demo.php

   1 <?php
   2
   3 // major TODO: hook into some sort of templating system that utilizes
   4 // XHTML Compiler to process the template (cacheable, of course), before
   5 // passing it along to this script
   6
   7 // using _REQUEST because we accept GET and POST requests
   8
   9 function getFormMethod() {
  10     return (isset($_REQUEST['post'])) ? 'post' : 'get';
  11 }
  12 function escapeHTML($html) {
  13     return htmlspecialchars(
  14         HTMLPurifier_Encoder::cleanUTF8($html), ENT_COMPAT, 'UTF-8');
  15 }
  16 function isLocal() {
  17     return file_exists('xhtml-compiler/local.txt');
  18 }
  19
  20 if (!isLocal()) {
  21     if (empty($_REQUEST['experimental'])) {
  22         require_once 'live/library/HTMLPurifier.auto.php';
  23     } else {
  24         require_once 'dev/library/HTMLPurifier.auto.php';
  25     }
  26 } else {
  27     // local dev
  28     require_once '../htmlpurifier/library/HTMLPurifier.auto.php';
  29 }
  30 require_once 'HTMLPurifier/Printer/ConfigForm.php';
  31
  32 $allowed_lite = array(
  33     'Core.CollectErrors',
  34     'URI.DisableExternalResources',
  35     'URI.Munge',
  36     'HTML.TidyLevel',
  37     'HTML.Doctype',
  38     'HTML.Allowed',
  39     'CSS',
  40     'AutoFormat',
  41     '-AutoFormat.Custom',
  42     '-AutoFormat.PurifierLinkify',
  43 );
  44
  45 $config = HTMLPurifier_Config::loadArrayFromForm($_REQUEST, 'filter', $allowed_lite);
  46
  47 if (!empty($_REQUEST['strict'])) {
  48     // backwards-compatibility
  49     $config->set('HTML', 'Strict', true);
  50 }
  51 if (!empty($_REQUEST['experimental'])) {
  52     require_once 'HTMLPurifier/Lexer/PH5P.php';
  53     $config->set('Core', 'LexerImpl', 'PH5P');
  54 }
  55
  56 if (file_exists('demo.custom.php') && isLocal()) include 'demo.custom.php';
  57
  58 $definition = $config->getHTMLDefinition();
  59 $doctype = $definition->doctype;
  60
  61 if ($doctype->xml && stripos($_SERVER["HTTP_ACCEPT"], 'application/xhtml+xml') !== false && !isset($_REQUEST['debug'])) {
  62     $type = 'application/xhtml+xml';
  63 } else {
  64     $type = 'text/html';
  65 }
  66 header("Content-type:$type;charset=UTF-8");
  67
  68 // prevent PHP versions with shorttags from barfing
  69 if ($doctype->xml) {
  70     echo '<?xml version="1.0" encoding="UTF-8" ?>' . PHP_EOL;
  71 }
  72
  73 if (!empty($doctype->dtdPublic) && !empty($doctype->dtdSystem)) {
  74     echo '<!DOCTYPE html PUBLIC "'.$doctype->dtdPublic.'" "'.$doctype->dtdSystem.'">' . PHP_EOL;
  75 }
  76
  77 if ($doctype->xml) {
  78     echo '<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">' . PHP_EOL;
  79     $END = ' /';
  80 } else {
  81     echo '<html lang="en">' . PHP_EOL;
  82     $END = '';
  83 }
  84
  85 ?><head>
  86     <title>HTML Purifier Live Demo</title>
  87     <!-- make sure all empty elements that are not generated are
  88      appropriately ended -->
  89     <meta name="author" content="Edward Z. Yang"<?php echo $END; ?>>
  90     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"<?php echo $END; ?>>
  91     <link rel="icon" href="favicon.ico" type="image/x-icon"<?php echo $END; ?>>
  92     <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"<?php echo $END; ?>>
  93     <link rel="stylesheet" href="common.css" type="text/css"<?php echo $END; ?>>
  94     <link rel="stylesheet" href="demo.css" type="text/css"<?php echo $END; ?>>
  95     <link rel="stylesheet" href="live/library/HTMLPurifier/Printer/ConfigForm.css" type="text/css"<?php echo $END; ?>>
  96     <script defer="defer" type="text/javascript" src="live/library/HTMLPurifier/Printer/ConfigForm.js"></script>
  97 </head>
  98 <body>
  99 <div id="logo"></div>
 100 <div id="header"><a href=".">HTML Purifier</a></div>
 101 <?php readfile('navigation.frag'); ?>
