mirror/php-htmlpurifier
1
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-08-04 13:18:00 +02:00
Code Issues Releases Wiki Activity

Compare commits

base: mirror:v3.2.0
Branches Tags
mirror:master mirror:disable84 mirror:estrict mirror:php8.4 mirror:chmod-msg mirror:fix-ci mirror:revert-339-semantic-release
mirror:v4.18.0 mirror:v4.17.0 mirror:v4.16.0 mirror:v4.15.0 mirror:v4.14.0 mirror:v4.13.0 mirror:v4.12.0 mirror:v4.11.0 mirror:v4.10.0 mirror:v4.9.3 mirror:v4.9.2 mirror:v4.9.1 mirror:v4.8.0 mirror:4.8.0 mirror:v4.7.0 mirror:v4.6.0 mirror:gusev mirror:v4.5.0 mirror:v4.4.0 mirror:v4.3.0 mirror:v4.2.0 mirror:v4.1.1 mirror:v4.1.0 mirror:v4.0.0 mirror:v3.3.0 mirror:v3.2.0 mirror:v3.1.1.2 mirror:v3.1.1.1 mirror:v2.1.5 mirror:v3.1.1 mirror:v2.1.4 mirror:v3.1.0 mirror:v3.1.0rc1 mirror:v3.0.0 mirror:v2.1.3-strict mirror:v2.1.3 mirror:v2.1.2-strict mirror:v2.1.2 mirror:v2.1.1-strict mirror:v2.1.1 mirror:v2.1.0-strict mirror:v2.1.0 mirror:v2.0.1-strict mirror:v2.0.1 mirror:v2.0.0-strict mirror:v2.0.0 mirror:v1.6.1-strict mirror:v1.6.1 mirror:v1.6.0-strict mirror:v1.6.0 mirror:v1.5.0-strict mirror:v1.5.0 mirror:v1.4.1-strict mirror:v1.4.1 mirror:v1.4.0-strict mirror:v1.4.0 mirror:v1.3.2 mirror:v1.3.1 mirror:v1.3.0 mirror:v1.2.0 mirror:v1.1.2 mirror:v1.1.1 mirror:v1.1.0 mirror:v1.0.1 mirror:v1.0.0 mirror:v1.0.0beta
..
compare: mirror:v4.2.0
Branches Tags
mirror:master mirror:disable84 mirror:estrict mirror:php8.4 mirror:chmod-msg mirror:fix-ci mirror:revert-339-semantic-release
mirror:v4.18.0 mirror:v4.17.0 mirror:v4.16.0 mirror:v4.15.0 mirror:v4.14.0 mirror:v4.13.0 mirror:v4.12.0 mirror:v4.11.0 mirror:v4.10.0 mirror:v4.9.3 mirror:v4.9.2 mirror:v4.9.1 mirror:v4.8.0 mirror:4.8.0 mirror:v4.7.0 mirror:v4.6.0 mirror:gusev mirror:v4.5.0 mirror:v4.4.0 mirror:v4.3.0 mirror:v4.2.0 mirror:v4.1.1 mirror:v4.1.0 mirror:v4.0.0 mirror:v3.3.0 mirror:v3.2.0 mirror:v3.1.1.2 mirror:v3.1.1.1 mirror:v2.1.5 mirror:v3.1.1 mirror:v2.1.4 mirror:v3.1.0 mirror:v3.1.0rc1 mirror:v3.0.0 mirror:v2.1.3-strict mirror:v2.1.3 mirror:v2.1.2-strict mirror:v2.1.2 mirror:v2.1.1-strict mirror:v2.1.1 mirror:v2.1.0-strict mirror:v2.1.0 mirror:v2.0.1-strict mirror:v2.0.1 mirror:v2.0.0-strict mirror:v2.0.0 mirror:v1.6.1-strict mirror:v1.6.1 mirror:v1.6.0-strict mirror:v1.6.0 mirror:v1.5.0-strict mirror:v1.5.0 mirror:v1.4.1-strict mirror:v1.4.1 mirror:v1.4.0-strict mirror:v1.4.0 mirror:v1.3.2 mirror:v1.3.1 mirror:v1.3.0 mirror:v1.2.0 mirror:v1.1.2 mirror:v1.1.1 mirror:v1.1.0 mirror:v1.0.1 mirror:v1.0.0 mirror:v1.0.0beta

115 Commits
v3.2.0 ... v4.2.0

Author SHA1 Message Date
Edward Z. Yang
882ffed9ba Release 4.2.0. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-15 02:52:57 -04:00
Edward Z. Yang
86990a21f1 Rename newline normalization directive to something better. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-15 02:50:39 -04:00
Tomasz Muras
9573f0933d Make newline normalization optional. 2010-09-14 23:49:28 -04:00
Edward Z. Yang
632bf2bbd4 Shift to 4.2.0 release cycle. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-14 23:38:51 -04:00
Edward Z. Yang
ec86598446 Add support for file:// URI scheme. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-09 00:01:26 -04:00
Edward Z. Yang
b6c3f5e89b Update TODO. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-08 23:42:05 -04:00
Edward Z. Yang
7c91104532 Implement HTML.FlashAllowFullScreen. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-08 23:39:20 -04:00
Edward Z. Yang
eac628f490 Add %CSS.ForbiddenProperties directive. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-04 02:59:03 -04:00
Edward Z. Yang
92913bc816 Add documentation about configuration directive types. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-04 02:28:53 -04:00
Edward Z. Yang
479d793562 Reword documentation to be clearer, and give warning on common user error. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-04 01:31:20 -04:00
Edward Z. Yang
e2c15f1c98 Fix Mac Snow Leopard APC bug. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-08-26 21:40:58 -07:00
Edward Z. Yang
57ced3f361 Tighten up ignore spec. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-06-30 06:00:45 -07:00
Edward Z. Yang
c04a441b3e Actually make URI.DisableResources do something. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-06-30 05:59:17 -07:00
Edward Z. Yang
1bed8b6d5f Added %Core.RemoveProcessingInstructions. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-06-20 18:26:44 -07:00
Edward Z. Yang
33afd7d9e0 Fix improper handling of IE conditional comments. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-06-18 06:08:54 -07:00
Edward Z. Yang
18e538317a Release 4.1.1. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-31 20:17:31 -07:00
Edward Z. Yang
96a4193fc9 Fix undefined index warnings in maintenance scripts. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-31 20:07:27 -07:00
Edward Z. Yang
00c66fa9cb Fix bug in parsing single attribute with entities. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-31 19:44:18 -07:00
Edward Z. Yang
d3abcb90e3 Rewrite CSS url() and font-family output logic. 
The new logic is as follows:

* Given a URL to insert into url(), check that it is properly URL
  encoded (in particular, a doublequote and backslash never occurs
  within it) and then place it as url("http://example.com").

* Given a font name, if it is strictly alphanumeric, it is safe to omit
  quotes. Otherwise, wrap in double quotes and replace '"' with '\22 '
  (note trailing space) and '\' with '\5C ' (ditto).

We introduce expandCSSEscape() which is a hack for common parsing
idioms in CSS; this means that CSS escapes are now recognized inside
URLs as well as unquoted font names.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-31 18:45:21 -07:00
Edward Z. Yang
df3100b1b3 Make test script less chatty when log_errors is on. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-20 21:50:44 -04:00
Edward Z. Yang
143e1ad718 Remove shebang and +x from test script. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-20 21:21:26 -04:00
Edward Z. Yang
875b0febde Fix infinite loop involving wrapping formedness. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-17 23:22:51 -04:00
Edward Z. Yang
3166b8a10f Fix bug in background-position with center keyword. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-05 15:08:57 -04:00
Edward Z. Yang
1a70bffd5a Emit errors when body is extracted. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-05-04 13:41:09 -04:00
Edward Z. Yang
f4c6e10ff7 Release 4.1.0. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-04-26 18:31:40 -04:00
Edward Z. Yang
c1cbd9e565 Mute STRICT errors from CSSTidy and don't run PEARSax3 on PHP 5.3. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-04-26 18:27:32 -04:00
Edward Z. Yang
da94d3d6ac Always quote the contents of url() in CSS. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-04-26 12:10:15 -04:00
Edward Z. Yang
80793e925e Remove +x bit from RemoveSpansWithoutAttributes.php 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-04-17 00:23:09 -04:00
Edward Z. Yang
8ef4fb22db Support for flashvars in HTML.SafeEmbed. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-30 13:33:13 -04:00
Edward Z. Yang
70a7a3f5dd Handle <ol><ol> properly by adding missing <li> tag. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-10 00:58:37 -05:00
Edward Z. Yang
4d612d5a77 Improve handling of malformed object parameters. 
When specifying source material for <object> tags, you must use
data inside the object tag as well as specify movie in a param.
If you specify a src (which is the appropriate markup for <embed>)
we now convert and fill in the other attributes appropriately.

Also, fix a PHP warning in Generator code.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-09 17:29:38 -05:00
Edward Z. Yang
63a854ee5d Remove call-time pass-by-reference. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-08 03:45:11 -05:00
Edward Z. Yang
0229458f8f Implement Internet Explorer compatibility code for embedded content. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-08 01:56:40 -05:00
Edward Z. Yang
baa477ac08 Truncate alt text from src if it's too long. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-08 01:22:21 -05:00
Edward Z. Yang
dc90e8e85b Support flashvars. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-08 01:16:57 -05:00
Edward Z. Yang
97125ed18b Implement data URI scheme. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-07 21:45:39 -05:00
Paul Stone
9a9036c689 Implement auto-formatter that removes empty span tags. 
Signed-off-by: Paul Stone <patches@pdjs.co.uk>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-07 18:59:33 -05:00
Edward Z. Yang
aea7d02dfe Support YouTube slideshow embedding. 
YouTube slideshows contain a /cp/, not a /v/, in their URL;
relax the YouTube filter to allow them.

Signed-off-by: Nigel McNie <nigel@catalyst.net.nz>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-03-07 18:57:22 -05:00
Brian DeRocher
b3ca1498c2 Add boolean value flag for PEARSax3 for testing if a token is empty. 
Signed-off-by: Brian DeRocher <brian@derocher.org>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-02-26 21:36:51 -05:00
Edward Z. Yang
ac18672aba Fix extant broken PEARSax3 parsing patterns. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-02-26 21:14:52 -05:00
Edward Z. Yang
faf28682ad Manually work around PEARSax3 E_STRICT errors. 
Previously, my development environment was not running the PEARSax3
tests because my environment was set to E_STRICT error handling, and
thus the tests were skipped.  Relax this requirement by making the
wrapper class E_STRICT safe.  This introduces a few failing tests.

Also update TODO and add another fresh test.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-02-26 20:42:42 -05:00
Edward Z. Yang
e2cd852bcf Add shebang line to tests index script. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-02-15 02:55:43 -05:00
Edward Z. Yang
694583259c Fix autoparagraph bug with non-inline elements. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-02-15 02:55:33 -05:00
Edward Z. Yang
bde4de3c78 Update TODO. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-08-27 20:17:41 -04:00
Edward Z. Yang
5b4e5c983e Support proprietary height attribute on table. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-08-27 20:17:24 -04:00
Edward Z. Yang
1ad8fd5ce9 Gracefully deal with null injectors. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-08-27 20:03:31 -04:00
Edward Z. Yang
6bdf161afd Update TODO. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-15 14:50:52 -04:00
Edward Z. Yang
af45a6c191 Release Phorum module 4.0.0. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-09 21:12:35 -04:00
Edward Z. Yang
2b72d0445f Add 4.1.0 release NEWS entry. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-09 21:03:46 -04:00
Edward Z. Yang
d7b3117678 Add doxygen doc scripts, and fix package.php 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-08 22:11:15 -04:00
Edward Z. Yang
53ff3e2744 Release 4.0.0. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-07 22:41:01 -04:00
Edward Z. Yang
6776efccdd Update configuration scanner to parse new format. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-07 22:32:44 -04:00
Edward Z. Yang
ba9fd175d7 Make extractBody not terminate prematurely on first </body>. 
Previously, if two </body> tags were present, HTML Purifier
would truncate everything after the first </body>.  This is
not ideal behavior; so HTML Purifier has been changed to
match up to the last </body>.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-07 22:19:04 -04:00
Edward Z. Yang
4d27906b02 Make %URI.Munge respect %URI.Host (don't munge). 
%URI.Munge incorrectly munged URIs that pointed to the
same host as the current website (it did, however, have
the correct behavior for when the munge URL was on the
same server).

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-06 22:04:51 -04:00
Edward Z. Yang
8f573df3dc XHTML 2 is dead. Long live XHTML 2. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2009-07-02 15:43:42 -04:00
Edward Z. Yang
c7594487a2 Fix inability to totally override content model. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-06-10 18:24:52 -04:00
Edward Z. Yang
733a5ce5c3 Fix allowsElement() bug manifesting in LinkifyTest. 
Thanks frank farmer for reporting.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-06-10 18:11:34 -04:00
Edward Z. Yang
e8abd5953c Fix prototype impedance in HTMLDefinition and typo in 
docs/enduser-customize.html
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-06-07 16:05:46 -04:00
Edward Z. Yang
1b8c8865b2 Fix PHP 5.3.0 problem with numeric indices causing -0 problem. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-06-07 16:04:07 -04:00
Edward Z. Yang
6e66dc9cad Add HTMLPurifier_config->serialize() 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-30 00:25:14 -04:00
Edward Z. Yang
77b60a4206 Update documentation to new configuration format. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-29 23:46:40 -04:00
Edward Z. Yang
5bf7ac4e9f Add docs and facilities for having separate directories of schemas. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-29 22:16:35 -04:00
Edward Z. Yang
a025203b18 Minor updates to Config and TODO items thereof. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-29 18:03:57 -04:00
Edward Z. Yang
809da84ae1 Ignore tags files (from exuberant ctags) 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-29 18:03:44 -04:00
Edward Z. Yang
777781a95c Don't have mute error handler be private. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-29 17:59:30 -04:00
Edward Z. Yang
4a87f732ca Fix two minor bugs, updating Phorum and removing unused $dir variable. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-27 01:17:23 -04:00
Edward Z. Yang
a2885181df Update TODO file. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-26 12:55:09 -04:00
Edward Z. Yang
84abae08f5 Relax allowed values of class for certain doctypes, see %Attr.ClassUseCDATA 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-26 01:07:40 -04:00
Edward Z. Yang
10e2d32a79 Lock configuration objects to a single namespace, to help prevent bugs. 
* Also, fix a slight bug with URI definition clearing.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-25 23:38:49 -04:00
Edward Z. Yang
baf053b016 Implement %Attr.AllowedClasses and %Attr.ForbiddenClasses. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-25 22:08:45 -04:00
Edward Z. Yang
bf71c3f392 Add documents on how to restructure configuration directives. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-25 21:54:43 -04:00
Edward Z. Yang
bfbe29d5a1 Rename ExtractStyleBlocks configuration parameters. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-25 21:54:39 -04:00
Edward Z. Yang
e194b8efc6 Rename AutoFormatParam.PurifierLinkifyDocURL. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-25 21:51:08 -04:00
Edward Z. Yang
4214ac9d67 Update TODO list. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-22 14:52:43 -04:00
Edward Z. Yang
24f761d84a Remove PHP4 cruft from URISchemeRegistry. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-05-13 16:14:57 -04:00
Edward Z. Yang
41c9226f3d Style refresh: add/remove vimlines, fix minor factual errors. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-04-09 12:47:10 -04:00
Edward Z. Yang
e3c2063f69 Implement %AutoFormat.RemoveEmpty.RemoveNbsp, by popular demand. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-04-09 00:53:19 -04:00
Edward Z. Yang
398a02039e Implement %HTML.Attr.Name.UseCDATA which relaxes name validation rules. 
Sponsored-by: Ian Cook <thinkspill@gmail.com>
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-03-20 19:34:38 -04:00
Edward Z. Yang
84e2e141fc Fix bad configuration call in NameSyncTest.php. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-03-14 19:18:02 -04:00
Edward Z. Yang
47bbbad000 Fix typo in YouTube docs. Thanks vbMark for reporting. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-03-13 13:33:51 -04:00
Edward Z. Yang
eaa906f8fc Implement configuration inheritance. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-21 03:01:02 -05:00
Edward Z. Yang
86ca784da3 Convert all to new configuration get/set format. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-21 03:00:34 -05:00
Edward Z. Yang
b107eec452 Revamp configuration backend. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-21 03:00:33 -05:00
Edward Z. Yang
fcbf724e6e Make name="" and id="" play nicely together. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-21 02:58:30 -05:00
Edward Z. Yang
92344cc83a Add 4.0.0 release information. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-16 22:00:22 -05:00
Edward Z. Yang
e9f529e78f Release 3.3.0. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-16 17:18:31 -05:00
Edward Z. Yang
e802065b65 Punt Lexer test entirely for 5.0.5. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-16 17:18:30 -05:00
Edward Z. Yang
1d70929eba Add text parameter to unit tests, forces text output. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-16 17:18:30 -05:00
Edward Z. Yang
77f57aa264 Fix CSSDefinition Printer problems with important decorator. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-15 14:11:22 -05:00
Edward Z. Yang
db218c7b2b Fix YouTube rendering problem on versions of Firefox. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-15 14:11:21 -05:00
Edward Z. Yang
762c089431 Ignore generated test-schema.html file in smoketests. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-15 14:11:20 -05:00
Edward Z. Yang
07ed1bbf8c Fix broken trusted comments functionality. 
This fix is slightly hackish, as we simply treat comments as whitespace.
This should largely be correct, and breaks no current test cases,
although it could result in noncompliant behavior.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-05 18:04:10 -05:00
Edward Z. Yang
b9094d5ec8 Convert HTMLPurifier_Config to use property list backend. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-02 18:42:23 -05:00
Edward Z. Yang
b31f280d41 Ignore htmlt.ini files. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-02 18:18:10 -05:00
Edward Z. Yang
1b962e68f0 Downgrade directory not found and permissions errors to warnings. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-02-02 10:08:37 -05:00
Edward Z. Yang
0c9dc02d4a Use default configuration when resetting; prevents zombie defaults for encodings from carrying over. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2009-01-30 17:42:41 -05:00
Edward Z. Yang
bfe474042f Implement "carryover" functionality, requested by Kinderlehrer <bitweaver@7doves.com> 
This commit is a limited implementation of the "active formatting
elements" algorithm implemented in HTML5, which preserves certain
formatting elements such as <a> and <b> when exiting or entering nodes.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-20 13:06:00 -05:00
Edward Z. Yang
119ebcda71 Implement user-friendly links to test-cases on web tester. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-20 13:01:20 -05:00
Edward Z. Yang
3dfcd016d3 Fix standards-compliance issue with YouTube filter with double hyphens. 
Thanks Pierre Attar for reporting.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-12 16:27:23 -05:00
Edward Z. Yang
0c9dfc6c3d Don't add vimline to auto-generated files. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-12 15:44:13 -05:00
Edward Z. Yang
33a873f5cb Fix missing numbers when pass/fail count is zero. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-06 16:08:09 -05:00
Edward Z. Yang
12b811d749 Add vim modelines to all files. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-06 04:24:59 -05:00
Edward Z. Yang
781f9a4084 Update PH5P.patch, and add NEWS entry for trailing whitespace purge. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-06 02:30:52 -05:00
Edward Z. Yang
2c955af135 Remove trailing whitespace. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-06 02:28:20 -05:00
Edward Z. Yang
3a6b63dff1 Generic implementation of property-lists. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-06 00:43:42 -05:00
Edward Z. Yang
90110a4e3a Fix broken test-suite in early versions of PHP. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-05 15:50:59 -05:00
Edward Z. Yang
d67e17a69c Remove unnecessary svn wrapper include. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-03 12:45:31 -05:00
Edward Z. Yang
5cfecebb33 Fix bug involving whitespace-only nodes. Thanks Eric Wald for reporting. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-12-02 20:13:47 -05:00
Edward Z. Yang
f5cd2c07ea Implement 'overflow' CSS property. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-11-27 16:14:50 -05:00
Edward Z. Yang
6691676666 Fix newline issues in tests. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-11-26 15:30:59 -05:00
Edward Z. Yang
e128c09132 Fix bug with testEncodingSupportsASCII() with strange iconv 
implementations.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-11-26 15:17:09 -05:00
Edward Z. Yang
527f154d3d Add verbose mode to command line test runner. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-11-23 20:45:21 -05:00
Edward Z. Yang
778ddf7c96 Turn on unit tests for UnitConverter. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-11-23 20:43:58 -05:00
Edward Z. Yang
c5d4b1ec93 Fix missing version number in config directive, and add TODO item. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-11-05 02:56:13 -05:00
Edward Z. Yang
6fe6cc8901 Update gitignore with post-release files, new NEWS entry and spellcheck UTF-8. 
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
 2008-11-01 01:51:51 -04:00
773 changed files with 10412 additions and 7284 deletions
Expand all files Collapse all files

9
.gitignore vendored
View File

@@ -1,13 +1,22 @@
tags
conf/ conf/
test-settings.php test-settings.php
config-schema.php
library/HTMLPurifier/DefinitionCache/Serializer/*/ library/HTMLPurifier/DefinitionCache/Serializer/*/
library/standalone/ library/standalone/
library/HTMLPurifier.standalone.php library/HTMLPurifier.standalone.php
library/HTMLPurifier*.tgz
library/package*.xml
smoketests/test-schema.html
configdoc/*.html configdoc/*.html
configdoc/configdoc.xml configdoc/configdoc.xml
docs/doxygen*
*.phpt.diff *.phpt.diff
*.phpt.exp *.phpt.exp
*.phpt.log *.phpt.log
*.phpt.out *.phpt.out
*.phpt.php *.phpt.php
*.phpt.skip.php *.phpt.skip.php
*.htmlt.ini
*.patch
/*.php

2
CREDITS
View File

@@ -5,3 +5,5 @@ Almost everything written by Edward Z. Yang (Ambush Commander). Lots of thanks
to the DevNetwork Community for their help (see docs/ref-devnetwork.html for to the DevNetwork Community for their help (see docs/ref-devnetwork.html for
more details), Feyd especially (namely IPv6 and optimization). Thanks to RSnake more details), Feyd especially (namely IPv6 and optimization). Thanks to RSnake
for letting me package his fantastic XSS cheatsheet for a smoketest. for letting me package his fantastic XSS cheatsheet for a smoketest.
vim: et sw=4 sts=4

1060
Doxyfile
View File

File diff suppressed because it is too large Load Diff

2
FOCUS
View File

@@ -1,4 +1,4 @@
5 - Major feature enhancements 4 - Minor feature enhancements
[ Appendix A: Release focus IDs ] [ Appendix A: Release focus IDs ]
0 - N/A 0 - N/A

87
INSTALL
View File

@@ -2,8 +2,8 @@
Install Install
How to install HTML Purifier How to install HTML Purifier
HTML Purifier is designed to run out of the box, so actually using the HTML Purifier is designed to run out of the box, so actually using the
library is extremely easy. (Although... if you were looking for a library is extremely easy. (Although... if you were looking for a
step-by-step installation GUI, you've downloaded the wrong software!) step-by-step installation GUI, you've downloaded the wrong software!)
While the impatient can get going immediately with some of the sample While the impatient can get going immediately with some of the sample
@@ -15,11 +15,9 @@ with these contents.
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
1. Compatibility 1. Compatibility
HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.5 and HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.5 and
up. It has no core dependencies with other libraries. PHP up. It has no core dependencies with other libraries. PHP
4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0. 4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0.
Essential security fixes will be issued for the 2.1.x branch until
August 8, 2008.
These optional extensions can enhance the capabilities of HTML Purifier: These optional extensions can enhance the capabilities of HTML Purifier:
@@ -96,32 +94,32 @@ Autoload compatibility
HTML Purifier attempts to be as smart as possible when registering an HTML Purifier attempts to be as smart as possible when registering an
autoloader, but there are some cases where you will need to change autoloader, but there are some cases where you will need to change
your own code to accomodate HTML Purifier. These are those cases: your own code to accomodate HTML Purifier. These are those cases:
PHP VERSION IS LESS THAN 5.1.2, AND YOU'VE DEFINED __autoload PHP VERSION IS LESS THAN 5.1.2, AND YOU'VE DEFINED __autoload
Because spl_autoload_register() doesn't exist in early versions Because spl_autoload_register() doesn't exist in early versions
of PHP 5, HTML Purifier has no way of adding itself to the autoload of PHP 5, HTML Purifier has no way of adding itself to the autoload
stack. Modify your __autoload function to test stack. Modify your __autoload function to test
HTMLPurifier_Bootstrap::autoload($class) HTMLPurifier_Bootstrap::autoload($class)
For example, suppose your autoload function looks like this: For example, suppose your autoload function looks like this:
function __autoload($class) { function __autoload($class) {
require str_replace('_', '/', $class) . '.php'; require str_replace('_', '/', $class) . '.php';
return true; return true;
} }
A modified version with HTML Purifier would look like this: A modified version with HTML Purifier would look like this:
function __autoload($class) { function __autoload($class) {
if (HTMLPurifier_Bootstrap::autoload($class)) return true; if (HTMLPurifier_Bootstrap::autoload($class)) return true;
require str_replace('_', '/', $class) . '.php'; require str_replace('_', '/', $class) . '.php';
return true; return true;
} }
Note that there *is* some custom behavior in our autoloader; the Note that there *is* some custom behavior in our autoloader; the
original autoloader in our example would work for 99% of the time, original autoloader in our example would work for 99% of the time,
but would fail when including language files. but would fail when including language files.
AN __autoload FUNCTION IS DECLARED AFTER OUR AUTOLOADER IS REGISTERED AN __autoload FUNCTION IS DECLARED AFTER OUR AUTOLOADER IS REGISTERED
spl_autoload_register() has the curious behavior of disabling spl_autoload_register() has the curious behavior of disabling
the existing __autoload() handler. Users need to explicitly the existing __autoload() handler. Users need to explicitly
@@ -131,14 +129,14 @@ Autoload compatibility
HTML Purifier will register the function for you. But if it is HTML Purifier will register the function for you. But if it is
declared afterwards, it will mysteriously not work. This declared afterwards, it will mysteriously not work. This
snippet of code (after your autoloader is defined) will fix it: snippet of code (after your autoloader is defined) will fix it:
spl_autoload_register('__autoload') spl_autoload_register('__autoload')
Users should also be on guard if they use a version of PHP previous Users should also be on guard if they use a version of PHP previous
to 5.1.2 without an autoloader--HTML Purifier will define __autoload() to 5.1.2 without an autoloader--HTML Purifier will define __autoload()
for you, which can collide with an autoloader that was added by *you* for you, which can collide with an autoloader that was added by *you*
later. later.
For better performance For better performance
---------------------- ----------------------
@@ -147,18 +145,18 @@ For better performance
with large amounts of code (HTML Purifier included), don't like with large amounts of code (HTML Purifier included), don't like
autoloaders. We offer an include file that includes all of HTML Purifier's autoloaders. We offer an include file that includes all of HTML Purifier's
files in one go in an opcode cache friendly manner: files in one go in an opcode cache friendly manner:
// If /path/to/library isn't already in your include path, uncomment // If /path/to/library isn't already in your include path, uncomment
// the below line: // the below line:
// require '/path/to/library/HTMLPurifier.path.php'; // require '/path/to/library/HTMLPurifier.path.php';
require 'HTMLPurifier.includes.php'; require 'HTMLPurifier.includes.php';
Optional components still need to be included--you'll know if you try to Optional components still need to be included--you'll know if you try to
use a feature and you get a class doesn't exists error! The autoloader use a feature and you get a class doesn't exists error! The autoloader
can be used in conjunction with this approach to catch classes that are can be used in conjunction with this approach to catch classes that are
missing. Simply add this afterwards: missing. Simply add this afterwards:
require 'HTMLPurifier.autoload.php'; require 'HTMLPurifier.autoload.php';
Standalone version Standalone version
@@ -169,22 +167,22 @@ Standalone version
maintenance/generate-standalone.php . The standalone version has the maintenance/generate-standalone.php . The standalone version has the
benefit of having most of its code in one file, so parsing is much benefit of having most of its code in one file, so parsing is much
faster and the library is easier to manage. faster and the library is easier to manage.
If HTMLPurifier.standalone.php exists in the library directory, you If HTMLPurifier.standalone.php exists in the library directory, you
can use it like this: can use it like this:
require '/path/to/HTMLPurifier.standalone.php'; require '/path/to/HTMLPurifier.standalone.php';
This is equivalent to including HTMLPurifier.includes.php, except that This is equivalent to including HTMLPurifier.includes.php, except that
the contents of standalone/ will be added to your path. To override this the contents of standalone/ will be added to your path. To override this
behavior, specify a new HTMLPURIFIER_PREFIX where standalone files can behavior, specify a new HTMLPURIFIER_PREFIX where standalone files can
be found (usually, this will be one directory up, the "true" library be found (usually, this will be one directory up, the "true" library
directory in full distributions). Don't forget to set your path too! directory in full distributions). Don't forget to set your path too!
The autoloader can be added to the end to ensure the classes are The autoloader can be added to the end to ensure the classes are
loaded when necessary; otherwise you can manually include them. loaded when necessary; otherwise you can manually include them.
To use the autoloader, use this: To use the autoloader, use this:
require 'HTMLPurifier.autoload.php'; require 'HTMLPurifier.autoload.php';
For advanced users For advanced users
@@ -192,14 +190,14 @@ For advanced users
HTMLPurifier.auto.php performs a number of operations that can be done HTMLPurifier.auto.php performs a number of operations that can be done
individually. These are: individually. These are:
HTMLPurifier.path.php HTMLPurifier.path.php
Puts /path/to/library in the include path. For high performance, Puts /path/to/library in the include path. For high performance,
this should be done in php.ini. this should be done in php.ini.
HTMLPurifier.autoload.php HTMLPurifier.autoload.php
Registers our autoload handler HTMLPurifier_Bootstrap::autoload($class). Registers our autoload handler HTMLPurifier_Bootstrap::autoload($class).
You can do these operations by yourself--in fact, you must modify your own You can do these operations by yourself--in fact, you must modify your own
autoload handler if you are using a version of PHP earlier than PHP 5.1.2 autoload handler if you are using a version of PHP earlier than PHP 5.1.2
(See "Autoload compatibility" above). (See "Autoload compatibility" above).
@@ -233,12 +231,12 @@ HTML Purifier uses iconv to support other character encodings, as such,
any encoding that iconv supports <http://www.gnu.org/software/libiconv/> any encoding that iconv supports <http://www.gnu.org/software/libiconv/>
HTML Purifier supports with this code: HTML Purifier supports with this code:
$config->set('Core', 'Encoding', /* put your encoding here */); $config->set('Core.Encoding', /* put your encoding here */);
An example usage for Latin-1 websites (the most common encoding for English An example usage for Latin-1 websites (the most common encoding for English
websites): websites):
$config->set('Core', 'Encoding', 'ISO-8859-1'); $config->set('Core.Encoding', 'ISO-8859-1');
Note that HTML Purifier's support for non-Unicode encodings is crippled by the Note that HTML Purifier's support for non-Unicode encodings is crippled by the
fact that any character not supported by that encoding will be silently fact that any character not supported by that encoding will be silently
@@ -253,7 +251,7 @@ reason, I do not include the solution in this document).
For those of you using HTML 4.01 Transitional, you can disable For those of you using HTML 4.01 Transitional, you can disable
XHTML output like this: XHTML output like this:
$config->set('HTML', 'Doctype', 'HTML 4.01 Transitional'); $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
Other supported doctypes include: Other supported doctypes include:
@@ -279,14 +277,14 @@ are, respectively, %HTML.Allowed, %URI.MakeAbsolute and %URI.Base, and
%AutoFormat.AutoParagraph. The %Namespace.Directive naming convention %AutoFormat.AutoParagraph. The %Namespace.Directive naming convention
translates to: translates to:
$config->set('Namespace', 'Directive', $value); $config->set('Namespace.Directive', $value);
E.g. E.g.
$config->set('HTML', 'Allowed', 'p,b,a[href],i'); $config->set('HTML.Allowed', 'p,b,a[href],i');
$config->set('URI', 'Base', 'http://www.example.com'); $config->set('URI.Base', 'http://www.example.com');
$config->set('URI', 'MakeAbsolute', true); $config->set('URI.MakeAbsolute', true);
$config->set('AutoFormat', 'AutoParagraph', true); $config->set('AutoFormat.AutoParagraph', true);
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
@@ -320,11 +318,11 @@ If you are unable or unwilling to give write permissions to the cache
directory, you can either disable the cache (and suffer a performance directory, you can either disable the cache (and suffer a performance
hit): hit):
$config->set('Core', 'DefinitionCache', null); $config->set('Core.DefinitionCache', null);
Or move the cache directory somewhere else (no trailing slash): Or move the cache directory somewhere else (no trailing slash):
$config->set('Cache', 'SerializerPath', '/home/user/absolute/path'); $config->set('Cache.SerializerPath', '/home/user/absolute/path');
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
@@ -354,7 +352,7 @@ If your website is in UTF-8 and XHTML Transitional, use this code:
<?php <?php
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
$purifier = new HTMLPurifier(); $purifier = new HTMLPurifier();
$clean_html = $purifier->purify($dirty_html); $clean_html = $purifier->purify($dirty_html);
?> ?>
@@ -363,12 +361,13 @@ If your website is in a different encoding or doctype, use this code:
<?php <?php
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault(); $config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', 'ISO-8859-1'); // replace with your encoding $config->set('Core.Encoding', 'ISO-8859-1'); // replace with your encoding
$config->set('HTML', 'Doctype', 'HTML 4.01 Transitional'); // replace with your doctype $config->set('HTML.Doctype', 'HTML 4.01 Transitional'); // replace with your doctype
$purifier = new HTMLPurifier($config); $purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html); $clean_html = $purifier->purify($dirty_html);
?> ?>
vim: et sw=4 sts=4

12
INSTALL.fr.utf8
View File

@@ -20,7 +20,7 @@ ce document pour quelques choses.
HTML Purifier fonctionne dans PHP 5. PHP 5.0.5 est le dernier HTML Purifier fonctionne dans PHP 5. PHP 5.0.5 est le dernier
version que je le testais. Il ne dépend de les autre librairies. version que je le testais. Il ne dépend de les autre librairies.
Les extensions optionnel est iconv (en général déjà installer) et Les extensions optionnel est iconv (en général déjà installer) et
tidy (répandu aussi). Si vous utilisez UTF-8 et ne voulez pas tidy (répandu aussi). Si vous utilisez UTF-8 et ne voulez pas
l'indentation, vous pouvez utiliser HTML Purifier sans ces extensions. l'indentation, vous pouvez utiliser HTML Purifier sans ces extensions.
@@ -48,7 +48,7 @@ Si votre site web est en UTF-8 et XHTML Transitional, utilisez:
<?php <?php
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
$purificateur = new HTMLPurifier(); $purificateur = new HTMLPurifier();
$html_propre = $purificateur->purify($html_salle); $html_propre = $purificateur->purify($html_salle);
?> ?>
@@ -57,11 +57,13 @@ Sinon, utilisez:
<?php <?php
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault(); $config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', 'ISO-8859-1'); //remplacez avec votre encoding $config->set('Core', 'Encoding', 'ISO-8859-1'); //remplacez avec votre encoding
$config->set('Core', 'XHTML', true); //remplacez avec false si HTML 4.01 $config->set('Core', 'XHTML', true); //remplacez avec false si HTML 4.01
$purificateur = new HTMLPurifier($config); $purificateur = new HTMLPurifier($config);
$html_propre = $purificateur->purify($html_salle); $html_propre = $purificateur->purify($html_salle);
?> ?>
vim: et sw=4 sts=4

