0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-23 00:41:52 +00:00
Commit Graph

975 Commits

Author SHA1 Message Date
Edward Z. Yang
0c31b22240 Merge pull request #118 from fxbt/master
Add hsl, hsla and rgba support for css color attribute definition
2017-03-06 23:01:06 -08:00
Edward Z. Yang
5662efc936 Fix #78.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 22:54:54 -08:00
Edward Z. Yang
353c96f156 Document skips in more detail, #116.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 20:31:28 -08:00
Edward Z. Yang
4047a6230b Extra cleanup on cleanUTF8.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-03-06 16:31:02 -08:00
Andrey Pozolotin
9195cb7a2e Added escape sequense 2017-03-06 16:28:53 -08:00
Andrey Pozolotin
39c4c359ad Fixing PREG_BACKTRACK_LIMIT_ERROR in HTMLPurifier_Filter_ExtractStyleBlocks 2017-03-06 16:28:53 -08:00
mpyw
f145f64bf4
Fix #122: correct surrogate pair range 2017-03-04 15:38:01 +09:00
f.godfrin
12185143ef Use a constructor and a property for the alpha check 2017-02-10 21:03:11 +01:00
f.godfrin
17a90a951a Better regex for mungeRgb 2017-02-10 00:40:56 +01:00
f.godfrin
0bab4b9fd0 Fix mungeRgb to handle percent, float and hsl values 2017-02-10 00:38:05 +01:00
f.godfrin
0d5ab2fe13 Include hsl and hsla support 2017-02-09 23:34:19 +01:00
f.godfrin
d41a59e422 Add rgba support for css color attribute definition 2017-02-09 22:18:15 +01:00
Bastian Hofmann
8e4cacf0a7 Refactor HTML.Noopener to HTML.TargetNoopener so that it behaves like HTML.TargetNoreferrer and is active by default if a target is set 2017-02-03 16:54:51 -08:00
Bastian Hofmann
c82051c3e1 Add HTML.Noopener to add a noopener rel to every external link
This has performance benefits https://jakearchibald.com/2016/performance-benefits-of-rel-noopener/ but most importantly also security benefits https://mathiasbynens.github.io/rel-noopener/

Adresses https://github.com/ezyang/htmlpurifier/issues/96
2017-02-03 16:54:51 -08:00
Edward Z. Yang
1b7d684d07 Remove $a = array($a) which is miscompiled by Zend OpCache.
Fixes #108.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2017-01-04 14:35:52 -05:00
Edward Z. Yang
5070404376 Handle semicolons in strings in CSS correctly.
Fixes http://htmlpurifier.org/phorum/read.php?3,7522,8096

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-29 00:01:19 -07:00
Edward Z. Yang
59463c5c39 Allow %URI.DefaultScheme to be null.
Fixes #103.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 17:30:44 -07:00
Edward Z. Yang
3ba9133b21 Don't assume that idn_to_ascii does validation.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-27 02:00:46 -07:00
yan_kos
4dc68aa920 FIX directory not closing
#100
2016-10-15 16:20:47 +03:00
Edward Z. Yang
08eee90e15 Delete asserts, fixes #97.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-10-02 00:14:41 -07:00
Edward Z. Yang
1ef4375dbb Proposed fix to Serializer code.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-09-05 15:24:08 -07:00
zema
246fc8946a css properties: min-width, max-width, min-height, max-height 2016-09-05 10:45:58 +03:00
Nick del Pozo
1f982d279f rollback change to permissions 2016-07-29 08:56:36 +09:00
Nick del Pozo
8be8cee9b3 changed chmod behaviour in Serializer 2016-07-27 12:56:03 +09:00
Edward Z. Yang
d0c392f77d Release 4.8.0
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-16 05:58:58 -07:00
Edward Z. Yang
d1c5d75027 Fix #73 with Attr.ID.HTML5
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-16 05:52:45 -07:00
Bart Butler
3747cb7efb avoid exif_imagetype exception with small files/corrupt data URI 2016-07-16 05:23:17 -07:00
Edward Z. Yang
0166c3728b Stop trying to chmod if SerializerPermissions is null, fixes #71
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-01 16:04:11 -04:00
Edward Z. Yang
ed180f595d Hack to fix #85
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-07-01 15:52:09 -04:00
Edward Z. Yang
44baee6a82 Partial border-radius support.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 22:22:13 -04:00
Cameron Ball
1675fc7caf Add %HTML.TargetNoreferrer, which adds rel="noreferrer" when target attribute is set
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-06-30 21:53:43 -04:00
Wes Cossick
cc35c8eb8c tel protocol support. 2016-06-30 21:19:49 -04:00
Edward Z. Yang
43a9f052fd Fix #57, make flashvars check (and others) case-insensitive.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 15:56:30 -07:00
Edward Z. Yang
b4981c3395 Fix #67, don't use <body> tags in comments for %Core.ConvertDocumentToFragment
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 15:19:32 -07:00
Edward Z. Yang
f14076dc3e Fix #49; prevent readdir infinite loop when cache directory not listable.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-27 14:53:31 -07:00
Edward Z. Yang
91fd55c857 Fix #45, errors when ul/ol allowed without li.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-26 22:41:54 -07:00
Mike Zukowsky
845edf16e2 Docblock update 2016-03-24 20:26:41 -07:00
Chimpzee
6e00b443cd Bug with tempnam("/tmp", "");
Some hostings have a different temporary path than "/tmp".
2016-03-24 20:19:57 -07:00
Edward Z. Yang
1f3e282fde Fix a bounds error which now errors in PHP 7.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-24 00:13:08 -07:00
Edward Z. Yang
753c830239 Update to work with Git version of SimpleTest.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-24 00:08:03 -07:00
Edward Z. Yang
45161b4fb1 Accept leading digits in hostnames as per RFC 1123.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-23 22:42:21 -07:00
Edward Z. Yang
92aabf2b23 Fix #76, linkify includes dots at end of URL.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-02 02:05:54 -08:00
Edward Z. Yang
aebe1c02a2 Use idn_to_ascii when available.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2016-03-02 01:35:07 -08:00
Edward Z. Yang
913ac6955b CSS.AllowDuplicates for duplicate properties.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-12-20 11:53:54 -08:00
Edward Z. Yang
958ba65595 Don't truncate alts.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-09-29 15:36:53 -07:00
Edward Z. Yang
ae1828d955 Release 4.7.0.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-08-04 18:03:42 -07:00
Sylvain
2c963dcc7f Missing @return
Adding PHPDoc @return statement for code completion in IDE
2015-08-03 10:21:47 +02:00
Edward Z. Yang
c67e4c2f7e All values, including empty, are valid HTML bools.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2015-02-11 16:36:44 -08:00
Edward Z. Yang
0c3e68dd03 Stop using umask to make definition cache. Fixes #32
This is not really the right way to solve the ACL problem,
but there isn't really any reason we should be mucking about
with the umask.

