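/**
 * Sanitise untrusted HTML through htmLawed.
 *
 * The configuration is deliberately restrictive: applet, form, input,
 * textarea, iframe, script, style, embed and object elements are removed
 * (`*-tag` is htmLawed's "everything except" element syntax), the
 * attribute patterns from `Garden.Html.BlockedAttributes` (every `on*`
 * handler by default) are dropped, comments are stripped, CSS
 * `expression()` is rejected, and only the listed URL schemes are kept
 * in `href` / `classid` / other URL attributes.
 *
 * @param string $Html Untrusted HTML fragment.
 * @return string Sanitised HTML.
 */
public function Format($Html)
{
    // Attribute-name patterns htmLawed must strip; defaults to all on* handlers.
    $Attributes = C('Garden.Html.BlockedAttributes', 'on*');

    // Gdn_Format::$DisplayNoFollow decides whether htmLawed adds rel="nofollow"
    // to links. The flag is on by default; a plugin may clear it. The first
    // element of anti_link_spam is the URL regex that receives nofollow, so
    // '`.`' covers every link and '' disables it.
    $AntiLinkSpam = Gdn_Format::$DisplayNoFollow ? array('`.`', '') : array('', '');

    $Config = array(
        'anti_link_spam' => $AntiLinkSpam,
        'comment' => 1,
        'cdata' => 3,
        'css_expression' => 1,
        'deny_attribute' => $Attributes,
        // NOTE(review): unique_ids is off, so id attributes in user content are
        // passed through as given.
        'unique_ids' => 0,
        'elements' => '*-applet-form-input-textarea-iframe-script-style-embed-object',
        'keep_bad' => 0,
        'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
        'valid_xhtml' => 0,
        'direct_list_nest' => 1,
        'balance' => 1,
    );

    // Turn embedded videos into simple links (legacy workaround).
    $Html = Gdn_Format::UnembedContent($Html);

    if ($this->SafeStyles) {
        // Also deny the style attribute: inline CSS is a common vector for
        // layout hijacking and script-like tricks. Only style is added here;
        // class attributes are still allowed.
        $Config['deny_attribute'] .= ',style';
    }

    // Per-element attribute rules: object may not carry classid/type/codebase,
    // and embed is limited to the Flash MIME type.
    $Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash)';

    return htmLawed($Html, $Config, $Spec);
}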
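 /**
  * Sanitise untrusted HTML through htmLawed.
  *
  * The configuration is deliberately restrictive: applet, form, input,
  * textarea, iframe, script, style, embed, object, select, option, button,
  * fieldset, optgroup and legend elements are removed (`*-tag` is htmLawed's
  * "everything except" element syntax), the attribute patterns from
  * `Garden.Html.BlockedAttributes` (every `on*` handler by default) are
  * dropped, comments are stripped, CSS `expression()` is rejected, only the
  * listed URL schemes are kept, and ids are made unique against the page's
  * own element ids so user content cannot clobber them.
  *
  * @param string $Html Untrusted HTML fragment.
  * @return string Sanitised HTML.
  */
 public function Format($Html)
 {
     // Attribute-name patterns htmLawed must strip; defaults to all on* handlers.
     $Attributes = C('Garden.Html.BlockedAttributes', 'on*');

     // Gdn_Format::$DisplayNoFollow decides whether htmLawed adds rel="nofollow"
     // to links. The flag is on by default; a plugin may clear it. The first
     // element of anti_link_spam is the URL regex that receives nofollow, so
     // '`.`' covers every link and '' disables it.
     $AntiLinkSpam = Gdn_Format::$DisplayNoFollow ? array('`.`', '') : array('', '');

     $Config = array(
         'anti_link_spam' => $AntiLinkSpam,
         'comment' => 1,
         'cdata' => 3,
         'css_expression' => 1,
         'deny_attribute' => $Attributes,
         'unique_ids' => 1,
         'elements' => '*-applet-form-input-textarea-iframe-script-style-embed-object-select-option-button-fieldset-optgroup-legend',
         'keep_bad' => 0,
         'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
         'valid_xhtml' => 0,
         'direct_list_nest' => 1,
         'balance' => 1,
     );

     // Turn embedded videos into simple links (legacy workaround).
     $Html = Gdn_Format::UnembedContent($Html);

     if ($this->SafeStyles) {
         // Also deny the style attribute: inline CSS is a common vector for
         // layout hijacking and script-like tricks. Only style is added here;
         // class attributes are still allowed.
         $Config['deny_attribute'] .= ',style';
     }

     // htmLawed keeps its registry of already-used ids in $GLOBALS['hl_Ids']
     // when unique_ids is on. Seeding it with the ids the page's own markup
     // and JavaScript rely on means a matching id in user content is renamed
     // instead of shadowing the real element. (Global state is htmLawed's
     // interface here, not a choice of this method.)
     $GLOBALS['hl_Ids'] = array(
         'Bookmarks' => 1,
         'CommentForm' => 1,
         'Content' => 1,
         'Definitions' => 1,
         'DiscussionForm' => 1,
         'Foot' => 1,
         'Form_Comment' => 1,
         'Form_User_Password' => 1,
         'Form_User_SignIn' => 1,
         'Head' => 1,
         'HighlightColor' => 1,
         'InformMessageStack' => 1,
         'Menu' => 1,
         'PagerMore' => 1,
         'Panel' => 1,
         'Status' => 1,
     );

     // Per-element attribute rules: object may not carry classid/type/codebase,
     // embed is limited to the Flash MIME type, and anchors may not use class
     // names that the front-end appears to treat as behaviour hooks (Hijack,
     // Dismiss, MorePager, popups, flyouts, ajax).
     $Spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash); a=class(noneof=Hijack|Dismiss|MorePager/nomatch=%pop[in|up|down]|flyout|ajax%i)';

     return htmLawed($Html, $Config, $Spec);
 }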