Add %CSS.ForbiddenProperties directive.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-12-22 16:31:53 +00:00 · 2010-09-04 02:59:03 -04:00 · 2010-09-04 02:59:03 -04:00 · eac628f490
commit eac628f490
parent 92913bc816
8 changed files with 43 additions and 7 deletions
--- a/1
+++ b/1
@ -15,6 +15,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ! Added %URI.DisableResources functionality; the directive originally
  did nothing.  Thanks David Rothstein for reporting.
 ! Add documentation about configuration directive types.
 ! Add %CSS.ForbiddenProperties configuration directive.
 - Fix improper handling of Internet Explorer conditional comments
  by parser.  Thanks zmonteca for reporting.
 - Fix missing attributes bug when running on Mac Snow Leopard and APC.
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@ -42,6 +42,11 @@
   <line>275</line>
  </file>
 </directive>
 <directive id="CSS.ForbiddenProperties">
  <file name="HTMLPurifier/CSSDefinition.php">
   <line>289</line>
  </file>
 </directive>
 <directive id="Cache.DefinitionImpl">
  <file name="HTMLPurifier/DefinitionCacheFactory.php">
   <line>49</line>
@ -136,12 +141,12 @@
 </directive>
 <directive id="HTML.ForbiddenElements">
  <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>337</line>
+   <line>342</line>
  </file>
 </directive>
 <directive id="HTML.ForbiddenAttributes">
  <file name="HTMLPurifier/HTMLDefinition.php">
-   <line>338</line>
+   <line>343</line>
  </file>
 </directive>
 <directive id="HTML.Trusted">
--- a/library/HTMLPurifier.includes.php
+++ b/library/HTMLPurifier.includes.php
@ -196,6 +196,7 @@ require 'HTMLPurifier/Token/Start.php';
 require 'HTMLPurifier/Token/Text.php';
 require 'HTMLPurifier/URIFilter/DisableExternal.php';
 require 'HTMLPurifier/URIFilter/DisableExternalResources.php';
 require 'HTMLPurifier/URIFilter/DisableResources.php';
 require 'HTMLPurifier/URIFilter/HostBlacklist.php';
 require 'HTMLPurifier/URIFilter/MakeAbsolute.php';
 require 'HTMLPurifier/URIFilter/Munge.php';
--- a/library/HTMLPurifier.safe-includes.php
+++ b/library/HTMLPurifier.safe-includes.php
@ -190,6 +190,7 @@ require_once $__dir . '/HTMLPurifier/Token/Start.php';
 require_once $__dir . '/HTMLPurifier/Token/Text.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/DisableResources.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php';
--- a/library/HTMLPurifier/CSSDefinition.php
+++ b/library/HTMLPurifier/CSSDefinition.php
@ -272,20 +272,29 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
        // setup allowed elements
        $support = "(for information on implementing this, see the ".
                   "support forums) ";
-        $allowed_attributes = $config->get('CSS.AllowedProperties');
+        $allowed_properties = $config->get('CSS.AllowedProperties');
-        if ($allowed_attributes !== null) {
+        if ($allowed_properties !== null) {
            foreach ($this->info as $name => $d) {
-                if(!isset($allowed_attributes[$name])) unset($this->info[$name]);
+                if(!isset($allowed_properties[$name])) unset($this->info[$name]);
-                unset($allowed_attributes[$name]);
+                unset($allowed_properties[$name]);
            }
            // emit errors
-            foreach ($allowed_attributes as $name => $d) {
+            foreach ($allowed_properties as $name => $d) {
                // :TODO: Is this htmlspecialchars() call really necessary?
                $name = htmlspecialchars($name);
                trigger_error("Style attribute '$name' is not supported $support", E_USER_WARNING);
            }
        }
        $forbidden_properties = $config->get('CSS.ForbiddenProperties');
        if ($forbidden_properties !== null) {
            foreach ($this->info as $name => $d) {
                if (isset($forbidden_properties[$name])) {
                    unset($this->info[$name]);
                }
            }
        }
    }
 }
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt
@ -0,0 +1,13 @@
 CSS.ForbiddenProperties
 TYPE: lookup
 VERSION: 4.1.2
 DEFAULT: array()
 --DESCRIPTION--
 <p>
    This is the logical inverse of %CSS.AllowedProperties, and it will
    override that directive or any other directive.  If possible,
    %CSS.AllowedProperties is recommended over this directive,
    because it can sometimes be difficult to tell whether or not you've
    forbidden all of the CSS properties you truly would like to disallow.
 </p>
 --# vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/AttrDef/CSSTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSSTest.php
@ -144,6 +144,12 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('overflow:scroll;');
    }
    function testForbidden() {
        $this->config->set('CSS.ForbiddenProperties', 'float');
        $this->assertDef('float:left;', false);
        $this->assertDef('text-align:right;');
    }
 }
 // vim: et sw=4 sts=4