mirror of
https://bitbucket.org/jsuto/piler.git
synced 2024-12-25 18:10:11 +01:00
Added HTML purifier support
Change-Id: Ic76ebc3f3fb05518d0a0427b3fe327e4269ee7a9 Signed-off-by: SJ <sj@acts.hu>
This commit is contained in:
parent
95b906fa3f
commit
1ebd49956a
@ -267,6 +267,13 @@ class ModelSearchMessage extends Model {
|
|||||||
$mime_parts[] = array('header' => $headers, 'body' => $body);
|
$mime_parts[] = array('header' => $headers, 'body' => $body);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
require_once DIR_SYSTEM . 'helper/HTMLPurifier.standalone.php';
|
||||||
|
|
||||||
|
$config = HTMLPurifier_Config::createDefault();
|
||||||
|
$config->set('URI', 'DisableExternal', 'true');
|
||||||
|
$config->set('URI', 'DisableExternalResources', 'true');
|
||||||
|
$purifier = new HTMLPurifier($config);
|
||||||
|
|
||||||
for($i=0; $i<count($mime_parts); $i++) {
|
for($i=0; $i<count($mime_parts); $i++) {
|
||||||
$mime = array(
|
$mime = array(
|
||||||
'content-type' => '',
|
'content-type' => '',
|
||||||
@ -291,12 +298,12 @@ class ModelSearchMessage extends Model {
|
|||||||
$mime['encoding'] = $mime_parts[$i]['header']['content-transfer-encoding'];
|
$mime['encoding'] = $mime_parts[$i]['header']['content-transfer-encoding'];
|
||||||
|
|
||||||
if(in_array($mime['content-type']['type'], array('text/plain', 'text/html')))
|
if(in_array($mime['content-type']['type'], array('text/plain', 'text/html')))
|
||||||
$this->message[$mime['content-type']['type']] .= $this->fix_mime_body_part($mime, $mime_parts[$i]['body']);
|
$this->message[$mime['content-type']['type']] .= $this->fix_mime_body_part($purifier, $mime, $mime_parts[$i]['body']);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private function fix_mime_body_part($mime = array(), $body = '') {
|
private function fix_mime_body_part($purifier, $mime = array(), $body = '') {
|
||||||
if($mime['encoding'] == 'quoted-printable')
|
if($mime['encoding'] == 'quoted-printable')
|
||||||
$body = Zend_Mime_Decode::decodeQuotedPrintable($body);
|
$body = Zend_Mime_Decode::decodeQuotedPrintable($body);
|
||||||
|
|
||||||
@ -316,23 +323,7 @@ class ModelSearchMessage extends Model {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if(strtolower($mime['content-type']['type']) == 'text/html') {
|
if(strtolower($mime['content-type']['type']) == 'text/html') {
|
||||||
|
$body = $purifier->purify($body);
|
||||||
$body = preg_replace("/\<style([\w\W]+)style\>/", "", $body);
|
|
||||||
|
|
||||||
if(ENABLE_REMOTE_IMAGES == 0) {
|
|
||||||
$body = preg_replace("/style([\s]{0,}=[\s]{0,})\"([^\"]+)/", "style=\"xxxx", $body);
|
|
||||||
$body = preg_replace("/style([\s]{0,}=[\s]{0,})\'([^\']+)/", "style='xxxx", $body);
|
|
||||||
|
|
||||||
$body = preg_replace("/\<img([^\>]+)\>/i", "<img src=\"" . REMOTE_IMAGE_REPLACEMENT . "\" />", $body);
|
|
||||||
}
|
|
||||||
|
|
||||||
$body = preg_replace("/\<body ([\w\s\;\"\'\#\d\:\-\=]+)\>/i", "<body>", $body);
|
|
||||||
|
|
||||||
$body = preg_replace("/\<a\s{1,}([\w=\"\'\s]+){0,}\s{0,}href/i", "<qqqq", $body);
|
|
||||||
$body = preg_replace("/\<base href/i", "<qqqq", $body);
|
|
||||||
|
|
||||||
$body = preg_replace("/document\.write/", "document.writeee", $body);
|
|
||||||
$body = preg_replace("/<\s{0,}script([\w\W]+)\/script\s{0,}\>/i", "<!-- disabled javascript here -->", $body);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return $body;
|
return $body;
|
||||||
|
22099
webui/system/helper/HTMLPurifier.standalone.php
Normal file
22099
webui/system/helper/HTMLPurifier.standalone.php
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,48 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Converts HTMLPurifier_ConfigSchema_Interchange to our runtime
|
||||||
|
* representation used to perform checks on user configuration.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_ConfigSchema_Builder_ConfigSchema
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||||
|
* @return HTMLPurifier_ConfigSchema
|
||||||
|
*/
|
||||||
|
public function build($interchange)
|
||||||
|
{
|
||||||
|
$schema = new HTMLPurifier_ConfigSchema();
|
||||||
|
foreach ($interchange->directives as $d) {
|
||||||
|
$schema->add(
|
||||||
|
$d->id->key,
|
||||||
|
$d->default,
|
||||||
|
$d->type,
|
||||||
|
$d->typeAllowsNull
|
||||||
|
);
|
||||||
|
if ($d->allowed !== null) {
|
||||||
|
$schema->addAllowedValues(
|
||||||
|
$d->id->key,
|
||||||
|
$d->allowed
|
||||||
|
);
|
||||||
|
}
|
||||||
|
foreach ($d->aliases as $alias) {
|
||||||
|
$schema->addAlias(
|
||||||
|
$alias->key,
|
||||||
|
$d->id->key
|
||||||
|
);
|
||||||
|
}
|
||||||
|
if ($d->valueAliases !== null) {
|
||||||
|
$schema->addValueAliases(
|
||||||
|
$d->id->key,
|
||||||
|
$d->valueAliases
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$schema->postProcess();
|
||||||
|
return $schema;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,144 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Converts HTMLPurifier_ConfigSchema_Interchange to an XML format,
|
||||||
|
* which can be further processed to generate documentation.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @type HTMLPurifier_ConfigSchema_Interchange
|
||||||
|
*/
|
||||||
|
protected $interchange;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
private $namespace;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $html
|
||||||
|
*/
|
||||||
|
protected function writeHTMLDiv($html)
|
||||||
|
{
|
||||||
|
$this->startElement('div');
|
||||||
|
|
||||||
|
$purifier = HTMLPurifier::getInstance();
|
||||||
|
$html = $purifier->purify($html);
|
||||||
|
$this->writeAttribute('xmlns', 'http://www.w3.org/1999/xhtml');
|
||||||
|
$this->writeRaw($html);
|
||||||
|
|
||||||
|
$this->endElement(); // div
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param mixed $var
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
protected function export($var)
|
||||||
|
{
|
||||||
|
if ($var === array()) {
|
||||||
|
return 'array()';
|
||||||
|
}
|
||||||
|
return var_export($var, true);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||||
|
*/
|
||||||
|
public function build($interchange)
|
||||||
|
{
|
||||||
|
// global access, only use as last resort
|
||||||
|
$this->interchange = $interchange;
|
||||||
|
|
||||||
|
$this->setIndent(true);
|
||||||
|
$this->startDocument('1.0', 'UTF-8');
|
||||||
|
$this->startElement('configdoc');
|
||||||
|
$this->writeElement('title', $interchange->name);
|
||||||
|
|
||||||
|
foreach ($interchange->directives as $directive) {
|
||||||
|
$this->buildDirective($directive);
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($this->namespace) {
|
||||||
|
$this->endElement();
|
||||||
|
} // namespace
|
||||||
|
|
||||||
|
$this->endElement(); // configdoc
|
||||||
|
$this->flush();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $directive
|
||||||
|
*/
|
||||||
|
public function buildDirective($directive)
|
||||||
|
{
|
||||||
|
// Kludge, although I suppose having a notion of a "root namespace"
|
||||||
|
// certainly makes things look nicer when documentation is built.
|
||||||
|
// Depends on things being sorted.
|
||||||
|
if (!$this->namespace || $this->namespace !== $directive->id->getRootNamespace()) {
|
||||||
|
if ($this->namespace) {
|
||||||
|
$this->endElement();
|
||||||
|
} // namespace
|
||||||
|
$this->namespace = $directive->id->getRootNamespace();
|
||||||
|
$this->startElement('namespace');
|
||||||
|
$this->writeAttribute('id', $this->namespace);
|
||||||
|
$this->writeElement('name', $this->namespace);
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->startElement('directive');
|
||||||
|
$this->writeAttribute('id', $directive->id->toString());
|
||||||
|
|
||||||
|
$this->writeElement('name', $directive->id->getDirective());
|
||||||
|
|
||||||
|
$this->startElement('aliases');
|
||||||
|
foreach ($directive->aliases as $alias) {
|
||||||
|
$this->writeElement('alias', $alias->toString());
|
||||||
|
}
|
||||||
|
$this->endElement(); // aliases
|
||||||
|
|
||||||
|
$this->startElement('constraints');
|
||||||
|
if ($directive->version) {
|
||||||
|
$this->writeElement('version', $directive->version);
|
||||||
|
}
|
||||||
|
$this->startElement('type');
|
||||||
|
if ($directive->typeAllowsNull) {
|
||||||
|
$this->writeAttribute('allow-null', 'yes');
|
||||||
|
}
|
||||||
|
$this->text($directive->type);
|
||||||
|
$this->endElement(); // type
|
||||||
|
if ($directive->allowed) {
|
||||||
|
$this->startElement('allowed');
|
||||||
|
foreach ($directive->allowed as $value => $x) {
|
||||||
|
$this->writeElement('value', $value);
|
||||||
|
}
|
||||||
|
$this->endElement(); // allowed
|
||||||
|
}
|
||||||
|
$this->writeElement('default', $this->export($directive->default));
|
||||||
|
$this->writeAttribute('xml:space', 'preserve');
|
||||||
|
if ($directive->external) {
|
||||||
|
$this->startElement('external');
|
||||||
|
foreach ($directive->external as $project) {
|
||||||
|
$this->writeElement('project', $project);
|
||||||
|
}
|
||||||
|
$this->endElement();
|
||||||
|
}
|
||||||
|
$this->endElement(); // constraints
|
||||||
|
|
||||||
|
if ($directive->deprecatedVersion) {
|
||||||
|
$this->startElement('deprecated');
|
||||||
|
$this->writeElement('version', $directive->deprecatedVersion);
|
||||||
|
$this->writeElement('use', $directive->deprecatedUse->toString());
|
||||||
|
$this->endElement(); // deprecated
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->startElement('description');
|
||||||
|
$this->writeHTMLDiv($directive->description);
|
||||||
|
$this->endElement(); // description
|
||||||
|
|
||||||
|
$this->endElement(); // directive
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Exceptions related to configuration schema
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_ConfigSchema_Exception extends HTMLPurifier_Exception
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,47 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Generic schema interchange format that can be converted to a runtime
|
||||||
|
* representation (HTMLPurifier_ConfigSchema) or HTML documentation. Members
|
||||||
|
* are completely validated.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_ConfigSchema_Interchange
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Name of the application this schema is describing.
