Update HTMLPurifier to current stable version 4.5.0
@@ -21,7 +21,7 @@ class HTMLPurifier_HTMLModule_Bdo extends HTMLPurifier_HTMLModule
|
||||
// inclusions wrong for bdo: bdo allows Lang
|
||||
)
|
||||
);
|
||||
$bdo->attr_transform_post['required-dir'] = new HTMLPurifier_AttrTransform_BdoDir();
|
||||
$bdo->attr_transform_post[] = new HTMLPurifier_AttrTransform_BdoDir();
|
||||
|
||||
$this->attr_collections['I18N']['dir'] = 'Enum#ltr,rtl';
|
||||
}
|
||||
|
||||
@@ -35,7 +35,7 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
|
||||
'name' => 'CDATA',
|
||||
'readonly' => 'Bool#readonly',
|
||||
'size' => 'Number',
|
||||
'src' => 'URI#embeds',
|
||||
'src' => 'URI#embedded',
|
||||
'tabindex' => 'Number',
|
||||
'type' => 'Enum#text,password,checkbox,button,radio,submit,reset,file,hidden,image',
|
||||
'value' => 'CDATA',
|
||||
@@ -84,7 +84,8 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
|
||||
$button->excludes = $this->makeLookup(
|
||||
'form', 'fieldset', // Form
|
||||
'input', 'select', 'textarea', 'label', 'button', // Formctrl
|
||||
'a' // as per HTML 4.01 spec, this is omitted by modularization
|
||||
'a', // as per HTML 4.01 spec, this is omitted by modularization
|
||||
'isindex', 'iframe' // legacy items
|
||||
);
|
||||
|
||||
// Extra exclusion: img usemap="" is not permitted within this element.
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* XHTML 1.1 Iframe Module provides inline frames.
|
||||
*
|
||||
* @note This module is not considered safe unless an Iframe
|
||||
* whitelisting mechanism is specified. Currently, the only
|
||||
* such mechanism is %URL.SafeIframeRegexp
|
||||
*/
|
||||
class HTMLPurifier_HTMLModule_Iframe extends HTMLPurifier_HTMLModule
|
||||
{
|
||||
|
||||
public $name = 'Iframe';
|
||||
public $safe = false;
|
||||
|
||||
public function setup($config) {
|
||||
if ($config->get('HTML.SafeIframe')) {
|
||||
$this->safe = true;
|
||||
}
|
||||
$this->addElement(
|
||||
'iframe', 'Inline', 'Flow', 'Common',
|
||||
array(
|
||||
'src' => 'URI#embedded',
|
||||
'width' => 'Length',
|
||||
'height' => 'Length',
|
||||
'name' => 'ID',
|
||||
'scrolling' => 'Enum#yes,no,auto',
|
||||
'frameborder' => 'Enum#0,1',
|
||||
'longdesc' => 'URI',
|
||||
'marginheight' => 'Pixels',
|
||||
'marginwidth' => 'Pixels',
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
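Review bot: The class docblock names the whitelist directive as `%URL.SafeIframeRegexp`, but HTML Purifier's URI directives live in the `URI` namespace, so it should read `%URI.SafeIframeRegexp`. Separately, `setup()` sets `$this->safe = true` from `HTML.SafeIframe` alone and declares `'src' => 'URI#embedded'` without checking that a regexp is configured. The restriction on iframe sources is presumably enforced by a URI filter that this page does not show. I would record that dependency above the `if`, e.g. `// Marked safe only because embedded iframe URIs are checked against %URI.SafeIframeRegexp elsewhere; this module does not validate src itself.`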
@@ -89,7 +89,7 @@ class HTMLPurifier_HTMLModule_Legacy extends HTMLPurifier_HTMLModule
|
||||
$hr->attr['width'] = 'Length';
|
||||
|
||||
$img = $this->addBlankElement('img');
|
||||
$img->attr['align'] = 'Enum#top,middle,bottom,left,right';
|
||||
$img->attr['align'] = 'IAlign';
|
||||
$img->attr['border'] = 'Pixels';
|
||||
$img->attr['hspace'] = 'Pixels';
|
||||
$img->attr['vspace'] = 'Pixels';
|
||||
@@ -136,6 +136,22 @@ class HTMLPurifier_HTMLModule_Legacy extends HTMLPurifier_HTMLModule
|
||||
$ul->attr['compact'] = 'Bool#compact';
|
||||
$ul->attr['type'] = 'Enum#square,disc,circle';
|
||||
|
||||
// "safe" modifications to "unsafe" elements
|
||||
// WARNING: If you want to add support for an unsafe, legacy
|
||||
// attribute, make a new TrustedLegacy module with the trusted
|
||||
// bit set appropriately
|
||||
|
||||
$form = $this->addBlankElement('form');
|
||||
$form->content_model = 'Flow | #PCDATA';
|
||||
$form->content_model_type = 'optional';
|
||||
$form->attr['target'] = 'FrameTarget';
|
||||
|
||||
$input = $this->addBlankElement('input');
|
||||
$input->attr['align'] = 'IAlign';
|
||||
|
||||
$legend = $this->addBlankElement('legend');
|
||||
$legend->attr['align'] = 'LAlign';
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -20,10 +20,16 @@ class HTMLPurifier_HTMLModule_List extends HTMLPurifier_HTMLModule
|
||||
public $content_sets = array('Flow' => 'List');
|
||||
|
||||
public function setup($config) {
|
||||
$ol = $this->addElement('ol', 'List', 'Required: li', 'Common');
|
||||
$ol->wrap = "li";
|
||||
$ul = $this->addElement('ul', 'List', 'Required: li', 'Common');
|
||||
$ul->wrap = "li";
|
||||
$ol = $this->addElement('ol', 'List', new HTMLPurifier_ChildDef_List(), 'Common');
|
||||
$ul = $this->addElement('ul', 'List', new HTMLPurifier_ChildDef_List(), 'Common');
|
||||
// XXX The wrap attribute is handled by MakeWellFormed. This is all
|
||||
// quite unsatisfactory, because we generated this
|
||||
// *specifically* for lists, and now a big chunk of the handling
|
||||
// is done properly by the List ChildDef. So actually, we just
|
||||
// want enough information to make autoclosing work properly,
|
||||
// and then hand off the tricky stuff to the ChildDef.
|
||||
$ol->wrap = 'li';
|
||||
$ul->wrap = 'li';
|
||||
$this->addElement('dl', 'List', 'Required: dt | dd', 'Common');
|
||||
|
||||
$this->addElement('li', false, 'Flow', 'Common');
|
||||
|
||||
@@ -11,7 +11,7 @@ class HTMLPurifier_HTMLModule_Name extends HTMLPurifier_HTMLModule
|
||||
$element = $this->addBlankElement($name);
|
||||
$element->attr['name'] = 'CDATA';
|
||||
if (!$config->get('HTML.Attr.Name.UseCDATA')) {
|
||||
$element->attr_transform_post['NameSync'] = new HTMLPurifier_AttrTransform_NameSync();
|
||||
$element->attr_transform_post[] = new HTMLPurifier_AttrTransform_NameSync();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Module adds the nofollow attribute transformation to a tags. It
|
||||
* is enabled by HTML.Nofollow
|
||||
*/
|
||||
class HTMLPurifier_HTMLModule_Nofollow extends HTMLPurifier_HTMLModule
|
||||
{
|
||||
|
||||
public $name = 'Nofollow';
|
||||
|
||||
public function setup($config) {
|
||||
$a = $this->addBlankElement('a');
|
||||
$a->attr_transform_post[] = new HTMLPurifier_AttrTransform_Nofollow();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
@@ -21,7 +21,7 @@ class HTMLPurifier_HTMLModule_SafeEmbed extends HTMLPurifier_HTMLModule
|
||||
'allowscriptaccess' => 'Enum#never',
|
||||
'allownetworking' => 'Enum#internal',
|
||||
'flashvars' => 'Text',
|
||||
'wmode' => 'Enum#window',
|
||||
'wmode' => 'Enum#window,transparent,opaque',
|
||||
'name' => 'ID',
|
||||
)
|
||||
);
|
||||
|
||||
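Review bot: The `wmode` enum is widened from `window` to `window,transparent,opaque` with no comment on why that is acceptable for untrusted embeds (assuming the second `wmode` line is the new side, since the page has lost its +/- markers). In `transparent` and `opaque` modes the plugin content is composited with the surrounding page instead of being drawn in its own window, so an embed can be layered with page content. A comment on that line would record the decision, e.g. `// transparent/opaque let the embed layer with page content; accepted because positioning CSS is restricted elsewhere`, with the reason adjusted to whatever actually applies. The attribute array starts and ends outside this hunk.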
@@ -29,7 +29,6 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
|
||||
'width' => 'Pixels#' . $max,
|
||||
'height' => 'Pixels#' . $max,
|
||||
'data' => 'URI#embedded',
|
||||
'classid' => 'Enum#clsid:d27cdb6e-ae6d-11cf-96b8-444553540000',
|
||||
'codebase' => new HTMLPurifier_AttrDef_Enum(array(
|
||||
'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')),
|
||||
)
|
||||
|
||||
@@ -0,0 +1,37 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* A "safe" script module. No inline JS is allowed, and pointed to JS
|
||||
* files must match whitelist.
|
||||
*/
|
||||
class HTMLPurifier_HTMLModule_SafeScripting extends HTMLPurifier_HTMLModule
|
||||
{
|
||||
|
||||
public $name = 'SafeScripting';
|
||||
|
||||
public function setup($config) {
|
||||
|
||||
// These definitions are not intrinsically safe: the attribute transforms
|
||||
// are a vital part of ensuring safety.
|
||||
|
||||
$allowed = $config->get('HTML.SafeScripting');
|
||||
$script = $this->addElement(
|
||||
'script',
|
||||
'Inline',
|
||||
'Empty',
|
||||
null,
|
||||
array(
|
||||
// While technically not required by the spec, we're forcing
|
||||
// it to this value.
|
||||
'type' => 'Enum#text/javascript',
|
||||
'src*' => new HTMLPurifier_AttrDef_Enum(array_keys($allowed))
|
||||
)
|
||||
);
|
||||
$script->attr_transform_pre[] =
|
||||
$script->attr_transform_post[] = new HTMLPurifier_AttrTransform_ScriptRequired();
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
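Review bot: The `src*` whitelist is built as `new HTMLPurifier_AttrDef_Enum(array_keys($allowed))`, but nothing in `setup()` documents that `HTML.SafeScripting` must be a lookup array keyed by URL, nor what happens when it is empty. If the value were ever not an array, `array_keys()` would fail. The Enum comparison is presumably an exact string match, so each entry has to be the complete script URL. I would add a comment above `$allowed`, e.g. `// HTML.SafeScripting is a lookup keyed by the exact script URLs to allow; an empty lookup leaves no valid src.` The existing comment calls the attribute transforms vital for safety, so it should also say what `HTMLPurifier_AttrTransform_ScriptRequired` enforces, which this hunk does not show.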
@@ -45,8 +45,8 @@ class HTMLPurifier_HTMLModule_Scripting extends HTMLPurifier_HTMLModule
|
||||
);
|
||||
$this->info['script']->content_model = '#PCDATA';
|
||||
$this->info['script']->content_model_type = 'optional';
|
||||
$this->info['script']->attr_transform_pre['type'] =
|
||||
$this->info['script']->attr_transform_post['type'] =
|
||||
$this->info['script']->attr_transform_pre[] =
|
||||
$this->info['script']->attr_transform_post[] =
|
||||
new HTMLPurifier_AttrTransform_ScriptRequired();
|
||||
}
|
||||
}
|
||||
|
||||
@@ -37,6 +37,9 @@ class HTMLPurifier_HTMLModule_Tables extends HTMLPurifier_HTMLModule
|
||||
'abbr' => 'Text',
|
||||
'colspan' => 'Number',
|
||||
'rowspan' => 'Number',
|
||||
// Apparently, as of HTML5 this attribute only applies
|
||||
// to 'th' elements.
|
||||
'scope' => 'Enum#row,col,rowgroup,colgroup',
|
||||
),
|
||||
$cell_align
|
||||
);
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Module adds the target=blank attribute transformation to a tags. It
|
||||
* is enabled by HTML.TargetBlank
|
||||
*/
|
||||
class HTMLPurifier_HTMLModule_TargetBlank extends HTMLPurifier_HTMLModule
|
||||
{
|
||||
|
||||
public $name = 'TargetBlank';
|
||||
|
||||
public function setup($config) {
|
||||
$a = $this->addBlankElement('a');
|
||||
$a->attr_transform_post[] = new HTMLPurifier_AttrTransform_TargetBlank();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
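Review bot: The docblock for `HTMLPurifier_HTMLModule_TargetBlank` does not mention that a link opened with `target="_blank"` gives the destination page a `window.opener` reference to the originating page unless `rel` carries `noopener` or `noreferrer`. The module only attaches `HTMLPurifier_AttrTransform_TargetBlank` to `a`, and whether that transform touches `rel` is not visible here. I would extend the docblock with a line such as `@note Links forced into a new window expose window.opener to the target unless rel="noopener" is also applied.` Operators enabling `HTML.TargetBlank` on user-submitted content would then know to pair it with a rel policy.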