[3.1.0] Implement %HTML.Forbidden*

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1671 48356398-32a2-884e-a903-53898d9a118a

INSTALL

@@ -15,9 +15,8 @@ with these contents.
 ---------------------------------------------------------------------------
 1.  Compatibility
 
-HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.0 and 
+HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.5 and 
-up (see tests/multitest.php for the specific versions that are being 
+up. It has no core dependencies with other libraries. PHP 
-tested regularly). It has no core dependencies with other libraries. PHP 
 4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0. 
 Essential security fixes will be issued for the 2.1.x branch until 
 August 8, 2008. 

NEWS

@@ -50,6 +50,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without
   mucking around with HTMLPurifier_CSSDefinition
 ! ConfigDoc output has been enhanced with version and deprecation info.
+! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented.
 - Autoclose now operates iteratively, i.e. <span><span><div> now has
   both span tags closed.
 - Various HTMLPurifier_Config convenience functions now accept another parameter

configdoc/usage.xml

@@ -129,6 +129,16 @@
    <line>242</line>
   </file>
  </directive>
+ <directive id="HTML.ForbiddenElements">
+  <file name="HTMLPurifier/HTMLDefinition.php">
+   <line>303</line>
+  </file>
+ </directive>
+ <directive id="HTML.ForbiddenAttributes">
+  <file name="HTMLPurifier/HTMLDefinition.php">
+   <line>304</line>
+  </file>
+ </directive>
  <directive id="HTML.Trusted">
   <file name="HTMLPurifier/HTMLModuleManager.php">
    <line>198</line>

library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt

@@ -3,16 +3,13 @@ TYPE: lookup/null
 VERSION: 1.3.0
 DEFAULT: NULL
 --DESCRIPTION--
-
 <p>
     If HTML Purifier's tag set is unsatisfactory for your needs, you 
     can overload it with your own list of tags to allow.  Note that this 
-    method is subtractive: it does its job by taking away from HTML
+    method is subtractive: it does its job by taking away from HTML Purifier 
-Purifier 
     usual feature set, so you cannot add a tag that HTML Purifier never 
     supported in the first place (like embed, form or head).  If you 
     change this, you probably also want to change %HTML.AllowedAttributes.
-
 </p>
 <p>
     <strong>Warning:</strong> If another directive conflicts with the 

library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt

@@ -0,0 +1,10 @@
+HTML.ForbiddenAttributes
+TYPE: lookup
+VERSION: 3.1.0
+DEFAULT: array()
+--DESCRIPTION--
+<p>
+    This directive complements %HTML.ForbiddenElements and is the inverse of
+    %HTML.AllowedAttributes. Please see the former for a discussion of why you
+    should think twice before using this directive.
+</p>

library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt

@@ -0,0 +1,19 @@
+HTML.ForbiddenElements
+TYPE: lookup
+VERSION: 3.1.0
+DEFAULT: array()
+--DESCRIPTION--
+<p>
+    This was, perhaps, the most requested feature ever in HTML
+    Purifier. Please don't abuse it! This is the logical inverse of
+    %HTML.AllowedElements, and it will override that directive, or any
+    other directive.
+</p>
+<p>
+    If possible, %HTML.Allowed is recommended over this directive, because it
+    can sometimes be difficult to tell whether or not you've forbidden all of
+    the behavior you would like to disallow. If you forbid <code>img</code>
+    with the expectation of preventing images on your site, you'll be in for
+    a nasty surprise when people start using the <code>background-image</code>
+    CSS property.
+</p>

library/HTMLPurifier/HTMLDefinition.php

@@ -296,6 +296,24 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
                         E_USER_WARNING);
                 }
             }
+            
+        }
+        
+        // setup forbidden elements
+        $forbidden_elements = $config->get('HTML', 'ForbiddenElements');
+        $forbidden_attributes = $config->get('HTML', 'ForbiddenAttributes');
+        
+        foreach ($this->info as $tag => $info) {
+            if (isset($forbidden_elements[$tag])) {
+                unset($this->info[$tag]);
+                continue;
+            }
+            foreach ($info->attr as $name => $def) {
+                if (isset($forbidden_attributes["$tag.$name"])) {
+                    unset($this->info[$tag]->attr[$name]);
+                    continue;
+                }
+            }
         }
         
     }

tests/HTMLPurifierTest.php

@@ -53,6 +53,21 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
         
     }
     
+    function testBlacklistElements() {
+        $this->purifier = new HTMLPurifier(array(
+            'HTML.ForbiddenElements' => array('b'),
+            'HTML.ForbiddenAttributes' => array('a.href')
+        ));
+        $this->assertPurification(
+            '<p>Par.</p>'
+        );
+        $this->assertPurification(
+            '<b>Pa<a href="foo">r</a>.</b>',
+            'Pa<a>r</a>.'
+        );
+        
+    }
+    
     function testDifferentAllowedCSSProperties() {
         
         $this->purifier = new HTMLPurifier(array(