Index: modules/filter/filter.module
===================================================================
--- modules/filter/filter.module	(revision 971)
+++ modules/filter/filter.module	(working copy)
@@ -1073,6 +1073,12 @@
     '#default_value' => variable_get("filter_html_nofollow_$format", FALSE),
     '#description' => t('If enabled, Drupal will add rel="nofollow" to all links, as a measure to reduce the effectiveness of spam links. Note: this will also prevent valid links from being followed by search engines, therefore it is likely most effective when enabled for anonymous users.'),
   );
+  $form['filter_html']["allow_html_comments_$format"] = array(
+    '#type' => 'checkbox',
+    '#title' => t('Allow HTML Comments'),
+    '#default_value' => variable_get("allow_html_comments_$format", FALSE),
+    '#description' => t('If enabled, Drupal will allow HTML comments.'), 
+  );
   return $form;
 }
 
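Review bot: The new `'#description'` line carries trailing whitespace after the comma, and its text understates what the option does: with it enabled, regular HTML comments and IE conditional-comment markers are passed through `filter_xss` without their contents being filtered. Suggest `'#description' => t('If enabled, HTML comments (including IE conditional comment markers) are passed through unfiltered. Intended for trusted input formats only.'),`.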
@@ -1082,7 +1088,8 @@
 function _filter_html($text, $format) {
   if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_STRIP) {
     $allowed_tags = preg_split('/\s+|<|>/', variable_get("allowed_html_$format", '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>'), -1, PREG_SPLIT_NO_EMPTY);
-    $text = filter_xss($text, $allowed_tags);
+    $allow_comments = variable_get("allow_html_comments_$format", FALSE);
+    $text = filter_xss($text, $allowed_tags, $allow_comments);
   }
 
   if (variable_get("filter_html_$format", FILTER_HTML_STRIP) == FILTER_HTML_ESCAPE) {
@@ -1265,10 +1272,13 @@
  *   an XSS attack.
  * @param $allowed_tags
  *   An array of allowed tags.
+ * @param $allow_comments
+ *   If TRUE, HTML comments will be allowed in the output.
+ *   Defaults to FALSE
  * @param $format
  *   The format to use.
  */
-function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
+function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'), $allow_comments = FALSE) {
   // Only operate on valid UTF-8 strings. This is necessary to prevent cross
   // site scripting issues on Internet Explorer 6.
   if (!drupal_validate_utf8($string)) {
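Review bot: The new `@param $allow_comments` entry lacks a full stop and does not say what "allowed" means for the comment body, which the implementation returns unmodified. Suggest `*   If TRUE, HTML comments and IE conditional comment markers are passed through unmodified (their contents are not filtered). Defaults to FALSE.`. The docblock opens before this hunk, so the summary line is not visible here.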
@@ -1276,6 +1286,8 @@
   }
   // Store the input format
   _filter_xss_split($allowed_tags, TRUE);
+  // Store our html comment filter status
+  _filter_xss_split($allow_comments, 'allow_comments');
   // Remove NUL characters (ignored by some browsers)
   $string = str_replace(chr(0), '', $string);
   // Remove Netscape 4 JS entities
@@ -1293,11 +1305,17 @@
 
   return preg_replace_callback('%
     (
-    <(?=[^a-zA-Z!/])  # a lone <
-    |                 # or
-    <[^>]*(>|$)       # a string that starts with a <, up until the > or the end of the string
-    |                 # or
-    >                 # just a >
+    <(?=[^a-zA-Z!/])                    # a lone <
+    |                                   # or
+    <!(?:--)?\s*\[\s*if.+\]\s*>(?:-->)? # start IE conditional comments
+    |                                   # or
+    <!\s*\[\s*endif\s*\]\s*(?:--)?>     # end IE conditional comments
+    |                                   # or
+    <!--(?:.|\n|\r)*?-->                # regular HTML comments
+    |                                   # or
+    <[^>]*(>|$)                         # a string that starts with a <, up until the > or the end of the string
+    |                                   # or
+    >                                   # just a >
     )%x', '_filter_xss_split', $string);
 }
 
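Review bot: The conditional-comment start alternative on the `<!(?:--)?\s*\[\s*if.+\]\s*>(?:-->)?` line uses a greedy `.+`, which runs to the last `]\s*>` on the same line, so when comments are allowed everything between the first `<![if` and that point — tags included — becomes one token that `_filter_xss_split` returns verbatim. Bound the condition instead, `<!(?:--)?\s*\[\s*if[^\]]*\]\s*>(?:-->)?`, and apply the same change to the copy of this pattern in `_filter_xss_split`'s conditional-comment check. Separately, the regular-comment alternative hands the whole comment through untouched, so its body is never inspected; consider letting a comment whose body contains `--` or `>` fall through to the malformed-tag path, since HTML parsers also terminate a comment at `--!>`. The three comment patterns are duplicated between this alternation and `_filter_xss_split`; defining them once (a constant or static) would keep them from drifting apart.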
@@ -1316,22 +1334,37 @@
  */
 function _filter_xss_split($m, $store = FALSE) {
   static $allowed_html;
+  static $allow_comments;
 
-  if ($store) {
+  if ($store === TRUE) {
     $allowed_html = array_flip($m);
     return;
   }
+  if ($store === 'allow_comments') {
+    $allow_comments = $m;
+    return;
+  }
 
   $string = $m[1];
 
-  if (substr($string, 0, 1) != '<') {
+  if ($string[0] !== '<') {
     // We matched a lone ">" character
     return '&gt;';
   }
-  else if (strlen($string) == 1) {
+  if (strlen($string) === 1) {
     // We matched a lone "<" character
     return '&lt;';
   }
+  if ($allow_comments) {
+    if (preg_match('%(<!(?:--)?\s*\[\s*if.+\]\s*>(?:-->)?|<!\s*\[\s*endif\s*\]\s*(?:--)?>)%', $string)) {
+      // IE conditional comments
+      return $string;
+    }
+    if (preg_match('%<!--(?:.|\n|\r)*?-->%', $string)) {
+      // regular HTML comments
+      return $string;
+    }
+  }
 
   if (!preg_match('%^<\s*(/\s*)?([a-zA-Z0-9]+)([^>]*)>?$%', $string, $matches)) {
     // Seriously malformed
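Review bot: The two `preg_match` calls inside the new `if ($allow_comments)` block are unanchored, so a token that was matched by the generic `<[^>]*(>|$)` alternative and merely contains a comment-like substring is returned verbatim, skipping the tag and attribute filtering that follows. Anchor both so only a whole-token comment passes: `if (preg_match('%\A(?:<!(?:--)?\s*\[\s*if[^\]]*\]\s*>(?:-->)?|<!\s*\[\s*endif\s*\]\s*(?:--)?>)\z%', $string)) {` and `if (preg_match('%\A<!--.*?-->\z%s', $string)) {`. The `$store` check is now strict (`=== TRUE`), so a caller passing `1` — none is visible in this diff — would silently fall into the split path; the parameter's docblock above the hunk should state the accepted values, `TRUE` to store the allowed tags and `'allow_comments'` to store the comment flag. `_filter_xss_split` continues past the end of the hunk.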
