コード例 #1
0
 /**
  * {@inheritDoc}
  */
 public static function instance($prototype = null)
 {
     $instance = parent::instance($prototype);
     $instance->add('AutoFormat.LinkifyWithTextLengthLimit.Limit', null, 'mixed', true);
     $instance->add('AutoFormat.LinkifyWithTextLengthLimit.Suffix', ' ...', 'string', true);
     $instance->add('AutoFormat.LinkifyWithTextLengthLimit.RemoveProtocol', true, 'bool', false);
     return $instance;
 }
コード例 #2
0
 /**
  * Retrieves an instance of the application-wide configuration definition.
  */
 public static function instance($prototype = null)
 {
     if ($prototype !== null) {
         HTMLPurifier_ConfigSchema::$singleton = $prototype;
     } elseif (HTMLPurifier_ConfigSchema::$singleton === null || $prototype === true) {
         HTMLPurifier_ConfigSchema::$singleton = HTMLPurifier_ConfigSchema::makeFromSerial();
     }
     return HTMLPurifier_ConfigSchema::$singleton;
 }
コード例 #3
0
 public function register(Application $app)
 {
     parent::register($app);
     $app['form.secret'] = $app->share(function () use($app) {
         return md5('form_secret' . $app['salt']);
     });
     $app['html_purifier.allowed_elements'] = ['p', 'ul', 'ol', 'li', 'b', 'i', 'strong', 'em', 'img', 'sub', 'sup', 'blockquote', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'a', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'address', 'br', 'dl', 'dt', 'dd'];
     $app['html_purifier.allowed_attributes'] = ['*.class', 'img.src', 'img.alt', 'a.href', 'a.title', 'td.abbr', 'td.colspan', 'td.rowspan', 'th.abbr', 'th.colspan', 'th.rowspan', 'table.summary'];
     $app['html_purifier.config'] = $app->share(function () use($app) {
         $config = new \HTMLPurifier_Config(\HTMLPurifier_ConfigSchema::instance());
         $config->set('HTML.Doctype', 'XHTML 1.0 Strict');
         $config->set('HTML.AllowedElements', implode(',', $app['html_purifier.allowed_elements']));
         $config->set('HTML.AllowedAttributes', implode(',', $app['html_purifier.allowed_attributes']));
         $config->set('AutoFormat.RemoveEmpty', true);
         $config->set('AutoFormat.AutoParagraph', true);
         $config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true);
         $cachePath = $app['paths.cache'] . '/htmlpurifier';
         if (!is_dir($cachePath)) {
             mkdir($cachePath, 0777, true);
         }
         $config->set('Cache.SerializerPath', $cachePath);
         return $config;
     });
     $app['html_purifier'] = $app->share(function () use($app) {
         return new \HTMLPurifier($app['html_purifier.config']);
     });
     $app['form.html_purifier'] = $app->share(function () use($app) {
         return new HtmlPurifier($app['html_purifier']);
     });
     $app['form.html_extension'] = $app->share(function () use($app) {
         return new HtmlExtension(new HtmlType($app['form.html_purifier']), new HtmlTypeGuesser($app['annotations.reader']));
     });
     $app['form.extensions'] = $app->share($app->extend('form.extensions', function (array $extensions) use($app) {
         $extensions[] = new DoctrineOrmExtension($app['orm.manager_registry']);
         $extensions[] = $app['form.html_extension'];
         return $extensions;
     }));
     $app['form.type.extensions'] = $app->share($app->extend('form.type.extensions', function (array $extensions) use($app) {
         $extensions[] = new FormTypeExtension();
         $extensions[] = new DateTypeExtension();
         $extensions[] = new TimeTypeExtension();
         return $extensions;
     }));
 }
コード例 #4
0
 public function build($interchange)
 {
     $schema = new HTMLPurifier_ConfigSchema();
     foreach ($interchange->namespaces as $n) {
         $schema->addNamespace($n->namespace);
     }
     foreach ($interchange->directives as $d) {
         $schema->add($d->id->namespace, $d->id->directive, $d->default, $d->type, $d->typeAllowsNull);
         if ($d->allowed !== null) {
             $schema->addAllowedValues($d->id->namespace, $d->id->directive, $d->allowed);
         }
         foreach ($d->aliases as $alias) {
             $schema->addAlias($alias->namespace, $alias->directive, $d->id->namespace, $d->id->directive);
         }
         if ($d->valueAliases !== null) {
             $schema->addValueAliases($d->id->namespace, $d->id->directive, $d->valueAliases);
         }
     }
     $schema->postProcess();
     return $schema;
 }
コード例 #5
0
ファイル: ChildDef.php プロジェクト: jbzdak/wikidot
<?php

// HTMLPurifier_ChildDef and inheritance have three types of output:
// true = leave nodes as is
// false = delete parent node and all children
// array(...) = replace children nodes with these
HTMLPurifier_ConfigSchema::define('Core', 'EscapeInvalidChildren', false, 'bool', 'When true, a child is found that is not allowed in the context of the ' . 'parent element will be transformed into text as if it were ASCII. When ' . 'false, that element and all internal tags will be dropped, though text ' . 'will be preserved.  There is no option for dropping the element but ' . 'preserving child nodes.');
/**
 * Defines allowed child nodes and validates tokens against it.
 */
class HTMLPurifier_ChildDef
{
    /**
     * Type of child definition, usually right-most part of class name lowercase.
