mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-03 05:14:12 +01:00
8f797be836
- can be used via html class like: $clean_html = html::purify($html); - using it now in eTemplate to remove malicious code from html: a) when displaying "formatted text" b) when "formatted text" get's input by the user
119 lines
4.5 KiB
PHP
Executable File
119 lines
4.5 KiB
PHP
Executable File
<?php
|
|
|
|
/**
|
|
* XHTML 1.1 Forms module, defines all form-related elements found in HTML 4.
|
|
*/
|
|
class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
|
|
{
|
|
public $name = 'Forms';
|
|
public $safe = false;
|
|
|
|
public $content_sets = array(
|
|
'Block' => 'Form',
|
|
'Inline' => 'Formctrl',
|
|
);
|
|
|
|
public function setup($config) {
|
|
$form = $this->addElement('form', 'Form',
|
|
'Required: Heading | List | Block | fieldset', 'Common', array(
|
|
'accept' => 'ContentTypes',
|
|
'accept-charset' => 'Charsets',
|
|
'action*' => 'URI',
|
|
'method' => 'Enum#get,post',
|
|
// really ContentType, but these two are the only ones used today
|
|
'enctype' => 'Enum#application/x-www-form-urlencoded,multipart/form-data',
|
|
));
|
|
$form->excludes = array('form' => true);
|
|
|
|
$input = $this->addElement('input', 'Formctrl', 'Empty', 'Common', array(
|
|
'accept' => 'ContentTypes',
|
|
'accesskey' => 'Character',
|
|
'alt' => 'Text',
|
|
'checked' => 'Bool#checked',
|
|
'disabled' => 'Bool#disabled',
|
|
'maxlength' => 'Number',
|
|
'name' => 'CDATA',
|
|
'readonly' => 'Bool#readonly',
|
|
'size' => 'Number',
|
|
'src' => 'URI#embeds',
|
|
'tabindex' => 'Number',
|
|
'type' => 'Enum#text,password,checkbox,button,radio,submit,reset,file,hidden,image',
|
|
'value' => 'CDATA',
|
|
));
|
|
$input->attr_transform_post[] = new HTMLPurifier_AttrTransform_Input();
|
|
|
|
$this->addElement('select', 'Formctrl', 'Required: optgroup | option', 'Common', array(
|
|
'disabled' => 'Bool#disabled',
|
|
'multiple' => 'Bool#multiple',
|
|
'name' => 'CDATA',
|
|
'size' => 'Number',
|
|
'tabindex' => 'Number',
|
|
));
|
|
|
|
$this->addElement('option', false, 'Optional: #PCDATA', 'Common', array(
|
|
'disabled' => 'Bool#disabled',
|
|
'label' => 'Text',
|
|
'selected' => 'Bool#selected',
|
|
'value' => 'CDATA',
|
|
));
|
|
// It's illegal for there to be more than one selected, but not
|
|
// be multiple. Also, no selected means undefined behavior. This might
|
|
// be difficult to implement; perhaps an injector, or a context variable.
|
|
|
|
$textarea = $this->addElement('textarea', 'Formctrl', 'Optional: #PCDATA', 'Common', array(
|
|
'accesskey' => 'Character',
|
|
'cols*' => 'Number',
|
|
'disabled' => 'Bool#disabled',
|
|
'name' => 'CDATA',
|
|
'readonly' => 'Bool#readonly',
|
|
'rows*' => 'Number',
|
|
'tabindex' => 'Number',
|
|
));
|
|
$textarea->attr_transform_pre[] = new HTMLPurifier_AttrTransform_Textarea();
|
|
|
|
$button = $this->addElement('button', 'Formctrl', 'Optional: #PCDATA | Heading | List | Block | Inline', 'Common', array(
|
|
'accesskey' => 'Character',
|
|
'disabled' => 'Bool#disabled',
|
|
'name' => 'CDATA',
|
|
'tabindex' => 'Number',
|
|
'type' => 'Enum#button,submit,reset',
|
|
'value' => 'CDATA',
|
|
));
|
|
|
|
// For exclusions, ideally we'd specify content sets, not literal elements
|
|
$button->excludes = $this->makeLookup(
|
|
'form', 'fieldset', // Form
|
|
'input', 'select', 'textarea', 'label', 'button', // Formctrl
|
|
'a' // as per HTML 4.01 spec, this is omitted by modularization
|
|
);
|
|
|
|
// Extra exclusion: img usemap="" is not permitted within this element.
|
|
// We'll omit this for now, since we don't have any good way of
|
|
// indicating it yet.
|
|
|
|
// This is HIGHLY user-unfriendly; we need a custom child-def for this
|
|
$this->addElement('fieldset', 'Form', 'Custom: (#WS?,legend,(Flow|#PCDATA)*)', 'Common');
|
|
|
|
$label = $this->addElement('label', 'Formctrl', 'Optional: #PCDATA | Inline', 'Common', array(
|
|
'accesskey' => 'Character',
|
|
// 'for' => 'IDREF', // IDREF not implemented, cannot allow
|
|
));
|
|
$label->excludes = array('label' => true);
|
|
|
|
$this->addElement('legend', false, 'Optional: #PCDATA | Inline', 'Common', array(
|
|
'accesskey' => 'Character',
|
|
));
|
|
|
|
$this->addElement('optgroup', false, 'Required: option', 'Common', array(
|
|
'disabled' => 'Bool#disabled',
|
|
'label*' => 'Text',
|
|
));
|
|
|
|
// Don't forget an injector for <isindex>. This one's a little complex
|
|
// because it maps to multiple elements.
|
|
|
|
}
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|