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
public $name;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Array of Directive ID => array(directive info)
|
||||||
|
* @type HTMLPurifier_ConfigSchema_Interchange_Directive[]
|
||||||
|
*/
|
||||||
|
public $directives = array();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Adds a directive array to $directives
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $directive
|
||||||
|
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||||
|
*/
|
||||||
|
public function addDirective($directive)
|
||||||
|
{
|
||||||
|
if (isset($this->directives[$i = $directive->id->toString()])) {
|
||||||
|
throw new HTMLPurifier_ConfigSchema_Exception("Cannot redefine directive '$i'");
|
||||||
|
}
|
||||||
|
$this->directives[$i] = $directive;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convenience function to perform standard validation. Throws exception
|
||||||
|
* on failed validation.
|
||||||
|
*/
|
||||||
|
public function validate()
|
||||||
|
{
|
||||||
|
$validator = new HTMLPurifier_ConfigSchema_Validator();
|
||||||
|
return $validator->validate($this);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,89 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Interchange component class describing configuration directives.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_ConfigSchema_Interchange_Directive
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* ID of directive.
|
||||||
|
* @type HTMLPurifier_ConfigSchema_Interchange_Id
|
||||||
|
*/
|
||||||
|
public $id;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Type, e.g. 'integer' or 'istring'.
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
public $type;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Default value, e.g. 3 or 'DefaultVal'.
|
||||||
|
* @type mixed
|
||||||
|
*/
|
||||||
|
public $default;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* HTML description.
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
public $description;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Whether or not null is allowed as a value.
|
||||||
|
* @type bool
|
||||||
|
*/
|
||||||
|
public $typeAllowsNull = false;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Lookup table of allowed scalar values.
|
||||||
|
* e.g. array('allowed' => true).
|
||||||
|
* Null if all values are allowed.
|
||||||
|
* @type array
|
||||||
|
*/
|
||||||
|
public $allowed;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* List of aliases for the directive.
|
||||||
|
* e.g. array(new HTMLPurifier_ConfigSchema_Interchange_Id('Ns', 'Dir'))).
|
||||||
|
* @type HTMLPurifier_ConfigSchema_Interchange_Id[]
|
||||||
|
*/
|
||||||
|
public $aliases = array();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Hash of value aliases, e.g. array('alt' => 'real'). Null if value
|
||||||
|
* aliasing is disabled (necessary for non-scalar types).
|
||||||
|
* @type array
|
||||||
|
*/
|
||||||
|
public $valueAliases;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Version of HTML Purifier the directive was introduced, e.g. '1.3.1'.
|
||||||
|
* Null if the directive has always existed.
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
public $version;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* ID of directive that supercedes this old directive.
|
||||||
|
* Null if not deprecated.
|
||||||
|
* @type HTMLPurifier_ConfigSchema_Interchange_Id
|
||||||
|
*/
|
||||||
|
public $deprecatedUse;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Version of HTML Purifier this directive was deprecated. Null if not
|
||||||
|
* deprecated.
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
public $deprecatedVersion;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* List of external projects this directive depends on, e.g. array('CSSTidy').
|
||||||
|
* @type array
|
||||||
|
*/
|
||||||
|
public $external = array();
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,58 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Represents a directive ID in the interchange format.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_ConfigSchema_Interchange_Id
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
public $key;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $key
|
||||||
|
*/
|
||||||
|
public function __construct($key)
|
||||||
|
{
|
||||||
|
$this->key = $key;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
* @warning This is NOT magic, to ensure that people don't abuse SPL and
|
||||||
|
* cause problems for PHP 5.0 support.
|
||||||
|
*/
|
||||||
|
public function toString()
|
||||||
|
{
|
||||||
|
return $this->key;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getRootNamespace()
|
||||||
|
{
|
||||||
|
return substr($this->key, 0, strpos($this->key, "."));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getDirective()
|
||||||
|
{
|
||||||
|
return substr($this->key, strpos($this->key, ".") + 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $id
|
||||||
|
* @return HTMLPurifier_ConfigSchema_Interchange_Id
|
||||||
|
*/
|
||||||
|
public static function make($id)
|
||||||
|
{
|
||||||
|
return new HTMLPurifier_ConfigSchema_Interchange_Id($id);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,226 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
class HTMLPurifier_ConfigSchema_InterchangeBuilder
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Used for processing DEFAULT, nothing else.
|
||||||
|
* @type HTMLPurifier_VarParser
|
||||||
|
*/
|
||||||
|
protected $varParser;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param HTMLPurifier_VarParser $varParser
|
||||||
|
*/
|
||||||
|
public function __construct($varParser = null)
|
||||||
|
{
|
||||||
|
$this->varParser = $varParser ? $varParser : new HTMLPurifier_VarParser_Native();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $dir
|
||||||
|
* @return HTMLPurifier_ConfigSchema_Interchange
|
||||||
|
*/
|
||||||
|
public static function buildFromDirectory($dir = null)
|
||||||
|
{
|
||||||
|
$builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder();
|
||||||
|
$interchange = new HTMLPurifier_ConfigSchema_Interchange();
|
||||||
|
return $builder->buildDir($interchange, $dir);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||||
|
* @param string $dir
|
||||||
|
* @return HTMLPurifier_ConfigSchema_Interchange
|
||||||
|
*/
|
||||||
|
public function buildDir($interchange, $dir = null)
|
||||||
|
{
|
||||||
|
if (!$dir) {
|
||||||
|
$dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier/ConfigSchema/schema';
|
||||||
|
}
|
||||||
|
if (file_exists($dir . '/info.ini')) {
|
||||||
|
$info = parse_ini_file($dir . '/info.ini');
|
||||||
|
$interchange->name = $info['name'];
|
||||||
|
}
|
||||||
|
|
||||||
|
$files = array();
|
||||||
|
$dh = opendir($dir);
|
||||||
|
while (false !== ($file = readdir($dh))) {
|
||||||
|
if (!$file || $file[0] == '.' || strrchr($file, '.') !== '.txt') {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
$files[] = $file;
|
||||||
|
}
|
||||||
|
closedir($dh);
|
||||||
|
|
||||||
|
sort($files);
|
||||||
|
foreach ($files as $file) {
|
||||||
|
$this->buildFile($interchange, $dir . '/' . $file);
|
||||||
|
}
|
||||||
|
return $interchange;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||||
|
* @param string $file
|
||||||
|
*/
|
||||||
|
public function buildFile($interchange, $file)
|
||||||
|
{
|
||||||
|
$parser = new HTMLPurifier_StringHashParser();
|
||||||
|
$this->build(
|
||||||
|
$interchange,
|
||||||
|
new HTMLPurifier_StringHash($parser->parseFile($file))
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Builds an interchange object based on a hash.
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange $interchange HTMLPurifier_ConfigSchema_Interchange object to build
|
||||||
|
* @param HTMLPurifier_StringHash $hash source data
|
||||||
|
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||||
|
*/
|
||||||
|
public function build($interchange, $hash)
|
||||||
|
{
|
||||||
|
if (!$hash instanceof HTMLPurifier_StringHash) {
|
||||||
|
$hash = new HTMLPurifier_StringHash($hash);
|
||||||
|
}
|
||||||
|
if (!isset($hash['ID'])) {
|
||||||
|
throw new HTMLPurifier_ConfigSchema_Exception('Hash does not have any ID');
|
||||||
|
}
|
||||||
|
if (strpos($hash['ID'], '.') === false) {
|
||||||
|
if (count($hash) == 2 && isset($hash['DESCRIPTION'])) {
|
||||||
|
$hash->offsetGet('DESCRIPTION'); // prevent complaining
|
||||||
|
} else {
|
||||||
|
throw new HTMLPurifier_ConfigSchema_Exception('All directives must have a namespace');
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$this->buildDirective($interchange, $hash);
|
||||||
|
}
|
||||||
|
$this->_findUnused($hash);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||||
|
* @param HTMLPurifier_StringHash $hash
|
||||||
|
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||||
|
*/
|
||||||
|
public function buildDirective($interchange, $hash)
|
||||||
|
{
|
||||||
|
$directive = new HTMLPurifier_ConfigSchema_Interchange_Directive();
|
||||||
|
|
||||||
|
// These are required elements:
|
||||||
|
$directive->id = $this->id($hash->offsetGet('ID'));
|
||||||
|
$id = $directive->id->toString(); // convenience
|
||||||
|
|
||||||
|
if (isset($hash['TYPE'])) {
|
||||||
|
$type = explode('/', $hash->offsetGet('TYPE'));
|
||||||
|
if (isset($type[1])) {
|
||||||
|
$directive->typeAllowsNull = true;
|
||||||
|
}
|
||||||
|
$directive->type = $type[0];
|
||||||
|
} else {
|
||||||
|
throw new HTMLPurifier_ConfigSchema_Exception("TYPE in directive hash '$id' not defined");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['DEFAULT'])) {
|
||||||
|
try {
|
||||||
|
$directive->default = $this->varParser->parse(
|
||||||
|
$hash->offsetGet('DEFAULT'),
|
||||||
|
$directive->type,
|
||||||
|
$directive->typeAllowsNull
|
||||||
|
);
|
||||||
|
} catch (HTMLPurifier_VarParserException $e) {
|
||||||
|
throw new HTMLPurifier_ConfigSchema_Exception($e->getMessage() . " in DEFAULT in directive hash '$id'");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['DESCRIPTION'])) {
|
||||||
|
$directive->description = $hash->offsetGet('DESCRIPTION');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['ALLOWED'])) {
|
||||||
|
$directive->allowed = $this->lookup($this->evalArray($hash->offsetGet('ALLOWED')));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['VALUE-ALIASES'])) {
|
||||||
|
$directive->valueAliases = $this->evalArray($hash->offsetGet('VALUE-ALIASES'));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['ALIASES'])) {
|
||||||
|
$raw_aliases = trim($hash->offsetGet('ALIASES'));
|
||||||
|
$aliases = preg_split('/\s*,\s*/', $raw_aliases);
|
||||||
|
foreach ($aliases as $alias) {
|
||||||
|
$directive->aliases[] = $this->id($alias);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['VERSION'])) {
|
||||||
|
$directive->version = $hash->offsetGet('VERSION');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['DEPRECATED-USE'])) {
|
||||||
|
$directive->deprecatedUse = $this->id($hash->offsetGet('DEPRECATED-USE'));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['DEPRECATED-VERSION'])) {
|
||||||
|
$directive->deprecatedVersion = $hash->offsetGet('DEPRECATED-VERSION');
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($hash['EXTERNAL'])) {
|
||||||
|
$directive->external = preg_split('/\s*,\s*/', trim($hash->offsetGet('EXTERNAL')));
|
||||||
|
}
|
||||||
|
|
||||||
|
$interchange->addDirective($directive);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Evaluates an array PHP code string without array() wrapper
|
||||||
|
* @param string $contents
|
||||||
|
*/
|
||||||
|
protected function evalArray($contents)
|
||||||
|
{
|
||||||
|
return eval('return array(' . $contents . ');');
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Converts an array list into a lookup array.
