mirror of
https://github.com/ezyang/htmlpurifier.git
Always quote the contents of url() in CSS.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
parent
80793e925e
commit
da94d3d6ac
1
NEWS
1
NEWS
@ -18,6 +18,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||||||
! Support for Internet Explorer compatibility with %HTML.SafeObject
|
! Support for Internet Explorer compatibility with %HTML.SafeObject
|
||||||
using %Output.FlashCompat.
|
using %Output.FlashCompat.
|
||||||
! Handle <ol><ol> properly, by inserting the necessary <li> tag.
|
! Handle <ol><ol> properly, by inserting the necessary <li> tag.
|
||||||
|
- Always quote the insides of url(...) in CSS.
|
||||||
|
|
||||||
4.0.0, released 2009-07-07
|
4.0.0, released 2009-07-07
|
||||||
# APIs for ConfigSchema subsystem have substantially changed. See
|
# APIs for ConfigSchema subsystem have substantially changed. See
|
||||||
|
@ -47,7 +47,7 @@ class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
|
|||||||
// URI at all
|
// URI at all
|
||||||
$result = str_replace($keys, $values, $result);
|
$result = str_replace($keys, $values, $result);
|
||||||
|
|
||||||
return "url($result)";
|
return "url('$result')";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
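Review bot: With `return "url('$result')";` the value now sits inside a single-quoted CSS string, so a `'`, a backslash or a raw newline left in `$result` would end or alter that string. Whether the `str_replace($keys, $values, $result)` just above covers those characters cannot be checked here, because `$keys` and `$values` are defined outside the hunk. I would add a comment above the return, `// $result is emitted inside '...': $keys must escape ' and \, and newlines must not reach this point`, and a URITest case whose input URI contains a single quote and a backslash to pin the escaped output. The enclosing method starts above the hunk.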
@ -8,12 +8,12 @@ class HTMLPurifier_AttrDef_CSS_BackgroundTest extends HTMLPurifier_AttrDefHarnes
|
|||||||
$config = HTMLPurifier_Config::createDefault();
|
$config = HTMLPurifier_Config::createDefault();
|
||||||
$this->def = new HTMLPurifier_AttrDef_CSS_Background($config);
|
$this->def = new HTMLPurifier_AttrDef_CSS_Background($config);
|
||||||
|
|
||||||
$valid = '#333 url(chess.png) repeat fixed 50% top';
|
$valid = '#333 url(\'chess.png\') repeat fixed 50% top';
|
||||||
$this->assertDef($valid);
|
$this->assertDef($valid);
|
||||||
$this->assertDef('url("chess.png") #333 50% top repeat fixed', $valid);
|
$this->assertDef('url("chess.png") #333 50% top repeat fixed', $valid);
|
||||||
$this->assertDef(
|
$this->assertDef(
|
||||||
'rgb(34, 56, 33) url(chess.png) repeat fixed top',
|
'rgb(34, 56, 33) url(chess.png) repeat fixed top',
|
||||||
'rgb(34,56,33) url(chess.png) repeat fixed top'
|
'rgb(34,56,33) url(\'chess.png\') repeat fixed top'
|
||||||
);
|
);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -13,14 +13,14 @@ class HTMLPurifier_AttrDef_CSS_ListStyleTest extends HTMLPurifier_AttrDefHarness
|
|||||||
$this->assertDef('circle outside');
|
$this->assertDef('circle outside');
|
||||||
$this->assertDef('inside');
|
$this->assertDef('inside');
|
||||||
$this->assertDef('none');
|
$this->assertDef('none');
|
||||||
$this->assertDef('url(foo.gif)');
|
$this->assertDef('url(\'foo.gif\')');
|
||||||
$this->assertDef('circle url(foo.gif) inside');
|
$this->assertDef('circle url(\'foo.gif\') inside');
|
||||||
|
|
||||||
// invalid values
|
// invalid values
|
||||||
$this->assertDef('outside inside', 'outside');
|
$this->assertDef('outside inside', 'outside');
|
||||||
|
|
||||||
// ordering
|
// ordering
|
||||||
$this->assertDef('url(foo.gif) none', 'none url(foo.gif)');
|
$this->assertDef('url(foo.gif) none', 'none url(\'foo.gif\')');
|
||||||
$this->assertDef('circle lower-alpha', 'circle');
|
$this->assertDef('circle lower-alpha', 'circle');
|
||||||
// the spec is ambiguous about what happens in these
|
// the spec is ambiguous about what happens in these
|
||||||
// cases, so we're going off the W3C CSS validator
|
// cases, so we're going off the W3C CSS validator
|
||||||
|
@ -15,8 +15,8 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
|
|||||||
// no quotes are used, since that's the most widely supported
|
// no quotes are used, since that's the most widely supported
|
||||||
// syntax
|
// syntax
|
||||||
$this->assertDef('url(', false);
|
$this->assertDef('url(', false);
|
||||||
$this->assertDef('url()', true);
|
$this->assertDef('url(\'\')', true);
|
||||||
$result = "url(http://www.example.com/)";
|
$result = "url('http://www.example.com/')";
|
||||||
$this->assertDef('url(http://www.example.com/)', $result);
|
$this->assertDef('url(http://www.example.com/)', $result);
|
||||||
$this->assertDef('url("http://www.example.com/")', $result);
|
$this->assertDef('url("http://www.example.com/")', $result);
|
||||||
$this->assertDef("url('http://www.example.com/')", $result);
|
$this->assertDef("url('http://www.example.com/')", $result);
|
||||||
@ -25,7 +25,7 @@ class HTMLPurifier_AttrDef_CSS_URITest extends HTMLPurifier_AttrDefHarness
|
|||||||
|
|
||||||
// escaping
|
// escaping
|
||||||
$this->assertDef("url(http://www.example.com/foo,bar\))",
|
$this->assertDef("url(http://www.example.com/foo,bar\))",
|
||||||
"url(http://www.example.com/foo\,bar\))");
|
"url('http://www.example.com/foo\,bar\)')");
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
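Review bot: The comment kept as context at the top of the first hunk, `// no quotes are used, since that's the most widely supported` / `// syntax`, now contradicts the assertions below it, which all expect `url('...')`. Suggest rewording it to `// output is always single-quoted, whatever quoting the input used`, so the test documents the behaviour it pins. The test method begins above the hunk.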
@ -25,7 +25,7 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
|
|||||||
$this->assertDef('text-transform:capitalize;');
|
$this->assertDef('text-transform:capitalize;');
|
||||||
$this->assertDef('background-color:rgb(0,0,255);');
|
$this->assertDef('background-color:rgb(0,0,255);');
|
||||||
$this->assertDef('background-color:transparent;');
|
$this->assertDef('background-color:transparent;');
|
||||||
$this->assertDef('background:#333 url(chess.png) repeat fixed 50% top;');
|
$this->assertDef('background:#333 url(\'chess.png\') repeat fixed 50% top;');
|
||||||
$this->assertDef('color:#F00;');
|
$this->assertDef('color:#F00;');
|
||||||
$this->assertDef('border-top-color:#F00;');
|
$this->assertDef('border-top-color:#F00;');
|
||||||
$this->assertDef('border-color:#F00 #FF0;');
|
$this->assertDef('border-color:#F00 #FF0;');
|
||||||
@ -73,9 +73,9 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
|
|||||||
$this->assertDef('vertical-align:12px;');
|
$this->assertDef('vertical-align:12px;');
|
||||||
$this->assertDef('vertical-align:50%;');
|
$this->assertDef('vertical-align:50%;');
|
||||||
$this->assertDef('table-layout:fixed;');
|
$this->assertDef('table-layout:fixed;');
|
||||||
$this->assertDef('list-style-image:url(nice.jpg);');
|
$this->assertDef('list-style-image:url(\'nice.jpg\');');
|
||||||
$this->assertDef('list-style:disc url(nice.jpg) inside;');
|
$this->assertDef('list-style:disc url(\'nice.jpg\') inside;');
|
||||||
$this->assertDef('background-image:url(foo.jpg);');
|
$this->assertDef('background-image:url(\'foo.jpg\');');
|
||||||
$this->assertDef('background-image:none;');
|
$this->assertDef('background-image:none;');
|
||||||
$this->assertDef('background-repeat:repeat-y;');
|
$this->assertDef('background-repeat:repeat-y;');
|
||||||
$this->assertDef('background-attachment:fixed;');
|
$this->assertDef('background-attachment:fixed;');
|
||||||
@ -101,7 +101,7 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
|
|||||||
// bad props
|
// bad props
|
||||||
$this->assertDef('nodice:foobar;', false);
|
$this->assertDef('nodice:foobar;', false);
|
||||||
$this->assertDef('position:absolute;', false);
|
$this->assertDef('position:absolute;', false);
|
||||||
$this->assertDef('background-image:url(javascript:alert\(\));', false);
|
$this->assertDef('background-image:url(\'javascript:alert\(\)\');', false);
|
||||||
|
|
||||||
// airy input
|
// airy input
|
||||||
$this->assertDef(' font-weight : bold; color : #ff0000',
|
$this->assertDef(' font-weight : bold; color : #ff0000',
|
||||||
|
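Review bot: In the `// bad props` hunk the `javascript:` rejection case appears to have been rewritten to the quoted input `url(\'javascript:alert\(\)\')` rather than extended, so the unquoted input is no longer asserted to be rejected. The expected result is `false` either way, so the output-format change did not require touching this line. Keep the original `$this->assertDef('background-image:url(javascript:alert\(\));', false);` next to the new one so both input forms stay covered. The test method starts and ends outside the hunk.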
@ -7,5 +7,5 @@ URI.MungeResources = true
|
|||||||
<img src="http://example.com" style="background-image:url(http://example.com);" alt="example.com" />
|
<img src="http://example.com" style="background-image:url(http://example.com);" alt="example.com" />
|
||||||
--EXPECT--
|
--EXPECT--
|
||||||
<a href="/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=&n=a&m=href&p=">Link</a>
|
<a href="/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=&n=a&m=href&p=">Link</a>
|
||||||
<img src="/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=1&n=img&m=src&p=" style="background-image:url(/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=1&n=img&m=style&p=background-image);" alt="example.com" />
|
<img src="/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=1&n=img&m=src&p=" style="background-image:url('/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=1&n=img&m=style&p=background-image');" alt="example.com" />
|
||||||
--# vim: et sw=4 sts=4
|
--# vim: et sw=4 sts=4
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
--HTML--
|
--HTML--
|
||||||
<table background="logo.png"><tr><td>asdf</td></tr></table>
|
<table background="logo.png"><tr><td>asdf</td></tr></table>
|
||||||
--EXPECT--
|
--EXPECT--
|
||||||
<table style="background-image:url(logo.png);"><tr><td>asdf</td></tr></table>
|
<table style="background-image:url('logo.png');"><tr><td>asdf</td></tr></table>
|
||||||
--# vim: et sw=4 sts=4
|
--# vim: et sw=4 sts=4
|
||||||
|