mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-11-09 15:28:40 +00:00
Code Releases Activity

[3.1.0] Implement tag@attr for Allowed and Forbidden

Browse Source 
- Fix (or null) bug in configdoc

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1695 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2008-04-26 03:14:01 +00:00
parent 1f8619cda5
commit 84aa2ca390
9 changed files with 276 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
NEWS
View File

@ -23,6 +23,10 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
+ HTMLPurifier_HTMLModule->addBlankElement()
+ HTMLPurifier_LanguageFactory::instance()
# Printer_ConfigForm's get*() functions were static-ified
# %HTML.ForbiddenAttributes requires attribute declarations to be in the
form of tag@attr, NOT tag.attr (which will throw an error and won't do
anything). This is for forwards compatibility with XML; you'd do best
to migrate an %HTML.AllowedAttributes directives to this syntax too.
! Allow index to be false for config from form creation
! Added HTMLPurifier::VERSION constant
- InterchangeBuilder now alphabetizes its lists
@ -33,10 +37,14 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
- HTMLPurifier::instance() created for consistency, is equivalent to getInstance()
- Fixed and revamped broken ConfigForm smoketest
- Bug with bool/null fields in Printer_ConfigForm fixed
- Improved error messages for allowed and forbidden HTML elements and attributes
- Missing (or null) in configdoc documentation restored
. Out-of-date documentation revised
. UTF-8 encoding check optimization as suggested by Diego
. HTMLPurifier_Error removed in favor of exceptions
. More copy() function removed; should use clone instead
. More extensive unit tests for HTMLDefinition
. assertPurification moved to central harness
3.1.0rc1, released 2008-04-22
# Autoload support added. Internal require_once's removed in favor of an

2
TODO
View File

@ -52,6 +52,8 @@ FUTURE VERSIONS
Also, enable disabling of directionality
5.0 release [To XML and Beyond]
- AllowedAttributes and ForbiddenAttributes step on the toes of XML by
using periods; this needs to be changed.
- Extended HTML capabilities based on namespacing and tag transforms (COMPLEX)
- Hooks for adding custom processors to custom namespaced tags and
attributes, offer default implementation

4
configdoc/usage.xml
View File

@ -131,12 +131,12 @@
</directive>
<directive id="HTML.ForbiddenElements">
<file name="HTMLPurifier/HTMLDefinition.php">
<line>303</line>
<line>326</line>
</file>
</directive>
<directive id="HTML.ForbiddenAttributes">
<file name="HTMLPurifier/HTMLDefinition.php">
<line>304</line>
<line>327</line>
</file>
</directive>
<directive id="HTML.Trusted">

4
library/HTMLPurifier/ConfigSchema/Builder/Xml.php
View File

@ -71,8 +71,10 @@ class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter
$this->startElement('constraints');
if ($directive->version) $this->writeElement('version', $directive->version);
$this->writeElement('type', $directive->type);
$this->startElement('type');
if ($directive->typeAllowsNull) $this->writeAttribute('allow-null', 'yes');
$this->text($directive->type);
$this->endElement(); // type
if ($directive->allowed) {
$this->startElement('allowed');
foreach ($directive->allowed as $value => $x) $this->writeElement('value', $value);

14
library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt
View File

@ -4,7 +4,17 @@ VERSION: 3.1.0
DEFAULT: array()
--DESCRIPTION--
<p>
This directive complements %HTML.ForbiddenElements and is the inverse of
%HTML.AllowedAttributes. Please see the former for a discussion of why you
While this directive is similar to %HTML.AllowedAttributes, for
forwards-compatibility with XML, this attribute has a different syntax. Instead of
<code>tag.attr</code>, use <code>tag@attr</code>. To disallow <code>href</code>
attributes in <code>a</code> tags, set this directive to
<code>a@href</code>. You can also disallow an attribute globally with
<code>attr</code> or <code>*@attr</code> (either syntax is fine; the latter
is provided for consistency with %HTML.AllowedAttributes).
</p>
<p>
<strong>Warning:</strong> This directive complements %HTML.ForbiddenElements,
accordingly, check
out that directive for a discussion of why you
should think twice before using this directive.
</p>

