mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-11-10 07:38:41 +00:00
d3abcb90e3
The new logic is as follows:
* Given a URL to insert into url(), check that it is properly URL
encoded (in particular, a doublequote and backslash never occurs
within it) and then place it as url("http://example.com").
* Given a font name, if it is strictly alphanumeric, it is safe to omit
quotes. Otherwise, wrap in double quotes and replace '"' with '\22 '
(note trailing space) and '\' with '\5C ' (ditto).
We introduce expandCSSEscape() which is a hack for common parsing
idioms in CSS; this means that CSS escapes are now recognized inside
URLs as well as unquoted font names.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
36 lines
1.0 KiB
PHP
36 lines
1.0 KiB
PHP
<?php
|
|
|
|
class HTMLPurifier_AttrDef_CSS_ListStyleTest extends HTMLPurifier_AttrDefHarness
|
|
{
|
|
|
|
function test() {
|
|
|
|
$config = HTMLPurifier_Config::createDefault();
|
|
$this->def = new HTMLPurifier_AttrDef_CSS_ListStyle($config);
|
|
|
|
$this->assertDef('lower-alpha');
|
|
$this->assertDef('upper-roman inside');
|
|
$this->assertDef('circle outside');
|
|
$this->assertDef('inside');
|
|
$this->assertDef('none');
|
|
$this->assertDef('url("foo.gif")');
|
|
$this->assertDef('circle url("foo.gif") inside');
|
|
|
|
// invalid values
|
|
$this->assertDef('outside inside', 'outside');
|
|
|
|
// ordering
|
|
$this->assertDef('url(foo.gif) none', 'none url("foo.gif")');
|
|
$this->assertDef('circle lower-alpha', 'circle');
|
|
// the spec is ambiguous about what happens in these
|
|
// cases, so we're going off the W3C CSS validator
|
|
$this->assertDef('disc none', 'disc');
|
|
$this->assertDef('none disc', 'none');
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|