     * Used occasionally in terms of context.
     */
    public $type;
    /**
     * Bool that indicates whether or not an empty array of children is okay
     * 
     * This is necessary for redundant checking when changes affecting
     * a child node may cause a parent node to now be disallowed.
     */
    public $allow_empty;
    /**
     * Lookup array of all elements that this definition could possibly allow
     */
    public $elements = array();
    /**
     * Validates nodes according to definition and returns modification.
     * 
コード例 #6
0
    <strong>Warning:</strong> If another directive conflicts with the 
    elements here, <em>that</em> directive will win and override. For 
    example, %HTML.EnableAttrID will take precedence over *.id in this 
    directive.  You must set that directive to true before you can use 
    IDs at all. This directive has been available since 1.3.0.
</p>
');
HTMLPurifier_ConfigSchema::define('HTML', 'Allowed', null, 'itext/null', '
<p>
    This is a convenience directive that rolls the functionality of
    %HTML.AllowedElements and %HTML.AllowedAttributes into one directive.
    Specify elements and attributes that are allowed using:
    <code>element1[attr1|attr2],element2...</code>. You can also use
    newlines instead of commas to separate elements.
</p>
<p>
    <strong>Warning</strong>:
    All of the constraints on the component directives are still enforced.
    The syntax is a <em>subset</em> of TinyMCE\'s <code>valid_elements</code>
    whitelist: directly copy-pasting it here will probably result in
    broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes
    are set, this directive has no effect.
    This directive has been available since 2.0.0.
</p>
');
/**
 * Definition of the purified HTML that describes allowed children,
 * attributes, and many other things.
 * 
 * Conventions:
 * 
 * All member variables that are prefixed with info
コード例 #7
0
ファイル: testSchema.php プロジェクト: hasshy/sahana-tw
<?php

// overload default configuration schema temporarily
$custom_schema = new HTMLPurifier_ConfigSchema();
$old = HTMLPurifier_ConfigSchema::instance();
$custom_schema =& HTMLPurifier_ConfigSchema::instance($custom_schema);
HTMLPurifier_ConfigSchema::defineNamespace('Element', 'Chemical substances that cannot be further decomposed');
HTMLPurifier_ConfigSchema::define('Element', 'Abbr', 'H', 'string', 'Abbreviation of element name.');
HTMLPurifier_ConfigSchema::define('Element', 'Name', 'hydrogen', 'istring', 'Full name of atoms.');
HTMLPurifier_ConfigSchema::define('Element', 'Number', 1, 'int', 'Atomic number, is identity.');
HTMLPurifier_ConfigSchema::define('Element', 'Mass', 1.00794, 'float', 'Atomic mass.');
HTMLPurifier_ConfigSchema::define('Element', 'Radioactive', false, 'bool', 'Does it have rapid decay?');
HTMLPurifier_ConfigSchema::define('Element', 'Isotopes', array('1' => true, '2' => true, '3' => true), 'lookup', 'What numbers of neutrons for this element have been observed?');
HTMLPurifier_ConfigSchema::define('Element', 'Traits', array('nonmetallic', 'odorless', 'flammable'), 'list', 'What are general properties of the element?');
HTMLPurifier_ConfigSchema::define('Element', 'IsotopeNames', array('1' => 'protium', '2' => 'deuterium', '3' => 'tritium'), 'hash', 'Lookup hash of neutron counts to formal names.');
HTMLPurifier_ConfigSchema::defineNamespace('Instrument', 'Of the musical type.');
HTMLPurifier_ConfigSchema::define('Instrument', 'Manufacturer', 'Yamaha', 'string', 'Who made it?');
HTMLPurifier_ConfigSchema::defineAllowedValues('Instrument', 'Manufacturer', array('Yamaha', 'Conn-Selmer', 'Vandoren', 'Laubin', 'Buffet', 'other'));
HTMLPurifier_ConfigSchema::defineValueAliases('Instrument', 'Manufacturer', array('Selmer' => 'Conn-Selmer'));
HTMLPurifier_ConfigSchema::define('Instrument', 'Family', 'woodwind', 'istring', 'What family is it?');
HTMLPurifier_ConfigSchema::defineAllowedValues('Instrument', 'Family', array('brass', 'woodwind', 'percussion', 'string', 'keyboard', 'electronic'));
HTMLPurifier_ConfigSchema::defineValueAliases('Instrument', 'Family', array('synth' => 'electronic'));
HTMLPurifier_ConfigSchema::defineNamespace('ReportCard', 'It is for grades.');
HTMLPurifier_ConfigSchema::define('ReportCard', 'English', null, 'string/null', 'Grade from English class.');
HTMLPurifier_ConfigSchema::define('ReportCard', 'Absences', 0, 'int', 'How many times missing from school?');
HTMLPurifier_ConfigSchema::defineNamespace('Text', 'This stuff is long, boring, and English.');
HTMLPurifier_ConfigSchema::define('Text', 'AboutUs', 'Nothing much, but this should be decently long so that a textarea would be better', 'text', 'Who are we? What are we up to?');
HTMLPurifier_ConfigSchema::define('Text', 'Hash', "not-case-sensitive\nstill-not-case-sensitive\nsuper-not-case-sensitive", 'itext', 'This is of limited utility, but of course it ends up being used.');
コード例 #8
0
');
HTMLPurifier_ConfigSchema::define('Core', 'RemoveScriptContents', null, 'bool/null', '
<p>
  This directive enables HTML Purifier to remove not only script tags
  but all of their contents. This directive has been deprecated since 2.1.0,
  and when not set the value of %Core.HiddenElements will take
  precedence. This directive has been available since 2.0.0, and can be used to 
  revert to pre-2.0.0 behavior by setting it to false.