4
LICENSE
View File

@@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
on the Library (independent of the use of the Library in a tool for on the Library (independent of the use of the Library in a tool for
writing it). Whether that is true depends on what the Library does writing it). Whether that is true depends on what the Library does
and what the program that uses the Library does. and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's 1. You may copy and distribute verbatim copies of the Library's
complete source code as you receive it, in any medium, provided that complete source code as you receive it, in any medium, provided that
you conspicuously and appropriately publish on each copy an you conspicuously and appropriately publish on each copy an
@@ -501,4 +501,4 @@ necessary. Here is a sample; alter the names:
That's all there is to it! That's all there is to it!
vim: et sw=4 sts=4

150
NEWS
View File

@@ -9,6 +9,126 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
. Internal change . Internal change
========================== ==========================
4.2.0, released 2010-09-15
! Added %Core.RemoveProcessingInstructions, which lets you remove
<? ... ?> statements.
! Added %URI.DisableResources functionality; the directive originally
did nothing. Thanks David Rothstein for reporting.
! Add documentation about configuration directive types.
! Add %CSS.ForbiddenProperties configuration directive.
! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects
to utilize full-screen mode.
! Add optional support for the <code>file</code> URI scheme, enable
by explicitly setting %URI.AllowedSchemes.
! Add %Core.NormalizeNewlines options to allow turning off newline
normalization.
- Fix improper handling of Internet Explorer conditional comments
by parser. Thanks zmonteca for reporting.
- Fix missing attributes bug when running on Mac Snow Leopard and APC.
Thanks sidepodcast for the fix.
- Warn if an element is allowed, but an attribute it requires is
not allowed.
4.1.1, released 2010-05-31
- Fix undefined index warnings in maintenance scripts.
- Fix bug in DirectLex for parsing elements with a single attribute
with entities.
- Rewrite CSS output logic for font-family and url(). Thanks Mario
Heiderich <mario.heiderich@googlemail.com> for reporting and Takeshi
Terada <t-terada@violet.plala.or.jp> for suggesting the fix.
- Emit an error for CollectErrors if a body is extracted
- Fix bug where in background-position for center keyword handling.
- Fix infinite loop when a wrapper element is inserted in a context
where it's not allowed. Thanks Lars <lars@renoz.dk> for reporting.
- Remove +x bit and shebang from index.php; only supported mode is to
explicitly call it with php.
- Make test script less chatty when log_errors is on.
4.1.0, released 2010-04-26
! Support proprietary height attribute on table element
! Support YouTube slideshows that contain /cp/ in their URL.
! Support for data: URI scheme; not enabled by default, add it using
%URI.AllowedSchemes
! Support flashvars when using %HTML.SafeObject and %HTML.SafeEmbed.
! Support for Internet Explorer compatibility with %HTML.SafeObject
using %Output.FlashCompat.
! Handle <ol><ol> properly, by inserting the necessary <li> tag.
- Always quote the insides of url(...) in CSS.
4.0.0, released 2009-07-07
# APIs for ConfigSchema subsystem have substantially changed. See
docs/dev-config-bcbreaks.txt for details; in essence, anything that
had both namespace and directive now have a single unified key.
# Some configuration directives were renamed, specifically:
%AutoFormatParam.PurifierLinkifyDocURL -> %AutoFormat.PurifierLinkify.DocURL
%FilterParam.ExtractStyleBlocksEscaping -> %Filter.ExtractStyleBlocks.Escaping
%FilterParam.ExtractStyleBlocksScope -> %Filter.ExtractStyleBlocks.Scope
%FilterParam.ExtractStyleBlocksTidyImpl -> %Filter.ExtractStyleBlocks.TidyImpl
As usual, the old directive names will still work, but will throw E_NOTICE
errors.
# The allowed values for class have been relaxed to allow all of CDATA for
doctypes that are not XHTML 1.1 or XHTML 2.0. For old behavior, set
%Attr.ClassUseCDATA to false.
# Instead of appending the content model to an old content model, a blank
element will replace the old content model. You can use #SUPER to get
the old content model.
! More robust support for name="" and id=""
! HTMLPurifier_Config::inherit($config) allows you to inherit one
configuration, and have changes to that configuration be propagated
to all of its children.
! Implement %HTML.Attr.Name.UseCDATA, which relaxes validation rules on
the name attribute when set. Use with care. Thanks Ian Cook for
sponsoring.
! Implement %AutoFormat.RemoveEmpty.RemoveNbsp, which removes empty
tags that contain non-breaking spaces as well other whitespace. You
can also modify which tags should have &nbsp; maintained with
%AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.
! Implement %Attr.AllowedClasses, which allows administrators to restrict
classes users can use to a specified finite set of classes, and
%Attr.ForbiddenClasses, which is the logical inverse.
! You can now maintain your own configuration schema directories by
creating a config-schema.php file or passing an extra argument. Check
docs/dev-config-schema.html for more details.
! Added HTMLPurifier_Config->serialize() method, which lets you save away
your configuration in a compact serial file, which you can unserialize
and use directly without having to go through the overhead of setup.
- Fix bug where URIDefinition would not get cleared if it's directives got
changed.
- Fix fatal error in HTMLPurifier_Encoder on certain platforms (probably NetBSD 5.0)
- Fix bug in Linkify autoformatter involving <a><span>http://foo</span></a>
- Make %URI.Munge not apply to links that have the same host as your host.
- Prevent stray </body> tag from truncating output, if a second </body>
is present.
. Created script maintenance/rename-config.php for renaming a configuration
directive while maintaining its alias. This script does not change source code.
. Implement namespace locking for definition construction, to prevent
bugs where a directive is used for definition construction but is not
used to construct the cache hash.
3.3.0, released 2009-02-16
! Implement CSS property 'overflow' when %CSS.AllowTricky is true.
! Implement generic property list classess
- Fix bug with testEncodingSupportsASCII() algorithm when iconv() implementation
does not do the "right thing" with characters not supported in the output
set.
- Spellcheck UTF-8: The Secret To Character Encoding
- Fix improper removal of the contents of elements with only whitespace. Thanks
Eric Wald for reporting.
- Fix broken test suite in versions of PHP without spl_autoload_register()
- Fix degenerate case with YouTube filter involving double hyphens.
Thanks Pierre Attar for reporting.
- Fix YouTube rendering problem on certain versions of Firefox.
- Fix CSSDefinition Printer problems with decorators
- Add text parameter to unit tests, forces text output
. Add verbose mode to command line test runner, use (--verbose)
. Turn on unit tests for UnitConverter
. Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0)
. Fix newline errors that caused spurious failures when CRLF HTML Purifier was
tested on Linux.
. Removed trailing whitespace from all text files, see
remote-trailing-whitespace.php maintenance script.
. Convert configuration to use property list backend.
3.2.0, released 2008-10-31 3.2.0, released 2008-10-31
# Using %Core.CollectErrors forces line number/column tracking on, whereas # Using %Core.CollectErrors forces line number/column tracking on, whereas
previously you could theoretically turn it off. previously you could theoretically turn it off.
@@ -18,7 +138,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
deal with a bug in FCKEditor. Requested by frank farmer. deal with a bug in FCKEditor. Requested by frank farmer.
! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith. ! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith.
! Proper support for name attribute. It is now allowed and equivalent to the id ! Proper support for name attribute. It is now allowed and equivalent to the id
attribute in a and img tags, and is only converted to id when %HTML.TidyLevel attribute in a and img tags, and is only converted to id when %HTML.TidyLevel
is heavy (for all doctypes). is heavy (for all doctypes).
! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't ! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't
use on hand-written HTML. use on hand-written HTML.
@@ -29,7 +149,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier', ! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier',
'phpt', 'vtest', etc. in order to only execute those tests. This supercedes 'phpt', 'vtest', etc. in order to only execute those tests. This supercedes
the --only-phpt parameter, although for backwards-compatibility the flag the --only-phpt parameter, although for backwards-compatibility the flag
will still work. will still work.
! AutoParagraph auto-formatter will now preserve double-newlines upon output. ! AutoParagraph auto-formatter will now preserve double-newlines upon output.
Users who are not performing inbound filtering, this may seem a little Users who are not performing inbound filtering, this may seem a little
useless, but as a bonus, the test suite and handling of edge cases is also useless, but as a bonus, the test suite and handling of edge cases is also
@@ -73,7 +193,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
for more interesting filter-backtracking for more interesting filter-backtracking
. New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind . New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
index to reprocess tokens. index to reprocess tokens.
. StringHashParser now allows for multiline sections with "empty" content; . StringHashParser now allows for multiline sections with "empty" content;
previously the section would remain undefined. previously the section would remain undefined.
. Added --quick option to multitest.php, which tests only the most recent . Added --quick option to multitest.php, which tests only the most recent
release for each series. release for each series.
@@ -82,7 +202,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
3.1.1, released 2008-06-19 3.1.1, released 2008-06-19
# %URI.Munge now, by default, does not munge resources (for example, <img src="">) # %URI.Munge now, by default, does not munge resources (for example, <img src="">)
In order to enable this again, please set %URI.MungeResources to true. In order to enable this again, please set %URI.MungeResources to true.
! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength, ! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength,
and height/width HTML with %HTML.MaxImgLength. and height/width HTML with %HTML.MaxImgLength.
! %URI.MungeSecretKey for secure URI munging. Thanks Chris ! %URI.MungeSecretKey for secure URI munging. Thanks Chris
@@ -92,7 +212,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
%URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge) %URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge)
! Implemented post URI filtering. Set member variable $post to true to set ! Implemented post URI filtering. Set member variable $post to true to set
a URIFilter as such. a URIFilter as such.
! Allow modules to define injectors via $info_injector. Injectors are ! Allow modules to define injectors via $info_injector. Injectors are
automatically disabled if injector's needed elements are not found. automatically disabled if injector's needed elements are not found.
! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed. ! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
Thanks Chris for sponsoring. If you've been using ad hoc code from the Thanks Chris for sponsoring. If you've been using ad hoc code from the
@@ -139,10 +259,10 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
consult changes to HTMLPurifier_Config for details. consult changes to HTMLPurifier_Config for details.
. Variable parsing types now are magic integers instead of strings . Variable parsing types now are magic integers instead of strings
. Added benchmark for ConfigSchema . Added benchmark for ConfigSchema
. HTMLPurifier_Generator requires $config and $context parameters. If you . HTMLPurifier_Generator requires $config and $context parameters. If you
don't know what they should be, use HTMLPurifier_Config::createDefault() don't know what they should be, use HTMLPurifier_Config::createDefault()
and new HTMLPurifier_Context(). and new HTMLPurifier_Context().
. Printers now properly distinguish between output configuration, and . Printers now properly distinguish between output configuration, and
target configuration. This is not applicable to scripts using target configuration. This is not applicable to scripts using
the Printers for HTML Purifier related tasks. the Printers for HTML Purifier related tasks.
. HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise . HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise
@@ -229,7 +349,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
enabled using %Filter.$filter_name or by setting your own filters using enabled using %Filter.$filter_name or by setting your own filters using
%Filter.Custom %Filter.Custom
# Directive-level safety properties superceded in favor of module-level # Directive-level safety properties superceded in favor of module-level
safety. Internal method HTMLModule->addElement() has changed, although safety. Internal method HTMLModule->addElement() has changed, although
the externally visible HTMLDefinition->addElement has *not* changed. the externally visible HTMLDefinition->addElement has *not* changed.
! Extra utility classes for testing and non-library operations can ! Extra utility classes for testing and non-library operations can
be found in extras/. Specifically, these are FSTools and ConfigDoc. be found in extras/. Specifically, these are FSTools and ConfigDoc.
@@ -269,7 +389,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
. Dry runs now supported in SimpleTest; testing facilities improved . Dry runs now supported in SimpleTest; testing facilities improved
. Bootstrap class added for handling autoloading functionality . Bootstrap class added for handling autoloading functionality
. Implemented recursive glob at FSTools->globr . Implemented recursive glob at FSTools->globr
. ConfigSchema now has instance methods for all corresponding define* . ConfigSchema now has instance methods for all corresponding define*
static methods. static methods.
. A couple of new historical maintenance scripts were added. . A couple of new historical maintenance scripts were added.
. HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files . HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files
@@ -290,7 +410,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
. HTMLPurifier_ConfigSchema->validate() deprecated in favor of . HTMLPurifier_ConfigSchema->validate() deprecated in favor of
HTMLPurifier_VarParser->parse() HTMLPurifier_VarParser->parse()
. Integers auto-cast into float type by VarParser. . Integers auto-cast into float type by VarParser.
. HTMLPURIFIER_STRICT removed; no validation is performed on runtime, only . HTMLPURIFIER_STRICT removed; no validation is performed on runtime, only
during cache generation during cache generation
. Reordered script calls in maintenance/flush.php . Reordered script calls in maintenance/flush.php
. Command line scripts now honor exit codes . Command line scripts now honor exit codes
@@ -332,7 +452,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
script (you must provide this script!) script (you must provide this script!)
- Fixed poor include ordering for Email URI AttrDefs, causes fatal errors - Fixed poor include ordering for Email URI AttrDefs, causes fatal errors
on some systems. on some systems.
- Injector algorithm further refined: off-by-one error regarding skip - Injector algorithm further refined: off-by-one error regarding skip
counts for dormant injectors fixed counts for dormant injectors fixed
- Corrective blockquote definition now enabled for HTML 4.01 Strict - Corrective blockquote definition now enabled for HTML 4.01 Strict
- Fatal error when <img> tag (or any other element with required attributes) - Fatal error when <img> tag (or any other element with required attributes)
@@ -357,7 +477,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
facilities in PHP 5 facilities in PHP 5
- Make ErrorCollectorEMock work in both PHP 4 and PHP 5 - Make ErrorCollectorEMock work in both PHP 4 and PHP 5
- Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef - Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef
. %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment . %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment
to better communicate its purpose to better communicate its purpose
. Error unit tests can now specify the expectation of no errors. Future . Error unit tests can now specify the expectation of no errors. Future
iterations of the harness will be extremely strict about what errors iterations of the harness will be extremely strict about what errors
@@ -516,7 +636,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
and better modularization and better modularization
# Configuration object now finalizes itself when a read operation is # Configuration object now finalizes itself when a read operation is
performed on it, ensuring that its internal state stays consistent. performed on it, ensuring that its internal state stays consistent.
To revert this behavior, you can set the $autoFinalize member variable To revert this behavior, you can set the $autoFinalize member variable
off, but it's not recommended. off, but it's not recommended.
# New compact syntax for AttrDef objects that can be used to instantiate # New compact syntax for AttrDef objects that can be used to instantiate
new objects via make() new objects via make()
@@ -600,7 +720,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to
see how the new equivalent is implemented see how the new equivalent is implemented
. Unit tests now use exclusively assertIdentical . Unit tests now use exclusively assertIdentical
1.6.0, released 2007-04-01 1.6.0, released 2007-04-01
! Support for most common deprecated attributes via transformations: ! Support for most common deprecated attributes via transformations:
+ bgcolor in td, th, tr and table + bgcolor in td, th, tr and table
@@ -814,3 +934,5 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
+ Shorthand CSS properties + Shorthand CSS properties
+ Table CSS properties + Table CSS properties
+ Deprecated attribute transformations + Deprecated attribute transformations
vim: et sw=4 sts=4

18
README
View File

@@ -2,15 +2,15 @@
README README
All about HTML Purifier All about HTML Purifier
HTML Purifier is an HTML filtering solution that uses a unique combination HTML Purifier is an HTML filtering solution that uses a unique combination
of robust whitelists and agressive parsing to ensure that not only are of robust whitelists and agressive parsing to ensure that not only are
XSS attacks thwarted, but the resulting HTML is standards compliant. XSS attacks thwarted, but the resulting HTML is standards compliant.
HTML Purifier is oriented towards richly formatted documents from HTML Purifier is oriented towards richly formatted documents from
untrusted sources that require CSS and a full tag-set. This library can untrusted sources that require CSS and a full tag-set. This library can
be configured to accept a more restrictive set of tags, but it won't be be configured to accept a more restrictive set of tags, but it won't be
as efficient as more bare-bones parsers. It will, however, do the job as efficient as more bare-bones parsers. It will, however, do the job
right, which may be more important. right, which may be more important.
Places to go: Places to go:
@@ -20,3 +20,5 @@ Places to go:
* See WYSIWYG for information on editors like TinyMCE and FCKeditor * See WYSIWYG for information on editors like TinyMCE and FCKeditor
HTML Purifier can be found on the web at: http://htmlpurifier.org/ HTML Purifier can be found on the web at: http://htmlpurifier.org/
vim: et sw=4 sts=4

101
TODO
View File

@@ -11,84 +11,81 @@ If no interest is expressed for a feature that may require a considerable
amount of effort to implement, it may get endlessly delayed. Do not be amount of effort to implement, it may get endlessly delayed. Do not be
afraid to cast your vote for the next feature to be implemented! afraid to cast your vote for the next feature to be implemented!
- Investigate how early internal structures can be accessed; this would Things to do as soon as possible:
prevent structures from being parsed and serialized multiple times.
- Built-in support for target="_blank" on all external links - Think about allowing explicit order of operations hooks for transforms
- Allow <a id="asdf" name="asdf"> - Inputs don't do the right thing with submit
- Implement overflow CSS property (as per jlp09550) - Fix "<.<" bug (trailing < is removed if not EOD)
- Build in better internal state dumps and debugging tools for remote
debugging
- Allowed/Allowed* have strange interactions when both set
- Transform lone embeds into object tags
- Deprecated config options that emit warnings when you set them (with'
a way of muting the warning if you really want to)
- Make HTML.Trusted work with Output.FlashCompat
FUTURE VERSIONS FUTURE VERSIONS
--------------- ---------------
3.3 release [It's All About Trust] (floating) 4.3 release [OMG CONFIG PONIES]
! Fix Printer. It's from the old days when we didn't have decent XML classes
! Factor demo.php into a set of Printer classes, and then create a stub
file for users here (inside the actual HTML Purifier library)
- Fix error handling with form construction
- Do encoding validation in Printers, or at least, where user data comes in
- Config: Add examples to everything (make built-in which also automatically
gives output)
- Add "register" field to config schemas to eliminate dependence on
naming conventions (try to remember why we ultimately decided on tihs)
5.0 release [HTML 5]
# Swap out code to use html5lib tokenizer and tree-builder
! Allow turning off of FixNesting and required attribute insertion
5.1 release [It's All About Trust] (floating)
# Implement untrusted, dangerous elements/attributes # Implement untrusted, dangerous elements/attributes
# Implement IDREF support (harder than it seems, since you cannot have # Implement IDREF support (harder than it seems, since you cannot have
IDREFs to non-existent IDs) IDREFs to non-existent IDs)
- Implement <area> (client and server side image maps are blocking
on IDREF support)
# Frameset XHTML 1.0 and HTML 4.01 doctypes # Frameset XHTML 1.0 and HTML 4.01 doctypes
- Implement <area>
- Figure out how to simultaneously set %CSS.Trusted and %HTML.Trusted (?) - Figure out how to simultaneously set %CSS.Trusted and %HTML.Trusted (?)
3.4 release [Error'ed] 5.2 release [Error'ed]
# Error logging for filtering/cleanup procedures # Error logging for filtering/cleanup procedures
- XSS-attempt detection--certain errors are flagged XSS-like
3.5 release [Do What I Mean, Not What I Say]
# Additional support for poorly written HTML # Additional support for poorly written HTML
- Microsoft Word HTML cleaning (i.e. MsoNormal, but research essential!) - Microsoft Word HTML cleaning (i.e. MsoNormal, but research essential!)
- Friendly strict handling of <address> (block -> <br>) - Friendly strict handling of <address> (block -> <br>)
? Remove redundant tags, ex. <u><u>Underlined</u></u>. Implementation notes: - XSS-attempt detection--certain errors are flagged XSS-like
1. Analyzing which tags to remove duplicants
2. Ensure attributes are merged into the parent tag
3. Extend the tag exclusion system to specify whether or not the
contents should be dropped or not (currently, there's code that could do
something like this if it didn't drop the inner text too.)
- Remove <span> tags that don't do anything (no attributes)
- Append something to duplicate IDs so they're still usable (impl. note: the - Append something to duplicate IDs so they're still usable (impl. note: the
dupe detector would also need to detect the suffix as well) dupe detector would also need to detect the suffix as well)
- Externalize inline CSS to promote clean HTML, proposed by Sander Tekelenburg
4.0 release [Beyond HTML] 6.0 release [Beyond HTML]
# Legit token based CSS parsing (will require revamping almost every # Legit token based CSS parsing (will require revamping almost every
AttrDef class). Probably will use CSSTidy class? AttrDef class). Probably will use CSSTidy
# More control over allowed CSS properties using a modularization # More control over allowed CSS properties using a modularization
# HTML 5 support
# IRI support (this includes IDN) # IRI support (this includes IDN)
- Standardize token armor for all areas of processing - Standardize token armor for all areas of processing
- Convert RTL/LTR override characters to <bdo> tags, or vice versa on demand.
Also, enable disabling of directionality
5.0 release [To XML and Beyond] 7.0 release [To XML and Beyond]
- Extended HTML capabilities based on namespacing and tag transforms (COMPLEX) - Extended HTML capabilities based on namespacing and tag transforms (COMPLEX)
- Hooks for adding custom processors to custom namespaced tags and - Hooks for adding custom processors to custom namespaced tags and
attributes, offer default implementation attributes, offer default implementation
- Lots of documentation and samples - Lots of documentation and samples
Ongoing Ongoing
- More refactoring to take advantage of PHP5's facilities - More refactoring to take advantage of PHP5's facilities
- Refactor unit tests into lots of test methods - Refactor unit tests into lots of test methods
- Plugins for major CMSes (COMPLEX) - Plugins for major CMSes (COMPLEX)
- phpBB - phpBB
- Drupal needs loving! - Also, a FAQ for extension writers with HTML Purifier
- Phorum need loving!
- more! (look for ones that use WYSIWYGs)
- Also, maybe a FAQ for extension writers with HTML Purifier
AutoFormat AutoFormat
- Smileys - Smileys
- Syntax highlighting (with GeSHi) with <pre> and possibly <?php - Syntax highlighting (with GeSHi) with <pre> and possibly <?php
- Look at http://drupal.org/project/Modules/category/63 for ideas - Look at http://drupal.org/project/Modules/category/63 for ideas
Optimizations
- Reduce size of internal data-structures (esp. HTMLDefinition)
- Research memory usage of objects versus arrays
- Combine multiple strategies into a single, single-pass strategy
- Get PH5P working with the latest versions of DOM, which have much more
stringent error checking procedures. Maybe convert straight to tokens.
- Get rid of set_include_path(). Save this for another major release.
Neat feature related Neat feature related
! Factor demo.php into a set of Printer classes, and then create a stub
file for users here (inside the actual HTML Purifier library)
! Support exporting configuration, so users can easily tweak settings ! Support exporting configuration, so users can easily tweak settings
in the demo, and then copy-paste into their own setup in the demo, and then copy-paste into their own setup
- Advanced URI filtering schemes (see docs/proposal-new-directives.txt) - Advanced URI filtering schemes (see docs/proposal-new-directives.txt)
@@ -105,14 +102,28 @@ Neat feature related
- Full set of color keywords. Also, a way to add onto them without - Full set of color keywords. Also, a way to add onto them without
finalizing the configuration object. finalizing the configuration object.
- Write a var_export and memcached DefinitionCache - Denis - Write a var_export and memcached DefinitionCache - Denis
- Allow restriction of allowed class values - Built-in support for target="_blank" on all external links
- Convert RTL/LTR override characters to <bdo> tags, or vice versa on demand.
Also, enable disabling of directionality
? Externalize inline CSS to promote clean HTML, proposed by Sander Tekelenburg
? Remove redundant tags, ex. <u><u>Underlined</u></u>. Implementation notes:
1. Analyzing which tags to remove duplicants
2. Ensure attributes are merged into the parent tag
3. Extend the tag exclusion system to specify whether or not the
contents should be dropped or not (currently, there's code that could do
something like this if it didn't drop the inner text too.)
Maintenance related (slightly boring) Maintenance related (slightly boring)
# CHMOD install script for PEAR installs # CHMOD install script for PEAR installs
! Factor out command line parser into its own class, and unit test it ! Factor out command line parser into its own class, and unit test it
! Nested configuration namespaces - Reduce size of internal data-structures (esp. HTMLDefinition)
- Distinguish between default settings and explicitly set settings, so - Allow merging configurations. Thus,
configurations can be merged a -> b -> default
c -> d -> default
becomes
a -> b -> c -> d -> default
Maybe allow more fine-grained tuning of this behavior. Alternatively,
encourage people to use short plist depths before building them up.
- Time PHPT tests - Time PHPT tests
ChildDef related (very boring) ChildDef related (very boring)
@@ -126,3 +137,5 @@ Wontfix
- Pretty-printing HTML: users can use Tidy on the output on entire page - Pretty-printing HTML: users can use Tidy on the output on entire page
- Native content compression, whitespace stripping: use gzip if this is - Native content compression, whitespace stripping: use gzip if this is
really important really important
vim: et sw=4 sts=4

2
VERSION
View File

@@ -1 +1 @@
3.2.0 4.2.0

14
WHATSNEW
View File

@@ -1,6 +1,8 @@
HTML Purifier 3.2.0 is an amalgamation of new features and fixes that HTML Purifier 4.2.0 is a minor release that implements a number of
have accumulated over a four month period. Some notable features feature requests accumulated over half a year. New configuration
include %AutoFormat.RemoveEmpty, column tracking for tokens, options include %Core.RemoveProcessingInstructions,
%AutoFormat.DisplayLinkURI and %Attr.DefaultImageAlt. There were also %CSS.ForbiddenProperties, %HTML.FlashAllowFullScreen and
major improvements to the test suite interface, error collection output %Core.NormalizeNewlines. Additionally,%URI.DisableResources is
and the auto-formatter framework. now functional and file: is an optionally supported URI scheme.
There are also some minor bugfixes, usability improvements and
documentation updates.

2
WYSIWYG
View File

@@ -16,3 +16,5 @@ trouble. Therein lies the solution:
HTML Purifier is perfect for filtering pure-HTML input from WYSIWYG editors. HTML Purifier is perfect for filtering pure-HTML input from WYSIWYG editors.
Enough said. Enough said.
vim: et sw=4 sts=4

2
benchmarks/ConfigSchema.php
View File

@@ -12,3 +12,5 @@ $begin = xdebug_memory_usage();
$schema = HTMLPurifier_ConfigSchema::makeFromSerial(); $schema = HTMLPurifier_ConfigSchema::makeFromSerial();
echo xdebug_memory_usage() - $begin; echo xdebug_memory_usage() - $begin;
// vim: et sw=4 sts=4

47
benchmarks/Lexer.php
View File

@@ -9,7 +9,7 @@ require_once 'Text/Password.php'; // for generating random input
$LEXERS = array(); $LEXERS = array();
$RUNS = isset($GLOBALS['HTMLPurifierTest']['Runs']) $RUNS = isset($GLOBALS['HTMLPurifierTest']['Runs'])
? $GLOBALS['HTMLPurifierTest']['Runs'] : 2; ? $GLOBALS['HTMLPurifierTest']['Runs'] : 2;
require_once 'HTMLPurifier/Lexer/DirectLex.php'; require_once 'HTMLPurifier/Lexer/DirectLex.php';
$LEXERS['DirectLex'] = new HTMLPurifier_Lexer_DirectLex(); $LEXERS['DirectLex'] = new HTMLPurifier_Lexer_DirectLex();
@@ -22,48 +22,48 @@ if (version_compare(PHP_VERSION, '5', '>=')) {
// custom class to aid unit testing // custom class to aid unit testing
class RowTimer extends Benchmark_Timer class RowTimer extends Benchmark_Timer
{ {
var $name; var $name;
function RowTimer($name, $auto = false) { function RowTimer($name, $auto = false) {
$this->name = htmlentities($name); $this->name = htmlentities($name);
$this->Benchmark_Timer($auto); $this->Benchmark_Timer($auto);
} }
function getOutput() { function getOutput() {
$total = $this->TimeElapsed(); $total = $this->TimeElapsed();
$result = $this->getProfiling(); $result = $this->getProfiling();
$dashes = ''; $dashes = '';
$out = '<tr>'; $out = '<tr>';
$out .= "<td>{$this->name}</td>"; $out .= "<td>{$this->name}</td>";
$standard = false; $standard = false;
foreach ($result as $k => $v) { foreach ($result as $k => $v) {
if ($v['name'] == 'Start' || $v['name'] == 'Stop') continue; if ($v['name'] == 'Start' || $v['name'] == 'Stop') continue;
//$perc = (($v['diff'] * 100) / $total); //$perc = (($v['diff'] * 100) / $total);
//$tperc = (($v['total'] * 100) / $total); //$tperc = (($v['total'] * 100) / $total);
//$out .= '<td align="right">' . $v['diff'] . '</td>'; //$out .= '<td align="right">' . $v['diff'] . '</td>';
if ($standard == false) $standard = $v['diff']; if ($standard == false) $standard = $v['diff'];
$perc = $v['diff'] * 100 / $standard; $perc = $v['diff'] * 100 / $standard;
$bad_run = ($v['diff'] < 0); $bad_run = ($v['diff'] < 0);
$out .= '<td align="right"'. $out .= '<td align="right"'.
($bad_run ? ' style="color:#AAA;"' : ''). ($bad_run ? ' style="color:#AAA;"' : '').
'>' . number_format($perc, 2, '.', '') . '>' . number_format($perc, 2, '.', '') .
'%</td><td>'.number_format($v['diff'],4,'.','').'</td>'; '%</td><td>'.number_format($v['diff'],4,'.','').'</td>';
} }
$out .= '</tr>'; $out .= '</tr>';
return $out; return $out;
} }
} }
@@ -80,18 +80,18 @@ function print_lexers() {
function do_benchmark($name, $document) { function do_benchmark($name, $document) {
global $LEXERS, $RUNS; global $LEXERS, $RUNS;
$config = HTMLPurifier_Config::createDefault(); $config = HTMLPurifier_Config::createDefault();
$context = new HTMLPurifier_Context(); $context = new HTMLPurifier_Context();
$timer = new RowTimer($name); $timer = new RowTimer($name);
$timer->start(); $timer->start();
foreach($LEXERS as $key => $lexer) { foreach($LEXERS as $key => $lexer) {
for ($i=0; $i<$RUNS; $i++) $tokens = $lexer->tokenizeHTML($document, $config, $context); for ($i=0; $i<$RUNS; $i++) $tokens = $lexer->tokenizeHTML($document, $config, $context);
$timer->setMarker($key); $timer->setMarker($key);
} }
$timer->stop(); $timer->stop();
$timer->display(); $timer->display();
} }
@@ -118,11 +118,11 @@ foreach ($LEXERS as $key => $value) {
$dir = 'samples/Lexer'; $dir = 'samples/Lexer';
$dh = opendir($dir); $dh = opendir($dir);
while (false !== ($filename = readdir($dh))) { while (false !== ($filename = readdir($dh))) {
if (strpos($filename, '.html') !== strlen($filename) - 5) continue; if (strpos($filename, '.html') !== strlen($filename) - 5) continue;
$document = file_get_contents($dir . '/' . $filename); $document = file_get_contents($dir . '/' . $filename);
do_benchmark("File: $filename", $document); do_benchmark("File: $filename", $document);
} }
// crashers, caused infinite loops before // crashers, caused infinite loops before
@@ -153,3 +153,6 @@ echo '<div>Random input was: ' .
</body></html> </body></html>
<?php
// vim: et sw=4 sts=4

2
benchmarks/Trace.php
View File

@@ -17,3 +17,5 @@ $data = $purifier->purify(file_get_contents('samples/Lexer/4.html'));
xdebug_stop_trace(); xdebug_stop_trace();
echo "Trace finished."; echo "Trace finished.";
// vim: et sw=4 sts=4

9
benchmarks/samples/Lexer/1.html
View File

@@ -28,7 +28,7 @@
<li>HX Edison Taiji Club <a href="http://www.taijiclub.org/downloads/Taiji_club_regulation_.pdf">by-law</a> effective 3/28/2006</li> <li>HX Edison Taiji Club <a href="http://www.taijiclub.org/downloads/Taiji_club_regulation_.pdf">by-law</a> effective 3/28/2006</li>
<li>A new email account for our club: HXEdisontaijiclub@yahoo.com</li> <li>A new email account for our club: HXEdisontaijiclub@yahoo.com</li>
<li>Workshop conducted by <a href="http://www.taijiclub.org/ch/Digest/LiDeyin">?????</a> Li Deyin is set on June 4, 2006 at Clarion Hotel in Edison from 9:30am-12pm; <a href="http://www.taijiclub.org/en/Registration">Registration</a></li> <li>Workshop conducted by <a href="http://www.taijiclub.org/ch/Digest/LiDeyin">?????</a> Li Deyin is set on June 4, 2006 at Clarion Hotel in Edison from 9:30am-12pm; <a href="http://www.taijiclub.org/en/Registration">Registration</a></li>
</ul> </ul>
@@ -36,7 +36,7 @@
<p><i>Taiji</i> is an ancient Chinese tradition of movement systems that is associated with philosophy, physiology, psychology, geometry and dynamics. It is the slowest form of martial arts and is meant to improve the internal spirit. It is soothing to the soul and extremely invigorating. </p> <p><i>Taiji</i> is an ancient Chinese tradition of movement systems that is associated with philosophy, physiology, psychology, geometry and dynamics. It is the slowest form of martial arts and is meant to improve the internal spirit. It is soothing to the soul and extremely invigorating. </p>
<p>The founder of Taiji was Zhang Sanfeng (Chang San-feng), who was a monk of the Wu Dang (Wu Tang) Monastery and lived in the period from 1391 to 1459. His exercises stressed suppleness and elasticity as opposed to the hardness and force of other martial art styles. Several centuries old, Taiji was originally developed as a form of self-defense, emphasizing strength, balance, flexibility and speed. Tai Chi also differs from other martial arts in that it is based on the Taoist religion and aims to avoid aggressive forces. </p> <p>The founder of Taiji was Zhang Sanfeng (Chang San-feng), who was a monk of the Wu Dang (Wu Tang) Monastery and lived in the period from 1391 to 1459. His exercises stressed suppleness and elasticity as opposed to the hardness and force of other martial art styles. Several centuries old, Taiji was originally developed as a form of self-defense, emphasizing strength, balance, flexibility and speed. Tai Chi also differs from other martial arts in that it is based on the Taoist religion and aims to avoid aggressive forces. </p>
@@ -50,4 +50,7 @@
<div style="text-align:center;">Click on photo to see HR version</div></div> <div style="text-align:center;">Click on photo to see HR version</div></div>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

