0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 08:21:52 +00:00
Commit Graph

675 Commits

Author SHA1 Message Date
Tim Otten
00a0748427
feat: Allow more image widths by default (#430) 2024-12-11 14:15:46 -05:00
Morgan Klonteig
63e631ebd3
feat: Add CSS direction support (#429) 2024-11-21 23:46:53 -05:00
Eli Barbosa
b5cbf0cc3d
feat: Add option for safe iframe hosts using array lookup (#423)
Co-authored-by: Edward Z. Yang <ezyang@meta.com>
2024-11-09 22:02:09 -05:00
Atsushi Matsuo
f0fbf51098
fix: Avoid a deprecated error when the attribute name is numeric and DirectLex is used (#412) 2024-07-30 22:06:23 -04:00
John Flatness
70754a2533
feat: Add allowfullscreen attr for iframe (#411) 2024-06-30 07:54:09 -04:00
John Flatness
972326785d
feat: Allow universal CSS values for all properties (#410) 2024-06-28 08:37:00 -04:00
Erik
93bee73349
feat: Add support for CSS aspect-ratio (#408) 2024-06-27 15:12:06 -04:00
Atsushi Matsuo
d9fbef8e27
fix: Adjust Core.AllowHostnameUnderscore to consider that "_" is defined as Unreserved Characters in RFC 3986 (#406) 2024-04-18 21:48:20 -04:00
charlie-curtis
c9d60c96d7
feat: add directive for removing blank nodes (#404) 2024-04-11 20:52:45 -04:00
Kent Oyer
4828fdf45a
fix: Ignore conditional comments (#401) 2024-03-12 23:41:45 -04:00
cracksalad
43f49ac9a5
fix: Support for locales using decimal separators other than . (dot) (#372)
* Bugfix UnitConverter expects float got string (strict types enabled)

* Bugfix for latest bugfix with huge numbers

* Bugfix for german locale

* Use number_format instead of str_replace(sprintf())
2023-04-30 09:30:23 -04:00
Francis Lévesque
78a9b4d0da
fix: CSSTidy ImportantComments not handled properly (#359)
* fix: CSSTidy ImportantComments not handled properly

Signed-off-by: Francis Lévesque <wolfrank2164@gmail.com>

* fix: CSSTidy ImportantComments not handled properly -> remove comments

Signed-off-by: Francis Lévesque <wolfrank2164@gmail.com>
Co-authored-by: Edward Z. Yang <ezyang@meta.com>
2023-01-21 22:44:44 -05:00
Raheel Hsn
2d775c0187
feat: Add support for all text-decoration properties (#360)
* CSS: add support for all text-decoration related properties

* updated arrays to use short syntex

Co-authored-by: Raheel Hasan <raheel.hasan@luciditysoftware.com.au>
2023-01-12 08:41:13 -05:00
Michael S
1424f17cf3
Add support for encoded tel URI schemes. (#354) 2022-11-24 16:31:20 -05:00
Kieran
f1d6da13bc
Fix contenteditable attribute definition (#336) 2022-09-12 07:53:24 -07:00
Kieran
ce9cf2ec99
Fix creation of dynamic property (#337) 2022-09-10 14:03:42 -04:00
Kieran
36e06603a8
Fix creation of dynamic property (#333) 2022-09-06 13:05:15 -04:00
Kieran
dbbd3e59f9
Add contenteditable attribute definition (#332)
* Add contenteditable attribute definition

* gate behind html.trusted

* use enum
2022-09-06 13:04:45 -04:00
Tim Düsterhus
1b80051115
Fix some more PHP 8.2 deprecations (#330)
* Define HTMLPurifier_AttrTransform_SafeParam::$wmode

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_DefinitionCache_DecoratorHarness::$cache

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_DefinitionCache_DecoratorHarness::$mock

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_DefinitionCache_DecoratorHarness::$def

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_EntityParserTest::$_entity_lookup

This fixes a PHP 8.2 deprecation.
2022-09-02 21:38:58 -04:00
Kieran
3fc193c755
Fix #322 - PHP 8.1 deprecation notice in HostBlacklist URIFilter (#323) 2022-06-27 17:20:36 -04:00
Tim Düsterhus
1db36fb09d
Fix some PHP 8.2 deprecations (#319)
* Define HTMLPurifier_Lexer::$_entity_parser property

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_URIFilterHarness::$filter property

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_AttrTransform_NameSync::$idDef property

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_AttrTransform_NameSyncTest::$accumulator property

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_AttrValidator_ErrorsTest::$language property

This fixes a PHP 8.2 deprecation.

* Define HTMLPurifier_ChildDef_List::$whitespace property

This fixes a PHP 8.2 deprecation.

