3 // major TODO: hook into some sort of templating system that utilizes
4 // XHTML Compiler to process the template (cacheable, of course), before
5 // passing it along to this script
7 // using _REQUEST because we accept GET and POST requests
9 function getFormMethod() {
10 return (isset($_REQUEST['post'])) ?
'post' : 'get';
12 function escapeHTML($html) {
13 return htmlspecialchars(
14 HTMLPurifier_Encoder
::cleanUTF8($html), ENT_COMPAT
, 'UTF-8');
19 if (file_exists($dir = 'xhtml-compiler/conf/name.txt')) {
20 $name = trim(file_get_contents($dir));
21 } elseif (file_exists('xhtml-compiler/local.txt')) {
23 } elseif (file_exists('local.txt')) {
27 return $name == 'EZYANG' ||
$name == 'EZYANG2';
30 if (empty($_REQUEST['experimental'])) {
31 require_once 'live/library/HTMLPurifier.auto.php';
32 } elseif (!isLocal()) {
33 require_once 'dev/library/HTMLPurifier.auto.php';
35 require_once '../htmlpurifier/library/HTMLPurifier.auto.php';
37 require_once 'HTMLPurifier/Printer/ConfigForm.php';
39 // Permissible configuration options have to be chosen carefully; HTML
40 // Purifier wasn't designed for unfriendly user configuration, so
41 // certain configuration directives can be used to cause XSS attacks
42 // because they're not validated at all.
44 $allowed_lite = array(
46 'URI.DisableExternalResources',
53 'CSS.AllowedProperties',
56 '-AutoFormat.PurifierLinkify',
57 '-AutoFormat.PurifierLinkify.DocURL',
58 '-AutoFormat.RemoveEmpty.RemoveNbsp',
59 '-AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions'
62 $config = HTMLPurifier_Config
::loadArrayFromForm($_REQUEST, 'filter', $allowed_lite);
63 $purifier = new HTMLPurifier($config);
65 if (!empty($_REQUEST['strict'])) {
66 // backwards-compatibility
67 // (muting deprecated error)
68 @$config->set('HTML', 'Strict', true);
70 if (!empty($_REQUEST['experimental'])) {
71 //require_once 'HTMLPurifier/Lexer/PH5P.php';
72 //$config->set('Core', 'LexerImpl', 'PH5P');
73 //$config->set('HTML.SafeObject', true);
74 //$config->set('HTML.FlashCompat', true);
77 if (file_exists('demo.custom.php') && isLocal()) include 'demo.custom.php';
79 $definition = $config->getHTMLDefinition();
80 $doctype = $definition->doctype
;
82 if ($doctype->xml
&& stripos($_SERVER["HTTP_ACCEPT"], 'application/xhtml+xml') !== false && !isset($_REQUEST['debug'])) {
83 $type = 'application/xhtml+xml';
87 header("Content-type:$type;charset=UTF-8");
89 // prevent PHP versions with shorttags from barfing
91 echo '<?xml version="1.0" encoding="UTF-8" ?>' . PHP_EOL
;
94 if (!empty($doctype->dtdPublic
) && !empty($doctype->dtdSystem
)) {
95 echo '<!DOCTYPE html PUBLIC "'.$doctype->dtdPublic
.'" "'.$doctype->dtdSystem
.'">' . PHP_EOL
;
99 echo '<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">' . PHP_EOL
;
102 echo '<html lang="en">' . PHP_EOL
;
107 <title
>HTML Purifier Live Demo
</title
>
108 <!-- make sure all
empty elements that are not generated are
109 appropriately ended
-->
110 <meta name
="author" content
="Edward Z. Yang"<?php
echo $END; ?
>>
111 <meta http
-equiv
="Content-Type" content
="text/html; charset=UTF-8"<?php
echo $END; ?
>>
112 <link rel
="icon" href
="favicon.ico" type
="image/x-icon"<?php
echo $END; ?
