htmlpurifier

mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-09-19 18:55:19 +00:00

Author	SHA1	Message	Date
Edward Z. Yang	631021733b	Add %Core.DisableExcludes directive Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2013-02-17 15:47:38 -08:00
Edward Z. Yang	c0ad68108a	Do checks against iconvAvailable because PHP 5.4 has botched iconv support. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-10-27 02:27:57 -07:00
Edward Z. Yang	72db575446	Fix bug with non-lower case color names in HTML. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-07-30 10:54:32 -04:00
Edward Z. Yang	f38fca32a9	Don't lower-case components of background. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-06-02 11:22:58 -04:00
Edward Z. Yang	6705140082	Fix in AttrTransform_Nofollow Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-05-14 23:07:27 -04:00
Edward Z. Yang	2189a9430f	Support for safe external scripts via explicit whitelist. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-04-27 17:44:49 -04:00
Edward Z. Yang	7291f19347	Fix problem where stacked AttrTransforms clobber each other. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-03-16 23:12:16 -04:00
Edward Z. Yang	31dce298ea	Actually make URI.DisableResources do something. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-03-02 13:25:00 -05:00
Edward Z. Yang	8c9d461a62	Bugfix: _blank not blank. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-02-18 11:28:01 -05:00
Edward Z. Yang	70028f83d6	Make all of the tests work on all PHP versions. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-18 18:57:13 -05:00
Edward Z. Yang	5c5e3fe79f	Avoid doing stupidly clever reflection tricks that make old PHP versions sad. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-18 18:21:36 -05:00
Edward Z. Yang	56a26cab14	Modernize some of the testing facilities. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-18 18:10:16 -05:00
Edward Z. Yang	1c7fedff5a	Tighter CSS selector validation. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-17 15:36:26 -05:00
Edward Z. Yang	974fe3f25e	Optional support for IDNAs with PEAR Net_IDNA2 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-06 05:28:00 -08:00
Edward Z. Yang	94468f3c24	Remove PEARSax3 lexer. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2012-01-03 20:40:17 +08:00
Edward Z. Yang	e0354fecd9	Make forms work for transitional doctypes. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-30 22:56:44 +08:00
Edward Z. Yang	d2de8d976a	Add test for invalid SafeIframe usage. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 21:52:55 +08:00
Bradley M. Froehle	4164b2eb2b	Implement Iframe module, and provide %HTML.SafeIframe and %URI.SafeIframeRegexp for untrusted usage. The purpose of this addition is twofold. In trusted mode, iframes are now unconditionally allowed. However, many online video providers (YouTube, Vimeo) and other web applications (Google Maps, Google Calendar, etc) provide embed code in iframe format, which is useful functionality in untrusted mode. You can specify iframes as trusted elements with %HTML.SafeIframe; however, you need to additionally specify a whitelist mechanism such as %URI.SafeIframeRegexp to say what iframe embeds are OK (by default everything is rejected). Note: As iframes are invalid in strict doctypes, you will not be able to use them there. We also added an always_load parameter to URIFilters in order to support the strange nature of the SafeIframe URIFilter (it always needs to be loaded, due to the inability of accessing the %HTML.SafeIframe directive to see if it's needed!) We expect this URIFilter can expand in the future to offer more complex validation mechanisms. Signed-off-by: Bradley M. Froehle <brad.froehle@gmail.com> Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 21:50:53 +08:00
Edward Z. Yang	6b643ede02	Implement %HTML.AllowedComments and %HTML.AllowedCommentsRegexp Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 15:34:42 +08:00
Edward Z. Yang	e41af46a8b	Fix broken table content model, easily seen in XHTML1.1 Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 14:49:26 +08:00
Edward Z. Yang	3570c9985a	Properly handle nested sublists by folding into previous list item. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 14:00:34 +08:00
Edward Z. Yang	8d572993b4	Implement %HTML.TargetBlank Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-26 08:36:00 +08:00
Edward Z. Yang	9b10515fa4	Core.EscapeNonASCIICharacters now always works, even if target is UTF-8. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-25 23:31:15 +08:00
Edward Z. Yang	d45e11cc6b	Add one more test for SPL autoload defaults. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-25 02:58:51 -05:00
Edward Z. Yang	94c15d1f56	Fix iconv truncation bug. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-12-25 02:31:06 -05:00
Edward Z. Yang	820d6e9097	Do not duplicate nofollow attribute in transform. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-08-24 09:56:13 -04:00
