Changeset 4866

Timestamp:

04/26/2013 11:00:38 AM (12 years ago)

Author:

johnjamesjacoby

Message:

Audit procedure for posting pre-formatted code in topics and replies:

• Invert code-trick & code-trick-reverse filters to happen pre-save and on output.
• Use esc_html() filter rather than esc_textarea() for textarea output when editing content, to prevent double escaping after above code-trick-reversal.
• Introduce bbp_rel_nofollow() and callback, to handle this on output rather than input, to prevent mucking up preformatted code, and replace wp_rel_nofollow() usages with this.
• Disable visual-editor by default. It's causing code formatting issues when switching between editor types (enable at your own risk in a plugin for now.)
• Fixes #1967 (trunk)

Location:

trunk/includes

Files:

• common/formatting.php (modified) (5 diffs)
• common/template-tags.php (modified) (2 diffs)
• core/filters.php (modified) (3 diffs)
• replies/template-tags.php (modified) (1 diff)
• topics/template-tags.php (modified) (1 diff)

trunk/includes/common/formatting.php

@@ -121 +121 @@
     // Setup variables
     $openers = array( '<p>', '<br />' );
-    $content    = preg_replace_callback( "!(<pre><code>|<code>)(.*?)(</code></pre>|</code>)!s", 'bbp_decode_callback', $content );
+    $content = preg_replace_callback( "!(<pre><code>|<code>)(.*?)(</code></pre>|</code>)!s", 'bbp_decode_callback', $content );
 
     // Do the do
-    $content    = str_replace( $openers,       '',       $content );
-    $content    = str_replace( '</p>',         "\n",     $content );
-    $content    = str_replace( '<coded_br />', '<br />', $content );
-    $content    = str_replace( '<coded_p>',    '<p>',    $content );
-    $content    = str_replace( '</coded_p>',   '</p>',   $content );
+    $content = str_replace( $openers,       '',       $content );
+    $content = str_replace( '</p>',         "\n",     $content );
+    $content = str_replace( '<coded_br />', '<br />', $content );
+    $content = str_replace( '<coded_p>',    '<p>',    $content );
+    $content = str_replace( '</coded_p>',   '</p>',   $content );
 
     return $content;
@@ -158 +158 @@
     );
 
-    // Add 'p' and 'br' tags to allowed array, so they are not encoded
-    $allowed['p']  = array();
-    $allowed['br'] = array();
-
     // Loop through allowed tags and compare for empty and normal tags
     foreach ( $allowed as $tag => $args ) {
         $preg = $args ? "{$tag}(?:\s.*?)?" : $tag;
 
-        // Which walker to use based on the tag and argments
+        // Which walker to use based on the tag and arguments
         if ( isset( $empty[$tag] ) ) {
             array_walk( $content, 'bbp_encode_empty_callback',  $preg );
@@ -189 +185 @@
  */
 function bbp_encode_callback( $matches = array() ) {
-    $content = trim( $matches[2] );
+
+    // Trim inline code, not pre blocks (to prevent removing indentation)
+    if ( "`" == $matches[1] ) {
+        $content = trim( $matches[2] );
+    } else {
+        $content = $matches[2];
+    }
+
+    // Do some replacing
     $content = htmlspecialchars( $content, ENT_QUOTES );
     $content = str_replace( array( "\r\n", "\r" ), "\n", $content );
@@ -196 +200 @@
     $content = str_replace( '&amp;lt;',  '&lt;',  $content );
     $content = str_replace( '&amp;gt;',  '&gt;',  $content );
+
+    // Wrap in code tags
     $content = '<code>' . $content . '</code>';
 
-    if ( "`" != $matches[1] )
+    // Wrap blocks in pre tags
+    if ( "`" != $matches[1] ) {
         $content = '<pre>' . $content . '</pre>';
+    }
 
     return $content;
@@ -262 +270 @@
     }
 }
+
+/** No Follow *****************************************************************/
+
+/**
+ * Catches links so rel=nofollow can be added (on output, not save)
+ *
+ * @since bbPress (r4865)
+ * @param string $text Post text
+ * @return string $text Text with rel=nofollow added to any links
+ */
+function bbp_rel_nofollow( $text = '' ) {
+    return preg_replace_callback( '|<a (.+?)>|i', 'bbp_rel_nofollow_callback', $text );
+}
+
+/**
+ * Adds rel=nofollow to a link
+ *
+ * @since bbPress (r4865)
+ * @param array $matches
+ * @return string $text Link with rel=nofollow added
+ */
+function bbp_rel_nofollow_callback( $matches = array() ) {
+    $text = $matches[1];
+    $text = str_replace( array( ' rel="nofollow"', " rel='nofollow'" ), '', $text );
+    return "<a $text rel=\"nofollow\">";
+}