5
benchmarks/samples/Lexer/2.html
View File

@@ -14,4 +14,7 @@ function rwt(el,ct,cd,sg){var e = window.encodeURIComponent ? encodeURIComponent
<form action=/search name=f><script><!-- <form action=/search name=f><script><!--
function qs(el) {if (window.RegExp && window.encodeURIComponent) {var ue=el.href;var qe=encodeURIComponent(document.f.q.value);if(ue.indexOf("q=")!=-1){el.href=ue.replace(new RegExp("q=[^&$]*"),"q="+qe);}else{el.href=ue+"&q="+qe;}}return 1;} function qs(el) {if (window.RegExp && window.encodeURIComponent) {var ue=el.href;var qe=encodeURIComponent(document.f.q.value);if(ue.indexOf("q=")!=-1){el.href=ue.replace(new RegExp("q=[^&$]*"),"q="+qe);}else{el.href=ue+"&q="+qe;}}return 1;}
// --> // -->
</script><table border=0 cellspacing=0 cellpadding=4><tr><td nowrap><font size=-1><b>Web</b>&nbsp;&nbsp;&nbsp;&nbsp;<a id=1a class=q href="/imghp?hl=en&tab=wi" onClick="return qs(this);">Images</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=2a class=q href="http://groups.google.com/grphp?hl=en&tab=wg" onClick="return qs(this);">Groups</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=4a class=q href="http://news.google.com/nwshp?hl=en&tab=wn" onClick="return qs(this);">News</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=5a class=q href="http://froogle.google.com/frghp?hl=en&tab=wf" onClick="return qs(this);">Froogle</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=8a class=q href="/lochp?hl=en&tab=wl" onClick="return qs(this);">Local</a>&nbsp;&nbsp;&nbsp;&nbsp;<b><a href="/intl/en/options/" class=q>more&nbsp;&raquo;</a></b></font></td></tr></table><table cellspacing=0 cellpadding=0><tr><td width=25%>&nbsp;</td><td align=center><input type=hidden name=hl value=en><input maxlength=2048 size=55 name=q value="" title="Google Search"><br><input type=submit value="Google Search" name=btnG><input type=submit value="I'm Feeling Lucky" name=btnI></td><td valign=top nowrap width=25%><font size=-2>&nbsp;&nbsp;<a href=/advanced_search?hl=en>Advanced Search</a><br>&nbsp;&nbsp;<a href=/preferences?hl=en>Preferences</a><br>&nbsp;&nbsp;<a href=/language_tools?hl=en>Language Tools</a></font></td></tr></table></form><br><br><font size=-1><a href="/ads/">Advertising&nbsp;Programs</a> - <a href=/services/>Business Solutions</a> - <a href=/about.html>About Google</a></font><p><font size=-2>&copy;2006 Google</font></p></center></body></html> </script><table border=0 cellspacing=0 cellpadding=4><tr><td nowrap><font size=-1><b>Web</b>&nbsp;&nbsp;&nbsp;&nbsp;<a id=1a class=q href="/imghp?hl=en&tab=wi" onClick="return qs(this);">Images</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=2a class=q href="http://groups.google.com/grphp?hl=en&tab=wg" onClick="return qs(this);">Groups</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=4a class=q href="http://news.google.com/nwshp?hl=en&tab=wn" onClick="return qs(this);">News</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=5a class=q href="http://froogle.google.com/frghp?hl=en&tab=wf" onClick="return qs(this);">Froogle</a>&nbsp;&nbsp;&nbsp;&nbsp;<a id=8a class=q href="/lochp?hl=en&tab=wl" onClick="return qs(this);">Local</a>&nbsp;&nbsp;&nbsp;&nbsp;<b><a href="/intl/en/options/" class=q>more&nbsp;&raquo;</a></b></font></td></tr></table><table cellspacing=0 cellpadding=0><tr><td width=25%>&nbsp;</td><td align=center><input type=hidden name=hl value=en><input maxlength=2048 size=55 name=q value="" title="Google Search"><br><input type=submit value="Google Search" name=btnG><input type=submit value="I'm Feeling Lucky" name=btnI></td><td valign=top nowrap width=25%><font size=-2>&nbsp;&nbsp;<a href=/advanced_search?hl=en>Advanced Search</a><br>&nbsp;&nbsp;<a href=/preferences?hl=en>Preferences</a><br>&nbsp;&nbsp;<a href=/language_tools?hl=en>Language Tools</a></font></td></tr></table></form><br><br><font size=-1><a href="/ads/">Advertising&nbsp;Programs</a> - <a href=/services/>Business Solutions</a> - <a href=/about.html>About Google</a></font><p><font size=-2>&copy;2006 Google</font></p></center></body></html>
<!-- vim: et sw=4 sts=4
-->

23
benchmarks/samples/Lexer/3.html
View File

@@ -67,21 +67,21 @@ if (objAdMgr.isSlotAvailable("leaderboard")) {
</table> </table>
<table width="86%" border="0" cellspacing="0" cellpadding="2"> <table width="86%" border="0" cellspacing="0" cellpadding="2">
<tr> <tr>
<td height="388" width="19%" bgcolor="#FFCCFF" valign="top"> <td height="388" width="19%" bgcolor="#FFCCFF" valign="top">
<p>May 1, 2000</p> <p>May 1, 2000</p>
<p><b>Pop Culture</b> </p> <p><b>Pop Culture</b> </p>
<p>by. H. Finkelstein</p> <p>by. H. Finkelstein</p>
</td> </td>
<td height="388" width="52%" valign="top"> <td height="388" width="52%" valign="top">
<p>Welcome to the <b>Anime Digi-Lib</b>, a virtual index to anime on the <p>Welcome to the <b>Anime Digi-Lib</b>, a virtual index to anime on the
internet. This site strives to house a comprehensive index to both personal internet. This site strives to house a comprehensive index to both personal
and commercial websites and provides reviews to these sites. We hope to and commercial websites and provides reviews to these sites. We hope to
be a gateway for people who've never imagined they'd ever be interested be a gateway for people who've never imagined they'd ever be interested
in Japanese Animation. </p> in Japanese Animation. </p>
<table width="99%" border="1" cellspacing="0" cellpadding="2" height="320" name="Searchnservices"> <table width="99%" border="1" cellspacing="0" cellpadding="2" height="320" name="Searchnservices">
<tr> <tr>
<td height="263" valign="top" width="58%"> <td height="263" valign="top" width="58%">
<p>&nbsp; </p> <p>&nbsp; </p>
<p>&nbsp;</p> <p>&nbsp;</p>
@@ -107,15 +107,15 @@ if (objAdMgr.isSlotAvailable("leaderboard")) {
</form> </form>
<td> <td>
<table border="0" cellpadding="0" cellspacing="0" width="100%"> <table border="0" cellpadding="0" cellspacing="0" width="100%">
<tr><td><font face="verdana,geneva" color="#000011" size="1">What is better, subtitled or dubbed anime?</font></td></tr> <tr><td><font face="verdana,geneva" color="#000011" size="1">What is better, subtitled or dubbed anime?</font></td></tr>
<tr><td><input type="radio" name="rd" value="1"><font face="verdana" size="2" color="#000011">Subtitled</font></td></tr> <tr><td><input type="radio" name="rd" value="1"><font face="verdana" size="2" color="#000011">Subtitled</font></td></tr>
<tr><td align="middle"><font face="verdana" size="1"><a href="http://pub.alxnet.com/poll?id=2079873&q=view">Current results</a></font></td></tr> <tr><td align="middle"><font face="verdana" size="1"><a href="http://pub.alxnet.com/poll?id=2079873&q=view">Current results</a></font></td></tr>
</table></td></tr> </table></td></tr>
<tr> <tr>
<td><font face="verdana" size="1"><a href="http://www.alxnet.com/services/poll/">Free <td><font face="verdana" size="1"><a href="http://www.alxnet.com/services/poll/">Free
Web Polls</a></font></td> Web Polls</a></font></td>
</tr> </tr>
</table></form> </table></form>
@@ -126,3 +126,6 @@ if (objAdMgr.isSlotAvailable("leaderboard")) {
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

31
benchmarks/samples/Lexer/4.html
View File

@@ -138,7 +138,7 @@
</table> </table>
<p><script type="text/javascript"> <p><script type="text/javascript">
//<![CDATA[ //<![CDATA[
if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); }
//]]> //]]>
</script></p> </script></p>
<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&amp;action=edit&amp;section=1" title="Edit section: Overview">edit</a>]</div> <div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&amp;action=edit&amp;section=1" title="Edit section: Overview">edit</a>]</div>
@@ -279,19 +279,19 @@ Yang Small Frame | <a href="/wik
| | | |
<a href="/w/index.php?title=Wu_Ta-kuei&amp;action=edit" class="new" title="Wu Ta-kuei">Wu Ta-kuei</a> <a href="/w/index.php?title=Sun_Hsing-i&amp;action=edit" class="new" title="Sun Hsing-i">Sun Hsing-i</a> <a href="/w/index.php?title=Wu_Ta-kuei&amp;action=edit" class="new" title="Wu Ta-kuei">Wu Ta-kuei</a> <a href="/w/index.php?title=Sun_Hsing-i&amp;action=edit" class="new" title="Sun Hsing-i">Sun Hsing-i</a>
1923-1970 1891-1929 1923-1970 1891-1929
<b>MODERN FORMS</b> <b>MODERN FORMS</b>
from Yang Ch`eng-fu from Yang Ch`eng-fu
| |
| |
| |
+--------------+ +--------------+
| | | |
<a href="/wiki/Cheng_Man-ch%27ing" title="Cheng Man-ch'ing">Cheng Man-ch'ing</a> | <a href="/wiki/Cheng_Man-ch%27ing" title="Cheng Man-ch'ing">Cheng Man-ch'ing</a> |
1901-1975 | 1901-1975 |
Short (37) Form | Short (37) Form |
| |
Chinese Sports Commission Chinese Sports Commission
1956 1956
@@ -538,3 +538,6 @@ Retrieved from "<a href="http://en.wikipedia.org/wiki/Tai_Chi_Chuan">http://en.w
<!-- Served by srv25 in 0.089 secs. --> <!-- Served by srv25 in 0.089 secs. -->
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

4
benchmarks/samples/Lexer/DISCLAIMER.txt
View File

@@ -2,4 +2,6 @@ Disclaimer:
The HTML used in these samples are taken from random websites. I claim The HTML used in these samples are taken from random websites. I claim
no copyright over these and assert that I may use them like this under no copyright over these and assert that I may use them like this under
fair use. fair use.
vim: et sw=4 sts=4

19
configdoc/generate.php
View File

@@ -18,22 +18,24 @@ TODO:
if (version_compare(PHP_VERSION, '5.2', '<')) exit('PHP 5.2+ required.'); if (version_compare(PHP_VERSION, '5.2', '<')) exit('PHP 5.2+ required.');
error_reporting(E_ALL | E_STRICT); error_reporting(E_ALL | E_STRICT);
chdir(dirname(__FILE__));
// load dual-libraries // load dual-libraries
require_once '../extras/HTMLPurifierExtras.auto.php'; require_once dirname(__FILE__) . '/../extras/HTMLPurifierExtras.auto.php';
require_once '../library/HTMLPurifier.auto.php'; require_once dirname(__FILE__) . '/../library/HTMLPurifier.auto.php';
// setup HTML Purifier singleton // setup HTML Purifier singleton
HTMLPurifier::getInstance(array( HTMLPurifier::getInstance(array(
'AutoFormat.PurifierLinkify' => true 'AutoFormat.PurifierLinkify' => true
)); ));
$interchange = HTMLPurifier_ConfigSchema_InterchangeBuilder::buildFromDirectory(); $builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder();
$interchange = new HTMLPurifier_ConfigSchema_Interchange();
$builder->buildDir($interchange);
$loader = dirname(__FILE__) . '/../config-schema.php';
if (file_exists($loader)) include $loader;
$interchange->validate(); $interchange->validate();
$style = 'plain'; // use $_GET in the future, careful to validate! $style = 'plain'; // use $_GET in the future, careful to validate!
$configdoc_xml = 'configdoc.xml'; $configdoc_xml = dirname(__FILE__) . '/configdoc.xml';
$xml_builder = new HTMLPurifier_ConfigSchema_Builder_Xml(); $xml_builder = new HTMLPurifier_ConfigSchema_Builder_Xml();
$xml_builder->openURI($configdoc_xml); $xml_builder->openURI($configdoc_xml);
@@ -50,12 +52,13 @@ if (!$output) {
} }
// write out // write out
file_put_contents("$style.html", $output); file_put_contents(dirname(__FILE__) . "/$style.html", $output);
if (php_sapi_name() != 'cli') { if (php_sapi_name() != 'cli') {
// output (instant feedback if it's a browser) // output (instant feedback if it's a browser)
echo $output; echo $output;
} else { } else {
echo 'Files generated successfully.'; echo "Files generated successfully.\n";
} }
// vim: et sw=4 sts=4

2
configdoc/styles/plain.css
View File

@@ -40,3 +40,5 @@ h4 {font-family:sans-serif; font-size:0.9em; font-weight:bold; }
.deprecated {color: #CCC;} .deprecated {color: #CCC;}
.deprecated table.constraints th {background:#FFF;} .deprecated table.constraints th {background:#FFF;}
.deprecated-notice {color: #000; text-align:center; margin-bottom: 1em;} .deprecated-notice {color: #000; text-align:center; margin-bottom: 1em;}
/* vim: et sw=4 sts=4 */

50
configdoc/styles/plain.xsl
View File

@@ -14,13 +14,13 @@
/> />
<xsl:param name="css" select="'styles/plain.css'"/> <xsl:param name="css" select="'styles/plain.css'"/>
<xsl:param name="title" select="'Configuration Documentation'"/> <xsl:param name="title" select="'Configuration Documentation'"/>
<xsl:variable name="typeLookup" select="document('../types.xml')/types" /> <xsl:variable name="typeLookup" select="document('../types.xml')/types" />
<xsl:variable name="usageLookup" select="document('../usage.xml')/usage" /> <xsl:variable name="usageLookup" select="document('../usage.xml')/usage" />
<!-- Twiddle this variable to get the columns as even as possible --> <!-- Twiddle this variable to get the columns as even as possible -->
<xsl:variable name="maxNumberAdjust" select="2" /> <xsl:variable name="maxNumberAdjust" select="2" />
<xsl:template match="/"> <xsl:template match="/">
<html lang="en" xml:lang="en"> <html lang="en" xml:lang="en">
<head> <head>
@@ -40,12 +40,26 @@
</xsl:apply-templates> </xsl:apply-templates>
</ul> </ul>
</div> </div>
<div id="typesContainer">
<h2>Types</h2>
<xsl:apply-templates select="$typeLookup" mode="types" />
</div>
<xsl:apply-templates /> <xsl:apply-templates />
</div> </div>
</body> </body>
</html> </html>
</xsl:template> </xsl:template>
<xsl:template match="type" mode="types">
<div class="type-block">
<xsl:attribute name="id">type-<xsl:value-of select="@id" /></xsl:attribute>
<h3><code><xsl:value-of select="@id" /></code>: <xsl:value-of select="@name" /></h3>
<div class="type-description">
<xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" />
</div>
</div>
</xsl:template>
<xsl:template match="title" mode="toc" /> <xsl:template match="title" mode="toc" />
<xsl:template match="namespace" mode="toc"> <xsl:template match="namespace" mode="toc">
<xsl:param name="overflowNumber" /> <xsl:param name="overflowNumber" />
@@ -83,9 +97,9 @@
</li> </li>
</xsl:if> </xsl:if>
</xsl:template> </xsl:template>
<xsl:template match="title" /> <xsl:template match="title" />
<xsl:template match="namespace"> <xsl:template match="namespace">
<div class="namespace"> <div class="namespace">
<xsl:apply-templates /> <xsl:apply-templates />
@@ -102,7 +116,7 @@
<xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" /> <xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" />
</div> </div>
</xsl:template> </xsl:template>
<xsl:template match="directive"> <xsl:template match="directive">
<div> <div>
<xsl:attribute name="class"><!-- <xsl:attribute name="class"><!--
@@ -122,10 +136,10 @@
<xsl:template match="alias" mode="anchor"> <xsl:template match="alias" mode="anchor">
<a id="{.}"></a> <a id="{.}"></a>
</xsl:template> </xsl:template>
<!-- Do not pass through --> <!-- Do not pass through -->
<xsl:template match="alias"></xsl:template> <xsl:template match="alias"></xsl:template>
<xsl:template match="directive/constraints"> <xsl:template match="directive/constraints">
<xsl:param name="id" /> <xsl:param name="id" />
<table class="constraints"> <table class="constraints">
@@ -179,7 +193,7 @@
</xsl:for-each> </xsl:for-each>
</li> </li>
</xsl:template> </xsl:template>
<xsl:template match="constraints/version"> <xsl:template match="constraints/version">
<tr> <tr>
<th>Version added</th> <th>Version added</th>
@@ -192,10 +206,13 @@
<td> <td>
<xsl:variable name="type" select="text()" /> <xsl:variable name="type" select="text()" />
<xsl:attribute name="class">type type-<xsl:value-of select="$type" /></xsl:attribute> <xsl:attribute name="class">type type-<xsl:value-of select="$type" /></xsl:attribute>
<xsl:value-of select="$typeLookup/type[@id=$type]/text()" /> <a>
<xsl:if test="@allow-null='yes'"> <xsl:attribute name="href">#type-<xsl:value-of select="$type" /></xsl:attribute>
(or null) <xsl:value-of select="$typeLookup/type[@id=$type]/@name" />
</xsl:if> <xsl:if test="@allow-null='yes'">
(or null)
</xsl:if>
</a>
</td> </td>
</tr> </tr>
</xsl:template> </xsl:template>
@@ -229,5 +246,8 @@
<xsl:template match="constraints/external/project"> <xsl:template match="constraints/external/project">
<li><xsl:value-of select="." /></li> <li><xsl:value-of select="." /></li>
</xsl:template> </xsl:template>
</xsl:stylesheet> </xsl:stylesheet>
<!-- vim: et sw=4 sts=4
-->

77
configdoc/types.xml
View File

@@ -1,14 +1,69 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<types> <types>
<type id="string">String</type> <type id="string" name="String"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="istring">Case-insensitive string</type> A <a
<type id="text">Text</type> href="http://docs.php.net/manual/en/language.types.string.php">sequence
<type id="itext">Case-insensitive text</type> of characters</a>.
<type id="int">Integer</type> </div></type>
<type id="float">Float</type> <type id="istring" name="Case-insensitive string"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="bool">Boolean</type> A series of case-insensitive characters. Internally, upper-case
<type id="lookup">Lookup array</type> ASCII characters will be converted to lower-case.
<type id="list">Array list</type> </div></type>
<type id="hash">Associative array</type> <type id="text" name="Text"><div xmlns="http://www.w3.org/1999/xhtml">
<type id="mixed">Mixed</type> A series of characters that may contain newlines. Text tends to
indicate human-oriented text, as opposed to a machine format.
</div></type>
<type id="itext" name="Case-insensitive text"><div xmlns="http://www.w3.org/1999/xhtml">
A series of case-insensitive characters that may contain newlines.
</div></type>
<type id="int" name="Integer"><div xmlns="http://www.w3.org/1999/xhtml">
An <a
href="http://docs.php.net/manual/en/language.types.integer.php">
integer</a>. You are alternatively permitted to pass a string of
digits instead, which will be cast to an integer using
<code>(int)</code>.
</div></type>
<type id="float" name="Float"><div xmlns="http://www.w3.org/1999/xhtml">
A <a href="http://docs.php.net/manual/en/language.types.float.php">
floating point number</a>. You are alternatively permitted to
pass a numeric string (as defined by <code>is_numeric()</code>),
which will be cast to a float using <code>(float)</code>.
</div></type>
<type id="bool" name="Boolean"><div xmlns="http://www.w3.org/1999/xhtml">
A <a
href="http://docs.php.net/manual/en/language.types.boolean.php">boolean</a>.
You are alternatively permitted to pass an integer <code>0</code> or
<code>1</code> (other integers are not permitted) or a string
<code>"on"</code>, <code>"true"</code> or <code>"1"</code> for
<code>true</code>, and <code>"off"</code>, <code>"false"</code> or
<code>"0"</code> for <code>false</code>.
</div></type>
<type id="lookup" name="Lookup array"><div xmlns="http://www.w3.org/1999/xhtml">
An array whose values are <code>true</code>, e.g. <code>array('key'
=> true, 'key2' => true)</code>. You are alternatively permitted
to pass an array list of the keys <code>array('key', 'key2')</code>
or a comma-separated string of keys <code>"key, key2"</code>. If
you pass an array list of values, ensure that your values are
strictly numerically indexed: <code>array('key1', 2 =>
'key2')</code> will not do what you expect and emits a warning.
</div></type>
<type id="list" name="Array list"><div xmlns="http://www.w3.org/1999/xhtml">
An array which has consecutive integer indexes, e.g.
<code>array('val1', 'val2')</code>. You are alternatively permitted
to pass a comma-separated string of keys <code>"val1, val2"</code>.
If your array is not in this form, <code>array_values</code> is run
on the array and a warning is emitted.
</div></type>
<type id="hash" name="Associative array"><div xmlns="http://www.w3.org/1999/xhtml">
An array which is a mapping of keys to values, e.g.
<code>array('key1' => 'val1', 'key2' => 'val2')</code>. You are
alternatively permitted to pass a comma-separated string of
key-colon-value strings, e.g. <code>"key1: val1, key2: val2"</code>.
</div></type>
<type id="mixed" name="Mixed"><div xmlns="http://www.w3.org/1999/xhtml">
An arbitrary PHP value of any type.
</div></type>
</types> </types>
<!-- vim: et sw=4 sts=4
-->

104
configdoc/usage.xml
View File

@@ -6,6 +6,7 @@
</file> </file>
<file name="HTMLPurifier/Lexer.php"> <file name="HTMLPurifier/Lexer.php">
<line>81</line> <line>81</line>
<line>284</line>
</file> </file>
<file name="HTMLPurifier/Lexer/DirectLex.php"> <file name="HTMLPurifier/Lexer/DirectLex.php">
<line>53</line> <line>53</line>
@@ -38,7 +39,12 @@
</directive> </directive>
<directive id="CSS.AllowedProperties"> <directive id="CSS.AllowedProperties">
<file name="HTMLPurifier/CSSDefinition.php"> <file name="HTMLPurifier/CSSDefinition.php">
<line>274</line> <line>275</line>
</file>
</directive>
<directive id="CSS.ForbiddenProperties">
<file name="HTMLPurifier/CSSDefinition.php">
<line>289</line>
</file> </file>
</directive> </directive>
<directive id="Cache.DefinitionImpl"> <directive id="Cache.DefinitionImpl">
@@ -85,22 +91,35 @@
</directive> </directive>
<directive id="Output.CommentScriptContents"> <directive id="Output.CommentScriptContents">
<file name="HTMLPurifier/Generator.php"> <file name="HTMLPurifier/Generator.php">
<line>45</line> <line>56</line>
</file> </file>
</directive> </directive>
<directive id="Output.SortAttr"> <directive id="Output.SortAttr">
<file name="HTMLPurifier/Generator.php"> <file name="HTMLPurifier/Generator.php">
<line>46</line> <line>57</line>
</file>
</directive>
<directive id="Output.FlashCompat">
<file name="HTMLPurifier/Generator.php">
<line>58</line>
</file> </file>
</directive> </directive>
<directive id="Output.TidyFormat"> <directive id="Output.TidyFormat">
<file name="HTMLPurifier/Generator.php"> <file name="HTMLPurifier/Generator.php">
<line>75</line> <line>87</line>
</file>
</directive>
<directive id="Core.NormalizeNewlines">
<file name="HTMLPurifier/Generator.php">
<line>101</line>
</file>
<file name="HTMLPurifier/Lexer.php">
<line>266</line>
</file> </file>
</directive> </directive>
<directive id="Output.Newline"> <directive id="Output.Newline">
<file name="HTMLPurifier/Generator.php"> <file name="HTMLPurifier/Generator.php">
<line>89</line> <line>102</line>
</file> </file>
</directive> </directive>
<directive id="HTML.BlockWrapper"> <directive id="HTML.BlockWrapper">
@@ -130,12 +149,12 @@
</directive> </directive>
<directive id="HTML.ForbiddenElements"> <directive id="HTML.ForbiddenElements">
<file name="HTMLPurifier/HTMLDefinition.php"> <file name="HTMLPurifier/HTMLDefinition.php">
<line>337</line> <line>342</line>
</file> </file>
</directive> </directive>
<directive id="HTML.ForbiddenAttributes"> <directive id="HTML.ForbiddenAttributes">
<file name="HTMLPurifier/HTMLDefinition.php"> <file name="HTMLPurifier/HTMLDefinition.php">
<line>338</line> <line>343</line>
</file> </file>
</directive> </directive>
<directive id="HTML.Trusted"> <directive id="HTML.Trusted">
@@ -143,7 +162,7 @@
<line>202</line> <line>202</line>
</file> </file>
<file name="HTMLPurifier/Lexer.php"> <file name="HTMLPurifier/Lexer.php">
<line>258</line> <line>271</line>
</file> </file>
<file name="HTMLPurifier/HTMLModule/Image.php"> <file name="HTMLPurifier/HTMLModule/Image.php">
<line>27</line> <line>27</line>
@@ -205,7 +224,20 @@
</directive> </directive>
<directive id="Core.ConvertDocumentToFragment"> <directive id="Core.ConvertDocumentToFragment">
<file name="HTMLPurifier/Lexer.php"> <file name="HTMLPurifier/Lexer.php">
<line>267</line> <line>282</line>
</file>
</directive>
<directive id="Core.RemoveProcessingInstructions">
<file name="HTMLPurifier/Lexer.php">
<line>303</line>
</file>
</directive>
<directive id="URI.">
<file name="HTMLPurifier/URIDefinition.php">
<line>55</line>
</file>
<file name="HTMLPurifier/URIFilter/Munge.php">
<line>12</line>
</file> </file>
</directive> </directive>
<directive id="URI.Host"> <directive id="URI.Host">
@@ -225,12 +257,12 @@
</directive> </directive>
<directive id="URI.AllowedSchemes"> <directive id="URI.AllowedSchemes">
<file name="HTMLPurifier/URISchemeRegistry.php"> <file name="HTMLPurifier/URISchemeRegistry.php">
<line>42</line> <line>41</line>
</file> </file>
</directive> </directive>
<directive id="URI.OverrideAllowedSchemes"> <directive id="URI.OverrideAllowedSchemes">
<file name="HTMLPurifier/URISchemeRegistry.php"> <file name="HTMLPurifier/URISchemeRegistry.php">
<line>43</line> <line>42</line>
</file> </file>
</directive> </directive>
<directive id="URI.Disable"> <directive id="URI.Disable">
@@ -246,6 +278,16 @@
<line>12</line> <line>12</line>
</file> </file>
</directive> </directive>
<directive id="Attr.AllowedClasses">
<file name="HTMLPurifier/AttrDef/HTML/Class.php">
<line>18</line>
</file>
</directive>
<directive id="Attr.ForbiddenClasses">
<file name="HTMLPurifier/AttrDef/HTML/Class.php">
<line>19</line>
</file>
</directive>
<directive id="Attr.AllowedFrameTargets"> <directive id="Attr.AllowedFrameTargets">
<file name="HTMLPurifier/AttrDef/HTML/FrameTarget.php"> <file name="HTMLPurifier/AttrDef/HTML/FrameTarget.php">
<line>15</line> <line>15</line>
@@ -272,6 +314,11 @@
<line>54</line> <line>54</line>
</file> </file>
</directive> </directive>
<directive id="Attr.">
<file name="HTMLPurifier/AttrDef/HTML/LinkTypes.php">
<line>30</line>
</file>
</directive>
<directive id="Attr.DefaultTextDir"> <directive id="Attr.DefaultTextDir">
<file name="HTMLPurifier/AttrTransform/BdoDir.php"> <file name="HTMLPurifier/AttrTransform/BdoDir.php">
<line>13</line> <line>13</line>
@@ -297,12 +344,25 @@
</directive> </directive>
<directive id="Attr.DefaultInvalidImageAlt"> <directive id="Attr.DefaultInvalidImageAlt">
<file name="HTMLPurifier/AttrTransform/ImgRequired.php"> <file name="HTMLPurifier/AttrTransform/ImgRequired.php">
<line>32</line> <line>33</line>
</file>
</directive>
<directive id="HTML.Attr.Name.UseCDATA">
<file name="HTMLPurifier/AttrTransform/Name.php">
<line>11</line>
</file>
<file name="HTMLPurifier/HTMLModule/Name.php">
<line>13</line>
</file>
</directive>
<directive id="HTML.FlashAllowFullScreen">
<file name="HTMLPurifier/AttrTransform/SafeParam.php">
<line>37</line>
</file> </file>
</directive> </directive>
<directive id="Core.EscapeInvalidChildren"> <directive id="Core.EscapeInvalidChildren">
<file name="HTMLPurifier/ChildDef/Required.php"> <file name="HTMLPurifier/ChildDef/Required.php">
<line>55</line> <line>62</line>
</file> </file>
</directive> </directive>
<directive id="Cache.SerializerPath"> <directive id="Cache.SerializerPath">
@@ -310,17 +370,17 @@
<line>91</line> <line>91</line>
</file> </file>
</directive> </directive>
<directive id="FilterParam.ExtractStyleBlocksTidyImpl"> <directive id="Filter.ExtractStyleBlocks.TidyImpl">
<file name="HTMLPurifier/Filter/ExtractStyleBlocks.php"> <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php">
<line>41</line> <line>41</line>
</file> </file>
</directive> </directive>
<directive id="FilterParam.ExtractStyleBlocksScope"> <directive id="Filter.ExtractStyleBlocks.Scope">
<file name="HTMLPurifier/Filter/ExtractStyleBlocks.php"> <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php">
<line>65</line> <line>65</line>
</file> </file>
</directive> </directive>
<directive id="FilterParam.ExtractStyleBlocksEscaping"> <directive id="Filter.ExtractStyleBlocks.Escaping">
<file name="HTMLPurifier/Filter/ExtractStyleBlocks.php"> <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php">
<line>123</line> <line>123</line>
</file> </file>
@@ -351,11 +411,21 @@
<line>50</line> <line>50</line>
</file> </file>
</directive> </directive>
<directive id="AutoFormatParam.PurifierLinkifyDocURL"> <directive id="AutoFormat.PurifierLinkify.DocURL">
<file name="HTMLPurifier/Injector/PurifierLinkify.php"> <file name="HTMLPurifier/Injector/PurifierLinkify.php">
<line>15</line> <line>15</line>
</file> </file>
</directive> </directive>
<directive id="AutoFormat.RemoveEmpty.RemoveNbsp">
<file name="HTMLPurifier/Injector/RemoveEmpty.php">
<line>12</line>
</file>
</directive>
<directive id="AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions">
<file name="HTMLPurifier/Injector/RemoveEmpty.php">
<line>13</line>
</file>
</directive>
<directive id="Core.AggressivelyFixLt"> <directive id="Core.AggressivelyFixLt">
<file name="HTMLPurifier/Lexer/DOMLex.php"> <file name="HTMLPurifier/Lexer/DOMLex.php">
<line>44</line> <line>44</line>

198
docs/dev-advanced-api.html
View File

@@ -17,200 +17,10 @@
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> <div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p> <p>
<strong>Warning:</strong> This document may be out-of-date. When in doubt, Please see <a href="enduser-customize.html">Customize!</a>
consult the source code documentation.
</p> </p>
<p>HTML Purifier currently natively supports only a subset of HTML's
allowed elements, attributes, and behavior; specifically, this subset
is the set of elements that are safe for untrusted users to use.
However, HTML Purifier is often utilized to ensure standards-compliance
from input that is trusted (making it a sort of Tidy substitute),
and often users need to define new elements or attributes. The
advanced API is oriented specifically for these use-cases.</p>
<p>Our goals are to let the user:</p>
<dl>
<dt>Select</dt>
<dd><ul>
<li>Doctype</li>
<!-- <li>Filterset</li> -->
<li>Elements / Attributes / Modules</li>
<li>Tidy</li>
</ul></dd>
<dt>Customize</dt>
<dd><ul>
<li>Attributes</li>
<li>Elements</li>
<!--<li>Doctypes</li>-->
</ul></dd>
</dl>
<h2>Select</h2>
<p>For basic use, the user will have to specify some basic parameters. This
is not strictly necessary, as HTML Purifier's default setting will always
output safe code, but is required for standards-compliant output.</p>
<h3>Selecting a Doctype</h3>
<p>The first thing to select is the <strong>doctype</strong>. This
is essential for standards-compliant output.</p>
<p class="technical">This identifier is based
on the name the W3C has given to the document type and <em>not</em>
the DTD identifier.</p>
<p>This parameter is set via the configuration object:</p>
<pre>$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional');</pre>
<p>Due to historical reasons, the default doctype is XHTML 1.0
Transitional, however, we really shouldn't be guessing what the user's
doctype is. Fortunantely, people who can't be bothered to set this won't
be bothered when their pages stop validating.</p>
<h3>Selecting Elements / Attributes / Modules</h3>
<p>HTML Purifier will, by default, allow as many elements and attributes
as possible. However, a user may decide to roll their own filterset by
selecting modules, elements and attributes to allow for their own
specific use-case. This can be done using %HTML.Allowed:</p>
<pre>$config->set('HTML', 'Allowed', 'a[href|title],em,p,blockquote');</pre>
<p class="technical">The directive %HTML.Allowed is a convenience feature
that may be fully expressed with the legacy interface.</p>
<p>We currently support another interface from older versions:</p>
<pre>$config->set('HTML', 'AllowedElements', 'a,em,p,blockquote');
$config->set('HTML', 'AllowedAttributes', 'a.href,a.title');</pre>
<p>A user may also choose to allow modules using a specialized
directive:</p>
<pre>$config->set('HTML', 'AllowedModules', 'Hypertext,Text,Lists');</pre>
<p>But it is not expected that this feature will be widely used.</p>
<p class="technical">Module selection will work slightly differently
from the other AllowedElements and AllowedAttributes directives by
directly modifying the doctype you are operating in, in the spirit of
XHTML 1.1's modularization. We stop users from shooting themselves in the
foot by mandating the modules in %HTML.CoreModules be used.</p>
<p class="technical">Modules are distinguished from regular elements by the
case of their first letter. While XML distinguishes between and allows
lower and uppercase letters in element names, XHTML uses only lower-case
element names for sake of consistency.</p>
<h3>Selecting Tidy</h3>
<p>The name of this segment of functionality is inspired off of Dave
Ragget's program HTML Tidy, which purported to help clean up HTML. In
HTML Purifier, Tidy functionality involves turning unsupported and
deprecated elements into standards-compliant ones, maintaining
backwards compatibility, and enforcing best practices.</p>
<p>This is a complicated feature, and is explained more in depth at
<a href="enduser-tidy.html">the Tidy documentation page</a>.</p>
<!--
<h3>Unified selector</h3>
<p>Because selecting each and every one of these configuration options
is a chore, we may wish to offer a specialized configuration method
for selecting a filterset. Possibility:</p>
<pre>function selectFilter($doctype, $filterset, $tidy)</pre>
<p>...which is simply a light wrapper over the individual configuration
calls. A custom config file format or text format could also be adopted.</p>
-->
<h2>Customize</h2>
<p>By reviewing topic posts in the support forum, we determined that
there were two primarily demanded customization features people wanted:
to add an attribute to an existing element, and to add an element.
Thus, we'll want to create convenience functions for these common
use-cases.</p>
<p>Note that the functions described here are only available if
a raw copy of <code>HTMLPurifier_HTMLDefinition</code> was retrieved.
Furthermore, caching may prevent your changes from immediately
being seen: consult <a href="enduser-customize.html">enduser-customize.html</a> on how
to work around this.</p>
<h3>Attributes</h3>
<p>An attribute is bound to an element by a name and has a specific
<code>AttrDef</code> that validates it. The interface is therefore:</p>
<pre>function addAttribute($element, $attribute, $attribute_def);</pre>
<p>Example of the functionality in action:</p>
<pre>$def->addAttribute('a', 'rel', 'Enum#nofollow');</pre>
<p>The <code>$attribute_def</code> value is flexible,
to make things simpler. It can be a literal object or:</p>
<ul>
<!--<li>Class name: We'll instantiate it for you</li>
<li>Function name: We'll create an <code>HTMLPurifier_AttrDef_Anonymous</code>
class with that function registered as a callback.</li>-->
<li>String attribute type: We'll use <code>HTMLPurifier_AttrTypes</code>
to resolve it for you. Any data that follows a hash mark (#) will
be used to customize the attribute type: in the example above,
we specify which values for Enum to allow.</li>
</ul>
<h3>Elements</h3>
<p>An element requires certain information as specified by
<code>HTMLPurifier_ElementDef</code>. However, not all of it is necessary,
the usual things required are:</p>
<ul>
<li>Attributes</li>
<li>Content model/type</li>
<li>Registration in a content set</li>
</ul>
<p>This suggests an API like this:</p>
<pre>function addElement($element, $type, $contents,
$attr_collections = array(); $attributes = array());</pre>
<p>Each parameter explained in depth:</p>
<dl>
<dt><code>$element</code></dt>
<dd>Element name, ex. 'label'</dd>
<dt><code>$type</code></dt>
<dd>Content set to register in, ex. 'Inline' or 'Flow'</dd>
<dt><code>$contents</code></dt>
<dd>Description of allowed children. This is a merged form of
<code>HTMLPurifier_ElementDef</code>'s member variables
<code>$content_model</code> and <code>$content_model_type</code>,
where the form is <q>Type: Model</q>, ex. 'Optional: Inline'.
There are also a number of predefined templates one may use.</dd>
<dt><code>$attr_collections</code></dt>
<dd>Array (or string if only one) of attribute collection(s) to
merge into the attributes array.</dd>
<dt><code>$attributes</code></dt>
<dd>Array of attribute names to attribute definitions, much like
the above-described attribute customization.</dd>
</dl>
<p>A possible usage:</p>
<pre>$def->addElement('font', 'Inline', 'Optional: Inline', 'Common',
array('color' => 'Color'));</pre>
<p>See <code>HTMLPurifier/HTMLModule.php</code> for details.</p>
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

