mirror of
				https://github.com/ezyang/htmlpurifier.git
				synced 2025-10-25 10:36:59 +02:00 
			
		
		
		
	- Destroy some zombie context variables - Reorganize some TODO items git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1347 48356398-32a2-884e-a903-53898d9a118a
		
			
				
	
	
		
			44 lines
		
	
	
		
			1.9 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			44 lines
		
	
	
		
			1.9 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| 
 | |
| Configuration Ideas
 | |
| 
 | |
| Here are some theoretical configuration ideas that we could implement some
 | |
| time.  Note the naming convention: %Namespace.Directive. If you want one
 | |
| implemented, give us a ring, and we'll move it up the priority chain.
 | |
| 
 | |
| %Attr.RewriteFragments - if there's %Attr.IDPrefix we may want to transparently
 | |
|     rewrite the URLs we parse too.  However, we can only do it when it's a pure
 | |
|     anchor link, so it's not foolproof
 | |
| 
 | |
| %Attr.ClassBlacklist,
 | |
| %Attr.ClassWhitelist,
 | |
| %Attr.ClassPolicy - determines what classes are allowed. When
 | |
|     %Attr.ClassPolicy is set to Blacklist, only allow those not in
 | |
|     %Attr.ClassBlacklist. When it's Whitelist, only allow those in
 | |
|     %Attr.ClassWhitelist.
 | |
| 
 | |
| %Attr.MaxWidth, 
 | |
| %Attr.MaxHeight - caps for width and height related checks.
 | |
|     (the hack in Pixels for an image crashing attack could be replaced by this)
 | |
| 
 | |
| %URI.AddRelNofollow - will add rel="nofollow" to all links, preventing the
 | |
|     spread of ill-gotten pagerank
 | |
| 
 | |
| %URI.HostBlacklistRegex - regexes that if matching the host are disallowed
 | |
| %URI.HostWhitelist - domain names that are excluded from the host blacklist
 | |
| %URI.HostPolicy - determines whether or not its reject all and then whitelist
 | |
|     or allow all in then do specific blacklists with whitelist intervening.
 | |
|     'DenyAll' or 'AllowAll' (default)
 | |
| 
 | |
| %URI.DisableIPHosts - URIs that have IP addresses for hosts are disallowed.
 | |
|     Be sure to also grab unusual encodings (dword, hex and octal), which may
 | |
|     be currently be caught by regular DNS
 | |
| %URI.DisableIDN - Disallow raw internationalized domain names. Punycode
 | |
|     will still be permitted.
 | |
| 
 | |
| %URI.ConvertUnusualIPHosts - transform dword/hex/octal IP addresses to the
 | |
|     regular form
 | |
| %URI.ConvertAbsoluteDNS - Remove extra dots after host names that trigger
 | |
|     absolute DNS.  While this is actually the preferred method according to
 | |
|     the RFC, most people opt to use a relative domain name relative to . (root).
 | |
| 
 |