mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-22 08:21:52 +00:00
Exported configuration values!
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1537 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
parent
3d56c1253b
commit
4c502b25f2
@ -268,3 +268,10 @@ Backwards-compatibility
|
||||
I expect that the ConfigSchema methods should stick around for a little bit,
|
||||
but display E_USER_NOTICE warnings that they are deprecated. This will
|
||||
require documentation!
|
||||
|
||||
New stuff
|
||||
---------
|
||||
|
||||
VERSION: Version number directive was introduced
|
||||
DEPRECATED-VERSION: If the directive was deprecated, when was it deprecated?
|
||||
DEPRECATED-USE: If the directive was deprecated, what should the user use now?
|
||||
|
@ -0,0 +1,11 @@
|
||||
Attr.AllowedFrameTargets
|
||||
TYPE: lookup
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
Lookup table of all allowed link frame targets. Some commonly used link
|
||||
targets include _blank, _self, _parent and _top. Values should be
|
||||
lowercase, as validation will be done in a case-sensitive manner despite
|
||||
W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute
|
||||
so this directive will have no effect in that doctype. XHTML 1.1 does not
|
||||
enable the Target module by default, you will have to manually enable it
|
||||
(see the module documentation for more details.)
|
8
library/HTMLPurifier/ConfigSchema/Attr.AllowedRel.txt
Normal file
8
library/HTMLPurifier/ConfigSchema/Attr.AllowedRel.txt
Normal file
@ -0,0 +1,8 @@
|
||||
Attr.AllowedRel
|
||||
TYPE: lookup
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of allowed forward document relationships in the rel attribute. Common
|
||||
values may be nofollow or print. By default, this is empty, meaning that no
|
||||
document relationships are allowed.
|
8
library/HTMLPurifier/ConfigSchema/Attr.AllowedRev.txt
Normal file
8
library/HTMLPurifier/ConfigSchema/Attr.AllowedRev.txt
Normal file
@ -0,0 +1,8 @@
|
||||
Attr.AllowedRev
|
||||
TYPE: lookup
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of allowed reverse document relationships in the rev attribute. This
|
||||
attribute is a bit of an edge-case; if you don't know what it is for, stay
|
||||
away.
|
@ -0,0 +1,8 @@
|
||||
Attr.DefaultInvalidImage
|
||||
TYPE: string
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
This is the default image an img tag will be pointed to if it does not have
|
||||
a valid src attribute. In future versions, we may allow the image tag to
|
||||
be removed completely, but due to design issues, this is not possible right
|
||||
now.
|
@ -0,0 +1,7 @@
|
||||
Attr.DefaultInvalidImageAlt
|
||||
TYPE: string
|
||||
DEFAULT: 'Invalid image'
|
||||
--DESCRIPTION--
|
||||
This is the content of the alt tag of an invalid image if the user had not
|
||||
previously specified an alt attribute. It has no effect when the image is
|
||||
valid but there was no alt attribute present.
|
@ -0,0 +1,9 @@
|
||||
Attr.DefaultTextDir
|
||||
TYPE: string
|
||||
DEFAULT: 'ltr'
|
||||
--DESCRIPTION--
|
||||
Defines the default text direction (ltr or rtl) of the document being
|
||||
parsed. This generally is the same as the value of the dir attribute in
|
||||
HTML, or ltr if that is not specified.
|
||||
--ALLOWED--
|
||||
'ltr', 'rtl'
|
15
library/HTMLPurifier/ConfigSchema/Attr.EnableID.txt
Normal file
15
library/HTMLPurifier/ConfigSchema/Attr.EnableID.txt
Normal file
@ -0,0 +1,15 @@
|
||||
Attr.EnableID
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 1.2.0
|
||||
--DESCRIPTION--
|
||||
Allows the ID attribute in HTML. This is disabled by default due to the
|
||||
fact that without proper configuration user input can easily break the
|
||||
validation of a webpage by specifying an ID that is already on the
|
||||
surrounding HTML. If you don't mind throwing caution to the wind, enable
|
||||
this directive, but I strongly recommend you also consider blacklisting IDs
|
||||
you use (%Attr.IDBlacklist) or prefixing all user supplied IDs
|
||||
(%Attr.IDPrefix). When set to true HTML Purifier reverts to the behavior of
|
||||
pre-1.2.0 versions.
|
||||
--ALIASES--
|
||||
HTML.EnableAttrID
|
4
library/HTMLPurifier/ConfigSchema/Attr.IDBlacklist.txt
Normal file
4
library/HTMLPurifier/ConfigSchema/Attr.IDBlacklist.txt
Normal file
@ -0,0 +1,4 @@
|
||||
Attr.IDBlacklist
|
||||
TYPE: list
|
||||
DEFAULT: array()
|
||||
DESCRIPTION: Array of IDs not allowed in the document.
|
@ -0,0 +1,8 @@
|
||||
Attr.IDBlacklistRegexp
|
||||
TYPE: string
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
PCRE regular expression to be matched against all IDs. If the expression is
|
||||
matches, the ID is rejected. Use this with care: may cause significant
|
||||
degradation. ID matching is done after all other validation.
|
11
library/HTMLPurifier/ConfigSchema/Attr.IDPrefix.txt
Normal file
11
library/HTMLPurifier/ConfigSchema/Attr.IDPrefix.txt
Normal file
@ -0,0 +1,11 @@
|
||||
Attr.IDPrefix
|
||||
TYPE: string
|
||||
VERSION: 1.2.0
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
String to prefix to IDs. If you have no idea what IDs your pages may use,
|
||||
you may opt to simply add a prefix to all user-submitted ID attributes so
|
||||
that they are still usable, but will not conflict with core page IDs.
|
||||
Example: setting the directive to 'user_' will result in a user submitted
|
||||
'foo' to become 'user_foo' Be sure to set %HTML.EnableAttrID to true
|
||||
before using this.
|
13
library/HTMLPurifier/ConfigSchema/Attr.IDPrefixLocal.txt
Normal file
13
library/HTMLPurifier/ConfigSchema/Attr.IDPrefixLocal.txt
Normal file
@ -0,0 +1,13 @@
|
||||
Attr.IDPrefixLocal
|
||||
TYPE: string
|
||||
VERSION: 1.2.0
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
Temporary prefix for IDs used in conjunction with %Attr.IDPrefix. If you
|
||||
need to allow multiple sets of user content on web page, you may need to
|
||||
have a seperate prefix that changes with each iteration. This way,
|
||||
seperately submitted user content displayed on the same page doesn't
|
||||
clobber each other. Ideal values are unique identifiers for the content it
|
||||
represents (i.e. the id of the row in the database). Be sure to add a
|
||||
seperator (like an underscore) at the end. Warning: this directive will
|
||||
not work unless %Attr.IDPrefix is set to a non-empty value!