2
docs/dev-code-quality.txt
View File

@@ -25,3 +25,5 @@ URIScheme - needs to have callable generic checks
mailto - doesn't validate emails, doesn't validate querystring mailto - doesn't validate emails, doesn't validate querystring
news - doesn't validate opaque path news - doesn't validate opaque path
nntp - doesn't constrain path nntp - doesn't constrain path
vim: et sw=4 sts=4

79
docs/dev-config-bcbreaks.txt Normal file
View File

@@ -0,0 +1,79 @@
Configuration Backwards-Compatibility Breaks
In version 4.0.0, the configuration subsystem (composed of the outwards
facing Config class, as well as the ConfigSchema and ConfigSchema_Interchange
subsystems), was significantly revamped to make use of property lists.
While most of the changes are internal, some internal APIs were changed for the
sake of clarity. HTMLPurifier_Config was kept completely backwards compatible,
although some of the functions were retrofitted with an unambiguous alternate
syntax. Both of these changes are discussed in this document.
1. Outwards Facing Changes
--------------------------------------------------------------------------------
The HTMLPurifier_Config class now takes an alternate syntax. The general rule
is:
If you passed $namespace, $directive, pass "$namespace.$directive"
instead.
An example:
$config->set('HTML', 'Allowed', 'p');
becomes:
$config->set('HTML.Allowed', 'p');
New configuration options may have more than one namespace, they might
look something like %Filter.YouTube.Blacklist. While you could technically
set it with ('HTML', 'YouTube.Blacklist'), the logical extension
('HTML', 'YouTube', 'Blacklist') does not work.
The old API will still work, but will emit E_USER_NOTICEs.
2. Internal API Changes
--------------------------------------------------------------------------------
Some overarching notes: we've completely eliminated the notion of namespace;
it's now an informal construct for organizing related configuration directives.
Also, the validation routines for keys (formerly "$namespace.$directive")
have been completely relaxed. I don't think it really should be necessary.
2.1 HTMLPurifier_ConfigSchema
First off, if you're interfacing with this class, you really shouldn't.
HTMLPurifier_ConfigSchema_Builder_ConfigSchema is really the only class that
should ever be creating HTMLPurifier_ConfigSchema, and HTMLPurifier_Config the
only class that should be reading it.
All namespace related methods were removed; they are completely unnecessary
now. Any $namespace, $name arguments must be replaced with $key (where
$key == "$namespace.$name"), including for addAlias().
The $info and $defaults member variables are no longer indexed as
[$namespace][$name]; they are now indexed as ["$namespace.$name"].
All deprecated methods were finally removed, after having yelled at you as
an E_USER_NOTICE for a while now.
2.2 HTMLPurifier_ConfigSchema_Interchange
Member variable $namespaces was removed.
2.3 HTMLPurifier_ConfigSchema_Interchange_Id
Member variable $namespace and $directive removed; member variable $key added.
Any method that took $namespace, $directive now takes $key.
2.4 HTMLPurifier_ConfigSchema_Interchange_Namespace
Removed.
vim: et sw=4 sts=4

164
docs/dev-config-naming.txt Normal file
View File

@@ -0,0 +1,164 @@
Configuration naming
HTML Purifier 4.0.0 features a new configuration naming system that
allows arbitrary nesting of namespaces. While there are certain cases
in which using two namespaces is obviously better (the canonical example
is where we were using AutoFormatParam to contain directives for AutoFormat
parameters), it is unclear whether or not a general migration to highly
namespaced directives is a good idea or not.
== Case studies ==
=== Attr.* ===
We have a dead duck HTML.Attr.Name.UseCDATA which migrated before we decided
to think this out thoroughly.
We currently have a large number of directives in the Attr.* namespace.
These directives tweak the behavior of some HTML attributes. They have
the properties:
* While they apply to only one attribute at a time, the attribute can
span over multiple elements (not necessarily all attributes, either).
The information of which elements it impacts is either omitted or
informally stated (EnableID applies to all elements, DefaultImageAlt
applies to <img> tags, AllowedRev doesn't say but only applies to a tags).
* There is a certain degree of clustering that could be applied, especially
to the ID directives. The clustering could be done with respect to
what element/attribute was used, i.e.
*.id -> EnableID, IDBlacklistRegexp, IDBlacklist, IDPrefixLocal, IDPrefix
img.src -> DefaultInvalidImage
img.alt -> DefaultImageAlt, DefaultInvalidImageAlt
bdo.dir -> DefaultTextDir
a.rel -> AllowedRel
a.rev -> AllowedRev
a.target -> AllowedFrameTargets
a.name -> Name.UseCDATA
* The directives often reference generic attribute types that were specified
in the DTD/specification. However, some of the behavior specifically relies
on the fact that other use cases of the attribute are not, at current,
supported by HTML Purifier.
AllowedRel, AllowedRev -> heavily <a> specific; if <link> ends up being
allowed, we will also have to give users specificity there (we also
want to preserve generality) DTD %Linktypes, HTML5 distinguishes
between <link> and <a>/<area>
AllowedFrameTargets -> heavily <a> specific, but also used by <area>
and <form>. Transitional DTD %FrameTarget, not present in strict,
HTML5 calls them "browsing contexts"
Default*Image* -> as a default parameter, is almost entirely exlcusive
to <img>
EnableID -> global attribute
Name.UseCDATA -> heavily <a> specific, but has heavy other usage by
many things
== AutoFormat.* ==
These have the fairly normal pluggable architecture that lends itself to
large amounts of namespaces (pluggability may be the key to figuring
out when gratuitous namespacing is good.) Properties:
* Boolean directives are fair game for being namespaced: for example,
RemoveEmpty.RemoveNbsp triggers RemoveEmpty.RemoveNbsp.Exceptions,
the latter of which only makes sense when RemoveEmpty.RemoveNbsp
is set to true. (The same applies to RemoveNbsp too)
The AutoFormat string is a bit long, but is the only bit of repeated
context.
== Core.* ==
Core is the potpourri of directives, mostly regarding some minor behavioral
tweaks for HTML handling abilities.
AggressivelyFixLt
ConvertDocumentToFragment
DirectLexLineNumberSyncInterval
LexerImpl
MaintainLineNumbers
Lexer
CollectErrors
Language
Error handling (Language is ostensibly a little more general, but
it's only used for error handling right now)
ColorKeywords
CSS and HTML
Encoding
EscapeNonASCIICharacters
Character encoding
EscapeInvalidChildren
EscapeInvalidTags
HiddenElements
RemoveInvalidImg
Lexing/Output
RemoveScriptContents
Deprecated
== HTML.* ==
AllowedAttributes
AllowedElements
AllowedModules
Allowed
ForbiddenAttributes
ForbiddenElements
Element set tuning
BlockWrapper
Child def advanced twiddle
CoreModules
CustomDoctype
Advanced HTMLModuleManager twiddles
DefinitionID
DefinitionRev
Caching
Doctype
Parent
Strict
XHTML
Global environment
MaxImgLength
Attribute twiddle? (applies to two attributes)
Proprietary
SafeEmbed
SafeObject
Trusted
Extra functionality/tagsets
TidyAdd
TidyLevel
TidyRemove
Tidy
== Output.* ==
These directly affect the output of Generator. These are all advanced
twiddles.
== URI.* ==
AllowedSchemes
OverrideAllowedSchemes
Scheme tuning
Base
DefaultScheme
Host
Global environment
DefinitionID
DefinitionRev
Caching
DisableExternalResources
DisableExternal
DisableResources
Disable
Contextual/authority tuning
HostBlacklist
Authority tuning
MakeAbsolute
MungeResources
MungeSecretKey
Munge
Transformation behavior (munge can be grouped)

112
docs/dev-config-schema.html
View File

@@ -9,29 +9,29 @@
<title>Config Schema - HTML Purifier</title> <title>Config Schema - HTML Purifier</title>
</head> </head>
<body> <body>
<h1>Config Schema</h1> <h1>Config Schema</h1>
<div id="filing">Filed under Development</div> <div id="filing">Filed under Development</div>
<div id="index">Return to the <a href="index.html">index</a>.</div> <div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> <div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p> <p>
HTML Purifier has a fairly complex system for configuration. Users HTML Purifier has a fairly complex system for configuration. Users
interact with a <code>HTMLPurifier_Config</code> object to interact with a <code>HTMLPurifier_Config</code> object to
set configuration directives. The values they set are validated according set configuration directives. The values they set are validated according
to a configuration schema, <code>HTMLPurifier_ConfigSchema</code>. to a configuration schema, <code>HTMLPurifier_ConfigSchema</code>.
</p> </p>
<p> <p>
The schema is mostly transparent to end-users, but if you're doing development The schema is mostly transparent to end-users, but if you're doing development
work for HTML Purifier and need to define a new configuration directive, work for HTML Purifier and need to define a new configuration directive,
you'll need to interact with it. We'll also talk about how to define you'll need to interact with it. We'll also talk about how to define
userspace configuration directives at the very end. userspace configuration directives at the very end.
</p> </p>
<h2>Write a directive file</h2> <h2>Write a directive file</h2>
<p> <p>
Directive files define configuration directives to be used by Directive files define configuration directives to be used by
HTML Purifier. They are placed in <code>library/HTMLPurifier/ConfigSchema/schema/</code> HTML Purifier. They are placed in <code>library/HTMLPurifier/ConfigSchema/schema/</code>
@@ -42,7 +42,7 @@
<a href="http://qa.php.net/write-test.php">PHPT</a> tests. Here's a <a href="http://qa.php.net/write-test.php">PHPT</a> tests. Here's a
sample directive file, <code>Test.Sample.txt</code>: sample directive file, <code>Test.Sample.txt</code>:
</p> </p>
<pre>Test.Sample <pre>Test.Sample
TYPE: string/null TYPE: string/null
DEFAULT: NULL DEFAULT: NULL
@@ -54,11 +54,11 @@ This is a sample configuration directive for the purposes of the
&lt;code&gt;dev-config-schema.html&lt;code&gt; documentation. &lt;code&gt;dev-config-schema.html&lt;code&gt; documentation.
--ALIASES-- --ALIASES--
Test.Example</pre> Test.Example</pre>
<p> <p>
Each of these segments has a specific meaning: Each of these segments has a specific meaning:
</p> </p>
<table class="table"> <table class="table">
<thead> <thead>
<tr> <tr>
@@ -114,7 +114,7 @@ Test.Example</pre>
</tr> </tr>
<tr> <tr>
<td>VALUE-ALIASES</td> <td>VALUE-ALIASES</td>
<td>'baz' => 'bar'</td> <td>'baz' =&gt; 'bar'</td>
<td><em>Optional</em>. Mapping of one value to another, and <td><em>Optional</em>. Mapping of one value to another, and
should be a comma separated list of keypair duples. This should be a comma separated list of keypair duples. This
is only allowed string, istring, text and itext TYPEs.</td> is only allowed string, istring, text and itext TYPEs.</td>
@@ -143,11 +143,11 @@ Test.Example</pre>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <p>
Some notes on format and style: Some notes on format and style:
</p> </p>
<ul> <ul>
<li> <li>
Each of these keys can be expressed in the short format Each of these keys can be expressed in the short format
@@ -162,11 +162,11 @@ Test.Example</pre>
not rely on editor word-wrapping. not rely on editor word-wrapping.
</li> </li>
</ul> </ul>
<p> <p>
Also, as promised, here is the set of possible types: Also, as promised, here is the set of possible types:
</p> </p>
<table class="table"> <table class="table">
<thead> <thead>
<tr> <tr>
@@ -213,7 +213,7 @@ Test.Example</pre>
</tr> </tr>
<tr> <tr>
<td>lookup</td> <td>lookup</td>
<td>array('key' => true)</td> <td>array('key' =&gt; true)</td>
<td>Lookup array, used with <code>isset($var[$key])</code></td> <td>Lookup array, used with <code>isset($var[$key])</code></td>
</tr> </tr>
<tr> <tr>
@@ -223,7 +223,7 @@ Test.Example</pre>
</tr> </tr>
<tr> <tr>
<td>hash</td> <td>hash</td>
<td>array('key' => 'val')</td> <td>array('key' =&gt; 'val')</td>
<td>Associative array of keys to values</td> <td>Associative array of keys to values</td>
</tr> </tr>
<tr> <tr>
@@ -233,7 +233,7 @@ Test.Example</pre>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p> <p>
The examples represent what will be returned out of the configuration The examples represent what will be returned out of the configuration
object; users have a little bit of leeway when setting configuration object; users have a little bit of leeway when setting configuration
@@ -242,7 +242,7 @@ Test.Example</pre>
in <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/VarParser.php"> in <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/VarParser.php">
library/HTMLPurifier/VarParser.php</a>. library/HTMLPurifier/VarParser.php</a>.
</p> </p>
<p> <p>
For more information on what values are allowed, and how they are parsed, For more information on what values are allowed, and how they are parsed,
consult <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php"> consult <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php">
@@ -251,9 +251,9 @@ Test.Example</pre>
library/HTMLPurifier/ConfigSchema/Interchange/Directive.php</a> for library/HTMLPurifier/ConfigSchema/Interchange/Directive.php</a> for
the semantics of the parsed values. the semantics of the parsed values.
</p> </p>
<h2>Refreshing the cache</h2> <h2>Refreshing the cache</h2>
<p> <p>
You may have noticed that your directive file isn't doing anything You may have noticed that your directive file isn't doing anything
yet. That's because it hasn't been added to the runtime yet. That's because it hasn't been added to the runtime
@@ -262,14 +262,49 @@ Test.Example</pre>
If there were no errors, you're good to go! Don't forget to add If there were no errors, you're good to go! Don't forget to add
some unit tests for your functionality! some unit tests for your functionality!
</p> </p>
<p> <p>
If you ever make changes to your configuration directives, you If you ever make changes to your configuration directives, you
will need to run this script again. will need to run this script again.
</p> </p>
<h2>Adding in-house schema definitions</h2>
<p>
Placing stuff directly in HTML Purifier's source tree is generally not a
good idea, so HTML Purifier 4.0.0+ has some facilities in place to make your
life easier.
</p>
<p>
The first is to pass an extra parameter to <code>maintenance/generate-schema-cache.php</code>
with the location of your directory (relative or absolute path will do). For example,
if I'm storing my custom definitions in <em>/var/htmlpurifier/myschema</em>, run:
<code>php maintenance/generate-schema-cache.php /var/htmlpurifier/myschema</code>.
</p>
<p>
Alternatively, you can create a small loader PHP file in the HTML Purifier base
directory named <code>config-schema.php</code> (this is the same directory
you would place a <code>test-settings.php</code> file). In this file, add
the following line for each directory you want to load:
</p>
<pre>$builder-&gt;buildDir($interchange, '/var/htmlpurifier/myschema');</pre>
<p>You can even load a single file using:</p>
<pre>$builder-&gt;buildFile($interchange, '/var/htmlpurifier/myschema/MyApp.Directive.txt');</pre>
<p>Storing custom definitions that you don't plan on sending back upstream in
a separate directory is <em>definitely</em> a good idea! Additionally, picking
a good namespace can go a long way to saving you grief if you want to use
someone else's change, but they picked the same name, or if HTML Purifier
decides to add support for a configuration directive that has the same name.</p>
<!-- TODO: how to name directives that rely on naming conventions -->
<h2>Errors</h2> <h2>Errors</h2>
<p> <p>
All directive files go through a rigorous validation process All directive files go through a rigorous validation process
through <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/Validator.php"> through <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/Validator.php">
@@ -279,16 +314,16 @@ Test.Example</pre>
can give some general tips for interpreting error messages. can give some general tips for interpreting error messages.
There are two types of errors: builder errors and validation errors. There are two types of errors: builder errors and validation errors.
</p> </p>
<h3>Builder errors</h3> <h3>Builder errors</h3>
<blockquote> <blockquote>
<p> <p>
<strong>Exception:</strong> Expected type string, got <strong>Exception:</strong> Expected type string, got
integer in DEFAULT in directive hash 'Ns.Dir' integer in DEFAULT in directive hash 'Ns.Dir'
</p> </p>
</blockquote> </blockquote>
<p> <p>
You can identify a builder error by the keyword "directive hash." You can identify a builder error by the keyword "directive hash."
These are the easiest to deal with, because they directly correspond These are the easiest to deal with, because they directly correspond
@@ -298,28 +333,28 @@ Test.Example</pre>
This particular error would occur if your default value is not the same This particular error would occur if your default value is not the same
type as TYPE. type as TYPE.
</p> </p>
<h3>Validation errors</h3> <h3>Validation errors</h3>
<blockquote> <blockquote>
<p> <p>
<strong>Exception:</strong> Alias 3 in valueAliases in directive <strong>Exception:</strong> Alias 3 in valueAliases in directive
'Ns.Dir' must be a string 'Ns.Dir' must be a string
</p> </p>
</blockquote> </blockquote>
<p> <p>
These are a little trickier, because we're not actually validating These are a little trickier, because we're not actually validating
your directive file, or even the direct string hash representation. your directive file, or even the direct string hash representation.
We're validating an Interchange object, and the error messages do We're validating an Interchange object, and the error messages do
not mention any string hash keys. not mention any string hash keys.
</p> </p>
<p> <p>
Nevertheless, it's not difficult to figure out what went wrong. Nevertheless, it's not difficult to figure out what went wrong.
Read the "context" statements in reverse: Read the "context" statements in reverse:
</p> </p>
<dl> <dl>
<dt>in directive 'Ns.Dir'</dt> <dt>in directive 'Ns.Dir'</dt>
<dd>This means we need to look at the directive file <code>Ns.Dir.txt</code></dd> <dd>This means we need to look at the directive file <code>Ns.Dir.txt</code></dd>
@@ -329,12 +364,12 @@ Test.Example</pre>
<dt>Alias 3</dt> <dt>Alias 3</dt>
<dd>The value alias that is equal to 3 is the culprit.</dd> <dd>The value alias that is equal to 3 is the culprit.</dd>
</dl> </dl>
<p> <p>
In this particular case, you're not allowed to alias integers values to In this particular case, you're not allowed to alias integers values to
strings values. strings values.
</p> </p>
<p> <p>
The most difficult part is translating the Interchange member variable (valueAliases) The most difficult part is translating the Interchange member variable (valueAliases)
into a directive file key (VALUE-ALIASES), but there's a one-to-one into a directive file key (VALUE-ALIASES), but there's a one-to-one
@@ -342,9 +377,9 @@ Test.Example</pre>
will be described in <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php"> will be described in <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php">
library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php</a>. library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php</a>.
</p> </p>
<h2>Internals</h2> <h2>Internals</h2>
<p> <p>
Much of the configuration schema framework's codebase deals with Much of the configuration schema framework's codebase deals with
shuffling data from one format to another, and doing validation on this shuffling data from one format to another, and doing validation on this
@@ -352,7 +387,7 @@ Test.Example</pre>
The keystone of all of this is the <code>HTMLPurifier_ConfigSchema_Interchange</code> The keystone of all of this is the <code>HTMLPurifier_ConfigSchema_Interchange</code>
class, which represents the purest, parsed representation of the schema. class, which represents the purest, parsed representation of the schema.
</p> </p>
<p> <p>
Hand-writing this data is unwieldy, however, so we write directive files. Hand-writing this data is unwieldy, however, so we write directive files.
These directive files are parsed by <code>HTMLPurifier_StringHashParser</code> These directive files are parsed by <code>HTMLPurifier_StringHashParser</code>
@@ -360,7 +395,7 @@ Test.Example</pre>
are run through <code>HTMLPurifier_ConfigSchema_InterchangeBuilder</code> are run through <code>HTMLPurifier_ConfigSchema_InterchangeBuilder</code>
to construct the interchange object. to construct the interchange object.
</p> </p>
<p> <p>
From the interchange object, the data can be siphoned into other forms From the interchange object, the data can be siphoned into other forms
using <code>HTMLPurifier_ConfigSchema_Builder</code> subclasses. using <code>HTMLPurifier_ConfigSchema_Builder</code> subclasses.
@@ -372,3 +407,6 @@ Test.Example</pre>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

3
docs/dev-flush.html
View File

@@ -63,3 +63,6 @@
</p> </p>
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

8
docs/dev-includes.txt
View File

@@ -91,14 +91,14 @@ use the stub for all cases (which might not be a bad idea).
Deprecated Deprecated
---------- ----------
One of the things I'd like to do is have the code search for any classes One of the things I'd like to do is have the code search for any classes
that are explicitly mentioned in the code. If a class isn't mentioned, I that are explicitly mentioned in the code. If a class isn't mentioned, I
get to assume that it is "optional," i.e. included via introspection. get to assume that it is "optional," i.e. included via introspection.
The choice is either to use PHP's tokenizer or use regexps; regexps would The choice is either to use PHP's tokenizer or use regexps; regexps would
be faster but a tokenizer would be more correct. If this ends up being be faster but a tokenizer would be more correct. If this ends up being
unfeasible, adding dependency comments isn't a bad idea. (This could unfeasible, adding dependency comments isn't a bad idea. (This could
even be done automatically by search/replacing require_once, although even be done automatically by search/replacing require_once, although
we'd have to manually inspect the results for the optional requires.) we'd have to manually inspect the results for the optional requires.)
NOTE: This ends up not being necessary, as we're going to make the user NOTE: This ends up not being necessary, as we're going to make the user
figure out all the extra classes they need, and only include the core figure out all the extra classes they need, and only include the core
which is predetermined. which is predetermined.
@@ -193,7 +193,7 @@ configuration directives would be used to generate our key (meta-directives!)
mechanism works better. However, we can uniquely identify the mechanism works better. However, we can uniquely identify the
schema based on the directories they loaded, so there's no need schema based on the directories they loaded, so there's no need
for a DefinitionId until we give them full programmatic control. for a DefinitionId until we give them full programmatic control.
These variables should be directly incorporated into ConfigSchema, These variables should be directly incorporated into ConfigSchema,
and ConfigSchema should handle serialization. Some refactoring will be and ConfigSchema should handle serialization. Some refactoring will be
necessary for the DefinitionCache classes, as they are built with necessary for the DefinitionCache classes, as they are built with
@@ -277,3 +277,5 @@ DEPRECATED-VERSION: If the directive was deprecated, when was it deprecated?
DEPRECATED-USE: If the directive was deprecated, what should the user use now? DEPRECATED-USE: If the directive was deprecated, what should the user use now?
REQUIRES: What classes does this configuration directive require, but are REQUIRES: What classes does this configuration directive require, but are
not part of the HTML Purifier core? not part of the HTML Purifier core?
vim: et sw=4 sts=4

7
docs/dev-naming.html
View File

@@ -35,7 +35,7 @@ help you find the correct functionality more quickly. Here they are:</p>
<dt>Harness and Test are reserved class names for unit tests</dt> <dt>Harness and Test are reserved class names for unit tests</dt>
<dd>The suffix <code>Test</code> indicates that the class is a subclass of UnitTestCase <dd>The suffix <code>Test</code> indicates that the class is a subclass of UnitTestCase
(of the Simpletest library) and is testable. "Harness" indicates a subclass (of the Simpletest library) and is testable. "Harness" indicates a subclass
of UnitTestCase that is not meant to be run but to be extended into of UnitTestCase that is not meant to be run but to be extended into
concrete test cases and contains custom test methods (i.e. assert*())</dd> concrete test cases and contains custom test methods (i.e. assert*())</dd>
<dt>Class names do not necessarily represent inheritance hierarchies</dt> <dt>Class names do not necessarily represent inheritance hierarchies</dt>
@@ -51,7 +51,7 @@ help you find the correct functionality more quickly. Here they are:</p>
all must be present in order for proper functioning.</dd> all must be present in order for proper functioning.</dd>
<dt>Abbreviations are avoided</dt> <dt>Abbreviations are avoided</dt>
<dd>We try to avoid abbreviations as much as possible, but in some cases, <dd>We try to avoid abbreviations as much as possible, but in some cases,
abbreviated version is more readable than the full version. Here, we abbreviated version is more readable than the full version. Here, we
list common abbreviations: list common abbreviations:
<ul> <ul>
@@ -78,3 +78,6 @@ help you find the correct functionality more quickly. Here they are:</p>
</dl> </dl>
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

3
docs/dev-optimization.html
View File

@@ -28,3 +28,6 @@ that itch, put it here!</p>
</ul> </ul>
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

3
docs/dev-progress.html
View File

@@ -304,3 +304,6 @@ Mozilla on inside and needs -moz-outline, no IE support.</td></tr>
</table> </table>
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

89
docs/enduser-customize.html
View File

@@ -18,12 +18,11 @@
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> <div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p> <p>
You may have heard of the <a href="dev-advanced-api.html">Advanced API</a>. HTML Purifier has this quirk where if you try to allow certain elements or
If you're interested in reading dry prose and boring functional attributes, HTML Purifier will tell you that it's not supported, and that
specifications, feel free to click that link to get a no-nonsense overview you should go to the forums to find out how to implement it. Well, this
on the Advanced API. For the rest of us, there's this tutorial. By the time document is how to implement elements and attributes which HTML Purifier
you're finished reading this, you should have a pretty good idea on doesn't support out of the box.
how to implement custom tags and attributes that HTML Purifier may not have.
</p> </p>
<h2>Is it necessary?</h2> <h2>Is it necessary?</h2>
@@ -84,17 +83,6 @@
limited to translations) above or below other corresponding text. limited to translations) above or below other corresponding text.
</p> </p>
<h3>XHTML 2.0</h3>
<p>
<a href="http://www.w3.org/TR/xhtml2/">XHTML 2.0</a> is still a
working draft, so any elements introduced in the
specification have not been implemented and will not be implemented
until we get a recommendation or proposal. Because XHTML 2.0 is
an entirely new markup language, implementing rules for it will be
no easy task.
</p>
<h3>HTML 5</h3> <h3>HTML 5</h3>
<p> <p>
@@ -156,9 +144,9 @@
</p> </p>
<pre>$config = HTMLPurifier_Config::createDefault(); <pre>$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial'); $config-&gt;set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML', 'DefinitionRev', 1); $config-&gt;set('HTML.DefinitionRev', 1);
$def = $config->getHTMLDefinition(true);</pre> $def = $config-&gt;getHTMLDefinition(true);</pre>
<p> <p>
Assuming that HTML Purifier has already been properly loaded (hint: Assuming that HTML Purifier has already been properly loaded (hint:
@@ -206,15 +194,15 @@ $def = $config->getHTMLDefinition(true);</pre>
<h2>Turn off caching</h2> <h2>Turn off caching</h2>
<p> <p>
To make development easier, we're going to temporarily turn off To make development easier, we're going to temporarily turn off
definition caching: definition caching:
</p> </p>
<pre>$config = HTMLPurifier_Config::createDefault(); <pre>$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial'); $config-&gt;set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML', 'DefinitionRev', 1); $config-&gt;set('HTML.DefinitionRev', 1);
<strong>$config->set('Cache', 'DefinitionImpl', null); // remove this later!</strong> <strong>$config-&gt;set('Cache.DefinitionImpl', null); // TODO: remove this later!</strong>
$def = $config->getHTMLDefinition(true);</pre> $def = $config-&gt;getHTMLDefinition(true);</pre>
<p> <p>
A few things should be mentioned about the caching mechanism before A few things should be mentioned about the caching mechanism before
@@ -267,10 +255,10 @@ $def = $config->getHTMLDefinition(true);</pre>
</p> </p>
<pre>$config = HTMLPurifier_Config::createDefault(); <pre>$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial'); $config-&gt;set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML', 'DefinitionRev', 1); $config-&gt;set('HTML.DefinitionRev', 1);
$config->set('Cache', 'DefinitionImpl', null); // remove this later! $config-&gt;set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true); $def = $config-&gt;getHTMLDefinition(true);
<strong>$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top');</strong></pre> <strong>$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top');</strong></pre>
<p> <p>
@@ -385,11 +373,11 @@ $def = $config->getHTMLDefinition(true);
</p> </p>
<pre>$config = HTMLPurifier_Config::createDefault(); <pre>$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial'); $config-&gt;set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML', 'DefinitionRev', 1); $config-&gt;set('HTML.DefinitionRev', 1);
$config->set('Cache', 'DefinitionImpl', null); // remove this later! $config-&gt;set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true); $def = $config-&gt;getHTMLDefinition(true);
<strong>$def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum( <strong>$def-&gt;addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum(
array('_blank','_self','_target','_top') array('_blank','_self','_target','_top')
));</strong></pre> ));</strong></pre>
@@ -401,8 +389,8 @@ $def = $config->getHTMLDefinition(true);
<p> <p>
Adding attributes is really small-fry stuff, though, and it was possible Adding attributes is really small-fry stuff, though, and it was possible
to add them (albeit a bit more wordy) prior to 2.0. The real gem of to add them (albeit a bit more wordy) prior to 2.0. The real gem of
the Advanced API is adding elements. There are five questions to the Advanced API is adding elements. There are five questions to
ask when adding a new element: ask when adding a new element:
</p> </p>
@@ -493,9 +481,9 @@ $def = $config->getHTMLDefinition(true);
<p> <p>
The <code>(%flow;)*</code> indicates the allowed children of the The <code>(%flow;)*</code> indicates the allowed children of the
<code>li</code> tag: <code>li</code> allows any number of flow <code>li</code> tag: <code>li</code> allows any number of flow
elements as its children. (The <code>- O</code> allows the closing tag to be elements as its children. (The <code>- O</code> allows the closing tag to be
omitted, though in XML this is not allowed.) In HTML Purifier, omitted, though in XML this is not allowed.) In HTML Purifier,
we'd write it like <code>Flow</code> (here's where the content sets we'd write it like <code>Flow</code> (here's where the content sets
we were discussing earlier come into play). There are three shorthand we were discussing earlier come into play). There are three shorthand
content models you can specify: content models you can specify:
</p> </p>
@@ -596,7 +584,7 @@ $def = $config->getHTMLDefinition(true);
be nuked. This is why there is are specific content model types like be nuked. This is why there is are specific content model types like
Optional and Required: while they could be implemented as <code>Custom: Optional and Required: while they could be implemented as <code>Custom:
(valid | elements)*</code>, the custom classes contain special recovery (valid | elements)*</code>, the custom classes contain special recovery
measures that make sure as much of the user's original content gets measures that make sure as much of the user's original content gets
through. HTML Purifier's core, as a rule, does not use Custom. through. HTML Purifier's core, as a rule, does not use Custom.
</p> </p>
@@ -676,7 +664,7 @@ $def = $config->getHTMLDefinition(true);
href="http://www.w3.org/TR/xhtml-modularization/abstract_modules.html#s_commonatts">abstract href="http://www.w3.org/TR/xhtml-modularization/abstract_modules.html#s_commonatts">abstract
modules of the XHTML Modularization 1.1</a>. We believe this section modules of the XHTML Modularization 1.1</a>. We believe this section
to be in error, as <code>br</code> permits the use of the <code>style</code> to be in error, as <code>br</code> permits the use of the <code>style</code>
attribute even though it uses the <code>Core</code> collection, and attribute even though it uses the <code>Core</code> collection, and
the DTD and XML Schemas supplied by W3C support our interpretation. the DTD and XML Schemas supplied by W3C support our interpretation.
</p> </p>
@@ -724,7 +712,7 @@ $def = $config->getHTMLDefinition(true);
or more flow elements, but no nested <code>form</code>s</strong></li> or more flow elements, but no nested <code>form</code>s</strong></li>
<li>What attributes does the element allow that are general? <strong>Common</strong></li> <li>What attributes does the element allow that are general? <strong>Common</strong></li>
<li>What attributes does the element allow that are specific to this element? <strong>A whole bunch, see ATTLIST; <li>What attributes does the element allow that are specific to this element? <strong>A whole bunch, see ATTLIST;
we're going to the vital ones: <code>action</code>, <code>method</code> and <code>name</code></strong></li> we're going to do the vital ones: <code>action</code>, <code>method</code> and <code>name</code></strong></li>
</ol> </ol>
<p> <p>
@@ -732,14 +720,14 @@ $def = $config->getHTMLDefinition(true);
</p> </p>
<pre>$config = HTMLPurifier_Config::createDefault(); <pre>$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'DefinitionID', 'enduser-customize.html tutorial'); $config-&gt;set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML', 'DefinitionRev', 1); $config-&gt;set('HTML.DefinitionRev', 1);
$config->set('Cache', 'DefinitionImpl', null); // remove this later! $config-&gt;set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true); $def = $config-&gt;getHTMLDefinition(true);
$def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum( $def-&gt;addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum(
array('_blank','_self','_target','_top') array('_blank','_self','_target','_top')
)); ));
<strong>$form = $def->addElement( <strong>$form = $def-&gt;addElement(
'form', // name 'form', // name
'Block', // content set 'Block', // content set
'Flow', // allowed children 'Flow', // allowed children
@@ -750,7 +738,7 @@ $def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum(
'name' => 'ID' 'name' => 'ID'
) )
); );
$form->excludes = array('form' => true);</strong></pre> $form-&gt;excludes = array('form' => true);</strong></pre>
<p> <p>
Each of the parameters corresponds to one of the questions we asked. Each of the parameters corresponds to one of the questions we asked.
@@ -794,3 +782,6 @@ $form->excludes = array('form' => true);</strong></pre>
</ul> </ul>
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

17
docs/enduser-id.html
View File

@@ -31,7 +31,7 @@ by default.</p>
<p>IDs, however, are quite useful functionality to have, so if users start <p>IDs, however, are quite useful functionality to have, so if users start
complaining about broken anchors you'll probably want to turn them back on complaining about broken anchors you'll probably want to turn them back on
with %HTML.EnableAttrID. But before you go mucking around with the config with %Attr.EnableID. But before you go mucking around with the config
object, it's probably worth to take some precautions to keep your page object, it's probably worth to take some precautions to keep your page
validating. Why?</p> validating. Why?</p>
@@ -56,8 +56,8 @@ validating. Why?</p>
deal with the most obvious solution: preventing users from using any IDs that deal with the most obvious solution: preventing users from using any IDs that
appear elsewhere on the document. The method is simple:</p> appear elsewhere on the document. The method is simple:</p>
<pre>$config->set('HTML', 'EnableAttrID', true); <pre>$config-&gt;set('Attr.EnableID', true);
$config->set('Attr', 'IDBlacklist' array( $config-&gt;set('Attr.IDBlacklist' array(
'list', 'of', 'attribute', 'values', 'that', 'are', 'forbidden' 'list', 'of', 'attribute', 'values', 'that', 'are', 'forbidden'
));</pre> ));</pre>
@@ -88,8 +88,8 @@ all, they might have simply specified a duplicate ID by accident.</p>
<p>This method, too, is quite simple: add a prefix to all user IDs. With this <p>This method, too, is quite simple: add a prefix to all user IDs. With this
code:</p> code:</p>
<pre>$config->set('HTML', 'EnableAttrID', true); <pre>$config-&gt;set('Attr.EnableID', true);
$config->set('Attr', 'IDPrefix', 'user_');</pre> $config-&gt;set('Attr.IDPrefix', 'user_');</pre>
<p>...this:</p> <p>...this:</p>
@@ -109,7 +109,7 @@ user_ to the beginning.&quot;</p>
nothing about multiple HTML Purifier outputs on one page. Thus, we have nothing about multiple HTML Purifier outputs on one page. Thus, we have
a second configuration value to piggy-back off of: %Attr.IDPrefixLocal:</p> a second configuration value to piggy-back off of: %Attr.IDPrefixLocal:</p>
<pre>$config->set('Attr', 'IDPrefixLocal', 'comment' . $id . '_');</pre> <pre>$config-&gt;set('Attr.IDPrefixLocal', 'comment' . $id . '_');</pre>
<p>This new attributes does nothing but append on to regular IDPrefix, but is <p>This new attributes does nothing but append on to regular IDPrefix, but is
special in that it is volatile: it's value is determined at run-time and special in that it is volatile: it's value is determined at run-time and
@@ -137,9 +137,12 @@ anchors is beyond me.</p>
<p>To revert back to pre-1.2.0 behavior, simply:</p> <p>To revert back to pre-1.2.0 behavior, simply:</p>
<pre>$config->set('HTML', 'EnableAttrID', true);</pre> <pre>$config-&gt;set('Attr.EnableID', true);</pre>
<p>Don't come crying to me when your page mysteriously stops validating, though.</p> <p>Don't come crying to me when your page mysteriously stops validating, though.</p>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

