mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-26 09:53:20 +01:00
purifier upgrade to 4.3.0, add missing files
This commit is contained in:
Klaus Leithoff
parent
2a9198eb86
commit
53bb18041e
@ -0,0 +1,41 @@
|
||||
<?php
|
||||
|
||||
// must be called POST validation
|
||||
|
||||
/**
|
||||
* Adds rel="nofollow" to all outbound links. This transform is
|
||||
* only attached if Attr.Nofollow is TRUE.
|
||||
*/
|
||||
class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform
|
||||
{
|
||||
private $parser;
|
||||
|
||||
public function __construct() {
|
||||
$this->parser = new HTMLPurifier_URIParser();
|
||||
}
|
||||
|
||||
public function transform($attr, $config, $context) {
|
||||
|
||||
if (!isset($attr['href'])) {
|
||||
return $attr;
|
||||
}
|
||||
|
||||
// XXX Kind of inefficient
|
||||
$url = $this->parser->parse($attr['href']);
|
||||
$scheme = $url->getSchemeObj($config, $context);
|
||||
|
||||
if (!is_null($url->host) && $scheme !== false && $scheme->browsable) {
|
||||
if (isset($attr['rel'])) {
|
||||
$attr['rel'] .= ' nofollow';
|
||||
} else {
|
||||
$attr['rel'] = 'nofollow';
|
||||
}
|
||||
}
|
||||
|
||||
return $attr;
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
@ -0,0 +1,12 @@
|
||||
CSS.AllowedFonts
|
||||
TYPE: lookup/null
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Allows you to manually specify a set of allowed fonts. If
|
||||
<code>NULL</code>, all fonts are allowed. This directive
|
||||
affects generic names (serif, sans-serif, monospace, cursive,
|
||||
fantasy) as well as specific font families.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,13 @@
|
||||
CSS.ForbiddenProperties
|
||||
TYPE: lookup
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This is the logical inverse of %CSS.AllowedProperties, and it will
|
||||
override that directive or any other directive. If possible,
|
||||
%CSS.AllowedProperties is recommended over this directive,
|
||||
because it can sometimes be difficult to tell whether or not you've
|
||||
forbidden all of the CSS properties you truly would like to disallow.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,9 @@
|
||||
CSS.Trusted
|
||||
TYPE: bool
|
||||
VERSION: 4.2.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Indicates whether or not the user's CSS input is trusted or not. If the
|
||||
input is trusted, a more expansive set of allowed properties. See
|
||||
also %HTML.Trusted.
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,11 @@
|
||||
Cache.SerializerPermissions
|
||||
TYPE: int
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: 0755
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Directory permissions of the files and directories created inside
|
||||
the DefinitionCache/Serializer or other custom serializer path.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,11 @@
|
||||
Core.NormalizeNewlines
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to normalize newlines to the operating
|
||||
system default. When <code>false</code>, HTML Purifier
|
||||
will attempt to preserve mixed newline files.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,11 @@
|
||||
Core.RemoveProcessingInstructions
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Instead of escaping processing instructions in the form <code><? ...
|
||||
?></code>, remove it out-right. This may be useful if the HTML
|
||||
you are validating contains XML processing instruction gunk, however,
|
||||
it can also be user-unfriendly for people attempting to post PHP
|
||||
snippets.
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,11 @@
|
||||
HTML.FlashAllowFullScreen
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to permit embedded Flash content from
|
||||
%HTML.SafeObject to expand to the full screen. Corresponds to
|
||||
the <code>allowFullScreen</code> parameter.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,7 @@
|
||||
HTML.Nofollow
|
||||
TYPE: bool
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: FALSE
|
||||
--DESCRIPTION--
|
||||
If enabled, nofollow rel attributes are added to all outgoing links.
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,15 @@
|
||||
Output.FixInnerHTML
|
||||
TYPE: bool
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
If true, HTML Purifier will protect against Internet Explorer's
|
||||
mishandling of the <code>innerHTML</code> attribute by appending
|
||||
a space to any attribute that does not contain angled brackets, spaces
|
||||
or quotes, but contains a backtick. This slightly changes the
|
||||
semantics of any given attribute, so if this is unacceptable and
|
||||
you do not use <code>innerHTML</code> on any of your pages, you can
|
||||
turn this directive off.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@ -0,0 +1,19 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Module adds the nofollow attribute transformation to a tags. It
|
||||
* is enabled by HTML.Nofollow
|
||||
*/
|
||||
class HTMLPurifier_HTMLModule_Nofollow extends HTMLPurifier_HTMLModule
|
||||
{
|
||||
|
||||
public $name = 'Nofollow';
|
||||
|
||||
public function setup($config) {
|
||||
$a = $this->addBlankElement('a');
|
||||
$a->attr_transform_post[] = new HTMLPurifier_AttrTransform_Nofollow();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
@ -0,0 +1,11 @@
|
||||
<?php
|
||||
|
||||
class HTMLPurifier_URIFilter_DisableResources extends HTMLPurifier_URIFilter
|
||||
{
|
||||
public $name = 'DisableResources';
|
||||
public function filter(&$uri, $config, $context) {
|
||||
return !$context->get('EmbeddedURI', true);
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
@ -0,0 +1,32 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Validates file as defined by RFC 1630 and RFC 1738.
|
||||
*/
|
||||
class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme {
|
||||
|
||||
// Generally file:// URLs are not accessible from most
|
||||
// machines, so placing them as an img src is incorrect.
|
||||
public $browsable = false;
|
||||
|
||||
// Basically the *only* URI scheme for which this is true, since
|
||||
// accessing files on the local machine is very common. In fact,
|
||||
// browsers on some operating systems don't understand the
|
||||
// authority, though I hear it is used on Windows to refer to
|
||||
// network shares.
|
||||
public $may_omit_host = true;
|
||||
|
||||
public function doValidate(&$uri, $config, $context) {
|
||||
// Authentication method is not supported
|
||||
$uri->userinfo = null;
|
||||
// file:// makes no provisions for accessing the resource
|
||||
$uri->port = null;
|
||||
// While it seems to work on Firefox, the querystring has
|
||||
// no possible effect and is thus stripped.
|
||||
$uri->query = null;
|
||||
return true;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
Loading…
Reference in New Issue
Block a user