From 7ab0309d0c8d931d7ab48396e91b23d603ab4dc3 Mon Sep 17 00:00:00 2001
From: Frank Ronny Larsen
Date: Wed, 10 Jul 2013 09:59:35 +0200
Subject: [PATCH] OPPG-413: If using defaults, add extra tags for table etc. too. + Extra validation for image/video/audio
---
 h5p.classes.php | 101 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 84 insertions(+), 17 deletions(-)
diff --git a/h5p.classes.php b/h5p.classes.php
index 6dd6577..9a99983 100644
--- a/h5p.classes.php
+++ b/h5p.classes.php
@@ -1152,6 +1152,7 @@ class H5PContentValidator {
 'boolean' => 'validateBoolean',
 'list' => 'validateList',
 'group' => 'validateGroup',
+ 'file' => 'validateFile',
 'image' => 'validateImage',
 'video' => 'validateVideo',
 'audio' => 'validateAudio',
@@ -1193,26 +1194,27 @@ class H5PContentValidator {
 // Build allowed tag list, based in $semantics->tags and known defaults.
 // These four are always allowed.
 $tags = array('div', 'span', 'p', 'br');
- if (isset($semantics->tags)) {
- $tags = array_merge($tags, $semantics->tags);
- // Add related tags for table etc.
- if (in_array('table', $semantics->tags)) {
- $tags = array_merge($tags, array('tr', 'td', 'th', 'colgroup', 'thead', 'tbody', 'tfoot'));
- }
- if (in_array('b', $semantics->tags)) {
- $tags[] = 'strong';
- }
- if (in_array('i', $semantics->tags)) {
- $tags[] = 'em';
- }
- if (in_array('ul', $semantics->tags) || in_array('ol', $semantics->tags)) {
- $tags[] = 'li';
- }
- }
- else {
+ if (! isset($semantics->tags)) {
 // Add defaults used in javascript.
 $tags = array_merge($tags, array('strong', 'em', 'del', 'h2', 'h3', 'a', 'ul', 'ol', 'table', 'hr'));
 }
+ else {
+ $tags = array_merge($tags, $semantics->tags);
+ }
+
+ // Add related tags for table etc.
+ if (in_array('table', $semantics->tags)) {
+ $tags = array_merge($tags, array('tr', 'td', 'th', 'colgroup', 'thead', 'tbody', 'tfoot'));
+ }
+ if (in_array('b', $semantics->tags)) {
+ $tags[] = 'strong';
+ }
+ if (in_array('i', $semantics->tags)) {
+ $tags[] = 'em';
+ }
+ if (in_array('ul', $semantics->tags) || in_array('ol', $semantics->tags)) {
+ $tags[] = 'li';
+ }
 $allowedtags = implode('', array_map(array($this, 'bracketTags'), $tags));
 // Strip invalid HTML tags.
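Review bot: The four related-tag checks that the commit moves out of the `isset` branch still test `$semantics->tags`, so in the defaults case the subject line describes (`$semantics->tags` unset) `in_array('table', $semantics->tags)` reads an undefined property and hands `in_array` null, which it rejects (a warning and a null result on PHP 5, a TypeError on PHP 8) — the `tr`/`td`/`th`/`li` tags are never added for the defaults. Each check should consult the merged list instead: `if (in_array('table', $tags)) {`, and likewise for `'b'`, `'i'` and `'ul'`/`'ol'`. Passing `true` as `in_array`'s third argument would also make the tag comparison strict. The enclosing method begins before and continues after this hunk.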
@@ -1322,6 +1324,26 @@ class H5PContentValidator {
 }
 }
+ /**
+ * Validate given file data
+ */
+ public function validateFile(&$file, $semantics) {
+ $file->path = htmlspecialchars($file->path);
+ $file->mime = htmlspecialchars($file->mime);
+
+ // Remove attributes that should not exist, they may contain JSON escape
+ // code.
+ $validkeys = array('path', 'mime');
+ if (isset($semantics->extraAttributes)) {
+ $validkeys = array_merge($validkeys, $semantics->extraAttributes);
+ }
+ foreach ($image as $key => $value) {
+ if (!in_array($key, $validkeys)) {
+ unset($image->$key);
+ }
+ }
+ }
+
 /**
 * Validate given image data
 */
@@ -1330,6 +1352,21 @@ class H5PContentValidator {
 if (isset($image->mime) && substr($image->mime, 0, 5) !== 'image') {
 unset($image->mime);
 }
+ else {
+ $file->mime = htmlspecialchars($file->mime);
+ }
+
+ // Remove attributes that should not exist, they may contain JSON escape
+ // code.
+ $validkeys = array('path', 'mime', 'width', 'height');
+ if (isset($semantics->extraAttributes)) {
+ $validkeys = array_merge($validkeys, $semantics->extraAttributes);
+ }
+ foreach ($image as $key => $value) {
+ if (!in_array($key, $validkeys)) {
+ unset($image->$key);
+ }
+ }
 }
 /**
@@ -1341,6 +1378,21 @@ class H5PContentValidator {
 if (isset($variant->mime) && substr($variant->mime, 0, 5) !== 'video') {
 unset($variant->mime);
 }
+ else {
+ $variant->mime = htmlspecialchars($variant->mime);
+ }
+
+ // Remove attributes that should not exist, they may contain JSON escape
+ // code.
+ $validkeys = array('path', 'mime', 'width', 'height');
+ if (isset($semantics->extraAttributes)) {
+ $validkeys = array_merge($validkeys, $semantics->extraAttributes);
+ }
+ foreach ($variant as $key => $value) {
+ if (!in_array($key, $validkeys)) {
+ unset($variant->$key);
+ }
+ }
 }
 }
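Review bot: `validateFile` loops over `$image`, which is not defined in this method, in `foreach ($image as $key => $value)` and `unset($image->$key)`, so the loop iterates null (a warning) and no property of `$file` is ever removed despite the comment above it; both lines should use the parameter: `foreach ($file as $key => $value) {` and `unset($file->$key);`. The two `htmlspecialchars` calls on `$file->path` and `$file->mime` also run without an `isset` guard, unlike the `mime` handling in the image, video and audio validators, so a missing property yields a notice and presumably an empty string written back. Because the first hunk wires `'file' => 'validateFile'` into the dispatch table, this method is reachable from semantics as committed, with its whitelist effectively disabled.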
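Review bot: The new `else` branch in `validateImage` writes `$file->mime = htmlspecialchars($file->mime);`, but this method's parameter is `$image` and no `$file` exists here — PHP 5 creates a default object from the empty value with a warning (PHP 8 throws), and `$image->mime` is left unescaped, unlike the parallel branches in the video and audio validators. The line should be `$image->mime = htmlspecialchars($image->mime);`. Note also that this `else` (and the same shape in the video and audio hunks) runs when `mime` is absent, because the `if` above it is guarded by `isset($image->mime)`, so `htmlspecialchars` is applied to a missing property and an empty `mime` is created; `elseif (isset($image->mime))` would keep absent properties absent. validateImage's body starts before this hunk.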
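Review bot: The attribute-stripping block added here — `$validkeys` through the `foreach ($variant …)` that `unset`s anything not whitelisted — is repeated with only the base key list changed in `validateFile`, `validateImage` and, in the following hunk, `validateAudio`; a single private helper taking the object, its base key list and `$semantics` would keep the four whitelists consistent and make the non-strict `in_array($key, $validkeys)` a one-place fix (`true` as third argument). Attributes retained through `$semantics->extraAttributes` are passed through unescaped while `path`/`mime` go through `htmlspecialchars`; that is presumably intended because semantics come from the library rather than the content author, and a comment saying so would help: `// extraAttributes are declared by library semantics and are kept as-is.` validateVideo's body starts before this hunk.
```php
  // in validateVideo, replacing the whitelist merge and the foreach:
  $this->filterParams($variant, array('path', 'mime', 'width', 'height'), $semantics);

  /**
   * Remove every property of $obj that is neither in $validkeys nor listed in
   * $semantics->extraAttributes; such properties may contain JSON escape code.
   */
  private function filterParams($obj, $validkeys, $semantics) {
    if (isset($semantics->extraAttributes)) {
      $validkeys = array_merge($validkeys, $semantics->extraAttributes);
    }
    foreach ($obj as $key => $value) {
      if (!in_array($key, $validkeys, true)) {
        unset($obj->$key);
      }
    }
  }
```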
@@ -1353,6 +1405,21 @@ class H5PContentValidator {
 if (isset($variant->mime) && substr($variant->mime, 0, 5) !== 'audio') {
 unset($variant->mime);
 }
+ else {
+ $variant->mime = htmlspecialchars($variant->mime);
+ }
+
+ // Remove attributes that should not exist, they may contain JSON escape
+ // code.
+ $validkeys = array('path', 'mime');
+ if (isset($semantics->extraAttributes)) {
+ $validkeys = array_merge($validkeys, $semantics->extraAttributes);
+ }
+ foreach ($variant as $key => $value) {
+ if (!in_array($key, $validkeys)) {
+ unset($variant->$key);
+ }
+ }
 }
 }