htmlpurifier-4.15.0-lite
This commit is contained in:
parent
5e1f40ee3c
commit
b5f0021573
40 changed files with 158 additions and 218 deletions
|
@ -9,6 +9,52 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||
. Internal change
|
||||
==========================
|
||||
|
||||
4.15.0, released 2022-09-18
|
||||
! PHP 8.1 and 8.2 support, esp. fixes for deprecation warnings. A joint effort
|
||||
by David Rans, Tim Düsterhus, Kieran and John Flatness.
|
||||
! Allow contenteditable="false" (#336), contributed by Kieran.
|
||||
- Replace PHP 8.1 deprecated utf8_ functions with mbstring (#326),
|
||||
contributed by John Flatness.
|
||||
- Enhanced composer suggestions with extensions (#317), contributed by
|
||||
func0der.
|
||||
|
||||
4.14.0, released 2021-12-24
|
||||
! Add "background-size" support (#289), contributed by Václav Smítal
|
||||
! Transform deprecated width attribute when tidying HTML, contributed by
|
||||
Kieran.
|
||||
- PHP 8 support, contributed by Maksims Sļotovs.
|
||||
- Improved PHP 7.3 compatibility, contributed by kishor.
|
||||
- Avoid spurious magic quotes notice in PHP 7.4. Thanks
|
||||
Jasper Zonneveld for the fix.
|
||||
- Do not remove thead from table even if there are no tbody/tr (#264).
|
||||
Thanks Marcus Artner for the fix.
|
||||
- Fix "Parameter must be an array or an object that implements
|
||||
Countable" (#285)". Thanks Kieran for this fix.
|
||||
. Fix unnecessary reference assignment, handling behavior change from
|
||||
PHP5 and PHP7. Thanks Arkadiusz Biczewski for the fix.
|
||||
|
||||
4.13.0, released 2020-06-28
|
||||
! Add %HTML.Forms directive, which lets you accept forms in user
|
||||
HTML without requiring full %HTML.Trusted. Note that forms can
|
||||
be (trivially) used to setup phishing; e.g., an attacker can
|
||||
use CSS absolute positioning to overlay a form on top of a login
|
||||
element, so please be sure to use this with care! Fixes #213.
|
||||
Thanks Mateusz Turcza for contributing this feature.
|
||||
! tr@bgcolor attribute is now supported. Thanks Kieran Brahney
|
||||
for this enhancement.
|
||||
- Further improvements to PHP 7.4 support, contributed by Witold
|
||||
Wasiczko and Eloy Lafuente.
|
||||
- Fix PSR-0 compatibility. Thanks Jordi Boggiano for contributing
|
||||
part of this fix.
|
||||
- Fix bug with purifyArray where it doesn't work on empty arrays.
|
||||
Thanks Fräntz Miccoli for the fix.
|
||||
- Reduce amount of maintenance scripts included in distribution
|
||||
packages. Thanks Sergei Morozov for this patch.
|
||||
- Remove leading zeros unless if it is only a zero, fixes #239. Thanks
|
||||
lubomirbartos for this fix.
|
||||
- Correct type hinting of maybeGet*, fixes #240. Thanks Anders Jenbo
|
||||
for this fix.
|
||||
|
||||
4.12.0, released 2019-10-27
|
||||
! PHP 7.4 is supported, thank you Witold Wasiczko, Mateuz Turcza and
|
||||
Edi Modrić
|
||||
|
|
|
@ -4,12 +4,11 @@
|
|||
* @file
|
||||
* Legacy autoloader for systems lacking spl_autoload_register
|
||||
*
|
||||
* Must be separate to prevent deprecation warning on PHP 7.2
|
||||
*/
|
||||
|
||||
function __autoload($class)
|
||||
spl_autoload_register(function($class)
|
||||
{
|
||||
return HTMLPurifier_Bootstrap::autoload($class);
|
||||
}
|
||||
return HTMLPurifier_Bootstrap::autoload($class);
|
||||
});
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
|
|
|
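Review bot: The file header at the top of this hunk still says "Legacy autoloader for systems lacking spl_autoload_register", but the new body calls spl_autoload_register() unconditionally, so the comment now contradicts the code. Judging from the include condition visible in the next file (`if (function_exists('spl_autoload_register') && …`), this file appears to be required only when that function is absent, in which case the new call would be an undefined-function fatal on exactly the hosts it targets — worth confirming the include path. If the intent is simply to stop declaring a `__autoload` that PHP 8 no longer supports, record that in the header, e.g. `* Legacy autoloader; __autoload() was removed in PHP 8, so this registers via spl_autoload_register() and only works where that function exists`, and guard the call with `if (function_exists('spl_autoload_register')) {`.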
@ -17,6 +17,7 @@ if (function_exists('spl_autoload_register') && function_exists('spl_autoload_un
|
|||
require dirname(__FILE__) . '/HTMLPurifier.autoload-legacy.php';
|
||||
}
|
||||
|
||||
// phpcs:ignore PHPCompatibility.IniDirectives.RemovedIniDirectives.zend_ze1_compatibility_modeRemoved
|
||||
if (ini_get('zend.ze1_compatibility_mode')) {
|
||||
trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR);
|
||||
}
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
* primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS
|
||||
* FILE, changes will be overwritten the next time the script is run.
|
||||
*
|
||||
* @version 4.12.0
|
||||
* @version 4.15.0
|
||||
*
|
||||
* @warning
|
||||
* You must *not* include any other HTML Purifier files before this file,
|
||||
|
@ -107,6 +107,7 @@ require 'HTMLPurifier/AttrDef/HTML/Bool.php';
|
|||
require 'HTMLPurifier/AttrDef/HTML/Nmtokens.php';
|
||||
require 'HTMLPurifier/AttrDef/HTML/Class.php';
|
||||
require 'HTMLPurifier/AttrDef/HTML/Color.php';
|
||||
require 'HTMLPurifier/AttrDef/HTML/ContentEditable.php';
|
||||
require 'HTMLPurifier/AttrDef/HTML/FrameTarget.php';
|
||||
require 'HTMLPurifier/AttrDef/HTML/ID.php';
|
||||
require 'HTMLPurifier/AttrDef/HTML/Pixels.php';
|
||||
|
|
|
@ -19,7 +19,7 @@
|
|||
*/
|
||||
|
||||
/*
|
||||
HTML Purifier 4.12.0 - Standards Compliant HTML Filtering
|
||||
HTML Purifier 4.15.0 - Standards Compliant HTML Filtering
|
||||
Copyright (C) 2006-2008 Edward Z. Yang
|
||||
|
||||
This library is free software; you can redistribute it and/or
|
||||
|
@ -58,12 +58,12 @@ class HTMLPurifier
|
|||
* Version of HTML Purifier.
|
||||
* @type string
|
||||
*/
|
||||
public $version = '4.12.0';
|
||||
public $version = '4.15.0';
|
||||
|
||||
/**
|
||||
* Constant with version of HTML Purifier.
|
||||
*/
|
||||
const VERSION = '4.12.0';
|
||||
const VERSION = '4.15.0';
|
||||
|
||||
/**
|
||||
* Global configuration object.
|
||||
|
@ -240,6 +240,7 @@ class HTMLPurifier
|
|||
public function purifyArray($array_of_html, $config = null)
|
||||
{
|
||||
$context_array = array();
|
||||
$array = array();
|
||||
foreach($array_of_html as $key=>$value){
|
||||
if (is_array($value)) {
|
||||
$array[$key] = $this->purifyArray($value, $config);
|
||||
|
|
|
@ -101,6 +101,7 @@ require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php';
|
|||
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php';
|
||||
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Class.php';
|
||||
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php';
|
||||
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ContentEditable.php';
|
||||
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php';
|
||||
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php';
|
||||
require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php';
|
||||
|
|
|
@ -25,6 +25,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
|
|||
$this->info['background-repeat'] = $def->info['background-repeat'];
|
||||
$this->info['background-attachment'] = $def->info['background-attachment'];
|
||||
$this->info['background-position'] = $def->info['background-position'];
|
||||
$this->info['background-size'] = $def->info['background-size'];
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -53,6 +54,7 @@ class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef
|
|||
$caught['repeat'] = false;
|
||||
$caught['attachment'] = false;
|
||||
$caught['position'] = false;
|
||||
$caught['size'] = false;
|
||||
|
||||
$i = 0; // number of catches
|
||||
|
||||
|
|
|
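Review bot: Adding `$caught['size'] = false` only reserves a slot; whether the shorthand ever fills it depends on the bit-consuming loop, which starts below this hunk and is not shown. If that loop is unchanged from earlier releases, the 'position' catcher accepts any bit unconditionally and is tried before 'size', so a `cover`/`contain` token or the CSS `/` separator would be swallowed into the position string and `size` would stay false. A unit test that `background: url(a.png) center / cover` round-trips with the size preserved would settle this, together with a comment on this line such as `// size is only valid after the '/' that follows position; see the loop below`.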
@ -69,7 +69,13 @@ class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef
|
|||
return false;
|
||||
}
|
||||
|
||||
$left = ltrim($left, '0');
|
||||
// Remove leading zeros until positive number or a zero stays left
|
||||
if (ltrim($left, '0') != '') {
|
||||
$left = ltrim($left, '0');
|
||||
} else {
|
||||
$left = '0';
|
||||
}
|
||||
|
||||
$right = rtrim($right, '0');
|
||||
|
||||
if ($right === '') {
|
||||
|
|
|
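Review bot: `ltrim($left, '0')` is evaluated twice in the new branch and the guard uses loose `!=`; `$stripped = ltrim($left, '0'); $left = $stripped === '' ? '0' : $stripped;` states the same rule once with a strict comparison. A why-comment would also help, e.g. `// never strip the last '0': '000' must become '0', not '' (issue #239)`, since the old unconditional ltrim is what this fixes. The enclosing validate() method begins and ends outside this hunk.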
@ -8,6 +8,11 @@
|
|||
class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform
|
||||
{
|
||||
|
||||
/**
|
||||
* @type HTMLPurifier_AttrDef_HTML_ID
|
||||
*/
|
||||
public $idDef;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->idDef = new HTMLPurifier_AttrDef_HTML_ID();
|
||||
|
|
|
@ -24,6 +24,11 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
|
|||
*/
|
||||
private $uri;
|
||||
|
||||
/**
|
||||
* @type HTMLPurifier_AttrDef_Enum
|
||||
*/
|
||||
public $wmode;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
|
||||
|
|
|
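Review bot: `public $wmode` is declared directly after `private $uri` in the same class, so the two properties now have different visibility for no stated reason; unless something outside the class reads `$wmode`, `private $wmode;` matches its neighbour and avoids widening the class surface while fixing the dynamic-property deprecation. If it must stay public because the transform is inspected externally, a one-line comment saying so would stop the next reader from tightening it. The constructor that presumably assigns it is only partly visible here.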
@ -41,6 +41,7 @@ class HTMLPurifier_AttrTypes
|
|||
$this->info['IAlign'] = self::makeEnum('top,middle,bottom,left,right');
|
||||
$this->info['LAlign'] = self::makeEnum('top,bottom,left,right');
|
||||
$this->info['FrameTarget'] = new HTMLPurifier_AttrDef_HTML_FrameTarget();
|
||||
$this->info['ContentEditable'] = new HTMLPurifier_AttrDef_HTML_ContentEditable();
|
||||
|
||||
// unimplemented aliases
|
||||
$this->info['ContentType'] = new HTMLPurifier_AttrDef_Text();
|
||||
|
|
|
@ -109,6 +109,22 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
|
|||
);
|
||||
$this->info['background-position'] = new HTMLPurifier_AttrDef_CSS_BackgroundPosition();
|
||||
|
||||
$this->info['background-size'] = new HTMLPurifier_AttrDef_CSS_Composite(
|
||||
array(
|
||||
new HTMLPurifier_AttrDef_Enum(
|
||||
array(
|
||||
'auto',
|
||||
'cover',
|
||||
'contain',
|
||||
'initial',
|
||||
'inherit',
|
||||
)
|
||||
),
|
||||
new HTMLPurifier_AttrDef_CSS_Percentage(),
|
||||
new HTMLPurifier_AttrDef_CSS_Length()
|
||||
)
|
||||
);
|
||||
|
||||
$border_color =
|
||||
$this->info['border-top-color'] =
|
||||
$this->info['border-bottom-color'] =
|
||||
|
|
|
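Review bot: The new `background-size` definition accepts any `HTMLPurifier_AttrDef_CSS_Length` or `HTMLPurifier_AttrDef_CSS_Percentage`, so negative values such as `-10px` or `-50%` pass, even though background-size lengths are non-negative in CSS; the purifier is then emitting declarations browsers will simply drop. If these AttrDefs support a non-negative mode (as width/height appear to use elsewhere in this file — confirm the constructor signatures), prefer `new HTMLPurifier_AttrDef_CSS_Percentage(true),` and `new HTMLPurifier_AttrDef_CSS_Length('0')`. Note also that a single Composite admits only one token, so two-value forms like `50% auto` are rejected; if that is intentional, a comment on the definition saying so will pre-empt a bug report.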
@ -22,6 +22,8 @@ class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef
|
|||
// XXX: This whole business with 'wrap' is all a bit unsatisfactory
|
||||
public $elements = array('li' => true, 'ul' => true, 'ol' => true);
|
||||
|
||||
public $whitespace;
|
||||
|
||||
/**
|
||||
* @param array $children
|
||||
* @param HTMLPurifier_Config $config
|
||||
|
|
|
@ -164,7 +164,7 @@ class HTMLPurifier_ChildDef_Table extends HTMLPurifier_ChildDef
|
|||
}
|
||||
}
|
||||
|
||||
if (empty($content)) {
|
||||
if (empty($content) && $thead === false && $tfoot === false) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
|
|
@ -21,7 +21,7 @@ class HTMLPurifier_Config
|
|||
* HTML Purifier's version
|
||||
* @type string
|
||||
*/
|
||||
public $version = '4.12.0';
|
||||
public $version = '4.15.0';
|
||||
|
||||
/**
|
||||
* Whether or not to automatically finalize
|
||||
|
@ -408,7 +408,7 @@ class HTMLPurifier_Config
|
|||
* maybeGetRawHTMLDefinition, which is more explicitly
|
||||
* named, instead.
|
||||
*
|
||||
* @return HTMLPurifier_HTMLDefinition
|
||||
* @return HTMLPurifier_HTMLDefinition|null
|
||||
*/
|
||||
public function getHTMLDefinition($raw = false, $optimized = false)
|
||||
{
|
||||
|
@ -427,7 +427,7 @@ class HTMLPurifier_Config
|
|||
* maybeGetRawCSSDefinition, which is more explicitly
|
||||
* named, instead.
|
||||
*
|
||||
* @return HTMLPurifier_CSSDefinition
|
||||
* @return HTMLPurifier_CSSDefinition|null
|
||||
*/
|
||||
public function getCSSDefinition($raw = false, $optimized = false)
|
||||
{
|
||||
|
@ -446,7 +446,7 @@ class HTMLPurifier_Config
|
|||
* maybeGetRawURIDefinition, which is more explicitly
|
||||
* named, instead.
|
||||
*
|
||||
* @return HTMLPurifier_URIDefinition
|
||||
* @return HTMLPurifier_URIDefinition|null
|
||||
*/
|
||||
public function getURIDefinition($raw = false, $optimized = false)
|
||||
{
|
||||
|
@ -468,7 +468,7 @@ class HTMLPurifier_Config
|
|||
* maybe semantics is the "right thing to do."
|
||||
*
|
||||
* @throws HTMLPurifier_Exception
|
||||
* @return HTMLPurifier_Definition
|
||||
* @return HTMLPurifier_Definition|null
|
||||
*/
|
||||
public function getDefinition($type, $raw = false, $optimized = false)
|
||||
{
|
||||
|
@ -647,7 +647,7 @@ class HTMLPurifier_Config
|
|||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_HTMLDefinition
|
||||
* @return HTMLPurifier_HTMLDefinition|null
|
||||
*/
|
||||
public function maybeGetRawHTMLDefinition()
|
||||
{
|
||||
|
@ -655,7 +655,7 @@ class HTMLPurifier_Config
|
|||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_CSSDefinition
|
||||
* @return HTMLPurifier_CSSDefinition|null
|
||||
*/
|
||||
public function maybeGetRawCSSDefinition()
|
||||
{
|
||||
|
@ -663,7 +663,7 @@ class HTMLPurifier_Config
|
|||
}
|
||||
|
||||
/**
|
||||
* @return HTMLPurifier_URIDefinition
|
||||
* @return HTMLPurifier_URIDefinition|null
|
||||
*/
|
||||
public function maybeGetRawURIDefinition()
|
||||
{
|
||||
|
@ -803,7 +803,7 @@ class HTMLPurifier_Config
|
|||
if ($index !== false) {
|
||||
$array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array();
|
||||
}
|
||||
$mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
|
||||
$mq = $mq_fix && version_compare(PHP_VERSION, '7.4.0', '<') && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
|
||||
|
||||
$allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema);
|
||||
$ret = array();
|
||||
|
|
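Review bot: The rewritten `$mq` line chains four conditions on one long line, and `PHP_VERSION_ID < 70400` is both cheaper and more direct than `version_compare(PHP_VERSION, '7.4.0', '<')`: `$mq = $mq_fix && PHP_VERSION_ID < 70400 && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();`. A comment recording why the version gate exists — `// gate on 7.4 only to avoid the deprecation notice (see NEWS); function_exists() already covers PHP 8` — makes clear this is about silencing a notice, not about input handling. The enclosing loadArrayFromForm() begins before this hunk.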
|
@ -176,7 +176,7 @@ class HTMLPurifier_ElementDef
|
|||
|
||||
if (!empty($def->content_model)) {
|
||||
$this->content_model =
|
||||
str_replace("#SUPER", $this->content_model, $def->content_model);
|
||||
str_replace("#SUPER", (string)$this->content_model, $def->content_model);
|
||||
$this->child = false;
|
||||
}
|
||||
if (!empty($def->content_model_type)) {
|
||||
|
|
|
@ -398,8 +398,8 @@ class HTMLPurifier_Encoder
|
|||
// characters to their true byte-wise ASCII/UTF-8 equivalents.
|
||||
$str = strtr($str, self::testEncodingSupportsASCII($encoding));
|
||||
return $str;
|
||||
} elseif ($encoding === 'iso-8859-1') {
|
||||
$str = utf8_encode($str);
|
||||
} elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
|
||||
$str = mb_convert_encoding($str, 'UTF-8', 'ISO-8859-1');
|
||||
return $str;
|
||||
}
|
||||
$bug = HTMLPurifier_Encoder::testIconvTruncateBug();
|
||||
|
@ -450,8 +450,8 @@ class HTMLPurifier_Encoder
|
|||
// Normal stuff
|
||||
$str = self::iconv('utf-8', $encoding . '//IGNORE', $str);
|
||||
return $str;
|
||||
} elseif ($encoding === 'iso-8859-1') {
|
||||
$str = utf8_decode($str);
|
||||
} elseif ($encoding === 'iso-8859-1' && function_exists('mb_convert_encoding')) {
|
||||
$str = mb_convert_encoding($str, 'ISO-8859-1', 'UTF-8');
|
||||
return $str;
|
||||
}
|
||||
trigger_error('Encoding not supported', E_USER_ERROR);
|
||||
|
|
|
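Review bot: Adding `&& function_exists('mb_convert_encoding')` to both `iso-8859-1` branches changes behaviour on hosts without mbstring: that input now falls through to the iconv path below (`testIconvTruncateBug()` in the first hunk, and ultimately `trigger_error('Encoding not supported', E_USER_ERROR)` in the second if iconv is missing too), whereas the replaced utf8_encode()/utf8_decode() calls needed no extension. Those core functions are only deprecated in 8.2, not removed, so keeping them as a fallback preserves the old guarantee: `} elseif ($encoding === 'iso-8859-1') {` / `$str = function_exists('mb_convert_encoding') ? mb_convert_encoding($str, 'UTF-8', 'ISO-8859-1') : utf8_encode($str);` / `return $str;`, mirrored with `'ISO-8859-1', 'UTF-8'` and utf8_decode in the second hunk. If dropping the fallback is deliberate, the mbstring requirement should be stated where the NEWS entry mentions the composer suggestions. Both methods start and end outside the hunks shown.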
@ -257,8 +257,9 @@ class HTMLPurifier_HTMLModule
|
|||
*/
|
||||
public function makeLookup($list)
|
||||
{
|
||||
$args = func_get_args();
|
||||
if (is_string($list)) {
|
||||
$list = func_get_args();
|
||||
$list = $args;
|
||||
}
|
||||
$ret = array();
|
||||
foreach ($list as $value) {
|
||||
|
|
|
@ -17,6 +17,7 @@ class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule
|
|||
'class' => 'Class',
|
||||
'id' => 'ID',
|
||||
'title' => 'CDATA',
|
||||
'contenteditable' => 'ContentEditable',
|
||||
),
|
||||
'Lang' => array(),
|
||||
'I18N' => array(
|
||||
|
|
|
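Review bot: This line makes `contenteditable` a Core attribute on every element, and which values survive is decided entirely by HTMLPurifier_AttrDef_HTML_ContentEditable, which is not in this hunk. The NEWS entry says only `contenteditable="false"` is meant to be allowed; if the AttrDef accepted `true` or the empty string, purified markup could turn arbitrary regions of the host page editable, so a test asserting `<p contenteditable="true">` and `<p contenteditable="">` are stripped while `false` is kept would pin that contract. A trailing comment here, `'contenteditable' => 'ContentEditable', // only "false" is accepted; see AttrDef/HTML/ContentEditable`, would also explain why a single-valued attribute got its own AttrDef.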
@ -28,6 +28,10 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
|
|||
*/
|
||||
public function setup($config)
|
||||
{
|
||||
if ($config->get('HTML.Forms')) {
|
||||
$this->safe = true;
|
||||
}
|
||||
|
||||
$form = $this->addElement(
|
||||
'form',
|
||||
'Form',
|
||||
|
|
|
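Review bot: The new `$this->safe = true` under `%HTML.Forms` admits a whole module into the untrusted-safe set, and nothing at the site records the phishing caveat the NEWS entry spells out (user forms can be absolutely positioned over real login UI). A comment above the `if`, e.g. `// %HTML.Forms marks this module safe without %HTML.Trusted; user-supplied forms can be overlaid on trusted UI for phishing, so this stays opt-in`, keeps that warning next to the switch rather than only in the changelog. Whether the directive's own description carries the same warning depends on the ConfigSchema entry, which is not visible here.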
@ -146,10 +146,7 @@ class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule
|
|||
$type = "info_$type";
|
||||
$e = $this;
|
||||
}
|
||||
// PHP does some weird parsing when I do
|
||||
// $e->$type[$attr], so I have to assign a ref.
|
||||
$f =& $e->$type;
|
||||
$f[$attr] = $fix;
|
||||
$e->{$type}[$attr] = $fix;
|
||||
break;
|
||||
case 'tag_transform':
|
||||
$this->info_tag_transform[$params['element']] = $fix;
|
||||
|
|
|
@ -96,6 +96,7 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule
|
|||
|
||||
// @bgcolor for table, tr, td, th ---------------------------------
|
||||
$r['table@bgcolor'] =
|
||||
$r['tr@bgcolor'] =
|
||||
$r['td@bgcolor'] =
|
||||
$r['th@bgcolor'] =
|
||||
new HTMLPurifier_AttrTransform_BgColor();
|
||||
|
@ -167,9 +168,11 @@ class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule
|
|||
// @vspace for img ------------------------------------------------
|
||||
$r['img@vspace'] = new HTMLPurifier_AttrTransform_ImgSpace('vspace');
|
||||
|
||||
// @width for hr, td, th ------------------------------------------
|
||||
// @width for table, hr, td, th, col ------------------------------------------
|
||||
$r['table@width'] =
|
||||
$r['td@width'] =
|
||||
$r['th@width'] =
|
||||
$r['col@width'] =
|
||||
$r['hr@width'] = new HTMLPurifier_AttrTransform_Length('width');
|
||||
|
||||
return $r;
|
||||
|
|
|
@ -40,6 +40,9 @@ class HTMLPurifier_Injector_Linkify extends HTMLPurifier_Injector
|
|||
'/\\b((?:[a-z][\\w\\-]+:(?:\\/{1,3}|[a-z0-9%])|www\\d{0,3}[.]|[a-z0-9.\\-]+[.][a-z]{2,4}\\/)(?:[^\\s()<>]|\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\))+(?:\\((?:[^\\s()<>]|(?:\\([^\\s()<>]+\\)))*\\)|[^\\s`!()\\[\\]{};:\'".,<>?\x{00ab}\x{00bb}\x{201c}\x{201d}\x{2018}\x{2019}]))/iu',
|
||||
$token->data, -1, PREG_SPLIT_DELIM_CAPTURE);
|
||||
|
||||
if ($bits === false) {
|
||||
return;
|
||||
}
|
||||
|
||||
$token = array();
|
||||
|
||||
|
|
|
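Review bot: The new `if ($bits === false) { return; }` silently bails on any PCRE failure and nothing says why; a comment would make the intent explicit, e.g. `// preg_split() returns false on a PCRE error (backtrack/recursion limit, or malformed UTF-8 under /u); leave the text token unlinkified rather than drop it`. Because it returns before `$token` is touched, the text presumably reaches the output unmodified, which is the safe direction; if so, a preg_last_error() log at this point would at least surface recurring failures. The enclosing method starts above this hunk.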
@ -31,6 +31,16 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
|
|||
*/
|
||||
private $context;
|
||||
|
||||
/**
|
||||
* @type SplObjectStorage
|
||||
*/
|
||||
private $markForDeletion;
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
$this->markForDeletion = new SplObjectStorage();
|
||||
}
|
||||
|
||||
public function prepare($config, $context)
|
||||
{
|
||||
$this->attrValidator = new HTMLPurifier_AttrValidator();
|
||||
|
@ -64,7 +74,7 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
|
|||
|
||||
if ($current instanceof HTMLPurifier_Token_End && $current->name === 'span') {
|
||||
// Mark closing span tag for deletion
|
||||
$current->markForDeletion = true;
|
||||
$this->markForDeletion->attach($current);
|
||||
// Delete open span tag
|
||||
$token = false;
|
||||
}
|
||||
|
@ -75,7 +85,8 @@ class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_In
|
|||
*/
|
||||
public function handleEnd(&$token)
|
||||
{
|
||||
if ($token->markForDeletion) {
|
||||
if ($this->markForDeletion->contains($token)) {
|
||||
$this->markForDeletion->detach($token);
|
||||
$token = false;
|
||||
}
|
||||
}
|
||||
|
|
|
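Review bot: `$this->markForDeletion` is created once in the constructor and never reset in prepare(), so a token attached in handleElement but never detached (its end tag never reaching handleEnd) stays referenced for the lifetime of the injector. If an injector instance is reused across purify() calls — prepare() at the top of this section looks like per-document setup — that is a slow leak of token objects, and re-initialising there, `$this->markForDeletion = new SplObjectStorage();`, bounds it to one document. The SplObjectStorage itself is a sound replacement for the dynamic property, since identity comparison cannot confuse two distinct end tokens.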
@ -1,9 +0,0 @@
|
|||
<?php
|
||||
|
||||
// private class for unit testing
|
||||
|
||||
class HTMLPurifier_Language_en_x_test extends HTMLPurifier_Language
|
||||
{
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
|
@ -1,13 +0,0 @@
|
|||
<?php
|
||||
|
||||
// private language message file for unit testing purposes
|
||||
|
||||
$fallback = 'en';
|
||||
|
||||
$messages = array(
|
||||
'HTMLPurifier' => 'HTML Purifier X'
|
||||
);
|
||||
|
||||
$errorNames = array();
|
||||
|
||||
// vim: et sw=4 sts=4
|
|
@ -1,14 +0,0 @@
|
|||
<?php
|
||||
|
||||
// private language message file for unit testing purposes
|
||||
// this language file has no class associated with it
|
||||
|
||||
$fallback = 'en';
|
||||
|
||||
$messages = array(
|
||||
'HTMLPurifier' => 'HTML Purifier XNone'
|
||||
);
|
||||
|
||||
$errorNames = array();
|
||||
|
||||
// vim: et sw=4 sts=4
|
|
@ -78,7 +78,7 @@ class HTMLPurifier_Length
|
|||
if ($this->n === '0' && $this->unit === false) {
|
||||
return true;
|
||||
}
|
||||
if (!ctype_lower($this->unit)) {
|
||||
if ($this->unit === false || !ctype_lower($this->unit)) {
|
||||
$this->unit = strtolower($this->unit);
|
||||
}
|
||||
if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) {
|
||||
|
|
|
@ -48,6 +48,11 @@ class HTMLPurifier_Lexer
|
|||
*/
|
||||
public $tracksLineNumbers = false;
|
||||
|
||||
/**
|
||||
* @type HTMLPurifier_EntityParser
|
||||
*/
|
||||
private $_entity_parser;
|
||||
|
||||
// -- STATIC ----------------------------------------------------------
|
||||
|
||||
/**
|
||||
|
@ -306,8 +311,8 @@ class HTMLPurifier_Lexer
|
|||
{
|
||||
// normalize newlines to \n
|
||||
if ($config->get('Core.NormalizeNewlines')) {
|
||||
$html = str_replace("\r\n", "\n", $html);
|
||||
$html = str_replace("\r", "\n", $html);
|
||||
$html = str_replace("\r\n", "\n", (string)$html);
|
||||
$html = str_replace("\r", "\n", (string)$html);
|
||||
}
|
||||
|
||||
if ($config->get('HTML.Trusted')) {
|
||||
|
|
|
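Review bot: The `(string)$html` casts sit only inside the `Core.NormalizeNewlines` branch, so a null `$html` is still passed on untouched when that directive is off; if the goal is PHP 8.1 null-to-string safety, coerce once before the `if`: `$html = (string)$html;` and keep the two str_replace() calls as they were. A comment such as `// tolerate purify(null): coerce early so later string functions do not hit the 8.1 deprecation` would record the choice. The method begins above this hunk and continues below it.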
@ -4410,7 +4410,7 @@ class HTML5TreeConstructer
|
|||
|
||||
foreach ($token['attr'] as $attr) {
|
||||
if (!$el->hasAttribute($attr['name'])) {
|
||||
$el->setAttribute($attr['name'], $attr['value']);
|
||||
$el->setAttribute($attr['name'], (string)$attr['value']);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -43,8 +43,8 @@ class HTMLPurifier_Printer_HTMLDefinition extends HTMLPurifier_Printer
|
|||
$ret .= $this->element('caption', 'Doctype');
|
||||
$ret .= $this->row('Name', $doctype->name);
|
||||
$ret .= $this->row('XML', $doctype->xml ? 'Yes' : 'No');
|
||||
$ret .= $this->row('Default Modules', implode($doctype->modules, ', '));
|
||||
$ret .= $this->row('Default Tidy Modules', implode($doctype->tidyModules, ', '));
|
||||
$ret .= $this->row('Default Modules', implode(', ', $doctype->modules));
|
||||
$ret .= $this->row('Default Tidy Modules', implode(', ', $doctype->tidyModules));
|
||||
$ret .= $this->end('table');
|
||||
return $ret;
|
||||
}
|
||||
|
|
|
@ -29,6 +29,7 @@ class HTMLPurifier_PropertyListIterator extends FilterIterator
|
|||
/**
|
||||
* @return bool
|
||||
*/
|
||||
#[\ReturnTypeWillChange]
|
||||
public function accept()
|
||||
{
|
||||
$key = $this->getInnerIterator()->key();
|
||||
|
|
|
@ -20,6 +20,7 @@ class HTMLPurifier_StringHash extends ArrayObject
|
|||
* @param mixed $index
|
||||
* @return mixed
|
||||
*/
|
||||
#[\ReturnTypeWillChange]
|
||||
public function offsetGet($index)
|
||||
{
|
||||
$this->accessed[$index] = true;
|
||||
|
|
|
@ -35,7 +35,7 @@ class HTMLPurifier_URIFilter_HostBlacklist extends HTMLPurifier_URIFilter
|
|||
public function filter(&$uri, $config, $context)
|
||||
{
|
||||
foreach ($this->blacklist as $blacklisted_host_fragment) {
|
||||
if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
|
||||
if ($uri->host !== null && strpos($uri->host, $blacklisted_host_fragment) !== false) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -100,11 +100,11 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
|
|||
$string = $uri->toString();
|
||||
// always available
|
||||
$this->replace['%s'] = $string;
|
||||
$this->replace['%r'] = $context->get('EmbeddedURI', true);
|
||||
$token = $context->get('CurrentToken', true);
|
||||
$this->replace['%n'] = $token ? $token->name : null;
|
||||
$this->replace['%m'] = $context->get('CurrentAttr', true);
|
||||
$this->replace['%p'] = $context->get('CurrentCSSProperty', true);
|
||||
$this->replace['%r'] = $context->get('EmbeddedURI', true) ?: '';
|
||||
$token = $context->get('CurrentToken', true) ?: '';
|
||||
$this->replace['%n'] = $token ? $token->name : '';
|
||||
$this->replace['%m'] = $context->get('CurrentAttr', true) ?: '';
|
||||
$this->replace['%p'] = $context->get('CurrentCSSProperty', true) ?: '';
|
||||
// not always available
|
||||
if ($this->secretKey) {
|
||||
$this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey);
|
||||
|
|
|
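Review bot: The four `?: ''` fallbacks test truthiness rather than absence, so a value of `'0'` (or `0`) would also be blanked; `$context->get(..., true)` appears to return null when the key is missing, and `?? ''` matches that exactly: `$this->replace['%m'] = $context->get('CurrentAttr', true) ?? '';` and likewise for `%p`. For `%r` (EmbeddedURI) the stored value looks like a bool, and `?: ''` maps `false` to `''` while `true` becomes `'1'` in the substitution — a one-line comment stating that mapping would help, especially since the `%t` HMAC below covers `$string` only and these tokens are not authenticated. The method's tail is outside the hunk.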
@ -1,137 +0,0 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* Implements cid: URI for base64 encoded images supported by GD.
|
||||
*/
|
||||
class HTMLPurifier_URIScheme_cid extends HTMLPurifier_URIScheme
|
||||
{
|
||||
/**
|
||||
* @type bool
|
||||
*/
|
||||
public $browsable = true;
|
||||
|
||||
/**
|
||||
* @type array
|
||||
*/
|
||||
public $allowed_types = array(
|
||||
// you better write validation code for other types if you
|
||||
// decide to allow them
|
||||
'image/jpeg' => true,
|
||||
'image/gif' => true,
|
||||
'image/png' => true,
|
||||
'application/octet-stream' => true,
|
||||
);
|
||||
// this is actually irrelevant since we only write out the path
|
||||
// component
|
||||
/**
|
||||
* @type bool
|
||||
*/
|
||||
public $may_omit_host = true;
|
||||
|
||||
/**
|
||||
* @param HTMLPurifier_URI $uri
|
||||
* @param HTMLPurifier_Config $config
|
||||
* @param HTMLPurifier_Context $context
|
||||
* @return bool
|
||||
*/
|
||||
public function doValidate(&$uri, $config, $context)
|
||||
{
|
||||
$result = explode(',', $uri->path, 2);
|
||||
$is_base64 = false;
|
||||
$charset = null;
|
||||
$content_type = null;
|
||||
if (count($result) == 2) {
|
||||
list($metadata, $data) = $result;
|
||||
// do some legwork on the metadata
|
||||
$metas = explode(';', $metadata);
|
||||
while (!empty($metas)) {
|
||||
$cur = array_shift($metas);
|
||||
if ($cur == 'base64') {
|
||||
$is_base64 = true;
|
||||
break;
|
||||
}
|
||||
if (substr($cur, 0, 8) == 'charset=') {
|
||||
// doesn't match if there are arbitrary spaces, but
|
||||
// whatever dude
|
||||
if ($charset !== null) {
|
||||
continue;
|
||||
} // garbage
|
||||
$charset = substr($cur, 8); // not used
|
||||
} else {
|
||||
if ($content_type !== null) {
|
||||
continue;
|
||||
} // garbage
|
||||
$content_type = $cur;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$data = $result[0];
|
||||
}
|
||||
if ($content_type !== null && empty($this->allowed_types[$content_type])) {
|
||||
return false;
|
||||
}
|
||||
if ($charset !== null) {
|
||||
// error; we don't allow plaintext stuff
|
||||
$charset = null;
|
||||
}
|
||||
$data = rawurldecode($data);
|
||||
if ($is_base64) {
|
||||
$raw_data = base64_decode($data);
|
||||
} else {
|
||||
$raw_data = $data;
|
||||
}
|
||||
if ( strlen($raw_data) < 12 ) {
|
||||
// error; exif_imagetype throws exception with small files,
|
||||
// and this likely indicates a corrupt URI/failed parse anyway
|
||||
return false;
|
||||
}
|
||||
// XXX probably want to refactor this into a general mechanism
|
||||
// for filtering arbitrary content types
|
||||
if (function_exists('sys_get_temp_dir')) {
|
||||
$file = tempnam(sys_get_temp_dir(), "");
|
||||
} else {
|
||||
$file = tempnam("/tmp", "");
|
||||
}
|
||||
file_put_contents($file, $raw_data);
|
||||
if (function_exists('exif_imagetype')) {
|
||||
$image_code = exif_imagetype($file);
|
||||
unlink($file);
|
||||
} elseif (function_exists('getimagesize')) {
|
||||
set_error_handler(array($this, 'muteErrorHandler'));
|
||||
$info = getimagesize($file);
|
||||
restore_error_handler();
|
||||
unlink($file);
|
||||
if ($info == false) {
|
||||
return false;
|
||||
}
|
||||
$image_code = $info[2];
|
||||
} else {
|
||||
trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR);
|
||||
}
|
||||
$real_content_type = image_type_to_mime_type($image_code);
|
||||
if ($real_content_type != $content_type) {
|
||||
// we're nice guys; if the content type is something else we
|
||||
// support, change it over
|
||||
if (empty($this->allowed_types[$real_content_type])) {
|
||||
return false;
|
||||
}
|
||||
$content_type = $real_content_type;
|
||||
}
|
||||
// ok, it's kosher, rewrite what we need
|
||||
$uri->userinfo = null;
|
||||
$uri->host = null;
|
||||
$uri->port = null;
|
||||
$uri->fragment = null;
|
||||
$uri->query = null;
|
||||
$uri->path = $raw_data;
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param int $errno
|
||||
* @param string $errstr
|
||||
*/
|
||||
public function muteErrorHandler($errno, $errstr)
|
||||
{
|
||||
}
|
||||
}
|