mirror of
https://github.com/EGroupware/egroupware.git
synced 2025-01-13 17:38:19 +01:00
Update HTMLawed into version 1.1.22
This commit is contained in:
parent
b379dffd51
commit
93f3826259
@ -1,7 +1,7 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
htmLawed 1.1.17, 11 March 2014
|
||||
htmLawed 1.1.22, 5 March 2016
|
||||
Copyright Santosh Patnaik
|
||||
Dual licensed with LGPL 3 and GPL 2+
|
||||
A PHP Labware internal utility; www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||
@ -115,31 +115,39 @@ return $t;
|
||||
// eof
|
||||
}
|
||||
|
||||
function hl_attrval($t, $p){
|
||||
function hl_attrval($a, $t, $p){
|
||||
// check attr val against $S
|
||||
$o = 1; $l = strlen($t);
|
||||
foreach($p as $k=>$v){
|
||||
switch($k){
|
||||
case 'maxlen':if($l > $v){$o = 0;}
|
||||
break; case 'minlen': if($l < $v){$o = 0;}
|
||||
break; case 'maxval': if((float)($t) > $v){$o = 0;}
|
||||
break; case 'minval': if((float)($t) < $v){$o = 0;}
|
||||
break; case 'match': if(!preg_match($v, $t)){$o = 0;}
|
||||
break; case 'nomatch': if(preg_match($v, $t)){$o = 0;}
|
||||
break; case 'oneof':
|
||||
$m = 0;
|
||||
foreach(explode('|', $v) as $n){if($t == $n){$m = 1; break;}}
|
||||
$o = $m;
|
||||
break; case 'noneof':
|
||||
$m = 1;
|
||||
foreach(explode('|', $v) as $n){if($t == $n){$m = 0; break;}}
|
||||
$o = $m;
|
||||
break; default:
|
||||
break;
|
||||
static $ma = array('accesskey', 'class', 'rel');
|
||||
$s = in_array($a, $ma) ? ' ' : '';
|
||||
$r = array();
|
||||
$t = !empty($s) ? explode($s, $t) : array($t);
|
||||
foreach($t as $tk=>$tv){
|
||||
$o = 1; $l = strlen($tv);
|
||||
foreach($p as $k=>$v){
|
||||
switch($k){
|
||||
case 'maxlen': if($l > $v){$o = 0;}
|
||||
break; case 'minlen': if($l < $v){$o = 0;}
|
||||
break; case 'maxval': if((float)($tv) > $v){$o = 0;}
|
||||
break; case 'minval': if((float)($tv) < $v){$o = 0;}
|
||||
break; case 'match': if(!preg_match($v, $tv)){$o = 0;}
|
||||
break; case 'nomatch': if(preg_match($v, $tv)){$o = 0;}
|
||||
break; case 'oneof':
|
||||
$m = 0;
|
||||
foreach(explode('|', $v) as $n){if($tv == $n){$m = 1; break;}}
|
||||
$o = $m;
|
||||
break; case 'noneof':
|
||||
$m = 1;
|
||||
foreach(explode('|', $v) as $n){if($tv == $n){$m = 0; break;}}
|
||||
$o = $m;
|
||||
break; default:
|
||||
break;
|
||||
}
|
||||
if(!$o){break;}
|
||||
}
|
||||
if(!$o){break;}
|
||||
if($o){$r[] = $tv;}
|
||||
}
|
||||
return ($o ? $t : (isset($p['default']) ? $p['default'] : 0));
|
||||
$r = implode($s, $r);
|
||||
return (isset($r[0]) ? $r : (isset($p['default']) ? $p['default'] : 0));
|
||||
// eof
|
||||
}
|
||||
|
||||
@ -440,11 +448,10 @@ static $eE = array('area'=>1, 'br'=>1, 'col'=>1, 'embed'=>1, 'hr'=>1, 'img'=>1,
|
||||
if(!empty($m[1])){
|
||||
return (!isset($eE[$e]) ? (empty($C['hook_tag']) ? "</$e>" : $C['hook_tag']($e)) : (($C['keep_bad'])%2 ? str_replace(array('<', '>'), array('<', '>'), $t) : ''));
|
||||
}
|
||||
|
||||
// open tag & attr
|
||||
static $aN = array('abbr'=>array('td'=>1, 'th'=>1), 'accept-charset'=>array('form'=>1), 'accept'=>array('form'=>1, 'input'=>1), 'accesskey'=>array('a'=>1, 'area'=>1, 'button'=>1, 'input'=>1, 'label'=>1, 'legend'=>1, 'textarea'=>1), 'action'=>array('form'=>1), 'align'=>array('caption'=>1, 'embed'=>1, 'applet'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'object'=>1, 'legend'=>1, 'table'=>1, 'hr'=>1, 'div'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'p'=>1, 'col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'alt'=>array('applet'=>1, 'area'=>1, 'img'=>1, 'input'=>1), 'archive'=>array('applet'=>1, 'object'=>1), 'axis'=>array('td'=>1, 'th'=>1), 'bgcolor'=>array('embed'=>1, 'table'=>1, 'tr'=>1, 'td'=>1, 'th'=>1), 'border'=>array('table'=>1, 'img'=>1, 'object'=>1), 'bordercolor'=>array('table'=>1, 'td'=>1, 'tr'=>1), 'cellpadding'=>array('table'=>1), 'cellspacing'=>array('table'=>1), 'char'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'charoff'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'charset'=>array('a'=>1, 'script'=>1), 'checked'=>array('input'=>1), 'cite'=>array('blockquote'=>1, 'q'=>1, 'del'=>1, 'ins'=>1), 'classid'=>array('object'=>1), 'clear'=>array('br'=>1), 'code'=>array('applet'=>1), 'codebase'=>array('object'=>1, 'applet'=>1), 'codetype'=>array('object'=>1), 'color'=>array('font'=>1), 'cols'=>array('textarea'=>1), 'colspan'=>array('td'=>1, 'th'=>1), 'compact'=>array('dir'=>1, 'dl'=>1, 'menu'=>1, 'ol'=>1, 'ul'=>1), 'coords'=>array('area'=>1, 'a'=>1), 'data'=>array('object'=>1), 'datetime'=>array('del'=>1, 'ins'=>1), 'declare'=>array('object'=>1), 'defer'=>array('script'=>1), 'dir'=>array('bdo'=>1), 'disabled'=>array('button'=>1, 'input'=>1, 'optgroup'=>1, 'option'=>1, 'select'=>1, 'textarea'=>1), 'enctype'=>array('form'=>1), 'face'=>array('font'=>1), 'flashvars'=>array('embed'=>1), 'for'=>array('label'=>1), 'frame'=>array('table'=>1), 'frameborder'=>array('iframe'=>1), 'headers'=>array('td'=>1, 'th'=>1), 'height'=>array('embed'=>1, 'iframe'=>1, 'td'=>1, 'th'=>1, 'img'=>1, 'object'=>1, 'applet'=>1), 'href'=>array('a'=>1, 'area'=>1), 'hreflang'=>array('a'=>1), 'hspace'=>array('applet'=>1, 'img'=>1, 'object'=>1), 'ismap'=>array('img'=>1, 'input'=>1), 'label'=>array('option'=>1, 'optgroup'=>1), 'language'=>array('script'=>1), 'longdesc'=>array('img'=>1, 'iframe'=>1), 'marginheight'=>array('iframe'=>1), 'marginwidth'=>array('iframe'=>1), 'maxlength'=>array('input'=>1), 'method'=>array('form'=>1), 'model'=>array('embed'=>1), 'multiple'=>array('select'=>1), 'name'=>array('button'=>1, 'embed'=>1, 'textarea'=>1, 'applet'=>1, 'select'=>1, 'form'=>1, 'iframe'=>1, 'img'=>1, 'a'=>1, 'input'=>1, 'object'=>1, 'map'=>1, 'param'=>1), 'nohref'=>array('area'=>1), 'noshade'=>array('hr'=>1), 'nowrap'=>array('td'=>1, 'th'=>1), 'object'=>array('applet'=>1), 'onblur'=>array('a'=>1, 