htmlpurifier

mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-09-19 18:55:19 +00:00

Author	SHA1	Message	Date
Cameron Ball	1675fc7caf	Add %HTML.TargetNoreferrer, which adds rel="noreferrer" when target attribute is set Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-06-30 21:53:43 -04:00
Wes Cossick	cc35c8eb8c	tel protocol support.	2016-06-30 21:19:49 -04:00
Edward Z. Yang	43a9f052fd	Fix #57 , make flashvars check (and others) case-insensitive. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-27 15:56:30 -07:00
Edward Z. Yang	b4981c3395	Fix #67 , don't use <body> tags in comments for %Core.ConvertDocumentToFragment Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-27 15:19:32 -07:00
Edward Z. Yang	f14076dc3e	Fix #49 ; prevent readdir infinite loop when cache directory not listable. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-27 14:53:31 -07:00
Edward Z. Yang	91fd55c857	Fix #45 , errors when ul/ol allowed without li. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-26 22:41:54 -07:00
Edward Z. Yang	753c830239	Update to work with Git version of SimpleTest. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-24 00:08:03 -07:00
Edward Z. Yang	72123e23c9	Update ExtractStyleBlocks tests for modern CSSTidy at https://github.com/Cerdic/CSSTidy Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-23 23:39:38 -07:00
Edward Z. Yang	45161b4fb1	Accept leading digits in hostnames as per RFC 1123. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-23 22:42:21 -07:00
Synchro	25db9e1dd0	Don't use PHP4-style constructors	2016-03-16 17:09:41 -07:00
Edward Z. Yang	92aabf2b23	Fix #76 , linkify includes dots at end of URL. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-02 02:05:54 -08:00
Edward Z. Yang	aebe1c02a2	Use idn_to_ascii when available. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2016-03-02 01:35:07 -08:00
Edward Z. Yang	913ac6955b	CSS.AllowDuplicates for duplicate properties. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2015-12-20 11:53:54 -08:00
Edward Z. Yang	c67e4c2f7e	All values, including empty, are valid HTML bools. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2015-02-11 16:36:44 -08:00
Edward Z. Yang	0c3e68dd03	Stop using umask to make definition cache. Fixes #32 This is not really the right way to solve the ACL problem, but there isn't really any reason we should be mucking about with the umask. Mucked around with the test case to make it pass, but I think it's probably a bit delicate now. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2014-12-08 18:30:54 -08:00
Edward Z. Yang	cd60294ada	Fix rgb in border attribute with spaces, fixes #30 . Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2014-08-31 12:12:38 +01:00
Edward Z. Yang	39d3df1fd7	Add AutoFormat.RemoveEmpty.Predicate, fixes #35 . Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2014-08-31 12:12:17 +01:00
Edward Z. Yang	b8704535a3	Update test. Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2014-08-31 11:10:11 +01:00
Edward Z. Yang	15d1a3003a	Don't truncate in DOMLex when seeing closing div Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>	2014-08-31 08:50:33 +01:00
Edward Z. Yang	8cd08620dc	Conditionalize hash_hmac tests for 5.0 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-11-29 22:27:01 -08:00
Edward Z. Yang	54477c172b	Fix infinite loop in Lexer. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-10-27 21:41:08 -07:00
Edward Z. Yang	0767bbc12d	Rewrite FixNesting implementation to be tree-based. This mega-patch rips out the FixNesting implementation and the related ChildDef components. The primary algorithmic change is to convert from use of tokens to tree nodes, which are far more amenable to the style of processing that FixNesting uses. Additionally, FixNesting has been changed to go bottom-up rather than top-down, in order to avoid needing to implement backtracking. This patch simplifies a good deal of the relevant logic, since we no longer need to continually recalculate the nesting structure when processing things. However, the conversion to the alternate format incurs some overhead, so for small inputs these changes are not a win. One possibility to greatly reduce the constant factors here is to switch to entirely using libxml's representation, and never serializing tokens; this would require one to rewrite injectors, however. The iterative post-order traversal in FixNesting is a bit subtle, but we have essentially reified the stack and continuations. We've removed support for %Core.EscapeInvalidChildren. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-10-20 22:37:01 -07:00
Edward Z. Yang	8f401f769e	Use a Zipper to process MakeWellFormed, removing quadratic behavior. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-10-13 13:21:02 -07:00
Edward Z. Yang	82bcc62058	Properly handle context variables that are NULL. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-10-13 13:21:02 -07:00