</p>
');
HTMLPurifier_ConfigSchema::define('Core', 'HiddenElements', array('script' => true, 'style' => true), 'lookup', '
<p>
  This directive is a lookup array of elements which should have their
  contents removed when they are not allowed by the HTML definition.
  For example, the contents of a <code>script</code> tag are not 
  normally shown in a document, so if script tags are to be removed,
  their contents should be removed to. This is opposed to a <code>b</code>
  tag, which defines some presentational changes but does not hide its
  contents.
</p>
');
/**
 * Removes all unrecognized tags from the list of tokens.
 * 
 * This strategy iterates through all the tokens and removes unrecognized
 * tokens. If a token is not recognized but a TagTransform is defined for
 * that element, the element will be transformed accordingly.
 */
class HTMLPurifier_Strategy_RemoveForeignElements extends HTMLPurifier_Strategy
{
    function execute($tokens, $config, &$context)
コード例 #9
0
 /** @see HTMLPurifier_ConfigSchema->addAlias() */
 public static function defineAlias($namespace, $name, $new_namespace, $new_name)
 {
     HTMLPurifier_ConfigSchema::deprecated(__METHOD__);
     $def = HTMLPurifier_ConfigSchema::instance();
     $def->addAlias($namespace, $name, $new_namespace, $new_name);
 }
コード例 #10
0
ファイル: Config.php プロジェクト: annickvdp/Chamilo1.9.10
 /**
  * Returns a list of array(namespace, directive) for all directives
  * that are allowed in a web-form context as per an allowed
  * namespaces/directives list.
  * @param $allowed List of allowed namespaces/directives
  */
 public static function getAllowedDirectivesForForm($allowed, $schema = null)
 {
     if (!$schema) {
         $schema = HTMLPurifier_ConfigSchema::instance();
     }
     if ($allowed !== true) {
         if (is_string($allowed)) {
             $allowed = array($allowed);
         }
         $allowed_ns = array();
         $allowed_directives = array();
         $blacklisted_directives = array();
         foreach ($allowed as $ns_or_directive) {
             if (strpos($ns_or_directive, '.') !== false) {
                 // directive
                 if ($ns_or_directive[0] == '-') {
                     $blacklisted_directives[substr($ns_or_directive, 1)] = true;
                 } else {
                     $allowed_directives[$ns_or_directive] = true;
                 }
             } else {
                 // namespace
                 $allowed_ns[$ns_or_directive] = true;
             }
         }
     }
     $ret = array();
     foreach ($schema->info as $key => $def) {
         list($ns, $directive) = explode('.', $key, 2);
         if ($allowed !== true) {
             if (isset($blacklisted_directives["{$ns}.{$directive}"])) {
                 continue;
             }
             if (!isset($allowed_directives["{$ns}.{$directive}"]) && !isset($allowed_ns[$ns])) {
                 continue;
             }
         }
         if (isset($def->isAlias)) {
             continue;
         }
         if ($directive == 'DefinitionID' || $directive == 'DefinitionRev') {
             continue;
         }
         $ret[] = array($ns, $directive);
     }
     return $ret;
 }
コード例 #11
0
define('HTMLPURIFIER_PREFIX', dirname(__FILE__));
// almost every class has an undocumented dependency to these, so make sure
// they get included
require_once 'HTMLPurifier/ConfigSchema.php';
// important
require_once 'HTMLPurifier/Config.php';
require_once 'HTMLPurifier/Context.php';
require_once 'HTMLPurifier/Lexer.php';
require_once 'HTMLPurifier/Generator.php';
require_once 'HTMLPurifier/Strategy/Core.php';
require_once 'HTMLPurifier/Encoder.php';
require_once 'HTMLPurifier/ErrorCollector.php';
require_once 'HTMLPurifier/LanguageFactory.php';
HTMLPurifier_ConfigSchema::define('Core', 'CollectErrors', false, 'bool', '
Whether or not to collect errors found while filtering the document. This
is a useful way to give feedback to your users. CURRENTLY NOT IMPLEMENTED.
This directive has been available since 2.0.0.
');
/**
 * Main library execution class.
 * 
 * Facade that performs calls to the HTMLPurifier_Lexer,
 * HTMLPurifier_Strategy and HTMLPurifier_Generator subsystems in order to
 * purify HTML.
 * 
 * @todo We need an easier way to inject strategies, it'll probably end
 *       up getting done through config though.
 */
class HTMLPurifier
{
    var $version = '2.1.2';
コード例 #12
0
ファイル: Tidy.php プロジェクト: fferriere/web
    lack of support in doctype</dd>
    <dt>medium</dt>
    <dd>Enforce best practices</dd>
    <dt>heavy</dt>
    <dd>Transform all deprecated elements and attributes to standards
    compliant equivalents</dd>
</dl>
<p>This directive has been available since 2.0.0</p>
');
HTMLPurifier_ConfigSchema::defineAllowedValues('HTML', 'TidyLevel', array('none', 'light', 'medium', 'heavy'));
HTMLPurifier_ConfigSchema::define('HTML', 'TidyAdd', array(), 'lookup', '
Fixes to add to the default set of Tidy fixes as per your level. This
directive has been available since 2.0.0.