'area'=>1, 'button'=>1, 'input'=>1, 'label'=>1, 'select'=>1, 'textarea'=>1), 'onchange'=>array('input'=>1, 'select'=>1, 'textarea'=>1), 'onfocus'=>array('a'=>1, 'area'=>1, 'button'=>1, 'input'=>1, 'label'=>1, 'select'=>1, 'textarea'=>1), 'onreset'=>array('form'=>1), 'onselect'=>array('input'=>1, 'textarea'=>1), 'onsubmit'=>array('form'=>1), 'pluginspage'=>array('embed'=>1), 'pluginurl'=>array('embed'=>1), 'prompt'=>array('isindex'=>1), 'readonly'=>array('textarea'=>1, 'input'=>1), 'rel'=>array('a'=>1), 'rev'=>array('a'=>1), 'rows'=>array('textarea'=>1), 'rowspan'=>array('td'=>1, 'th'=>1), 'rules'=>array('table'=>1), 'scope'=>array('td'=>1, 'th'=>1), 'scrolling'=>array('iframe'=>1), 'selected'=>array('option'=>1), 'shape'=>array('area'=>1, 'a'=>1), 'size'=>array('hr'=>1, 'font'=>1, 'input'=>1, 'select'=>1), 'span'=>array('col'=>1, 'colgroup'=>1), 'src'=>array('embed'=>1, 'script'=>1, 'input'=>1, 'iframe'=>1, 'img'=>1), 'standby'=>array('object'=>1), 'start'=>array('ol'=>1), 'summary'=>array('table'=>1), 'tabindex'=>array('a'=>1, 'area'=>1, 'button'=>1, 'input'=>1, 'object'=>1, 'select'=>1, 'textarea'=>1), 'target'=>array('a'=>1, 'area'=>1, 'form'=>1), 'type'=>array('a'=>1, 'embed'=>1, 'object'=>1, 'param'=>1, 'script'=>1, 'input'=>1, 'li'=>1, 'ol'=>1, 'ul'=>1, 'button'=>1), 'usemap'=>array('img'=>1, 'input'=>1, 'object'=>1), 'valign'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'value'=>array('input'=>1, 'option'=>1, 'param'=>1, 'button'=>1, 'li'=>1), 'valuetype'=>array('param'=>1), 'vspace'=>array('applet'=>1, 'img'=>1, 'object'=>1), 'width'=>array('embed'=>1, 'hr'=>1, 'iframe'=>1, 'img'=>1, 'object'=>1, 'table'=>1, 'td'=>1, 'th'=>1, 'applet'=>1, 'col'=>1, 'colgroup'=>1, 'pre'=>1), 'wmode'=>array('embed'=>1), 'xml:space'=>array('pre'=>1, 'script'=>1, 'style'=>1)); // Ele-specific
|
||||
static $aN = array('abbr'=>array('td'=>1, 'th'=>1), 'accept-charset'=>array('form'=>1), 'accept'=>array('form'=>1, 'input'=>1), 'accesskey'=>array('a'=>1, 'area'=>1, 'button'=>1, 'input'=>1, 'label'=>1, 'legend'=>1, 'textarea'=>1), 'action'=>array('form'=>1), 'align'=>array('caption'=>1, 'embed'=>1, 'applet'=>1, 'iframe'=>1, 'img'=>1, 'input'=>1, 'object'=>1, 'legend'=>1, 'table'=>1, 'hr'=>1, 'div'=>1, 'h1'=>1, 'h2'=>1, 'h3'=>1, 'h4'=>1, 'h5'=>1, 'h6'=>1, 'p'=>1, 'col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'allowfullscreen'=>array('iframe'=>1), 'alt'=>array('applet'=>1, 'area'=>1, 'img'=>1, 'input'=>1), 'archive'=>array('applet'=>1, 'object'=>1), 'axis'=>array('td'=>1, 'th'=>1), 'bgcolor'=>array('embed'=>1, 'table'=>1, 'tr'=>1, 'td'=>1, 'th'=>1), 'border'=>array('table'=>1, 'img'=>1, 'object'=>1), 'bordercolor'=>array('table'=>1, 'td'=>1, 'tr'=>1), 'cellpadding'=>array('table'=>1), 'cellspacing'=>array('table'=>1), 'char'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'charoff'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'charset'=>array('a'=>1, 'script'=>1), 'checked'=>array('input'=>1), 'cite'=>array('blockquote'=>1, 'q'=>1, 'del'=>1, 'ins'=>1), 'classid'=>array('object'=>1), 'clear'=>array('br'=>1), 'code'=>array('applet'=>1), 'codebase'=>array('object'=>1, 'applet'=>1), 'codetype'=>array('object'=>1), 'color'=>array('font'=>1), 'cols'=>array('textarea'=>1), 'colspan'=>array('td'=>1, 'th'=>1), 'compact'=>array('dir'=>1, 'dl'=>1, 'menu'=>1, 'ol'=>1, 'ul'=>1), 'coords'=>array('area'=>1, 'a'=>1), 'data'=>array('object'=>1), 'datetime'=>array('del'=>1, 'ins'=>1), 'declare'=>array('object'=>1), 'defer'=>array('script'=>1), 'dir'=>array('bdo'=>1), 'disabled'=>array('button'=>1, 'input'=>1, 'optgroup'=>1, 'option'=>1, 'select'=>1, 'textarea'=>1), 'enctype'=>array('form'=>1), 'face'=>array('font'=>1), 'flashvars'=>array('embed'=>1), 'for'=>array('label'=>1), 'frame'=>array('table'=>1), 'frameborder'=>array('iframe'=>1), 'headers'=>array('td'=>1, 'th'=>1), 'height'=>array('embed'=>1, 'iframe'=>1, 'td'=>1, 'th'=>1, 'img'=>1, 'object'=>1, 'applet'=>1), 'href'=>array('a'=>1, 'area'=>1), 'hreflang'=>array('a'=>1), 'hspace'=>array('applet'=>1, 'img'=>1, 'object'=>1), 'ismap'=>array('img'=>1, 'input'=>1), 'label'=>array('option'=>1, 'optgroup'=>1), 'language'=>array('script'=>1), 'longdesc'=>array('img'=>1, 'iframe'=>1), 'marginheight'=>array('iframe'=>1), 'marginwidth'=>array('iframe'=>1), 'maxlength'=>array('input'=>1), 'method'=>array('form'=>1), 'model'=>array('embed'=>1), 'multiple'=>array('select'=>1), 'name'=>array('button'=>1, 'embed'=>1, 'textarea'=>1, 'applet'=>1, 'select'=>1, 'form'=>1, 'iframe'=>1, 'img'=>1, 'a'=>1, 'input'=>1, 'object'=>1, 'map'=>1, 'param'=>1), 'nohref'=>array('area'=>1), 'noshade'=>array('hr'=>1), 'nowrap'=>array('td'=>1, 'th'=>1), 'object'=>array('applet'=>1), 'onblur'=>array('a'=>1, 'area'=>1, 'button'=>1, 'input'=>1, 'label'=>1, 'select'=>1, 'textarea'=>1), 'onchange'=>array('input'=>1, 'select'=>1, 'textarea'=>1), 'onfocus'=>array('a'=>1, 'area'=>1, 'button'=>1, 'input'=>1, 'label'=>1, 'select'=>1, 'textarea'=>1), 'onreset'=>array('form'=>1), 'onselect'=>array('input'=>1, 'textarea'=>1), 'onsubmit'=>array('form'=>1), 'pluginspage'=>array('embed'=>1), 'pluginurl'=>array('embed'=>1), 'prompt'=>array('isindex'=>1), 'readonly'=>array('textarea'=>1, 'input'=>1), 'rel'=>array('a'=>1), 'rev'=>array('a'=>1), 'rows'=>array('textarea'=>1), 'rowspan'=>array('td'=>1, 'th'=>1), 'rules'=>array('table'=>1), 'scope'=>array('td'=>1, 'th'=>1), 'scrolling'=>array('iframe'=>1), 'selected'=>array('option'=>1), 'shape'=>array('area'=>1, 'a'=>1), 'size'=>array('hr'=>1, 'font'=>1, 'input'=>1, 'select'=>1), 'span'=>array('col'=>1, 'colgroup'=>1), 'src'=>array('embed'=>1, 'script'=>1, 'input'=>1, 'iframe'=>1, 'img'=>1), 'standby'=>array('object'=>1), 'start'=>array('ol'=>1), 'summary'=>array('table'=>1), 'tabindex'=>array('a'=>1, 'area'=>1, 'button'=>1, 'input'=>1, 'object'=>1, 'select'=>1, 'textarea'=>1), 'target'=>array('a'=>1, 'area'=>1, 'form'=>1), 'type'=>array('a'=>1, 'embed'=>1, 'object'=>1, 'param'=>1, 'script'=>1, 'input'=>1, 'li'=>1, 'ol'=>1, 'ul'=>1, 'button'=>1), 'usemap'=>array('img'=>1, 'input'=>1, 'object'=>1), 'valign'=>array('col'=>1, 'colgroup'=>1, 'tbody'=>1, 'td'=>1, 'tfoot'=>1, 'th'=>1, 'thead'=>1, 'tr'=>1), 'value'=>array('input'=>1, 'option'=>1, 'param'=>1, 'button'=>1, 'li'=>1), 'valuetype'=>array('param'=>1), 'vspace'=>array('applet'=>1, 'img'=>1, 'object'=>1), 'width'=>array('embed'=>1, 'hr'=>1, 'iframe'=>1, 'img'=>1, 'object'=>1, 'table'=>1, 'td'=>1, 'th'=>1, 'applet'=>1, 'col'=>1, 'colgroup'=>1, 'pre'=>1), 'wmode'=>array('embed'=>1), 'xml:space'=>array('pre'=>1, 'script'=>1, 'style'=>1)); // Ele-specific