93
library/HTMLPurifier/HTMLDefinition.php
View File

@ -233,10 +233,10 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
$support = "(for information on implementing this, see the ".
"support forums) ";
// setup allowed elements
// setup allowed elements -----------------------------------------
$allowed_elements = $config->get('HTML', 'AllowedElements');
$allowed_attributes = $config->get('HTML', 'AllowedAttributes');
$allowed_attributes = $config->get('HTML', 'AllowedAttributes'); // retrieve early
if (!is_array($allowed_elements) && !is_array($allowed_attributes)) {
$allowed = $config->get('HTML', 'Allowed');
@ -252,54 +252,79 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
}
// emit errors
foreach ($allowed_elements as $element => $d) {
// :TODO: Is this htmlspecialchars() call really necessary?
$element = htmlspecialchars($element);
$element = htmlspecialchars($element); // PHP doesn't escape errors, be careful!
trigger_error("Element '$element' is not supported $support", E_USER_WARNING);
}
}
// setup allowed attributes ---------------------------------------
$allowed_attributes_mutable = $allowed_attributes; // by copy!
if (is_array($allowed_attributes)) {
foreach ($this->info_global_attr as $attr_key => $info) {
if (!isset($allowed_attributes["*.$attr_key"])) {
unset($this->info_global_attr[$attr_key]);
} elseif (isset($allowed_attributes_mutable["*.$attr_key"])) {
unset($allowed_attributes_mutable["*.$attr_key"]);
// This actually doesn't do anything, since we went away from
// global attributes. It's possible that userland code uses
// it, but HTMLModuleManager doesn't!
foreach ($this->info_global_attr as $attr => $x) {
$keys = array($attr, "*@$attr", "*.$attr");
$delete = true;
foreach ($keys as $key) {
if ($delete && isset($allowed_attributes[$key])) {
$delete = false;
}
if (isset($allowed_attributes_mutable[$key])) {
unset($allowed_attributes_mutable[$key]);
}
}
if ($delete) unset($this->info_global_attr[$attr]);
}
foreach ($this->info as $tag => $info) {
foreach ($info->attr as $attr => $attr_info) {
if (!isset($allowed_attributes["$tag.$attr"]) &&
!isset($allowed_attributes["*.$attr"])) {
unset($this->info[$tag]->attr[$attr]);
} else {
if (isset($allowed_attributes_mutable["$tag.$attr"])) {
unset($allowed_attributes_mutable["$tag.$attr"]);
} elseif (isset($allowed_attributes_mutable["*.$attr"])) {
unset($allowed_attributes_mutable["*.$attr"]);
foreach ($info->attr as $attr => $x) {
$keys = array("$tag@$attr", $attr, "*@$attr", "$tag.$attr", "*.$attr");
$delete = true;
foreach ($keys as $key) {
if ($delete && isset($allowed_attributes[$key])) {
$delete = false;
}
if (isset($allowed_attributes_mutable[$key])) {
unset($allowed_attributes_mutable[$key]);
}
}
if ($delete) unset($this->info[$tag]->attr[$attr]);
}
}
// emit errors
foreach ($allowed_attributes_mutable as $elattr => $d) {
list($element, $attribute) = explode('.', $elattr);
// :TODO: Is this htmlspecialchars() call really necessary?
$element = htmlspecialchars($element);
$attribute = htmlspecialchars($attribute);
if ($element == '*') {
trigger_error("Global attribute '$attribute' is not ".
"supported in any elements $support",
E_USER_WARNING);
$bits = preg_split('/[.@]/', $elattr, 2);
$c = count($bits);
switch ($c) {
case 2:
if ($bits[0] !== '*') {
$element = htmlspecialchars($bits[0]);
$attribute = htmlspecialchars($bits[1]);
if (!isset($this->info[$element])) {
trigger_error("Cannot allow attribute '$attribute' if element '$element' is not allowed/supported $support");
} else {
trigger_error("Attribute '$attribute' in element '$element' not supported $support",
E_USER_WARNING);
}
break;
}
// otherwise fall through
case 1:
$attribute = htmlspecialchars($bits[0]);
trigger_error("Global attribute '$attribute' is not ".
"supported in any elements $support",
E_USER_WARNING);
break;
}
}
}
// setup forbidden elements
// setup forbidden elements ---------------------------------------
$forbidden_elements = $config->get('HTML', 'ForbiddenElements');
$forbidden_attributes = $config->get('HTML', 'ForbiddenAttributes');
@ -308,10 +333,18 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
unset($this->info[$tag]);
continue;
}
foreach ($info->attr as $name => $def) {
if (isset($forbidden_attributes["$tag.$name"])) {
unset($this->info[$tag]->attr[$name]);
foreach ($info->attr as $attr => $x) {
if (
isset($forbidden_attributes["$tag@$attr"]) ||
isset($forbidden_attributes["*@$attr"]) ||
isset($forbidden_attributes[$attr])
) {
unset($this->info[$tag]->attr[$attr]);
continue;
} // this segment might get removed eventually
elseif (isset($forbidden_attributes["$tag.$attr"])) {
// $tag.$attr are not user supplied, so no worries!
trigger_error("Error with $tag.$attr: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead", E_USER_WARNING);
}
}
}

