From 4b862f64e63a07932696affe28f1eaabdc9f6134 Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Mon, 28 Apr 2008 01:35:07 +0000 Subject: [PATCH] [3.1.0] Fix ScriptRequired bug with trusted installs - Generator now takes $config and $context during instantiation - Double quotes outside of attributes are not escaped git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1700 48356398-32a2-884e-a903-53898d9a118a --- NEWS | 4 + TODO | 2 + configdoc/usage.xml | 14 +- library/HTMLPurifier.includes.php | 1 + library/HTMLPurifier.php | 8 +- library/HTMLPurifier.safe-includes.php | 1 + .../AttrTransform/ScriptRequired.php | 14 + library/HTMLPurifier/Generator.php | 109 ++++---- library/HTMLPurifier/HTMLModule/Scripting.php | 13 - tests/HTMLPurifier/ComplexHarness.php | 9 +- tests/HTMLPurifier/GeneratorTest.php | 240 ++++++++++-------- 11 files changed, 227 insertions(+), 188 deletions(-) create mode 100644 library/HTMLPurifier/AttrTransform/ScriptRequired.php diff --git a/NEWS b/NEWS index 6ca5d2d8..0e787c9e 100644 --- a/NEWS +++ b/NEWS @@ -43,12 +43,16 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier - Missing (or null) in configdoc documentation restored - If DOM throws and exception during parsing with PH5P (occurs in newer versions of DOM), HTML Purifier punts to DirectLex +- Fatal error with unserialization of ScriptRequired . Out-of-date documentation revised . UTF-8 encoding check optimization as suggested by Diego . HTMLPurifier_Error removed in favor of exceptions . More copy() function removed; should use clone instead . More extensive unit tests for HTMLDefinition . assertPurification moved to central harness +. HTMLPurifier_Generator accepts $config and $context parameters during + instantiation, not runtime +. Double-quotes outside of attribute values are now unescaped 3.1.0rc1, released 2008-04-22 # Autoload support added. Internal require_once's removed in favor of an diff --git a/TODO b/TODO index bfd5a269..b4e436f2 100644 --- a/TODO +++ b/TODO 
@@ -13,6 +13,8 @@ afraid to cast your vote for the next feature to be implemented! - Get PH5P working with the latest versions of DOM, which have much more stringent error checking procedures. Maybe convert straight to tokens. + - Figure out what to do with $this->config configuration object calls + in the scanner FUTURE VERSIONS --------------- diff --git a/configdoc/usage.xml b/configdoc/usage.xml index 19e2f621..286f8d16 100644 --- a/configdoc/usage.xml +++ b/configdoc/usage.xml @@ -2,7 +2,7 @@ - 132 + 131 85 @@ -91,17 +91,7 @@ - 37 - - - - - 58 - - - - - 83 + 41 diff --git a/library/HTMLPurifier.includes.php b/library/HTMLPurifier.includes.php index e7ba0cc1..5b73fc5e 100644 --- a/library/HTMLPurifier.includes.php +++ b/library/HTMLPurifier.includes.php @@ -116,6 +116,7 @@ require 'HTMLPurifier/AttrTransform/ImgSpace.php'; require 'HTMLPurifier/AttrTransform/Lang.php'; require 'HTMLPurifier/AttrTransform/Length.php'; require 'HTMLPurifier/AttrTransform/Name.php'; +require 'HTMLPurifier/AttrTransform/ScriptRequired.php'; require 'HTMLPurifier/ChildDef/Chameleon.php'; require 'HTMLPurifier/ChildDef/Custom.php'; require 'HTMLPurifier/ChildDef/Empty.php'; diff --git a/library/HTMLPurifier.php b/library/HTMLPurifier.php index 91008f42..8e962be1 100644 --- a/library/HTMLPurifier.php +++ b/library/HTMLPurifier.php @@ -90,7 +90,6 @@ class HTMLPurifier $this->config = HTMLPurifier_Config::create($config); $this->strategy = new HTMLPurifier_Strategy_Core(); - $this->generator = new HTMLPurifier_Generator(); } @@ -124,8 +123,8 @@ class HTMLPurifier $context = new HTMLPurifier_Context(); - // our friendly neighborhood generator, all primed with configuration too! - $this->generator->generateFromTokens(array(), $config, $context); + // setup HTML generator + $this->generator = new HTMLPurifier_Generator($config, $context); $context->register('Generator', $this->generator); // set up global context variables 
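Review bot: After this hunk `$this->generator` is assigned only inside the purifying method, because the first hunk of this file removes the constructor's `new HTMLPurifier_Generator()`. The property is therefore unset until the first call and is replaced on every call after that. This fits a generator that is bound to the per-call `$config` and `$context`, but the new comment `// setup HTML generator` does not say so; I would write `// generator is rebuilt on every call: it is bound to this call's $config/$context and must not be reused across configurations`. Code that needs the generator outside this method (none is visible here) should fetch it from the context under the 'Generator' key registered on the next line rather than read the property. The enclosing method starts and ends outside the hunk.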
@@ -178,8 +177,7 @@ class HTMLPurifier $html, $config, $context ), $config, $context - ), - $config, $context + ) ); for ($i = $filter_size - 1; $i >= 0; $i--) { diff --git a/library/HTMLPurifier.safe-includes.php b/library/HTMLPurifier.safe-includes.php index 4ae5ea7d..4273da36 100644 --- a/library/HTMLPurifier.safe-includes.php +++ b/library/HTMLPurifier.safe-includes.php @@ -110,6 +110,7 @@ require_once $__dir . '/HTMLPurifier/AttrTransform/ImgSpace.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php'; require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php'; +require_once $__dir . '/HTMLPurifier/AttrTransform/ScriptRequired.php'; require_once $__dir . '/HTMLPurifier/ChildDef/Chameleon.php'; require_once $__dir . '/HTMLPurifier/ChildDef/Custom.php'; require_once $__dir . '/HTMLPurifier/ChildDef/Empty.php'; diff --git a/library/HTMLPurifier/AttrTransform/ScriptRequired.php b/library/HTMLPurifier/AttrTransform/ScriptRequired.php new file mode 100644 index 00000000..cc18b7e9 --- /dev/null +++ b/library/HTMLPurifier/AttrTransform/ScriptRequired.php @@ -0,0 +1,14 @@ + + */ +class HTMLPurifier_AttrTransform_ScriptRequired extends HTMLPurifier_AttrTransform +{ + public function transform($attr, $config, $context) { + if (!isset($attr['type'])) { + $attr['type'] = 'text/javascript'; + } + return $attr; + } +} diff --git a/library/HTMLPurifier/Generator.php b/library/HTMLPurifier/Generator.php index 97e8e526..736772da 100644 --- a/library/HTMLPurifier/Generator.php +++ b/library/HTMLPurifier/Generator.php 
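Review bot: Callers that still pass `$config, $context` to generateFromTokens() will not fail after this change, because PHP silently discards surplus arguments to user-defined functions; their config is simply ignored in favour of the one given at construction. For a sanitizer this matters, since output-affecting settings can then differ from what the caller believes it asked for. The call site in this hunk is updated correctly, but the method itself is in Generator.php and not fully visible here. During the transition I would add a guard there such as `if (func_num_args() > 1) trigger_error('generateFromTokens() no longer accepts $config/$context', E_USER_WARNING);` and state the new contract in the method's docblock.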
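Review bot: No test accompanies the new HTMLPurifier_AttrTransform_ScriptRequired class: the diffstat lists only ComplexHarness.php and GeneratorTest.php under tests/, yet NEWS describes the fix as a fatal error on unserialization of ScriptRequired, a failure that returns unnoticed if the class is moved or dropped from the include lists again. A test that round-trips a definition containing this transform through serialize/unserialize, and one asserting that `transform()` adds `type` only when it is absent, would pin both behaviours. Separately, `isset($attr['type'])` treats an empty string as present, so `type=""` passes through unchanged; whether later validation rejects it is not visible in this hunk. Since the class exists to support `<script>` output, a comment such as `// Used by the Scripting module only; that module is meant for trusted input` would help readers judge its exposure, assuming that matches HTMLModule/Scripting.php, which is not shown here.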
@@ -11,78 +11,79 @@ class HTMLPurifier_Generator { /** - * Bool cache of %HTML.XHTML + * Whether or not generator should produce XML output */ private $_xhtml = true; /** - * Bool cache of %Output.CommentScriptContents + * :HACK: Whether or not generator should comment the insides of " ); - - // if missing close tag, don't do anything + } + + function test_generateFromTokens_Scripting_missingCloseTag() { $this->assertGeneration( array( new HTMLPurifier_Token_Start('script'), @@ -145,8 +182,9 @@ class HTMLPurifier_GeneratorTest extends HTMLPurifier_ComplexHarness ), "" ); - - - - $this->config = HTMLPurifier_Config::createDefault(); + } + + function test_generateFromTokens_Scripting_disableWrapper() { $this->config->set('Output', 'CommentScriptContents', false); - $this->assertGeneration( array( new HTMLPurifier_Token_Start('script'),