Chris Pelzer
ab7bbefe8a
Update reference to the valid types to refer to HTMLPurifier_VarParser::types (#189)
2018-11-11 16:23:01 -05:00
Edward Z. Yang
0f7b138aaf
Make SafeScripting case-sensitive.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2018-11-11 16:21:58 -05:00
Edward Z. Yang
4b6b3b31e8
Typofix: AutoForamt -> AutoFormat
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2018-11-11 16:21:58 -05:00
Dimitri Gritsajuk
5a01e6535d
[SafeScripting] disable autoclosing of <script /> tag (#198)
2018-11-11 15:04:11 -05:00
Daijobou
b81690c17e
More colors names (#176)
...
Added more colors names https://www.w3schools.com/colors/colors_names.asp
remove old unordered colors names
2018-06-09 22:48:13 -04:00
Mateusz Turcza
89b3fe431e
Use IDNA constants only if defined (#171)
...
Fixes #168.
Solution based on https://git.ispconfig.org/ispconfig/ispconfig3/commit/0e3cf6f51b4fd .
2018-03-04 19:16:11 -05:00
Mateusz Turcza
3cb77da11d
Make tagName and node data detection hhvm compatible (#170)
2018-03-04 13:22:03 -05:00
Edward Z. Yang
d85d39da45
Release 4.10.0
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2018-02-22 20:58:20 -05:00
John Flatness
6d6d88512a
Skip counting currentNesting if null
...
This is an error starting in PHP 7.2
2017-12-30 00:23:44 -05:00
Edward Z. Yang
64baeda65c
Deal with old libxml incompatibilities.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-12-22 22:03:02 -05:00
Jan Dageförde
67c3798922
Add relative length units from CSS 3
...
cf. https://www.w3schools.com/cssref/css_units.asp
2017-12-22 21:59:47 -05:00
Roberto
ab9c9f30fd
Small typos in comments
2017-12-13 11:16:39 -05:00
Marina Glancy
ce0ede24de
Use IDNA2008 for converting domains to ASCII
2017-10-03 11:19:50 -04:00
pawelkania
e11f7c9802
Fix E_WARNING when cache directory exists
...
Sometimes Serializer from another thread already created dir - this commit resolves this issue.
2017-06-20 09:53:14 +02:00
Edward Z. Yang
95e1bae318
Release 4.9.3
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-06-02 22:28:16 -04:00
Xiphin
1df505296f
Mod: using stdClass instead of stdclass
2017-06-02 09:55:46 +08:00
Xiphin
b9bc1039da
Mod: using null instead of false
2017-06-02 08:50:38 +08:00
Xiphin
cb4871f446
Fix: It runs on PHP 7.1.* CPU process is 100%
2017-06-01 21:32:25 +08:00
Viktor Khokhryakov
b45c6f5363
Autoloading must be skipped while checking for php builtin class.
2017-03-20 10:42:28 +04:00
Edward Z. Yang
6d50e5282a
Release 4.9.2
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-12 23:30:53 -07:00
Edward Z. Yang
5bc7c72608
Add tests for new entity decoding codepath.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-12 20:05:09 -07:00
Eugene Leonovich
fd24de69a3
Fix a call to undefined function HTMLPurifier_Encoder()
2017-03-12 22:44:03 +01:00
Edward Z. Yang
5688656174
Fix more PHP 5.3 problems.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-08 18:01:58 -08:00
Edward Z. Yang
8836ae05aa
Fix PHP 5.3 compatibility, fixes #125.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-08 17:46:29 -08:00
Edward Z. Yang
de82f9845f
Release 4.9.1 (sic)
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-08 00:22:36 -08:00
Edward Z. Yang
74f123a84c
Fix #83.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-07 17:52:41 -08:00
Edward Z. Yang
7e11c271b9
Revamp entity decoding to be more like HTML5.
...
See %Core.LegacyEntityDecoder for more details.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-07 17:34:59 -08:00
Edward Z. Yang
66bbae73a9
Comment on why it's a non-greedy match.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 23:27:30 -08:00
Edward Z. Yang
b19dcb0ba5
CHANGELOG for #120 fix, and remove the array_filter.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 23:06:24 -08:00
Edward Z. Yang
0c31b22240
Merge pull request #118 from fxbt/master
...
