0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-11-14 17:28:40 +00:00
Commit Graph

52 Commits

Author SHA1 Message Date
Mateusz Turcza
3bdc031224
Add %HTML.Forms config directive (#260)
The %HTML.Forms directive enables Forms module regardless of the %HTML.Trusted
value. This adds support for form elements without enabling other unsafe
modules, such as Scripts, Iframe or Object.

To achieve the same effect without this directive one has to explicitly list
all enabled modules in %HTML.AllowedModules, and any not listed will be
removed. This however is not very convenient, as the allowed modules may vary
between doctypes.

Resolves #213.
2020-06-28 20:26:33 -04:00
Edward Z. Yang
0f7b138aaf Make SafeScripting case-sensitive.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2018-11-11 16:21:58 -05:00
Dimitri Gritsajuk
5a01e6535d [SafeScripting] disable autoclosing of <script /> tag (#198) 2018-11-11 15:04:11 -05:00
Bastian Hofmann
8e4cacf0a7 Refactor HTML.Noopener to HTML.TargetNoopener so that it behaves like HTML.TargetNoreferrer and is active by default if a target is set 2017-02-03 16:54:51 -08:00
Bastian Hofmann
c82051c3e1 Add HTML.Noopener to add a noopener rel to every external link
This has performance benefits https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/ but most importantly also security benefits https://mathiasbynens.github.io/rel-noopener/

Adresses https://github.com/ezyang/htmlpurifier/issues/96
2017-02-03 16:54:51 -08:00
Cameron Ball
1675fc7caf Add %HTML.TargetNoreferrer, which adds rel="noreferrer" when target attribute is set
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 21:53:43 -04:00
Edward Z. Yang
753c830239 Update to work with Git version of SimpleTest.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-24 00:08:03 -07:00
Marcus Bointon
fac747bdbd PSR-2 reformatting PHPDoc corrections
With minor corrections.

Signed-off-by: Marcus Bointon <marcus@synchromedia.co.uk>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-08-17 22:27:26 -04:00
Edward Z. Yang
6705140082 Fix in AttrTransform_Nofollow
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-14 23:07:27 -04:00
Edward Z. Yang
2189a9430f Support for safe external scripts via explicit whitelist.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-04-27 17:44:49 -04:00
Edward Z. Yang
8c9d461a62 Bugfix: _blank not blank.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-02-18 11:28:01 -05:00
Edward Z. Yang
e0354fecd9 Make forms work for transitional doctypes.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-30 22:56:44 +08:00
Edward Z. Yang
8d572993b4 Implement %HTML.TargetBlank
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 08:36:00 +08:00
Edward Z. Yang
820d6e9097 Do not duplicate nofollow attribute in transform.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-08-24 09:56:13 -04:00
Edward Z. Yang
f3d050c517 Fix two bugs with caching of customized raw definitions.
The first bug is that we will repeatedly write out the result
of a customized raw definition to the filesystem, even when a cache
entry already exists.

