From 3b9d8697ed2eca0494de191ea425734d3d8052eb Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Fri, 19 Jan 2018 15:24:39 +0100
Subject: [PATCH 1/3] Introduce class Icinga\Web\Helper\HtmlPurifier
refs #2641
---
library/Icinga/Web/Helper/HtmlPurifier.php | 93 ++++++++++++++++++++++
1 file changed, 93 insertions(+)
create mode 100644 library/Icinga/Web/Helper/HtmlPurifier.php
diff --git a/library/Icinga/Web/Helper/HtmlPurifier.php b/library/Icinga/Web/Helper/HtmlPurifier.php
new file mode 100644
index 000000000..525972e2d
--- /dev/null
+++ b/library/Icinga/Web/Helper/HtmlPurifier.php
@@ -0,0 +1,93 @@
+set('Core.EscapeNonASCIICharacters', true);
+ $purifierConfig->set('Attr.AllowedFrameTargets', array('_blank'));
+ // This avoids permission problems:
+ // $purifierConfig->set('Core.DefinitionCache', null);
+ $purifierConfig->set('Cache.DefinitionImpl', null);
+ // TODO: Use a cache directory:
+ // $purifierConfig->set('Cache.SerializerPath', '/var/spool/whatever');
+ // $purifierConfig->set('URI.Base', 'http://www.example.com');
+ // $purifierConfig->set('URI.MakeAbsolute', true);
+
+ $this->configure($purifierConfig);
+
+ if ($config instanceof Closure) {
+ call_user_func($config, $purifierConfig);
+ } elseif (is_array($config)) {
+ $purifierConfig->loadArray($config);
+ } elseif ($config !== null) {
+ throw new InvalidArgumentException('$config must be either a Closure or array');
+ }
+
+ $this->purifier = new \HTMLPurifier($purifierConfig);
+ }
+
+ /**
+ * Apply additional default configuration
+ *
+ * May be overwritten by more concrete purifier implementations.
+ *
+ * @param \HTMLPurifier_Config $config
+ */
+ protected function configure($config)
+ {
+ }
+
+ /**
+ * Purify and return the given HTML string
+ *
+ * @param string $html
+ * @param array|Closure $config Configuration to use instead of the default
+ *
+ * @return string
+ */
+ public function purify($html, $config = null)
+ {
+ return $this->purifier->purify($html, $config);
+ }
+
+ /**
+ * Purify and return the given HTML string
+ *
+ * Convenience method to bypass object creation.
+ *
+ * @param string $html
+ * @param array|Closure $config Additional configuration
+ *
+ * @return string
+ */
+ public static function process($html, $config = null)
+ {
+ $purifier = new static($config);
+
+ return $purifier->purify($html);
+ }
+}
From e59fa13786f1690dbe54646775b10170166d5323 Mon Sep 17 00:00:00 2001
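Review bot: `purify()` hands a caller-supplied `$config` straight to `\HTMLPurifier::purify($html, $config)`, which, as far as I recall of HTML Purifier, builds a fresh config through `HTMLPurifier_Config::create()` that replaces rather than merges with the one assembled in the constructor, so a per-call array silently drops `Core.EscapeNonASCIICharacters`, `Attr.AllowedFrameTargets`, the `Cache.DefinitionImpl = null` setting this class relies on to avoid cache permission problems, and anything a subclass adds in `configure()`; a Closure, which the `@param array|Closure` docblock advertises, is ignored there entirely. Route the override through the same path the constructor already uses instead: `return $config === null ? $this->purifier->purify($html) : static::process($html, $config);`, which keeps the hardened defaults, honours `configure()` and rejects unsupported types with the existing InvalidArgumentException. The hunk's opening lines (file header, `use` statements and the start of the constructor) are not visible in this rendering, so the constructor's signature is inferred from its body.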
From: Johannes Meyer
Date: Fri, 19 Jan 2018 15:25:09 +0100
Subject: [PATCH 2/3] Announcements: Render HTML in announcment messages
refs #2641
---
library/Icinga/Web/Widget/Announcements.php | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/library/Icinga/Web/Widget/Announcements.php b/library/Icinga/Web/Widget/Announcements.php
index 8481a2856..979dd4b56 100644
--- a/library/Icinga/Web/Widget/Announcements.php
+++ b/library/Icinga/Web/Widget/Announcements.php
@@ -8,6 +8,7 @@ use Icinga\Data\Filter\Filter;
 use Icinga\Forms\Announcement\AcknowledgeAnnouncementForm;
 use Icinga\Web\Announcement\AnnouncementCookie;
 use Icinga\Web\Announcement\AnnouncementIniRepository;
+use Icinga\Web\Helper\HtmlPurifier;
 /**
 * Render announcements
@@ -35,12 +36,13 @@ class Announcements extends AbstractWidget
 $announcements = $repo->findActive();
 $announcements->applyFilter($acked);
 if ($announcements->hasResult()) {
+ $purifier = new HtmlPurifier(array('HTML.Allowed' => 'b,a[href|target],i,*[class]'));
 $html = '