From 18bd8b57d9236f48e6d8ac97bd5cf6217e8739bc Mon Sep 17 00:00:00 2001 From: Rick Ellis Date: Wed, 10 Sep 2008 23:40:35 +0000 Subject: Added support for removing javascript event handlers from tags, for security reasons --- system/libraries/Typography.php | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) (limited to 'system/libraries') diff --git a/system/libraries/Typography.php b/system/libraries/Typography.php index 83f8973d0..dabf7a625 100644 --- a/system/libraries/Typography.php +++ b/system/libraries/Typography.php @@ -35,6 +35,8 @@ class CI_Typography { // Tags we want the parser to completely ignore when splitting the string. var $ignore_elements = 'a|b|i|em|strong|span|img|li'; + // Whether to allow Javascript event handlers to be sumitted inside tags + var $allow_js_event_handlers = FALSE; /** * Main Processing Function @@ -65,6 +67,17 @@ class CI_Typography { */ $str = preg_replace("/\n\n+/", "\n\n", $str); + /* + * Do we allow JavaScript event handlers? + * + * If not, we strip them from within all tags + */ + if ($this->allow_js_event_handlers == FALSE) + { + $event_handlers = array('[^a-z_\-]on\w*','xmlns'); + $str = preg_replace("#<([^><]+?)(".implode('|', $event_handlers).")(\s*=\s*[^><]*)([><]*)#i", "<\\1\\4", $str); + } + /* * Convert quotes within tags to temporary marker * @@ -82,9 +95,8 @@ class CI_Typography { $str); } } - - /* + /* * Add closing/opening paragraph tags before/after "block" elements * * Since block elements (like ,
, etc.) do not get
@@ -187,7 +199,7 @@ class CI_Typography {
 
 		// If the user submitted their own paragraph tags with class data
 		// in them we will retain them instead of using our tags.
-		$str = preg_replace('#()

#', "\\1", $str); + $str = preg_replace('#()

#', "\\1", $str); // \\2\\3", $str); return '

'.$str.'

'; - } + } + + // -------------------------------------------------------------------- + + /** + * Allow JavaScript Event Handlers? + * + * For security reasons, by default we disallow JS event handlers + * + */ + function allow_js_event_handlers($val = FALSE) + { + $this->allow_js_event_handlers = ($val === FALSE) ? FALSE : TRUE; + } + + } // END Typography Class -- cgit v1.2.3-24-g4f1b