 102 <h1 id="title">Live Demo</h1>
 103 <div id="alt-content">
 104 <?php
 105
 106 if (!empty($_REQUEST['html'])) { // start result
 107
 108     if (strlen($_REQUEST['html']) > 50000) {
 109         ?>
 110         <p>Request exceeds maximum allowed text size of 50kb.</p>
 111         <?php
 112     } else { // start main processing
 113
 114     $html = get_magic_quotes_gpc() ? stripslashes($_REQUEST['html']) : $_REQUEST['html'];
 115     $purifier = new HTMLPurifier($config);
 116     $pure_html = $purifier->purify($html);
 117
 118 ?>
 119 <p>Here is your purified HTML:</p>
 120 <div id="output">
 121 <?php if(getFormMethod() == 'get') {
 122 // calculate image
 123 $img = false;
 124 if ($doctype->name == 'HTML 4.01 Transitional' || $doctype->name == 'HTML 4.01 Strict') {
 125     $img = 'http://www.w3.org/Icons/valid-html401';
 126 } elseif ($doctype->name == 'XHTML 1.0 Transitional' || $doctype->name == 'XHTML 1.0 Strict') {
 127     $img = 'http://www.w3.org/Icons/valid-xhtml10';
 128 } elseif ($doctype->name == 'XHTML 1.1') {
 129     $img = 'http://www.w3.org/Icons/valid-xhtml11';
 130 }
 131 ?>
 132   <div id="w3c-validator">
 133     <a href="http://validator.w3.org/check?uri=referer" title="Valid <?php echo escapeHTML($doctype->name); ?>">
 134     <?php if ($img) { ?>
 135       <img
 136         src="<?php echo escapeHTML($img); ?>" height="31" width="88"
 137         alt="Valid <?php echo escapeHTML($doctype->name); ?>"<?php echo $END; ?>>
 138     <?php } else { ?>
 139       Valid <?php echo escapeHTML($doctype->name); ?>
 140     <?php } ?>
 141     </a>
 142   </div>
 143 <?php } ?>
 144 <?php
 145
 146 echo $pure_html;
 147
 148 ?>
 149 <div class="clear"></div>
 150 </div>
 151 <?php if ($config->get('Core', 'CollectErrors')) {
 152     $e = $purifier->context->get('ErrorCollector');
 153     $class = $e->getRaw() ? 'fail' : 'pass';
 154 ?>
 155     <p>Here are errors that occurred during purification:</p>
 156     <div id="errors" class="<?php echo $class ?>">
 157     <?php
 158     echo $e->getHTMLFormatted($config);
 159     ?>
 160 </div>
 161 <?php } ?>
 162 <p>Here is the source code of the purified HTML:</p>
 163 <pre id="source"><?php echo escapeHTML($pure_html); ?></pre>
 164 <?php
 165 if (getFormMethod() == 'post') { // start POST validation notice
 166 ?>
 167     <p>If you would like to validate the code with
 168     <a href="http://validator.w3.org/#validate-by-input">W3C's
 169     validator</a>, copy and paste the <em>entire</em> demo page's source.</p>
 170 <?php
 171 } // end POST validation notice
 172
 173 } // end main processing
 174
 175 // end result
 176 } else {
 177
 178 ?>
 179 <p>Welcome to the live demo.  Enter some HTML and see how HTML Purifier
 180 will filter it.</p>
 181 <?php
 182
 183 }
 184
 185 ?>
 186 <form id="filter" action="demo.php<?php
 187 echo '?' . getFormMethod();
 188 if (isset($_REQUEST['profile']) || isset($_REQUEST['XDEBUG_PROFILE'])) {
 189     echo '&amp;XDEBUG_PROFILE=1';
 190 } ?>" method="<?php echo getFormMethod();  ?>">
 191     <fieldset>
 192         <legend>HTML Purifier Input (<?php echo getFormMethod(); ?>)</legend>
 193
 194         <?php
 195 $form_printer = new HTMLPurifier_Printer_ConfigForm('filter', 'http://htmlpurifier.org/live/configdoc/plain.html#%s', 14);
 196 echo $form_printer->render($config, $allowed_lite, false);
 197         ?>
 198
 199         <div id="textarea">
 200         <textarea name="html" cols="60" rows="15"><?php
 201 if (isset($html)) echo escapeHTML($html);
 202         ?></textarea>
 203         </div>
 204
 205         <?php if (getFormMethod() == 'get') { ?>
 206             <p><strong>Warning:</strong> GET request method can only hold
 207                 8129 characters (probably less depending on your browser).
