

Changeset 4866


Timestamp:
04/26/2013 11:00:38 AM (12 years ago)
Author:
johnjamesjacoby
Message:

Audit procedure for posting pre-formatted code in topics and replies:

  • Invert code-trick & code-trick-reverse filters to happen pre-save and on output.
  • Use esc_html() filter rather than esc_textarea() for textarea output when editing content, to prevent double escaping after above code-trick-reversal.
  • Introduce bbp_rel_nofollow() and callback, to handle this on output rather than input, to prevent mucking up preformatted code, and replace wp_rel_nofollow() usages with this.
  • Disable visual-editor by default. It's causing code formatting issues when switching between editor types (enable at your own risk in a plugin for now).
  • Fixes #1967 (trunk)
Location:
trunk/includes
Files:
5 edited

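--- a/trunk/includes/common/formatting.php
+++ b/trunk/includes/common/formatting.php
@@ -121,12 +121,12 @@
     // Setup variables
     $openers = array( '<p>', '<br />' );
-    $content    = preg_replace_callback( "!(<pre><code>|<code>)(.*?)(</code></pre>|</code>)!s", 'bbp_decode_callback', $content );
+    $content = preg_replace_callback( "!(<pre><code>|<code>)(.*?)(</code></pre>|</code>)!s", 'bbp_decode_callback', $content );
 
     // Do the do
-    $content    = str_replace( $openers,       '',       $content );
-    $content    = str_replace( '</p>',         "\n",     $content );
-    $content    = str_replace( '<coded_br />', '<br />', $content );
-    $content    = str_replace( '<coded_p>',    '<p>',    $content );
-    $content    = str_replace( '</coded_p>',   '</p>',   $content );
+    $content = str_replace( $openers,       '',       $content );
+    $content = str_replace( '</p>',         "\n",     $content );
+    $content = str_replace( '<coded_br />', '<br />', $content );
+    $content = str_replace( '<coded_p>',    '<p>',    $content );
+    $content = str_replace( '</coded_p>',   '</p>',   $content );
 
     return $content;
@@ -158,13 +158,9 @@
     );
 
-    // Add 'p' and 'br' tags to allowed array, so they are not encoded
-    $allowed['p']  = array();
-    $allowed['br'] = array();
-
     // Loop through allowed tags and compare for empty and normal tags
     foreach ( $allowed as $tag => $args ) {
         $preg = $args ? "{$tag}(?:\s.*?)?" : $tag;
 
-        // Which walker to use based on the tag and argments
+        // Which walker to use based on the tag and arguments
         if ( isset( $empty[$tag] ) ) {
             array_walk( $content, 'bbp_encode_empty_callback',  $preg );
@@ -189,5 +185,13 @@
  */
 function bbp_encode_callback( $matches = array() ) {
-    $content = trim( $matches[2] );
+
+    // Trim inline code, not pre blocks (to prevent removing indentation)
+    if ( "`" == $matches[1] ) {
+        $content = trim( $matches[2] );
+    } else {
+        $content = $matches[2];
+    }
+
+    // Do some replacing
     $content = htmlspecialchars( $content, ENT_QUOTES );
     $content = str_replace( array( "\r\n", "\r" ), "\n", $content );
@@ -196,8 +200,12 @@
     $content = str_replace( '&amp;lt;',  '&lt;',  $content );
     $content = str_replace( '&amp;gt;',  '&gt;',  $content );
+
+    // Wrap in code tags
     $content = '<code>' . $content . '</code>';
 
-    if ( "`" != $matches[1] )
+    // Wrap blocks in pre tags
+    if ( "`" != $matches[1] ) {
         $content = '<pre>' . $content . '</pre>';
+    }
 
     return $content;
@@ -262,2 +270,28 @@
     }
 }
+
+/** No Follow *****************************************************************/
+
+/**
+ * Catches links so rel=nofollow can be added (on output, not save)
+ *
+ * @since bbPress (r4865)
+ * @param string $text Post text
+ * @return string $text Text with rel=nofollow added to any links
+ */
+function bbp_rel_nofollow( $text = '' ) {
+    return preg_replace_callback( '|<a (.+?)>|i', 'bbp_rel_nofollow_callback', $text );
+}
+
+/**
+ * Adds rel=nofollow to a link
+ *
+ * @since bbPress (r4865)
+ * @param array $matches
+ * @return string $text Link with rel=nofollow added
+ */
+function bbp_rel_nofollow_callback( $matches = array() ) {
+    $text = $matches[1];
+    $text = str_replace( array( ' rel="nofollow"', " rel='nofollow'" ), '', $text );
+    return "<a $text rel=\"nofollow\">";
+}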
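Review bot: bbp_rel_nofollow_callback() only strips an exact ` rel="nofollow"` / ` rel='nofollow'` before appending its own, so an anchor that already carries another rel value (for example `rel="external"`) comes out with two rel attributes, and browsers honour only the first, which is the one without nofollow. Since this runs on every output of topic, reply and author links, the defensive value of the attribute depends on the merge being right; the callback should fold `nofollow` into the existing rel token list instead of appending a second attribute, as sketched below. The `|<a (.+?)>|i` pattern in bbp_rel_nofollow() also stops at the first `>` inside the tag, so an attribute value containing that character would presumably be split; kses runs before save, so this is likely only reachable for content injected by other filters, but it is worth a comment on the regex.

```php
function bbp_rel_nofollow_callback( $matches = array() ) {
    $text = $matches[1];

    // Merge into an existing rel attribute rather than emitting a second one
    if ( preg_match( '/\srel=(["\'])(.*?)\1/i', ' ' . $text, $rel ) ) {
        $values = array_filter( explode( ' ', $rel[2] ) );
        if ( ! in_array( 'nofollow', $values, true ) ) {
            $values[] = 'nofollow';
        }
        $text = trim( preg_replace( '/\srel=(["\']).*?\1/i', '', ' ' . $text ) );
        return '<a ' . $text . ' rel="' . implode( ' ', $values ) . '">';
    }

    return "<a $text rel=\"nofollow\">";
}
```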
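--- a/trunk/includes/common/template-tags.php
+++ b/trunk/includes/common/template-tags.php
@@ -1678,5 +1678,5 @@
             'tabfocus_elements' => 'bbp_topic_title,bbp_topic_tags',
             'editor_class'      => 'bbp-the-content',
-            'tinymce'           => true,
+            'tinymce'           => false,
             'teeny'             => true,
             'quicktags'         => true,
@@ -1705,5 +1705,5 @@
 
             // Output the editor
-            wp_editor( htmlspecialchars_decode( $post_content, ENT_QUOTES ), 'bbp_' . $r['context'] . '_content', array(
+            wp_editor( $post_content, 'bbp_' . $r['context'] . '_content', array(
                 'wpautop'           => $r['wpautop'],
                 'media_buttons'     => $r['media_buttons'],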
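Review bot: Dropping the htmlspecialchars_decode() around `$post_content` in the wp_editor() call at line 1707 removes the step that compensated for wp_editor's own escaping of textarea content in the non-TinyMCE path (WordPress applies its html-edit pre-filter to the content it prints into the textarea). If `$post_content` here is the value already passed through the new esc_html filter on bbp_get_form_*_content, a reply containing a literal `<` would presumably render in the editor as `&amp;lt;`; the enclosing function and the origin of `$post_content` are outside the hunk, so this needs checking by editing a reply that contains markup. A short comment on the call, e.g. `// $post_content is already escaped by the bbp_get_form_*_content filters; wp_editor() must not escape it again`, would record whichever contract is intended. The `'tinymce' => false` default at line 1680 is a behaviour change for every existing install and deserves a `@since` note in the function docblock rather than only the commit message.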
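--- a/trunk/includes/core/filters.php
+++ b/trunk/includes/core/filters.php
@@ -84,52 +84,46 @@
 
 // Links
-add_filter( 'paginate_links',            'bbp_add_view_all' );
-add_filter( 'bbp_get_topic_permalink',   'bbp_add_view_all' );
-add_filter( 'bbp_get_reply_permalink',   'bbp_add_view_all' );
-add_filter( 'bbp_get_forum_permalink',   'bbp_add_view_all' );
+add_filter( 'paginate_links',          'bbp_add_view_all' );
+add_filter( 'bbp_get_topic_permalink', 'bbp_add_view_all' );
+add_filter( 'bbp_get_reply_permalink', 'bbp_add_view_all' );
+add_filter( 'bbp_get_forum_permalink', 'bbp_add_view_all' );
 
 // wp_filter_kses on new/edit topic/reply title
-add_filter( 'bbp_new_reply_pre_title',    'wp_filter_kses'  );
-add_filter( 'bbp_new_topic_pre_title',    'wp_filter_kses'  );
-add_filter( 'bbp_edit_reply_pre_title',   'wp_filter_kses'  );
-add_filter( 'bbp_edit_topic_pre_title',   'wp_filter_kses'  );
-
-// Code filters on output (hooked in early for plugin compatibility)
-add_filter( 'bbp_get_reply_content', 'bbp_code_trick', 3 );
-add_filter( 'bbp_get_topic_content', 'bbp_code_trick', 3 );
-
-// Code filters on input
-add_filter( 'bbp_new_reply_pre_content',  'bbp_code_trick_reverse' );
-add_filter( 'bbp_edit_reply_pre_content', 'bbp_code_trick_reverse' );
-add_filter( 'bbp_new_topic_pre_content',  'bbp_code_trick_reverse' );
-add_filter( 'bbp_edit_topic_pre_content', 'bbp_code_trick_reverse' );
-
-// balanceTags, wp_filter_kses and wp_rel_nofollow on new/edit topic/reply text
-add_filter( 'bbp_new_reply_pre_content',  'wp_rel_nofollow'    );
-add_filter( 'bbp_new_reply_pre_content',  'bbp_filter_kses'    );
-add_filter( 'bbp_new_reply_pre_content',  'balanceTags',    50 );
-add_filter( 'bbp_new_topic_pre_content',  'wp_rel_nofollow'    );
-add_filter( 'bbp_new_topic_pre_content',  'bbp_filter_kses'    );
-add_filter( 'bbp_new_topic_pre_content',  'balanceTags',    50 );
-add_filter( 'bbp_edit_reply_pre_content', 'wp_rel_nofollow'    );
-add_filter( 'bbp_edit_reply_pre_content', 'bbp_filter_kses'    );
-add_filter( 'bbp_edit_reply_pre_content', 'balanceTags',    50 );
-add_filter( 'bbp_edit_topic_pre_content', 'wp_rel_nofollow'    );
-add_filter( 'bbp_edit_topic_pre_content', 'bbp_filter_kses'    );
-add_filter( 'bbp_edit_topic_pre_content', 'balanceTags',    50 );
+add_filter( 'bbp_new_reply_pre_title',  'wp_filter_kses'  );
+add_filter( 'bbp_new_topic_pre_title',  'wp_filter_kses'  );
+add_filter( 'bbp_edit_reply_pre_title', 'wp_filter_kses'  );
+add_filter( 'bbp_edit_topic_pre_title', 'wp_filter_kses'  );
+
+// Prevent posting malicious or malformed content on new/edit topic/reply
+add_filter( 'bbp_new_reply_pre_content',  'bbp_encode_bad',  10 );
+add_filter( 'bbp_new_reply_pre_content',  'bbp_code_trick',  20 );
+add_filter( 'bbp_new_reply_pre_content',  'bbp_filter_kses', 30 );
+add_filter( 'bbp_new_reply_pre_content',  'balanceTags',     40 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_encode_bad',  10 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_code_trick',  20 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_filter_kses', 30 );
+add_filter( 'bbp_new_topic_pre_content',  'balanceTags',     40 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_encode_bad',  10 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_code_trick',  20 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_filter_kses', 30 );
+add_filter( 'bbp_edit_reply_pre_content', 'balanceTags',     40 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_encode_bad',  10 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_code_trick',  20 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_filter_kses', 30 );
+add_filter( 'bbp_edit_topic_pre_content', 'balanceTags',     40 );
 
 // No follow and stripslashes on user profile links
-add_filter( 'bbp_get_reply_author_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_reply_author_link',      'stripslashes'    );
-add_filter( 'bbp_get_topic_author_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_topic_author_link',      'stripslashes'    );
-add_filter( 'bbp_get_user_favorites_link',    'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_favorites_link',    'stripslashes'    );
-add_filter( 'bbp_get_user_subscribe_link',    'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_subscribe_link',    'stripslashes'    );
-add_filter( 'bbp_get_user_profile_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_profile_link',      'stripslashes'    );
-add_filter( 'bbp_get_user_profile_edit_link', 'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_profile_edit_link', 'stripslashes'    );
+add_filter( 'bbp_get_reply_author_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_reply_author_link',      'stripslashes'     );
+add_filter( 'bbp_get_topic_author_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_topic_author_link',      'stripslashes'     );
+add_filter( 'bbp_get_user_favorites_link',    'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_favorites_link',    'stripslashes'     );
+add_filter( 'bbp_get_user_subscribe_link',    'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_subscribe_link',    'stripslashes'     );
+add_filter( 'bbp_get_user_profile_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_profile_link',      'stripslashes'     );
+add_filter( 'bbp_get_user_profile_edit_link', 'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_profile_edit_link', 'stripslashes'     );
 
 // Run filters on reply content
@@ -142,4 +136,5 @@
 add_filter( 'bbp_get_reply_content', 'force_balance_tags', 30   );
 add_filter( 'bbp_get_reply_content', 'wpautop',            40   );
+add_filter( 'bbp_get_reply_content', 'bbp_rel_nofollow',   50   );
 
 // Run filters on topic content
@@ -152,4 +147,13 @@
 add_filter( 'bbp_get_topic_content', 'force_balance_tags', 30   );
 add_filter( 'bbp_get_topic_content', 'wpautop',            40   );
+add_filter( 'bbp_get_topic_content', 'bbp_rel_nofollow',   50   );
+
+// Form textarea output - undo the code-trick done pre-save, and sanitize
+add_filter( 'bbp_get_form_reply_content', 'bbp_code_trick_reverse' );
+add_filter( 'bbp_get_form_reply_content', 'esc_html'               );
+add_filter( 'bbp_get_form_reply_content', 'trim'                   );
+add_filter( 'bbp_get_form_topic_content', 'bbp_code_trick_reverse' );
+add_filter( 'bbp_get_form_topic_content', 'esc_html'               );
+add_filter( 'bbp_get_form_topic_content', 'trim'                   );
 
 // Add number format filter to functions requiring numeric output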
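Review bot: Removing wp_rel_nofollow from the bbp_*_pre_content hooks means nofollow is no longer persisted in post_content, so the attribute now exists only where bbp_get_reply_content / bbp_get_topic_content are applied (new lines 138 and 149, priority 50); any code path that reads stored content without those filters — feeds, subscription e-mails, exports, which are not visible on this page — would presumably emit user-supplied links without nofollow from this commit on. That trade-off is the point of the change, but it should be stated where the hooks are registered, e.g. above line 138: `// rel=nofollow is added on output only; consumers that bypass bbp_get_*_content must apply bbp_rel_nofollow() themselves`. The new pre-save comment at line 97 also reads as if the whole chain is sanitization, whereas bbp_code_trick at priority 20 is a formatting step that runs before bbp_filter_kses at 30; a one-line note that kses is the security boundary and the surrounding filters only shape what it sees would keep the ordering from being "tidied" later.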
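--- a/trunk/includes/replies/template-tags.php
+++ b/trunk/includes/replies/template-tags.php
@@ -2104,5 +2104,5 @@
         }
 
-        return apply_filters( 'bbp_get_form_reply_content', esc_textarea( $reply_content ) );
+        return apply_filters( 'bbp_get_form_reply_content', $reply_content );
     }
 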
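Review bot: Dropping esc_textarea() from the return at line 2106 moves the escaping of user-authored content out of the function and into an esc_html filter registered in trunk/includes/core/filters.php, which any plugin can detach with remove_filter(); before this change the function guaranteed an escaped value for the textarea regardless of hooks. The same applies to bbp_get_form_topic_content at line 3403 of trunk/includes/topics/template-tags.php. If the filter is now the intended escaping boundary, the docblock of the enclosing function (it starts outside the hunk) should say so, e.g. `@return string Reply content, escaped for textarea output by the bbp_get_form_reply_content filter (see core/filters.php); callers must not assume the raw value is safe if that filter is removed`.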
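--- a/trunk/includes/topics/template-tags.php
+++ b/trunk/includes/topics/template-tags.php
@@ -3401,5 +3401,5 @@
         }
 
-        return apply_filters( 'bbp_get_form_topic_content', esc_textarea( $topic_content ) );
+        return apply_filters( 'bbp_get_form_topic_content', $topic_content );
     }
 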