148
tests/HTMLPurifier/HTMLDefinitionTest.php
View File

@ -59,7 +59,7 @@ a[href|title]
$config1 = HTMLPurifier_Config::create(array(
'HTML.AllowedElements' => array('b', 'i', 'p', 'a'),
'HTML.AllowedAttributes' => array('a.href', '*.id')
'HTML.AllowedAttributes' => array('a@href', '*@id')
));
$config2 = HTMLPurifier_Config::create(array(
@ -70,6 +70,150 @@ a[href|title]
}
function assertPurification_AllowedElements_p() {
$this->assertPurification('<p><b>Jelly</b></p>', '<p>Jelly</p>');
}
function test_AllowedElements() {
$this->config->set('HTML', 'AllowedElements', 'p');
$this->assertPurification_AllowedElements_p();
}
function test_AllowedElements_multiple() {
$this->config->set('HTML', 'AllowedElements', 'p,div');
$this->assertPurification('<div><p><b>Jelly</b></p></div>', '<div><p>Jelly</p></div>');
}
function test_AllowedElements_invalidElement() {
$this->config->set('Cache', 'DefinitionImpl', null); // Necessary to ensure error is thrown
$this->config->set('HTML', 'AllowedElements', 'obviously_invalid,p');
$this->expectError(new PatternExpectation("/Element 'obviously_invalid' is not supported/"));
$this->assertPurification_AllowedElements_p();
}
function test_AllowedElements_invalidElement_xssAttempt() {
$this->config->set('Cache', 'DefinitionImpl', null);
$this->config->set('HTML', 'AllowedElements', '<script>,p');
$this->expectError(new PatternExpectation("/Element '&lt;script&gt;' is not supported/"));
$this->assertPurification_AllowedElements_p();
}
function test_AllowedElements_multipleInvalidElements() {
$this->config->set('Cache', 'DefinitionImpl', null);
$this->config->set('HTML', 'AllowedElements', 'dr-wiggles,dr-pepper,p');
$this->expectError(new PatternExpectation("/Element 'dr-wiggles' is not supported/"));
$this->expectError(new PatternExpectation("/Element 'dr-pepper' is not supported/"));
$this->assertPurification_AllowedElements_p();
}
function assertPurification_AllowedAttributes_global_style() {
$this->assertPurification(
'<p style="font-weight:bold;" class="foo">Jelly</p><br style="clear:both;" />',
'<p style="font-weight:bold;">Jelly</p><br style="clear:both;" />');
}
function test_AllowedAttributes_global_preferredSyntax() {
$this->config->set('HTML', 'AllowedAttributes', 'style');
$this->assertPurification_AllowedAttributes_global_style();
}
function test_AllowedAttributes_global_verboseSyntax() {
$this->config->set('HTML', 'AllowedAttributes', '*@style');
$this->assertPurification_AllowedAttributes_global_style();
}
function test_AllowedAttributes_global_discouragedSyntax() {
// Emit errors eventually
$this->config->set('HTML', 'AllowedAttributes', '*.style');
$this->assertPurification_AllowedAttributes_global_style();
}
function assertPurification_AllowedAttributes_local_p_style() {
$this->assertPurification(
'<p style="font-weight:bold;" class="foo">Jelly</p><br style="clear:both;" />',
'<p style="font-weight:bold;">Jelly</p><br />');
}
function test_AllowedAttributes_local_preferredSyntax() {
$this->config->set('HTML', 'AllowedAttributes', 'p@style');
$this->assertPurification_AllowedAttributes_local_p_style();
}
function test_AllowedAttributes_local_discouragedSyntax() {
$this->config->set('HTML', 'AllowedAttributes', 'p.style');
