some security improvements

2009-10-05 21:35:49 -04:00 · 2009-10-05 21:35:49 -04:00 · d5927f7186
parent c458bdddf1
commit d5927f7186
3 changed files with 32 additions and 1 deletions
--- a/classes/WhatDidTheySayAdmin.inc
+++ b/classes/WhatDidTheySayAdmin.inc
@ -27,7 +27,8 @@ class WhatDidTheySayAdmin {
      'home' => true,
      'single' => false
    ),
-    'transcript_effects' => false
+    'transcript_effects' => false,
+    'allow_html' => false
  );
  
  var $capabilities = array();
@ -514,12 +515,32 @@ class WhatDidTheySayAdmin {
    if (isset($info['module'])) {
      $method_name = "handle_update_" . str_replace("-", "_", $info['module']);
      if (method_exists($this, $method_name)) {
+        $info = $this->_clean_child($info);
+      
        $result = $this->{$method_name}($info);
        if (!empty($result)) { $this->notices[] = $result; }
      }
    }
  }

+  function _clean_child($node) {
+    if (is_array($node)) {
+      $new_nodes = array();
+      foreach ($node as $key => $n) {
+        $new_nodes[$key] = $this->_clean_child($n);
+      }
+      return $new_nodes;
+    } else {
+      $options = get_option('what-did-they-say-options');
+
+      $node = (string)$node;
+      foreach (array('script', 'style', 'link') as $tag) { $node = preg_replace("#<${tag}.*/${tag}>#", '', $node); }
+      if (!$options['allow_html']) { $node = strip_tags($node); }
+      
+      return $node;
+    }
+  }
+
  /**
   * Handle updates to queued transcripts.
   * @param array $info The part of the $_POST array for What Did They Say?!?
--- a/classes/partials/_default-styles.inc
+++ b/classes/partials/_default-styles.inc
@ -36,6 +36,14 @@
        <?php _e('Turn transcript line breaks into HTML new lines (nl2br())', 'what-did-they-say') ?>
      </label>

+      <label>
+        <input type="checkbox"
+               name="wdts[allow_html]"
+               value="yes"
+               <?php echo ($options['allow_html'] ? 'checked="checked"' : '') ?> />
+        <?php _e('Allow HTML in transcripts. If disabled, only short codes are allowed. Script and style tags are always filtered out.', 'what-did-they-say') ?>
+      </label>
+
      <p>By default, transcripts should be hidden on these types of pages:</p>

      <div style="margin: 0 2em">
--- a/js/toggle-transcript.js
+++ b/js/toggle-transcript.js
@ -80,6 +80,7 @@ $$('.wdts-transcript-container').each(function(d) {

    if (opener && closer) {
      opener.observe('click', function(e) {
+        Event.stop(e);
        opener.hide(); closer.show();
        if (WhatDidTheySay.use_transcript_effects) {
          new Effect.BlindDown(bundle, { duration: 0.25 });
@ -89,6 +90,7 @@ $$('.wdts-transcript-container').each(function(d) {
      });

      closer.observe('click', function(e) {
+        Event.stop(e);
        closer.hide(); opener.show();
        if (WhatDidTheySay.use_transcript_effects) {
          new Effect.BlindUp(bundle, { duration: 0.25 });