
$active_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$node->active_btn); $active_btn = escape($node->active_btn);
foreach($child_output['url_list'] as $key =>$val) foreach($child_output['url_list'] as $key =>$val)
{ {
@ -2024,18 +2030,17 @@ class menuAdminController extends menu
$expand = $node->expand; $expand = $node->expand;
$normal_btn = $node->normal_btn; $normal_btn = $node->normal_btn;
if($normal_btn && strncasecmp('./files/attach/menu_button', $normal_btn, 26) === 0) $normal_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$normal_btn); if($normal_btn && strncasecmp('./files/attach/menu_button', $normal_btn, 26) === 0) $normal_btn = escape($normal_btn);
else $normal_btn = ''; else $normal_btn = '';
$hover_btn = $node->hover_btn; $hover_btn = $node->hover_btn;
if($hover_btn && strncasecmp('./files/attach/menu_button', $hover_btn, 26) === 0) $hover_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$hover_btn); if($hover_btn && strncasecmp('./files/attach/menu_button', $hover_btn, 26) === 0) $hover_btn = escape($hover_btn);
else $hover_btn = ''; else $hover_btn = '';
$active_btn = $node->active_btn; $active_btn = $node->active_btn;
if($active_btn && strncasecmp('./files/attach/menu_button', $active_btn, 26) === 0) $active_btn = str_replace(array('&','"','<','>'),array('&amp;','&quot;','&lt;','&gt;'),$active_btn); if($active_btn && strncasecmp('./files/attach/menu_button', $active_btn, 26) === 0) $active_btn = escape($active_btn);
else $active_btn = ''; else $active_btn = '';
$group_srls = $node->group_srls; $group_srls = $node->group_srls;
if($normal_btn) if($normal_btn)

3
modules/menu/tpl/sitemap.html
View file

@ -1943,8 +1943,7 @@ jQuery(function($){
$(this).addClass('page'); $(this).addClass('page');
} }
//$(this).find('#menuName').val(htInfo.sText); $(this).find('#menuName').val(htInfo.sMenuNameKey.match(/\$user_lang->/) ? htInfo.sMenuNameKey : htInfo.sText);
$(this).find('#menuName').val(htInfo.sMenuNameKey);
$(this).find('#menuDesc').val(htInfo.desc); $(this).find('#menuDesc').val(htInfo.desc);
//menu_name_key //menu_name_key

17
tests/unit/framework/filters/HTMLFilterTest.php
View file

@ -154,6 +154,15 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
$source = '<p class="mytest">Hello World</p>'; $source = '<p class="mytest">Hello World</p>';
$target = '<p class="mytest">Hello World</p>'; $target = '<p class="mytest">Hello World</p>';
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source)); $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source));
config('mediafilter.classes', array());
$source = '<p class="whatever">Hello World</p>';
$target = '<p class="whatever">Hello World</p>';
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true));
$source = '<p class="foobar whatever">Hello World</p>';
$target = '<p class="foobar">Hello World</p>';
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, array('foobar')));
} }
public function testHTMLFilterEditorComponent() public function testHTMLFilterEditorComponent()
@ -176,11 +185,11 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
$source = '<img somekey="somevalue" otherkey="othervalue" onmouseover="alert(\'xss\');" editor_component="component_name" src="./foo/bar.jpg" alt="My Picture" style="width:320px;height:240px;" width="320" height="240" />'; $source = '<img somekey="somevalue" otherkey="othervalue" onmouseover="alert(\'xss\');" editor_component="component_name" src="./foo/bar.jpg" alt="My Picture" style="width:320px;height:240px;" width="320" height="240" />';
$target = '<img src="./foo/bar.jpg" alt="My Picture" style="width:320px;height:240px;" width="320" height="240" />'; $target = '<img src="./foo/bar.jpg" alt="My Picture" style="width:320px;height:240px;" width="320" height="240" />';
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false)); $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false, false));
$source = '<img somekey="somevalue" otherkey="othervalue" onkeypress="alert(\'xss\');" editor_component="component_name" />'; $source = '<img somekey="somevalue" otherkey="othervalue" onkeypress="alert(\'xss\');" editor_component="component_name" />';
$target = ''; $target = '';
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false)); $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false, false));
} }
public function testHTMLFilterWidgetCode() public function testHTMLFilterWidgetCode()
@ -191,11 +200,11 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
$source = '<p>Hello World</p><img class="zbxe_widget_output" widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" />'; $source = '<p>Hello World</p><img class="zbxe_widget_output" widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" />';
$target = '<p>Hello World</p><img widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" src="" class="zbxe_widget_output" alt="" />'; $target = '<p>Hello World</p><img widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" src="" class="zbxe_widget_output" alt="" />';
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true, true)); $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true, true, true));
$source = '<p>Hello World</p><img class="zbxe_widget_output" widget="content" onmouseover="alert(\'xss\');" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" />'; $source = '<p>Hello World</p><img class="zbxe_widget_output" widget="content" onmouseover="alert(\'xss\');" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" />';
$target = '<p>Hello World</p><img widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" src="" class="zbxe_widget_output" alt="" />'; $target = '<p>Hello World</p><img widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" src="" class="zbxe_widget_output" alt="" />';
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true, true)); $this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true, true, true));
} }
public function testHTMLFilterUserContentID() public function testHTMLFilterUserContentID()