|
||||
$aN['background']=(isset($aN['background'])?array_merge($aN['background'],array('td'=>1)):array('td'=>1));//allow attribute background for (additional) elements, its not allowed by HTML Standards exept for body, but used anyway; one should check for the url to be allowed by application means
|
||||
static $aNE = array('checked'=>1, 'compact'=>1, 'declare'=>1, 'defer'=>1, 'disabled'=>1, 'ismap'=>1, 'multiple'=>1, 'nohref'=>1, 'noresize'=>1, 'noshade'=>1, 'nowrap'=>1, 'readonly'=>1, 'selected'=>1); // Empty
|
||||
static $aNE = array('allowfullscreen'=>1, 'checked'=>1, 'compact'=>1, 'declare'=>1, 'defer'=>1, 'disabled'=>1, 'ismap'=>1, 'multiple'=>1, 'nohref'=>1, 'noresize'=>1, 'noshade'=>1, 'nowrap'=>1, 'readonly'=>1, 'selected'=>1); // Empty
|
||||
static $aNP = array('action'=>1, 'cite'=>1, 'classid'=>1, 'codebase'=>1, 'data'=>1, 'href'=>1, 'longdesc'=>1, 'model'=>1, 'pluginspage'=>1, 'pluginurl'=>1, 'usemap'=>1); // Need scheme check; excludes style, on* & src
|
||||
static $aNU = array('class'=>array('param'=>1, 'script'=>1), 'dir'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'iframe'=>1, 'param'=>1, 'script'=>1), 'id'=>array('script'=>1), 'lang'=>array('applet'=>1, 'br'=>1, 'iframe'=>1, 'param'=>1, 'script'=>1), 'xml:lang'=>array('applet'=>1, 'br'=>1, 'iframe'=>1, 'param'=>1, 'script'=>1), 'onclick'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'ondblclick'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'onkeydown'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'onkeypress'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'onkeyup'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'onmousedown'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'onmousemove'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'onmouseout'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'onmouseover'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'onmouseup'=>array('applet'=>1, 'bdo'=>1, 'br'=>1, 'font'=>1, 'iframe'=>1, 'isindex'=>1, 'param'=>1, 'script'=>1), 'style'=>array('param'=>1, 'script'=>1), 'title'=>array('param'=>1, 'script'=>1)); // Univ & exceptions
|
||||
|
||||
@ -484,7 +491,7 @@ while(strlen($a)){
|
||||
break; case 2: // Val
|
||||
if(preg_match('`^((?:"[^"]*")|(?:\'[^\']*\')|(?:\s*[^\s"\']+))(.*)`', $a, $m)){
|
||||
$a = ltrim($m[2]); $m = $m[1]; $w = 1; $mode = 0;
|
||||
$aA[$nm] = trim(($m[0] == '"' or $m[0] == '\'') ? substr($m, 1, -1) : $m);
|
||||
$aA[$nm] = trim(str_replace('<', '<', ($m[0] == '"' or $m[0] == '\'') ? substr($m, 1, -1) : $m));
|
||||
}
|
||||
break;
|
||||
}
|
||||
@ -513,7 +520,7 @@ foreach($aA as $k=>$v){
|
||||
$v = preg_replace_callback('`(url(?:\()(?: )*(?:\'|"|&(?:quot|apos);)?)(.+?)((?:\'|"|&(?:quot|apos);)?(?: )*(?:\)))`iS', 'hl_prot', $v);
|
||||
$v = !$C['css_expression'] ? preg_replace('`expression`i', ' ', preg_replace('`\\\\\S|(/|(%2f))(\*|(%2a))`i', ' ', $v)) : $v;
|
||||
}elseif(isset($aNP[$k]) or strpos($k, 'src') !== false or $k[0] == 'o'){
|
||||
$v = str_replace("\xad", ' ', (strpos($v, '&') !== false ? str_replace(array('­', '­', '­'), ' ', $v) : $v));
|
||||
$v = str_replace("", ' ', (strpos($v, '&') !== false ? str_replace(array('­', '­', '­'), ' ', $v) : $v)); # double-quoted char is soft-hyphen; appears here as "" or hyphen or something else depending on viewing software
|
||||
$v = hl_prot($v, $k);
|
||||
if($k == 'href'){ // X-spam
|
||||
if($C['anti_mail_spam'] && strpos($v, 'mailto:') === 0){
|
||||
@ -532,7 +539,7 @@ foreach($aA as $k=>$v){
|
||||
}
|
||||
}
|
||||
}
|
||||
if(isset($rl[$k]) && is_array($rl[$k]) && ($v = hl_attrval($v, $rl[$k])) === 0){continue;}
|
||||
if(isset($rl[$k]) && is_array($rl[$k]) && ($v = hl_attrval($k, $v, $rl[$k])) === 0){continue;}
|
||||
$a[$k] = str_replace('"', '"', $v);
|
||||
}
|
||||
}
|
||||
@ -634,22 +641,15 @@ if($e == 'u'){$e = 'span'; return 'text-decoration: underline;';}
|
||||
static $fs = array('0'=>'xx-small', '1'=>'xx-small', '2'=>'small', '3'=>'medium', '4'=>'large', '5'=>'x-large', '6'=>'xx-large', '7'=>'300%', '-1'=>'smaller', '-2'=>'60%', '+1'=>'larger', '+2'=>'150%', '+3'=>'200%', '+4'=>'300%');
|
||||
if($e == 'font' && $t !=3){//3 is a new make_tag_strict config value, to indicate that transformation is to be performed, but don't transform font, as size transformation of numeric sizes to keywords alters the intended result too much
|
||||
$a2 = '';
|
||||
if(preg_match('`face\s*=\s*(\'|")([^=]+?)\\1`i', $a, $m) or preg_match('`face\s*=(\s*)(\S+)`i', $a, $m)){
|
||||
$a2 .= ' font-family: '. str_replace('"', '\'', trim($m[2])). ';';
|
||||
while(preg_match('`(^|\s)(color|size)\s*=\s*(\'|")?(.+?)(\\3|\s|$)`i', $a, $m)){
|
||||
$a = str_replace($m[0], ' ', $a);
|
||||
$a2 .= strtolower($m[2]) == 'color' ? (' color: '. str_replace('"', '\'', trim($m[4])). ';') : (isset($fs[($m = trim($m[4]))]) ? ($a2 .= ' font-size: '. str_replace('"', '\'', $fs[$m]). ';') : '');
|
||||
}
|
||||
if(preg_match('`color\s*=\s*(\'|")?(.+?)(\\1|\s|$)`i', $a, $m)){
|
||||
$a2 .= ' color: '. trim($m[2]). ';';