|
2
library/HTMLPurifier/ConfigSchema/Attr.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/Attr.txt
Normal file
@ -0,0 +1,2 @@
|
||||
Attr
|
||||
DESCRIPTION: Features regarding attribute validation.
|
@ -0,0 +1,30 @@
|
||||
AutoFormat.AutoParagraph
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive turns on auto-paragraphing, where double newlines are
|
||||
converted in to paragraphs whenever possible. Auto-paragraphing:
|
||||
</p>
|
||||
<ul>
|
||||
<li>Always applies to inline elements or text in the root node,</li>
|
||||
<li>Applies to inline elements or text with double newlines in nodes
|
||||
that allow paragraph tags,</li>
|
||||
<li>Applies to double newlines in paragraph tags</li>
|
||||
</ul>
|
||||
<p>
|
||||
<code>p</code> tags must be allowed for this directive to take effect.
|
||||
We do not use <code>br</code> tags for paragraphing, as that is
|
||||
semantically incorrect.
|
||||
</p>
|
||||
<p>
|
||||
To prevent auto-paragraphing as a content-producer, refrain from using
|
||||
double-newlines except to specify a new paragraph or in contexts where
|
||||
it has special meaning (whitespace usually has no meaning except in
|
||||
tags like <code>pre</code>, so this should not be difficult.) To prevent
|
||||
the paragraphing of inline text adjacent to block elements, wrap them
|
||||
in <code>div</code> tags (the behavior is slightly different outside of
|
||||
the root node.)
|
||||
</p>
|
12
library/HTMLPurifier/ConfigSchema/AutoFormat.Custom.txt
Normal file
12
library/HTMLPurifier/ConfigSchema/AutoFormat.Custom.txt
Normal file
@ -0,0 +1,12 @@
|
||||
AutoFormat.Custom
|
||||
TYPE: list
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive can be used to add custom auto-format injectors.
|
||||
Specify an array of injector names (class name minus the prefix)
|
||||
or concrete implementations. Injector class must exist.
|
||||
</p>
|
||||
|
12
library/HTMLPurifier/ConfigSchema/AutoFormat.Linkify.txt
Normal file
12
library/HTMLPurifier/ConfigSchema/AutoFormat.Linkify.txt
Normal file
@ -0,0 +1,12 @@
|
||||
AutoFormat.Linkify
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive turns on linkification, auto-linking http, ftp and
|
||||
https URLs. <code>a</code> tags with the <code>href</code> attribute
|
||||
must be allowed.
|
||||
</p>
|
||||
|
@ -0,0 +1,12 @@
|
||||
AutoFormat.PurifierLinkify
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Internal auto-formatter that converts configuration directives in
|
||||
syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags
|
||||
with the <code>href</code> attribute must be allowed.
|
||||
</p>
|
||||
|
2
library/HTMLPurifier/ConfigSchema/AutoFormat.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/AutoFormat.txt
Normal file
@ -0,0 +1,2 @@
|
||||
AutoFormat
|
||||
DESCRIPTION: Configuration for activating auto-formatting functionality (also known as <code>Injector</code>s)
|
@ -0,0 +1,12 @@
|
||||
AutoFormatParam.PurifierLinkifyDocURL
|
||||
TYPE: string
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: '#%s'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Location of configuration documentation to link to, let %s substitute
|
||||
into the configuration's namespace and directive names sans the percent
|
||||
sign.
|
||||
</p>
|
||||
|
2
library/HTMLPurifier/ConfigSchema/AutoFormatParam.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/AutoFormatParam.txt
Normal file
@ -0,0 +1,2 @@
|
||||
AutoFormatParam
|
||||
DESCRIPTION: Configuration for customizing auto-formatting functionality
|
11
library/HTMLPurifier/ConfigSchema/CSS.DefinitionRev.txt
Normal file
11
library/HTMLPurifier/ConfigSchema/CSS.DefinitionRev.txt
Normal file
@ -0,0 +1,11 @@
|
||||
CSS.DefinitionRev
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 1
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Revision identifier for your custom definition. See
|
||||
%HTML.DefinitionRev for details.
|
||||
</p>
|
||||
|
10
library/HTMLPurifier/ConfigSchema/CSS.Proprietary.txt
Normal file
10
library/HTMLPurifier/ConfigSchema/CSS.Proprietary.txt
Normal file
@ -0,0 +1,10 @@
|
||||
CSS.Proprietary
|
||||
TYPE: bool
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Whether or not to allow safe, proprietary CSS values.
|
||||
</p>
|
||||
|
2
library/HTMLPurifier/ConfigSchema/CSS.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/CSS.txt
Normal file
@ -0,0 +1,2 @@
|
||||
CSS
|
||||
DESCRIPTION: Configuration regarding allowed CSS.
|
13
library/HTMLPurifier/ConfigSchema/Cache.DefinitionImpl.txt
Normal file
13
library/HTMLPurifier/ConfigSchema/Cache.DefinitionImpl.txt
Normal file
@ -0,0 +1,13 @@
|
||||
Cache.DefinitionImpl
|
||||
TYPE: string
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 'Serializer'
|
||||
--DESCRIPTION--
|
||||
|
||||
This directive defines which method to use when caching definitions,
|
||||
the complex data-type that makes HTML Purifier tick. Set to null
|
||||
to disable caching (not recommended, as you will see a definite
|
||||
performance degradation).
|
||||
|
||||
--ALIASES--
|
||||
Core.DefinitionCache
|
13
library/HTMLPurifier/ConfigSchema/Cache.SerializerPath.txt
Normal file
13
library/HTMLPurifier/ConfigSchema/Cache.SerializerPath.txt
Normal file
@ -0,0 +1,13 @@
|
||||
Cache.SerializerPath
|
||||
TYPE: string
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Absolute path with no trailing slash to store serialized definitions in.
|
||||
Default is within the
|
||||
HTML Purifier library inside DefinitionCache/Serializer. This
|
||||
path must be writable by the webserver.
|
||||
</p>
|
||||
|
2
library/HTMLPurifier/ConfigSchema/Cache.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/Cache.txt
Normal file
@ -0,0 +1,2 @@
|
||||
Cache
|
||||
DESCRIPTION: Configuration for DefinitionCache and related subclasses.
