--- drupal-6\filter\filter.module 2008-06-20 09:44:50.856500000 -0400
+++ filter.module 2008-06-20 11:16:06.356500000 -0400
@@ -87,6 +87,14 @@ function filter_menu() {
 'weight' => 1,
 'file' => 'filter.admin.inc',
 );
+ $items['admin/settings/filters/xss'] = array(
+ 'title' => 'XSS filter settings',
+ 'page callback' => 'filter_admin_xss_page',
+ 'access arguments' => array('administer filters'),
+ 'type' => MENU_LOCAL_TASK,
+ 'weight' => 1,
+ 'file' => 'filter.admin.inc',
+ );
 $items['admin/settings/filters/delete'] = array(
 'title' => 'Delete input format',
 'page callback' => 'drupal_get_form',
@@ -948,20 +956,26 @@ function filter_xss_admin($string) { * - Makes sure all HTML tags and attributes are well-formed * - Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:) * + * The allowed tags array may be set in the "XSS filter settings" tab of the + * admin >> settings >> filters (Input formats) page. + * * @param $string * The string with raw HTML in it. It will be stripped of everything that can cause * an XSS attack. * @param $allowed_tags * An array of allowed tags. - * @param $format - * The format to use. */ -function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) { +function filter_xss($string, $allowed_tags = array()) { // Only operate on valid UTF-8 strings. This is necessary to prevent cross // site scripting issues on Internet Explorer 6. if (!drupal_validate_utf8($string)) { return ''; } + // Check if the allowed_tags parameter was used, else get the defaults. + if (empty($allowed_tags)) { + $allowed_tags = variable_get('allowed_html_xss', array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')); + } + // Store the input format _filter_xss_split($allowed_tags, TRUE); // Remove NUL characters (ignored by some browsers) --- drupal-6\filter\filter.admin.inc 2008-06-20 09:14:04.106500000 -0400 +++ filter.admin.inc 2008-06-20 10:52:35.544000000 -0400 
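Review bot: The `empty($allowed_tags)` check in the new filter_xss body cannot tell a caller that deliberately passes `array()` to allow no tags at all from one that omitted the argument, so such callers now silently receive the admin-configured list — a widening of what the filter lets through. Make the sentinel explicit: `function filter_xss($string, $allowed_tags = NULL) {` and `if ($allowed_tags === NULL) {`, which keeps the documented default while letting an explicit empty array still mean "strip everything". The `@param $allowed_tags` doc should say that the default now comes from the `allowed_html_xss` variable and that an explicit empty array is honoured. The same default list is spelled out here and twice more in filter.admin.inc (hunk 3); one helper returning it would keep the three copies in step. filter_xss continues past the end of this hunk.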
@@ -396,4 +396,46 @@ function filter_admin_order_submit($form
 /**
 * Allow admin settings for Filter_XSS.
 */
-function
\ No newline at end of file
+function filter_admin_xss_page() {
+ drupal_set_title('XSS filter settings');
+ return drupal_get_form('filter_admin_xss_form');
+}
+
+/**
+ * Allow admin settings for Filter_XSS.
+ */
+function filter_admin_xss_form() {
+ $form = array();
+ $current_array = variable_get('allowed_html_xss', array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'));
+ $current = '<'. implode('> <', $current_array) .'>';
+
+ $form['allowed_tags'] = array(
+ '#type' => 'textarea',
+ '#rows' => 2,
+ '#title' => t('Allowed tags'),
+ '#description' => t('These HTML tags will not be removed by the filter_xss function. Be sure that you trust your users to make proper use of all allowed tags.'),
+ '#default_value' => $current,
+ );
+
+ $form['buttons']['submit'] = array('#type' => 'submit', '#value' => t('Save configuration') );
+ $form['buttons']['reset'] = array('#type' => 'submit', '#value' => t('Reset to defaults') );
+ return $form;
+}
+
+/**
+ * Handle settings submit for Filter_XSS.
+ */
+function filter_admin_xss_form_submit($form, &$form_state) {
+ $op = $form_state['clicked_button']['#value'];
+ switch ($op) {
+ case t('Save configuration'):
+ $text = $form_state['values']['allowed_tags'];
+ $tags = preg_split('/\s+|<|>/', $text, -1, PREG_SPLIT_NO_EMPTY);
+ variable_set('allowed_html_xss', $tags);
+ break;
+
+ case t('Reset to defaults'):
+ variable_set('allowed_html_xss', array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'));
+ break;
+ }
+}
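Review bot: `filter_admin_xss_form_submit` stores whatever tokens `preg_split` yields without normalising or validating them, so an admin who types `<A>` or `<a href="...">` saves `A`, `a` and `href="..."` as tag names; filter_xss appears to compare lowercased element names against this list (its matching code is outside this hunk), so mixed-case entries would silently never match and junk tokens would sit in the variable unnoticed. Add a `filter_admin_xss_form_validate` handler that rejects any token that is not a plain tag name, and lowercase and de-duplicate the list before `variable_set`, as sketched below. Keying the `switch` on `$form_state['clicked_button']['#value']` compared with `t()` output is also brittle across translations; giving each button its own `#submit`, or comparing on `#id`, avoids that. There is no `drupal_set_message()` after saving, so the admin gets no confirmation that the list changed.
```php
/**
 * Validate handler: every submitted token must be a plain HTML tag name.
 */
function filter_admin_xss_form_validate($form, &$form_state) {
  if ($form_state['clicked_button']['#value'] !== t('Save configuration')) {
    return;
  }
  $tags = preg_split('/\s+|<|>/', $form_state['values']['allowed_tags'], -1, PREG_SPLIT_NO_EMPTY);
  foreach ($tags as $tag) {
    if (!preg_match('/^[a-zA-Z][a-zA-Z0-9]*$/', $tag)) {
      form_set_error('allowed_tags', t('%tag is not a valid HTML tag name.', array('%tag' => $tag)));
    }
  }
}

function filter_admin_xss_form_submit($form, &$form_state) {
  // … unchanged: $op lookup and switch header …
      $tags = preg_split('/\s+|<|>/', $text, -1, PREG_SPLIT_NO_EMPTY);
      $tags = array_values(array_unique(array_map('strtolower', $tags)));
      variable_set('allowed_html_xss', $tags);
      drupal_set_message(t('The configuration options have been saved.'));
      break;
  // … unchanged: reset case and closing braces …
```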