mirror of
https://bitbucket.org/jsuto/piler.git
synced 2024-12-25 06:10:12 +01:00
Added HTML purifier support
Change-Id: Ic76ebc3f3fb05518d0a0427b3fe327e4269ee7a9 Signed-off-by: SJ <sj@acts.hu>
This commit is contained in:
parent
95b906fa3f
commit
1ebd49956a
@ -267,6 +267,13 @@ class ModelSearchMessage extends Model {
|
||||
$mime_parts[] = array('header' => $headers, 'body' => $body);
|
||||
}
|
||||
|
||||
require_once DIR_SYSTEM . 'helper/HTMLPurifier.standalone.php';
|
||||
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('URI', 'DisableExternal', 'true');
|
||||
$config->set('URI', 'DisableExternalResources', 'true');
|
||||
$purifier = new HTMLPurifier($config);
|
||||
|
||||
for($i=0; $i<count($mime_parts); $i++) {
|
||||
$mime = array(
|
||||
'content-type' => '',
|
||||
@ -291,12 +298,12 @@ class ModelSearchMessage extends Model {
|
||||
$mime['encoding'] = $mime_parts[$i]['header']['content-transfer-encoding'];
|
||||
|
||||
if(in_array($mime['content-type']['type'], array('text/plain', 'text/html')))
|
||||
$this->message[$mime['content-type']['type']] .= $this->fix_mime_body_part($mime, $mime_parts[$i]['body']);
|
||||
$this->message[$mime['content-type']['type']] .= $this->fix_mime_body_part($purifier, $mime, $mime_parts[$i]['body']);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
private function fix_mime_body_part($mime = array(), $body = '') {
|
||||
private function fix_mime_body_part($purifier, $mime = array(), $body = '') {
|
||||
if($mime['encoding'] == 'quoted-printable')
|
||||
$body = Zend_Mime_Decode::decodeQuotedPrintable($body);
|
||||
|
||||
@ -316,23 +323,7 @@ class ModelSearchMessage extends Model {
|
||||
}
|
||||
|
||||
if(strtolower($mime['content-type']['type']) == 'text/html') {
|
||||
|
||||
$body = preg_replace("/\<style([\w\W]+)style\>/", "", $body);
|
||||
|
||||
if(ENABLE_REMOTE_IMAGES == 0) {
|
||||
$body = preg_replace("/style([\s]{0,}=[\s]{0,})\"([^\"]+)/", "style=\"xxxx", $body);
|
||||
$body = preg_replace("/style([\s]{0,}=[\s]{0,})\'([^\']+)/", "style='xxxx", $body);
|
||||
|
||||
$body = preg_replace("/\<img([^\>]+)\>/i", "<img src=\"" . REMOTE_IMAGE_REPLACEMENT . "\" />", $body);
|
||||
}
|
||||
|
||||
$body = preg_replace("/\<body ([\w\s\;\"\'\#\d\:\-\=]+)\>/i", "<body>", $body);
|
||||
|
||||
$body = preg_replace("/\<a\s{1,}([\w=\"\'\s]+){0,}\s{0,}href/i", "<qqqq", $body);
|
||||
$body = preg_replace("/\<base href/i", "<qqqq", $body);
|
||||
|
||||
$body = preg_replace("/document\.write/", "document.writeee", $body);
|
||||
$body = preg_replace("/<\s{0,}script([\w\W]+)\/script\s{0,}\>/i", "<!-- disabled javascript here -->", $body);
|
||||
$body = $purifier->purify($body);
|
||||
}
|
||||
|
||||
return $body;
|
||||
|
22099
webui/system/helper/HTMLPurifier.standalone.php
Normal file
22099
webui/system/helper/HTMLPurifier.standalone.php
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,48 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Converts HTMLPurifier_ConfigSchema_Interchange to our runtime
|
||||
* representation used to perform checks on user configuration.
|
||||
*/
|
||||
class HTMLPurifier_ConfigSchema_Builder_ConfigSchema
|
||||
{
|
||||
|
||||
/**
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||
* @return HTMLPurifier_ConfigSchema
|
||||
*/
|
||||
public function build($interchange)
|
||||
{
|
||||
$schema = new HTMLPurifier_ConfigSchema();
|
||||
foreach ($interchange->directives as $d) {
|
||||
$schema->add(
|
||||
$d->id->key,
|
||||
$d->default,
|
||||
$d->type,
|
||||
$d->typeAllowsNull
|
||||
);
|
||||
if ($d->allowed !== null) {
|
||||
$schema->addAllowedValues(
|
||||
$d->id->key,
|
||||
$d->allowed
|
||||
);
|
||||
}
|
||||
foreach ($d->aliases as $alias) {
|
||||
$schema->addAlias(
|
||||
$alias->key,
|
||||
$d->id->key
|
||||
);
|
||||
}
|
||||
if ($d->valueAliases !== null) {
|
||||
$schema->addValueAliases(
|
||||
$d->id->key,
|
||||
$d->valueAliases
|
||||
);
|
||||
}
|
||||
}
|
||||
$schema->postProcess();
|
||||
return $schema;
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
@ -0,0 +1,144 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Converts HTMLPurifier_ConfigSchema_Interchange to an XML format,
|
||||
* which can be further processed to generate documentation.
|
||||
*/
|
||||
class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter
|
||||
{
|
||||
|
||||
/**
|
||||
* @type HTMLPurifier_ConfigSchema_Interchange
|
||||
*/
|
||||
protected $interchange;
|
||||
|
||||
/**
|
||||
* @type string
|
||||
*/
|
||||
private $namespace;
|
||||
|
||||
/**
|
||||
* @param string $html
|
||||
*/
|
||||
protected function writeHTMLDiv($html)
|
||||
{
|
||||
$this->startElement('div');
|
||||
|
||||
$purifier = HTMLPurifier::getInstance();
|
||||
$html = $purifier->purify($html);
|
||||
$this->writeAttribute('xmlns', 'http://www.w3.org/1999/xhtml');
|
||||
$this->writeRaw($html);
|
||||
|
||||
$this->endElement(); // div
|
||||
}
|
||||
|
||||
/**
|
||||
* @param mixed $var
|
||||
* @return string
|
||||
*/
|
||||
protected function export($var)
|
||||
{
|
||||
if ($var === array()) {
|
||||
return 'array()';
|
||||
}
|
||||
return var_export($var, true);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||
*/
|
||||
public function build($interchange)
|
||||
{
|
||||
// global access, only use as last resort
|
||||
$this->interchange = $interchange;
|
||||
|
||||
$this->setIndent(true);
|
||||
$this->startDocument('1.0', 'UTF-8');
|
||||
$this->startElement('configdoc');
|
||||
$this->writeElement('title', $interchange->name);
|
||||
|
||||
foreach ($interchange->directives as $directive) {
|
||||
$this->buildDirective($directive);
|
||||
}
|
||||
|
||||
if ($this->namespace) {
|
||||
$this->endElement();
|
||||
} // namespace
|
||||
|
||||
$this->endElement(); // configdoc
|
||||
$this->flush();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $directive
|
||||
*/
|
||||
public function buildDirective($directive)
|
||||
{
|
||||
// Kludge, although I suppose having a notion of a "root namespace"
|
||||
// certainly makes things look nicer when documentation is built.
|
||||
// Depends on things being sorted.
|
||||
if (!$this->namespace || $this->namespace !== $directive->id->getRootNamespace()) {
|
||||
if ($this->namespace) {
|
||||
$this->endElement();
|
||||
} // namespace
|
||||
$this->namespace = $directive->id->getRootNamespace();
|
||||
$this->startElement('namespace');
|
||||
$this->writeAttribute('id', $this->namespace);
|
||||
$this->writeElement('name', $this->namespace);
|
||||
}
|
||||
|
||||
$this->startElement('directive');
|
||||
$this->writeAttribute('id', $directive->id->toString());
|
||||
|
||||
$this->writeElement('name', $directive->id->getDirective());
|
||||
|
||||
$this->startElement('aliases');
|
||||
foreach ($directive->aliases as $alias) {
|
||||
$this->writeElement('alias', $alias->toString());
|
||||
}
|
||||
$this->endElement(); // aliases
|
||||
|
||||
$this->startElement('constraints');
|
||||
if ($directive->version) {
|
||||
$this->writeElement('version', $directive->version);
|
||||
}
|
||||
$this->startElement('type');
|
||||
if ($directive->typeAllowsNull) {
|
||||
$this->writeAttribute('allow-null', 'yes');
|
||||
}
|
||||
$this->text($directive->type);
|
||||
$this->endElement(); // type
|
||||
if ($directive->allowed) {
|
||||
$this->startElement('allowed');
|
||||
foreach ($directive->allowed as $value => $x) {
|
||||
$this->writeElement('value', $value);
|
||||
}
|
||||
$this->endElement(); // allowed
|
||||
}
|
||||
$this->writeElement('default', $this->export($directive->default));
|
||||
$this->writeAttribute('xml:space', 'preserve');
|
||||
if ($directive->external) {
|
||||
$this->startElement('external');
|
||||
foreach ($directive->external as $project) {
|
||||
$this->writeElement('project', $project);
|
||||
}
|
||||
$this->endElement();
|
||||
}
|
||||
$this->endElement(); // constraints
|
||||
|
||||
if ($directive->deprecatedVersion) {
|
||||
$this->startElement('deprecated');
|
||||
$this->writeElement('version', $directive->deprecatedVersion);
|
||||
$this->writeElement('use', $directive->deprecatedUse->toString());
|
||||
$this->endElement(); // deprecated
|
||||
}
|
||||
|
||||
$this->startElement('description');
|
||||
$this->writeHTMLDiv($directive->description);
|
||||
$this->endElement(); // description
|
||||
|
||||
$this->endElement(); // directive
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Exceptions related to configuration schema
|
||||
*/
|
||||
class HTMLPurifier_ConfigSchema_Exception extends HTMLPurifier_Exception
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
@ -0,0 +1,47 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Generic schema interchange format that can be converted to a runtime
|
||||
* representation (HTMLPurifier_ConfigSchema) or HTML documentation. Members
|
||||
* are completely validated.
