From 0f19b11f4e72ea8a630ef3a1d5f42e13a378e7fd Mon Sep 17 00:00:00 2001
From: Cyperghost
Date: Mon, 17 Jun 2024 12:27:59 +0200
Subject: [PATCH] Check for disallowed BB codes in the content
---
 .../files/acp/templates/articleAdd.tpl | 2 ++
 .../lib/acp/form/ArticleAddForm.class.php | 27 +++++++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/wcfsetup/install/files/acp/templates/articleAdd.tpl b/wcfsetup/install/files/acp/templates/articleAdd.tpl
index aeccb5ccf6..437d15ff08 100644
--- a/wcfsetup/install/files/acp/templates/articleAdd.tpl
+++ b/wcfsetup/install/files/acp/templates/articleAdd.tpl
@@ -531,6 +531,8 @@
 {if $errorType == 'empty'}
 {lang}wcf.global.form.error.empty{/lang}
+ {elseif $errorType == 'disallowedBBCodes'}
+ {lang}wcf.message.error.disallowedBBCodes{/lang}
 {else}
 {lang}wcf.acp.article.content.error.{@$errorType}{/lang}
 {/if}
diff --git a/wcfsetup/install/files/lib/acp/form/ArticleAddForm.class.php b/wcfsetup/install/files/lib/acp/form/ArticleAddForm.class.php
index cba609b822..f67271a278 100644
--- a/wcfsetup/install/files/lib/acp/form/ArticleAddForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/ArticleAddForm.class.php
@@ -13,6 +13,7 @@ use wcf\data\media\ViewableMediaList;
 use wcf\data\smiley\SmileyCache;
 use wcf\data\user\User;
 use wcf\form\AbstractForm;
+use wcf\system\bbcode\BBCodeHandler;
 use wcf\system\cache\builder\ArticleCategoryLabelCacheBuilder;
 use wcf\system\exception\UserInputException;
 use wcf\system\html\input\HtmlInputProcessor;
@@ -390,6 +391,8 @@ class ArticleAddForm extends AbstractForm
 }
 }
+ $this->setDisallowedBBCodes();
+
 if ($this->isMultilingual) {
 foreach (LanguageFactory::getInstance()->getLanguages() as $language) {
 // title
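Review bot: The call `$this->setDisallowedBBCodes();` added ahead of the `if ($this->isMultilingual)` branch carries an ordering requirement that nothing in the code states. The list is pushed into the `BBCodeHandler` singleton, and the `validate()` calls added in the `@@ -407,6 +410,12 @@` and `@@ -420,6 +429,12 @@` hunks presumably read it from there, so moving or dropping this line would leave the new check running against whatever list the handler already held, without any error. A comment such as `// must run before HtmlInputProcessor::validate(): the disallowed list is read from the shared BBCodeHandler` above the call would make that explicit; the second call in the `@@ -564,6 +579,8 @@` hunk deserves a word on why it is needed there as well. The enclosing method starts and ends outside this hunk.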
@@ -407,6 +410,12 @@ class ArticleAddForm extends AbstractForm
 'com.woltlab.wcf.article.content',
 0
 );
+
+ $disallowedBBCodes = $this->htmlInputProcessors[$language->languageID]->validate();
+ if (!empty($disallowedBBCodes)) {
+ WCF::getTPL()->assign('disallowedBBCodes', $disallowedBBCodes);
+ throw new UserInputException('content', 'disallowedBBCodes');
+ }
 }
 } else {
 // title
@@ -420,6 +429,12 @@ class ArticleAddForm extends AbstractForm
 $this->htmlInputProcessors[0] = new HtmlInputProcessor();
 $this->htmlInputProcessors[0]->process($this->content[0], 'com.woltlab.wcf.article.content', 0);
+
+ $disallowedBBCodes = $this->htmlInputProcessors[0]->validate();
+ if (!empty($disallowedBBCodes)) {
+ WCF::getTPL()->assign('disallowedBBCodes', $disallowedBBCodes);
+ throw new UserInputException('content', 'disallowedBBCodes');
+ }
 }
 $this->validateLabelIDs();
@@ -564,6 +579,8 @@ class ArticleAddForm extends AbstractForm
 }
 }
 }
+
+ $this->setDisallowedBBCodes();
 }
 /**
@@ -617,4 +634,14 @@ class ArticleAddForm extends AbstractForm
 'labelGroupsToCategories' => $this->labelGroupsToCategories,
 ]);
 }
+
+ protected function setDisallowedBBCodes(): void
+ {
+ BBCodeHandler::getInstance()->setDisallowedBBCodes(
+ \explode(
+ ',',
+ WCF::getSession()->getPermission('user.message.disallowedBBCodes')
+ )
+ );
+ }
 }
--
2.20.1
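Review bot: In the multilingual loop the exception is raised as `new UserInputException('content', 'disallowedBBCodes')`, naming the field `content` for every language, so the form cannot tell which language's text contained the rejected BBCodes. If the template renders per-language errors under a language-specific field name (not visible in this diff), the message would not appear next to the offending editor, which is worth checking before merge. The same five-line block is repeated in the `@@ -420,6 +429,12 @@` hunk; a small helper taking the processor and the field name would keep the two branches from drifting apart. The enclosing method and the `foreach` start outside this hunk.

```php
// multilingual loop, after process(): pass the field name this language's error block expects
$this->rejectDisallowedBBCodes($this->htmlInputProcessors[$language->languageID], 'content');

// … unchanged: single-language title and content checks …
$this->rejectDisallowedBBCodes($this->htmlInputProcessors[0], 'content');

/**
 * Stops the submission when the processed content uses BBCodes
 * that the acting user is not permitted to use.
 *
 * @throws UserInputException
 */
protected function rejectDisallowedBBCodes(HtmlInputProcessor $processor, string $field): void
{
    $disallowedBBCodes = $processor->validate();
    if (!empty($disallowedBBCodes)) {
        // handed to the template so the error message can refer to the rejected codes
        WCF::getTPL()->assign('disallowedBBCodes', $disallowedBBCodes);

        throw new UserInputException($field, 'disallowedBBCodes');
    }
}
```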
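Review bot: `setDisallowedBBCodes()` is the step that ties the new check to the acting user's `user.message.disallowedBBCodes` permission, yet it has no docblock saying so or stating that it changes the shared `BBCodeHandler` instance. A short docblock covering both points, and noting that it must be called before the content is validated, would help whoever touches this form next. Separately, `\explode(',', …)` on an empty permission value yields `['']` rather than an empty list; that is probably harmless if the handler only does membership checks, but it is worth confirming, or filtering with `\array_filter(\explode(',', $value))`. The method is complete within this hunk.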