0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-01-03 05:11:52 +00:00

[3.1.0] Support for display/visibility CSS with %CSS.AllowTricky

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1579 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2008-02-25 22:05:49 +00:00
parent 30eb982961
commit 2cc535ad84
5 changed files with 35 additions and 1 deletions

2
NEWS
View File

@ -31,6 +31,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
demands them.
! Support for !important CSS cascade modifier. By default, this will be stripped
from CSS, but you can enable it using %CSS.AllowImportant
! Support for display and visibility CSS properties added, set %CSS.AllowTricky
to true to use them.
- Autoclose now operates iteratively, i.e. <span><span><div> now has
both span tags closed.
- Various HTMLPurifier_Config convenience functions now accept another parameter

View File

@ -202,6 +202,10 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
$this->doSetupProprietary($config);
}
if ($config->get('CSS', 'AllowTricky')) {
$this->doSetupTricky($config);
}
$allow_important = $config->get('CSS', 'AllowImportant');
// wrap all attr-defs with decorator that handles !important
foreach ($this->info as $k => $v) {
@ -229,5 +233,17 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
}
protected function doSetupTricky($config) {
$this->info['display'] = new HTMLPurifier_AttrDef_Enum(array(
'inline', 'block', 'list-item', 'run-in', 'compact',
'marker', 'table', 'inline-table', 'table-row-group',
'table-header-group', 'table-footer-group', 'table-row',
'table-column-group', 'table-column', 'table-cell', 'table-caption', 'none'
));
$this->info['visibility'] = new HTMLPurifier_AttrDef_Enum(array(
'visible', 'hidden', 'collapse'
));
}
}

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,10 @@
CSS.AllowTricky
TYPE: bool
DEFAULT: false
VERSION: 3.1.0
--DESCRIPTION--
This parameter determines whether or not to allow "tricky" CSS properties and
values. Tricky CSS properties/values can drastically modify page layout or
be used for deceptive practices but do not directly constitute a security risk.
For example, <code>display:none;</code> is considered a tricky property that
will only be allowed if this directive is set to true.

View File

@ -137,5 +137,11 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
$this->assertDef('float:left !important;');
}
function testTricky() {
$this->config->set('CSS', 'AllowTricky', true);
$this->assertDef('display:none;');
$this->assertDef('visibility:visible;');
}
}