$this->assertPurification_AllowedAttributes_local_p_style();
}
function test_AllowedAttributes_multiple() {
$this->config->set('HTML', 'AllowedAttributes', 'p@style,br@class,title');
$this->assertPurification(
'<p style="font-weight:bold;" class="foo" title="foo">Jelly</p><br style="clear:both;" class="foo" title="foo" />',
'<p style="font-weight:bold;" title="foo">Jelly</p><br class="foo" title="foo" />'
);
}
function test_AllowedAttributes_local_invalidAttribute() {
$this->config->set('Cache', 'DefinitionImpl', null);
$this->config->set('HTML', 'AllowedAttributes', array('p@style', 'p@<foo>'));
$this->expectError(new PatternExpectation("/Attribute '&lt;foo&gt;' in element 'p' not supported/"));
$this->assertPurification_AllowedAttributes_local_p_style();
}
function test_AllowedAttributes_global_invalidAttribute() {
$this->config->set('Cache', 'DefinitionImpl', null);
$this->config->set('HTML', 'AllowedAttributes', array('style', '<foo>'));
$this->expectError(new PatternExpectation("/Global attribute '&lt;foo&gt;' is not supported in any elements/"));
$this->assertPurification_AllowedAttributes_global_style();
}
function test_AllowedAttributes_local_invalidAttributeDueToMissingElement() {
$this->config->set('Cache', 'DefinitionImpl', null);
$this->config->set('HTML', 'AllowedAttributes', 'p.style,foo.style');
$this->expectError(new PatternExpectation("/Cannot allow attribute 'style' if element 'foo' is not allowed\/supported/"));
$this->assertPurification_AllowedAttributes_local_p_style();
}
function test_AllowedAttributes_duplicate() {
$this->config->set('HTML', 'AllowedAttributes', 'p.style,p@style');
$this->assertPurification_AllowedAttributes_local_p_style();
}
function test_AllowedAttributes_multipleErrors() {
$this->config->set('HTML', 'AllowedAttributes', 'p.style,foo.style,<foo>');
$this->expectError(new PatternExpectation("/Cannot allow attribute 'style' if element 'foo' is not allowed\/supported/"));
$this->expectError(new PatternExpectation("/Global attribute '&lt;foo&gt;' is not supported in any elements/"));
$this->assertPurification_AllowedAttributes_local_p_style();
}
function test_ForbiddenElements() {
$this->config->set('HTML', 'ForbiddenElements', 'b');
$this->assertPurification('<b>b</b><i>i</i>', 'b<i>i</i>');
}
function test_ForbiddenElements_invalidElement() {
$this->config->set('HTML', 'ForbiddenElements', 'obviously_incorrect');
// no error!
$this->assertPurification('<i>i</i>');
}
function assertPurification_ForbiddenAttributes_b_style() {
$this->assertPurification(
'<b style="float:left;">b</b><i style="float:left;">i</i>',
'<b>b</b><i style="float:left;">i</i>');
}
function test_ForbiddenAttributes() {
$this->config->set('HTML', 'ForbiddenAttributes', 'b@style');
$this->assertPurification_ForbiddenAttributes_b_style();
}
function test_ForbiddenAttributes_incorrectSyntax() {
$this->config->set('Cache', 'DefinitionImpl', null);
$this->config->set('HTML', 'ForbiddenAttributes', 'b.style');
$this->expectError("Error with b.style: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead");
$this->assertPurification('<b style="float:left;">Test</b>');
}
function test_addAttribute() {
$config = HTMLPurifier_Config::create(array(
@ -116,5 +260,7 @@ a[href|title]
}
}

