in corporate environments.
    </li>
</ul>
<p>
    This directive has been available since 1.3.0.
</p>
');

// disabling directives

HTMLPurifier_ConfigSchema::define(
    'URI', 'Disable', false, 'bool', '
<p>
    Disables all URIs in all forms. Not sure why you\'d want to do that
    (after all, the Internet\'s founded on the notion of a hyperlink).
    This directive has been available since 1.3.0.
</p>
');
HTMLPurifier_ConfigSchema::defineAlias('Attr', 'DisableURI', 'URI', 'Disable');

HTMLPurifier_ConfigSchema::define(
    'URI', 'DisableResources', false, 'bool', '
<p>
    Disables embedding resources, essentially meaning no pictures. You can
    still link to them though. See %URI.DisableExternalResources for why
    this might be a good idea. This directive has been available since 1.3.0.
</p>
');

/**
 * Validates a URI as defined by RFC 3986.
 * @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
 */
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
{

    var $parser, $percentEncoder;
    var $embedsResource;

<?php

require_once HTML_PURIFIER_LIB_PATH . '/HTMLPurifier/Doctype.php';

// Legacy directives for doctype specification
HTMLPurifier_ConfigSchema::define(
    'HTML', 'Strict', false, 'bool',
    'Determines whether or not to use Transitional (loose) or Strict rulesets. ' .
    'This directive is deprecated in favor of %HTML.Doctype. ' .
    'This directive has been available since 1.3.0.'
);

HTMLPurifier_ConfigSchema::define(
    'HTML', 'XHTML', true, 'bool',
    'Determines whether or not output is XHTML 1.0 or HTML 4.01 flavor. ' .
    'This directive is deprecated in favor of %HTML.Doctype. ' .
    'This directive was available since 1.1.'
);
HTMLPurifier_ConfigSchema::defineAlias('Core', 'XHTML', 'HTML', 'XHTML');

class HTMLPurifier_DoctypeRegistry
{

    /**
     * Hash of doctype names to doctype objects
     * @protected
     */
    var $doctypes;

    /**
     * Lookup table of aliases to real doctype names
     * @protected
     */
    var $aliases;

    /**
     * Registers a doctype to the registry
     * @note Accepts a fully-formed doctype object, or the
     *       parameters for constructing a doctype object
     * @param $doctype Name of doctype or literal doctype object
     * @param $modules Modules doctype will load
     * @param $modules_for_modes Modules doctype will load for certain modes
     * @param $aliases Alias names for doctype
     * @return Reference to registered doctype (usable for further editing)
     */
    function &register($doctype, $xml = true, $modules = array(),
        $tidy_modules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null
    ) {

require_once 'HTMLPurifier/EntityParser.php';

// implementations
require_once 'HTMLPurifier/Lexer/DirectLex.php';
if (version_compare(PHP_VERSION, "5", ">=")) {
    // You can remove the if statement if you are running PHP 5 only.
    // We ought to get the strict version to follow those rules.
    require_once 'HTMLPurifier/Lexer/DOMLex.php';
}

HTMLPurifier_ConfigSchema::define(
    'Core', 'ConvertDocumentToFragment', true, 'bool', '
This parameter determines whether or not the filter should convert
input that is a full document with html and body tags to a fragment
of just the contents of a body tag. This parameter is simply something
HTML Purifier can do during an edge-case: for most inputs, this
processing is not necessary.
');
HTMLPurifier_ConfigSchema::defineAlias('Core', 'AcceptFullDocuments', 'Core', 'ConvertDocumentToFragment');

HTMLPurifier_ConfigSchema::define(
    'Core', 'LexerImpl', null, 'mixed/null', '
<p>
  This parameter determines what lexer implementation can be used. The
  valid values are:
</p>
<dl>
  <dt><em>null</em></dt>
  <dd>
    Recommended, the lexer implementation will be auto-detected based on
    your PHP-version and configuration.
  </dd>
  <dt><em>string</em> lexer identifier</dt>
  <dd>
    This is a slim way of manually overriding the implementation.
    Currently recognized values are: DOMLex (the default PHP5 implementation)

<?php

require_once 'HTMLPurifier/DefinitionCache.php';

HTMLPurifier_ConfigSchema::define(
    'Cache', 'DefinitionImpl', 'Serializer', 'string/null', '
This directive defines which method to use when caching definitions,
the complex data-type that makes HTML Purifier tick. Set to null
to disable caching (not recommended, as you will see a definite
performance degradation). This directive has been available since 2.0.0.
');

HTMLPurifier_ConfigSchema::defineAlias('Core', 'DefinitionCache', 'Cache', 'DefinitionImpl');

/**
 * Responsible for creating definition caches.
 */
class HTMLPurifier_DefinitionCacheFactory
{

    protected $caches = array('Serializer' => array());
    protected $implementations = array();
    protected $decorators = array();

