diff --git a/plugins/phorum/Changelog b/plugins/phorum/Changelog new file mode 100644 index 00000000..b0e00725 --- /dev/null +++ b/plugins/phorum/Changelog @@ -0,0 +1,19 @@ +Changelog HTMLPurifier : Phorum Mod +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + += KEY ==================== + # Breaks back-compat + ! Feature + - Bugfix + + Sub-comment + . Internal change +========================== + +Version 3.0.0 for Phorum 5.2, released January 12, 2008 +# WYSIWYG and suppress_message options are now configurable via web + interface. +- Module now compatible with Phorum 5.2, primary bugs were in migration + code as well as signature and edit message handling. This module is NOT + compatible with Phorum 5.1. +- Buggy WYSIWYG mode refined +. AutoFormatParam added to list of default configuration namespaces diff --git a/plugins/phorum/install.txt b/plugins/phorum/README similarity index 50% rename from plugins/phorum/install.txt rename to plugins/phorum/README index bf0e285e..ac5515f0 100644 --- a/plugins/phorum/install.txt +++ b/plugins/phorum/README 
@@ -13,15 +13,31 @@ BBCode formatting, simply move migrate.bbcode.php to that place; for other markup languages, consult said file for instructions on how to adapt it to your needs. + -- NOTE ------------------------------------------------- + You can also run this module in parallel with another + formatting module; this module attempts to place itself + at the end of the filtering chain. However, if any + previous modules produce insecure HTML (for instance, + a JavaScript email obfuscator) they will get cleaned. + This module will not work if 'migrate.php' is not created, and an improperly made migration file may *CORRUPT* Phorum, so please take your time to do this correctly. It should go without saying to *BACKUP YOUR DATABASE* -before attempting anything here. +before attempting anything here. If no migration is necessary, you can +simply create a blank migrate.php file. HTML Purifier is smart and will +not re-migrate already processed messages. However, the original code +is irretrievably lost (we may change this in the future.) This module will not automatically migrate user signatures, because this process may take a long time. After installing the HTML Purifier module and then configuring 'migrate.php', navigate to Settings and click 'Migrate -Signatures' to migrate all user signatures. +Signatures' to migrate all user signatures to HTML. -Visit HTML Purifier at . May the force -be with you. +All of HTML Purifier's usual functions are configurable via the mod settings +page. If you require custom configuration, create config.php file in +the mod directory that edits a $config variable. Be sure, also, to +set $PHORUM['mod_htmlpurifier']['wysiwyg'] to TRUE if you are using a +WYSIWYG editor (you can do this through a common hook or the web +configuration form). + +Visit HTML Purifier at . diff --git a/plugins/phorum/htmlpurifier.php b/plugins/phorum/htmlpurifier.php index a79d45e1..512280bd 100644 --- a/plugins/phorum/htmlpurifier.php 
+++ b/plugins/phorum/htmlpurifier.php @@ -17,8 +17,7 @@ * administrators who need to edit other people's comments may be at * risk for some nasty attacks. * - * Tested with Phorum 5.1.22. This module will almost definitely need - * to be upgraded when Phorum 6 rolls around. + * Tested with Phorum 5.2.6. */ // Note: Cache data is base64 encoded because Phorum insists on flinging @@ -121,8 +120,8 @@ function phorum_htmlpurifier_format($data) } // ----------------------------------------------------------------------- -// This is fragile code, copied from read.php:596 (Phorum 5.2.6). It will break if -// that is changed +// This is fragile code, copied from read.php:596 (Phorum 5.2.6). Please +// keep this code in-sync with Phorum /** * Generates a signature based on a message array @@ -162,11 +161,11 @@ function phorum_htmlpurifier_generate_editmessage($row) { * @param $row Message passed by reference */ function phorum_htmlpurifier_remove_sig_and_editmessage(&$row) { - // attempt to remove the Phorum's pre-processing: - // we must not process the signature or editmessage $signature = phorum_htmlpurifier_generate_sig($row); $editmessage = phorum_htmlpurifier_generate_editmessage($row); $replacements = array(); + // we need to remove add as that is the form these + // extra bits are in. if ($signature) $replacements[str_replace("\n", "\n", $signature)] = ''; if ($editmessage) $replacements[str_replace("\n", "\n", $editmessage)] = ''; $row['body'] = strtr($row['body'], $replacements); @@ -176,7 +175,7 @@ function phorum_htmlpurifier_remove_sig_and_editmessage(&$row) { /** * Indicate that data is fully HTML and not from migration, invalidate * previous caches - * @note This function used to generate the actual cache entries, but + * @note This function could generate the actual cache entries, but * since there's data missing that must be deferred to the first read */ function phorum_htmlpurifier_posting($message) { 
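Review bot: `strtr($row['body'], $replacements)` removes every occurrence of the generated signature and edit-message text anywhere in the body, not only the trailing copy Phorum appended, so a post that quotes another message's signature (or repeats the edit notice verbatim) loses that text before purification too; if Phorum always appends these at the end, matching only the tail of the body would be safer. The new comment describes the mechanics but drops the reason the function exists; keep the removed sentence as a why-comment, e.g. `// Strip Phorum's appended signature/editmessage so they are not purified as part of the body`. As rendered here `str_replace("\n", "\n", $signature)` is an identity mapping, which makes the call a no-op; if a line-break tag was lost in extraction that is fine, otherwise it needs re-checking. The function's closing lines fall outside the hunk.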
@@ -222,24 +221,6 @@ function phorum_htmlpurifier_common() { exit; } - // see if our hooks need to be bubbled to the end - phorum_htmlpurifier_bubble_hook('format'); - -} - -function phorum_htmlpurifier_bubble_hook($hook) { - global $PHORUM; - $our_idx = null; - $last_idx = null; - if (!isset($PHORUM['hooks'][$hook]['mods'])) return; - foreach ($PHORUM['hooks'][$hook]['mods'] as $idx => $mod) { - if ($mod == 'htmlpurifier') $our_idx = $idx; - $last_idx = $idx; - } - list($mod) = array_splice($PHORUM['hooks'][$hook]['mods'], $our_idx, 1); - $PHORUM['hooks'][$hook]['mods'][] = $mod; - list($func) = array_splice($PHORUM['hooks'][$hook]['funcs'], $our_idx, 1); - $PHORUM['hooks'][$hook]['funcs'][] = $func; } /** @@ -253,9 +234,10 @@ function phorum_htmlpurifier_before_editor($message) { // de-entity-ize contents $body = str_replace(array('<','>','&'), array('<','>','&'), $body); $purifier =& HTMLPurifier::getInstance(); - $body = $purifier->purify($message['body']); + $body = $purifier->purify($body); // re-entity-ize contents $body = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']); + $message['body'] = $body; } } return $message; @@ -264,7 +246,22 @@ function phorum_htmlpurifier_before_editor($message) { function phorum_htmlpurifier_editor_after_subject() { // don't show this message if it's a WYSIWYG editor, since it will // then be handled automatically - if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) return; + if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) { + $i = $GLOBALS['PHORUM']['DATA']['MODE']; + if ($i == 'quote' || $i == 'edit' || $i == 'moderation') { + ?> +
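Review bot: The write-back `$message['body'] = $body;` and purifying `$body` instead of `$message['body']` are the fix that makes this hook do anything, but nothing in the hunk says why the editor path needs purification at all; the file header states that administrators editing other people's comments are at risk, so a comment such as `// In WYSIWYG mode the editor renders this HTML, so purify it before it reaches the editing user` would record that this is a security step, not a cosmetic one. The decode step restores only `<`, `>` and `&` while the re-encode uses `ENT_QUOTES`; that asymmetry appears to be tolerated because the purifier normalises entities in between, and a one-line comment saying so would stop a reader from "fixing" it. The function and the condition that selects this branch begin before the hunk, so whether it is limited to the same modes as the notice in editor_after_subject is not visible here.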
+

+ Notice: HTML has been scrubbed for your safety. + If you would like to see the original, turn off WYSIWYG mode + (consult your administrator for details.) +

+
+

HTML input is enabled. Make sure you escape all HTML and diff --git a/plugins/phorum/info.txt b/plugins/phorum/info.txt index ed2f4ae5..6dea41d5 100644 --- a/plugins/phorum/info.txt +++ b/plugins/phorum/info.txt @@ -1,8 +1,16 @@ +title: HTML Purifier Phorum Mod +desc: This module enables standards-compliant HTML filtering on Phorum. Please check migrate.bbcode.php before enabling this mod. +author: Edward Z. Yang +url: http://htmlpurifier.org/ +version: 3.0.0 + hook: format|phorum_htmlpurifier_format hook: quote|phorum_htmlpurifier_quote hook: posting_custom_action|phorum_htmlpurifier_posting hook: common|phorum_htmlpurifier_common hook: before_editor|phorum_htmlpurifier_before_editor hook: tpl_editor_after_subject|phorum_htmlpurifier_editor_after_subject -title: HTML Purifier Phorum Mod -desc: This module enables standards-compliant HTML filtering on Phorum. Please check migrate.bbcode.php before enabling this mod. \ No newline at end of file + +# This module is meant to be a drop-in for bbcode, so make it run last. +priority: run module after * +priority: run hook format after * diff --git a/plugins/phorum/migrate.bbcode.php b/plugins/phorum/migrate.bbcode.php index 80180876..0727fb47 100644 --- a/plugins/phorum/migrate.bbcode.php +++ b/plugins/phorum/migrate.bbcode.php @@ -11,7 +11,8 @@ * If you do NOT want to have any migration performed (for instance, you * are installing the module on a new forum with no posts), simply remove * phorum_htmlpurifier_migrate() function. You still need migrate.php - * present, otherwise the module won't work. + * present, otherwise the module won't work. This ensures that the user + * explicitly says, "No, I do not need to migrate." */ if(!defined("PHORUM")) exit; diff --git a/plugins/phorum/settings.php b/plugins/phorum/settings.php index 4754d8b0..0ce5e5f8 100644 --- a/plugins/phorum/settings.php +++ b/plugins/phorum/settings.php 
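Review bot: `$i` in editor_after_subject holds the editor mode string, so the name reads like a loop counter; `$mode = $GLOBALS['PHORUM']['DATA']['MODE'];` followed by `if (in_array($mode, array('quote', 'edit', 'moderation'), true)) {` says what is being tested. The notice tells the user HTML "has been scrubbed", which is only true if before_editor purifies in exactly these three modes; that condition is outside this hunk, so the two lists should be checked against each other, ideally by sharing one constant or helper. The enclosing function continues past the hunk.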
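Review bot: With the runtime bubble_hook removed, the module's safety now rests entirely on `priority: run hook format after *` placing it last in the format chain, and the comment above it ("drop-in for bbcode, so make it run last") presents this as a convenience rather than a requirement. A comment such as `# SECURITY: the purifier must run last; HTML emitted by any format module that runs after it is never filtered` would keep a later maintainer from reordering it. If another installed module also asks to run after `*`, which one wins is presumably decided by Phorum's resolver and is worth verifying on install.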
@@ -38,7 +38,7 @@ $PHORUM['mod_htmlpurifier']['directives'] = array( 'HTML.Allowed', 'AutoFormat', '-AutoFormat.Custom', - '-AutoFormat.PurifierLinkify', + 'AutoFormatParam', 'Output.TidyFormat', ); diff --git a/plugins/phorum/settings/form.php b/plugins/phorum/settings/form.php index b957b8d2..4382965f 100644 --- a/plugins/phorum/settings/form.php +++ b/plugins/phorum/settings/form.php @@ -17,9 +17,20 @@ function phorum_htmlpurifier_show_form() { if (!empty($error)){ echo "$error
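Review bot: This `directives` list is what `mergeArrayFromForm` in save.php accepts from the admin form, so adding the whole `AutoFormatParam` namespace and dropping the `-AutoFormat.PurifierLinkify` exclusion widens what is settable through the web, while `-AutoFormat.Custom` stays excluded with no comment saying why. A note such as `// AutoFormat.Custom is deliberately not web-settable: it names injector classes to load` would document the intent (confirm the directive's semantics against the HTML Purifier docs for this version). Listing a namespace rather than named directives also means anything later added under `AutoFormatParam` becomes form-settable automatically; naming the intended directives individually is the safer allowlist.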
"; } - + $frm->addbreak("Edit settings for the HTML Purifier module"); + $frm->addMessage('

The box below sets $PHORUM[\'mod_htmlpurifier\'][\'wysiwyg\']. + When checked, contents sent for edit are now purified and the + informative message is disabled. If your WYSIWYG editor is disabled for + admin edits, you can safely keep this unchecked.

'); + $frm->addRow('Use WYSIWYG?', $frm->checkbox('wysiwyg', '1', '', $PHORUM['mod_htmlpurifier']['wysiwyg'])); + + $frm->addMessage('

The box below sets $PHORUM[\'mod_htmlpurifier\'][\'suppress_message\'], + which removes the big how-to use + HTML Purifier message.

'); + $frm->addRow('Suppress information?', $frm->checkbox('suppress_message', '1', '', $PHORUM['mod_htmlpurifier']['suppress_message'])); + $frm->addMessage('

Click on directive links to read what each option does (links do not open in new windows).

For more flexibility (for instance, you want to edit the full @@ -63,6 +74,8 @@ function phorum_htmlpurifier_show_config_info() { A config.php file exists in your mods/htmlpurifier/ directory. This file contains your custom configuration: in order to change it, please navigate to that file and edit it accordingly. + You can also set $GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'] + or $GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message']
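Review bot: `$frm->checkbox('wysiwyg', '1', '', $PHORUM['mod_htmlpurifier']['wysiwyg'])` reads a key that may not exist until the form has been saved once or config.php has set it, so the first render on a fresh install raises an undefined-index notice, and the same applies to `suppress_message`; pass `!empty($PHORUM['mod_htmlpurifier']['wysiwyg'])` and `!empty($PHORUM['mod_htmlpurifier']['suppress_message'])` instead. The help text "contents sent for edit are now purified" reads like a changelog entry inside the UI; "are purified" is clearer. phorum_htmlpurifier_show_form begins before the hunk.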

To use the web interface, delete config.php (or rename it to diff --git a/plugins/phorum/settings/save.php b/plugins/phorum/settings/save.php index a08b8314..1d3fc3aa 100644 --- a/plugins/phorum/settings/save.php +++ b/plugins/phorum/settings/save.php @@ -9,11 +9,13 @@ function phorum_htmlpurifier_save_settings() { $config = phorum_htmlpurifier_get_config(); if (!isset($_POST['reset'])) $config->mergeArrayFromForm($_POST, 'config', $PHORUM['mod_htmlpurifier']['directives']); $PHORUM['mod_htmlpurifier']['config'] = $config->getAll(); - if(!phorum_htmlpurifier_commit_settings()){ - $error="Database error while updating settings."; - } else { - echo "Settings Updated
"; - } + } + $PHORUM['mod_htmlpurifier']['wysiwyg'] = !empty($_POST['wysiwyg']); + $PHORUM['mod_htmlpurifier']['suppress_message'] = !empty($_POST['suppress_message']); + if(!phorum_htmlpurifier_commit_settings()){ + $error="Database error while updating settings."; + } else { + echo "Settings Updated
"; } }
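Review bot: The two flags are assigned from `$_POST` and committed after the closing `}` of a block whose opening condition is outside the hunk; if that block is the "a form was submitted" guard, the commit now also runs on requests that carry no form data, and because `!empty` on a missing key is false it would persist `wysiwyg = false` and `suppress_message = false`, silently clearing both settings. If that is not intended, keep the flag assignments and `phorum_htmlpurifier_commit_settings()` inside the same guard as the config merge. Nothing here shows a CSRF check for this admin form, so it is presumably the settings framework's job; worth confirming since the form now changes security-relevant behaviour. phorum_htmlpurifier_save_settings begins before the hunk.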