diff --git a/NEWS b/NEWS
index cbb47927..0a8b994f 100644
--- a/NEWS
+++ b/NEWS
@@ -10,16 +10,17 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 ==========================
 1.6.0, unknown release date
-! Support for all deprecated attributes via attribute transformations
+! Support for most common deprecated attributes via transformations:
+ bgcolor in td, th, tr and table
+ border in img
+ name in a and img
+ width in td, th and hr
+ height in td, th
- + (incomplete)
 ! Support for CSS attribute 'height' added
 ! Support for rel and rev attributes in a tags added, use %Attr.AllowedRel
 and %Attr.AllowedRev to activate
+- You can define ID blacklists using regular expressions via
+ %Attr.IDBlacklistRegexp
 1.5.1, unknown release date
 - Fix segfault in unit test. The problem is not very reproduceable and
diff --git a/TODO b/TODO
index 807266a2..b6ce9930 100644
--- a/TODO
+++ b/TODO
@@ -8,7 +8,6 @@ TODO List
 ==========================
 1.6 release [Long Overdue]
- - Regexp matching for IDs
 - More user-friendly warnings when %HTML.Allow* attempts to specify a tag
 or attribute that is not supported
diff --git a/library/HTMLPurifier/AttrDef/HTML/ID.php b/library/HTMLPurifier/AttrDef/HTML/ID.php
index 2a6d2c9a..c8bf2991 100644
--- a/library/HTMLPurifier/AttrDef/HTML/ID.php
+++ b/library/HTMLPurifier/AttrDef/HTML/ID.php
@@ -43,6 +43,14 @@ HTMLPurifier_ConfigSchema::define(
 'is set to a non-empty value! This directive was available since 1.2.0.'
 );
+HTMLPurifier_ConfigSchema::define(
+ 'Attr', 'IDBlacklistRegexp', null, 'string/null',
+ 'PCRE regular expression to be matched against all IDs. If the expression '.
+ 'is matches, the ID is rejected. Use this with care: may cause '.
+ 'significant degradation. ID matching is done after all other '.
+ 'validation. This directive was available since 1.6.0.'
+);
+
 /**
 * Validates the HTML attribute ID.
 * @warning Even though this is the id processor, it
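Review bot: The new directive description has a grammatical slip in its fourth added line, `'is matches, the ID is rejected. Use this with care: may cause '.` should read `'matches, the ID is rejected. Use this with care: may cause '.`. The text should also state that the value is handed to preg_match() unchanged, so it must carry its own delimiters and modifiers (the test added in this commit uses '/^g_/'), and that a pattern which does not compile or exhausts PCRE's backtrack limit is reported by preg_match() as an error rather than as a match. Since the subject string is attacker-supplied markup while the pattern is operator-supplied, a sentence recommending short, anchored patterns would make the existing "significant degradation" warning actionable.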
@@ -94,6 +102,11 @@ class HTMLPurifier_AttrDef_HTML_ID extends HTMLPurifier_AttrDef
 $result = ($trim === '');
 }
+ $regexp = $config->get('Attr', 'IDBlacklistRegexp');
+ if ($regexp && preg_match($regexp, $id)) {
+ return false;
+ }
+
 if (/*!$this->ref && */$result) $id_accumulator->add($id);
 // if no change was made to the ID, return the result
diff --git a/library/HTMLPurifier/AttrDef/HTML/LinkTypes.php b/library/HTMLPurifier/AttrDef/HTML/LinkTypes.php
index 45c17cb2..94a47ba9 100644
--- a/library/HTMLPurifier/AttrDef/HTML/LinkTypes.php
+++ b/library/HTMLPurifier/AttrDef/HTML/LinkTypes.php
@@ -6,14 +6,15 @@ HTMLPurifier_ConfigSchema::define(
 'Attr', 'AllowedRel', array(), 'lookup',
 'List of allowed forward document relationships in the rel attribute. '.
 'Common values may be nofollow or print. By default, this is empty, '.
- 'meaning that no document relationships are allowed.'
+ 'meaning that no document relationships are allowed. This directive '.
+ 'was available since 1.6.0.'
 );
 HTMLPurifier_ConfigSchema::define(
 'Attr', 'AllowedRev', array(), 'lookup',
 'List of allowed reverse document relationships in the rev attribute. '.
 'This attribute is a bit of an edge-case; if you don\'t know what it '.
- 'is for, stay away.'
+ 'is for, stay away. This directive was available since 1.6.0.'
 );
 /**
diff --git a/tests/HTMLPurifier/AttrDef/HTML/IDTest.php b/tests/HTMLPurifier/AttrDef/HTML/IDTest.php
index a604ca0c..98fffbba 100644
--- a/tests/HTMLPurifier/AttrDef/HTML/IDTest.php
+++ b/tests/HTMLPurifier/AttrDef/HTML/IDTest.php
@@ -95,6 +95,15 @@ class HTMLPurifier_AttrDef_HTML_IDTest extends HTMLPurifier_AttrDefHarness
 }
+ function testRegexp() {
+
+ $this->config->set('Attr', 'IDBlacklistRegexp', '/^g_/');
+
+ $this->assertDef('good_id');
+ $this->assertDef('g_bad_id', false);
+
+ }
+
 }
?>
\ No newline at end of file
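Review bot: preg_match() returns false when the pattern is malformed or PCRE hits its backtrack/recursion limit, and the added condition treats that exactly like a non-match, so the blacklist fails open: an ID that pushes a backtracking-prone pattern past the limit is accepted. Because the ID comes from untrusted markup, rejecting on error is the safer default, `if ($regexp !== null && preg_match($regexp, $id) !== 0) {`, which also stops `$regexp &&` from silently discarding the pattern `'0'`. The enclosing method starts and ends outside the hunk, so I cannot confirm from here which form of `$id` (trimmed, prefixed) reaches the match; a one-line comment above the check stating that, e.g. `// blacklist is matched against the final ID, after trimming and prefixing`, would help if that is indeed the case.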
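Review bot: testRegexp pins only one anchored pattern, so it shows neither that the expression is applied to the whole ID nor what happens when the pattern cannot be compiled, which is where preg_match()'s error return changes the outcome. Adding `$this->config->set('Attr', 'IDBlacklistRegexp', '/bad/'); $this->assertDef('good_bad_id', false);` covers the unanchored case in two lines. A case with an unparsable pattern would document the intended error behaviour, though it may need the harness to tolerate the warning preg_match() emits, which I cannot see from here.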