mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-01-09 03:32:00 +09:00
Merge branch 'develop' into pr/delete-empty-folders
This commit is contained in:
Kijin Sung
commit
2cb5c460f9
5 changed files with 84 additions and 36 deletions
|
|
@ -70,22 +70,38 @@ class HTMLFilter
|
|||
* Filter HTML content to block XSS attacks.
|
||||
*
|
||||
* @param string $input
|
||||
* @param array|bool $allow_classes (optional)
|
||||
* @param bool $allow_editor_components (optional)
|
||||
* @param bool $allow_widgets (optional)
|
||||
* @return string
|
||||
*/
|
||||
public static function clean($input, $allow_editor_components = true, $allow_widgets = false)
|
||||
public static function clean($input, $allow_classes = false, $allow_editor_components = true, $allow_widgets = false)
|
||||
{
|
||||
foreach (self::$_preproc as $callback)
|
||||
{
|
||||
$input = $callback($input);
|
||||
}
|
||||
|
||||
if ($allow_classes === true)
|
||||
{
|
||||
$allowed_classes = null;
|
||||
}
|
||||
else
|
||||
{
|
||||
if (is_array($allow_classes))
|
||||
{
|
||||
$allowed_classes = array_values($allow_classes);
|
||||
}
|
||||
else
|
||||
{
|
||||
$allowed_classes = Config::get('mediafilter.classes') ?: array();
|
||||
}
|
||||
|
||||
if ($allow_widgets)
|
||||
{
|
||||
$allowed_classes[] = 'zbxe_widget_output';
|
||||
}
|
||||
}
|
||||
|
||||
$input = self::_preprocess($input, $allow_editor_components, $allow_widgets);
|
||||
$output = self::getHTMLPurifier($allowed_classes)->purify($input);
|
||||
|
|
@ -102,14 +118,17 @@ class HTMLFilter
|
|||
/**
|
||||
* Get an instance of HTMLPurifier.
|
||||
*
|
||||
* @param array $allowed_classes (optional)
|
||||
* @param array|null $allowed_classes (optional)
|
||||
* @return object
|
||||
*/
|
||||
public static function getHTMLPurifier($allowed_classes = array())
|
||||
public static function getHTMLPurifier($allowed_classes = null)
|
||||
{
|
||||
// Keep separate instances for different sets of allowed classes.
|
||||
if ($allowed_classes !== null)
|
||||
{
|
||||
$allowed_classes = array_unique($allowed_classes);
|
||||
sort($allowed_classes);
|
||||
}
|
||||
$key = sha1(serialize($allowed_classes));
|
||||
|
||||
// Create an instance with reasonable defaults.
|
||||
|
|
@ -242,6 +261,7 @@ class HTMLFilter
|
|||
));
|
||||
|
||||
// Support additional properties.
|
||||
$def->addAttribute('i', 'aria-hidden', 'Text');
|
||||
$def->addAttribute('img', 'srcset', 'Text');
|
||||
$def->addAttribute('iframe', 'allowfullscreen', 'Bool');
|
||||
}
|
||||
|
|
|
|||
|
|
@ -313,12 +313,27 @@ jQuery(function($) {
|
|||
};
|
||||
|
||||
/**
|
||||
* @brief string prototype으로 trim 함수 추가
|
||||
* @brief string prototype으로 escape 함수 추가
|
||||
**/
|
||||
String.prototype.trim = function() {
|
||||
return this.replace(/(^\s*)|(\s*$)/g, "");
|
||||
String.prototype.escape = function(double_escape) {
|
||||
var map = { '&': '&', '<': '<', '>': '>', '"': '"', "'": ''' };
|
||||
var revmap = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', "&#039;": ''' };
|
||||
var result = String(this).replace(/[&<>"']/g, function(m) { return map[m]; });
|
||||
if (double_escape === false) {
|
||||
return result.replace(/&(amp|lt|gt|quot|#039);/g, function(m) { return revmap[m]; });
|
||||
} else {
|
||||
return result;
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief string prototype으로 trim 함수 추가
|
||||
**/
|
||||
if (!String.prototype.trim) {
|
||||
String.prototype.trim = function() {
|
||||
return String(this).replace(/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g, '');
|
||||
};
|
||||
}
|
||||
})();
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -1884,29 +1884,32 @@ class menuAdminController extends menu
|
|||
$names = $oMenuAdminModel->getMenuItemNames($node->name, $site_srl);
|
||||
foreach($names as $key => $val)
|
||||
{
|
||||
$name_arr_str .= sprintf('"%s"=>\'%s\',',$key, str_replace(array('\\', '\''), array('\\\\', '\\\''), $val));
|
||||
$name_arr_str .= sprintf('"%s"=>%s,', $key, var_export($val, true));
|
||||
}
|
||||
$name_str = sprintf('$_names = array(%s); print $_names[$lang_type];', $name_arr_str);
|
||||
|
||||
$url = str_replace(array('&','"','<','>'),array('&','"','<','>'),$node->url);