>>
113 <link rel
="shortcut icon" href
="favicon.ico" type
="image/x-icon"<?php
echo $END; ?
>>
114 <link rel
="stylesheet" href
="common.css" type
="text/css"<?php
echo $END; ?
>>
115 <link rel
="stylesheet" href
="demo.css" type
="text/css"<?php
echo $END; ?
>>
116 <link rel
="stylesheet" href
="live/library/HTMLPurifier/Printer/ConfigForm.css" type
="text/css"<?php
echo $END; ?
>>
117 <script defer
="defer" type
="text/javascript" src
="live/library/HTMLPurifier/Printer/ConfigForm.js"></script
>
120 <div id
="logo"></div
>
121 <div id
="header"><a href
=".">HTML Purifier
</a
></div
>
123 if (file_exists('navigation.frag')) {
124 readfile('navigation.frag');
126 <div
><strong
>Please navigate to
<a href
="navigation.html">navigation
.html
</a
> to regenerate menu
</strong
></div
>
130 <h1 id
="title">Live Demo
</h1
>
134 if (!empty($_REQUEST['html'])) { // start result
136 if (strlen($_REQUEST['html']) > 50000) {
138 <p
>Request exceeds maximum allowed text size of
50kb
.</p
>
140 } else { // start main processing
142 $html = get_magic_quotes_gpc() ?
stripslashes($_REQUEST['html']) : $_REQUEST['html'];
143 $pure_html = $purifier->purify($html);
146 <p
>Here is your purified HTML
:</p
>
148 <?php
if(getFormMethod() == 'get') {
151 if ($doctype->name
== 'HTML 4.01 Transitional' ||
$doctype->name
== 'HTML 4.01 Strict') {
152 $img = 'http://www.w3.org/Icons/valid-html401';
153 } elseif ($doctype->name
== 'XHTML 1.0 Transitional' ||
$doctype->name
== 'XHTML 1.0 Strict') {
154 $img = 'http://www.w3.org/Icons/valid-xhtml10';
155 } elseif ($doctype->name
== 'XHTML 1.1') {
156 $img = 'http://www.w3.org/Icons/valid-xhtml11';
159 <div id
="w3c-validator">
160 <a href
="http://validator.w3.org/check?uri=referer" title
="Valid <?php echo escapeHTML($doctype->name); ?>">
163 src
="<?php echo escapeHTML($img); ?>" height
="31" width
="88"
164 alt
="Valid <?php echo escapeHTML($doctype->name); ?>"<?php
echo $END; ?
>>
166 Valid
<?php
echo escapeHTML($doctype->name
); ?
>
176 <div
class="clear"></div
>
178 <?php
if (@$config->get('Core', 'CollectErrors')) {
179 $e = $purifier->context
->get('ErrorCollector');
180 $class = $e->getRaw() ?
'fail' : 'pass';
182 <p
>Here are errors that occurred during purification
:</p
>
183 <div id
="errors" class="<?php echo $class ?>">
185 echo $e->getHTMLFormatted($config);
189 <p
>Here is the source code of the purified HTML
:</p
>
190 <pre id
="source"><?php
echo escapeHTML($pure_html); ?
></pre
>
192 if (getFormMethod() == 'post') { // start POST validation notice
194 <p
>If you would like to validate the code with
195 <a href
="http://validator.w3.org/#validate-by-input">W3C
's
196 validator</a>, copy and paste the <em>entire</em> demo page's source
.</p
>
198 } // end POST validation notice
201 <p
>Share this purification using the
<a href
="javascript:var%20e=document.createElement('script');e.setAttribute('language','javascript');e.setAttribute('src','http://bit.ly/bookmarklet/load.js');document.body.appendChild(e);void(0);">bit
.ly URL shortener
</a
>.</p
>
204 } // end main processing
210 <p
>Welcome to the live demo
. Enter some HTML
and see how HTML Purifier
217 <form id
="filter" action
="demo.php<?php
218 echo '?' . getFormMethod();
219 if (isset($_REQUEST['profile']) || isset($_REQUEST['XDEBUG_PROFILE'])) {
220 echo '&XDEBUG_PROFILE=1';
221 } ?>" method
="<?php echo getFormMethod(); ?>">
223 <legend
>HTML Purifier
Input (<?php
echo getFormMethod(); ?
