Révision 0695d136
Ajouté par Assos Assos il y a plus de 9 ans
| drupal7/sites/all/modules/ckeditor/includes/ckeditor.page.inc | ||
|---|---|---|
| 223 | 223 |
* AJAX callback - XSS filter |
| 224 | 224 |
*/ |
| 225 | 225 |
function ckeditor_filter_xss() {
|
| 226 |
header('Content-Type: text/html; charset=utf-8');
|
|
| 226 |
header('Content-Type: text/plain; charset=utf-8');
|
|
| 227 | 227 |
$GLOBALS['devel_shutdown'] = FALSE; |
| 228 | 228 |
|
| 229 |
if (!isset($_POST['text']) || !is_string($_POST['text']) || !isset($_POST['input_format']) || !is_string($_POST['input_format']) || !isset($_POST['token']) || !drupal_valid_token($_POST['token'], 'ckeditorAjaxCall', TRUE)) {
|
|
| 229 |
if (!isset($_POST['text']) || !is_string($_POST['text']) || !isset($_POST['input_format']) || !is_string($_POST['input_format']) || !isset($_POST['token']) || !drupal_valid_token($_POST['token'], 'ckeditorAjaxCall', FALSE)) {
|
|
| 230 | 230 |
exit; |
| 231 | 231 |
} |
| 232 | 232 |
|
| ... | ... | |
| 236 | 236 |
} |
| 237 | 237 |
|
| 238 | 238 |
module_load_include('inc', 'ckeditor', 'includes/ckeditor.lib');
|
| 239 |
$profile = ckeditor_get_profile($_POST['input_format']); |
|
| 240 | 239 |
|
| 241 | 240 |
$text = $_POST['text']; |
| 242 | 241 |
$filters = filter_get_filters(); |
| ... | ... | |
| 250 | 249 |
continue; |
| 251 | 250 |
} |
| 252 | 251 |
|
| 253 |
//Call default CKEditor built-in filter
|
|
| 252 |
// Built-in filter module, a special case where we would like to strip XSS and nothing more
|
|
| 254 | 253 |
if ($name == 'filter_html' && $security_filters['filters']['filter_html'] == 1) {
|
| 255 | 254 |
preg_match_all("|</?([a-z][a-z0-9]*)(?:\b[^>]*)>|i", $text, $matches);
|
| 256 | 255 |
if ($matches[1]) {
|
| 257 |
$tags = array_unique(array_merge($matches[1], array('!--')));
|
|
| 258 |
$tags = array_map('strtolower', $tags);
|
|
| 256 |
|
|
| 257 |
// Sources of inspiration: |
|
| 258 |
// http://www.w3.org/TR/html4/index/elements.html |
|
| 259 |
// http://www.w3.org/TR/html-markup/elements.html |
|
| 260 |
// https://developer.mozilla.org/en-US/docs/Web/HTML/Element |
|
| 261 |
|
|
| 262 |
$base_allowed_tags = array('a','abbr','acronym','address','area','article','aside','audio','b','base','basefont',
|
|
| 263 |
'bdi','bdo','big','blockquote','body','br','button','canvas','caption','center','cite','code','col','colgroup', |
|
| 264 |
'command','datalist','dd','del','details','dfn','dialog','dir','div','dl','dt','em','fieldset','figcaption', |
|
| 265 |
'figure','font','footer','form','h1','h2','h3','h4','h5','h6','head','header','hgroup','hr','html','i','img', |
|
| 266 |
'input','ins','isindex','kbd','keygen','label','legend','li','main','map','mark','menu','menuitem','meter', |
|
| 267 |
'nav','noframes','noscript','ol','optgroup','option','output','p','param','pre','progress','q','rp','rt', |
|
| 268 |
'ruby','s','samp','section','select','small','source','span','strike','strong','sub','summary','sup','table', |
|
| 269 |
'tbody','td','textarea','tfoot','th','thead','time','title','tr','track','tt','u','ul','var','video','wbr', |
|
| 270 |
); |
|
| 271 |
|
|
| 272 |
// Get tags allowed in filter settings |
|
| 273 |
$filter_allowed_tags = preg_split('/\s+|<|>/', $object->settings['allowed_html'], -1, PREG_SPLIT_NO_EMPTY);
|
|
| 274 |
|
|
| 275 |
// Combine allowed tags |
|
| 276 |
$tags = array_merge($base_allowed_tags, $filter_allowed_tags); |
|
| 277 |
|
|
| 278 |
// Tags provided by hook |
|
| 279 |
$hooks_allowed_tags = module_invoke_all('ckeditor_filter_xss_allowed_tags');
|
|
| 280 |
if (!empty($hooks_allowed_tags) && is_array($hooks_allowed_tags)){
|
|
| 281 |
foreach($hooks_allowed_tags as $tag ){
|
|
| 282 |
if (!empty($tag) && is_string($tag) && !in_array($tag,$tags)){
|
|
| 283 |
array_push($tags,$tag); |
|
| 284 |
} |
|
| 285 |
} |
|
| 286 |
} |
|
| 287 |
|
|
| 259 | 288 |
$text = filter_xss($text, $tags); |
| 260 | 289 |
} |
| 261 | 290 |
continue; |
Formats disponibles : Unified diff
Weekly update of contrib modules