Update HTMLPurifier to current stable version 4.5.0
This commit is contained in:
Michael Kaufmann (d00p)
@@ -36,6 +36,11 @@ class HTMLPurifier_Generator
|
||||
*/
|
||||
private $_flashCompat;
|
||||
|
||||
/**
|
||||
* Cache of %Output.FixInnerHTML
|
||||
*/
|
||||
private $_innerHTMLFix;
|
||||
|
||||
/**
|
||||
* Stack for keeping track of object information when outputting IE
|
||||
* compatibility code.
|
||||
@@ -54,6 +59,7 @@ class HTMLPurifier_Generator
|
||||
public function __construct($config, $context) {
|
||||
$this->config = $config;
|
||||
$this->_scriptFix = $config->get('Output.CommentScriptContents');
|
||||
$this->_innerHTMLFix = $config->get('Output.FixInnerHTML');
|
||||
$this->_sortAttr = $config->get('Output.SortAttr');
|
||||
$this->_flashCompat = $config->get('Output.FlashCompat');
|
||||
$this->_def = $config->getHTMLDefinition();
|
||||
@@ -132,19 +138,7 @@ class HTMLPurifier_Generator
|
||||
$_extra = '';
|
||||
if ($this->_flashCompat) {
|
||||
if ($token->name == "object" && !empty($this->_flashStack)) {
|
||||
$flash = array_pop($this->_flashStack);
|
||||
$compat_token = new HTMLPurifier_Token_Empty("embed");
|
||||
foreach ($flash->attr as $name => $val) {
|
||||
if ($name == "classid") continue;
|
||||
if ($name == "type") continue;
|
||||
if ($name == "data") $name = "src";
|
||||
$compat_token->attr[$name] = $val;
|
||||
}
|
||||
foreach ($flash->param as $name => $val) {
|
||||
if ($name == "movie") $name = "src";
|
||||
$compat_token->attr[$name] = $val;
|
||||
}
|
||||
$_extra = "<!--[if IE]>".$this->generateFromToken($compat_token)."<![endif]-->";
|
||||
// doesn't do anything for now
|
||||
}
|
||||
}
|
||||
return $_extra . '</' . $token->name . '>';
|
||||
@@ -202,6 +196,37 @@ class HTMLPurifier_Generator
|
||||
continue;
|
||||
}
|
||||
}
|
||||
// Workaround for Internet Explorer innerHTML bug.
|
||||
// Essentially, Internet Explorer, when calculating
|
||||
// innerHTML, omits quotes if there are no instances of
|
||||
// angled brackets, quotes or spaces. However, when parsing
|
||||
// HTML (for example, when you assign to innerHTML), it
|
||||
// treats backticks as quotes. Thus,
|
||||
// <img alt="``" />
|
||||
// becomes
|
||||
// <img alt=`` />
|
||||
// becomes
|
||||
// <img alt='' />
|
||||
// Fortunately, all we need to do is trigger an appropriate
|
||||
// quoting style, which we do by adding an extra space.
|
||||
// This also is consistent with the W3C spec, which states
|
||||
// that user agents may ignore leading or trailing
|
||||
// whitespace (in fact, most don't, at least for attributes
|
||||
// like alt, but an extra space at the end is barely
|
||||
// noticeable). Still, we have a configuration knob for
|
||||
// this, since this transformation is not necesary if you
|
||||
// don't process user input with innerHTML or you don't plan
|
||||
// on supporting Internet Explorer.
|
||||
if ($this->_innerHTMLFix) {
|
||||
if (strpos($value, '`') !== false) {
|
||||
// check if correct quoting style would not already be
|
||||
// triggered
|
||||
if (strcspn($value, '"\' <>') === strlen($value)) {
|
||||
// protect!
|
||||
$value .= ' ';
|
||||
}
|
||||
}
|
||||
}
|
||||
$html .= $key.'="'.$this->escape($value).'" ';
|
||||
}
|
||||
return rtrim($html);
|
||||
|
||||
Reference in New Issue
Block a user