|
||||
$desc = str_replace(array('&','"',"'"),array('&','"','\\\''),$node->desc);
|
||||
$url = escape($node->url);
|
||||
$desc = escape($node->desc, false);
|
||||
if(preg_match('/^([0-9a-zA-Z\_\-]+)$/', $node->url))
|
||||
{
|
||||
$href = "getSiteUrl('$domain', '','mid','$node->url')";
|
||||
}
|
||||
else $href = sprintf('"%s"', $url);
|
||||
else
|
||||
{
|
||||
$href = var_export($url, true);
|
||||
}
|
||||
$is_shortcut = $node->is_shortcut;
|
||||
$open_window = $node->open_window;
|
||||
$expand = $node->expand;
|
||||
|
||||
$normal_btn = $node->normal_btn;
|
||||
if($normal_btn && strncasecmp('./files/attach/menu_button', $normal_btn, 26) === 0) $normal_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$normal_btn);
|
||||
if($normal_btn && strncasecmp('./files/attach/menu_button', $normal_btn, 26) === 0) $normal_btn = escape($normal_btn);
|
||||
else $normal_btn = '';
|
||||
$hover_btn = $node->hover_btn;
|
||||
if($hover_btn && strncasecmp('./files/attach/menu_button', $hover_btn, 26) === 0) $hover_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$hover_btn);
|
||||
if($hover_btn && strncasecmp('./files/attach/menu_button', $hover_btn, 26) === 0) $hover_btn = escape($hover_btn);
|
||||
else $hover_btn = '';
|
||||
$active_btn = $node->active_btn;
|
||||
if($active_btn && strncasecmp('./files/attach/menu_button', $active_btn, 26) === 0) $active_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$active_btn);
|
||||
if($active_btn && strncasecmp('./files/attach/menu_button', $active_btn, 26) === 0) $active_btn = escape($active_btn);
|
||||
else $active_btn = '';
|
||||
|
||||
$group_srls = $node->group_srls;
|
||||
|
|
@ -1987,7 +1990,7 @@ class menuAdminController extends menu
|
|||
}
|
||||
else
|
||||
{
|
||||
$name_arr_str .= sprintf('"%s"=>\'%s\',', $key, str_replace(array('\\','\''), array('\\\\','\\\''), strip_tags($val)));
|
||||
$name_arr_str .= sprintf('"%s"=>%s,', $key, var_export(Rhymix\Framework\Filters\HTMLFilter::clean($val, true), true));
|
||||
}
|
||||
}
|
||||
$name_str = sprintf('$_menu_names[%d] = array(%s); %s', $node->menu_item_srl, $name_arr_str, $child_output['name']);
|
||||
|
|
@ -2000,19 +2003,22 @@ class menuAdminController extends menu
|
|||
else $group_check_code = "true";
|
||||
|
||||
// List variables
|
||||
$href = str_replace(array('&','"','<','>'),array('&','"','<','>'),$node->href);
|
||||
$url = str_replace(array('&','"','<','>'),array('&','"','<','>'),$node->url);
|
||||
$desc = str_replace(array('&','"',"'"),array('&','"','\\\''),$node->desc);
|
||||
$href = escape($node->href);
|
||||
$url = escape($node->url);
|
||||
$desc = escape($node->desc, false);
|
||||
if(preg_match('/^([0-9a-zA-Z\_\-]+)$/i', $node->url))
|
||||
{
|
||||
$href = "getSiteUrl('$domain', '','mid','$node->url')";
|
||||
}
|
||||
else $href = sprintf('"%s"', $url);
|
||||
else
|
||||
{
|
||||
$href = var_export($url, true);
|
||||
}
|
||||
$is_shortcut = $node->is_shortcut;
|
||||
$open_window = $node->open_window;
|
||||
$normal_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$node->normal_btn);
|
||||
$hover_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$node->hover_btn);
|
||||
$active_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$node->active_btn);
|
||||
$normal_btn = escape($node->normal_btn);
|
||||
$hover_btn = escape($node->hover_btn);
|
||||
$active_btn = escape($node->active_btn);
|
||||
|
||||
foreach($child_output['url_list'] as $key =>$val)
|
||||
{
|
||||
|
|
@ -2024,18 +2030,17 @@ class menuAdminController extends menu
|
|||
$expand = $node->expand;
|
||||
|
||||
$normal_btn = $node->normal_btn;
|
||||
if($normal_btn && strncasecmp('./files/attach/menu_button', $normal_btn, 26) === 0) $normal_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$normal_btn);
|
||||
if($normal_btn && strncasecmp('./files/attach/menu_button', $normal_btn, 26) === 0) $normal_btn = escape($normal_btn);
|
||||
else $normal_btn = '';
|
||||
|
||||
$hover_btn = $node->hover_btn;
|
||||
if($hover_btn && strncasecmp('./files/attach/menu_button', $hover_btn, 26) === 0) $hover_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$hover_btn);
|
||||