16
tests/HTMLPurifier/Harness.php
View File

@ -10,15 +10,27 @@ class HTMLPurifier_Harness extends UnitTestCase
parent::__construct();
}
protected $config, $context;
protected $config, $context, $purifier;
/**
* Generates easily accessible default config/context
* Generates easily accessible default config/context, as well as
* a convenience purifier for integration testing.
*/
public function setUp() {
list($this->config, $this->context) = $this->createCommon();
$this->purifier = new HTMLPurifier();
}
/**
* Asserts a purification. Good for integration testing.
*/
function assertPurification($input, $expect = null) {
if ($expect === null) $expect = $input;
$result = $this->purifier->purify($input, $this->config);
$this->assertIdentical($expect, $result);
}
/**
* Accepts config and context and prepares them into a valid state
* @param &$config Reference to config variable

61
tests/HTMLPurifierTest.php
View File

@ -4,24 +4,12 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
{
protected $purifier;
function setUp() {
$this->purifier = new HTMLPurifier();
}
function assertPurification($input, $expect = null, $config = array()) {
if ($expect === null) $expect = $input;
$result = $this->purifier->purify($input, $config);
$this->assertIdentical($expect, $result);
}
function testNull() {
$this->assertPurification("Null byte\0", "Null byte");
}
function testStrict() {
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'Strict', true);
$this->purifier = new HTMLPurifier( $config ); // verbose syntax
$this->config->set('HTML', 'Strict', true);
$this->assertPurification(
'<u>Illegal underline</u>',
@ -37,10 +25,8 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
function testDifferentAllowedElements() {
$this->purifier = new HTMLPurifier(array(
'HTML.AllowedElements' => array('b', 'i', 'p', 'a'),
'HTML.AllowedAttributes' => array('a.href', '*.id')
));
$this->config->set('HTML', 'AllowedElements', array('b', 'i', 'p', 'a'));
$this->config->set('HTML', 'AllowedAttributes', array('a.href', '*.id'));
$this->assertPurification(
'<p>Par.</p><p>Para<a href="http://google.com/">gr</a>aph</p>Text<b>Bol<i>d</i></b>'
@ -54,10 +40,9 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
}
function testBlacklistElements() {
$this->purifier = new HTMLPurifier(array(
'HTML.ForbiddenElements' => array('b'),
'HTML.ForbiddenAttributes' => array('a.href')
));
$this->config->set('HTML', 'ForbiddenElements', array('b'));
$this->config->set('HTML', 'ForbiddenAttributes', array('a@href'));
$this->assertPurification(
'<p>Par.</p>'
);
@ -70,9 +55,7 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
function testDifferentAllowedCSSProperties() {
$this->purifier = new HTMLPurifier(array(
'CSS.AllowedProperties' => array('color', 'background-color')
));
$this->config->set('CSS', 'AllowedProperties', array('color', 'background-color'));
$this->assertPurification(
'<div style="color:#f00;background-color:#ded;">red</div>'
@ -87,7 +70,7 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
function testDisableURI() {
$this->purifier = new HTMLPurifier( array('URI.Disable' => true) );
$this->config->set('URI', 'Disable', true);
$this->assertPurification(
'<img src="foobar"/>',
@ -98,8 +81,6 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
function test_purifyArray() {
$this->purifier = new HTMLPurifier();
$this->assertIdentical(
$this->purifier->purifyArray(
array('Good', '<b>Sketchy', 'foo' => '<script>bad</script>')
@ -111,23 +92,24 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
}
function testEnableAttrID() {
$this->purifier = new HTMLPurifier();
function testAttrIDDisabledByDefault() {
$this->assertPurification(
'<span id="moon">foobar</span>',
'<span>foobar</span>'
);
$this->purifier = new HTMLPurifier(array('Attr.EnableID' => true));
}
function testEnableAttrID() {
$this->config->set('Attr', 'EnableID', true);
$this->assertPurification('<span id="moon">foobar</span>');
$this->assertPurification('<img id="folly" src="folly.png" alt="Omigosh!" />');
}
function testScript() {
$this->purifier = new HTMLPurifier(array('HTML.Trusted' => true));
$this->config->set('HTML', 'Trusted', true);
$ideal = '<script type="text/javascript"><!--//--><![CDATA[//><!--
alert("<This is compatible with XHTML>");
//--><!]]></script>';
@ -168,24 +150,21 @@ alert("<This is compatible with XHTML>");
}
function testMakeAbsolute() {
$this->config->set('URI', 'Base', 'http://example.com/bar/baz.php');
$this->config->set('URI', 'MakeAbsolute', true);
$this->assertPurification(
'<a href="foo.txt">Foobar</a>',
'<a href="http://example.com/bar/foo.txt">Foobar</a>',
array(
'URI.Base' => 'http://example.com/bar/baz.php',
'URI.MakeAbsolute' => true
)
'<a href="http://example.com/bar/foo.txt">Foobar</a>'
);
}
function test_addFilter_deprecated() {
$purifier = new HTMLPurifier();
$this->expectError('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom');
generate_mock_once('HTMLPurifier_Filter');
$purifier->addFilter($mock = new HTMLPurifier_FilterMock());
$this->purifier->addFilter($mock = new HTMLPurifier_FilterMock());
$mock->expectOnce('preFilter');
$mock->expectOnce('postFilter');
$purifier->purify('foo');
$this->purifier->purify('foo');
}
}