|
||||||
|
* @param array $array
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
protected function lookup($array)
|
||||||
|
{
|
||||||
|
$ret = array();
|
||||||
|
foreach ($array as $val) {
|
||||||
|
$ret[$val] = true;
|
||||||
|
}
|
||||||
|
return $ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convenience function that creates an HTMLPurifier_ConfigSchema_Interchange_Id
|
||||||
|
* object based on a string Id.
|
||||||
|
* @param string $id
|
||||||
|
* @return HTMLPurifier_ConfigSchema_Interchange_Id
|
||||||
|
*/
|
||||||
|
protected function id($id)
|
||||||
|
{
|
||||||
|
return HTMLPurifier_ConfigSchema_Interchange_Id::make($id);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Triggers errors for any unused keys passed in the hash; such keys
|
||||||
|
* may indicate typos, missing values, etc.
|
||||||
|
* @param HTMLPurifier_StringHash $hash Hash to check.
|
||||||
|
*/
|
||||||
|
protected function _findUnused($hash)
|
||||||
|
{
|
||||||
|
$accessed = $hash->getAccessed();
|
||||||
|
foreach ($hash as $k => $v) {
|
||||||
|
if (!isset($accessed[$k])) {
|
||||||
|
trigger_error("String hash key '$k' not used by builder", E_USER_NOTICE);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,248 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Performs validations on HTMLPurifier_ConfigSchema_Interchange
|
||||||
|
*
|
||||||
|
* @note If you see '// handled by InterchangeBuilder', that means a
|
||||||
|
* design decision in that class would prevent this validation from
|
||||||
|
* ever being necessary. We have them anyway, however, for
|
||||||
|
* redundancy.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_ConfigSchema_Validator
|
||||||
|
{
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @type HTMLPurifier_ConfigSchema_Interchange
|
||||||
|
*/
|
||||||
|
protected $interchange;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @type array
|
||||||
|
*/
|
||||||
|
protected $aliases;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Context-stack to provide easy to read error messages.
|
||||||
|
* @type array
|
||||||
|
*/
|
||||||
|
protected $context = array();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* to test default's type.
|
||||||
|
* @type HTMLPurifier_VarParser
|
||||||
|
*/
|
||||||
|
protected $parser;
|
||||||
|
|
||||||
|
public function __construct()
|
||||||
|
{
|
||||||
|
$this->parser = new HTMLPurifier_VarParser();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates a fully-formed interchange object.
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
public function validate($interchange)
|
||||||
|
{
|
||||||
|
$this->interchange = $interchange;
|
||||||
|
$this->aliases = array();
|
||||||
|
// PHP is a bit lax with integer <=> string conversions in
|
||||||
|
// arrays, so we don't use the identical !== comparison
|
||||||
|
foreach ($interchange->directives as $i => $directive) {
|
||||||
|
$id = $directive->id->toString();
|
||||||
|
if ($i != $id) {
|
||||||
|
$this->error(false, "Integrity violation: key '$i' does not match internal id '$id'");
|
||||||
|
}
|
||||||
|
$this->validateDirective($directive);
|
||||||
|
}
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates a HTMLPurifier_ConfigSchema_Interchange_Id object.
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange_Id $id
|
||||||
|
*/
|
||||||
|
public function validateId($id)
|
||||||
|
{
|
||||||
|
$id_string = $id->toString();
|
||||||
|
$this->context[] = "id '$id_string'";
|
||||||
|
if (!$id instanceof HTMLPurifier_ConfigSchema_Interchange_Id) {
|
||||||
|
// handled by InterchangeBuilder
|
||||||
|
$this->error(false, 'is not an instance of HTMLPurifier_ConfigSchema_Interchange_Id');
|
||||||
|
}
|
||||||
|
// keys are now unconstrained (we might want to narrow down to A-Za-z0-9.)
|
||||||
|
// we probably should check that it has at least one namespace
|
||||||
|
$this->with($id, 'key')
|
||||||
|
->assertNotEmpty()
|
||||||
|
->assertIsString(); // implicit assertIsString handled by InterchangeBuilder
|
||||||
|
array_pop($this->context);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates a HTMLPurifier_ConfigSchema_Interchange_Directive object.
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
|
||||||
|
*/
|
||||||
|
public function validateDirective($d)
|
||||||
|
{
|
||||||
|
$id = $d->id->toString();
|
||||||
|
$this->context[] = "directive '$id'";
|
||||||
|
$this->validateId($d->id);
|
||||||
|
|
||||||
|
$this->with($d, 'description')
|
||||||
|
->assertNotEmpty();
|
||||||
|
|
||||||
|
// BEGIN - handled by InterchangeBuilder
|
||||||
|
$this->with($d, 'type')
|
||||||
|
->assertNotEmpty();
|
||||||
|
$this->with($d, 'typeAllowsNull')
|
||||||
|
->assertIsBool();
|
||||||
|
try {
|
||||||
|
// This also tests validity of $d->type
|
||||||
|
$this->parser->parse($d->default, $d->type, $d->typeAllowsNull);
|
||||||
|
} catch (HTMLPurifier_VarParserException $e) {
|
||||||
|
$this->error('default', 'had error: ' . $e->getMessage());
|
||||||
|
}
|
||||||
|
// END - handled by InterchangeBuilder
|
||||||
|
|
||||||
|
if (!is_null($d->allowed) || !empty($d->valueAliases)) {
|
||||||
|
// allowed and valueAliases require that we be dealing with
|
||||||
|
// strings, so check for that early.
|
||||||
|
$d_int = HTMLPurifier_VarParser::$types[$d->type];
|
||||||
|
if (!isset(HTMLPurifier_VarParser::$stringTypes[$d_int])) {
|
||||||
|
$this->error('type', 'must be a string type when used with allowed or value aliases');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->validateDirectiveAllowed($d);
|
||||||
|
$this->validateDirectiveValueAliases($d);
|
||||||
|
$this->validateDirectiveAliases($d);
|
||||||
|
|
||||||
|
array_pop($this->context);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Extra validation if $allowed member variable of
|
||||||
|
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
|
||||||
|
*/
|
||||||
|
public function validateDirectiveAllowed($d)
|
||||||
|
{
|
||||||
|
if (is_null($d->allowed)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
$this->with($d, 'allowed')
|
||||||
|
->assertNotEmpty()
|
||||||
|
->assertIsLookup(); // handled by InterchangeBuilder
|
||||||
|
if (is_string($d->default) && !isset($d->allowed[$d->default])) {
|
||||||
|
$this->error('default', 'must be an allowed value');
|
||||||
|
}
|
||||||
|
$this->context[] = 'allowed';
|
||||||
|
foreach ($d->allowed as $val => $x) {
|
||||||
|
if (!is_string($val)) {
|
||||||
|
$this->error("value $val", 'must be a string');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
array_pop($this->context);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Extra validation if $valueAliases member variable of
|
||||||
|
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
|
||||||
|
*/
|
||||||
|
public function validateDirectiveValueAliases($d)
|
||||||
|
{
|
||||||
|
if (is_null($d->valueAliases)) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
$this->with($d, 'valueAliases')
|
||||||
|
->assertIsArray(); // handled by InterchangeBuilder
|
||||||
|
$this->context[] = 'valueAliases';
|
||||||
|
foreach ($d->valueAliases as $alias => $real) {
|
||||||
|
if (!is_string($alias)) {
|
||||||
|
$this->error("alias $alias", 'must be a string');
|
||||||
|
}
|
||||||
|
if (!is_string($real)) {
|
||||||
|
$this->error("alias target $real from alias '$alias'", 'must be a string');
|
||||||
|
}
|
||||||
|
if ($alias === $real) {
|
||||||
|
$this->error("alias '$alias'", "must not be an alias to itself");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (!is_null($d->allowed)) {
|
||||||
|
foreach ($d->valueAliases as $alias => $real) {
|
||||||
|
if (isset($d->allowed[$alias])) {
|
||||||
|
$this->error("alias '$alias'", 'must not be an allowed value');
|
||||||
|
} elseif (!isset($d->allowed[$real])) {
|
||||||
|
$this->error("alias '$alias'", 'must be an alias to an allowed value');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
array_pop($this->context);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Extra validation if $aliases member variable of
|
||||||
|
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
|
||||||
|
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
|
||||||
|
*/
|
||||||
|
public function validateDirectiveAliases($d)
|
||||||
|
{
|
||||||
|
$this->with($d, 'aliases')
|
||||||
|
->assertIsArray(); // handled by InterchangeBuilder
|
||||||
|
$this->context[] = 'aliases';
|
||||||
|
foreach ($d->aliases as $alias) {
|
||||||
|
$this->validateId($alias);
|
||||||
|
$s = $alias->toString();
|
||||||
|
if (isset($this->interchange->directives[$s])) {
|
||||||
|
$this->error("alias '$s'", 'collides with another directive');
|
||||||
|
}
|
||||||
|
if (isset($this->aliases[$s])) {
|
||||||
|
$other_directive = $this->aliases[$s];
|
||||||
|
$this->error("alias '$s'", "collides with alias for directive '$other_directive'");
|
||||||
|
}
|
||||||
|
$this->aliases[$s] = $d->id->toString();
|
||||||
|
}
|
||||||
|
array_pop($this->context);
|
||||||
|
}
|
||||||
|
|
||||||
|
// protected helper functions
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Convenience function for generating HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
* for validating simple member variables of objects.
|
||||||
|
* @param $obj
|
||||||
|
* @param $member
|
||||||
|
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
*/
|
||||||
|
protected function with($obj, $member)
|
||||||
|
{
|
||||||
|
return new HTMLPurifier_ConfigSchema_ValidatorAtom($this->getFormattedContext(), $obj, $member);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Emits an error, providing helpful context.
|
||||||
|
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||||
|
*/
|
||||||
|
protected function error($target, $msg)
|
||||||
|
{
|
||||||
|
if ($target !== false) {
|
||||||
|
$prefix = ucfirst($target) . ' in ' . $this->getFormattedContext();
|
||||||
|
} else {
|
||||||
|
$prefix = ucfirst($this->getFormattedContext());
|
||||||
|
}
|
||||||
|
throw new HTMLPurifier_ConfigSchema_Exception(trim($prefix . ' ' . $msg));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns a formatted context string.
