Merge lp:~tblue/quam-plures/bug13_fix_credits_disp into lp:quam-plures
- bug13_fix_credits_disp
- Merge into trunk
Status: | Merged |
---|---|
Merged at revision: | 7634 |
Proposed branch: | lp:~tblue/quam-plures/bug13_fix_credits_disp |
Merge into: | lp:quam-plures |
Diff against target: |
137 lines (+22/-19) 2 files modified
qp_templates/_credits.disp.php (+11/-10) qp_templates/basic/_credits.disp.php (+11/-9) |
To merge this branch: | bzr merge lp:~tblue/quam-plures/bug13_fix_credits_disp |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Lee Turner (community) | Approve | ||
EdB | Approve | ||
Review via email: mp+74485@code.launchpad.net |
Commit message
Description of the change
Fixes http://
- 7630. By Tilman Blumenbach
-
Merged trunk r7632
Looks good, installs without issue, cures the common cold. Yay!
Lee Turner (leeturner) wrote : | # |
I just have a few quick questions on this one:
Should we be formatting the output to allow all html or should we be restricting it to only allow a limited amount or none at all?
If it is to allow all html but not let it get messed up with bad encoding and/or bad html (as the description of the branch admittedly says) then all is cool and I can approve. However, I have just embedded a youtube video in the long description of a plugin which appears in the credits page via an iframe which seems a little wrong to me. I could embed anything in that iframe really.
Also, all of these things apply to the admin as well. None of the descriptions etc have the 'format_to_output' applied to them in the admin code. Admittedly it is not as bigger problem as the admin is limited in access but still - the youtube videos still display.
Lee Turner (leeturner) wrote : | # |
I guess in summary, what I am asking is whether we should be doing:
format_to_output( $a_plugin-
so no html is allowed but just displayed as is?
L
Tilman Blumenbach (tblue) wrote : | # |
The reason I chose 'htmlbody' for the output filter is that we use it in other places where we output plugin descriptions etc. as well, so I thought it was appropriate. Admittedly, it allows all HTML and only makes sure things like the charset are correct.
Of course it would be better to restrict the HTML tags that can be used -- not only on the credits page but in the admin interface as well. 'entityencoded' should work, let me check. I will change the code to use that filter if everything works.
What would be wrong with a youtube video in a template credit? Or a link or a list or an image? As long as it is properly formed and thus doesn't break the page, and as long as we're scrubbing for malicious intent I can't see why we would want to restrict. Well, other than restricting to what works inside a definition list since that is a current use of that info.
Tilman Blumenbach (tblue) wrote : | # |
Hm. I figured that a template author can sneak in malicious content anyway. Same is true for plugin authors, just use the appropriate hook and output your bad HTML.
Tilman Blumenbach (tblue) wrote : | # |
...so I guess using 'entityencoded' does not make that much sense after all...?
Hey wait. So ... what your saying is a bad person might take advantage of our hooks to do bad things? Like, they might just pop in through the wide open front door? And here I thought all we had to do was worry about then looking for sneaky back-door methods to do evil deeds.
:)
I'm quite happy with this branch as-is. We are sanitizing bits that should be, without worrying about OMG they might be evil ... not that concern is inappropriate.
OFF TOPIC: never mind I'll go off topic in a forum thread.
Lee Turner (leeturner) wrote : | # |
Cool, just thought I would ask.
