demo.php

   1 <?php
   2
   3 // major TODO: hook into some sort of templating system that utilizes
   4 // XHTML Compiler to process the template (cacheable, of course), before
   5 // passing it along to this script
   6
   7 // using _REQUEST because we accept GET and POST requests
   8
   9 $content = empty($_REQUEST['xml']) ? 'text/html' : 'application/xhtml+xml';
  10 header("Content-type:$content;charset=UTF-8");
  11
  12 // prevent PHP versions with shorttags from barfing
  13 echo '<?xml version="1.0" encoding="UTF-8" ?>
  14 ';
  15
  16 function getFormMethod() {
  17     return (isset($_REQUEST['post'])) ? 'post' : 'get';
  18 }
  19
  20 function escapeHTML($html) {
  21     return htmlspecialchars(
  22         HTMLPurifier_Encoder::cleanUTF8($html), ENT_COMPAT, 'UTF-8');
  23 }
  24
  25 /*
  26 Approved directives:
  27     * - Dangerous, but workable
  28     ! - Needs special processing by demo
  29
  30     Core.EscapeInvalidChildren
  31     Core.ColorKeywords
  32     Core.EscapeNonASCIICharacters
  33     Core.AcceptFullDocuments
  34     Core.EscapeInvalidTags
  35     Core.RemoveInvalidImg
  36     (missing: Core.Encoding!)
  37
  38     Attr.EnableID*
  39     Attr.IDPrefix*
  40     Attr.IDPrefixLocal*
  41     Attr.IDBlacklistRegexp*
  42     Attr.AllowedRel*
  43     Attr.AllowedRev*
  44     Attr.DefaultTextDir!
  45     Attr.DefaultInvalidImage
  46     Attr.DefaultInvalidImageAlt
  47     Attr.AllowedFrameTargets!
  48     Attr.IDBlacklist*!
  49
  50     URI.AllowedSchemes*!
  51     URI.DefaultScheme
  52     URI.Host
  53     URI.DisableExternal
  54     URI.DisableExternalResources
  55     URI.DisableResources
  56     URI.Munge
  57     URI.HostBlacklist
  58     URI.Disable
  59     (missing: OverrideAllowedSchemes)
  60
  61     HTML.TidyLevel
  62     HTML.TidyAdd
  63     HTML.TidyRemove
  64     HTML.Doctype!
  65     HTML.Trusted***
  66     HTML.AllowedModules
  67     HTML.BlockWrapper
  68     HTML.Parent!*
  69     HTML.AllowedElements
  70     HTML.AllowedAttributes
  71     (missing: Strict, XHTML, CoreModules)
  72
  73     Output.CommentScriptContents
  74     Output.TidyFormat
  75
  76 */
  77
  78 if (empty($_REQUEST['strict'])) {
  79 ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  80      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  81 <?php
  82 } else {
  83 ?>
  84 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  85     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
  86 <?php
  87 }
  88 ?>
  89 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
  90 <head>
  91     <title>HTML Purifier Live Demo</title>
  92     <meta name="author" content="Edward Z. Yang" />
  93     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  94     <link rel="icon" href="favicon.ico" type="image/x-icon" />
  95     <link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />
  96     <link rel="stylesheet" href="common.css" type="text/css" />
  97 </head>
  98 <body>
  99 <div id="logo"></div>
 100 <div id="header"><a href=".">HTML Purifier</a></div>
 101 <!-- add navigation soon! -->
 102 <h1 id="title">Live Demo</h1>
 103 <div id="content">
 104 <?php
 105
 106 if (!file_exists('xhtml-compiler/local.txt')) {
 107     require_once 'live/library/HTMLPurifier.auto.php';
 108 } else {
 109     require_once '../htmlpurifier/library/HTMLPurifier.auto.php';
 110 }
 111
 112 if (!empty($_REQUEST['html'])) { // start result
 113
 114     if (strlen($_REQUEST['html']) > 50000) {
 115         ?>
 116         <p>Request exceeds maximum allowed text size of 50kb.</p>