trunk/includes/common/template-tags.php

@@ -1678 +1678 @@
             'tabfocus_elements' => 'bbp_topic_title,bbp_topic_tags',
             'editor_class'      => 'bbp-the-content',
-            'tinymce'           => true,
+            'tinymce'           => false,
             'teeny'             => true,
             'quicktags'         => true,
@@ -1705 +1705 @@
 
             // Output the editor
-            wp_editor( htmlspecialchars_decode( $post_content, ENT_QUOTES ), 'bbp_' . $r['context'] . '_content', array(
+            wp_editor( $post_content, 'bbp_' . $r['context'] . '_content', array(
                 'wpautop'           => $r['wpautop'],
                 'media_buttons'     => $r['media_buttons'],

trunk/includes/core/filters.php

@@ -84 +84 @@
 
 // Links
-add_filter( 'paginate_links',            'bbp_add_view_all' );
-add_filter( 'bbp_get_topic_permalink',   'bbp_add_view_all' );
-add_filter( 'bbp_get_reply_permalink',   'bbp_add_view_all' );
-add_filter( 'bbp_get_forum_permalink',   'bbp_add_view_all' );
+add_filter( 'paginate_links',          'bbp_add_view_all' );
+add_filter( 'bbp_get_topic_permalink', 'bbp_add_view_all' );
+add_filter( 'bbp_get_reply_permalink', 'bbp_add_view_all' );
+add_filter( 'bbp_get_forum_permalink', 'bbp_add_view_all' );
 
 // wp_filter_kses on new/edit topic/reply title
-add_filter( 'bbp_new_reply_pre_title',    'wp_filter_kses'  );
-add_filter( 'bbp_new_topic_pre_title',    'wp_filter_kses'  );
-add_filter( 'bbp_edit_reply_pre_title',   'wp_filter_kses'  );
-add_filter( 'bbp_edit_topic_pre_title',   'wp_filter_kses'  );
-
-// Code filters on output (hooked in early for plugin compatibility)
-add_filter( 'bbp_get_reply_content', 'bbp_code_trick', 3 );
-add_filter( 'bbp_get_topic_content', 'bbp_code_trick', 3 );
-
-// Code filters on input
-add_filter( 'bbp_new_reply_pre_content',  'bbp_code_trick_reverse' );
-add_filter( 'bbp_edit_reply_pre_content', 'bbp_code_trick_reverse' );
-add_filter( 'bbp_new_topic_pre_content',  'bbp_code_trick_reverse' );
-add_filter( 'bbp_edit_topic_pre_content', 'bbp_code_trick_reverse' );
-
-// balanceTags, wp_filter_kses and wp_rel_nofollow on new/edit topic/reply text
-add_filter( 'bbp_new_reply_pre_content',  'wp_rel_nofollow'    );
-add_filter( 'bbp_new_reply_pre_content',  'bbp_filter_kses'    );
-add_filter( 'bbp_new_reply_pre_content',  'balanceTags',    50 );
-add_filter( 'bbp_new_topic_pre_content',  'wp_rel_nofollow'    );
-add_filter( 'bbp_new_topic_pre_content',  'bbp_filter_kses'    );
-add_filter( 'bbp_new_topic_pre_content',  'balanceTags',    50 );
-add_filter( 'bbp_edit_reply_pre_content', 'wp_rel_nofollow'    );
-add_filter( 'bbp_edit_reply_pre_content', 'bbp_filter_kses'    );
-add_filter( 'bbp_edit_reply_pre_content', 'balanceTags',    50 );
-add_filter( 'bbp_edit_topic_pre_content', 'wp_rel_nofollow'    );
-add_filter( 'bbp_edit_topic_pre_content', 'bbp_filter_kses'    );
-add_filter( 'bbp_edit_topic_pre_content', 'balanceTags',    50 );
+add_filter( 'bbp_new_reply_pre_title',  'wp_filter_kses'  );
+add_filter( 'bbp_new_topic_pre_title',  'wp_filter_kses'  );
+add_filter( 'bbp_edit_reply_pre_title', 'wp_filter_kses'  );
+add_filter( 'bbp_edit_topic_pre_title', 'wp_filter_kses'  );
+
+// Prevent posting malicious or malformed content on new/edit topic/reply
+add_filter( 'bbp_new_reply_pre_content',  'bbp_encode_bad',  10 );
+add_filter( 'bbp_new_reply_pre_content',  'bbp_code_trick',  20 );
+add_filter( 'bbp_new_reply_pre_content',  'bbp_filter_kses', 30 );
+add_filter( 'bbp_new_reply_pre_content',  'balanceTags',     40 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_encode_bad',  10 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_code_trick',  20 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_filter_kses', 30 );
+add_filter( 'bbp_new_topic_pre_content',  'balanceTags',     40 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_encode_bad',  10 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_code_trick',  20 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_filter_kses', 30 );
+add_filter( 'bbp_edit_reply_pre_content', 'balanceTags',     40 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_encode_bad',  10 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_code_trick',  20 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_filter_kses', 30 );
+add_filter( 'bbp_edit_topic_pre_content', 'balanceTags',     40 );
 
