mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2025-08-06 14:16:32 +02:00
[1.7.0] Add native support for required elements
- Factored out large portion of ValidateAttributes to AttrValidator - Implemented ValidateAttributes armor - Fix clear cache bug - Implement armoring for ValidateAttributes git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1174 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang
@@ -5,6 +5,8 @@ require_once 'HTMLPurifier/HTMLDefinition.php';
|
||||
require_once 'HTMLPurifier/Generator.php';
|
||||
require_once 'HTMLPurifier/TagTransform.php';
|
||||
|
||||
require_once 'HTMLPurifier/AttrValidator.php';
|
||||
|
||||
HTMLPurifier_ConfigSchema::define(
|
||||
'Core', 'RemoveInvalidImg', true, 'bool',
|
||||
'This directive enables pre-emptive URI checking in <code>img</code> '.
|
||||
@@ -41,6 +43,8 @@ class HTMLPurifier_Strategy_RemoveForeignElements extends HTMLPurifier_Strategy
|
||||
$remove_invalid_img = $config->get('Core', 'RemoveInvalidImg');
|
||||
$remove_script_contents = $config->get('Core', 'RemoveScriptContents');
|
||||
|
||||
$attr_validator = new HTMLPurifier_AttrValidator();
|
||||
|
||||
// removes tokens until it reaches a closing tag with its value
|
||||
$remove_until = false;
|
||||
|
||||
@@ -65,24 +69,23 @@ class HTMLPurifier_Strategy_RemoveForeignElements extends HTMLPurifier_Strategy
|
||||
}
|
||||
|
||||
if (isset($definition->info[$token->name])) {
|
||||
// leave untouched, except for a few special cases:
|
||||
|
||||
// hard-coded image special case, pre-emptively drop
|
||||
// if not available. Probably not abstract-able
|
||||
if ( $token->name == 'img' && $remove_invalid_img ) {
|
||||
if (!isset($token->attr['src'])) {
|
||||
continue;
|
||||
// mostly everything's good, but
|
||||
// we need to make sure required attributes are in order
|
||||
if (
|
||||
$definition->info[$token->name]->required_attr &&
|
||||
($token->name != 'img' || $remove_invalid_img) // ensure config option still works
|
||||
) {
|
||||
$token = $attr_validator->validateToken($token, $config, $context);
|
||||
$ok = true;
|
||||
foreach ($definition->info[$token->name]->required_attr as $name) {
|
||||
if (!isset($token->attr[$name])) {
|
||||
$ok = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!isset($definition->info['img']->attr['src'])) {
|
||||
continue;
|
||||
}
|
||||
$token->attr['src'] =
|
||||
$definition->
|
||||
info['img']->
|
||||
attr['src']->
|
||||
validate($token->attr['src'],
|
||||
$config, $context);
|
||||
if ($token->attr['src'] === false) continue;
|
||||
if (!$ok) continue;
|
||||
$token->armor['ValidateAttributes'] = true;
|
||||
}
|
||||
|
||||
} elseif ($escape_invalid_tags) {
|
||||
|
||||
@@ -4,6 +4,8 @@ require_once 'HTMLPurifier/Strategy.php';
|
||||
require_once 'HTMLPurifier/HTMLDefinition.php';
|
||||
require_once 'HTMLPurifier/IDAccumulator.php';
|
||||
|
||||
require_once 'HTMLPurifier/AttrValidator.php';
|
||||
|
||||
HTMLPurifier_ConfigSchema::define(
|
||||
'Attr', 'IDBlacklist', array(), 'list',
|
||||
'Array of IDs not allowed in the document.');
|
||||
@@ -17,16 +19,13 @@ class HTMLPurifier_Strategy_ValidateAttributes extends HTMLPurifier_Strategy
|
||||
|
||||
function execute($tokens, $config, &$context) {
|
||||
|
||||
$definition = $config->getHTMLDefinition();
|
||||
|
||||
// setup id_accumulator context
|
||||
$id_accumulator = new HTMLPurifier_IDAccumulator();
|
||||
$id_accumulator->load($config->get('Attr', 'IDBlacklist'));
|
||||
$context->register('IDAccumulator', $id_accumulator);
|
||||
|
||||
// create alias to global definition array, see also $defs
|
||||
// DEFINITION CALL
|
||||
$d_defs = $definition->info_global_attr;
|
||||
// setup validator
|
||||
$validator = new HTMLPurifier_AttrValidator();
