Merge branch 'w10_MDL-31785_m22_htmlpurifier' of git://github.com/skodak/moodle into MOODLE_22_STABLE
2 parents 27da392 + 9e8fe84 commit fc7776f50ac23c8d0540d07470d0a39df350d73f @stronk7 stronk7 committed Mar 6, 2012
Showing with 1,176 additions and 373 deletions.
  1. +3 −3 lib/htmlpurifier/HTMLPurifier.php
  2. +7 −0 lib/htmlpurifier/HTMLPurifier.safe-includes.php
  3. +24 −0 lib/htmlpurifier/HTMLPurifier/AttrDef/CSS/Ident.php
  4. +28 −0 lib/htmlpurifier/HTMLPurifier/AttrDef/Clone.php
  5. +1 −1 lib/htmlpurifier/HTMLPurifier/AttrDef/HTML/Color.php
  6. +16 −6 lib/htmlpurifier/HTMLPurifier/AttrDef/HTML/ID.php
  7. +1 −1 lib/htmlpurifier/HTMLPurifier/AttrDef/URI.php
  8. +39 −6 lib/htmlpurifier/HTMLPurifier/AttrDef/URI/Host.php
  9. +6 −2 lib/htmlpurifier/HTMLPurifier/AttrTransform/Nofollow.php
  10. +38 −0 lib/htmlpurifier/HTMLPurifier/AttrTransform/TargetBlank.php
  11. +14 −0 lib/htmlpurifier/HTMLPurifier/AttrTypes.php
  12. +120 −0 lib/htmlpurifier/HTMLPurifier/ChildDef/List.php
  13. +90 −5 lib/htmlpurifier/HTMLPurifier/ChildDef/Table.php
  14. +3 −3 lib/htmlpurifier/HTMLPurifier/Config.php
  15. BIN lib/htmlpurifier/HTMLPurifier/ConfigSchema/schema.ser
  16. +2 −1 lib/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt
  17. +9 −0 lib/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Core.EnableIDNA.txt
  18. +10 −0 lib/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt
  19. +15 −0 lib/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt
  20. +13 −0 lib/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
  21. +8 −0 lib/htmlpurifier/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt
  22. +22 −0 lib/htmlpurifier/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt
  23. +136 −22 lib/htmlpurifier/HTMLPurifier/Encoder.php
  24. +164 −11 lib/htmlpurifier/HTMLPurifier/Filter/ExtractStyleBlocks.php
  25. +1 −1 lib/htmlpurifier/HTMLPurifier/HTMLDefinition.php
  26. +3 −2 lib/htmlpurifier/HTMLPurifier/HTMLModule/Forms.php
  27. +38 −0 lib/htmlpurifier/HTMLPurifier/HTMLModule/Iframe.php
  28. +17 −1 lib/htmlpurifier/HTMLPurifier/HTMLModule/Legacy.php
  29. +10 −4 lib/htmlpurifier/HTMLPurifier/HTMLModule/List.php
  30. +3 −0 lib/htmlpurifier/HTMLPurifier/HTMLModule/Tables.php
  31. +19 −0 lib/htmlpurifier/HTMLPurifier/HTMLModule/TargetBlank.php
  32. +15 −3 lib/htmlpurifier/HTMLPurifier/HTMLModuleManager.php
  33. +0 −139 lib/htmlpurifier/HTMLPurifier/Lexer/PEARSax3.php
  34. +2 −2 lib/htmlpurifier/HTMLPurifier/Lexer/PH5P.php
  35. +0 −2 lib/htmlpurifier/HTMLPurifier/Strategy/Composite.php
  36. +24 −7 lib/htmlpurifier/HTMLPurifier/Strategy/RemoveForeignElements.php
  37. +39 −1 lib/htmlpurifier/HTMLPurifier/URI.php
  38. +11 −2 lib/htmlpurifier/HTMLPurifier/URIDefinition.php
  39. +24 −2 lib/htmlpurifier/HTMLPurifier/URIFilter.php
  40. +4 −0 lib/htmlpurifier/HTMLPurifier/URIFilter/HostBlacklist.php
  41. +2 −7 lib/htmlpurifier/HTMLPurifier/URIFilter/Munge.php
  42. +35 −0 lib/htmlpurifier/HTMLPurifier/URIFilter/SafeIframe.php
  43. +6 −0 lib/htmlpurifier/HTMLPurifier/URIScheme.php
  44. +1 −0 lib/htmlpurifier/HTMLPurifier/URIScheme/https.php
  45. +2 −1 lib/htmlpurifier/readme_moodle.txt
  46. +150 −9 lib/simpletest/testhtmlpurifier.php
  47. +0 −128 lib/simpletest/testpurifier.php
  48. +1 −1 lib/thirdpartylibs.xml
@@ -19,7 +19,7 @@
*/
/*
- HTML Purifier 4.3.0 - Standards Compliant HTML Filtering
+ HTML Purifier 4.4.0 - Standards Compliant HTML Filtering
Copyright (C) 2006-2008 Edward Z. Yang
This library is free software; you can redistribute it and/or
@@ -55,10 +55,10 @@ class HTMLPurifier
{
/** Version of HTML Purifier */
- public $version = '4.3.0';
+ public $version = '4.4.0';
/** Constant with version of HTML Purifier */
- const VERSION = '4.3.0';
+ const VERSION = '4.4.0';
/** Global configuration object */
public $config;
@@ -67,6 +67,7 @@
require_once $__dir . '/HTMLPurifier/VarParser.php';
require_once $__dir . '/HTMLPurifier/VarParserException.php';
require_once $__dir . '/HTMLPurifier/AttrDef/CSS.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/Clone.php';
require_once $__dir . '/HTMLPurifier/AttrDef/Enum.php';
require_once $__dir . '/HTMLPurifier/AttrDef/Integer.php';
require_once $__dir . '/HTMLPurifier/AttrDef/Lang.php';
@@ -84,6 +85,7 @@
require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Filter.php';
require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Font.php';
require_once $__dir . '/HTMLPurifier/AttrDef/CSS/FontFamily.php';
+require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Ident.php';
require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ImportantDecorator.php';
require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Length.php';
require_once $__dir . '/HTMLPurifier/AttrDef/CSS/ListStyle.php';
@@ -124,10 +126,12 @@
require_once $__dir . '/HTMLPurifier/AttrTransform/SafeObject.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/SafeParam.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/ScriptRequired.php';
+require_once $__dir . '/HTMLPurifier/AttrTransform/TargetBlank.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/Textarea.php';
require_once $__dir . '/HTMLPurifier/ChildDef/Chameleon.php';
require_once $__dir . '/HTMLPurifier/ChildDef/Custom.php';
require_once $__dir . '/HTMLPurifier/ChildDef/Empty.php';
+require_once $__dir . '/HTMLPurifier/ChildDef/List.php';
require_once $__dir . '/HTMLPurifier/ChildDef/Required.php';
require_once $__dir . '/HTMLPurifier/ChildDef/Optional.php';
require_once $__dir . '/HTMLPurifier/ChildDef/StrictBlockquote.php';
@@ -142,6 +146,7 @@
require_once $__dir . '/HTMLPurifier/HTMLModule/Edit.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Forms.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Hypertext.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/Iframe.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Image.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Legacy.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/List.php';
@@ -158,6 +163,7 @@
require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Tables.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Target.php';
+require_once $__dir . '/HTMLPurifier/HTMLModule/TargetBlank.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Text.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Tidy.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/XMLCommonAttributes.php';
@@ -196,6 +202,7 @@
require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php';
require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php';
require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/SafeIframe.php';
require_once $__dir . '/HTMLPurifier/URIScheme/data.php';
require_once $__dir . '/HTMLPurifier/URIScheme/file.php';
require_once $__dir . '/HTMLPurifier/URIScheme/ftp.php';
@@ -0,0 +1,24 @@
+<?php
+
+/**
+ * Validates based on {ident} CSS grammar production
+ */
+class HTMLPurifier_AttrDef_CSS_Ident extends HTMLPurifier_AttrDef
+{
+
+ public function validate($string, $config, $context) {
+
+ $string = trim($string);
+
+ // early abort: '' and '0' (strings that convert to false) are invalid
+ if (!$string) return false;
+
+ $pattern = '/^(-?[A-Za-z_][A-Za-z_\-0-9]*)$/';
+ if (!preg_match($pattern, $string)) return false;
+ return $string;
+
+ }
+
+}
+
+// vim: et sw=4 sts=4
@@ -0,0 +1,28 @@
+<?php
+
+/**
+ * Dummy AttrDef that mimics another AttrDef, BUT it generates clones
+ * with make.
+ */
+class HTMLPurifier_AttrDef_Clone extends HTMLPurifier_AttrDef
+{
+ /**
+ * What we're cloning
+ */
+ protected $clone;
+
+ public function __construct($clone) {
+ $this->clone = $clone;
+ }
+
+ public function validate($v, $config, $context) {
+ return $this->clone->validate($v, $config, $context);
+ }
+
+ public function make($string) {
+ return clone $this->clone;
+ }
+
+}
+
+// vim: et sw=4 sts=4
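Review bot: `make($string)` discards its argument, so a `Type#param` shorthand resolved through a Clone definition silently yields the unparameterised clone rather than applying the parameter, and nothing in the class says so. The XXX note in AttrTypes in this same commit explains that parameterisation is expected to come from make(), which makes the silent drop easy to misread as support. I'd replace the class docblock with `/** Dummy AttrDef that delegates validate() to a wrapped AttrDef; make() returns a fresh clone of it and ignores $string, so shorthand parameters are dropped, not applied. */` and add `@param HTMLPurifier_AttrDef $clone` on the constructor.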
@@ -14,7 +14,7 @@ public function validate($string, $config, $context) {
$string = trim($string);
if (empty($string)) return false;
- if (isset($colors[$string])) return $colors[$string];
+ if (isset($colors[strtolower($string)])) return $colors[$string];
if ($string[0] === '#') $hex = substr($string, 1);
else $hex = $string;
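Review bot: The keyword lookup `if (isset($colors[strtolower($string)])) return $colors[$string];` tests the lower-cased key but returns the original-cased one, so a value such as `Red` passes the isset, reads an undefined index, and validate() returns null instead of the mapped hex value — the case-insensitive match this line was added for never actually succeeds. Compute the key once: `$lower = strtolower($string); if (isset($colors[$lower])) return $colors[$lower];`. validate() begins before the hunk (the `$colors` table is not visible here) and its hex branch continues after it.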
@@ -12,12 +12,22 @@
class HTMLPurifier_AttrDef_HTML_ID extends HTMLPurifier_AttrDef
{
- // ref functionality disabled, since we also have to verify
- // whether or not the ID it refers to exists
+ // selector is NOT a valid thing to use for IDREFs, because IDREFs
+ // *must* target IDs that exist, whereas selector #ids do not.
+
+ /**
+ * Determines whether or not we're validating an ID in a CSS
+ * selector context.
+ */
+ protected $selector;
+
+ public function __construct($selector = false) {
+ $this->selector = $selector;
+ }
public function validate($id, $config, $context) {
- if (!$config->get('Attr.EnableID')) return false;
+ if (!$this->selector && !$config->get('Attr.EnableID')) return false;
$id = trim($id); // trim it first
@@ -33,10 +43,10 @@ public function validate($id, $config, $context) {
'%Attr.IDPrefix is set', E_USER_WARNING);
}
- //if (!$this->ref) {
+ if (!$this->selector) {
$id_accumulator =& $context->get('IDAccumulator');
if (isset($id_accumulator->ids[$id])) return false;
- //}
+ }
// we purposely avoid using regex, hopefully this is faster
@@ -56,7 +66,7 @@ public function validate($id, $config, $context) {
return false;
}
- if (/*!$this->ref && */$result) $id_accumulator->add($id);
+ if (!$this->selector && $result) $id_accumulator->add($id);
// if no change was made to the ID, return the result
// else, return the new id if stripping whitespace made it
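Review bot: The new `$selector` flag is undocumented, and what it relaxes is security-relevant: in selector mode both the `Attr.EnableID` gate and the IDAccumulator duplicate check are skipped, so a purified stylesheet may name any id, including ids that exist on the host page rather than inside the purified fragment. Whether the `%Attr.IDPrefix` rewriting near the top of validate() still applies in selector mode is not visible in these hunks; if it does not, prefix-based isolation is bypassed for CSS, so that is worth confirming. I'd expand the property comment to `/** True when validating an id inside a CSS selector: the Attr.EnableID gate and the IDAccumulator check are skipped, since a selector only names an id rather than declaring one. */` and add `@param bool $selector` on the constructor. validate() starts and ends outside the visible hunks.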
@@ -19,7 +19,7 @@ public function __construct($embeds_resource = false) {
}
public function make($string) {
- $embeds = (bool) $string;
+ $embeds = ($string === 'embedded');
return new HTMLPurifier_AttrDef_URI($embeds);
}
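Review bot: `$embeds = ($string === 'embedded');` makes every other parameter string silently select the non-embedded definition, which is the less restricted of the two, so a misspelling in a `Type#param` shorthand fails open rather than failing closed. I'd reject or at least warn on anything that is neither empty nor `embedded`, e.g. `if ($string !== '' && $string !== 'embedded') { trigger_error("Unknown URI parameter '$string'", E_USER_WARNING); }` before the assignment. What strings make() is actually called with is not visible in this hunk.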
@@ -44,9 +44,8 @@ public function validate($string, $config, $context) {
// A regular domain name.
- // This breaks I18N domain names, but we don't have proper IRI support,
- // so force users to insert Punycode. If there's complaining we'll
- // try to fix things into an international friendly form.
+ // This doesn't match I18N domain names, but we don't have proper IRI support,
+ // so force users to insert Punycode.
// The productions describing this are:
$a = '[a-z]'; // alpha
@@ -57,10 +56,44 @@ public function validate($string, $config, $context) {
// toplabel = alpha | alpha *( alphanum | "-" ) alphanum
$toplabel = "$a($and*$an)?";
// hostname = *( domainlabel "." ) toplabel [ "." ]
- $match = preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string);
- if (!$match) return false;
+ if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
+ return $string;
+ }
+
+ // If we have Net_IDNA2 support, we can support IRIs by
+ // punycoding them. (This is the most portable thing to do,
+ // since otherwise we have to assume browsers support
+
+ if ($config->get('Core.EnableIDNA')) {
+ $idna = new Net_IDNA2(array('encoding' => 'utf8', 'overlong' => false, 'strict' => true));
+ // we need to encode each period separately
+ $parts = explode('.', $string);
+ try {
+ $new_parts = array();
+ foreach ($parts as $part) {
+ $encodable = false;
+ for ($i = 0, $c = strlen($part); $i < $c; $i++) {
+ if (ord($part[$i]) > 0x7a) {
+ $encodable = true;
+ break;
+ }
+ }
+ if (!$encodable) {
+ $new_parts[] = $part;
+ } else {
+ $new_parts[] = $idna->encode($part);
+ }
+ }
+ $string = implode('.', $new_parts);
+ if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
+ return $string;
+ }
+ } catch (Exception $e) {
+ // XXX error reporting
+ }
+ }
- return $string;
+ return false;
}
}
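Review bot: The IDNA branch instantiates `Net_IDNA2` unconditionally whenever `Core.EnableIDNA` is on, so a deployment that enables the option without that PEAR class loaded gets a fatal error from inside the sanitizer instead of a rejected host; a `class_exists('Net_IDNA2', false)` guard (or a trigger_error naming the missing dependency) before `new Net_IDNA2(...)` would fail closed. Two smaller things in the same loop: the byte test `ord($part[$i]) > 0x7a` uses 'z' rather than the end of ASCII as its threshold, so `{|}~` and DEL are handed to the encoder although they are plain ASCII — `> 0x7f` states the intent, since UTF-8 multibyte sequences only use bytes 0x80 and above, and the final regex rejects such labels either way; and `catch (Exception $e)` with `// XXX error reporting` swallows every encoder failure, which is acceptable only because the function then returns false, so the comment should say that. The comment above the branch stops mid-sentence (`since otherwise we have to assume browsers support`); finish it, e.g. `...assume browsers support raw IDN hostnames).` The earlier comment `so force users to insert Punycode` is now only true when Core.EnableIDNA is off.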
@@ -24,9 +24,13 @@ public function transform($attr, $config, $context) {
$url = $this->parser->parse($attr['href']);
$scheme = $url->getSchemeObj($config, $context);
- if (!is_null($url->host) && $scheme !== false && $scheme->browsable) {
+ if ($scheme->browsable && !$url->isLocal($config, $context)) {
if (isset($attr['rel'])) {
- $attr['rel'] .= ' nofollow';
+ $rels = explode(' ', $attr);
+ if (!in_array('nofollow', $rels)) {
+ $rels[] = 'nofollow';
+ }
+ $attr['rel'] = implode(' ', $rels);
} else {
$attr['rel'] = 'nofollow';
}
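Review bot: `$rels = explode(' ', $attr);` passes the whole attribute array to explode() instead of `$attr['rel']`, so on a link that already carries a rel the call emits a warning and returns null, `in_array` warns again, and the existing rel tokens are lost — the element ends up with `rel="nofollow"` alone. The line should read `$rels = explode(' ', $attr['rel']);`. Separately, the `$scheme !== false` guard visible on the removed line was dropped; since the old code evidently expected getSchemeObj() to return false, `if ($scheme !== false && $scheme->browsable && !$url->isLocal($config, $context))` keeps the transform robust if it is ever run before validation, at no cost. transform() begins before the hunk.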
@@ -0,0 +1,38 @@
+<?php
+
+// must be called POST validation
+
+/**
+ * Adds target="blank" to all outbound links. This transform is
+ * only attached if Attr.TargetBlank is TRUE. This works regardless
+ * of whether or not Attr.AllowedFrameTargets
+ */
+class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform
+{
+ private $parser;
+
+ public function __construct() {
+ $this->parser = new HTMLPurifier_URIParser();
+ }
+
+ public function transform($attr, $config, $context) {
+
+ if (!isset($attr['href'])) {
+ return $attr;
+ }
+
+ // XXX Kind of inefficient
+ $url = $this->parser->parse($attr['href']);
+ $scheme = $url->getSchemeObj($config, $context);
+
+ if ($scheme->browsable && !$url->isBenign($config, $context)) {
+ $attr['target'] = '_blank';
+ }
+
+ return $attr;
+
+ }
+
+}
+
+// vim: et sw=4 sts=4
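Review bot: The class docblock is inaccurate and unfinished: it says `target="blank"` where the code sets `_blank`, names the directive `Attr.TargetBlank` while the schema file added in this commit is `HTML.TargetBlank.txt`, and the sentence `This works regardless of whether or not Attr.AllowedFrameTargets` stops short. I'd replace it with `Adds target="_blank" to every browsable, non-benign link. Only attached when HTML.TargetBlank is TRUE; it runs after validation, so it applies regardless of Attr.AllowedFrameTargets.` As in the Nofollow transform, `$scheme->browsable` dereferences the result of getSchemeObj() with no false check; `if ($scheme !== false && $scheme->browsable && !$url->isBenign($config, $context))` is a cheap guard. One caveat worth recording in the same docblock: a link opened with target="_blank" hands the destination page a window.opener reference back to the host page, so sites enabling this should consider appending a rel="noopener" token alongside (the Nofollow transform in this commit shows the pattern for appending a rel token).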
@@ -15,6 +15,13 @@ class HTMLPurifier_AttrTypes
* types.
*/
public function __construct() {
+ // XXX This is kind of poor, since we don't actually /clone/
+ // instances; instead, we use the supplied make() attribute. So,
+ // the underlying class must know how to deal with arguments.
+ // With the old implementation of Enum, that ignored its
+ // arguments when handling a make dispatch, the IAlign
+ // definition wouldn't work.
+
// pseudo-types, must be instantiated via shorthand
$this->info['Enum'] = new HTMLPurifier_AttrDef_Enum();
$this->info['Bool'] = new HTMLPurifier_AttrDef_HTML_Bool();
@@ -29,6 +36,9 @@ public function __construct() {
$this->info['URI'] = new HTMLPurifier_AttrDef_URI();
$this->info['LanguageCode'] = new HTMLPurifier_AttrDef_Lang();
$this->info['Color'] = new HTMLPurifier_AttrDef_HTML_Color();
+ $this->info['IAlign'] = self::makeEnum('top,middle,bottom,left,right');
+ $this->info['LAlign'] = self::makeEnum('top,bottom,left,right');
+ $this->info['FrameTarget'] = new HTMLPurifier_AttrDef_HTML_FrameTarget();
// unimplemented aliases
$this->info['ContentType'] = new HTMLPurifier_AttrDef_Text();
@@ -44,6 +54,10 @@ public function __construct() {
$this->info['Number'] = new HTMLPurifier_AttrDef_Integer(false, false, true);
}
+ private static function makeEnum($in) {
+ return new HTMLPurifier_AttrDef_Clone(new HTMLPurifier_AttrDef_Enum(explode(',', $in)));
+ }
+
/**
* Retrieves a type
* @param $type String type name