');
HTMLPurifier_ConfigSchema::define('HTML', 'TidyRemove', array(), 'lookup', '
Fixes to remove from the default set of Tidy fixes as per your level. This
directive has been available since 2.0.0.
');
/**
 * Abstract class for a set of proprietary modules that clean up (tidy)
 * poorly written HTML.
 */
class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
{
    /**
     * List of supported levels. Index zero is a special case "no fixes"
     * level.
     */
    var $levels = array(0 => 'none', 'light', 'medium', 'heavy');
    /**
     * Default level to place all fixes in. Disabled by default
     */
コード例 #13
0
ファイル: URISchemeRegistry.php プロジェクト: jbzdak/wikidot
<?php

require_once 'HTMLPurifier/URIScheme/http.php';
require_once 'HTMLPurifier/URIScheme/https.php';
require_once 'HTMLPurifier/URIScheme/mailto.php';
require_once 'HTMLPurifier/URIScheme/ftp.php';
require_once 'HTMLPurifier/URIScheme/nntp.php';
require_once 'HTMLPurifier/URIScheme/news.php';
HTMLPurifier_ConfigSchema::define('URI', 'AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true, 'ftp' => true, 'nntp' => true, 'news' => true), 'lookup', 'Whitelist that defines the schemes that a URI is allowed to have.  This ' . 'prevents XSS attacks from using pseudo-schemes like javascript or mocha.');
HTMLPurifier_ConfigSchema::define('URI', 'OverrideAllowedSchemes', true, 'bool', 'If this is set to true (which it is by default), you can override ' . '%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme ' . 'to the registry.  If false, you will also have to update that directive ' . 'in order to add more schemes.');
/**
 * Registry for retrieving specific URI scheme validator objects.
 */
class HTMLPurifier_URISchemeRegistry
{
    /**
     * Retrieve sole instance of the registry.
     * @param $prototype Optional prototype to overload sole instance with,
     *                   or bool true to reset to default registry.
     * @note Pass a registry object $prototype with a compatible interface and
     *       the function will copy it and return it all further times.
     */
    public static function instance($prototype = null)
    {
        static $instance = null;
        if ($prototype !== null) {
            $instance = $prototype;
        } elseif ($instance === null || $prototype == true) {
            $instance = new HTMLPurifier_URISchemeRegistry();
        }
        return $instance;
コード例 #14
0
<?php

require_once HTML_PURIFIER_LIB_PATH . '/HTMLPurifier/Doctype.php';
// Legacy directives for doctype specification
HTMLPurifier_ConfigSchema::define('HTML', 'Strict', false, 'bool', 'Determines whether or not to use Transitional (loose) or Strict rulesets. ' . 'This directive is deprecated in favor of %HTML.Doctype. ' . 'This directive has been available since 1.3.0.');
HTMLPurifier_ConfigSchema::define('HTML', 'XHTML', true, 'bool', 'Determines whether or not output is XHTML 1.0 or HTML 4.01 flavor. ' . 'This directive is deprecated in favor of %HTML.Doctype. ' . 'This directive was available since 1.1.');
HTMLPurifier_ConfigSchema::defineAlias('Core', 'XHTML', 'HTML', 'XHTML');
class HTMLPurifier_DoctypeRegistry
{
    /**
     * Hash of doctype names to doctype objects
     * @protected
     */
    var $doctypes;
    /**
     * Lookup table of aliases to real doctype names
     * @protected
     */
    var $aliases;
    /**
     * Registers a doctype to the registry
     * @note Accepts a fully-formed doctype object, or the
     *       parameters for constructing a doctype object
     * @param $doctype Name of doctype or literal doctype object
     * @param $modules Modules doctype will load
     * @param $modules_for_modes Modules doctype will load for certain modes
     * @param $aliases Alias names for doctype
     * @return Reference to registered doctype (usable for further editing)
     */
    function &register($doctype, $xml = true, $modules = array(), $tidy_modules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null)
    {
コード例 #15
0
<?php

require_once HTML_PURIFIER_LIB_PATH . '/HTMLPurifier/AttrDef.php';
HTMLPurifier_ConfigSchema::define('Attr', 'AllowedRel', array(), 'lookup', 'List of allowed forward document relationships in the rel attribute. ' . 'Common values may be nofollow or print. By default, this is empty, ' . 'meaning that no document relationships are allowed. This directive ' . 'was available since 1.6.0.');
HTMLPurifier_ConfigSchema::define('Attr', 'AllowedRev', array(), 'lookup', 'List of allowed reverse document relationships in the rev attribute. ' . 'This attribute is a bit of an edge-case; if you don\'t know what it ' . 'is for, stay away. This directive was available since 1.6.0.');
/**
 * Validates a rel/rev link attribute against a directive of allowed values
 * @note We cannot use Enum because link types allow multiple
 *       values.
