Changeset 12067

Timestamp:

05/06/2018 10:47:08 AM (6 years ago)

Author:

imath

Message:

BP Nouveau: restrict the allowed HTML tags for Messages.

BP Nouveau is using the WP Editor to improve the user experience of the Messages component when people are writing a new message or replying to a thread. So far allowed HTML tags for the messages content *when BP Nouveau is the active template pack* were the same than WordPress Posts. When BP Nouveau is not the active template pack, the allowed tags are those of the WordPress global .

This commit is introducing a new function that is used to filter the allowed HTML tags for activity content and message content. It extends the with new tags (img, span, ul, ol & li) and leaves specific functions to the 2 components to include filters so that it is possible to restrict/extend allowed HTML tags for both content types or one of them. It also restricts the WP Editor available buttons when used into the BP Nouveau Messages UI so that they are consistent with the allowed HTML tags.

Props DJPaul

Fixes #7795

Location:

trunk/src

Files:

• bp-activity/bp-activity-filters.php (modified) (2 diffs)
• bp-core/bp-core-functions.php (modified) (1 diff)
• bp-messages/bp-messages-filters.php (modified) (5 diffs)
• bp-templates/bp-nouveau/buddypress/common/js-templates/messages/index.php (modified) (2 diffs)
• bp-templates/bp-nouveau/css/buddypress-rtl.css (modified) (2 diffs)
• bp-templates/bp-nouveau/css/buddypress.css (modified) (2 diffs)
• bp-templates/bp-nouveau/includes/messages/functions.php (modified) (2 diffs)
• bp-templates/bp-nouveau/includes/messages/loader.php (modified) (1 diff)
• bp-templates/bp-nouveau/sass/_nouveau_messages.scss (modified) (2 diffs)

trunk/src/bp-activity/bp-activity-filters.php

@@ -203 +203 @@
  */
 function bp_activity_filter_kses( $content ) {
-    global $allowedtags;
-
-    $activity_allowedtags = $allowedtags;
-    $activity_allowedtags['a']['aria-label']      = array();
-    $activity_allowedtags['a']['class']           = array();
-    $activity_allowedtags['a']['data-bp-tooltip'] = array();
-    $activity_allowedtags['a']['id']              = array();
-    $activity_allowedtags['a']['rel']             = array();
-    $activity_allowedtags['a']['title']           = array();
-
-    $activity_allowedtags['b']    = array();
-    $activity_allowedtags['code'] = array();
-    $activity_allowedtags['i']    = array();
-
-    $activity_allowedtags['img']           = array();
-    $activity_allowedtags['img']['src']    = array();
-    $activity_allowedtags['img']['alt']    = array();
-    $activity_allowedtags['img']['width']  = array();
-    $activity_allowedtags['img']['height'] = array();
-    $activity_allowedtags['img']['class']  = array();
-    $activity_allowedtags['img']['id']     = array();
-
-    $activity_allowedtags['span']                   = array();
-    $activity_allowedtags['span']['class']          = array();
-    $activity_allowedtags['span']['data-livestamp'] = array();
-
-    $activity_allowedtags['ul'] = array();
-    $activity_allowedtags['ol'] = array();
-    $activity_allowedtags['li'] = array();
-
     /**
      * Filters the allowed HTML tags for BuddyPress Activity content.
@@ -240 +210 @@
      * @param array $value Array of allowed HTML tags and attributes.
      */
-    $activity_allowedtags = apply_filters( 'bp_activity_allowed_tags', $activity_allowedtags );
+    $activity_allowedtags = apply_filters( 'bp_activity_allowed_tags', bp_get_allowedtags() );
     return wp_kses( $content, $activity_allowedtags );
 }

trunk/src/bp-core/bp-core-functions.php

@@ -3804 +3804 @@
     return (array) apply_filters( 'bp_email_get_unsubscribe_type_schema', $emails );
 }
+
+/**
+ * Get BuddyPress content allowed tags.
+ *
+ * @since  3.0.0
+ *
+ * @global array $allowedtags KSES allowed HTML elements.
+ * @return array              BuddyPress content allowed tags.
+ */
+function bp_get_allowedtags() {
+    global $allowedtags;
+
+    return array_merge_recursive( $allowedtags, array(
+        'a' => array(
+            'aria-label'      => array(),
+            'class'           => array(),
+            'data-bp-tooltip' => array(),
+            'id'              => array(),
+            'rel'             => array(),
+        ),
+        'img' => array(
+            'src'    => array(),
+            'alt'    => array(),
+            'width'  => array(),
+            'height' => array(),
+            'class'  => array(),
+            'id'     => array(),
+        ),
+        'span'=> array(
+            'class'          => array(),
+            'data-livestamp' => array(),
+        ),
+        'ul' => array(),
+        'ol' => array(),
+        'li' => array(),
+    ) );
+}

trunk/src/bp-messages/bp-messages-filters.php

@@ -19 +19 @@
 add_filter( 'bp_get_messages_subject_value',        'wp_filter_kses', 1 );
 add_filter( 'bp_get_messages_content_value',        'wp_filter_kses', 1 );
-add_filter( 'bp_get_the_thread_message_content',    'wp_filter_kses', 1 );
+add_filter( 'messages_message_subject_before_save', 'wp_filter_kses', 1 );
+add_filter( 'messages_notice_subject_before_save',  'wp_filter_kses', 1 );
+add_filter( 'bp_get_the_thread_subject',            'wp_filter_kses', 1 );
 