|
13
library/HTMLPurifier/ConfigSchema/Core.AggressivelyFixLt.txt
Normal file
13
library/HTMLPurifier/ConfigSchema/Core.AggressivelyFixLt.txt
Normal file
@ -0,0 +1,13 @@
|
||||
Core.AggressivelyFixLt
|
||||
TYPE: bool
|
||||
VERSION: 2.1.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
This directive enables aggressive pre-filter fixes HTML Purifier can
|
||||
perform in order to ensure that open angled-brackets do not get killed
|
||||
during parsing stage. Enabling this will result in two preg_replace_callback
|
||||
calls and one preg_replace call for every bit of HTML passed through here.
|
||||
It is not necessary and will have no effect for PHP 4.
|
||||
|
||||
|
11
library/HTMLPurifier/ConfigSchema/Core.CollectErrors.txt
Normal file
11
library/HTMLPurifier/ConfigSchema/Core.CollectErrors.txt
Normal file
@ -0,0 +1,11 @@
|
||||
Core.CollectErrors
|
||||
TYPE: bool
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
Whether or not to collect errors found while filtering the document. This
|
||||
is a useful way to give feedback to your users. <strong>Warning:</strong>
|
||||
Currently this feature is very patchy and experimental, with lots of
|
||||
possible error messages not yet implemented. It will not cause any
|
||||
problems, but it may not help your users either.
|
29
library/HTMLPurifier/ConfigSchema/Core.ColorKeywords.txt
Normal file
29
library/HTMLPurifier/ConfigSchema/Core.ColorKeywords.txt
Normal file
@ -0,0 +1,29 @@
|
||||
Core.ColorKeywords
|
||||
TYPE: hash
|
||||
VERSION: 2.0.0
|
||||
--DEFAULT--
|
||||
array (
|
||||
'maroon' => '#800000',
|
||||
'red' => '#FF0000',
|
||||
'orange' => '#FFA500',
|
||||
'yellow' => '#FFFF00',
|
||||
'olive' => '#808000',
|
||||
'purple' => '#800080',
|
||||
'fuchsia' => '#FF00FF',
|
||||
'white' => '#FFFFFF',
|
||||
'lime' => '#00FF00',
|
||||
'green' => '#008000',
|
||||
'navy' => '#000080',
|
||||
'blue' => '#0000FF',
|
||||
'aqua' => '#00FFFF',
|
||||
'teal' => '#008080',
|
||||
'black' => '#000000',
|
||||
'silver' => '#C0C0C0',
|
||||
'gray' => '#808080',
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
Lookup array of color names to six digit hexadecimal number corresponding
|
||||
to color, with preceding hash mark. Used when parsing colors.
|
||||
|
||||
|
@ -0,0 +1,13 @@
|
||||
Core.ConvertDocumentToFragment
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
|
||||
This parameter determines whether or not the filter should convert
|
||||
input that is a full document with html and body tags to a fragment
|
||||
of just the contents of a body tag. This parameter is simply something
|
||||
HTML Purifier can do during an edge-case: for most inputs, this
|
||||
processing is not necessary.
|
||||
|
||||
--ALIASES--
|
||||
Core.AcceptFullDocuments
|
@ -0,0 +1,17 @@
|
||||
Core.DirectLexLineNumberSyncInterval
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Specifies the number of tokens the DirectLex line number tracking
|
||||
implementations should process before attempting to resyncronize the
|
||||
current line count by manually counting all previous new-lines. When
|
||||
at 0, this functionality is disabled. Lower values will decrease
|
||||
performance, and this is only strictly necessary if the counting
|
||||
algorithm is buggy (in which case you should report it as a bug).
|
||||
This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is
|
||||
not being used.
|
||||
</p>
|
||||
|
14
library/HTMLPurifier/ConfigSchema/Core.Encoding.txt
Normal file
14
library/HTMLPurifier/ConfigSchema/Core.Encoding.txt
Normal file
@ -0,0 +1,14 @@
|
||||
Core.Encoding
|
||||
TYPE: istring
|
||||
DEFAULT: 'utf-8'
|
||||
--DESCRIPTION--
|
||||
If for some reason you are unable to convert all webpages to UTF-8, you can
|
||||
use this directive as a stop-gap compatibility change to let HTML Purifier
|
||||
deal with non UTF-8 input. This technique has notable deficiencies:
|
||||
absolutely no characters outside of the selected character encoding will be
|
||||
preserved, not even the ones that have been ampersand escaped (this is due
|
||||
to a UTF-8 specific <em>feature</em> that automatically resolves all
|
||||
entities), making it pretty useless for anything except the most I18N-blind
|
||||
applications, although %Core.EscapeNonASCIICharacters offers fixes this
|
||||
trouble with another tradeoff. This directive only accepts ISO-8859-1 if
|
||||
iconv is not enabled.
|
@ -0,0 +1,9 @@
|
||||
Core.EscapeInvalidChildren
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
When true, a child is found that is not allowed in the context of the
|
||||
parent element will be transformed into text as if it were ASCII. When
|
||||
false, that element and all internal tags will be dropped, though text will
|
||||
be preserved. There is no option for dropping the element but preserving
|
||||
child nodes.
|
@ -0,0 +1,6 @@
|
||||
Core.EscapeInvalidTags
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
When true, invalid tags will be written back to the document as plain text.
|
||||
Otherwise, they are silently dropped.
|
@ -0,0 +1,12 @@
|
||||
Core.EscapeNonASCIICharacters
|
||||
TYPE: bool
|
||||
VERSION: 1.4.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
This directive overcomes a deficiency in %Core.Encoding by blindly
|
||||
converting all non-ASCII characters into decimal numeric entities before
|
||||
converting it to its native encoding. This means that even characters that
|
||||
can be expressed in the non-UTF-8 encoding will be entity-ized, which can
|
||||
be a real downer for encodings like Big5. It also assumes that the ASCII
|
||||
repetoire is available, although this is the case for almost all encodings.
|
||||
Anyway, use UTF-8!
|
19
library/HTMLPurifier/ConfigSchema/Core.HiddenElements.txt
Normal file
19
library/HTMLPurifier/ConfigSchema/Core.HiddenElements.txt
Normal file
@ -0,0 +1,19 @@
|
||||
Core.HiddenElements
|
||||
TYPE: lookup
|
||||
--DEFAULT--
|
||||
array (
|
||||
'script' => true,
|
||||
'style' => true,
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive is a lookup array of elements which should have their
|
||||
contents removed when they are not allowed by the HTML definition.
