From 369a69d5335eeac2018f9b901705babb1f6d4005 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Wed, 11 Jun 2008 17:43:48 +0000
Subject: [PATCH] [2.1.5] [MFH] Fix stray backslashes in font-family.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/branches/php4@1790 48356398-32a2-884e-a903-53898d9a118a
---
 NEWS | 2 ++
 library/HTMLPurifier/AttrDef/CSS/FontFamily.php | 8 +++++---
 tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php | 1 +
 tests/HTMLPurifier/AttrDef/CSS/URITest.php | 1 -
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index e602f617..91892389 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,8 @@ ERRATA
 code from directly modifying CurrentToken when they're not supposed to.
 - Percent encoding checks enabled for URI query and fragment
 - Disable percent height/width attributes for img
+- Fix stray backslashes in font-family; CSS Unicode character escapes are
+ now properly resolved (although *only* in font-family).
 . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses this class.
diff --git a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
index dfd89b95..9b18edca 100644
--- a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
+++ b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
@@ -38,9 +38,11 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
 $quote = $font[0];
 if ($font[$length - 1] !== $quote) continue;
 $font = substr($font, 1, $length - 2);
- // double-backslash processing is buggy
+ // double-backslash processing is buggy. Namely, it doesn't allow
+ // fonts that contain an adjacent quote, backslash, or comma
 $font = str_replace("\\$quote", $quote, $font); // de-escape quote
- $font = str_replace("\\\n", "\n", $font); // de-escape newlines
+ $font = str_replace("\\\n", '', $font); // de-escape newlines
+ $font = str_replace("\\\\", "\\", $font); // de-escape double backslashes
 }
 // $font is a pure representation of the font name
@@ -53,8 +55,8 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
 // complicated font, requires quoting
 // armor single quotes and new lines
+ $font = str_replace("\\", "\\\\", $font);
 $font = str_replace("'", "\\'", $font);
- $font = str_replace("\n", "\\\n", $font);
 $final .= "'$font', ";
 }
 $final = rtrim($final, ', ');
diff --git a/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php b/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php
index 25571128..b57d074f 100644
--- a/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php
@@ -20,6 +20,7 @@ class HTMLPurifier_AttrDef_CSS_FontFamilyTest extends HTMLPurifier_AttrDefHarnes
 $this->assertDef("John's Font", $d);
 $this->assertDef($d = "'\xE5\xAE\x8B\xE4\xBD\x93'");
 $this->assertDef("\xE5\xAE\x8B\xE4\xBD\x93", $d);
+ $this->assertDef("'\\','f'", "'\\\\', f");
 }
diff --git a/tests/HTMLPurifier/AttrDef/CSS/URITest.php b/tests/HTMLPurifier/AttrDef/CSS/URITest.php
index 97e547c8..152771d6 100644
--- a/tests/HTMLPurifier/AttrDef/CSS/URITest.php
+++ b/tests/HTMLPurifier/AttrDef/CSS/URITest.php
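Review bot: The trailing comment `// de-escape newlines` on the rewritten line is now stale: the replacement deletes the backslash-newline pair instead of turning it into a newline, which is CSS line-continuation semantics, so it should read `$font = str_replace("\\\n", '', $font); // backslash-newline is a CSS line continuation: drop it`. Only the LF form is handled; a backslash followed by CR or CRLF is left in `$font` as exactly the stray backslash the commit title targets, so consider covering `"\\\r\n"` and `"\\\r"` the same way. The NEWS entry in this patch says CSS Unicode character escapes are now resolved, but nothing in this hunk handles a backslash followed by hex digits; if that is not done elsewhere in the file, the NEWS wording overstates the change. The enclosing method begins before this hunk and continues past it.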
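Review bot: With the `"\n"` armoring line removed in the second hunk (@@ -53,8 +55,8 @@), a raw newline that reaches `$font` unescaped is now written bare inside the single-quoted output string, and an unescaped newline terminates a CSS string token, so the emitted declaration is malformed rather than a clean string. Unless a check outside this hunk already rejects control characters, strip them before quoting with `$font = str_replace(array("\r", "\n"), '', $font);` placed ahead of the backslash doubling. The order of the two remaining replacements is right (backslashes first, then quotes, so the output round-trips), but the comment above them, `// armor single quotes and new lines`, no longer describes them; suggest `// armor backslashes first, then single quotes, so the quoted name round-trips`. The enclosing loop and method begin outside the hunk.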
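Review bot: The new assertion in FontFamilyTest only covers a lone backslash as a font name, so neither the new `\\` de-escape nor the backslash-before-quote ordering on the output path is exercised by it. Assuming the one-argument form means the input must round-trip, as the `$d = …` line above uses it, adding `$this->assertDef("'a\\\\b'");` and `$this->assertDef("\"a\\\\'b\"", "'a\\\\\\'b'");` would pin both; the second fails if the quote is escaped before the backslash is doubled. Note that `'\'` is not a well-formed CSS string, since its backslash escapes the closing quote, so the added case pins deliberately lenient parsing and deserves a one-line comment saying so. The test method continues outside the hunk.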
@@ -29,7 +29,6 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
 // escaping
 $this->assertDef("url(http://www.example.com/foo,bar\))", "url(http://www.example.com/foo\,bar\))");
-
 }
 }