diff --git a/NEWS b/NEWS
index 0e787c9e..cc05dada 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
- HTMLPurifier::instance() created for consistency, is equivalent to getInstance()
- Fixed and revamped broken ConfigForm smoketest
- Bug with bool/null fields in Printer_ConfigForm fixed
+- Bug with global forbidden attributes fixed
- Improved error messages for allowed and forbidden HTML elements and attributes
- Missing (or null) in configdoc documentation restored
- If DOM throws and exception during parsing with PH5P (occurs in newer versions
diff --git a/TODO b/TODO
index 417d7585..ea330ff6 100644
--- a/TODO
+++ b/TODO
@@ -11,9 +11,6 @@ If no interest is expressed for a feature that may require a considerable
amount of effort to implement, it may get endlessly delayed. Do not be
afraid to cast your vote for the next feature to be implemented!
- - FINISH THE DRUPAL MODULE!!!
- - Get PH5P working with the latest versions of DOM, which have much more
- stringent error checking procedures. Maybe convert straight to tokens.
- Figure out what to do with $this->config configuration object calls
in the scanner
- Quick optimizations for empty strings and strings without HTML (make sure
@@ -87,6 +84,8 @@ AutoFormat
Optimizations
- Reduce size of internal data-structures (esp. HTMLDefinition)
- Combine multiple strategies into a single, single-pass strategy
+ - Get PH5P working with the latest versions of DOM, which have much more
+ stringent error checking procedures. Maybe convert straight to tokens.
Neat feature related
! Factor demo.php into a set of Printer classes, and then create a stub
diff --git a/library/HTMLPurifier/HTMLDefinition.php b/library/HTMLPurifier/HTMLDefinition.php
index 3310bbc2..d8e22ee9 100644
--- a/library/HTMLPurifier/HTMLDefinition.php
+++ b/library/HTMLPurifier/HTMLDefinition.php
@@ -348,6 +348,13 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
}
}
}
+ foreach ($forbidden_attributes as $key => $v) {
+ if (strlen($key) < 2) continue;
+ if ($key[0] != '*') continue;
+ if ($key[1] == '.') {
+ trigger_error("Error with $key: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead", E_USER_WARNING);
+ }
+ }
}
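Review bot: The new loop only warns on a `*.attr` entry and then leaves that attribute allowed, so an operator who wrote `*.style` to forbid `style` everywhere fails open — and with `E_USER_WARNING` masked by a production `error_reporting`, silently so. Since the message itself tells the user that `attr` is the equivalent, it would be safer to also honour that intent by normalising the key (something like `$forbidden_attributes[substr($key, 2)] = true;` alongside the `trigger_error`, or a `continue`-free rewrite of the key before the lookup that uses it), so the misconfiguration degrades to the correct behaviour rather than to an unrestricted attribute; where the lookup happens is outside this hunk, so confirm the normalised key is seen by it. Two smaller points: `$key[0] != '*'` and `$key[1] == '.'` should use `!==`/`===` per the file's single-character comparisons, and `$v` is unused (`array_keys($forbidden_attributes)` would be clearer). The enclosing function starts and its surrounding logic lives outside the hunk.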
diff --git a/tests/HTMLPurifier/HTMLDefinitionTest.php b/tests/HTMLPurifier/HTMLDefinitionTest.php
index 35048ab0..a396d100 100644
--- a/tests/HTMLPurifier/HTMLDefinitionTest.php
+++ b/tests/HTMLPurifier/HTMLDefinitionTest.php
@@ -214,6 +214,28 @@ a[href|title]
$this->assertPurification('Test');
}
+ function test_ForbiddenAttributes_incorrectGlobalSyntax() {
+ $this->config->set('HTML', 'ForbiddenAttributes', '*.style');
+ $this->expectError("Error with *.style: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead");
+ $this->assertPurification('Test');
+ }
+
+ function assertPurification_ForbiddenAttributes_style() {
+ $this->assertPurification(
+ 'bi',
+ 'bi');
+ }
+
+ function test_ForbiddenAttributes_global() {
+ $this->config->set('HTML', 'ForbiddenAttributes', 'style');
+ $this->assertPurification_ForbiddenAttributes_style();
+ }
+
+ function test_ForbiddenAttributes_globalVerboseFormat() {
+ $this->config->set('HTML', 'ForbiddenAttributes', '*@style');
+ $this->assertPurification_ForbiddenAttributes_style();
+ }
+
function test_addAttribute() {
$config = HTMLPurifier_Config::create(array(
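Review bot: `test_ForbiddenAttributes_incorrectGlobalSyntax` pins the warning text for `*.style` but not the purified output, so the security-relevant outcome — whether `style` is stripped or still emitted under the misconfigured key — is left unasserted and could change either way without this test noticing. Suggest replacing the bare `$this->assertPurification('Test');` with the same input/expected pair the `assertPurification_ForbiddenAttributes_style` helper uses (or its inverse, whichever the code is meant to produce) so the behaviour is locked down alongside the warning. Note that the helper's two arguments on the lines above render identically here (`'bi'` / `'bi'`), so the markup under test is not visible in this copy of the patch; if the input really equals the expected output, the helper asserts nothing and should carry an element with a `style` attribute on the input side. The enclosing test class starts and continues outside the hunk.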