Edward Z. Yang
f90372f8ab
More support for white-space.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-06-16 17:10:36 -04:00
Edward Z. Yang
f38fca32a9
Don't lower-case components of background.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-06-02 11:22:58 -04:00
Edward Z. Yang
5a23004652
Support for inline-block.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-25 23:55:48 -04:00
Edward Z. Yang
6705140082
Fix in AttrTransform_Nofollow
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-14 23:07:27 -04:00
Edward Z. Yang
cb7162a995
Use prepend for autoloading on PHP 5.3+
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-02 11:07:24 -04:00
Edward Z. Yang
2189a9430f
Support for safe external scripts via explicit whitelist.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-04-27 17:44:49 -04:00
Edward Z. Yang
7291f19347
Fix problem where stacked AttrTransforms clobber each other.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-03-16 23:12:16 -04:00
Benjamin Steininger
9fcffd6533
Add composer.json file for easy install via composer.
...
Composer: http://getcomposer.org/
Since HTML Purifier is not completely psr-0 compatible (a classmap is
not enough for autoloading), the package-description does not contain
anything autoload-related. The user has to include the autoloader
himself.
This lets us create an entry on packagist which allows installing HTML
Purifier without the need to declare a repository in projects; it also
makes it easy to create libraries which want to use HTML Purifier using
composer.
Signed-off-by: Benjamin Steininger <robo47@robo47.net>
2012-03-16 01:05:02 -04:00
Edward Z. Yang
31dce298ea
Actually make URI.DisableResources do something.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-03-02 13:25:00 -05:00
Edward Z. Yang
8c9d461a62
Bugfix: _blank not blank.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-02-18 11:28:01 -05:00
Edward Z. Yang
7291a9647e
Update NEWS.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-25 07:06:30 -05:00
Edward Z. Yang
17af0e4fc1
Release 4.4.0
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-18 19:22:31 -05:00
Edward Z. Yang
70028f83d6
Make all of the tests work on all PHP versions.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-18 18:57:13 -05:00
Edward Z. Yang
5c5e3fe79f
Avoid doing stupidly clever reflection tricks that make old PHP versions sad.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-18 18:21:36 -05:00
Edward Z. Yang
56a26cab14
Modernize some of the testing facilities.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-18 18:10:16 -05:00
Edward Z. Yang
1c7fedff5a
Tighter CSS selector validation.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-17 15:36:26 -05:00
Edward Z. Yang
9de0785448
Remark about bypassing host list with punycode.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-06 05:32:53 -08:00
Edward Z. Yang
974fe3f25e
Optional support for IDNAs with PEAR Net_IDNA2
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-06 05:28:00 -08:00
Edward Z. Yang
94468f3c24
Remove PEARSax3 lexer.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-01-03 20:40:17 +08:00
Edward Z. Yang
e0354fecd9
Make forms work for transitional doctypes.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-30 22:56:44 +08:00
Edward Z. Yang
1bbbc624dd
Remove inscrutable TODO, optionalize another.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-27 23:50:02 +08:00
Edward Z. Yang
49879d2cc6
Add note about superseding modules in TODO.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-27 23:21:32 +08:00
Edward Z. Yang
5c9b5130c8
Bump minor version number to 4.4.0.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 21:55:14 +08:00
Edward Z. Yang
d2de8d976a
Add test for invalid SafeIframe usage.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 21:52:55 +08:00
Bradley M. Froehle
4164b2eb2b
Implement Iframe module, and provide %HTML.SafeIframe and %URI.SafeIframeRegexp for untrusted usage.
...
The purpose of this addition is twofold. In trusted mode, iframes are
now unconditionally allowed.
However, many online video providers (YouTube, Vimeo) and other web
applications (Google Maps, Google Calendar, etc) provide embed code in
iframe format, which is useful functionality in untrusted mode.
