mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 16:31:53 +00:00

[3.1.1] Lazy token updating for HTMLPurifier/AttrValidator.php

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1757 48356398-32a2-884e-a903-53898d9a118a
Edward Z. Yang 2008-05-21 02:30:27 +00:00
parent 5620241165
commit af3f5190dc
3 changed files with 9 additions and 5 deletions

3
NEWS

@ -12,6 +12,9 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
3.1.1, unknown release date
! More robust imagecrash protection with height/width CSS with %CSS.MaxImgLength.
- Disable percent height/width attributes for img
- AttrValidator operations are now atomic; updates to attributes are not
manifest in token until end of operations. This prevents naughty internal
code from directly modifying CurrentToken when they're not supposed to.
. Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient
handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses
this class.
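Review bot: the second sentence of the new entry ("This prevents naughty internal code from directly modifying CurrentToken") promises more than the code change delivers. The validator now works on a copy and assigns `$token->attr = $attr;` at the end, so code that obtains CurrentToken from the context can still write to its attributes; those writes are simply overwritten by the final assignment. Suggest wording along the lines of "changes made to CurrentToken during validation are discarded", and add that code reading CurrentToken during validation now sees the pre-validation attributes, since that is the part custom attribute code will notice.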

5
TODO

@ -12,9 +12,8 @@ amount of effort to implement, it may get endlessly delayed. Do not be
afraid to cast your vote for the next feature to be implemented!
- Implement validation for query and for fragment
- Prevent percentages from being used in width/height attribute in images
- Maintain old attribute data in tokens (configurable?)
- Lazy update of token when validating attributes?
- Ability to fully turn off imagecrash fixes (attribute and CSS will require
two separate directives due to our architecture.)
- Investigate how early internal structures can be accessed; this would
prevent structures from being parsed and serialized multiple times.
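Review bot: the item "Prevent percentages from being used in width/height attribute in images" stays in the list, but the NEWS file in this same commit already shows "Disable percent height/width attributes for img" under 3.1.1. If that entry covers it, remove the TODO item here as well so the list does not advertise finished work; if something is still open, narrow the wording to what remains.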


@ -43,8 +43,8 @@ class HTMLPurifier_AttrValidator
// DEFINITION CALL
$d_defs = $definition->info_global_attr;
// reference attributes for easy manipulation
$attr =& $token->attr;
// don't update token until the very end, to ensure an atomic update
$attr = $token->attr;
// do global transformations (pre)
// nothing currently utilizes this
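Review bot: with `$attr = $token->attr;` now a copy rather than a reference, the method is only correct if every exit path reaches the write-back added in the next hunk. The lines between the two hunks are not shown here, so please confirm there is no early `return` after this point; any such path would silently drop the validated attributes and leave the unvalidated ones on the token, which for a filter is the unsafe direction. It would also help to extend the new comment to say that CurrentToken keeps the original attributes until the end, since that is what other code observes.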
@ -139,6 +139,8 @@ class HTMLPurifier_AttrValidator
if ($e && ($attr != $o)) $e->send(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr);
}
$token->attr = $attr;
// destroy CurrentToken if we made it ourselves
if (!$current_token) $context->destroy('CurrentToken');
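Review bot: the commit touches NEWS, TODO and the validator but adds no test, and the single line `$token->attr = $attr;` is now what carries every validated attribute back to the token. Suggest a regression test with an attribute definition that inspects CurrentToken during validation and asserts it sees the original attributes, plus an assertion that the token holds the validated set once validation returns. That would pin down the atomic behaviour the NEWS entry describes and catch a later refactor that drops or moves the write-back.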