diff options
Diffstat (limited to 'lib/htmlpurifier/library/HTMLPurifier/AttrTransform')
20 files changed, 619 insertions, 0 deletions
diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php new file mode 100644 index 000000000..0e1ff24a3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php @@ -0,0 +1,23 @@ +<?php + +/** + * Pre-transform that changes proprietary background attribute to CSS. + */ +class HTMLPurifier_AttrTransform_Background extends HTMLPurifier_AttrTransform { + + public function transform($attr, $config, $context) { + + if (!isset($attr['background'])) return $attr; + + $background = $this->confiscateAttr($attr, 'background'); + // some validation should happen here + + $this->prependCSS($attr, "background-image:url($background);"); + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php new file mode 100644 index 000000000..4d1a05665 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php @@ -0,0 +1,19 @@ +<?php + +// this MUST be placed in post, as it assumes that any value in dir is valid + +/** + * Post-trasnform that ensures that bdo tags have the dir attribute set. + */ +class HTMLPurifier_AttrTransform_BdoDir extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + if (isset($attr['dir'])) return $attr; + $attr['dir'] = $config->get('Attr.DefaultTextDir'); + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php new file mode 100644 index 000000000..ad3916bb9 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php @@ -0,0 +1,23 @@ +<?php + +/** + * Pre-transform that changes deprecated bgcolor attribute to CSS. + */ +class HTMLPurifier_AttrTransform_BgColor extends HTMLPurifier_AttrTransform { + + public function transform($attr, $config, $context) { + + if (!isset($attr['bgcolor'])) return $attr; + + $bgcolor = $this->confiscateAttr($attr, 'bgcolor'); + // some validation should happen here + + $this->prependCSS($attr, "background-color:$bgcolor;"); + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php new file mode 100644 index 000000000..51159b671 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php @@ -0,0 +1,36 @@ +<?php + +/** + * Pre-transform that changes converts a boolean attribute to fixed CSS + */ +class HTMLPurifier_AttrTransform_BoolToCSS extends HTMLPurifier_AttrTransform { + + /** + * Name of boolean attribute that is trigger + */ + protected $attr; + + /** + * CSS declarations to add to style, needs trailing semicolon + */ + protected $css; + + /** + * @param $attr string attribute name to convert from + * @param $css string CSS declarations to add to style (needs semicolon) + */ + public function __construct($attr, $css) { + $this->attr = $attr; + $this->css = $css; + } + + public function transform($attr, $config, $context) { + if (!isset($attr[$this->attr])) return $attr; + unset($attr[$this->attr]); + $this->prependCSS($attr, $this->css); + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php new file mode 100644 index 000000000..476b0b079 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php @@ -0,0 +1,18 @@ +<?php + +/** + * Pre-transform that changes deprecated border attribute to CSS. + */ +class HTMLPurifier_AttrTransform_Border extends HTMLPurifier_AttrTransform { + + public function transform($attr, $config, $context) { + if (!isset($attr['border'])) return $attr; + $border_width = $this->confiscateAttr($attr, 'border'); + // some validation should happen here + $this->prependCSS($attr, "border:{$border_width}px solid;"); + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php new file mode 100644 index 000000000..2a5b4514a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php @@ -0,0 +1,58 @@ +<?php + +/** + * Generic pre-transform that converts an attribute with a fixed number of + * values (enumerated) to CSS. + */ +class HTMLPurifier_AttrTransform_EnumToCSS extends HTMLPurifier_AttrTransform { + + /** + * Name of attribute to transform from + */ + protected $attr; + + /** + * Lookup array of attribute values to CSS + */ + protected $enumToCSS = array(); + + /** + * Case sensitivity of the matching + * @warning Currently can only be guaranteed to work with ASCII + * values. + */ + protected $caseSensitive = false; + + /** + * @param $attr String attribute name to transform from + * @param $enumToCSS Lookup array of attribute values to CSS + * @param $case_sensitive Boolean case sensitivity indicator, default false + */ + public function __construct($attr, $enum_to_css, $case_sensitive = false) { + $this->attr = $attr; + $this->enumToCSS = $enum_to_css; + $this->caseSensitive = (bool) $case_sensitive; + } + + public function transform($attr, $config, $context) { + + if (!isset($attr[$this->attr])) return $attr; + + $value = trim($attr[$this->attr]); + unset($attr[$this->attr]); + + if (!