[3.1.0] Implement %HTML.Forbidden*

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1671 48356398-32a2-884e-a903-53898d9a118a
2024-09-18 18:25:18 +00:00 · 2008-04-22 07:16:49 +00:00 · 2008-04-22 07:16:49 +00:00 · 4fe475c57f
commit 4fe475c57f
parent d3710518ce
9 changed files with 77 additions and 8 deletions
--- a/5
+++ b/5
@ -15,9 +15,8 @@ with these contents.
 ---------------------------------------------------------------------------
 1.  Compatibility

-HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.0 and 
-up (see tests/multitest.php for the specific versions that are being 
-tested regularly). It has no core dependencies with other libraries. PHP 
+HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.5 and 
+up. It has no core dependencies with other libraries. PHP 
 4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0. 
 Essential security fixes will be issued for the 2.1.x branch until 
 August 8, 2008. 
--- a/1
+++ b/1
@ -50,6 +50,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without
  mucking around with HTMLPurifier_CSSDefinition
 ! ConfigDoc output has been enhanced with version and deprecation info.
+! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented.
 - Autoclose now operates iteratively, i.e. <span><span><div> now has
  both span tags closed.
 - Various HTMLPurifier_Config convenience functions now accept another parameter
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@ -129,6 +129,16 @@
   <line>242</line>
  </file>
 </directive>
+ <directive id="HTML.ForbiddenElements">
+  <file name="HTMLPurifier/HTMLDefinition.php">
+   <line>303</line>
+  </file>
+ </directive>
+ <directive id="HTML.ForbiddenAttributes">
+  <file name="HTMLPurifier/HTMLDefinition.php">
+   <line>304</line>
+  </file>
+ </directive>
 <directive id="HTML.Trusted">
  <file name="HTMLPurifier/HTMLModuleManager.php">
   <line>198</line>
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
@ -3,16 +3,13 @@ TYPE: lookup/null
 VERSION: 1.3.0
 DEFAULT: NULL
 --DESCRIPTION--
-
 <p>
    If HTML Purifier's tag set is unsatisfactory for your needs, you 
    can overload it with your own list of tags to allow.  Note that this 
-    method is subtractive: it does its job by taking away from HTML
-Purifier 
+    method is subtractive: it does its job by taking away from HTML Purifier 
    usual feature set, so you cannot add a tag that HTML Purifier never 
    supported in the first place (like embed, form or head).  If you 
    change this, you probably also want to change %HTML.AllowedAttributes.
-
 </p>
 <p>
    <strong>Warning:</strong> If another directive conflicts with the 
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt
@ -0,0 +1,10 @@
+HTML.ForbiddenAttributes
+TYPE: lookup
+VERSION: 3.1.0
+DEFAULT: array()
+--DESCRIPTION--
+<p>
+    This directive complements %HTML.ForbiddenElements and is the inverse of
+    %HTML.AllowedAttributes. Please see the former for a discussion of why you
+    should think twice before using this directive.
+</p>
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt
@ -0,0 +1,19 @@
+HTML.ForbiddenElements
+TYPE: lookup
+VERSION: 3.1.0
+DEFAULT: array()
+--DESCRIPTION--
+<p>
+    This was, perhaps, the most requested feature ever in HTML
+    Purifier. Please don't abuse it! This is the logical inverse of
+    %HTML.AllowedElements, and it will override that directive, or any
+    other directive.
+</p>
+<p>
+    If possible, %HTML.Allowed is recommended over this directive, because it
+    can sometimes be difficult to tell whether or not you've forbidden all of
+    the behavior you would like to disallow. If you forbid <code>img</code>
+    with the expectation of preventing images on your site, you'll be in for
+    a nasty surprise when people start using the <code>background-image</code>
+    CSS property.
+</p>
--- a/library/HTMLPurifier/HTMLDefinition.php
+++ b/library/HTMLPurifier/HTMLDefinition.php
@ -296,6 +296,24 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
                        E_USER_WARNING);
                }
            }
+            
+        }
+        
+        // setup forbidden elements
+        $forbidden_elements = $config->get('HTML', 'ForbiddenElements');
+        $forbidden_attributes = $config->get('HTML', 'ForbiddenAttributes');
+        
+        foreach ($this->info as $tag => $info) {
+            if (isset($forbidden_elements[$tag])) {
+                unset($this->info[$tag]);
+                continue;
+            }
+            foreach ($info->attr as $name => $def) {
+                if (isset($forbidden_attributes["$tag.$name"])) {
+                    unset($this->info[$tag]->attr[$name]);
+                    continue;
+                }
+            }
        }
        
    }
--- a/tests/HTMLPurifierTest.php
+++ b/tests/HTMLPurifierTest.php
@ -53,6 +53,21 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
        
    }
    
+    function testBlacklistElements() {
+        $this->purifier = new HTMLPurifier(array(
+            'HTML.ForbiddenElements' => array('b'),
+            'HTML.ForbiddenAttributes' => array('a.href')
+        ));
+        $this->assertPurification(
+            '<p>Par.</p>'
+        );
+        $this->assertPurification(
+            '<b>Pa<a href="foo">r</a>.</b>',
+            'Pa<a>r</a>.'
+        );
+        
+    }
+    
    function testDifferentAllowedCSSProperties() {
        
        $this->purifier = new HTMLPurifier(array(