|
||||
}
|
||||
if(preg_match('`size\s*=\s*(\'|")?(.+?)(\\1|\s|$)`i', $a, $m) && isset($fs[($m = trim($m[2]))])){
|
||||
$a2 .= ' font-size: '. $fs[$m]. ';';
|
||||
}
|
||||
// $e = 'span'; return ltrim($a2);
|
||||
// replace the above with following
|
||||
if($GLOBALS['C']['balance']){
|
||||
$e = 'div'; return 'display: inline; -htmlawed-transform: 1; '. ltrim($a2);
|
||||
}else{
|
||||
$e = 'span'; return ltrim($a2);
|
||||
while(preg_match('`(^|\s)face\s*=\s*(\'|")?([^=]+?)\\2`i', $a, $m) or preg_match('`(^|\s)face\s*=(\s*)(\S+)`i', $a, $m)){
|
||||
$a = str_replace($m[0], ' ', $a);
|
||||
$a2 .= ' font-family: '. str_replace('"', '\'', trim($m[3])). ';';
|
||||
}
|
||||
$e = 'span'; return ltrim(str_replace('<', '', $a2));
|
||||
}
|
||||
if($t == 2){$e = 0; return 0;}
|
||||
return '';
|
||||
@ -713,7 +713,7 @@ return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array(
|
||||
|
||||
function hl_version(){
|
||||
// rel
|
||||
return '1.1.17';
|
||||
return '1.1.22';
|
||||
// eof
|
||||
}
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
|
||||
/*
|
||||
htmLawedTest.php, 28 May 2013
|
||||
htmLawed 1.1.17, 11 March 2014
|
||||
htmLawed 1.1.22, 5 March 2016
|
||||
Copyright Santosh Patnaik
|
||||
Dual licensed with LGPL 3 and GPL 2+
|
||||
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||
|
@ -110,8 +110,8 @@ span.totop a, span.totop a:visited {color: #6699cc;}
|
||||
|
||||
<div id="body">
|
||||
<br />
|
||||
<div class="comment">htmLawed_README.txt, 11 March 2014<br />
|
||||
htmLawed 1.1.17, 11 March 2014<br />
|
||||
<div class="comment">htmLawed_README.txt, 5 March 2016<br />
|
||||
htmLawed 1.1.22, 5 March 2016<br />
|
||||
Copyright Santosh Patnaik<br />
|
||||
Dual licensed with LGPL 3 and GPL 2+<br />
|
||||
A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed">http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed</a> </div>
|
||||
@ -195,7 +195,7 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
  *  option to <strong>remove or neutralize bad content</strong> ^~`<br />
|
||||
  *  attempts to <strong>rectify common errors of plain-text misplacement</strong> (e.g., directly inside <span class="term">blockquote</span>) ^~`<br />
|
||||
<br />
|
||||
  *  fast, <strong>non-OOP</strong> code of ~45 kb incurring peak basal memory usage of ~0.5 MB<br />
|
||||
  *  fast, <strong>non-OOP</strong> code of ~50 kb incurring peak basal memory usage of ~0.5 MB<br />
|
||||
  *  <strong>compatible</strong> with pre-existing code using <span class="term">Kses</span> (the filter used by <span class="term">WordPress</span>)<br />
|
||||
<br />
|
||||
  *  optional <strong>anti-spam</strong> measures such as addition of <span class="term">rel="nofollow"</span> and link-disabling  ~`<br />
|
||||
@ -554,36 +554,38 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
<br />
|
||||
  Rules regarding <strong>attribute values</strong> are optionally specified inside round brackets after attribute names in slash ('/')-separated <em>parameter = value</em> pairs. E.g., <span class="term">title(maxlen=30/minlen=5)</span>. None or one or more of the following parameters may be specified:<br />
|
||||
<br />
|
||||
  *  <span class="term">oneof</span> - one or more choices separated by <span class="term">|</span> that the value should match; if only one choice is provided, then the value must match that choice<br />
|
||||
  *  <span class="term">oneof</span> - one or more choices separated by <span class="term">|</span> that the value should match; if only one choice is provided, then the value must match that choice; matching is case-sensitive<br />
|
||||
<br />
|
||||
  *  <span class="term">noneof</span> - one or more choices separated by <span class="term">|</span> that the value should not match<br />
|
||||
  *  <span class="term">noneof</span> - one or more choices separated by <span class="term">|</span> that the value should not match; matching is case-sensitive<br />
|
||||
<br />
|
||||
  *  <span class="term">maxlen</span> and <span class="term">minlen</span> - upper and lower limits for the number of characters in the attribute value; specified in numbers<br />
|
||||
<br />
|
||||
  *  <span class="term">maxval</span> and <span class="term">minval</span> - upper and lower limits for the numerical value specified in the attribute value; specified in numbers<br />
|
||||
<br />
|
||||
  *  <span class="term">match</span> and <span class="term">nomatch</span> - pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers<br />
|
||||
  *  <span class="term">match</span> and <span class="term">nomatch</span> - pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers (e.g., to specify case-sensitivity for matching)<br />
|
||||
<br />
|
||||
  *  <span class="term">default</span> - a value to force on the attribute if the value provided by the writer does not fit any of the specified parameters<br />
|
||||
<br />
|
||||
  If <span class="term">default</span> is not set and the attribute value does not satisfy any of the specified parameters, then the attribute is removed. The <span class="term">default</span> value can also be used to force all attribute declarations to take the same value (by getting the values declared illegal by setting, e.g., <span class="term">maxlen</span> to <span class="term">-1</span>).<br />
|
||||
<br />
|
||||
  Examples with <em>input</em> <span class="term"><input title="WIDTH" value="10em" /><input title="length" value="5" /></span> are shown below.<br />
|
||||
  Examples with <em>input</em> <span class="term"><input title="WIDTH" value="10em" /><input title="length" value="5" class="ic1 ic2" /></span> are shown below.<br />
|
||||
<br />
|
||||
  <em>Rule</em>: <span class="term">input=title(maxlen=60/minlen=6), value</span><br />
