Типа я (zilogic) wrote in changelog,
Типа я
zilogic
changelog

[livejournal] r21309: LJSUP-11455: bad view variable mediaplac...

Committer: amyshkin
LJSUP-11455: bad view variable mediaplaceholder.loading in russian
U   trunk/cgi-bin/cleanhtml.pl
Modified: trunk/cgi-bin/cleanhtml.pl
===================================================================
--- trunk/cgi-bin/cleanhtml.pl	2012-03-06 14:15:41 UTC (rev 21308)
+++ trunk/cgi-bin/cleanhtml.pl	2012-03-06 14:22:50 UTC (rev 21309)
@@ -604,6 +604,7 @@
                     or return 1;
                 return $code->($htmlcleaner, $seq, $attr);
             };
+
             next if !$@ && !$clean_res;
 
             # this is so the rte converts its source to the standard ljuser html
@@ -622,6 +623,7 @@
                 $attr->{'title'} = $ljuser_text;
 
             }
+
             # stupid hack to remove the class='ljcut' from divs when we're
             # disabling them, so we account for the open div normally later.
             my $ljcut_div = $tag eq "div" && lc $attr->{class} eq "ljcut";
@@ -927,167 +929,171 @@
                     delete $hash->{'action'} if $deny;
                 }
 
-              ATTR:
-                foreach my $attr (keys %$hash)
-                {
-                    if ($remove_all_attribs || $remove_attribs{$attr}) {
-                        delete $hash->{$attr};
-                        next;
-                    }
+                if ( $remove_all_attribs ) {
+                    $hash = {};
+                }
+                else {
+                  ATTR:
+                    foreach my $attr (keys %$hash) {
+                        if ( $remove_attribs{$attr} ) {
+                            delete $hash->{$attr};
+                            next;
+                        }
 
-                    if ($attr =~ /^(?:on|dynsrc)/) {
-                        delete $hash->{$attr};
-                        next;
-                    }
+                        if ($attr =~ /^(?:on|dynsrc)/) {
+                            delete $hash->{$attr};
+                            next;
+                        }
 
-                    if ($attr eq "data") {
-                        delete $hash->{$attr} unless $tag eq "object";
-                        next;
-                    }
+                        if ($attr eq "data") {
+                            delete $hash->{$attr} unless $tag eq "object";
+                            next;
+                        }
 
-                    if ($attr eq 'width' || $attr eq 'height' ) {
-                        if ($hash->{$attr} > 1024*2) {
-                            $hash->{$attr} = 1024*2;
+                        if ($attr eq 'width' || $attr eq 'height' ) {
+                            if ($hash->{$attr} > 1024*2) {
+                                $hash->{$attr} = 1024*2;
+                            }
                         }
-                    }
 
-                    ## warning: in commets left by anonymous users, <img src="something">
-                    ## is replaced by <a href="something"> (see 'extractimages' param)
-                    ## If "something" is "data:<script ...", we'll get a vulnerability
-                    if (($attr eq "href" || $attr eq 'src') && $hash->{$attr} =~ /^data/) {
-                        delete $hash->{$attr};
-                        next;
-                    }
+                        ## warning: in commets left by anonymous users, <img src="something">
+                        ## is replaced by <a href="something"> (see 'extractimages' param)
+                        ## If "something" is "data:<script ...", we'll get a vulnerability
+                        if (($attr eq "href" || $attr eq 'src') && $hash->{$attr} =~ /^data/) {
+                            delete $hash->{$attr};
+                            next;
+                        }
 
-                    if ($attr =~ /(?:^=)|[\x0b\x0d]/) {
-                        # Cleaner attack:  <p ='>' onmouseover="javascript:alert(document/**/.cookie)" >
-                        # is returned by HTML::Parser as P_tag("='" => "='") Text( onmouseover...)
-                        # which leads to reconstruction of valid HTML.  Clever!
-                        # detect this, and fail.
-                        $total_fail->("$tag $attr");
-                        last TOKEN;
-                    }
+                        if ($attr =~ /(?:^=)|[\x0b\x0d]/) {
+                            # Cleaner attack:  <p ='>' onmouseover="javascript:alert(document/**/.cookie)" >
+                            # is returned by HTML::Parser as P_tag("='" => "='") Text( onmouseover...)
+                            # which leads to reconstruction of valid HTML.  Clever!
+                            # detect this, and fail.
+                            $total_fail->("$tag $attr");
+                            last TOKEN;
+                        }
 