Preview Diff
1 | === modified file 'qp_templates/_credits.disp.php' | |||
2 | --- qp_templates/_credits.disp.php 2011-08-29 14:22:24 +0000 | |||
3 | +++ qp_templates/_credits.disp.php 2011-09-13 14:47:22 +0000 | |||
4 | @@ -10,7 +10,6 @@ | |||
5 | 10 | * @copyright (c) 2010 by the Quam Plures developers - {@link http://quamplures.net/} | 10 | * @copyright (c) 2010 by the Quam Plures developers - {@link http://quamplures.net/} |
6 | 11 | * @license http://quamplures.net/license.html GNU General Public License (GPL) | 11 | * @license http://quamplures.net/license.html GNU General Public License (GPL) |
7 | 12 | * @package templates | 12 | * @package templates |
8 | 13 | * | ||
9 | 14 | */ | 13 | */ |
10 | 15 | if( !defined('QP_MAIN_INIT') ) die( 'Please, do not access this page directly.' ); | 14 | if( !defined('QP_MAIN_INIT') ) die( 'Please, do not access this page directly.' ); |
11 | 16 | 15 | ||
12 | @@ -33,11 +32,11 @@ | |||
13 | 33 | 32 | ||
14 | 34 | foreach( $credits as $linkback ) | 33 | foreach( $credits as $linkback ) |
15 | 35 | { | 34 | { |
18 | 36 | echo '<dt>'.format_to_output( $linkback['pre'], 'htmlbody').'</dt>'; | 35 | echo '<dt>'.format_to_output( $linkback['pre'], 'htmlbody' ).'</dt>'; |
19 | 37 | echo '<dd><a href="', $linkback['url'].'" title="'; | 36 | echo '<dd><a href="'.format_to_output( $linkback['url'], 'htmlattr' ).'" title="'; |
20 | 38 | echo format_to_output( $linkback['title'], 'htmlattr' ).'">'; | 37 | echo format_to_output( $linkback['title'], 'htmlattr' ).'">'; |
21 | 39 | echo format_to_output( $linkback['text'], 'text' ).'</a></dd><dd>'; | 38 | echo format_to_output( $linkback['text'], 'text' ).'</a></dd><dd>'; |
23 | 40 | echo format_to_output( $linkback['post'], 'htmlbody')."</dd>\n"; | 39 | echo format_to_output( $linkback['post'], 'htmlbody' )."</dd>\n"; |
24 | 41 | } | 40 | } |
25 | 42 | 41 | ||
26 | 43 | echo '</dl></dd>'."\n"; | 42 | echo '</dl></dd>'."\n"; |
27 | @@ -59,19 +58,21 @@ | |||
28 | 59 | $p_name = format_to_output( $a_plugin->name, 'htmlbody' ); | 58 | $p_name = format_to_output( $a_plugin->name, 'htmlbody' ); |
29 | 60 | if( $a_plugin->help_url != '' ) | 59 | if( $a_plugin->help_url != '' ) |
30 | 61 | { | 60 | { |
32 | 62 | $p_name = '<a href="'.$a_plugin->help_url.'" title="'.T_('visit this plugins web page').'">'.$p_name.'</a>'; | 61 | $p_name = '<a href="'.format_to_output( $a_plugin->help_url, 'htmlattr' ).'" title="'.format_to_output( T_('visit this plugins web page'), 'htmlattr' ).'">'.$p_name.'</a>'; |
33 | 63 | } | 62 | } |
34 | 64 | 63 | ||
35 | 65 | $a_name = format_to_output( $a_plugin->author, 'htmlbody' ); | 64 | $a_name = format_to_output( $a_plugin->author, 'htmlbody' ); |
36 | 66 | if( $a_plugin->author_url != '' ) | 65 | if( $a_plugin->author_url != '' ) |
37 | 67 | { | 66 | { |
39 | 68 | $a_name = '<a href="'.$a_plugin->author_url.'" title="'.T_('visit the authors website').'">'.$a_name.'</a>'; | 67 | $a_name = '<a href="'.format_to_output( $a_plugin->author_url, 'htmlattr' ).'" title="'.format_to_output( T_('visit the authors website'), 'htmlattr' ).'">'.$a_name.'</a>'; |
40 | 69 | } | 68 | } |
41 | 70 | 69 | ||
42 | 71 | $credits[ strtolower( $a_plugin->name ) ] = array( | 70 | $credits[ strtolower( $a_plugin->name ) ] = array( |
43 | 72 | 'p_name' => $p_name, | 71 | 'p_name' => $p_name, |
44 | 73 | 'a_name' => $a_name, | 72 | 'a_name' => $a_name, |
46 | 74 | 'desc' => $a_plugin->long_desc, | 73 | // Looks like we usually allow HTML in plugin descriptions. |
47 | 74 | // We still need to make sure no bad chars mess up the template/encoding. | ||
48 | 75 | 'desc' => format_to_output( $a_plugin->long_desc, 'htmlbody' ), | ||
49 | 75 | ); | 76 | ); |