|
||||
|
||||
foreach ($tokens as $key => $token) {
|
||||
|
||||
@@ -34,91 +33,12 @@ class HTMLPurifier_Strategy_ValidateAttributes extends HTMLPurifier_Strategy
|
||||
// namely start and empty tags
|
||||
if ($token->type !== 'start' && $token->type !== 'empty') continue;
|
||||
|
||||
// copy out attributes for easy manipulation
|
||||
$attr = $token->attr;
|
||||
// skip tokens that are armored
|
||||
if (!empty($token->armor['ValidateAttributes'])) continue;
|
||||
|
||||
// do global transformations (pre)
|
||||
// nothing currently utilizes this
|
||||
foreach ($definition->info_attr_transform_pre as $transform) {
|
||||
$attr = $transform->transform($attr, $config, $context);
|
||||
}
|
||||
|
||||
// do local transformations only applicable to this element (pre)
|
||||
// ex. <p align="right"> to <p style="text-align:right;">
|
||||
foreach ($definition->info[$token->name]->attr_transform_pre
|
||||
as $transform
|
||||
) {
|
||||
$attr = $transform->transform($attr, $config, $context);
|
||||
}
|
||||
|
||||
// create alias to this element's attribute definition array, see
|
||||
// also $d_defs (global attribute definition array)
|
||||
// DEFINITION CALL
|
||||
$defs = $definition->info[$token->name]->attr;
|
||||
|
||||
// iterate through all the attribute keypairs
|
||||
// Watch out for name collisions: $key has previously been used
|
||||
foreach ($attr as $attr_key => $value) {
|
||||
|
||||
// call the definition
|
||||
if ( isset($defs[$attr_key]) ) {
|
||||
// there is a local definition defined
|
||||
if ($defs[$attr_key] === false) {
|
||||
// We've explicitly been told not to allow this element.
|
||||
// This is usually when there's a global definition
|
||||
// that must be overridden.
|
||||
// Theoretically speaking, we could have a
|
||||
// AttrDef_DenyAll, but this is faster!
|
||||
$result = false;
|
||||
} else {
|
||||
// validate according to the element's definition
|
||||
$result = $defs[$attr_key]->validate(
|
||||
$value, $config, $context
|
||||
);
|
||||
}
|
||||
} elseif ( isset($d_defs[$attr_key]) ) {
|
||||
// there is a global definition defined, validate according
|
||||
// to the global definition
|
||||
$result = $d_defs[$attr_key]->validate(
|
||||
$value, $config, $context
|
||||
);
|
||||
} else {
|
||||
// system never heard of the attribute? DELETE!
|
||||
$result = false;
|
||||
}
|
||||
|
||||
// put the results into effect
|
||||
if ($result === false || $result === null) {
|
||||
// remove the attribute
|
||||
unset($attr[$attr_key]);
|
||||
} elseif (is_string($result)) {
|
||||
// simple substitution
|
||||
$attr[$attr_key] = $result;
|
||||
}
|
||||
|
||||
// we'd also want slightly more complicated substitution
|
||||
// involving an array as the return value,
|
||||
// although we're not sure how colliding attributes would
|
||||
// resolve (certain ones would be completely overriden,
|
||||
// others would prepend themselves).
|
||||
}
|
||||
|
||||
// post transforms
|
||||
|
||||
// ex. <x lang="fr"> to <x lang="fr" xml:lang="fr">
|
||||
foreach ($definition->info_attr_transform_post as $transform) {
|
||||
$attr = $transform->transform($attr, $config, $context);
|
||||
}
|
||||
|
||||
// ex. <bdo> to <bdo dir="ltr">
|
||||
foreach ($definition->info[$token->name]->attr_transform_post as $transform) {
|
||||
$attr = $transform->transform($attr, $config, $context);
|
||||
}
|
||||
|
||||
// commit changes
|
||||
// could interfere with flyweight implementation
|
||||
$tokens[$key]->attr = $attr;
|
||||
$tokens[$key] = $validator->validateToken($token, $config, $context);
|
||||
}
|
||||
|
||||
$context->destroy('IDAccumulator');
|
||||
|
||||
return $tokens;
|
||||
|
||||
Reference in New Issue
Block a user