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
protected function getFormattedContext()
|
||||||
|
{
|
||||||
|
return implode(' in ', array_reverse($this->context));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,130 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fluent interface for validating the contents of member variables.
|
||||||
|
* This should be immutable. See HTMLPurifier_ConfigSchema_Validator for
|
||||||
|
* use-cases. We name this an 'atom' because it's ONLY for validations that
|
||||||
|
* are independent and usually scalar.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
protected $context;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @type object
|
||||||
|
*/
|
||||||
|
protected $obj;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @type string
|
||||||
|
*/
|
||||||
|
protected $member;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @type mixed
|
||||||
|
*/
|
||||||
|
protected $contents;
|
||||||
|
|
||||||
|
public function __construct($context, $obj, $member)
|
||||||
|
{
|
||||||
|
$this->context = $context;
|
||||||
|
$this->obj = $obj;
|
||||||
|
$this->member = $member;
|
||||||
|
$this->contents =& $obj->$member;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
*/
|
||||||
|
public function assertIsString()
|
||||||
|
{
|
||||||
|
if (!is_string($this->contents)) {
|
||||||
|
$this->error('must be a string');
|
||||||
|
}
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
*/
|
||||||
|
public function assertIsBool()
|
||||||
|
{
|
||||||
|
if (!is_bool($this->contents)) {
|
||||||
|
$this->error('must be a boolean');
|
||||||
|
}
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
*/
|
||||||
|
public function assertIsArray()
|
||||||
|
{
|
||||||
|
if (!is_array($this->contents)) {
|
||||||
|
$this->error('must be an array');
|
||||||
|
}
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
*/
|
||||||
|
public function assertNotNull()
|
||||||
|
{
|
||||||
|
if ($this->contents === null) {
|
||||||
|
$this->error('must not be null');
|
||||||
|
}
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
*/
|
||||||
|
public function assertAlnum()
|
||||||
|
{
|
||||||
|
$this->assertIsString();
|
||||||
|
if (!ctype_alnum($this->contents)) {
|
||||||
|
$this->error('must be alphanumeric');
|
||||||
|
}
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
*/
|
||||||
|
public function assertNotEmpty()
|
||||||
|
{
|
||||||
|
if (empty($this->contents)) {
|
||||||
|
$this->error('must not be empty');
|
||||||
|
}
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||||
|
*/
|
||||||
|
public function assertIsLookup()
|
||||||
|
{
|
||||||
|
$this->assertIsArray();
|
||||||
|
foreach ($this->contents as $v) {
|
||||||
|
if ($v !== true) {
|
||||||
|
$this->error('must be a lookup array');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return $this;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $msg
|
||||||
|
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||||
|
*/
|
||||||
|
protected function error($msg)
|
||||||
|
{
|
||||||
|
throw new HTMLPurifier_ConfigSchema_Exception(ucfirst($this->member) . ' in ' . $this->context . ' ' . $msg);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
Binary file not shown.
@ -0,0 +1,8 @@
|
|||||||
|
Attr.AllowedClasses
|
||||||
|
TYPE: lookup/null
|
||||||
|
VERSION: 4.0.0
|
||||||
|
DEFAULT: null
|
||||||
|
--DESCRIPTION--
|
||||||
|
List of allowed class values in the class attribute. By default, this is null,
|
||||||
|
which means all classes are allowed.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
Attr.AllowedFrameTargets
|
||||||
|
TYPE: lookup
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
Lookup table of all allowed link frame targets. Some commonly used link
|
||||||
|
targets include _blank, _self, _parent and _top. Values should be
|
||||||
|
lowercase, as validation will be done in a case-sensitive manner despite
|
||||||
|
W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute
|
||||||
|
so this directive will have no effect in that doctype. XHTML 1.1 does not
|
||||||
|
enable the Target module by default, you will have to manually enable it
|
||||||
|
(see the module documentation for more details.)
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
|||||||
|
Attr.AllowedRel
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 1.6.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
List of allowed forward document relationships in the rel attribute. Common
|
||||||
|
values may be nofollow or print. By default, this is empty, meaning that no
|
||||||
|
document relationships are allowed.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
|||||||
|
Attr.AllowedRev
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 1.6.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
List of allowed reverse document relationships in the rev attribute. This
|
||||||
|
attribute is a bit of an edge-case; if you don't know what it is for, stay
|
||||||
|
away.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,19 @@
|
|||||||
|
Attr.ClassUseCDATA
|
||||||
|
TYPE: bool/null
|
||||||
|
DEFAULT: null
|
||||||
|
VERSION: 4.0.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
If null, class will auto-detect the doctype and, if matching XHTML 1.1 or
|
||||||
|
XHTML 2.0, will use the restrictive NMTOKENS specification of class. Otherwise,
|
||||||
|
it will use a relaxed CDATA definition. If true, the relaxed CDATA definition
|
||||||
|
is forced; if false, the NMTOKENS definition is forced. To get behavior
|
||||||
|
of HTML Purifier prior to 4.0.0, set this directive to false.
|
||||||
|
|
||||||
|
Some rational behind the auto-detection:
|
||||||
|
in previous versions of HTML Purifier, it was assumed that the form of
|
||||||
|
class was NMTOKENS, as specified by the XHTML Modularization (representing
|
||||||
|
XHTML 1.1 and XHTML 2.0). The DTDs for HTML 4.01 and XHTML 1.0, however
|
||||||
|
specify class as CDATA. HTML 5 effectively defines it as CDATA, but
|
||||||
|
with the additional constraint that each name should be unique (this is not
|
||||||
|
explicitly outlined in previous specifications).
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
Attr.DefaultImageAlt
|
||||||
|
TYPE: string/null
|
||||||
|
DEFAULT: null
|
||||||
|
VERSION: 3.2.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
This is the content of the alt tag of an image if the user had not
|
||||||
|
previously specified an alt attribute. This applies to all images without
|
||||||
|
a valid alt attribute, as opposed to %Attr.DefaultInvalidImageAlt, which
|
||||||
|
only applies to invalid images, and overrides in the case of an invalid image.
|
||||||
|
Default behavior with null is to use the basename of the src tag for the alt.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
|||||||
|
Attr.DefaultInvalidImage
|
||||||
|
TYPE: string
|
||||||
|
DEFAULT: ''
|
||||||
|
--DESCRIPTION--
|
||||||
|
This is the default image an img tag will be pointed to if it does not have
|
||||||
|
a valid src attribute. In future versions, we may allow the image tag to
|
||||||
|
be removed completely, but due to design issues, this is not possible right
|
||||||
|
now.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,8 @@
|
|||||||
|
Attr.DefaultInvalidImageAlt
|
||||||
|
TYPE: string
|
||||||
|
DEFAULT: 'Invalid image'
|
||||||
|
--DESCRIPTION--
|
||||||
|
This is the content of the alt tag of an invalid image if the user had not
|
||||||
|
previously specified an alt attribute. It has no effect when the image is
|
||||||
|
valid but there was no alt attribute present.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
|||||||
|
Attr.DefaultTextDir
|
||||||
|
TYPE: string
|
||||||
|
DEFAULT: 'ltr'
|
||||||
|
--DESCRIPTION--
|
||||||
|
Defines the default text direction (ltr or rtl) of the document being
|
||||||
|
parsed. This generally is the same as the value of the dir attribute in
|
||||||
|
HTML, or ltr if that is not specified.
|
||||||
|
--ALLOWED--
|
||||||
|
'ltr', 'rtl'
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
|||||||
|
Attr.EnableID
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
VERSION: 1.2.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
Allows the ID attribute in HTML. This is disabled by default due to the
|
||||||
|
fact that without proper configuration user input can easily break the
|
||||||
|
validation of a webpage by specifying an ID that is already on the
|
||||||
|
surrounding HTML. If you don't mind throwing caution to the wind, enable
|
||||||
|
this directive, but I strongly recommend you also consider blacklisting IDs
|
||||||
|
you use (%Attr.IDBlacklist) or prefixing all user supplied IDs
|
||||||
|
(%Attr.IDPrefix). When set to true HTML Purifier reverts to the behavior of
|
||||||
|
pre-1.2.0 versions.
|
||||||
|
--ALIASES--
|
||||||
|
HTML.EnableAttrID
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,8 @@
|
|||||||
|
Attr.ForbiddenClasses
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 4.0.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
List of forbidden class values in the class attribute. By default, this is
|
||||||
|
empty, which means that no classes are forbidden. See also %Attr.AllowedClasses.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
|||||||
|
Attr.ID.HTML5
|
||||||
|
TYPE: bool/null
|
||||||
|
DEFAULT: null
|
||||||
|
VERSION: 4.8.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
In HTML5, restrictions on the format of the id attribute have been significantly
|
||||||
|
relaxed, such that any string is valid so long as it contains no spaces and
|
||||||
|
is at least one character. In lieu of a general HTML5 compatibility flag,
|
||||||
|
set this configuration directive to true to use the relaxed rules.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,5 @@
|
|||||||
|
Attr.IDBlacklist
|
||||||
|
TYPE: list
|
||||||
|
DEFAULT: array()
|
||||||
|
DESCRIPTION: Array of IDs not allowed in the document.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
|||||||
|
Attr.IDBlacklistRegexp
|
||||||
|
TYPE: string/null
|
||||||
|
VERSION: 1.6.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
PCRE regular expression to be matched against all IDs. If the expression is
|
||||||
|
matches, the ID is rejected. Use this with care: may cause significant
|
||||||
|
degradation. ID matching is done after all other validation.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
Attr.IDPrefix
|
||||||
|
TYPE: string
|
||||||
|
VERSION: 1.2.0
|
||||||
|
DEFAULT: ''
|
||||||
|
--DESCRIPTION--
|
||||||
|
String to prefix to IDs. If you have no idea what IDs your pages may use,
|
||||||
|
you may opt to simply add a prefix to all user-submitted ID attributes so
|
||||||
|
that they are still usable, but will not conflict with core page IDs.
|
||||||
|
Example: setting the directive to 'user_' will result in a user submitted
|
||||||
|
'foo' to become 'user_foo' Be sure to set %HTML.EnableAttrID to true
|
||||||
|
before using this.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
|||||||
|
Attr.IDPrefixLocal
|
||||||
|
TYPE: string
|
||||||
|
VERSION: 1.2.0
|
||||||
|
DEFAULT: ''
|
||||||
|
--DESCRIPTION--
|
||||||
|
Temporary prefix for IDs used in conjunction with %Attr.IDPrefix. If you
|
||||||
|
need to allow multiple sets of user content on web page, you may need to
|
||||||
|
have a seperate prefix that changes with each iteration. This way,
|
||||||
|
seperately submitted user content displayed on the same page doesn't
|
||||||
|
clobber each other. Ideal values are unique identifiers for the content it
|
||||||
|
represents (i.e. the id of the row in the database). Be sure to add a
|
||||||
|
seperator (like an underscore) at the end. Warning: this directive will
|
||||||
|
not work unless %Attr.IDPrefix is set to a non-empty value!
