[3.1.0] Implement %HTML.Forbidden*
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1671 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
parent
d3710518ce
commit
4fe475c57f
5
INSTALL
5
INSTALL
@ -15,9 +15,8 @@ with these contents.
|
|||||||
---------------------------------------------------------------------------
|
---------------------------------------------------------------------------
|
||||||
1. Compatibility
|
1. Compatibility
|
||||||
|
|
||||||
HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.0 and
|
HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.5 and
|
||||||
up (see tests/multitest.php for the specific versions that are being
|
up. It has no core dependencies with other libraries. PHP
|
||||||
tested regularly). It has no core dependencies with other libraries. PHP
|
|
||||||
4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0.
|
4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0.
|
||||||
Essential security fixes will be issued for the 2.1.x branch until
|
Essential security fixes will be issued for the 2.1.x branch until
|
||||||
August 8, 2008.
|
August 8, 2008.
|
||||||
|
1
NEWS
1
NEWS
@ -50,6 +50,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||||||
! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without
|
! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without
|
||||||
mucking around with HTMLPurifier_CSSDefinition
|
mucking around with HTMLPurifier_CSSDefinition
|
||||||
! ConfigDoc output has been enhanced with version and deprecation info.
|
! ConfigDoc output has been enhanced with version and deprecation info.
|
||||||
|
! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented.
|
||||||
- Autoclose now operates iteratively, i.e. <span><span><div> now has
|
- Autoclose now operates iteratively, i.e. <span><span><div> now has
|
||||||
both span tags closed.
|
both span tags closed.
|
||||||
- Various HTMLPurifier_Config convenience functions now accept another parameter
|
- Various HTMLPurifier_Config convenience functions now accept another parameter
|
||||||
|
@ -129,6 +129,16 @@
|
|||||||
<line>242</line>
|
<line>242</line>
|
||||||
</file>
|
</file>
|
||||||
</directive>
|
</directive>
|
||||||
|
<directive id="HTML.ForbiddenElements">
|
||||||
|
<file name="HTMLPurifier/HTMLDefinition.php">
|
||||||
|
<line>303</line>
|
||||||
|
</file>
|
||||||
|
</directive>
|
||||||
|
<directive id="HTML.ForbiddenAttributes">
|
||||||
|
<file name="HTMLPurifier/HTMLDefinition.php">
|
||||||
|
<line>304</line>
|
||||||
|
</file>
|
||||||
|
</directive>
|
||||||
<directive id="HTML.Trusted">
|
<directive id="HTML.Trusted">
|
||||||
<file name="HTMLPurifier/HTMLModuleManager.php">
|
<file name="HTMLPurifier/HTMLModuleManager.php">
|
||||||
<line>198</line>
|
<line>198</line>
|
||||||
|
File diff suppressed because one or more lines are too long
@ -3,16 +3,13 @@ TYPE: lookup/null
|
|||||||
VERSION: 1.3.0
|
VERSION: 1.3.0
|
||||||
DEFAULT: NULL
|
DEFAULT: NULL
|
||||||
--DESCRIPTION--
|
--DESCRIPTION--
|
||||||
|
|
||||||
<p>
|
<p>
|
||||||
If HTML Purifier's tag set is unsatisfactory for your needs, you
|
If HTML Purifier's tag set is unsatisfactory for your needs, you
|
||||||
can overload it with your own list of tags to allow. Note that this
|
can overload it with your own list of tags to allow. Note that this
|
||||||
method is subtractive: it does its job by taking away from HTML
|
method is subtractive: it does its job by taking away from HTML Purifier
|
||||||
Purifier
|
|
||||||
usual feature set, so you cannot add a tag that HTML Purifier never
|
usual feature set, so you cannot add a tag that HTML Purifier never
|
||||||
supported in the first place (like embed, form or head). If you
|
supported in the first place (like embed, form or head). If you
|
||||||
change this, you probably also want to change %HTML.AllowedAttributes.
|
change this, you probably also want to change %HTML.AllowedAttributes.
|
||||||
|
|
||||||
</p>
|
</p>
|
||||||
<p>
|
<p>
|
||||||
<strong>Warning:</strong> If another directive conflicts with the
|
<strong>Warning:</strong> If another directive conflicts with the
|
||||||
|
@ -0,0 +1,10 @@
|
|||||||
|
HTML.ForbiddenAttributes
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This directive complements %HTML.ForbiddenElements and is the inverse of
|
||||||
|
%HTML.AllowedAttributes. Please see the former for a discussion of why you
|
||||||
|
should think twice before using this directive.
|
||||||
|
</p>
|
@ -0,0 +1,19 @@
|
|||||||
|
HTML.ForbiddenElements
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 3.1.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This was, perhaps, the most requested feature ever in HTML
|
||||||
|
Purifier. Please don't abuse it! This is the logical inverse of
|
||||||
|
%HTML.AllowedElements, and it will override that directive, or any
|
||||||
|
other directive.
|
||||||
|
</p>
|
||||||
|
<p>
|
||||||
|
If possible, %HTML.Allowed is recommended over this directive, because it
|
||||||
|
can sometimes be difficult to tell whether or not you've forbidden all of
|
||||||
|
the behavior you would like to disallow. If you forbid <code>img</code>
|
||||||
|
with the expectation of preventing images on your site, you'll be in for
|
||||||
|
a nasty surprise when people start using the <code>background-image</code>
|
||||||
|
CSS property.
|
||||||
|
</p>
|
@ -296,6 +296,24 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
|
|||||||
E_USER_WARNING);
|
E_USER_WARNING);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// setup forbidden elements
|
||||||
|
$forbidden_elements = $config->get('HTML', 'ForbiddenElements');
|
||||||
|
$forbidden_attributes = $config->get('HTML', 'ForbiddenAttributes');
|
||||||
|
|
||||||
|
foreach ($this->info as $tag => $info) {
|
||||||
|
if (isset($forbidden_elements[$tag])) {
|
||||||
|
unset($this->info[$tag]);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
foreach ($info->attr as $name => $def) {
|
||||||
|
if (isset($forbidden_attributes["$tag.$name"])) {
|
||||||
|
unset($this->info[$tag]->attr[$name]);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
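Review bot: The forbidden-attribute match at `if (isset($forbidden_attributes["$tag.$name"]))` only recognises exact `tag.attr` keys, so an entry written in the `*.attr` form (the syntax a user would expect if this is "the inverse of %HTML.AllowedAttributes", as the new schema text says) silently forbids nothing and the purifier keeps emitting the attribute; if that form is meant to be supported, extend the test to `if (isset($forbidden_attributes["$tag.$name"]) || isset($forbidden_attributes["*.$name"]))`, and if not, say so in the schema description. Relatedly, the preceding context lines show an `E_USER_WARNING` being raised for entries in the allowed lists, but neither forbidden lookup gets any feedback for an entry that matches no element or attribute, so a misspelt forbidden name fails open without a trace; a warning for unmatched keys after the loop would surface that. The `continue;` that follows `unset($this->info[$tag]->attr[$name]);` is the last statement of the inner loop body and is a no-op; drop it. The enclosing method begins above this hunk, so I cannot see whether %HTML.Parent or %HTML.BlockWrapper has already been resolved against `$this->info` by this point — if it has, forbidding that element here leaves the definition pointing at an element that no longer exists, which is worth a check in the same pass.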
|
@ -53,6 +53,21 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function testBlacklistElements() {
|
||||||
|
$this->purifier = new HTMLPurifier(array(
|
||||||
|
'HTML.ForbiddenElements' => array('b'),
|
||||||
|
'HTML.ForbiddenAttributes' => array('a.href')
|
||||||
|
));
|
||||||
|
$this->assertPurification(
|
||||||
|
'<p>Par.</p>'
|
||||||
|
);
|
||||||
|
$this->assertPurification(
|
||||||
|
'<b>Pa<a href="foo">r</a>.</b>',
|
||||||
|
'Pa<a>r</a>.'
|
||||||
|
);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
function testDifferentAllowedCSSProperties() {
|
function testDifferentAllowedCSSProperties() {
|
||||||
|
|
||||||
$this->purifier = new HTMLPurifier(array(
|
$this->purifier = new HTMLPurifier(array(
|
||||||
|
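Review bot: The new `testBlacklistElements` only pins the exact `tag.attr` key (`'a.href'`) and a forbidden element that is actually present, so it does not fix the behaviour for an entry that matches nothing, or for a `*.attr` key; whichever of those behaviours is intended (warning, wildcard match, or plain ignore) should get an assertion here so a later change to the lookup does not go unnoticed. The test name also says "Blacklist" while the directives are named `Forbidden*`; a name like `testForbiddenElementsAndAttributes` would make the mapping to the schema entries obvious. The `testDifferentAllowedCSSProperties` method at the end of this hunk continues outside it.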