2
docs/enduser-overview.txt
View File

@@ -55,3 +55,5 @@ HTML tags. Things like blog comments are, in all likelihood, most appropriately
written in an extremely restrictive set of markup that doesn't require written in an extremely restrictive set of markup that doesn't require
all this functionality (or not written in HTML at all), although this may all this functionality (or not written in HTML at all), although this may
be changing in the future with the addition of levels of filtering. be changing in the future with the addition of levels of filtering.
vim: et sw=4 sts=4

2
docs/enduser-security.txt
View File

@@ -14,3 +14,5 @@ to be effective. Things to remember:
4. CSS: document pending 4. CSS: document pending
Explain which CSS styles we blocked and why. Explain which CSS styles we blocked and why.
vim: et sw=4 sts=4

51
docs/enduser-slow.html
View File

@@ -17,25 +17,25 @@
<div id="index">Return to the <a href="index.html">index</a>.</div> <div id="index">Return to the <a href="index.html">index</a>.</div>
<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> <div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div>
<p>HTML Purifier is a very powerful library. But with power comes great <p>HTML Purifier is a very powerful library. But with power comes great
responsibility, in the form of longer execution times. Remember, this responsibility, in the form of longer execution times. Remember, this
library isn't lightly grazing over submitted HTML: it's deconstructing library isn't lightly grazing over submitted HTML: it's deconstructing
the whole thing, rigorously checking the parts, and then putting it back the whole thing, rigorously checking the parts, and then putting it back
together. </p> together. </p>
<p>So, if it so turns out that HTML Purifier is kinda too slow for outbound <p>So, if it so turns out that HTML Purifier is kinda too slow for outbound
filtering, you've got a few options: </p> filtering, you've got a few options: </p>
<h2>Inbound filtering</h2> <h2>Inbound filtering</h2>
<p>Perform filtering of HTML when it's submitted by the user. Since the <p>Perform filtering of HTML when it's submitted by the user. Since the
user is already submitting something, an extra half a second tacked on user is already submitting something, an extra half a second tacked on
to the load time probably isn't going to be that huge of a problem. to the load time probably isn't going to be that huge of a problem.
Then, displaying the content is a simple a manner of outputting it Then, displaying the content is a simple a manner of outputting it
directly from your database/filesystem. The trouble with this method is directly from your database/filesystem. The trouble with this method is
that your user loses the original text, and when doing edits, will be that your user loses the original text, and when doing edits, will be
handling the filtered text. While this may be a good thing, especially handling the filtered text. While this may be a good thing, especially
if you're using a WYSIWYG editor, it can also result in data-loss if a if you're using a WYSIWYG editor, it can also result in data-loss if a
user makes a typo. </p> user makes a typo. </p>
<p>Example (non-functional):</p> <p>Example (non-functional):</p>
@@ -66,14 +66,14 @@ user makes a typo. </p>
<h2>Caching the filtered output</h2> <h2>Caching the filtered output</h2>
<p>Accept the submitted text and put it unaltered into the database, but <p>Accept the submitted text and put it unaltered into the database, but
then also generate a filtered version and stash that in the database. then also generate a filtered version and stash that in the database.
Serve the filtered version to readers, and the unaltered version to Serve the filtered version to readers, and the unaltered version to
editors. If need be, you can invalidate the cache and have the cached editors. If need be, you can invalidate the cache and have the cached
filtered version be regenerated on the first page view. Pros? Full data filtered version be regenerated on the first page view. Pros? Full data
retention. Cons? It's more complicated, and opens other editors up to retention. Cons? It's more complicated, and opens other editors up to
XSS if they are using a WYSIWYG editor (to fix that, they'd have to be XSS if they are using a WYSIWYG editor (to fix that, they'd have to be
able to get their hands on the *really* original text served in able to get their hands on the *really* original text served in
plaintext mode). </p> plaintext mode). </p>
<p>Example (non-functional):</p> <p>Example (non-functional):</p>
@@ -108,10 +108,13 @@ plaintext mode). </p>
<p>In short, inbound filtering is the simple option and caching is the <p>In short, inbound filtering is the simple option and caching is the
robust option (albeit with bigger storage requirements). </p> robust option (albeit with bigger storage requirements). </p>
<p>There is a third option, independent of the two we've discussed: profile <p>There is a third option, independent of the two we've discussed: profile
and optimize HTMLPurifier yourself. Be sure to report back your results and optimize HTMLPurifier yourself. Be sure to report back your results
if you decide to do that! Especially if you port HTML Purifier to C++. if you decide to do that! Especially if you port HTML Purifier to C++.
<tt>;-)</tt></p> <tt>;-)</tt></p>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

19
docs/enduser-tidy.html
View File

@@ -50,7 +50,7 @@ not need Tidy installed on your PHP to use these features!</strong></p>
<h2>What are levels?</h2> <h2>What are levels?</h2>
<p>Levels describe how aggressive the Tidy module should be when <p>Levels describe how aggressive the Tidy module should be when
cleaning up HTML. There are four levels to pick: none, light, medium cleaning up HTML. There are four levels to pick: none, light, medium
and heavy. Each of these levels has a well-defined set of behavior and heavy. Each of these levels has a well-defined set of behavior
associated with it, although it may change depending on your doctype.</p> associated with it, although it may change depending on your doctype.</p>
@@ -76,7 +76,7 @@ associated with it, although it may change depending on your doctype.</p>
change the level of cleaning by setting the %HTML.TidyLevel configuration change the level of cleaning by setting the %HTML.TidyLevel configuration
directive:</p> directive:</p>
<pre>$config->set('HTML', 'TidyLevel', 'heavy'); // burn baby burn!</pre> <pre>$config-&gt;set('HTML.TidyLevel', 'heavy'); // burn baby burn!</pre>
<h2>Is the light level really light?</h2> <h2>Is the light level really light?</h2>
@@ -165,17 +165,17 @@ smoketest</a>.</p>
so happy about the br@clear implementation. That's perfectly fine! so happy about the br@clear implementation. That's perfectly fine!
HTML Purifier will make accomodations:</p> HTML Purifier will make accomodations:</p>
<pre>$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional'); <pre>$config-&gt;set('HTML.Doctype', 'XHTML 1.0 Transitional');
$config->set('HTML', 'TidyLevel', 'heavy'); // all changes, minus... $config-&gt;set('HTML.TidyLevel', 'heavy'); // all changes, minus...
<strong>$config->set('HTML', 'TidyRemove', 'br@clear');</strong></pre> <strong>$config-&gt;set('HTML.TidyRemove', 'br@clear');</strong></pre>
<p>That third line does the magic, removing the br@clear fix <p>That third line does the magic, removing the br@clear fix
from the module, ensuring that <code>&lt;br clear="both" /&gt;</code> from the module, ensuring that <code>&lt;br clear="both" /&gt;</code>
will pass through unharmed. The reverse is possible too:</p> will pass through unharmed. The reverse is possible too:</p>
<pre>$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional'); <pre>$config-&gt;set('HTML.Doctype', 'XHTML 1.0 Transitional');
$config->set('HTML', 'TidyLevel', 'none'); // no changes, plus... $config-&gt;set('HTML.TidyLevel', 'none'); // no changes, plus...
<strong>$config->set('HTML', 'TidyAdd', 'p@align');</strong></pre> <strong>$config-&gt;set('HTML.TidyAdd', 'p@align');</strong></pre>
<p>In this case, all transformations are shut off, except for the p@align <p>In this case, all transformations are shut off, except for the p@align
one, which you found handy.</p> one, which you found handy.</p>
@@ -226,3 +226,6 @@ Other than that, don't worry about it: this all works silently and
effectively in the background.</p> effectively in the background.</p>
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

26
docs/enduser-uri-filter.html
View File

@@ -92,7 +92,7 @@
</tbody></table> </tbody></table>
<p> <p>
Because the URI is presented to us in this form, and not Because the URI is presented to us in this form, and not
<code>http://bob@example.com:8080/foo.php?q=string#hash</code>, it saves us <code>http://bob@example.com:8080/foo.php?q=string#hash</code>, it saves us
a lot of trouble in having to parse the URI every time we want to filter a lot of trouble in having to parse the URI every time we want to filter
it. For the record, the above URI has the following components: it. For the record, the above URI has the following components:
@@ -160,27 +160,14 @@
</p> </p>
<pre>$uri = $config->getDefinition('URI'); <pre>$uri = $config->getDefinition('URI');
$uri->addFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>());</pre> $uri->addFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>(), $config);</pre>
<p> <p>
If you want to be really fancy, you can define a configuration directive After adding a filter, you won't be able to set configuration directives.
for your filter and have HTML Purifier automatically manage whether or Structure your code accordingly.
not your filter gets loaded or not (this is how internal filters manage
things):
</p> </p>
<pre>HTMLPurifier_ConfigSchema::define( <!-- XXX: link to new documentation system -->
'URI', '<strong>NameOfFilter</strong>', false, 'bool',
'<strong>What your filter does.</strong>'
);
$uri = $config->getDefinition('URI', true);
$uri->registerFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>());
</pre>
<p>
Now, your filter will only be called when %URI.<strong>NameOfFilter</strong>
is set to true.
</p>
<h2>Post-filter</h2> <h2>Post-filter</h2>
@@ -212,3 +199,6 @@ $uri->registerFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>())
</p> </p>
</body></html> </body></html>
<!-- vim: et sw=4 sts=4
-->

53
docs/enduser-utf8.html
View File

@@ -106,7 +106,7 @@ there are now many character encodings floating around.</p>
interpret raw zeroes and ones into real characters. It interpret raw zeroes and ones into real characters. It
usually does this by pairing numbers with characters.</p> usually does this by pairing numbers with characters.</p>
<p>There are many different types of character encodings floating <p>There are many different types of character encodings floating
around, but the ones we deal most frequently with are ASCII, around, but the ones we deal most frequently with are ASCII,
8-bit encodings, and Unicode-based encodings.</p> 8-bit encodings, and Unicode-based encodings.</p>
<ul> <ul>
<li><strong>ASCII</strong> is a 7-bit encoding based on the <li><strong>ASCII</strong> is a 7-bit encoding based on the
@@ -306,7 +306,7 @@ languages</a>. The appropriate code is:</p>
<p>...replacing UTF-8 with whatever your embedded encoding is. <p>...replacing UTF-8 with whatever your embedded encoding is.
This code must come before any output, so be careful about This code must come before any output, so be careful about
stray whitespace in your application (i.e., any whitespace before stray whitespace in your application (i.e., any whitespace before
output excluding whitespace within &lt;?php ?&gt; tags).</p> output excluding whitespace within &lt;?php ?&gt; tags).</p>
<h4 id="fixcharset-server-phpini">PHP ini directive</h4> <h4 id="fixcharset-server-phpini">PHP ini directive</h4>
@@ -366,9 +366,9 @@ to send anything at all:</p>
<pre><a href="http://httpd.apache.org/docs/1.3/mod/core.html#adddefaultcharset">AddDefaultCharset</a> Off</pre> <pre><a href="http://httpd.apache.org/docs/1.3/mod/core.html#adddefaultcharset">AddDefaultCharset</a> Off</pre>
<p>...making your internal charset declaration (usually the <code>META</code> tags) <p>...making your internal charset declaration (usually the <code>META</code> tags)
the sole source of character encoding the sole source of character encoding
information. In these cases, it is <em>especially</em> important to make information. In these cases, it is <em>especially</em> important to make
sure you have valid <code>META</code> tags on your pages and all the sure you have valid <code>META</code> tags on your pages and all the
text before them is ASCII.</p> text before them is ASCII.</p>
<blockquote class="aside"><p>These directives can also be <blockquote class="aside"><p>These directives can also be
@@ -443,9 +443,9 @@ Declarations. They look like:</p>
<p>For XHTML, this XML Declaration theoretically <p>For XHTML, this XML Declaration theoretically
overrides the <code>META</code> tag. In reality, this happens only when the overrides the <code>META</code> tag. In reality, this happens only when the
XHTML is actually served as legit XML and not HTML, which is almost always XHTML is actually served as legit XML and not HTML, which is almost always
never due to Internet Explorer's lack of support for never due to Internet Explorer's lack of support for
<code>application/xhtml+xml</code> (even though doing so is often <code>application/xhtml+xml</code> (even though doing so is often
argued to be <a href="http://www.hixie.ch/advocacy/xhtml">good argued to be <a href="http://www.hixie.ch/advocacy/xhtml">good
practice</a> and is required by the XHTML 1.1 specification).</p> practice</a> and is required by the XHTML 1.1 specification).</p>
<p>For XML, however, this XML Declaration is extremely important. <p>For XML, however, this XML Declaration is extremely important.
@@ -456,7 +456,7 @@ ISO-8859-1 encoding (you see this in garbled RSS feeds).</p>
<p>In short, if you use XHTML and have gone through the <p>In short, if you use XHTML and have gone through the
trouble of adding the XML Declaration, make sure it jives trouble of adding the XML Declaration, make sure it jives
with your <code>META</code> tags (which should only be present with your <code>META</code> tags (which should only be present
if served in text/html) and HTTP headers.</p> if served in text/html) and HTTP headers.</p>
<h3 id="fixcharset-internals">Inside the process</h3> <h3 id="fixcharset-internals">Inside the process</h3>
@@ -481,7 +481,7 @@ if we don't know it's character encoding? And how do we figure out
the character encoding, if we don't know the contents of the the character encoding, if we don't know the contents of the
<code>META</code> tag?</p> <code>META</code> tag?</p>
<p>Fortunantely for us, the characters we need to write the <p>Fortunately for us, the characters we need to write the
<code>META</code> are in ASCII, which is pretty much universal <code>META</code> are in ASCII, which is pretty much universal
over every character encoding that is in common use today. So, over every character encoding that is in common use today. So,
all the web-browser has to do is parse all the way down until all the web-browser has to do is parse all the way down until
@@ -489,7 +489,7 @@ it gets to the Content-Type tag, extract the character encoding
tag, then re-parse the document according to this new information.</p> tag, then re-parse the document according to this new information.</p>
<p>Obviously this is complicated, so browsers prefer the simpler <p>Obviously this is complicated, so browsers prefer the simpler
and more efficient solution: get the character encoding from a and more efficient solution: get the character encoding from a
somewhere other than the document itself, i.e. the HTTP headers, somewhere other than the document itself, i.e. the HTTP headers,
much to the chagrin of HTML authors who can't set these headers.</p> much to the chagrin of HTML authors who can't set these headers.</p>
@@ -526,7 +526,7 @@ you don't have to use those user-unfriendly entities.</p>
<h3 id="whyutf8-user">User-friendly</h3> <h3 id="whyutf8-user">User-friendly</h3>
<p>Websites encoded in Latin-1 (ISO-8859-1) which ocassionally need <p>Websites encoded in Latin-1 (ISO-8859-1) which occasionally need
a special character outside of their scope often will use a character a special character outside of their scope often will use a character
entity reference to achieve the desired effect. For instance, &theta; can be entity reference to achieve the desired effect. For instance, &theta; can be
written <code>&amp;theta;</code>, regardless of the character encoding's written <code>&amp;theta;</code>, regardless of the character encoding's
@@ -578,13 +578,13 @@ files.</p>
<a href="http://web.archive.org/web/20060427015200/ppewww.ph.gla.ac.uk/~flavell/charset/form-i18n.html"> <a href="http://web.archive.org/web/20060427015200/ppewww.ph.gla.ac.uk/~flavell/charset/form-i18n.html">
<code>FORM</code> submission and i18n</a>. That document contains lots <code>FORM</code> submission and i18n</a>. That document contains lots
of useful information, but is written in a rambly manner, so of useful information, but is written in a rambly manner, so
here I try to get right to the point. (Note: the original has here I try to get right to the point. (Note: the original has
disappeared off the web, so I am linking to the Web Archive copy.)</p> disappeared off the web, so I am linking to the Web Archive copy.)</p>
<h4 id="whyutf8-forms-urlencoded"><code>application/x-www-form-urlencoded</code></h4> <h4 id="whyutf8-forms-urlencoded"><code>application/x-www-form-urlencoded</code></h4>
<p>This is the Content-Type that GET requests must use, and POST requests <p>This is the Content-Type that GET requests must use, and POST requests
use by default. It involves the ubiquituous percent encoding format that use by default. It involves the ubiquitous percent encoding format that
looks something like: <code>%C3%86</code>. There is no official way of looks something like: <code>%C3%86</code>. There is no official way of
determining the character encoding of such a request, since the percent determining the character encoding of such a request, since the percent
encoding operates on a byte level, so it is usually assumed that it encoding operates on a byte level, so it is usually assumed that it
@@ -674,7 +674,7 @@ it up to the module iconv to do the dirty work.</p>
<p>This approach, however, is not perfect. iconv is blithely unaware <p>This approach, however, is not perfect. iconv is blithely unaware
of HTML character entities. HTML Purifier, in order to of HTML character entities. HTML Purifier, in order to
protect against sophisticated escaping schemes, normalizes all character protect against sophisticated escaping schemes, normalizes all character
and numeric entitie references before processing the text. This leads to and numeric entity references before processing the text. This leads to
one important ramification:</p> one important ramification:</p>
<p><strong>Any character that is not supported by the target character <p><strong>Any character that is not supported by the target character
@@ -770,7 +770,7 @@ the text when you try to convert it to UTF-8. You'll have to convert
it to a binary field, convert it to a Shift-JIS field (the real encoding), it to a binary field, convert it to a Shift-JIS field (the real encoding),
and then finally to UTF-8. Many a website had pages irreversibly mangled and then finally to UTF-8. Many a website had pages irreversibly mangled
because they didn't realize that they'd been deluding themselves about because they didn't realize that they'd been deluding themselves about
the character encoding all along, don't become the next victim.</p> the character encoding all along; don't become the next victim.</p>
<p>For <a href="http://www.postgresql.org/docs/8.2/static/multibyte.html">PostgreSQL</a>, there appears to be no direct way to change the <p>For <a href="http://www.postgresql.org/docs/8.2/static/multibyte.html">PostgreSQL</a>, there appears to be no direct way to change the
encoding of a database (as of 8.2). You will have to dump the data, and then reimport encoding of a database (as of 8.2). You will have to dump the data, and then reimport
@@ -790,7 +790,7 @@ usually supported).</p>
<h4 id="migrate-db-binary">Binary</h4> <h4 id="migrate-db-binary">Binary</h4>
<p>Due to the abovementioned compatibility issues, a more interoperable <p>Due to the aforementioned compatibility issues, a more interoperable
way of storing UTF-8 text is to stuff it in a binary datatype. way of storing UTF-8 text is to stuff it in a binary datatype.
<code>CHAR</code> becomes <code>BINARY</code>, <code>VARCHAR</code> becomes <code>CHAR</code> becomes <code>BINARY</code>, <code>VARCHAR</code> becomes
<code>VARBINARY</code> and <code>TEXT</code> becomes <code>BLOB</code>. <code>VARBINARY</code> and <code>TEXT</code> becomes <code>BLOB</code>.
@@ -886,7 +886,7 @@ sure the page is saved WITHOUT the BOM.</p>
</blockquote> </blockquote>
<p>If you are reading in text files to insert into the middle of another <p>If you are reading in text files to insert into the middle of another
page, it is strongly advised (but not strictly necessary) that you replace out the UTF-8 byte page, it is strongly advised (but not strictly necessary) that you replace out the UTF-8 byte
sequence for BOM <code>&quot;\xEF\xBB\xBF&quot;</code> before inserting it in, sequence for BOM <code>&quot;\xEF\xBB\xBF&quot;</code> before inserting it in,
via:</p> via:</p>
@@ -917,8 +917,8 @@ anyway. So we'll deal with the other two edge cases.</p>
would like to read your website but get heaps of question marks or would like to read your website but get heaps of question marks or
other meaningless characters. Fixing this problem requires the other meaningless characters. Fixing this problem requires the
installation of a font or language pack which is often highly installation of a font or language pack which is often highly
dependent on what the language is. <a href="http://bn.wikipedia.org/wiki/%E0%A6%89%E0%A6%87%E0%A6%95%E0%A6%BF%E0%A6%AA%E0%A7%87%E0%A6%A1%E0%A6%BF%E0%A6%AF%E0%A6%BC%E0%A6%BE:Bangla_script_display_help">Here is an example</a> dependent on what the language is. <a href="http://bn.wikipedia.org/wiki/%E0%A6%89%E0%A6%87%E0%A6%95%E0%A6%BF%E0%A6%AA%E0%A7%87%E0%A6%A1%E0%A6%BF%E0%A6%AF%E0%A6%BC%E0%A6%BE:Bangla_script_display_and_input_help">Here is an example</a>
of such a help file for the Bengali language, I am sure there are of such a help file for the Bengali language; I am sure there are
others out there too. You just have to point users to the appropriate others out there too. You just have to point users to the appropriate
help file.</p> help file.</p>
@@ -928,7 +928,7 @@ help file.</p>
characters embedded in what otherwise would be very bland ASCII are characters embedded in what otherwise would be very bland ASCII are
letters of the letters of the
<a href="http://en.wikipedia.org/wiki/International_Phonetic_Alphabet">International <a href="http://en.wikipedia.org/wiki/International_Phonetic_Alphabet">International
Phonetic Alphabet (IPA)</a>, use to designate pronounciations in a very standard Phonetic Alphabet (IPA)</a>, use to designate pronunciations in a very standard
manner (you probably see them all the time in your dictionary). Your manner (you probably see them all the time in your dictionary). Your
average font probably won't have support for all of the IPA characters average font probably won't have support for all of the IPA characters
like &#664; (bilabial click) or &#658; (voiced postalveolar fricative). like &#664; (bilabial click) or &#658; (voiced postalveolar fricative).
@@ -941,15 +941,15 @@ most widely used browser in the entire world? Microsoft IE 6
is not smart enough to borrow from other fonts when a character isn't is not smart enough to borrow from other fonts when a character isn't
present, so more often than not you'll be slapped with a nice big &#65533;. present, so more often than not you'll be slapped with a nice big &#65533;.
To get things to work, MSIE 6 needs a little nudge. You could configure it To get things to work, MSIE 6 needs a little nudge. You could configure it
to use a different font to render the text, but you can acheive the same to use a different font to render the text, but you can achieve the same
effect by selectively changing the font for blocks of special characters effect by selectively changing the font for blocks of special characters
to known good Unicode fonts.</p> to known good Unicode fonts.</p>
<p>Fortunantely, the folks over at Wikipedia have already done all the <p>Fortunately, the folks over at Wikipedia have already done all the
heavy lifting for you. Get the CSS from the horses mouth here: heavy lifting for you. Get the CSS from the horses mouth here:
<a href="http://en.wikipedia.org/wiki/MediaWiki:Common.css">Common.css</a>, <a href="http://en.wikipedia.org/wiki/MediaWiki:Common.css">Common.css</a>,
and search for &quot;.IPA&quot; There are also a smattering of and search for &quot;.IPA&quot; There are also a smattering of
other classes you can use for other purposes, check out other classes you can use for other purposes, check out
<a href="http://meta.wikimedia.org/wiki/Help:Special_characters#Displaying_Special_Characters">this page</a> <a href="http://meta.wikimedia.org/wiki/Help:Special_characters#Displaying_Special_Characters">this page</a>
for more details. For you lazy ones, this should work:</p> for more details. For you lazy ones, this should work:</p>
@@ -972,7 +972,7 @@ users.</p>
<h3 id="migrate-variablewidth">Dealing with variable width in functions</h3> <h3 id="migrate-variablewidth">Dealing with variable width in functions</h3>
<p>When people claim that PHP6 will solve all our Unicode problems, they're <p>When people claim that PHP6 will solve all our Unicode problems, they're
misinformed. It will not fix any of the abovementioned troubles. It will, misinformed. It will not fix any of the aforementioned troubles. It will,
however, fix the problem we are about to discuss: processing UTF-8 text however, fix the problem we are about to discuss: processing UTF-8 text
in PHP.</p> in PHP.</p>
@@ -1035,7 +1035,7 @@ directory.</p>
<p>Well, that's it. Hopefully this document has served as a very <p>Well, that's it. Hopefully this document has served as a very
practical springboard into knowledge of how UTF-8 works. You may have practical springboard into knowledge of how UTF-8 works. You may have
decided that you don't want to migrate yet: that's fine, just know decided that you don't want to migrate yet: that's fine, just know
what will happen to your output and what bug reports you may recieve.</p> what will happen to your output and what bug reports you may receive.</p>
<p>Many other developers have already discussed the subject of Unicode, <p>Many other developers have already discussed the subject of Unicode,
UTF-8 and internationalization, and I would like to defer to them for UTF-8 and internationalization, and I would like to defer to them for
@@ -1055,3 +1055,6 @@ a more in-depth look into character sets and encodings.</p>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

7
docs/enduser-youtube.html
View File

@@ -67,7 +67,7 @@ into your documents. YouTube's code goes like this:</p>
</ol> </ol>
<p>What point 2 means is that if we have code like <code>&lt;span <p>What point 2 means is that if we have code like <code>&lt;span
class=&quot;embed-youtube&quot;&gt;AyPzM5WK8ys&lt;/span&gt;</code> your class=&quot;youtube-embed&quot;&gt;AyPzM5WK8ys&lt;/span&gt;</code> your
application can reconstruct the full object from this small snippet that application can reconstruct the full object from this small snippet that
passes through HTML Purifier <em>unharmed</em>. passes through HTML Purifier <em>unharmed</em>.
<a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/Filter/YouTube.php">Show me the code!</a></p> <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/Filter/YouTube.php">Show me the code!</a></p>
@@ -75,7 +75,7 @@ passes through HTML Purifier <em>unharmed</em>.
<p>And the corresponding usage:</p> <p>And the corresponding usage:</p>
<pre>&lt;?php <pre>&lt;?php
$config->set('Filter', 'YouTube', true); $config-&gt;set('Filter.YouTube', true);
?&gt;</pre> ?&gt;</pre>
<p>There is a bit going in the two code snippets, so let's explain.</p> <p>There is a bit going in the two code snippets, so let's explain.</p>
@@ -148,3 +148,6 @@ with the core!</p>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

5
docs/examples/basic.php
View File

@@ -8,8 +8,8 @@ require_once '../../library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault(); $config = HTMLPurifier_Config::createDefault();
// configuration goes here: // configuration goes here:
$config->set('Core', 'Encoding', 'UTF-8'); // replace with your encoding $config->set('Core.Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional'); // replace with your doctype $config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); // replace with your doctype
$purifier = new HTMLPurifier($config); $purifier = new HTMLPurifier($config);
@@ -20,3 +20,4 @@ $pure_html = $purifier->purify($html);
echo '<pre>' . htmlspecialchars($pure_html) . '</pre>'; echo '<pre>' . htmlspecialchars($pure_html) . '</pre>';
// vim: et sw=4 sts=4

3
docs/fixquotes.htc
View File

@@ -4,3 +4,6 @@ function init() {
element.innerHTML = '&#8220;'+element.innerHTML+'&#8221;'; element.innerHTML = '&#8220;'+element.innerHTML+'&#8221;';
} }
</script> </script>
<!-- vim: et sw=4 sts=4
-->

9
docs/index.html
View File

@@ -117,6 +117,12 @@ the code. They may be upgraded to HTML files or stay as TXT scratchpads.</p>
<td>Common security issues that may still arise (half-baked).</td> <td>Common security issues that may still arise (half-baked).</td>
</tr> </tr>
<tr>
<td>Development</td>
<td><a href="dev-config-bcbreaks.txt">Config BC Breaks</a></td>
<td>Backwards-incompatible changes in HTML Purifier 4.0.0</td>
</tr>
<tr> <tr>
<td>Development</td> <td>Development</td>
<td><a href="dev-code-quality.txt">Code Quality Issues</a></td> <td><a href="dev-code-quality.txt">Code Quality Issues</a></td>
@@ -177,3 +183,6 @@ the code. They may be upgraded to HTML files or stay as TXT scratchpads.</p>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

3
docs/proposal-colors.html
View File

@@ -44,3 +44,6 @@ something like that?</li>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

2
docs/proposal-config.txt
View File

@@ -19,3 +19,5 @@ Definition objects are complex datatypes influenced by their respective
directive namespaces (HTMLDefinition with HTML and CSSDefinition with CSS). directive namespaces (HTMLDefinition with HTML and CSSDefinition with CSS).
If any of these directives is updated, HTML Purifier forces the definition If any of these directives is updated, HTML Purifier forces the definition
to be regenerated. to be regenerated.
vim: et sw=4 sts=4

2
docs/proposal-css-extraction.txt
View File

@@ -30,3 +30,5 @@ Beyond that, HTML Purifier can magically merge common CSS values together,
and a whole manner of other heuristic things. HTML Purifier should also and a whole manner of other heuristic things. HTML Purifier should also
make it easy for an admin to re-style the HTML semantically. Speed is not make it easy for an admin to re-style the HTML semantically. Speed is not
an issue. Also, better WYSIWYG editors are needed. an issue. Also, better WYSIWYG editors are needed.
vim: et sw=4 sts=4

40
docs/proposal-errors.txt
View File

@@ -2,7 +2,7 @@ Considerations for ErrorCollection
Presently, HTML Purifier takes a code-execution centric approach to handling Presently, HTML Purifier takes a code-execution centric approach to handling
errors. Errors are organized and grouped according to which segment of the errors. Errors are organized and grouped according to which segment of the
code triggers them, not necessarily the portion of the input document that code triggers them, not necessarily the portion of the input document that
triggered the error. This means that errors are pseudo-sorted by category, triggered the error. This means that errors are pseudo-sorted by category,
rather than location in the document. rather than location in the document.
@@ -13,7 +13,7 @@ can report errors still process the document mostly linearly. Furthermore,
not only do they process linearly, but the way they pass off operations to not only do they process linearly, but the way they pass off operations to
sub-systems mirrors that of the document. For example, AttrValidator will sub-systems mirrors that of the document. For example, AttrValidator will
linearly proceed through elements, and on each element will use AttrDef to linearly proceed through elements, and on each element will use AttrDef to
validate those contents. From there, the attribute might have more validate those contents. From there, the attribute might have more
sub-components, which have execution passed off accordingly. sub-components, which have execution passed off accordingly.
In fact, each strategy handles a very specific class of "error." In fact, each strategy handles a very specific class of "error."
@@ -56,7 +56,7 @@ set it as a document-wide error. And actually, nothing needs to be done here.
Something interesting to consider is whether or not we care about the locations Something interesting to consider is whether or not we care about the locations
of attributes and CSS properties, i.e. the sub-objects that compose these things. of attributes and CSS properties, i.e. the sub-objects that compose these things.
In terms of consistency, at the very least attributes should have column/line In terms of consistency, at the very least attributes should have column/line
numbers attached to them. However, this may be overkill, as attributes are numbers attached to them. However, this may be overkill, as attributes are
uniquely identifiable. You could go even further, with CSS, but they are also uniquely identifiable. You could go even further, with CSS, but they are also
uniquely identifiable. uniquely identifiable.
@@ -80,12 +80,12 @@ cases).
4. Setup ErrorCollector to use context information to setup hierarchies. 4. Setup ErrorCollector to use context information to setup hierarchies.
This may require a different internal format. Use objects if it gets This may require a different internal format. Use objects if it gets
complex. [DONE] complex. [DONE]
ASIDE ASIDE
More on this topic: since we are now binding errors to lines More on this topic: since we are now binding errors to lines
and columns, a particular error can have three relationships to that and columns, a particular error can have three relationships to that
specific location: specific location:
1. The token at that location directly 1. The token at that location directly
RemoveForeignElements RemoveForeignElements
AttrValidator (transforms) AttrValidator (transforms)
@@ -95,50 +95,50 @@ cases).
3. A modification to that node (i.e. contents from start to end 3. A modification to that node (i.e. contents from start to end
token) as a whole token) as a whole
FixNesting FixNesting
This needs to be marked accordingly. In the presentation, it might This needs to be marked accordingly. In the presentation, it might
make sense keep (3) separate, have (2) a sublist of (1). (1) can make sense keep (3) separate, have (2) a sublist of (1). (1) can
be a closing tag, in which case (3) makes no sense at all, OR it be a closing tag, in which case (3) makes no sense at all, OR it
should be related with its opening tag (this may not necessarily should be related with its opening tag (this may not necessarily
be possible before MakeWellFormed is run). be possible before MakeWellFormed is run).
So, the line and column counts as our identifier, so: So, the line and column counts as our identifier, so:
$errors[$line][$col] = ... $errors[$line][$col] = ...
Then, we need to identify case 1, 2 or 3. They are identified as Then, we need to identify case 1, 2 or 3. They are identified as
such: such:
1. Need some sort of semaphore in RemoveForeignElements, etc. 1. Need some sort of semaphore in RemoveForeignElements, etc.
2. If CurrentAttr/CurrentCssProperty is non-null 2. If CurrentAttr/CurrentCssProperty is non-null
3. Default (FixNesting, MakeWellFormed) 3. Default (FixNesting, MakeWellFormed)
One consideration about (1) is that it usually is actually a One consideration about (1) is that it usually is actually a
(3) modification, but we have no way of knowing about that because (3) modification, but we have no way of knowing about that because
of various optimizations. However, they can probably be treated of various optimizations. However, they can probably be treated
the same. The other difficulty is that (3) is never a line and the same. The other difficulty is that (3) is never a line and
column; rather, it is a range (i.e. a duple) and telling the user column; rather, it is a range (i.e. a duple) and telling the user
the very start of the range may confuse them. For example, the very start of the range may confuse them. For example,
<b>Foo<div>bar</div></b> <b>Foo<div>bar</div></b>
^ ^ ^ ^
The node being operated on is <b>, so the error would be assigned The node being operated on is <b>, so the error would be assigned
to the first caret, with a "node reorganized" error. Then, the to the first caret, with a "node reorganized" error. Then, the
ChildDef would have submitted its own suggestions and errors with ChildDef would have submitted its own suggestions and errors with
regard to what's going in the internals. So I suppose this is regard to what's going in the internals. So I suppose this is
ok. :-) ok. :-)
Now, the structure of the earlier mentioned ... would be something Now, the structure of the earlier mentioned ... would be something
like this: like this:
object { object {
type = (token|attr|property), type = (token|attr|property),
value, // appropriate for type value, // appropriate for type
errors => array(), errors => array(),
sub-errors = [recursive], sub-errors = [recursive],
} }
This helps us keep things agnostic. It is also sufficiently complex This helps us keep things agnostic. It is also sufficiently complex
enough to warrant an object. enough to warrant an object.
@@ -173,7 +173,7 @@ Then we setup suggestions.
5. Setup a separate error class which tells the user any modifications 5. Setup a separate error class which tells the user any modifications
HTML Purifier made. HTML Purifier made.
Some information about this: Some information about this:
Our current paradigm is to tell the user what HTML Purifier did to the HTML. Our current paradigm is to tell the user what HTML Purifier did to the HTML.
@@ -187,7 +187,7 @@ the correct version isn't a bad idea, but problems arise when:
- The user has such bad HTML we do something odd, when we should have just - The user has such bad HTML we do something odd, when we should have just
flagged the HTML as an error. Such examples are when we do things like flagged the HTML as an error. Such examples are when we do things like
remove text from directly inside a <table> tag. It was probably meant to remove text from directly inside a <table> tag. It was probably meant to
be in a <td> tag or be outside the table, but we're not smart enough to be in a <td> tag or be outside the table, but we're not smart enough to
realize this so we just remove it. In such a case, we should tell the user realize this so we just remove it. In such a case, we should tell the user
that there was foreign data in the table, but then we shouldn't "demand" that there was foreign data in the table, but then we shouldn't "demand"
the user remove the data; it's more of a "here's a possible way of the user remove the data; it's more of a "here's a possible way of
@@ -204,6 +204,8 @@ Don't forget to spruce up output.
6. Output needs to automatically give line and column numbers, basically 6. Output needs to automatically give line and column numbers, basically
"at line" on steroids. Look at W3C's output; it's ok. [PARTIALLY DONE] "at line" on steroids. Look at W3C's output; it's ok. [PARTIALLY DONE]
- We need a standard CSS to apply (check demo.css for some starting - We need a standard CSS to apply (check demo.css for some starting
styling; some buttons would also be hip) styling; some buttons would also be hip)
vim: et sw=4 sts=4