|
||||
  <em>Output</em>: <span class="term"><input value="10em" /><input title="length" value="5" /></span><br />
|
||||
  <em>Output</em>: <span class="term"><input value="10em" /><input title="length" value="5" class="ic1 ic2" /></span><br />
|
||||
<br />
|
||||
  <em>Rule</em>: <span class="term">input=title(), value(maxval=8/default=6)</span><br />
|
||||
  <em>Output</em>: <span class="term"><input title="WIDTH" value="6" /><input title="length" value="5" /></span><br />
|
||||
  <em>Output</em>: <span class="term"><input title="WIDTH" value="6" /><input title="length" value="5" class="ic1 ic2" /></span><br />
|
||||
<br />
|
||||
  <em>Rule</em>: <span class="term">input=title(nomatch=%w.d%i), value(match=%em%/default=6em)</span><br />
|
||||
  <em>Output</em>: <span class="term"><input value="10em" /><input title="length" value="6em" /></span><br />
|
||||
  <em>Output</em>: <span class="term"><input value="10em" /><input title="length" value="6em" class="ic1 ic2" /></span><br />
|
||||
<br />
|
||||
  <em>Rule</em>: <span class="term">input=title(oneof=height|depth/default=depth), value(noneof=5|6)</span><br />
|
||||
  <em>Output</em>: <span class="term"><input title="depth" value="10em" /><input title="depth" /></span><br />
|
||||
  <em>Rule</em>: <span class="term">input=class(noneof=ic2|ic3/oneof=ic1|ic4), title(oneof=height|depth/default=depth), value(noneof=5|6)</span><br />
|
||||
  <em>Output</em>: <span class="term"><input title="depth" value="10em" /><input title="depth" class="ic1" /></span><br />
|
||||
<br />
|
||||
  <strong>Special characters</strong>: The characters <span class="term">;</span>, <span class="term">,</span>, <span class="term">/</span>, <span class="term">(</span>, <span class="term">)</span>, <span class="term">|</span>, <span class="term">~</span> and space have special meanings in the rules. Words in the rules that use such characters, or the characters themselves, should be <em>escaped</em> by enclosing in pairs of double-quotes (<span class="term">"</span>). A back-tick (<span class="term">`</span>) can be used to escape a literal <span class="term">"</span>. An example rule illustrating this is <span class="term">input=value(maxlen=30/match="/^\w/"/default="your `"ID`"")</span>.<br />
|
||||
<br />
|
||||
  <strong>Attributes that accept multiple values</strong>: If an attribute is <span class="term">accesskey</span>, <span class="term">class</span>, or <span class="term">rel</span>, which can have multiple, space-separated values, htmLawed will parse the attribute value for such multiple values and will test each of them individually.<br />
|
||||
<br />
|
||||
  <strong>Note</strong>: To deny an attribute for all elements for which it is legal, <span class="term">$config["deny_attribute"]</span> (see <a href="#s3.4">section 3.4</a>) can be used instead of <span class="term">$spec</span>. Also, attributes can be allowed element-specifically through <span class="term">$spec</span> while being denied globally through <span class="term">$config["deny_attribute"]</span>. The <span class="term">hook_tag</span> parameter (<a href="#s3.4.9">section 3.4.9</a>) can also be possibly used to implement a functionality like that achieved using <span class="term">$spec</span> functionality.<br />
|
||||
<br />
|
||||
  <span class="term">$spec</span> can also be used to permit custom, non-standard attributes as well as custom rules for standard attributes. Thus, the following value of <span class="term">$spec</span> will permit the custom uses of the standard <span class="term">rel</span> attribute in <span class="term">input</span> (not permitted as per standards) and of a non-standard attribute, <span class="term">vFlag</span>, in <span class="term">img</span>.<br />
|
||||
@ -1250,7 +1252,7 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
<a name="s3.4" id="s3.4"></a><span class="item-no">3.4</span>  Attributes
|
||||
</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
|
||||
<br />
|
||||
  htmLawed will only permit attributes described in the HTML specs (including deprecated ones). It also permits some attributes for use with the <span class="term">embed</span> element (the non-standard <span class="term">embed</span> element is supported in htmLawed because of its widespread use), and the the <span class="term">xml:space</span> attribute (valid only in XHTML 1.1). A list of such 111 attributes and the elements they are allowed in is in <a href="#s5.2">section 5.2</a>. Using the <span class="term">$spec</span> argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (<a href="#s2.3">section 2.3</a>).<br />
|
||||
  htmLawed will only permit attributes described in the HTML specs (including deprecated ones). It also permits some attributes for use with the <span class="term">embed</span> element (the non-standard <span class="term">embed</span> element is supported in htmLawed because of its widespread use), and the <span class="term">allowfullscreen</span> (in <span class="term">iframe</span>, because of its widespread use), <span class="term">bordercolor</span> (in <span class="term">table</span>, <span class="term">td</span> and <span class="term">tr</span>, because of its widespread use), and <span class="term">xml:space</span> (valid only in XHTML 1.1) attributes. A list of such 112 attributes and the elements they are allowed in is in <a href="#s5.2">section 5.2</a>. Using the <span class="term">$spec</span> argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (<a href="#s2.3">section 2.3</a>).<br />
|
||||
<br />
|
||||
