diff options
| author |   Henry Sudhof <kellanved@phpbb.com> | 2010-02-21 11:35:45 +0000 |
|---|---|---|
| committer | Henry Sudhof <kellanved@phpbb.com> | 2010-02-21 11:35:45 +0000 |
| commit | 9aa4a822efac6763c0de22d5d62fe7e6b3c9c31a (patch) | |
| tree | 9c77fbc3b7155f096eeeac6e768964e0e9f642fa | |
| parent | propdel (diff) | |
| download | phpbb-9aa4a822efac6763c0de22d5d62fe7e6b3c9c31a.tar.gz phpbb-9aa4a822efac6763c0de22d5d62fe7e6b3c9c31a.tar.bz2 phpbb-9aa4a822efac6763c0de22d5d62fe7e6b3c9c31a.zip | |
Enter stage left: the INTTEXT token (merge)
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_7@10517 89ea8834-ac86-4346-8a33-228a782c2dd0
| -rw-r--r-- | phpBB/docs/CHANGELOG.html | 3 | ||||
| -rw-r--r-- | phpBB/includes/acp/acp_bbcodes.php | 8 | ||||
| -rw-r--r-- | phpBB/includes/bbcode.php | 2 | ||||
| -rw-r--r-- | phpBB/language/en/acp/posting.php | 5 |
4 files changed, 14 insertions, 4 deletions
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html index 7204f15110..218ed0b90e 100644 --- a/phpBB/docs/CHANGELOG.html +++ b/phpBB/docs/CHANGELOG.html @@ -179,7 +179,10 @@ <li>[Change] Tweak Q&A CAPTCHA garbage collection.</li> <li>[Change] Show a proper preview for the Q&A CAPTCHA. (Bug #56365)</li> <li>[Change] Speed up topic move operation by adding an index for topic_id on the topics track table. (Bug #56545)</li> + <li>[Change] Warn users about potentially dangerous BBcodes.</li> <li>[Feature] Ability to use HTTP authentication in ATOM feeds by passing the GET parameter "auth=http".</li> + <li>[Feature] Add INTTEXT token type to custom bbcodes to allow non-ASCII letters in html attributes.</li> + </ul> <a name="v305"></a><h3>1.ii. Changes since 3.0.5</h3> diff --git a/phpBB/includes/acp/acp_bbcodes.php b/phpBB/includes/acp/acp_bbcodes.php index 681794c972..ab042f15bf 100644 --- a/phpBB/includes/acp/acp_bbcodes.php +++ b/phpBB/includes/acp/acp_bbcodes.php @@ -315,6 +315,7 @@ class acp_bbcodes { $bbcode_match = trim($bbcode_match); $bbcode_tpl = trim($bbcode_tpl); + $utf8 = strpos($bbcode_match, 'INTTEXT') !== false; $fp_match = preg_quote($bbcode_match, '!'); $fp_replace = preg_replace('#^\[(.*?)\]#', '[$1:$uid]', $bbcode_match); @@ -342,6 +343,9 @@ class acp_bbcodes 'SIMPLETEXT' => array( '!([a-zA-Z0-9-+.,_ ]+)!' => "$1" ), + 'INTTEXT' => array( + '!([\p{L}\p{N}+-,_.\s]+)!u' => "$1" + ), 'IDENTIFIER' => array( '!([a-zA-Z0-9-_]+)!' => "$1" ), @@ -359,6 +363,7 @@ class acp_bbcodes 'EMAIL' => '(' . get_preg_expression('email') . ')', 'TEXT' => '(.*?)', 'SIMPLETEXT' => '([a-zA-Z0-9-+.,_ ]+)', + 'INTTEXT' => '([\p{L}\p{N}+-,_.\s]+)', 'IDENTIFIER' => '([a-zA-Z0-9-_]+)', 'COLOR' => '([a-zA-Z]+|#[0-9abcdefABCDEF]+)', 'NUMBER' => '([0-9]+)', @@ -366,7 +371,8 @@ class acp_bbcodes $pad = 0; $modifiers = 'i'; - + $modifiers .= ($utf8) ? 'u' : ''; + if (preg_match_all('/\{(' . implode('|', array_keys($tokens)) . ')[0-9]*\}/i', $bbcode_match, $m)) { foreach ($m[0] as $n => $token) diff --git a/phpBB/includes/bbcode.php b/phpBB/includes/bbcode.php index f58852c00b..304191e38d 100644 --- a/phpBB/includes/bbcode.php +++ b/phpBB/includes/bbcode.php @@ -360,7 +360,7 @@ class bbcode // In order to use templates with custom bbcodes we need // to replace all {VARS} to corresponding backreferences // Note that backreferences are numbered from bbcode_match - if (preg_match_all('/\{(URL|LOCAL_URL|EMAIL|TEXT|SIMPLETEXT|IDENTIFIER|COLOR|NUMBER)[0-9]*\}/', $rowset[$bbcode_id]['bbcode_match'], $m)) + if (preg_match_all('/\{(URL|LOCAL_URL|EMAIL|TEXT|SIMPLETEXT|INTTEXT|IDENTIFIER|COLOR|NUMBER)[0-9]*\}/', $rowset[$bbcode_id]['bbcode_match'], $m)) { foreach ($m[0] as $i => $tok) { diff --git a/phpBB/language/en/acp/posting.php b/phpBB/language/en/acp/posting.php index 74cd29ffee..443f4a3ea2 100644 --- a/phpBB/language/en/acp/posting.php +++ b/phpBB/language/en/acp/posting.php @@ -41,7 +41,7 @@ $lang = array_merge($lang, array( 'ACP_BBCODES_EXPLAIN' => 'BBCode is a special implementation of HTML offering greater control over what and how something is displayed. From this page you can add, remove and edit custom BBCodes.', 'ADD_BBCODE' => 'Add a new BBCode', - 'BBCODE_DANGER' => 'The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} type instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.', + 'BBCODE_DANGER' => 'The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} or {INTTEXT} types instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.', 'BBCODE_DANGER_PROCEED' => 'Proceed', //'I understand the risk', 'BBCODE_ADDED' => 'BBCode added successfully.', @@ -76,8 +76,9 @@ $lang = array_merge($lang, array( 'TOO_MANY_BBCODES' => 'You cannot create any more BBCodes. Please remove one or more BBCodes then try again.', 'tokens' => array( - 'TEXT' => 'Any text, including foreign characters, numbers, etc… You should not use this token in HTML tags. Instead try to use IDENTIFIER or SIMPLETEXT.', + 'TEXT' => 'Any text, including foreign characters, numbers, etc… You should not use this token in HTML tags. Instead try to use IDENTIFIER, INTTEXT or SIMPLETEXT.', 'SIMPLETEXT' => 'Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore', + 'INTTEXT' => 'Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces.', 'IDENTIFIER' => 'Characters from the latin alphabet (A-Z), numbers, hyphen and underscore', 'NUMBER' => 'Any series of digits', 'EMAIL' => 'A valid e-mail address', |