The purpose of this addition is twofold. In trusted mode, iframes are
now unconditionally allowed.
However, many online video providers (YouTube, Vimeo) and other web
applications (Google Maps, Google Calendar, etc) provide embed code in
iframe format, which is useful functionality in untrusted mode.
You can specify iframes as trusted elements with %HTML.SafeIframe;
however, you need to additionally specify a whitelist mechanism such as
%URI.SafeIframeRegexp to say what iframe embeds are OK (by default
everything is rejected).
Note: As iframes are invalid in strict doctypes, you will not be able to
use them there.
We also added an always_load parameter to URIFilters in order to support
the strange nature of the SafeIframe URIFilter (it always needs to be
loaded, due to the inability of accessing the %HTML.SafeIframe directive
to see if it's needed!) We expect this URIFilter can expand in the future
to offer more complex validation mechanisms.
Signed-off-by: Bradley M. Froehle <brad.froehle@gmail.com>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
* Added Charsets and Character attribute types
* Fix a heavily recursive form of ContentSets, this allows a content-set
to include another content-set which includes another content-set, and
so forth.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
Prior to this commit, the name attribute was unilaterally removed, except
for Strict doctypes or a heavy TidyLevel, when it was converted to an id
attribute. As name is actually permitted in both HTML 4.01 Strict and
XHTML 1.0 Strict, although deprecated, the more sensible default behavior
is to allow it unless TidyLevel is heavy.
Our implementation is slightly stricter than the specs, as name attributes are
treated as first class IDs, disallowing <a name="foo" id="foo"> or duplicate
names. The former should be treated as a special case, but that will be
a separate commit.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
- Remove includes call in HTMLPurifier.auto.php
- Relax ConfigSchema treatment in generate-includes.php
- Clean up some empty comments (there are probably more)
- De-indent some extends
- class_exists() should now attempt to use autoload
- schema.ser is now a standalone file
- tests/index.php can be run from any directory
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1540 48356398-32a2-884e-a903-53898d9a118a
- Add FSTools:globr()
- require_once removed from all files
- HTMLPurifier.autoload.php added to register autoload handler
- Removed redundant chdir in maintenance script
- Modified standalone to use HTMLPurifier.includes.php for including stuff
- Added maintenance script remove-require-once.php which we used once and should never use again
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1516 48356398-32a2-884e-a903-53898d9a118a
- Printer adheres to configuration's directives on output format
- Fix improperly named form field in ConfigForm printer
. HTMLPurifier_Config::getAllowedDirectivesForForm implemented, allows much easier selective embedding of configuration values
. Doctype objects now accept public and system DTD identifiers
. %HTML.Doctype is now constrained by specific values, to specify a custom doctype use new %HTML.CustomDoctype
. ConfigForm truncates long directives to keep the form small, and does not re-output namespaces
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1232 48356398-32a2-884e-a903-53898d9a118a
- Stray xmlns attributes removed from configuration documentation
. Interlinking in configuration documentation added using Injector_PurifierLinkify
. Directives now keep track of aliases to themselves
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1225 48356398-32a2-884e-a903-53898d9a118a
- Add extra protection in AttrDef_URI against phantom Schemes
- Doctype moved from config to HTMLDefinition
- AttrDef_URITest mocks have more generic object parameters to deal with PHP4's copy-happy behavior
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1089 48356398-32a2-884e-a903-53898d9a118a
- AttrCollections does not barf when an inclusion is not present
- HTMLDefinition configuration directives now use new syntax
- Added %HTML.AllowedModules and %HTML.CoreModules for testing
- Extend Harness so that it can accept a default configuration object member variable
- Refactor modules to use Scaffolding, which defines some custom attributes that allows for the easy testing of attribute collections
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1082 48356398-32a2-884e-a903-53898d9a118a
- Make specifying the child property for ElementDef unnecessary when overloading content_model or content_model_type
- Add necessary includes to Tidy module files
- Move div@align fix to Tidy_Proprietary
- Future proof attrTransform.php by setting doctype to strict
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1071 48356398-32a2-884e-a903-53898d9a118a
- CommonAttributes factored into XMLCommonAttributes and NonXMLCommonAttributes
- Tidy abstract module was completely refactored in interest of usability
- Add friendly error message if module does not have name
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1070 48356398-32a2-884e-a903-53898d9a118a
- Add $xml property to Doctype, make more serialize friendly in preparation for stuffing into Config object
- Add FIXME markers for areas of further development, code is hooked so this is easy
- Document what the new Tidy classes will be
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1065 48356398-32a2-884e-a903-53898d9a118a
- Move Doctype to its own file
- Remove vestigial autoDoctype and order
- Setup will automatically load modules for you
- Allow overriding trust level for parent element
- Random documentation update
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1056 48356398-32a2-884e-a903-53898d9a118a
- Make our modified class_exists() check to work in both PHP 4 and 5
(todo: we need some unit tests for ElementDef)
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1023 48356398-32a2-884e-a903-53898d9a118a
- Yet even more unit test for HTMLModuleManager
- Sample code in printDefinition for defining a new element
- Downgraded importances of HTMLModule->elements
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@762 48356398-32a2-884e-a903-53898d9a118a
