
[3.1.0] Implement %HTML.Forbidden*

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1671 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2008-04-22 07:16:49 +00:00
parent d3710518ce
commit 4fe475c57f
9 changed files with 77 additions and 8 deletions


@ -15,9 +15,8 @@ with these contents.
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
1. Compatibility 1. Compatibility
HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.0 and HTML Purifier is PHP 5 only, and is actively tested from PHP 5.0.5 and
up (see tests/multitest.php for the specific versions that are being up. It has no core dependencies with other libraries. PHP
tested regularly). It has no core dependencies with other libraries. PHP
4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0. 4 support was deprecated on December 31, 2007 with HTML Purifier 3.0.0.
Essential security fixes will be issued for the 2.1.x branch until Essential security fixes will be issued for the 2.1.x branch until
August 8, 2008. August 8, 2008.

NEWS

@ -50,6 +50,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without ! Finally %CSS.AllowedProperties for tweaking allowed CSS properties without
mucking around with HTMLPurifier_CSSDefinition mucking around with HTMLPurifier_CSSDefinition
! ConfigDoc output has been enhanced with version and deprecation info. ! ConfigDoc output has been enhanced with version and deprecation info.
! %HTML.ForbiddenAttributes and %HTML.ForbiddenElements implemented.
- Autoclose now operates iteratively, i.e. <span><span><div> now has - Autoclose now operates iteratively, i.e. <span><span><div> now has
both span tags closed. both span tags closed.
- Various HTMLPurifier_Config convenience functions now accept another parameter - Various HTMLPurifier_Config convenience functions now accept another parameter


@ -129,6 +129,16 @@
<line>242</line> <line>242</line>
</file> </file>
</directive> </directive>
<directive id="HTML.ForbiddenElements">
<file name="HTMLPurifier/HTMLDefinition.php">
<line>303</line>
</file>
</directive>
<directive id="HTML.ForbiddenAttributes">
<file name="HTMLPurifier/HTMLDefinition.php">
<line>304</line>
</file>
</directive>
<directive id="HTML.Trusted"> <directive id="HTML.Trusted">
<file name="HTMLPurifier/HTMLModuleManager.php"> <file name="HTMLPurifier/HTMLModuleManager.php">
<line>198</line> <line>198</line>



@ -3,16 +3,13 @@ TYPE: lookup/null
VERSION: 1.3.0 VERSION: 1.3.0
DEFAULT: NULL DEFAULT: NULL
--DESCRIPTION-- --DESCRIPTION--
<p> <p>
If HTML Purifier's tag set is unsatisfactory for your needs, you If HTML Purifier's tag set is unsatisfactory for your needs, you
can overload it with your own list of tags to allow. Note that this can overload it with your own list of tags to allow. Note that this
method is subtractive: it does its job by taking away from HTML method is subtractive: it does its job by taking away from HTML Purifier
Purifier
usual feature set, so you cannot add a tag that HTML Purifier never usual feature set, so you cannot add a tag that HTML Purifier never
supported in the first place (like embed, form or head). If you supported in the first place (like embed, form or head). If you
change this, you probably also want to change %HTML.AllowedAttributes. change this, you probably also want to change %HTML.AllowedAttributes.
</p> </p>
<p> <p>
<strong>Warning:</strong> If another directive conflicts with the <strong>Warning:</strong> If another directive conflicts with the


@ -0,0 +1,10 @@
HTML.ForbiddenAttributes
TYPE: lookup
VERSION: 3.1.0
DEFAULT: array()
--DESCRIPTION--
<p>
This directive complements %HTML.ForbiddenElements and is the inverse of
%HTML.AllowedAttributes. Please see the former for a discussion of why you
should think twice before using this directive.
</p>


@ -0,0 +1,19 @@
HTML.ForbiddenElements
TYPE: lookup
VERSION: 3.1.0
DEFAULT: array()
--DESCRIPTION--
<p>
This was, perhaps, the most requested feature ever in HTML
Purifier. Please don't abuse it! This is the logical inverse of
%HTML.AllowedElements, and it will override that directive, or any
other directive.
</p>
<p>
If possible, %HTML.Allowed is recommended over this directive, because it
can sometimes be difficult to tell whether or not you've forbidden all of
the behavior you would like to disallow. If you forbid <code>img</code>
with the expectation of preventing images on your site, you'll be in for
a nasty surprise when people start using the <code>background-image</code>
CSS property.
</p>


@ -296,6 +296,24 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
E_USER_WARNING); E_USER_WARNING);
} }
} }
}
// setup forbidden elements
$forbidden_elements = $config->get('HTML', 'ForbiddenElements');
$forbidden_attributes = $config->get('HTML', 'ForbiddenAttributes');
foreach ($this->info as $tag => $info) {
if (isset($forbidden_elements[$tag])) {
unset($this->info[$tag]);
continue;
}
foreach ($info->attr as $name => $def) {
if (isset($forbidden_attributes["$tag.$name"])) {
unset($this->info[$tag]->attr[$name]);
continue;
}
}
} }
} }
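Review bot: The check `isset($forbidden_attributes["$tag.$name"])` only strips entries from each element's own `$info->attr` map and only under a `tag.attr` key, so an attribute can be forbidden per element but never across all elements, and nothing in the hunk states that key format — it is only discoverable from the test fixture (`'a.href'`). Attributes that reach an element by another route (presumably the global attribute set in `info_global_attr`, if that is still how this class models them — confirm) are not visited by this loop, so a user who forbids such an attribute on a tag may find it still allowed; either document the limitation or extend the loop to cover that set. I would add above the inner foreach: `// Keys are "tag.attr"; only per-element attributes are pruned here — attributes supplied from outside $info->attr are not consulted.` The `continue;` after the inner `unset` is the last statement of that loop body and can be dropped. The enclosing method begins before this hunk.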


@ -53,6 +53,21 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
} }
function testBlacklistElements() {
$this->purifier = new HTMLPurifier(array(
'HTML.ForbiddenElements' => array('b'),
'HTML.ForbiddenAttributes' => array('a.href')
));
$this->assertPurification(
'<p>Par.</p>'
);
$this->assertPurification(
'<b>Pa<a href="foo">r</a>.</b>',
'Pa<a>r</a>.'
);
}
function testDifferentAllowedCSSProperties() { function testDifferentAllowedCSSProperties() {
$this->purifier = new HTMLPurifier(array( $this->purifier = new HTMLPurifier(array(