You can specify iframes as trusted elements with %HTML.SafeIframe;
however, you need to additionally specify a whitelist mechanism such as
%URI.SafeIframeRegexp to say what iframe embeds are OK (by default
everything is rejected).
Note: As iframes are invalid in strict doctypes, you will not be able to
use them there.
We also added an always_load parameter to URIFilters in order to support
the strange nature of the SafeIframe URIFilter (it always needs to be
loaded, due to the inability of accessing the %HTML.SafeIframe directive
to see if it's needed!) We expect this URIFilter can expand in the future
to offer more complex validation mechanisms.
Signed-off-by: Bradley M. Froehle <brad.froehle@gmail.com>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 21:50:53 +08:00
Edward Z. Yang
1e5293d9fe
Add more attributions.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 15:45:41 +08:00
Edward Z. Yang
6b643ede02
Implement %HTML.AllowedComments and %HTML.AllowedCommentsRegexp
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 15:34:42 +08:00
Edward Z. Yang
e41af46a8b
Fix broken table content model, easily seen in XHTML1.1
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 14:49:26 +08:00
Edward Z. Yang
3570c9985a
Properly handle nested sublists by folding into previous list item.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 14:00:34 +08:00
Edward Z. Yang
8d572993b4
Implement %HTML.TargetBlank
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-26 08:36:00 +08:00
Edward Z. Yang
1bacbc0563
Add isBenign and getDefaultScheme methods.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-25 23:31:15 +08:00
Edward Z. Yang
bfe2c10d07
Add a little bit of documentation about contexts for URIFilters.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-25 23:31:15 +08:00
Edward Z. Yang
9b10515fa4
Core.EscapeNonASCIICharacters now always works, even if target is UTF-8.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-25 23:31:15 +08:00
Edward Z. Yang
1255d0f15d
Add support for scope attribute on td and th.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-25 23:31:13 +08:00
Edward Z. Yang
d45e11cc6b
Add one more test for SPL autoload defaults.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-25 02:58:51 -05:00
Edward Z. Yang
94c15d1f56
Fix iconv truncation bug.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-25 02:31:06 -05:00
Edward Z. Yang
ce68cfe484
Remove spurious abstract definition; PHP 5.4 doesn't like that.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-18 13:28:07 -05:00
Edward Z. Yang
9f5f85952b
Don't unset parser variable; plays poorly with serialize.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-12-18 13:27:51 -05:00
Edward Z. Yang
dbb365155b
Typofix.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-08-24 09:56:51 -04:00
Edward Z. Yang
32c0ffde0c
Don't add nofollow for matching hosts, generalize this code.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-08-24 09:56:49 -04:00
Edward Z. Yang
856a5e5b89
Update INSTALL to avoid missing config snafu, update usage.xml.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-08-24 09:56:21 -04:00
Edward Z. Yang
820d6e9097
Do not duplicate nofollow attribute in transform.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-08-24 09:56:13 -04:00
Edward Z. Yang
35b1fbce01
Explicitly initialize anonModule to null.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-04-19 22:46:17 +01:00
Edward Z. Yang
bcfbb8338c
URI.Munge munges https to http URIs.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-04-10 13:09:24 +01:00
Edward Z. Yang
f51a6f7de9
Color keywords now case-insensitive.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-04-10 12:45:02 +01:00
Edward Z. Yang
f1439f0af5
Release 4.3.0
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-03-27 23:02:49 +01:00
Edward Z. Yang
0124605918
Fix CSS URL innerHTML/cssText escaping bug.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-03-27 21:24:32 +01:00
Edward Z. Yang
afb007d22f
Protect against font family innerHTML/cssText attacks.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-03-27 20:35:43 +01:00
Edward Z. Yang
0dd9e4faf4
Fix Internet Explorer innerHTML bug.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-03-27 11:50:52 +01:00
Edward Z. Yang
94ed3b1231
Implement CSS.AllowedFonts.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-03-24 22:54:39 +00:00