1 <?php
2 
3 namespace Elgg\Input;
4 
public function __invoke(\Elgg\Event $event) {
	$var = $event->getValue();

	// only non-empty strings and arrays are filtered; any other value passes through untouched
	if (!(is_string($var) || is_array($var)) || empty($var)) {
		return $var;
	}

	$config = [
		// seems to handle about everything we need.
		'safe' => true,

		// strip comments/CDATA sections rather than turning them into text
		'comment' => 1,
		'cdata' => 1,

		// unique ids are not enforced: the full input stack may be filtered more than once
		// @see https://github.com/Elgg/Elgg/issues/12934
		'unique_ids' => 0,

		// element allow list ('*' minus the listed tags), attribute deny list and tag post-processor
		'elements' => '*-applet-button-form-input-textarea-iframe-script-style-embed-object',
		'deny_attribute' => 'class, on*, formaction',
		'hook_tag' => '_elgg_htmlawed_tag_post_processor',

		// URL schemes accepted in attributes
		'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto',
	];

	// outside the 'input' context, add nofollow to all links on output
	if (!elgg_in_context('input')) {
		$config['anti_link_spam'] = ['/./', ''];
	}

	// plugins get a chance to adjust the htmLawed config and spec before filtering
	$config = elgg_trigger_event_results('config', 'htmlawed', [], $config);
	$spec = elgg_trigger_event_results('spec', 'htmlawed', [], '');

	if (is_string($var)) {
		return $this->htmlawed($var, $config, $spec);
	}

	// arrays are filtered in place, leaf by leaf; non-string and empty leaves are left as they are
	$filter_leaf = function (&$leaf, $key) use ($config, $spec): void {
		if (!is_string($leaf) || empty($leaf)) {
			return;
		}

		$leaf = $this->htmlawed($leaf, $config, $spec);
	};

	array_walk_recursive($var, $filter_leaf);

	return $var;
}
77 
protected function htmlawed(string $value, ?array $config = null, $spec = null): string {
	// fallback htmLawed config, used only when the caller passes none
	$config ??= [
		'anti_link_spam' => ['`.`', ''],
		'balance' => 1,
		'cdata' => 3,
		'safe' => 1,
		'comment' => 1,
		'css_expression' => 0,
		'deny_attribute' => 'on*,style',
		'direct_list_nest' => 1,
		'elements' => '*-applet-button-form-input-textarea-iframe-script-style-embed-object',
		'keep_bad' => 0,
		'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https', // clsid allowed in class
		'unique_ids' => 0,
		'valid_xhtml' => 0,
	];

	// a spec carried inside the config wins over a falsy $spec argument ('' or null)
	if (!$spec && isset($config['spec'])) {
		$spec = $config['spec'];
	}

	// only a null spec (not an empty string) falls back to the built-in object/embed restrictions
	$spec ??= [
		'object=-classid-type, -codebase',
		'embed=type(oneof=application/x-shockwave-flash)',
	];

	return htmLawed($value, $config, $spec);
}
121 
public static function sanitizeStyles(\Elgg\Event $event) {
	$attributes = $event->getValue();
	$style = elgg_extract('style', $attributes);
	if (empty($style)) {
		return;
	}

	// allow list of CSS property names; the property values themselves are not inspected here
	$allowed_styles = [
		'color', 'cursor', 'text-align', 'vertical-align', 'font-size',
		'font-weight', 'font-style', 'border', 'border-top', 'background-color',
		'border-bottom', 'border-left', 'border-right',
		'margin', 'margin-top', 'margin-bottom', 'margin-left',
		'margin-right', 'padding', 'float', 'text-decoration',
	];

	// plugins may widen or narrow the allow list per tag
	$allowed_styles = elgg_trigger_event_results('allowed_styles', 'htmlawed', ['tag' => $event->getParam('tag')], $allowed_styles);

	$kept = [];
	foreach (explode(';', $style) as $declaration) {
		// a declaration without ':' (blank ones included) has nothing to keep
		if (!str_contains($declaration, ':')) {
			continue;
		}

		// NOTE: split on every ':'; only the part before the second ':' survives as the value
		[$property, $property_value] = explode(':', trim($declaration));
		$property = trim($property);
		$property_value = trim($property_value);

		if (in_array($property, $allowed_styles, true)) {
			$kept[] = "{$property}: {$property_value};";
		}
	}

	// drop the attribute entirely when nothing survived the allow list
	if ($kept === []) {
		unset($attributes['style']);
	} else {
		$attributes['style'] = implode(' ', $kept);
	}

	return $attributes;
}
173 }