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,31 @@
|
|||||||
|
AutoFormat.AutoParagraph
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 2.0.1
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
This directive turns on auto-paragraphing, where double newlines are
|
||||||
|
converted in to paragraphs whenever possible. Auto-paragraphing:
|
||||||
|
</p>
|
||||||
|
<ul>
|
||||||
|
<li>Always applies to inline elements or text in the root node,</li>
|
||||||
|
<li>Applies to inline elements or text with double newlines in nodes
|
||||||
|
that allow paragraph tags,</li>
|
||||||
|
<li>Applies to double newlines in paragraph tags</li>
|
||||||
|
</ul>
|
||||||
|
<p>
|
||||||
|
<code>p</code> tags must be allowed for this directive to take effect.
|
||||||
|
We do not use <code>br</code> tags for paragraphing, as that is
|
||||||
|
semantically incorrect.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
To prevent auto-paragraphing as a content-producer, refrain from using
|
||||||
|
double-newlines except to specify a new paragraph or in contexts where
|
||||||
|
it has special meaning (whitespace usually has no meaning except in
|
||||||
|
tags like <code>pre</code>, so this should not be difficult.) To prevent
|
||||||
|
the paragraphing of inline text adjacent to block elements, wrap them
|
||||||
|
in <code>div</code> tags (the behavior is slightly different outside of
|
||||||
|
the root node.)
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
AutoFormat.Custom
|
||||||
|
TYPE: list
|
||||||
|
VERSION: 2.0.1
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
This directive can be used to add custom auto-format injectors.
|
||||||
|
Specify an array of injector names (class name minus the prefix)
|
||||||
|
or concrete implementations. Injector class must exist.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
AutoFormat.DisplayLinkURI
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 3.2.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive turns on the in-text display of URIs in <a> tags, and disables
|
||||||
|
those links. For example, <a href="http://example.com">example</a> becomes
|
||||||
|
example (<a>http://example.com</a>).
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
AutoFormat.Linkify
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 2.0.1
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
This directive turns on linkification, auto-linking http, ftp and
|
||||||
|
https URLs. <code>a</code> tags with the <code>href</code> attribute
|
||||||
|
must be allowed.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
AutoFormat.PurifierLinkify.DocURL
|
||||||
|
TYPE: string
|
||||||
|
VERSION: 2.0.1
|
||||||
|
DEFAULT: '#%s'
|
||||||
|
ALIASES: AutoFormatParam.PurifierLinkifyDocURL
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Location of configuration documentation to link to, let %s substitute
|
||||||
|
into the configuration's namespace and directive names sans the percent
|
||||||
|
sign.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
AutoFormat.PurifierLinkify
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 2.0.1
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Internal auto-formatter that converts configuration directives in
|
||||||
|
syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags
|
||||||
|
with the <code>href</code> attribute must be allowed.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
|||||||
|
AutoFormat.RemoveEmpty.Predicate
|
||||||
|
TYPE: hash
|
||||||
|
VERSION: 4.7.0
|
||||||
|
DEFAULT: array('colgroup' => array(), 'th' => array(), 'td' => array(), 'iframe' => array('src'))
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Given that an element has no contents, it will be removed by default, unless
|
||||||
|
this predicate dictates otherwise. The predicate can either be an associative
|
||||||
|
map from tag name to list of attributes that must be present for the element
|
||||||
|
to be considered preserved: thus, the default always preserves <code>colgroup</code>,
|
||||||
|
<code>th</code> and <code>td</code>, and also <code>iframe</code> if it
|
||||||
|
has a <code>src</code>.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 4.0.0
|
||||||
|
DEFAULT: array('td' => true, 'th' => true)
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
When %AutoFormat.RemoveEmpty and %AutoFormat.RemoveEmpty.RemoveNbsp
|
||||||
|
are enabled, this directive defines what HTML elements should not be
|
||||||
|
removede if they have only a non-breaking space in them.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,15 @@
|
|||||||
|
AutoFormat.RemoveEmpty.RemoveNbsp
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.0.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
When enabled, HTML Purifier will treat any elements that contain only
|
||||||
|
non-breaking spaces as well as regular whitespace as empty, and remove
|
||||||
|
them when %AutoForamt.RemoveEmpty is enabled.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements
|
||||||
|
that don't have this behavior applied to them.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,46 @@
|
|||||||
|
AutoFormat.RemoveEmpty
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 3.2.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
When enabled, HTML Purifier will attempt to remove empty elements that
|
||||||
|
contribute no semantic information to the document. The following types
|
||||||
|
of nodes will be removed:
|
||||||
|
</p>
|
||||||
|
<ul><li>
|
||||||
|
Tags with no attributes and no content, and that are not empty
|
||||||
|
elements (remove <code><a></a></code> but not
|
||||||
|
<code><br /></code>), and
|
||||||
|
</li>
|
||||||
|
<li>
|
||||||
|
Tags with no content, except for:<ul>
|
||||||
|
<li>The <code>colgroup</code> element, or</li>
|
||||||
|
<li>
|
||||||
|
Elements with the <code>id</code> or <code>name</code> attribute,
|
||||||
|
when those attributes are permitted on those elements.
|
||||||
|
</li>
|
||||||
|
</ul></li>
|
||||||
|
</ul>
|
||||||
|
<p>
|
||||||
|
Please be very careful when using this functionality; while it may not
|
||||||
|
seem that empty elements contain useful information, they can alter the
|
||||||
|
layout of a document given appropriate styling. This directive is most
|
||||||
|
useful when you are processing machine-generated HTML, please avoid using
|
||||||
|
it on regular user HTML.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
Elements that contain only whitespace will be treated as empty. Non-breaking
|
||||||
|
spaces, however, do not count as whitespace. See
|
||||||
|
%AutoFormat.RemoveEmpty.RemoveNbsp for alternate behavior.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
This algorithm is not perfect; you may still notice some empty tags,
|
||||||
|
particularly if a node had elements, but those elements were later removed
|
||||||
|
because they were not permitted in that context, or tags that, after
|
||||||
|
being auto-closed by another tag, where empty. This is for safety reasons
|
||||||
|
to prevent clever code from breaking validation. The general rule of thumb:
|
||||||
|
if a tag looked empty on the way in, it will get removed; if HTML Purifier
|
||||||
|
made it empty, it will stay.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
AutoFormat.RemoveSpansWithoutAttributes
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.0.1
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive causes <code>span</code> tags without any attributes
|
||||||
|
to be removed. It will also remove spans that had all attributes
|
||||||
|
removed during processing.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
CSS.AllowDuplicates
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
VERSION: 4.8.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
By default, HTML Purifier removes duplicate CSS properties,
|
||||||
|
like <code>color:red; color:blue</code>. If this is set to
|
||||||
|
true, duplicate properties are allowed.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,8 @@
|
|||||||
|
CSS.AllowImportant
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
VERSION: 3.1.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
This parameter determines whether or not !important cascade modifiers should
|
||||||
|
be allowed in user CSS. If false, !important will stripped.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
CSS.AllowTricky
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
VERSION: 3.1.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
This parameter determines whether or not to allow "tricky" CSS properties and
|
||||||
|
values. Tricky CSS properties/values can drastically modify page layout or
|
||||||
|
be used for deceptive practices but do not directly constitute a security risk.
|
||||||
|
For example, <code>display:none;</code> is considered a tricky property that
|
||||||
|
will only be allowed if this directive is set to true.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
CSS.AllowedFonts
|
||||||
|
TYPE: lookup/null
|
||||||
|
VERSION: 4.3.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Allows you to manually specify a set of allowed fonts. If
|
||||||
|
<code>NULL</code>, all fonts are allowed. This directive
|
||||||
|
affects generic names (serif, sans-serif, monospace, cursive,
|
||||||
|
fantasy) as well as specific font families.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,18 @@
|
|||||||
|
CSS.AllowedProperties
|
||||||
|
TYPE: lookup/null
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
If HTML Purifier's style attributes set is unsatisfactory for your needs,
|
||||||
|
you can overload it with your own list of tags to allow. Note that this
|
||||||
|
method is subtractive: it does its job by taking away from HTML Purifier
|
||||||
|
usual feature set, so you cannot add an attribute that HTML Purifier never
|
||||||
|
supported in the first place.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<strong>Warning:</strong> If another directive conflicts with the
|
||||||
|
elements here, <em>that</em> directive will win and override.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
CSS.DefinitionRev
|
||||||
|
TYPE: int
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: 1
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Revision identifier for your custom definition. See
|
||||||
|
%HTML.DefinitionRev for details.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
|||||||
|
CSS.ForbiddenProperties
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 4.2.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This is the logical inverse of %CSS.AllowedProperties, and it will
|
||||||
|
override that directive or any other directive. If possible,
|
||||||
|
%CSS.AllowedProperties is recommended over this directive,
|
||||||
|
because it can sometimes be difficult to tell whether or not you've
|
||||||
|
forbidden all of the CSS properties you truly would like to disallow.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
|||||||
|
CSS.MaxImgLength
|
||||||
|
TYPE: string/null
|
||||||
|
DEFAULT: '1200px'
|
||||||
|
VERSION: 3.1.1
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This parameter sets the maximum allowed length on <code>img</code> tags,
|
||||||
|
effectively the <code>width</code> and <code>height</code> properties.
|
||||||
|
Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is
|
||||||
|
in place to prevent imagecrash attacks, disable with null at your own risk.
|
||||||
|
This directive is similar to %HTML.MaxImgLength, and both should be
|
||||||
|
concurrently edited, although there are
|
||||||
|
subtle differences in the input format (the CSS max is a number with
|
||||||
|
a unit).