Edward Z. Yang	f17490f009	Implementation of a Zipper, for efficient splice. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-10-13 01:16:32 -07:00
Edward Z. Yang	a5fc37d8c3	Improve gitignore. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-10-13 00:18:11 -07:00
Edward Z. Yang	cf44f399f8	Properly use HMAC for secure munging. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-09-13 21:16:50 -07:00
Marcus Bointon	fac747bdbd	PSR-2 reformatting PHPDoc corrections With minor corrections. Signed-off-by: Marcus Bointon <marcus@synchromedia.co.uk> Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-08-17 22:27:26 -04:00
Edward Z. Yang	53c2907706	New directive %Core.AllowHostnameUnderscore Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-07-26 21:33:39 -07:00
Edward Z. Yang	75bd7abcc7	Make list nesting test more sensitive. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-06-06 13:08:13 -07:00
Edward Z. Yang	0680832d41	Use info_parent_def to get parent information, since it may not be present in info array. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-05-21 17:19:59 -07:00
Edward Z. Yang	6e37ecd1c8	Make URI parsing algorithm more strict. Thanks Michael Gusev <mgusev@sugarcrm.com> for contributing this patch. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-04-16 13:56:43 -07:00
Edward Z. Yang	631021733b	Add %Core.DisableExcludes directive Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-02-17 15:47:38 -08:00
Edward Z. Yang	c0ad68108a	Do checks against iconvAvailable because PHP 5.4 has botched iconv support. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-10-27 02:27:57 -07:00
Edward Z. Yang	72db575446	Fix bug with non-lower case color names in HTML. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-07-30 10:54:32 -04:00
Edward Z. Yang	f38fca32a9	Don't lower-case components of background. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-06-02 11:22:58 -04:00
Edward Z. Yang	6705140082	Fix in AttrTransform_Nofollow Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-05-14 23:07:27 -04:00
Edward Z. Yang	2189a9430f	Support for safe external scripts via explicit whitelist. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-04-27 17:44:49 -04:00
Edward Z. Yang	7291f19347	Fix problem where stacked AttrTransforms clobber each other. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-03-16 23:12:16 -04:00
Edward Z. Yang	8c9d461a62	Bugfix: _blank not blank. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-02-18 11:28:01 -05:00
Edward Z. Yang	70028f83d6	Make all of the tests work on all PHP versions. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-18 18:57:13 -05:00
Edward Z. Yang	5c5e3fe79f	Avoid doing stupidly clever reflection tricks that make old PHP versions sad. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-18 18:21:36 -05:00
Edward Z. Yang	1c7fedff5a	Tighter CSS selector validation. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-17 15:36:26 -05:00
Edward Z. Yang	974fe3f25e	Optional support for IDNAs with PEAR Net_IDNA2 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-06 05:28:00 -08:00
Edward Z. Yang	94468f3c24	Remove PEARSax3 lexer. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-03 20:40:17 +08:00
Edward Z. Yang	e0354fecd9	Make forms work for transitional doctypes. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-30 22:56:44 +08:00
Edward Z. Yang	d2de8d976a	Add test for invalid SafeIframe usage. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 21:52:55 +08:00
Bradley M. Froehle	4164b2eb2b	Implement Iframe module, and provide %HTML.SafeIframe and %URI.SafeIframeRegexp for untrusted usage. The purpose of this addition is twofold. In trusted mode, iframes are now unconditionally allowed. However, many online video providers (YouTube, Vimeo) and other web applications (Google Maps, Google Calendar, etc) provide embed code in iframe format, which is useful functionality in untrusted mode. You can specify iframes as trusted elements with %HTML.SafeIframe; however, you need to additionally specify a whitelist mechanism such as %URI.SafeIframeRegexp to say what iframe embeds are OK (by default everything is rejected). Note: As iframes are invalid in strict doctypes, you will not be able to use them there. We also added an always_load parameter to URIFilters in order to support the strange nature of the SafeIframe URIFilter (it always needs to be loaded, due to the inability of accessing the %HTML.SafeIframe directive to see if it's needed!) We expect this URIFilter can expand in the future to offer more complex validation mechanisms. Signed-off-by: Bradley M. Froehle <brad.froehle@gmail.com> Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 21:50:53 +08:00
Edward Z. Yang	6b643ede02	Implement %HTML.AllowedComments and %HTML.AllowedCommentsRegexp Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 15:34:42 +08:00
Edward Z. Yang	e41af46a8b	Fix broken table content model, easily seen in XHTML1.1 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 14:49:26 +08:00

1 2 3 4 5 ...

621 Commits