github-migration
/
what-did-they-say
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

some security improvements

This commit is contained in:
John Bintz 2009-10-05 21:35:49 -04:00
parent c458bdddf1
commit d5927f7186
3 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
classes/WhatDidTheySayAdmin.inc
View File

@ -27,7 +27,8 @@ class WhatDidTheySayAdmin {
'home' => true, 'home' => true,
'single' => false 'single' => false
), ),
'transcript_effects' => false 'transcript_effects' => false,
'allow_html' => false
); );
var $capabilities = array(); var $capabilities = array();
@ -514,12 +515,32 @@ class WhatDidTheySayAdmin {
if (isset($info['module'])) { if (isset($info['module'])) {
$method_name = "handle_update_" . str_replace("-", "_", $info['module']); $method_name = "handle_update_" . str_replace("-", "_", $info['module']);
if (method_exists($this, $method_name)) { if (method_exists($this, $method_name)) {
$info = $this->_clean_child($info);
$result = $this->{$method_name}($info); $result = $this->{$method_name}($info);
if (!empty($result)) { $this->notices[] = $result; } if (!empty($result)) { $this->notices[] = $result; }
} }
} }
} }
function _clean_child($node) {
if (is_array($node)) {
$new_nodes = array();
foreach ($node as $key => $n) {
$new_nodes[$key] = $this->_clean_child($n);
}
return $new_nodes;
} else {
$options = get_option('what-did-they-say-options');
$node = (string)$node;
foreach (array('script', 'style', 'link') as $tag) { $node = preg_replace("#<${tag}.*/${tag}>#", '', $node); }
if (!$options['allow_html']) { $node = strip_tags($node); }
return $node;
}
}
/** /**
* Handle updates to queued transcripts. * Handle updates to queued transcripts.
* @param array $info The part of the $_POST array for What Did They Say?!? * @param array $info The part of the $_POST array for What Did They Say?!?

8
classes/partials/_default-styles.inc
View File

@ -36,6 +36,14 @@
<?php _e('Turn transcript line breaks into HTML new lines (nl2br())', 'what-did-they-say') ?> <?php _e('Turn transcript line breaks into HTML new lines (nl2br())', 'what-did-they-say') ?>
</label> </label>
<label>
<input type="checkbox"
name="wdts[allow_html]"
value="yes"
<?php echo ($options['allow_html'] ? 'checked="checked"' : '') ?> />
<?php _e('Allow HTML in transcripts. If disabled, only short codes are allowed. Script and style tags are always filtered out.', 'what-did-they-say') ?>
</label>
<p>By default, transcripts should be hidden on these types of pages:</p> <p>By default, transcripts should be hidden on these types of pages:</p>
<div style="margin: 0 2em"> <div style="margin: 0 2em">

2
js/toggle-transcript.js
View File

@ -80,6 +80,7 @@ $$('.wdts-transcript-container').each(function(d) {
if (opener && closer) { if (opener && closer) {
opener.observe('click', function(e) { opener.observe('click', function(e) {
Event.stop(e);
opener.hide(); closer.show(); opener.hide(); closer.show();
if (WhatDidTheySay.use_transcript_effects) { if (WhatDidTheySay.use_transcript_effects) {
new Effect.BlindDown(bundle, { duration: 0.25 }); new Effect.BlindDown(bundle, { duration: 0.25 });
@ -89,6 +90,7 @@ $$('.wdts-transcript-container').each(function(d) {
}); });
closer.observe('click', function(e) { closer.observe('click', function(e) {
Event.stop(e);
closer.hide(); opener.show(); closer.hide(); opener.show();
if (WhatDidTheySay.use_transcript_effects) { if (WhatDidTheySay.use_transcript_effects) {
new Effect.BlindUp(bundle, { duration: 0.25 }); new Effect.BlindUp(bundle, { duration: 0.25 });