|
||||
For example, the contents of a <code>script</code> tag are not
|
||||
normally shown in a document, so if script tags are to be removed,
|
||||
their contents should be removed to. This is opposed to a <code>b</code>
|
||||
tag, which defines some presentational changes but does not hide its
|
||||
contents.
|
||||
</p>
|
||||
|
11
library/HTMLPurifier/ConfigSchema/Core.Language.txt
Normal file
11
library/HTMLPurifier/ConfigSchema/Core.Language.txt
Normal file
@ -0,0 +1,11 @@
|
||||
Core.Language
|
||||
TYPE: string
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 'en'
|
||||
--DESCRIPTION--
|
||||
|
||||
ISO 639 language code for localizable things in HTML Purifier to use,
|
||||
which is mainly error reporting. There is currently only an English (en)
|
||||
translation, so this directive is currently useless.
|
||||
|
||||
|
33
library/HTMLPurifier/ConfigSchema/Core.LexerImpl.txt
Normal file
33
library/HTMLPurifier/ConfigSchema/Core.LexerImpl.txt
Normal file
@ -0,0 +1,33 @@
|
||||
Core.LexerImpl
|
||||
TYPE: mixed
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This parameter determines what lexer implementation can be used. The
|
||||
valid values are:
|
||||
</p>
|
||||
<dl>
|
||||
<dt><em>null</em></dt>
|
||||
<dd>
|
||||
Recommended, the lexer implementation will be auto-detected based on
|
||||
your PHP-version and configuration.
|
||||
</dd>
|
||||
<dt><em>string</em> lexer identifier</dt>
|
||||
<dd>
|
||||
This is a slim way of manually overridding the implementation.
|
||||
Currently recognized values are: DOMLex (the default PHP5
|
||||
implementation)
|
||||
and DirectLex (the default PHP4 implementation). Only use this if
|
||||
you know what you are doing: usually, the auto-detection will
|
||||
manage things for cases you aren't even aware of.
|
||||
</dd>
|
||||
<dt><em>object</em> lexer instance</dt>
|
||||
<dd>
|
||||
Super-advanced: you can specify your own, custom, implementation that
|
||||
implements the interface defined by <code>HTMLPurifier_Lexer</code>.
|
||||
I may remove this option simply because I don't expect anyone
|
||||
to use it.
|
||||
</dd>
|
||||
</dl>
|
@ -0,0 +1,16 @@
|
||||
Core.MaintainLineNumbers
|
||||
TYPE: bool
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If true, HTML Purifier will add line number information to all tokens.
|
||||
This is useful when error reporting is turned on, but can result in
|
||||
significant performance degradation and should not be used when
|
||||
unnecessary. This directive must be used with the DirectLex lexer,
|
||||
as the DOMLex lexer does not (yet) support this functionality.
|
||||
If the value is null, an appropriate value will be selected based
|
||||
on other configuration.
|
||||
</p>
|
||||
|
12
library/HTMLPurifier/ConfigSchema/Core.RemoveInvalidImg.txt
Normal file
12
library/HTMLPurifier/ConfigSchema/Core.RemoveInvalidImg.txt
Normal file
@ -0,0 +1,12 @@
|
||||
Core.RemoveInvalidImg
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
VERSION: 1.3.0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive enables pre-emptive URI checking in <code>img</code>
|
||||
tags, as the attribute validation strategy is not authorized to
|
||||
remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
|
||||
</p>
|
||||
|
@ -0,0 +1,11 @@
|
||||
Core.RemoveScriptContents
|
||||
TYPE: bool
|
||||
DEFAULT: NULL
|
||||
VERSION: 2.0.0
|
||||
DEPRECATED-VERSION: 2.1.0
|
||||
DEPRECATED-USE: %Core.HiddenElements
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive enables HTML Purifier to remove not only script tags
|
||||
but all of their contents.
|
||||
</p>
|
2
library/HTMLPurifier/ConfigSchema/Core.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/Core.txt
Normal file
@ -0,0 +1,2 @@
|
||||
Core
|
||||
DESCRIPTION: Core features that are always available.
|
@ -0,0 +1,13 @@
|
||||
Filter.ExtractStyleBlocksEscaping
|
||||
TYPE: bool
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Whether or not to escape the dangerous characters <, > and &
|
||||
as \3C, \3E and \26, respectively. This is can be safely set to false
|
||||
if the contents of StyleBlocks will be placed in an external stylesheet,
|
||||
where there is no risk of it being interpreted as HTML.
|
||||
</p>
|
||||
|
@ -0,0 +1,27 @@
|
||||
Filter.ExtractStyleBlocksScope
|
||||
TYPE: string
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If you would like users to be able to define external stylesheets, but
|
||||
only allow them to specify CSS declarations for a specific node and
|
||||
prevent them from fiddling with other elements, use this directive.
|
||||
It accepts any valid CSS selector, and will prepend this to any
|
||||
CSS declaration extracted from the document. For example, if this
|
||||
directive is set to <code>#user-content</code> and a user uses the
|
||||
selector <code>a:hover</code>, the final selector will be
|
||||
<code>#user-content a:hover</code>.
|
||||
</p>
|
||||
<p>
|
||||
The comma shorthand may be used; consider the above example, with
|
||||
<code>#user-content, #user-content2</code>, the final selector will
|
||||
be <code>#user-content a:hover, #user-content2 a:hover</code>.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> It is possible for users to bypass this measure
|
||||
using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML
|
||||
Purifier, and I am working to get it fixed. Until then, HTML Purifier
|
||||
performs a basic check to prevent this.
|
||||
</p>
|
2
library/HTMLPurifier/ConfigSchema/Filter.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/Filter.txt
Normal file
@ -0,0 +1,2 @@
|
||||
Filter
|
||||
DESCRIPTION: Configuration for filters
|
22
library/HTMLPurifier/ConfigSchema/HTML.Allowed.txt
Normal file
22
library/HTMLPurifier/ConfigSchema/HTML.Allowed.txt
Normal file
@ -0,0 +1,22 @@
|
||||
HTML.Allowed
|
||||
TYPE: itext
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This is a convenience directive that rolls the functionality of
|
||||
%HTML.AllowedElements and %HTML.AllowedAttributes into one directive.
