From cfc4ee1faf9e340a29b93d21590ea306140c6b71 Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Fri, 12 Nov 2010 18:45:03 +0000 Subject: [PATCH] Add initial implementation of CSS.Trusted. Signed-off-by: Edward Z. Yang --- NEWS | 2 ++ configdoc/usage.xml | 11 ++++++--- library/HTMLPurifier/CSSDefinition.php | 21 ++++++++++++++++++ library/HTMLPurifier/ConfigSchema/schema.ser | Bin 13776 -> 13845 bytes .../ConfigSchema/schema/CSS.Trusted.txt | 9 ++++++++ .../ConfigSchema/schema/HTML.Trusted.txt | 1 + tests/HTMLPurifier/AttrDef/CSSTest.php | 9 ++++++++ 7 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt diff --git a/NEWS b/NEWS index a0d2084b..7cb9ba57 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier 4.2.1, unknown release date ! Added %HTML.Nofollow to add rel="nofollow" to external links. ! More types of SPL autoloaders allowed on later versions of PHP. +! Implementations for position, top, left, right, bottom, z-index + when %CSS.Trusted is on. - Make removal of conditional IE comments ungreedy; thanks Bernd for reporting. - Escape CDATA before removing Internet Explorer comments. diff --git a/configdoc/usage.xml b/configdoc/usage.xml index d97dc6c9..42e60aa6 100644 --- a/configdoc/usage.xml +++ b/configdoc/usage.xml @@ -32,19 +32,24 @@ 218 - + 222 + + + 226 + + - 275 + 296 - 289 + 310 diff --git a/library/HTMLPurifier/CSSDefinition.php b/library/HTMLPurifier/CSSDefinition.php index f0257da0..91619f5d 100644 --- a/library/HTMLPurifier/CSSDefinition.php +++ b/library/HTMLPurifier/CSSDefinition.php @@ -219,6 +219,10 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition $this->doSetupTricky($config); } + if ($config->get('CSS.Trusted')) { + $this->doSetupTrusted($config); + } + $allow_important = $config->get('CSS.AllowImportant'); // wrap all attr-defs with decorator that handles !important foreach ($this->info as $k => $v) { 
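Review bot: The new `if ($config->get('CSS.Trusted'))` block runs before the loop that wraps every `$this->info` entry with the `!important` decorator, so position, top, left, right, bottom and z-index will presumably also accept `!important` whenever %CSS.AllowImportant is on, and nothing in the hunk says so. With both directives enabled, author-supplied positioning can then outrank the embedding site's own stylesheet, which is worth stating where the gate lives. I would add a comment above the block such as `// %CSS.Trusted enables positioning properties that let content render outside its container; these defs are also wrapped for !important below`. The setup method and the wrapping loop both continue outside the hunk, so the decorator's exact behaviour should be confirmed there.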
@@ -260,6 +264,23 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(array('visible', 'hidden', 'auto', 'scroll')); } + protected function doSetupTrusted($config) { + $this->info['position'] = new HTMLPurifier_AttrDef_Enum(array( + 'static', 'relative', 'absolute', 'fixed' + )); + $this->info['top'] = + $this->info['left'] = + $this->info['right'] = + $this->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage(), + new HTMLPurifier_AttrDef_Enum(array('auto')), + )); + $this->info['z-index'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Integer(), + new HTMLPurifier_AttrDef_Enum(array('auto')), + )); + } /** * Performs extra config-based processing. Based off of diff --git a/library/HTMLPurifier/ConfigSchema/schema.ser b/library/HTMLPurifier/ConfigSchema/schema.ser index 1f99bb9b4035daafbfd4aa486149cdb94c709110..7946aad437a294c9ab028ca27cc6cc214d4ef3a6 100644 GIT binary patch delta 102 zcmcbRJvC>7IiuO+KtassertDef('text-align:right;'); } + function testTrusted() { + $this->config->set('CSS.Trusted', true); + $this->assertDef('position:relative;'); + $this->assertDef('left:2px;'); + $this->assertDef('right:100%;'); + $this->assertDef('top:auto;'); + $this->assertDef('z-index:-2;'); + } + } // vim: et sw=4 sts=4
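Review bot: `doSetupTrusted()` is added without a docblock, although it is the method that admits `position: fixed`/`absolute` together with an unbounded integer `z-index`, values that let purified markup be drawn over any other part of the host page. A short docblock should say that these definitions are registered only when %CSS.Trusted is set and that the directive is meant for input from trusted authors, and it should note that `$config` is currently unused. The test at the end of this line only asserts acceptance with the directive on; a companion case that leaves %CSS.Trusted off and expects rejection, e.g. `$this->assertDef('position:relative;', false);`, would pin the default-deny behaviour. The header of that test hunk is not readable here, so its placement should be checked against the file.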