instance() public static method

Singleton for enforcing just one HTML Purifier in your system
public static instance ( HTMLPurifier | HTMLPurifier_Config $prototype = null ) : HTMLPurifier
$prototype HTMLPurifier | HTMLPurifier_Config Optional prototype: an HTMLPurifier instance that replaces the singleton, or an HTMLPurifier_Config instance used to configure the newly generated singleton.
return HTMLPurifier
コード例 #1
 /**
  * Runs markup through HTMLPurifier so it is safe to output to end users.
  *
  * The config is created with auto-finalisation switched off, presumably so
  * that Cache.SerializerPath can still be written on the purifier's config
  * after the instance has been built from it. Per instance()'s contract, passing
  * a config prototype rebuilds the shared singleton, so later no-argument
  * instance() calls see this configuration as well.
  *
  * @param string     $content markup to purify
  * @param array|null $config  options handed to HTMLPurifier_Config::create();
  *                            null selects the library defaults
  * @return string purified markup
  */
 public static function process($content, $config = null)
 {
     $purifierConfig = \HTMLPurifier_Config::create($config);
     // Keep the config mutable so the cache path can be set below.
     $purifierConfig->autoFinalize = false;

     $purifier = \HTMLPurifier::instance($purifierConfig);
     // NOTE(review): the serializer cache stores generated definitions; the
     // runtime directory should be writable by PHP only and not web-served.
     $purifier->config->set('Cache.SerializerPath', \Yii::$app->getRuntimePath());

     return $purifier->purify($content);
 }
コード例 #2
ファイル: Base.php プロジェクト: CatoTH/html2opendocument
 /**
  * Purifies markup with an HTMLPurifier built from the given options.
  *
  * Auto-finalisation is disabled so Cache.SerializerPath can still be set on
  * the purifier's config once the instance exists; the cache is placed under
  * this object's tmpPath.
  *
  * @param string $html   markup to purify
  * @param array  $config options handed to HTMLPurifier_Config::create()
  * @return string purified markup
  */
 protected function purifyHTML($html, $config)
 {
     $purifierConfig = \HTMLPurifier_Config::create($config);
     // Must stay mutable: the cache path is written after construction.
     $purifierConfig->autoFinalize = false;

     $purifier = \HTMLPurifier::instance($purifierConfig);
     // NOTE(review): tmpPath receives serialized definitions; it should not be
     // shared with untrusted writers or served by the web server.
     $purifier->config->set('Cache.SerializerPath', $this->tmpPath);

     return $purifier->purify($html);
 }
コード例 #3
ファイル: HtmlPurifier.php プロジェクト: ercling/auth
 /**
  * Runs markup through HTMLPurifier so it is safe to output to end users.
  *
  * @param string $content The HTML content to purify
  * @param array|\Closure|null $config Configuration for HTMLPurifier.
  * When omitted or `null` the default config is used. Two forms are accepted:
  *
  * - An array is passed straight to `HTMLPurifier_Config::create()`.
  * - An anonymous function is invoked once the config exists and the purifier
  *   has been built from it. Its signature should be `function($config)`,
  *   where `$config` is an `HTMLPurifier_Config` instance.
  *
  *   Example:
  *
  *   ~~~
  *   // Allow the HTML5 data attribute `data-type` on `img` elements.
  *   $content = HtmlPurifier::process($content, function ($config) {
  *     $config->getHTMLDefinition(true)
  *            ->addAttribute('img', 'data-type', 'Text');
  *   });
  * ~~~
  *
  * @return string the purified HTML content.
  */
 public static function process($content, $config = null)
 {
     $customizer = $config instanceof \Closure ? $config : null;

     // A closure configures the default config; anything else is the config itself.
     $purifierConfig = \HTMLPurifier_Config::create($customizer === null ? $config : null);
     // Keep the config mutable for the cache path below and for the customizer.
     $purifierConfig->autoFinalize = false;

     $purifier = \HTMLPurifier::instance($purifierConfig);
     // NOTE(review): the runtime path holds serialized definitions and should be
     // writable by PHP only; confirm it is outside the document root.
     $purifier->config->set('Cache.SerializerPath', Application::$app->getRuntimePath());

     if ($customizer !== null) {
         $customizer($purifierConfig);
     }

     return $purifier->purify($content);
 }
コード例 #4
 /**
  * Backwards-compatible alias of instance(): returns the single shared
  * HTML Purifier for the whole system.
  *
  * @param HTMLPurifier|HTMLPurifier_Config|null $prototype Optional prototype:
  *                   an HTMLPurifier instance that replaces the singleton,
  *                   or an HTMLPurifier_Config instance used to configure
  *                   the generated singleton.
  *
  * @return HTMLPurifier the shared purifier
  * @see instance()
  */
 public static function getInstance($prototype = null)
 {
     $shared = HTMLPurifier::instance($prototype);

     return $shared;
 }
コード例 #5
ファイル: Input.php プロジェクト: assad2012/gallery3-appfog
 /**
  * Cross-site scripting filter backed by HTMLPurifier.
  *
  * Expects the "Standalone Distribution" of the htmlpurifier library under
  * vendor/ and runs it with tidying disabled, so only XSS cleaning is applied.
  *
  * @param   string  $data  markup to clean
  * @return  string  cleaned markup
  */
 protected function xss_filter_htmlpurifier($data)
 {
     /**
      * @todo License should go here, http://htmlpurifier.org/
      */
     if (!class_exists('HTMLPurifier_Config', false)) {
         // Lazy-load the standalone build on first use
         require Kohana::find_file('vendor', 'htmlpurifier/HTMLPurifier.standalone', true);
     }

     $purifierConfig = HTMLPurifier_Config::createDefault();
     // No tidying: this filter is meant to strip XSS vectors only
     $purifierConfig->set('HTML.TidyLevel', 'none');

     // Definition cache is optional and only honoured when configured as a path string
     $cacheDir = Kohana::config('html_purifier.cache');
     if (is_string($cacheDir) && $cacheDir) {
         $purifierConfig->set('Cache.SerializerPath', $cacheDir);
     }

     return HTMLPurifier::instance($purifierConfig)->purify($data);
 }
コード例 #6
ファイル: add_document.php プロジェクト: rorteg/fengoffice
<input type="hidden" id="<?php 
// NOTE(review): $genid is written into an attribute without escaping. That is
// only safe if it is a server-generated id and never request-derived — confirm.
echo $genid;
?>
commentsRequired" value="<?php 
// Boolean site option rendered as '1'/'0' for the client-side form logic
echo config_option('file_revision_comments_required') ? '1' : '0';
?>
"/>

<?php 
// Render pending form validation errors before the editor content is prepared
tpl_display(get_template_path('form_errors'));
if ($file->isNew()) {
    $ckEditorContent = '';
} else {
    $content = $file->getFileContentWithRealUrls();
    require_once LIBRARY_PATH . "/htmlpurifier/HTMLPurifier.standalone.php";
    // Stored content is purified before it is handed to the editor.
    // NOTE(review): instance() without a prototype returns the shared singleton,
    // so the effective configuration is whatever an earlier caller in this
    // request set up (library defaults otherwise) — confirm that is intended.
    $ckEditorContent = HTMLPurifier::instance()->purify($content);
}
// Page actions are registered in order: release-on-leave and check-in only
// when online editing requires a checkout, then the save / save-as actions.
if (config_option('checkout_for_editing_online')) {
    ajx_on_leave("og.openLink('" . get_url('files', 'release_file', array('id' => $file->getId())) . "')");
    add_page_action(lang("checkin file"), "javascript:(function(){ var form = document.getElementById('{$genid}form'); form.checkin.value = '1'; form.new_revision_document.value = 'checked'; form.rename = false; form.onsubmit(); })()", "ico-checkin");
}
add_page_action(lang("save"), "javascript:(function(){ var form = document.getElementById('{$genid}form'); form.new_revision_document.value = 'checked'; form.rename = false; form.onsubmit(); })()", "save");
add_page_action(lang("save as"), "javascript:(function(){ var form = document.getElementById('{$genid}form'); form.new_revision_document.value = 'checked'; form.rename = true; form.onsubmit(); })()", "save_as");
?>

 	<div>
		<input type="hidden" id="fileContent" name="fileContent" value="" />
		<input type="hidden" id="fileid" name="file[id]" value="<?php 
if (!$file->isNew()) {
    echo $file->getId();
}
コード例 #7
 /**
  * Sanitizes user-supplied HTML so it can be displayed without XSS.
  * Use this whenever HTML entered by users is going to be rendered.
  *
  * NOTE(review): HTMLPurifier emits entity-encoded text, and the final
  * html_entity_decode() turns `&lt;`, `&gt;` and quotes inside text nodes back
  * into literal characters. The returned string is therefore only safe when
  * the caller escapes it again for its output context — confirm how callers
  * use the result before treating it as ready-to-render markup.
  *
  * @param string $raw_html HTML entered by a user
  *
  * @return string purified HTML with entities decoded
  *
  * @throws DeveloperException when the purifier throws (original exception is not chained)
  */
 public static function sanitizeHtml($raw_html)
 {
     try {
         // Definition cache lives below the application cache path
         $cacheDir = fn_get_cache_path(false) . 'html_purifier/';
         if (!is_dir($cacheDir)) {
             fn_mkdir($cacheDir);
         }

         $purifierConfig = \HTMLPurifier_Config::createDefault();
         // Version the definition id so cached definitions are rebuilt on upgrade
         $purifierConfig->set('HTML.DefinitionID', PRODUCT_NAME . '_' . PRODUCT_VERSION);
         $purifierConfig->set('HTML.DefinitionRev', 1);
         $purifierConfig->set('Cache.SerializerPath', $cacheDir);
         $purifierConfig->set('Cache.SerializerPermissions', DEFAULT_DIR_PERMISSIONS);
         // Keep the config mutable so the hook below can still adjust it
         $purifierConfig->autoFinalize = false;

         /**
          * Allows to configure HTMLPurifier before it purifies given HTML.
          *
          * @param \HTMLPurifier_Config $purifierConfig Instance of HTMLPurifier_Config
          * @param string               $raw_html       HTML to be purified
          */
         fn_set_hook('sanitize_html', $purifierConfig, $raw_html);

         /** @var \HTMLPurifier_HTMLDefinition|null $definition */
         $definition = $purifierConfig->maybeGetRawHTMLDefinition();
         if ($definition) {
             // Permit target= on links, restricted to a fixed set of window names
             $definition->addAttribute('a', 'target', new \HTMLPurifier_AttrDef_Enum(['_blank', '_self', '_target', '_top']));
         }

         $purified = \HTMLPurifier::instance($purifierConfig)->purify($raw_html);

         return html_entity_decode($purified, ENT_QUOTES, 'UTF-8');
     } catch (\Exception $e) {
         throw new DeveloperException($e->getMessage());
     }
 }
コード例 #8
ファイル: SecurityHelper.php プロジェクト: heg-arc-ne/cscart
 /**
  * Sanitizes user-supplied HTML so it can be displayed without XSS.
  * Use this whenever HTML entered by users is going to be rendered.
  *
  * NOTE(review): HTMLPurifier emits entity-encoded text, and the final
  * html_entity_decode() turns `&lt;`, `&gt;` and quotes inside text nodes back
  * into literal characters. The returned string is therefore only safe when
  * the caller escapes it again for its output context — confirm how callers
  * use the result before treating it as ready-to-render markup.
  *
  * @param string $raw_html HTML entered by a user
  *
  * @return string purified HTML with entities decoded
  *
  * @throws DeveloperException when the purifier throws (original exception is not chained)
  */
 public static function sanitizeHtml($raw_html)
 {
     try {
         // Definition cache lives below the misc cache directory
         $cacheDir = Registry::get('config.dir.cache_misc') . 'html_purifier/';
         if (!is_dir($cacheDir)) {
             fn_mkdir($cacheDir);
         }

         $purifierConfig = \HTMLPurifier_Config::createDefault();
         // Version the definition id so cached definitions are rebuilt on upgrade
         $purifierConfig->set('HTML.DefinitionID', PRODUCT_NAME . '_' . PRODUCT_VERSION);
         $purifierConfig->set('HTML.DefinitionRev', 1);
         $purifierConfig->set('Cache.SerializerPath', $cacheDir);
         $purifierConfig->set('Cache.SerializerPermissions', DEFAULT_DIR_PERMISSIONS);
         // Keep the config mutable so the raw definition can still be edited
         $purifierConfig->autoFinalize = false;

         $definition = $purifierConfig->maybeGetRawHTMLDefinition();
         if ($definition) {
             // Permit target= on links, restricted to a fixed set of window names
             $definition->addAttribute('a', 'target', new \HTMLPurifier_AttrDef_Enum(['_blank', '_self', '_target', '_top']));
         }

         $purified = \HTMLPurifier::instance($purifierConfig)->purify($raw_html);

         return html_entity_decode($purified, ENT_QUOTES, 'UTF-8');
     } catch (\Exception $e) {
         throw new DeveloperException($e->getMessage());
     }
 }
コード例 #9
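 /**
  * Backwards-compatible alias of HTMLPurifier::instance().
  *
  * The legacy by-reference signature is kept for callers. The result is
  * stored in a local before being returned, because returning a function
  * call directly from a `function &` raises the notice "Only variable
  * references should be returned by reference".
  *
  * @param HTMLPurifier|HTMLPurifier_Config|null $prototype see instance()
  * @return HTMLPurifier the shared purifier
  */
 function &getInstance($prototype = null)
 {
     $instance = HTMLPurifier::instance($prototype);

     return $instance;
 }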
コード例 #10
 /**
  * Builds an HTMLPurifier whose element and attribute whitelists default to
  * the values stored in the site options.
  *
  * @param array|null $allowedHtmlElements   element names to allow; null reads
  *                                          the html_purifier_allowed_html_elements option
  * @param array|null $allowedHtmlAttributes attribute names ("element.attr") to
  *                                          allow; null reads the
  *                                          html_purifier_allowed_html_attributes option
  * @return HTMLPurifier 
  **/
 public static function createHtmlPurifier($allowedHtmlElements = null, $allowedHtmlAttributes = null)
 {
     // Pull in the HTML Purifier autoloader (resolved via the include path).
     require_once 'htmlpurifier/HTMLPurifier.auto.php';

     // Fall back to the configured whitelists. Per the original author: a NULL
     // option allows a subset of TinyMCE's valid_elements whitelist, while an
     // empty string disallows all HTML elements.
     $elements = $allowedHtmlElements;
     if ($elements === null) {
         $elements = explode(',', get_option('html_purifier_allowed_html_elements'));
     }
     $attributes = $allowedHtmlAttributes;
     if ($attributes === null) {
         $attributes = explode(',', get_option('html_purifier_allowed_html_attributes'));
     }

     // Drop attributes whose element is not allowed (e.g. 'a.href' when there
     // is no 'a' element) so the attribute list cannot widen the element list.
     $attributes = self::filterAttributesWithMissingElements($attributes, $elements);

     $purifierConfig = HTMLPurifier_Config::createDefault();
     // Class-wide defaults first, then the per-call whitelists
     foreach (self::$_purifierConfig as $option => $setting) {
         $purifierConfig->set($option, $setting);
     }
     $purifierConfig->set('HTML.AllowedElements', $elements);
     $purifierConfig->set('HTML.AllowedAttributes', $attributes);

     return HTMLPurifier::instance($purifierConfig);
 }
コード例 #11
 /**
  * Purifies markup with the shared HTMLPurifier singleton.
  *
  * The singleton's configuration is whatever a previous instance() call
  * established (library defaults otherwise).
  *
  * @param string $html markup to clean
  * @return string cleaned markup
  */
 public static function purify($html)
 {
     $purifier = HTMLPurifier::instance();

     return $purifier->purify($html);
 }
コード例 #12
ファイル: HtmlPurifier.php プロジェクト: henvic/MediaLab
 /**
  * Purifies markup with the shared HTMLPurifier and converts the remaining
  * newlines to <br /> tags.
  *
  * @param string $html markup to clean
  * @return string cleaned markup with line breaks
  */
 public function purify($html)
 {
     // AutoFormat.AutoParagraph doesn't provide <br />, so newlines are turned
     // into <br /> after purification; nl2br only inserts the tag and keeps the
     // newline, so the purified output is not otherwise altered.
     return nl2br(HTMLPurifier::instance()->purify($html));
 }
コード例 #13
 /**
  * Marks up a string with paragraphs and automatically links any URLs.
  *
  * This function marks up the output with paragraph tags and auto-links any URLs that are found.
  * The resulting output is suitable for display in any web-browser, but must have
  * paragraph and extra html tags removed before it's ready for editing.
  *
  * Content is XSS cleaned and stripped of all but a few tags (specified by implementation.)
  *
  * @param string $string      The HTML string to format
  * @param string $allowedTags (optional) A comma-separated list of allowed tags.
  * @param bool   $linkUrls    (optional) Whether to register the Linkify injector
  *                            that auto-links URLs (only when no injectors are set yet).
  *
  * @return string A nicely-formatted version of the input text, with automatic paragraphs and urls in place
  *
  * @see unAutoParagraph()
  */
 public function autoParagraph($string, $allowedTags = null, $linkUrls = true)
 {
     if (is_null($allowedTags)) {
         $allowedTags = $this->defaultAllowedTags;
     }
     if (is_null($this->purifier)) {
         // Lazily load the purifier and create a cache directory.
         // NOTE(review): the '/purifier/' subdirectory created here is not the
         // path passed as Cache.SerializerPath below — confirm which is intended.
         require_once PATH_SYSTEM . '/vendors/HTMLPurifier.php';
         $this->purifier = HTMLPurifier::instance();
         FileSystemUtils::recursiveMkdir($this->vendorCacheDirectory . '/purifier/');
     }
     if ($this->injectors == null && $linkUrls) {
         $this->injectors = array(new CF_HTMLPurifier_Injector_Linkify());
     }
     // Per-call configuration: tag whitelist, auto-paragraphing, no tidying.
     $purifierConfig = array('Core.Encoding' => $this->charset, 'AutoFormat.AutoParagraph' => true, 'HTML.TidyLevel' => 'none', 'HTML.Allowed' => $allowedTags, 'Cache.SerializerPath' => $this->vendorCacheDirectory);
     if (!is_null($this->injectors)) {
         $purifierConfig['AutoFormat.Custom'] = $this->injectors;
     }
     $string = $this->purifier->purify($string, $purifierConfig);
     // Keep paragraph breaks (double newline) but turn single newlines into <br/>.
     // The '[DBLBR]' placeholder is also expanded if it already appeared in the text.
     $string = str_replace("\n\n", '[DBLBR]', $string);
     $string = str_replace("\n", '<br/>', $string);
     $string = str_replace('[DBLBR]', "\n\n", $string);
     // trim links
     $string = preg_replace_callback("/\\<a\\s+href\\=\"(" . URLUtils::URL_MATCH . ")\"\\>\\1<\\/a\\>/Uix", array($this, 'trimCallback'), $string);
     // trim all words longer than 60 chars that aren't URLs, ignoring tags
     // NOTE(review): as written the pattern is /\S60/ — one non-whitespace
     // character followed by the digits "60" — which does not match the
     // comment above; a quantifier such as \S{60,} looks intended. Confirm
     // against the original source before relying on this trimming.
     if (preg_match_all("/\\S60/", strip_tags(preg_replace('/(\\<(\\/?[^\\>]+)\\>)/', ' $1', $string)), $m)) {
         foreach ($m[0] as $n) {
             if (!preg_match("/" . URLUtils::URL_MATCH . "/", $n)) {
                 // Replaces every occurrence of the word, including any inside tags
                 $string = str_replace($n, trim(substr($n, 0, 60 - 3), '.') . '...', $string);
             }
         }
     }
     return $string;
 }
コード例 #14
ファイル: Journal.inc.php プロジェクト: alcexhim/PhoenixSNS
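 /**
  * Adds a comment to this journal entry and notifies the journal's creator.
  *
  * Title and content are run through HTMLPurifier before being stored; the
  * purified content is also embedded verbatim in the notification text.
  *
  * @param string      $comment_title
  * @param string      $comment_content
  * @param object|null $comment_parent parent comment (exposes ->ID), or null for a top-level comment
  * @param User|null   $comment_author defaults to the current user
  * @return bool false when no author is available, otherwise whether the INSERT succeeded
  */
 public function AddComment($comment_title, $comment_content, $comment_parent = null, $comment_author = null)
 {
     // check to see if author exists
     if ($comment_author == null) {
         $comment_author = User::GetCurrent();
     }
     if ($comment_author == null) {
         return false;
     }
     // HTMLPurify the user-supplied parameters
     $purifier = HTMLPurifier::instance();
     $comment_title = $purifier->purify($comment_title);
     $comment_content = $purifier->purify($comment_content);
     global $MySQL;
     // Numeric columns are cast to int so a non-numeric ID cannot change the
     // statement; string columns go through real_escape_string. A prepared
     // statement would be preferable if the $MySQL wrapper supports one.
     $parentId = $comment_parent == null ? "NULL" : (string) (int) $comment_parent->ID;
     $query = "INSERT INTO " . System::$Configuration["Database.TablePrefix"] . "journal_entry_comments (journal_entry_id, author_id, comment_parent_id, comment_title, comment_content, comment_timestamp_created) VALUES (" . (int) $this->ID . ", " . (int) $comment_author->ID . ", " . $parentId . ", " . "'" . $MySQL->real_escape_string($comment_title) . "', " . "'" . $MySQL->real_escape_string($comment_content) . "', " . "NOW()" . ")";
     $MySQL->query($query);
     $success = $MySQL->errno == 0;
     if ($success) {
         // notify the user that we commented on their journal
         Notification::Create($this->Journal->Creator, "I commented on <a href=\"" . $this->Journal->GetURL() . "/entries/" . $this->Name . "\">" . $this->Title . "</a>!", "\"" . $comment_content . "\"", User::GetCurrent());
     }
     return $success;
 }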
コード例 #15
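 /**
  * Stores a shoutout message from $sender to $receiver and notifies the receiver.
  *
  * The content is purified with HTMLPurifier before storage and is embedded
  * verbatim in the notification text.
  *
  * @param object $sender   user sending the message (exposes ->ID)
  * @param object $receiver user receiving the message (exposes ->ID)
  * @param string $content  message markup
  * @return bool whether the INSERT succeeded
  */
 public static function Create($sender, $receiver, $content)
 {
     $content = HTMLPurifier::instance()->purify($content);
     // IDs are cast to int so only numeric values reach the statement; the
     // content is escaped. NOTE(review): the ext/mysql functions used here are
     // removed in PHP 7 — moving to a prepared statement is the real fix.
     $query = "INSERT INTO phpmmo_shoutout_messages (message_sender_id, message_receiver_id, message_content, message_timestamp) VALUES (" . (int) $sender->ID . ", " . (int) $receiver->ID . ", " . "'" . mysql_real_escape_string($content) . "', " . "NOW()" . ");";
     mysql_query($query);
     $success = mysql_errno() == 0;
     if ($success) {
         // notify the user that we sent them a shoutout
         Notification::Create($receiver, "I wrote you a Shoutout message!", "\"" . $content . "\"", $sender);
     }
     return $success;
 }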
コード例 #16
ファイル: Group.inc.php プロジェクト: alcexhim/PhoenixSNS
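 /**
  * Adds a comment to a group topic.
  *
  * Title and content are purified with HTMLPurifier before being stored.
  *
  * @param string    $title
  * @param string    $content
  * @param User|null $author           defaults to the current user
  * @param int|null  $reply_comment_id comment being replied to, or null for a top-level comment
  * @return bool false when no author is available, otherwise whether the INSERT succeeded
  */
 public function AddComment($title, $content, $author = null, $reply_comment_id = null)
 {
     if ($author == null) {
         $author = User::GetCurrent();
     }
     // Without an author there is nothing valid to store (matches the journal comment code)
     if ($author == null) {
         return false;
     }
     $purifier = HTMLPurifier::instance();
     $title = $purifier->purify($title);
     $content = $purifier->purify($content);
     global $MySQL;
     // The reply id was previously tested through an undefined $reply_to
     // variable, which made every comment top-level; test the parameter itself.
     // Numeric columns are cast to int, string columns are escaped.
     $replyId = $reply_comment_id == null ? "NULL" : (string) (int) $reply_comment_id;
     // NOTE(review): $topic is not defined in this method; the parallel journal
     // code uses $this->ID for the owning record — confirm which object holds the topic id.
     $query = "INSERT INTO " . System::$Configuration["Database.TablePrefix"] . "GroupTopicComments (grouptopiccomment_TopicID, grouptopiccomment_CreationUserID, grouptopiccomment_Title, grouptopiccomment_Content, grouptopiccomment_ReplyCommentID, grouptopiccomment_CreationTimestamp) VALUES (" . (int) $topic->ID . ", " . (int) $author->ID . ", " . "'" . $MySQL->real_escape_string($title) . "', " . "'" . $MySQL->real_escape_string($content) . "', " . $replyId . ", " . "NOW()" . ");";
     $MySQL->query($query);
     return $MySQL->errno == 0;
 }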