$this->caseSensitive) $value = strtolower($value); + + if (!isset($this->enumToCSS[$value])) { + return $attr; + } + + $this->prependCSS($attr, $this->enumToCSS[$value]); + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php new file mode 100644 index 000000000..7f0e4b7a5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php @@ -0,0 +1,43 @@ +<?php + +// must be called POST validation + +/** + * Transform that supplies default values for the src and alt attributes + * in img tags, as well as prevents the img tag from being removed + * because of a missing alt tag. This needs to be registered as both + * a pre and post attribute transform. + */ +class HTMLPurifier_AttrTransform_ImgRequired extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + + $src = true; + if (!isset($attr['src'])) { + if ($config->get('Core.RemoveInvalidImg')) return $attr; + $attr['src'] = $config->get('Attr.DefaultInvalidImage'); + $src = false; + } + + if (!isset($attr['alt'])) { + if ($src) { + $alt = $config->get('Attr.DefaultImageAlt'); + if ($alt === null) { + // truncate if the alt is too long + $attr['alt'] = substr(basename($attr['src']),0,40); + } else { + $attr['alt'] = $alt; + } + } else { + $attr['alt'] = $config->get('Attr.DefaultInvalidImageAlt'); + } + } + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php new file mode 100644 index 000000000..fd84c10c3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php @@ -0,0 +1,44 @@ +<?php + +/** + * Pre-transform that changes deprecated hspace and vspace attributes to CSS + */ +class HTMLPurifier_AttrTransform_ImgSpace extends HTMLPurifier_AttrTransform { + + protected $attr; + protected $css = array( + 'hspace' => array('left', 'right'), + 'vspace' => array('top', 'bottom') + ); + + public function __construct($attr) { + $this->attr = $attr; + if (!isset($this->css[$attr])) { + trigger_error(htmlspecialchars($attr) . ' is not valid space attribute'); + } + } + + public function transform($attr, $config, $context) { + + if (!isset($attr[$this->attr])) return $attr; + + $width = $this->confiscateAttr($attr, $this->attr); + // some validation could happen here + + if (!isset($this->css[$this->attr])) return $attr; + + $style = ''; + foreach ($this->css[$this->attr] as $suffix) { + $property = "margin-$suffix"; + $style .= "$property:{$width}px;"; + } + + $this->prependCSS($attr, $style); + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php new file mode 100644 index 000000000..16829552d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php @@ -0,0 +1,40 @@ +<?php + +/** + * Performs miscellaneous cross attribute validation and filtering for + * input elements. This is meant to be a post-transform. + */ +class HTMLPurifier_AttrTransform_Input extends HTMLPurifier_AttrTransform { + + protected $pixels; + + public function __construct() { + $this->pixels = new HTMLPurifier_AttrDef_HTML_Pixels(); + } + + public function transform($attr, $config, $context) { + if (!isset($attr['type'])) $t = 'text'; + else $t = strtolower($attr['type']); + if (isset($attr['checked']) && $t !== 'radio' && $t !== 'checkbox') { + unset($attr['checked']); + } + if (isset($attr['maxlength']) && $t !== 'text' && $t !== 'password') { + unset($attr['maxlength']); + } + if (isset($attr['size']) && $t !== 'text' && $t !== 'password') { + $result = $this->pixels->validate($attr['size'], $config, $context); + if ($result === false) unset($attr['size']); + else $attr['size'] = $result; + } + if (isset($attr['src']) && $t !== 'image') { + unset($attr['src']); + } + if (!isset($attr['value']) && ($t === 'radio' || $t === 'checkbox')) { + $attr['value'] = ''; + } + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php new file mode 100644 index 000000000..5869e7f82 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php @@ -0,0 +1,28 @@ +<?php + +/** + * Post-transform that copies lang's value to xml:lang (and vice-versa) + * @note Theoretically speaking, this could be a pre-transform, but putting + * post is more efficient. + */ +class HTMLPurifier_AttrTransform_Lang extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + + $lang = isset($attr['lang']) ? $attr['lang'] : false; + $xml_lang = isset($attr['xml:lang']) ? $attr['xml:lang'] : false; + + if ($lang !