|
||||
*/
|
||||
class HTMLPurifier_ConfigSchema_Interchange
|
||||
{
|
||||
|
||||
/**
|
||||
* Name of the application this schema is describing.
|
||||
* @type string
|
||||
*/
|
||||
public $name;
|
||||
|
||||
/**
|
||||
* Array of Directive ID => array(directive info)
|
||||
* @type HTMLPurifier_ConfigSchema_Interchange_Directive[]
|
||||
*/
|
||||
public $directives = array();
|
||||
|
||||
/**
|
||||
* Adds a directive array to $directives
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $directive
|
||||
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||
*/
|
||||
public function addDirective($directive)
|
||||
{
|
||||
if (isset($this->directives[$i = $directive->id->toString()])) {
|
||||
throw new HTMLPurifier_ConfigSchema_Exception("Cannot redefine directive '$i'");
|
||||
}
|
||||
$this->directives[$i] = $directive;
|
||||
}
|
||||
|
||||
/**
|
||||
* Convenience function to perform standard validation. Throws exception
|
||||
* on failed validation.
|
||||
*/
|
||||
public function validate()
|
||||
{
|
||||
$validator = new HTMLPurifier_ConfigSchema_Validator();
|
||||
return $validator->validate($this);
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
@ -0,0 +1,89 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Interchange component class describing configuration directives.
|
||||
*/
|
||||
class HTMLPurifier_ConfigSchema_Interchange_Directive
|
||||
{
|
||||
|
||||
/**
|
||||
* ID of directive.
|
||||
* @type HTMLPurifier_ConfigSchema_Interchange_Id
|
||||
*/
|
||||
public $id;
|
||||
|
||||
/**
|
||||
* Type, e.g. 'integer' or 'istring'.
|
||||
* @type string
|
||||
*/
|
||||
public $type;
|
||||
|
||||
/**
|
||||
* Default value, e.g. 3 or 'DefaultVal'.
|
||||
* @type mixed
|
||||
*/
|
||||
public $default;
|
||||
|
||||
/**
|
||||
* HTML description.
|
||||
* @type string
|
||||
*/
|
||||
public $description;
|
||||
|
||||
/**
|
||||
* Whether or not null is allowed as a value.
|
||||
* @type bool
|
||||
*/
|
||||
public $typeAllowsNull = false;
|
||||
|
||||
/**
|
||||
* Lookup table of allowed scalar values.
|
||||
* e.g. array('allowed' => true).
|
||||
* Null if all values are allowed.
|
||||
* @type array
|
||||
*/
|
||||
public $allowed;
|
||||
|
||||
/**
|
||||
* List of aliases for the directive.
|
||||
* e.g. array(new HTMLPurifier_ConfigSchema_Interchange_Id('Ns', 'Dir'))).
|
||||
* @type HTMLPurifier_ConfigSchema_Interchange_Id[]
|
||||
*/
|
||||
public $aliases = array();
|
||||
|
||||
/**
|
||||
* Hash of value aliases, e.g. array('alt' => 'real'). Null if value
|
||||
* aliasing is disabled (necessary for non-scalar types).
|
||||
* @type array
|
||||
*/
|
||||
public $valueAliases;
|
||||
|
||||
/**
|
||||
* Version of HTML Purifier the directive was introduced, e.g. '1.3.1'.
|
||||
* Null if the directive has always existed.
|
||||
* @type string
|
||||
*/
|
||||
public $version;
|
||||
|
||||
/**
|
||||
* ID of directive that supercedes this old directive.
|
||||
* Null if not deprecated.
|
||||
* @type HTMLPurifier_ConfigSchema_Interchange_Id
|
||||
*/
|
||||
public $deprecatedUse;
|
||||
|
||||
/**
|
||||
* Version of HTML Purifier this directive was deprecated. Null if not
|
||||
* deprecated.
|
||||
* @type string
|
||||
*/
|
||||
public $deprecatedVersion;
|
||||
|
||||
/**
|
||||
* List of external projects this directive depends on, e.g. array('CSSTidy').
|
||||
* @type array
|
||||
*/
|
||||
public $external = array();
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
@ -0,0 +1,58 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Represents a directive ID in the interchange format.
|
||||
*/
|
||||
class HTMLPurifier_ConfigSchema_Interchange_Id
|
||||
{
|
||||
|
||||
/**
|
||||
* @type string
|
||||
*/
|
||||
public $key;
|
||||
|
||||
/**
|
||||
* @param string $key
|
||||
*/
|
||||
public function __construct($key)
|
||||
{
|
||||
$this->key = $key;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string
|
||||
* @warning This is NOT magic, to ensure that people don't abuse SPL and
|
||||
* cause problems for PHP 5.0 support.
|
||||
*/
|
||||
public function toString()
|
||||
{
|
||||
return $this->key;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string
|
||||
*/
|
||||
public function getRootNamespace()
|
||||
{
|
||||
return substr($this->key, 0, strpos($this->key, "."));
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string
|
||||
*/
|
||||
public function getDirective()
|
||||
{
|
||||
return substr($this->key, strpos($this->key, ".") + 1);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $id
|
||||
* @return HTMLPurifier_ConfigSchema_Interchange_Id
|
||||
*/
|
||||
public static function make($id)
|
||||
{
|
||||
return new HTMLPurifier_ConfigSchema_Interchange_Id($id);
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
@ -0,0 +1,226 @@
|
||||
<?php
|
||||
|
||||
class HTMLPurifier_ConfigSchema_InterchangeBuilder
|
||||
{
|
||||
|
||||
/**
|
||||
* Used for processing DEFAULT, nothing else.
|
||||
* @type HTMLPurifier_VarParser
|
||||
*/
|
||||
protected $varParser;
|
||||
|
||||
/**
|
||||
* @param HTMLPurifier_VarParser $varParser
|
||||
*/
|
||||
public function __construct($varParser = null)
|
||||
{
|
||||
$this->varParser = $varParser ? $varParser : new HTMLPurifier_VarParser_Native();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $dir
|
||||
* @return HTMLPurifier_ConfigSchema_Interchange
|
||||
*/
|
||||
public static function buildFromDirectory($dir = null)
|
||||
{
|
||||
$builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder();
|
||||
$interchange = new HTMLPurifier_ConfigSchema_Interchange();
|
||||
return $builder->buildDir($interchange, $dir);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||
* @param string $dir
|
||||
* @return HTMLPurifier_ConfigSchema_Interchange
|
||||
*/
|
||||
public function buildDir($interchange, $dir = null)
|
||||
{
|
||||
if (!$dir) {
|
||||
$dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier/ConfigSchema/schema';
|
||||
}
|
||||
if (file_exists($dir . '/info.ini')) {
|
||||
$info = parse_ini_file($dir . '/info.ini');
|
||||
$interchange->name = $info['name'];
|
||||
}
|
||||
|
||||
$files = array();
|
||||
$dh = opendir($dir);
|
||||
while (false !== ($file = readdir($dh))) {
|
||||
if (!$file || $file[0] == '.' || strrchr($file, '.') !== '.txt') {
|
||||
continue;
|
||||
}
|
||||
$files[] = $file;
|
||||
}
|
||||
closedir($dh);
|
||||
|
||||
sort($files);
|
||||
foreach ($files as $file) {
|
||||
$this->buildFile($interchange, $dir . '/' . $file);
|
||||
}
|
||||
return $interchange;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||
* @param string $file
|
||||
*/
|
||||
public function buildFile($interchange, $file)
|
||||
{
|
||||
$parser = new HTMLPurifier_StringHashParser();
|
||||
$this->build(
|
||||
$interchange,
|
||||
new HTMLPurifier_StringHash($parser->parseFile($file))
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Builds an interchange object based on a hash.
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange $interchange HTMLPurifier_ConfigSchema_Interchange object to build
|
||||
* @param HTMLPurifier_StringHash $hash source data
|
||||
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||
*/
|
||||
public function build($interchange, $hash)
|
||||
{
|
||||
if (!$hash instanceof HTMLPurifier_StringHash) {
|
||||
$hash = new HTMLPurifier_StringHash($hash);
|
||||
}
|
||||
if (!isset($hash['ID'])) {
|
||||
throw new HTMLPurifier_ConfigSchema_Exception('Hash does not have any ID');
|
||||
}
|
||||
if (strpos($hash['ID'], '.') === false) {
|
||||
if (count($hash) == 2 && isset($hash['DESCRIPTION'])) {
|
||||
$hash->offsetGet('DESCRIPTION'); // prevent complaining
|
||||
} else {
|
||||
throw new HTMLPurifier_ConfigSchema_Exception('All directives must have a namespace');
|
||||
}
|
||||
} else {
|
||||
$this->buildDirective($interchange, $hash);
|
||||
}
|
||||
$this->_findUnused($hash);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||
* @param HTMLPurifier_StringHash $hash
|
||||
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||
*/
|
||||
public function buildDirective($interchange, $hash)
|
||||
{
|
||||
$directive = new HTMLPurifier_ConfigSchema_Interchange_Directive();
|
||||
|
||||
// These are required elements:
|
||||
$directive->id = $this->id($hash->offsetGet('ID'));
|
||||
$id = $directive->id->toString(); // convenience
|
||||
|
||||
if (isset($hash['TYPE'])) {
|
||||
$type = explode('/', $hash->offsetGet('TYPE'));
|
||||
if (isset($type[1])) {
|
||||
$directive->typeAllowsNull = true;
|
||||
}
|
||||
$directive->type = $type[0];
|
||||
} else {
|
||||
throw new HTMLPurifier_ConfigSchema_Exception("TYPE in directive hash '$id' not defined");
|
||||
}
|
||||
|
||||
if (isset($hash['DEFAULT'])) {
|
||||
try {
|
||||
$directive->default = $this->varParser->parse(
|
||||
$hash->offsetGet('DEFAULT'),
|
||||
$directive->type,
|
||||
$directive->typeAllowsNull
|
||||
);
|
||||
} catch (HTMLPurifier_VarParserException $e) {
|
||||
throw new HTMLPurifier_ConfigSchema_Exception($e->getMessage() . " in DEFAULT in directive hash '$id'");
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($hash['DESCRIPTION'])) {
|
||||
$directive->description = $hash->offsetGet('DESCRIPTION');
|
||||
}
|
||||
|
||||
if (isset($hash['ALLOWED'])) {
|
||||
$directive->allowed = $this->lookup($this->evalArray($hash->offsetGet('ALLOWED')));
|
||||
}
|
||||
|
||||
if (isset($hash['VALUE-ALIASES'])) {
|
||||
$directive->valueAliases = $this->evalArray($hash->offsetGet('VALUE-ALIASES'));
|
||||
}
|
||||
|
||||
if (isset($hash['ALIASES'])) {
|
||||
$raw_aliases = trim($hash->offsetGet('ALIASES'));
|
||||
$aliases = preg_split('/\s*,\s*/', $raw_aliases);
|
||||
foreach ($aliases as $alias) {
|
||||
$directive->aliases[] = $this->id($alias);
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($hash['VERSION'])) {
|
||||
$directive->version = $hash->offsetGet('VERSION');
|
||||
}
|
||||
|
||||
if (isset($hash['DEPRECATED-USE'])) {
|
||||
$directive->deprecatedUse = $this->id($hash->offsetGet('DEPRECATED-USE'));
|
||||
}
|
||||
|
||||
if (isset($hash['DEPRECATED-VERSION'])) {
|
||||
$directive->deprecatedVersion = $hash->offsetGet('DEPRECATED-VERSION');
|
||||
}
|
||||
|
||||
if (isset($hash['EXTERNAL'])) {
|
||||
$directive->external = preg_split('/\s*,\s*/', trim($hash->offsetGet('EXTERNAL')));
|
||||
}
|
||||
|
||||
$interchange->addDirective($directive);
|
||||
}
|
||||
|
||||
/**
|
||||
* Evaluates an array PHP code string without array() wrapper
|
||||
* @param string $contents
|
||||
*/
|
||||
protected function evalArray($contents)
|
||||
{
|
||||
return eval('return array(' . $contents . ');');
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts an array list into a lookup array.