The second bug is that caching these definitions doesn't actually
work (the cache entry is written but never used.)  A new API
for retrieving raw definitions permits the user to take advantage
of caching.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-12-30 23:51:53 +00:00
Edward Z. Yang
8c80349f9d Implement HTML.Nofollow for external links.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-09-28 12:01:57 -04:00
Edward Z. Yang
7c91104532 Implement HTML.FlashAllowFullScreen.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-09-08 23:39:20 -04:00
Edward Z. Yang
dc90e8e85b Support flashvars.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2010-03-08 01:16:57 -05:00
Edward Z. Yang
41c9226f3d Style refresh: add/remove vimlines, fix minor factual errors.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2009-04-09 12:47:10 -04:00
Edward Z. Yang
398a02039e Implement %HTML.Attr.Name.UseCDATA which relaxes name validation rules.
Sponsored-by: Ian Cook <thinkspill@gmail.com>
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2009-03-20 19:34:38 -04:00
Edward Z. Yang
86ca784da3 Convert all to new configuration get/set format.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2009-02-21 03:00:34 -05:00
Edward Z. Yang
12b811d749 Add vim modelines to all files.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2008-12-06 04:24:59 -05:00
Edward Z. Yang
2c955af135 Remove trailing whitespace.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2008-12-06 02:28:20 -05:00
Edward Z. Yang
c9b6f125aa Forms implementation for %HTML.Trusted. Some backend changes:
* Added Charsets and Character attribute types
* Fix a heavily recursive form of ContentSets, this allows a content-set
  to include another content-set which includes another content-set, and
  so forth.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2008-08-15 18:57:44 -04:00
Edward Z. Yang
6bb8c1fcac Handle CRLF discrepancies
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2008-06-24 21:10:51 -04:00
Edward Z. Yang
486b401cf7 Fix broken tests.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1795 48356398-32a2-884e-a903-53898d9a118a
2008-06-12 03:12:39 +00:00
Edward Z. Yang
36bd06d53e [3.1.1] Implement SafeEmbed. Also, miscellaneous bugfixes.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1781 48356398-32a2-884e-a903-53898d9a118a
2008-06-10 01:18:03 +00:00
Edward Z. Yang
13eb016e06 [3.1.1] Implement SafeObject.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1780 48356398-32a2-884e-a903-53898d9a118a
2008-06-10 00:13:44 +00:00
Edward Z. Yang
eb9f9bc7f6 [3.1.1] Round up imagecrash support with HTML.MaxImgLength
- Add $max to AttrDef/HTML/Pixels.php
- Add %HTML.MaxImgLength
- CSS width/height allows percents when MaxImgLength is disabled


git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1762 48356398-32a2-884e-a903-53898d9a118a
2008-05-23 02:09:43 +00:00
Edward Z. Yang
8d0d0d1a03 [3.1.1] construct() to setup() in HTMLModules
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1760 48356398-32a2-884e-a903-53898d9a118a
2008-05-22 04:34:19 +00:00
Edward Z. Yang
eaabccdd9b [3.1.0] More PHP4->PHP5 conversions, notably reference removal of most methods that return objects
- Removed HTMLPurifier_Error
- Documentation updates
- Removed more copy() methods in favor of clone
- HTMLPurifier::getInstance() to HTMLPurifier::instance()
- Fix InterchangeBuilder to use HTMLPURIFIER_PREFIX

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1689 48356398-32a2-884e-a903-53898d9a118a
2008-04-23 02:40:17 +00:00
Edward Z. Yang
3b5effcb72 - Removed tally(), swallowErrors(), assertNoErrors()
- Removed unnecessary ampersands

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1657 48356398-32a2-884e-a903-53898d9a118a
2008-04-14 03:06:36 +00:00
Edward Z. Yang
dac98cdb06 [3.1.0] Emit notice if setting configuration alias, and fix up our test code not to use aliases
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1643 48356398-32a2-884e-a903-53898d9a118a
2008-04-03 21:53:06 +00:00
Edward Z. Yang
fa6b6fe85f [3.1.0] Reconfigure tester to glob for test files using *Test.php pattern.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1585 48356398-32a2-884e-a903-53898d9a118a
2008-03-02 02:05:47 +00:00
Edward Z. Yang
b5f1c76ee8 [3.1.0] Implement Proprietary HTML module with <marquee>
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1572 48356398-32a2-884e-a903-53898d9a118a
2008-02-20 00:53:09 +00:00
Edward Z. Yang
fbc595ebed Remove includes from unit tests.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1569 48356398-32a2-884e-a903-53898d9a118a
2008-02-18 04:41:42 +00:00
Edward Z. Yang
71301b36eb [2.1.2?] Implemented Object module for trusted users.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1377 48356398-32a2-884e-a903-53898d9a118a
2007-08-08 05:16:15 +00:00
Edward Z. Yang
f922285383 More unit test refactoring; remove unnecessary periods from HTMLDefinition error messages
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1374 48356398-32a2-884e-a903-53898d9a118a
2007-08-07 05:38:22 +00:00
Edward Z. Yang
f5b72c623c [2.1.0] Implement Ruby.
- Destroy some zombie context variables
- Reorganize some TODO items

