Update of /cvsroot/phpwiki/phpwiki/lib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv18752/lib Modified Files: stdlib.php InlineParser.php Log Message: handle allowed inlined objects within INLINE_IMAGES Index: stdlib.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/stdlib.php,v retrieving revision 1.239 retrieving revision 1.240 diff -u -2 -b -p -d -r1.239 -r1.240 --- stdlib.php 1 Apr 2005 16:11:42 -0000 1.239 +++ stdlib.php 23 Apr 2005 11:15:49 -0000 1.240 @@ -330,4 +330,5 @@ function PossiblyGlueIconToText($proto_o * Determines if the url passed to function is safe, by detecting if the characters * '<', '>', or '"' are present. + * Check against their urlencoded values also. * * @param string $url URL to check for unsafe characters. @@ -335,5 +336,5 @@ function PossiblyGlueIconToText($proto_o */ function IsSafeURL($url) { - return !preg_match('/[<>"]/', $url); + return !preg_match('/([<>"])|(%3C)|(%3E)|(%22)/', $url); } @@ -364,8 +365,15 @@ function LinkURL($url, $linktext = '') { /** - * FIXME: disallow sizes which are too small. + * Inline Images + * + * Syntax: [image.png size=50% border=n align= hspace= vspace= width= height=] + * Disallows sizes which are too small. * Spammers may use such (typically invisible) image attributes to higher their GoogleRank. + * + * Handle embeddable objects, like svg, class, vrml, swf, svgz, pdf especially. */ function LinkImage($url, $alt = false) { + $force_img = "png|jpg|gif|jpeg|bmp|pl|cgi"; + // Disallow tags in img src urls. Typical CSS attacks. // FIXME: Is this needed (or sufficient?) if(! IsSafeURL($url)) { @@ -374,4 +382,6 @@ function LinkImage($url, $alt = false) { } else { // support new syntax: [image.jpg size=50% border=n] + if (!preg_match("/\.(".$force_img.")/i", $url)) + $ori_url = $url; $arr = split(' ',$url); if (count($arr) > 1) { 
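Review bot: The new urlencoded check in IsSafeURL() is case-sensitive, so lowercase `%3c`, `%3e` and `%22` still pass even though browsers decode them exactly like the uppercase forms the regex lists; add the `i` modifier, and the alternation can collapse to a class: `return !preg_match('/[<>"]|%3[ce]|%22/i', $url);`. The docblock directly above now promises that the encoded values are covered, so the case gap is also a documentation mismatch. A three-character denylist remains a weak gate for something that ends up in a src/data attribute — it says nothing about the scheme, so a `javascript:` or `data:` URL passes here; unless the HTML builder restricts schemes elsewhere (not visible in this hunk), an allowlist of `http`, `https`, `ftp` and relative paths would be the stronger check.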
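Review bot: `$ori_url` is assigned only when the `$force_img` regex fails on the still-unsplit bracket string here, while the later `return ImgObject($link, $ori_url)` re-runs the same regex on what appears to be the bare url after `split()`; if the two strings ever disagree (an attribute token containing `.png`, say), ImgObject() is called with an undefined `$ori_url` and its own `split()` receives null. Since `$ori_url` is consumed only on the object path, assign it unconditionally, `$ori_url = $url;`, and let the single test in the object branch decide. The enclosing LinkImage() body continues past this hunk.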
@@ -379,5 +389,5 @@ function LinkImage($url, $alt = false) { } if (empty($alt)) $alt = basename($url); - $link = HTML::img(array('src' => $url, 'alt' => $alt)); + $link = HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt)); if (count($arr) > 1) { array_shift($arr); @@ -401,5 +411,5 @@ function LinkImage($url, $alt = false) { } } - // check width and height as spam countermeasure + // Check width and height as spam countermeasure if (($width = $link->getAttr('width')) and ($height = $link->getAttr('height'))) { //$width = (int) $width; // px or % or other suffix @@ -409,5 +419,5 @@ function LinkImage($url, $alt = false) { ($height < 7 and $width < 7)) { - trigger_error(_("Invalid image size"), E_USER_NOTICE); + trigger_error(_("Invalid image size"), E_USER_WARNING); return ''; } @@ -426,5 +436,5 @@ function LinkImage($url, $alt = false) { or ($height < 7 and $width < 7)) { - trigger_error(_("Invalid image size"), E_USER_NOTICE); + trigger_error(_("Invalid image size"), E_USER_WARNING); return ''; } 
@@ -433,7 +443,53 @@ function LinkImage($url, $alt = false) { } $link->setAttr('class', 'inlineimage'); + + /* Check for inlined objects. Everything allowed in INLINE_IMAGES besides + * png|jpg|gif|jpeg|bmp|pl|cgi + * Note: Allow cgi's (pl,cgi) returning images. + */ + if (!preg_match("/\.(".$force_img.")/i", $url)) { + //HTML::img(array('src' => $url, 'alt' => $alt, 'title' => $alt)); + // => HTML::object(array('src' => $url)) ...; + return ImgObject($link, $ori_url); + } return $link; } +/** + * <object> / <embed> tags instead of <img> for all non-image extensions allowed via INLINE_IMAGES + * Called by LinkImage(), not directly. + * Syntax: [image.svg size=50% border=n align= hspace= vspace= width= height=] + * $alt may be an alternate img + * TODO: Need to unify with WikiPluginCached::embedObject() + * + * Note that Safari 1.0 will crash with <object>, use only <embed> + * http://www.alleged.org.uk/pdc/2002/svg-object.html + */ +function ImgObject($img, $url) { + // get the url args: data="sample.svgz" type="image/svg+xml" width="400" height="300" + $args = split(' ', $url); + if (count($args) >= 1) { + $url = array_shift($args); + foreach ($args as $attr) { + if (preg_match('/^type=(\S+)$/',$attr,$m)) + $img->setAttr('type', $m[1]); + if (preg_match('/^data=(\S+)$/',$attr,$m)) + $img->setAttr('data', $m[1]); + } + } + $type = $img->getAttr('type'); + if (!$type) { + // TODO: map extension to mime-types if type is not given and php < 4.3 + if (function_exists('mime_content_type')) + $type = mime_content_type($url); + } + $link = HTML::object(array_merge($img->_attr, array('src' => $url, 'type' => $type))); + $link->setAttr('class', 'inlineobject'); + if (isBrowserSafari()) { + return HTML::embed($link->_attr); + } + $link->pushContent(HTML::embed($link->_attr)); + return $link; +} 
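Review bot: ImgObject() copies `data=` and `type=` from the bracket text into the `<object>`/`<embed>` attributes unchecked, and because `data` is what the browser actually loads, the extension gate that routed the link here (the `$force_img` test in LinkImage(), plus whatever isImageLink() enforced in the parser) applies only to the primary url while `data=` can point anywhere and `type=` can name any MIME type. The whole bracket string did pass IsSafeURL() earlier in LinkImage(), so this is an allowlist bypass rather than attribute injection: an author can embed arbitrary content types from arbitrary locations where only svg/pdf-style objects were intended. I would accept `data=` only if it passes the same url and extension checks as the primary url, and `type=` only from a short list of the MIME types INLINE_IMAGES is meant to cover (the list below is a placeholder to align with that setting). Separately, `mime_content_type($url)` receives the wiki-supplied url; if that can be a remote URL rather than a local path it may make the server fetch it on every render — confirm, and prefer a local extension-to-type map. The commented-out `HTML::img(...)` / `HTML::object(...)` lines added to LinkImage() should be dropped rather than committed.
```php
function ImgObject($img, $url) {
    // MIME types we are willing to hand to a browser plugin.
    // Placeholder: keep aligned with what INLINE_IMAGES admits.
    $allowed_types = array('image/svg+xml', 'application/pdf');
    // get the url args: data="sample.svgz" type="image/svg+xml" width="400" height="300"
    $args = split(' ', $url);
    if (count($args) >= 1) {
        $url = array_shift($args);
        foreach ($args as $attr) {
            // type= only from the allowlist above
            if (preg_match('/^type=(\S+)$/', $attr, $m) and in_array($m[1], $allowed_types))
                $img->setAttr('type', $m[1]);
            // data= is what the browser loads: subject it to the same url and
            // extension checks as the primary url (isImageLink() assumed to be
            // the INLINE_IMAGES extension check the parser uses -- confirm)
            if (preg_match('/^data=(\S+)$/', $attr, $m)
                and IsSafeURL($m[1]) and isImageLink($m[1]))
                $img->setAttr('data', $m[1]);
        }
    }
    // … unchanged: type fallback and object/embed construction …
```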
@@ -1970,4 +2026,7 @@ function getMemoryUsage() { // $Log$ +// Revision 1.240 2005年04月23日 11:15:49 rurban +// handle allowed inlined objects within INLINE_IMAGES +// // Revision 1.239 2005年04月01日 16:11:42 rurban // just whitespace Index: InlineParser.php =================================================================== RCS file: /cvsroot/phpwiki/phpwiki/lib/InlineParser.php,v retrieving revision 1.65 retrieving revision 1.66 diff -u -2 -b -p -d -r1.65 -r1.66 --- InlineParser.php 27 Mar 2005 18:24:17 -0000 1.65 +++ InlineParser.php 23 Apr 2005 11:15:49 -0000 1.66 @@ -395,9 +395,14 @@ function LinkBracketLink($bracketlink) { * [what a pic|File:my_image.gif] shows a named inter-wiki link to the gif * [File:my_image.gif|what a pic] shows a inlimed image linked to the page "what a pic" + * + * Note that for simplicity we will accept embedded object tags (non-images) + * here also, and seperate them later in LinkImage() */ - elseif (strstr($link,':') and - ($intermap = getInterwikiMap()) and - preg_match("/^" . $intermap->getRegexp() . ":/", $link)) { - if (empty($label) && isImageLink($link)) { + elseif (strstr($link,':') + and ($intermap = getInterwikiMap()) + and preg_match("/^" . $intermap->getRegexp() . ":/", $link)) + { + // trigger_error("label: $label link: $link", E_USER_WARNING); + if (empty($label) and isImageLink($link)) { // if without label => inlined image [File:xx.gif] $imgurl = $intermap->link($link); @@ -813,4 +818,7 @@ function TransformLinks($text, $markup = // $Log$ +// Revision 1.66 2005年04月23日 11:15:49 rurban +// handle allowed inlined objects within INLINE_IMAGES +// // Revision 1.65 2005年03月27日 18:24:17 rurban // add Log
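Review bot: The commented-out `// trigger_error("label: $label link: $link", E_USER_WARNING);` debug line in LinkBracketLink() should be removed rather than committed, and the new docblock text has a typo (`seperate` → `separate`; the existing line above it also reads `inlimed`). More substantively, the comment now states that non-image objects are accepted here and sorted out in LinkImage(), which makes isImageLink() — presumably the INLINE_IMAGES extension check — the only thing deciding what can reach the `<object>`/`<embed>` path; I would say so in the comment, e.g. `* Anything INLINE_IMAGES admits here may be rendered as <object>/<embed> by LinkImage(), so that setting is the security boundary.` LinkBracketLink() starts before this hunk and continues after it.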