|
||||
* @param array $array
|
||||
* @return array
|
||||
*/
|
||||
protected function lookup($array)
|
||||
{
|
||||
$ret = array();
|
||||
foreach ($array as $val) {
|
||||
$ret[$val] = true;
|
||||
}
|
||||
return $ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Convenience function that creates an HTMLPurifier_ConfigSchema_Interchange_Id
|
||||
* object based on a string Id.
|
||||
* @param string $id
|
||||
* @return HTMLPurifier_ConfigSchema_Interchange_Id
|
||||
*/
|
||||
protected function id($id)
|
||||
{
|
||||
return HTMLPurifier_ConfigSchema_Interchange_Id::make($id);
|
||||
}
|
||||
|
||||
/**
|
||||
* Triggers errors for any unused keys passed in the hash; such keys
|
||||
* may indicate typos, missing values, etc.
|
||||
* @param HTMLPurifier_StringHash $hash Hash to check.
|
||||
*/
|
||||
protected function _findUnused($hash)
|
||||
{
|
||||
$accessed = $hash->getAccessed();
|
||||
foreach ($hash as $k => $v) {
|
||||
if (!isset($accessed[$k])) {
|
||||
trigger_error("String hash key '$k' not used by builder", E_USER_NOTICE);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
@ -0,0 +1,248 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Performs validations on HTMLPurifier_ConfigSchema_Interchange
|
||||
*
|
||||
* @note If you see '// handled by InterchangeBuilder', that means a
|
||||
* design decision in that class would prevent this validation from
|
||||
* ever being necessary. We have them anyway, however, for
|
||||
* redundancy.
|
||||
*/
|
||||
class HTMLPurifier_ConfigSchema_Validator
|
||||
{
|
||||
|
||||
/**
|
||||
* @type HTMLPurifier_ConfigSchema_Interchange
|
||||
*/
|
||||
protected $interchange;
|
||||
|
||||
/**
|
||||
* @type array
|
||||
*/
|
||||
protected $aliases;
|
||||
|
||||
/**
|
||||
* Context-stack to provide easy to read error messages.
|
||||
* @type array
|
||||
*/
|
||||
protected $context = array();
|
||||
|
||||
/**
|
||||
* to test default's type.
|
||||
* @type HTMLPurifier_VarParser
|
||||
*/
|
||||
protected $parser;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->parser = new HTMLPurifier_VarParser();
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates a fully-formed interchange object.
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
|
||||
* @return bool
|
||||
*/
|
||||
public function validate($interchange)
|
||||
{
|
||||
$this->interchange = $interchange;
|
||||
$this->aliases = array();
|
||||
// PHP is a bit lax with integer <=> string conversions in
|
||||
// arrays, so we don't use the identical !== comparison
|
||||
foreach ($interchange->directives as $i => $directive) {
|
||||
$id = $directive->id->toString();
|
||||
if ($i != $id) {
|
||||
$this->error(false, "Integrity violation: key '$i' does not match internal id '$id'");
|
||||
}
|
||||
$this->validateDirective($directive);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates a HTMLPurifier_ConfigSchema_Interchange_Id object.
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange_Id $id
|
||||
*/
|
||||
public function validateId($id)
|
||||
{
|
||||
$id_string = $id->toString();
|
||||
$this->context[] = "id '$id_string'";
|
||||
if (!$id instanceof HTMLPurifier_ConfigSchema_Interchange_Id) {
|
||||
// handled by InterchangeBuilder
|
||||
$this->error(false, 'is not an instance of HTMLPurifier_ConfigSchema_Interchange_Id');
|
||||
}
|
||||
// keys are now unconstrained (we might want to narrow down to A-Za-z0-9.)
|
||||
// we probably should check that it has at least one namespace
|
||||
$this->with($id, 'key')
|
||||
->assertNotEmpty()
|
||||
->assertIsString(); // implicit assertIsString handled by InterchangeBuilder
|
||||
array_pop($this->context);
|
||||
}
|
||||
|
||||
/**
|
||||
* Validates a HTMLPurifier_ConfigSchema_Interchange_Directive object.
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
|
||||
*/
|
||||
public function validateDirective($d)
|
||||
{
|
||||
$id = $d->id->toString();
|
||||
$this->context[] = "directive '$id'";
|
||||
$this->validateId($d->id);
|
||||
|
||||
$this->with($d, 'description')
|
||||
->assertNotEmpty();
|
||||
|
||||
// BEGIN - handled by InterchangeBuilder
|
||||
$this->with($d, 'type')
|
||||
->assertNotEmpty();
|
||||
$this->with($d, 'typeAllowsNull')
|
||||
->assertIsBool();
|
||||
try {
|
||||
// This also tests validity of $d->type
|
||||
$this->parser->parse($d->default, $d->type, $d->typeAllowsNull);
|
||||
} catch (HTMLPurifier_VarParserException $e) {
|
||||
$this->error('default', 'had error: ' . $e->getMessage());
|
||||
}
|
||||
// END - handled by InterchangeBuilder
|
||||
|
||||
if (!is_null($d->allowed) || !empty($d->valueAliases)) {
|
||||
// allowed and valueAliases require that we be dealing with
|
||||
// strings, so check for that early.
|
||||
$d_int = HTMLPurifier_VarParser::$types[$d->type];
|
||||
if (!isset(HTMLPurifier_VarParser::$stringTypes[$d_int])) {
|
||||
$this->error('type', 'must be a string type when used with allowed or value aliases');
|
||||
}
|
||||
}
|
||||
|
||||
$this->validateDirectiveAllowed($d);
|
||||
$this->validateDirectiveValueAliases($d);
|
||||
$this->validateDirectiveAliases($d);
|
||||
|
||||
array_pop($this->context);
|
||||
}
|
||||
|
||||
/**
|
||||
* Extra validation if $allowed member variable of
|
||||
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
|
||||
*/
|
||||
public function validateDirectiveAllowed($d)
|
||||
{
|
||||
if (is_null($d->allowed)) {
|
||||
return;
|
||||
}
|
||||
$this->with($d, 'allowed')
|
||||
->assertNotEmpty()
|
||||
->assertIsLookup(); // handled by InterchangeBuilder
|
||||
if (is_string($d->default) && !isset($d->allowed[$d->default])) {
|
||||
$this->error('default', 'must be an allowed value');
|
||||
}
|
||||
$this->context[] = 'allowed';
|
||||
foreach ($d->allowed as $val => $x) {
|
||||
if (!is_string($val)) {
|
||||
$this->error("value $val", 'must be a string');
|
||||
}
|
||||
}
|
||||
array_pop($this->context);
|
||||
}
|
||||
|
||||
/**
|
||||
* Extra validation if $valueAliases member variable of
|
||||
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
|
||||
*/
|
||||
public function validateDirectiveValueAliases($d)
|
||||
{
|
||||
if (is_null($d->valueAliases)) {
|
||||
return;
|
||||
}
|
||||
$this->with($d, 'valueAliases')
|
||||
->assertIsArray(); // handled by InterchangeBuilder
|
||||
$this->context[] = 'valueAliases';
|
||||
foreach ($d->valueAliases as $alias => $real) {
|
||||
if (!is_string($alias)) {
|
||||
$this->error("alias $alias", 'must be a string');
|
||||
}
|
||||
if (!is_string($real)) {
|
||||
$this->error("alias target $real from alias '$alias'", 'must be a string');
|
||||
}
|
||||
if ($alias === $real) {
|
||||
$this->error("alias '$alias'", "must not be an alias to itself");
|
||||
}
|
||||
}
|
||||
if (!is_null($d->allowed)) {
|
||||
foreach ($d->valueAliases as $alias => $real) {
|
||||
if (isset($d->allowed[$alias])) {
|
||||
$this->error("alias '$alias'", 'must not be an allowed value');
|
||||
} elseif (!isset($d->allowed[$real])) {
|
||||
$this->error("alias '$alias'", 'must be an alias to an allowed value');
|
||||
}
|
||||
}
|
||||
}
|
||||
array_pop($this->context);
|
||||
}
|
||||
|
||||
/**
|
||||
* Extra validation if $aliases member variable of
|
||||
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
|
||||
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
|
||||
*/
|
||||
public function validateDirectiveAliases($d)
|
||||
{
|
||||
$this->with($d, 'aliases')
|
||||
->assertIsArray(); // handled by InterchangeBuilder
|
||||
$this->context[] = 'aliases';
|
||||
foreach ($d->aliases as $alias) {
|
||||
$this->validateId($alias);
|
||||
$s = $alias->toString();
|
||||
if (isset($this->interchange->directives[$s])) {
|
||||
$this->error("alias '$s'", 'collides with another directive');
|
||||
}
|
||||
if (isset($this->aliases[$s])) {
|
||||
$other_directive = $this->aliases[$s];
|
||||
$this->error("alias '$s'", "collides with alias for directive '$other_directive'");
|
||||
}
|
||||
$this->aliases[$s] = $d->id->toString();
|
||||
}
|
||||
array_pop($this->context);
|
||||
}
|
||||
|
||||
// protected helper functions
|
||||
|
||||
/**
|
||||
* Convenience function for generating HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
* for validating simple member variables of objects.