  When <span class="term">$config["deny_attribute"]</span> is not set, or set to <span class="term">0</span>, or empty (<span class="term">""</span>), all the 111 attributes are permitted. Otherwise, <span class="term">$config["deny_attribute"]</span> can be set as a list of comma-separated names of the denied attributes. <span class="term">on*</span> can be used to refer to the group of potentially dangerous, script-accepting attributes: <span class="term">onblur</span>, <span class="term">onchange</span>, <span class="term">onclick</span>, <span class="term">ondblclick</span>, <span class="term">onfocus</span>, <span class="term">onkeydown</span>, <span class="term">onkeypress</span>, <span class="term">onkeyup</span>, <span class="term">onmousedown</span>, <span class="term">onmousemove</span>, <span class="term">onmouseout</span>, <span class="term">onmouseover</span>, <span class="term">onmouseup</span>, <span class="term">onreset</span>, <span class="term">onselect</span> and <span class="term">onsubmit</span>.<br />
|
||||
<br />
|
||||
@ -1773,6 +1775,17 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
<br />
|
||||
  <em>Version number - Release date. Notes</em><br />
|
||||
<br />
|
||||
<br />
|
||||
  1.1.22 - 5 March 2016. Improved testing of attribute value rules specified in <span class="term">$spec</span>.<br />
|
||||
<br />
|
||||
  1.1.21 - 27 February 2016. Improvement and security fix in transforming <span class="term">font</span> element.<br />
|
||||
<br />
|
||||
  1.1.20 - 9 June 2015. Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML4) standard <span class="term">allowfullscreen</span> attribute of <span class="term">iframe.</span><br />
|
||||
<br />
|
||||
  1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc.<br />
|
||||
<br />
|
||||
  1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags<br />
|
||||
<br />
|
||||
  1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with <span class="term">e</span> modifier for compatibility with PHP 5.5<br />
|
||||
<br />
|
||||
  1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specially encoded space characters in URL schemes/protocols<br />
|
||||
@ -1904,7 +1917,7 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
<a name="s4.10" id="s4.10"></a><span class="item-no">4.10</span>  Acknowledgements
|
||||
</h3><span class="totop"><a href="#peak">(to top)</a></span><br style="clear: both;" />
|
||||
<br />
|
||||
  Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Harro Verton, Edward Yang, and many anonymous users.<br />
|
||||
  Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.<br />
|
||||
<br />
|
||||
  Thank you!<br />
|
||||
|
||||
@ -1928,8 +1941,9 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
<br />
|
||||
  Valid attribute-element combinations as per <a href="http://www.w3c.org">W3C</a> specs.<br />
|
||||
<br />
|
||||
  *  includes deprecated attributes (marked <span class="term">^</span>), attributes for the non-standard <span class="term">embed</span> element (marked <span class="term">*</span>), and the proprietary <span class="term">bordercolor</span> (marked <span class="term">~</span>)<br />
|
||||
  *  includes deprecated attributes (marked <span class="term">^</span>), attributes for the non-standard <span class="term">embed</span> element (marked <span class="term">*</span>), and the non-standard <span class="term">allowfullscreen</span> and <span class="term">bordercolor</span> (marked <span class="term">~</span>)<br />
|
||||
  *  only non-frameset, HTML body elements<br />
|
||||
  * <span class="term">accesskey</span>, <span class="term">class</span> and <span class="term">rel</span> can have multiple, space-separated values<br />
|
||||
  *  <span class="term">name</span> for <span class="term">a</span> and <span class="term">map</span>, and <span class="term">lang</span> are invalid in XHTML 1.1<br />
|
||||
  *  <span class="term">target</span> is valid for <span class="term">a</span> in XHTML 1.1 and higher<br />
|
||||
  *  <span class="term">xml:space</span> is only for XHTML 1.1<br />
|
||||
@ -1940,6 +1954,7 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
  accesskey - a, area, button, input, label, legend, textarea<br />
|
||||
  action - form<br />
|
||||
  align - caption^, embed, applet, iframe, img^, input^, object^, legend^, table^, hr^, div^, h1^, h2^, h3^, h4^, h5^, h6^, p^, col, colgroup, tbody, td, tfoot, th, thead, tr<br />
|
||||
  allowfullscreen - iframe~<br />
|
||||
  alt - applet, area, img, input<br />
|
||||
  archive - applet, object<br />
|
||||
  axis - td, th<br />
|
||||
@ -2173,7 +2188,7 @@ A PHP Labware internal utility - <a href="http://www.bioinformatics.org/phpl
|
||||
</div>
|
||||
</div>
|
||||
<br />
|
||||
<hr /><br /><br /><span class="subtle"><small>HTM version of <em><a href="htmLawed_README.txt">htmLawed_README.txt</a></em> generated on 11 Mar, 2014 using <a href="http://www.bioinformatics.org/phplabware/internal_utilities">rTxt2htm</a> from PHP Labware</small></span>
|
||||
<hr /><br /><br /><span class="subtle"><small>HTM version of <em><a href="htmLawed_README.txt">htmLawed_README.txt</a></em> generated on 06 Mar, 2016 using <a href="http://www.bioinformatics.org/phplabware/internal_utilities">rTxt2htm</a> from PHP Labware</small></span>
|
||||
</div><!-- ended div body -->
|
||||
</div><!-- ended div top -->
|
||||
</body>
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
htmLawed_README.txt, 11 March 2014
|
||||
htmLawed 1.1.17, 11 March 2014
|
||||
htmLawed_README.txt, 5 March 2016
|
||||
htmLawed 1.1.22, 5 March 2016
|
||||
Copyright Santosh Patnaik
|
||||
Dual licensed with LGPL 3 and GPL 2+
|
||||
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||
@ -146,7 +146,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
* option to *remove or neutralize bad content* ^~`
|
||||
* attempts to *rectify common errors of plain-text misplacement* (e.g., directly inside 'blockquote') ^~`
|
||||
|
||||