-                    # ignore attributes that do not fit this strict scheme
-                    unless ($attr =~ /^[\w_:-]+$/) {
-                        $total_fail->("$tag " . (%$hash > 1 ? "[...] " : "") . "$attr");
-                        last TOKEN;
-                    }
+                        # ignore attributes that do not fit this strict scheme
+                        unless ($attr =~ /^[\w_:-]+$/) {
+                            $total_fail->("$tag " . (%$hash > 1 ? "[...] " : "") . "$attr");
+                            last TOKEN;
+                        }
 
-                    $hash->{$attr} =~ s/[\t\n]//g;
+                        $hash->{$attr} =~ s/[\t\n]//g;
 
-                    # IE ignores the null character, so strip it out
-                    $hash->{$attr} =~ s/\x0//g;
+                        # IE ignores the null character, so strip it out
+                        $hash->{$attr} =~ s/\x0//g;
 
-                    # IE sucks:
-                    my $nowhite = $hash->{$attr};
-                    $nowhite =~ s/[\s\x0b]+//g;
-                    if ($nowhite =~ /(?:jscript|livescript|javascript|vbscript|about):/ix) {
-                        delete $hash->{$attr};
-                        next;
-                    }
+                        # IE sucks:
+                        my $nowhite = $hash->{$attr};
+                        $nowhite =~ s/[\s\x0b]+//g;
+                        if ($nowhite =~ /(?:jscript|livescript|javascript|vbscript|about):/ix) {
+                            delete $hash->{$attr};
+                            next;
+                        }
 
-                    if ($attr eq 'style') {
-                        if ($opts->{'cleancss'}) {
-                            # css2 spec, section 4.1.3
-                            # position === p\osition  :(
-                            # strip all slashes no matter what.
-                            $hash->{style} =~ s/\\//g;
+                        if ($attr eq 'style') {
+                            if ($opts->{'cleancss'}) {
+                                # css2 spec, section 4.1.3
+                                # position === p\osition  :(
+                                # strip all slashes no matter what.
+                                $hash->{style} =~ s/\\//g;
 
-                            # and catch the obvious ones ("[" is for things like document["coo"+"kie"]
-                            foreach my $css ("/*", "[", qw(absolute fixed expression eval behavior cookie document window javascript -moz-binding)) {
-                                if ($hash->{style} =~ /\Q$css\E/i) {
-                                    delete $hash->{style};
-                                    next ATTR;
+                                # and catch the obvious ones ("[" is for things like document["coo"+"kie"]
+                                foreach my $css ("/*", "[", qw(absolute fixed expression eval behavior cookie document window javascript -moz-binding)) {
+                                    if ($hash->{style} =~ /\Q$css\E/i) {
+                                        delete $hash->{style};
+                                        next ATTR;
+                                    }
                                 }
-                            }
 
