--- a/includes/functions.php Fri Oct 05 01:57:00 2007 -0400
+++ b/includes/functions.php Sat Oct 06 13:01:46 2007 -0400
@@ -1789,6 +1789,26 @@
function sanitize_html($html, $filter_php = true)
{
+ // Random seed for substitution
+ $rand_seed = md5( sha1(microtime()) . mt_rand() );
+
+ // Strip out comments that are already escaped
+ preg_match_all('/<!--(.*?)-->/', $html, $comment_match);
+ $i = 0;
+ foreach ( $comment_match[0] as $comment )
+ {
+ $html = str_replace_once($comment, "{HTMLCOMMENT:$i:$rand_seed}", $html);
+ $i++;
+ }
+
+ // Strip out code sections that will be postprocessed by Text_Wiki
+ preg_match_all(';^<code(\s[^>]*)?>((?:(?R)|.)*?)\n</code>(\s|$);msi', $html, $code_match);
+ $i = 0;
+ foreach ( $code_match[0] as $code )
+ {
+ $html = str_replace_once($code, "{TW_CODE:$i:$rand_seed}", $html);
+ $i++;
+ }
$html = preg_replace('#<([a-z]+)([\s]+)([^>]+?)'.htmlalternatives('javascript:').'(.+?)>(.*?)</\\1>#is', '<\\1\\2\\3javascript:\\59>\\60</\\1>', $html);
$html = preg_replace('#<([a-z]+)([\s]+)([^>]+?)'.htmlalternatives('javascript:').'(.+?)>#is', '<\\1\\2\\3javascript:\\59>', $html);
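Review bot: The spans cut out at L10–L25 are put back verbatim by the restore loops in the second hunk, so nothing inside a matched `<!-- -->` comment or `<code>` block passes through the `javascript:` filtering at L26–L27 or any later step of the function; the sanitizer's guarantee now depends on this regex agreeing with every HTML parser about where a comment ends. `/<!--(.*?)-->/` has no `s` modifier, so a multi-line comment falls through to the existing `preg_replace` removal at the top of the second hunk while a single-line one survives with its raw body — the two paths should be made consistent, and if raw comment bodies must be kept, validate the captured body before restoring (the HTML spec forbids `--` inside comment text; restoring an empty string instead of the original when the body fails that check keeps the existing removal semantics). The placeholder secret `$rand_seed` is derived from `mt_rand()` and `microtime()`, which are not cryptographic sources, so a comment such as `// placeholder tokens are only unforgeable while the seed is unguessable` would make that assumption explicit for maintainers. The body of sanitize_html continues outside the hunk, and `str_replace_once` is a project helper not visible here, so I cannot confirm how it behaves when the needle is absent.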
@@ -1900,6 +1920,22 @@
// Unstrip comments
$html = preg_replace('/<!--([^>]*?)-->/i', '', $html);
+
+ // Restore stripped comments
+ $i = 0;
+ foreach ( $comment_match[0] as $comment )
+ {
+ $html = str_replace_once("{HTMLCOMMENT:$i:$rand_seed}", $comment, $html);
+ $i++;
+ }
+
+ // Restore stripped code
+ $i = 0;
+ foreach ( $code_match[0] as $code )
+ {
+ $html = str_replace_once("{TW_CODE:$i:$rand_seed}", $code, $html);
+ $i++;
+ }
return $html;