mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-23 00:41:52 +00:00
d3abcb90e3
The new logic is as follows: * Given a URL to insert into url(), check that it is properly URL encoded (in particular, a doublequote and backslash never occurs within it) and then place it as url("http://example.com"). * Given a font name, if it is strictly alphanumeric, it is safe to omit quotes. Otherwise, wrap in double quotes and replace '"' with '\22 ' (note trailing space) and '\' with '\5C ' (ditto). We introduce expandCSSEscape() which is a hack for common parsing idioms in CSS; this means that CSS escapes are now recognized inside URLs as well as unquoted font names. Signed-off-by: Edward Z. Yang <ezyang@mit.edu> |
||
---|---|---|
.. | ||
allowed-preserve.htmlt | ||
allowed-remove.htmlt | ||
basic.htmlt | ||
blacklist-preserve.htmlt | ||
blacklist-remove.htmlt | ||
css-allowed-preserve.htmlt | ||
css-allowed-remove.htmlt | ||
disable-uri.htmlt | ||
empty.htmlt | ||
id-default.htmlt | ||
id-enabled.htmlt | ||
id-name-mix.htmlt | ||
inline-list-loop.htmlt | ||
inline-wraps-block.htmlt | ||
munge-extra.htmlt | ||
name.htmlt | ||
safe-object-embed-munge.htmlt | ||
safe-object-embed.htmlt | ||
script-bare.htmlt | ||
script-cdata.htmlt | ||
script-comment.htmlt | ||
script-dbl-comment.htmlt | ||
script-ideal.htmlt | ||
secure-munge.htmlt | ||
shift-jis-preserve-yen.htmlt | ||
shift-jis-remove-yen.htmlt | ||
strict-blockquote-with-inline.htmlt | ||
strict-blockquote.htmlt | ||
strict-underline.htmlt | ||
tidy-background.htmlt | ||
trusted-comments-required.htmlt | ||
trusted-comments-table.htmlt | ||
trusted-comments.htmlt | ||
whitespace-preserve.htmlt |