Timestamp:
04/26/2013 11:00:38 AM (12 years ago)
Author:
johnjamesjacoby
Message:

Audit procedure for posting pre-formatted code in topics and replies:

  • Swap the code-trick filters: run bbp_code_trick pre-save (on the *_pre_content filters) and bbp_code_trick_reverse on form output, instead of the other way round.
  • Use esc_html() filter rather than esc_textarea() for textarea output when editing content, to prevent double escaping after above code-trick-reversal.
  • Introduce bbp_rel_nofollow() and callback, to handle this on output rather than input, to prevent mucking up preformatted code, and replace wp_rel_nofollow() usages with this.
  • Disable visual-editor by default. It's causing code formatting issues when switching between editor types (enable at your own risk in a plugin for now.)
  • Fixes #1967 (trunk)
File:
1 edited

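--- a/trunk/includes/core/filters.php
+++ b/trunk/includes/core/filters.php
@@ -84,52 +84,46 @@
 
 // Links
-add_filter( 'paginate_links',            'bbp_add_view_all' );
-add_filter( 'bbp_get_topic_permalink',   'bbp_add_view_all' );
-add_filter( 'bbp_get_reply_permalink',   'bbp_add_view_all' );
-add_filter( 'bbp_get_forum_permalink',   'bbp_add_view_all' );
+add_filter( 'paginate_links',          'bbp_add_view_all' );
+add_filter( 'bbp_get_topic_permalink', 'bbp_add_view_all' );
+add_filter( 'bbp_get_reply_permalink', 'bbp_add_view_all' );
+add_filter( 'bbp_get_forum_permalink', 'bbp_add_view_all' );
 
 // wp_filter_kses on new/edit topic/reply title
-add_filter( 'bbp_new_reply_pre_title',    'wp_filter_kses'  );
-add_filter( 'bbp_new_topic_pre_title',    'wp_filter_kses'  );
-add_filter( 'bbp_edit_reply_pre_title',   'wp_filter_kses'  );
-add_filter( 'bbp_edit_topic_pre_title',   'wp_filter_kses'  );
-
-// Code filters on output (hooked in early for plugin compatibility)
-add_filter( 'bbp_get_reply_content', 'bbp_code_trick', 3 );
-add_filter( 'bbp_get_topic_content', 'bbp_code_trick', 3 );
-
-// Code filters on input
-add_filter( 'bbp_new_reply_pre_content',  'bbp_code_trick_reverse' );
-add_filter( 'bbp_edit_reply_pre_content', 'bbp_code_trick_reverse' );
-add_filter( 'bbp_new_topic_pre_content',  'bbp_code_trick_reverse' );
-add_filter( 'bbp_edit_topic_pre_content', 'bbp_code_trick_reverse' );
-
-// balanceTags, wp_filter_kses and wp_rel_nofollow on new/edit topic/reply text
-add_filter( 'bbp_new_reply_pre_content',  'wp_rel_nofollow'    );
-add_filter( 'bbp_new_reply_pre_content',  'bbp_filter_kses'    );
-add_filter( 'bbp_new_reply_pre_content',  'balanceTags',    50 );
-add_filter( 'bbp_new_topic_pre_content',  'wp_rel_nofollow'    );
-add_filter( 'bbp_new_topic_pre_content',  'bbp_filter_kses'    );
-add_filter( 'bbp_new_topic_pre_content',  'balanceTags',    50 );
-add_filter( 'bbp_edit_reply_pre_content', 'wp_rel_nofollow'    );
-add_filter( 'bbp_edit_reply_pre_content', 'bbp_filter_kses'    );
-add_filter( 'bbp_edit_reply_pre_content', 'balanceTags',    50 );
-add_filter( 'bbp_edit_topic_pre_content', 'wp_rel_nofollow'    );
-add_filter( 'bbp_edit_topic_pre_content', 'bbp_filter_kses'    );
-add_filter( 'bbp_edit_topic_pre_content', 'balanceTags',    50 );
+add_filter( 'bbp_new_reply_pre_title',  'wp_filter_kses'  );
+add_filter( 'bbp_new_topic_pre_title',  'wp_filter_kses'  );
+add_filter( 'bbp_edit_reply_pre_title', 'wp_filter_kses'  );
+add_filter( 'bbp_edit_topic_pre_title', 'wp_filter_kses'  );
+
+// Prevent posting malicious or malformed content on new/edit topic/reply
+add_filter( 'bbp_new_reply_pre_content',  'bbp_encode_bad',  10 );
+add_filter( 'bbp_new_reply_pre_content',  'bbp_code_trick',  20 );
+add_filter( 'bbp_new_reply_pre_content',  'bbp_filter_kses', 30 );
+add_filter( 'bbp_new_reply_pre_content',  'balanceTags',     40 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_encode_bad',  10 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_code_trick',  20 );
+add_filter( 'bbp_new_topic_pre_content',  'bbp_filter_kses', 30 );
+add_filter( 'bbp_new_topic_pre_content',  'balanceTags',     40 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_encode_bad',  10 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_code_trick',  20 );
+add_filter( 'bbp_edit_reply_pre_content', 'bbp_filter_kses', 30 );
+add_filter( 'bbp_edit_reply_pre_content', 'balanceTags',     40 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_encode_bad',  10 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_code_trick',  20 );
+add_filter( 'bbp_edit_topic_pre_content', 'bbp_filter_kses', 30 );
+add_filter( 'bbp_edit_topic_pre_content', 'balanceTags',     40 );
 
 // No follow and stripslashes on user profile links
-add_filter( 'bbp_get_reply_author_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_reply_author_link',      'stripslashes'    );
-add_filter( 'bbp_get_topic_author_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_topic_author_link',      'stripslashes'    );
-add_filter( 'bbp_get_user_favorites_link',    'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_favorites_link',    'stripslashes'    );
-add_filter( 'bbp_get_user_subscribe_link',    'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_subscribe_link',    'stripslashes'    );
-add_filter( 'bbp_get_user_profile_link',      'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_profile_link',      'stripslashes'    );
-add_filter( 'bbp_get_user_profile_edit_link', 'wp_rel_nofollow' );
-add_filter( 'bbp_get_user_profile_edit_link', 'stripslashes'    );
+add_filter( 'bbp_get_reply_author_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_reply_author_link',      'stripslashes'     );
+add_filter( 'bbp_get_topic_author_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_topic_author_link',      'stripslashes'     );
+add_filter( 'bbp_get_user_favorites_link',    'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_favorites_link',    'stripslashes'     );
+add_filter( 'bbp_get_user_subscribe_link',    'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_subscribe_link',    'stripslashes'     );
+add_filter( 'bbp_get_user_profile_link',      'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_profile_link',      'stripslashes'     );
+add_filter( 'bbp_get_user_profile_edit_link', 'bbp_rel_nofollow' );
+add_filter( 'bbp_get_user_profile_edit_link', 'stripslashes'     );
 
 // Run filters on reply content
@@ -142,3 +136,4 @@
 add_filter( 'bbp_get_reply_content', 'force_balance_tags', 30   );
 add_filter( 'bbp_get_reply_content', 'wpautop',            40   );
+add_filter( 'bbp_get_reply_content', 'bbp_rel_nofollow',   50   );
 
@@ -152,4 +147,13 @@
 add_filter( 'bbp_get_topic_content', 'force_balance_tags', 30   );
 add_filter( 'bbp_get_topic_content', 'wpautop',            40   );
+add_filter( 'bbp_get_topic_content', 'bbp_rel_nofollow',   50   );
+
+// Form textarea output - undo the code-trick done pre-save, and sanitize
+add_filter( 'bbp_get_form_reply_content', 'bbp_code_trick_reverse' );
+add_filter( 'bbp_get_form_reply_content', 'esc_html'               );
+add_filter( 'bbp_get_form_reply_content', 'trim'                   );
+add_filter( 'bbp_get_form_topic_content', 'bbp_code_trick_reverse' );
+add_filter( 'bbp_get_form_topic_content', 'esc_html'               );
+add_filter( 'bbp_get_form_topic_content', 'trim'                   );
 
 // Add number format filter to functions requiring numeric output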
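Review bot: Dropping `wp_rel_nofollow` from the `*_pre_content` filters means stored post_content no longer carries `rel="nofollow"`, and the replacement `bbp_rel_nofollow` is only hooked on `bbp_get_reply_content` / `bbp_get_topic_content` at priority 50, so any output path that prints content without going through those getters (feeds, notification e-mails, a theme echoing `post_content` directly) now emits bare user-supplied links; those paths are not visible in this file, so please confirm each one routes through the getters or applies `bbp_rel_nofollow` itself. The new input chain also deserves an ordering comment, because `bbp_filter_kses` at priority 30 is now the last markup sanitizer and anything a plugin hooks onto these filters at a higher priority runs on its output unchecked, with `balanceTags` at 40 assumed to only balance existing tags: e.g. `// Order matters: bbp_filter_kses (30) is the last sanitizer; hook nothing after it that can introduce markup.` On the form-output side, `esc_html` still encodes `<` and `>` (so a literal `</textarea>` in stored content cannot break out of the field) and merely avoids re-encoding existing entities, which matches the stated double-escaping intent; a one-line comment saying why `esc_html` is used instead of `esc_textarea` would stop a later cleanup from reverting it.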