* fast, *non-OOP* code of ~45 kb incurring peak basal memory usage of ~0.5 MB
|
||||
* fast, *non-OOP* code of ~50 kb incurring peak basal memory usage of ~0.5 MB
|
||||
* *compatible* with pre-existing code using 'Kses' (the filter used by 'WordPress')
|
||||
|
||||
* optional *anti-spam* measures such as addition of 'rel="nofollow"' and link-disabling ~`
|
||||
@ -469,36 +469,38 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
|
||||
Rules regarding *attribute values* are optionally specified inside round brackets after attribute names in slash ('/')-separated `parameter = value` pairs. E.g., 'title(maxlen=30/minlen=5)'. None or one or more of the following parameters may be specified:
|
||||
|
||||
* 'oneof' - one or more choices separated by '|' that the value should match; if only one choice is provided, then the value must match that choice
|
||||
* 'oneof' - one or more choices separated by '|' that the value should match; if only one choice is provided, then the value must match that choice; matching is case-sensitive
|
||||
|
||||
* 'noneof' - one or more choices separated by '|' that the value should not match
|
||||
* 'noneof' - one or more choices separated by '|' that the value should not match; matching is case-sensitive
|
||||
|
||||
* 'maxlen' and 'minlen' - upper and lower limits for the number of characters in the attribute value; specified in numbers
|
||||
|
||||
* 'maxval' and 'minval' - upper and lower limits for the numerical value specified in the attribute value; specified in numbers
|
||||
|
||||
* 'match' and 'nomatch' - pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers
|
||||
* 'match' and 'nomatch' - pattern that the attribute value should or should not match; specified as PHP/PCRE-compatible regular expressions with delimiters and possibly modifiers (e.g., to specify case-sensitivity for matching)
|
||||
|
||||
* 'default' - a value to force on the attribute if the value provided by the writer does not fit any of the specified parameters
|
||||
|
||||
If 'default' is not set and the attribute value does not satisfy any of the specified parameters, then the attribute is removed. The 'default' value can also be used to force all attribute declarations to take the same value (by getting the values declared illegal by setting, e.g., 'maxlen' to '-1').
|
||||
|
||||
Examples with `input` '<input title="WIDTH" value="10em" /><input title="length" value="5" />' are shown below.
|
||||
Examples with `input` '<input title="WIDTH" value="10em" /><input title="length" value="5" class="ic1 ic2" />' are shown below.
|
||||
|
||||
`Rule`: 'input=title(maxlen=60/minlen=6), value'
|
||||
`Output`: '<input value="10em" /><input title="length" value="5" />'
|
||||
`Output`: '<input value="10em" /><input title="length" value="5" class="ic1 ic2" />'
|
||||
|
||||
`Rule`: 'input=title(), value(maxval=8/default=6)'
|
||||
`Output`: '<input title="WIDTH" value="6" /><input title="length" value="5" />'
|
||||
`Output`: '<input title="WIDTH" value="6" /><input title="length" value="5" class="ic1 ic2" />'
|
||||
|
||||
`Rule`: 'input=title(nomatch=%w.d%i), value(match=%em%/default=6em)'
|
||||
`Output`: '<input value="10em" /><input title="length" value="6em" />'
|
||||
`Output`: '<input value="10em" /><input title="length" value="6em" class="ic1 ic2" />'
|
||||
|
||||
`Rule`: 'input=title(oneof=height|depth/default=depth), value(noneof=5|6)'
|
||||
`Output`: '<input title="depth" value="10em" /><input title="depth" />'
|
||||
`Rule`: 'input=class(noneof=ic2|ic3/oneof=ic1|ic4), title(oneof=height|depth/default=depth), value(noneof=5|6)'
|
||||
`Output`: '<input title="depth" value="10em" /><input title="depth" class="ic1" />'
|
||||
|
||||
*Special characters*: The characters ';', ',', '/', '(', ')', '|', '~' and space have special meanings in the rules. Words in the rules that use such characters, or the characters themselves, should be `escaped` by enclosing in pairs of double-quotes ('"'). A back-tick ('`') can be used to escape a literal '"'. An example rule illustrating this is 'input=value(maxlen=30/match="/^\w/"/default="your `"ID`"")'.
|
||||
|
||||
*Attributes that accept multiple values*: If an attribute is 'accesskey', 'class', or 'rel', which can have multiple, space-separated values, htmLawed will parse the attribute value for such multiple values and will test each of them individually.
|
||||
|
||||
*Note*: To deny an attribute for all elements for which it is legal, '$config["deny_attribute"]' (see section:- #3.4) can be used instead of '$spec'. Also, attributes can be allowed element-specifically through '$spec' while being denied globally through '$config["deny_attribute"]'. The 'hook_tag' parameter (section:- #3.4.9) can also be possibly used to implement a functionality like that achieved using '$spec' functionality.
|
||||
|
||||
'$spec' can also be used to permit custom, non-standard attributes as well as custom rules for standard attributes. Thus, the following value of '$spec' will permit the custom uses of the standard 'rel' attribute in 'input' (not permitted as per standards) and of a non-standard attribute, 'vFlag', in 'img'.
|
||||
@ -991,7 +993,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
-- 3.4 Attributes ------------------------------------------------oo
|
||||
|
||||
|
||||
htmLawed will only permit attributes described in the HTML specs (including deprecated ones). It also permits some attributes for use with the 'embed' element (the non-standard 'embed' element is supported in htmLawed because of its widespread use), and the the 'xml:space' attribute (valid only in XHTML 1.1). A list of such 111 attributes and the elements they are allowed in is in section:- #5.2. Using the '$spec' argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (section:- #2.3).
