mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-09-20 03:05:18 +00:00
Code Releases Activity
1,401 Commits 5 Branches 65 Tags 9.1 MiB
6b643ede02
Commit Graph

1401 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Edward Z. Yang
6b643ede02 Implement %HTML.AllowedComments and %HTML.AllowedCommentsRegexp 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-26 15:34:42 +08:00
Edward Z. Yang
e41af46a8b Fix broken table content model, easily seen in XHTML1.1 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-26 14:49:26 +08:00
Edward Z. Yang
3570c9985a Properly handle nested sublists by folding into previous list item. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-26 14:00:34 +08:00
Edward Z. Yang
8d572993b4 Implement %HTML.TargetBlank 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-26 08:36:00 +08:00
Edward Z. Yang
1bacbc0563 Add isBenign and getDefaultScheme methods. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-25 23:31:15 +08:00
Edward Z. Yang
bfe2c10d07 Add a little bit of documentation about contexts for URIFilters. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-25 23:31:15 +08:00
Edward Z. Yang
9b10515fa4 Core.EscapeNonASCIICharacters now always works, even if target is UTF-8. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-25 23:31:15 +08:00
Edward Z. Yang
1255d0f15d Add support for scope attribute on td and th. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-25 23:31:13 +08:00
Edward Z. Yang
d45e11cc6b Add one more test for SPL autoload defaults. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-25 02:58:51 -05:00
Edward Z. Yang
94c15d1f56 Fix iconv truncation bug. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-25 02:31:06 -05:00
Edward Z. Yang
ce68cfe484 Remove spurious abstract definition; PHP 5.4 doesn't like that. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-18 13:28:07 -05:00
Edward Z. Yang
9f5f85952b Don't unset parser variable; plays poorly with serialize. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-12-18 13:27:51 -05:00
Edward Z. Yang
dbb365155b Typofix. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-08-24 09:56:51 -04:00
Edward Z. Yang
32c0ffde0c Don't add nofollow for matching hosts, generalize this code. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-08-24 09:56:49 -04:00
Edward Z. Yang
856a5e5b89 Update INSTALL to avoid missing config snafu, update usage.xml. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-08-24 09:56:21 -04:00
Edward Z. Yang
820d6e9097 Do not duplicate nofollow attribute in transform. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-08-24 09:56:13 -04:00
Edward Z. Yang
35b1fbce01 Explicitly initialize anonModule to null. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-04-19 22:46:17 +01:00
Edward Z. Yang
bcfbb8338c URI.Munge munges https to http URIs. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-04-10 13:09:24 +01:00
Edward Z. Yang
f51a6f7de9 Color keywords now case-insensitive. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-04-10 12:45:02 +01:00
Edward Z. Yang
f1439f0af5 Release 4.3.0 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-03-27 23:02:49 +01:00
Edward Z. Yang
0124605918 Fix CSS URL innerHTML/cssText escaping bug. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-03-27 21:24:32 +01:00
Edward Z. Yang
afb007d22f Protect against font family innerHTML/cssText attacks. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-03-27 20:35:43 +01:00
Edward Z. Yang
0dd9e4faf4 Fix Internet Explorer innerHTML bug. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-03-27 11:50:52 +01:00
Edward Z. Yang
94ed3b1231 Implement CSS.AllowedFonts. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-03-24 22:54:39 +00:00
Edward Z. Yang
6a6c0ed5d7 Don't autoclose if no parents support the tag. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-03-22 00:26:41 +00:00
Edward Z. Yang
e05b555448 Safety update for nested ul test. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-03-21 21:05:23 +00:00
Edward Z. Yang
ee9c70ab7f Fix E_NOTICE from indexing into empty string. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-03-17 17:33:11 +00:00
Edward Z. Yang
b4469f17aa Fix missing numeric entities (shows up when DirectLexing). 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-02-27 11:58:37 +00:00
Edward Z. Yang
e76f4b45d0 Dramatically rewrite null host URI handling. 
Basically, browsers don't parse what should be valid URIs correctly, so
we have to go through some backbends to accomodate them.  Specifically,
for browseable URIs, the following URIs have unintended behavior:

    - ///example.com
    - http:/example.com
    - http:///example.com

Furthermore, if the path begins with //, modifying these URLs must
be done with care, as if you remove the host-name component, the
parse tree changes.