Mucked around with the test case to make it pass, but I think
it's probably a bit delicate now.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-12-08 18:30:54 -08:00
Edward Z. Yang
cd60294ada Fix rgb in border attribute with spaces, fixes #30.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 12:12:38 +01:00
Edward Z. Yang
39d3df1fd7 Add AutoFormat.RemoveEmpty.Predicate, fixes #35.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 12:12:17 +01:00
Edward Z. Yang
4da38aca80 Update YouTube embed code to new style, fixes #28
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 09:30:16 +01:00
Edward Z. Yang
bf84df4f7d Move opacity to tricky. Fixes #16.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 09:24:11 +01:00
Edward Z. Yang
15d1a3003a Don't truncate in DOMLex when seeing closing div
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-08-31 08:50:33 +01:00
Edward Z. Yang
80ebd4322e Typo in docs, thanks Soleil Golden for reporting.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2014-02-04 12:17:24 -08:00
Edward Z. Yang
18b8a0e44a Make Composer work with PHP 5.2 and earlier. Reported by @voku
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2013-12-08 15:51:56 -08:00
Edward Z. Yang
6f389f0f25 Release 4.6.0.
Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2013-11-30 00:25:19 -08:00
Edward Z. Yang
8cd08620dc Conditionalize hash_hmac tests for 5.0
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-11-29 22:27:01 -08:00
Edward Z. Yang
54477c172b Fix infinite loop in Lexer.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-27 21:41:08 -07:00
Edward Z. Yang
e52d1fe310 Fix < PHP 5.4 compatibility break. Thanks GromNaN for submitting the patch.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-22 14:17:41 -07:00
Edward Z. Yang
0767bbc12d Rewrite FixNesting implementation to be tree-based.
This mega-patch rips out the FixNesting implementation and the related
ChildDef components.  The primary algorithmic change is to convert from
use of tokens to tree nodes, which are far more amenable to the style
of processing that FixNesting uses.  Additionally, FixNesting has been
changed to go bottom-up rather than top-down, in order to avoid needing
to implement backtracking.

This patch simplifies a good deal of the relevant logic, since we no
longer need to continually recalculate the nesting structure when
processing things.  However, the conversion to the alternate format
incurs some overhead, so for small inputs these changes are not a win.
One possibility to greatly reduce the constant factors here is to switch
to entirely using libxml's representation, and never serializing tokens;
this would require one to rewrite injectors, however.

The iterative post-order traversal in FixNesting is a bit subtle, but
we have essentially reified the stack and continuations.

