コード例 #1
ファイル: URI.php プロジェクト: fferriere/web
        in corporate environments.
    </li>
</ul>
<p>
    This directive has been available since 1.3.0.
</p>
');
// disabling directives
// URI.Disable (bool, default false): per its description, rejects every URI
// wherever one appears. This is the most restrictive of the two switches
// defined here and suits untrusted content that must carry no links or
// embedded references at all.
HTMLPurifier_ConfigSchema::define('URI', 'Disable', false, 'bool', '
<p>
    Disables all URIs in all forms. Not sure why you\'d want to do that 
    (after all, the Internet\'s founded on the notion of a hyperlink). 
    This directive has been available since 1.3.0.
</p>
');
// Registers Attr.DisableURI as an alias of URI.Disable (presumably the
// directive's earlier name, kept so existing configurations still work).
HTMLPurifier_ConfigSchema::defineAlias('Attr', 'DisableURI', 'URI', 'Disable');
// URI.DisableResources (bool, default false): blocks URIs that embed a
// resource (the description gives pictures as the example) while ordinary
// links stay allowed. An embedded resource is fetched automatically when the
// page is rendered, so leaving this off lets submitted markup make a viewer's
// browser issue requests to a URL of the author's choosing.
// NOTE(review): the rationale the description points to lives under
// %URI.DisableExternalResources, which is not defined in this excerpt.
HTMLPurifier_ConfigSchema::define('URI', 'DisableResources', false, 'bool', '
<p>
    Disables embedding resources, essentially meaning no pictures. You can 
    still link to them though. See %URI.DisableExternalResources for why 
    this might be a good idea. This directive has been available since 1.3.0.
</p>
');
/**
 * Validates a URI as defined by RFC 3986.
 * @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
 */
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
{
    var $parser, $percentEncoder;
    var $embedsResource;
コード例 #2
<?php

require_once HTML_PURIFIER_LIB_PATH . '/HTMLPurifier/Doctype.php';
// Deprecated doctype switches. Both descriptions point to %HTML.Doctype as
// the replacement; they are still registered so older configurations load.

// HTML.Strict (bool, default false): Transitional vs. Strict rulesets.
HTMLPurifier_ConfigSchema::define(
    'HTML',
    'Strict',
    false,
    'bool',
    'Determines whether or not to use Transitional (loose) or Strict rulesets. '
    . 'This directive is deprecated in favor of %HTML.Doctype. '
    . 'This directive has been available since 1.3.0.'
);

// HTML.XHTML (bool, default true): XHTML 1.0 vs. HTML 4.01 output flavor.
HTMLPurifier_ConfigSchema::define(
    'HTML',
    'XHTML',
    true,
    'bool',
    'Determines whether or not output is XHTML 1.0 or HTML 4.01 flavor. '
    . 'This directive is deprecated in favor of %HTML.Doctype. '
    . 'This directive was available since 1.1.'
);

// Core.XHTML is registered as an alias of HTML.XHTML (presumably the
// directive's earlier location).
HTMLPurifier_ConfigSchema::defineAlias(
    'Core',
    'XHTML',
    'HTML',
    'XHTML'
);
class HTMLPurifier_DoctypeRegistry
{
    /**
     * Hash of doctype names to doctype objects
     * @protected
     */
    var $doctypes;
    /**
     * Lookup table of aliases to real doctype names
     * @protected
     */
    var $aliases;
    /**
     * Registers a doctype to the registry
     * @note Accepts a fully-formed doctype object, or the
     *       parameters for constructing a doctype object
     * @param $doctype Name of doctype or literal doctype object
     * @param $modules Modules doctype will load
     * @param $modules_for_modes Modules doctype will load for certain modes
     * @param $aliases Alias names for doctype
     * @return Reference to registered doctype (usable for further editing)
     */
    function &register($doctype, $xml = true, $modules = array(), $tidy_modules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null)
    {
コード例 #3
ファイル: Lexer.php プロジェクト: atikahmed/joomla-probid
require_once 'HTMLPurifier/EntityParser.php';
// implementations
require_once 'HTMLPurifier/Lexer/DirectLex.php';
// The DOM-based lexer is loaded only on PHP 5 or newer; DirectLex is
// required unconditionally just above, so it is always available.
// NOTE(review): two lexer implementations may tokenize malformed markup
// differently -- filter tests should presumably be run against whichever
// implementation is active in production.
if (version_compare(PHP_VERSION, "5", ">=")) {
    // You can remove the if statement if you are running PHP 5 only.
    // We ought to get the strict version to follow those rules.
    require_once 'HTMLPurifier/Lexer/DOMLex.php';
}
// Core.ConvertDocumentToFragment (bool, default true): per its description,
// input that is a full document with html and body tags is reduced to the
// contents of the body tag before further processing.
HTMLPurifier_ConfigSchema::define('Core', 'ConvertDocumentToFragment', true, 'bool', '
This parameter determines whether or not the filter should convert
input that is a full document with html and body tags to a fragment
of just the contents of a body tag. This parameter is simply something
HTML Purifier can do during an edge-case: for most inputs, this
processing is not necessary.
');
// Core.AcceptFullDocuments is registered as an alias of
// Core.ConvertDocumentToFragment (presumably the directive's earlier name).
HTMLPurifier_ConfigSchema::defineAlias('Core', 'AcceptFullDocuments', 'Core', 'ConvertDocumentToFragment');
HTMLPurifier_ConfigSchema::define('Core', 'LexerImpl', null, 'mixed/null', '
<p>
  This parameter determines what lexer implementation can be used. The
  valid values are:
</p>
<dl>
  <dt><em>null</em></dt>
  <dd>
    Recommended, the lexer implementation will be auto-detected based on
    your PHP-version and configuration.
  </dd>
  <dt><em>string</em> lexer identifier</dt>
  <dd>
    This is a slim way of manually overridding the implementation.
    Currently recognized values are: DOMLex (the default PHP5 implementation)
コード例 #4
<?php

