diff options
| author | Rick Ellis <rick.ellis@ellislab.com> | 2008-09-11 01:40:35 +0200 |
|---|---|---|
| committer | Rick Ellis <rick.ellis@ellislab.com> | 2008-09-11 01:40:35 +0200 |
| commit | 18bd8b57d9236f48e6d8ac97bd5cf6217e8739bc (patch) | |
| tree | 1d13524b9146b65b293570a9ebcb3dfb7547f3d3 /system | |
| parent | 4c938ae25016ef7ebfb8681bdccb61d9e5abcccb (diff) | |
Added support for removing javascript event handlers from tags, for security reasons
Diffstat (limited to 'system')
| -rw-r--r-- | system/libraries/Typography.php | 35 |
1 files changed, 31 insertions, 4 deletions
diff --git a/system/libraries/Typography.php b/system/libraries/Typography.php index 83f8973d0..dabf7a625 100644 --- a/system/libraries/Typography.php +++ b/system/libraries/Typography.php @@ -35,6 +35,8 @@ class CI_Typography { // Tags we want the parser to completely ignore when splitting the string. var $ignore_elements = 'a|b|i|em|strong|span|img|li'; + // Whether to allow Javascript event handlers to be sumitted inside tags + var $allow_js_event_handlers = FALSE; /** * Main Processing Function @@ -66,6 +68,17 @@ class CI_Typography { $str = preg_replace("/\n\n+/", "\n\n", $str); /* + * Do we allow JavaScript event handlers? + * + * If not, we strip them from within all tags + */ + if ($this->allow_js_event_handlers == FALSE) + { + $event_handlers = array('[^a-z_\-]on\w*','xmlns'); + $str = preg_replace("#<([^><]+?)(".implode('|', $event_handlers).")(\s*=\s*[^><]*)([><]*)#i", "<\\1\\4", $str); + } + + /* * Convert quotes within tags to temporary marker * * We don't want quotes converted within @@ -82,9 +95,8 @@ class CI_Typography { $str); } } - - /* + /* * Add closing/opening paragraph tags before/after "block" elements * * Since block elements (like <blockquotes>, <pre>, etc.) do not get @@ -187,7 +199,7 @@ class CI_Typography { // If the user submitted their own paragraph tags with class data // in them we will retain them instead of using our tags. - $str = preg_replace('#(<p.*?>)<p>#', "\\1", $str); + $str = preg_replace('#(<p.*?>)<p>#', "\\1", $str); // <?php BBEdit syntax coloring fix // Final clean up $str = str_replace( @@ -474,7 +486,22 @@ class CI_Typography { $str = preg_replace("/([^\n])(\n)([^\n])/", "\\1<br />\\2\\3", $str); return '<p>'.$str.'</p>'; - } + } + + // -------------------------------------------------------------------- + + /** + * Allow JavaScript Event Handlers? + * + * For security reasons, by default we disallow JS event handlers + * + */ + function allow_js_event_handlers($val = FALSE) + { + $this->allow_js_event_handlers = ($val === FALSE) ? FALSE : TRUE; + } + + } // END Typography Class |