Edward Z. Yang
0c31b22240
Merge pull request #118 from fxbt/master
...
Add hsl, hsla and rgba support for css color attribute definition
2017-03-06 23:01:06 -08:00
Edward Z. Yang
5662efc936
Fix #78 .
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 22:54:54 -08:00
Edward Z. Yang
353c96f156
Document skips in more detail, #116 .
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 20:31:28 -08:00
Edward Z. Yang
4047a6230b
Extra cleanup on cleanUTF8.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 16:31:02 -08:00
Andrey Pozolotin
9195cb7a2e
Added escape sequense
2017-03-06 16:28:53 -08:00
Andrey Pozolotin
39c4c359ad
Fixing PREG_BACKTRACK_LIMIT_ERROR in HTMLPurifier_Filter_ExtractStyleBlocks
2017-03-06 16:28:53 -08:00
mpyw
f145f64bf4
Fix #122 : correct surrogate pair range
2017-03-04 15:38:01 +09:00
f.godfrin
12185143ef
Use a constructor and a property for the alpha check
2017-02-10 21:03:11 +01:00
f.godfrin
17a90a951a
Better regex for mungeRgb
2017-02-10 00:40:56 +01:00
f.godfrin
0bab4b9fd0
Fix mungeRgb to handle percent, float and hsl values
2017-02-10 00:38:05 +01:00
f.godfrin
0d5ab2fe13
Include hsl and hsla support
2017-02-09 23:34:19 +01:00
f.godfrin
d41a59e422
Add rgba support for css color attribute definition
2017-02-09 22:18:15 +01:00
Bastian Hofmann
8e4cacf0a7
Refactor HTML.Noopener to HTML.TargetNoopener so that it behaves like HTML.TargetNoreferrer and is active by default if a target is set
2017-02-03 16:54:51 -08:00
Bastian Hofmann
c82051c3e1
Add HTML.Noopener to add a noopener rel to every external link
...
This has performance benefits https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/ but most importantly also security benefits https://mathiasbynens.github.io/rel-noopener/
Adresses https://github.com/ezyang/htmlpurifier/issues/96
2017-02-03 16:54:51 -08:00
Edward Z. Yang
1b7d684d07
Remove $a = array($a) which is miscompiled by Zend OpCache.
...
Fixes #108 .
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-01-04 14:35:52 -05:00
Edward Z. Yang
5070404376
Handle semicolons in strings in CSS correctly.
...
Fixes http://htmlpurifier.org/phorum/read.php?3,7522,8096
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-29 00:01:19 -07:00
Edward Z. Yang
59463c5c39
Allow %URI.DefaultScheme to be null.
...
Fixes #103 .
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 17:30:44 -07:00
Edward Z. Yang
3ba9133b21
Don't assume that idn_to_ascii does validation.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 02:00:46 -07:00
yan_kos
4dc68aa920
FIX directory not closing
...
#100
2016-10-15 16:20:47 +03:00
Edward Z. Yang
08eee90e15
Delete asserts, fixes #97 .
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-02 00:14:41 -07:00
Edward Z. Yang
1ef4375dbb
Proposed fix to Serializer code.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-09-05 15:24:08 -07:00
zema
246fc8946a
css properties: min-width, max-width, min-height, max-height
2016-09-05 10:45:58 +03:00
Nick del Pozo
1f982d279f
rollback change to permissions
2016-07-29 08:56:36 +09:00
Nick del Pozo
8be8cee9b3
changed chmod behaviour in Serializer
2016-07-27 12:56:03 +09:00
Edward Z. Yang
d0c392f77d
Release 4.8.0
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-16 05:58:58 -07:00
Edward Z. Yang
d1c5d75027
Fix #73 with Attr.ID.HTML5
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-16 05:52:45 -07:00
Bart Butler
3747cb7efb
avoid exif_imagetype exception with small files/corrupt data URI
2016-07-16 05:23:17 -07:00
Edward Z. Yang
0166c3728b
Stop trying to chmod if SerializerPermissions is null, fixes #71
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-01 16:04:11 -04:00
Edward Z. Yang
ed180f595d
Hack to fix #85
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-01 15:52:09 -04:00
Edward Z. Yang
44baee6a82
Partial border-radius support.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 22:22:13 -04:00
Cameron Ball
1675fc7caf
Add %HTML.TargetNoreferrer, which adds rel="noreferrer" when target attribute is set
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 21:53:43 -04:00
Wes Cossick
cc35c8eb8c
tel protocol support.
