mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-23 08:51:53 +00:00
5070404376
Fixes http://htmlpurifier.org/phorum/read.php?3,7522,8096 Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
137 lines
4.2 KiB
PHP
137 lines
4.2 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Validates the HTML attribute style, otherwise known as CSS.
|
|
* @note We don't implement the whole CSS specification, so it might be
|
|
* difficult to reuse this component in the context of validating
|
|
* actual stylesheet declarations.
|
|
* @note If we were really serious about validating the CSS, we would
|
|
* tokenize the styles and then parse the tokens. Obviously, we
|
|
* are not doing that. Doing that could seriously harm performance,
|
|
* but would make these components a lot more viable for a CSS
|
|
* filtering solution.
|
|
*/
|
|
class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
|
|
{
|
|
|
|
/**
|
|
* @param string $css
|
|
* @param HTMLPurifier_Config $config
|
|
* @param HTMLPurifier_Context $context
|
|
* @return bool|string
|
|
*/
|
|
public function validate($css, $config, $context)
|
|
{
|
|
$css = $this->parseCDATA($css);
|
|
|
|
$definition = $config->getCSSDefinition();
|
|
$allow_duplicates = $config->get("CSS.AllowDuplicates");
|
|
|
|
|
|
// According to the CSS2.1 spec, the places where a
|
|
// non-delimiting semicolon can appear are in strings
|
|
// escape sequences. So here is some dumb hack to
|
|
// handle quotes.
|
|
$len = strlen($css);
|
|
$accum = "";
|
|
$declarations = array();
|
|
$quoted = false;
|
|
for ($i = 0; $i < $len; $i++) {
|
|
$c = strcspn($css, ";'\"", $i);
|
|
$accum .= substr($css, $i, $c);
|
|
$i += $c;
|
|
if ($i == $len) break;
|
|
$d = $css[$i];
|
|
if ($quoted) {
|
|
$accum .= $d;
|
|
if ($d == $quoted) {
|
|
$quoted = false;
|
|
}
|
|
} else {
|
|
if ($d == ";") {
|
|
$declarations[] = $accum;
|
|
$accum = "";
|
|
} else {
|
|
$accum .= $d;
|
|
$quoted = $d;
|
|
}
|
|
}
|
|
}
|
|
if ($accum != "") $declarations[] = $accum;
|
|
|
|
$propvalues = array();
|
|
$new_declarations = '';
|
|
|
|
/**
|
|
* Name of the current CSS property being validated.
|
|
*/
|
|
$property = false;
|
|
$context->register('CurrentCSSProperty', $property);
|
|
|
|
foreach ($declarations as $declaration) {
|
|
if (!$declaration) {
|
|
continue;
|
|
}
|
|
if (!strpos($declaration, ':')) {
|
|
continue;
|
|
}
|
|
list($property, $value) = explode(':', $declaration, 2);
|
|
$property = trim($property);
|
|
$value = trim($value);
|
|
$ok = false;
|
|
do {
|
|
if (isset($definition->info[$property])) {
|
|
$ok = true;
|
|
break;
|
|
}
|
|
if (ctype_lower($property)) {
|
|
break;
|
|
}
|
|
$property = strtolower($property);
|
|
if (isset($definition->info[$property])) {
|
|
$ok = true;
|
|
break;
|
|
}
|
|
} while (0);
|
|
if (!$ok) {
|
|
continue;
|
|
}
|
|
// inefficient call, since the validator will do this again
|
|
if (strtolower(trim($value)) !== 'inherit') {
|
|
// inherit works for everything (but only on the base property)
|
|
$result = $definition->info[$property]->validate(
|
|
$value,
|
|
$config,
|
|
$context
|
|
);
|
|
} else {
|
|
$result = 'inherit';
|
|
}
|
|
if ($result === false) {
|
|
continue;
|
|
}
|
|
if ($allow_duplicates) {
|
|
$new_declarations .= "$property:$result;";
|
|
} else {
|
|
$propvalues[$property] = $result;
|
|
}
|
|
}
|
|
|
|
$context->destroy('CurrentCSSProperty');
|
|
|
|
// procedure does not write the new CSS simultaneously, so it's
|
|
// slightly inefficient, but it's the only way of getting rid of
|
|
// duplicates. Perhaps config to optimize it, but not now.
|
|
|
|
foreach ($propvalues as $prop => $value) {
|
|
$new_declarations .= "$prop:$value;";
|
|
}
|
|
|
|
return $new_declarations ? $new_declarations : false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|