-                            if ($opts->{'strongcleancss'}) {
-                                if ($hash->{style} =~ /-moz-|absolute|relative|outline|z-index|(?<!-)(?:top|left|right|bottom)\s*:|filter|-webkit-/io) {
-                                    delete $hash->{style};
-                                    next ATTR;
+                                if ($opts->{'strongcleancss'}) {
+                                    if ($hash->{style} =~ /-moz-|absolute|relative|outline|z-index|(?<!-)(?:top|left|right|bottom)\s*:|filter|-webkit-/io) {
+                                        delete $hash->{style};
+                                        next ATTR;
+                                    }
                                 }
+
+                                # remove specific CSS definitions
+                                if ($remove_colors) {
+                                    $hash->{style} =~ s/(?:background-)?color:.*?(?:;|$)//gi;
+                                }
+                                if ($remove_sizes) {
+                                    $hash->{style} =~ s/font-size:.*?(?:;|$)//gi;
+                                }
+                                if ($remove_fonts) {
+                                    $hash->{style} =~ s/font-family:.*?(?:;|$)//gi;
+                                }
+                                if ($remove_positioning) {
+                                    $hash->{style} =~ s/margin.*?(?:;|$)//gi;
+                                    $hash->{style} =~ s/height\s*?:.*?(?:;|$)//gi;
+                                    # strip excessive padding
+                                    $hash->{style} =~ s/padding[^:]*?:\D*\d{3,}[^;]*(?:;|$)//gi;
+                                }
                             }
 
-                            # remove specific CSS definitions
-                            if ($remove_colors) {
-                                $hash->{style} =~ s/(?:background-)?color:.*?(?:;|$)//gi;
+                            if ($opts->{'clean_js_css'} && ! $LJ::DISABLED{'css_cleaner'}) {
+                                # and then run it through a harder CSS cleaner that does a full parse
+                                my $css = LJ::CSS::Cleaner->new;
+                                $hash->{style} = $css->clean_property($hash->{style});
                             }
-                            if ($remove_sizes) {
-                                $hash->{style} =~ s/font-size:.*?(?:;|$)//gi;
-                            }
-                            if ($remove_fonts) {
-                                $hash->{style} =~ s/font-family:.*?(?:;|$)//gi;
-                            }
-                            if ($remove_positioning) {
-                                $hash->{style} =~ s/margin.*?(?:;|$)//gi;
-                                $hash->{style} =~ s/height\s*?:.*?(?:;|$)//gi;
-                                # strip excessive padding
-                                $hash->{style} =~ s/padding[^:]*?:\D*\d{3,}[^;]*(?:;|$)//gi;
-                            }
                         }
 
-                        if ($opts->{'clean_js_css'} && ! $LJ::DISABLED{'css_cleaner'}) {
-                            # and then run it through a harder CSS cleaner that does a full parse
-                            my $css = LJ::CSS::Cleaner->new;
-                            $hash->{style} = $css->clean_property($hash->{style});
+                        if (
+                            lc $tag ne 'lj-embed' &&
+                            ( $attr eq 'class' || $attr eq 'id' ) &&
+                            $opts->{'strongcleancss'} )
+                        {
+                            delete $hash->{$attr};
+                            next;
                         }
-                    }
 
-                    if (
-                        lc $tag ne 'lj-embed' &&
-                        ( $attr eq 'class' || $attr eq 'id' ) &&
-                        $opts->{'strongcleancss'} )
-                    {
-                        delete $hash->{$attr};
-                        next;
-                    }
-
-                    # reserve ljs_* ids for divs, etc so users can't override them to replace content
-                    if ($attr eq 'id' && $hash->{$attr} =~ /^ljs_/i) {
-                        delete $hash->{$attr};
-                        next;
-                    }
-
-                    if ($s1var) {
-                        if ($attr =~ /%%/) {
+                        # reserve ljs_* ids for divs, etc so users can't override them to replace content
+                        if ($attr eq 'id' && $hash->{$attr} =~ /^ljs_/i) {
                             delete $hash->{$attr};
-                            next ATTR;
+                            next;
                         }
 
-                        my $props = $LJ::S1::PROPS->{$s1var};
+                        if ($s1var) {
+                            if ($attr =~ /%%/) {
+                                delete $hash->{$attr};
+                                next ATTR;
+                            }
 