2016-06-30 21:19:49 -04:00
Edward Z. Yang
43a9f052fd
Fix #57 , make flashvars check (and others) case-insensitive.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 15:56:30 -07:00
Edward Z. Yang
b4981c3395
Fix #67 , don't use <body> tags in comments for %Core.ConvertDocumentToFragment
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 15:19:32 -07:00
Edward Z. Yang
f14076dc3e
Fix #49 ; prevent readdir infinite loop when cache directory not listable.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 14:53:31 -07:00
Edward Z. Yang
91fd55c857
Fix #45 , errors when ul/ol allowed without li.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-26 22:41:54 -07:00
Mike Zukowsky
845edf16e2
Docblock update
2016-03-24 20:26:41 -07:00
Chimpzee
6e00b443cd
Bug with tempnam("/tmp", "");
...
Some hostings have a different temporary path than "/tmp".
2016-03-24 20:19:57 -07:00
Edward Z. Yang
1f3e282fde
Fix a bounds error which now errors in PHP 7.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-24 00:13:08 -07:00
Edward Z. Yang
753c830239
Update to work with Git version of SimpleTest.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-24 00:08:03 -07:00
Edward Z. Yang
45161b4fb1
Accept leading digits in hostnames as per RFC 1123.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-23 22:42:21 -07:00
Edward Z. Yang
92aabf2b23
Fix #76 , linkify includes dots at end of URL.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-02 02:05:54 -08:00
Edward Z. Yang
aebe1c02a2
Use idn_to_ascii when available.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-02 01:35:07 -08:00
Edward Z. Yang
913ac6955b
CSS.AllowDuplicates for duplicate properties.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-12-20 11:53:54 -08:00
Edward Z. Yang
958ba65595
Don't truncate alts.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-09-29 15:36:53 -07:00
Edward Z. Yang
ae1828d955
Release 4.7.0.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-08-04 18:03:42 -07:00
Sylvain
2c963dcc7f
Missing @return
...
Adding PHPDoc @return statement for code completion in IDE
2015-08-03 10:21:47 +02:00
Edward Z. Yang
c67e4c2f7e
All values, including empty, are valid HTML bools.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-02-11 16:36:44 -08:00
Edward Z. Yang
0c3e68dd03
Stop using umask to make definition cache. Fixes #32
...
This is not really the right way to solve the ACL problem,
but there isn't really any reason we should be mucking about
with the umask.
Mucked around with the test case to make it pass, but I think
it's probably a bit delicate now.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-12-08 18:30:54 -08:00
Edward Z. Yang
cd60294ada
Fix rgb in border attribute with spaces, fixes #30 .
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 12:12:38 +01:00
Edward Z. Yang
39d3df1fd7
Add AutoFormat.RemoveEmpty.Predicate, fixes #35 .
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 12:12:17 +01:00
Edward Z. Yang
4da38aca80
Update YouTube embed code to new style, fixes #28
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 09:30:16 +01:00
Edward Z. Yang
bf84df4f7d
Move opacity to tricky. Fixes #16 .
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 09:24:11 +01:00
Edward Z. Yang
15d1a3003a
Don't truncate in DOMLex when seeing closing div
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 08:50:33 +01:00
Edward Z. Yang
80ebd4322e
Typo in docs, thanks Soleil Golden for reporting.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-02-04 12:17:24 -08:00
Edward Z. Yang
18b8a0e44a
Make Composer work with PHP 5.2 and earlier. Reported by @voku
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2013-12-08 15:51:56 -08:00
Edward Z. Yang
6f389f0f25
Release 4.6.0.
...
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2013-11-30 00:25:19 -08:00
Edward Z. Yang
8cd08620dc
Conditionalize hash_hmac tests for 5.0
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-11-29 22:27:01 -08:00
Edward Z. Yang
54477c172b
Fix infinite loop in Lexer.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-27 21:41:08 -07:00
Edward Z. Yang
e52d1fe310
Fix < PHP 5.4 compatibility break. Thanks GromNaN for submitting the patch.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-22 14:17:41 -07:00
Edward Z. Yang
0767bbc12d
Rewrite FixNesting implementation to be tree-based.
...
This mega-patch rips out the FixNesting implementation and the related
ChildDef components. The primary algorithmic change is to convert from
use of tokens to tree nodes, which are far more amenable to the style
of processing that FixNesting uses. Additionally, FixNesting has been
changed to go bottom-up rather than top-down, in order to avoid needing
to implement backtracking.
This patch simplifies a good deal of the relevant logic, since we no
longer need to continually recalculate the nesting structure when
processing things. However, the conversion to the alternate format
incurs some overhead, so for small inputs these changes are not a win.
One possibility to greatly reduce the constant factors here is to switch
to entirely using libxml's representation, and never serializing tokens;
this would require one to rewrite injectors, however.
The iterative post-order traversal in FixNesting is a bit subtle, but
we have essentially reified the stack and continuations.