|
||||
Specify elements and attributes that are allowed using:
|
||||
<code>element1[attr1|attr2],element2...</code>. You can also use
|
||||
newlines instead of commas to separate elements.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning</strong>:
|
||||
All of the constraints on the component directives are still enforced.
|
||||
The syntax is a <em>subset</em> of TinyMCE's <code>valid_elements</code>
|
||||
whitelist: directly copy-pasting it here will probably result in
|
||||
broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes
|
||||
are set, this directive has no effect.
|
||||
</p>
|
||||
|
19
library/HTMLPurifier/ConfigSchema/HTML.AllowedAttributes.txt
Normal file
19
library/HTMLPurifier/ConfigSchema/HTML.AllowedAttributes.txt
Normal file
@ -0,0 +1,19 @@
|
||||
HTML.AllowedAttributes
|
||||
TYPE: lookup
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If HTML Purifier's attribute set is unsatisfactory, overload it!
|
||||
The syntax is "tag.attr" or "*.attr" for the global attributes
|
||||
(style, id, class, dir, lang, xml:lang).
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
elements here, <em>that</em> directive will win and override. For
|
||||
example, %HTML.EnableAttrID will take precedence over *.id in this
|
||||
directive. You must set that directive to true before you can use
|
||||
IDs at all.
|
||||
</p>
|
||||
|
21
library/HTMLPurifier/ConfigSchema/HTML.AllowedElements.txt
Normal file
21
library/HTMLPurifier/ConfigSchema/HTML.AllowedElements.txt
Normal file
@ -0,0 +1,21 @@
|
||||
HTML.AllowedElements
|
||||
TYPE: lookup
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If HTML Purifier's tag set is unsatisfactory for your needs, you
|
||||
can overload it with your own list of tags to allow. Note that this
|
||||
method is subtractive: it does its job by taking away from HTML
|
||||
Purifier
|
||||
usual feature set, so you cannot add a tag that HTML Purifier never
|
||||
supported in the first place (like embed, form or head). If you
|
||||
change this, you probably also want to change %HTML.AllowedAttributes.
|
||||
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
elements here, <em>that</em> directive will win and override.
|
||||
</p>
|
||||
|
20
library/HTMLPurifier/ConfigSchema/HTML.AllowedModules.txt
Normal file
20
library/HTMLPurifier/ConfigSchema/HTML.AllowedModules.txt
Normal file
@ -0,0 +1,20 @@
|
||||
HTML.AllowedModules
|
||||
TYPE: lookup
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
A doctype comes with a set of usual modules to use. Without having
|
||||
to mucking about with the doctypes, you can quickly activate or
|
||||
disable these modules by specifying which modules you wish to allow
|
||||
with this directive. This is most useful for unit testing specific
|
||||
modules, although end users may find it useful for their own ends.
|
||||
</p>
|
||||
<p>
|
||||
If you specify a module that does not exist, the manager will silently
|
||||
fail to use it, so be careful! User-defined modules are not affected
|
||||
by this directive. Modules defined in %HTML.CoreModules are not
|
||||
affected by this directive.
|
||||
</p>
|
||||
|
18
library/HTMLPurifier/ConfigSchema/HTML.BlockWrapper.txt
Normal file
18
library/HTMLPurifier/ConfigSchema/HTML.BlockWrapper.txt
Normal file
@ -0,0 +1,18 @@
|
||||
HTML.BlockWrapper
|
||||
TYPE: string
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: 'p'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
String name of element to wrap inline elements that are inside a block
|
||||
context. This only occurs in the children of blockquote in strict mode.
|
||||
</p>
|
||||
<p>
|
||||
Example: by default value,
|
||||
<code><blockquote>Foo</blockquote></code> would become
|
||||
<code><blockquote><p>Foo</p></blockquote></code>.
|
||||
The <code><p></code> tags can be replaced with whatever you desire,
|
||||
as long as it is a block level element.
|
||||
</p>
|
||||
|
23
library/HTMLPurifier/ConfigSchema/HTML.CoreModules.txt
Normal file
23
library/HTMLPurifier/ConfigSchema/HTML.CoreModules.txt
Normal file
@ -0,0 +1,23 @@
|
||||
HTML.CoreModules
|
||||
TYPE: lookup
|
||||
VERSION: 2.0.0
|
||||
--DEFAULT--
|
||||
array (
|
||||
'Structure' => true,
|
||||
'Text' => true,
|
||||
'Hypertext' => true,
|
||||
'List' => true,
|
||||
'NonXMLCommonAttributes' => true,
|
||||
'XMLCommonAttributes' => true,
|
||||
'CommonAttributes' => true,
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Certain modularized doctypes (XHTML, namely), have certain modules
|
||||
that must be included for the doctype to be an conforming document
|
||||
type: put those modules here. By default, XHTML's core modules
|
||||
are used. You can set this to a blank array to disable core module
|
||||
protection, but this is not recommended.
|
||||
</p>
|
||||
|
10
library/HTMLPurifier/ConfigSchema/HTML.CustomDoctype.txt
Normal file
10
library/HTMLPurifier/ConfigSchema/HTML.CustomDoctype.txt
Normal file
@ -0,0 +1,10 @@
|
||||
HTML.CustomDoctype
|
||||
TYPE: string
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
A custom doctype for power-users who defined there own document
|
||||
type. This directive only applies when %HTML.Doctype is blank.
|
||||
|
||||
|
33
library/HTMLPurifier/ConfigSchema/HTML.DefinitionID.txt
Normal file
33
library/HTMLPurifier/ConfigSchema/HTML.DefinitionID.txt
Normal file
@ -0,0 +1,33 @@
|
||||
HTML.DefinitionID
|
||||
TYPE: string
|
||||
DEFAULT: NULL
|
||||
VERSION: 2.0.0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Unique identifier for a custom-built HTML definition. If you edit
|
||||
the raw version of the HTMLDefinition, introducing changes that the
|
||||
configuration object does not reflect, you must specify this variable.
|
||||
If you change your custom edits, you should change this directive, or
|
||||
clear your cache. Example:
|
||||
</p>
|
||||
<pre>
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('HTML', 'DefinitionID', '1');
|
||||
$def = $config->getHTMLDefinition();
|
||||
$def->addAttribute('a', 'tabindex', 'Number');
|
||||
</pre>
|
||||
<p>
|
||||
In the above example, the configuration is still at the defaults, but
|
||||
using the advanced API, an extra attribute has been added. The
|
||||
configuration object normally has no way of knowing that this change
|
||||
has taken place, so it needs an extra directive: %HTML.DefinitionID.