 * @note Assumes link types are ASCII text
 */
class HTMLPurifier_AttrDef_HTML_LinkTypes extends HTMLPurifier_AttrDef
{
    /** Name config attribute to pull. */
    var $name;
    function HTMLPurifier_AttrDef_HTML_LinkTypes($name)
    {
        $configLookup = array('rel' => 'AllowedRel', 'rev' => 'AllowedRev');
        if (!isset($configLookup[$name])) {
            trigger_error('Unrecognized attribute name for link ' . 'relationship.', E_USER_ERROR);
            return;
        }
        $this->name = $configLookup[$name];
    }
    function validate($string, $config, &$context)
    {
        $allowed = $config->get('Attr', $this->name);
        if (empty($allowed)) {
            return false;
        }
        $string = $this->parseCDATA($string);
コード例 #16
0
ファイル: CSSDefinition.php プロジェクト: hasshy/sahana-tw
require_once 'HTMLPurifier/AttrDef/CSS/Border.php';
require_once 'HTMLPurifier/AttrDef/CSS/Color.php';
require_once 'HTMLPurifier/AttrDef/CSS/Composite.php';
require_once 'HTMLPurifier/AttrDef/CSS/Font.php';
require_once 'HTMLPurifier/AttrDef/CSS/FontFamily.php';
require_once 'HTMLPurifier/AttrDef/CSS/Length.php';
require_once 'HTMLPurifier/AttrDef/CSS/ListStyle.php';
require_once 'HTMLPurifier/AttrDef/CSS/Multiple.php';
require_once 'HTMLPurifier/AttrDef/CSS/Percentage.php';
require_once 'HTMLPurifier/AttrDef/CSS/TextDecoration.php';
require_once 'HTMLPurifier/AttrDef/CSS/URI.php';
require_once 'HTMLPurifier/AttrDef/Enum.php';
HTMLPurifier_ConfigSchema::define('CSS', 'DefinitionRev', 1, 'int', '
<p>
    Revision identifier for your custom definition. See
    %HTML.DefinitionRev for details. This directive has been available
    since 2.0.0.
</p>
');
/**
 * Defines allowed CSS attributes and what their values are.
 * @see HTMLPurifier_HTMLDefinition
 */
class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
{
    var $type = 'CSS';
    /**
     * Assoc array of attribute name to definition object.
     */
    var $info = array();
    /**
コード例 #17
0
ファイル: MakeAbsolute.php プロジェクト: fferriere/web
<?php

// does not support network paths
require_once 'HTMLPurifier/URIFilter.php';
HTMLPurifier_ConfigSchema::define('URI', 'MakeAbsolute', false, 'bool', '
<p>
    Converts all URIs into absolute forms. This is useful when the HTML
    being filtered assumes a specific base path, but will actually be
    viewed in a different context (and setting an alternate base URI is
    not possible). %URI.Base must be set for this directive to work.
    This directive has been available since 2.1.0.
</p>
');
class HTMLPurifier_URIFilter_MakeAbsolute extends HTMLPurifier_URIFilter
{
    var $name = 'MakeAbsolute';
    var $base;
    var $basePathStack = array();
    function prepare($config)
    {
        $def = $config->getDefinition('URI');
        $this->base = $def->base;
        if (is_null($this->base)) {
            trigger_error('URI.MakeAbsolute is being ignored due to lack of value for URI.Base configuration', E_USER_ERROR);
            return;
        }
        $this->base->fragment = null;
        // fragment is invalid for base URI
        $stack = explode('/', $this->base->path);
        array_pop($stack);
        // discard last segment
コード例 #18
0
  has been available since 3.0.0.
</p>
');
HTMLPurifier_ConfigSchema::define('Filter', 'ExtractStyleBlocksScope', null, 'string/null', '
<p>
  If you would like users to be able to define external stylesheets, but
  only allow them to specify CSS declarations for a specific node and
  prevent them from fiddling with other elements, use this directive.
  It accepts any valid CSS selector, and will prepend this to any
  CSS declaration extracted from the document. For example, if this
  directive is set to <code>#user-content</code> and a user uses the
  selector <code>a:hover</code>, the final selector will be
  <code>#user-content a:hover</code>.
</p>
<p>
  The comma shorthand may be used; consider the above example, with
  <code>#user-content, #user-content2</code>, the final selector will
  be <code>#user-content a:hover, #user-content2 a:hover</code>.
</p>
<p>
  <strong>Warning:</strong> It is possible for users to bypass this measure
  using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML
  Purifier, and I am working to get it fixed. Until then, HTML Purifier
  performs a basic check to prevent this.
</p>
<p>
  This directive has been available since 3.0.0.
</p>
');
/**
 * This filter extracts <style> blocks from input HTML, cleans them up
 * using CSSTidy, and then places them in $purifier->context->get('StyleBlocks')
コード例 #19
0
ファイル: Encoder.php プロジェクト: BGCX067/ezrpg-svn-to-git
<?php

HTMLPurifier_ConfigSchema::define('Core', 'Encoding', 'utf-8', 'istring', 'If for some reason you are unable to convert all webpages to UTF-8, ' . 'you can use this directive as a stop-gap compatibility change to ' . 'let HTML Purifier deal with non UTF-8 input.  This technique has ' . 'notable deficiencies: absolutely no characters outside of the selected ' . 'character encoding will be preserved, not even the ones that have ' . 'been ampersand escaped (this is due to a UTF-8 specific <em>feature</em> ' . 'that automatically resolves all entities), making it pretty useless ' . 'for anything except the most I18N-blind applications, although ' . '%Core.EscapeNonASCIICharacters offers fixes this trouble with ' . 'another tradeoff. This directive ' . 'only accepts ISO-8859-1 if iconv is not enabled.');
HTMLPurifier_ConfigSchema::define('Core', 'EscapeNonASCIICharacters', false, 'bool', 'This directive overcomes a deficiency in %Core.Encoding by blindly ' . 'converting all non-ASCII characters into decimal numeric entities before ' . 'converting it to its native encoding. This means that even ' . 'characters that can be expressed in the non-UTF-8 encoding will ' . 'be entity-ized, which can be a real downer for encodings like Big5. ' . 'It also assumes that the ASCII repetoire is available, although ' . 'this is the case for almost all encodings. Anyway, use UTF-8! This ' . 'directive has been available since 1.4.0.');
if (!function_exists('iconv')) {
    // only encodings with native PHP support
    HTMLPurifier_ConfigSchema::defineAllowedValues('Core', 'Encoding', array('utf-8', 'iso-8859-1'));
    HTMLPurifier_ConfigSchema::defineValueAliases('Core', 'Encoding', array('iso8859-1' => 'iso-8859-1'));
}
HTMLPurifier_ConfigSchema::define('Test', 'ForceNoIconv', false, 'bool', 'When set to true, HTMLPurifier_Encoder will act as if iconv does not ' . 'exist and use only pure PHP implementations.');
/**
 * A UTF-8 specific character encoder that handles cleaning and transforming.
