Issue #732992: make the list of allowed tags in filter_xss(), filter_xss_admin() pluggable.

From: Damien Tournoud <damien@commerceguys.com>


---
 includes/common.inc |   28 ++++++++++++++++++++++++++--
 1 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/includes/common.inc b/includes/common.inc
index eb68850..c0b9816 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1282,6 +1282,27 @@ function check_url($uri) {
 }
 
 /**
+ * Get the default list of allowed tags.
+ *
+ * @param $type
+ *   (optional) Set to 'admin' to get a more permissive list.
+ * @return
+ *   An array of HTML tags.
+ */
+function filter_xss_allowed_tags($type = 'standard') {
+  static $allowed_tags;
+  if (!isset($allowed_tags)) {
+    $allowed_tags = array(
+      'standard' => array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd'),
+      'admin' => array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'),
+    );
+
+    drupal_alter('filter_xss_allowed_tags', $allowed_tags);
+  }
+  return isset($allowed_tags[$type]) ? $allowed_tags[$type] : array();
+}
+
+/**
  * Very permissive XSS/HTML filter for admin-only use.
  *
  * Use only for fields where it is impractical to use the
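Review bot: The `drupal_alter('filter_xss_allowed_tags', $allowed_tags)` call gives any enabled module unrestricted write access to both allow-lists with no floor, so one contributed module appending 'script' or 'style' silently turns filter_xss() and filter_xss_admin() into a pass-through for that markup, and neither the new docblock nor the filter_xss_admin() docblock in the next hunk (which still promises "save for scripts and styles") says so. I would state the contract in the docblock, e.g. `Modules altering these lists widen the sanitization boundary of filter_xss(); never add 'script', 'style' or other executable or embedding tags.`, and consider pinning it after the alter so the hook can only extend inert markup: `foreach (array_keys($allowed_tags) as $key) {` / `$allowed_tags[$key] = array_values(array_diff($allowed_tags[$key], array('script', 'style')));` / `}`. The `@return` should also note that an unknown $type yields `array()`, which makes filter_xss() strip every tag (fail-closed, which is the right default). The filter_xss_admin() docblock this hunk opens continues into the next hunk.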
@@ -1292,7 +1313,7 @@ function check_url($uri) {
  * for scripts and styles.
  */
 function filter_xss_admin($string) {
-  return filter_xss($string, array('a', 'abbr', 'acronym', 'address', 'b', 'bdo', 'big', 'blockquote', 'br', 'caption', 'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd', 'li', 'ol', 'p', 'pre', 'q', 'samp', 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'ul', 'var'));
+  return filter_xss($string, filter_xss_allowed_tags('admin'));
 }
 
 /**
@@ -1321,7 +1342,10 @@ function filter_xss_admin($string) {
  * @see drupal_validate_utf8()
  * @ingroup sanitization
  */
-function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'blockquote', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
+function filter_xss($string, $allowed_tags = NULL) {
+  if (!isset($allowed_tags)) {
+    $allowed_tags = filter_xss_allowed_tags();
+  }
   // Only operate on valid UTF-8 strings. This is necessary to prevent cross
   // site scripting issues on Internet Explorer 6.
   if (!drupal_validate_utf8($string)) {
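Review bot: Replacing the array default with `$allowed_tags = NULL` plus `!isset($allowed_tags)` changes what an explicit NULL argument means: before, a caller passing NULL got whatever the body below the hunk does with a non-array (on the Drupal code this resembles, that is no tags allowed), whereas now NULL selects the full standard list, so the change can only make existing call sites more permissive, never stricter; callers that pass NULL deliberately should be checked before merging. An explicit `array()` still strips all tags because isset() is true for an empty array, and that distinction deserves a line in the `@param $allowed_tags` docblock above the hunk, e.g. `NULL (the default) selects filter_xss_allowed_tags(); pass array() to strip every tag.`. The body of filter_xss() continues past the end of the hunk.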
