Compare commits
19 Commits
v2.1.2
...
v2.1.2-str
Author | SHA1 | Date | |
---|---|---|---|
|
b3f0e6c86c | ||
|
80c60bb9b5 | ||
|
503e76081b | ||
|
678a593e62 | ||
|
495164e938 | ||
|
42858ad594 | ||
|
5ecb11f19a | ||
|
0101311193 | ||
|
c35eb3e95f | ||
|
b829e76bbf | ||
|
e967680250 | ||
|
dd2fd06591 | ||
|
cec7a1c087 | ||
|
c2d3d5b859 | ||
|
9a84e11f34 | ||
|
37ea1673dd | ||
|
5395d8b4bd | ||
|
c980e76197 | ||
|
2bf912d528 |
12
INSTALL
12
INSTALL
@@ -1,4 +1,3 @@
|
||||
|
||||
Install
|
||||
How to install HTML Purifier
|
||||
|
||||
@@ -9,6 +8,8 @@ down to the bottom of this INSTALL document to see the code, but you really
|
||||
should make sure a few things are properly done.
|
||||
|
||||
|
||||
|
||||
|
||||
1. Compatibility
|
||||
|
||||
HTML Purifier works in both PHP 4 and PHP 5, from PHP 4.3.2 and up. It has no
|
||||
@@ -69,6 +70,10 @@ the doctype from this code in your HTML documents:
|
||||
For legacy codebases these declarations may be missing. If that is the case,
|
||||
STOP, and read docs/enduser-utf8.html
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
You may currently be vulnerable to XSS and other security threats, and HTML
|
||||
Purifier won't be able to fix that.
|
||||
|
||||
@@ -118,6 +123,9 @@ reason, I do not include the solution in this document).
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
4.2. Setting a different doctype
|
||||
|
||||
For those of you using HTML 4.01 Transitional, you can disable
|
||||
@@ -127,6 +135,7 @@ XHTML output like this:
|
||||
|
||||
Other supported doctypes include:
|
||||
|
||||
|
||||
* HTML 4.01 Strict
|
||||
* HTML 4.01 Transitional
|
||||
* XHTML 1.0 Strict
|
||||
@@ -227,4 +236,3 @@ hit):
|
||||
Or move the cache directory somewhere else (no trailing slash):
|
||||
|
||||
$config->set('Cache', 'SerializerPath', '/home/user/absolute/path');
|
||||
|
||||
|
4
NEWS
4
NEWS
@@ -249,6 +249,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
||||
%Attr.IDBlacklistRegexp
|
||||
- Error messages are emitted when you attempt to "allow" elements or
|
||||
attributes that HTML Purifier does not support
|
||||
|
||||
|
||||
- Fix segfault in unit test. The problem is not very reproduceable and
|
||||
I don't know what causes it, but a six line patch fixed it.
|
||||
|
||||
@@ -447,4 +449,4 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
||||
! First public release, most functionality implemented. Notable omissions are:
|
||||
+ Shorthand CSS properties
|
||||
+ Table CSS properties
|
||||
+ Deprecated attribute transformations
|
||||
+ Deprecated attribute transformations
|
@@ -199,10 +199,10 @@ class HTMLPurifier
|
||||
/**
|
||||
* Singleton for enforcing just one HTML Purifier in your system
|
||||
*/
|
||||
function &getInstance($prototype = null) {
|
||||
static function &getInstance($prototype = null) {
|
||||
static $htmlpurifier;
|
||||
if (!$htmlpurifier || $prototype) {
|
||||
if (is_a($prototype, 'HTMLPurifier')) {
|
||||
if ($prototype instanceof HTMLPurifier) {
|
||||
$htmlpurifier = $prototype;
|
||||
} elseif ($prototype) {
|
||||
$htmlpurifier = new HTMLPurifier($prototype);
|
||||
|
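Review bot: `static function &getInstance($prototype = null)` and `$prototype instanceof HTMLPurifier` are PHP 5-only constructs, yet the INSTALL context line in this same compare still says HTML Purifier works from PHP 4.3.2 up; if this branch drops PHP 4, that compatibility statement should change with it. The new signature also carries no explicit visibility (`static function` here and in the Config, ConfigSchema, DefinitionCacheFactory, Encoder, EntityLookup, LanguageFactory, Lexer, DirectLex, URISchemeRegistry and Debugger hunks), while the DOMLex hunk writes `static public function`; one form should be used throughout, preferably `public static function &getInstance($prototype = null)`. getInstance's body continues past the end of the hunk.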
@@ -99,11 +99,8 @@ class HTMLPurifier_Config
|
||||
* or a string filename of an ini file.
|
||||
* @return Configured HTMLPurifier_Config object
|
||||
*/
|
||||
function create($config) {
|
||||
if (is_a($config, 'HTMLPurifier_Config')) {
|
||||
// pass-through
|
||||
return $config;
|
||||
}
|
||||
static function create($config) {
|
||||
if ($config instanceof HTMLPurifier_Config) return $config;
|
||||
$ret = HTMLPurifier_Config::createDefault();
|
||||
if (is_string($config)) $ret->loadIni($config);
|
||||
elseif (is_array($config)) $ret->loadArray($config);
|
||||
@@ -115,7 +112,7 @@ class HTMLPurifier_Config
|
||||
* @static
|
||||
* @return Default HTMLPurifier_Config object.
|
||||
*/
|
||||
function createDefault() {
|
||||
static function createDefault() {
|
||||
$definition =& HTMLPurifier_ConfigSchema::instance();
|
||||
$config = new HTMLPurifier_Config($definition);
|
||||
return $config;
|
||||
@@ -368,7 +365,7 @@ class HTMLPurifier_Config
|
||||
* @param $allowed List of allowed namespaces/directives
|
||||
* @static
|
||||
*/
|
||||
function getAllowedDirectivesForForm($allowed) {
|
||||
static function getAllowedDirectivesForForm($allowed) {
|
||||
$schema = HTMLPurifier_ConfigSchema::instance();
|
||||
if ($allowed !== true) {
|
||||
if (is_string($allowed)) $allowed = array($allowed);
|
||||
@@ -413,7 +410,7 @@ class HTMLPurifier_Config
|
||||
* @param $mq_fix Boolean whether or not to enable magic quotes fix
|
||||
* @static
|
||||
*/
|
||||
function loadArrayFromForm($array, $index, $allowed = true, $mq_fix = true) {
|
||||
static function loadArrayFromForm($array, $index, $allowed = true, $mq_fix = true) {
|
||||
$ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix);
|
||||
$config = HTMLPurifier_Config::create($ret);
|
||||
return $config;
|
||||
@@ -433,7 +430,7 @@ class HTMLPurifier_Config
|
||||
* strict parts of HTMLPurifier_Config
|
||||
* @static
|
||||
*/
|
||||
function prepareArrayFromForm($array, $index, $allowed = true, $mq_fix = true) {
|
||||
static function prepareArrayFromForm($array, $index, $allowed = true, $mq_fix = true) {
|
||||
$array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
|
||||
$mq = get_magic_quotes_gpc() && $mq_fix;
|
||||
|
||||
|
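Review bot: The collapsed one-liner `if ($config instanceof HTMLPurifier_Config) return $config;` in create() drops the `// pass-through` explanation the old block had; keep it, e.g. `if ($config instanceof HTMLPurifier_Config) return $config; // pass-through: already a config`. Now that create(), createDefault(), loadArrayFromForm() and prepareArrayFromForm() are static, the explicit `HTMLPurifier_Config::createDefault()` / `HTMLPurifier_Config::prepareArrayFromForm(...)` self-calls could be written as `self::...`, which reads as intent rather than as an external call. Each of these method bodies continues outside its hunk.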
@@ -82,7 +82,7 @@ class HTMLPurifier_ConfigSchema {
|
||||
* Retrieves an instance of the application-wide configuration definition.
|
||||
* @static
|
||||
*/
|
||||
function &instance($prototype = null) {
|
||||
static function &instance($prototype = null) {
|
||||
static $instance;
|
||||
if ($prototype !== null) {
|
||||
$instance = $prototype;
|
||||
@@ -104,7 +104,7 @@ class HTMLPurifier_ConfigSchema {
|
||||
* HTMLPurifier_DirectiveDef::$type for allowed values
|
||||
* @param $description Description of directive for documentation
|
||||
*/
|
||||
function define($namespace, $name, $default, $type, $description) {
|
||||
static function define($namespace, $name, $default, $type, $description) {
|
||||
$def =& HTMLPurifier_ConfigSchema::instance();
|
||||
|
||||
// basic sanity checks
|
||||
@@ -177,7 +177,7 @@ class HTMLPurifier_ConfigSchema {
|
||||
* @param $namespace Namespace's name
|
||||
* @param $description Description of the namespace
|
||||
*/
|
||||
function defineNamespace($namespace, $description) {
|
||||
static function defineNamespace($namespace, $description) {
|
||||
$def =& HTMLPurifier_ConfigSchema::instance();
|
||||
if (HTMLPURIFIER_SCHEMA_STRICT) {
|
||||
if (isset($def->info[$namespace])) {
|
||||
@@ -212,7 +212,7 @@ class HTMLPurifier_ConfigSchema {
|
||||
* @param $alias Name of aliased value
|
||||
* @param $real Value aliased value will be converted into
|
||||
*/
|
||||
function defineValueAliases($namespace, $name, $aliases) {
|
||||
static function defineValueAliases($namespace, $name, $aliases) {
|
||||
$def =& HTMLPurifier_ConfigSchema::instance();
|
||||
if (HTMLPURIFIER_SCHEMA_STRICT && !isset($def->info[$namespace][$name])) {
|
||||
trigger_error('Cannot set value alias for non-existant directive',
|
||||
@@ -245,7 +245,7 @@ class HTMLPurifier_ConfigSchema {
|
||||
* @param $name Name of directive
|
||||
* @param $allowed_values Arraylist of allowed values
|
||||
*/
|
||||
function defineAllowedValues($namespace, $name, $allowed_values) {
|
||||
static function defineAllowedValues($namespace, $name, $allowed_values) {
|
||||
$def =& HTMLPurifier_ConfigSchema::instance();
|
||||
if (HTMLPURIFIER_SCHEMA_STRICT && !isset($def->info[$namespace][$name])) {
|
||||
trigger_error('Cannot define allowed values for undefined directive',
|
||||
@@ -285,7 +285,7 @@ class HTMLPurifier_ConfigSchema {
|
||||
* @param $new_namespace
|
||||
* @param $new_name Directive that the alias will be to
|
||||
*/
|
||||
function defineAlias($namespace, $name, $new_namespace, $new_name) {
|
||||
static function defineAlias($namespace, $name, $new_namespace, $new_name) {
|
||||
$def =& HTMLPurifier_ConfigSchema::instance();
|
||||
if (HTMLPURIFIER_SCHEMA_STRICT) {
|
||||
if (!isset($def->info[$namespace])) {
|
||||
@@ -428,7 +428,7 @@ class HTMLPurifier_ConfigSchema {
|
||||
*/
|
||||
function isError($var) {
|
||||
if (!is_object($var)) return false;
|
||||
if (!is_a($var, 'HTMLPurifier_Error')) return false;
|
||||
if (!($var instanceof HTMLPurifier_Error)) return false;
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
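Review bot: isError() is the one helper in this class the commit leaves non-static, while the sibling instance(), define(), defineNamespace(), defineValueAliases(), defineAllowedValues() and defineAlias() all gain `static` here; if any caller invokes it as `HTMLPurifier_ConfigSchema::isError(...)` it will still trip E_STRICT, which this branch is evidently enabling, so it likely wants the same treatment. With `instanceof` in place the leading `is_object` guard is redundant, since on PHP 5 `instanceof` evaluates to false for non-objects, and the body can collapse to `return $var instanceof HTMLPurifier_Error;`.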
@@ -40,7 +40,7 @@ class HTMLPurifier_DefinitionCacheFactory
|
||||
* Retrieves an instance of global definition cache factory.
|
||||
* @static
|
||||
*/
|
||||
function &instance($prototype = null) {
|
||||
static function &instance($prototype = null) {
|
||||
static $instance;
|
||||
if ($prototype !== null) {
|
||||
$instance = $prototype;
|
||||
|
@@ -110,7 +110,7 @@ class HTMLPurifier_ElementDef
|
||||
* Low-level factory constructor for creating new standalone element defs
|
||||
* @static
|
||||
*/
|
||||
function create($safe, $content_model, $content_model_type, $attr) {
|
||||
static function create($safe, $content_model, $content_model_type, $attr) {
|
||||
$def = new HTMLPurifier_ElementDef();
|
||||
$def->safe = (bool) $safe;
|
||||
$def->content_model = $content_model;
|
||||
|
@@ -88,7 +88,7 @@ class HTMLPurifier_Encoder
|
||||
* would need that, and I'm probably not going to implement them.
|
||||
* Once again, PHP 6 should solve all our problems.
|
||||
*/
|
||||
function cleanUTF8($str, $force_php = false) {
|
||||
static function cleanUTF8($str, $force_php = false) {
|
||||
|
||||
static $non_sgml_chars = array();
|
||||
if (empty($non_sgml_chars)) {
|
||||
@@ -271,7 +271,7 @@ class HTMLPurifier_Encoder
|
||||
// | 00000000 | 00010000 | 11111111 | 11111111 | Defined upper limit of legal scalar codes
|
||||
// +----------+----------+----------+----------+
|
||||
|
||||
function unichr($code) {
|
||||
static function unichr($code) {
|
||||
if($code > 1114111 or $code < 0 or
|
||||
($code >= 55296 and $code <= 57343) ) {
|
||||
// bits are set outside the "valid" range as defined
|
||||
@@ -312,7 +312,7 @@ class HTMLPurifier_Encoder
|
||||
* Converts a string to UTF-8 based on configuration.
|
||||
* @static
|
||||
*/
|
||||
function convertToUTF8($str, $config, &$context) {
|
||||
static function convertToUTF8($str, $config, &$context) {
|
||||
static $iconv = null;
|
||||
if ($iconv === null) $iconv = function_exists('iconv');
|
||||
$encoding = $config->get('Core', 'Encoding');
|
||||
@@ -331,7 +331,7 @@ class HTMLPurifier_Encoder
|
||||
* @note Currently, this is a lossy conversion, with unexpressable
|
||||
* characters being omitted.
|
||||
*/
|
||||
function convertFromUTF8($str, $config, &$context) {
|
||||
static function convertFromUTF8($str, $config, &$context) {
|
||||
static $iconv = null;
|
||||
if ($iconv === null) $iconv = function_exists('iconv');
|
||||
$encoding = $config->get('Core', 'Encoding');
|
||||
@@ -364,7 +364,7 @@ class HTMLPurifier_Encoder
|
||||
* @note Sort of with cleanUTF8() but it assumes that $str is
|
||||
* well-formed UTF-8
|
||||
*/
|
||||
function convertToASCIIDumbLossless($str) {
|
||||
static function convertToASCIIDumbLossless($str) {
|
||||
$bytesleft = 0;
|
||||
$result = '';
|
||||
$working = 0;
|
||||
|
@@ -29,7 +29,7 @@ class HTMLPurifier_EntityLookup {
|
||||
* @static
|
||||
* @param Optional prototype of custom lookup table to overload with.
|
||||
*/
|
||||
function instance($prototype = false) {
|
||||
static function instance($prototype = false) {
|
||||
// no references, since PHP doesn't copy unless modified
|
||||
static $instance = null;
|
||||
if ($prototype) {
|
||||
|
@@ -113,7 +113,7 @@ class HTMLPurifier_Language
|
||||
$generator = false;
|
||||
foreach ($args as $i => $value) {
|
||||
if (is_object($value)) {
|
||||
if (is_a($value, 'HTMLPurifier_Token')) {
|
||||
if ($value instanceof HTMLPurifier_Token) {
|
||||
// factor this out some time
|
||||
if (!$generator) $generator = $this->context->get('Generator');
|
||||
if (isset($value->name)) $subst['$'.$i.'.Name'] = $value->name;
|
||||
|
@@ -65,7 +65,7 @@ class HTMLPurifier_LanguageFactory
|
||||
* @param $prototype Optional prototype to overload sole instance with,
|
||||
* or bool true to reset to default factory.
|
||||
*/
|
||||
function &instance($prototype = null) {
|
||||
static function &instance($prototype = null) {
|
||||
static $instance = null;
|
||||
if ($prototype !== null) {
|
||||
$instance = $prototype;
|
||||
|
@@ -145,9 +145,9 @@ class HTMLPurifier_Lexer
|
||||
* @param $prototype Optional prototype lexer or configuration object
|
||||
* @return Concrete lexer.
|
||||
*/
|
||||
function create($config) {
|
||||
static function create($config) {
|
||||
|
||||
if (!is_a($config, 'HTMLPurifier_Config')) {
|
||||
if (!($config instanceof HTMLPurifier_Config)) {
|
||||
$lexer = $config;
|
||||
trigger_error("Passing a prototype to
|
||||
HTMLPurifier_Lexer::create() is deprecated, please instead
|
||||
@@ -275,7 +275,7 @@ class HTMLPurifier_Lexer
|
||||
* @param $string HTML string to process.
|
||||
* @returns HTML with CDATA sections escaped.
|
||||
*/
|
||||
function escapeCDATA($string) {
|
||||
static function escapeCDATA($string) {
|
||||
return preg_replace_callback(
|
||||
'/<!\[CDATA\[(.+?)\]\]>/s',
|
||||
array('HTMLPurifier_Lexer', 'CDATACallback'),
|
||||
@@ -304,7 +304,7 @@ class HTMLPurifier_Lexer
|
||||
* and 1 the inside of the CDATA section.
|
||||
* @returns Escaped internals of the CDATA section.
|
||||
*/
|
||||
function CDATACallback($matches) {
|
||||
static function CDATACallback($matches) {
|
||||
// not exactly sure why the character set is needed, but whatever
|
||||
return htmlspecialchars($matches[1], ENT_COMPAT, 'UTF-8');
|
||||
}
|
||||
|
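Review bot: The comment `// not exactly sure why the character set is needed, but whatever` above the htmlspecialchars() call in CDATACallback undersells a security-relevant argument: the third parameter tells htmlspecialchars() which byte sequences are valid, so it must match the UTF-8 the lexer guarantees, and with a mismatch malformed sequences may be passed through or, depending on PHP version, the whole string may come back empty. Replace it with something like `// charset must match the input encoding: htmlspecialchars() validates byte sequences against it`. Making CDATACallback static is also what makes the `array('HTMLPurifier_Lexer', 'CDATACallback')` callable in escapeCDATA E_STRICT-clean, which is worth a line in escapeCDATA's docblock.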
@@ -158,7 +158,7 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
|
||||
* Callback function for undoing escaping of stray angled brackets
|
||||
* in comments
|
||||
*/
|
||||
function callbackUndoCommentSubst($matches) {
|
||||
static public function callbackUndoCommentSubst($matches) {
|
||||
return '<!--' . strtr($matches[1], array('&'=>'&','<'=>'<')) . $matches[2];
|
||||
}
|
||||
|
||||
@@ -166,7 +166,7 @@ class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer
|
||||
* Callback function that entity-izes ampersands in comments so that
|
||||
* callbackUndoCommentSubst doesn't clobber them
|
||||
*/
|
||||
function callbackArmorCommentEntities($matches) {
|
||||
static public function callbackArmorCommentEntities($matches) {
|
||||
return '<!--' . str_replace('&', '&', $matches[1]) . $matches[2];
|
||||
}
|
||||
|
||||
|
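Review bot: `static public function callbackUndoCommentSubst(...)` and `callbackArmorCommentEntities(...)` use a different modifier order and an explicit visibility where every other hunk in this compare writes bare `static function`; the conventional order is `public static function`, and it should be applied uniformly across the compare. As rendered here, the `strtr` map and `str_replace` arguments appear as identity replacements (`'&'=>'&'`), which is presumably the page decoding entity literals in the source; confirm against the actual file that the mappings still armor and un-armor the entities the docblocks describe.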
@@ -40,7 +40,7 @@ class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer
|
||||
* @param $matches, in form of array(opening tag, contents, closing tag)
|
||||
* @static
|
||||
*/
|
||||
function scriptCallback($matches) {
|
||||
static function scriptCallback($matches) {
|
||||
return $matches[1] . htmlspecialchars($matches[2], ENT_COMPAT, 'UTF-8') . $matches[3];
|
||||
}
|
||||
|
||||
|
@@ -44,7 +44,7 @@ class HTMLPurifier_URISchemeRegistry
|
||||
* @note Pass a registry object $prototype with a compatible interface and
|
||||
* the function will copy it and return it all further times.
|
||||
*/
|
||||
function &instance($prototype = null) {
|
||||
static function &instance($prototype = null) {
|
||||
static $instance = null;
|
||||
if ($prototype !== null) {
|
||||
$instance = $prototype;
|
||||
|
@@ -7,7 +7,7 @@ if (!isset($_GET['standalone'])) {
|
||||
} else {
|
||||
require_once '../library/HTMLPurifier.standalone.php';
|
||||
}
|
||||
error_reporting(E_ALL);
|
||||
error_reporting(E_ALL | E_STRICT);
|
||||
|
||||
function escapeHTML($string) {
|
||||
$string = HTMLPurifier_Encoder::cleanUTF8($string);
|
||||
|
@@ -86,7 +86,7 @@ class Debugger
|
||||
/**
|
||||
* @static
|
||||
*/
|
||||
function &instance() {
|
||||
static function &instance() {
|
||||
static $soleInstance = false;
|
||||
if (!$soleInstance) $soleInstance = new Debugger();
|
||||
return $soleInstance;
|
||||
|
@@ -2,11 +2,12 @@
|
||||
|
||||
require_once 'HTMLPurifier/AttrCollections.php';
|
||||
|
||||
Mock::generatePartial(
|
||||
'HTMLPurifier_AttrCollections',
|
||||
'HTMLPurifier_AttrCollections_TestForConstruct',
|
||||
array('performInclusions', 'expandIdentifiers')
|
||||
);
|
||||
class HTMLPurifier_AttrCollectionsTest_NoConstructor extends HTMLPurifier_AttrCollections
|
||||
{
|
||||
function HTMLPurifier_AttrCollectionsTest_NoConstructor() {}
|
||||
function expandIdentifiers(&$a, $b) {}
|
||||
function performInclusions(&$a) {}
|
||||
}
|
||||
|
||||
class HTMLPurifier_AttrCollectionsTest extends HTMLPurifier_Harness
|
||||
{
|
||||
@@ -15,7 +16,7 @@ class HTMLPurifier_AttrCollectionsTest extends HTMLPurifier_Harness
|
||||
|
||||
generate_mock_once('HTMLPurifier_AttrTypes');
|
||||
|
||||
$collections = new HTMLPurifier_AttrCollections_TestForConstruct();
|
||||
$collections = new HTMLPurifier_AttrCollectionsTest_NoConstructor();
|
||||
|
||||
$types = new HTMLPurifier_AttrTypesMock();
|
||||
|
||||
|
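Review bot: The new stub subclass declares a PHP 4-style constructor, `function HTMLPurifier_AttrCollectionsTest_NoConstructor() {}`, on a branch that is otherwise moving to PHP 5 / E_STRICT semantics; `function __construct() {}` is the PHP 5 form and should be used instead. The overriding stubs `expandIdentifiers(&$a, $b)` and `performInclusions(&$a)` must match the parent's parameter signatures exactly, including the by-reference markers, for E_STRICT to stay quiet — the parent is not visible here, so verify. A one-line comment on the class, e.g. `// test double: skips the real constructor and stubs the two hooks it would call`, would make its purpose clear to the next reader.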
@@ -25,7 +25,7 @@ class HTMLPurifier_ErrorCollectorEMock extends HTMLPurifier_ErrorCollectorMock
|
||||
$this->_expected_context_at[$step][$key] = $value;
|
||||
}
|
||||
|
||||
function send() {
|
||||
function send($severity, $msg) {
|
||||
// test for context
|
||||
$test = &$this->_getCurrentTestCase();
|
||||
foreach ($this->_expected_context as $key => $value) {
|
||||
|
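Review bot: The new `send($severity, $msg)` signature adds two parameters that the visible lines never reference; if the mock is meant to forward to the parent's send() after checking context, the call must pass `$severity` and `$msg` through, otherwise a short comment such as `// parameters present only to match the parent signature under E_STRICT` should say why they are unused. send()'s body continues past the end of the hunk, so this may already be handled there.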
@@ -3,7 +3,7 @@
|
||||
// call one file using /?f=FileTest.php , see $test_files array for
|
||||
// valid values
|
||||
|
||||
error_reporting(E_ALL);
|
||||
error_reporting(E_ALL | E_STRICT);
|
||||
define('HTMLPurifierTest', 1);
|
||||
define('HTMLPURIFIER_SCHEMA_STRICT', true); // validate schemas
|
||||
|
||||
|