== false && $xml_lang === false) { + $attr['xml:lang'] = $lang; + } elseif ($xml_lang !== false) { + $attr['lang'] = $xml_lang; + } + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php new file mode 100644 index 000000000..ea2f30473 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php @@ -0,0 +1,27 @@ +<?php + +/** + * Class for handling width/height length attribute transformations to CSS + */ +class HTMLPurifier_AttrTransform_Length extends HTMLPurifier_AttrTransform +{ + + protected $name; + protected $cssName; + + public function __construct($name, $css_name = null) { + $this->name = $name; + $this->cssName = $css_name ? $css_name : $name; + } + + public function transform($attr, $config, $context) { + if (!isset($attr[$this->name])) return $attr; + $length = $this->confiscateAttr($attr, $this->name); + if(ctype_digit($length)) $length .= 'px'; + $this->prependCSS($attr, $this->cssName . ":$length;"); + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php new file mode 100644 index 000000000..15315bc73 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php @@ -0,0 +1,21 @@ +<?php + +/** + * Pre-transform that changes deprecated name attribute to ID if necessary + */ +class HTMLPurifier_AttrTransform_Name extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + // Abort early if we're using relaxed definition of name + if ($config->get('HTML.Attr.Name.UseCDATA')) return $attr; + if (!isset($attr['name'])) return $attr; + $id = $this->confiscateAttr($attr, 'name'); + if ( isset($attr['id'])) return $attr; + $attr['id'] = $id; + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php new file mode 100644 index 000000000..a95638c14 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php @@ -0,0 +1,27 @@ +<?php + +/** + * Post-transform that performs validation to the name attribute; if + * it is present with an equivalent id attribute, it is passed through; + * otherwise validation is performed. + */ +class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform +{ + + public function __construct() { + $this->idDef = new HTMLPurifier_AttrDef_HTML_ID(); + } + + public function transform($attr, $config, $context) { + if (!isset($attr['name'])) return $attr; + $name = $attr['name']; + if (isset($attr['id']) && $attr['id'] === $name) return $attr; + $result = $this->idDef->validate($name, $config, $context); + if ($result === false) unset($attr['name']); + else $attr['name'] = $result; + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php new file mode 100644 index 000000000..f7fb1209b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php @@ -0,0 +1,45 @@ +<?php + +// must be called POST validation + +/** + * Adds rel="nofollow" to all outbound links. This transform is + * only attached if Attr.Nofollow is TRUE. + */ +class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform +{ + private $parser; + + public function __construct() { + $this->parser = new HTMLPurifier_URIParser(); + } + + public function transform($attr, $config, $context) { + + if (!isset($attr['href'])) { + return $attr; + } + + // XXX Kind of inefficient + $url = $this->parser->parse($attr['href']); + $scheme = $url->getSchemeObj($config, $context); + + if ($scheme->browsable && !$url->isLocal($config, $context)) { + if (isset($attr['rel'])) { + $rels = explode(' ', $attr); + if (!in_array('nofollow', $rels)) { + $rels[] = 'nofollow'; + } + $attr['rel'] = implode(' ', $rels); + } else { + $attr['rel'] = 'nofollow'; + } + } + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php new file mode 100644 index 000000000..4da449981 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php @@ -0,0 +1,15 @@ +<?php + +class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform +{ + public $name = "SafeEmbed"; + + public function transform($attr, $config, $context) { + $attr['allowscriptaccess'] = 'never'; + $attr['allownetworking'] = 'internal'; + $attr['type'] = 'application/x-shockwave-flash'; + return $attr; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php new file mode 