|
||||
* @param $obj
|
||||
* @param $member
|
||||
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
*/
|
||||
protected function with($obj, $member)
|
||||
{
|
||||
return new HTMLPurifier_ConfigSchema_ValidatorAtom($this->getFormattedContext(), $obj, $member);
|
||||
}
|
||||
|
||||
/**
|
||||
* Emits an error, providing helpful context.
|
||||
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||
*/
|
||||
protected function error($target, $msg)
|
||||
{
|
||||
if ($target !== false) {
|
||||
$prefix = ucfirst($target) . ' in ' . $this->getFormattedContext();
|
||||
} else {
|
||||
$prefix = ucfirst($this->getFormattedContext());
|
||||
}
|
||||
throw new HTMLPurifier_ConfigSchema_Exception(trim($prefix . ' ' . $msg));
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a formatted context string.
|
||||
* @return string
|
||||
*/
|
||||
protected function getFormattedContext()
|
||||
{
|
||||
return implode(' in ', array_reverse($this->context));
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
@ -0,0 +1,130 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Fluent interface for validating the contents of member variables.
|
||||
* This should be immutable. See HTMLPurifier_ConfigSchema_Validator for
|
||||
* use-cases. We name this an 'atom' because it's ONLY for validations that
|
||||
* are independent and usually scalar.
|
||||
*/
|
||||
class HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
{
|
||||
/**
|
||||
* @type string
|
||||
*/
|
||||
protected $context;
|
||||
|
||||
/**
|
||||
* @type object
|
||||
*/
|
||||
protected $obj;
|
||||
|
||||
/**
|
||||
* @type string
|
||||
*/
|
||||
protected $member;
|
||||
|
||||
/**
|
||||
* @type mixed
|
||||
*/
|
||||
protected $contents;
|
||||
|
||||
public function __construct($context, $obj, $member)
|
||||
{
|
||||
$this->context = $context;
|
||||
$this->obj = $obj;
|
||||
$this->member = $member;
|
||||
$this->contents =& $obj->$member;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
*/
|
||||
public function assertIsString()
|
||||
{
|
||||
if (!is_string($this->contents)) {
|
||||
$this->error('must be a string');
|
||||
}
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
*/
|
||||
public function assertIsBool()
|
||||
{
|
||||
if (!is_bool($this->contents)) {
|
||||
$this->error('must be a boolean');
|
||||
}
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
*/
|
||||
public function assertIsArray()
|
||||
{
|
||||
if (!is_array($this->contents)) {
|
||||
$this->error('must be an array');
|
||||
}
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
*/
|
||||
public function assertNotNull()
|
||||
{
|
||||
if ($this->contents === null) {
|
||||
$this->error('must not be null');
|
||||
}
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
*/
|
||||
public function assertAlnum()
|
||||
{
|
||||
$this->assertIsString();
|
||||
if (!ctype_alnum($this->contents)) {
|
||||
$this->error('must be alphanumeric');
|
||||
}
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
*/
|
||||
public function assertNotEmpty()
|
||||
{
|
||||
if (empty($this->contents)) {
|
||||
$this->error('must not be empty');
|
||||
}
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
|
||||
*/
|
||||
public function assertIsLookup()
|
||||
{
|
||||
$this->assertIsArray();
|
||||
foreach ($this->contents as $v) {
|
||||
if ($v !== true) {
|
||||
$this->error('must be a lookup array');
|
||||
}
|
||||
}
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $msg
|
||||
* @throws HTMLPurifier_ConfigSchema_Exception
|
||||
*/
|
||||
protected function error($msg)
|
||||
{
|
||||
throw new HTMLPurifier_ConfigSchema_Exception(ucfirst($this->member) . ' in ' . $this->context . ' ' . $msg);
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
Binary file not shown.
@ -0,0 +1,8 @@
|
||||
Attr.AllowedClasses
|
||||
TYPE: lookup/null
|
||||
VERSION: 4.0.0
|
||||
DEFAULT: null
|
||||
--DESCRIPTION--
|
||||
List of allowed class values in the class attribute. By default, this is null,
|
||||
which means all classes are allowed.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
Attr.AllowedFrameTargets
|
||||
TYPE: lookup
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
Lookup table of all allowed link frame targets. Some commonly used link
|
||||
targets include _blank, _self, _parent and _top. Values should be
|
||||
lowercase, as validation will be done in a case-sensitive manner despite
|
||||
W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute
|
||||
so this directive will have no effect in that doctype. XHTML 1.1 does not
|
||||
enable the Target module by default, you will have to manually enable it
|
||||
(see the module documentation for more details.)
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
||||
Attr.AllowedRel
|
||||
TYPE: lookup
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of allowed forward document relationships in the rel attribute. Common
|
||||
values may be nofollow or print. By default, this is empty, meaning that no
|
||||
document relationships are allowed.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
||||
Attr.AllowedRev
|
||||
TYPE: lookup
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of allowed reverse document relationships in the rev attribute. This
|
||||
attribute is a bit of an edge-case; if you don't know what it is for, stay
|
||||
away.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,19 @@
|
||||
Attr.ClassUseCDATA
|
||||
TYPE: bool/null
|
||||
DEFAULT: null
|
||||
VERSION: 4.0.0
|
||||
--DESCRIPTION--
|
||||
If null, class will auto-detect the doctype and, if matching XHTML 1.1 or
|
||||
XHTML 2.0, will use the restrictive NMTOKENS specification of class. Otherwise,
|
||||
it will use a relaxed CDATA definition. If true, the relaxed CDATA definition
|
||||
is forced; if false, the NMTOKENS definition is forced. To get behavior
|
||||
of HTML Purifier prior to 4.0.0, set this directive to false.
|
||||
|
||||
Some rational behind the auto-detection:
|
||||
in previous versions of HTML Purifier, it was assumed that the form of
|
||||
class was NMTOKENS, as specified by the XHTML Modularization (representing
|
||||
XHTML 1.1 and XHTML 2.0). The DTDs for HTML 4.01 and XHTML 1.0, however
|
||||
specify class as CDATA. HTML 5 effectively defines it as CDATA, but
|
||||
with the additional constraint that each name should be unique (this is not
|
||||
explicitly outlined in previous specifications).
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
Attr.DefaultImageAlt
|
||||
TYPE: string/null
|
||||
DEFAULT: null
|
||||
VERSION: 3.2.0
|
||||
--DESCRIPTION--
|
||||
This is the content of the alt tag of an image if the user had not
|
||||
previously specified an alt attribute. This applies to all images without
|
||||
a valid alt attribute, as opposed to %Attr.DefaultInvalidImageAlt, which
|
||||
only applies to invalid images, and overrides in the case of an invalid image.
|
||||
Default behavior with null is to use the basename of the src tag for the alt.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
||||
Attr.DefaultInvalidImage
|
||||
TYPE: string
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
This is the default image an img tag will be pointed to if it does not have
|
||||
a valid src attribute. In future versions, we may allow the image tag to
|
||||
be removed completely, but due to design issues, this is not possible right
|
||||
now.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,8 @@
|
||||
Attr.DefaultInvalidImageAlt
|
||||
TYPE: string
|
||||
DEFAULT: 'Invalid image'
|
||||
--DESCRIPTION--
|
||||
This is the content of the alt tag of an invalid image if the user had not
|
||||
previously specified an alt attribute. It has no effect when the image is
|
||||
valid but there was no alt attribute present.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
||||
Attr.DefaultTextDir
|
||||
TYPE: string
|
||||
DEFAULT: 'ltr'
|
||||
--DESCRIPTION--
|
||||
Defines the default text direction (ltr or rtl) of the document being
|
||||
parsed. This generally is the same as the value of the dir attribute in
|
||||
HTML, or ltr if that is not specified.
|
||||
--ALLOWED--
|
||||
'ltr', 'rtl'
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
||||
Attr.EnableID
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 1.2.0
|
||||
--DESCRIPTION--
|
||||
Allows the ID attribute in HTML. This is disabled by default due to the
|
||||
fact that without proper configuration user input can easily break the
|
||||
validation of a webpage by specifying an ID that is already on the
|
||||
surrounding HTML. If you don't mind throwing caution to the wind, enable
|
||||
this directive, but I strongly recommend you also consider blacklisting IDs
|
||||
you use (%Attr.IDBlacklist) or prefixing all user supplied IDs
|
||||
(%Attr.IDPrefix). When set to true HTML Purifier reverts to the behavior of
|
||||
pre-1.2.0 versions.
