mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-26 09:53:20 +01:00
purifier upgrade to 4.3.0, add missing files
parent
2a9198eb86
commit
53bb18041e
@ -0,0 +1,41 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
// must be called POST validation
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Adds rel="nofollow" to all outbound links. This transform is
|
||||||
|
* only attached if Attr.Nofollow is TRUE.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform
|
||||||
|
{
|
||||||
|
private $parser;
|
||||||
|
|
||||||
|
public function __construct() {
|
||||||
|
$this->parser = new HTMLPurifier_URIParser();
|
||||||
|
}
|
||||||
|
|
||||||
|
public function transform($attr, $config, $context) {
|
||||||
|
|
||||||
|
if (!isset($attr['href'])) {
|
||||||
|
return $attr;
|
||||||
|
}
|
||||||
|
|
||||||
|
// XXX Kind of inefficient
|
||||||
|
$url = $this->parser->parse($attr['href']);
|
||||||
|
$scheme = $url->getSchemeObj($config, $context);
|
||||||
|
|
||||||
|
if (!is_null($url->host) && $scheme !== false && $scheme->browsable) {
|
||||||
|
if (isset($attr['rel'])) {
|
||||||
|
$attr['rel'] .= ' nofollow';
|
||||||
|
} else {
|
||||||
|
$attr['rel'] = 'nofollow';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $attr;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
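Review bot: When the link already has a rel attribute, transform() appends unconditionally with `$attr['rel'] .= ' nofollow';`, so markup that already carries rel="nofollow" ends up with a duplicated token; guarding the append with `if (!in_array('nofollow', explode(' ', $attr['rel'])))` keeps the value clean. The result of `$this->parser->parse($attr['href'])` is also used without a check, so if parse() can return a non-object for a malformed href (its body is not visible here), the `getSchemeObj()` call would be a fatal error rather than a skipped link. The class docblock says the transform is attached when Attr.Nofollow is TRUE, while the directive added elsewhere in this commit is HTML.Nofollow; the comment should name `HTML.Nofollow`. The host test treats every href with a host and a browsable scheme as outbound, including absolute links to the site itself, which the docblock could state.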
|
@ -0,0 +1,12 @@
|
|||||||
|
CSS.AllowedFonts
|
||||||
|
TYPE: lookup/null
|
||||||
|
VERSION: 4.3.0
|
||||||
|
DEFAULT: NULL
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Allows you to manually specify a set of allowed fonts. If
|
||||||
|
<code>NULL</code>, all fonts are allowed. This directive
|
||||||
|
affects generic names (serif, sans-serif, monospace, cursive,
|
||||||
|
fantasy) as well as specific font families.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,13 @@
|
|||||||
|
CSS.ForbiddenProperties
|
||||||
|
TYPE: lookup
|
||||||
|
VERSION: 4.2.0
|
||||||
|
DEFAULT: array()
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
This is the logical inverse of %CSS.AllowedProperties, and it will
|
||||||
|
override that directive or any other directive. If possible,
|
||||||
|
%CSS.AllowedProperties is recommended over this directive,
|
||||||
|
because it can sometimes be difficult to tell whether or not you've
|
||||||
|
forbidden all of the CSS properties you truly would like to disallow.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,9 @@
|
|||||||
|
CSS.Trusted
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.2.1
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
Indicates whether or not the user's CSS input is trusted or not. If the
|
||||||
|
input is trusted, a more expansive set of allowed properties. See
|
||||||
|
also %HTML.Trusted.
|
||||||
|
--# vim: et sw=4 sts=4
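Review bot: The description's second sentence has no verb (`If the input is trusted, a more expansive set of allowed properties.`) and never says what enabling the directive implies, which matters for a switch that widens what user-supplied CSS may contain. I would word it as `If the input is trusted, a more expansive set of properties is allowed; enable this only for CSS authored by trusted parties, not for user-submitted content.` The DEFAULT of false is the value to keep for any configuration that purifies untrusted input.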
|
@ -0,0 +1,11 @@
|
|||||||
|
Cache.SerializerPermissions
|
||||||
|
TYPE: int
|
||||||
|
VERSION: 4.3.0
|
||||||
|
DEFAULT: 0755
|
||||||
|
--DESCRIPTION--
|
||||||
|
|
||||||
|
<p>
|
||||||
|
Directory permissions of the files and directories created inside
|
||||||
|
the DefinitionCache/Serializer or other custom serializer path.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
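Review bot: The default of 0755 makes everything written under the serializer cache path world-readable, and the description says the same mode covers files as well as directories, which would also put the execute bit on cache files. The description should say this and point operators of multi-user hosts to a tighter value, for example by adding `On shared hosts consider 0750 or 0700 so that other local accounts cannot read the cache.` How the value is applied, and whether the process umask still masks it, is decided in the serializer code, which is not part of this section.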
|
@ -0,0 +1,11 @@
|
|||||||
|
Core.NormalizeNewlines
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.2.0
|
||||||
|
DEFAULT: true
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Whether or not to normalize newlines to the operating
|
||||||
|
system default. When <code>false</code>, HTML Purifier
|
||||||
|
will attempt to preserve mixed newline files.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
Core.RemoveProcessingInstructions
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.2.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
Instead of escaping processing instructions in the form <code><? ...
|
||||||
|
?></code>, remove it out-right. This may be useful if the HTML
|
||||||
|
you are validating contains XML processing instruction gunk, however,
|
||||||
|
it can also be user-unfriendly for people attempting to post PHP
|
||||||
|
snippets.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
HTML.FlashAllowFullScreen
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.2.0
|
||||||
|
DEFAULT: false
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
Whether or not to permit embedded Flash content from
|
||||||
|
%HTML.SafeObject to expand to the full screen. Corresponds to
|
||||||
|
the <code>allowFullScreen</code> parameter.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,7 @@
|
|||||||
|
HTML.Nofollow
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.3.0
|
||||||
|
DEFAULT: FALSE
|
||||||
|
--DESCRIPTION--
|
||||||
|
If enabled, nofollow rel attributes are added to all outgoing links.
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,15 @@
|
|||||||
|
Output.FixInnerHTML
|
||||||
|
TYPE: bool
|
||||||
|
VERSION: 4.3.0
|
||||||
|
DEFAULT: true
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
If true, HTML Purifier will protect against Internet Explorer's
|
||||||
|
mishandling of the <code>innerHTML</code> attribute by appending
|
||||||
|
a space to any attribute that does not contain angled brackets, spaces
|
||||||
|
or quotes, but contains a backtick. This slightly changes the
|
||||||
|
semantics of any given attribute, so if this is unacceptable and
|
||||||
|
you do not use <code>innerHTML</code> on any of your pages, you can
|
||||||
|
turn this directive off.
|
||||||
|
</p>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -0,0 +1,19 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Module adds the nofollow attribute transformation to a tags. It
|
||||||
|
* is enabled by HTML.Nofollow
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_HTMLModule_Nofollow extends HTMLPurifier_HTMLModule
|
||||||
|
{
|
||||||
|
|
||||||
|
public $name = 'Nofollow';
|
||||||
|
|
||||||
|
public function setup($config) {
|
||||||
|
$a = $this->addBlankElement('a');
|
||||||
|
$a->attr_transform_post[] = new HTMLPurifier_AttrTransform_Nofollow();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
@ -0,0 +1,11 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
class HTMLPurifier_URIFilter_DisableResources extends HTMLPurifier_URIFilter
|
||||||
|
{
|
||||||
|
public $name = 'DisableResources';
|
||||||
|
public function filter(&$uri, $config, $context) {
|
||||||
|
return !$context->get('EmbeddedURI', true);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
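Review bot: The filter has no docblock, and its single statement is hard to read without one: `return !$context->get('EmbeddedURI', true);` rejects the URI when the EmbeddedURI context flag is truthy and keeps it otherwise. If `get()` called with a true second argument returns null for an unregistered key (its definition is not visible here), a context that never set the flag lets every URI through, so the filter fails open. A class comment such as `/** Rejects URIs used in embedded-resource contexts (context flag EmbeddedURI); all other URIs are left alone. */` would make that contract explicit.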
|
@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates file as defined by RFC 1630 and RFC 1738.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme {
|
||||||
|
|
||||||
|
// Generally file:// URLs are not accessible from most
|
||||||
|
// machines, so placing them as an img src is incorrect.
|
||||||
|
public $browsable = false;
|
||||||
|
|
||||||
|
// Basically the *only* URI scheme for which this is true, since
|
||||||
|
// accessing files on the local machine is very common. In fact,
|
||||||
|
// browsers on some operating systems don't understand the
|
||||||
|
// authority, though I hear it is used on Windows to refer to
|
||||||
|
// network shares.
|
||||||
|
public $may_omit_host = true;
|
||||||
|
|
||||||
|
public function doValidate(&$uri, $config, $context) {
|
||||||
|
// Authentication method is not supported
|
||||||
|
$uri->userinfo = null;
|
||||||
|
// file:// makes no provisions for accessing the resource
|
||||||
|
$uri->port = null;
|
||||||
|
// While it seems to work on Firefox, the querystring has
|
||||||
|
// no possible effect and is thus stripped.
|
||||||
|
$uri->query = null;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
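Review bot: doValidate() clears userinfo, port and query but leaves `$uri->host` untouched, so a file URI that names a remote host (the network-share case mentioned in the comment above `$may_omit_host`) validates unchanged. Whether that matters depends on this scheme being allowed for untrusted input, which is configured outside this section; the class docblock should say the scheme is meant for trusted, local content. I would add `// Host is preserved on purpose; do not enable this scheme for untrusted input.` above `return true;`. The comment above `$uri->port = null;` also reads as truncated (`makes no provisions for accessing the resource`) and presumably means that file URIs have no use for a port.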
|