|
||||
If someone else attempts to use the default configuration, these two
|
||||
pieces of code will not clobber each other in the cache, since one has
|
||||
an extra directive attached to it.
|
||||
</p>
|
||||
<p>
|
||||
You <em>must</em> specify a value to this directive to use the
|
||||
advanced API features.
|
||||
</p>
|
||||
|
16
library/HTMLPurifier/ConfigSchema/HTML.DefinitionRev.txt
Normal file
16
library/HTMLPurifier/ConfigSchema/HTML.DefinitionRev.txt
Normal file
@ -0,0 +1,16 @@
|
||||
HTML.DefinitionRev
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 1
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Revision identifier for your custom definition specified in
|
||||
%HTML.DefinitionID. This serves the same purpose: uniquely identifying
|
||||
your custom definition, but this one does so in a chronological
|
||||
context: revision 3 is more up-to-date then revision 2. Thus, when
|
||||
this gets incremented, the cache handling is smart enough to clean
|
||||
up any older revisions of your definition as well as flush the
|
||||
cache.
|
||||
</p>
|
||||
|
10
library/HTMLPurifier/ConfigSchema/HTML.Doctype.txt
Normal file
10
library/HTMLPurifier/ConfigSchema/HTML.Doctype.txt
Normal file
@ -0,0 +1,10 @@
|
||||
HTML.Doctype
|
||||
TYPE: string
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
Doctype to use during filtering. Technically speaking this is not actually
|
||||
a doctype (as it does not identify a corresponding DTD), but we are using
|
||||
this name for sake of simplicity. When non-blank, this will override any
|
||||
older directives like %HTML.XHTML or %HTML.Strict.
|
||||
--ALLOWED--
|
||||
'', 'HTML 4.01 Transitional', 'HTML 4.01 Strict', 'XHTML 1.0 Transitional', 'XHTML 1.0 Strict', 'XHTML 1.1'
|
12
library/HTMLPurifier/ConfigSchema/HTML.Parent.txt
Normal file
12
library/HTMLPurifier/ConfigSchema/HTML.Parent.txt
Normal file
@ -0,0 +1,12 @@
|
||||
HTML.Parent
|
||||
TYPE: string
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: 'div'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
String name of element that HTML fragment passed to library will be
|
||||
inserted in. An interesting variation would be using span as the
|
||||
parent element, meaning that only inline tags would be allowed.
|
||||
</p>
|
||||
|
7
library/HTMLPurifier/ConfigSchema/HTML.Strict.txt
Normal file
7
library/HTMLPurifier/ConfigSchema/HTML.Strict.txt
Normal file
@ -0,0 +1,7 @@
|
||||
HTML.Strict
|
||||
TYPE: bool
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Determines whether or not to use Transitional (loose) or Strict rulesets.
|
||||
This directive is deprecated in favor of %HTML.Doctype.
|
8
library/HTMLPurifier/ConfigSchema/HTML.TidyAdd.txt
Normal file
8
library/HTMLPurifier/ConfigSchema/HTML.TidyAdd.txt
Normal file
@ -0,0 +1,8 @@
|
||||
HTML.TidyAdd
|
||||
TYPE: lookup
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
|
||||
Fixes to add to the default set of Tidy fixes as per your level.
|
||||
|
23
library/HTMLPurifier/ConfigSchema/HTML.TidyLevel.txt
Normal file
23
library/HTMLPurifier/ConfigSchema/HTML.TidyLevel.txt
Normal file
@ -0,0 +1,23 @@
|
||||
HTML.TidyLevel
|
||||
TYPE: string
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 'medium'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>General level of cleanliness the Tidy module should enforce.
|
||||
There are four allowed values:</p>
|
||||
<dl>
|
||||
<dt>none</dt>
|
||||
<dd>No extra tidying should be done</dd>
|
||||
<dt>light</dt>
|
||||
<dd>Only fix elements that would be discarded otherwise due to
|
||||
lack of support in doctype</dd>
|
||||
<dt>medium</dt>
|
||||
<dd>Enforce best practices</dd>
|
||||
<dt>heavy</dt>
|
||||
<dd>Transform all deprecated elements and attributes to standards
|
||||
compliant equivalents</dd>
|
||||
</dl>
|
||||
|
||||
--ALLOWED--
|
||||
'none', 'light', 'medium', 'heavy'
|
8
library/HTMLPurifier/ConfigSchema/HTML.TidyRemove.txt
Normal file
8
library/HTMLPurifier/ConfigSchema/HTML.TidyRemove.txt
Normal file
@ -0,0 +1,8 @@
|
||||
HTML.TidyRemove
|
||||
TYPE: lookup
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
|
||||
Fixes to remove from the default set of Tidy fixes as per your level.
|
||||
|
7
library/HTMLPurifier/ConfigSchema/HTML.Trusted.txt
Normal file
7
library/HTMLPurifier/ConfigSchema/HTML.Trusted.txt
Normal file
@ -0,0 +1,7 @@
|
||||
HTML.Trusted
|
||||
TYPE: bool
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Indicates whether or not the user input is trusted or not. If the input is
|
||||
trusted, a more expansive set of allowed tags and attributes will be used.
|
9
library/HTMLPurifier/ConfigSchema/HTML.XHTML.txt
Normal file
9
library/HTMLPurifier/ConfigSchema/HTML.XHTML.txt
Normal file
@ -0,0 +1,9 @@
|
||||
HTML.XHTML
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
VERSION: 1.1.0
|
||||
--DESCRIPTION--
|
||||
Determines whether or not output is XHTML 1.0 or HTML 4.01 flavor. This
|
||||
directive is deprecated in favor of %HTML.Doctype.
|
||||
--ALIASES--
|
||||
Core.XHTML
|
2
library/HTMLPurifier/ConfigSchema/HTML.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/HTML.txt
Normal file
@ -0,0 +1,2 @@
|
||||
HTML
|
||||
DESCRIPTION: Configuration regarding allowed HTML.
|
@ -0,0 +1,9 @@
|
||||
Output.CommentScriptContents
|
||||
TYPE: bool
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
Determines whether or not HTML Purifier should attempt to fix up the
|
||||
contents of script tags for legacy browsers with comments.