-                        if ($hash->{$attr} =~ /^%%([\w:]+:)?(\S+?)%%$/ && $props->{$2} =~ /[aud]/) {
-                            # don't change it.
-                        } elsif ($hash->{$attr} =~ /^%%cons:\w+%%[^\%]*$/) {
-                            # a site constant with something appended is also fine.
-                        } elsif ($hash->{$attr} =~ /%%/) {
-                            my $clean_var = sub {
-                                my ($mods, $prop) = @_;
-                                # HTML escape and kill line breaks
-                                $mods = "attr:$mods" unless
-                                    $mods =~ /^(color|cons|siteroot|sitename|img):/ ||
-                                    $props->{$prop} =~ /[ud]/;
-                                return '%%' . $mods . $prop . '%%';
-                            };
+                            my $props = $LJ::S1::PROPS->{$s1var};
 
-                            $hash->{$attr} =~ s/[\n\r]//g;
-                            $hash->{$attr} =~ s/%%([\w:]+:)?(\S+?)%%/$clean_var->(lc($1), $2)/eg;
+                            if ($hash->{$attr} =~ /^%%([\w:]+:)?(\S+?)%%$/ && $props->{$2} =~ /[aud]/) {
+                                # don't change it.
+                            } elsif ($hash->{$attr} =~ /^%%cons:\w+%%[^\%]*$/) {
+                                # a site constant with something appended is also fine.
+                            } elsif ($hash->{$attr} =~ /%%/) {
+                                my $clean_var = sub {
+                                    my ($mods, $prop) = @_;
+                                    # HTML escape and kill line breaks
+                                    $mods = "attr:$mods" unless
+                                        $mods =~ /^(color|cons|siteroot|sitename|img):/ ||
+                                        $props->{$prop} =~ /[ud]/;
+                                    return '%%' . $mods . $prop . '%%';
+                                };
 
-                            if ($attr =~ /^(href|src|lowsrc|style)$/) {
-                                $hash->{$attr} = "\%\%[attr[$hash->{$attr}]]\%\%";
+                                $hash->{$attr} =~ s/[\n\r]//g;
+                                $hash->{$attr} =~ s/%%([\w:]+:)?(\S+?)%%/$clean_var->(lc($1), $2)/eg;
+
+                                if ($attr =~ /^(href|src|lowsrc|style)$/) {
+                                    $hash->{$attr} = "\%\%[attr[$hash->{$attr}]]\%\%";
+                                }
                             }
+
                         }
 
+                        # remove specific attributes
+                        if (($remove_colors && ($attr eq "color" || $attr eq "bgcolor" || $attr eq "fgcolor" || $attr eq "text")) ||
+                            ($remove_sizes && $attr eq "size") ||
+                            ($remove_fonts && $attr eq "face")) {
+                            delete $hash->{$attr};
+                            next ATTR;
+                        }
                     }
-
-                    # remove specific attributes
-                    if (($remove_colors && ($attr eq "color" || $attr eq "bgcolor" || $attr eq "fgcolor" || $attr eq "text")) ||
-                        ($remove_sizes && $attr eq "size") ||
-                        ($remove_fonts && $attr eq "face")) {
-                        delete $hash->{$attr};
-                        next ATTR;
-                    }
                 }
 
                 ## attribute lj-sys-message-close is used in SiteMessage's only
@@ -1177,8 +1183,8 @@
                             '<span class="b-mediaplaceholder-outer">' .
                             '<span class="b-mediaplaceholder-inner">' .
                             '<i class="b-mediaplaceholder-pic"></i>' .
-                            '<span class="b-mediaplaceholder-label b-mediaplaceholder-view">' . LJ::Lang::ml("mediaplaceholder.viewimage") . '</span>'.
-                            '<span class="b-mediaplaceholder-label b-mediaplaceholder-loading">' . LJ::Lang::ml("mediaplaceholder.loading") . '</span>'.
+                            '<span class="b-mediaplaceholder-label b-mediaplaceholder-view">' . Encode::decode_utf8(LJ::Lang::ml("mediaplaceholder.viewimage")) . '</span>'.
+                            '<span class="b-mediaplaceholder-label b-mediaplaceholder-loading">' . Encode::decode_utf8(LJ::Lang::ml("mediaplaceholder.loading")) . '</span>'.
                             '</span>' .
                             '</span>' .
                             '</a>';
@@ -1186,7 +1192,7 @@
                             '<a href="' . $href_b_link .'" class="b-mediaplaceholder-external" title="' . LJ::Lang::ml("mediaplaceholder.link") . '">' .
                             '<i class="b-mediaplaceholder-bg"></i>' .
                             '<i class="b-mediaplaceholder-pic"></i>' .
-                            '<span class="b-mediaplaceholder-inner">' . LJ::Lang::ml("mediaplaceholder.link") . '</span>' .
+                            '<span class="b-mediaplaceholder-inner">' . Encode::decode_utf8(LJ::Lang::ml("mediaplaceholder.link")) . '</span>' .
                             '</a>' : '';
                         $alt_output = 1;
                         $opencount{"img"}++;
@@ -1254,9 +1260,9 @@
                     }
                 }
 
