From ca5154a3342fae745161f6aac8524c1f2a210ada Mon Sep 17 00:00:00 2001
From: Matthias Schmidt
Date: Sun, 2 Jun 2013 12:35:22 +0200
Subject: [PATCH] Adds BBCode permission validation for message previews
---
 wcfsetup/install/files/js/WCF.Message.js | 32 ++++++++++++++++++-
 .../bbcode/MessagePreviewAction.class.php | 22 +++++++++++--
 .../lib/data/user/UserProfileAction.class.php | 4 ++-
 .../files/lib/form/MessageForm.class.php | 7 ++--
 .../system/option/MessageOptionType.class.php | 5 +--
 5 files changed, 61 insertions(+), 9 deletions(-)
diff --git a/wcfsetup/install/files/js/WCF.Message.js b/wcfsetup/install/files/js/WCF.Message.js
index c90533e58c..f84f2207d9 100644
--- a/wcfsetup/install/files/js/WCF.Message.js
+++ b/wcfsetup/install/files/js/WCF.Message.js
@@ -169,6 +169,7 @@ WCF.Message.Preview = Class.extend({
 this._previewButton.click($.proxy(this._click, this));
 
 this._proxy = new WCF.Action.Proxy({
+ failure: $.proxy(this._failure, this),
 success: $.proxy(this._success, this)
 });
 },
@@ -252,6 +253,9 @@ WCF.Message.Preview = Class.extend({
 // restore preview button
 this._previewButton.html(this._previewButtonLabel).enable();
 
+ // remove error message
+ this._messageField.parent().children('small.innerError').remove();
+
 // evaluate message
 this._handleResponse(data);
 },
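Review bot: In the `@@ -252` hunk `_success` removes the error element via `this._messageField.parent().children('small.innerError')`, while the `_failure` handler added in the next hunk looks it up with `this._messageField.next('small.innerError')` and appends a new one to the parent when that lookup is empty; the two selectors only agree when the element is the field's immediate sibling, otherwise `_failure` can add a second element that only `_success` later clears. Using one selector in both places, e.g. `this._messageField.next('small.innerError').remove();` here, keeps the lookup consistent. `_success` begins outside the hunk.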
@@ -261,7 +265,33 @@ WCF.Message.Preview = Class.extend({
 *
 * @param object data
 */
- _handleResponse: function(data) { }
+ _handleResponse: function(data) { },
+
+ /**
+ * Handles errors during preview requests.
+ *
+ * The return values indicates if the default error overlay is shown.
+ *
+ * @param object data
+ * @return boolean
+ */
+ _failure: function(data) {
+ if (data === null || data.returnValues === undefined || data.returnValues.errorType === undefined) {
+ return true;
+ }
+
+ // restore preview button
+ this._previewButton.html(this._previewButtonLabel).enable();
+
+ var $innerError = this._messageField.next('small.innerError').empty();
+ if (!$innerError.length) {
+ $innerError = $('').appendTo(this._messageField.parent());
+ }
+
+ $innerError.html(data.returnValues.errorType);
+
+ return false;
+ }
 });
 
 /**
diff --git a/wcfsetup/install/files/lib/data/bbcode/MessagePreviewAction.class.php b/wcfsetup/install/files/lib/data/bbcode/MessagePreviewAction.class.php
index c62d29a3c2..3a31a5dfa9 100644
--- a/wcfsetup/install/files/lib/data/bbcode/MessagePreviewAction.class.php
+++ b/wcfsetup/install/files/lib/data/bbcode/MessagePreviewAction.class.php
@@ -7,13 +7,14 @@ use wcf\system\bbcode\MessageParser;
 use wcf\system\bbcode\PreParser;
 use wcf\system\exception\UserInputException;
 use wcf\system\WCF;
+use wcf\util\ArrayUtil;
 use wcf\util\StringUtil;
 
 /**
 * Provides a default message preview action.
 *
 * @author Marcel Werk
- * @copyright 2001-2012 WoltLab GmbH
+ * @copyright 2001-2013 WoltLab GmbH
 * @license GNU Lesser General Public License
 * @package com.woltlab.wcf.message
 * @subpackage data.message
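Review bot: `$innerError.html(data.returnValues.errorType)` inserts the server-supplied error string as HTML, and with this commit that string is `wcf.message.error.disallowedBBCodes` rendered with `disallowedBBCodes`, i.e. tag names extracted from the user's own message (MessagePreviewAction `@@ -50`, UserProfileAction `@@ -46`). Whether those names are HTML-encoded depends on the language variable, which isn't visible here; confirm that it encodes the variable, or encode the names before they are passed to `getDynamicVariable`, so the client can keep using `.html()` for formatted messages. The guard `data.returnValues.errorType === undefined` also accepts an empty string, which would blank the error element and suppress the default overlay without showing anything; `!data.returnValues.errorType` would fall back to the overlay in that case.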
@@ -50,11 +51,23 @@ class MessagePreviewAction extends BBCodeAction {
 $enableSmilies = (isset($this->parameters['options']['enableSmilies'])) ? 1 : 0;
 $preParse = (isset($this->parameters['options']['preParse'])) ? 1 : 0;
 
+ $allowedBBCodesPermission = (isset($this->parameters['allowedBBCodesPermission'])) ? $this->parameters['allowedBBCodesPermission'] : 'user.message.allowedBBCodes';
+
 // validate permissions for options
 if ($enableBBCodes && !WCF::getSession()->getPermission('user.message.canUseBBCodes')) $enableBBCodes = 0;
 if ($enableHtml && !WCF::getSession()->getPermission('user.message.canUseHtml')) $enableHtml = 0;
 if ($enableSmilies && !WCF::getSession()->getPermission('user.message.canUseSmilies')) $enableSmilies = 0;
 
+ // check if disallowed bbcode are used
+ if ($enableBBCodes && $allowedBBCodesPermission) {
+ $disallowedBBCodes = MessageParser::getInstance()->validateBBCodes($this->parameters['data']['message'], ArrayUtil::trim(explode(',', WCF::getSession()->getPermission($allowedBBCodesPermission))));
+ if (!empty($disallowedBBCodes)) {
+ throw new UserInputException('message', WCF::getLanguage()->getDynamicVariable('wcf.message.error.disallowedBBCodes', array(
+ 'disallowedBBCodes' => $disallowedBBCodes
+ )));
+ }
+ }
+
 // get attachments
 if (!empty($this->parameters['attachmentObjectType'])) {
 $attachmentList = new GroupedAttachmentList($this->parameters['attachmentObjectType']);
@@ -93,7 +106,12 @@ class MessagePreviewAction extends BBCodeAction {
 
 // parse URLs
 if ($preParse && $enableBBCodes) {
- $message = PreParser::getInstance()->parse($message);
+ if ($allowedBBCodesPermission) {
+ $message = PreParser::getInstance()->parse($message, ArrayUtil::trim(explode(',', WCF::getSession()->getPermission($allowedBBCodesPermission))));
+ }
+ else {
+ $message = PreParser::getInstance()->parse($message);
+ }
 }
 
 // parse message
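Review bot: `$allowedBBCodesPermission` is taken from `$this->parameters['allowedBBCodesPermission']`, i.e. from the request, and is then used as the name of the permission whose value becomes the allow list; a request can therefore name any permission, and an empty value makes `if ($enableBBCodes && $allowedBBCodesPermission)` skip the disallowed-BBCode check entirely while the `@@ -93` hunk falls back to the unrestricted `PreParser::parse`. The preview is only rendered back to the requester, so the impact is limited to that user seeing markup the form would later reject, but a server-side check should not be switchable by the client: reject an empty or unknown name instead of falling through, e.g. by treating a falsy `getPermission()` result as the default `'user.message.allowedBBCodes'` list — what `getPermission` returns for an unknown name isn't visible here. The trimmed list is also computed twice (here and in `@@ -93`); computing `$allowedBBCodes = ArrayUtil::trim(explode(',', WCF::getSession()->getPermission($allowedBBCodesPermission)));` once next to `$allowedBBCodesPermission` removes the duplication. The enclosing method starts and ends outside both hunks.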
diff --git a/wcfsetup/install/files/lib/data/user/UserProfileAction.class.php b/wcfsetup/install/files/lib/data/user/UserProfileAction.class.php
index c5689725b5..7e7546d9d3 100644
--- a/wcfsetup/install/files/lib/data/user/UserProfileAction.class.php
+++ b/wcfsetup/install/files/lib/data/user/UserProfileAction.class.php
@@ -46,7 +46,9 @@ class UserProfileAction extends UserAction {
 if (isset($this->parameters['options']['enableBBCodes']) && WCF::getSession()->getPermission('user.signature.canUseBBCodes')) {
 $disallowedBBCodes = BBCodeParser::getInstance()->validateBBCodes($this->parameters['data']['message'], explode(',', WCF::getSession()->getPermission('user.signature.allowedBBCodes')));
 if (!empty($disallowedBBCodes)) {
- throw new UserInputException('message', 'disallowedBBCodes', $disallowedBBCodes);
+ throw new UserInputException('message', WCF::getLanguage()->getDynamicVariable('wcf.message.error.disallowedBBCodes', array(
+ 'disallowedBBCodes' => $disallowedBBCodes
+ )));
 }
 }
 }
diff --git a/wcfsetup/install/files/lib/form/MessageForm.class.php b/wcfsetup/install/files/lib/form/MessageForm.class.php
index d029cfd798..0b3f0e20f4 100644
--- a/wcfsetup/install/files/lib/form/MessageForm.class.php
+++ b/wcfsetup/install/files/lib/form/MessageForm.class.php
@@ -8,6 +8,7 @@ use wcf\system\exception\UserInputException;
 use wcf\system\language\LanguageFactory;
 use wcf\system\message\censorship\Censorship;
 use wcf\system\WCF;
+use wcf\util\ArrayUtil;
 use wcf\util\MessageUtil;
 use wcf\util\StringUtil;
 
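Review bot: The allow list on the second line of the UserProfileAction hunk, `explode(',', WCF::getSession()->getPermission('user.signature.allowedBBCodes'))`, is the only one this commit leaves without `ArrayUtil::trim(...)`, so a permission value written with spaces after the commas is compared differently for signatures than in MessageForm and MessagePreviewAction. Wrapping it as `ArrayUtil::trim(explode(',', WCF::getSession()->getPermission('user.signature.allowedBBCodes')))` keeps the check consistent; that needs `use wcf\util\ArrayUtil;` in this file's import block, which lies outside the hunk. The enclosing method starts and ends outside the hunk.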
@@ -256,7 +257,7 @@ abstract class MessageForm extends RecaptchaForm {
 }
 
 if ($this->enableBBCodes && $this->allowedBBCodesPermission) {
- $disallowedBBCodes = BBCodeParser::getInstance()->validateBBCodes($this->text, explode(',', WCF::getSession()->getPermission($this->allowedBBCodesPermission)));
+ $disallowedBBCodes = BBCodeParser::getInstance()->validateBBCodes($this->text, ArrayUtil::trim(explode(',', WCF::getSession()->getPermission($this->allowedBBCodesPermission))));
 if (!empty($disallowedBBCodes)) {
 WCF::getTPL()->assign('disallowedBBCodes', $disallowedBBCodes);
 throw new UserInputException('text', 'disallowedBBCodes');
@@ -298,7 +299,7 @@ abstract class MessageForm extends RecaptchaForm {
 // BBCodes are enabled
 if ($this->enableBBCodes) {
 if ($this->allowedBBCodesPermission) {
- $this->text = PreParser::getInstance()->parse($this->text, explode(',', WCF::getSession()->getPermission($this->allowedBBCodesPermission)));
+ $this->text = PreParser::getInstance()->parse($this->text, ArrayUtil::trim(explode(',', WCF::getSession()->getPermission($this->allowedBBCodesPermission))));
 }
 else {
 $this->text = PreParser::getInstance()->parse($this->text);
@@ -378,7 +379,7 @@ abstract class MessageForm extends RecaptchaForm {
 ));
 
 if ($this->allowedBBCodesPermission) {
- WCF::getTPL()->assign('allowedBBCodes', explode(',', WCF::getSession()->getPermission($this->allowedBBCodesPermission)));
+ WCF::getTPL()->assign('allowedBBCodes', explode(',', ArrayUtil::trim(WCF::getSession()->getPermission($this->allowedBBCodesPermission))));
 }
 }
 }
diff --git a/wcfsetup/install/files/lib/system/option/MessageOptionType.class.php b/wcfsetup/install/files/lib/system/option/MessageOptionType.class.php
index 2e59fb21e0..e09a041a3d 100644
--- a/wcfsetup/install/files/lib/system/option/MessageOptionType.class.php
+++ b/wcfsetup/install/files/lib/system/option/MessageOptionType.class.php
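Review bot: In the `@@ -378` hunk the call order is reversed relative to `@@ -256` and `@@ -298`: `explode(',', ArrayUtil::trim(WCF::getSession()->getPermission(...)))` trims the permission string as a whole before splitting, so a value such as `b, i, url` still yields entries with leading spaces, whereas the other two hunks trim each entry after `explode`. The same reversed order appears in MessageOptionType::validate (`@@ -47` of that file), where, if `validateBBCodes` compares entries exactly, untrimmed entries would reject codes the permission actually allows. Unless `ArrayUtil::trim` is documented to split strings itself, both sites should read `ArrayUtil::trim(explode(',', WCF::getSession()->getPermission(...)))`. The enclosing methods begin and end outside the hunks.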
@@ -6,12 +6,13 @@ use wcf\data\smiley\SmileyCache;
 use wcf\system\bbcode\BBCodeParser;
 use wcf\system\exception\UserInputException;
 use wcf\system\WCF;
+use wcf\util\ArrayUtil;
 
 /**
 * Option type implementation for message.
 *
 * @author Marcel Werk
- * @copyright 2001-2012 WoltLab GmbH
+ * @copyright 2001-2013 WoltLab GmbH
 * @license GNU Lesser General Public License
 * @package com.woltlab.wcf.user
 * @subpackage system.option
@@ -47,7 +48,7 @@ class MessageOptionType extends TextareaOptionType {
 parent::validate($option, $newValue);
 
 if ($option->allowedbbcodepermission) {
- $disallowedBBCodes = BBCodeParser::getInstance()->validateBBCodes($newValue, explode(',', WCF::getSession()->getPermission($option->allowedbbcodepermission)));
+ $disallowedBBCodes = BBCodeParser::getInstance()->validateBBCodes($newValue, explode(',', ArrayUtil::trim(WCF::getSession()->getPermission($option->allowedbbcodepermission))));
 if (!empty($disallowedBBCodes)) {
 WCF::getTPL()->assign('disallowedBBCodes', $disallowedBBCodes);
 throw new UserInputException($option->optionName, 'disallowedBBCodes');
-- 
2.20.1