[3.1.0] Implement %HTML.Forbidden*

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1671 48356398-32a2-884e-a903-53898d9a118a
2025-08-05 21:57:26 +02:00 · 2008-04-22 07:16:49 +00:00
parent d3710518ce
commit 4fe475c57f
9 changed files with 77 additions and 8 deletions
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
@@ -3,16 +3,13 @@ TYPE: lookup/null
 VERSION: 1.3.0
 DEFAULT: NULL
 --DESCRIPTION--
-
 <p>
    If HTML Purifier's tag set is unsatisfactory for your needs, you 
    can overload it with your own list of tags to allow.  Note that this 
-    method is subtractive: it does its job by taking away from HTML
-Purifier 
+    method is subtractive: it does its job by taking away from HTML Purifier 
    usual feature set, so you cannot add a tag that HTML Purifier never 
    supported in the first place (like embed, form or head).  If you 
    change this, you probably also want to change %HTML.AllowedAttributes.
-
 </p>
 <p>
    <strong>Warning:</strong> If another directive conflicts with the 
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt
@@ -0,0 +1,10 @@
+HTML.ForbiddenAttributes
+TYPE: lookup
+VERSION: 3.1.0
+DEFAULT: array()
+--DESCRIPTION--
+<p>
+    This directive complements %HTML.ForbiddenElements and is the inverse of
+    %HTML.AllowedAttributes. Please see the former for a discussion of why you
+    should think twice before using this directive.
+</p>
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt
@@ -0,0 +1,19 @@
+HTML.ForbiddenElements
+TYPE: lookup
+VERSION: 3.1.0
+DEFAULT: array()
+--DESCRIPTION--
+<p>
+    This was, perhaps, the most requested feature ever in HTML
+    Purifier. Please don't abuse it! This is the logical inverse of
+    %HTML.AllowedElements, and it will override that directive, or any
+    other directive.
+</p>
+<p>
+    If possible, %HTML.Allowed is recommended over this directive, because it
+    can sometimes be difficult to tell whether or not you've forbidden all of
+    the behavior you would like to disallow. If you forbid <code>img</code>
+    with the expectation of preventing images on your site, you'll be in for
+    a nasty surprise when people start using the <code>background-image</code>
+    CSS property.
+</p>
--- a/library/HTMLPurifier/HTMLDefinition.php
+++ b/library/HTMLPurifier/HTMLDefinition.php
@@ -296,6 +296,24 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
                        E_USER_WARNING);
                }
            }
+            
+        }
+        
+        // setup forbidden elements
+        $forbidden_elements = $config->get('HTML', 'ForbiddenElements');
+        $forbidden_attributes = $config->get('HTML', 'ForbiddenAttributes');
+        
+        foreach ($this->info as $tag => $info) {
+            if (isset($forbidden_elements[$tag])) {
+                unset($this->info[$tag]);
+                continue;
+            }
+            foreach ($info->attr as $name => $def) {
+                if (isset($forbidden_attributes["$tag.$name"])) {
+                    unset($this->info[$tag]->attr[$name]);
+                    continue;
+                }
+            }
        }
        
    }