 208                 If you need to test anything
 209                 larger than that, try the <a href="?post">POST form</a>.</p>
 210         <?php } ?>
 211         <div>
 212             <input type="submit" value="Submit" name="submit" class="button"<?php echo $END; ?>>
 213             Use experimental features: <input type="checkbox" value="1" <?php if(!empty($_REQUEST['experimental'])) {echo 'checked="checked" ';} ?>name="experimental"<?php echo $END; ?>>
 214         </div>
 215     </fieldset>
 216 </form>
 217 <p>Try the form in <a href="?get">GET</a> and <a href="?post">POST</a> request
 218 flavors (GET is easy to validate with W3C, but POST allows larger inputs).
 219 Don't know what to test? Try out these sample filterings:</p>
 220 <ul>
 221     <li><a href="demo.php?html=%3Cimg+src%3D%22javascript%3Aevil%28%29%3B%22+onload%3D%22evil%28%29%3B%22+%2F%3E">Malicious code removed</a></li>
 222     <li><a href="demo.php?html=%3Cb%3EBold&amp;submit=Submit">Missing end tags fixed</a></li>
 223     <li><a href="demo.php?html=%3Cb%3EInline+%3Cdel%3Econtext+%3Cdiv%3ENo+block+allowed%3C%2Fdiv%3E%3C%2Fdel%3E%3C%2Fb%3E&amp;submit=Submit">Illegal nesting fixed</a></li>
 224     <li><a href="demo.php?html=%3Ccenter%3ECentered%3C%2Fcenter%3E&amp;filter%5BHTML.Doctype%5D=XHTML+1.0+Strict&amp;submit=Submit">Deprecated tags converted</a></li>
 225     <li><a href="demo.php?html=%3Cspan+style%3D%22color%3A%23COW%3Bfloat%3Aaround%3Btext-decoration%3Ablink%3B%22%3EText%3C%2Fspan%3E&amp;submit=Submit"><abbr>CSS</abbr> validated</a></li>
 226     <li><a href="demo.php?html=%3Ctable%3E%0D%0A++%3Ccaption%3E%0D%0A++++Cool+table%0D%0A++%3C%2Fcaption%3E%0D%0A++%3Ctfoot%3E%0D%0A++++%3Ctr%3E%0D%0A++++++%3Cth%3EI+can+do+so+much%21%3C%2Fth%3E%0D%0A++++%3C%2Ftr%3E%0D%0A++%3C%2Ftfoot%3E%0D%0A++%3Ctr%3E%0D%0A++++%3Ctd+style%3D%22font-size%3A16pt%3B%0D%0A++++++color%3A%23F00%3Bfont-family%3Asans-serif%3B%0D%0A++++++text-align%3Acenter%3B%22%3EWow%3C%2Ftd%3E%0D%0A++%3C%2Ftr%3E%0D%0A%3C%2Ftable%3E&amp;submit=Submit">Rich formatting preserved</a></li>
 227 </ul>
 228 </div>
 229 </body>
 230 </html>