Release 1.4.1, merged in 685-687.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/branches/strict@689 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
parent
c2d3d5b859
commit
cec7a1c087
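--- a/Doxyfile
+++ b/Doxyfile
@@ -4,7 +4,7 @@
 # Project related configuration options
 #---------------------------------------------------------------------------
 PROJECT_NAME = HTML Purifier
-PROJECT_NUMBER = 1.4.0
+PROJECT_NUMBER = 1.4.1
 OUTPUT_DIRECTORY = "C:/Documents and Settings/Edward/My Documents/My Webs/htmlpurifier/docs/doxygen"
 CREATE_SUBDIRS = NO
 OUTPUT_LANGUAGE = English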
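--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 . Internal change
 ==========================
 
+1.4.1, released 2007-01-21
+! docs/enduser-youtube.html updated according to new functionality
+- YouTube IDs can have underscores and dashes
+
 1.4.0, released 2007-01-21
 ! Implemented list-style-image, URIs now allowed in list-style
 ! Implemented background-image, background-repeat, background-attachment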
@ -37,7 +37,7 @@ from a specific website, it probably is okay. If no amount of pleading will
|
|||||||
convince the people upstairs that they should just settle with just linking
|
convince the people upstairs that they should just settle with just linking
|
||||||
to their movies, you may find this technique very useful.</p>
|
to their movies, you may find this technique very useful.</p>
|
||||||
|
|
||||||
<h2>Sample</h2>
|
<h2>Looking in</h2>
|
||||||
|
|
||||||
<p>Below is custom code that allows users to embed
|
<p>Below is custom code that allows users to embed
|
||||||
YouTube videos. This is not favoritism: this trick can easily be adapted for
|
YouTube videos. This is not favoritism: this trick can easily be adapted for
|
||||||
@ -69,55 +69,27 @@ into your documents. YouTube's code goes like this:</p>
|
|||||||
<p>What point 2 means is that if we have code like <code><span
|
<p>What point 2 means is that if we have code like <code><span
|
||||||
class="embed-youtube">AyPzM5WK8ys</span></code> your
|
class="embed-youtube">AyPzM5WK8ys</span></code> your
|
||||||
application can reconstruct the full object from this small snippet that
|
application can reconstruct the full object from this small snippet that
|
||||||
passes through HTML Purifier <em>unharmed</em>.</p>
|
passes through HTML Purifier <em>unharmed</em>.
|
||||||
|
<a href="http://hp.jpsband.org/svnroot/htmlpurifier/trunk/library/HTMLPurifier/Filter/YouTube.php">Show me the code!</a></p>
|
||||||
|
|
||||||
<pre>
|
<p>And the corresponding usage:</p>
|
||||||
<?php
|
|
||||||
|
|
||||||
class HTMLPurifierX_PreserveYouTube extends HTMLPurifier
|
<pre><?php
|
||||||
{
|
// assuming $purifier is an instance of HTMLPurifier
|
||||||
function purify($html, $config = null) {
|
require_once 'HTMLPurifier/Filter/YouTube.php';
|
||||||
$pre_regex = '#<object[^>]+>.+?'.
|
$purifier->addFilter(new HTMLPurifier_Filter_YouTube());
|
||||||
'http://www.youtube.com/v/([A-Za-z0-9]+).+?</object>#';
|
?></pre>
|
||||||
$pre_replace = '<span class="youtube-embed">\1</span>';
|
|
||||||
$html = preg_replace($pre_regex, $pre_replace, $html);
|
|
||||||
$html = parent::purify($html, $config);
|
|
||||||
$post_regex = '#<span class="youtube-embed">([A-Za-z0-9]+)</span>#';
|
|
||||||
$post_replace = '<object width="425" height="350" '.
|
|
||||||
'data="http://www.youtube.com/v/\1">'.
|
|
||||||
'<param name="movie" value="http://www.youtube.com/v/\1"></param>'.
|
|
||||||
'<param name="wmode" value="transparent"></param>'.
|
|
||||||
'<!--[if IE]>'.
|
|
||||||
'<embed src="http://www.youtube.com/v/\1"'.
|
|
||||||
'type="application/x-shockwave-flash"'.
|
|
||||||
'wmode="transparent" width="425" height="350" />'.
|
|
||||||
'<![endif]-->'.
|
|
||||||
'</object>';
|
|
||||||
$html = preg_replace($post_regex, $post_replace, $html);
|
|
||||||
return $html;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$purifier = new HTMLPurifierX_PreserveYouTube();
|
<p>There is a bit going in the two code snippets, so let's explain.</p>
|
||||||
$html_still_with_youtube = $purifier->purify($html_with_youtube);
|
|
||||||
|
|
||||||
?>
|
|
||||||
</pre>
|
|
||||||
|
|
||||||
<p>There is a bit going on here, so let's explain.</p>
|
|
||||||
|
|
||||||
<ol>
|
<ol>
|
||||||
<li>The class uses the prefix <code>HTMLPurifierX</code> because it's
|
<li>This is a Filter object, which intercepts the HTML that is
|
||||||
userspace code. Don't use <code>HTMLPurifier</code> in front of your
|
coming into and out of the purifier. You can add as many
|
||||||
class, since it might clobber another class in the library.</li>
|
filter objects as you like. <code>preFilter()</code>
|
||||||
<li>In order to keep the interface compatible, we've extended HTMLPurifier
|
processes the code before it gets purified, and <code>postFilter()</code>
|
||||||
into a new class that preserves the YouTube videos. This means that
|
processes the code afterwards. So, we'll use <code>preFilter()</code> to
|
||||||
all you have to do is replace all instances of
|
replace the object tag with a <code>span</code>, and <code>postFilter()</code>
|
||||||
<code>new HTMLPurifier</code> to <code>new
|
to restore it.</li>
|
||||||
HTMLPurifierX_PreserveYouTube</code>. There's other ways to go about
|
|
||||||
doing this: if you were calling a function that wrapped HTML Purifier,
|
|
||||||
you could paste the PHP right there. If you wanted to be really
|
|
||||||
fancy, you could make a decorator for HTMLPurifier.</li>
|
|
||||||
<li>The first preg_replace call replaces any YouTube code users may have
|
<li>The first preg_replace call replaces any YouTube code users may have
|
||||||
embedded into the benign span tag. Span is used because it is inline,
|
embedded into the benign span tag. Span is used because it is inline,
|
||||||
and objects are inline too. We are very careful to be extremely
|
and objects are inline too. We are very careful to be extremely
|
||||||
@ -165,17 +137,16 @@ it is important that you are cognizant of the risk.</p>
|
|||||||
|
|
||||||
<p>This should go without saying, but if you're going to adapt this code
|
<p>This should go without saying, but if you're going to adapt this code
|
||||||
for Google Video or the like, make sure you do it <em>right</em>. It's
|
for Google Video or the like, make sure you do it <em>right</em>. It's
|
||||||
extremely easy to allow a character too many in the final section and
|
extremely easy to allow a character too many in <code>postFilter()</code> and
|
||||||
suddenly you're introducing XSS into HTML Purifier's XSS free output. HTML
|
suddenly you're introducing XSS into HTML Purifier's XSS free output. HTML
|
||||||
Purifier may be well written, but it cannot guard against vulnerabilities
|
Purifier may be well written, but it cannot guard against vulnerabilities
|
||||||
introduced after it has finished.</p>
|
introduced after it has finished.</p>
|
||||||
|
|
||||||
<h2>Future plans</h2>
|
<h2>Help out!</h2>
|
||||||
|
|
||||||
<p>This functionality is part of the core library, using the
|
<p>If you write a filter for your favorite video destination (or anything
|
||||||
HTMLPurifier_Filter class to acheive the desired effect. Our implementation
|
like that, for that matter), send it over and it might get included
|
||||||
is slightly different, and this page will be updated to reflect that
|
with the core!</p>
|
||||||
once 1.4.0 is released.</p>
|
|
||||||
|
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
@ -22,7 +22,7 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
HTML Purifier 1.4.0 - Standards Compliant HTML Filtering
|
HTML Purifier 1.4.1 - Standards Compliant HTML Filtering
|
||||||
Copyright (C) 2006 Edward Z. Yang
|
Copyright (C) 2006 Edward Z. Yang
|
||||||
|
|
||||||
This library is free software; you can redistribute it and/or
|
This library is free software; you can redistribute it and/or
|
||||||
@ -64,7 +64,7 @@ require_once 'HTMLPurifier/Encoder.php';
|
|||||||
class HTMLPurifier
|
class HTMLPurifier
|
||||||
{
|
{
|
||||||
|
|
||||||
var $version = '1.4.0';
|
var $version = '1.4.1';
|
||||||
|
|
||||||
var $config;
|
var $config;
|
||||||
var $filters;
|
var $filters;
|
||||||
|
@ -9,13 +9,13 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
|
|||||||
|
|
||||||
function preFilter($html, $config, &$context) {
|
function preFilter($html, $config, &$context) {
|
||||||
$pre_regex = '#<object[^>]+>.+?'.
|
$pre_regex = '#<object[^>]+>.+?'.
|
||||||
'http://www.youtube.com/v/([A-Za-z0-9]+).+?</object>#';
|
'http://www.youtube.com/v/([A-Za-z0-9\-_]+).+?</object>#';
|
||||||
$pre_replace = '<span class="youtube-embed">\1</span>';
|
$pre_replace = '<span class="youtube-embed">\1</span>';
|
||||||
return preg_replace($pre_regex, $pre_replace, $html);
|
return preg_replace($pre_regex, $pre_replace, $html);
|
||||||
}
|
}
|
||||||
|
|
||||||
function postFilter($html, $config, &$context) {
|
function postFilter($html, $config, &$context) {
|
||||||
$post_regex = '#<span class="youtube-embed">([A-Za-z0-9]+)</span>#';
|
$post_regex = '#<span class="youtube-embed">([A-Za-z0-9\-_]+)</span>#';
|
||||||
$post_replace = '<object width="425" height="350" '.
|
$post_replace = '<object width="425" height="350" '.
|
||||||
'data="http://www.youtube.com/v/\1">'.
|
'data="http://www.youtube.com/v/\1">'.
|
||||||
'<param name="movie" value="http://www.youtube.com/v/\1"></param>'.
|
'<param name="movie" value="http://www.youtube.com/v/\1"></param>'.
|
||||||
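Review bot: The widened character class `[A-Za-z0-9\-_]` is now duplicated verbatim on the `$pre_regex` line in preFilter() and the `$post_regex` line in postFilter(), and nothing ties the two together: an ID that preFilter() captures but postFilter() rejects is left in the output as a literal `<span class="youtube-embed">` instead of being restored, and any span in the purified output that matches postFilter()'s class is expanded whether or not preFilter() produced it. Since the captured ID is written unescaped into three double-quoted attribute values (`data`, `value`, `src`), the class is only safe while it contains no `"`, `<`, `>`, `&` or whitespace, which the new class still satisfies. I would hoist the class into one place, e.g. `var $id_chars = 'A-Za-z0-9\-_';` on the class (the library still uses PHP 4 style `var` properties, so a class constant may not be available), build both patterns from it, and document the invariant above it with `// re-emitted unescaped inside double-quoted attributes in postFilter(): never add quotes, <, >, & or whitespace`. Both methods belong to HTMLPurifier_Filter_YouTube, whose class line and the end of postFilter() lie outside the hunk.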
|