Added %Core.RemoveProcessingInstructions.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-09-18 18:25:18 +00:00 · 2010-06-20 18:26:44 -07:00 · 2010-06-20 18:26:44 -07:00 · 1bed8b6d5f
commit 1bed8b6d5f
parent 33afd7d9e0
6 changed files with 34 additions and 3 deletions
--- a/2
+++ b/2
@ -10,6 +10,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ==========================

 4.1.2, unknown release date
+! Added %Core.RemoveProcessingInstructions, which lets you remove
+  <? ... ?> statements.
 - Fix improper handling of Internet Explorer conditional comments
  by parser.  Thanks zmonteca for reporting.

--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@ -6,7 +6,7 @@
  </file>
  <file name="HTMLPurifier/Lexer.php">
   <line>81</line>
-   <line>269</line>
+   <line>282</line>
  </file>
  <file name="HTMLPurifier/Lexer/DirectLex.php">
   <line>53</line>
@ -149,7 +149,7 @@
   <line>202</line>
  </file>
  <file name="HTMLPurifier/Lexer.php">
-   <line>258</line>
+   <line>269</line>
  </file>
  <file name="HTMLPurifier/HTMLModule/Image.php">
   <line>27</line>
@ -211,7 +211,12 @@
 </directive>
 <directive id="Core.ConvertDocumentToFragment">
  <file name="HTMLPurifier/Lexer.php">
-   <line>267</line>
+   <line>280</line>
+  </file>
+ </directive>
+ <directive id="Core.RemoveProcessingInstructions">
+  <file name="HTMLPurifier/Lexer.php">
+   <line>301</line>
  </file>
 </directive>
 <directive id="URI.">
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt
@ -0,0 +1,11 @@
+Core.RemoveProcessingInstructions
+TYPE: bool
+VERSION: 4.1.2
+DEFAULT: false
+--DESCRIPTION--
+Instead of escaping processing instructions in the form <code>&lt;? ...
+?&gt;</code>, remove it out-right.  This may be useful if the HTML
+you are validating contains XML processing instruction gunk, however,
+it can also be user-unfriendly for people attempting to post PHP
+snippets.
+--# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/Lexer.php
+++ b/library/HTMLPurifier/Lexer.php
@ -297,6 +297,11 @@ class HTMLPurifier_Lexer
        // represent non-SGML characters (horror, horror!)
        $html = HTMLPurifier_Encoder::cleanUTF8($html);

+        // if processing instructions are to removed, remove them now
+        if ($config->get('Core.RemoveProcessingInstructions')) {
+            $html = preg_replace('#<\?.+?\?>#s', '', $html);
+        }
+
        return $html;
    }

--- a/tests/HTMLPurifier/LexerTest.php
+++ b/tests/HTMLPurifier/LexerTest.php
@ -717,6 +717,14 @@ div {}
        );
    }

+    function test_tokenizeHTML_removeProcessingInstruction() {
+        $this->config->set('Core.RemoveProcessingInstructions', true);
+        $this->assertTokenization(
+            '<?xml blah blah ?>',
+            array()
+        );
+    }
+
    /*

    function test_tokenizeHTML_() {