|
||||
--ALIASES--
|
||||
Core.CommentScriptContents
|
13
library/HTMLPurifier/ConfigSchema/Output.Newline.txt
Normal file
13
library/HTMLPurifier/ConfigSchema/Output.Newline.txt
Normal file
@ -0,0 +1,13 @@
|
||||
Output.Newline
|
||||
TYPE: string
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Newline string to format final output with. If left null, HTML Purifier
|
||||
will auto-detect the default newline type of the system and use that;
|
||||
you can manually override it here. Remember, \r\n is Windows, \r
|
||||
is Mac, and \n is Unix.
|
||||
</p>
|
||||
|
24
library/HTMLPurifier/ConfigSchema/Output.TidyFormat.txt
Normal file
24
library/HTMLPurifier/ConfigSchema/Output.TidyFormat.txt
Normal file
@ -0,0 +1,24 @@
|
||||
Output.TidyFormat
|
||||
TYPE: bool
|
||||
VERSION: 1.1.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Determines whether or not to run Tidy on the final output for pretty
|
||||
formatting reasons, such as indentation and wrap.
|
||||
</p>
|
||||
<p>
|
||||
This can greatly improve readability for editors who are hand-editing
|
||||
the HTML, but is by no means necessary as HTML Purifier has already
|
||||
fixed all major errors the HTML may have had. Tidy is a non-default
|
||||
extension, and this directive will silently fail if Tidy is not
|
||||
available.
|
||||
</p>
|
||||
<p>
|
||||
If you are looking to make the overall look of your page's source
|
||||
better, I recommend running Tidy on the entire page rather than just
|
||||
user-content (after all, the indentation relative to the containing
|
||||
blocks will be incorrect).
|
||||
</p>
|
||||
--ALIASES--
|
||||
Core.TidyFormat
|
2
library/HTMLPurifier/ConfigSchema/Output.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/Output.txt
Normal file
@ -0,0 +1,2 @@
|
||||
Output
|
||||
DESCRIPTION: Configuration relating to the generation of (X)HTML.
|
6
library/HTMLPurifier/ConfigSchema/Test.ForceNoIconv.txt
Normal file
6
library/HTMLPurifier/ConfigSchema/Test.ForceNoIconv.txt
Normal file
@ -0,0 +1,6 @@
|
||||
Test.ForceNoIconv
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
When set to true, HTMLPurifier_Encoder will act as if iconv does not exist
|
||||
and use only pure PHP implementations.
|
2
library/HTMLPurifier/ConfigSchema/Test.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/Test.txt
Normal file
@ -0,0 +1,2 @@
|
||||
Test
|
||||
DESCRIPTION: Developer testing configuration for our unit tests.
|
14
library/HTMLPurifier/ConfigSchema/URI.AllowedSchemes.txt
Normal file
14
library/HTMLPurifier/ConfigSchema/URI.AllowedSchemes.txt
Normal file
@ -0,0 +1,14 @@
|
||||
URI.AllowedSchemes
|
||||
TYPE: lookup
|
||||
--DEFAULT--
|
||||
array (
|
||||
'http' => true,
|
||||
'https' => true,
|
||||
'mailto' => true,
|
||||
'ftp' => true,
|
||||
'nntp' => true,
|
||||
'news' => true,
|
||||
)
|
||||
--DESCRIPTION--
|
||||
Whitelist that defines the schemes that a URI is allowed to have. This
|
||||
prevents XSS attacks from using pseudo-schemes like javascript or mocha.
|
17
library/HTMLPurifier/ConfigSchema/URI.Base.txt
Normal file
17
library/HTMLPurifier/ConfigSchema/URI.Base.txt
Normal file
@ -0,0 +1,17 @@
|
||||
URI.Base
|
||||
TYPE: string
|
||||
VERSION: 2.1.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
The base URI is the URI of the document this purified HTML will be
|
||||
inserted into. This information is important if HTML Purifier needs
|
||||
to calculate absolute URIs from relative URIs, such as when %URI.MakeAbsolute
|
||||
is on. You may use a non-absolute URI for this value, but behavior
|
||||
may vary (%URI.MakeAbsolute deals nicely with both absolute and
|
||||
relative paths, but forwards-compatibility is not guaranteed).
|
||||
<strong>Warning:</strong> If set, the scheme on this URI
|
||||
overrides the one specified by %URI.DefaultScheme.
|
||||
</p>
|
||||
|
10
library/HTMLPurifier/ConfigSchema/URI.DefaultScheme.txt
Normal file
10
library/HTMLPurifier/ConfigSchema/URI.DefaultScheme.txt
Normal file
@ -0,0 +1,10 @@
|
||||
URI.DefaultScheme
|
||||
TYPE: string
|
||||
DEFAULT: 'http'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Defines through what scheme the output will be served, in order to
|
||||
select the proper object validator when no scheme information is present.
|
||||
</p>
|
||||
|
11
library/HTMLPurifier/ConfigSchema/URI.DefinitionID.txt
Normal file
11
library/HTMLPurifier/ConfigSchema/URI.DefinitionID.txt
Normal file
@ -0,0 +1,11 @@
|
||||
URI.DefinitionID
|
||||
TYPE: string
|
||||
VERSION: 2.1.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Unique identifier for a custom-built URI definition. If you want
|
||||
to add custom URIFilters, you must specify this value.
|
||||
</p>
|
||||
|
11
library/HTMLPurifier/ConfigSchema/URI.DefinitionRev.txt
Normal file
11
library/HTMLPurifier/ConfigSchema/URI.DefinitionRev.txt
Normal file
@ -0,0 +1,11 @@
|
||||
URI.DefinitionRev
|
||||
TYPE: int
|
||||
VERSION: 2.1.0
|
||||
DEFAULT: 1
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Revision identifier for your custom definition. See
|
||||
%HTML.DefinitionRev for details.
|
||||
</p>
|
||||
|
13
library/HTMLPurifier/ConfigSchema/URI.Disable.txt
Normal file
13
library/HTMLPurifier/ConfigSchema/URI.Disable.txt
Normal file
@ -0,0 +1,13 @@
|
||||
URI.Disable
|
||||
TYPE: bool
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Disables all URIs in all forms. Not sure why you'd want to do that
|
||||
(after all, the Internet's founded on the notion of a hyperlink).
