Enter stage left: the INTTEXT token

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@10516 89ea8834-ac86-4346-8a33-228a782c2dd0
Henry Sudhof 2010-02-21 11:33:29 +00:00
parent 6b99b85c8f
commit 22621e0439
4 changed files with 14 additions and 4 deletions


@ -193,7 +193,10 @@
<li>[Change] Tweak Q&amp;A CAPTCHA garbage collection.</li> <li>[Change] Tweak Q&amp;A CAPTCHA garbage collection.</li>
<li>[Change] Show a proper preview for the Q&amp;A CAPTCHA. (Bug #56365)</li> <li>[Change] Show a proper preview for the Q&amp;A CAPTCHA. (Bug #56365)</li>
<li>[Change] Speed up topic move operation by adding an index for topic_id on the topics track table. (Bug #56545)</li> <li>[Change] Speed up topic move operation by adding an index for topic_id on the topics track table. (Bug #56545)</li>
<li>[Change] Warn users about potentially dangerous BBcodes.</li>
<li>[Feature] Ability to use HTTP authentication in ATOM feeds by passing the GET parameter &quot;auth=http&quot;.</li> <li>[Feature] Ability to use HTTP authentication in ATOM feeds by passing the GET parameter &quot;auth=http&quot;.</li>
<li>[Feature] Add INTTEXT token type to custom bbcodes to allow non-ASCII letters in html attributes.</li>
</ul> </ul>
<a name="v305"></a><h3>1.iii. Changes since 3.0.5</h3> <a name="v305"></a><h3>1.iii. Changes since 3.0.5</h3>


@ -315,6 +315,7 @@ class acp_bbcodes
{ {
$bbcode_match = trim($bbcode_match); $bbcode_match = trim($bbcode_match);
$bbcode_tpl = trim($bbcode_tpl); $bbcode_tpl = trim($bbcode_tpl);
$utf8 = strpos($bbcode_match, 'INTTEXT') !== false;
$fp_match = preg_quote($bbcode_match, '!'); $fp_match = preg_quote($bbcode_match, '!');
$fp_replace = preg_replace('#^\[(.*?)\]#', '[$1:$uid]', $bbcode_match); $fp_replace = preg_replace('#^\[(.*?)\]#', '[$1:$uid]', $bbcode_match);
@ -342,6 +343,9 @@ class acp_bbcodes
'SIMPLETEXT' => array( 'SIMPLETEXT' => array(
'!([a-zA-Z0-9-+.,_ ]+)!' => "$1" '!([a-zA-Z0-9-+.,_ ]+)!' => "$1"
), ),
'INTTEXT' => array(
'!([\p{L}\p{N}+-,_.\s]+)!u' => "$1"
),
'IDENTIFIER' => array( 'IDENTIFIER' => array(
'!([a-zA-Z0-9-_]+)!' => "$1" '!([a-zA-Z0-9-_]+)!' => "$1"
), ),
@ -359,6 +363,7 @@ class acp_bbcodes
'EMAIL' => '(' . get_preg_expression('email') . ')', 'EMAIL' => '(' . get_preg_expression('email') . ')',
'TEXT' => '(.*?)', 'TEXT' => '(.*?)',
'SIMPLETEXT' => '([a-zA-Z0-9-+.,_ ]+)', 'SIMPLETEXT' => '([a-zA-Z0-9-+.,_ ]+)',
'INTTEXT' => '([\p{L}\p{N}+-,_.\s]+)',
'IDENTIFIER' => '([a-zA-Z0-9-_]+)', 'IDENTIFIER' => '([a-zA-Z0-9-_]+)',
'COLOR' => '([a-zA-Z]+|#[0-9abcdefABCDEF]+)', 'COLOR' => '([a-zA-Z]+|#[0-9abcdefABCDEF]+)',
'NUMBER' => '([0-9]+)', 'NUMBER' => '([0-9]+)',
@ -366,6 +371,7 @@ class acp_bbcodes
$pad = 0; $pad = 0;
$modifiers = 'i'; $modifiers = 'i';
$modifiers .= ($utf8) ? 'u' : '';
if (preg_match_all('/\{(' . implode('|', array_keys($tokens)) . ')[0-9]*\}/i', $bbcode_match, $m)) if (preg_match_all('/\{(' . implode('|', array_keys($tokens)) . ')[0-9]*\}/i', $bbcode_match, $m))
{ {
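Review bot: The INTTEXT character class `[\p{L}\p{N}+-,_.\s]` in the replace rule of the second hunk (and repeated in the `$tokens` match pattern of the third hunk) does not accept a hyphen: inside a bracket expression `+-,` is a range from `+` (0x2B) to `,` (0x2C), so `-` itself is excluded, which contradicts the new language string that promises "minus, plus, hyphen". Move the hyphen to the end of the class in both places, `'!([\p{L}\p{N}+,_.\s-]+)!u' => "$1"` and `'INTTEXT' => '([\p{L}\p{N}+,_.\s-]+)',`. The narrow class is what makes this token usable inside an HTML attribute (it keeps `"`, `'`, `<`, `>` and `&` out of the value), so having the same literal in two spots is worth hoisting into one class constant so the match and replace patterns cannot drift apart. With the `u` modifier PCRE rejects subjects that are not valid UTF-8 and `preg_replace` returns null, which fails closed here; the enclosing method starts before the first hunk and continues past the last one.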


@ -360,7 +360,7 @@ class bbcode
// In order to use templates with custom bbcodes we need // In order to use templates with custom bbcodes we need
// to replace all {VARS} to corresponding backreferences // to replace all {VARS} to corresponding backreferences
// Note that backreferences are numbered from bbcode_match // Note that backreferences are numbered from bbcode_match
if (preg_match_all('/\{(URL|LOCAL_URL|EMAIL|TEXT|SIMPLETEXT|IDENTIFIER|COLOR|NUMBER)[0-9]*\}/', $rowset[$bbcode_id]['bbcode_match'], $m)) if (preg_match_all('/\{(URL|LOCAL_URL|EMAIL|TEXT|SIMPLETEXT|INTTEXT|IDENTIFIER|COLOR|NUMBER)[0-9]*\}/', $rowset[$bbcode_id]['bbcode_match'], $m))
{ {
foreach ($m[0] as $i => $tok) foreach ($m[0] as $i => $tok)
{ {
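Review bot: The alternation `URL|LOCAL_URL|EMAIL|TEXT|SIMPLETEXT|INTTEXT|IDENTIFIER|COLOR|NUMBER` on the `preg_match_all` line is a second hand-maintained copy of the token names held in the `$tokens` array of the acp_bbcodes class, and this commit had to edit both; a token added on one side and forgotten on the other would silently be left in the template as literal `{NAME}` text. Until the list is derived from a single definition, a comment above the line such as `// Keep this token list in sync with the $tokens array in acp_bbcodes` would at least flag the coupling to the next maintainer. The enclosing function starts and ends outside the hunk.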


@ -41,7 +41,7 @@ $lang = array_merge($lang, array(
'ACP_BBCODES_EXPLAIN' => 'BBCode is a special implementation of HTML offering greater control over what and how something is displayed. From this page you can add, remove and edit custom BBCodes.', 'ACP_BBCODES_EXPLAIN' => 'BBCode is a special implementation of HTML offering greater control over what and how something is displayed. From this page you can add, remove and edit custom BBCodes.',
'ADD_BBCODE' => 'Add a new BBCode', 'ADD_BBCODE' => 'Add a new BBCode',
'BBCODE_DANGER' => 'The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} type instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.', 'BBCODE_DANGER' => 'The BBCode you are trying to add seems to use a {TEXT} token inside a HTML attribute. This is a possible XSS security issue. Try using the more restrictive {SIMPLETEXT} or {INTTEXT} types instead. Only proceed if you understand the risks involved and you consider the use of {TEXT} absolutely unavoidable.',
'BBCODE_DANGER_PROCEED' => 'Proceed', //'I understand the risk', 'BBCODE_DANGER_PROCEED' => 'Proceed', //'I understand the risk',
'BBCODE_ADDED' => 'BBCode added successfully.', 'BBCODE_ADDED' => 'BBCode added successfully.',
@ -76,8 +76,9 @@ $lang = array_merge($lang, array(
'TOO_MANY_BBCODES' => 'You cannot create any more BBCodes. Please remove one or more BBCodes then try again.', 'TOO_MANY_BBCODES' => 'You cannot create any more BBCodes. Please remove one or more BBCodes then try again.',
'tokens' => array( 'tokens' => array(
'TEXT' => 'Any text, including foreign characters, numbers, etc… You should not use this token in HTML tags. Instead try to use IDENTIFIER or SIMPLETEXT.', 'TEXT' => 'Any text, including foreign characters, numbers, etc… You should not use this token in HTML tags. Instead try to use IDENTIFIER, INTTEXT or SIMPLETEXT.',
'SIMPLETEXT' => 'Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore', 'SIMPLETEXT' => 'Characters from the latin alphabet (A-Z), numbers, spaces, commas, dots, minus, plus, hyphen and underscore',
'INTTEXT' => 'Unicode letter characters, numbers, spaces, commas, dots, minus, plus, hyphen, underscore and whitespaces.',
'IDENTIFIER' => 'Characters from the latin alphabet (A-Z), numbers, hyphen and underscore', 'IDENTIFIER' => 'Characters from the latin alphabet (A-Z), numbers, hyphen and underscore',
'NUMBER' => 'Any series of digits', 'NUMBER' => 'Any series of digits',
'EMAIL' => 'A valid e-mail address', 'EMAIL' => 'A valid e-mail address',