* Do not modify incoming tokens in RemoveSpansWithoutAttributes

Previously the undefined property `->markForDeletion` was added to the incoming
tokens. This causes a deprecation in PHP 8.2. Fix this by storing to-be-deleted
tokens inside SplObjectStorage. In PHP 8 a WeakMap would be preferable, as that
prevents leaks if `handleEnd` is never called for the token.
2022-06-10 16:30:01 -04:00
Václav Smítal
6f9aac9325
CSS: Add "background-size" tag support (#289) 2021-04-22 10:01:00 -04:00
Marcus Artner
214cb8a693
Fixed Issue #264: <thead> element removed from <table> if there are no <tbody> or <tr> elements (#283) 2021-01-26 11:11:50 -05:00
Edward Z. Yang
ce7efc11b2 Delete language tests that are interfering with PSR-0 compatibility
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2020-06-28 20:38:16 -04:00
Mateusz Turcza
3bdc031224
Add %HTML.Forms config directive (#260)
The %HTML.Forms directive enables Forms module regardless of the %HTML.Trusted
value. This adds support for form elements without enabling other unsafe
modules, such as Scripts, Iframe or Object.

To achieve the same effect without this directive one has to explicitly list
all enabled modules in %HTML.AllowedModules, and any not listed will be
removed. This however is not very convenient, as the allowed modules may vary
between doctypes.

Resolves #213.
2020-06-28 20:26:33 -04:00
lubomirbartos
df923d1f15 Issue 238 remove leading zeroes except if there is only zero (#239)
* Issue 238 remove leading zeroes except if there is only zero

* Issue-238 unit test fixes
2019-11-21 10:05:07 -05:00
Michael Kliewe
7cfc44654a CSS: added "initial" and "inherit" to width + height (#144)
* CSS: added "initial" and "inherit" to width + height
CSS: added "initial" and "inherit" to min-width + min-height, removed "auto"
CSS: added "initial" and "inherit" and "none" to max-width + max-height, removed "auto"

* Fixed test: min-width:auto; should be false
2019-07-14 13:20:58 -04:00
msuzuki
8c153eef3a Supported hundreds of nested HTML (#202)
* Supported hundreds of nested HTML (#201)

* Add Core.AllowParseManyTags
2019-07-14 13:15:31 -04:00
Darko Hrgovic
f03e1a2c48 Fixed reserved words in constants for PHP 7 as per https://www.php.net/manual/en/reserved.other-reserved-words.php (#222) 2019-07-10 22:24:27 -04:00
Edward Z. Yang
0f7b138aaf Make SafeScripting case-sensitive.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2018-11-11 16:21:58 -05:00
Dimitri Gritsajuk
5a01e6535d [SafeScripting] disable autoclosing of <script /> tag (#198) 2018-11-11 15:04:11 -05:00
Jan Dageförde
67c3798922 Add relative length units from CSS 3
cf. https://www.w3schools.com/cssref/css_units.asp
2017-12-22 21:59:47 -05:00
Marina Glancy
ce0ede24de Use IDNA2008 for converting domains to ASCII 2017-10-03 11:19:50 -04:00
Edward Z. Yang
5bc7c72608 Add tests for new entity decoding codepath.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-12 20:05:09 -07:00
Edward Z. Yang
9d2d75d8bc Add test case for removing empty list items.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-08 00:11:32 -08:00
Edward Z. Yang
7e11c271b9 Revamp entity decoding to be more like HTML5.
See %Core.LegacyEntityDecoder for more details.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-07 17:34:59 -08:00
Edward Z. Yang
5886326cd0 Test for catastrophic backtracking.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 23:26:55 -08:00
Edward Z. Yang
0c31b22240 Merge pull request #118 from fxbt/master
Add hsl, hsla and rgba support for css color attribute definition
2017-03-06 23:01:06 -08:00
Edward Z. Yang
5662efc936 Fix #78.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 22:54:54 -08:00
mpyw
d16e73e63e
Add test for #122 2017-03-04 15:40:44 +09:00
f.godfrin
0bab4b9fd0 Fix mungeRgb to handle percent, float and hsl values 2017-02-10 00:38:05 +01:00
f.godfrin
bd92f3531b Remove double % 2017-02-09 23:37:36 +01:00
f.godfrin
0d5ab2fe13 Include hsl and hsla support 2017-02-09 23:34:19 +01:00
f.godfrin
d41a59e422 Add rgba support for css color attribute definition 2017-02-09 22:18:15 +01:00
Bastian Hofmann
8e4cacf0a7 Refactor HTML.Noopener to HTML.TargetNoopener so that it behaves like HTML.TargetNoreferrer and is active by default if a target is set 2017-02-03 16:54:51 -08:00
Bastian Hofmann
c82051c3e1 Add HTML.Noopener to add a noopener rel to every external link
This has performance benefits https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/ but most importantly also security benefits https://mathiasbynens.github.io/rel-noopener/

Adresses https://github.com/ezyang/htmlpurifier/issues/96
2017-02-03 16:54:51 -08:00
Edward Z. Yang
5070404376 Handle semicolons in strings in CSS correctly.
Fixes http://htmlpurifier.org/phorum/read.php?3,7522,8096

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-29 00:01:19 -07:00
Edward Z. Yang
59463c5c39 Allow %URI.DefaultScheme to be null.
Fixes #103.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 17:30:44 -07:00
Edward Z. Yang
8b28e571fe Handle case when IDNAs are supported.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 02:00:46 -07:00
Edward Z. Yang
3ae21ce511 PHP 7.0 warnings fix: don't pass rvalue by reference.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 02:00:46 -07:00