diff --git a/composer.json b/composer.json
index 08f960c..0061d5d 100644
--- a/composer.json
+++ b/composer.json
@@ -11,6 +11,7 @@
 "firebase/php-jwt": "2.*",
 "abraham/twitteroauth": "*",
 "andreyco/instagram": "3.*",
+ "ezyang/htmlpurifier": "4.*",
 "p3k/multipart": "*",
 "tantek/cassis": "*",
 "p3k/timezone": "*"
diff --git a/composer.lock b/composer.lock
index ec0f1ff..4cdfe08 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "content-hash": "4ec77b1fe4974da5d6a392ec0d362858", + "content-hash": "1eb78fb0a7afe487cc3c9dd58d35532e", "packages": [ { "name": "abraham/twitteroauth",
@@ -143,6 +143,50 @@ "description": "Cleans up microformats2 array structures", "time": "2014-10-06T23:11:15+00:00" }, + { + "name": "ezyang/htmlpurifier", + "version": "v4.8.0", + "source": { + "type": "git", + "url": "https://github.com/ezyang/htmlpurifier.git", + "reference": "d0c392f77d2f2a3dcf7fcb79e2a1e2b8804e75b2" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/d0c392f77d2f2a3dcf7fcb79e2a1e2b8804e75b2", + "reference": "d0c392f77d2f2a3dcf7fcb79e2a1e2b8804e75b2", + "shasum": "" + }, + "require": { + "php": ">=5.2" + }, + "type": "library", + "autoload": { + "psr-0": { + "HTMLPurifier": "library/" + }, + "files": [ + "library/HTMLPurifier.composer.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "LGPL" + ], + "authors": [ + { + "name": "Edward Z. Yang", + "email": "admin@htmlpurifier.org", + "homepage": "http://ezyang.com" + } + ], + "description": "Standards compliant HTML filter written in PHP", + "homepage": "http://htmlpurifier.org/", + "keywords": [ + "html" + ], + "time": "2016-07-16T12:58:58+00:00" + }, { "name": "firebase/php-jwt", "version": "v2.2.0",
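Review bot: The added `"ezyang/htmlpurifier": "4.*"` constraint has no lower bound for the library that now performs the editor's HTML sanitization; the lock resolves it to `v4.8.0`, but the manifest itself accepts any 4.x release. Prefer an explicit floor such as `"ezyang/htmlpurifier": "^4.8"`, so the minimum version the helper was written against is recorded in composer.json and not only in the lock file.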
diff --git a/controllers/editor.php b/controllers/editor.php
index 81703f6..9016d1d 100644
--- a/controllers/editor.php
+++ b/controllers/editor.php
@@ -14,8 +14,11 @@ $app->post('/editor/publish', function() use($app) {
 $content = $params['body'];
+ // Clean up the HTML from the editor
+ $content = sanitize_editor_html($content);
+
 if($user->micropub_optin_html_content) {
- $content = ['html' => $params['body']];
+ $content = ['html' => $content];
 }
 $micropub_request = array(
diff --git a/lib/helpers.php b/lib/helpers.php
index 4a4da11..26faf49 100644
--- a/lib/helpers.php
+++ b/lib/helpers.php
@@ -380,3 +380,50 @@ function correct_photo_rotation($filename) {
 $image->writeImage($filename);
 }
 }
+
+function sanitize_editor_html($html) {
+ $config = HTMLPurifier_Config::createDefault();
+ $config->set('Cache.DefinitionImpl', null);
+ $config->set('HTML.AllowedElements', [
+ 'a',
+ 'abbr',
+ 'b',
+ 'code',
+ 'del',
+ 'em',
+ 'i',
+ 'img',
+ 'q',
+ 'strike',
+ 'strong',
+ 'blockquote',
+ 'pre',
+ 'p',
+ 'h1',
+ 'h2',
+ 'h3',
+ 'h4',
+ 'h5',
+ 'h6',
+ 'ul',
+ 'li',
+ 'ol'
+ ]);
+
+ // Allow data: URIs
+ $config->set('URI.AllowedSchemes', array('data' => true, 'http' => true, 'https' => true));
+
+ // Strip all classes from elements
+ $config->set('Attr.AllowedClasses', '');
+
+ // $def = $config->getHTMLDefinition(true);
+ $purifier = new HTMLPurifier($config);
+ $sanitized = $purifier->purify($html);
+ $sanitized = str_replace(" ","\r",$sanitized);
+
+ # Remove empty paragraphs
+ $sanitized = str_replace('
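Review bot: `$content = sanitize_editor_html($content);` now runs before the `micropub_optin_html_content` branch, so the non-opt-in path also sends purified output where it previously sent `$params['body']` unchanged; HTML Purifier presumably entity-encodes `<` and `&` in that string, so a body posted as plain content would go out with `&amp;`/`&lt;` unless that path is meant to carry HTML as well — confirm, or move the call inside the `if`. If purifying in both modes is intended, say so at the call site, e.g. `// Purify in both modes: the editor always emits HTML, so the plain path must not carry raw markup either`. Note also that the helper as added in lib/helpers.php lists `data` in `URI.AllowedSchemes`, so purified output can still carry inline `data:` URIs on `a`/`img`; whether the Micropub endpoint expects that is worth confirming. The enclosing `$app->post('/editor/publish', …)` closure starts before the hunk and continues past `$micropub_request = array(`.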