Add option to clean raw html on save

core.php

@@ -607,6 +607,11 @@ function parse_page_source($source)
 	if(!isset($parsers->{$settings->parser}))
 		exit(page_renderer::render_main("Parsing error - $settings->sitename", "<p>Parsing some page source data failed. This is most likely because $settings->sitename has the parser setting set incorrectly. Please contact <a href='mailto:" . hide_email($settings->admindetails["email"]) . "'>" . $settings->admindetails["name"] . "</a>, your Administrator."));
 	
+/* Not needed atm because escaping happens when saving, not when rendering *
+	if($settings->clean_raw_html)
+		$source = htmlentities($source, ENT_QUOTES | ENT_HTML5);
+*/
+	
 	return $parsers->{$settings->parser}($source);
 }
 

modules/page-edit.php

@@ -118,7 +118,11 @@ register_module([
 				mkdir(dirname("$env->page.md"), null, true);
 			}
 			
-			$pagedata = htmlentities($_POST["content"], ENT_QUOTES);
+			
+			$pagedata = $_POST["content"];
+			
+			if($settings->clean_raw_html)
+				$pagedata = htmlentities($pagedata, ENT_QUOTES);
 			
 			if(file_put_contents("$env->page.md", $pagedata) !== false)
 			{

settings.fragment.php

@@ -38,6 +38,13 @@ $settings->editing = true;
 // 135,000 characters, which is about 50 pages.
 $settings->maxpagesize = 135000;
 
+// Whether page sources should be cleaned of HTML before rendering. If set to
+// true any raw HTML will be escaped before rendering. Note that this shouldn't
+// affect code blocks - they should alwys be escaped. It is STRONGLY
+// recommended that you keep this option turned on, *ESPECIALLY* if you allow
+// anonymous edits as no sanitizing what so ever is performed on the HTML.
+$settings->clean_raw_html = true;
+
 // Determined whether users who aren't logged in are allowed to edit your wiki.
 // Set to true to allow anonymous users to log in.
 $settings->anonedits = false;