2006-08-16 17:25:25 +00:00
|
|
|
<?php
|
|
|
|
|
2006-08-20 21:47:15 +00:00
|
|
|
/**
|
|
|
|
* Validates a font family list according to CSS spec
|
2008-02-11 00:27:35 +00:00
|
|
|
* @todo whitelisting allowed fonts would be nice
|
2006-08-20 21:47:15 +00:00
|
|
|
*/
|
2007-02-14 20:38:51 +00:00
|
|
|
class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
|
2006-08-16 17:25:25 +00:00
|
|
|
{
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-01-05 00:10:43 +00:00
|
|
|
public function validate($string, $config, $context) {
|
2007-05-20 17:23:09 +00:00
|
|
|
static $generic_names = array(
|
|
|
|
'serif' => true,
|
|
|
|
'sans-serif' => true,
|
|
|
|
'monospace' => true,
|
|
|
|
'fantasy' => true,
|
|
|
|
'cursive' => true
|
|
|
|
);
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2006-08-16 17:25:25 +00:00
|
|
|
// assume that no font names contain commas in them
|
|
|
|
$fonts = explode(',', $string);
|
|
|
|
$final = '';
|
|
|
|
foreach($fonts as $font) {
|
|
|
|
$font = trim($font);
|
|
|
|
if ($font === '') continue;
|
|
|
|
// match a generic name
|
2007-05-20 17:23:09 +00:00
|
|
|
if (isset($generic_names[$font])) {
|
2006-08-16 17:25:25 +00:00
|
|
|
$final .= $font . ', ';
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
// match a quoted name
|
|
|
|
if ($font[0] === '"' || $font[0] === "'") {
|
|
|
|
$length = strlen($font);
|
|
|
|
if ($length <= 2) continue;
|
|
|
|
$quote = $font[0];
|
|
|
|
if ($font[$length - 1] !== $quote) continue;
|
|
|
|
$font = substr($font, 1, $length - 2);
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-05-25 05:40:20 +00:00
|
|
|
$new_font = '';
|
|
|
|
for ($i = 0, $c = strlen($font); $i < $c; $i++) {
|
|
|
|
if ($font[$i] === '\\') {
|
|
|
|
$i++;
|
|
|
|
if ($i >= $c) {
|
|
|
|
$new_font .= '\\';
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (ctype_xdigit($font[$i])) {
|
|
|
|
$code = $font[$i];
|
|
|
|
for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
|
|
|
|
if (!ctype_xdigit($font[$i])) break;
|
|
|
|
$code .= $font[$i];
|
|
|
|
}
|
2008-05-26 21:27:52 +00:00
|
|
|
// We have to be extremely careful when adding
|
|
|
|
// new characters, to make sure we're not breaking
|
|
|
|
// the encoding.
|
2008-05-25 05:40:20 +00:00
|
|
|
$char = HTMLPurifier_Encoder::unichr(hexdec($code));
|
2008-05-26 21:27:52 +00:00
|
|
|
if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
|
2008-05-25 05:40:20 +00:00
|
|
|
$new_font .= $char;
|
|
|
|
if ($i < $c && trim($font[$i]) !== '') $i--;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if ($font[$i] === "\n") continue;
|
|
|
|
}
|
|
|
|
$new_font .= $font[$i];
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-05-25 05:40:20 +00:00
|
|
|
$font = $new_font;
|
2006-08-16 17:25:25 +00:00
|
|
|
}
|
2007-08-03 02:48:52 +00:00
|
|
|
// $font is a pure representation of the font name
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-05-26 04:35:12 +00:00
|
|
|
if (ctype_alnum($font) && $font !== '') {
|
2006-08-16 17:25:25 +00:00
|
|
|
// very simple font, allow it in unharmed
|
|
|
|
$final .= $font . ', ';
|
|
|
|
continue;
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-03 02:48:52 +00:00
|
|
|
// complicated font, requires quoting
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-03 02:48:52 +00:00
|
|
|
// armor single quotes and new lines
|
2008-05-24 18:19:36 +00:00
|
|
|
$font = str_replace("\\", "\\\\", $font);
|
2007-08-03 02:48:52 +00:00
|
|
|
$font = str_replace("'", "\\'", $font);
|
|
|
|
$final .= "'$font', ";
|
2006-08-16 17:25:25 +00:00
|
|
|
}
|
|
|
|
$final = rtrim($final, ', ');
|
|
|
|
if ($final === '') return false;
|
|
|
|
return $final;
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2006-08-16 17:25:25 +00:00
|
|
|
}
|
|
|
|
|