Add hsl, hsla and rgba support for css color attribute definition
2017-03-06 23:01:06 -08:00
Edward Z. Yang
5662efc936
Fix #78.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 22:54:54 -08:00
Edward Z. Yang
353c96f156
Document skips in more detail, #116.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 20:31:28 -08:00
Edward Z. Yang
4047a6230b
Extra cleanup on cleanUTF8.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 16:31:02 -08:00
Andrey Pozolotin
9195cb7a2e
Added escape sequence
2017-03-06 16:28:53 -08:00
Andrey Pozolotin
39c4c359ad
Fixing PREG_BACKTRACK_LIMIT_ERROR in HTMLPurifier_Filter_ExtractStyleBlocks
2017-03-06 16:28:53 -08:00
mpyw
f145f64bf4
Fix #122: correct surrogate pair range
2017-03-04 15:38:01 +09:00
f.godfrin
12185143ef
Use a constructor and a property for the alpha check
2017-02-10 21:03:11 +01:00
f.godfrin
17a90a951a
Better regex for mungeRgb
2017-02-10 00:40:56 +01:00
f.godfrin
0bab4b9fd0
Fix mungeRgb to handle percent, float and hsl values
2017-02-10 00:38:05 +01:00
f.godfrin
0d5ab2fe13
Include hsl and hsla support
2017-02-09 23:34:19 +01:00
f.godfrin
d41a59e422
Add rgba support for css color attribute definition
2017-02-09 22:18:15 +01:00
Bastian Hofmann
8e4cacf0a7
Refactor HTML.Noopener to HTML.TargetNoopener so that it behaves like HTML.TargetNoreferrer and is active by default if a target is set
2017-02-03 16:54:51 -08:00
Bastian Hofmann
c82051c3e1
Add HTML.Noopener to add a noopener rel to every external link
...
This has performance benefits https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/ but most importantly also security benefits https://mathiasbynens.github.io/rel-noopener/
Addresses https://github.com/ezyang/htmlpurifier/issues/96
2017-02-03 16:54:51 -08:00
Edward Z. Yang
1b7d684d07
Remove $a = array($a) which is miscompiled by Zend OpCache.
...
Fixes #108.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-01-04 14:35:52 -05:00
Edward Z. Yang
5070404376
Handle semicolons in strings in CSS correctly.
...
Fixes http://htmlpurifier.org/phorum/read.php?3,7522,8096
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-29 00:01:19 -07:00
Edward Z. Yang
59463c5c39
Allow %URI.DefaultScheme to be null.
...
Fixes #103.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 17:30:44 -07:00
Edward Z. Yang
3ba9133b21
Don't assume that idn_to_ascii does validation.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 02:00:46 -07:00
yan_kos
4dc68aa920
FIX directory not closing
...
#100
2016-10-15 16:20:47 +03:00
Edward Z. Yang
08eee90e15
Delete asserts, fixes #97.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-02 00:14:41 -07:00
Edward Z. Yang
1ef4375dbb
Proposed fix to Serializer code.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-09-05 15:24:08 -07:00
zema
246fc8946a
css properties: min-width, max-width, min-height, max-height
2016-09-05 10:45:58 +03:00
Nick del Pozo
1f982d279f
rollback change to permissions
2016-07-29 08:56:36 +09:00
Nick del Pozo
8be8cee9b3
changed chmod behaviour in Serializer
2016-07-27 12:56:03 +09:00
Edward Z. Yang
d0c392f77d
Release 4.8.0
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-16 05:58:58 -07:00
Edward Z. Yang
d1c5d75027
Fix #73 with Attr.ID.HTML5
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-16 05:52:45 -07:00
Bart Butler
3747cb7efb
avoid exif_imagetype exception with small files/corrupt data URI
2016-07-16 05:23:17 -07:00
Edward Z. Yang
0166c3728b
Stop trying to chmod if SerializerPermissions is null, fixes #71
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-01 16:04:11 -04:00
Edward Z. Yang
ed180f595d
Hack to fix #85
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-01 15:52:09 -04:00
Edward Z. Yang
44baee6a82
Partial border-radius support.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 22:22:13 -04:00
Cameron Ball
1675fc7caf
Add %HTML.TargetNoreferrer, which adds rel="noreferrer" when target attribute is set
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 21:53:43 -04:00
Wes Cossick
cc35c8eb8c
tel protocol support.
2016-06-30 21:19:49 -04:00
Edward Z. Yang
43a9f052fd
Fix #57, make flashvars check (and others) case-insensitive.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 15:56:30 -07:00
Edward Z. Yang
b4981c3395
Fix #67, don't use <body> tags in comments for %Core.ConvertDocumentToFragment
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 15:19:32 -07:00
Edward Z. Yang
f14076dc3e
Fix #49; prevent readdir infinite loop when cache directory not listable.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 14:53:31 -07:00
Edward Z. Yang
91fd55c857
Fix #45, errors when ul/ol allowed without li.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-26 22:41:54 -07:00
Chimpzee
6e00b443cd
Bug with tempnam("/tmp", "");
...
Some hostings have a different temporary path than "/tmp".
