From a40e16dd2e3ba457126f0606089a835c00096d73 Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Fri, 3 Aug 2007 02:48:52 +0000 Subject: [PATCH] [2.1.0] Allow i18n font names - Minor typos fixed; we're release ready! git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1350 48356398-32a2-884e-a903-53898d9a118a --- NEWS | 1 + TODO | 8 ++------ docs/enduser-security.txt | 4 +--- docs/proposal-filter-levels.txt | 2 +- .../HTMLPurifier/AttrDef/CSS/FontFamily.php | 19 ++++++++++++------- .../AttrDef/CSS/FontFamilyTest.php | 4 ++++ 6 files changed, 21 insertions(+), 17 deletions(-) diff --git a/NEWS b/NEWS index 6796ddd3..0ffe6bb9 100644 --- a/NEWS +++ b/NEWS @@ -25,6 +25,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier ! Ruby implemented for XHTML 1.1 ! You can now define custom URI filtering behavior, see enduser-uri-filter.html for more details +! UTF-8 font names now supported in CSS - AutoFormatters emit friendly error messages if tags or attributes they need are not allowed - ConfigForm's compactification of directive names is now configurable diff --git a/TODO b/TODO index 6cc9f895..6960d4b5 100644 --- a/TODO +++ b/TODO @@ -11,12 +11,6 @@ If no interest is expressed for a feature that may required a considerable amount of effort to implement, it may get endlessly delayed. Do not be afraid to cast your vote for the next feature to be implemented! -2.1 release [Refactor, refactor!] - - Configuration profiles: predefined directives set with one func call - - Allow non-ASCII characters in font names - - Explain how to use HTML Purifier in non-PHP languages / create - a simple command line stub - 2.2 release [Error'ed] # Error logging for filtering/cleanup procedures - XSS-attempt detection 
@@ -80,6 +74,8 @@ Unknown release (on a scratch-an-itch basis) - Reorganize configuration directives (Create more namespaces! Get messy!) - Advanced URI filtering schemes (see docs/proposal-new-directives.txt) - Implement lenient child validation + - Explain how to use HTML Purifier in non-PHP languages / create + a simple command line stub (or complicated?) Requested diff --git a/docs/enduser-security.txt b/docs/enduser-security.txt index 49aff331..dd856395 100644 --- a/docs/enduser-security.txt +++ b/docs/enduser-security.txt @@ -10,9 +10,7 @@ to be effective. Things to remember: 2. IDs: see enduser-id.html for more info -3. Links: document pending feature completion -Rudimentary blacklisting, we should also allow only relative URIs. We -need a doc to explain the stuff. +3. URIs: see enduser-uri-filter.html 4. CSS: document pending Explain which CSS styles we blocked and why. diff --git a/docs/proposal-filter-levels.txt b/docs/proposal-filter-levels.txt index 9e9cfbb0..3118c644 100644 --- a/docs/proposal-filter-levels.txt +++ b/docs/proposal-filter-levels.txt @@ -32,7 +32,7 @@ Here are some fuzzy levels you could set: One final note: when you start axing tags that are more commonly used, you run the risk of accidentally destroying user data, especially if the data -is incoming from a WYSIWYG eidtor that hasn't been synced accordingly. This may +is incoming from a WYSIWYG editor that hasn't been synced accordingly. This may make forbidden element to text transformations desirable (for example, images). diff --git a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php index 223e7769..dfd89b95 100644 --- a/library/HTMLPurifier/AttrDef/CSS/FontFamily.php +++ b/library/HTMLPurifier/AttrDef/CSS/FontFamily.php 
@@ -38,19 +38,24 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef $quote = $font[0]; if ($font[$length - 1] !== $quote) continue; $font = substr($font, 1, $length - 2); + // double-backslash processing is buggy + $font = str_replace("\\$quote", $quote, $font); // de-escape quote + $font = str_replace("\\\n", "\n", $font); // de-escape newlines } - // process font + // $font is a pure representation of the font name + if (ctype_alnum($font)) { // very simple font, allow it in unharmed $final .= $font . ', '; continue; } - $nospace = str_replace(array(' ', '.', '!'), '', $font); - if (ctype_alnum($nospace)) { - // font with spaces in it - $final .= "'$font', "; - continue; - } + + // complicated font, requires quoting + + // armor single quotes and new lines + $font = str_replace("'", "\\'", $font); + $font = str_replace("\n", "\\\n", $font); + $final .= "'$font', "; } $final = rtrim($final, ', '); if ($final === '') return false; diff --git a/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php b/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php index 861cbb32..25571128 100644 --- a/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php +++ b/tests/HTMLPurifier/AttrDef/CSS/FontFamilyTest.php @@ -16,6 +16,10 @@ class HTMLPurifier_AttrDef_CSS_FontFamilyTest extends HTMLPurifier_AttrDefHarnes $this->assertDef('01234'); $this->assertDef(',', false); $this->assertDef('Times New Roman, serif', '\'Times New Roman\', serif'); + $this->assertDef($d = "'John\\'s Font'"); + $this->assertDef("John's Font", $d); + $this->assertDef($d = "'\xE5\xAE\x8B\xE4\xBD\x93'"); + $this->assertDef("\xE5\xAE\x8B\xE4\xBD\x93", $d); }
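Review bot: The armoring step ahead of `$final .= "'$font', ";` escapes only `'` and `\n`, so a literal backslash in the name survives untouched; an unquoted name ending in `\` is emitted as `'name\'`, where the backslash escapes the quote that was meant to close the CSS string and the following text is read as string content. Add `$font = str_replace('\\', '\\\\', $font);` before the quote replacement so that the escaping backslashes inserted by the later replacements are not doubled themselves. The de-escape step above strips only `\<quote>` and `\<newline>` (its own comment flags `\\` as buggy), so a quoted input containing `\\` would then be doubled again on output; that path needs a matching de-escape, ideally one single-pass unescape instead of sequential `str_replace` calls. CR and FF also terminate an unescaped CSS string and are not armored, so they should be escaped or stripped alongside `\n`, and the FontFamilyTest hunk below has no case exercising a backslash in a font name. The enclosing validate method starts and ends outside the hunk.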