We've removed support for %Core.EscapeInvalidChildren.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-20 22:37:01 -07:00
Edward Z. Yang
b3640e1af6
Add conversion functions for our own tree format.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-20 15:05:11 -07:00
Edward Z. Yang
be5769804a
Make the Token class abstract.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-17 16:13:04 -07:00
Edward Z. Yang
d6fbd7df22
Remove some unnecessary pass-by-reference.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-16 18:55:23 -07:00
Edward Z. Yang
804a06f01e
Remove PHP 4 compatibility hack.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-16 18:36:44 -07:00
Edward Z. Yang
8f401f769e
Use a Zipper to process MakeWellFormed, removing quadratic behavior.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 13:21:02 -07:00
Edward Z. Yang
82bcc62058
Properly handle context variables that are NULL.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 13:21:02 -07:00
Edward Z. Yang
f17490f009
Implementation of a Zipper, for efficient splice.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 01:16:32 -07:00
Edward Z. Yang
412bae13b5
Fix quadratic behavior in DOMLex due to array_shift.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-09-17 00:48:42 -07:00
Edward Z. Yang
cf44f399f8
Properly use HMAC for secure munging.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-09-13 21:16:50 -07:00
Marcus Bointon
fac747bdbd
PSR-2 reformatting PHPDoc corrections
...
With minor corrections.
Signed-off-by: Marcus Bointon <marcus@synchromedia.co.uk>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-08-17 22:27:26 -04:00
Edward Z. Yang
19eee14899
Tighten up invariants.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:54:53 -07:00
Edward Z. Yang
25d49f4ec0
Explicitly specify decorator name.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:37:33 -07:00
Edward Z. Yang
53c2907706
New directive %Core.AllowHostnameUnderscore
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:33:39 -07:00
Edward Z. Yang
af7107e830
Add note fall through is intentional.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-18 10:22:45 -07:00
Marcus Bointon
107b3055a1
Fix var name conflict in loadArray
2013-07-16 21:56:29 -07:00
Synchro
29a3c70370
A bunch of PHPdoc and php codesniffer corrections - no functional code changes
2013-07-16 21:53:17 -07:00
Edward Z. Yang
0680832d41
Use info_parent_def to get parent information, since it may not be present in info array.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-05-21 17:19:59 -07:00
Edward Z. Yang
19360ddb36
Ignore commas and nbsps for linkification. Thanks nAS for contributing.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-05-21 16:43:59 -07:00
Edward Z. Yang
3c903b7463
Doc fix.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-05-18 08:48:47 -07:00
Edward Z. Yang
6e37ecd1c8
Make URI parsing algorithm more strict.
...
Thanks Michael Gusev <mgusev@sugarcrm.com> for contributing this patch.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-04-16 13:56:43 -07:00
Edward Z. Yang
d516e2f8de
Release 4.5.0
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-02-17 16:04:08 -08:00
Edward Z. Yang
631021733b
Add %Core.DisableExcludes directive
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-02-17 15:47:38 -08:00
Michael Tibben
344e0640b6
Add required constant for composer autoloading
...
Signed-off-by: Michael Tibben <michael.tibben@99designs.com>
2012-12-21 16:16:16 +08:00
Edward Z. Yang
62d2550e16
Use SHA-1 instead of MD5.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-27 02:33:22 -07:00
Edward Z. Yang
087145a71b
Blacklist more tags from RemoveEmpty.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-27 02:32:48 -07:00
Edward Z. Yang
a44187a5c1
Cleanup after data validation.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-27 02:30:58 -07:00
Edward Z. Yang
c0ad68108a
Do checks against iconvAvailable because PHP 5.4 has botched iconv support.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-27 02:27:57 -07:00
Edward Z. Yang
83a574491e
Comment for bug that needs to get fixed.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-11 11:40:02 -07:00
Edward Z. Yang
3b537365a4
CSS properties page-break-*
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-11 11:39:52 -07:00
Edward Z. Yang
72db575446
Fix bug with non-lower case color names in HTML.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-07-30 10:54:32 -04:00
Edward Z. Yang
d8bb73ce46
Permit underscores in font-families.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-07-27 18:28:29 -04:00
Edward Z. Yang
f90372f8ab
More support for white-space.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-06-16 17:10:36 -04:00
Edward Z. Yang
f38fca32a9
Don't lower-case components of background.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-06-02 11:22:58 -04:00
Edward Z. Yang
5a23004652
Support for inline-block.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-25 23:55:48 -04:00
Edward Z. Yang
6705140082
Fix in AttrTransform_Nofollow
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-14 23:07:27 -04:00
Edward Z. Yang
cb7162a995
Use prepend for autoloading on PHP 5.3+
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-02 11:07:24 -04:00
Edward Z. Yang
2189a9430f
Support for safe external scripts via explicit whitelist.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-04-27 17:44:49 -04:00
Edward Z. Yang
7291f19347
Fix problem where stacked AttrTransforms clobber each other.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-03-16 23:12:16 -04:00
Edward Z. Yang
31dce298ea
Actually make URI.DisableResources do something.
...
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-03-02 13:25:00 -05:00