
[3.1.1] Fix stray backslashes in font-family.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1768 48356398-32a2-884e-a903-53898d9a118a
Edward Z. Yang 2008-05-24 18:19:36 +00:00
parent c7e172f660
commit 10530d7f81
4 changed files with 7 additions and 4 deletions

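--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 manifest in token until end of operations. This prevents naughty internal
 code from directly modifying CurrentToken when they're not supposed to.
 - Percent encoding checks enabled for URI query and fragment
+- Fix stray backslashes in font-family
 . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient
 handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses
 this class.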


@ -35,9 +35,11 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
$quote = $font[0]; $quote = $font[0];
if ($font[$length - 1] !== $quote) continue; if ($font[$length - 1] !== $quote) continue;
$font = substr($font, 1, $length - 2); $font = substr($font, 1, $length - 2);
// double-backslash processing is buggy // double-backslash processing is buggy. Namely, it doesn't allow
// fonts that contain an adjacent quote, backslash, or comma
$font = str_replace("\\$quote", $quote, $font); // de-escape quote $font = str_replace("\\$quote", $quote, $font); // de-escape quote
$font = str_replace("\\\n", "\n", $font); // de-escape newlines $font = str_replace("\\\n", '', $font); // de-escape newlines
$font = str_replace("\\\\", "\\", $font); // de-escape double backslashes
} }
// $font is a pure representation of the font name // $font is a pure representation of the font name
@ -50,8 +52,8 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
// complicated font, requires quoting // complicated font, requires quoting
// armor single quotes and new lines // armor single quotes and new lines
$font = str_replace("\\", "\\\\", $font);
$font = str_replace("'", "\\'", $font); $font = str_replace("'", "\\'", $font);
$font = str_replace("\n", "\\\n", $font);
$final .= "'$font', "; $final .= "'$font', ";
} }
$final = rtrim($final, ', '); $final = rtrim($final, ', ');
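Review bot: The new de-escaping still runs as three independent str_replace passes (backslash-quote, then backslash-newline, then double backslash), so for adjacent escapes the pass order decides the result: the content `\\` followed by a newline — an escaped backslash and then a literal newline — is consumed by the line-continuation replacement on the second changed line before the added double-backslash line ever sees it, leaving a lone `\` and silently dropping the newline. The comment added at the top of the hunk already names adjacent quote/backslash/comma as the remaining gap; a single left-to-right scan that consumes each escape exactly once closes that whole class instead of the one case the new test pins. For a sanitizer the parse here and the re-quoting in the second hunk (which doubles backslashes and quotes) need to be exact inverses, otherwise the normalized output is not a faithful re-encoding of the value that was accepted. The enclosing method starts before the first hunk and continues past the second.
```php
// … unchanged: quote detection and the substr() that strips the quotes …
// One left-to-right pass: each backslash escape is consumed exactly once, so an
// escaped backslash can never be re-read as the start of a second escape.
$unescaped = '';
for ($i = 0, $n = strlen($font); $i < $n; $i++) {
    $c = $font[$i];
    if ($c !== "\\" || $i + 1 >= $n) { $unescaped .= $c; continue; }
    $next = $font[++$i];
    if ($next === "\n") continue;                         // backslash-newline is a line continuation: removed
    if ($next === "\\" || $next === $quote) { $unescaped .= $next; continue; }
    $unescaped .= $c . $next;                              // any other escape is left as written, as before
}
$font = $unescaped;
// … unchanged: rest of the loop body …
```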


@ -17,6 +17,7 @@ class HTMLPurifier_AttrDef_CSS_FontFamilyTest extends HTMLPurifier_AttrDefHarnes
$this->assertDef("John's Font", $d); $this->assertDef("John's Font", $d);
$this->assertDef($d = "'\xE5\xAE\x8B\xE4\xBD\x93'"); $this->assertDef($d = "'\xE5\xAE\x8B\xE4\xBD\x93'");
$this->assertDef("\xE5\xAE\x8B\xE4\xBD\x93", $d); $this->assertDef("\xE5\xAE\x8B\xE4\xBD\x93", $d);
$this->assertDef("'\\','f'", "'\\\\', f");
} }
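Review bot: The added assertion pins the input `'\','f'` to the output `'\\', f`, which treats the comma as a font separator even though under CSS string rules the `\'` before it is an escaped quote and the first string would not end there; presumably the comma split happens before quote handling, outside this hunk. If that divergence from browser tokenization is intended, a comment on the assertion such as `// comma split is applied before escape handling; the output must still be well-formed` would save the next reader the analysis. A second case with an escaped backslash immediately followed by a newline would also pin the order of the de-escape passes, which is what this fix changes.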


@ -26,7 +26,6 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
// escaping // escaping
$this->assertDef("url(http://www.example.com/foo,bar\))", $this->assertDef("url(http://www.example.com/foo,bar\))",
"url(http://www.example.com/foo\,bar\))"); "url(http://www.example.com/foo\,bar\))");
} }
} }