 117         <?php
 118     } else { // start main processing
 119
 120     $html = get_magic_quotes_gpc() ? stripslashes($_REQUEST['html']) : $_REQUEST['html'];
 121
 122     $config = HTMLPurifier_Config::createDefault();
 123     $config->set('Core', 'TidyFormat', !empty($_REQUEST['tidy']));
 124     $config->set('HTML', 'Strict',     !empty($_REQUEST['strict']));
 125     $purifier = new HTMLPurifier($config);
 126     $pure_html = $purifier->purify($html);
 127
 128 ?>
 129 <p>Here is your purified HTML:</p>
 130 <div style="border:5px solid #BCC8D8; margin:1em 10%; padding:1em;">
 131 <?php if(getFormMethod() == 'get') { ?>
 132 <div style="float:right;">
 133     <a href="http://validator.w3.org/check?uri=referer"><img
 134         src="http://www.w3.org/Icons/valid-xhtml10"
 135         alt="Valid XHTML 1.0 Transitional" height="31" width="88" style="border:0;" /></a>
 136 </div>
 137 <?php } ?>
 138 <?php
 139
 140 echo $pure_html;
 141
 142 ?>
 143 <div style="clear:both;"></div>
 144 </div>
 145 <p>Here is the source code of the purified HTML:</p>
 146 <pre><?php
 147
 148 echo escapeHTML($pure_html);
 149
 150 ?></pre>
 151 <?php
 152 if (getFormMethod() == 'post') { // start POST validation notice
 153 ?>
 154 <p>If you would like to validate the code with
 155 <a href="http://validator.w3.org/#validate-by-input">W3C's
 156 validator</a>, copy and paste the <em>entire</em> demo page's source.</p>
 157 <?php
 158 } // end POST validation notice
 159
 160 } // end main processing
 161
 162 // end result
 163 } else {
 164
 165 ?>
 166 <p>Welcome to the live demo.  Enter some HTML and see how HTML Purifier
 167 will filter it.</p>
 168 <?php
 169
 170 }
 171
 172 ?>
 173 <form id="filter" action="demo.php<?php
 174 echo '?' . getFormMethod();
 175 if (isset($_REQUEST['profile']) || isset($_REQUEST['XDEBUG_PROFILE'])) {
 176     echo '&amp;XDEBUG_PROFILE=1';
 177 } ?>" method="<?php echo getFormMethod();  ?>">
 178     <fieldset>
 179         <legend>HTML Purifier Input (<?php echo getFormMethod(); ?>)</legend>
 180         <textarea name="html" cols="60" rows="15"><?php
 181
 182 if (isset($html)) {
 183     echo escapeHTML($html);
 184 }
 185         ?></textarea>
 186         <?php if (getFormMethod() == 'get') { ?>
 187             <p><strong>Warning:</strong> GET request method can only hold
 188                 8129 characters (probably less depending on your browser).
 189                 If you need to test anything
 190                 larger than that, try the <a href="?post">POST form</a>.</p>
 191         <?php } ?>
 192         <?php if (extension_loaded('tidy')) { ?>
 193             <div>Nicely format output with Tidy? <input type="checkbox" value="1"
 194             name="tidy"<?php if (!empty($_REQUEST['tidy'])) echo ' checked="checked"'; ?> /></div>
 195         <?php } ?>
 196         <div>XHTML 1.0 Strict output? <input type="checkbox" value="1"
 197         name="strict"<?php if (!empty($_REQUEST['strict'])) echo ' checked="checked"'; ?> /></div>
 198         <div>Serve as application/xhtml+xml? (not for IE) <input type="checkbox" value="1"
 199         name="xml"<?php if (!empty($_REQUEST['xml'])) echo ' checked="checked"'; ?> /></div>
 200         <div>
 201             <input type="submit" value="Submit" name="submit" class="button" />
 202         </div>
 203     </fieldset>
 204 </form>
 205 <p>Try the form in <a href="?get">GET</a> and <a href="?post">POST</a> request
 206 flavors (GET is easy to validate with W3C, but POST allows larger inputs).</p>
 207 </div>
 208 </body>
 209 </html>