I've modified the engine to follow correct URI semantics as much
as possible while outputting browser compatible code, and invalidate
the URI in cases where we can't deal.  There has been a refactoring
of URIScheme so that this important check is always performed,
introducing a new member variable allow_empty_host which is true
on data, file, mailto and news schemes.

This also fixes bypass bugs on URI.Munge.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-01-25 18:56:46 +00:00
Edward Z. Yang
a32d5b52e1 Fix embedding flash on non-IE browsers and allow more wmode. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-01-22 12:28:57 +00:00
Maxim Krizhanovsky
a3d71fe606 Iterative traversal of DOM. 
There are some deep DOMs you can hit the maximum nesting level
limit in tokenizeDOM (we've experienced this even with maximum nesting
level of 300). Here is an iterative version of the same function with
simple queue/dequeue approach.

Signed-off-by: Maxim Krizhanovsky <darhazer@gmail.com>
 2011-01-19 22:06:40 +00:00
Edward Z. Yang
77982bd61d Bump version number for Cache.SerializerPermissions. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-01-14 00:40:39 +00:00
Petr Skoda
78c4e62245 Add new Cache.SerializerPermissions option. 2011-01-13 22:57:40 +00:00
Edward Z. Yang
5803c06765 Check that argv is set before operating on it. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2011-01-13 22:42:47 +00:00
Edward Z. Yang
b63569ac22 Fix bad interaction between bootstrap autoloader and Zend Debugger/APC. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-12-31 09:48:28 +00:00
Edward Z. Yang
f3d050c517 Fix two bugs with caching of customized raw definitions. 
The first bug is that we will repeatedly write out the result
of a customized raw definition to the filesystem, even when a cache
entry already exists.

The second bug is that caching these definitions doesn't actually
work (the cache entry is written but never used.)  A new API
for retrieving raw definitions permits the user to take advantage
of caching.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-12-30 23:51:53 +00:00
Edward Z. Yang
6dcc37cb55 Update PHPT instructions. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-11-21 14:00:20 +00:00
Edward Z. Yang
cfc4ee1faf Add initial implementation of CSS.Trusted. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-11-12 18:45:03 +00:00
Edward Z. Yang
598c5b60c9 Add sanity check against ze1_compatibility_mode. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-11-12 16:15:03 +00:00
Edward Z. Yang
c9e7ffc172 Fix incorrect PEARSax3 test assertion. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-11-12 16:06:34 +00:00
Edward Z. Yang
feeffe6ed2 Check if schema.ser was corrupted. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-10-29 14:47:40 +01:00
Edward Z. Yang
4754d407aa Fix removal of id with DirectLex by preserving armor. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-10-28 17:25:31 +01:00
Nick Pope
0b9db1f54b Allow non-static autoload methods w/ PHP >= 5.2.11 
HTML Purifier loads itself as the first autoload function by
unregistering all existing functions and re-registering them after
registering itself.

Originally an exception was thrown when a non-static object method was
encountered as the behaviour of spl_autoload_functions() did not return
the object instance, but only the class name.  This was filed on PHP
bugs (#44144).

The bug was fixed for PHP >= 5.2.11 and >= 5.3

Signed-off-by: Nick Pope <nick@nickpope.me.uk>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-10-28 17:25:17 +01:00
Edward Z. Yang
1d4a38d055 Escape CDATA before handling conditional comments. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-28 12:11:26 -04:00
Edward Z. Yang
8c80349f9d Implement HTML.Nofollow for external links. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-28 12:01:57 -04:00
Edward Z. Yang
d848c99b74 Make IE conditional comment matching ungreedy. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-28 10:22:38 -04:00
Edward Z. Yang
882ffed9ba Release 4.2.0. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-15 02:52:57 -04:00
Edward Z. Yang
86990a21f1 Rename newline normalization directive to something better. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-15 02:50:39 -04:00
Tomasz Muras
9573f0933d Make newline normalization optional. 2010-09-14 23:49:28 -04:00
Edward Z. Yang
632bf2bbd4 Shift to 4.2.0 release cycle. 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
 2010-09-14 23:38:51 -04:00