some security improvements
This commit is contained in:
parent
c458bdddf1
commit
d5927f7186
@ -27,7 +27,8 @@ class WhatDidTheySayAdmin {
|
|||||||
'home' => true,
|
'home' => true,
|
||||||
'single' => false
|
'single' => false
|
||||||
),
|
),
|
||||||
'transcript_effects' => false
|
'transcript_effects' => false,
|
||||||
|
'allow_html' => false
|
||||||
);
|
);
|
||||||
|
|
||||||
var $capabilities = array();
|
var $capabilities = array();
|
||||||
@ -514,12 +515,32 @@ class WhatDidTheySayAdmin {
|
|||||||
if (isset($info['module'])) {
|
if (isset($info['module'])) {
|
||||||
$method_name = "handle_update_" . str_replace("-", "_", $info['module']);
|
$method_name = "handle_update_" . str_replace("-", "_", $info['module']);
|
||||||
if (method_exists($this, $method_name)) {
|
if (method_exists($this, $method_name)) {
|
||||||
|
$info = $this->_clean_child($info);
|
||||||
|
|
||||||
$result = $this->{$method_name}($info);
|
$result = $this->{$method_name}($info);
|
||||||
if (!empty($result)) { $this->notices[] = $result; }
|
if (!empty($result)) { $this->notices[] = $result; }
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function _clean_child($node) {
|
||||||
|
if (is_array($node)) {
|
||||||
|
$new_nodes = array();
|
||||||
|
foreach ($node as $key => $n) {
|
||||||
|
$new_nodes[$key] = $this->_clean_child($n);
|
||||||
|
}
|
||||||
|
return $new_nodes;
|
||||||
|
} else {
|
||||||
|
$options = get_option('what-did-they-say-options');
|
||||||
|
|
||||||
|
$node = (string)$node;
|
||||||
|
foreach (array('script', 'style', 'link') as $tag) { $node = preg_replace("#<${tag}.*/${tag}>#", '', $node); }
|
||||||
|
if (!$options['allow_html']) { $node = strip_tags($node); }
|
||||||
|
|
||||||
|
return $node;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Handle updates to queued transcripts.
|
* Handle updates to queued transcripts.
|
||||||
* @param array $info The part of the $_POST array for What Did They Say?!?
|
* @param array $info The part of the $_POST array for What Did They Say?!?
|
||||||
|
@ -36,6 +36,14 @@
|
|||||||
<?php _e('Turn transcript line breaks into HTML new lines (nl2br())', 'what-did-they-say') ?>
|
<?php _e('Turn transcript line breaks into HTML new lines (nl2br())', 'what-did-they-say') ?>
|
||||||
</label>
|
</label>
|
||||||
|
|
||||||
|
<label>
|
||||||
|
<input type="checkbox"
|
||||||
|
name="wdts[allow_html]"
|
||||||
|
value="yes"
|
||||||
|
<?php echo ($options['allow_html'] ? 'checked="checked"' : '') ?> />
|
||||||
|
<?php _e('Allow HTML in transcripts. If disabled, only short codes are allowed. Script and style tags are always filtered out.', 'what-did-they-say') ?>
|
||||||
|
</label>
|
||||||
|
|
||||||
<p>By default, transcripts should be hidden on these types of pages:</p>
|
<p>By default, transcripts should be hidden on these types of pages:</p>
|
||||||
|
|
||||||
<div style="margin: 0 2em">
|
<div style="margin: 0 2em">
|
||||||
|
@ -80,6 +80,7 @@ $$('.wdts-transcript-container').each(function(d) {
|
|||||||
|
|
||||||
if (opener && closer) {
|
if (opener && closer) {
|
||||||
opener.observe('click', function(e) {
|
opener.observe('click', function(e) {
|
||||||
|
Event.stop(e);
|
||||||
opener.hide(); closer.show();
|
opener.hide(); closer.show();
|
||||||
if (WhatDidTheySay.use_transcript_effects) {
|
if (WhatDidTheySay.use_transcript_effects) {
|
||||||
new Effect.BlindDown(bundle, { duration: 0.25 });
|
new Effect.BlindDown(bundle, { duration: 0.25 });
|
||||||
@ -89,6 +90,7 @@ $$('.wdts-transcript-container').each(function(d) {
|
|||||||
});
|
});
|
||||||
|
|
||||||
closer.observe('click', function(e) {
|
closer.observe('click', function(e) {
|
||||||
|
Event.stop(e);
|
||||||
closer.hide(); opener.show();
|
closer.hide(); opener.show();
|
||||||
if (WhatDidTheySay.use_transcript_effects) {
|
if (WhatDidTheySay.use_transcript_effects) {
|
||||||
new Effect.BlindUp(bundle, { duration: 0.25 });
|
new Effect.BlindUp(bundle, { duration: 0.25 });
|
||||||
|
Loading…
Reference in New Issue
Block a user