[1.3.0] More control of URIs granted

# Invalid images are now removed, rather than replaced with a dud <img src="" alt="Invalid image" />. Previous behavior can be restored with new directive %Core.RemoveInvalidImg set to false. ! New directives %URI.DisableExternalResources and %URI.DisableResources ! New directive %Attr.DisableURI, which eliminates all hyperlinking - Missing "Available since" documentation added git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@575 48356398-32a2-884e-a903-53898d9a118a
2025-08-05 13:47:24 +02:00 · 2006-11-23 23:59:20 +00:00
parent 61b6ee7183
commit 49cb2a4a7c
10 changed files with 168 additions and 50 deletions
--- a/library/HTMLPurifier/Strategy/RemoveForeignElements.php
+++ b/library/HTMLPurifier/Strategy/RemoveForeignElements.php
@@ -5,6 +5,14 @@ require_once 'HTMLPurifier/HTMLDefinition.php';
 require_once 'HTMLPurifier/Generator.php';
 require_once 'HTMLPurifier/TagTransform.php';

+HTMLPurifier_ConfigSchema::define(
+    'Core', 'RemoveInvalidImg', true, 'bool',
+    'This directive enables pre-emptive URI checking in <code>img</code> '.
+    'tags, as the attribute validation strategy is not authorized to '.
+    'remove elements from the document.  This directive has been available '.
+    'since 1.3.0, revert to pre-1.3.0 behavior by setting to false.'
+);
+
 /**
 * Removes all unrecognized tags from the list of tokens.
 * 
@@ -25,7 +33,23 @@ class HTMLPurifier_Strategy_RemoveForeignElements extends HTMLPurifier_Strategy
            if (!empty( $token->is_tag )) {
                // DEFINITION CALL
                if (isset($definition->info[$token->name])) {
-                    // leave untouched
+                    // leave untouched, except for a few special cases:
+                    
+                    // hard-coded image special case, pre-emptively drop
+                    // if not available. Probably not abstract-able
+                    if ( $token->name == 'img' ) {
+                        if (!isset($token->attr['src'])) continue;
+                        if (!isset($definition->info['img']->attr['src'])) {
+                            continue;
+                        }
+                        $token->attr['src'] =
+                            $definition->
+                                info['img']->
+                                    attr['src']->
+                                        validate($token->attr['src']);
+                        if ($token->attr['src'] === false) continue;
+                    }
+                    
                } elseif (
                    isset($definition->info_tag_transform[$token->name])
                ) {