2
docs/proposal-filter-levels.txt
View File

@@ -133,3 +133,5 @@ Dramatic - border, list-style-position (list-style), margin, padding,
Dramatic elements substantially change the look of text in ways that should Dramatic elements substantially change the look of text in ways that should
probably have been reserved to other areas. probably have been reserved to other areas.
vim: et sw=4 sts=4

2
docs/proposal-language.txt
View File

@@ -60,3 +60,5 @@ Neat functionality:
- Roman numeral formatting - Roman numeral formatting
Items marked with a + likely need to be addressed by HTML Purifier Items marked with a + likely need to be addressed by HTML Purifier
vim: et sw=4 sts=4

3
docs/proposal-new-directives.txt
View File

@@ -16,7 +16,7 @@ implemented, give us a ring, and we'll move it up the priority chain.
%Attr.ClassBlacklist. When it's Whitelist, only allow those in %Attr.ClassBlacklist. When it's Whitelist, only allow those in
%Attr.ClassWhitelist. %Attr.ClassWhitelist.
%Attr.MaxWidth, %Attr.MaxWidth,
%Attr.MaxHeight - caps for width and height related checks. %Attr.MaxHeight - caps for width and height related checks.
(the hack in Pixels for an image crashing attack could be replaced by this) (the hack in Pixels for an image crashing attack could be replaced by this)
@@ -41,3 +41,4 @@ implemented, give us a ring, and we'll move it up the priority chain.
absolute DNS. While this is actually the preferred method according to absolute DNS. While this is actually the preferred method according to
the RFC, most people opt to use a relative domain name relative to . (root). the RFC, most people opt to use a relative domain name relative to . (root).
vim: et sw=4 sts=4

218
docs/proposal-plists.txt Normal file
View File

@@ -0,0 +1,218 @@
THE UNIVERSAL DESIGN PATTERN: PROPERTIES
Steve Yegge
Implementation:
get(name)
put(name, value)
has(name)
remove(name)
iteration, with filtering [this will be our namespaces]
parent
Representations:
- Keys are strings
- It's nice to not need to quote keys (if we formulate our own language,
consider this)
- Property not present representation (key missing)
- Frequent removal/re-add may have null help. If null is valid, use
another value. (PHP semantics are weird here)
Data structures:
- LinkedHashMap is wonderful (O(1) access and maintains order)
- Using a special property that points to the parent is usual
- Multiple inheritance possible, need rules for which to lookup first
- Iterative inheritance is best
- Consider performance!
Deletion
- Tricky problem with inheritance
- Distinguish between "not found" and "look in my parent for the property"
[Maybe HTML Purifier won't allow deletion]
Read/write asymmetry (it's correct!)
Read-only plists
- Allow ability to freeze [this is what we have already]
- Don't overuse it
Performance:
- Intern strings (PHP does this already)
- Don't be case-insensitive
- If all properties in a plist are known a-priori, you can use a "perfect"
hash function. Often overkill.
- Copy-on-read caching "plundering" reduces lookup, but uses memory and can
grow stale. Use as last resort.
- Refactoring to fields. Watch for API compatibility, system complexity,
and lack of flexibility.
- Refrigerator: external data-structure to hold plists
Transient properties:
[Don't need to worry about this]
- Use a separate plist for transient properties
- Non-numeric override; numeric should ADD
- Deletion: removeTransientProperty() and transientlyRemoveProperty()
Persistence:
- XML/JSON are good
- Text-based is good for readability, maintainability and bootstrapping
- Compressed binary format for network transport [not necessary]
- RDBMS or XML database
Querying: [not relevant]
- XML database is nice for XPath/XQuery
- jQuery for JSON
- Just load it all into a program
Backfills/Data integrity:
- Use usual methods
- Lazy backfill is a nice hack
Type systems:
- Flags: ReadOnly, Permanent, DontEnum
- Typed properties isn't that useful [It's also Not-PHP]
- Seperate meta-list of directive properties IS useful
- Duck typing is useful for systems designed fully around properties pattern
Trade-off:
+ Flexibility
+ Extensibility
+ Unit-testing/prototype-speed
- Performance
- Data integrity
- Navagability/Query-ability
- Reversability (hard to go back)
HTML Purifier
We are not happy with our current system of defining configuration directives,
because it has become clear that things will get a lot nicer if we allow
multiple namespaces, and there are some features that naturally lend themselves
to inheritance, which we do not really support well.
One of the considered implementation changes would be to go from a structure
like:
array(
'Namespace' => array(
'Directive' => 'val1',
'Directive2' => 'val2',
)
)
to:
array(
'Namespace.Directive' => 'val1',
'Namespace.Directive2' => 'val2',
)
The below implementation takes more memory, however, and it makes it a bit
complicated to grab all values from a namespace.
The alternate implementation choice is to allow nested plists. This keeps
iteration easy, but is problematic for inheritance (it would be difficult
to distinguish a plist from an array) and retrieval (when specifying multiple
namespaces we would need some multiple de-referencing).
----
We can bite the performance hit, and just do iteration with filter
(the strncmp call should be relatively cheap). Then, users should be able
to optimize doing something like:
$config = HTMLPurifier_Config::createDefault();
if (!file_exists('config.php')) {
// set up $config
$config->save('config.php');
} else {
$config->load('config.php');
}
Or maybe memcache, or something. This means that "// set up $config" must
not have any dynamic parts, or the user has to invalidate the cache when
they do update it. We have to think about this a little more carefully; the
file call might be more expensive.
----
This might get expensive, however, when we actually care about iterating
over the configuration and want the actual values. So what about nesting the
lists?
"ns.sub.directive" => values['ns']['sub']['directive']
We can distinguish between plists and arrays by using ArrayObjects for the
plists, and regular arrays for the arrays? Alternatively, use ArrayObjects
for the arrays, and regular arrays for the plists.
----
Implementation demands, and what has caused them:
1. DefinitionCache, the HTML, CSS and URI namespaces have caches attached to them
Results:
- getBatchSerial()
- getBatch() : in general, the ability to traverse just a namespace
2. AutoFormat/Filter, this is a plugin architecture, directives not hard-coded
- getBatch()
3. Configuration form
- Namespaces used to organize directives
Other than that, we have a pure plist. PERHAPS we should maintain separate things
for these different demands.
Issue 2: Directives for configuring the plugins are regular plists, but
when enabling them, while it's "plist-ish", what you're really doing is adding
them to an array of "autoformatters"/"filters" to enable. We can setup
magic BC as well as in the new interface, but there should also be an
add('AutoFormat', 'AutoParagraph'); which does the right thing.
One thing to consider is whether or not inheritance rules will apply to these.
I'd say yes. That means that they're still plisty, in fact, the underlying
implementation will probably be a plist. However, they will get their OWN
plists, and will NOT support nesting.
Issue 1: Our current implementation is generally not efficient; md5(serialize($foo))
is pretty expensive. So, I don't think there will be any problems if it
gets "less" efficient, as long as we give users a properly fast alternative;
DefinitionRev gives us a way to do this, by simply telling the user they must
update it whenever they update Configuration directives as well. (There are
obvious BC concerns here).
In such a case, we simply iterate over our plist (performing full retrievals
for each value), grab the entries we care about, and then serialize and hash.
It's going to be slow either way, due to the ability of plists to inherit.
If we ksort(), we don't have to traverse the entire array, however, the
cost of a ksort() call may not be worth it.
At this point, last time, I started worrying about the performance implications
of allowing inheritance, and wondering whether or not I wanted to squash
the plist. At first blush, our code might be under the assumption that
accessing properties is cheap; but actually we prefer to copy out the value
into a member variable if it's going to be used many times. With this is mind
I don't think CPU consumption from a few nested function calls is going to
be a problem. We *are* going to enforce a function only interface.
The next issue at hand is how we're going to manage the "special" plists,
which should still be able to be inherited. Basically, it means that multiple
plists would be attached to the configuration object, which is not the
best for memory performance. The alternative is to keep them all in one
big plist, and then eat the one-time cost of traversing the entire plist
to grab the appropriate values.
I think at this point we can write the generic interface, and then set up separate
plists if that ends up being necessary for performance (it probably won't.) Now
lets code our generic plist implementation.
----
Iterating over the plist presents some problems. The way we've chosen to solve
this is to squash all of the parents.
----
But I don't need iteration.
vim: et sw=4 sts=4

2
docs/ref-content-models.txt
View File

@@ -46,3 +46,5 @@ is eliminated completely, in the latter case, the text of the node
would is preserved (as the parent node does allow PCDATA). Custom would is preserved (as the parent node does allow PCDATA). Custom
content model implementations probably are not the best way of handling content model implementations probably are not the best way of handling
these cases, instead, node bubbling should be implemented instead. these cases, instead, node bubbling should be implemented instead.
vim: et sw=4 sts=4

4
docs/ref-css-length.txt
View File

@@ -22,7 +22,9 @@ Relative:
1 ex ~= 0.5 em, though Mozilla Firefox says 1 ex = 6px 1 ex ~= 0.5 em, though Mozilla Firefox says 1 ex = 6px
1 px ~= 1 pt 1 px ~= 1 pt
Watch out: font-sizes can also be nested to get successively larger Watch out: font-sizes can also be nested to get successively larger
(although I do not relish having to keep track of context font-sizes, (although I do not relish having to keep track of context font-sizes,
this may be necessary, especially for some of the more advanced features this may be necessary, especially for some of the more advanced features
for preventing things like white on white). for preventing things like white on white).
vim: et sw=4 sts=4

3
docs/ref-devnetwork.html
View File

@@ -42,3 +42,6 @@ the development of this library in these forum threads:</p>
</body> </body>
</html> </html>
<!-- vim: et sw=4 sts=4
-->

4
docs/ref-html-modularization.txt
View File

@@ -121,7 +121,7 @@ a proprietary system called ChildDef for performance and flexibility
reasons, but this does not line up very well with W3C's notion of reasons, but this does not line up very well with W3C's notion of
regexps for defining the allowed children of an element. regexps for defining the allowed children of an element.
HTMLPurifier->elements[$element]->content_model and HTMLPurifier->elements[$element]->content_model and
HTMLPurifier->elements[$element]->content_model_type store information HTMLPurifier->elements[$element]->content_model_type store information
about the final ChildDef that will be stored in about the final ChildDef that will be stored in
HTMLPurifier->elements[$element]->child (we use a different variable HTMLPurifier->elements[$element]->child (we use a different variable
@@ -162,3 +162,5 @@ array of content set names to content set contents. If the content set
already exists, your values are appended on to it (great for, say, already exists, your values are appended on to it (great for, say,
registering the font tag as an inline element), otherwise it is registering the font tag as an inline element), otherwise it is
created. They are substituted into content_model. created. They are substituted into content_model.
vim: et sw=4 sts=4

2
docs/ref-proprietary-tags.txt
View File

@@ -22,3 +22,5 @@ HTML Purifier context.
These should be put into their own Tidy module, not loaded by default(?). These These should be put into their own Tidy module, not loaded by default(?). These
all qualify as "lenient" transforms. all qualify as "lenient" transforms.
vim: et sw=4 sts=4

4
docs/ref-whatwg.txt
View File

@@ -18,7 +18,9 @@ committing ourselves till the spec stabilizes, though.
More immediately speaking though, however, is the well-defined parsing More immediately speaking though, however, is the well-defined parsing
behavior that HTML 5 adds. While I have little interest in writing behavior that HTML 5 adds. While I have little interest in writing
another DirectLex parser, other parsers like ph5p another DirectLex parser, other parsers like ph5p
<http://jero.net/lab/ph5p/> can be adapted to DOMLex to support much more <http://jero.net/lab/ph5p/> can be adapted to DOMLex to support much more
flexible HTML parsing (a cool feature I've seen is how they resolve flexible HTML parsing (a cool feature I've seen is how they resolve
<b>bold<i>both</b>italic</i>). <b>bold<i>both</b>italic</i>).
vim: et sw=4 sts=4

2
docs/specimens/LICENSE
View File

@@ -6,3 +6,5 @@ windows-live-mail-desktop-beta.html - donated by laacz, public domain
img.png - LGPL, from <http://commons.wikimedia.org/wiki/Image:Pastille_chrome.png> img.png - LGPL, from <http://commons.wikimedia.org/wiki/Image:Pastille_chrome.png>
All other files are by me, and are licensed under LGPL. All other files are by me, and are licensed under LGPL.
vim: et sw=4 sts=4

2
docs/specimens/html-align-to-css.html
View File

@@ -162,4 +162,4 @@ div.segment {width:250px; float:left; margin-top:1em;}
</div> </div>
</body> </body>
</html> </html>

90
docs/specimens/windows-live-mail-desktop-beta.html
View File

@@ -4,71 +4,71 @@
<STYLE></STYLE> <STYLE></STYLE>
<META content="MSHTML 6.00.6000.16414" name=GENERATOR></HEAD> <META content="MSHTML 6.00.6000.16414" name=GENERATOR></HEAD>
<BODY id=MailContainerBody <BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; FONT-SIZE: 10pt; COLOR: #000000; PADDING-TOP: 15px; FONT-FAMILY: Arial" style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; FONT-SIZE: 10pt; COLOR: #000000; PADDING-TOP: 15px; FONT-FAMILY: Arial"
bgColor=#ff6600 leftMargin=0 background="" topMargin=0 bgColor=#ff6600 leftMargin=0 background="" topMargin=0
name="Compose message area" acc_role="text" CanvasTabStop="false"> name="Compose message area" acc_role="text" CanvasTabStop="false">
<DIV <DIV
style="BORDER-TOP: #dddddd 1px solid; FONT-SIZE: 10pt; WIDTH: 100%; MARGIN-RIGHT: 10px; PADDING-TOP: 5px; BORDER-BOTTOM: #dddddd 1px solid; FONT-FAMILY: Verdana; HEIGHT: 25px; BACKGROUND-COLOR: #ffffff"><NOBR><SPAN style="BORDER-TOP: #dddddd 1px solid; FONT-SIZE: 10pt; WIDTH: 100%; MARGIN-RIGHT: 10px; PADDING-TOP: 5px; BORDER-BOTTOM: #dddddd 1px solid; FONT-FAMILY: Verdana; HEIGHT: 25px; BACKGROUND-COLOR: #ffffff"><NOBR><SPAN
title="View a slideshow of the pictures in this e-mail message." title="View a slideshow of the pictures in this e-mail message."
style="PADDING-RIGHT: 20px"><A style="COLOR: #0088e4" style="PADDING-RIGHT: 20px"><A style="COLOR: #0088e4"
href="http://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&amp;image=47D7B182CFEFB10!127&amp;imagehi=47D7B182CFEFB10!125&amp;CID=323550092004883216">Play href="http://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&amp;image=47D7B182CFEFB10!127&amp;imagehi=47D7B182CFEFB10!125&amp;CID=323550092004883216">Play
slideshow </A></SPAN><SPAN style="COLOR: #909090"><SPAN>|</SPAN><SPAN slideshow </A></SPAN><SPAN style="COLOR: #909090"><SPAN>|</SPAN><SPAN
style="PADDING-LEFT: 20px"> Download the highest quality version of a picture by style="PADDING-LEFT: 20px"> Download the highest quality version of a picture by
clicking the + above it </SPAN></SPAN></NOBR></DIV> clicking the + above it </SPAN></SPAN></NOBR></DIV>
<DIV <DIV
style="PADDING-RIGHT: 5px; PADDING-LEFT: 7px; PADDING-BOTTOM: 2px; WIDTH: 100%; PADDING-TOP: 2px"> style="PADDING-RIGHT: 5px; PADDING-LEFT: 7px; PADDING-BOTTOM: 2px; WIDTH: 100%; PADDING-TOP: 2px">
<OL> <OL>
<LI><IMG title="Angry smile emoticon" <LI><IMG title="Angry smile emoticon"
style="FLOAT: none; MARGIN: 0px; POSITION: static" tabIndex=-1 style="FLOAT: none; MARGIN: 0px; POSITION: static" tabIndex=-1
alt="Angry smile emoticon" src="cid:49F0C856199E4D688D2D740680733D74@wc" alt="Angry smile emoticon" src="cid:49F0C856199E4D688D2D740680733D74@wc"
MSNNonUserImageOrEmoticon="true">Un ka <FONT style="BACKGROUND-COLOR: #800000" MSNNonUserImageOrEmoticon="true">Un ka <FONT style="BACKGROUND-COLOR: #800000"
color=#cc99ff><STRONG>Tev</STRONG></FONT> iet, un ko tu dari? color=#cc99ff><STRONG>Tev</STRONG></FONT> iet, un ko tu dari?
<LI>Aha!</LI></OL> <LI>Aha!</LI></OL>
<UL> <UL>
<LI>Buletets <LI>Buletets
<LI> <LI>
<DIV align=justify><A title=http://laacz.lv/blog/ <DIV align=justify><A title=http://laacz.lv/blog/
href="http://laacz.lv/blog/">http://laacz.lv/blog/</A> un <A href="http://laacz.lv/blog/">http://laacz.lv/blog/</A> un <A
title=http://google.com/ href="http://google.com/">gugle</A></DIV> title=http://google.com/ href="http://google.com/">gugle</A></DIV>
<LI>Sarakstucitis</LI></UL></DIV><SPAN><SPAN xmlns:canvas="canvas-namespace-id" <LI>Sarakstucitis</LI></UL></DIV><SPAN><SPAN xmlns:canvas="canvas-namespace-id"
layoutEmptyTextWellFont="Tahoma"><SPAN layoutEmptyTextWellFont="Tahoma"><SPAN
style="MARGIN-BOTTOM: 15px; OVERFLOW: visible; HEIGHT: 16px"></SPAN><SPAN style="MARGIN-BOTTOM: 15px; OVERFLOW: visible; HEIGHT: 16px"></SPAN><SPAN
style="MARGIN-BOTTOM: 25px; VERTICAL-ALIGN: top; OVERFLOW: visible; MARGIN-RIGHT: 25px; HEIGHT: 234px"> style="MARGIN-BOTTOM: 25px; VERTICAL-ALIGN: top; OVERFLOW: visible; MARGIN-RIGHT: 25px; HEIGHT: 234px">
<TABLE style="DISPLAY: inline"> <TABLE style="DISPLAY: inline">
<TBODY> <TBODY>
<TR> <TR>
<TD> <TD>
<DIV <DIV
style="FONT-WEIGHT: bold; FONT-SIZE: 12pt; FONT-FAMILY: arial; TEXT-ALIGN: center"><A style="FONT-WEIGHT: bold; FONT-SIZE: 12pt; FONT-FAMILY: arial; TEXT-ALIGN: center"><A
id=HiresARef id=HiresARef
title="Click here to view or download a high resolution version of this picture" title="Click here to view or download a high resolution version of this picture"
style="COLOR: #0088e4; TEXT-DECORATION: none" style="COLOR: #0088e4; TEXT-DECORATION: none"
href="http://byfiles.storage.msn.com/x1pMvt0I80jTgT6DuaCpEMbprX3nk3jNv_vjigxV_EYVSMyM_PKgEvDEUtuNhQC-F-23mTTcKyqx6eGaeK2e_wMJ0ikwpDdFntk4SY7pfJUv2g2Ck6R2S2vAA?download">+</A></DIV> href="http://byfiles.storage.msn.com/x1pMvt0I80jTgT6DuaCpEMbprX3nk3jNv_vjigxV_EYVSMyM_PKgEvDEUtuNhQC-F-23mTTcKyqx6eGaeK2e_wMJ0ikwpDdFntk4SY7pfJUv2g2Ck6R2S2vAA?download">+</A></DIV>
<DIV <DIV
title="Click here to view the full image using the online photo viewer." title="Click here to view the full image using the online photo viewer."
style="DISPLAY: inline; OVERFLOW: hidden; WIDTH: 140px; HEIGHT: 140px"><A style="DISPLAY: inline; OVERFLOW: hidden; WIDTH: 140px; HEIGHT: 140px"><A
href="http://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&amp;image=47D7B182CFEFB10!127&amp;imagehi=47D7B182CFEFB10!125&amp;CID=323550092004883216" href="http://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&amp;image=47D7B182CFEFB10!127&amp;imagehi=47D7B182CFEFB10!125&amp;CID=323550092004883216"
border="0"><IMG border="0"><IMG
style="MARGIN-TOP: 15px; DISPLAY: inline-block; MARGIN-LEFT: 0px" style="MARGIN-TOP: 15px; DISPLAY: inline-block; MARGIN-LEFT: 0px"
height=109 src="cid:006A71303B80404E9FB6184E55D6A446@wc" width=140 height=109 src="cid:006A71303B80404E9FB6184E55D6A446@wc" width=140
border=0></A></DIV></TD></TR> border=0></A></DIV></TD></TR>
<TR> <TR>
<TD> <TD>
<DIV <DIV
style="FONT-SIZE: 10pt; WIDTH: 140px; FONT-FAMILY: verdana; TEXT-ALIGN: center"><EM><STRONG>This style="FONT-SIZE: 10pt; WIDTH: 140px; FONT-FAMILY: verdana; TEXT-ALIGN: center"><EM><STRONG>This
<U>is </U></STRONG><U>tit</U>le</EM> fo<STRONG>r <FONT <U>is </U></STRONG><U>tit</U>le</EM> fo<STRONG>r <FONT
face="Arial Black">t<FONT color=#800000 size=7>h<U>i</U></FONT>s face="Arial Black">t<FONT color=#800000 size=7>h<U>i</U></FONT>s
</FONT>picture</STRONG></DIV></TD></TR></TBODY></TABLE></SPAN></SPAN></SPAN> </FONT>picture</STRONG></DIV></TD></TR></TBODY></TABLE></SPAN></SPAN></SPAN>
<DIV <DIV
style="PADDING-RIGHT: 5px; PADDING-LEFT: 7px; PADDING-BOTTOM: 2px; WIDTH: 100%; PADDING-TOP: 2px; HEIGHT: 50px"> style="PADDING-RIGHT: 5px; PADDING-LEFT: 7px; PADDING-BOTTOM: 2px; WIDTH: 100%; PADDING-TOP: 2px; HEIGHT: 50px">
<DIV>&nbsp;</DIV></DIV> <DIV>&nbsp;</DIV></DIV>
<DIV <DIV
style="BORDER-TOP: #dddddd 1px solid; FONT-SIZE: 10pt; MARGIN-BOTTOM: 10px; WIDTH: 100%; COLOR: #909090; MARGIN-RIGHT: 10px; PADDING-TOP: 9px; FONT-FAMILY: Verdana; HEIGHT: 42px; BACKGROUND-COLOR: #ffffff"><NOBR><SPAN style="BORDER-TOP: #dddddd 1px solid; FONT-SIZE: 10pt; MARGIN-BOTTOM: 10px; WIDTH: 100%; COLOR: #909090; MARGIN-RIGHT: 10px; PADDING-TOP: 9px; FONT-FAMILY: Verdana; HEIGHT: 42px; BACKGROUND-COLOR: #ffffff"><NOBR><SPAN
title="Join Windows Live to share photos using Windows Live Photo E-mail.">Online title="Join Windows Live to share photos using Windows Live Photo E-mail.">Online
pictures are available for 30 days. <A style="COLOR: #0088e4" pictures are available for 30 days. <A style="COLOR: #0088e4"
href="http://g.msn.com/5meen_us/175">Get Windows Live Mail desktop to create href="http://g.msn.com/5meen_us/175">Get Windows Live Mail desktop to create
your own photo e-mails. </A></SPAN></NOBR></DIV></BODY></HTML> your own photo e-mails. </A></SPAN></NOBR></DIV></BODY></HTML>

2
docs/style.css
View File

@@ -72,3 +72,5 @@ q:after {
.fixme:before {content:"Fix me: "; font-weight:bold; color:#C00; } .fixme:before {content:"Fix me: "; font-weight:bold; color:#C00; }
#applicability {margin: 1em 5%; font-style:italic;} #applicability {margin: 1em 5%; font-style:italic;}
/* vim: et sw=4 sts=4 */

21
extras/ConfigDoc/HTMLXSLTProcessor.php
View File

@@ -5,17 +5,17 @@
*/ */
class ConfigDoc_HTMLXSLTProcessor class ConfigDoc_HTMLXSLTProcessor
{ {
/** /**
* Instance of XSLTProcessor * Instance of XSLTProcessor
*/ */
protected $xsltProcessor; protected $xsltProcessor;
public function __construct($proc = false) { public function __construct($proc = false) {
if ($proc === false) $proc = new XSLTProcessor(); if ($proc === false) $proc = new XSLTProcessor();
$this->xsltProcessor = $proc; $this->xsltProcessor = $proc;
} }
/** /**
* @note Allows a string $xsl filename to be passed * @note Allows a string $xsl filename to be passed
*/ */
@@ -27,7 +27,7 @@ class ConfigDoc_HTMLXSLTProcessor
} }
return $this->xsltProcessor->importStylesheet($xsl); return $this->xsltProcessor->importStylesheet($xsl);
} }
/** /**
* Transforms an XML file into compatible XHTML based on the stylesheet * Transforms an XML file into compatible XHTML based on the stylesheet
* @param $xml XML DOM tree, or string filename * @param $xml XML DOM tree, or string filename
@@ -42,12 +42,12 @@ class ConfigDoc_HTMLXSLTProcessor
$dom = $xml; $dom = $xml;
} }
$out = $this->xsltProcessor->transformToXML($dom); $out = $this->xsltProcessor->transformToXML($dom);
// fudges for HTML backwards compatibility // fudges for HTML backwards compatibility
// assumes that document is XHTML // assumes that document is XHTML
$out = str_replace('/>', ' />', $out); // <br /> not <br/> $out = str_replace('/>', ' />', $out); // <br /> not <br/>
$out = str_replace(' xmlns=""', '', $out); // rm unnecessary xmlns $out = str_replace(' xmlns=""', '', $out); // rm unnecessary xmlns
if (class_exists('Tidy')) { if (class_exists('Tidy')) {
// cleanup output // cleanup output
$config = array( $config = array(
@@ -60,10 +60,10 @@ class ConfigDoc_HTMLXSLTProcessor
$tidy->cleanRepair(); $tidy->cleanRepair();
$out = (string) $tidy; $out = (string) $tidy;
} }
return $out; return $out;
} }
/** /**
* Bulk sets parameters for the XSL stylesheet * Bulk sets parameters for the XSL stylesheet
* @param array $options Associative array of options to set * @param array $options Associative array of options to set
@@ -73,13 +73,14 @@ class ConfigDoc_HTMLXSLTProcessor
$this->xsltProcessor->setParameter('', $name, $value); $this->xsltProcessor->setParameter('', $name, $value);
} }
} }
/** /**
* Forward any other calls to the XSLT processor * Forward any other calls to the XSLT processor
*/ */
public function __call($name, $arguments) { public function __call($name, $arguments) {
call_user_func_array(array($this->xsltProcessor, $name), $arguments); call_user_func_array(array($this->xsltProcessor, $name), $arguments);
} }
} }
// vim: et sw=4 sts=4

34
extras/FSTools.php
View File

@@ -3,15 +3,15 @@
/** /**
* Filesystem tools not provided by default; can recursively create, copy * Filesystem tools not provided by default; can recursively create, copy
* and delete folders. Some template methods are provided for extensibility. * and delete folders. Some template methods are provided for extensibility.
* *
* @note This class must be instantiated to be used, although it does * @note This class must be instantiated to be used, although it does
* not maintain state. * not maintain state.
*/ */
class FSTools class FSTools
{ {
private static $singleton; private static $singleton;
/** /**
* Returns a global instance of FSTools * Returns a global instance of FSTools
*/ */
@@ -19,7 +19,7 @@ class FSTools
if (empty(FSTools::$singleton)) FSTools::$singleton = new FSTools(); if (empty(FSTools::$singleton)) FSTools::$singleton = new FSTools();
return FSTools::$singleton; return FSTools::$singleton;
} }
/** /**
* Sets our global singleton to something else; useful for overloading * Sets our global singleton to something else; useful for overloading
* functions. * functions.
@@ -27,7 +27,7 @@ class FSTools
static public function setSingleton($singleton) { static public function setSingleton($singleton) {
FSTools::$singleton = $singleton; FSTools::$singleton = $singleton;
} }
/** /**
* Recursively creates a directory * Recursively creates a directory
* @param string $folder Name of folder to create * @param string $folder Name of folder to create
@@ -51,7 +51,7 @@ class FSTools
$base .= DIRECTORY_SEPARATOR; $base .= DIRECTORY_SEPARATOR;
} }
} }
/** /**
* Copy a file, or recursively copy a folder and its contents; modified * Copy a file, or recursively copy a folder and its contents; modified
* so that copied files, if PHP, have includes removed * so that copied files, if PHP, have includes removed
@@ -85,17 +85,17 @@ class FSTools
$dir->close(); $dir->close();
return true; return true;
} }
/** /**
* Overloadable function that tests a filename for copyability. By * Overloadable function that tests a filename for copyability. By
* default, everything should be copied; you can restrict things to * default, everything should be copied; you can restrict things to
* ignore hidden files, unreadable files, etc. This function * ignore hidden files, unreadable files, etc. This function
* applies to copyr(). * applies to copyr().
*/ */
public function copyable($file) { public function copyable($file) {
return true; return true;
} }
/** /**
* Delete a file, or a folder and its contents * Delete a file, or a folder and its contents
* @note Adapted from http://aidanlister.com/repos/v/function.rmdirr.php * @note Adapted from http://aidanlister.com/repos/v/function.rmdirr.php
@@ -106,12 +106,12 @@ class FSTools
if (!$this->file_exists($dirname)) { if (!$this->file_exists($dirname)) {
return false; return false;
} }
// Simple delete for a file // Simple delete for a file
if ($this->is_file($dirname) || $this->is_link($dirname)) { if ($this->is_file($dirname) || $this->is_link($dirname)) {
return $this->unlink($dirname); return $this->unlink($dirname);
} }
// Loop through the folder // Loop through the folder
$dir = $this->dir($dirname); $dir = $this->dir($dirname);
while (false !== $entry = $dir->read()) { while (false !== $entry = $dir->read()) {
@@ -122,12 +122,12 @@ class FSTools
// Recurse // Recurse
$this->rmdirr($dirname . DIRECTORY_SEPARATOR . $entry); $this->rmdirr($dirname . DIRECTORY_SEPARATOR . $entry);
} }
// Clean up // Clean up
$dir->close(); $dir->close();
return $this->rmdir($dirname); return $this->rmdir($dirname);
} }
/** /**
* Recursively globs a directory. * Recursively globs a directory.
*/ */
@@ -140,9 +140,9 @@ class FSTools
$sub_files = $this->globr($sub_dir, $pattern, $flags); $sub_files = $this->globr($sub_dir, $pattern, $flags);
$files = array_merge($files, $sub_files); $files = array_merge($files, $sub_files);
} }
return $files; return $files;
} }
/** /**
* Allows for PHP functions to be called and be stubbed. * Allows for PHP functions to be called and be stubbed.
* @warning This function will not work for functions that need * @warning This function will not work for functions that need
@@ -151,5 +151,7 @@ class FSTools
public function __call($name, $args) { public function __call($name, $args) {
return call_user_func_array($name, $args); return call_user_func_array($name, $args);
} }
} }
// vim: et sw=4 sts=4

44
extras/FSTools/File.php
View File

@@ -9,16 +9,16 @@
*/ */
class FSTools_File class FSTools_File
{ {
/** Filename of file this object represents */ /** Filename of file this object represents */
protected $name; protected $name;
/** Handle for the file */ /** Handle for the file */
protected $handle = false; protected $handle = false;
/** Instance of FSTools for interfacing with filesystem */ /** Instance of FSTools for interfacing with filesystem */
protected $fs; protected $fs;
/** /**
* Filename of file you wish to instantiate. * Filename of file you wish to instantiate.
* @note This file need not exist * @note This file need not exist
@@ -27,13 +27,13 @@ class FSTools_File
$this->name = $name; $this->name = $name;
$this->fs = $fs ? $fs : FSTools::singleton(); $this->fs = $fs ? $fs : FSTools::singleton();
} }
/** Returns the filename of the file. */ /** Returns the filename of the file. */
public function getName() {return $this->name;} public function getName() {return $this->name;}
/** Returns directory of the file without trailing slash */ /** Returns directory of the file without trailing slash */
public function getDirectory() {return $this->fs->dirname($this->name);} public function getDirectory() {return $this->fs->dirname($this->name);}
/** /**
* Retrieves the contents of a file * Retrieves the contents of a file
* @todo Throw an exception if file doesn't exist * @todo Throw an exception if file doesn't exist
@@ -41,27 +41,27 @@ class FSTools_File
public function get() { public function get() {
return $this->fs->file_get_contents($this->name); return $this->fs->file_get_contents($this->name);
} }
/** Writes contents to a file, creates new file if necessary */ /** Writes contents to a file, creates new file if necessary */
public function write($contents) { public function write($contents) {
return $this->fs->file_put_contents($this->name, $contents); return $this->fs->file_put_contents($this->name, $contents);
} }
/** Deletes the file */ /** Deletes the file */
public function delete() { public function delete() {
return $this->fs->unlink($this->name); return $this->fs->unlink($this->name);
} }
/** Returns true if file exists and is a file. */ /** Returns true if file exists and is a file. */
public function exists() { public function exists() {
return $this->fs->is_file($this->name); return $this->fs->is_file($this->name);
} }
/** Returns last file modification time */ /** Returns last file modification time */
public function getMTime() { public function getMTime() {
return $this->fs->filemtime($this->name); return $this->fs->filemtime($this->name);
} }
/** /**
* Chmod a file * Chmod a file
* @note We ignore errors because of some weird owner trickery due * @note We ignore errors because of some weird owner trickery due
@@ -70,14 +70,14 @@ class FSTools_File
public function chmod($octal_code) { public function chmod($octal_code) {
return @$this->fs->chmod($this->name, $octal_code); return @$this->fs->chmod($this->name, $octal_code);
} }
/** Opens file's handle */ /** Opens file's handle */
public function open($mode) { public function open($mode) {
if ($this->handle) $this->close(); if ($this->handle) $this->close();
$this->handle = $this->fs->fopen($this->name, $mode); $this->handle = $this->fs->fopen($this->name, $mode);
return true; return true;
} }
/** Closes file's handle */ /** Closes file's handle */
public function close() { public function close() {
if (!$this->handle) return false; if (!$this->handle) return false;
@@ -85,40 +85,42 @@ class FSTools_File
$this->handle = false; $this->handle = false;
return $status; return $status;
} }
/** Retrieves a line from an open file, with optional max length $length */ /** Retrieves a line from an open file, with optional max length $length */
public function getLine($length = null) { public function getLine($length = null) {
if (!$this->handle) $this->open('r'); if (!$this->handle) $this->open('r');
if ($length === null) return $this->fs->fgets($this->handle); if ($length === null) return $this->fs->fgets($this->handle);
else return $this->fs->fgets($this->handle, $length); else return $this->fs->fgets($this->handle, $length);
} }
/** Retrieves a character from an open file */ /** Retrieves a character from an open file */
public function getChar() { public function getChar() {
if (!$this->handle) $this->open('r'); if (!$this->handle) $this->open('r');
return $this->fs->fgetc($this->handle); return $this->fs->fgetc($this->handle);
} }
/** Retrieves an $length bytes of data from an open data */ /** Retrieves an $length bytes of data from an open data */
public function read($length) { public function read($length) {
if (!$this->handle) $this->open('r'); if (!$this->handle) $this->open('r');
return $this->fs->fread($this->handle, $length); return $this->fs->fread($this->handle, $length);
} }
/** Writes to an open file */ /** Writes to an open file */
public function put($string) { public function put($string) {
if (!$this->handle) $this->open('a'); if (!$this->handle) $this->open('a');
return $this->fs->fwrite($this->handle, $string); return $this->fs->fwrite($this->handle, $string);
} }
/** Returns TRUE if the end of the file has been reached */ /** Returns TRUE if the end of the file has been reached */
public function eof() { public function eof() {
if (!$this->handle) return true; if (!$this->handle) return true;
return $this->fs->feof($this->handle); return $this->fs->feof($this->handle);
} }
public function __destruct() { public function __destruct() {
if ($this->handle) $this->close(); if ($this->handle) $this->close();
} }
} }
// vim: et sw=4 sts=4

