$message ) { if (isset ( $message ['body'] )) { if ($message_id) { // we're dealing with a real message, not a fake, so // there a number of shortcuts that can be taken if (isset ( $message ['meta'] ['htmlpurifier_light'] )) { // format hook was called outside of Phorum's normal // functions, do the abridged purification $data [$message_id] ['body'] = $purifier->purify ( $message ['body'] ); continue; } if (! empty ( $PHORUM ['args'] ['purge'] )) { // purge the cache, must be below the following if unset ( $message ['meta'] ['body_cache'] ); } if (isset ( $message ['meta'] ['body_cache'] ) && isset ( $message ['meta'] ['body_cache_serial'] ) && $message ['meta'] ['body_cache_serial'] == $cache_serial) { // cached version is present, bail out early $data [$message_id] ['body'] = base64_decode ( $message ['meta'] ['body_cache'] ); continue; } } // migration might edit this array, that's why it's defined // so early $updated_message = array (); // create the $body variable if ($message_id && // message must be real to migrate ! isset ( $message ['meta'] ['body_cache_serial'] )) { // perform migration $fake_data = array (); list ( $signature, $edit_message ) = phorum_htmlpurifier_remove_sig_and_editmessage ( $message ); $fake_data [$message_id] = $message; $fake_data = phorum_htmlpurifier_migrate ( $fake_data ); $body = $fake_data [$message_id] ['body']; $body = str_replace ( "\n", "\n", $body ); $updated_message ['body'] = $body; // save it in $body .= $signature . $edit_message; // add it back in } else { // reverse Phorum's pre-processing $body = $message ['body']; // order is important $body = str_replace ( "\n", "\n", $body ); $body = str_replace ( array ( '<', '>', '&', '"' ), array ( '<', '>', '&', '"' ), $body ); if (! $message_id && defined ( 'PHORUM_CONTROL_CENTER' )) { // we're in control.php, so it was double-escaped $body = str_replace ( array ( '<', '>', '&', '"' ), array ( '<', '>', '&', '"' ), $body ); } } $body = $purifier->purify ( $body ); // dynamically update the cache (MUST BE DONE HERE!) // this is inefficient because it's one db call per // cache miss, but once the cache is in place things are // a lot zippier. if ($message_id) { // make sure it's not a fake id $updated_message ['meta'] = $message ['meta']; $updated_message ['meta'] ['body_cache'] = base64_encode ( $body ); $updated_message ['meta'] ['body_cache_serial'] = $cache_serial; phorum_db_update_message ( $message_id, $updated_message ); } // must not get overloaded until after we cache it, otherwise // we'll inadvertently change the original text $data [$message_id] ['body'] = $body; } } return $data; } // ----------------------------------------------------------------------- // This is fragile code, copied from read.php:596 (Phorum 5.2.6). Please // keep this code in-sync with Phorum /** * Generates a signature based on a message array */ function phorum_htmlpurifier_generate_sig($row) { $phorum_sig = ''; if (isset ( $row ["user"] ["signature"] ) && isset ( $row ['meta'] ['show_signature'] ) && $row ['meta'] ['show_signature'] == 1) { $phorum_sig = trim ( $row ["user"] ["signature"] ); if (! empty ( $phorum_sig )) { $phorum_sig = "\n\n$phorum_sig"; } } return $phorum_sig; } /** * Generates an edit message based on a message array */ function phorum_htmlpurifier_generate_editmessage($row) { $PHORUM = $GLOBALS ['PHORUM']; $editmessage = ''; if (isset ( $row ['meta'] ['edit_count'] ) && $row ['meta'] ['edit_count'] > 0) { $editmessage = str_replace ( "%count%", $row ['meta'] ['edit_count'], $PHORUM ["DATA"] ["LANG"] ["EditedMessage"] ); $editmessage = str_replace ( "%lastedit%", phorum_date ( $PHORUM ["short_date_time"], $row ['meta'] ['edit_date'] ), $editmessage ); $editmessage = str_replace ( "%lastuser%", $row ['meta'] ['edit_username'], $editmessage ); $editmessage = "\n\n\n\n$editmessage"; } return $editmessage; } // End fragile code // ----------------------------------------------------------------------- /** * Removes the signature and edit message from a message * * @param $row Message * passed by reference */ function phorum_htmlpurifier_remove_sig_and_editmessage(&$row) { $signature = phorum_htmlpurifier_generate_sig ( $row ); $editmessage = phorum_htmlpurifier_generate_editmessage ( $row ); $replacements = array (); // we need to remove add as that is the form these // extra bits are in. if ($signature) $replacements [str_replace ( "\n", "\n", $signature )] = ''; if ($editmessage) $replacements [str_replace ( "\n", "\n", $editmessage )] = ''; $row ['body'] = strtr ( $row ['body'], $replacements ); return array ( $signature, $editmessage ); } /** * Indicate that data is fully HTML and not from migration, invalidate * previous caches * @note This function could generate the actual cache entries, but * since there's data missing that must be deferred to the first read */ function phorum_htmlpurifier_posting($message) { $PHORUM = $GLOBALS ["PHORUM"]; unset ( $message ['meta'] ['body_cache'] ); // invalidate the cache $message ['meta'] ['body_cache_serial'] = $PHORUM ['mod_htmlpurifier'] ['body_cache_serial']; return $message; } /** * Overload quoting mechanism to prevent default, mail-style quote from happening */ function phorum_htmlpurifier_quote($array) { $PHORUM = $GLOBALS ["PHORUM"]; $purifier = & HTMLPurifier::getInstance (); $text = $purifier->purify ( $array [1] ); $source = htmlspecialchars ( $array [0] ); return "