>)</legend
>
226 $form_printer = new HTMLPurifier_Printer_ConfigForm('filter', 'http://htmlpurifier.org/live/configdoc/plain.html#%s', 14);
227 echo $form_printer->render($config, $allowed_lite, false);
231 <textarea name
="html" cols
="60" rows
="15"><?php
232 if (isset($html)) echo escapeHTML($html);
237 By
default, HTML Purifier may remove some of your spacing
or
238 indentation
. Turn on CollectErrors
or experimental features in
239 order to fully preserve whitespace
.
241 <?php
if (getFormMethod() == 'get') { ?
>
242 <p
><strong
>Warning
:</strong
> GET request method can only hold
243 8129 characters (probably less depending on your browser
).
244 If you need to test anything
245 larger than that
, try the
<a href
="?post">POST form
</a
>.</p
>
248 <input type
="submit" value
="Submit" name
="submit" class="button"<?php
echo $END; ?
>>
249 Use <abbr
class="elaborates" title
="This runs code from the master Git repository branch.">experimental features
</abbr
>: <input type
="checkbox" value
="1" <?php
if(!empty($_REQUEST['experimental'])) {echo 'checked="checked" ';} ?
>name
="experimental"<?php
echo $END; ?
>>
253 <p
class="lead">Try the form in
<a href
="?get">GET
</a
> and <a href
="?post">POST
</a
> request
254 flavors (GET is easy to validate with W3C
, but POST allows larger inputs
).
255 Don
't know what to test? Try out these sample filterings:</p>
257 <li><a href="demo.php?html=%3Cimg+src%3D%22javascript%3Aevil%28%29%3B%22+onload%3D%22evil%28%29%3B%22+%2F%3E">Malicious code removed</a></li>
258 <li><a href="demo.php?html=%3Cb%3EBold&submit=Submit">Missing end tags fixed</a></li>
259 <li><a href="demo.php?html=%3Cb%3EInline+%3Cdel%3Econtext+%3Cdiv%3ENo+block+allowed%3C%2Fdiv%3E%3C%2Fdel%3E%3C%2Fb%3E&submit=Submit">Illegal nesting fixed</a></li>
260 <li><a href="demo.php?html=%3Ccenter%3ECentered%3C%2Fcenter%3E&filter%5BHTML.Doctype%5D=XHTML+1.0+Strict&submit=Submit">Deprecated tags converted</a></li>
261 <li><a href="demo.php?html=%3Cspan+style%3D%22color%3A%23COW%3Bfloat%3Aaround%3Btext-decoration%3Ablink%3B%22%3EText%3C%2Fspan%3E&submit=Submit"><abbr>CSS</abbr> validated</a></li>
262 <li><a href="demo.php?html=%3Ctable%3E%0D%0A++%3Ccaption%3E%0D%0A++++Cool+table%0D%0A++%3C%2Fcaption%3E%0D%0A++%3Ctfoot%3E%0D%0A++++%3Ctr%3E%0D%0A++++++%3Cth%3EI+can+do+so+much%21%3C%2Fth%3E%0D%0A++++%3C%2Ftr%3E%0D%0A++%3C%2Ftfoot%3E%0D%0A++%3Ctr%3E%0D%0A++++%3Ctd+style%3D%22font-size%3A16pt%3B%0D%0A++++++color%3A%23F00%3Bfont-family%3Asans-serif%3B%0D%0A++++++text-align%3Acenter%3B%22%3EWow%3C%2Ftd%3E%0D%0A++%3C%2Ftr%3E%0D%0A%3C%2Ftable%3E&experimental=1&submit=Submit">Rich formatting preserved</a></li>