[3.1.0] Support for display/visibility CSS with %CSS.AllowTricky

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1579 48356398-32a2-884e-a903-53898d9a118a
2025-01-03 05:11:52 +00:00 · 2008-02-25 22:05:49 +00:00 · 2008-02-25 22:05:49 +00:00 · 2cc535ad84
commit 2cc535ad84
parent 30eb982961
5 changed files with 35 additions and 1 deletions
--- a/2
+++ b/2
@ -31,6 +31,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
  demands them.
 ! Support for !important CSS cascade modifier. By default, this will be stripped
  from CSS, but you can enable it using %CSS.AllowImportant
+! Support for display and visibility CSS properties added, set %CSS.AllowTricky
+  to true to use them.
 - Autoclose now operates iteratively, i.e. <span><span><div> now has
  both span tags closed.
 - Various HTMLPurifier_Config convenience functions now accept another parameter
--- a/library/HTMLPurifier/CSSDefinition.php
+++ b/library/HTMLPurifier/CSSDefinition.php
@ -202,6 +202,10 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            $this->doSetupProprietary($config);
        }
        
+        if ($config->get('CSS', 'AllowTricky')) {
+            $this->doSetupTricky($config);
+        }
+        
        $allow_important = $config->get('CSS', 'AllowImportant');
        // wrap all attr-defs with decorator that handles !important
        foreach ($this->info as $k => $v) {
@ -229,5 +233,17 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        
    }
    
+    protected function doSetupTricky($config) {
+        $this->info['display'] = new HTMLPurifier_AttrDef_Enum(array(
+            'inline', 'block', 'list-item', 'run-in', 'compact',
+            'marker', 'table', 'inline-table', 'table-row-group',
+            'table-header-group', 'table-footer-group', 'table-row',
+            'table-column-group', 'table-column', 'table-cell', 'table-caption', 'none'
+        ));
+        $this->info['visibility'] = new HTMLPurifier_AttrDef_Enum(array(
+            'visible', 'hidden', 'collapse'
+        ));
+    }
+    
 }

--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt
@ -0,0 +1,10 @@
+CSS.AllowTricky
+TYPE: bool
+DEFAULT: false
+VERSION: 3.1.0
+--DESCRIPTION--
+This parameter determines whether or not to allow "tricky" CSS properties and
+values. Tricky CSS properties/values can drastically modify page layout or
+be used for deceptive practices but do not directly constitute a security risk.
+For example, <code>display:none;</code> is considered a tricky property that
+will only be allowed if this directive is set to true.
--- a/tests/HTMLPurifier/AttrDef/CSSTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSSTest.php
@ -137,5 +137,11 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('float:left !important;');
    }
    
+    function testTricky() {
+        $this->config->set('CSS', 'AllowTricky', true);
+        $this->assertDef('display:none;');
+        $this->assertDef('visibility:visible;');
+    }
+    
 }