\n$text\n

"; } /** * Ensure that our format hook is processed last. * Also, loads the library. * @credits */ function phorum_htmlpurifier_common() { require_once (dirname ( __FILE__ ) . '/htmlpurifier/HTMLPurifier.auto.php'); require (dirname ( __FILE__ ) . '/init-config.php'); $config = phorum_htmlpurifier_get_config (); HTMLPurifier::getInstance ( $config ); // increment revision.txt if you want to invalidate the cache $GLOBALS ['PHORUM'] ['mod_htmlpurifier'] ['body_cache_serial'] = $config->getSerial (); // load migration if (file_exists ( dirname ( __FILE__ ) . '/migrate.php' )) { include (dirname ( __FILE__ ) . '/migrate.php'); } else { echo 'Error: No migration path specified for HTML Purifier, please check modes/htmlpurifier/migrate.bbcode.php for instructions on how to migrate from your previous markup language.'; exit (); } if (! function_exists ( 'phorum_htmlpurifier_migrate' )) { // Dummy function function phorum_htmlpurifier_migrate($data) { return $data; } } } /** * Pre-emptively performs purification if it looks like a WYSIWYG editor * is being used */ function phorum_htmlpurifier_before_editor($message) { if (! empty ( $GLOBALS ['PHORUM'] ['mod_htmlpurifier'] ['wysiwyg'] )) { if (! empty ( $message ['body'] )) { $body = $message ['body']; // de-entity-ize contents $body = str_replace ( array ( '<', '>', '&' ), array ( '<', '>', '&' ), $body ); $purifier = & HTMLPurifier::getInstance (); $body = $purifier->purify ( $body ); // re-entity-ize contents $body = htmlspecialchars ( $body, ENT_QUOTES, $GLOBALS ['PHORUM'] ['DATA'] ['CHARSET'] ); $message ['body'] = $body; } } return $message; } function phorum_htmlpurifier_editor_after_subject() { // don't show this message if it's a WYSIWYG editor, since it will // then be handled automatically if (! empty ( $GLOBALS ['PHORUM'] ['mod_htmlpurifier'] ['wysiwyg'] )) { $i = $GLOBALS ['PHORUM'] ['DATA'] ['MODE']; if ($i == 'quote' || $i == 'edit' || $i == 'moderation') { ?>

Notice: HTML has been scrubbed for your safety. If you would like to see the original, turn off WYSIWYG mode (consult your administrator for details.)

HTML input is enabled. Make sure you escape all HTML and angled brackets with < and > .

config; if ($config->get ( 'AutoFormat.AutoParagraph' )) { ?>

Auto-paragraphing is enabled. Double newlines will be converted to paragraphs; for single newlines, use the pre tag.

getDefinition ( 'HTML' ); $allowed = array (); foreach ( $html_definition->info as $name => $x ) $allowed [] = "$name"; sort ( $allowed ); $allowed_text = implode ( ', ', $allowed ); ?>

Allowed tags: .

For inputting literal code such as HTML and PHP for display, use CDATA tags to auto-escape your angled brackets, and pre to preserve newlines:

<pre><![CDATA[
Place code here
]]></pre>

Power users, you can hide this notice with:

.htmlpurifier-help {display:none;}