reply: accept html input from admins

Forgo html formatting if text starts with an element such as <p>.
Restricted for safety since it's not validated.  Intermediate solution to
support rich contents (wysiwyg editor can be added later for accessibility).

diff --git a/upload.inc.php b/upload.inc.php
index afaa047303b3cf420872460325303056d791adf9..74219ed0043c01e77a3db61026e5c09dc0fe1036 100644 (file)
--- a/upload.inc.php
+++ b/upload.inc.php
@@ -41,9 +41,13 @@ function userupload($input, $target = NULL, $filename = NULL)
 function messagehtml($input)
 {
        # convert user textarea post to formatted html
+       global $User;
        if (empty($input)) {
                return;
        }
+       if ($User and $User->admin and preg_match('/\A<[a-z][^>]*>/', $input)) {
+               return $input;  # allow html input as is if privileged
+       }
        $html = preg_replace(
                ["/\r?\n/", "'(?:<br />\n?){2}'"],
                ["<br />\n", "</p>\n\n<p>"],