|
||||
--ALIASES--
|
||||
HTML.EnableAttrID
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,8 @@
|
||||
Attr.ForbiddenClasses
|
||||
TYPE: lookup
|
||||
VERSION: 4.0.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of forbidden class values in the class attribute. By default, this is
|
||||
empty, which means that no classes are forbidden. See also %Attr.AllowedClasses.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
||||
Attr.ID.HTML5
|
||||
TYPE: bool/null
|
||||
DEFAULT: null
|
||||
VERSION: 4.8.0
|
||||
--DESCRIPTION--
|
||||
In HTML5, restrictions on the format of the id attribute have been significantly
|
||||
relaxed, such that any string is valid so long as it contains no spaces and
|
||||
is at least one character. In lieu of a general HTML5 compatibility flag,
|
||||
set this configuration directive to true to use the relaxed rules.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,5 @@
|
||||
Attr.IDBlacklist
|
||||
TYPE: list
|
||||
DEFAULT: array()
|
||||
DESCRIPTION: Array of IDs not allowed in the document.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
||||
Attr.IDBlacklistRegexp
|
||||
TYPE: string/null
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
PCRE regular expression to be matched against all IDs. If the expression is
|
||||
matches, the ID is rejected. Use this with care: may cause significant
|
||||
degradation. ID matching is done after all other validation.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
Attr.IDPrefix
|
||||
TYPE: string
|
||||
VERSION: 1.2.0
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
String to prefix to IDs. If you have no idea what IDs your pages may use,
|
||||
you may opt to simply add a prefix to all user-submitted ID attributes so
|
||||
that they are still usable, but will not conflict with core page IDs.
|
||||
Example: setting the directive to 'user_' will result in a user submitted
|
||||
'foo' to become 'user_foo' Be sure to set %HTML.EnableAttrID to true
|
||||
before using this.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
||||
Attr.IDPrefixLocal
|
||||
TYPE: string
|
||||
VERSION: 1.2.0
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
Temporary prefix for IDs used in conjunction with %Attr.IDPrefix. If you
|
||||
need to allow multiple sets of user content on web page, you may need to
|
||||
have a seperate prefix that changes with each iteration. This way,
|
||||
seperately submitted user content displayed on the same page doesn't
|
||||
clobber each other. Ideal values are unique identifiers for the content it
|
||||
represents (i.e. the id of the row in the database). Be sure to add a
|
||||
seperator (like an underscore) at the end. Warning: this directive will
|
||||
not work unless %Attr.IDPrefix is set to a non-empty value!
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,31 @@
|
||||
AutoFormat.AutoParagraph
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive turns on auto-paragraphing, where double newlines are
|
||||
converted in to paragraphs whenever possible. Auto-paragraphing:
|
||||
</p>
|
||||
<ul>
|
||||
<li>Always applies to inline elements or text in the root node,</li>
|
||||
<li>Applies to inline elements or text with double newlines in nodes
|
||||
that allow paragraph tags,</li>
|
||||
<li>Applies to double newlines in paragraph tags</li>
|
||||
</ul>
|
||||
<p>
|
||||
<code>p</code> tags must be allowed for this directive to take effect.
|
||||
We do not use <code>br</code> tags for paragraphing, as that is
|
||||
semantically incorrect.
|
||||
</p>
|
||||
<p>
|
||||
To prevent auto-paragraphing as a content-producer, refrain from using
|
||||
double-newlines except to specify a new paragraph or in contexts where
|
||||
it has special meaning (whitespace usually has no meaning except in
|
||||
tags like <code>pre</code>, so this should not be difficult.) To prevent
|
||||
the paragraphing of inline text adjacent to block elements, wrap them
|
||||
in <code>div</code> tags (the behavior is slightly different outside of
|
||||
the root node.)
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
AutoFormat.Custom
|
||||
TYPE: list
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive can be used to add custom auto-format injectors.
|
||||
Specify an array of injector names (class name minus the prefix)
|
||||
or concrete implementations. Injector class must exist.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
AutoFormat.DisplayLinkURI
|
||||
TYPE: bool
|
||||
VERSION: 3.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive turns on the in-text display of URIs in <a> tags, and disables
|
||||
those links. For example, <a href="http://example.com">example</a> becomes
|
||||
example (<a>http://example.com</a>).
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
AutoFormat.Linkify
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive turns on linkification, auto-linking http, ftp and
|
||||
https URLs. <code>a</code> tags with the <code>href</code> attribute
|
||||
must be allowed.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
AutoFormat.PurifierLinkify.DocURL
|
||||
TYPE: string
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: '#%s'
|
||||
ALIASES: AutoFormatParam.PurifierLinkifyDocURL
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Location of configuration documentation to link to, let %s substitute
|
||||
into the configuration's namespace and directive names sans the percent
|
||||
sign.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
AutoFormat.PurifierLinkify
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Internal auto-formatter that converts configuration directives in
|
||||
syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags
|
||||
with the <code>href</code> attribute must be allowed.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
||||
AutoFormat.RemoveEmpty.Predicate
|
||||
TYPE: hash
|
||||
VERSION: 4.7.0
|
||||
DEFAULT: array('colgroup' => array(), 'th' => array(), 'td' => array(), 'iframe' => array('src'))
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Given that an element has no contents, it will be removed by default, unless
|
||||
this predicate dictates otherwise. The predicate can either be an associative
|
||||
map from tag name to list of attributes that must be present for the element
|
||||
to be considered preserved: thus, the default always preserves <code>colgroup</code>,
|
||||
<code>th</code> and <code>td</code>, and also <code>iframe</code> if it
|
||||
has a <code>src</code>.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions
|
||||
TYPE: lookup
|
||||
VERSION: 4.0.0
|
||||
DEFAULT: array('td' => true, 'th' => true)
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
When %AutoFormat.RemoveEmpty and %AutoFormat.RemoveEmpty.RemoveNbsp
|
||||
are enabled, this directive defines what HTML elements should not be
|
||||
removede if they have only a non-breaking space in them.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,15 @@
|
||||
AutoFormat.RemoveEmpty.RemoveNbsp
|
||||
TYPE: bool
|
||||
VERSION: 4.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
When enabled, HTML Purifier will treat any elements that contain only
|
||||
non-breaking spaces as well as regular whitespace as empty, and remove
|
||||
them when %AutoForamt.RemoveEmpty is enabled.
|
||||
</p>
|
||||
<p>
|
||||
See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements
|
||||
that don't have this behavior applied to them.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,46 @@
|
||||
AutoFormat.RemoveEmpty
|
||||
TYPE: bool
|
||||
VERSION: 3.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
When enabled, HTML Purifier will attempt to remove empty elements that
|
||||
contribute no semantic information to the document. The following types
|
||||
of nodes will be removed:
|
||||
</p>
|
||||
<ul><li>
|
||||
Tags with no attributes and no content, and that are not empty
|
||||
elements (remove <code><a></a></code> but not
|
||||
<code><br /></code>), and
|
||||
</li>
|
||||
<li>
|
||||
Tags with no content, except for:<ul>
|
||||
<li>The <code>colgroup</code> element, or</li>
|
||||
<li>
|
||||
Elements with the <code>id</code> or <code>name</code> attribute,
|
||||
when those attributes are permitted on those elements.
|
||||
</li>
|
||||
</ul></li>
|
||||
</ul>
|
||||
<p>
|
||||
Please be very careful when using this functionality; while it may not
|
||||
seem that empty elements contain useful information, they can alter the
|
||||
layout of a document given appropriate styling. This directive is most
|
||||
useful when you are processing machine-generated HTML, please avoid using
|
||||
it on regular user HTML.
|
||||
</p>
|
||||
<p>
|
||||
Elements that contain only whitespace will be treated as empty. Non-breaking
|
||||
spaces, however, do not count as whitespace. See
|
||||
%AutoFormat.RemoveEmpty.RemoveNbsp for alternate behavior.
|
||||
</p>
|
||||
<p>
|
||||
This algorithm is not perfect; you may still notice some empty tags,
|
||||
particularly if a node had elements, but those elements were later removed
|
||||
because they were not permitted in that context, or tags that, after
|
||||
being auto-closed by another tag, where empty. This is for safety reasons
|
||||
to prevent clever code from breaking validation. The general rule of thumb:
|
||||
if a tag looked empty on the way in, it will get removed; if HTML Purifier
|
||||
made it empty, it will stay.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
AutoFormat.RemoveSpansWithoutAttributes
|
||||
TYPE: bool
|
||||
VERSION: 4.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive causes <code>span</code> tags without any attributes
|
||||
to be removed. It will also remove spans that had all attributes
|
||||
removed during processing.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
CSS.AllowDuplicates
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 4.8.0
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
By default, HTML Purifier removes duplicate CSS properties,
|
||||
like <code>color:red; color:blue</code>. If this is set to
|
||||
true, duplicate properties are allowed.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,8 @@
|
||||
CSS.AllowImportant
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 3.1.0
|
||||
--DESCRIPTION--
|
||||
This parameter determines whether or not !important cascade modifiers should
|
||||
be allowed in user CSS. If false, !important will stripped.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
CSS.AllowTricky
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 3.1.0
|
||||
--DESCRIPTION--
|
||||
This parameter determines whether or not to allow "tricky" CSS properties and
|
||||
values. Tricky CSS properties/values can drastically modify page layout or
|
||||
be used for deceptive practices but do not directly constitute a security risk.
|
||||
For example, <code>display:none;</code> is considered a tricky property that
|
||||
will only be allowed if this directive is set to true.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
CSS.AllowedFonts
|
||||
TYPE: lookup/null
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Allows you to manually specify a set of allowed fonts. If
|
||||
<code>NULL</code>, all fonts are allowed. This directive
|
||||
affects generic names (serif, sans-serif, monospace, cursive,
|
||||
fantasy) as well as specific font families.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,18 @@
|
||||
CSS.AllowedProperties
|
||||
TYPE: lookup/null
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If HTML Purifier's style attributes set is unsatisfactory for your needs,
|
||||
you can overload it with your own list of tags to allow. Note that this
|
||||
method is subtractive: it does its job by taking away from HTML Purifier
|
||||
usual feature set, so you cannot add an attribute that HTML Purifier never
|
||||
supported in the first place.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
elements here, <em>that</em> directive will win and override.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
CSS.DefinitionRev
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 1
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Revision identifier for your custom definition. See
|
||||
%HTML.DefinitionRev for details.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
||||
CSS.ForbiddenProperties
|
||||
TYPE: lookup
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This is the logical inverse of %CSS.AllowedProperties, and it will
|
||||
override that directive or any other directive. If possible,
|
||||
%CSS.AllowedProperties is recommended over this directive,
|
||||
because it can sometimes be difficult to tell whether or not you've
|
||||
forbidden all of the CSS properties you truly would like to disallow.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
||||
CSS.MaxImgLength
|
||||
TYPE: string/null
|
||||
DEFAULT: '1200px'
|
||||
VERSION: 3.1.1
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This parameter sets the maximum allowed length on <code>img</code> tags,
|
||||
effectively the <code>width</code> and <code>height</code> properties.
|
||||
Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is
|
||||
in place to prevent imagecrash attacks, disable with null at your own risk.
|
||||
This directive is similar to %HTML.MaxImgLength, and both should be
|
||||
concurrently edited, although there are
|
||||
subtle differences in the input format (the CSS max is a number with
|
||||
a unit).
