From 9b83a835471b730040c302dc23af8c472805599d Mon Sep 17 00:00:00 2001 From: rurban Date: Sat, 23 Apr 2005 11:15:49 +0000 Subject: [PATCH] handle allowed inlined objects within INLINE_IMAGES git-svn-id: svn://svn.code.sf.net/p/phpwiki/code/trunk@4679 96ab9672-09ca-45d6-a79d-3d69d39ca109 --- config/config-dist.ini | 11 +++++-- lib/InlineParser.php | 18 ++++++++--- lib/stdlib.php | 73 ++++++++++++++++++++++++++++++++++++++---- 3 files changed, 88 insertions(+), 14 deletions(-) diff --git a/config/config-dist.ini b/config/config-dist.ini index 8558ed57e..6484810de 100644 --- a/config/config-dist.ini +++ b/config/config-dist.ini @@ -438,6 +438,10 @@ DATABASE_TIMEOUT = 5 ; the page metadata for the preceding version (summary, mtime, ...) ; is not changed. ; +; Let all revisions be stored. Default since 1.3.11 +;MAJOR_MIN_KEEP = 2147483647 +;MINOR_MIN_KEEP = 2147483647 + ; Keep up to 8 major edits, but keep them no longer than a month. MAJOR_MAX_AGE = 32 MAJOR_KEEP = 8 @@ -804,7 +808,7 @@ CHARSET = iso-8859-1 ; Part Five: Mark-up options. ;========================================================================= ; -; allowed protocols for links - be careful not to allow "javascript:" +; Allowed protocols for links - be careful not to allow "javascript:" ; URL of these types will be automatically linked. ; within a named link [name|uri] one more protocol is defined: phpwiki ; Separate each of the protocol names with a vertical pipe, and ensure there @@ -812,7 +816,10 @@ CHARSET = iso-8859-1 ;ALLOWED_PROTOCOLS = "http|https|mailto|ftp|news|nntp|ssh|gopher" ; URLs ending with the following extension should be inlined as images. -; Specify as per ALLOWED_PROTOCOLS +; Specify as per ALLOWED_PROTOCOLS. +; Note that you can now also allow class|svg|svgz|vrml|swf ..., +; which will create embedded instead of . +; Typical CGI extensions as pl or cgi maybe allowed too, but those two will be enforced to ;INLINE_IMAGES = "png|jpg|gif" ; Perl regexp for WikiNames ("bumpy words") 
diff --git a/lib/InlineParser.php b/lib/InlineParser.php index ff6719543..b81ee40a6 100644 --- a/lib/InlineParser.php +++ b/lib/InlineParser.php @@ -1,5 +1,5 @@ * Copyright (C) 2004,2005 Reini Urban * @@ -394,11 +394,16 @@ function LinkBracketLink($bracketlink) { * File:my_image.gif shows a plain inter-wiki link, * [what a pic|File:my_image.gif] shows a named inter-wiki link to the gif * [File:my_image.gif|what a pic] shows a inlimed image linked to the page "what a pic" + * + * Note that for simplicity we will accept embedded object tags (non-images) + * here also, and seperate them later in LinkImage() */ - elseif (strstr($link,':') and - ($intermap = getInterwikiMap()) and - preg_match("/^" . $intermap->getRegexp() . ":/", $link)) { - if (empty($label) && isImageLink($link)) { + elseif (strstr($link,':') + and ($intermap = getInterwikiMap()) + and preg_match("/^" . $intermap->getRegexp() . ":/", $link)) + { + // trigger_error("label: $label link: $link", E_USER_WARNING); + if (empty($label) and isImageLink($link)) { // if without label => inlined image [File:xx.gif] $imgurl = $intermap->link($link); return LinkImage($imgurl->getAttr('href'), $label); @@ -812,6 +817,9 @@ function TransformLinks($text, $markup = 2.0, $basepage = false) { } // $Log: not supported by cvs2svn $ +// Revision 1.65 2005/03/27 18:24:17 rurban +// add Log +// // (c-file-style: "gnu") // Local Variables: diff --git a/lib/stdlib.php b/lib/stdlib.php index 2fa49fc57..bc81c7190 100644 --- a/lib/stdlib.php +++ b/lib/stdlib.php @@ -1,4 +1,4 @@ -', or '"' are present. + * Check against their urlencoded values also. * * @param string $url URL to check for unsafe characters. * @return boolean True if same, false else. */ function IsSafeURL($url) { - return !preg_match('/[<>"]/', $url); + return !preg_match('/([<>"])|(%3C)|(%3E)|(%22)/', $url); } /** 
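Review bot: The line `// trigger_error("label: $label link: $link", E_USER_WARNING);` added at the top of the interwiki `elseif` branch is commented-out debug code and should be dropped rather than committed. The new doc comment ("Note that for simplicity we will accept embedded object tags (non-images) here also, and seperate them later in LinkImage()") is the only place that records that non-image objects pass through this branch, so keep it but fix the spelling: `* Note that for simplicity we also accept embedded object links (non-images) here and separate them later in LinkImage().` The reshaped condition still relies on `strstr($link,':')` purely for truthiness; that is pre-existing, but `strpos($link, ':') !== false` would say what is meant. LinkBracketLink's body begins and ends outside this hunk.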
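Review bot: The new IsSafeURL() pattern `'/([<>"])|(%3C)|(%3E)|(%22)/'` matches the percent-encoded forms case-sensitively while percent-decoding is not, so the lower-case spellings `%3c` and `%3e` are not rejected although the doc comment now promises that encoded values are checked too. Add the `i` modifier and drop the unused capture groups: `return !preg_match('/[<>"]|%3C|%3E|%22/i', $url);`. This function is a pre-filter only; the attribute escaping done by the HTML builder remains the actual protection, which the existing "Is this needed (or sufficient?)" comment in LinkImage() already hints at and could say explicitly. The hunk header for this change was lost in extraction, so the function's surrounding lines cannot be checked here.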
@@ -363,22 +364,31 @@ function LinkURL($url, $linktext = '') { } /** - * FIXME: disallow sizes which are too small. + * Inline Images + * + * Syntax: [image.png size=50% border=n align= hspace= vspace= width= height=] + * Disallows sizes which are too small. * Spammers may use such (typically invisible) image attributes to higher their GoogleRank. + * + * Handle embeddable objects, like svg, class, vrml, swf, svgz, pdf especially. */ function LinkImage($url, $alt = false) { + $force_img = "png|jpg|gif|jpeg|bmp|pl|cgi"; + // Disallow tags in img src urls. Typical CSS attacks. // FIXME: Is this needed (or sufficient?) if(! IsSafeURL($url)) { $link = HTML::strong(HTML::u(array('class' => 'baduri'), _("BAD URL -- remove all of <, >, \""))); } else { // support new syntax: [image.jpg size=50% border=n] + if (!preg_match("/\.(".$force_img.")/i", $url)) + $ori_url = $url; $arr = split(' ',$url); if (count($arr) > 1) { $url = $arr[0]; } if (empty($alt)) $alt = basename($url); - $link = HTML::img(array('src' => $url, 'alt' => $alt)); + $link = HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt)); if (count($arr) > 1) { array_shift($arr); foreach ($arr as $attr) { @@ -400,7 +410,7 @@ function LinkImage($url, $alt = false) { $link->setAttr('vspace',$m[1]); } } - // check width and height as spam countermeasure + // Check width and height as spam countermeasure if (($width = $link->getAttr('width')) and ($height = $link->getAttr('height'))) { //$width = (int) $width; // px or % or other suffix //$height = (int) $height; @@ -408,7 +418,7 @@ function LinkImage($url, $alt = false) { ($height < 3 and $width < 20) or ($height < 7 and $width < 7)) { - trigger_error(_("Invalid image size"), E_USER_NOTICE); + trigger_error(_("Invalid image size"), E_USER_WARNING); return ''; } } else { 
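Review bot: `$ori_url` is assigned only when `"/\.(".$force_img.")/i"` fails against the full `$url` string, attributes included, but the tail of LinkImage() (next hunk) runs the same pattern against the bare `$arr[0]` before calling `ImgObject($link, $ori_url)`; any attribute token that happens to contain `.gif` or `.png` makes the two tests disagree and `$ori_url` is read undefined. Assign it unconditionally before the split, `$ori_url = $url;`, and let the single check in the tail decide. The pattern is also unanchored, so an extension such as `.plx` or `.gifs` is treated as a forced image; once only the bare URL is tested, anchoring it, e.g. `"/\.(".$force_img.")(\?.*)?$/i"`, keeps query strings for cgi/pl scripts working while matching the extension only. A one-line comment on `$force_img`, `// Extensions always rendered as <img>, even when INLINE_IMAGES also lists object types`, would explain why the list duplicates part of INLINE_IMAGES. LinkImage() continues past the end of this hunk.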
@@ -425,16 +435,62 @@ function LinkImage($url, $alt = false) { or ($height < 3 and $width < 20) or ($height < 7 and $width < 7)) { - trigger_error(_("Invalid image size"), E_USER_NOTICE); + trigger_error(_("Invalid image size"), E_USER_WARNING); return ''; } } } } $link->setAttr('class', 'inlineimage'); + + /* Check for inlined objects. Everything allowed in INLINE_IMAGES besides + * png|jpg|gif|jpeg|bmp|pl|cgi + * Note: Allow cgi's (pl,cgi) returning images. + */ + if (!preg_match("/\.(".$force_img.")/i", $url)) { + //HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt)); + // => HTML::object(array('src' => $url)) ...; + return ImgObject($link, $ori_url); + } return $link; } +/** + * / tags instead of for all non-image extensions allowed via INLINE_IMAGES + * Called by LinkImage(), not directly. + * Syntax: [image.svg size=50% border=n align= hspace= vspace= width= height=] + * $alt may be an alternate img + * TODO: Need to unify with WikiPluginCached::embedObject() + * + * Note that Safari 1.0 will crash with , use only + * http://www.alleged.org.uk/pdc/2002/svg-object.html + */ +function ImgObject($img, $url) { + // get the url args: data="sample.svgz" type="image/svg+xml" width="400" height="300" + $args = split(' ', $url); + if (count($args) >= 1) { + $url = array_shift($args); + foreach ($args as $attr) { + if (preg_match('/^type=(\S+)$/',$attr,$m)) + $img->setAttr('type', $m[1]); + if (preg_match('/^data=(\S+)$/',$attr,$m)) + $img->setAttr('data', $m[1]); + } + } + $type = $img->getAttr('type'); + if (!$type) { + // TODO: map extension to mime-types if type is not given and php < 4.3 + if (function_exists('mime_content_type')) + $type = mime_content_type($url); + } + $link = HTML::object(array_merge($img->_attr, array('src' => $url, 'type' => $type))); + $link->setAttr('class', 'inlineobject'); + if (isBrowserSafari()) { + return HTML::embed($link->_attr); + } + $link->pushContent(HTML::embed($link->_attr)); + return $link; +} class Stack { 
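Review bot: `HTML::object(array_merge($img->_attr, array('src' => $url, 'type' => $type)))` names the resource through `src`, which `<object>` does not use, so unless the wiki author wrote an explicit `data=` token the element has no `data` attribute and embeds nothing; at the same time the `data=` and `type=` tokens that are honoured are taken verbatim from the link text and, as far as this hunk shows, are not the value that went through the upstream protocol and INLINE_IMAGES checks. Always point the object at the validated URL and drop the `data=` override: `$link = HTML::object(array_merge($img->_attr, array('src' => $url, 'data' => $url, 'type' => $type)));` (keeping `src` so the `<embed>` built from the same attribute array still works). `mime_content_type($url)` receives that same wiki-supplied URL; with URL wrappers enabled the server may fetch the resource at render time, so the extension-to-type mapping the TODO mentions is the safer fallback and also avoids emitting `type=""` when detection fails. `count($args) >= 1` is always true after `split()`, so the guard can go. The doc comment should also say that the formats this path exists for (svg, swf, class) can carry active content, which is what makes INLINE_IMAGES a trust decision rather than a display option.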
@@ -1969,6 +2025,9 @@ function getMemoryUsage() {
 }
 
 // $Log: not supported by cvs2svn $
+// Revision 1.239 2005/04/01 16:11:42 rurban
+// just whitespace
+//
 // Revision 1.238 2005/03/04 16:29:14 rurban
 // Fixed bug #994994 (escape / in glob)
 // Optimized glob_to_pcre within fileSet() matching.
-- 
2.45.0