Edward Z. Yang	bcfbb8338c	URI.Munge munges https to http URIs. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-04-10 13:09:24 +01:00
Edward Z. Yang	0124605918	Fix CSS URL innerHTML/cssText escaping bug. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-03-27 21:24:32 +01:00
Edward Z. Yang	afb007d22f	Protect against font family innerHTML/cssText attacks. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-03-27 20:35:43 +01:00
Edward Z. Yang	0dd9e4faf4	Fix Internet Explorer innerHTML bug. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-03-27 11:50:52 +01:00
Edward Z. Yang	94ed3b1231	Implement CSS.AllowedFonts. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-03-24 22:54:39 +00:00
Edward Z. Yang	6a6c0ed5d7	Don't autoclose if no parents support the tag. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-03-22 00:26:41 +00:00
Edward Z. Yang	e05b555448	Safety update for nested ul test. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-03-21 21:05:23 +00:00
Edward Z. Yang	ee9c70ab7f	Fix E_NOTICE from indexing into empty string. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-03-17 17:33:11 +00:00
Edward Z. Yang	e76f4b45d0	Dramatically rewrite null host URI handling. Basically, browsers don't parse what should be valid URIs correctly, so we have to go through some backbends to accomodate them. Specifically, for browseable URIs, the following URIs have unintended behavior: - ///example.com - http:/example.com - http:///example.com Furthermore, if the path begins with //, modifying these URLs must be done with care, as if you remove the host-name component, the parse tree changes. I've modified the engine to follow correct URI semantics as much as possible while outputting browser compatible code, and invalidate the URI in cases where we can't deal. There has been a refactoring of URIScheme so that this important check is always performed, introducing a new member variable allow_empty_host which is true on data, file, mailto and news schemes. This also fixes bypass bugs on URI.Munge. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-01-25 18:56:46 +00:00
Edward Z. Yang	a32d5b52e1	Fix embedding flash on non-IE browsers and allow more wmode. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-01-22 12:28:57 +00:00
Petr Skoda	78c4e62245	Add new Cache.SerializerPermissions option.	2011-01-13 22:57:40 +00:00
Edward Z. Yang	5803c06765	Check that argv is set before operating on it. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2011-01-13 22:42:47 +00:00
Edward Z. Yang	f3d050c517	Fix two bugs with caching of customized raw definitions. The first bug is that we will repeatedly write out the result of a customized raw definition to the filesystem, even when a cache entry already exists. The second bug is that caching these definitions doesn't actually work (the cache entry is written but never used.) A new API for retrieving raw definitions permits the user to take advantage of caching. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-12-30 23:51:53 +00:00
Edward Z. Yang	cfc4ee1faf	Add initial implementation of CSS.Trusted. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-11-12 18:45:03 +00:00
Edward Z. Yang	598c5b60c9	Add sanity check against ze1_compatibility_mode. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-11-12 16:15:03 +00:00
Edward Z. Yang	c9e7ffc172	Fix incorrect PEARSax3 test assertion. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-11-12 16:06:34 +00:00
Edward Z. Yang	4754d407aa	Fix removal of id with DirectLex by preserving armor. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-10-28 17:25:31 +01:00
Nick Pope	0b9db1f54b	Allow non-static autoload methods w/ PHP >= 5.2.11 HTML Purifier loads itself as the first autoload function by unregistering all existing functions and re-registering them after registering itself. Originally an exception was thrown when a non-static object method was encountered as the behaviour of spl_autoload_functions() did not return the object instance, but only the class name. This was filed on PHP bugs (#44144). The bug was fixed for PHP >= 5.2.11 and >= 5.3 Signed-off-by: Nick Pope <nick@nickpope.me.uk> Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-10-28 17:25:17 +01:00
Edward Z. Yang	8c80349f9d	Implement HTML.Nofollow for external links. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-09-28 12:01:57 -04:00
Edward Z. Yang	d848c99b74	Make IE conditional comment matching ungreedy. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-09-28 10:22:38 -04:00
Edward Z. Yang	86990a21f1	Rename newline normalization directive to something better. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-09-15 02:50:39 -04:00
Tomasz Muras	9573f0933d	Make newline normalization optional.	2010-09-14 23:49:28 -04:00
Edward Z. Yang	ec86598446	Add support for file:// URI scheme. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-09-09 00:01:26 -04:00
Edward Z. Yang	7c91104532	Implement HTML.FlashAllowFullScreen. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>	2010-09-08 23:39:20 -04:00

1 2 3 4 5 ...

695 Commits