2
extras/HTMLPurifierExtras.auto.php
View File

@@ -7,3 +7,5 @@
set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() ); set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() );
require_once 'HTMLPurifierExtras.php'; require_once 'HTMLPurifierExtras.php';
require_once 'HTMLPurifierExtras.autoload.php'; require_once 'HTMLPurifierExtras.autoload.php';
// vim: et sw=4 sts=4

4
extras/HTMLPurifierExtras.autoload.php
View File

@@ -3,7 +3,7 @@
/** /**
* @file * @file
* Convenience file that registers autoload handler for HTML Purifier. * Convenience file that registers autoload handler for HTML Purifier.
* *
* @warning * @warning
* This autoloader does not contain the compatibility code seen in * This autoloader does not contain the compatibility code seen in
* HTMLPurifier_Bootstrap; the user is expected to make any necessary * HTMLPurifier_Bootstrap; the user is expected to make any necessary
@@ -21,3 +21,5 @@ if (function_exists('spl_autoload_register')) {
return HTMLPurifierExtras::autoload($class); return HTMLPurifierExtras::autoload($class);
} }
} }
// vim: et sw=4 sts=4

8
extras/HTMLPurifierExtras.php
View File

@@ -6,14 +6,14 @@
*/ */
class HTMLPurifierExtras class HTMLPurifierExtras
{ {
public static function autoload($class) { public static function autoload($class) {
$path = HTMLPurifierExtras::getPath($class); $path = HTMLPurifierExtras::getPath($class);
if (!$path) return false; if (!$path) return false;
require $path; require $path;
return true; return true;
} }
public static function getPath($class) { public static function getPath($class) {
if ( if (
strncmp('FSTools', $class, 7) !== 0 && strncmp('FSTools', $class, 7) !== 0 &&
@@ -23,5 +23,7 @@ class HTMLPurifierExtras
// Standard implementation: // Standard implementation:
return str_replace('_', '/', $class) . '.php'; return str_replace('_', '/', $class) . '.php';
} }
} }
// vim: et sw=4 sts=4

4
extras/README
View File

@@ -24,7 +24,9 @@ the filesystem. It currently consists of two classes:
to call arbitrary native PHP functions through it like $FS->fopen(...). to call arbitrary native PHP functions through it like $FS->fopen(...).
This makes it a lot simpler to mock these filesystem calls for unit testing. This makes it a lot simpler to mock these filesystem calls for unit testing.
- FSTools_File: This object represents a single file, and has almost any - FSTools_File: This object represents a single file, and has almost any
method imaginable one would need. method imaginable one would need.
Check the files themselves for more information. Check the files themselves for more information.
vim: et sw=4 sts=4

2
library/HTMLPurifier.auto.php
View File

@@ -7,3 +7,5 @@
set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() ); set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() );
require_once 'HTMLPurifier/Bootstrap.php'; require_once 'HTMLPurifier/Bootstrap.php';
require_once 'HTMLPurifier.autoload.php'; require_once 'HTMLPurifier.autoload.php';
// vim: et sw=4 sts=4

2
library/HTMLPurifier.autoload.php
View File

@@ -17,3 +17,5 @@ if (function_exists('spl_autoload_register') && function_exists('spl_autoload_un
return HTMLPurifier_Bootstrap::autoload($class); return HTMLPurifier_Bootstrap::autoload($class);
} }
} }
// vim: et sw=4 sts=4

1
library/HTMLPurifier.func.php
View File

@@ -20,3 +20,4 @@ function HTMLPurifier($html, $config = null) {
return $purifier->purify($html, $config); return $purifier->purify($html, $config);
} }
// vim: et sw=4 sts=4

18
library/HTMLPurifier.includes.php
View File

@@ -6,13 +6,13 @@
* the core files required by HTML Purifier. Use this if performance is a * the core files required by HTML Purifier. Use this if performance is a
* primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
* FILE, changes will be overwritten the next time the script is run. * FILE, changes will be overwritten the next time the script is run.
* *
* @version 3.2.0 * @version 4.2.0
* *
* @warning * @warning
* You must *not* include any other HTML Purifier files before this file, * You must *not* include any other HTML Purifier files before this file,
* because 'require' not 'require_once' is used. * because 'require' not 'require_once' is used.
* *
* @warning * @warning
* This file requires that the include path contains the HTML Purifier * This file requires that the include path contains the HTML Purifier
* library directory; this is not auto-set. * library directory; this is not auto-set.
@@ -55,6 +55,8 @@ require 'HTMLPurifier/LanguageFactory.php';
require 'HTMLPurifier/Length.php'; require 'HTMLPurifier/Length.php';
require 'HTMLPurifier/Lexer.php'; require 'HTMLPurifier/Lexer.php';
require 'HTMLPurifier/PercentEncoder.php'; require 'HTMLPurifier/PercentEncoder.php';
require 'HTMLPurifier/PropertyList.php';
require 'HTMLPurifier/PropertyListIterator.php';
require 'HTMLPurifier/Strategy.php'; require 'HTMLPurifier/Strategy.php';
require 'HTMLPurifier/StringHash.php'; require 'HTMLPurifier/StringHash.php';
require 'HTMLPurifier/StringHashParser.php'; require 'HTMLPurifier/StringHashParser.php';
@@ -96,6 +98,8 @@ require 'HTMLPurifier/AttrDef/CSS/Percentage.php';
require 'HTMLPurifier/AttrDef/CSS/TextDecoration.php'; require 'HTMLPurifier/AttrDef/CSS/TextDecoration.php';
require 'HTMLPurifier/AttrDef/CSS/URI.php'; require 'HTMLPurifier/AttrDef/CSS/URI.php';
require 'HTMLPurifier/AttrDef/HTML/Bool.php'; require 'HTMLPurifier/AttrDef/HTML/Bool.php';
require 'HTMLPurifier/AttrDef/HTML/Nmtokens.php';
require 'HTMLPurifier/AttrDef/HTML/Class.php';
require 'HTMLPurifier/AttrDef/HTML/Color.php'; require 'HTMLPurifier/AttrDef/HTML/Color.php';
require 'HTMLPurifier/AttrDef/HTML/FrameTarget.php'; require 'HTMLPurifier/AttrDef/HTML/FrameTarget.php';
require 'HTMLPurifier/AttrDef/HTML/ID.php'; require 'HTMLPurifier/AttrDef/HTML/ID.php';
@@ -103,7 +107,6 @@ require 'HTMLPurifier/AttrDef/HTML/Pixels.php';
require 'HTMLPurifier/AttrDef/HTML/Length.php'; require 'HTMLPurifier/AttrDef/HTML/Length.php';
require 'HTMLPurifier/AttrDef/HTML/LinkTypes.php'; require 'HTMLPurifier/AttrDef/HTML/LinkTypes.php';
require 'HTMLPurifier/AttrDef/HTML/MultiLength.php'; require 'HTMLPurifier/AttrDef/HTML/MultiLength.php';
require 'HTMLPurifier/AttrDef/HTML/Nmtokens.php';
require 'HTMLPurifier/AttrDef/URI/Email.php'; require 'HTMLPurifier/AttrDef/URI/Email.php';
require 'HTMLPurifier/AttrDef/URI/Host.php'; require 'HTMLPurifier/AttrDef/URI/Host.php';
require 'HTMLPurifier/AttrDef/URI/IPv4.php'; require 'HTMLPurifier/AttrDef/URI/IPv4.php';
@@ -121,6 +124,7 @@ require 'HTMLPurifier/AttrTransform/Input.php';
require 'HTMLPurifier/AttrTransform/Lang.php'; require 'HTMLPurifier/AttrTransform/Lang.php';
require 'HTMLPurifier/AttrTransform/Length.php'; require 'HTMLPurifier/AttrTransform/Length.php';
require 'HTMLPurifier/AttrTransform/Name.php'; require 'HTMLPurifier/AttrTransform/Name.php';
require 'HTMLPurifier/AttrTransform/NameSync.php';
require 'HTMLPurifier/AttrTransform/SafeEmbed.php'; require 'HTMLPurifier/AttrTransform/SafeEmbed.php';
require 'HTMLPurifier/AttrTransform/SafeObject.php'; require 'HTMLPurifier/AttrTransform/SafeObject.php';
require 'HTMLPurifier/AttrTransform/SafeParam.php'; require 'HTMLPurifier/AttrTransform/SafeParam.php';
@@ -172,6 +176,7 @@ require 'HTMLPurifier/Injector/DisplayLinkURI.php';
require 'HTMLPurifier/Injector/Linkify.php'; require 'HTMLPurifier/Injector/Linkify.php';
require 'HTMLPurifier/Injector/PurifierLinkify.php'; require 'HTMLPurifier/Injector/PurifierLinkify.php';
require 'HTMLPurifier/Injector/RemoveEmpty.php'; require 'HTMLPurifier/Injector/RemoveEmpty.php';
require 'HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php';
require 'HTMLPurifier/Injector/SafeObject.php'; require 'HTMLPurifier/Injector/SafeObject.php';
require 'HTMLPurifier/Lexer/DOMLex.php'; require 'HTMLPurifier/Lexer/DOMLex.php';
require 'HTMLPurifier/Lexer/DirectLex.php'; require 'HTMLPurifier/Lexer/DirectLex.php';
@@ -191,9 +196,12 @@ require 'HTMLPurifier/Token/Start.php';
require 'HTMLPurifier/Token/Text.php'; require 'HTMLPurifier/Token/Text.php';
require 'HTMLPurifier/URIFilter/DisableExternal.php'; require 'HTMLPurifier/URIFilter/DisableExternal.php';
require 'HTMLPurifier/URIFilter/DisableExternalResources.php'; require 'HTMLPurifier/URIFilter/DisableExternalResources.php';
require 'HTMLPurifier/URIFilter/DisableResources.php';
require 'HTMLPurifier/URIFilter/HostBlacklist.php'; require 'HTMLPurifier/URIFilter/HostBlacklist.php';
require 'HTMLPurifier/URIFilter/MakeAbsolute.php'; require 'HTMLPurifier/URIFilter/MakeAbsolute.php';
require 'HTMLPurifier/URIFilter/Munge.php'; require 'HTMLPurifier/URIFilter/Munge.php';
require 'HTMLPurifier/URIScheme/data.php';
require 'HTMLPurifier/URIScheme/file.php';
require 'HTMLPurifier/URIScheme/ftp.php'; require 'HTMLPurifier/URIScheme/ftp.php';
require 'HTMLPurifier/URIScheme/http.php'; require 'HTMLPurifier/URIScheme/http.php';
require 'HTMLPurifier/URIScheme/https.php'; require 'HTMLPurifier/URIScheme/https.php';

8
library/HTMLPurifier.kses.php
View File

@@ -17,12 +17,14 @@ function kses($string, $allowed_html, $allowed_protocols = null) {
$allowed_attributes["$element.$attribute"] = true; $allowed_attributes["$element.$attribute"] = true;
} }
} }
$config->set('HTML', 'AllowedElements', $allowed_elements); $config->set('HTML.AllowedElements', $allowed_elements);
$config->set('HTML', 'AllowedAttributes', $allowed_attributes); $config->set('HTML.AllowedAttributes', $allowed_attributes);
$allowed_schemes = array(); $allowed_schemes = array();
if ($allowed_protocols !== null) { if ($allowed_protocols !== null) {
$config->set('URI', 'AllowedSchemes', $allowed_protocols); $config->set('URI.AllowedSchemes', $allowed_protocols);
} }
$purifier = new HTMLPurifier($config); $purifier = new HTMLPurifier($config);
return $purifier->purify($string); return $purifier->purify($string);
} }
// vim: et sw=4 sts=4

2
library/HTMLPurifier.path.php
View File

@@ -7,3 +7,5 @@
*/ */
set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() ); set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() );
// vim: et sw=4 sts=4

87
library/HTMLPurifier.php
View File

@@ -1,11 +1,11 @@
<?php <?php
/*! @mainpage /*! @mainpage
* *
* HTML Purifier is an HTML filter that will take an arbitrary snippet of * HTML Purifier is an HTML filter that will take an arbitrary snippet of
* HTML and rigorously test, validate and filter it into a version that * HTML and rigorously test, validate and filter it into a version that
* is safe for output onto webpages. It achieves this by: * is safe for output onto webpages. It achieves this by:
* *
* -# Lexing (parsing into tokens) the document, * -# Lexing (parsing into tokens) the document,
* -# Executing various strategies on the tokens: * -# Executing various strategies on the tokens:
* -# Removing all elements not in the whitelist, * -# Removing all elements not in the whitelist,
@@ -13,13 +13,13 @@
* -# Fixing the nesting of the nodes, and * -# Fixing the nesting of the nodes, and
* -# Validating attributes of the nodes; and * -# Validating attributes of the nodes; and
* -# Generating HTML from the purified tokens. * -# Generating HTML from the purified tokens.
* *
* However, most users will only need to interface with the HTMLPurifier * However, most users will only need to interface with the HTMLPurifier
* and HTMLPurifier_Config. * and HTMLPurifier_Config.
*/ */
/* /*
HTML Purifier 3.2.0 - Standards Compliant HTML Filtering HTML Purifier 4.2.0 - Standards Compliant HTML Filtering
Copyright (C) 2006-2008 Edward Z. Yang Copyright (C) 2006-2008 Edward Z. Yang
This library is free software; you can redistribute it and/or This library is free software; you can redistribute it and/or
@@ -39,44 +39,44 @@
/** /**
* Facade that coordinates HTML Purifier's subsystems in order to purify HTML. * Facade that coordinates HTML Purifier's subsystems in order to purify HTML.
* *
* @note There are several points in which configuration can be specified * @note There are several points in which configuration can be specified
* for HTML Purifier. The precedence of these (from lowest to * for HTML Purifier. The precedence of these (from lowest to
* highest) is as follows: * highest) is as follows:
* -# Instance: new HTMLPurifier($config) * -# Instance: new HTMLPurifier($config)
* -# Invocation: purify($html, $config) * -# Invocation: purify($html, $config)
* These configurations are entirely independent of each other and * These configurations are entirely independent of each other and
* are *not* merged (this behavior may change in the future). * are *not* merged (this behavior may change in the future).
* *
* @todo We need an easier way to inject strategies using the configuration * @todo We need an easier way to inject strategies using the configuration
* object. * object.
*/ */
class HTMLPurifier class HTMLPurifier
{ {
/** Version of HTML Purifier */ /** Version of HTML Purifier */
public $version = '3.2.0'; public $version = '4.2.0';
/** Constant with version of HTML Purifier */ /** Constant with version of HTML Purifier */
const VERSION = '3.2.0'; const VERSION = '4.2.0';
/** Global configuration object */ /** Global configuration object */
public $config; public $config;
/** Array of extra HTMLPurifier_Filter objects to run on HTML, for backwards compatibility */ /** Array of extra HTMLPurifier_Filter objects to run on HTML, for backwards compatibility */
private $filters = array(); private $filters = array();
/** Single instance of HTML Purifier */ /** Single instance of HTML Purifier */
private static $instance; private static $instance;
protected $strategy, $generator; protected $strategy, $generator;
/** /**
* Resultant HTMLPurifier_Context of last run purification. Is an array * Resultant HTMLPurifier_Context of last run purification. Is an array
* of contexts if the last called method was purifyArray(). * of contexts if the last called method was purifyArray().
*/ */
public $context; public $context;
/** /**
* Initializes the purifier. * Initializes the purifier.
* @param $config Optional HTMLPurifier_Config object for all instances of * @param $config Optional HTMLPurifier_Config object for all instances of
@@ -86,13 +86,13 @@ class HTMLPurifier
* HTMLPurifier_Config::create() supports. * HTMLPurifier_Config::create() supports.
*/ */
public function __construct($config = null) { public function __construct($config = null) {
$this->config = HTMLPurifier_Config::create($config); $this->config = HTMLPurifier_Config::create($config);
$this->strategy = new HTMLPurifier_Strategy_Core(); $this->strategy = new HTMLPurifier_Strategy_Core();
} }
/** /**
* Adds a filter to process the output. First come first serve * Adds a filter to process the output. First come first serve
* @param $filter HTMLPurifier_Filter object * @param $filter HTMLPurifier_Filter object
@@ -101,10 +101,10 @@ class HTMLPurifier
trigger_error('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom', E_USER_WARNING); trigger_error('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom', E_USER_WARNING);
$this->filters[] = $filter; $this->filters[] = $filter;
} }
/** /**
* Filters an HTML snippet/document to be XSS-free and standards-compliant. * Filters an HTML snippet/document to be XSS-free and standards-compliant.
* *
* @param $html String of HTML to purify * @param $html String of HTML to purify
* @param $config HTMLPurifier_Config object for this operation, if omitted, * @param $config HTMLPurifier_Config object for this operation, if omitted,
* defaults to the config object specified during this * defaults to the config object specified during this
@@ -113,38 +113,38 @@ class HTMLPurifier
* @return Purified HTML * @return Purified HTML
*/ */
public function purify($html, $config = null) { public function purify($html, $config = null) {
// :TODO: make the config merge in, instead of replace // :TODO: make the config merge in, instead of replace
$config = $config ? HTMLPurifier_Config::create($config) : $this->config; $config = $config ? HTMLPurifier_Config::create($config) : $this->config;
// implementation is partially environment dependant, partially // implementation is partially environment dependant, partially
// configuration dependant // configuration dependant
$lexer = HTMLPurifier_Lexer::create($config); $lexer = HTMLPurifier_Lexer::create($config);
$context = new HTMLPurifier_Context(); $context = new HTMLPurifier_Context();
// setup HTML generator // setup HTML generator
$this->generator = new HTMLPurifier_Generator($config, $context); $this->generator = new HTMLPurifier_Generator($config, $context);
$context->register('Generator', $this->generator); $context->register('Generator', $this->generator);
// set up global context variables // set up global context variables
if ($config->get('Core', 'CollectErrors')) { if ($config->get('Core.CollectErrors')) {
// may get moved out if other facilities use it // may get moved out if other facilities use it
$language_factory = HTMLPurifier_LanguageFactory::instance(); $language_factory = HTMLPurifier_LanguageFactory::instance();
$language = $language_factory->create($config, $context); $language = $language_factory->create($config, $context);
$context->register('Locale', $language); $context->register('Locale', $language);
$error_collector = new HTMLPurifier_ErrorCollector($context); $error_collector = new HTMLPurifier_ErrorCollector($context);
$context->register('ErrorCollector', $error_collector); $context->register('ErrorCollector', $error_collector);
} }
// setup id_accumulator context, necessary due to the fact that // setup id_accumulator context, necessary due to the fact that
// AttrValidator can be called from many places // AttrValidator can be called from many places
$id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context); $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context);
$context->register('IDAccumulator', $id_accumulator); $context->register('IDAccumulator', $id_accumulator);
$html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context); $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context);
// setup filters // setup filters
$filter_flags = $config->getBatch('Filter'); $filter_flags = $config->getBatch('Filter');
$custom_filters = $filter_flags['Custom']; $custom_filters = $filter_flags['Custom'];
@@ -152,6 +152,7 @@ class HTMLPurifier
$filters = array(); $filters = array();
foreach ($filter_flags as $filter => $flag) { foreach ($filter_flags as $filter => $flag) {
if (!$flag) continue; if (!$flag) continue;
if (strpos($filter, '.') !== false) continue;
$class = "HTMLPurifier_Filter_$filter"; $class = "HTMLPurifier_Filter_$filter";
$filters[] = new $class; $filters[] = new $class;
} }
@@ -161,13 +162,13 @@ class HTMLPurifier
} }
$filters = array_merge($filters, $this->filters); $filters = array_merge($filters, $this->filters);
// maybe prepare(), but later // maybe prepare(), but later
for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) { for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) {
$html = $filters[$i]->preFilter($html, $config, $context); $html = $filters[$i]->preFilter($html, $config, $context);
} }
// purified HTML // purified HTML
$html = $html =
$this->generator->generateFromTokens( $this->generator->generateFromTokens(
// list of tokens // list of tokens
$this->strategy->execute( $this->strategy->execute(
@@ -179,16 +180,16 @@ class HTMLPurifier
$config, $context $config, $context
) )
); );
for ($i = $filter_size - 1; $i >= 0; $i--) { for ($i = $filter_size - 1; $i >= 0; $i--) {
$html = $filters[$i]->postFilter($html, $config, $context); $html = $filters[$i]->postFilter($html, $config, $context);
} }
$html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context); $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context);
$this->context =& $context; $this->context =& $context;
return $html; return $html;
} }
/** /**
* Filters an array of HTML snippets * Filters an array of HTML snippets
* @param $config Optional HTMLPurifier_Config object for this operation. * @param $config Optional HTMLPurifier_Config object for this operation.
@@ -204,7 +205,7 @@ class HTMLPurifier
$this->context = $context_array; $this->context = $context_array;
return $array_of_html; return $array_of_html;
} }
/** /**
* Singleton for enforcing just one HTML Purifier in your system * Singleton for enforcing just one HTML Purifier in your system
* @param $prototype Optional prototype HTMLPurifier instance to * @param $prototype Optional prototype HTMLPurifier instance to
@@ -223,12 +224,14 @@ class HTMLPurifier
} }
return self::$instance; return self::$instance;
} }
/** /**
* @note Backwards compatibility, see instance() * @note Backwards compatibility, see instance()
*/ */
public static function getInstance($prototype = null) { public static function getInstance($prototype = null) {
return HTMLPurifier::instance($prototype); return HTMLPurifier::instance($prototype);
} }
} }
// vim: et sw=4 sts=4

12
library/HTMLPurifier.safe-includes.php
View File

@@ -6,7 +6,7 @@
* the core files required by HTML Purifier. This is a convenience stub that * the core files required by HTML Purifier. This is a convenience stub that
* includes all files using dirname(__FILE__) and require_once. PLEASE DO NOT * includes all files using dirname(__FILE__) and require_once. PLEASE DO NOT
* EDIT THIS FILE, changes will be overwritten the next time the script is run. * EDIT THIS FILE, changes will be overwritten the next time the script is run.
* *
* Changes to include_path are not necessary. * Changes to include_path are not necessary.
*/ */
@@ -49,6 +49,8 @@ require_once $__dir . '/HTMLPurifier/LanguageFactory.php';
require_once $__dir . '/HTMLPurifier/Length.php'; require_once $__dir . '/HTMLPurifier/Length.php';
require_once $__dir . '/HTMLPurifier/Lexer.php'; require_once $__dir . '/HTMLPurifier/Lexer.php';
require_once $__dir . '/HTMLPurifier/PercentEncoder.php'; require_once $__dir . '/HTMLPurifier/PercentEncoder.php';
require_once $__dir . '/HTMLPurifier/PropertyList.php';
require_once $__dir . '/HTMLPurifier/PropertyListIterator.php';
require_once $__dir . '/HTMLPurifier/Strategy.php'; require_once $__dir . '/HTMLPurifier/Strategy.php';
require_once $__dir . '/HTMLPurifier/StringHash.php'; require_once $__dir . '/HTMLPurifier/StringHash.php';
require_once $__dir . '/HTMLPurifier/StringHashParser.php'; require_once $__dir . '/HTMLPurifier/StringHashParser.php';
@@ -90,6 +92,8 @@ require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Percentage.php';
require_once $__dir . '/HTMLPurifier/AttrDef/CSS/TextDecoration.php'; require_once $__dir . '/HTMLPurifier/AttrDef/CSS/TextDecoration.php';
require_once $__dir . '/HTMLPurifier/AttrDef/CSS/URI.php'; require_once $__dir . '/HTMLPurifier/AttrDef/CSS/URI.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php'; require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Class.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php'; require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php'; require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php'; require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php';
@@ -97,7 +101,6 @@ require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Length.php'; require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Length.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/LinkTypes.php'; require_once $__dir . '/HTMLPurifier/AttrDef/HTML/LinkTypes.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/MultiLength.php'; require_once $__dir . '/HTMLPurifier/AttrDef/HTML/MultiLength.php';
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email.php'; require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email.php';
require_once $__dir . '/HTMLPurifier/AttrDef/URI/Host.php'; require_once $__dir . '/HTMLPurifier/AttrDef/URI/Host.php';
require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv4.php'; require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv4.php';
@@ -115,6 +118,7 @@ require_once $__dir . '/HTMLPurifier/AttrTransform/Input.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/NameSync.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/SafeEmbed.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/SafeEmbed.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/SafeObject.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/SafeObject.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/SafeParam.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/SafeParam.php';
@@ -166,6 +170,7 @@ require_once $__dir . '/HTMLPurifier/Injector/DisplayLinkURI.php';
require_once $__dir . '/HTMLPurifier/Injector/Linkify.php'; require_once $__dir . '/HTMLPurifier/Injector/Linkify.php';
require_once $__dir . '/HTMLPurifier/Injector/PurifierLinkify.php'; require_once $__dir . '/HTMLPurifier/Injector/PurifierLinkify.php';
require_once $__dir . '/HTMLPurifier/Injector/RemoveEmpty.php'; require_once $__dir . '/HTMLPurifier/Injector/RemoveEmpty.php';
require_once $__dir . '/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php';
require_once $__dir . '/HTMLPurifier/Injector/SafeObject.php'; require_once $__dir . '/HTMLPurifier/Injector/SafeObject.php';
require_once $__dir . '/HTMLPurifier/Lexer/DOMLex.php'; require_once $__dir . '/HTMLPurifier/Lexer/DOMLex.php';
require_once $__dir . '/HTMLPurifier/Lexer/DirectLex.php'; require_once $__dir . '/HTMLPurifier/Lexer/DirectLex.php';
@@ -185,9 +190,12 @@ require_once $__dir . '/HTMLPurifier/Token/Start.php';
require_once $__dir . '/HTMLPurifier/Token/Text.php'; require_once $__dir . '/HTMLPurifier/Token/Text.php';
require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php'; require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php';
require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php'; require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php';
require_once $__dir . '/HTMLPurifier/URIFilter/DisableResources.php';
require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php'; require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php';
require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php'; require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php';
require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php'; require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php';
require_once $__dir . '/HTMLPurifier/URIScheme/data.php';
require_once $__dir . '/HTMLPurifier/URIScheme/file.php';
require_once $__dir . '/HTMLPurifier/URIScheme/ftp.php'; require_once $__dir . '/HTMLPurifier/URIScheme/ftp.php';
require_once $__dir . '/HTMLPurifier/URIScheme/http.php'; require_once $__dir . '/HTMLPurifier/URIScheme/http.php';
require_once $__dir . '/HTMLPurifier/URIScheme/https.php'; require_once $__dir . '/HTMLPurifier/URIScheme/https.php';

29
library/HTMLPurifier/AttrCollections.php
View File

@@ -6,12 +6,12 @@
class HTMLPurifier_AttrCollections class HTMLPurifier_AttrCollections
{ {
/** /**
* Associative array of attribute collections, indexed by name * Associative array of attribute collections, indexed by name
*/ */
public $info = array(); public $info = array();
/** /**
* Performs all expansions on internal data for use by other inclusions * Performs all expansions on internal data for use by other inclusions
* It also collects all attribute collection extensions from * It also collects all attribute collection extensions from
@@ -45,7 +45,7 @@ class HTMLPurifier_AttrCollections
$this->expandIdentifiers($this->info[$name], $attr_types); $this->expandIdentifiers($this->info[$name], $attr_types);
} }
} }
/** /**
* Takes a reference to an attribute associative array and performs * Takes a reference to an attribute associative array and performs
* all inclusions specified by the zero index. * all inclusions specified by the zero index.
@@ -72,7 +72,7 @@ class HTMLPurifier_AttrCollections
} }
unset($attr[0]); unset($attr[0]);
} }
/** /**
* Expands all string identifiers in an attribute array by replacing * Expands all string identifiers in an attribute array by replacing
* them with the appropriate values inside HTMLPurifier_AttrTypes * them with the appropriate values inside HTMLPurifier_AttrTypes
@@ -80,17 +80,17 @@ class HTMLPurifier_AttrCollections
* @param $attr_types HTMLPurifier_AttrTypes instance * @param $attr_types HTMLPurifier_AttrTypes instance
*/ */
public function expandIdentifiers(&$attr, $attr_types) { public function expandIdentifiers(&$attr, $attr_types) {
// because foreach will process new elements we add, make sure we // because foreach will process new elements we add, make sure we
// skip duplicates // skip duplicates
$processed = array(); $processed = array();
foreach ($attr as $def_i => $def) { foreach ($attr as $def_i => $def) {
// skip inclusions // skip inclusions
if ($def_i === 0) continue; if ($def_i === 0) continue;
if (isset($processed[$def_i])) continue; if (isset($processed[$def_i])) continue;
// determine whether or not attribute is required // determine whether or not attribute is required
if ($required = (strpos($def_i, '*') !== false)) { if ($required = (strpos($def_i, '*') !== false)) {
// rename the definition // rename the definition
@@ -98,21 +98,21 @@ class HTMLPurifier_AttrCollections
$def_i = trim($def_i, '*'); $def_i = trim($def_i, '*');
$attr[$def_i] = $def; $attr[$def_i] = $def;
} }
$processed[$def_i] = true; $processed[$def_i] = true;
// if we've already got a literal object, move on // if we've already got a literal object, move on
if (is_object($def)) { if (is_object($def)) {
// preserve previous required // preserve previous required
$attr[$def_i]->required = ($required || $attr[$def_i]->required); $attr[$def_i]->required = ($required || $attr[$def_i]->required);
continue; continue;
} }
if ($def === false) { if ($def === false) {
unset($attr[$def_i]); unset($attr[$def_i]);
continue; continue;
} }
if ($t = $attr_types->get($def)) { if ($t = $attr_types->get($def)) {
$attr[$def_i] = $t; $attr[$def_i] = $t;
$attr[$def_i]->required = $required; $attr[$def_i]->required = $required;
@@ -120,8 +120,9 @@ class HTMLPurifier_AttrCollections
unset($attr[$def_i]); unset($attr[$def_i]);
} }
} }
} }
} }
// vim: et sw=4 sts=4

63
library/HTMLPurifier/AttrDef.php
View File

@@ -2,53 +2,53 @@
/** /**
* Base class for all validating attribute definitions. * Base class for all validating attribute definitions.
* *
* This family of classes forms the core for not only HTML attribute validation, * This family of classes forms the core for not only HTML attribute validation,
* but also any sort of string that needs to be validated or cleaned (which * but also any sort of string that needs to be validated or cleaned (which
* means CSS properties and composite definitions are defined here too). * means CSS properties and composite definitions are defined here too).
* Besides defining (through code) what precisely makes the string valid, * Besides defining (through code) what precisely makes the string valid,
* subclasses are also responsible for cleaning the code if possible. * subclasses are also responsible for cleaning the code if possible.
*/ */
abstract class HTMLPurifier_AttrDef abstract class HTMLPurifier_AttrDef
{ {
/** /**
* Tells us whether or not an HTML attribute is minimized. Has no * Tells us whether or not an HTML attribute is minimized. Has no
* meaning in other contexts. * meaning in other contexts.
*/ */
public $minimized = false; public $minimized = false;
/** /**
* Tells us whether or not an HTML attribute is required. Has no * Tells us whether or not an HTML attribute is required. Has no
* meaning in other contexts * meaning in other contexts
*/ */
public $required = false; public $required = false;
/** /**
* Validates and cleans passed string according to a definition. * Validates and cleans passed string according to a definition.
* *
* @param $string String to be validated and cleaned. * @param $string String to be validated and cleaned.
* @param $config Mandatory HTMLPurifier_Config object. * @param $config Mandatory HTMLPurifier_Config object.
* @param $context Mandatory HTMLPurifier_AttrContext object. * @param $context Mandatory HTMLPurifier_AttrContext object.
*/ */
abstract public function validate($string, $config, $context); abstract public function validate($string, $config, $context);
/** /**
* Convenience method that parses a string as if it were CDATA. * Convenience method that parses a string as if it were CDATA.
* *
* This method process a string in the manner specified at * This method process a string in the manner specified at
* <http://www.w3.org/TR/html4/types.html#h-6.2> by removing * <http://www.w3.org/TR/html4/types.html#h-6.2> by removing
* leading and trailing whitespace, ignoring line feeds, and replacing * leading and trailing whitespace, ignoring line feeds, and replacing
* carriage returns and tabs with spaces. While most useful for HTML * carriage returns and tabs with spaces. While most useful for HTML
* attributes specified as CDATA, it can also be applied to most CSS * attributes specified as CDATA, it can also be applied to most CSS
* values. * values.
* *
* @note This method is not entirely standards compliant, as trim() removes * @note This method is not entirely standards compliant, as trim() removes
* more types of whitespace than specified in the spec. In practice, * more types of whitespace than specified in the spec. In practice,
* this is rarely a problem, as those extra characters usually have * this is rarely a problem, as those extra characters usually have
* already been removed by HTMLPurifier_Encoder. * already been removed by HTMLPurifier_Encoder.
* *
* @warning This processing is inconsistent with XML's whitespace handling * @warning This processing is inconsistent with XML's whitespace handling
* as specified by section 3.3.3 and referenced XHTML 1.0 section * as specified by section 3.3.3 and referenced XHTML 1.0 section
* 4.7. However, note that we are NOT necessarily * 4.7. However, note that we are NOT necessarily
@@ -60,7 +60,7 @@ abstract class HTMLPurifier_AttrDef
$string = str_replace(array("\n", "\t", "\r"), ' ', $string); $string = str_replace(array("\n", "\t", "\r"), ' ', $string);
return $string; return $string;
} }
/** /**
* Factory method for creating this class from a string. * Factory method for creating this class from a string.
* @param $string String construction info * @param $string String construction info
@@ -73,7 +73,7 @@ abstract class HTMLPurifier_AttrDef
// to clone or instantiate new copies. (Instantiation is safer.) // to clone or instantiate new copies. (Instantiation is safer.)
return $this; return $this;
} }
/** /**
* Removes spaces from rgb(0, 0, 0) so that shorthand CSS properties work * Removes spaces from rgb(0, 0, 0) so that shorthand CSS properties work
* properly. THIS IS A HACK! * properly. THIS IS A HACK!
@@ -81,6 +81,43 @@ abstract class HTMLPurifier_AttrDef
protected function mungeRgb($string) { protected function mungeRgb($string) {
return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string); return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string);
} }
/**
* Parses a possibly escaped CSS string and returns the "pure"
* version of it.
*/
protected function expandCSSEscape($string) {
// flexibly parse it
$ret = '';
for ($i = 0, $c = strlen($string); $i < $c; $i++) {
if ($string[$i] === '\\') {
$i++;
if ($i >= $c) {
$ret .= '\\';
break;
}
if (ctype_xdigit($string[$i])) {
$code = $string[$i];
for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
if (!ctype_xdigit($string[$i])) break;
$code .= $string[$i];
}
// We have to be extremely careful when adding
// new characters, to make sure we're not breaking
// the encoding.
$char = HTMLPurifier_Encoder::unichr(hexdec($code));
if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
$ret .= $char;
if ($i < $c && trim($string[$i]) !== '') $i--;
continue;
}
if ($string[$i] === "\n") continue;
}
$ret .= $string[$i];
}
return $ret;
}
} }
// vim: et sw=4 sts=4