50 | 76 | } | 77 | } |
51 | 77 | 78 | ||
52 | @@ -103,7 +104,7 @@ | |||
53 | 103 | echo '<dd><dl>'."\n"; | 104 | echo '<dd><dl>'."\n"; |
54 | 104 | foreach( $_hic_sunt_dracones as $dracone ) | 105 | foreach( $_hic_sunt_dracones as $dracone ) |
55 | 105 | { | 106 | { |
57 | 106 | echo '<dt><a href="'.$dracone['homepage'].'" title="'; | 107 | echo '<dt><a href="'.format_to_output( $dracone['homepage'], 'htmlattr' ).'" title="'; |
58 | 107 | echo format_to_output( $dracone['homepage'], 'htmlattr' ).'">'; | 108 | echo format_to_output( $dracone['homepage'], 'htmlattr' ).'">'; |
59 | 108 | echo format_to_output( $dracone['name'], 'text' ).'</a></dt><dd>'; | 109 | echo format_to_output( $dracone['name'], 'text' ).'</a></dt><dd>'; |
60 | 109 | locale_flag( $dracone['locale'], 'h10px', 'leftmargin' ); | 110 | locale_flag( $dracone['locale'], 'h10px', 'leftmargin' ); |
61 | @@ -115,9 +116,9 @@ | |||
62 | 115 | // Finally: QP's only linkback | 116 | // Finally: QP's only linkback |
63 | 116 | if( isset( $Template ) ) | 117 | if( isset( $Template ) ) |
64 | 117 | { | 118 | { |
66 | 118 | echo '<dt>'.$Template->poweredby_linkback['pre'].':</dt>'."\n"; | 119 | echo '<dt>'.format_to_output( $Template->poweredby_linkback['pre'], 'htmlbody' ).':</dt>'."\n"; |
67 | 119 | echo '<dd><dl>', "\n"; | 120 | echo '<dd><dl>', "\n"; |
69 | 120 | echo '<dt><a href="', $Template->poweredby_linkback['url'], '" title="'; | 121 | echo '<dt><a href="'.format_to_output( $Template->poweredby_linkback['url'], 'htmlattr' ).'" title="'; |
70 | 121 | echo format_to_output( $Template->poweredby_linkback['title'], 'htmlattr' ), '">'; | 122 | echo format_to_output( $Template->poweredby_linkback['title'], 'htmlattr' ), '">'; |
71 | 122 | echo format_to_output( $Template->poweredby_linkback['text'], 'text' ), '</a></dt><dd>'; | 123 | echo format_to_output( $Template->poweredby_linkback['text'], 'text' ), '</a></dt><dd>'; |
72 | 123 | echo format_to_output( $Template->poweredby_linkback['post'], 'htmlbody'), "</dd>\n"; | 124 | echo format_to_output( $Template->poweredby_linkback['post'], 'htmlbody'), "</dd>\n"; |
73 | 124 | 125 | ||
74 | === modified file 'qp_templates/basic/_credits.disp.php' | |||
75 | --- qp_templates/basic/_credits.disp.php 2011-08-29 14:22:24 +0000 | |||
76 | +++ qp_templates/basic/_credits.disp.php 2011-09-13 14:47:22 +0000 | |||
77 | @@ -38,11 +38,11 @@ | |||
78 | 38 | echo '<dd><dl>'."\n"; | 38 | echo '<dd><dl>'."\n"; |
79 | 39 | foreach( $credits as $linkback ) | 39 | foreach( $credits as $linkback ) |
80 | 40 | { | 40 | { |
83 | 41 | echo '<dt>'.format_to_output( $linkback['pre'], 'htmlbody').'</dt>'; | 41 | echo '<dt>'.format_to_output( $linkback['pre'], 'htmlbody' ).'</dt>'; |
84 | 42 | echo '<dd><a href="', $linkback['url'].'" title="'; | 42 | echo '<dd><a href="'.format_to_output( $linkback['url'], 'htmlattr' ).'" title="'; |
85 | 43 | echo format_to_output( $linkback['title'], 'htmlattr' ).'">'; | 43 | echo format_to_output( $linkback['title'], 'htmlattr' ).'">'; |
86 | 44 | echo format_to_output( $linkback['text'], 'text' ).'</a></dd><dd>'; | 44 | echo format_to_output( $linkback['text'], 'text' ).'</a></dd><dd>'; |
88 | 45 | echo format_to_output( $linkback['post'], 'htmlbody')."</dd>\n"; | 45 | echo format_to_output( $linkback['post'], 'htmlbody' )."</dd>\n"; |
89 | 46 | } | 46 | } |
90 | 47 | echo '</dl></dd>'."\n"; | 47 | echo '</dl></dd>'."\n"; |
91 | 48 | } | 48 | } |
92 | @@ -63,19 +63,21 @@ | |||
93 | 63 | $p_name = format_to_output( $a_plugin->name, 'htmlbody' ); | 63 | $p_name = format_to_output( $a_plugin->name, 'htmlbody' ); |
94 | 64 | if( $a_plugin->help_url != '' ) | 64 | if( $a_plugin->help_url != '' ) |