 * @note All functions in this class should be static.
 */
class HTMLPurifier_Encoder
{
    /**
     * Constructor throws fatal error if you attempt to instantiate class
     */
    private function __construct()
    {
        trigger_error('Cannot instantiate encoder, call methods statically', E_USER_ERROR);
    }
    /**
     * Cleans a UTF-8 string for well-formedness and SGML validity
     * 
     * It will parse according to UTF-8 and return a valid UTF8 string, with
     * non-SGML codepoints excluded.
     * 
     * @note Just for reference, the non-SGML code points are 0 to 31 and
     *       127 to 159, inclusive.  However, we allow code points 9, 10
コード例 #20
0
require_once 'HTMLPurifier/AttrDef/CSS/ListStyle.php';
require_once 'HTMLPurifier/AttrDef/CSS/Multiple.php';
require_once 'HTMLPurifier/AttrDef/CSS/Percentage.php';
require_once 'HTMLPurifier/AttrDef/CSS/TextDecoration.php';
require_once 'HTMLPurifier/AttrDef/CSS/URI.php';
require_once 'HTMLPurifier/AttrDef/Enum.php';
HTMLPurifier_ConfigSchema::define('CSS', 'DefinitionRev', 1, 'int', '
<p>
    Revision identifier for your custom definition. See
    %HTML.DefinitionRev for details. This directive has been available
    since 2.0.0.
</p>
');
HTMLPurifier_ConfigSchema::define('CSS', 'Proprietary', false, 'bool', '
<p>
    Whether or not to allow safe, proprietary CSS values. This directive
    has been available since 3.0.0.
</p>
');
/**
 * Defines allowed CSS attributes and what their values are.
 * @see HTMLPurifier_HTMLDefinition
 */
class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
{
    public $type = 'CSS';
    /**
     * Assoc array of attribute name to definition object.
     */
    public $info = array();
    /**
     * Constructs the info array.  The meat of this class.
コード例 #21
0
ファイル: HostBlacklist.php プロジェクト: jbzdak/wikidot
<?php

require_once 'HTMLPurifier/URIFilter.php';
HTMLPurifier_ConfigSchema::define('URI', 'HostBlacklist', array(), 'list', 'List of strings that are forbidden in the host of any URI. Use it to ' . 'kill domain names of spam, etc. Note that it will catch anything in ' . 'the domain, so <tt>moo.com</tt> will catch <tt>moo.com.example.com</tt>. ' . 'This directive has been available since 1.3.0.');
class HTMLPurifier_URIFilter_HostBlacklist extends HTMLPurifier_URIFilter
{
    public $name = 'HostBlacklist';
    protected $blacklist = array();
    public function prepare($config)
    {
        $this->blacklist = $config->get('URI', 'HostBlacklist');
    }
    public function filter(&$uri, $config, $context)
    {
        foreach ($this->blacklist as $blacklisted_host_fragment) {
            if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
                return false;
            }
        }
        return true;
    }
}
コード例 #22
0
ファイル: LanguageFactory.php プロジェクト: fferriere/web
<?php

require_once 'HTMLPurifier/Language.php';
require_once 'HTMLPurifier/AttrDef/Lang.php';
HTMLPurifier_ConfigSchema::define('Core', 'Language', 'en', 'string', '
ISO 639 language code for localizable things in HTML Purifier to use,
which is mainly error reporting. There is currently only an English (en)
translation, so this directive is currently useless.
This directive has been available since 2.0.0.
');
/**
 * Class responsible for generating HTMLPurifier_Language objects, managing
 * caching and fallbacks.
 * @note Thanks to MediaWiki for the general logic, although this version
 *       has been entirely rewritten
 */
class HTMLPurifier_LanguageFactory
{
    /**
     * Cache of language code information used to load HTMLPurifier_Language objects
     * Structure is: $factory->cache[$language_code][$key] = $value
     * @value array map
     */
    var $cache;
    /**
     * Valid keys in the HTMLPurifier_Language object. Designates which
     * variables to slurp out of a message file.