    /**
     * Initialize default decorators
     */
    public function setup() {
        $this->addDecorator('Cleanup');
    }

    /**
     * Retrieves an instance of global definition cache factory.
     */
    public static function &instance($prototype = null) {
        static $instance;

fixed all major errors the HTML may have had. Tidy is a non-default
extension, and this directive will silently fail if Tidy is not
available.
</p>
<p>
    If you are looking to make the overall look of your page's source
    better, I recommend running Tidy on the entire page rather than just
    user-content (after all, the indentation relative to the containing
    blocks will be incorrect).
</p>
<p>
    This directive was available since 1.1.1.
</p>
HTML
);
HTMLPurifier_ConfigSchema::defineAlias('Core', 'TidyFormat', 'Output', 'TidyFormat');

HTMLPurifier_ConfigSchema::define('Output', 'Newline', null, 'string/null', '
<p>
    Newline string to format final output with. If left null, HTML Purifier
    will auto-detect the default newline type of the system and use that;
    you can manually override it here. Remember, \\r\\n is Windows, \\r
    is Mac, and \\n is Unix. This directive was available since 2.0.1.
</p>
');

/**
 * Generates HTML from tokens.
 * @todo Refactor interface so that configuration/context is determined
 *     upon instantiation, no need for messy generateFromTokens() calls
 */
class HTMLPurifier_Generator
{

<?php

require_once 'HTMLPurifier/AttrDef.php';
require_once 'HTMLPurifier/IDAccumulator.php';

HTMLPurifier_ConfigSchema::define(
    'Attr', 'EnableID', false, 'bool',
    'Allows the ID attribute in HTML. This is disabled by default ' .
    'due to the fact that without proper configuration user input can ' .
    'easily break the validation of a webpage by specifying an ID that is ' .
    'already on the surrounding HTML. If you don\'t mind throwing caution to ' .
    'the wind, enable this directive, but I strongly recommend you also ' .
    'consider blacklisting IDs you use (%Attr.IDBlacklist) or prefixing all ' .
    'user supplied IDs (%Attr.IDPrefix). This directive has been available ' .
    'since 1.2.0, and when set to true reverts to the behavior of pre-1.2.0 ' .
    'versions.'
);
HTMLPurifier_ConfigSchema::defineAlias(
    'HTML', 'EnableAttrID', 'Attr', 'EnableID'
);

HTMLPurifier_ConfigSchema::define(
    'Attr', 'IDPrefix', '', 'string',
    'String to prefix to IDs. If you have no idea what IDs your pages ' .
    'may use, you may opt to simply add a prefix to all user-submitted ID ' .
    'attributes so that they are still usable, but will not conflict with ' .
    'core page IDs. Example: setting the directive to \'user_\' will result in ' .
    'a user submitted \'foo\' to become \'user_foo\' Be sure to set ' .
    '%HTML.EnableAttrID to true before using ' .
    'this. This directive was available since 1.2.0.'
);

HTMLPurifier_ConfigSchema::define(
    'Attr', 'IDPrefixLocal', '', 'string',
    'Temporary prefix for IDs used in conjunction with %Attr.IDPrefix. If ' .
    'you need to allow multiple sets of ' .
    'user content on web page, you may need to have a separate prefix that ' .
    'changes with each iteration. This way, separately submitted user content ' .
    'displayed on the same page doesn\'t clobber each other. Ideal values ' .
    'are unique identifiers for the content it represents (i.e. the id of ' .
    'the row in the database). Be sure to add a separator (like an underscore) ' .
    'at the end. Warning: this directive will not work unless %Attr.IDPrefix ' .
    'is set to a non-empty value! This directive was available since 1.2.0.'
);

HTMLPurifier_ConfigSchema::define(
    'Attr', 'IDBlacklistRegexp', null, 'string/null',
    'PCRE regular expression to be matched against all IDs. If the expression ' .
    'matches, the ID is rejected. Use this with care: may cause ' .
    'significant degradation. ID matching is done after all other ' .
    'validation. This directive was available since 1.6.0.'
);

/**
 * Validates the HTML attribute ID.
 * @warning Even though this is the id processor, it
 *          will ignore the directive Attr:IDBlacklist, since it will only
 *          go according to the ID accumulator. Since the accumulator is
 *          automatically generated, it will have already absorbed the
 *          blacklist. If you're hacking around, make sure you use load()!
 */
class HTMLPurifier_AttrDef_HTML_ID extends HTMLPurifier_AttrDef
{

    // ref functionality disabled, since we also have to verify
    // whether or not the ID it refers to exists

    function validate($id, $config, &$context) {

        if (!$config->get('Attr', 'EnableID')) {
            return false;
        }

        $id = trim($id); // trim it first

        if ($id === '') {
            return false;
        }