Merge branch '3.2.x'

2025-06-07 20:08:53 +00:00 · 2017-12-23 13:23:07 +01:00 · 2017-12-23 13:23:07 +01:00 · 843586a93f
commit 843586a93f
parent 7ef4be39a5 cb233c862b
4 changed files with 81 additions and 1 deletions
--- a/phpBB/phpbb/textformatter/s9e/factory.php
+++ b/phpBB/phpbb/textformatter/s9e/factory.php
@ -271,7 +271,7 @@ class factory implements \phpbb\textformatter\cache_interface
 		// Add default BBCodes
 		foreach ($this->get_default_bbcodes($configurator) as $bbcode)
 		{
-			$configurator->BBCodes->addCustom($bbcode['usage'], $bbcode['template']);
+			$configurator->BBCodes->addCustom($bbcode['usage'], new UnsafeTemplate($bbcode['template']));
 		}
 		if (isset($configurator->tags['QUOTE']))
 		{
--- a/tests/text_formatter/s9e/factory_test.php
+++ b/tests/text_formatter/s9e/factory_test.php
@ -247,6 +247,22 @@ class phpbb_textformatter_s9e_factory_test extends phpbb_database_test_case
 		$this->assertSame($expected, $renderer->render($parser->parse($original)));
 	}

+	/**
+	* @testdox Accepts unsafe default BBCodes
+	*/
+	public function test_unsafe_default_bbcodes()
+	{
+		$fixture   = __DIR__ . '/fixtures/unsafe_default_bbcodes.xml';
+		$style_dir = __DIR__ . '/fixtures/styles/';
+		$container = $this->get_test_case_helpers()->set_s9e_services(null, $fixture, $style_dir);
+		$parser    = $container->get('text_formatter.parser');
+		$renderer  = $container->get('text_formatter.renderer');
+
+		$original = '[b]alert(1)[/b]';
+		$expected = '<script>alert(1)</script>';
+		$this->assertSame($expected, $renderer->render($parser->parse($original)));
+	}
+
 	/**
 	* @testdox get_configurator() triggers events before and after configuration
 	*/
--- a/tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html
+++ b/tests/text_formatter/s9e/fixtures/styles/unsafe/template/bbcode.html
@ -0,0 +1,40 @@
+<!-- BEGIN ulist_open --><ul style="list-style-type: {LIST_TYPE}"><!-- END ulist_open -->
+<!-- BEGIN ulist_open_default --><ul><!-- END ulist_open_default -->
+<!-- BEGIN ulist_close --></ul><!-- END ulist_close -->
+
+<!-- BEGIN olist_open --><ol style="list-style-type: {LIST_TYPE}"><!-- END olist_open -->
+<!-- BEGIN olist_close --></ol><!-- END olist_close -->
+
+<!-- BEGIN listitem --><li><!-- END listitem -->
+<!-- BEGIN listitem_close --></li><!-- END listitem_close -->
+
+<!-- BEGIN quote_username_open --><blockquote><div><cite>{USERNAME} {L_WROTE}{L_COLON}</cite><!-- END quote_username_open -->
+<!-- BEGIN quote_open --><blockquote class="uncited"><div><!-- END quote_open -->
+<!-- BEGIN quote_close --></div></blockquote><!-- END quote_close -->
+
+<!-- BEGIN code_open --><div class="codebox"><p>{L_CODE}{L_COLON} <a href="#" onclick="selectCode(this); return false;">{L_SELECT_ALL_CODE}</a></p><code><!-- END code_open -->
+<!-- BEGIN code_close --></code></div><!-- END code_close -->
+
+<!-- BEGIN inline_attachment_open --><div class="inline-attachment"><!-- END inline_attachment_open -->
+<!-- BEGIN inline_attachment_close --></div><!-- END inline_attachment_close -->
+
+<!-- BEGIN b_open --><script><!-- END b_open -->
+<!-- BEGIN b_close --></script><!-- END b_close -->
+
+<!-- BEGIN u_open --><span style="text-decoration: underline"><!-- END u_open -->
+<!-- BEGIN u_close --></span><!-- END u_close -->
+
+<!-- BEGIN i_open --><em><!-- END i_open -->
+<!-- BEGIN i_close --></em><!-- END i_close -->
+
+<!-- BEGIN color --><span style="color: {COLOR}">{TEXT}</span><!-- END color -->
+
+<!-- BEGIN size --><span style="font-size: {SIZE}%; line-height: 116%;">{TEXT}</span><!-- END size -->
+
+<!-- BEGIN img --><img src="{URL}" class="postimage" alt="{L_IMAGE}" /><!-- END img -->
+
+<!-- BEGIN url --><a href="{URL}" class="postlink">{DESCRIPTION}</a><!-- END url -->
+
+<!-- BEGIN email --><a href="mailto:{EMAIL}">{DESCRIPTION}</a><!-- END email -->
+
+<!-- BEGIN flash --><object classid="clsid:D27CDB6E-AE6D-11CF-96B8-444553540000" codebase="http://active.macromedia.com/flash2/cabs/swflash.cab#version=5,0,0,0" width="{WIDTH}" height="{HEIGHT}"><param name="movie" value="{URL}" /><param name="play" value="false" /><param name="loop" value="false" /><param name="quality" value="high" /><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><embed src="{URL}" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" width="{WIDTH}" height="{HEIGHT}" play="false" loop="false" quality="high" allowscriptaccess="never" allownetworking="internal"></embed></object><!-- END flash -->
--- a/tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml
+++ b/tests/text_formatter/s9e/fixtures/unsafe_default_bbcodes.xml
@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<dataset>
+	<table name="phpbb_styles">
+		<column>style_id</column>
+		<column>style_name</column>
+		<column>style_copyright</column>
+		<column>style_active</column>
+		<column>style_path</column>
+		<column>bbcode_bitfield</column>
+		<column>style_parent_id</column>
+		<column>style_parent_tree</column>
+
+		<row>
+			<value>1</value>
+			<value>unsafe</value>
+			<value></value>
+			<value>1</value>
+			<value>unsafe</value>
+			<value>QA==</value>
+			<value>0</value>
+			<value></value>
+		</row>
+	</table>
+</dataset>