 // No follow and stripslashes on user profile links
-add_filter( 'bbp_get_reply_author_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_reply_author_link',      'stripslashes'    );
-add_filter( 'bbp_get_topic_author_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_topic_author_link',      'stripslashes'    );
-add_filter( 'bbp_get_user_favorites_link',    'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_favorites_link',    'stripslashes'    );
-add_filter( 'bbp_get_user_subscribe_link',    'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_subscribe_link',    'stripslashes'    );
-add_filter( 'bbp_get_user_profile_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_profile_link',      'stripslashes'    );
-add_filter( 'bbp_get_user_profile_edit_link', 'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_profile_edit_link', 'stripslashes'    );
+add_filter( 'bbp_get_reply_author_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_reply_author_link',      'stripslashes'     );
+add_filter( 'bbp_get_topic_author_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_topic_author_link',      'stripslashes'     );
+add_filter( 'bbp_get_user_favorites_link',    'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_favorites_link',    'stripslashes'     );
+add_filter( 'bbp_get_user_subscribe_link',    'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_subscribe_link',    'stripslashes'     );
+add_filter( 'bbp_get_user_profile_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_profile_link',      'stripslashes'     );
+add_filter( 'bbp_get_user_profile_edit_link', 'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_profile_edit_link', 'stripslashes'     );
 
 // Run filters on reply content
@@ -142 +136 @@
 add_filter( 'bbp_get_reply_content', 'force_balance_tags', 30   );
 add_filter( 'bbp_get_reply_content', 'wpautop',            40   );
+add_filter( 'bbp_get_reply_content', 'bbp_rel_nofollow',   50   );
 
 // Run filters on topic content
@@ -152 +147 @@
 add_filter( 'bbp_get_topic_content', 'force_balance_tags', 30   );
 add_filter( 'bbp_get_topic_content', 'wpautop',            40   );
+add_filter( 'bbp_get_topic_content', 'bbp_rel_nofollow',   50   );
+
+// Form textarea output - undo the code-trick done pre-save, and sanitize
+add_filter( 'bbp_get_form_reply_content', 'bbp_code_trick_reverse' );
+add_filter( 'bbp_get_form_reply_content', 'esc_html'               );
+add_filter( 'bbp_get_form_reply_content', 'trim'                   );
+add_filter( 'bbp_get_form_topic_content', 'bbp_code_trick_reverse' );
+add_filter( 'bbp_get_form_topic_content', 'esc_html'               );
+add_filter( 'bbp_get_form_topic_content', 'trim'                   );
 
 // Add number format filter to functions requiring numeric output

trunk/includes/replies/template-tags.php

@@ -2104 +2104 @@
         }
 
-        return apply_filters( 'bbp_get_form_reply_content', esc_textarea( $reply_content ) );
+        return apply_filters( 'bbp_get_form_reply_content', $reply_content );
     }
 

trunk/includes/topics/template-tags.php

@@ -3401 +3401 @@
         }
 
-        return apply_filters( 'bbp_get_form_topic_content', esc_textarea( $topic_content ) );
+        return apply_filters( 'bbp_get_form_topic_content', $topic_content );
     }