Merge branch 'semantics-font' into release

redesign-copyrights
Svein-Tore Griff With 2015-05-13 14:06:56 +02:00
commit e2b6f3527e
1 changed files with 35 additions and 4 deletions

View File

@ -2475,8 +2475,26 @@ class H5PContentValidator {
if (in_array('del', $tags) || in_array('strike', $tags) && ! in_array('s', $tags)) { if (in_array('del', $tags) || in_array('strike', $tags) && ! in_array('s', $tags)) {
$tags[] = 's'; $tags[] = 's';
} }
// Determine allowed style tags
$stylePatterns = array();
if (isset($semantics->font)) {
if (isset($semantics->font->size) && $semantics->font->size) {
$stylePatterns[] = '/^font-size: *[0-9.]+(em|px|%) *;?$/i';
}
if (isset($semantics->font->family) && $semantics->font->family) {
$stylePatterns[] = '/^font-family: *[a-z0-9," ]+;?$/i';
}
if (isset($semantics->font->color) && $semantics->font->color) {
$stylePatterns[] = '/^color: *(#[a-f0-9]{3}[a-f0-9]{3}?|rgba?\([0-9, ]+\)) *;?$/i';
}
if (isset($semantics->font->background) && $semantics->font->background) {
$stylePatterns[] = '/^background-color: *(#[a-f0-9]{3}[a-f0-9]{3}?|rgba?\([0-9, ]+\)) *;?$/i';
}
}
// Strip invalid HTML tags. // Strip invalid HTML tags.
$text = $this->filter_xss($text, $tags); $text = $this->filter_xss($text, $tags, $stylePatterns);
} }
else { else {
// Filter text to plain text. // Filter text to plain text.
@ -2899,7 +2917,7 @@ class H5PContentValidator {
* *
* @ingroup sanitization * @ingroup sanitization
*/ */
private function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) { private function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'), $allowedStyles = FALSE) {
if (strlen($string) == 0) { if (strlen($string) == 0) {
return $string; return $string;
} }
@ -2910,6 +2928,8 @@ class H5PContentValidator {
return ''; return '';
} }
$this->allowedStyles = $allowedStyles;
// Store the text format. // Store the text format.
$this->_filter_xss_split($allowed_tags, TRUE); $this->_filter_xss_split($allowed_tags, TRUE);
// Remove NULL characters (ignored by some browsers). // Remove NULL characters (ignored by some browsers).
@ -3003,7 +3023,7 @@ class H5PContentValidator {
$xhtml_slash = $count ? ' /' : ''; $xhtml_slash = $count ? ' /' : '';
// Clean up attributes. // Clean up attributes.
$attr2 = implode(' ', $this->_filter_xss_attributes($attrlist)); $attr2 = implode(' ', $this->_filter_xss_attributes($attrlist, ($elem === 'span' ? $this->allowedStyles : FALSE)));
$attr2 = preg_replace('/[<>]/', '', $attr2); $attr2 = preg_replace('/[<>]/', '', $attr2);
$attr2 = strlen($attr2) ? ' ' . $attr2 : ''; $attr2 = strlen($attr2) ? ' ' . $attr2 : '';
@ -3016,7 +3036,7 @@ class H5PContentValidator {
* @return * @return
* Cleaned up version of the HTML attributes. * Cleaned up version of the HTML attributes.
*/ */
private function _filter_xss_attributes($attr) { private function _filter_xss_attributes($attr, $allowedStyles = FALSE) {
$attrarr = array(); $attrarr = array();
$mode = 0; $mode = 0;
$attrname = ''; $attrname = '';
@ -3056,6 +3076,17 @@ class H5PContentValidator {
case 2: case 2:
// Attribute value, a URL after href= for instance. // Attribute value, a URL after href= for instance.
if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match)) { if (preg_match('/^"([^"]*)"(\s+|$)/', $attr, $match)) {
if ($allowedStyles && $attrname === 'style') {
// Allow certain styles
foreach ($allowedStyles as $pattern) {
if (preg_match($pattern, $match[1])) {
$attrarr[] = 'style="' . $match[1] . '"';
break;
}
}
break;
}
$thisval = $this->filter_xss_bad_protocol($match[1]); $thisval = $this->filter_xss_bad_protocol($match[1]);
if (!$skip) { if (!$skip) {