-add_filter( 'messages_message_content_before_save', 'wp_filter_kses', 1 );
-add_filter( 'messages_message_subject_before_save', 'wp_filter_kses', 1 );
-add_filter( 'messages_notice_message_before_save',  'wp_filter_kses', 1 );
-add_filter( 'messages_notice_subject_before_save',  'wp_filter_kses', 1 );
-
-add_filter( 'bp_get_the_thread_message_content',    'wp_filter_kses', 1 );
-add_filter( 'bp_get_the_thread_subject',            'wp_filter_kses', 1 );
+add_filter( 'bp_get_the_thread_message_content',    'bp_messages_filter_kses', 1 );
+add_filter( 'messages_message_content_before_save', 'bp_messages_filter_kses', 1 );
+add_filter( 'messages_notice_message_before_save',  'bp_messages_filter_kses', 1 );
+add_filter( 'bp_get_message_thread_content',        'bp_messages_filter_kses', 1 );
 
 add_filter( 'messages_message_content_before_save', 'force_balance_tags' );
@@ -46 +45 @@
 add_filter( 'bp_get_message_thread_excerpt',     'wptexturize' );
 add_filter( 'bp_get_the_thread_message_content', 'wptexturize' );
+add_filter( 'bp_get_message_thread_content',     'wptexturize' );
 
 add_filter( 'bp_get_message_notice_subject',     'convert_smilies', 2 );
@@ -52 +52 @@
 add_filter( 'bp_get_message_thread_excerpt',     'convert_smilies', 2 );
 add_filter( 'bp_get_the_thread_message_content', 'convert_smilies', 2 );
+add_filter( 'bp_get_message_thread_content',     'convert_smilies', 2 );
 
 add_filter( 'bp_get_message_notice_subject',     'convert_chars' );
@@ -58 +59 @@
 add_filter( 'bp_get_message_thread_excerpt',     'convert_chars' );
 add_filter( 'bp_get_the_thread_message_content', 'convert_chars' );
+add_filter( 'bp_get_message_thread_content',     'convert_chars' );
 
 add_filter( 'bp_get_message_notice_text',        'make_clickable', 9 );
 add_filter( 'bp_get_the_thread_message_content', 'make_clickable', 9 );
+add_filter( 'bp_get_message_thread_content',     'make_clickable', 9 );
 
 add_filter( 'bp_get_message_notice_text',        'wpautop' );
 add_filter( 'bp_get_the_thread_message_content', 'wpautop' );
+add_filter( 'bp_get_message_thread_content',     'wpautop' );
 
-add_filter( 'bp_get_message_notice_subject',          'stripslashes_deep' );
-add_filter( 'bp_get_message_notice_text',             'stripslashes_deep' );
-add_filter( 'bp_get_message_thread_subject',          'stripslashes_deep' );
-add_filter( 'bp_get_message_thread_excerpt',          'stripslashes_deep' );
-add_filter( 'bp_get_message_get_recipient_usernames', 'stripslashes_deep' );
-add_filter( 'bp_get_messages_subject_value',          'stripslashes_deep' );
-add_filter( 'bp_get_messages_content_value',          'stripslashes_deep' );
-add_filter( 'bp_get_the_thread_message_content',      'stripslashes_deep' );
-add_filter( 'bp_get_the_thread_subject',              'stripslashes_deep' );
+add_filter( 'bp_get_message_notice_subject',          'stripslashes_deep'    );
+add_filter( 'bp_get_message_notice_text',             'stripslashes_deep'    );
+add_filter( 'bp_get_message_thread_subject',          'stripslashes_deep'    );
+add_filter( 'bp_get_message_thread_excerpt',          'stripslashes_deep'    );
+add_filter( 'bp_get_message_get_recipient_usernames', 'stripslashes_deep'    );
+add_filter( 'bp_get_messages_subject_value',          'stripslashes_deep'    );
+add_filter( 'bp_get_messages_content_value',          'stripslashes_deep'    );
+add_filter( 'bp_get_the_thread_message_content',      'stripslashes_deep'    );
+add_filter( 'bp_get_the_thread_subject',              'stripslashes_deep'    );
+add_filter( 'bp_get_message_thread_content',          'stripslashes_deep', 1 );
 