     * @value array list
     */
    var $keys = array('fallback', 'messages', 'errorNames');
    /**
コード例 #23
0
<?php

require_once HTML_PURIFIER_LIB_PATH . '/HTMLPurifier/AttrTransform.php';
// must be called POST validation
HTMLPurifier_ConfigSchema::define('Attr', 'DefaultInvalidImage', '', 'string', 'This is the default image an img tag will be pointed to if it does ' . 'not have a valid src attribute.  In future versions, we may allow the ' . 'image tag to be removed completely, but due to design issues, this is ' . 'not possible right now.');
HTMLPurifier_ConfigSchema::define('Attr', 'DefaultInvalidImageAlt', 'Invalid image', 'string', 'This is the content of the alt tag of an invalid image if the user ' . 'had not previously specified an alt attribute.  It has no effect when the ' . 'image is valid but there was no alt attribute present.');
/**
 * Transform that supplies default values for the src and alt attributes
 * in img tags, as well as prevents the img tag from being removed
 * because of a missing alt tag. This needs to be registered as both
 * a pre and post attribute transform.
 */
class HTMLPurifier_AttrTransform_ImgRequired extends HTMLPurifier_AttrTransform
{
    function transform($attr, $config, &$context)
    {
        $src = true;
        if (!isset($attr['src'])) {
            if ($config->get('Core', 'RemoveInvalidImg')) {
                return $attr;
            }
            $attr['src'] = $config->get('Attr', 'DefaultInvalidImage');
            $src = false;
        }
        if (!isset($attr['alt'])) {
            if ($src) {
                $attr['alt'] = basename($attr['src']);
            } else {
                $attr['alt'] = $config->get('Attr', 'DefaultInvalidImageAlt');
            }
        }
コード例 #24
0
ファイル: IDAccumulator.php プロジェクト: jbzdak/wikidot
<?php

HTMLPurifier_ConfigSchema::define('Attr', 'IDBlacklist', array(), 'list', 'Array of IDs not allowed in the document.');
/**
 * Component of HTMLPurifier_AttrContext that accumulates IDs to prevent dupes
 * @note In Slashdot-speak, dupe means duplicate.
 * @note The default constructor does not accept $config or $context objects:
 *       use must use the static build() factory method to perform initialization.
 */
class HTMLPurifier_IDAccumulator
{
    /**
     * Lookup table of IDs we've accumulated.
     * @public
     */
    public $ids = array();
    /**
     * Builds an IDAccumulator, also initializing the default blacklist
     * @param $config Instance of HTMLPurifier_Config
     * @param $context Instance of HTMLPurifier_Context
     * @return Fully initialized HTMLPurifier_IDAccumulator
     */
    public static function build($config, $context)
    {
        $id_accumulator = new HTMLPurifier_IDAccumulator();
        $id_accumulator->load($config->get('Attr', 'IDBlacklist'));
        return $id_accumulator;
    }
    /**
     * Add an ID to the lookup table.
     * @param $id ID to be added.
コード例 #25
0
ファイル: Lexer.php プロジェクト: BackupTheBerlios/samouk-svn
');
HTMLPurifier_ConfigSchema::define('Core', 'MaintainLineNumbers', null, 'bool/null', '
<p>
  If true, HTML Purifier will add line number information to all tokens.
  This is useful when error reporting is turned on, but can result in
  significant performance degradation and should not be used when
  unnecessary. This directive must be used with the DirectLex lexer,
  as the DOMLex lexer does not (yet) support this functionality. 
  If the value is null, an appropriate value will be selected based
  on other configuration. This directive has been available since 2.0.0.
</p>
');
HTMLPurifier_ConfigSchema::define('Core', 'AggressivelyFixLt', false, 'bool', '
This directive enables aggressive pre-filter fixes HTML Purifier can
perform in order to ensure that open angled-brackets do not get killed
during parsing stage. Enabling this will result in two preg_replace_callback
calls and one preg_replace call for every bit of HTML passed through here.
It is not necessary and will have no effect for PHP 4.
This directive has been available since 2.1.0.
');
/**
 * Forgivingly lexes HTML (SGML-style) markup into tokens.
 * 
 * A lexer parses a string of SGML-style markup and converts them into
 * corresponding tokens.  It doesn't check for well-formedness, although its
 * internal mechanism may make this automatic (such as the case of
 * HTMLPurifier_Lexer_DOMLex).  There are several implementations to choose
 * from.
 * 
 * A lexer is HTML-oriented: it might work with XML, but it's not
 * recommended, as we adhere to a subset of the specification for optimization
 * reasons.