|
||||
</p>
|
||||
|
||||
--ALIASES--
|
||||
Attr.DisableURI
|
10
library/HTMLPurifier/ConfigSchema/URI.DisableExternal.txt
Normal file
10
library/HTMLPurifier/ConfigSchema/URI.DisableExternal.txt
Normal file
@ -0,0 +1,10 @@
|
||||
URI.DisableExternal
|
||||
TYPE: bool
|
||||
VERSION: 1.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Disables links to external websites. This is a highly effective anti-spam
|
||||
and anti-pagerank-leech measure, but comes at a hefty price: nolinks or
|
||||
images outside of your domain will be allowed. Non-linkified URIs will
|
||||
still be preserved. If you want to be able to link to subdomains or use
|
||||
absolute URIs, specify %URI.Host for your website.
|
@ -0,0 +1,12 @@
|
||||
URI.DisableExternalResources
|
||||
TYPE: bool
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Disables the embedding of external resources, preventing users from
|
||||
embedding things like images from other hosts. This prevents access
|
||||
tracking (good for email viewers), bandwidth leeching, cross-site request
|
||||
forging, goatse.cx posting, and other nasties, but also results in a loss
|
||||
of end-user functionality (they can't directly post a pic they posted from
|
||||
Flickr anymore). Use it if you don't have a robust user-content moderation
|
||||
team.
|
12
library/HTMLPurifier/ConfigSchema/URI.DisableResources.txt
Normal file
12
library/HTMLPurifier/ConfigSchema/URI.DisableResources.txt
Normal file
@ -0,0 +1,12 @@
|
||||
URI.DisableResources
|
||||
TYPE: bool
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Disables embedding resources, essentially meaning no pictures. You can
|
||||
still link to them though. See %URI.DisableExternalResources for why
|
||||
this might be a good idea.
|
||||
</p>
|
||||
|
19
library/HTMLPurifier/ConfigSchema/URI.Host.txt
Normal file
19
library/HTMLPurifier/ConfigSchema/URI.Host.txt
Normal file
@ -0,0 +1,19 @@
|
||||
URI.Host
|
||||
TYPE: string
|
||||
VERSION: 1.2.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Defines the domain name of the server, so we can determine whether or
|
||||
an absolute URI is from your website or not. Not strictly necessary,
|
||||
as users should be using relative URIs to reference resources on your
|
||||
website. It will, however, let you use absolute URIs to link to
|
||||
subdomains of the domain you post here: i.e. example.com will allow
|
||||
sub.example.com. However, higher up domains will still be excluded:
|
||||
if you set %URI.Host to sub.example.com, example.com will be blocked.
|
||||
<strong>Note:</strong> This directive overrides %URI.Base because
|
||||
a given page may be on a sub-domain, but you wish HTML Purifier to be
|
||||
more relaxed and allow some of the parent domains too.
|
||||
</p>
|
||||
|
8
library/HTMLPurifier/ConfigSchema/URI.HostBlacklist.txt
Normal file
8
library/HTMLPurifier/ConfigSchema/URI.HostBlacklist.txt
Normal file
@ -0,0 +1,8 @@
|
||||
URI.HostBlacklist
|
||||
TYPE: list
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of strings that are forbidden in the host of any URI. Use it to kill
|
||||
domain names of spam, etc. Note that it will catch anything in the domain,
|
||||
so <tt>moo.com</tt> will catch <tt>moo.com.example.com</tt>.
|
12
library/HTMLPurifier/ConfigSchema/URI.MakeAbsolute.txt
Normal file
12
library/HTMLPurifier/ConfigSchema/URI.MakeAbsolute.txt
Normal file
@ -0,0 +1,12 @@
|
||||
URI.MakeAbsolute
|
||||
TYPE: bool
|
||||
VERSION: 2.1.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Converts all URIs into absolute forms. This is useful when the HTML
|
||||
being filtered assumes a specific base path, but will actually be
|
||||
viewed in a different context (and setting an alternate base URI is
|
||||
not possible). %URI.Base must be set for this directive to work.
|
||||
</p>
|
31
library/HTMLPurifier/ConfigSchema/URI.Munge.txt
Normal file
31
library/HTMLPurifier/ConfigSchema/URI.Munge.txt
Normal file
@ -0,0 +1,31 @@
|
||||
URI.Munge
|
||||
TYPE: string
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Munges all browsable (usually http, https and ftp)
|
||||
absolute URI's into another URI, usually a URI redirection service.
|
||||
This directive accepts a URI, formatted with a <code>%s</code> where
|
||||
the url-encoded original URI should be inserted (sample:
|
||||
<code>http://www.google.com/url?q=%s</code>).
|
||||
</p>
|
||||
<p>
|
||||
Uses for this directive:
|
||||
</p>
|
||||
<ul>
|
||||
<li>
|
||||
Prevent PageRank leaks, while being fairly transparent
|
||||
to users (you may also want to add some client side JavaScript to
|
||||
override the text in the statusbar). <strong>Notice</strong>:
|
||||
Many security experts believe that this form of protection does
|
||||
not deter spam-bots.
|
||||
</li>
|
||||
<li>
|
||||
Redirect users to a splash page telling them they are leaving your
|
||||
website. While this is poor usability practice, it is often
|
||||
mandated
|
||||
in corporate environments.
|
||||
</li>
|
||||
</ul>
|
@ -0,0 +1,8 @@
|
||||
URI.OverrideAllowedSchemes
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
If this is set to true (which it is by default), you can override
|
||||
%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme to the
|
||||
registry. If false, you will also have to update that directive in order
|
||||
to add more schemes.
|
2
library/HTMLPurifier/ConfigSchema/URI.txt
Normal file
2
library/HTMLPurifier/ConfigSchema/URI.txt
Normal file
@ -0,0 +1,2 @@
|
||||
URI
|
||||
DESCRIPTION: Features regarding Uniform Resource Identifiers.
|
@ -28,12 +28,12 @@ require_once 'HTMLPurifier/Filter/ExtractStyleBlocks.php';
|
||||
*/
|
||||
function saveHash($hash) {
|
||||
if ($hash === false) return;
|
||||
$dir = realpath(dirname(__FILE__) . '/../library/HTMLPurifier/ConfigSchema/');
|
||||
$dir = realpath(dirname(__FILE__) . '/../library/HTMLPurifier/ConfigSchema');
|
||||
$name = $hash['ID'] . '.txt';
|
||||
$file = $dir . $name;
|
||||
$file = $dir . '/' . $name;
|
||||
if (file_exists($file)) {
|
||||
//trigger_error("File already exists; skipped $name");
|
||||
//return;
|
||||
trigger_error("File already exists; skipped $name");
|
||||
return;
|
||||
}
|
||||
$file = new FSTools_File($file);
|
||||
$file->open('w');
|
||||
|
Loading…
Reference in New Issue
Block a user