From d5927f718617e1e7099971d35c4b64ef84f198df Mon Sep 17 00:00:00 2001
From: John Bintz
Date: Mon, 5 Oct 2009 21:35:49 -0400
Subject: [PATCH] some security improvements

---
 classes/WhatDidTheySayAdmin.inc      | 23 ++++++++++++++++++++++-
 classes/partials/_default-styles.inc |  8 ++++++++
 js/toggle-transcript.js              |  2 ++
 3 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/classes/WhatDidTheySayAdmin.inc b/classes/WhatDidTheySayAdmin.inc
index 83fcfab..5ffe141 100644
--- a/classes/WhatDidTheySayAdmin.inc
+++ b/classes/WhatDidTheySayAdmin.inc
@@ -27,7 +27,8 @@ class WhatDidTheySayAdmin {
       'home' => true,
       'single' => false
     ),
-    'transcript_effects' => false
+    'transcript_effects' => false,
+    'allow_html' => false
   );
   var $capabilities = array();
@@ -514,12 +515,32 @@ class WhatDidTheySayAdmin {
     if (isset($info['module'])) {
       $method_name = "handle_update_" . str_replace("-", "_", $info['module']);
       if (method_exists($this, $method_name)) {
+        $info = $this->_clean_child($info);
+
         $result = $this->{$method_name}($info);
         if (!empty($result)) { $this->notices[] = $result; }
       }
     }
   }
+  function _clean_child($node) {
+    if (is_array($node)) {
+      $new_nodes = array();
+      foreach ($node as $key => $n) {
+        $new_nodes[$key] = $this->_clean_child($n);
+      }
+      return $new_nodes;
+    } else {
+      $options = get_option('what-did-they-say-options');
+      $node = (string)$node;
+      foreach (array('script', 'style', 'link') as $tag) { $node = preg_replace("#<${tag}.*/${tag}>#", '', $node); }
+      if (!$options['allow_html']) { $node = strip_tags($node); }
+      return $node;
+    }
+  }
+
   /**
    * Handle updates to queued transcripts.
    * @param array $info The part of the $_POST array for What Did They Say?!?
diff --git a/classes/partials/_default-styles.inc b/classes/partials/_default-styles.inc
index b43046e..5cc777e 100644
--- a/classes/partials/_default-styles.inc
+++ b/classes/partials/_default-styles.inc
@@ -36,6 +36,14 @@
+
+
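Review bot: The tag blacklist added in `_clean_child` is both bypassable and lossy: the pattern `#<${tag}.*/${tag}>#` is case-sensitive (`<SCRIPT>` survives), has no `s` modifier (a block that spans lines survives), and its greedy `.*` deletes everything between the first `<script` and the last `/script>` in the value, while once `allow_html` is enabled `<img onerror=…>`, `<iframe>` and `javascript:` hrefs pass through untouched. Since the class reads its settings with `get_option`, WordPress's allowlist filter appears to be in reach, so replacing the `foreach`/`strip_tags` pair with `$node = $options['allow_html'] ? wp_kses($node, $allowed_tags) : wp_kses($node, array());`, where `$allowed_tags` is an explicit element/attribute allowlist, would avoid pattern-matching against attacker-controlled input altogether (confirm kses is loaded at this call site). Sanitising on input does not replace escaping on output: values taken from `$info` still need `esc_html()`/`esc_attr()` wherever they are rendered. Minor: `get_option('what-did-they-say-options')` is re-read for every leaf of the recursion; read it once before recursing. The method that calls `_clean_child` starts before this hunk.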

By default, transcripts should be hidden on these types of pages:

diff --git a/js/toggle-transcript.js b/js/toggle-transcript.js
index 8239614..fde0526 100644
--- a/js/toggle-transcript.js
+++ b/js/toggle-transcript.js
@@ -80,6 +80,7 @@ $$('.wdts-transcript-container').each(function(d) {
   if (opener && closer) {
     opener.observe('click', function(e) {
+      Event.stop(e);
       opener.hide();
       closer.show();
       if (WhatDidTheySay.use_transcript_effects) {
         new Effect.BlindDown(bundle, { duration: 0.25 });
@@ -89,6 +90,7 @@ $$('.wdts-transcript-container').each(function(d) {
     });
     closer.observe('click', function(e) {
+      Event.stop(e);
       closer.hide();
       opener.show();
       if (WhatDidTheySay.use_transcript_effects) {
         new Effect.BlindUp(bundle, { duration: 0.25 });
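Review bot: `Event.stop(e)` in both click handlers cancels propagation as well as the default action, so any listener on an ancestor that relies on the bubbled click (delegated handlers, analytics hooks) will stop seeing these clicks. If the intent is only to keep the opener/closer links from navigating on their `href`, `e.preventDefault();` is the narrower call, which Prototype also supplies on extended events; keep `Event.stop` only if suppressing the bubble is deliberate, and say so in a one-line comment. The `each` callback and the `if (opener && closer)` block start before and end after these hunks.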