1 <?php
2 
3 namespace Elgg\Input;
4 
11 
/**
 * htmLawed filtering of data
 *
 * Runs the event value — a string, or an arbitrarily nested array whose
 * string leaves are filtered in place — through \Htmlawed::filter() using
 * Elgg's default htmLawed configuration. Any other type, and empty values,
 * are returned untouched.
 *
 * @param \Elgg\Event $event event whose value is the data to filter
 *
 * @return mixed the filtered value, same shape as the input
 */
public function __invoke(\Elgg\Event $event) {
	$input = $event->getValue();

	// only non-empty strings and arrays are worth filtering; note that empty()
	// also treats the string '0' as empty, so it is passed through unfiltered
	if (!(is_string($input) || is_array($input)) || empty($input)) {
		return $input;
	}

	$config = [
		// htmLawed "safe" preset; seems to handle about everything we need
		'safe' => true,

		// remove comments/CDATA instead of converting to text
		'comment' => 1,
		'cdata' => 1,

		// do not check for unique ids as the full input stack could be checked multiple times
		// @see https://github.com/Elgg/Elgg/issues/12934
		'unique_ids' => 0,

		// all elements except the listed ones (active content, forms, framing)
		'elements' => '*-applet-button-form-input-textarea-iframe-script-style-embed-object',
		// drop class, every on* event-handler attribute and formaction
		'deny_attribute' => 'class, on*, formaction',
		'hook_tag' => '_elgg_htmlawed_tag_post_processor',

		// URL schemes accepted in any attribute; javascript: and data: are deliberately absent
		'schemes' => '*:http,https,ftp,news,mailto,rtsp,teamspeak,gopher,mms,callto',
	];

	// add nofollow to all links on output
	if (!elgg_in_context('input')) {
		$config['anti_link_spam'] = ['/./', ''];
	}

	// event handlers may adjust both the config and the (initially empty) spec
	$config = elgg_trigger_event_results('config', 'htmlawed', [], $config);
	$spec = elgg_trigger_event_results('spec', 'htmlawed', [], '');

	// the guard above leaves only strings and arrays; a plain string is a single filter call
	if (is_string($input)) {
		return \Htmlawed::filter($input, $config, $spec);
	}

	// arrays: filter every non-empty string leaf in place, leave every other leaf alone
	$filter_leaf = static function (&$leaf, $key) use ($config, $spec): void {
		if (is_string($leaf) && !empty($leaf)) {
			$leaf = \Htmlawed::filter($leaf, $config, $spec);
		}
	};
	array_walk_recursive($input, $filter_leaf);

	return $input;
}
77 
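/**
 * Sanitizes style attribute.
 *
 * Rebuilds the 'style' entry of the attributes array from an allow-list of
 * CSS property names; declarations whose property is not on the list are
 * dropped, and the attribute is removed entirely when nothing survives.
 * Property values are not validated here beyond trimming.
 *
 * @param \Elgg\Event $event event whose value is the attributes array and
 *                           whose 'tag' param is handed to the 'allowed_styles' event
 *
 * @return array|void the attributes with a sanitized (or removed) 'style'; nothing when there is no style
 */
public static function sanitizeStyles(\Elgg\Event $event) {
	$attributes = $event->getValue();
	$style = elgg_extract('style', $attributes);
	if (empty($style)) {
		return;
	}

	$allowed_styles = [
		'color', 'cursor', 'text-align', 'vertical-align', 'font-size',
		'font-weight', 'font-style', 'border', 'border-top', 'background-color',
		'border-bottom', 'border-left', 'border-right',
		'margin', 'margin-top', 'margin-bottom', 'margin-left',
		'margin-right', 'padding', 'float', 'text-decoration',
	];

	// plugins may extend/restrict the allow-list per tag
	$allowed_styles = elgg_trigger_event_results('allowed_styles', 'htmlawed', ['tag' => $event->getParam('tag')], $allowed_styles);

	$style_str = '';
	foreach (explode(';', $style) as $declaration) {
		if (trim($declaration) === '' || !str_contains($declaration, ':')) {
			continue;
		}

		// no explode() limit on purpose: a value holding a second ':' (e.g. url(http://...))
		// is cut at that colon, so such values never reach the output intact —
		// tighten rather than relax this if it is ever revisited
		[$style_attr, $style_value] = explode(':', trim($declaration));
		$style_attr = trim($style_attr);
		$style_value = trim($style_value);

		// strict comparison: property names are plain strings, no loose numeric matching wanted
		if (in_array($style_attr, $allowed_styles, true)) {
			$style_str .= "{$style_attr}: {$style_value}; ";
		}
	}

	if (empty($style_str)) {
		unset($attributes['style']);
	} else {
		$attributes['style'] = trim($style_str);
	}

	return $attributes;
}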
129 }