95 | 65 | { | 65 | { |
97 | 66 | $p_name = '<a href="'.$a_plugin->help_url.'" title="'.T_('visit this plugins web page').'">'.$p_name.'</a>'; | 66 | $p_name = '<a href="'.format_to_output( $a_plugin->help_url, 'htmlattr' ).'" title="'.format_to_output( T_('visit this plugins web page'), 'htmlattr' ).'">'.$p_name.'</a>'; |
98 | 67 | } | 67 | } |
99 | 68 | 68 | ||
100 | 69 | $a_name = format_to_output( $a_plugin->author, 'htmlbody' ); | 69 | $a_name = format_to_output( $a_plugin->author, 'htmlbody' ); |
101 | 70 | if( $a_plugin->author_url != '' ) | 70 | if( $a_plugin->author_url != '' ) |
102 | 71 | { | 71 | { |
104 | 72 | $a_name = '<a href="'.$a_plugin->author_url.'" title="'.T_('visit the authors website').'">'.$a_name.'</a>'; | 72 | $a_name = '<a href="'.format_to_output( $a_plugin->author_url, 'htmlattr' ).'" title="'.format_to_output( T_('visit the authors website'), 'htmlattr' ).'">'.$a_name.'</a>'; |
105 | 73 | } | 73 | } |
106 | 74 | 74 | ||
107 | 75 | $credits[ strtolower( $a_plugin->name ) ] = array( | 75 | $credits[ strtolower( $a_plugin->name ) ] = array( |
108 | 76 | 'p_name' => $p_name, | 76 | 'p_name' => $p_name, |
109 | 77 | 'a_name' => $a_name, | 77 | 'a_name' => $a_name, |
111 | 78 | 'desc' => $a_plugin->long_desc, | 78 | // Looks like we usually allow HTML in plugin descriptions. |
112 | 79 | // We still need to make sure no bad chars mess up the template/encoding. | ||
113 | 80 | 'desc' => format_to_output( $a_plugin->long_desc, 'htmlbody' ), | ||
114 | 79 | ); | 81 | ); |
115 | 80 | } | 82 | } |
116 | 81 | 83 | ||
117 | @@ -107,7 +109,7 @@ | |||
118 | 107 | echo '<dd><dl>'."\n"; | 109 | echo '<dd><dl>'."\n"; |
119 | 108 | foreach( $_hic_sunt_dracones as $dracone ) | 110 | foreach( $_hic_sunt_dracones as $dracone ) |
120 | 109 | { | 111 | { |
122 | 110 | echo '<dt><a href="'.$dracone['homepage'].'" title="'; | 112 | echo '<dt><a href="'.format_to_output( $dracone['homepage'], 'htmlattr' ).'" title="'; |
123 | 111 | echo format_to_output( $dracone['homepage'], 'htmlattr' ).'">'; | 113 | echo format_to_output( $dracone['homepage'], 'htmlattr' ).'">'; |
124 | 112 | echo format_to_output( $dracone['name'], 'text' ).'</a></dt><dd>'; | 114 | echo format_to_output( $dracone['name'], 'text' ).'</a></dt><dd>'; |
125 | 113 | locale_flag( $dracone['locale'], 'h10px', 'leftmargin' ); | 115 | locale_flag( $dracone['locale'], 'h10px', 'leftmargin' ); |
126 | @@ -119,9 +121,9 @@ | |||
127 | 119 | // Finally: QP's only linkback | 121 | // Finally: QP's only linkback |
128 | 120 | if( isset( $Template ) ) | 122 | if( isset( $Template ) ) |
129 | 121 | { | 123 | { |
131 | 122 | echo '<dt>'.$Template->poweredby_linkback['pre'].':</dt>'."\n"; | 124 | echo '<dt>'.format_to_output( $Template->poweredby_linkback['pre'], 'htmlbody' ).':</dt>'."\n"; |
132 | 123 | echo '<dd><dl>', "\n"; | 125 | echo '<dd><dl>', "\n"; |
134 | 124 | echo '<dt><a href="', $Template->poweredby_linkback['url'], '" title="'; | 126 | echo '<dt><a href="'.format_to_output( $Template->poweredby_linkback['url'], 'htmlattr' ).'" title="'; |
135 | 125 | echo format_to_output( $Template->poweredby_linkback['title'], 'htmlattr' ), '">'; | 127 | echo format_to_output( $Template->poweredby_linkback['title'], 'htmlattr' ), '">'; |
136 | 126 | echo format_to_output( $Template->poweredby_linkback['text'], 'text' ), '</a></dt><dd>'; | 128 | echo format_to_output( $Template->poweredby_linkback['text'], 'text' ), '</a></dt><dd>'; |
137 | 127 | echo format_to_output( $Template->poweredby_linkback['post'], 'htmlbody'), "</dd>\n"; | 129 | echo format_to_output( $Template->poweredby_linkback['post'], 'htmlbody'), "</dd>\n"; |
will get this done today (mtz)