some security improvements
This commit is contained in:
parent
c458bdddf1
commit
d5927f7186
@ -27,7 +27,8 @@ class WhatDidTheySayAdmin {
|
||||
'home' => true,
|
||||
'single' => false
|
||||
),
|
||||
'transcript_effects' => false
|
||||
'transcript_effects' => false,
|
||||
'allow_html' => false
|
||||
);
|
||||
|
||||
var $capabilities = array();
|
||||
@ -514,12 +515,32 @@ class WhatDidTheySayAdmin {
|
||||
if (isset($info['module'])) {
|
||||
$method_name = "handle_update_" . str_replace("-", "_", $info['module']);
|
||||
if (method_exists($this, $method_name)) {
|
||||
$info = $this->_clean_child($info);
|
||||
|
||||
$result = $this->{$method_name}($info);
|
||||
if (!empty($result)) { $this->notices[] = $result; }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function _clean_child($node) {
|
||||
if (is_array($node)) {
|
||||
$new_nodes = array();
|
||||
foreach ($node as $key => $n) {
|
||||
$new_nodes[$key] = $this->_clean_child($n);
|
||||
}
|
||||
return $new_nodes;
|
||||
} else {
|
||||
$options = get_option('what-did-they-say-options');
|
||||
|
||||
$node = (string)$node;
|
||||
foreach (array('script', 'style', 'link') as $tag) { $node = preg_replace("#<${tag}.*/${tag}>#", '', $node); }
|
||||
if (!$options['allow_html']) { $node = strip_tags($node); }
|
||||
|
||||
return $node;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle updates to queued transcripts.
|
||||
* @param array $info The part of the $_POST array for What Did They Say?!?
|
||||
|
@ -36,6 +36,14 @@
|
||||
<?php _e('Turn transcript line breaks into HTML new lines (nl2br())', 'what-did-they-say') ?>
|
||||
</label>
|
||||
|
||||
<label>
|
||||
<input type="checkbox"
|
||||
name="wdts[allow_html]"
|
||||
value="yes"
|
||||
<?php echo ($options['allow_html'] ? 'checked="checked"' : '') ?> />
|
||||
<?php _e('Allow HTML in transcripts. If disabled, only short codes are allowed. Script and style tags are always filtered out.', 'what-did-they-say') ?>
|
||||
</label>
|
||||
|
||||
<p>By default, transcripts should be hidden on these types of pages:</p>
|
||||
|
||||
<div style="margin: 0 2em">
|
||||
|
@ -80,6 +80,7 @@ $$('.wdts-transcript-container').each(function(d) {
|
||||
|
||||
if (opener && closer) {
|
||||
opener.observe('click', function(e) {
|
||||
Event.stop(e);
|
||||
opener.hide(); closer.show();
|
||||
if (WhatDidTheySay.use_transcript_effects) {
|
||||
new Effect.BlindDown(bundle, { duration: 0.25 });
|
||||
@ -89,6 +90,7 @@ $$('.wdts-transcript-container').each(function(d) {
|
||||
});
|
||||
|
||||
closer.observe('click', function(e) {
|
||||
Event.stop(e);
|
||||
closer.hide(); opener.show();
|
||||
if (WhatDidTheySay.use_transcript_effects) {
|
||||
new Effect.BlindUp(bundle, { duration: 0.25 });
|
||||
|
Loading…
Reference in New Issue
Block a user