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
|||||||
|
CSS.Proprietary
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 3.0.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Whether or not to allow safe, proprietary CSS values.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
|||||||
|
CSS.Trusted
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.2.1
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
Indicates whether or not the user's CSS input is trusted or not. If the
|
||||||
|
input is trusted, a more expansive set of allowed properties. See
|
||||||
|
also %HTML.Trusted.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
|||||||
|
Cache.DefinitionImpl
|
||||||
|
TYPE: string/null
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: 'Serializer'
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
This directive defines which method to use when caching definitions,
|
||||||
|
the complex data-type that makes HTML Purifier tick. Set to null
|
||||||
|
to disable caching (not recommended, as you will see a definite
|
||||||
|
performance degradation).
|
||||||
|
|
||||||
|
--ALIASES--
|
||||||
|
Core.DefinitionCache
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
|||||||
|
Cache.SerializerPath
|
||||||
|
TYPE: string/null
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Absolute path with no trailing slash to store serialized definitions in.
|
||||||
|
Default is within the
|
||||||
|
HTML Purifier library inside DefinitionCache/Serializer. This
|
||||||
|
path must be writable by the webserver.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
|||||||
|
Cache.SerializerPermissions
|
||||||
|
TYPE: int/null
|
||||||
|
VERSION: 4.3.0
|
||||||
|
DEFAULT: 0755
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Directory permissions of the files and directories created inside
|
||||||
|
the DefinitionCache/Serializer or other custom serializer path.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
In HTML Purifier 4.8.0, this also supports <code>NULL</code>,
|
||||||
|
which means that no chmod'ing or directory creation shall
|
||||||
|
occur.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,18 @@
|
|||||||
|
Core.AggressivelyFixLt
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 2.1.0
|
||||||
|
DEFAULT: true
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive enables aggressive pre-filter fixes HTML Purifier can
|
||||||
|
perform in order to ensure that open angled-brackets do not get killed
|
||||||
|
during parsing stage. Enabling this will result in two preg_replace_callback
|
||||||
|
calls and at least two preg_replace calls for every HTML document parsed;
|
||||||
|
if your users make very well-formed HTML, you can set this directive false.
|
||||||
|
This has no effect when DirectLex is used.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<strong>Notice:</strong> This directive's default turned from false to true
|
||||||
|
in HTML Purifier 3.2.0.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
|||||||
|
Core.AllowHostnameUnderscore
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.6.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
By RFC 1123, underscores are not permitted in host names.
|
||||||
|
(This is in contrast to the specification for DNS, RFC
|
||||||
|
2181, which allows underscores.)
|
||||||
|
However, most browsers do the right thing when faced with
|
||||||
|
an underscore in the host name, and so some poorly written
|
||||||
|
websites are written with the expectation this should work.
|
||||||
|
Setting this parameter to true relaxes our allowed character
|
||||||
|
check so that underscores are permitted.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
Core.CollectErrors
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
Whether or not to collect errors found while filtering the document. This
|
||||||
|
is a useful way to give feedback to your users. <strong>Warning:</strong>
|
||||||
|
Currently this feature is very patchy and experimental, with lots of
|
||||||
|
possible error messages not yet implemented. It will not cause any
|
||||||
|
problems, but it may not help your users either.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,29 @@
|
|||||||
|
Core.ColorKeywords
|
||||||
|
TYPE: hash
|
||||||
|
VERSION: 2.0.0
|
||||||
|
--DEFAULT--
|
||||||
|
array (
|
||||||
|
'maroon' => '#800000',
|
||||||
|
'red' => '#FF0000',
|
||||||
|
'orange' => '#FFA500',
|
||||||
|
'yellow' => '#FFFF00',
|
||||||
|
'olive' => '#808000',
|
||||||
|
'purple' => '#800080',
|
||||||
|
'fuchsia' => '#FF00FF',
|
||||||
|
'white' => '#FFFFFF',
|
||||||
|
'lime' => '#00FF00',
|
||||||
|
'green' => '#008000',
|
||||||
|
'navy' => '#000080',
|
||||||
|
'blue' => '#0000FF',
|
||||||
|
'aqua' => '#00FFFF',
|
||||||
|
'teal' => '#008080',
|
||||||
|
'black' => '#000000',
|
||||||
|
'silver' => '#C0C0C0',
|
||||||
|
'gray' => '#808080',
|
||||||
|
)
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
Lookup array of color names to six digit hexadecimal number corresponding
|
||||||
|
to color, with preceding hash mark. Used when parsing colors. The lookup
|
||||||
|
is done in a case-insensitive manner.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
|||||||
|
Core.ConvertDocumentToFragment
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: true
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
This parameter determines whether or not the filter should convert
|
||||||
|
input that is a full document with html and body tags to a fragment
|
||||||
|
of just the contents of a body tag. This parameter is simply something
|
||||||
|
HTML Purifier can do during an edge-case: for most inputs, this
|
||||||
|
processing is not necessary.
|
||||||
|
|
||||||
|
--ALIASES--
|
||||||
|
Core.AcceptFullDocuments
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,17 @@
|
|||||||
|
Core.DirectLexLineNumberSyncInterval
|
||||||
|
TYPE: int
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: 0
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Specifies the number of tokens the DirectLex line number tracking
|
||||||
|
implementations should process before attempting to resyncronize the
|
||||||
|
current line count by manually counting all previous new-lines. When
|
||||||
|
at 0, this functionality is disabled. Lower values will decrease
|
||||||
|
performance, and this is only strictly necessary if the counting
|
||||||
|
algorithm is buggy (in which case you should report it as a bug).
|
||||||
|
This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is
|
||||||
|
not being used.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
|||||||
|
Core.DisableExcludes
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
VERSION: 4.5.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive disables SGML-style exclusions, e.g. the exclusion of
|
||||||
|
<code><object></code> in any descendant of a
|
||||||
|
<code><pre></code> tag. Disabling excludes will allow some
|
||||||
|
invalid documents to pass through HTML Purifier, but HTML Purifier
|
||||||
|
will also be less likely to accidentally remove large documents during
|
||||||
|
processing.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
|||||||
|
Core.EnableIDNA
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
VERSION: 4.4.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
Allows international domain names in URLs. This configuration option
|
||||||
|
requires the PEAR Net_IDNA2 module to be installed. It operates by
|
||||||
|
punycoding any internationalized host names for maximum portability.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,15 @@
|
|||||||
|
Core.Encoding
|
||||||
|
TYPE: istring
|
||||||
|
DEFAULT: 'utf-8'
|
||||||
|
--DESCRIPTION--
|
||||||
|
If for some reason you are unable to convert all webpages to UTF-8, you can
|
||||||
|
use this directive as a stop-gap compatibility change to let HTML Purifier
|
||||||
|
deal with non UTF-8 input. This technique has notable deficiencies:
|
||||||
|
absolutely no characters outside of the selected character encoding will be
|
||||||
|
preserved, not even the ones that have been ampersand escaped (this is due
|
||||||
|
to a UTF-8 specific <em>feature</em> that automatically resolves all
|
||||||
|
entities), making it pretty useless for anything except the most I18N-blind
|
||||||
|
applications, although %Core.EscapeNonASCIICharacters offers fixes this
|
||||||
|
trouble with another tradeoff. This directive only accepts ISO-8859-1 if
|
||||||
|
iconv is not enabled.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
Core.EscapeInvalidChildren
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p><strong>Warning:</strong> this configuration option is no longer does anything as of 4.6.0.</p>
|
||||||
|
|
||||||
|
<p>When true, a child is found that is not allowed in the context of the
|
||||||
|
parent element will be transformed into text as if it were ASCII. When
|
||||||
|
false, that element and all internal tags will be dropped, though text will
|
||||||
|
be preserved. There is no option for dropping the element but preserving
|
||||||
|
child nodes.</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,7 @@
|
|||||||
|
Core.EscapeInvalidTags
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
When true, invalid tags will be written back to the document as plain text.
|
||||||
|
Otherwise, they are silently dropped.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
|||||||
|
Core.EscapeNonASCIICharacters
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 1.4.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
This directive overcomes a deficiency in %Core.Encoding by blindly
|
||||||
|
converting all non-ASCII characters into decimal numeric entities before
|
||||||
|
converting it to its native encoding. This means that even characters that
|
||||||
|
can be expressed in the non-UTF-8 encoding will be entity-ized, which can
|
||||||
|
be a real downer for encodings like Big5. It also assumes that the ASCII
|
||||||
|
repetoire is available, although this is the case for almost all encodings.
|
||||||
|
Anyway, use UTF-8!
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,19 @@
|
|||||||
|
Core.HiddenElements
|
||||||
|
TYPE: lookup
|
||||||
|
--DEFAULT--
|
||||||
|
array (
|
||||||
|
'script' => true,
|
||||||
|
'style' => true,
|
||||||
|
)
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
This directive is a lookup array of elements which should have their
|
||||||
|
contents removed when they are not allowed by the HTML definition.
|
||||||
|
For example, the contents of a <code>script</code> tag are not
|
||||||
|
normally shown in a document, so if script tags are to be removed,
|
||||||
|
their contents should be removed to. This is opposed to a <code>b</code>
|
||||||
|
tag, which defines some presentational changes but does not hide its
|
||||||
|
contents.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
|||||||
|
Core.Language
|
||||||
|
TYPE: string
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: 'en'
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
ISO 639 language code for localizable things in HTML Purifier to use,
|
||||||
|
which is mainly error reporting. There is currently only an English (en)
|
||||||
|
translation, so this directive is currently useless.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,34 @@
|
|||||||
|
Core.LexerImpl
|
||||||
|
TYPE: mixed/null
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
This parameter determines what lexer implementation can be used. The
|
||||||
|
valid values are:
|
||||||
|
</p>
|
||||||
|
<dl>
|
||||||
|
<dt><em>null</em></dt>
|
||||||
|
<dd>
|
||||||
|
Recommended, the lexer implementation will be auto-detected based on
|
||||||
|
your PHP-version and configuration.
|
||||||
|
</dd>
|
||||||
|
<dt><em>string</em> lexer identifier</dt>
|
||||||
|
<dd>
|
||||||
|
This is a slim way of manually overridding the implementation.
|
||||||
|
Currently recognized values are: DOMLex (the default PHP5
|
||||||
|
implementation)
|
||||||
|
and DirectLex (the default PHP4 implementation). Only use this if
|
||||||
|
you know what you are doing: usually, the auto-detection will
|
||||||
|
manage things for cases you aren't even aware of.
|
||||||
|
</dd>
|
||||||
|
<dt><em>object</em> lexer instance</dt>
|
||||||
|
<dd>
|
||||||
|
Super-advanced: you can specify your own, custom, implementation that
|
||||||
|
implements the interface defined by <code>HTMLPurifier_Lexer</code>.
|
||||||
|
I may remove this option simply because I don't expect anyone
|
||||||
|
to use it.
|
||||||
|
</dd>
|
||||||
|
</dl>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
|||||||
|
Core.MaintainLineNumbers
|
||||||
|
TYPE: bool/null
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
If true, HTML Purifier will add line number information to all tokens.
|
||||||
|
This is useful when error reporting is turned on, but can result in
|
||||||
|
significant performance degradation and should not be used when
|
||||||
|
unnecessary. This directive must be used with the DirectLex lexer,
|
||||||
|
as the DOMLex lexer does not (yet) support this functionality.