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1347 48356398-32a2-884e-a903-53898d9a118a
2007-08-02 22:44:42 +00:00
Edward Z. Yang
2a002857ce [2.1.0] All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase. prepareCommon() refactored to global test-case.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1332 48356398-32a2-884e-a903-53898d9a118a
2007-08-01 14:06:59 +00:00
Edward Z. Yang
e99520ab96 Remove trailing ?> in PHP library files, add trailing newlines to all other files.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1253 48356398-32a2-884e-a903-53898d9a118a
2007-06-27 13:58:32 +00:00
Edward Z. Yang
275932ec05 [2.0.1] Fix DirectLex's incomprehension of un-armored script contents as CDATA using custom preg_replace_callback
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1244 48356398-32a2-884e-a903-53898d9a118a
2007-06-26 16:08:42 +00:00
Edward Z. Yang
ae90bb919d Remove unnecessary $this parameters from mock instantiation; SimpleTest doesn't use it!
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1243 48356398-32a2-884e-a903-53898d9a118a
2007-06-26 15:40:04 +00:00
Edward Z. Yang
bf0d659c47 [2.0.1] Improve special case handling for <script>
- DirectLex now honors comments with greater than or less than signs in them
- Comments are transformed into script elements, ending comments are scrapped
- Buggy generator code rewritten to be more error-proof
- AttrValidator checks if token has attributes before processing
- Remove invalid documentation from Scripting
- "Commenting" of script elements switched to the more advanced version

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1189 48356398-32a2-884e-a903-53898d9a118a
2007-06-21 14:44:26 +00:00
Edward Z. Yang
e840564228 [1.7.0] Contents between <script> tags are now completely removed if <script> is not allowed
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1145 48356398-32a2-884e-a903-53898d9a118a
2007-06-16 19:31:45 +00:00
Edward Z. Yang
831db14c79 [1.7.0] Remove HTMLModule tests. They were a bad idea.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1083 48356398-32a2-884e-a903-53898d9a118a
2007-05-21 00:24:32 +00:00
Edward Z. Yang
a470fc5621 [1.7.0] Refactor HTMLModule unit tests
- AttrCollections does not barf when an inclusion is not present
- HTMLDefinition configuration directives now use new syntax
- Added %HTML.AllowedModules and %HTML.CoreModules for testing
- Extend Harness so that it can accept a default configuration object member variable
- Refactor modules to use Scaffolding, which defines some custom attributes that allows for the easy testing of attribute collections

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1082 48356398-32a2-884e-a903-53898d9a118a
2007-05-20 22:29:31 +00:00
Edward Z. Yang
4d38c02932 [1.7.0] Implement and hook-in Tidy module setup.
- CommonAttributes factored into XMLCommonAttributes and NonXMLCommonAttributes
- Tidy abstract module was completely refactored in interest of usability
- Add friendly error message if module does not have name

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1070 48356398-32a2-884e-a903-53898d9a118a
2007-05-19 21:00:12 +00:00
Edward Z. Yang
83a50465dc [1.7.0] Commit abstract implementation of Tidy module: migration to follow.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1069 48356398-32a2-884e-a903-53898d9a118a
2007-05-19 01:42:17 +00:00
Edward Z. Yang
f7eccc0038 [1.7.0] Add %HTML.Trusted directive to allow untrusted elements in. Add special-case code for <script> into Generator.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1061 48356398-32a2-884e-a903-53898d9a118a
2007-05-15 01:17:10 +00:00