 /**
@@ -99 +104 @@
 }
 add_filter( 'bp_after_has_message_threads_parse_args', 'bp_messages_enforce_current_user', 5 );
+
+/**
+ * Custom kses filtering for message content.
+ *
+ * @since 3.0.0
+ *
+ * @param string $content The message content.
+ * @return string         The filtered message content.
+ */
+function bp_messages_filter_kses( $content ) {
+    $messages_allowedtags      = bp_get_allowedtags();
+    $messages_allowedtags['p'] = array();
+
+    /**
+     * Filters the allowed HTML tags for BuddyPress Messages content.
+     *
+     * @since 3.0.0
+     *
+     * @param array $value Array of allowed HTML tags and attributes.
+     */
+    $messages_allowedtags = apply_filters( 'bp_messages_allowed_tags', $messages_allowedtags );
+    return wp_kses( $content, $messages_allowedtags );
+}

trunk/src/bp-templates/bp-nouveau/buddypress/common/js-templates/messages/index.php

@@ -42 +42 @@
 <script type="text/html" id="tmpl-bp-messages-editor">
     <?php
-    // Temporarily filter the editor
-    add_filter( 'mce_buttons', 'bp_nouveau_mce_buttons', 10, 1 );
+    // Add a temporary filter on editor buttons
+    add_filter( 'mce_buttons', 'bp_nouveau_messages_mce_buttons', 10, 1 );
 
     wp_editor(
@@ -59 +59 @@
         )
     );
-    // Temporarily filter the editor
-    remove_filter( 'mce_buttons', 'bp_nouveau_mce_buttons', 10, 1 );
+    // Remove the temporary filter on editor buttons
+    remove_filter( 'mce_buttons', 'bp_nouveau_messages_mce_buttons', 10, 1 );
     ?>
 </script>

trunk/src/bp-templates/bp-nouveau/css/buddypress-rtl.css

@@ -3070 +3070 @@
 
 .bp-messages-content #thread-preview .preview-message {
-    clear: both;
+    overflow: hidden;
 }
 
@@ -3139 +3139 @@
 
 .bp-messages-content #bp-message-thread-list .message-content {
-    clear: both;
+    overflow: hidden;
     margin: 1em auto 0;
     width: 90%;

trunk/src/bp-templates/bp-nouveau/css/buddypress.css

@@ -3070 +3070 @@
 
 .bp-messages-content #thread-preview .preview-message {
-    clear: both;
+    overflow: hidden;
 }
 
@@ -3139 +3139 @@
 
 .bp-messages-content #bp-message-thread-list .message-content {
-    clear: both;
+    overflow: hidden;
     margin: 1em auto 0;
     width: 90%;

trunk/src/bp-templates/bp-nouveau/includes/messages/functions.php

@@ -300 +300 @@
 
 /**
- * @since 3.0.0
- */
-function bp_nouveau_mce_buttons( $buttons = array() ) {
+ * Disable the WP Editor buttons not allowed in messages content.
+ *
+ * @since 3.0.0
+ *
+ * @param array $buttons The WP Editor buttons list.
+ * @param array          The filtered WP Editor buttons list.
+ */
+function bp_nouveau_messages_mce_buttons( $buttons = array() ) {
     $remove_buttons = array(
         'wp_more',
@@ -308 +313 @@
         'wp_adv',
         'fullscreen',
+        'alignleft',
+        'alignright',
+        'aligncenter',
+        'formatselect',
     );
 

trunk/src/bp-templates/bp-nouveau/includes/messages/loader.php

@@ -103 +103 @@
         // Messages
         add_filter( 'bp_messages_admin_nav', 'bp_nouveau_messages_adjust_admin_nav', 10, 1 );
-
-        remove_filter( 'messages_notice_message_before_save', 'wp_filter_kses', 1 );
-        remove_filter( 'messages_message_content_before_save', 'wp_filter_kses', 1 );
-        remove_filter( 'bp_get_the_thread_message_content', 'wp_filter_kses', 1 );
-
-        add_filter( 'messages_notice_message_before_save', 'wp_filter_post_kses', 1 );
-        add_filter( 'messages_message_content_before_save', 'wp_filter_post_kses', 1 );
-        add_filter( 'bp_get_the_thread_message_content', 'wp_filter_post_kses', 1 );
-        add_filter( 'bp_get_message_thread_content', 'wp_filter_post_kses', 1 );
-        add_filter( 'bp_get_message_thread_content', 'wptexturize' );
-        add_filter( 'bp_get_message_thread_content', 'stripslashes_deep', 1 );
-        add_filter( 'bp_get_message_thread_content', 'convert_smilies', 2 );
-        add_filter( 'bp_get_message_thread_content', 'convert_chars' );
-        add_filter( 'bp_get_message_thread_content', 'make_clickable', 9 );
-        add_filter( 'bp_get_message_thread_content', 'wpautop' );
     }
 }

trunk/src/bp-templates/bp-nouveau/sass/_nouveau_messages.scss

@@ -193 +193 @@
 
         .preview-message {
-            clear: both;
+            overflow: hidden;
         }
 
@@ -264 +264 @@
 
         .message-content {
-            clear: both;
+            overflow: hidden;
             margin: 1em auto 0;
             width: 90%;