|
||||||
|
If the value is null, an appropriate value will be selected based
|
||||||
|
on other configuration.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
Core.NormalizeNewlines
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.2.0
|
||||||
|
DEFAULT: true
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Whether or not to normalize newlines to the operating
|
||||||
|
system default. When <code>false</code>, HTML Purifier
|
||||||
|
will attempt to preserve mixed newline files.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
Core.RemoveInvalidImg
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: true
|
||||||
|
VERSION: 1.3.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
This directive enables pre-emptive URI checking in <code>img</code>
|
||||||
|
tags, as the attribute validation strategy is not authorized to
|
||||||
|
remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
Core.RemoveProcessingInstructions
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.2.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
Instead of escaping processing instructions in the form <code><? ...
|
||||||
|
?></code>, remove it out-right. This may be useful if the HTML
|
||||||
|
you are validating contains XML processing instruction gunk, however,
|
||||||
|
it can also be user-unfriendly for people attempting to post PHP
|
||||||
|
snippets.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
Core.RemoveScriptContents
|
||||||
|
TYPE: bool/null
|
||||||
|
DEFAULT: NULL
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEPRECATED-VERSION: 2.1.0
|
||||||
|
DEPRECATED-USE: Core.HiddenElements
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive enables HTML Purifier to remove not only script tags
|
||||||
|
but all of their contents.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
Filter.Custom
|
||||||
|
TYPE: list
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive can be used to add custom filters; it is nearly the
|
||||||
|
equivalent of the now deprecated <code>HTMLPurifier->addFilter()</code>
|
||||||
|
method. Specify an array of concrete implementations.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
|||||||
|
Filter.ExtractStyleBlocks.Escaping
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 3.0.0
|
||||||
|
DEFAULT: true
|
||||||
|
ALIASES: Filter.ExtractStyleBlocksEscaping, FilterParam.ExtractStyleBlocksEscaping
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Whether or not to escape the dangerous characters <, > and &
|
||||||
|
as \3C, \3E and \26, respectively. This is can be safely set to false
|
||||||
|
if the contents of StyleBlocks will be placed in an external stylesheet,
|
||||||
|
where there is no risk of it being interpreted as HTML.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,29 @@
|
|||||||
|
Filter.ExtractStyleBlocks.Scope
|
||||||
|
TYPE: string/null
|
||||||
|
VERSION: 3.0.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
ALIASES: Filter.ExtractStyleBlocksScope, FilterParam.ExtractStyleBlocksScope
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
If you would like users to be able to define external stylesheets, but
|
||||||
|
only allow them to specify CSS declarations for a specific node and
|
||||||
|
prevent them from fiddling with other elements, use this directive.
|
||||||
|
It accepts any valid CSS selector, and will prepend this to any
|
||||||
|
CSS declaration extracted from the document. For example, if this
|
||||||
|
directive is set to <code>#user-content</code> and a user uses the
|
||||||
|
selector <code>a:hover</code>, the final selector will be
|
||||||
|
<code>#user-content a:hover</code>.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
The comma shorthand may be used; consider the above example, with
|
||||||
|
<code>#user-content, #user-content2</code>, the final selector will
|
||||||
|
be <code>#user-content a:hover, #user-content2 a:hover</code>.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<strong>Warning:</strong> It is possible for users to bypass this measure
|
||||||
|
using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML
|
||||||
|
Purifier, and I am working to get it fixed. Until then, HTML Purifier
|
||||||
|
performs a basic check to prevent this.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
|||||||
|
Filter.ExtractStyleBlocks.TidyImpl
|
||||||
|
TYPE: mixed/null
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
ALIASES: FilterParam.ExtractStyleBlocksTidyImpl
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
If left NULL, HTML Purifier will attempt to instantiate a <code>csstidy</code>
|
||||||
|
class to use for internal cleaning. This will usually be good enough.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
However, for trusted user input, you can set this to <code>false</code> to
|
||||||
|
disable cleaning. In addition, you can supply your own concrete implementation
|
||||||
|
of Tidy's interface to use, although I don't know why you'd want to do that.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,74 @@
|
|||||||
|
Filter.ExtractStyleBlocks
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: false
|
||||||
|
EXTERNAL: CSSTidy
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive turns on the style block extraction filter, which removes
|
||||||
|
<code>style</code> blocks from input HTML, cleans them up with CSSTidy,
|
||||||
|
and places them in the <code>StyleBlocks</code> context variable, for further
|
||||||
|
use by you, usually to be placed in an external stylesheet, or a
|
||||||
|
<code>style</code> block in the <code>head</code> of your document.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
Sample usage:
|
||||||
|
</p>
|
||||||
|
<pre><![CDATA[
|
||||||
|
<?php
|
||||||
|
header('Content-type: text/html; charset=utf-8');
|
||||||
|
echo '<?xml version="1.0" encoding="UTF-8"?>';
|
||||||
|
?>
|
||||||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||||||
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||||||
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
||||||
|
<head>
|
||||||
|
<title>Filter.ExtractStyleBlocks</title>
|
||||||
|
<?php
|
||||||
|
require_once '/path/to/library/HTMLPurifier.auto.php';
|
||||||
|
require_once '/path/to/csstidy.class.php';
|
||||||
|
|
||||||
|
$dirty = '<style>body {color:#F00;}</style> Some text';
|
||||||
|
|
||||||
|
$config = HTMLPurifier_Config::createDefault();
|
||||||
|
$config->set('Filter', 'ExtractStyleBlocks', true);
|
||||||
|
$purifier = new HTMLPurifier($config);
|
||||||
|
|
||||||
|
$html = $purifier->purify($dirty);
|
||||||
|
|
||||||
|
// This implementation writes the stylesheets to the styles/ directory.
|
||||||
|
// You can also echo the styles inside the document, but it's a bit
|
||||||
|
// more difficult to make sure they get interpreted properly by
|
||||||
|
// browsers; try the usual CSS armoring techniques.
|
||||||
|
$styles = $purifier->context->get('StyleBlocks');
|
||||||
|
$dir = 'styles/';
|
||||||
|
if (!is_dir($dir)) mkdir($dir);
|
||||||
|
$hash = sha1($_GET['html']);
|
||||||
|
foreach ($styles as $i => $style) {
|
||||||
|
file_put_contents($name = $dir . $hash . "_$i");
|
||||||
|
echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<div>
|
||||||
|
<?php echo $html; ?>
|
||||||
|
</div>
|
||||||
|
</b]]><![CDATA[ody>
|
||||||
|
</html>
|
||||||
|
]]></pre>
|
||||||
|
<p>
|
||||||
|
<strong>Warning:</strong> It is possible for a user to mount an
|
||||||
|
imagecrash attack using this CSS. Counter-measures are difficult;
|
||||||
|
it is not simply enough to limit the range of CSS lengths (using
|
||||||
|
relative lengths with many nesting levels allows for large values
|
||||||
|
to be attained without actually specifying them in the stylesheet),
|
||||||
|
and the flexible nature of selectors makes it difficult to selectively
|
||||||
|
disable lengths on image tags (HTML Purifier, however, does disable
|
||||||
|
CSS width and height in inline styling). There are probably two effective
|
||||||
|
counter measures: an explicit width and height set to auto in all
|
||||||
|
images in your document (unlikely) or the disabling of width and
|
||||||
|
height (somewhat reasonable). Whether or not these measures should be
|
||||||
|
used is left to the reader.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
|||||||
|
Filter.YouTube
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
<strong>Warning:</strong> Deprecated in favor of %HTML.SafeObject and
|
||||||
|
%Output.FlashCompat (turn both on to allow YouTube videos and other
|
||||||
|
Flash content).
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
This directive enables YouTube video embedding in HTML Purifier. Check
|
||||||
|
<a href="http://htmlpurifier.org/docs/enduser-youtube.html">this document
|
||||||
|
on embedding videos</a> for more information on what this filter does.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,25 @@
|
|||||||
|
HTML.Allowed
|
||||||
|
TYPE: itext/null
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
This is a preferred convenience directive that combines
|
||||||
|
%HTML.AllowedElements and %HTML.AllowedAttributes.
|
||||||
|
Specify elements and attributes that are allowed using:
|
||||||
|
<code>element1[attr1|attr2],element2...</code>. For example,
|
||||||
|
if you would like to only allow paragraphs and links, specify
|
||||||
|
<code>a[href],p</code>. You can specify attributes that apply
|
||||||
|
to all elements using an asterisk, e.g. <code>*[lang]</code>.
|
||||||
|
You can also use newlines instead of commas to separate elements.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<strong>Warning</strong>:
|
||||||
|
All of the constraints on the component directives are still enforced.
|
||||||
|
The syntax is a <em>subset</em> of TinyMCE's <code>valid_elements</code>
|
||||||
|
whitelist: directly copy-pasting it here will probably result in
|
||||||
|
broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes
|
||||||
|
are set, this directive has no effect.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,19 @@
|
|||||||
|
HTML.AllowedAttributes
|
||||||
|
TYPE: lookup/null
|
||||||
|
VERSION: 1.3.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
If HTML Purifier's attribute set is unsatisfactory, overload it!
|
||||||
|
The syntax is "tag.attr" or "*.attr" for the global attributes
|
||||||
|
(style, id, class, dir, lang, xml:lang).
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<strong>Warning:</strong> If another directive conflicts with the
|
||||||
|
elements here, <em>that</em> directive will win and override. For
|
||||||
|
example, %HTML.EnableAttrID will take precedence over *.id in this
|
||||||
|
directive. You must set that directive to true before you can use
|
||||||
|
IDs at all.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
|||||||
|
HTML.AllowedComments
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 4.4.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
A whitelist which indicates what explicit comment bodies should be
|
||||||
|
allowed, modulo leading and trailing whitespace. See also %HTML.AllowedCommentsRegexp
|
||||||
|
(these directives are union'ed together, so a comment is considered
|
||||||
|
valid if any directive deems it valid.)
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,15 @@
|
|||||||
|
HTML.AllowedCommentsRegexp
|
||||||
|
TYPE: string/null
|
||||||
|
VERSION: 4.4.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
A regexp, which if it matches the body of a comment, indicates that
|
||||||
|
it should be allowed. Trailing and leading spaces are removed prior
|
||||||
|
to running this regular expression.
|
||||||
|
<strong>Warning:</strong> Make sure you specify
|
||||||
|
correct anchor metacharacters <code>^regex$</code>, otherwise you may accept
|
||||||
|
comments that you did not mean to! In particular, the regex <code>/foo|bar/</code>
|
||||||
|
is probably not sufficiently strict, since it also allows <code>foobar</code>.
|
||||||
|
See also %HTML.AllowedComments (these directives are union'ed together,
|
||||||
|
so a comment is considered valid if any directive deems it valid.)