require_once 'HTMLPurifier/DefinitionCache.php';
// Cache.DefinitionImpl (string/null, default 'Serializer'): names the caching
// method for definitions; null turns caching off at a performance cost.
// NOTE(review): the 'Serializer' method presumably persists serialized
// definitions and reads them back later -- confirm where they are stored and
// that the location is writable only by the application, because a cached
// definition decides what markup the filter lets through.
HTMLPurifier_ConfigSchema::define('Cache', 'DefinitionImpl', 'Serializer', 'string/null', '
This directive defines which method to use when caching definitions,
the complex data-type that makes HTML Purifier tick. Set to null
to disable caching (not recommended, as you will see a definite
performance degradation). This directive has been available since 2.0.0.
');
// Core.DefinitionCache is registered as an alias of Cache.DefinitionImpl
// (presumably the directive's earlier name).
HTMLPurifier_ConfigSchema::defineAlias('Core', 'DefinitionCache', 'Cache', 'DefinitionImpl');
/**
 * Responsible for creating definition caches.
 */
class HTMLPurifier_DefinitionCacheFactory
{
    protected $caches = array('Serializer' => array());
    protected $implementations = array();
    protected $decorators = array();
    /**
     * Initialize default decorators
     */
    public function setup()
    {
        // 'Cleanup' is the only decorator registered by default.
        $defaultDecorators = array('Cleanup');
        foreach ($defaultDecorators as $decoratorName) {
            $this->addDecorator($decoratorName);
        }
    }
    /**
     * Retrieves an instance of global definition cache factory.
     */
    public static function &instance($prototype = null)
    {
        static $instance;
コード例 #5
    fixed all major errors the HTML may have had. Tidy is a non-default
    extension, and this directive will silently fail if Tidy is not
    available.
</p>
<p>
    If you are looking to make the overall look of your page's source
    better, I recommend running Tidy on the entire page rather than just
    user-content (after all, the indentation relative to the containing
    blocks will be incorrect).
</p>
<p>
    This directive was available since 1.1.1.
</p>
HTML
);
// Core.TidyFormat is registered as an alias of Output.TidyFormat (presumably
// the directive's earlier location).
HTMLPurifier_ConfigSchema::defineAlias('Core', 'TidyFormat', 'Output', 'TidyFormat');
// Output.Newline (string/null, default null): newline string used when
// formatting the final output; null means auto-detect from the system.
// The description is a single-quoted string, so each \\ below is one literal
// backslash: readers of the generated documentation see the text \r\n, \r
// and \n, not control characters.
HTMLPurifier_ConfigSchema::define('Output', 'Newline', null, 'string/null', '
<p>
    Newline string to format final output with. If left null, HTML Purifier
    will auto-detect the default newline type of the system and use that;
    you can manually override it here. Remember, \\r\\n is Windows, \\r
    is Mac, and \\n is Unix. This directive was available since 2.0.1.
</p>
');
/**
 * Generates HTML from tokens.
 * @todo Refactor interface so that configuration/context is determined
 *     upon instantiation, no need for messy generateFromTokens() calls
 */
class HTMLPurifier_Generator
{
コード例 #6
ファイル: ID.php プロジェクト: hasshy/sahana-tw
<?php