コード例 #26
0
 /**
  * Defines a directive alias for backwards compatibility
  * @param $namespace
  * @param $name Directive that will be aliased
  * @param $new_namespace
  * @param $new_name Directive that the alias will be to
  */
 public static function defineAlias($namespace, $name, $new_namespace, $new_name)
 {
     $def =& HTMLPurifier_ConfigSchema::instance();
     if (HTMLPURIFIER_SCHEMA_STRICT) {
         if (!isset($def->info[$namespace])) {
             trigger_error('Cannot define directive alias in undefined namespace', E_USER_ERROR);
             return;
         }
         if (!ctype_alnum($name)) {
             trigger_error('Directive name must be alphanumeric', E_USER_ERROR);
             return;
         }
         if (isset($def->info[$namespace][$name])) {
             trigger_error('Cannot define alias over directive', E_USER_ERROR);
             return;
         }
         if (!isset($def->info[$new_namespace][$new_name])) {
             trigger_error('Cannot define alias to undefined directive', E_USER_ERROR);
             return;
         }
         if ($def->info[$new_namespace][$new_name]->class == 'alias') {
             trigger_error('Cannot define alias to alias', E_USER_ERROR);
             return;
         }
     }
     $def->info[$namespace][$name] = new HTMLPurifier_ConfigDef_DirectiveAlias($new_namespace, $new_name);
     $def->info[$new_namespace][$new_name]->directiveAliases[] = "{$namespace}.{$name}";
 }
コード例 #27
0
<?php

require_once 'HTMLPurifier/URIFilter/DisableExternal.php';
HTMLPurifier_ConfigSchema::define('URI', 'DisableExternalResources', false, 'bool', 'Disables the embedding of external resources, preventing users from ' . 'embedding things like images from other hosts. This prevents ' . 'access tracking (good for email viewers), bandwidth leeching, ' . 'cross-site request forging, g****e.cx posting, and ' . 'other nasties, but also results in ' . 'a loss of end-user functionality (they can\'t directly post a pic ' . 'they posted from Flickr anymore). Use it if you don\'t have a ' . 'robust user-content moderation team. This directive has been ' . 'available since 1.3.0.');
class HTMLPurifier_URIFilter_DisableExternalResources extends HTMLPurifier_URIFilter_DisableExternal
{
    public $name = 'DisableExternalResources';
    public function filter(&$uri, $config, $context)
    {
        if (!$context->get('EmbeddedURI', true)) {
            return true;
        }
        return parent::filter($uri, $config, $context);
    }
}
コード例 #28
0
    disable these modules by specifying which modules you wish to allow
    with this directive. This is most useful for unit testing specific
    modules, although end users may find it useful for their own ends.
</p>
<p>
    If you specify a module that does not exist, the manager will silently
    fail to use it, so be careful! User-defined modules are not affected
    by this directive. Modules defined in %HTML.CoreModules are not
    affected by this directive. This directive has been available since 2.0.0.
</p>
');
HTMLPurifier_ConfigSchema::define('HTML', 'CoreModules', array('Structure' => true, 'Text' => true, 'Hypertext' => true, 'List' => true, 'NonXMLCommonAttributes' => true, 'XMLCommonAttributes' => true, 'CommonAttributes' => true), 'lookup', '
<p>
    Certain modularized doctypes (XHTML, namely), have certain modules
    that must be included for the doctype to be an conforming document
    type: put those modules here. By default, XHTML\'s core modules
    are used. You can set this to a blank array to disable core module
    protection, but this is not recommended. This directive has been
    available since 2.0.0.
</p>
');
class HTMLPurifier_HTMLModuleManager
{
    /**
     * Instance of HTMLPurifier_DoctypeRegistry
     * @public
     */
    var $doctypes;
    /**
     * Instance of current doctype
     * @public
     */
コード例 #29
0
ファイル: URI.php プロジェクト: fferriere/web
    This directive has been available since 1.3.0.
</p>
');
// disabling directives
HTMLPurifier_ConfigSchema::define('URI', 'Disable', false, 'bool', '
<p>
    Disables all URIs in all forms. Not sure why you\'d want to do that 
    (after all, the Internet\'s founded on the notion of a hyperlink). 
    This directive has been available since 1.3.0.
</p>
');
HTMLPurifier_ConfigSchema::defineAlias('Attr', 'DisableURI', 'URI', 'Disable');
HTMLPurifier_ConfigSchema::define('URI', 'DisableResources', false, 'bool', '
<p>
    Disables embedding resources, essentially meaning no pictures. You can 
    still link to them though. See %URI.DisableExternalResources for why 
    this might be a good idea. This directive has been available since 1.3.0.
</p>
');
/**
 * Validates a URI as defined by RFC 3986.
 * @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
 */
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
{
    var $parser, $percentEncoder;
    var $embedsResource;
    /**
     * @param $embeds_resource_resource Does the URI here result in an extra HTTP request?
     */
    function HTMLPurifier_AttrDef_URI($embeds_resource = false)
コード例 #30
0
ファイル: Color.php プロジェクト: atikahmed/joomla-probid
<?php

require_once 'HTMLPurifier/AttrDef.php';
HTMLPurifier_ConfigSchema::define('Core', 'ColorKeywords', array('maroon' => '#800000', 'red' => '#FF0000', 'orange' => '#FFA500', 'yellow' => '#FFFF00', 'olive' => '#808000', 'purple' => '#800080', 'fuchsia' => '#FF00FF', 'white' => '#FFFFFF', 'lime' => '#00FF00', 'green' => '#008000', 'navy' => '#000080', 'blue' => '#0000FF', 'aqua' => '#00FFFF', 'teal' => '#008080', 'black' => '#000000', 'silver' => '#C0C0C0', 'gray' => '#808080'), 'hash', '
Lookup array of color names to six digit hexadecimal number corresponding
to color, with preceding hash mark. Used when parsing colors.
This directive has been available since 2.0.0.
');
/**
 * Validates Color as defined by CSS.
 */
class HTMLPurifier_AttrDef_CSS_Color extends HTMLPurifier_AttrDef
{
    function validate($color, $config, &$context)
    {
        static $colors = null;
        if ($colors === null) {
            $colors = $config->get('Core', 'ColorKeywords');
        }
        $color = trim($color);
        if ($color === '') {
            return false;
        }
        $lower = strtolower($color);
        if (isset($colors[$lower])) {
            return $colors[$lower];
        }
        if (strpos($color, 'rgb(') !== false) {
            // rgb literal handling
            $length = strlen($color);
            if (strpos($color, ')') !== $length - 1) {