100644 index 000000000..1ed74898b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php @@ -0,0 +1,16 @@ +<?php + +/** + * Writes default type for all objects. Currently only supports flash. + */ +class HTMLPurifier_AttrTransform_SafeObject extends HTMLPurifier_AttrTransform +{ + public $name = "SafeObject"; + + function transform($attr, $config, $context) { + if (!isset($attr['type'])) $attr['type'] = 'application/x-shockwave-flash'; + return $attr; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php new file mode 100644 index 000000000..bd86a7455 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php @@ -0,0 +1,64 @@ +<?php + +/** + * Validates name/value pairs in param tags to be used in safe objects. This + * will only allow name values it recognizes, and pre-fill certain attributes + * with required values. + * + * @note + * This class only supports Flash. In the future, Quicktime support + * may be added. + * + * @warning + * This class expects an injector to add the necessary parameters tags. + */ +class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform +{ + public $name = "SafeParam"; + private $uri; + + public function __construct() { + $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded + $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent')); + } + + public function transform($attr, $config, $context) { + // If we add support for other objects, we'll need to alter the + // transforms. + switch ($attr['name']) { + // application/x-shockwave-flash + // Keep this synchronized with Injector/SafeObject.php + case 'allowScriptAccess': + $attr['value'] = 'never'; + break; + case 'allowNetworking': + $attr['value'] = 'internal'; + break; + case 'allowFullScreen': + if ($config->get('HTML.FlashAllowFullScreen')) { + $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false'; + } else { + $attr['value'] = 'false'; + } + break; + case 'wmode': + $attr['value'] = $this->wmode->validate($attr['value'], $config, $context); + break; + case 'movie': + case 'src': + $attr['name'] = "movie"; + $attr['value'] = $this->uri->validate($attr['value'], $config, $context); + break; + case 'flashvars': + // we're going to allow arbitrary inputs to the SWF, on + // the reasoning that it could only hack the SWF, not us. + break; + // add other cases to support other param name/value pairs + default: + $attr['name'] = $attr['value'] = null; + } + return $attr; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php new file mode 100644 index 000000000..4499050a2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php @@ -0,0 +1,16 @@ +<?php + +/** + * Implements required attribute stipulation for <script> + */ +class HTMLPurifier_AttrTransform_ScriptRequired extends HTMLPurifier_AttrTransform +{ + public function transform($attr, $config, $context) { + if (!isset($attr['type'])) { + $attr['type'] = 'text/javascript'; + } + return $attr; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php new file mode 100644 index 000000000..a6502c749 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php @@ -0,0 +1,38 @@ +<?php + +// must be called POST validation + +/** + * Adds target="blank" to all outbound links. This transform is + * only attached if Attr.TargetBlank is TRUE. This works regardless + * of whether or not Attr.AllowedFrameTargets + */ +class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform +{ + private $parser; + + public function __construct() { + $this->parser = new HTMLPurifier_URIParser(); + } + + public function transform($attr, $config, $context) { + + if (!isset($attr['href'])) { + return $attr; + } + + // XXX Kind of inefficient + $url = $this->parser->parse($attr['href']); + $scheme = $url->getSchemeObj($config, $context); + + if ($scheme->browsable && !$url->isBenign($config, $context)) { + $attr['target'] = 'blank'; + } + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php new file mode 100644 index 000000000..81ac3488b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php @@ -0,0 +1,18 @@ +<?php + +/** + * Sets height/width defaults for <textarea> + */ +class HTMLPurifier_AttrTransform_Textarea extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + // Calculated from Firefox + if (!isset($attr['cols'])) $attr['cols'] = '22'; + if (!isset($attr['rows'])) $attr['rows'] = '3'; + return $attr; + } + +} + +// vim: et sw=4 sts=4 |