if($hover_btn && strncasecmp('./files/attach/menu_button', $hover_btn, 26) === 0) $hover_btn = escape($hover_btn);
|
||||
else $hover_btn = '';
|
||||
|
||||
$active_btn = $node->active_btn;
|
||||
if($active_btn && strncasecmp('./files/attach/menu_button', $active_btn, 26) === 0) $active_btn = str_replace(array('&','"','<','>'),array('&','"','<','>'),$active_btn);
|
||||
if($active_btn && strncasecmp('./files/attach/menu_button', $active_btn, 26) === 0) $active_btn = escape($active_btn);
|
||||
else $active_btn = '';
|
||||
|
||||
|
||||
$group_srls = $node->group_srls;
|
||||
|
||||
if($normal_btn)
|
||||
|
|
|
|||
|
|
@ -1943,8 +1943,7 @@ jQuery(function($){
|
|||
$(this).addClass('page');
|
||||
}
|
||||
|
||||
//$(this).find('#menuName').val(htInfo.sText);
|
||||
$(this).find('#menuName').val(htInfo.sMenuNameKey);
|
||||
$(this).find('#menuName').val(htInfo.sMenuNameKey.match(/\$user_lang->/) ? htInfo.sMenuNameKey : htInfo.sText);
|
||||
$(this).find('#menuDesc').val(htInfo.desc);
|
||||
//menu_name_key
|
||||
|
||||
|
|
|
|||
|
|
@ -154,6 +154,15 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
|
|||
$source = '<p class="mytest">Hello World</p>';
|
||||
$target = '<p class="mytest">Hello World</p>';
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source));
|
||||
|
||||
config('mediafilter.classes', array());
|
||||
$source = '<p class="whatever">Hello World</p>';
|
||||
$target = '<p class="whatever">Hello World</p>';
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true));
|
||||
|
||||
$source = '<p class="foobar whatever">Hello World</p>';
|
||||
$target = '<p class="foobar">Hello World</p>';
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, array('foobar')));
|
||||
}
|
||||
|
||||
public function testHTMLFilterEditorComponent()
|
||||
|
|
@ -176,11 +185,11 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
|
|||
|
||||
$source = '<img somekey="somevalue" otherkey="othervalue" onmouseover="alert(\'xss\');" editor_component="component_name" src="./foo/bar.jpg" alt="My Picture" style="width:320px;height:240px;" width="320" height="240" />';
|
||||
$target = '<img src="./foo/bar.jpg" alt="My Picture" style="width:320px;height:240px;" width="320" height="240" />';
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false));
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false, false));
|
||||
|
||||
$source = '<img somekey="somevalue" otherkey="othervalue" onkeypress="alert(\'xss\');" editor_component="component_name" />';
|
||||
$target = '';
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false));
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, false, false));
|
||||
}
|
||||
|
||||
public function testHTMLFilterWidgetCode()
|
||||
|
|
@ -191,11 +200,11 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
|
|||
|
||||
$source = '<p>Hello World</p><img class="zbxe_widget_output" widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" />';
|
||||
$target = '<p>Hello World</p><img widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" src="" class="zbxe_widget_output" alt="" />';
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true, true));
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true, true, true));
|
||||
|
||||
$source = '<p>Hello World</p><img class="zbxe_widget_output" widget="content" onmouseover="alert(\'xss\');" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" />';
|
||||
$target = '<p>Hello World</p><img widget="content" skin="default" colorset="white" widget_sequence="1234" widget_cache="1m" content_type="document" module_srls="56" list_type="normal" tab_type="none" markup_type="table" page_count="1" option_view="title,regdate,nickname" show_browser_title="Y" show_comment_count="Y" show_trackback_count="Y" show_category="Y" show_icon="Y" show_secret="N" order_target="regdate" order_type="desc" thumbnail_type="crop" src="" class="zbxe_widget_output" alt="" />';
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true, true));
|
||||
$this->assertEquals($target, Rhymix\Framework\Filters\HTMLFilter::clean($source, true, true, true));
|
||||
}
|
||||
|
||||
public function testHTMLFilterUserContentID()
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue