From: <be...@us...> - 2012-03-18 09:31:32
Revision: 9153
http://xoops.svn.sourceforge.net/xoops/?rev=9153&view=rev
Author: beckmi
Date: 2012-03-18 09:31:22 +0000 (Sun, 18 Mar 2012)
Log Message:
-----------
Updated HTML Purifier to 4.4.0
Modified Paths:
--------------
XoopsCore/branches/2.5.x/2.5.5/docs/changelog.250.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/URI.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/HTML/Color.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/HTML/ID.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI/Host.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/ImgRequired.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/SafeParam.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTypes.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Bootstrap.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/CSSDefinition.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ChildDef/Table.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Config.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema.ser
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Definition.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/DefinitionCache/Serializer.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ElementDef.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Encoder.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/EntityLookup/entities.ser
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Filter/ExtractStyleBlocks.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Filter/YouTube.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Generator.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLDefinition.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/Forms.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/Legacy.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/List.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/SafeEmbed.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/SafeObject.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/Tables.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/Tidy/Proprietary.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModuleManager.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Injector/AutoParagraph.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Injector/SafeObject.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Language/messages/en.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Lexer/DOMLex.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Lexer/DirectLex.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Lexer/PH5P.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Lexer.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Strategy/Composite.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Strategy/MakeWellFormed.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Strategy/RemoveForeignElements.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/TagTransform/Font.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Token/Tag.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URI.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIDefinition.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIFilter/HostBlacklist.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIFilter/Munge.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIFilter.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme/ftp.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme/http.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme/https.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme/mailto.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme/news.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme/nntp.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/VarParser/Flexible.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier.autoload.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier.includes.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier.safe-includes.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/INSTALL
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/NEWS
Added Paths:
-----------
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/Ident.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/Clone.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/Nofollow.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/TargetBlank.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ChildDef/List.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedFonts.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/Core.EnableIDNA.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.Nofollow.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/Output.FixInnerHTML.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/Iframe.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/Nofollow.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/TargetBlank.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Injector/RemoveSpansWithoutAttributes.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIFilter/DisableResources.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIFilter/SafeIframe.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme/data.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/URIScheme/file.php
Removed Paths:
-------------
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigDef/
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ConfigDef.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/DefinitionCache/Serializer/CSS/
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/DefinitionCache/Serializer/HTML/
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/DefinitionCache/Serializer/Test/
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/DefinitionCache/Serializer/URI/
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Error.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/HTMLModule/Tidy/XHTMLStrict.php
XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Lexer/PEARSax3.php
Modified: XoopsCore/branches/2.5.x/2.5.5/docs/changelog.250.txt
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/docs/changelog.250.txt 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/docs/changelog.250.txt 2012-03-18 09:31:22 UTC (rev 9153)
@@ -5,11 +5,14 @@
===============================
Bugfixes:
- adding missing check for local timezone (XavierS)
- - ID: 3494895: When changing the # of visible entries, it goes to Admin
+ - ID: 3494895: When changing the # of visible entries, it goes to Admin (jcweb/mamba)
Improved:
- replacing "msnbot" with "bingbot" in Protector (mamba)
+Updated:
+ - HTML Purifier to 4.4.0 (mamba)
+
===============================
2011/02/19: Version 2.5.5 Beta
===============================
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/BackgroundPosition.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -59,7 +59,8 @@
$keywords = array();
$keywords['h'] = false; // left, right
$keywords['v'] = false; // top, bottom
- $keywords['c'] = false; // center
+ $keywords['ch'] = false; // center (first word)
+ $keywords['cv'] = false; // center (second word)
$measures = array();
$i = 0;
@@ -79,6 +80,13 @@
$lbit = ctype_lower($bit) ? $bit : strtolower($bit);
if (isset($lookup[$lbit])) {
$status = $lookup[$lbit];
+ if ($status == 'c') {
+ if ($i == 0) {
+ $status = 'ch';
+ } else {
+ $status = 'cv';
+ }
+ }
$keywords[$status] = $lbit;
$i++;
}
@@ -101,20 +109,19 @@
if (!$i) return false; // no valid values were caught
-
$ret = array();
// first keyword
if ($keywords['h']) $ret[] = $keywords['h'];
+ elseif ($keywords['ch']) {
+ $ret[] = $keywords['ch'];
+ $keywords['cv'] = false; // prevent re-use: center = center center
+ }
elseif (count($measures)) $ret[] = array_shift($measures);
- elseif ($keywords['c']) {
- $ret[] = $keywords['c'];
- $keywords['c'] = false; // prevent re-use: center = center center
- }
if ($keywords['v']) $ret[] = $keywords['v'];
+ elseif ($keywords['cv']) $ret[] = $keywords['cv'];
elseif (count($measures)) $ret[] = array_shift($measures);
- elseif ($keywords['c']) $ret[] = $keywords['c'];
if (empty($ret)) return false;
return implode(' ', $ret);
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/FontFamily.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/FontFamily.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/FontFamily.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -2,11 +2,43 @@
/**
* Validates a font family list according to CSS spec
- * @todo whitelisting allowed fonts would be nice
*/
class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
{
+ protected $mask = null;
+
+ public function __construct() {
+ $this->mask = '- ';
+ for ($c = 'a'; $c <= 'z'; $c++) $this->mask .= $c;
+ for ($c = 'A'; $c <= 'Z'; $c++) $this->mask .= $c;
+ for ($c = '0'; $c <= '9'; $c++) $this->mask .= $c; // cast-y, but should be fine
+ // special bytes used by UTF-8
+ for ($i = 0x80; $i <= 0xFF; $i++) {
+ // We don't bother excluding invalid bytes in this range,
+ // because the our restriction of well-formed UTF-8 will
+ // prevent these from ever occurring.
+ $this->mask .= chr($i);
+ }
+
+ /*
+ PHP's internal strcspn implementation is
+ O(length of string * length of mask), making it inefficient
+ for large masks. However, it's still faster than
+ preg_match 8)
+ for (p = s1;;) {
+ spanp = s2;
+ do {
+ if (*spanp == c || p == s1_end) {
+ return p - s1;
+ }
+ } while (spanp++ < (s2_end - 1));
+ c = *++p;
+ }
+ */
+ // possible optimization: invert the mask.
+ }
+
public function validate($string, $config, $context) {
static $generic_names = array(
'serif' => true,
@@ -15,6 +47,7 @@
'fantasy' => true,
'cursive' => true
);
+ $allowed_fonts = $config->get('CSS.AllowedFonts');
// assume that no font names contain commas in them
$fonts = explode(',', $string);
@@ -24,7 +57,9 @@
if ($font === '') continue;
// match a generic name
if (isset($generic_names[$font])) {
- $final .= $font . ', ';
+ if ($allowed_fonts === null || isset($allowed_fonts[$font])) {
+ $final .= $font . ', ';
+ }
continue;
}
// match a quoted name
@@ -34,50 +69,122 @@
$quote = $font[0];
if ($font[$length - 1] !== $quote) continue;
$font = substr($font, 1, $length - 2);
+ }
- $new_font = '';
- for ($i = 0, $c = strlen($font); $i < $c; $i++) {
- if ($font[$i] === '\\') {
- $i++;
- if ($i >= $c) {
- $new_font .= '\\';
- break;
- }
- if (ctype_xdigit($font[$i])) {
- $code = $font[$i];
- for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
- if (!ctype_xdigit($font[$i])) break;
- $code .= $font[$i];
- }
- // We have to be extremely careful when adding
- // new characters, to make sure we're not breaking
- // the encoding.
- $char = HTMLPurifier_Encoder::unichr(hexdec($code));
- if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
- $new_font .= $char;
- if ($i < $c && trim($font[$i]) !== '') $i--;
- continue;
- }
- if ($font[$i] === "\n") continue;
- }
- $new_font .= $font[$i];
- }
+ $font = $this->expandCSSEscape($font);
- $font = $new_font;
- }
// $font is a pure representation of the font name
+ if ($allowed_fonts !== null && !isset($allowed_fonts[$font])) {
+ continue;
+ }
+
if (ctype_alnum($font) && $font !== '') {
// very simple font, allow it in unharmed
$final .= $font . ', ';
continue;
}
- // complicated font, requires quoting
+ // bugger out on whitespace. form feed (0C) really
+ // shouldn't show up regardless
+ $font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
- // armor single quotes and new lines
- $font = str_replace("\\", "\\\\", $font);
- $font = str_replace("'", "\\'", $font);
+ // Here, there are various classes of characters which need
+ // to be treated differently:
+ // - Alphanumeric characters are essentially safe. We
+ // handled these above.
+ // - Spaces require quoting, though most parsers will do
+ // the right thing if there aren't any characters that
+ // can be misinterpreted
+ // - Dashes rarely occur, but they fairly unproblematic
+ // for parsing/rendering purposes.
+ // The above characters cover the majority of Western font
+ // names.
+ // - Arbitrary Unicode characters not in ASCII. Because
+ // most parsers give little thought to Unicode, treatment
+ // of these codepoints is basically uniform, even for
+ // punctuation-like codepoints. These characters can
+ // show up in non-Western pages and are supported by most
+ // major browsers, for example: "MS 明朝" is a
+ // legitimate font-name
+ // <http://ja.wikipedia.org/wiki/MS_明朝>. See
+ // the CSS3 spec for more examples:
+ // <http://www.w3.org/TR/2011/WD-css3-fonts-20110324/localizedfamilynames.png>
+ // You can see live samples of these on the Internet:
+ // <http://www.google.co.jp/search?q=font-family+MS+明朝|ゴシック>
+ // However, most of these fonts have ASCII equivalents:
+ // for example, 'MS Mincho', and it's considered
+ // professional to use ASCII font names instead of
+ // Unicode font names. Thanks Takeshi Terada for
+ // providing this information.
+ // The following characters, to my knowledge, have not been
+ // used to name font names.
+ // - Single quote. While theoretically you might find a
+ // font name that has a single quote in its name (serving
+ // as an apostrophe, e.g. Dave's Scribble), I haven't
+ // been able to find any actual examples of this.
+ // Internet Explorer's cssText translation (which I
+ // believe is invoked by innerHTML) normalizes any
+ // quoting to single quotes, and fails to escape single
+ // quotes. (Note that this is not IE's behavior for all
+ // CSS properties, just some sort of special casing for
+ // font-family). So a single quote *cannot* be used
+ // safely in the font-family context if there will be an
+ // innerHTML/cssText translation. Note that Firefox 3.x
+ // does this too.
+ // - Double quote. In IE, these get normalized to
+ // single-quotes, no matter what the encoding. (Fun
+ // fact, in IE8, the 'content' CSS property gained
+ // support, where they special cased to preserve encoded
+ // double quotes, but still translate unadorned double
+ // quotes into single quotes.) So, because their
+ // fixpoint behavior is identical to single quotes, they
+ // cannot be allowed either. Firefox 3.x displays
+ // single-quote style behavior.
+ // - Backslashes are reduced by one (so \\ -> \) every
+ // iteration, so they cannot be used safely. This shows
+ // up in IE7, IE8 and FF3
+ // - Semicolons, commas and backticks are handled properly.
+ // - The rest of the ASCII punctuation is handled properly.
+ // We haven't checked what browsers do to unadorned
+ // versions, but this is not important as long as the
+ // browser doesn't /remove/ surrounding quotes (as IE does
+ // for HTML).
+ //
+ // With these results in hand, we conclude that there are
+ // various levels of safety:
+ // - Paranoid: alphanumeric, spaces and dashes(?)
+ // - International: Paranoid + non-ASCII Unicode
+ // - Edgy: Everything except quotes, backslashes
+ // - NoJS: Standards compliance, e.g. sod IE. Note that
+ // with some judicious character escaping (since certain
+ // types of escaping doesn't work) this is theoretically
+ // OK as long as innerHTML/cssText is not called.
+ // We believe that international is a reasonable default
+ // (that we will implement now), and once we do more
+ // extensive research, we may feel comfortable with dropping
+ // it down to edgy.
+
+ // Edgy: alphanumeric, spaces, dashes and Unicode. Use of
+ // str(c)spn assumes that the string was already well formed
+ // Unicode (which of course it is).
+ if (strspn($font, $this->mask) !== strlen($font)) {
+ continue;
+ }
+
+ // Historical:
+ // In the absence of innerHTML/cssText, these ugly
+ // transforms don't pose a security risk (as \\ and \"
+ // might--these escapes are not supported by most browsers).
+ // We could try to be clever and use single-quote wrapping
+ // when there is a double quote present, but I have choosen
+ // not to implement that. (NOTE: you can reduce the amount
+ // of escapes by one depending on what quoting style you use)
+ // $font = str_replace('\\', '\\5C ', $font);
+ // $font = str_replace('"', '\\22 ', $font);
+ // $font = str_replace("'", '\\27 ', $font);
+
+ // font possibly with spaces, requires quoting
$final .= "'$font', ";
}
$final = rtrim($final, ', ');
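Review bot: The `CSS.AllowedFonts` check `isset($allowed_fonts[$font])` is an exact, case-sensitive match on the unescaped name, while browsers match font-family names case-insensitively, so an allowlist containing `Arial` silently drops `arial` (and, at the earlier generic-name check, `serif` versus `Serif` behave differently too). This fails closed, so it is not a sanitisation gap, but it is a surprise for whoever writes the allowlist; a comment at the check such as `// allowlist match is exact and case-sensitive on the unescaped name; list every spelling you accept` would make the contract explicit. validate() begins before this hunk and continues after it.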
Added: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/Ident.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/Ident.php (rev 0)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/Ident.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -0,0 +1,24 @@
+<?php
+
+/**
+ * Validates based on {ident} CSS grammar production
+ */
+class HTMLPurifier_AttrDef_CSS_Ident extends HTMLPurifier_AttrDef
+{
+
+ public function validate($string, $config, $context) {
+
+ $string = trim($string);
+
+ // early abort: '' and '0' (strings that convert to false) are invalid
+ if (!$string) return false;
+
+ $pattern = '/^(-?[A-Za-z_][A-Za-z_\-0-9]*)$/';
+ if (!preg_match($pattern, $string)) return false;
+ return $string;
+
+ }
+
+}
+
+// vim: et sw=4 sts=4
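Review bot: The docblock says the class validates the CSS {ident} production, but the pattern accepts only ASCII letters, digits, underscore and hyphen, with no escapes and no non-ASCII characters, which is a deliberately stricter subset. Since stricter is the safe direction here, the code is fine; the docblock should just say so, e.g. `* Validates a restricted ASCII subset of the {ident} CSS grammar production (no escapes, no non-ASCII characters).` The `$` anchor would tolerate a trailing newline, but the preceding `trim()` already removes it, which is worth a one-word remark on that line.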
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/URI.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/URI.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/CSS/URI.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -34,21 +34,26 @@
$uri = substr($uri, 1, $new_length - 1);
}
- $keys = array( '(', ')', ',', ' ', '"', "'");
- $values = array('\\(', '\\)', '\\,', '\\ ', '\\"', "\\'");
- $uri = str_replace($values, $keys, $uri);
+ $uri = $this->expandCSSEscape($uri);
$result = parent::validate($uri, $config, $context);
if ($result === false) return false;
- // escape necessary characters according to CSS spec
- // except for the comma, none of these should appear in the
- // URI at all
- $result = str_replace($keys, $values, $result);
+ // extra sanity check; should have been done by URI
+ $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
- return "url($result)";
+ // suspicious characters are ()'; we're going to percent encode
+ // them for safety.
+ $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);
+ // there's an extra bug where ampersands lose their escaping on
+ // an innerHTML cycle, so a very unlucky query parameter could
+ // then change the meaning of the URL. Unfortunately, there's
+ // not much we can do about that...
+
+ return "url(\"$result\")";
+
}
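Review bot: The "extra sanity check" on the new side strips `"`, backslash, newline, form feed and carriage return out of an already-validated URI instead of rejecting it; if any of those survive `parent::validate`, something upstream has failed and silently emitting a rewritten URI hides that. Returning false is the conservative choice and keeps output identical for every well-formed input: `if (strpbrk($result, "\"\\\n\x0c\r") !== false) return false;`. The percent-encoding of `(`, `)` and `'` that follows is then harmless belt-and-braces inside the `url("...")` wrapper. The enclosing validate() starts before this hunk.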
}
Added: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/Clone.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/Clone.php (rev 0)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/Clone.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -0,0 +1,28 @@
+<?php
+
+/**
+ * Dummy AttrDef that mimics another AttrDef, BUT it generates clones
+ * with make.
+ */
+class HTMLPurifier_AttrDef_Clone extends HTMLPurifier_AttrDef
+{
+ /**
+ * What we're cloning
+ */
+ protected $clone;
+
+ public function __construct($clone) {
+ $this->clone = $clone;
+ }
+
+ public function validate($v, $config, $context) {
+ return $this->clone->validate($v, $config, $context);
+ }
+
+ public function make($string) {
+ return clone $this->clone;
+ }
+
+}
+
+// vim: et sw=4 sts=4
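Review bot: `make($string)` ignores its `$string` argument entirely and returns a shallow `clone` of the wrapped AttrDef, neither of which the docblock states; if the wrapped object holds object-typed state, that state is presumably shared between clones rather than copied. Suggest documenting both on the method: `/** Returns a shallow clone of the wrapped AttrDef; $string is accepted for interface compatibility and ignored. */`. The parameter name `$v` in validate() also differs from the `$string` used by the sibling AttrDefs in this commit, which is a small consistency nit.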
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/HTML/Color.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/HTML/Color.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/HTML/Color.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -14,7 +14,7 @@
$string = trim($string);
if (empty($string)) return false;
- if (isset($colors[$string])) return $colors[$string];
+ if (isset($colors[strtolower($string)])) return $colors[$string];
if ($string[0] === '#') $hex = substr($string, 1);
else $hex = $string;
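Review bot: The new line looks the key up lowercased but reads the table with the original `$string`, so a mixed-case input such as `Red` passes the `isset` and then indexes `$colors['Red']`, which is not set; that yields an undefined-index notice and a null return rather than the validated colour. The lookup and the read must use the same key: `$lower = strtolower($string);` and `if (isset($colors[$lower])) return $colors[$lower];`. validate() continues outside this hunk.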
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/HTML/ID.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/HTML/ID.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/HTML/ID.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -12,12 +12,22 @@
class HTMLPurifier_AttrDef_HTML_ID extends HTMLPurifier_AttrDef
{
- // ref functionality disabled, since we also have to verify
- // whether or not the ID it refers to exists
+ // selector is NOT a valid thing to use for IDREFs, because IDREFs
+ // *must* target IDs that exist, whereas selector #ids do not.
+ /**
+ * Determines whether or not we're validating an ID in a CSS
+ * selector context.
+ */
+ protected $selector;
+
+ public function __construct($selector = false) {
+ $this->selector = $selector;
+ }
+
public function validate($id, $config, $context) {
- if (!$config->get('Attr.EnableID')) return false;
+ if (!$this->selector && !$config->get('Attr.EnableID')) return false;
$id = trim($id); // trim it first
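Review bot: The new `$selector` mode makes validate() skip the `Attr.EnableID` gate here and the IDAccumulator duplicate check and registration in the two later hunks of this file, but the constructor accepts the flag untyped and without documentation of that consequence. Since passing true bypasses a configuration control, the constructor docblock should say so, e.g. `@param bool $selector true when validating an ID inside a CSS selector: skips the Attr.EnableID gate and does not consult or update the IDAccumulator`, and coercing with `$this->selector = (bool) $selector;` avoids a truthy string silently enabling it. Whether the only caller passing true is the extracted-style-block filter cannot be seen from this hunk.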
@@ -33,10 +43,10 @@
'%Attr.IDPrefix is set', E_USER_WARNING);
}
- //if (!$this->ref) {
+ if (!$this->selector) {
$id_accumulator =& $context->get('IDAccumulator');
if (isset($id_accumulator->ids[$id])) return false;
- //}
+ }
// we purposely avoid using regex, hopefully this is faster
@@ -56,7 +66,7 @@
return false;
}
- if (/*!$this->ref && */$result) $id_accumulator->add($id);
+ if (!$this->selector && $result) $id_accumulator->add($id);
// if no change was made to the ID, return the result
// else, return the new id if stripping whitespace made it
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI/Host.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI/Host.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI/Host.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -23,6 +23,12 @@
public function validate($string, $config, $context) {
$length = strlen($string);
+ // empty hostname is OK; it's usually semantically equivalent:
+ // the default host as defined by a URI scheme is used:
+ //
+ // If the URI scheme defines a default for host, then that
+ // default applies when the host subcomponent is undefined
+ // or when the registered name is empty (zero length).
if ($string === '') return '';
if ($length > 1 && $string[0] === '[' && $string[$length-1] === ']') {
//IPv6
@@ -38,9 +44,8 @@
// A regular domain name.
- // This breaks I18N domain names, but we don't have proper IRI support,
- // so force users to insert Punycode. If there's complaining we'll
- // try to fix things into an international friendly form.
+ // This doesn't match I18N domain names, but we don't have proper IRI support,
+ // so force users to insert Punycode.
// The productions describing this are:
$a = '[a-z]'; // alpha
@@ -51,10 +56,44 @@
// toplabel = alpha | alpha *( alphanum | "-" ) alphanum
$toplabel = "$a($and*$an)?";
// hostname = *( domainlabel "." ) toplabel [ "." ]
- $match = preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string);
- if (!$match) return false;
+ if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
+ return $string;
+ }
- return $string;
+ // If we have Net_IDNA2 support, we can support IRIs by
+ // punycoding them. (This is the most portable thing to do,
+ // since otherwise we have to assume browsers support
+
+ if ($config->get('Core.EnableIDNA')) {
+ $idna = new Net_IDNA2(array('encoding' => 'utf8', 'overlong' => false, 'strict' => true));
+ // we need to encode each period separately
+ $parts = explode('.', $string);
+ try {
+ $new_parts = array();
+ foreach ($parts as $part) {
+ $encodable = false;
+ for ($i = 0, $c = strlen($part); $i < $c; $i++) {
+ if (ord($part[$i]) > 0x7a) {
+ $encodable = true;
+ break;
+ }
+ }
+ if (!$encodable) {
+ $new_parts[] = $part;
+ } else {
+ $new_parts[] = $idna->encode($part);
+ }
+ }
+ $string = implode('.', $new_parts);
+ if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
+ return $string;
+ }
+ } catch (Exception $e) {
+ // XXX error reporting
+ }
+ }
+
+ return false;
}
}
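Review bot: The encodable test `ord($part[$i]) > 0x7a` uses the code of `z` as its threshold, so the ASCII characters `{`, `|`, `}` and `~` (0x7B–0x7E) are also handed to `Net_IDNA2`, while the first byte of any non-ASCII UTF-8 sequence is 0x80 or above; the intended line is `if (ord($part[$i]) > 0x7f) {`. The outcome stays safe because the encoded string is re-matched against the ASCII hostname grammar before it is returned, so the slip only changes which labels reach the encoder. The comment introducing the block breaks off mid-sentence ("since otherwise we have to assume browsers support"); finish it or cut it back to its first sentence. The `catch (Exception $e)` swallows encoder failures and the method falls through to `return false`, which is the right result for a hostname that cannot be validated, so the `XXX error reporting` marker could state that the silence is deliberate; note also that `new Net_IDNA2(...)` is reached whenever `Core.EnableIDNA` is set, without checking that the class is loaded.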
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef/URI.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -19,7 +19,7 @@
}
public function make($string) {
- $embeds = (bool) $string;
+ $embeds = ($string === 'embedded');
return new HTMLPurifier_AttrDef_URI($embeds);
}
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrDef.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -82,6 +82,42 @@
return preg_replace('/rgb\((\d+)\s*,\s*(\d+)\s*,\s*(\d+)\)/', 'rgb(\1,\2,\3)', $string);
}
+ /**
+ * Parses a possibly escaped CSS string and returns the "pure"
+ * version of it.
+ */
+ protected function expandCSSEscape($string) {
+ // flexibly parse it
+ $ret = '';
+ for ($i = 0, $c = strlen($string); $i < $c; $i++) {
+ if ($string[$i] === '\\') {
+ $i++;
+ if ($i >= $c) {
+ $ret .= '\\';
+ break;
+ }
+ if (ctype_xdigit($string[$i])) {
+ $code = $string[$i];
+ for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
+ if (!ctype_xdigit($string[$i])) break;
+ $code .= $string[$i];
+ }
+ // We have to be extremely careful when adding
+ // new characters, to make sure we're not breaking
+ // the encoding.
+ $char = HTMLPurifier_Encoder::unichr(hexdec($code));
+ if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
+ $ret .= $char;
+ if ($i < $c && trim($string[$i]) !== '') $i--;
+ continue;
+ }
+ if ($string[$i] === "\n") continue;
+ }
+ $ret .= $string[$i];
+ }
+ return $ret;
+ }
+
}
// vim: et sw=4 sts=4
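Review bot: `trim($string[$i])` on the line after the hex-digit loop strips NUL as well as whitespace by its default character list, so a `\0` byte immediately following a hex escape is swallowed together with the escape, whereas only a single whitespace character is meant to be consumed there; `if ($i < $c && trim($string[$i], " \t\n\r\f") !== '') $i--;` makes the intent explicit. The docstring should also spell out the contract the loop implements: a backslash before a non-hex character yields that character literally, a backslash followed by a newline is dropped, up to six hex digits become the corresponding UTF-8 character (dropped when `HTMLPurifier_Encoder::cleanUTF8` rejects it), and a lone trailing backslash is kept. Because the return value is unescaped text, callers that put it back into CSS must re-escape it, which is worth a sentence in the docstring.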
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/ImgRequired.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/ImgRequired.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/ImgRequired.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -24,7 +24,8 @@
if ($src) {
$alt = $config->get('Attr.DefaultImageAlt');
if ($alt === null) {
- $attr['alt'] = basename($attr['src']);
+ // truncate if the alt is too long
+ $attr['alt'] = substr(basename($attr['src']),0,40);
} else {
$attr['alt'] = $alt;
}
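Review bot: `substr(basename($attr['src']),0,40)` cuts by byte, so a multibyte UTF-8 character straddling the 40-byte boundary is split and the generated alt text ends in an invalid sequence; if the validated src can still carry non-ASCII characters at this point (the hunk does not show that), `mb_substr(basename($attr['src']), 0, 40, 'UTF-8')` keeps it well-formed, or the cut should be moved back to a character boundary where mbstring cannot be assumed. The 40 is an unexplained constant; the comment could say `// keep the generated alt text short; 40 chars is an arbitrary cap`. The enclosing transform() starts outside the hunk.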
Added: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/Nofollow.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/Nofollow.php (rev 0)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/Nofollow.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -0,0 +1,45 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds rel="nofollow" to all outbound links. This transform is
+ * only attached if Attr.Nofollow is TRUE.
+ */
+class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform
+{
+ private $parser;
+
+ public function __construct() {
+ $this->parser = new HTMLPurifier_URIParser();
+ }
+
+ public function transform($attr, $config, $context) {
+
+ if (!isset($attr['href'])) {
+ return $attr;
+ }
+
+ // XXX Kind of inefficient
+ $url = $this->parser->parse($attr['href']);
+ $scheme = $url->getSchemeObj($config, $context);
+
+ if ($scheme->browsable && !$url->isLocal($config, $context)) {
+ if (isset($attr['rel'])) {
+ $rels = explode(' ', $attr);
+ if (!in_array('nofollow', $rels)) {
+ $rels[] = 'nofollow';
+ }
+ $attr['rel'] = implode(' ', $rels);
+ } else {
+ $attr['rel'] = 'nofollow';
+ }
+ }
+
+ return $attr;
+
+ }
+
+}
+
+// vim: et sw=4 sts=4
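Review bot: `$rels = explode(' ', $attr);` passes the whole attribute array to `explode()` instead of the rel value; PHP emits a warning and returns no array, the following `in_array()` warns as well, and the existing rel tokens are discarded so the element ends up with `rel="nofollow"` alone. The line should read `$rels = explode(' ', $attr['rel']);`, and `in_array('nofollow', $rels, true)` should compare strictly. A rel value containing several spaces also yields empty tokens from `explode()`, so filtering them out before `implode()` keeps the emitted attribute clean.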
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/SafeParam.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/SafeParam.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/SafeParam.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -19,6 +19,7 @@
public function __construct() {
$this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
+ $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent'));
}
public function transform($attr, $config, $context) {
@@ -33,12 +34,25 @@
case 'allowNetworking':
$attr['value'] = 'internal';
break;
+ case 'allowFullScreen':
+ if ($config->get('HTML.FlashAllowFullScreen')) {
+ $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false';
+ } else {
+ $attr['value'] = 'false';
+ }
+ break;
case 'wmode':
- $attr['value'] = 'window';
+ $attr['value'] = $this->wmode->validate($attr['value'], $config, $context);
break;
case 'movie':
+ case 'src':
+ $attr['name'] = "movie";
$attr['value'] = $this->uri->validate($attr['value'], $config, $context);
break;
+ case 'flashvars':
+ // we're going to allow arbitrary inputs to the SWF, on
+ // the reasoning that it could only hack the SWF, not us.
+ break;
// add other cases to support other param name/value pairs
default:
$attr['name'] = $attr['value'] = null;
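Review bot: `$this->wmode->validate(...)` returns false for a value outside the enum, and the `wmode` case stores that false straight into `$attr['value']`; unless code after the switch (outside this hunk) already handles a false value, restoring the previous default is the safe fallback, `if ($attr['value'] === false) $attr['value'] = 'window';`. In the `allowFullScreen` case `$attr['value'] == 'true'` is a loose comparison where `===` expresses the intent exactly. The `flashvars` comment explains why the value is passed through, but it would help to state plainly that the value receives no validation at all, so a reader does not assume the URI or enum checks of the neighbouring cases apply.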
Added: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/TargetBlank.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/TargetBlank.php (rev 0)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTransform/TargetBlank.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -0,0 +1,38 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds target="blank" to all outbound links. This transform is
+ * only attached if Attr.TargetBlank is TRUE. This works regardless
+ * of whether or not Attr.AllowedFrameTargets
+ */
+class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform
+{
+ private $parser;
+
+ public function __construct() {
+ $this->parser = new HTMLPurifier_URIParser();
+ }
+
+ public function transform($attr, $config, $context) {
+
+ if (!isset($attr['href'])) {
+ return $attr;
+ }
+
+ // XXX Kind of inefficient
+ $url = $this->parser->parse($attr['href']);
+ $scheme = $url->getSchemeObj($config, $context);
+
+ if ($scheme->browsable && !$url->isBenign($config, $context)) {
+ $attr['target'] = 'blank';
+ }
+
+ return $attr;
+
+ }
+
+}
+
+// vim: et sw=4 sts=4
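Review bot: `$attr['target'] = 'blank';` assigns a named browsing context called "blank", not the `_blank` keyword, so links reuse one window named "blank" instead of opening a new one, and the docblock ("Adds target=\"blank\"") repeats the same value; both should read `_blank`. The docblock sentence "This works regardless of whether or not Attr.AllowedFrameTargets" is unfinished; presumably it means the transform applies even when `_blank` is absent from `Attr.AllowedFrameTargets`, which is worth saying because the transform runs after validation. A page opened through `_blank` also receives a `window.opener` reference to the originating page; documenting that this transform does not add a mitigating `rel` token (or adding one) would be a sensible defensive follow-up.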
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTypes.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTypes.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/AttrTypes.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -15,6 +15,13 @@
* types.
*/
public function __construct() {
+ // XXX This is kind of poor, since we don't actually /clone/
+ // instances; instead, we use the supplied make() attribute. So,
+ // the underlying class must know how to deal with arguments.
+ // With the old implementation of Enum, that ignored its
+ // arguments when handling a make dispatch, the IAlign
+ // definition wouldn't work.
+
// pseudo-types, must be instantiated via shorthand
$this->info['Enum'] = new HTMLPurifier_AttrDef_Enum();
$this->info['Bool'] = new HTMLPurifier_AttrDef_HTML_Bool();
@@ -29,6 +36,9 @@
$this->info['URI'] = new HTMLPurifier_AttrDef_URI();
$this->info['LanguageCode'] = new HTMLPurifier_AttrDef_Lang();
$this->info['Color'] = new HTMLPurifier_AttrDef_HTML_Color();
+ $this->info['IAlign'] = self::makeEnum('top,middle,bottom,left,right');
+ $this->info['LAlign'] = self::makeEnum('top,bottom,left,right');
+ $this->info['FrameTarget'] = new HTMLPurifier_AttrDef_HTML_FrameTarget();
// unimplemented aliases
$this->info['ContentType'] = new HTMLPurifier_AttrDef_Text();
@@ -44,6 +54,10 @@
$this->info['Number'] = new HTMLPurifier_AttrDef_Integer(false, false, true);
}
+ private static function makeEnum($in) {
+ return new HTMLPurifier_AttrDef_Clone(new HTMLPurifier_AttrDef_Enum(explode(',', $in)));
+ }
+
/**
* Retrieves a type
* @param $type String type name
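Review bot: `makeEnum()` has no docblock, and since `IAlign`/`LAlign` are built through it rather than with `new HTMLPurifier_AttrDef_Enum(...)` like the surrounding entries, the reason for the `HTMLPurifier_AttrDef_Clone` wrapper should be recorded next to it: `/** Builds an Enum AttrDef from a comma-separated list of allowed values, wrapped in AttrDef_Clone (presumably so make() dispatch copies the definition rather than reusing a shared instance — confirm against AttrDef_Clone). */`. The constructor comment added in the earlier hunk of this file already hints at that motivation, so the two should agree.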
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Bootstrap.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Bootstrap.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/Bootstrap.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -37,7 +37,12 @@
public static function autoload($class) {
$file = HTMLPurifier_Bootstrap::getPath($class);
if (!$file) return false;
- require HTMLPURIFIER_PREFIX . '/' . $file;
+ // Technically speaking, it should be ok and more efficient to
+ // just do 'require', but Antonio Parraga reports that with
+ // Zend extensions such as Zend debugger and APC, this invariant
+ // may be broken. Since we have efficient alternatives, pay
+ // the cost here and avoid the bug.
+ require_once HTMLPURIFIER_PREFIX . '/' . $file;
return true;
}
@@ -65,10 +70,11 @@
if ( ($funcs = spl_autoload_functions()) === false ) {
spl_autoload_register($autoload);
} elseif (function_exists('spl_autoload_unregister')) {
+ $buggy = version_compare(PHP_VERSION, '5.2.11', '<');
$compat = version_compare(PHP_VERSION, '5.1.2', '<=') &&
version_compare(PHP_VERSION, '5.1.0', '>=');
foreach ($funcs as $func) {
- if (is_array($func)) {
+ if ($buggy && is_array($func)) {
// :TRICKY: There are some compatibility issues and some
// places where we need to error out
$reflector = new ReflectionMethod($func[0], $func[1]);
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/CSSDefinition.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/CSSDefinition.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/CSSDefinition.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -219,6 +219,10 @@
$this->doSetupTricky($config);
}
+ if ($config->get('CSS.Trusted')) {
+ $this->doSetupTrusted($config);
+ }
+
$allow_important = $config->get('CSS.AllowImportant');
// wrap all attr-defs with decorator that handles !important
foreach ($this->info as $k => $v) {
@@ -260,6 +264,23 @@
$this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(array('visible', 'hidden', 'auto', 'scroll'));
}
+ protected function doSetupTrusted($config) {
+ $this->info['position'] = new HTMLPurifier_AttrDef_Enum(array(
+ 'static', 'relative', 'absolute', 'fixed'
+ ));
+ $this->info['top'] =
+ $this->info['left'] =
+ $this->info['right'] =
+ $this->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+ new HTMLPurifier_AttrDef_CSS_Length(),
+ new HTMLPurifier_AttrDef_CSS_Percentage(),
+ new HTMLPurifier_AttrDef_Enum(array('auto')),
+ ));
+ $this->info['z-index'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+ new HTMLPurifier_AttrDef_Integer(),
+ new HTMLPurifier_AttrDef_Enum(array('auto')),
+ ));
+ }
/**
* Performs extra config-based processing. Based off of
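Review bot: `doSetupTrusted()` has no docblock, and the properties it enables (`position`, `top`/`left`/`right`/`bottom`, `z-index`) are precisely the ones that let styled content be placed over or outside the host page's own interface, which is why they belong behind `CSS.Trusted`; a comment saying so protects the gate from being relaxed later, e.g. `// Trusted input only: absolute/fixed positioning and z-index let content overlay the host page.`. `z-index` is built from `HTMLPurifier_AttrDef_Integer()` with its default arguments, so whether negative values are accepted depends on defaults this hunk does not show and is worth confirming in the comment.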
@@ -272,20 +293,29 @@
// setup allowed elements
$support = "(for information on implementing this, see the ".
"support forums) ";
- $allowed_attributes = $config->get('CSS.AllowedProperties');
- if ($allowed_attributes !== null) {
+ $allowed_properties = $config->get('CSS.AllowedProperties');
+ if ($allowed_properties !== null) {
foreach ($this->info as $name => $d) {
- if(!isset($allowed_attributes[$name])) unset($this->info[$name]);
- unset($allowed_attributes[$name]);
+ if(!isset($allowed_properties[$name])) unset($this->info[$name]);
+ unset($allowed_properties[$name]);
}
// emit errors
- foreach ($allowed_attributes as $name => $d) {
+ foreach ($allowed_properties as $name => $d) {
// :TODO: Is this htmlspecialchars() call really necessary?
$name = htmlspecialchars($name);
trigger_error("Style attribute '$name' is not supported $support", E_USER_WARNING);
}
}
+ $forbidden_properties = $config->get('CSS.ForbiddenProperties');
+ if ($forbidden_properties !== null) {
+ foreach ($this->info as $name => $d) {
+ if (isset($forbidden_properties[$name])) {
+ unset($this->info[$name]);
+ }
+ }
+ }
+
}
}
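Review bot: With `$allowed_attributes` renamed to `$allowed_properties`, the warning text `"Style attribute '$name' is not supported $support"` still calls the entry an attribute; `"CSS property '$name' is not supported $support"` matches the `CSS.AllowedProperties` key the message is about. The new `CSS.ForbiddenProperties` loop runs after the allow-list pruning, so a name present in both lists is removed, which is the conservative order and deserves a one-line comment such as `// forbidden wins over allowed`.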
Added: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ChildDef/List.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ChildDef/List.php (rev 0)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ChildDef/List.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -0,0 +1,120 @@
+<?php
+
+/**
+ * Definition for list containers ul and ol.
+ */
+class HTMLPurifier_ChildDef_List extends HTMLPurifier_ChildDef
+{
+ public $type = 'list';
+ // lying a little bit, so that we can handle ul and ol ourselves
+ // XXX: This whole business with 'wrap' is all a bit unsatisfactory
+ public $elements = array('li' => true, 'ul' => true, 'ol' => true);
+ public function validateChildren($tokens_of_children, $config, $context) {
+ // Flag for subclasses
+ $this->whitespace = false;
+
+ // if there are no tokens, delete parent node
+ if (empty($tokens_of_children)) return false;
+
+ // the new set of children
+ $result = array();
+
+ // current depth into the nest
+ $nesting = 0;
+
+ // a little sanity check to make sure it's not ALL whitespace
+ $all_whitespace = true;
+
+ $seen_li = false;
+ $need_close_li = false;
+
+ foreach ($tokens_of_children as $token) {
+ if (!empty($token->is_whitespace)) {
+ $result[] = $token;
+ continue;
+ }
+ $all_whitespace = false; // phew, we're not talking about whitespace
+
+ if ($nesting == 1 && $need_close_li) {
+ $result[] = new HTMLPurifier_Token_End('li');
+ $nesting--;
+ $need_close_li = false;
+ }
+
+ $is_child = ($nesting == 0);
+
+ if ($token instanceof HTMLPurifier_Token_Start) {
+ $nesting++;
+ } elseif ($token instanceof HTMLPurifier_Token_End) {
+ $nesting--;
+ }
+
+ if ($is_child) {
+ if ($token->name === 'li') {
+ // good
+ $seen_li = true;
+ } elseif ($token->name === 'ul' || $token->name === 'ol') {
+ // we want to tuck this into the previous li
+ $need_close_li = true;
+ $nesting++;
+ if (!$seen_li) {
+ // create a new li element
+ $result[] = new HTMLPurifier_Token_Start('li');
+ } else {
+ // backtrack until </li> found
+ while(true) {
+ $t = array_pop($result);
+ if ($t instanceof HTMLPurifier_Token_End) {
+ // XXX actually, these invariants could very plausibly be violated
+ // if we are doing silly things with modifying the set of allowed elements.
+ // FORTUNATELY, it doesn't make a difference, since the allowed
+ // elements are hard-coded here!
+ if ($t->name !== 'li') {
+ trigger_error("Only li present invariant violated in List ChildDef", E_USER_ERROR);
+ return false;
+ }
+ break;
+ } elseif ($t instanceof HTMLPurifier_Token_Empty) { // bleagh
+ if ($t->name !== 'li') {
+ trigger_error("Only li present invariant violated in List ChildDef", E_USER_ERROR);
+ return false;
+ }
+ // XXX this should have a helper for it...
+ $result[] = new HTMLPurifier_Token_Start('li', $t->attr, $t->line, $t->col, $t->armor);
+ break;
+ } else {
+ if (!$t->is_whitespace) {
+ trigger_error("Only whitespace present invariant violated in List ChildDef", E_USER_ERROR);
+ return false;
+ }
+ }
+ }
+ }
+ } else {
+ // start wrapping (this doesn't precisely mimic
+ // browser behavior, but what browsers do is kind of
+ // hard to mimic in a standards compliant way
+ // XXX Actually, this has no impact in practice,
+ // because this gets handled earlier. Arguably,
+ // we should rip out all of that processing
+ $result[] = new HTMLPurifier_Token_Start('li');
+ $nesting++;
+ $seen_li = true;
+ $need_close_li = true;
+ }
+ }
+ $result[] = $token;
+ }
+ if ($need_close_li) {
+ $result[] = new HTMLPurifier_Token_End('li');
+ }
+ if (empty($result)) return false;
+ if ($all_whitespace) {
+ return false;
+ }
+ if ($tokens_of_children == $result) return true;
+ return $result;
+ }
+}
+
+// vim: et sw=4 sts=4
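Review bot: The three `trigger_error(..., E_USER_ERROR)` calls inside the backtracking loop abort the whole script when reached; since this ChildDef processes untrusted markup, an input that does violate the stated invariants (the `XXX actually` comment concedes the allowed-element set can be altered) would become a fatal error for the request rather than a dropped node, and `return false` already discards the node, so `E_USER_WARNING` is sufficient. The loop also reads `$t->is_whitespace` on whatever `array_pop()` returns; if `$result` is ever exhausted `$t` is null and a notice precedes the error path, so a `$t === null` check before the `instanceof` chain would make that case explicit. The whitespace test is `!empty($token->is_whitespace)` at the top of the loop but `!$t->is_whitespace` in the backtrack; one form should be used in both places.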
Modified: XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ChildDef/Table.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ChildDef/Table.php 2012-03-18 09:15:30 UTC (rev 9152)
+++ XoopsCore/branches/2.5.x/2.5.5/htdocs/xoops_lib/modules/protector/library/HTMLPurifier/ChildDef/Table.php 2012-03-18 09:31:22 UTC (rev 9153)
@@ -1,7 +1,33 @@
<?php
/**
- * Definition for tables
+ * Definition for tables. The general idea is to extract out all of the
+ * essential bits, and then reconstruct it later.
+ *
+ * This is a bit confusing, because the DTDs and the W3C
+ * validators seem to disagree on the appropriate definition. The
+ * DTD claims:
+ *
+ * (CAPTION?, (COL*|COLGROUP*), THEAD?, TFOOT?, TBODY+)
+ *
+ * But actually, the HTML4 spec then has this to say:
+ *
+ * The TBODY start tag is always required except when the table
+ * contains only one table body and no table head or foot sections.
+ * The TBODY end tag may always be safely omitted.
+ *
+ * So the DTD is kind of wrong. The validator is, unfortunately, kind
+ * of on crack.
+ *
+ * The definition changed again in XHTML1.1; and in my opinion, this
+ * formulation makes the m...