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
||||
CSS.Proprietary
|
||||
TYPE: bool
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Whether or not to allow safe, proprietary CSS values.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
||||
CSS.Trusted
|
||||
TYPE: bool
|
||||
VERSION: 4.2.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Indicates whether or not the user's CSS input is trusted or not. If the
|
||||
input is trusted, a more expansive set of allowed properties. See
|
||||
also %HTML.Trusted.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
||||
Cache.DefinitionImpl
|
||||
TYPE: string/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 'Serializer'
|
||||
--DESCRIPTION--
|
||||
|
||||
This directive defines which method to use when caching definitions,
|
||||
the complex data-type that makes HTML Purifier tick. Set to null
|
||||
to disable caching (not recommended, as you will see a definite
|
||||
performance degradation).
|
||||
|
||||
--ALIASES--
|
||||
Core.DefinitionCache
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
||||
Cache.SerializerPath
|
||||
TYPE: string/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Absolute path with no trailing slash to store serialized definitions in.
|
||||
Default is within the
|
||||
HTML Purifier library inside DefinitionCache/Serializer. This
|
||||
path must be writable by the webserver.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
||||
Cache.SerializerPermissions
|
||||
TYPE: int/null
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: 0755
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Directory permissions of the files and directories created inside
|
||||
the DefinitionCache/Serializer or other custom serializer path.
|
||||
</p>
|
||||
<p>
|
||||
In HTML Purifier 4.8.0, this also supports <code>NULL</code>,
|
||||
which means that no chmod'ing or directory creation shall
|
||||
occur.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,18 @@
|
||||
Core.AggressivelyFixLt
|
||||
TYPE: bool
|
||||
VERSION: 2.1.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive enables aggressive pre-filter fixes HTML Purifier can
|
||||
perform in order to ensure that open angled-brackets do not get killed
|
||||
during parsing stage. Enabling this will result in two preg_replace_callback
|
||||
calls and at least two preg_replace calls for every HTML document parsed;
|
||||
if your users make very well-formed HTML, you can set this directive false.
|
||||
This has no effect when DirectLex is used.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Notice:</strong> This directive's default turned from false to true
|
||||
in HTML Purifier 3.2.0.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
||||
Core.AllowHostnameUnderscore
|
||||
TYPE: bool
|
||||
VERSION: 4.6.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
By RFC 1123, underscores are not permitted in host names.
|
||||
(This is in contrast to the specification for DNS, RFC
|
||||
2181, which allows underscores.)
|
||||
However, most browsers do the right thing when faced with
|
||||
an underscore in the host name, and so some poorly written
|
||||
websites are written with the expectation this should work.
|
||||
Setting this parameter to true relaxes our allowed character
|
||||
check so that underscores are permitted.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
Core.CollectErrors
|
||||
TYPE: bool
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
Whether or not to collect errors found while filtering the document. This
|
||||
is a useful way to give feedback to your users. <strong>Warning:</strong>
|
||||
Currently this feature is very patchy and experimental, with lots of
|
||||
possible error messages not yet implemented. It will not cause any
|
||||
problems, but it may not help your users either.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,29 @@
|
||||
Core.ColorKeywords
|
||||
TYPE: hash
|
||||
VERSION: 2.0.0
|
||||
--DEFAULT--
|
||||
array (
|
||||
'maroon' => '#800000',
|
||||
'red' => '#FF0000',
|
||||
'orange' => '#FFA500',
|
||||
'yellow' => '#FFFF00',
|
||||
'olive' => '#808000',
|
||||
'purple' => '#800080',
|
||||
'fuchsia' => '#FF00FF',
|
||||
'white' => '#FFFFFF',
|
||||
'lime' => '#00FF00',
|
||||
'green' => '#008000',
|
||||
'navy' => '#000080',
|
||||
'blue' => '#0000FF',
|
||||
'aqua' => '#00FFFF',
|
||||
'teal' => '#008080',
|
||||
'black' => '#000000',
|
||||
'silver' => '#C0C0C0',
|
||||
'gray' => '#808080',
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
Lookup array of color names to six digit hexadecimal number corresponding
|
||||
to color, with preceding hash mark. Used when parsing colors. The lookup
|
||||
is done in a case-insensitive manner.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
||||
Core.ConvertDocumentToFragment
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
|
||||
This parameter determines whether or not the filter should convert
|
||||
input that is a full document with html and body tags to a fragment
|
||||
of just the contents of a body tag. This parameter is simply something
|
||||
HTML Purifier can do during an edge-case: for most inputs, this
|
||||
processing is not necessary.
|
||||
|
||||
--ALIASES--
|
||||
Core.AcceptFullDocuments
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,17 @@
|
||||
Core.DirectLexLineNumberSyncInterval
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Specifies the number of tokens the DirectLex line number tracking
|
||||
implementations should process before attempting to resyncronize the
|
||||
current line count by manually counting all previous new-lines. When
|
||||
at 0, this functionality is disabled. Lower values will decrease
|
||||
performance, and this is only strictly necessary if the counting
|
||||
algorithm is buggy (in which case you should report it as a bug).
|
||||
This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is
|
||||
not being used.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
||||
Core.DisableExcludes
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 4.5.0
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive disables SGML-style exclusions, e.g. the exclusion of
|
||||
<code><object></code> in any descendant of a
|
||||
<code><pre></code> tag. Disabling excludes will allow some
|
||||
invalid documents to pass through HTML Purifier, but HTML Purifier
|
||||
will also be less likely to accidentally remove large documents during
|
||||
processing.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
||||
Core.EnableIDNA
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 4.4.0
|
||||
--DESCRIPTION--
|
||||
Allows international domain names in URLs. This configuration option
|
||||
requires the PEAR Net_IDNA2 module to be installed. It operates by
|
||||
punycoding any internationalized host names for maximum portability.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,15 @@
|
||||
Core.Encoding
|
||||
TYPE: istring
|
||||
DEFAULT: 'utf-8'
|
||||
--DESCRIPTION--
|
||||
If for some reason you are unable to convert all webpages to UTF-8, you can
|
||||
use this directive as a stop-gap compatibility change to let HTML Purifier
|
||||
deal with non UTF-8 input. This technique has notable deficiencies:
|
||||
absolutely no characters outside of the selected character encoding will be
|
||||
preserved, not even the ones that have been ampersand escaped (this is due
|
||||
to a UTF-8 specific <em>feature</em> that automatically resolves all
|
||||
entities), making it pretty useless for anything except the most I18N-blind
|
||||
applications, although %Core.EscapeNonASCIICharacters offers fixes this
|
||||
trouble with another tradeoff. This directive only accepts ISO-8859-1 if
|
||||
iconv is not enabled.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
Core.EscapeInvalidChildren
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p><strong>Warning:</strong> this configuration option is no longer does anything as of 4.6.0.</p>
|
||||
|
||||
<p>When true, a child is found that is not allowed in the context of the
|
||||
parent element will be transformed into text as if it were ASCII. When
|
||||
false, that element and all internal tags will be dropped, though text will
|
||||
be preserved. There is no option for dropping the element but preserving
|
||||
child nodes.</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,7 @@
|
||||
Core.EscapeInvalidTags
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
When true, invalid tags will be written back to the document as plain text.
|
||||
Otherwise, they are silently dropped.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
||||
Core.EscapeNonASCIICharacters
|
||||
TYPE: bool
|
||||
VERSION: 1.4.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
This directive overcomes a deficiency in %Core.Encoding by blindly
|
||||
converting all non-ASCII characters into decimal numeric entities before
|
||||
converting it to its native encoding. This means that even characters that
|
||||
can be expressed in the non-UTF-8 encoding will be entity-ized, which can
|
||||
be a real downer for encodings like Big5. It also assumes that the ASCII
|
||||
repetoire is available, although this is the case for almost all encodings.
|
||||
Anyway, use UTF-8!
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,19 @@
|
||||
Core.HiddenElements
|
||||
TYPE: lookup
|
||||
--DEFAULT--
|
||||
array (
|
||||
'script' => true,
|
||||
'style' => true,
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive is a lookup array of elements which should have their
|
||||
contents removed when they are not allowed by the HTML definition.
|
||||
For example, the contents of a <code>script</code> tag are not
|
||||
normally shown in a document, so if script tags are to be removed,
|
||||
their contents should be removed to. This is opposed to a <code>b</code>
|
||||
tag, which defines some presentational changes but does not hide its
|
||||
contents.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
||||
Core.Language
|
||||
TYPE: string
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 'en'
|
||||
--DESCRIPTION--
|
||||
|
||||
ISO 639 language code for localizable things in HTML Purifier to use,
|
||||
which is mainly error reporting. There is currently only an English (en)
|
||||
translation, so this directive is currently useless.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,34 @@
|
||||
Core.LexerImpl
|
||||
TYPE: mixed/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This parameter determines what lexer implementation can be used. The
|
||||
valid values are:
|
||||
</p>
|
||||
<dl>
|
||||
<dt><em>null</em></dt>
|
||||
<dd>
|
||||
Recommended, the lexer implementation will be auto-detected based on
|
||||
your PHP-version and configuration.
|
||||
</dd>
|
||||
<dt><em>string</em> lexer identifier</dt>
|
||||
<dd>
|
||||
This is a slim way of manually overridding the implementation.
|
||||
Currently recognized values are: DOMLex (the default PHP5
|
||||
implementation)
|
||||
and DirectLex (the default PHP4 implementation). Only use this if
|
||||
you know what you are doing: usually, the auto-detection will
|
||||
manage things for cases you aren't even aware of.
|
||||
</dd>
|
||||
<dt><em>object</em> lexer instance</dt>
|
||||
<dd>
|
||||
Super-advanced: you can specify your own, custom, implementation that
|
||||
implements the interface defined by <code>HTMLPurifier_Lexer</code>.
|
||||
I may remove this option simply because I don't expect anyone
|
||||
to use it.
|
||||
</dd>
|
||||
</dl>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
||||
Core.MaintainLineNumbers
|
||||
TYPE: bool/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If true, HTML Purifier will add line number information to all tokens.
|
||||
This is useful when error reporting is turned on, but can result in
|
||||
significant performance degradation and should not be used when
|
||||
unnecessary. This directive must be used with the DirectLex lexer,
|
||||
as the DOMLex lexer does not (yet) support this functionality.
|
||||
If the value is null, an appropriate value will be selected based
|
||||
on other configuration.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
Core.NormalizeNewlines
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to normalize newlines to the operating
|
||||
system default. When <code>false</code>, HTML Purifier
|
||||
will attempt to preserve mixed newline files.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
Core.RemoveInvalidImg
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
VERSION: 1.3.0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive enables pre-emptive URI checking in <code>img</code>
|
||||
tags, as the attribute validation strategy is not authorized to
|
||||
remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
Core.RemoveProcessingInstructions
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Instead of escaping processing instructions in the form <code><? ...
|
||||
?></code>, remove it out-right. This may be useful if the HTML
|
||||
you are validating contains XML processing instruction gunk, however,
|
||||
it can also be user-unfriendly for people attempting to post PHP
|
||||
snippets.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
Core.RemoveScriptContents
|
||||
TYPE: bool/null
|
||||
DEFAULT: NULL
|
||||
VERSION: 2.0.0
|
||||
DEPRECATED-VERSION: 2.1.0
|
||||
DEPRECATED-USE: Core.HiddenElements
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive enables HTML Purifier to remove not only script tags
|
||||
but all of their contents.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
Filter.Custom
|
||||
TYPE: list
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive can be used to add custom filters; it is nearly the
|
||||
equivalent of the now deprecated <code>HTMLPurifier->addFilter()</code>
|
||||
method. Specify an array of concrete implementations.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
||||
Filter.ExtractStyleBlocks.Escaping
|
||||
TYPE: bool
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: true
|
||||
ALIASES: Filter.ExtractStyleBlocksEscaping, FilterParam.ExtractStyleBlocksEscaping
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Whether or not to escape the dangerous characters <, > and &
|
||||
as \3C, \3E and \26, respectively. This is can be safely set to false
|
||||
if the contents of StyleBlocks will be placed in an external stylesheet,
|
||||
where there is no risk of it being interpreted as HTML.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,29 @@
|
||||
Filter.ExtractStyleBlocks.Scope
|
||||
TYPE: string/null
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: NULL
|
||||
ALIASES: Filter.ExtractStyleBlocksScope, FilterParam.ExtractStyleBlocksScope
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If you would like users to be able to define external stylesheets, but
|
||||
only allow them to specify CSS declarations for a specific node and
|
||||
prevent them from fiddling with other elements, use this directive.
|
||||
It accepts any valid CSS selector, and will prepend this to any
|
||||
CSS declaration extracted from the document. For example, if this
|
||||
directive is set to <code>#user-content</code> and a user uses the
|
||||
selector <code>a:hover</code>, the final selector will be
|
||||
<code>#user-content a:hover</code>.
|
||||
</p>
|
||||
<p>
|
||||
The comma shorthand may be used; consider the above example, with
|
||||
<code>#user-content, #user-content2</code>, the final selector will
|
||||
be <code>#user-content a:hover, #user-content2 a:hover</code>.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> It is possible for users to bypass this measure
|
||||
using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML
|
||||
Purifier, and I am working to get it fixed. Until then, HTML Purifier
|
||||
performs a basic check to prevent this.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
||||
Filter.ExtractStyleBlocks.TidyImpl
|
||||
TYPE: mixed/null
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: NULL
|
||||
ALIASES: FilterParam.ExtractStyleBlocksTidyImpl
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
If left NULL, HTML Purifier will attempt to instantiate a <code>csstidy</code>
|
||||
class to use for internal cleaning. This will usually be good enough.
|
||||
</p>
|
||||
<p>
|
||||
However, for trusted user input, you can set this to <code>false</code> to
|
||||
disable cleaning. In addition, you can supply your own concrete implementation
|
||||
of Tidy's interface to use, although I don't know why you'd want to do that.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,74 @@
|
||||
Filter.ExtractStyleBlocks
|
||||
TYPE: bool
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: false
|
||||
EXTERNAL: CSSTidy
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive turns on the style block extraction filter, which removes
|
||||
<code>style</code> blocks from input HTML, cleans them up with CSSTidy,
|
||||
and places them in the <code>StyleBlocks</code> context variable, for further
|
||||
use by you, usually to be placed in an external stylesheet, or a
|
||||
<code>style</code> block in the <code>head</code> of your document.
|
||||
</p>
|
||||
<p>
|
||||
Sample usage:
|
||||
</p>
|
||||
<pre><![CDATA[
|
||||
<?php
|
||||
header('Content-type: text/html; charset=utf-8');
|
||||
echo '<?xml version="1.0" encoding="UTF-8"?>';
|
||||
?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
||||
<head>
|
||||
<title>Filter.ExtractStyleBlocks</title>
|
||||
<?php
|
||||
require_once '/path/to/library/HTMLPurifier.auto.php';
|
||||
require_once '/path/to/csstidy.class.php';
|
||||
|
||||
$dirty = '<style>body {color:#F00;}</style> Some text';
|
||||
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('Filter', 'ExtractStyleBlocks', true);
|
||||
$purifier = new HTMLPurifier($config);
|
||||
|
||||
$html = $purifier->purify($dirty);
|
||||
|
||||
// This implementation writes the stylesheets to the styles/ directory.
|
||||
// You can also echo the styles inside the document, but it's a bit
|
||||
// more difficult to make sure they get interpreted properly by
|
||||
// browsers; try the usual CSS armoring techniques.
|
||||
$styles = $purifier->context->get('StyleBlocks');
|
||||
$dir = 'styles/';
|
||||
if (!is_dir($dir)) mkdir($dir);
|
||||
$hash = sha1($_GET['html']);
|
||||
foreach ($styles as $i => $style) {
|
||||
file_put_contents($name = $dir . $hash . "_$i");
|
||||
echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
|
||||
}
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
<div>
|
||||
<?php echo $html; ?>
|
||||
</div>
|
||||
</b]]><![CDATA[ody>
|
||||
</html>
|
||||
]]></pre>
|
||||
<p>
|
||||
<strong>Warning:</strong> It is possible for a user to mount an
|
||||
imagecrash attack using this CSS. Counter-measures are difficult;
|
||||
it is not simply enough to limit the range of CSS lengths (using
|
||||
relative lengths with many nesting levels allows for large values
|
||||
to be attained without actually specifying them in the stylesheet),
|
||||
and the flexible nature of selectors makes it difficult to selectively
|
||||
disable lengths on image tags (HTML Purifier, however, does disable
|
||||
CSS width and height in inline styling). There are probably two effective
|
||||
counter measures: an explicit width and height set to auto in all
|
||||
images in your document (unlikely) or the disabling of width and
|
||||
height (somewhat reasonable). Whether or not these measures should be
|
||||
used is left to the reader.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
||||
Filter.YouTube
|
||||
TYPE: bool
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
<strong>Warning:</strong> Deprecated in favor of %HTML.SafeObject and
|
||||
%Output.FlashCompat (turn both on to allow YouTube videos and other
|
||||
Flash content).
|
||||
</p>
|
||||
<p>
|
||||
This directive enables YouTube video embedding in HTML Purifier. Check
|
||||
<a href="http://htmlpurifier.org/docs/enduser-youtube.html">this document
|
||||
on embedding videos</a> for more information on what this filter does.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,25 @@
|
||||
HTML.Allowed
|
||||
TYPE: itext/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This is a preferred convenience directive that combines
|
||||
%HTML.AllowedElements and %HTML.AllowedAttributes.
|
||||
Specify elements and attributes that are allowed using:
|
||||
<code>element1[attr1|attr2],element2...</code>. For example,
|
||||
if you would like to only allow paragraphs and links, specify
|
||||
<code>a[href],p</code>. You can specify attributes that apply
|
||||
to all elements using an asterisk, e.g. <code>*[lang]</code>.
|
||||
You can also use newlines instead of commas to separate elements.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning</strong>:
|
||||
All of the constraints on the component directives are still enforced.
|
||||
The syntax is a <em>subset</em> of TinyMCE's <code>valid_elements</code>
|
||||
whitelist: directly copy-pasting it here will probably result in
|
||||
broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes
|
||||
are set, this directive has no effect.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,19 @@
|
||||
HTML.AllowedAttributes
|
||||
TYPE: lookup/null
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If HTML Purifier's attribute set is unsatisfactory, overload it!
|
||||
The syntax is "tag.attr" or "*.attr" for the global attributes
|
||||
(style, id, class, dir, lang, xml:lang).
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
elements here, <em>that</em> directive will win and override. For
|
||||
example, %HTML.EnableAttrID will take precedence over *.id in this
|
||||
directive. You must set that directive to true before you can use
|
||||
IDs at all.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,10 @@
|
||||
HTML.AllowedComments
|
||||
TYPE: lookup
|
||||
VERSION: 4.4.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
A whitelist which indicates what explicit comment bodies should be
|
||||
allowed, modulo leading and trailing whitespace. See also %HTML.AllowedCommentsRegexp
|
||||
(these directives are union'ed together, so a comment is considered
|
||||
valid if any directive deems it valid.)