We've removed support for %Core.EscapeInvalidChildren.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-20 22:37:01 -07:00
Edward Z. Yang
b3640e1af6 Add conversion functions for our own tree format.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-20 15:05:11 -07:00
Edward Z. Yang
be5769804a Make the Token class abstract.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-17 16:13:04 -07:00
Edward Z. Yang
d6fbd7df22 Remove some unnecessary pass-by-reference.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-16 18:55:23 -07:00
Edward Z. Yang
804a06f01e Remove PHP 4 compatibility hack.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-16 18:36:44 -07:00
Edward Z. Yang
8f401f769e Use a Zipper to process MakeWellFormed, removing quadratic behavior.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 13:21:02 -07:00
Edward Z. Yang
82bcc62058 Properly handle context variables that are NULL.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 13:21:02 -07:00
Edward Z. Yang
f17490f009 Implementation of a Zipper, for efficient splice.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-10-13 01:16:32 -07:00
Edward Z. Yang
412bae13b5 Fix quadratic behavior in DOMLex due to array_shift.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-09-17 00:48:42 -07:00
Edward Z. Yang
cf44f399f8 Properly use HMAC for secure munging.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-09-13 21:16:50 -07:00
Marcus Bointon
fac747bdbd PSR-2 reformatting PHPDoc corrections
With minor corrections.

Signed-off-by: Marcus Bointon <marcus@synchromedia.co.uk>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-08-17 22:27:26 -04:00
Edward Z. Yang
19eee14899 Tighten up invariants.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:54:53 -07:00
Edward Z. Yang
25d49f4ec0 Explicitly specify decorator name.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:37:33 -07:00
Edward Z. Yang
53c2907706 New directive %Core.AllowHostnameUnderscore
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-26 21:33:39 -07:00
Edward Z. Yang
af7107e830 Add note fall through is intentional.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-07-18 10:22:45 -07:00
Marcus Bointon
107b3055a1 Fix var name conflict in loadArray 2013-07-16 21:56:29 -07:00
Synchro
29a3c70370 A bunch of PHPdoc and php codesniffer corrections - no functional code changes 2013-07-16 21:53:17 -07:00
Edward Z. Yang
0680832d41 Use info_parent_def to get parent information, since it may not be present in info array.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-05-21 17:19:59 -07:00
Edward Z. Yang
19360ddb36 Ignore commas and nbsps for linkification. Thanks nAS for contributing.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-05-21 16:43:59 -07:00
Edward Z. Yang
3c903b7463 Doc fix.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-05-18 08:48:47 -07:00
Edward Z. Yang
6e37ecd1c8 Make URI parsing algorithm more strict.
Thanks Michael Gusev <mgusev@sugarcrm.com> for contributing this patch.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-04-16 13:56:43 -07:00
Edward Z. Yang
d516e2f8de Release 4.5.0
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-02-17 16:04:08 -08:00
Edward Z. Yang
631021733b Add %Core.DisableExcludes directive
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2013-02-17 15:47:38 -08:00
Michael Tibben
344e0640b6 Add required constant for composer autoloading
Signed-off-by: Michael Tibben <michael.tibben@99designs.com>
2012-12-21 16:16:16 +08:00
Edward Z. Yang
62d2550e16 Use SHA-1 instead of MD5.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-27 02:33:22 -07:00
Edward Z. Yang
087145a71b Blacklist more tags from RemoveEmpty.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-27 02:32:48 -07:00
Edward Z. Yang
a44187a5c1 Cleanup after data validation.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-27 02:30:58 -07:00
Edward Z. Yang
c0ad68108a Do checks against iconvAvailable because PHP 5.4 has botched iconv support.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-27 02:27:57 -07:00
Edward Z. Yang
83a574491e Comment for bug that needs to get fixed.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-11 11:40:02 -07:00
Edward Z. Yang
3b537365a4 CSS properties page-break-*
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-10-11 11:39:52 -07:00
Edward Z. Yang
72db575446 Fix bug with non-lower case color names in HTML.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-07-30 10:54:32 -04:00
Edward Z. Yang
d8bb73ce46 Permit underscores in font-families.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-07-27 18:28:29 -04:00
Edward Z. Yang
f90372f8ab More support for white-space.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-06-16 17:10:36 -04:00
Edward Z. Yang
f38fca32a9 Don't lower-case components of background.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-06-02 11:22:58 -04:00
Edward Z. Yang
5a23004652 Support for inline-block.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-25 23:55:48 -04:00
Edward Z. Yang
6705140082 Fix in AttrTransform_Nofollow
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-14 23:07:27 -04:00
Edward Z. Yang
cb7162a995 Use prepend for autoloading on PHP 5.3+
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-05-02 11:07:24 -04:00
Edward Z. Yang
2189a9430f Support for safe external scripts via explicit whitelist.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-04-27 17:44:49 -04:00
Edward Z. Yang
7291f19347 Fix problem where stacked AttrTransforms clobber each other.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-03-16 23:12:16 -04:00
Edward Z. Yang
31dce298ea Actually make URI.DisableResources do something.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2012-03-02 13:25:00 -05:00