
[1.3.1] Add defense in depth measure: reject entire node if there is no child definition for the element.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@601 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2006-12-06 22:38:25 +00:00
parent d886ed59fd
commit b73b5100fd
2 changed files with 10 additions and 7 deletions


@ -72,7 +72,7 @@ HTMLPurifier_ConfigSchema::define(
'can overload it with your own list of tags to allow. Note that this '. 'can overload it with your own list of tags to allow. Note that this '.
'method is subtractive: it does its job by taking away from HTML Purifier '. 'method is subtractive: it does its job by taking away from HTML Purifier '.
'usual feature set, so you cannot add a tag that HTML Purifier never '. 'usual feature set, so you cannot add a tag that HTML Purifier never '.
'supported in the first place (like embed). If you change this, you '. 'supported in the first place (like embed, form or head). If you change this, you '.
'probably also want to change %HTML.AllowedAttributes. '. 'probably also want to change %HTML.AllowedAttributes. '.
'<strong>Warning:</strong> If another directive conflicts with the '. '<strong>Warning:</strong> If another directive conflicts with the '.
'elements here, <em>that</em> directive will win and override. '. 'elements here, <em>that</em> directive will win and override. '.
@ -561,9 +561,9 @@ class HTMLPurifier_HTMLDefinition
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////
// %HTML.Allowed(Elements|Attributes) : cut non-allowed elements // %HTML.Allowed(Elements|Attributes) : cut non-allowed elements
$allowed_elements = $config->get('HTML', 'AllowedElements'); $allowed_elements = $config->get('HTML', 'AllowedElements');
if (is_array($allowed_elements)) { if (is_array($allowed_elements)) {
// $allowed_elements[$this->info_parent] = true; // allow parent element
foreach ($this->info as $name => $d) { foreach ($this->info as $name => $d) {
if(!isset($allowed_elements[$name])) unset($this->info[$name]); if(!isset($allowed_elements[$name])) unset($this->info[$name]);
} }
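Review bot: The line `// $allowed_elements[$this->info_parent] = true; // allow parent element` is commented-out code, and this rendering prints it only once, so I cannot tell whether the commit adds it or removes it (the -9/+9 header also covers lines this page does not show). If it survives on the new side, either enable it or delete it and replace it with a comment stating why the parent element is not exempted from the %HTML.AllowedElements filter, since the loop below unsets every definition whose name is not in the list, which presumably includes the parent element. Leaving the statement commented out records an intent without documenting the decision. The enclosing method continues outside the hunk.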


@ -156,11 +156,14 @@ class HTMLPurifier_Strategy_FixNesting extends HTMLPurifier_Strategy
} }
$child_def = $def->child; if (!empty($def->child)) {
// have DTD child def validate children // have DTD child def validate children
$result = $child_def->validateChildren( $result = $def->child->validateChildren(
$child_tokens, $config, $context); $child_tokens, $config, $context);
} else {
// weird, no child definition, get rid of everything
$result = false;
}
// determine whether or not this element has any exclusions // determine whether or not this element has any exclusions
$excludes = $def->excludes; $excludes = $def->excludes;
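Review bot: The new guard `if (!empty($def->child))` is a truthiness test where the intent is "a child definition object is present"; `if (isset($def->child))` says that directly and does not also fold in falsy non-null values, which keeps the fail-closed branch reserved for the missing-definition case. The fallback `$result = false;` is the defense-in-depth step the commit title describes, but the comment `// weird, no child definition, get rid of everything` does not say that `false` drops the whole element rather than only its children; I would write it as `// no child definition: fail closed and reject the entire node, not just its children` so the contract is explicit for whoever reads the consumer of $result. After the else branch control still falls through to the exclusions handling that follows, which is fine if the rejection is honored later but may deserve an early exit; the method continues outside the hunk, so I cannot confirm that from here.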