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,15 @@
|
||||
HTML.AllowedCommentsRegexp
|
||||
TYPE: string/null
|
||||
VERSION: 4.4.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
A regexp, which if it matches the body of a comment, indicates that
|
||||
it should be allowed. Trailing and leading spaces are removed prior
|
||||
to running this regular expression.
|
||||
<strong>Warning:</strong> Make sure you specify
|
||||
correct anchor metacharacters <code>^regex$</code>, otherwise you may accept
|
||||
comments that you did not mean to! In particular, the regex <code>/foo|bar/</code>
|
||||
is probably not sufficiently strict, since it also allows <code>foobar</code>.
|
||||
See also %HTML.AllowedComments (these directives are union'ed together,
|
||||
so a comment is considered valid if any directive deems it valid.)
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,23 @@
|
||||
HTML.AllowedElements
|
||||
TYPE: lookup/null
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
If HTML Purifier's tag set is unsatisfactory for your needs, you can
|
||||
overload it with your own list of tags to allow. If you change
|
||||
this, you probably also want to change %HTML.AllowedAttributes; see
|
||||
also %HTML.Allowed which lets you set allowed elements and
|
||||
attributes at the same time.
|
||||
</p>
|
||||
<p>
|
||||
If you attempt to allow an element that HTML Purifier does not know
|
||||
about, HTML Purifier will raise an error. You will need to manually
|
||||
tell HTML Purifier about this element by using the
|
||||
<a href="http://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
elements here, <em>that</em> directive will win and override.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,20 @@
|
||||
HTML.AllowedModules
|
||||
TYPE: lookup/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
A doctype comes with a set of usual modules to use. Without having
|
||||
to mucking about with the doctypes, you can quickly activate or
|
||||
disable these modules by specifying which modules you wish to allow
|
||||
with this directive. This is most useful for unit testing specific
|
||||
modules, although end users may find it useful for their own ends.
|
||||
</p>
|
||||
<p>
|
||||
If you specify a module that does not exist, the manager will silently
|
||||
fail to use it, so be careful! User-defined modules are not affected
|
||||
by this directive. Modules defined in %HTML.CoreModules are not
|
||||
affected by this directive.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
HTML.Attr.Name.UseCDATA
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 4.0.0
|
||||
--DESCRIPTION--
|
||||
The W3C specification DTD defines the name attribute to be CDATA, not ID, due
|
||||
to limitations of DTD. In certain documents, this relaxed behavior is desired,
|
||||
whether it is to specify duplicate names, or to specify names that would be
|
||||
illegal IDs (for example, names that begin with a digit.) Set this configuration
|
||||
directive to true to use the relaxed parsing rules.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,18 @@
|
||||
HTML.BlockWrapper
|
||||
TYPE: string
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: 'p'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
String name of element to wrap inline elements that are inside a block
|
||||
context. This only occurs in the children of blockquote in strict mode.
|
||||
</p>
|
||||
<p>
|
||||
Example: by default value,
|
||||
<code><blockquote>Foo</blockquote></code> would become
|
||||
<code><blockquote><p>Foo</p></blockquote></code>.
|
||||
The <code><p></code> tags can be replaced with whatever you desire,
|
||||
as long as it is a block level element.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,23 @@
|
||||
HTML.CoreModules
|
||||
TYPE: lookup
|
||||
VERSION: 2.0.0
|
||||
--DEFAULT--
|
||||
array (
|
||||
'Structure' => true,
|
||||
'Text' => true,
|
||||
'Hypertext' => true,
|
||||
'List' => true,
|
||||
'NonXMLCommonAttributes' => true,
|
||||
'XMLCommonAttributes' => true,
|
||||
'CommonAttributes' => true,
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Certain modularized doctypes (XHTML, namely), have certain modules
|
||||
that must be included for the doctype to be an conforming document
|
||||
type: put those modules here. By default, XHTML's core modules
|
||||
are used. You can set this to a blank array to disable core module
|
||||
protection, but this is not recommended.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
||||
HTML.CustomDoctype
|
||||
TYPE: string/null
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
A custom doctype for power-users who defined their own document
|
||||
type. This directive only applies when %HTML.Doctype is blank.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,33 @@
|
||||
HTML.DefinitionID
|
||||
TYPE: string/null
|
||||
DEFAULT: NULL
|
||||
VERSION: 2.0.0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Unique identifier for a custom-built HTML definition. If you edit
|
||||
the raw version of the HTMLDefinition, introducing changes that the
|
||||
configuration object does not reflect, you must specify this variable.
|
||||
If you change your custom edits, you should change this directive, or
|
||||
clear your cache. Example:
|
||||
</p>
|
||||
<pre>
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('HTML', 'DefinitionID', '1');
|
||||
$def = $config->getHTMLDefinition();
|
||||
$def->addAttribute('a', 'tabindex', 'Number');
|
||||
</pre>
|
||||
<p>
|
||||
In the above example, the configuration is still at the defaults, but
|
||||
using the advanced API, an extra attribute has been added. The
|
||||
configuration object normally has no way of knowing that this change
|
||||
has taken place, so it needs an extra directive: %HTML.DefinitionID.
|
||||
If someone else attempts to use the default configuration, these two
|
||||
pieces of code will not clobber each other in the cache, since one has
|
||||
an extra directive attached to it.
|
||||
</p>
|
||||
<p>
|
||||
You <em>must</em> specify a value to this directive to use the
|
||||
advanced API features.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,16 @@
|
||||
HTML.DefinitionRev
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 1
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Revision identifier for your custom definition specified in
|
||||
%HTML.DefinitionID. This serves the same purpose: uniquely identifying
|
||||
your custom definition, but this one does so in a chronological
|
||||
context: revision 3 is more up-to-date then revision 2. Thus, when
|
||||
this gets incremented, the cache handling is smart enough to clean
|
||||
up any older revisions of your definition as well as flush the
|
||||
cache.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
HTML.Doctype
|
||||
TYPE: string/null
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
Doctype to use during filtering. Technically speaking this is not actually
|
||||
a doctype (as it does not identify a corresponding DTD), but we are using
|
||||
this name for sake of simplicity. When non-blank, this will override any
|
||||
older directives like %HTML.XHTML or %HTML.Strict.
|
||||
--ALLOWED--
|
||||
'HTML 4.01 Transitional', 'HTML 4.01 Strict', 'XHTML 1.0 Transitional', 'XHTML 1.0 Strict', 'XHTML 1.1'
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
||||
HTML.FlashAllowFullScreen
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to permit embedded Flash content from
|
||||
%HTML.SafeObject to expand to the full screen. Corresponds to
|
||||
the <code>allowFullScreen</code> parameter.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,21 @@
|
||||
HTML.ForbiddenAttributes
|
||||
TYPE: lookup
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
While this directive is similar to %HTML.AllowedAttributes, for
|
||||
forwards-compatibility with XML, this attribute has a different syntax. Instead of
|
||||
<code>tag.attr</code>, use <code>tag@attr</code>. To disallow <code>href</code>
|
||||
attributes in <code>a</code> tags, set this directive to
|
||||
<code>a@href</code>. You can also disallow an attribute globally with
|
||||
<code>attr</code> or <code>*@attr</code> (either syntax is fine; the latter
|
||||
is provided for consistency with %HTML.AllowedAttributes).
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> This directive complements %HTML.ForbiddenElements,
|
||||
accordingly, check
|
||||
out that directive for a discussion of why you
|
||||
should think twice before using this directive.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,20 @@
|
||||
HTML.ForbiddenElements
|
||||
TYPE: lookup
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This was, perhaps, the most requested feature ever in HTML
|
||||
Purifier. Please don't abuse it! This is the logical inverse of
|
||||
%HTML.AllowedElements, and it will override that directive, or any
|
||||
other directive.
|
||||
</p>
|
||||
<p>
|
||||
If possible, %HTML.Allowed is recommended over this directive, because it
|
||||
can sometimes be difficult to tell whether or not you've forbidden all of
|
||||
the behavior you would like to disallow. If you forbid <code>img</code>
|
||||
with the expectation of preventing images on your site, you'll be in for
|
||||
a nasty surprise when people start using the <code>background-image</code>
|
||||
CSS property.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,14 @@
|
||||
HTML.MaxImgLength
|
||||
TYPE: int/null
|
||||
DEFAULT: 1200
|
||||
VERSION: 3.1.1
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive controls the maximum number of pixels in the width and
|
||||
height attributes in <code>img</code> tags. This is
|
||||
in place to prevent imagecrash attacks, disable with null at your own risk.
|
||||
This directive is similar to %CSS.MaxImgLength, and both should be
|
||||
concurrently edited, although there are
|
||||
subtle differences in the input format (the HTML max is an integer).
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,7 @@
|
||||
HTML.Nofollow
|
||||
TYPE: bool
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: FALSE
|
||||
--DESCRIPTION--
|
||||
If enabled, nofollow rel attributes are added to all outgoing links.
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
HTML.Parent
|
||||
TYPE: string
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: 'div'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
String name of element that HTML fragment passed to library will be
|
||||
inserted in. An interesting variation would be using span as the
|
||||
parent element, meaning that only inline tags would be allowed.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,12 @@
|
||||
HTML.Proprietary
|
||||
TYPE: bool
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to allow proprietary elements and attributes in your
|
||||
documents, as per <code>HTMLPurifier_HTMLModule_Proprietary</code>.
|
||||
<strong>Warning:</strong> This can cause your documents to stop
|
||||
validating!
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
||||
HTML.SafeEmbed
|
||||
TYPE: bool
|
||||
VERSION: 3.1.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to permit embed tags in documents, with a number of extra
|
||||
security features added to prevent script execution. This is similar to
|
||||
what websites like MySpace do to embed tags. Embed is a proprietary
|
||||
element and will cause your website to stop validating; you should
|
||||
see if you can use %Output.FlashCompat with %HTML.SafeObject instead
|
||||
first.</p>
|
||||
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
||||
HTML.SafeIframe
|
||||
TYPE: bool
|
||||
VERSION: 4.4.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to permit iframe tags in untrusted documents. This
|
||||
directive must be accompanied by a whitelist of permitted iframes,
|
||||
such as %URI.SafeIframeRegexp, otherwise it will fatally error.
|
||||
This directive has no effect on strict doctypes, as iframes are not
|
||||
valid.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user