Relax allowed values of class for certain doctypes, see %Attr.ClassUseCDATA

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2025-08-01 11:50:28 +02:00 · 2009-05-26 01:07:40 -04:00
parent 10e2d32a79
commit 84abae08f5
8 changed files with 64 additions and 7 deletions
--- a/library/HTMLPurifier/AttrDef/HTML/Class.php
+++ b/library/HTMLPurifier/AttrDef/HTML/Class.php
@@ -5,6 +5,15 @@
 */
 class HTMLPurifier_AttrDef_HTML_Class extends HTMLPurifier_AttrDef_HTML_Nmtokens
 {
+    protected function split($string, $config, $context) {
+        // really, this twiddle should be lazy loaded
+        $name = $config->getDefinition('HTML')->doctype->name;
+        if ($name == "XHTML 1.1" || $name == "XHTML 2.0") {
+            return parent::split($string, $config, $context);
+        } else {
+            return preg_split('/\s+/', $string);
+        }
+    }
    protected function filter($tokens, $config, $context) {
        $allowed = $config->get('Attr.AllowedClasses');
        $forbidden = $config->get('Attr.ForbiddenClasses');
@@ -14,9 +23,9 @@ class HTMLPurifier_AttrDef_HTML_Class extends HTMLPurifier_AttrDef_HTML_Nmtokens
                ($allowed === null || isset($allowed[$token])) &&
                !isset($forbidden[$token])
            ) {
-                $ret[] = $token;
+                $ret[$token] = true;
            }
        }
-        return $ret;
+        return array_keys($ret);
    }
 }
--- a/library/HTMLPurifier/AttrDef/HTML/Nmtokens.php
+++ b/library/HTMLPurifier/AttrDef/HTML/Nmtokens.php
@@ -13,7 +13,7 @@ class HTMLPurifier_AttrDef_HTML_Nmtokens extends HTMLPurifier_AttrDef
        // early abort: '' and '0' (strings that convert to false) are invalid
        if (!$string) return false;

-        $tokens = $this->split($string);
+        $tokens = $this->split($string, $config, $context);
        $tokens = $this->filter($tokens, $config, $context);
        if (empty($tokens)) return false;
        return implode(' ', $tokens);
@@ -23,7 +23,7 @@ class HTMLPurifier_AttrDef_HTML_Nmtokens extends HTMLPurifier_AttrDef
    /**
     * Splits a space separated list of tokens into its constituent parts.
     */
-    protected function split($string) {
+    protected function split($string, $config, $context) {
        // OPTIMIZABLE!
        // do the preg_match, capture all subpatterns for reformulation