2016-03-24 20:19:57 -07:00
Edward Z. Yang
1f3e282fde
Fix a bounds error which now errors in PHP 7.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-24 00:13:08 -07:00
Edward Z. Yang
753c830239
Update to work with Git version of SimpleTest.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-24 00:08:03 -07:00
Edward Z. Yang
45161b4fb1
Accept leading digits in hostnames as per RFC 1123.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-23 22:42:21 -07:00
Edward Z. Yang
92aabf2b23
Fix #76, linkify includes dots at end of URL.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-02 02:05:54 -08:00
Edward Z. Yang
aebe1c02a2
Use idn_to_ascii when available.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-02 01:35:07 -08:00
Edward Z. Yang
913ac6955b
CSS.AllowDuplicates for duplicate properties.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-12-20 11:53:54 -08:00
Edward Z. Yang
958ba65595
Don't truncate alts.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-09-29 15:36:53 -07:00
Edward Z. Yang
ae1828d955
Release 4.7.0.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-08-04 18:03:42 -07:00
Sylvain
2c963dcc7f
Missing @return
...
Adding PHPDoc @return statement for code completion in IDE
2015-08-03 10:21:47 +02:00
Edward Z. Yang
c67e4c2f7e
All values, including empty, are valid HTML bools.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-02-11 16:36:44 -08:00
Edward Z. Yang
0c3e68dd03
Stop using umask to make definition cache. Fixes #32
...
This is not really the right way to solve the ACL problem,
but there isn't really any reason we should be mucking about
with the umask.
Mucked around with the test case to make it pass, but I think
it's probably a bit delicate now.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-12-08 18:30:54 -08:00
Edward Z. Yang
cd60294ada
Fix rgb in border attribute with spaces, fixes #30.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 12:12:38 +01:00
Edward Z. Yang
39d3df1fd7
Add AutoFormat.RemoveEmpty.Predicate, fixes #35.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 12:12:17 +01:00
Edward Z. Yang
4da38aca80
Update YouTube embed code to new style, fixes #28
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 09:30:16 +01:00
Edward Z. Yang
bf84df4f7d
Move opacity to tricky. Fixes #16.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 09:24:11 +01:00
Edward Z. Yang
15d1a3003a
Don't truncate in DOMLex when seeing closing div
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 08:50:33 +01:00
Edward Z. Yang
80ebd4322e
Typo in docs, thanks Soleil Golden for reporting.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-02-04 12:17:24 -08:00
Edward Z. Yang
6f389f0f25
Release 4.6.0.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2013-11-30 00:25:19 -08:00
Edward Z. Yang
8cd08620dc
Conditionalize hash_hmac tests for 5.0
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-11-29 22:27:01 -08:00
Edward Z. Yang
54477c172b
Fix infinite loop in Lexer.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-27 21:41:08 -07:00
Edward Z. Yang
e52d1fe310
Fix < PHP 5.4 compatibility break. Thanks GromNaN for submitting the patch.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-22 14:17:41 -07:00
Edward Z. Yang
0767bbc12d
Rewrite FixNesting implementation to be tree-based.
...
This mega-patch rips out the FixNesting implementation and the related
ChildDef components. The primary algorithmic change is to convert from
use of tokens to tree nodes, which are far more amenable to the style
of processing that FixNesting uses. Additionally, FixNesting has been
changed to go bottom-up rather than top-down, in order to avoid needing
to implement backtracking.
This patch simplifies a good deal of the relevant logic, since we no
longer need to continually recalculate the nesting structure when
processing things. However, the conversion to the alternate format
incurs some overhead, so for small inputs these changes are not a win.
One possibility to greatly reduce the constant factors here is to switch
to entirely using libxml's representation, and never serializing tokens;
this would require one to rewrite injectors, however.
The iterative post-order traversal in FixNesting is a bit subtle, but
we have essentially reified the stack and continuations.
We've removed support for %Core.EscapeInvalidChildren.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-20 22:37:01 -07:00
Edward Z. Yang
b3640e1af6
Add conversion functions for our own tree format.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-20 15:05:11 -07:00
Edward Z. Yang
be5769804a
Make the Token class abstract.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-17 16:13:04 -07:00
Edward Z. Yang
d6fbd7df22
Remove some unnecessary pass-by-reference.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-16 18:55:23 -07:00
Edward Z. Yang
804a06f01e
Remove PHP 4 compatibility hack.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-16 18:36:44 -07:00
Edward Z. Yang
8f401f769e
Use a Zipper to process MakeWellFormed, removing quadratic behavior.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 13:21:02 -07:00
Edward Z. Yang
82bcc62058
Properly handle context variables that are NULL.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 13:21:02 -07:00
Edward Z. Yang
f17490f009
Implementation of a Zipper, for efficient splice.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 01:16:32 -07:00
Edward Z. Yang
412bae13b5
Fix quadratic behavior in DOMLex due to array_shift.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-09-17 00:48:42 -07:00
Edward Z. Yang
cf44f399f8
Properly use HMAC for secure munging.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-09-13 21:16:50 -07:00
Marcus Bointon
fac747bdbd
PSR-2 reformatting PHPDoc corrections
...
With minor corrections.
Signed-off-by: Marcus Bointon <marcus@synchromedia.co.uk>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-08-17 22:27:26 -04:00
Edward Z. Yang
19eee14899
Tighten up invariants.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:54:53 -07:00
Edward Z. Yang
25d49f4ec0
Explicitly specify decorator name.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:37:33 -07:00