Révision 0695d136
Ajouté par Assos Assos il y a plus de 9 ans
drupal7/sites/all/modules/ckeditor/includes/ckeditor.page.inc | ||
223 | 223 |
* AJAX callback - XSS filter |
224 | 224 |
*/ |
225 | 225 |
function ckeditor_filter_xss() { |
226 |
header('Content-Type: text/html; charset=utf-8');
|
|
226 |
header('Content-Type: text/plain; charset=utf-8');
|
|
227 | 227 |
$GLOBALS['devel_shutdown'] = FALSE; |
228 | 228 |
|
229 |
if (!isset($_POST['text']) || !is_string($_POST['text']) || !isset($_POST['input_format']) || !is_string($_POST['input_format']) || !isset($_POST['token']) || !drupal_valid_token($_POST['token'], 'ckeditorAjaxCall', TRUE)) {
|
|
229 |
if (!isset($_POST['text']) || !is_string($_POST['text']) || !isset($_POST['input_format']) || !is_string($_POST['input_format']) || !isset($_POST['token']) || !drupal_valid_token($_POST['token'], 'ckeditorAjaxCall', FALSE)) {
|
|
230 | 230 |
exit; |
231 | 231 |
} |
232 | 232 |
|
... | ... | |
236 | 236 |
} |
237 | 237 |
|
238 | 238 |
module_load_include('inc', 'ckeditor', 'includes/ckeditor.lib'); |
239 |
$profile = ckeditor_get_profile($_POST['input_format']); |
|
240 | 239 |
|
241 | 240 |
$text = $_POST['text']; |
242 | 241 |
$filters = filter_get_filters(); |
... | ... | |
250 | 249 |
continue; |
251 | 250 |
} |
252 | 251 |
|
253 |
//Call default CKEditor built-in filter
|
|
252 |
// Built-in filter module, a special case where we would like to strip XSS and nothing more
|
|
254 | 253 |
if ($name == 'filter_html' && $security_filters['filters']['filter_html'] == 1) { |
255 | 254 |
preg_match_all("|</?([a-z][a-z0-9]*)(?:\b[^>]*)>|i", $text, $matches); |
256 | 255 |
if ($matches[1]) { |
257 |
$tags = array_unique(array_merge($matches[1], array('!--'))); |
|
258 |
$tags = array_map('strtolower', $tags); |
|
256 |
|
|
257 |
// Sources of inspiration: |
|
258 |
// http://www.w3.org/TR/html4/index/elements.html |
|
259 |
// http://www.w3.org/TR/html-markup/elements.html |
|
260 |
// https://developer.mozilla.org/en-US/docs/Web/HTML/Element |
|
261 |
|
|
262 |
$base_allowed_tags = array('a','abbr','acronym','address','area','article','aside','audio','b','base','basefont', |
|
263 |
'bdi','bdo','big','blockquote','body','br','button','canvas','caption','center','cite','code','col','colgroup', |
|
264 |
'command','datalist','dd','del','details','dfn','dialog','dir','div','dl','dt','em','fieldset','figcaption', |
|
265 |
'figure','font','footer','form','h1','h2','h3','h4','h5','h6','head','header','hgroup','hr','html','i','img', |
|
266 |
'input','ins','isindex','kbd','keygen','label','legend','li','main','map','mark','menu','menuitem','meter', |
|
267 |
'nav','noframes','noscript','ol','optgroup','option','output','p','param','pre','progress','q','rp','rt', |
|
268 |
'ruby','s','samp','section','select','small','source','span','strike','strong','sub','summary','sup','table', |
|
269 |
'tbody','td','textarea','tfoot','th','thead','time','title','tr','track','tt','u','ul','var','video','wbr', |
|
270 |
); |
|
271 |
|
|
272 |
// Get tags allowed in filter settings |
|
273 |
$filter_allowed_tags = preg_split('/\s+|<|>/', $object->settings['allowed_html'], -1, PREG_SPLIT_NO_EMPTY); |
|
274 |
|
|
275 |
// Combine allowed tags |
|
276 |
$tags = array_merge($base_allowed_tags, $filter_allowed_tags); |
|
277 |
|
|
278 |
// Tags provided by hook |
|
279 |
$hooks_allowed_tags = module_invoke_all('ckeditor_filter_xss_allowed_tags'); |
|
280 |
if (!empty($hooks_allowed_tags) && is_array($hooks_allowed_tags)){ |
|
281 |
foreach($hooks_allowed_tags as $tag ){ |
|
282 |
if (!empty($tag) && is_string($tag) && !in_array($tag,$tags)){ |
|
283 |
array_push($tags,$tag); |
|
284 |
} |
|
285 |
} |
|
286 |
} |
|
287 |
|
|
259 | 288 |
$text = filter_xss($text, $tags); |
260 | 289 |
} |
261 | 290 |
continue; |
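Review bot: The allow-list built in the filter_html branch (new lines 262–286) is no longer case-normalised: the removed `$tags = array_map('strtolower', $tags);` has no replacement, and a mixed-case entry coming from `allowed_html` or from a `hook_ckeditor_filter_xss_allowed_tags()` implementation would, as far as I recall filter_xss()'s lookup of the lower-cased element name, never match and the tag would be stripped silently. I would normalise once after merging, `$tags = array_unique(array_map('strtolower', array_merge($base_allowed_tags, $filter_allowed_tags)));`, and in the hook loop test `!in_array(strtolower($tag), $tags, TRUE)` before `$tags[] = strtolower($tag);`. Separately, the base list admits `base`, `form`, `input`, `button` and `keygen`, which filter_xss() keeps together with their attributes; since a `<base href>` rewrites every relative URL of the page the filtered content ends up in, that entry deserves either a comment stating why it is accepted or removal. The `preg_match_all()` / `if ($matches[1])` pair on new lines 254–255 now only gates the branch, because `$matches` no longer contributes to `$tags`, so a comment saying so (or dropping the gate) would help the next reader. The enclosing foreach and the rest of ckeditor_filter_xss() continue outside the hunk; I am reading the second line of each old/new pair as the new side.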
Weekly update of contrib modules