mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-22 16:31:53 +00:00
d9e60350d3
AttrValidator's changes are fairly self-explanatory, but ErrorCollector's changes are worth a little discussion. ErrorCollector can use generators at various points during its flow control; there are two distinct generators that it should use: 1. The one used for the output, and 2. The one used for the error output. These will usually be the same, but in the odd case where they need to be different, getHTMLFormatted() will accept an alternate configuration object with an appropriate doctype. Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
<?php
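/**
 * Validates the attributes of a token. Doesn't manage required attributes
 * very well. The only reason we factored this out was because
 * RemoveForeignElements also needed it besides ValidateAttributes.
 *
 * Filtering is default-deny: an attribute survives only if the element's
 * own definition or the global attribute definition accepts its value.
 * Anything the definition has never heard of is removed.
 */
class HTMLPurifier_AttrValidator
{

    /**
     * Validates the attributes of a start or empty token in place: runs the
     * pre-transforms, validates every attribute against the HTML definition,
     * runs the post-transforms and finally writes the resulting attribute
     * array back to $token->attr.
     *
     * @param $token Reference to token to validate. We require a reference
     *        because the operations this class performs on the token are
     *        not atomic, so the context's CurrentToken has to stay current
     *        throughout.
     * @param $config Instance of HTMLPurifier_Config
     * @param $context Instance of HTMLPurifier_Context
     * @return The untouched token when it is neither a start nor an empty
     *         token; nothing (null) once a token has been validated. The
     *         validated attributes are delivered through $token itself.
     */
    public function validateToken(&$token, &$config, $context) {

        $definition = $config->getHTMLDefinition();
        $e =& $context->get('ErrorCollector', true);

        // initialize IDAccumulator if necessary; it is deliberately left
        // registered for later calls
        $ok =& $context->get('IDAccumulator', true);
        if (!$ok) {
            $id_accumulator = HTMLPurifier_IDAccumulator::build($config, $context);
            $context->register('IDAccumulator', $id_accumulator);
        }

        // Only start and empty tokens carry attributes. Bail out BEFORE
        // touching CurrentToken: registering it first and then returning
        // here left a stale CurrentToken in the context, because the
        // matching destroy() at the end of this method was never reached.
        if (
            !$token instanceof HTMLPurifier_Token_Start &&
            !$token instanceof HTMLPurifier_Token_Empty
        ) {
            return $token;
        }

        // initialize CurrentToken if necessary
        $current_token =& $context->get('CurrentToken', true);
        if (!$current_token) $context->register('CurrentToken', $token);

        // create alias to global definition array, see also $defs
        // DEFINITION CALL
        $d_defs = $definition->info_global_attr;

        // NOTE(review): $definition->info[$token->name] is dereferenced below
        // without an existence check; this presumably relies on the caller
        // having already dropped elements the definition does not know.
        // Confirm against the callers.

        // don't update token until the very end, to ensure an atomic update
        $attr = $token->attr;

        // do global transformations (pre)
        // nothing currently utilizes this
        $attr = $this->applyTransforms($definition->info_attr_transform_pre, $attr, $config, $context, $e);

        // do local transformations only applicable to this element (pre)
        // ex. <p align="right"> to <p style="text-align:right;">
        $attr = $this->applyTransforms($definition->info[$token->name]->attr_transform_pre, $attr, $config, $context, $e);

        // create alias to this element's attribute definition array, see
        // also $d_defs (global attribute definition array)
        // DEFINITION CALL
        $defs = $definition->info[$token->name]->attr;

        // $attr_key is handed to the context and then reused as the loop
        // variable below, so keep this exact variable for the iteration.
        $attr_key = false;
        $context->register('CurrentAttr', $attr_key);

        // iterate through all the attribute keypairs
        // Watch out for name collisions: $key has previously been used
        foreach ($attr as $attr_key => $value) {

            if ($e) $e->start();

            // call the definition
            if (isset($defs[$attr_key])) {
                // there is a local definition defined
                if ($defs[$attr_key] === false) {
                    // We've explicitly been told not to allow this
                    // attribute. This is usually when there's a global
                    // definition that must be overridden.
                    // Theoretically speaking, we could have a
                    // AttrDef_DenyAll, but this is faster!
                    $result = false;
                } else {
                    // validate according to the element's definition
                    $result = $defs[$attr_key]->validate($value, $config, $context);
                }
            } elseif (isset($d_defs[$attr_key])) {
                // there is a global definition defined, validate according
                // to the global definition
                $result = $d_defs[$attr_key]->validate($value, $config, $context);
            } else {
                // system never heard of the attribute? DELETE!
                $result = false;
            }

            // put the results into effect
            if ($result === false || $result === null) {
                // this is a generic error message that should be replaced
                // with more specific ones when possible
                if ($e) $e->end(E_ERROR, 'AttrValidator: Attribute removed');

                // remove the attribute
                unset($attr[$attr_key]);
            } elseif (is_string($result)) {
                // generally, if a substitution is happening, there
                // was some sort of implicit correction going on. We'll
                // delegate it to the attribute classes to say exactly what.

                // simple substitution
                $attr[$attr_key] = $result;
                if ($e) $e->end();
            } else {
                // any other result leaves the original value in place
                if ($e) $e->end();
            }

            // we'd also want slightly more complicated substitution
            // involving an array as the return value,
            // although we're not sure how colliding attributes would
            // resolve (certain ones would be completely overridden,
            // others would prepend themselves).
        }

        $context->destroy('CurrentAttr');

        // post transforms

        // global (error reporting untested)
        $attr = $this->applyTransforms($definition->info_attr_transform_post, $attr, $config, $context, $e);

        // local (error reporting untested)
        $attr = $this->applyTransforms($definition->info[$token->name]->attr_transform_post, $attr, $config, $context, $e);

        $token->attr = $attr;

        // destroy CurrentToken if we made it ourselves
        if (!$current_token) $context->destroy('CurrentToken');

    }

    /**
     * Runs a list of attribute transforms over an attribute array, feeding
     * each transform the output of the previous one.
     *
     * @param $transforms Transform objects, applied in iteration order
     * @param $attr Attribute array to transform
     * @param $config Configuration handed to every transform
     * @param $context Context handed to every transform
     * @param $e Error collector, or a falsy value when none is registered
     * @return The attribute array after the last transform
     */
    private function applyTransforms($transforms, $attr, $config, $context, $e) {
        foreach ($transforms as $transform) {
            if ($e) $e->start();
            $attr = $transform->transform($o = $attr, $config, $context);
            if ($e) {
                // Loose array comparison: a pure reordering, or values that
                // differ only under type juggling, are not reported.
                if ($attr != $o) $e->end(E_NOTICE, 'AttrValidator: Attributes transformed', $o, $attr);
                else $e->end();
            }
        }
        return $attr;
    }

}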