-                unless ($alt_output)
-                {
+                unless ($alt_output) {
                     my $allow;
+
                     if ($mode eq "allow") {
                         $allow = 1;
                         if ($action{$tag} eq "deny") { $allow = 0; }
@@ -1265,8 +1271,9 @@
                         if ($action{$tag} eq "allow") { $allow = 1; }
                     }
 
-                    if ($allow && ! $remove{$tag})
-                    {
+                    my $newtag = '';
+
+                    if ($allow && ! $remove{$tag}) {
                         if ($opts->{'tablecheck'}) {
 
                             $allow = 0 if
@@ -1281,13 +1288,13 @@
                                 ($tag eq 'table' && @tablescope && ! grep { $tablescope[-1]->{$_} } qw(td th));
                         }
 
-                        if ($allow) { $newdata .= "<$tag"; }
-                        else { $newdata .= "&lt;$tag"; }
+                        if ($allow) { $newtag .= "<$tag"; }
+                        else { $newtag .= "&lt;$tag"; }
 
                         # output attributes in original order, but only those
                         # that are allowed (by still being in %$hash after cleaning)
                         foreach (@$attrs) {
-                            $newdata .= " $_=\"" . LJ::ehtml($hash->{$_}) . "\""
+                            $newtag .= " $_=\"" . LJ::ehtml($hash->{$_}) . "\""
                                 if exists $hash->{$_};
                         }
 
@@ -1295,12 +1302,12 @@
                         # actually close itself. Otherwise, a tag like <em /> can pass through as valid
                         # even though some browsers just render it as an opening tag
                         if ($slashclose && $tag =~ $slashclose_tags) {
-                            $newdata .= " /";
+                            $newtag .= " /";
                             $opencount{$tag}--;
                             $tablescope[-1]->{$tag}-- if $opts->{'tablecheck'} && @tablescope;
                         }
                         if ($allow) {
-                            $newdata .= ">";
+                            $newtag .= ">";
                             $opencount{$tag}++;
 
                             # maintain current table scope
@@ -1317,7 +1324,31 @@
                             }
 
                         }
-                        else { $newdata .= "&gt;"; }
+                        else { $newtag .= "&gt;"; }
+
+                        # change iframe with video to placeholder according to user settings
+                        if ( lc $tag eq 'iframe' && $opts->{video_placeholders} ) {
+                            my $width  = $hash->{width};
+                            my $height = $hash->{height};
+                            $width  =~ s/px$//;
+                            $height =~ s/px$//;
+                            $width  = 960 if $width  > 960;
+                            $height = 750 if $height > 750;
+
+                            $width  = $width  =~ /^\d+$/ ? $width  : 320;
+                            $height = $height =~ /^\d+$/ ? $height : 240;
+
+                            $newdata .= LJ::placeholder_link(
+                                placeholder_html   => $newtag,
+                                width              => $width,
+                                height             => $height,
+                                img                => "$LJ::IMGPREFIX/videoplaceholder.png",
+                                remove_video_sizes => $opts->{remove_video_sizes},
+                            );
+                        }
+                        else {
+                            $newdata .= $newtag;
+                        }
                     }
                 }
             }

Tags: amyshkin, livejournal, pl, zilogic
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 0 comments