mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-03-11 17:18:44 +00:00

[2.1.0] Allow i18n font names

- Minor typos fixed; we're release ready!

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1350 48356398-32a2-884e-a903-53898d9a118a
Edward Z. Yang 2007-08-03 02:48:52 +00:00
parent ee388e86c0
commit a40e16dd2e
6 changed files with 21 additions and 17 deletions

1
NEWS

@ -25,6 +25,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Ruby implemented for XHTML 1.1 ! Ruby implemented for XHTML 1.1
! You can now define custom URI filtering behavior, see enduser-uri-filter.html ! You can now define custom URI filtering behavior, see enduser-uri-filter.html
for more details for more details
! UTF-8 font names now supported in CSS
- AutoFormatters emit friendly error messages if tags or attributes they - AutoFormatters emit friendly error messages if tags or attributes they
need are not allowed need are not allowed
- ConfigForm's compactification of directive names is now configurable - ConfigForm's compactification of directive names is now configurable
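Review bot: the new NEWS line understates the change in HTMLPurifier_AttrDef_CSS_FontFamily: names containing characters other than letters, digits, spaces, '.' and '!' were previously dropped and are now accepted, and every non-alphanumeric name is emitted single-quoted with embedded quotes and newlines backslash-escaped. Suggest something like `! Non-ASCII and punctuated font names now supported in CSS (emitted quoted and escaped)` so readers know the serialized form of existing values may change.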

8
TODO

@ -11,12 +11,6 @@ If no interest is expressed for a feature that may required a considerable
amount of effort to implement, it may get endlessly delayed. Do not be amount of effort to implement, it may get endlessly delayed. Do not be
afraid to cast your vote for the next feature to be implemented! afraid to cast your vote for the next feature to be implemented!
2.1 release [Refactor, refactor!]
- Configuration profiles: predefined directives set with one func call
- Allow non-ASCII characters in font names
- Explain how to use HTML Purifier in non-PHP languages / create
a simple command line stub
2.2 release [Error'ed] 2.2 release [Error'ed]
# Error logging for filtering/cleanup procedures # Error logging for filtering/cleanup procedures
- XSS-attempt detection - XSS-attempt detection
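Review bot: the 2.1 item `- Configuration profiles: predefined directives set with one func call` is deleted here without being re-added anywhere in the later TODO hunk, whereas the command-line-stub item is moved to "Unknown release"; if profiles were not implemented for 2.1, re-file the item under a later release rather than dropping it, or state the decision in the commit message.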
@ -80,6 +74,8 @@ Unknown release (on a scratch-an-itch basis)
- Reorganize configuration directives (Create more namespaces! Get messy!) - Reorganize configuration directives (Create more namespaces! Get messy!)
- Advanced URI filtering schemes (see docs/proposal-new-directives.txt) - Advanced URI filtering schemes (see docs/proposal-new-directives.txt)
- Implement lenient <ruby> child validation - Implement lenient <ruby> child validation
- Explain how to use HTML Purifier in non-PHP languages / create
a simple command line stub (or complicated?)
Requested Requested
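Review bot: the re-filed item now ends in `(or complicated?)`, which leaves its scope undecided; a TODO entry reads better as a decision, so either keep `a simple command line stub` as written or record what a fuller CLI would need as a separate sub-item.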


@ -10,9 +10,7 @@ to be effective. Things to remember:
2. IDs: see enduser-id.html for more info 2. IDs: see enduser-id.html for more info
3. Links: document pending feature completion 3. URIs: see enduser-uri-filter.html
Rudimentary blacklisting, we should also allow only relative URIs. We
need a doc to explain the stuff.
4. CSS: document pending 4. CSS: document pending
Explain which CSS styles we blocked and why. Explain which CSS styles we blocked and why.
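Review bot: the deleted lines `Rudimentary blacklisting, we should also allow only relative URIs. We need a doc to explain the stuff.` record an open hardening item (restricting links to relative URIs) that the replacement `3. URIs: see enduser-uri-filter.html` does not carry; confirm that enduser-uri-filter.html explains how to restrict to relative URIs, and if it does not, keep that sentence as a pending note under item 3.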


@ -32,7 +32,7 @@ Here are some fuzzy levels you could set:
One final note: when you start axing tags that are more commonly used, you One final note: when you start axing tags that are more commonly used, you
run the risk of accidentally destroying user data, especially if the data run the risk of accidentally destroying user data, especially if the data
is incoming from a WYSIWYG eidtor that hasn't been synced accordingly. This may is incoming from a WYSIWYG editor that hasn't been synced accordingly. This may
make forbidden element to text transformations desirable (for example, images). make forbidden element to text transformations desirable (for example, images).


@ -38,19 +38,24 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
$quote = $font[0]; $quote = $font[0];
if ($font[$length - 1] !== $quote) continue; if ($font[$length - 1] !== $quote) continue;
$font = substr($font, 1, $length - 2); $font = substr($font, 1, $length - 2);
// double-backslash processing is buggy
$font = str_replace("\\$quote", $quote, $font); // de-escape quote
$font = str_replace("\\\n", "\n", $font); // de-escape newlines
} }
// process font // $font is a pure representation of the font name
if (ctype_alnum($font)) { if (ctype_alnum($font)) {
// very simple font, allow it in unharmed // very simple font, allow it in unharmed
$final .= $font . ', '; $final .= $font . ', ';
continue; continue;
} }
$nospace = str_replace(array(' ', '.', '!'), '', $font);
if (ctype_alnum($nospace)) { // complicated font, requires quoting
// font with spaces in it
$final .= "'$font', "; // armor single quotes and new lines
continue; $font = str_replace("'", "\\'", $font);
} $font = str_replace("\n", "\\\n", $font);
$final .= "'$font', ";
} }
$final = rtrim($final, ', '); $final = rtrim($final, ', ');
if ($final === '') return false; if ($final === '') return false;
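Review bot: the armoring in the quoting branch is incomplete. `$font = str_replace("'", "\\'", $font);` and `$font = str_replace("\n", "\\\n", $font);` escape quotes and LF, but backslashes already in `$font` are never doubled, so the valid input `'a\\\'b'` (the name a\'b) is de-escaped by `$font = str_replace("\\$quote", $quote, $font);` to a\'b and then serialized as `'a\\'b'`, which a CSS tokenizer reads as the string `a\` followed by a stray `b'` that breaks out of the string context; the `// double-backslash processing is buggy` comment acknowledges the gap. Escape backslashes first (`str_replace('\\', '\\\\', $font)` before the quote replacement), or reject any name containing a backslash. CR and FF also terminate an unescaped CSS string token and should be armored or rejected alongside LF.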


@ -16,6 +16,10 @@ class HTMLPurifier_AttrDef_CSS_FontFamilyTest extends HTMLPurifier_AttrDefHarnes
$this->assertDef('01234'); $this->assertDef('01234');
$this->assertDef(',', false); $this->assertDef(',', false);
$this->assertDef('Times New Roman, serif', '\'Times New Roman\', serif'); $this->assertDef('Times New Roman, serif', '\'Times New Roman\', serif');
$this->assertDef($d = "'John\\'s Font'");
$this->assertDef("John's Font", $d);
$this->assertDef($d = "'\xE5\xAE\x8B\xE4\xBD\x93'");
$this->assertDef("\xE5\xAE\x8B\xE4\xBD\x93", $d);
} }
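Review bot: the new assertions cover an escaped single quote and a UTF-8 name but not a backslash inside the name; add a case whose input contains a backslash followed by a quote (a\'b, written as `'a\\\'b'` in CSS) and assert on the exact serialization, so the escaping order in HTMLPurifier_AttrDef_CSS_FontFamily is pinned down by the test. Also add a short comment that `"\xE5\xAE\x8B\xE4\xBD\x93"` is the UTF-8 encoding of a two-character CJK font name, since the raw bytes are unreadable on their own.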