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,23 @@
|
|||||||
|
HTML.AllowedElements
|
||||||
|
TYPE: lookup/null
|
||||||
|
VERSION: 1.3.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
If HTML Purifier's tag set is unsatisfactory for your needs, you can
|
||||||
|
overload it with your own list of tags to allow. If you change
|
||||||
|
this, you probably also want to change %HTML.AllowedAttributes; see
|
||||||
|
also %HTML.Allowed which lets you set allowed elements and
|
||||||
|
attributes at the same time.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
If you attempt to allow an element that HTML Purifier does not know
|
||||||
|
about, HTML Purifier will raise an error. You will need to manually
|
||||||
|
tell HTML Purifier about this element by using the
|
||||||
|
<a href="http://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<strong>Warning:</strong> If another directive conflicts with the
|
||||||
|
elements here, <em>that</em> directive will win and override.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,20 @@
|
|||||||
|
HTML.AllowedModules
|
||||||
|
TYPE: lookup/null
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
A doctype comes with a set of usual modules to use. Without having
|
||||||
|
to mucking about with the doctypes, you can quickly activate or
|
||||||
|
disable these modules by specifying which modules you wish to allow
|
||||||
|
with this directive. This is most useful for unit testing specific
|
||||||
|
modules, although end users may find it useful for their own ends.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
If you specify a module that does not exist, the manager will silently
|
||||||
|
fail to use it, so be careful! User-defined modules are not affected
|
||||||
|
by this directive. Modules defined in %HTML.CoreModules are not
|
||||||
|
affected by this directive.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
HTML.Attr.Name.UseCDATA
|
||||||
|
TYPE: bool
|
||||||
|
DEFAULT: false
|
||||||
|
VERSION: 4.0.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
The W3C specification DTD defines the name attribute to be CDATA, not ID, due
|
||||||
|
to limitations of DTD. In certain documents, this relaxed behavior is desired,
|
||||||
|
whether it is to specify duplicate names, or to specify names that would be
|
||||||
|
illegal IDs (for example, names that begin with a digit.) Set this configuration
|
||||||
|
directive to true to use the relaxed parsing rules.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,18 @@
|
|||||||
|
HTML.BlockWrapper
|
||||||
|
TYPE: string
|
||||||
|
VERSION: 1.3.0
|
||||||
|
DEFAULT: 'p'
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
String name of element to wrap inline elements that are inside a block
|
||||||
|
context. This only occurs in the children of blockquote in strict mode.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
Example: by default value,
|
||||||
|
<code><blockquote>Foo</blockquote></code> would become
|
||||||
|
<code><blockquote><p>Foo</p></blockquote></code>.
|
||||||
|
The <code><p></code> tags can be replaced with whatever you desire,
|
||||||
|
as long as it is a block level element.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,23 @@
|
|||||||
|
HTML.CoreModules
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 2.0.0
|
||||||
|
--DEFAULT--
|
||||||
|
array (
|
||||||
|
'Structure' => true,
|
||||||
|
'Text' => true,
|
||||||
|
'Hypertext' => true,
|
||||||
|
'List' => true,
|
||||||
|
'NonXMLCommonAttributes' => true,
|
||||||
|
'XMLCommonAttributes' => true,
|
||||||
|
'CommonAttributes' => true,
|
||||||
|
)
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Certain modularized doctypes (XHTML, namely), have certain modules
|
||||||
|
that must be included for the doctype to be an conforming document
|
||||||
|
type: put those modules here. By default, XHTML's core modules
|
||||||
|
are used. You can set this to a blank array to disable core module
|
||||||
|
protection, but this is not recommended.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
|||||||
|
HTML.CustomDoctype
|
||||||
|
TYPE: string/null
|
||||||
|
VERSION: 2.0.1
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
A custom doctype for power-users who defined their own document
|
||||||
|
type. This directive only applies when %HTML.Doctype is blank.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,33 @@
|
|||||||
|
HTML.DefinitionID
|
||||||
|
TYPE: string/null
|
||||||
|
DEFAULT: NULL
|
||||||
|
VERSION: 2.0.0
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Unique identifier for a custom-built HTML definition. If you edit
|
||||||
|
the raw version of the HTMLDefinition, introducing changes that the
|
||||||
|
configuration object does not reflect, you must specify this variable.
|
||||||
|
If you change your custom edits, you should change this directive, or
|
||||||
|
clear your cache. Example:
|
||||||
|
</p>
|
||||||
|
<pre>
|
||||||
|
$config = HTMLPurifier_Config::createDefault();
|
||||||
|
$config->set('HTML', 'DefinitionID', '1');
|
||||||
|
$def = $config->getHTMLDefinition();
|
||||||
|
$def->addAttribute('a', 'tabindex', 'Number');
|
||||||
|
</pre>
|
||||||
|
<p>
|
||||||
|
In the above example, the configuration is still at the defaults, but
|
||||||
|
using the advanced API, an extra attribute has been added. The
|
||||||
|
configuration object normally has no way of knowing that this change
|
||||||
|
has taken place, so it needs an extra directive: %HTML.DefinitionID.
|
||||||
|
If someone else attempts to use the default configuration, these two
|
||||||
|
pieces of code will not clobber each other in the cache, since one has
|
||||||
|
an extra directive attached to it.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
You <em>must</em> specify a value to this directive to use the
|
||||||
|
advanced API features.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
|||||||
|
HTML.DefinitionRev
|
||||||
|
TYPE: int
|
||||||
|
VERSION: 2.0.0
|
||||||
|
DEFAULT: 1
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Revision identifier for your custom definition specified in
|
||||||
|
%HTML.DefinitionID. This serves the same purpose: uniquely identifying
|
||||||
|
your custom definition, but this one does so in a chronological
|
||||||
|
context: revision 3 is more up-to-date then revision 2. Thus, when
|
||||||
|
this gets incremented, the cache handling is smart enough to clean
|
||||||
|
up any older revisions of your definition as well as flush the
|
||||||
|
cache.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
HTML.Doctype
|
||||||
|
TYPE: string/null
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
Doctype to use during filtering. Technically speaking this is not actually
|
||||||
|
a doctype (as it does not identify a corresponding DTD), but we are using
|
||||||
|
this name for sake of simplicity. When non-blank, this will override any
|
||||||
|
older directives like %HTML.XHTML or %HTML.Strict.
|
||||||
|
--ALLOWED--
|
||||||
|
'HTML 4.01 Transitional', 'HTML 4.01 Strict', 'XHTML 1.0 Transitional', 'XHTML 1.0 Strict', 'XHTML 1.1'
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
HTML.FlashAllowFullScreen
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.2.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Whether or not to permit embedded Flash content from
|
||||||
|
%HTML.SafeObject to expand to the full screen. Corresponds to
|
||||||
|
the <code>allowFullScreen</code> parameter.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,21 @@
|
|||||||
|
HTML.ForbiddenAttributes
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
While this directive is similar to %HTML.AllowedAttributes, for
|
||||||
|
forwards-compatibility with XML, this attribute has a different syntax. Instead of
|
||||||
|
<code>tag.attr</code>, use <code>tag@attr</code>. To disallow <code>href</code>
|
||||||
|
attributes in <code>a</code> tags, set this directive to
|
||||||
|
<code>a@href</code>. You can also disallow an attribute globally with
|
||||||
|
<code>attr</code> or <code>*@attr</code> (either syntax is fine; the latter
|
||||||
|
is provided for consistency with %HTML.AllowedAttributes).
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
<strong>Warning:</strong> This directive complements %HTML.ForbiddenElements,
|
||||||
|
accordingly, check
|
||||||
|
out that directive for a discussion of why you
|
||||||
|
should think twice before using this directive.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,20 @@
|
|||||||
|
HTML.ForbiddenElements
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This was, perhaps, the most requested feature ever in HTML
|
||||||
|
Purifier. Please don't abuse it! This is the logical inverse of
|
||||||
|
%HTML.AllowedElements, and it will override that directive, or any
|
||||||
|
other directive.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
If possible, %HTML.Allowed is recommended over this directive, because it
|
||||||
|
can sometimes be difficult to tell whether or not you've forbidden all of
|
||||||
|
the behavior you would like to disallow. If you forbid <code>img</code>
|
||||||
|
with the expectation of preventing images on your site, you'll be in for
|
||||||
|
a nasty surprise when people start using the <code>background-image</code>
|
||||||
|
CSS property.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
|||||||
|
HTML.MaxImgLength
|
||||||
|
TYPE: int/null
|
||||||
|
DEFAULT: 1200
|
||||||
|
VERSION: 3.1.1
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive controls the maximum number of pixels in the width and
|
||||||
|
height attributes in <code>img</code> tags. This is
|
||||||
|
in place to prevent imagecrash attacks, disable with null at your own risk.
|
||||||
|
This directive is similar to %CSS.MaxImgLength, and both should be
|
||||||
|
concurrently edited, although there are
|
||||||
|
subtle differences in the input format (the HTML max is an integer).
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,7 @@
|
|||||||
|
HTML.Nofollow
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.3.0
|
||||||
|
DEFAULT: FALSE
|
||||||
|
--DESCRIPTION--
|
||||||
|
If enabled, nofollow rel attributes are added to all outgoing links.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
HTML.Parent
|
||||||
|
TYPE: string
|
||||||
|
VERSION: 1.3.0
|
||||||
|
DEFAULT: 'div'
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
String name of element that HTML fragment passed to library will be
|
||||||
|
inserted in. An interesting variation would be using span as the
|
||||||
|
parent element, meaning that only inline tags would be allowed.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
|||||||
|
HTML.Proprietary
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Whether or not to allow proprietary elements and attributes in your
|
||||||
|
documents, as per <code>HTMLPurifier_HTMLModule_Proprietary</code>.
|
||||||
|
<strong>Warning:</strong> This can cause your documents to stop
|
||||||
|
validating!
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
|||||||
|
HTML.SafeEmbed
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 3.1.1
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Whether or not to permit embed tags in documents, with a number of extra
|
||||||
|
security features added to prevent script execution. This is similar to
|
||||||
|
what websites like MySpace do to embed tags. Embed is a proprietary
|
||||||
|
element and will cause your website to stop validating; you should
|
||||||
|
see if you can use %Output.FlashCompat with %HTML.SafeObject instead
|
||||||
|
first.</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
|||||||
|
HTML.SafeIframe
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.4.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Whether or not to permit iframe tags in untrusted documents. This
|
||||||
|
directive must be accompanied by a whitelist of permitted iframes,
|
||||||
|
such as %URI.SafeIframeRegexp, otherwise it will fatally error.
|
||||||
|
This directive has no effect on strict doctypes, as iframes are not
|
||||||
|
valid.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user