27
library/HTMLPurifier/AttrDef/CSS.php
View File

@@ -13,28 +13,28 @@
*/ */
class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
{ {
public function validate($css, $config, $context) { public function validate($css, $config, $context) {
$css = $this->parseCDATA($css); $css = $this->parseCDATA($css);
$definition = $config->getCSSDefinition(); $definition = $config->getCSSDefinition();
// we're going to break the spec and explode by semicolons. // we're going to break the spec and explode by semicolons.
// This is because semicolon rarely appears in escaped form // This is because semicolon rarely appears in escaped form
// Doing this is generally flaky but fast // Doing this is generally flaky but fast
// IT MIGHT APPEAR IN URIs, see HTMLPurifier_AttrDef_CSSURI // IT MIGHT APPEAR IN URIs, see HTMLPurifier_AttrDef_CSSURI
// for details // for details
$declarations = explode(';', $css); $declarations = explode(';', $css);
$propvalues = array(); $propvalues = array();
/** /**
* Name of the current CSS property being validated. * Name of the current CSS property being validated.
*/ */
$property = false; $property = false;
$context->register('CurrentCSSProperty', $property); $context->register('CurrentCSSProperty', $property);
foreach ($declarations as $declaration) { foreach ($declarations as $declaration) {
if (!$declaration) continue; if (!$declaration) continue;
if (!strpos($declaration, ':')) continue; if (!strpos($declaration, ':')) continue;
@@ -66,21 +66,22 @@ class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
if ($result === false) continue; if ($result === false) continue;
$propvalues[$property] = $result; $propvalues[$property] = $result;
} }
$context->destroy('CurrentCSSProperty'); $context->destroy('CurrentCSSProperty');
// procedure does not write the new CSS simultaneously, so it's // procedure does not write the new CSS simultaneously, so it's
// slightly inefficient, but it's the only way of getting rid of // slightly inefficient, but it's the only way of getting rid of
// duplicates. Perhaps config to optimize it, but not now. // duplicates. Perhaps config to optimize it, but not now.
$new_declarations = ''; $new_declarations = '';
foreach ($propvalues as $prop => $value) { foreach ($propvalues as $prop => $value) {
$new_declarations .= "$prop:$value;"; $new_declarations .= "$prop:$value;";
} }
return $new_declarations ? $new_declarations : false; return $new_declarations ? $new_declarations : false;
} }
} }
// vim: et sw=4 sts=4

8
library/HTMLPurifier/AttrDef/CSS/AlphaValue.php
View File

@@ -2,11 +2,11 @@
class HTMLPurifier_AttrDef_CSS_AlphaValue extends HTMLPurifier_AttrDef_CSS_Number class HTMLPurifier_AttrDef_CSS_AlphaValue extends HTMLPurifier_AttrDef_CSS_Number
{ {
public function __construct() { public function __construct() {
parent::__construct(false); // opacity is non-negative, but we will clamp it parent::__construct(false); // opacity is non-negative, but we will clamp it
} }
public function validate($number, $config, $context) { public function validate($number, $config, $context) {
$result = parent::validate($number, $config, $context); $result = parent::validate($number, $config, $context);
if ($result === false) return $result; if ($result === false) return $result;
@@ -15,5 +15,7 @@ class HTMLPurifier_AttrDef_CSS_AlphaValue extends HTMLPurifier_AttrDef_CSS_Numbe
if ($float > 1.0) $result = '1'; if ($float > 1.0) $result = '1';
return $result; return $result;
} }
} }
// vim: et sw=4 sts=4

29
library/HTMLPurifier/AttrDef/CSS/Background.php
View File

@@ -6,13 +6,13 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
{ {
/** /**
* Local copy of component validators. * Local copy of component validators.
* @note See HTMLPurifier_AttrDef_Font::$info for a similar impl. * @note See HTMLPurifier_AttrDef_Font::$info for a similar impl.
*/ */
protected $info; protected $info;
public function __construct($config) { public function __construct($config) {
$def = $config->getCSSDefinition(); $def = $config->getCSSDefinition();
$this->info['background-color'] = $def->info['background-color']; $this->info['background-color'] = $def->info['background-color'];
@@ -21,29 +21,29 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
$this->info['background-attachment'] = $def->info['background-attachment']; $this->info['background-attachment'] = $def->info['background-attachment'];
$this->info['background-position'] = $def->info['background-position']; $this->info['background-position'] = $def->info['background-position'];
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
// regular pre-processing // regular pre-processing
$string = $this->parseCDATA($string); $string = $this->parseCDATA($string);
if ($string === '') return false; if ($string === '') return false;
// munge rgb() decl if necessary // munge rgb() decl if necessary
$string = $this->mungeRgb($string); $string = $this->mungeRgb($string);
// assumes URI doesn't have spaces in it // assumes URI doesn't have spaces in it
$bits = explode(' ', strtolower($string)); // bits to process $bits = explode(' ', strtolower($string)); // bits to process
$caught = array(); $caught = array();
$caught['color'] = false; $caught['color'] = false;
$caught['image'] = false; $caught['image'] = false;
$caught['repeat'] = false; $caught['repeat'] = false;
$caught['attachment'] = false; $caught['attachment'] = false;
$caught['position'] = false; $caught['position'] = false;
$i = 0; // number of catches $i = 0; // number of catches
$none = false; $none = false;
foreach ($bits as $bit) { foreach ($bits as $bit) {
if ($bit === '') continue; if ($bit === '') continue;
foreach ($caught as $key => $status) { foreach ($caught as $key => $status) {
@@ -64,23 +64,24 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
break; break;
} }
} }
if (!$i) return false; if (!$i) return false;
if ($caught['position'] !== false) { if ($caught['position'] !== false) {
$caught['position'] = $this->info['background-position']-> $caught['position'] = $this->info['background-position']->
validate($caught['position'], $config, $context); validate($caught['position'], $config, $context);
} }
$ret = array(); $ret = array();
foreach ($caught as $value) { foreach ($caught as $value) {
if ($value === false) continue; if ($value === false) continue;
$ret[] = $value; $ret[] = $value;
} }
if (empty($ret)) return false; if (empty($ret)) return false;
return implode(' ', $ret); return implode(' ', $ret);
} }
} }
// vim: et sw=4 sts=4

66
library/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php
View File

@@ -7,7 +7,7 @@
[ [
<percentage> | <length> | left | center | right <percentage> | <length> | left | center | right
] ]
[ [
<percentage> | <length> | top | center | bottom <percentage> | <length> | top | center | bottom
]? ]?
] | ] |
@@ -28,10 +28,10 @@
/* QuirksMode says: /* QuirksMode says:
keyword + length/percentage must be ordered correctly, as per W3C keyword + length/percentage must be ordered correctly, as per W3C
Internet Explorer and Opera, however, support arbitrary ordering. We Internet Explorer and Opera, however, support arbitrary ordering. We
should fix it up. should fix it up.
Minor issue though, not strictly necessary. Minor issue though, not strictly necessary.
*/ */
@@ -43,27 +43,28 @@
*/ */
class HTMLPurifier_AttrDef_CSS_BackgroundPosition extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_BackgroundPosition extends HTMLPurifier_AttrDef
{ {
protected $length; protected $length;
protected $percentage; protected $percentage;
public function __construct() { public function __construct() {
$this->length = new HTMLPurifier_AttrDef_CSS_Length(); $this->length = new HTMLPurifier_AttrDef_CSS_Length();
$this->percentage = new HTMLPurifier_AttrDef_CSS_Percentage(); $this->percentage = new HTMLPurifier_AttrDef_CSS_Percentage();
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
$string = $this->parseCDATA($string); $string = $this->parseCDATA($string);
$bits = explode(' ', $string); $bits = explode(' ', $string);
$keywords = array(); $keywords = array();
$keywords['h'] = false; // left, right $keywords['h'] = false; // left, right
$keywords['v'] = false; // top, bottom $keywords['v'] = false; // top, bottom
$keywords['c'] = false; // center $keywords['ch'] = false; // center (first word)
$keywords['cv'] = false; // center (second word)
$measures = array(); $measures = array();
$i = 0; $i = 0;
$lookup = array( $lookup = array(
'top' => 'v', 'top' => 'v',
'bottom' => 'v', 'bottom' => 'v',
@@ -71,55 +72,62 @@ class HTMLPurifier_AttrDef_CSS_BackgroundPosition extends HTMLPurifier_AttrDef
'right' => 'h', 'right' => 'h',
'center' => 'c' 'center' => 'c'
); );
foreach ($bits as $bit) { foreach ($bits as $bit) {
if ($bit === '') continue; if ($bit === '') continue;
// test for keyword // test for keyword
$lbit = ctype_lower($bit) ? $bit : strtolower($bit); $lbit = ctype_lower($bit) ? $bit : strtolower($bit);
if (isset($lookup[$lbit])) { if (isset($lookup[$lbit])) {
$status = $lookup[$lbit]; $status = $lookup[$lbit];
if ($status == 'c') {
if ($i == 0) {
$status = 'ch';
} else {
$status = 'cv';
}
}
$keywords[$status] = $lbit; $keywords[$status] = $lbit;
$i++; $i++;
} }
// test for length // test for length
$r = $this->length->validate($bit, $config, $context); $r = $this->length->validate($bit, $config, $context);
if ($r !== false) { if ($r !== false) {
$measures[] = $r; $measures[] = $r;
$i++; $i++;
} }
// test for percentage // test for percentage
$r = $this->percentage->validate($bit, $config, $context); $r = $this->percentage->validate($bit, $config, $context);
if ($r !== false) { if ($r !== false) {
$measures[] = $r; $measures[] = $r;
$i++; $i++;
} }
} }
if (!$i) return false; // no valid values were caught if (!$i) return false; // no valid values were caught
$ret = array(); $ret = array();
// first keyword // first keyword
if ($keywords['h']) $ret[] = $keywords['h']; if ($keywords['h']) $ret[] = $keywords['h'];
elseif (count($measures)) $ret[] = array_shift($measures); elseif ($keywords['ch']) {
elseif ($keywords['c']) { $ret[] = $keywords['ch'];
$ret[] = $keywords['c']; $keywords['cv'] = false; // prevent re-use: center = center center
$keywords['c'] = false; // prevent re-use: center = center center
} }
if ($keywords['v']) $ret[] = $keywords['v'];
elseif (count($measures)) $ret[] = array_shift($measures); elseif (count($measures)) $ret[] = array_shift($measures);
elseif ($keywords['c']) $ret[] = $keywords['c'];
if ($keywords['v']) $ret[] = $keywords['v'];
elseif ($keywords['cv']) $ret[] = $keywords['cv'];
elseif (count($measures)) $ret[] = array_shift($measures);
if (empty($ret)) return false; if (empty($ret)) return false;
return implode(' ', $ret); return implode(' ', $ret);
} }
} }
// vim: et sw=4 sts=4

9
library/HTMLPurifier/AttrDef/CSS/Border.php
View File

@@ -5,19 +5,19 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Border extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Border extends HTMLPurifier_AttrDef
{ {
/** /**
* Local copy of properties this property is shorthand for. * Local copy of properties this property is shorthand for.
*/ */
protected $info = array(); protected $info = array();
public function __construct($config) { public function __construct($config) {
$def = $config->getCSSDefinition(); $def = $config->getCSSDefinition();
$this->info['border-width'] = $def->info['border-width']; $this->info['border-width'] = $def->info['border-width'];
$this->info['border-style'] = $def->info['border-style']; $this->info['border-style'] = $def->info['border-style'];
$this->info['border-top-color'] = $def->info['border-top-color']; $this->info['border-top-color'] = $def->info['border-top-color'];
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
$string = $this->parseCDATA($string); $string = $this->parseCDATA($string);
$string = $this->mungeRgb($string); $string = $this->mungeRgb($string);
@@ -37,6 +37,7 @@ class HTMLPurifier_AttrDef_CSS_Border extends HTMLPurifier_AttrDef
} }
return rtrim($ret); return rtrim($ret);
} }
} }
// vim: et sw=4 sts=4

19
library/HTMLPurifier/AttrDef/CSS/Color.php
View File

@@ -5,18 +5,18 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Color extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Color extends HTMLPurifier_AttrDef
{ {
public function validate($color, $config, $context) { public function validate($color, $config, $context) {
static $colors = null; static $colors = null;
if ($colors === null) $colors = $config->get('Core', 'ColorKeywords'); if ($colors === null) $colors = $config->get('Core.ColorKeywords');
$color = trim($color); $color = trim($color);
if ($color === '') return false; if ($color === '') return false;
$lower = strtolower($color); $lower = strtolower($color);
if (isset($colors[$lower])) return $colors[$lower]; if (isset($colors[$lower])) return $colors[$lower];
if (strpos($color, 'rgb(') !== false) { if (strpos($color, 'rgb(') !== false) {
// rgb literal handling // rgb literal handling
$length = strlen($color); $length = strlen($color);
@@ -68,10 +68,11 @@ class HTMLPurifier_AttrDef_CSS_Color extends HTMLPurifier_AttrDef
if ($length !== 3 && $length !== 6) return false; if ($length !== 3 && $length !== 6) return false;
if (!ctype_xdigit($hex)) return false; if (!ctype_xdigit($hex)) return false;
} }
return $color; return $color;
} }
} }
// vim: et sw=4 sts=4

11
library/HTMLPurifier/AttrDef/CSS/Composite.php
View File

@@ -2,7 +2,7 @@
/** /**
* Allows multiple validators to attempt to validate attribute. * Allows multiple validators to attempt to validate attribute.
* *
* Composite is just what it sounds like: a composite of many validators. * Composite is just what it sounds like: a composite of many validators.
* This means that multiple HTMLPurifier_AttrDef objects will have a whack * This means that multiple HTMLPurifier_AttrDef objects will have a whack
* at the string. If one of them passes, that's what is returned. This is * at the string. If one of them passes, that's what is returned. This is
@@ -11,20 +11,20 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Composite extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Composite extends HTMLPurifier_AttrDef
{ {
/** /**
* List of HTMLPurifier_AttrDef objects that may process strings * List of HTMLPurifier_AttrDef objects that may process strings
* @todo Make protected * @todo Make protected
*/ */
public $defs; public $defs;
/** /**
* @param $defs List of HTMLPurifier_AttrDef objects * @param $defs List of HTMLPurifier_AttrDef objects
*/ */
public function __construct($defs) { public function __construct($defs) {
$this->defs = $defs; $this->defs = $defs;
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
foreach ($this->defs as $i => $def) { foreach ($this->defs as $i => $def) {
$result = $this->defs[$i]->validate($string, $config, $context); $result = $this->defs[$i]->validate($string, $config, $context);
@@ -32,6 +32,7 @@ class HTMLPurifier_AttrDef_CSS_Composite extends HTMLPurifier_AttrDef
} }
return false; return false;
} }
} }
// vim: et sw=4 sts=4

6
library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php
View File

@@ -5,8 +5,8 @@
*/ */
class HTMLPurifier_AttrDef_CSS_DenyElementDecorator extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_DenyElementDecorator extends HTMLPurifier_AttrDef
{ {
protected $def, $element; public $def, $element;
/** /**
* @param $def Definition to wrap * @param $def Definition to wrap
* @param $element Element to deny * @param $element Element to deny
@@ -24,3 +24,5 @@ class HTMLPurifier_AttrDef_CSS_DenyElementDecorator extends HTMLPurifier_AttrDef
return $this->def->validate($string, $config, $context); return $this->def->validate($string, $config, $context);
} }
} }
// vim: et sw=4 sts=4

10
library/HTMLPurifier/AttrDef/CSS/Filter.php
View File

@@ -7,13 +7,13 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Filter extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Filter extends HTMLPurifier_AttrDef
{ {
protected $intValidator; protected $intValidator;
public function __construct() { public function __construct() {
$this->intValidator = new HTMLPurifier_AttrDef_Integer(); $this->intValidator = new HTMLPurifier_AttrDef_Integer();
} }
public function validate($value, $config, $context) { public function validate($value, $config, $context) {
$value = $this->parseCDATA($value); $value = $this->parseCDATA($value);
if ($value === 'none') return $value; if ($value === 'none') return $value;
@@ -48,5 +48,7 @@ class HTMLPurifier_AttrDef_CSS_Filter extends HTMLPurifier_AttrDef
$ret_function = "$function($ret_parameters)"; $ret_function = "$function($ret_parameters)";
return $ret_function; return $ret_function;
} }
} }
// vim: et sw=4 sts=4

27
library/HTMLPurifier/AttrDef/CSS/Font.php
View File

@@ -5,17 +5,17 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Font extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Font extends HTMLPurifier_AttrDef
{ {
/** /**
* Local copy of component validators. * Local copy of component validators.
* *
* @note If we moved specific CSS property definitions to their own * @note If we moved specific CSS property definitions to their own
* classes instead of having them be assembled at run time by * classes instead of having them be assembled at run time by
* CSSDefinition, this wouldn't be necessary. We'd instantiate * CSSDefinition, this wouldn't be necessary. We'd instantiate
* our own copies. * our own copies.
*/ */
protected $info = array(); protected $info = array();
public function __construct($config) { public function __construct($config) {
$def = $config->getCSSDefinition(); $def = $config->getCSSDefinition();
$this->info['font-style'] = $def->info['font-style']; $this->info['font-style'] = $def->info['font-style'];
@@ -25,9 +25,9 @@ class HTMLPurifier_AttrDef_CSS_Font extends HTMLPurifier_AttrDef
$this->info['line-height'] = $def->info['line-height']; $this->info['line-height'] = $def->info['line-height'];
$this->info['font-family'] = $def->info['font-family']; $this->info['font-family'] = $def->info['font-family'];
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
static $system_fonts = array( static $system_fonts = array(
'caption' => true, 'caption' => true,
'icon' => true, 'icon' => true,
@@ -36,27 +36,27 @@ class HTMLPurifier_AttrDef_CSS_Font extends HTMLPurifier_AttrDef
'small-caption' => true, 'small-caption' => true,
'status-bar' => true 'status-bar' => true
); );
// regular pre-processing // regular pre-processing
$string = $this->parseCDATA($string); $string = $this->parseCDATA($string);
if ($string === '') return false; if ($string === '') return false;
// check if it's one of the keywords // check if it's one of the keywords
$lowercase_string = strtolower($string); $lowercase_string = strtolower($string);
if (isset($system_fonts[$lowercase_string])) { if (isset($system_fonts[$lowercase_string])) {
return $lowercase_string; return $lowercase_string;
} }
$bits = explode(' ', $string); // bits to process $bits = explode(' ', $string); // bits to process
$stage = 0; // this indicates what we're looking for $stage = 0; // this indicates what we're looking for
$caught = array(); // which stage 0 properties have we caught? $caught = array(); // which stage 0 properties have we caught?
$stage_1 = array('font-style', 'font-variant', 'font-weight'); $stage_1 = array('font-style', 'font-variant', 'font-weight');
$final = ''; // output $final = ''; // output
for ($i = 0, $size = count($bits); $i < $size; $i++) { for ($i = 0, $size = count($bits); $i < $size; $i++) {
if ($bits[$i] === '') continue; if ($bits[$i] === '') continue;
switch ($stage) { switch ($stage) {
// attempting to catch font-style, font-variant or font-weight // attempting to catch font-style, font-variant or font-weight
case 0: case 0:
foreach ($stage_1 as $validator_name) { foreach ($stage_1 as $validator_name) {
@@ -72,7 +72,7 @@ class HTMLPurifier_AttrDef_CSS_Font extends HTMLPurifier_AttrDef
// all three caught, continue on // all three caught, continue on
if (count($caught) >= 3) $stage = 1; if (count($caught) >= 3) $stage = 1;
if ($r !== false) break; if ($r !== false) break;
// attempting to catch font-size and perhaps line-height // attempting to catch font-size and perhaps line-height
case 1: case 1:
$found_slash = false; $found_slash = false;
@@ -126,7 +126,7 @@ class HTMLPurifier_AttrDef_CSS_Font extends HTMLPurifier_AttrDef
break; break;
} }
return false; return false;
// attempting to catch font-family // attempting to catch font-family
case 2: case 2:
$font_family = $font_family =
@@ -143,6 +143,7 @@ class HTMLPurifier_AttrDef_CSS_Font extends HTMLPurifier_AttrDef
} }
return false; return false;
} }
} }
// vim: et sw=4 sts=4

63
library/HTMLPurifier/AttrDef/CSS/FontFamily.php
View File

@@ -6,7 +6,7 @@
*/ */
class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
{ {
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
static $generic_names = array( static $generic_names = array(
'serif' => true, 'serif' => true,
@@ -15,7 +15,7 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
'fantasy' => true, 'fantasy' => true,
'cursive' => true 'cursive' => true
); );
// assume that no font names contain commas in them // assume that no font names contain commas in them
$fonts = explode(',', $string); $fonts = explode(',', $string);
$final = ''; $final = '';
@@ -34,56 +34,39 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
$quote = $font[0]; $quote = $font[0];
if ($font[$length - 1] !== $quote) continue; if ($font[$length - 1] !== $quote) continue;
$font = substr($font, 1, $length - 2); $font = substr($font, 1, $length - 2);
$new_font = '';
for ($i = 0, $c = strlen($font); $i < $c; $i++) {
if ($font[$i] === '\\') {
$i++;
if ($i >= $c) {
$new_font .= '\\';
break;
}
if (ctype_xdigit($font[$i])) {
$code = $font[$i];
for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
if (!ctype_xdigit($font[$i])) break;
$code .= $font[$i];
}
// We have to be extremely careful when adding
// new characters, to make sure we're not breaking
// the encoding.
$char = HTMLPurifier_Encoder::unichr(hexdec($code));
if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
$new_font .= $char;
if ($i < $c && trim($font[$i]) !== '') $i--;
continue;
}
if ($font[$i] === "\n") continue;
}
$new_font .= $font[$i];
}
$font = $new_font;
} }
$font = $this->expandCSSEscape($font);
// $font is a pure representation of the font name // $font is a pure representation of the font name
if (ctype_alnum($font) && $font !== '') { if (ctype_alnum($font) && $font !== '') {
// very simple font, allow it in unharmed // very simple font, allow it in unharmed
$final .= $font . ', '; $final .= $font . ', ';
continue; continue;
} }
// bugger out on whitespace. form feed (0C) really
// shouldn't show up regardless
$font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
// These ugly transforms don't pose a security
// risk (as \\ and \" might). We could try to be clever and
// use single-quote wrapping when there is a double quote
// present, but I have choosen not to implement that.
// (warning: this code relies on the selection of quotation
// mark below)
$font = str_replace('\\', '\\5C ', $font);
$font = str_replace('"', '\\22 ', $font);
// complicated font, requires quoting // complicated font, requires quoting
$final .= "\"$font\", "; // note that this will later get turned into &quot;
// armor single quotes and new lines
$font = str_replace("\\", "\\\\", $font);
$font = str_replace("'", "\\'", $font);
$final .= "'$font', ";
} }
$final = rtrim($final, ', '); $final = rtrim($final, ', ');
if ($final === '') return false; if ($final === '') return false;
return $final; return $final;
} }
} }
// vim: et sw=4 sts=4

6
library/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php
View File

@@ -5,8 +5,8 @@
*/ */
class HTMLPurifier_AttrDef_CSS_ImportantDecorator extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_ImportantDecorator extends HTMLPurifier_AttrDef
{ {
protected $def, $allow; public $def, $allow;
/** /**
* @param $def Definition to wrap * @param $def Definition to wrap
* @param $allow Whether or not to allow !important * @param $allow Whether or not to allow !important
@@ -36,3 +36,5 @@ class HTMLPurifier_AttrDef_CSS_ImportantDecorator extends HTMLPurifier_AttrDef
return $string; return $string;
} }
} }
// vim: et sw=4 sts=4

17
library/HTMLPurifier/AttrDef/CSS/Length.php
View File

@@ -5,9 +5,9 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Length extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Length extends HTMLPurifier_AttrDef
{ {
protected $min, $max; protected $min, $max;
/** /**
* @param HTMLPurifier_Length $max Minimum length, or null for no bound. String is also acceptable. * @param HTMLPurifier_Length $max Minimum length, or null for no bound. String is also acceptable.
* @param HTMLPurifier_Length $max Maximum length, or null for no bound. String is also acceptable. * @param HTMLPurifier_Length $max Maximum length, or null for no bound. String is also acceptable.
@@ -16,18 +16,18 @@ class HTMLPurifier_AttrDef_CSS_Length extends HTMLPurifier_AttrDef
$this->min = $min !== null ? HTMLPurifier_Length::make($min) : null; $this->min = $min !== null ? HTMLPurifier_Length::make($min) : null;
$this->max = $max !== null ? HTMLPurifier_Length::make($max) : null; $this->max = $max !== null ? HTMLPurifier_Length::make($max) : null;
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
$string = $this->parseCDATA($string); $string = $this->parseCDATA($string);
// Optimizations // Optimizations
if ($string === '') return false; if ($string === '') return false;
if ($string === '0') return '0'; if ($string === '0') return '0';
if (strlen($string) === 1) return false; if (strlen($string) === 1) return false;
$length = HTMLPurifier_Length::make($string); $length = HTMLPurifier_Length::make($string);
if (!$length->isValid()) return false; if (!$length->isValid()) return false;
if ($this->min) { if ($this->min) {
$c = $length->compareTo($this->min); $c = $length->compareTo($this->min);
if ($c === false) return false; if ($c === false) return false;
@@ -38,9 +38,10 @@ class HTMLPurifier_AttrDef_CSS_Length extends HTMLPurifier_AttrDef
if ($c === false) return false; if ($c === false) return false;
if ($c > 0) return false; if ($c > 0) return false;
} }
return $length->toString(); return $length->toString();
} }
} }
// vim: et sw=4 sts=4

33
library/HTMLPurifier/AttrDef/CSS/ListStyle.php
View File

@@ -6,37 +6,37 @@
*/ */
class HTMLPurifier_AttrDef_CSS_ListStyle extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_ListStyle extends HTMLPurifier_AttrDef
{ {
/** /**
* Local copy of component validators. * Local copy of component validators.
* @note See HTMLPurifier_AttrDef_CSS_Font::$info for a similar impl. * @note See HTMLPurifier_AttrDef_CSS_Font::$info for a similar impl.
*/ */
protected $info; protected $info;
public function __construct($config) { public function __construct($config) {
$def = $config->getCSSDefinition(); $def = $config->getCSSDefinition();
$this->info['list-style-type'] = $def->info['list-style-type']; $this->info['list-style-type'] = $def->info['list-style-type'];
$this->info['list-style-position'] = $def->info['list-style-position']; $this->info['list-style-position'] = $def->info['list-style-position'];
$this->info['list-style-image'] = $def->info['list-style-image']; $this->info['list-style-image'] = $def->info['list-style-image'];
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
// regular pre-processing // regular pre-processing
$string = $this->parseCDATA($string); $string = $this->parseCDATA($string);
if ($string === '') return false; if ($string === '') return false;
// assumes URI doesn't have spaces in it // assumes URI doesn't have spaces in it
$bits = explode(' ', strtolower($string)); // bits to process $bits = explode(' ', strtolower($string)); // bits to process
$caught = array(); $caught = array();
$caught['type'] = false; $caught['type'] = false;
$caught['position'] = false; $caught['position'] = false;
$caught['image'] = false; $caught['image'] = false;
$i = 0; // number of catches $i = 0; // number of catches
$none = false; $none = false;
foreach ($bits as $bit) { foreach ($bits as $bit) {
if ($i >= 3) return; // optimization bit if ($i >= 3) return; // optimization bit
if ($bit === '') continue; if ($bit === '') continue;
@@ -54,24 +54,25 @@ class HTMLPurifier_AttrDef_CSS_ListStyle extends HTMLPurifier_AttrDef
break; break;
} }
} }
if (!$i) return false; if (!$i) return false;
$ret = array(); $ret = array();
// construct type // construct type
if ($caught['type']) $ret[] = $caught['type']; if ($caught['type']) $ret[] = $caught['type'];
// construct image // construct image
if ($caught['image']) $ret[] = $caught['image']; if ($caught['image']) $ret[] = $caught['image'];
// construct position // construct position
if ($caught['position']) $ret[] = $caught['position']; if ($caught['position']) $ret[] = $caught['position'];
if (empty($ret)) return false; if (empty($ret)) return false;
return implode(' ', $ret); return implode(' ', $ret);
} }
} }
// vim: et sw=4 sts=4

15
library/HTMLPurifier/AttrDef/CSS/Multiple.php
View File

@@ -2,30 +2,30 @@
/** /**
* Framework class for strings that involve multiple values. * Framework class for strings that involve multiple values.
* *
* Certain CSS properties such as border-width and margin allow multiple * Certain CSS properties such as border-width and margin allow multiple
* lengths to be specified. This class can take a vanilla border-width * lengths to be specified. This class can take a vanilla border-width
* definition and multiply it, usually into a max of four. * definition and multiply it, usually into a max of four.
* *
* @note Even though the CSS specification isn't clear about it, inherit * @note Even though the CSS specification isn't clear about it, inherit
* can only be used alone: it will never manifest as part of a multi * can only be used alone: it will never manifest as part of a multi
* shorthand declaration. Thus, this class does not allow inherit. * shorthand declaration. Thus, this class does not allow inherit.
*/ */
class HTMLPurifier_AttrDef_CSS_Multiple extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Multiple extends HTMLPurifier_AttrDef
{ {
/** /**
* Instance of component definition to defer validation to. * Instance of component definition to defer validation to.
* @todo Make protected * @todo Make protected
*/ */
public $single; public $single;
/** /**
* Max number of values allowed. * Max number of values allowed.
* @todo Make protected * @todo Make protected
*/ */
public $max; public $max;
/** /**
* @param $single HTMLPurifier_AttrDef to multiply * @param $single HTMLPurifier_AttrDef to multiply
* @param $max Max number of values allowed (usually four) * @param $max Max number of values allowed (usually four)
@@ -34,7 +34,7 @@ class HTMLPurifier_AttrDef_CSS_Multiple extends HTMLPurifier_AttrDef
$this->single = $single; $this->single = $single;
$this->max = $max; $this->max = $max;
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
$string = $this->parseCDATA($string); $string = $this->parseCDATA($string);
if ($string === '') return false; if ($string === '') return false;
@@ -52,6 +52,7 @@ class HTMLPurifier_AttrDef_CSS_Multiple extends HTMLPurifier_AttrDef
if ($final === '') return false; if ($final === '') return false;
return rtrim($final); return rtrim($final);
} }
} }
// vim: et sw=4 sts=4

31
library/HTMLPurifier/AttrDef/CSS/Number.php
View File

@@ -5,30 +5,30 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef
{ {
/** /**
* Bool indicating whether or not only positive values allowed. * Bool indicating whether or not only positive values allowed.
*/ */
protected $non_negative = false; protected $non_negative = false;
/** /**
* @param $non_negative Bool indicating whether negatives are forbidden * @param $non_negative Bool indicating whether negatives are forbidden
*/ */
public function __construct($non_negative = false) { public function __construct($non_negative = false) {
$this->non_negative = $non_negative; $this->non_negative = $non_negative;
} }
/** /**
* @warning Some contexts do not pass $config, $context. These * @warning Some contexts do not pass $config, $context. These
* variables should not be used without checking HTMLPurifier_Length * variables should not be used without checking HTMLPurifier_Length
*/ */
public function validate($number, $config, $context) { public function validate($number, $config, $context) {
$number = $this->parseCDATA($number); $number = $this->parseCDATA($number);
if ($number === '') return false; if ($number === '') return false;
if ($number === '0') return '0'; if ($number === '0') return '0';
$sign = ''; $sign = '';
switch ($number[0]) { switch ($number[0]) {
case '-': case '-':
@@ -37,32 +37,33 @@ class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef
case '+': case '+':
$number = substr($number, 1); $number = substr($number, 1);
} }
if (ctype_digit($number)) { if (ctype_digit($number)) {
$number = ltrim($number, '0'); $number = ltrim($number, '0');
return $number ? $sign . $number : '0'; return $number ? $sign . $number : '0';
} }
// Period is the only non-numeric character allowed // Period is the only non-numeric character allowed
if (strpos($number, '.') === false) return false; if (strpos($number, '.') === false) return false;
list($left, $right) = explode('.', $number, 2); list($left, $right) = explode('.', $number, 2);
if ($left === '' && $right === '') return false; if ($left === '' && $right === '') return false;
if ($left !== '' && !ctype_digit($left)) return false; if ($left !== '' && !ctype_digit($left)) return false;
$left = ltrim($left, '0'); $left = ltrim($left, '0');
$right = rtrim($right, '0'); $right = rtrim($right, '0');
if ($right === '') { if ($right === '') {
return $left ? $sign . $left : '0'; return $left ? $sign . $left : '0';
} elseif (!ctype_digit($right)) { } elseif (!ctype_digit($right)) {
return false; return false;
} }
return $sign . $left . '.' . $right; return $sign . $left . '.' . $right;
} }
} }
// vim: et sw=4 sts=4

19
library/HTMLPurifier/AttrDef/CSS/Percentage.php
View File

@@ -5,35 +5,36 @@
*/ */
class HTMLPurifier_AttrDef_CSS_Percentage extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_CSS_Percentage extends HTMLPurifier_AttrDef
{ {
/** /**
* Instance of HTMLPurifier_AttrDef_CSS_Number to defer number validation * Instance of HTMLPurifier_AttrDef_CSS_Number to defer number validation
*/ */
protected $number_def; protected $number_def;
/** /**
* @param Bool indicating whether to forbid negative values * @param Bool indicating whether to forbid negative values
*/ */
public function __construct($non_negative = false) { public function __construct($non_negative = false) {
$this->number_def = new HTMLPurifier_AttrDef_CSS_Number($non_negative); $this->number_def = new HTMLPurifier_AttrDef_CSS_Number($non_negative);
} }
public function validate($string, $config, $context) { public function validate($string, $config, $context) {
$string = $this->parseCDATA($string); $string = $this->parseCDATA($string);
if ($string === '') return false; if ($string === '') return false;
$length = strlen($string); $length = strlen($string);
if ($length === 1) return false; if ($length === 1) return false;
if ($string[$length - 1] !== '%') return false; if ($string[$length - 1] !== '%') return false;
$number = substr($string, 0, $length - 1); $number = substr($string, 0, $length - 1);
$number = $this->number_def->validate($number, $config, $context); $number = $this->number_def->validate($number, $config, $context);
if ($number === false) return false; if ($number === false) return false;
return "$number%"; return "$number%";
} }
} }
// vim: et sw=4 sts=4

Some files were not shown because too many files have changed in this diff Show More