0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 16:31:53 +00:00

[1.4.0] Implemented AttrDef_CSSURI for url(http://google.com) style declarations

- 1.3.3 release downgraded to "not likely"

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@639 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2007-01-14 15:54:05 +00:00
parent d52189a19d
commit 582ffc4143
5 changed files with 101 additions and 2 deletions

4
NEWS
View File

@ -10,9 +10,9 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
========================== ==========================
1.4.0, unknown release date 1.4.0, unknown release date
(major feature release) . Implemented AttrDef_CSSURI for url(http://google.com) style declarations
1.3.3, unknown release date, may be dropped 1.3.3, unknown release date, likely to be dropped
! Moved SLOW to docs/enduser-slow.html and added code examples ! Moved SLOW to docs/enduser-slow.html and added code examples
1.3.2, released 2006-12-25 1.3.2, released 2006-12-25

View File

@ -20,6 +20,9 @@ class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
// we're going to break the spec and explode by semicolons. // we're going to break the spec and explode by semicolons.
// This is because semicolon rarely appears in escaped form // This is because semicolon rarely appears in escaped form
// Doing this is generally flaky but fast
// IT MIGHT APPEAR IN URIs, see HTMLPurifier_AttrDef_CSSURI
// for details
$declarations = explode(';', $css); $declarations = explode(';', $css);
$propvalues = array(); $propvalues = array();

View File

@ -0,0 +1,58 @@
<?php
require_once 'HTMLPurifier/AttrDef/URI.php';
/**
* Validates a URI in CSS syntax, which uses url('http://example.com')
* @note While theoretically speaking we a URI in a CSS document could
* be non-embedded, as of CSS2 there is no such usage so we're
* generalizing it. This may need to be changed in the future.
* @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as
* the separator, you cannot put a literal semicolon in
* in the URI. Try percent encoding it, in that case.
*/
class HTMLPurifier_AttrDef_CSSURI extends HTMLPurifier_AttrDef_URI
{
function HTMLPurifier_AttrDef_CSSURI() {
$this->HTMLPurifier_AttrDef_URI(true); // always embedded
}
function validate($uri_string, $config, &$context) {
// parse the URI out of the string and then pass it onto
// the parent object
$uri_string = $this->parseCDATA($uri_string);
if (strpos($uri_string, 'url(') !== 0) return false;
$uri_string = substr($uri_string, 4);
$new_length = strlen($uri_string) - 1;
if ($uri_string[$new_length] != ')') return false;
$uri = trim(substr($uri_string, 0, $new_length));
if (isset($uri[0]) && ($uri[0] == "'" || $uri[0] == '"')) {
$quote = $uri[0];
$new_length = strlen($uri) - 1;
if ($uri[$new_length] !== $quote) return false;
$uri = substr($uri, 1, $new_length - 1);
}
$keys = array( '(', ')', ',', ' ', '"', "'");
$values = array('\\(', '\\)', '\\,', '\\ ', '\\"', "\\'");
$uri = str_replace($values, $keys, $uri);
$result = parent::validate($uri, $config, $context);
if ($result === false) return false;
// escape necessary characters according to CSS spec
// except for the comma, none of these should appear in the
// URI at all
$result = str_replace($keys, $values, $result);
return "url($result)";
}
}
?>

View File

@ -0,0 +1,37 @@
<?php
require_once 'HTMLPurifier/AttrDef/CSSURI.php';
require_once 'HTMLPurifier/AttrDefHarness.php';
class HTMLPurifier_AttrDef_CSSURITest extends HTMLPurifier_AttrDefHarness
{
function test() {
$this->def = new HTMLPurifier_AttrDef_CSSURI();
$this->assertDef('', false);
// we could be nice but we won't be
$this->assertDef('http://www.example.com/', false);
// no quotes are used, since that's the most widely supported
// syntax
$this->assertDef('url(', false);
$this->assertDef('url()', true);
$result = "url(http://www.example.com/)";
$this->assertDef('url(http://www.example.com/)', $result);
$this->assertDef('url("http://www.example.com/")', $result);
$this->assertDef("url('http://www.example.com/')", $result);
$this->assertDef(
' url( "http://www.example.com/" ) ', $result);
// escaping
$this->assertDef("url(http://www.example.com/foo,bar\))",
"url(http://www.example.com/foo\,bar\))");
}
}
?>

View File

@ -84,6 +84,7 @@ $test_files[] = 'AttrDef/FontTest.php';
$test_files[] = 'AttrDef/BorderTest.php'; $test_files[] = 'AttrDef/BorderTest.php';
$test_files[] = 'AttrDef/ListStyleTest.php'; $test_files[] = 'AttrDef/ListStyleTest.php';
$test_files[] = 'AttrDef/Email/SimpleCheckTest.php'; $test_files[] = 'AttrDef/Email/SimpleCheckTest.php';
$test_files[] = 'AttrDef/CSSURITest.php';
$test_files[] = 'IDAccumulatorTest.php'; $test_files[] = 'IDAccumulatorTest.php';
$test_files[] = 'TagTransformTest.php'; $test_files[] = 'TagTransformTest.php';
$test_files[] = 'AttrTransform/LangTest.php'; $test_files[] = 'AttrTransform/LangTest.php';