When serving html files smaller than 1M, always display the filter message and...

When serving html files smaller than 1M, always display the filter message and link to download the original

When serving html files smaller than 1M, always display the filter message and...
When serving html files smaller than 1M, always display the filter message and link to download the original
06994961 · Richard Mansfield · 3e68c3d7 · 06994961 · 06994961 · 06994961
Commit 06994961 authored Jan 14, 2008 by Richard Mansfield
4 changed files
--- a/htdocs/lang/en.utf8/mahara.php
+++ b/htdocs/lang/en.utf8/mahara.php
@@ -510,7 +510,7 @@ $string['youraccounthasbeenunsuspended'] = 'Your account has been unsuspended';
 $string['youraccounthasbeenunsuspendedtext'] = 'Your account has been unsuspended'; // @todo: more info?

 // Display of purified html
-$string['htmlremovedmessage'] = 'Some potentially malicious content was detected and removed from this file.';
+$string['htmlremovedmessage'] = 'The file displayed below has been filtered to remove malicious content.';
 $string['downloadoriginalversion'] = 'Download the original version';

 // size of stuff

--- a/htdocs/lib/file.php
+++ b/htdocs/lib/file.php
@@ -72,22 +72,14 @@ function serve_file($path, $filename, $options=array()) {

    if ($mimetype == 'text/html') {
        if (isset($options['cleanhtmlparams']) && $filesize < 1024 * 1024) {
-            // Read file contents, clean if necessary
-            $originalhtml = file_get_contents($path);
-            $purifyresult = clean_text($originalhtml, true);
-            if ($purifyresult->purified) {
-                display_cleaned_html($purifyresult->html, $options['cleanhtmlparams']);
-                exit;
-            }
-            $fileoutput = $originalhtml;
-        }
-        else {
-            $options['forcedownload'] = true;
-            $mimetype = 'application/octet-stream';
+            display_cleaned_html(file_get_contents($path), $options['cleanhtmlparams']);
+            exit;
        }
+        $options['forcedownload'] = true;
+        $mimetype = 'application/octet-stream';
    }

-    if (!$mimetype || (!is_image_mime_type($mimetype) && (isset($_SERVER['HTTP_USER_AGENT']) && false !== strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE'))) && !isset($fileoutput)) {
+    if (!$mimetype || (!is_image_mime_type($mimetype) && (isset($_SERVER['HTTP_USER_AGENT']) && false !== strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE')))) {
        $mimetype = 'application/forcedownload';
    }

@@ -184,12 +176,7 @@ function serve_file($path, $filename, $options=array()) {
    }
    header('Content-Length: ' . $filesize);
    while (@ob_end_flush()); //flush the buffers - save memory and disable sid rewrite
-    if (isset($fileoutput)) {
-        echo $fileoutput;
-    }
-    else {
-        readfile_chunked($path);
-    }
+    readfile_chunked($path);
    exit;
 }


--- a/htdocs/lib/htmlpurifier/HTMLPurifier.php
+++ b/htdocs/lib/htmlpurifier/HTMLPurifier.php
@@ -131,7 +131,7 @@ class HTMLPurifier
     *                that HTMLPurifier_Config::create() supports.
     * @return Purified HTML
     */
-    public function purify($html, $config = null, $test = false) {
+    public function purify($html, $config = null) {
        
        // todo: make the config merge in, instead of replace
        $config = $config ? HTMLPurifier_Config::create($config) : $this->config;
@@ -168,21 +168,27 @@ class HTMLPurifier
            $html = $this->filters[$i]->preFilter($html, $config, $context);
        }
        
-        $dirtytokens = $lexer->tokenizeHTML($html, $config, $context);
-        $cleantokens = $this->strategy->execute($dirtytokens, $config, $context);
-
        // purified HTML
-        $html = $this->generator->generateFromTokens($cleantokens, $config, $context);
-
+        $html = 
+            $this->generator->generateFromTokens(
+                // list of tokens
+                $this->strategy->execute(
+                    // list of un-purified tokens
+                    $lexer->tokenizeHTML(
+                        // un-purified HTML
+                        $html, $config, $context
+                    ),
+                    $config, $context
+                ),
+                $config, $context
+            );
+        
        for ($i = $size - 1; $i >= 0; $i--) {
            $html = $this->filters[$i]->postFilter($html, $config, $context);
        }
        
        $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
        $this->context =& $context;
-        if ($test) {
-            return (object) array('html' => $html, 'purified' => $dirtytokens != $cleantokens);
-        }
        return $html;
    }
    

--- a/htdocs/lib/web.php
+++ b/htdocs/lib/web.php
@@ -1969,15 +1969,14 @@ function format_introduction($introduction) {
 * and removes any nasty tags that could mess up pages.
 *
 * @param string $text The text to be cleaned
- * @param string $test Test whether anything was cleaned
 * @return string The cleaned up text
 */
-function clean_text($text, $test = false) {
+function clean_text($text) {
    require_once('htmlpurifier/HTMLPurifier.auto.php');
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache', 'SerializerPath', get_config('dataroot') . 'htmlpurifier');
    $purifier = new HTMLPurifier($config);
-    return $purifier->purify($text, null, $test);
+    return $purifier->purify($text);
 }


@@ -1991,7 +1990,7 @@ function clean_text($text, $test = false) {
 function display_cleaned_html($html, $params) {
    $smarty = smarty_core();
    $smarty->assign('params', $params);
-    $smarty->assign('content', $html);
+    $smarty->assign('content', clean_text($html));
    $smarty->display('cleanedhtml.tpl');
    exit;
 }