|
||||
htmLawed will only permit attributes described in the HTML specs (including deprecated ones). It also permits some attributes for use with the 'embed' element (the non-standard 'embed' element is supported in htmLawed because of its widespread use), and the 'allowfullscreen' (in 'iframe', because of its widespread use), 'bordercolor' (in 'table', 'td' and 'tr', because of its widespread use), and 'xml:space' (valid only in XHTML 1.1) attributes. A list of such 112 attributes and the elements they are allowed in is in section:- #5.2. Using the '$spec' argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (section:- #2.3).
|
||||
|
||||
When '$config["deny_attribute"]' is not set, or set to '0', or empty ('""'), all the 111 attributes are permitted. Otherwise, '$config["deny_attribute"]' can be set as a list of comma-separated names of the denied attributes. 'on*' can be used to refer to the group of potentially dangerous, script-accepting attributes: 'onblur', 'onchange', 'onclick', 'ondblclick', 'onfocus', 'onkeydown', 'onkeypress', 'onkeyup', 'onmousedown', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onreset', 'onselect' and 'onsubmit'.
|
||||
|
||||
@ -1344,6 +1346,17 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
|
||||
`Version number - Release date. Notes`
|
||||
|
||||
|
||||
1.1.22 - 5 March 2016. Improved testing of attribute value rules specified in '$spec'.
|
||||
|
||||
1.1.21 - 27 February 2016. Improvement and security fix in transforming 'font' element.
|
||||
|
||||
1.1.20 - 9 June 2015. Fix for a potential security vulnerability arising from unescaped double-quote character in single-quoted attribute value of some deprecated elements when tag transformation is enabled; recognition for non-(HTML4) standard 'allowfullscreen' attribute of 'iframe.'
|
||||
|
||||
1.1.19 - 19 January 2015. Fix for a bug in cleaning of soft-hyphens in URL values, etc.
|
||||
|
||||
1.1.18 - 2 August 2014. Fix for a potential security vulnerability arising from specially encoded text with serial opening tags
|
||||
|
||||
1.1.17 - 11 March 2014. Removed use of PHP function preg_replace with 'e' modifier for compatibility with PHP 5.5
|
||||
|
||||
1.1.16 - 29 August 2013. Fix for a potential security vulnerability arising from specially encoded space characters in URL schemes/protocols
|
||||
@ -1468,7 +1481,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
-- 4.10 Acknowledgements ------------------------------------------o
|
||||
|
||||
|
||||
Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Harro Verton, Edward Yang, and many anonymous users.
|
||||
Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.
|
||||
|
||||
Thank you!
|
||||
|
||||
@ -1489,8 +1502,9 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
|
||||
Valid attribute-element combinations as per W3C:- http://www.w3c.org specs.
|
||||
|
||||
* includes deprecated attributes (marked '^'), attributes for the non-standard 'embed' element (marked '*'), and the proprietary 'bordercolor' (marked '~')
|
||||
* includes deprecated attributes (marked '^'), attributes for the non-standard 'embed' element (marked '*'), and the non-standard 'allowfullscreen' and 'bordercolor' (marked '~')
|
||||
* only non-frameset, HTML body elements
|
||||
* 'accesskey', 'class' and 'rel' can have multiple, space-separated values
|
||||
* 'name' for 'a' and 'map', and 'lang' are invalid in XHTML 1.1
|
||||
* 'target' is valid for 'a' in XHTML 1.1 and higher
|
||||
* 'xml:space' is only for XHTML 1.1
|
||||
@ -1501,6 +1515,7 @@ A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/intern
|
||||
accesskey - a, area, button, input, label, legend, textarea
|
||||
action - form
|
||||
align - caption^, embed, applet, iframe, img^, input^, object^, legend^, table^, hr^, div^, h1^, h2^, h3^, h4^, h5^, h6^, p^, col, colgroup, tbody, td, tfoot, th, thead, tr
|
||||
allowfullscreen - iframe~
|
||||
alt - applet, area, img, input
|
||||
archive - applet, object
|
||||
axis - td, th
|
||||
|
@ -1,6 +1,6 @@
|
||||
/*
|
||||
htmLawed_TESTCASE.txt, 27 August 2013
|
||||
htmLawed 1.1.17, 11 March 2014
|
||||
htmLawed_TESTCASE.txt, 27 February 2016
|
||||
htmLawed 1.1.22, 5 March 2016
|
||||
Copyright Santosh Patnaik
|
||||
Dual licensed with LGPL 3 and GPL 2+
|
||||
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
|
||||
@ -372,7 +372,7 @@ na Alemanha.
|
||||
<h6>Tag transformation</h6>
|
||||
<strong>Font element intended as 'inline' element:</strong> <p><font color='red'>hi</font></p><br />
|
||||
<strong>Font element intended as 'block' element:</strong> <div><font color='red'><div>hi</div></font></div><br />
|
||||
<strong>Font element intended as 'block' element:</strong> <center><font color='red'><div>hi</div><div>QQQ</div></font></center><br />
|
||||
<strong>Font element intended as 'block' element:</strong> <center><font color='red' face="serif, 'Times'"><div>hi</div><div>QQQ</div></font></center><br />
|
||||
|
||||
<h6>Tidy</h6>
|
||||
<strong>White-space handling:</strong> abc<em> def </em> ghi abc <em>def</em> ghi
|
||||
@ -384,15 +384,19 @@ na Alemanha.
|
||||
<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL("a.gif");"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: url('js:xss')"></div><br />
|
||||
<strong>Double URLs:</strong> <a style="behaviour: url(foo) url(http://example.com/xss.htc)">b</a><br />
|
||||
<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f">, <a href="denied:http://c.com/d.f"></a><br />
|
||||
<strong>Soft-hyphen:</strong> <a href="http://q=ídisc">ídisc</a>
|
||||
|
||||
<h6>XSS</h6>
|
||||
|
||||
<img alt="<img onmouseover=confirm(1)//"<"">
|
||||
'';!--"<xss>=&{()}<br />
|
||||
<img src="javascript%3Aalert('xss');" /><br />
|
||||
<img src="javascript:alert('xss');" /><br />
|
||||
<img src="java script:alert('xss');" /><br />
|
||||
<img
|
||||
src=javascript:alert('XSS') /><br />
|
||||
<font color='#FF6699"onmouseover="alert(1)//'>test</font>
|
||||
<font color='<img//onerror="alert`www.ptsecurity.com`"src=Psych0tr1a'>
|
||||
<div style="javascript:alert('xss');"></div><br />
|
||||
<div style="background-image:url(javascript:alert('xss'));"></div><br />
|
||||
<div style="background-image:url("javascript:alert('xss')" );"></div><br />
|
||||
|
Loading…
Reference in New Issue
Block a user