Make sure styles are filtered if they're not specified in the semantics.

semantics-font
Frode Petterson 2015-05-11 14:15:16 +02:00
parent e404c3ac68
commit cee887901b
1 changed files with 26 additions and 13 deletions


@ -2475,8 +2475,25 @@ class H5PContentValidator {
$tags[] = 's'; $tags[] = 's';
} }
// Determine allowed style tags
$stylePatterns = array();
if (isset($semantics->font)) {
if (isset($semantics->font->size) && $semantics->font->size) {
$stylePatterns[] = '/^font-size: *[0-9.]+(em|px|%) *;?$/i';
}
if (isset($semantics->font->family) && $semantics->font->family) {
$stylePatterns[] = '/^font-family: *[a-z0-9," ]+;?$/i';
}
if (isset($semantics->font->color) && $semantics->font->color) {
$stylePatterns[] = '/^color: *(#[a-f0-9]{3}[a-f0-9]{3}?|rgba?\([0-9, ]+\)) *;?$/i';
}
if (isset($semantics->font->background) && $semantics->font->background) {
$stylePatterns[] = '/^background-color: *(#[a-f0-9]{3}[a-f0-9]{3}?|rgba?\([0-9, ]+\)) *;?$/i';
}
}
// Strip invalid HTML tags. // Strip invalid HTML tags.
$text = $this->filter_xss($text, $tags); $text = $this->filter_xss($text, $tags, $stylePatterns);
} }
else { else {
// Filter text to plain text. // Filter text to plain text.
@ -2899,7 +2916,7 @@ class H5PContentValidator {
* *
* @ingroup sanitization * @ingroup sanitization
*/ */
private function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) { private function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'), $allowedStyles = FALSE) {
if (strlen($string) == 0) { if (strlen($string) == 0) {
return $string; return $string;
} }
@ -2910,6 +2927,8 @@ class H5PContentValidator {
return ''; return '';
} }
$this->allowedStyles = $allowedStyles;
// Store the text format. // Store the text format.
$this->_filter_xss_split($allowed_tags, TRUE); $this->_filter_xss_split($allowed_tags, TRUE);
// Remove NULL characters (ignored by some browsers). // Remove NULL characters (ignored by some browsers).
@ -3003,7 +3022,7 @@ class H5PContentValidator {
$xhtml_slash = $count ? ' /' : ''; $xhtml_slash = $count ? ' /' : '';
// Clean up attributes. // Clean up attributes.
$attr2 = implode(' ', $this->_filter_xss_attributes($attrlist, $elem === 'span')); $attr2 = implode(' ', $this->_filter_xss_attributes($attrlist, ($elem === 'span' ? $this->allowedStyles : FALSE)));
$attr2 = preg_replace('/[<>]/', '', $attr2); $attr2 = preg_replace('/[<>]/', '', $attr2);
$attr2 = strlen($attr2) ? ' ' . $attr2 : ''; $attr2 = strlen($attr2) ? ' ' . $attr2 : '';
@ -3016,7 +3035,7 @@ class H5PContentValidator {
* @return * @return
* Cleaned up version of the HTML attributes. * Cleaned up version of the HTML attributes.
*/ */
private function _filter_xss_attributes($attr, $allowStyles = FALSE) { private function _filter_xss_attributes($attr, $allowedStyles = FALSE) {
$attrarr = array(); $attrarr = array();
$mode = 0; $mode = 0;
$attrname = ''; $attrname = '';
@ -3056,18 +3075,12 @@ class H5PContentValidator {
case 2: case 2:
// Attribute value, a URL after href= for instance. // Attribute value, a URL after href= for instance.
if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match)) { if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match)) {
if ($allowedStyles && $attrname === 'style') {
if ($allowStyles && $attrname === 'style') {
// Allow certain styles // Allow certain styles
$patterns = array( foreach ($allowedStyles as $pattern) {
'/^font-size: *[0-9.]+(em|px|%) *;?$/i',
'/^font-family: *[a-z0-9," ]+;?$/i',
'/^color: *(#[a-f0-9]{3}[a-f0-9]{3}?|rgba?\([0-9, ]+\)) *;?$/i',
'/^background-color: *(#[a-f0-9]{3}[a-f0-9]{3}?|rgba?\([0-9, ]+\)) *;?$/i',
);
foreach ($patterns as $pattern) {
if (preg_match($pattern, $match[1])) { if (preg_match($pattern, $match[1])) {
$attrarr[] = 'style="' . $match[1] . '"'; $attrarr[] = 'style="' . $match[1] . '"';
break;
} }
} }
break; break;