require_once 'HTMLPurifier/AttrDef.php';
require_once 'HTMLPurifier/IDAccumulator.php';
// Attr.EnableID (bool, default false): allows the id attribute in user HTML.
// Off by default because a submitted id can duplicate one already used by the
// surrounding page. Besides breaking validation, anything on the page that
// looks an element up by that id (scripts, styles, fragment links) may then
// resolve to user-supplied markup, so enable it together with a prefix or a
// blacklist as the description recommends.
HTMLPurifier_ConfigSchema::define(
    'Attr',
    'EnableID',
    false,
    'bool',
    'Allows the ID attribute in HTML.  This is disabled by default '
    . 'due to the fact that without proper configuration user input can '
    . 'easily break the validation of a webpage by specifying an ID that is '
    . 'already on the surrounding HTML.  If you don\'t mind throwing caution to '
    . 'the wind, enable this directive, but I strongly recommend you also '
    . 'consider blacklisting IDs you use (%Attr.IDBlacklist) or prefixing all '
    . 'user supplied IDs (%Attr.IDPrefix).  This directive has been available '
    . 'since 1.2.0, and when set to true reverts to the behavior of pre-1.2.0 '
    . 'versions.'
);

// HTML.EnableAttrID is registered as an alias of Attr.EnableID; the
// Attr.IDPrefix description below refers to the directive by that alias.
HTMLPurifier_ConfigSchema::defineAlias(
    'HTML',
    'EnableAttrID',
    'Attr',
    'EnableID'
);

// Attr.IDPrefix (string, default ''): prefix added to every user-submitted id
// so that it cannot collide with ids used by the page itself.
HTMLPurifier_ConfigSchema::define(
    'Attr',
    'IDPrefix',
    '',
    'string',
    'String to prefix to IDs.  If you have no idea what IDs your pages '
    . 'may use, you may opt to simply add a prefix to all user-submitted ID '
    . 'attributes so that they are still usable, but will not conflict with '
    . 'core page IDs. Example: setting the directive to \'user_\' will result in '
    . 'a user submitted \'foo\' to become \'user_foo\'  Be sure to set '
    . '%HTML.EnableAttrID to true before using '
    . 'this.  This directive was available since 1.2.0.'
);

// Attr.IDPrefixLocal (string, default ''): per-content prefix that keeps
// separately submitted fragments on one page from colliding with each other.
// Per the description it does nothing unless Attr.IDPrefix is non-empty.
HTMLPurifier_ConfigSchema::define(
    'Attr',
    'IDPrefixLocal',
    '',
    'string',
    'Temporary prefix for IDs used in conjunction with %Attr.IDPrefix.  If '
    . 'you need to allow multiple sets of '
    . 'user content on web page, you may need to have a seperate prefix that '
    . 'changes with each iteration.  This way, seperately submitted user content '
    . 'displayed on the same page doesn\'t clobber each other. Ideal values '
    . 'are unique identifiers for the content it represents (i.e. the id of '
    . 'the row in the database). Be sure to add a seperator (like an underscore) '
    . 'at the end.  Warning: this directive will not work unless %Attr.IDPrefix '
    . 'is set to a non-empty value! This directive was available since 1.2.0.'
);

// Attr.IDBlacklistRegexp (string/null, default null): PCRE pattern tested
// against every id; a match rejects the id. The pattern runs once per id on
// user-supplied text, so keep it simple: a pattern prone to heavy
// backtracking turns the performance caveat in the description into an
// availability problem.
HTMLPurifier_ConfigSchema::define(
    'Attr',
    'IDBlacklistRegexp',
    null,
    'string/null',
    'PCRE regular expression to be matched against all IDs. If the expression '
    . 'is matches, the ID is rejected. Use this with care: may cause '
    . 'significant degradation. ID matching is done after all other '
    . 'validation. This directive was available since 1.6.0.'
);
/**
 * Validates the HTML attribute ID.
 * @warning Even though this is the id processor, it
 *          will ignore the directive Attr:IDBlacklist, since it will only
 *          go according to the ID accumulator. Since the accumulator is
 *          automatically generated, it will have already absorbed the
 *          blacklist. If you're hacking around, make sure you use load()!
 */
class HTMLPurifier_AttrDef_HTML_ID extends HTMLPurifier_AttrDef
{
    // ref functionality disabled, since we also have to verify
    // whether or not the ID it refers to exists
    function validate($id, $config, &$context)
    {
        if (!$config->get('Attr', 'EnableID')) {
            return false;
        }
        $id = trim($id);
        // trim it first
        if ($id === '') {
            return false;
        }