library/HTMLPurifier/AttrDef.php

   1 <?php
   2
   3 /**
   4  * Base class for all validating attribute definitions.
   5  *
   6  * This family of classes forms the core for not only HTML attribute validation,
   7  * but also any sort of string that needs to be validated or cleaned (which
   8  * means CSS properties and composite definitions are defined here too).
   9  * Besides defining (through code) what precisely makes the string valid,
  10  * subclasses are also responsible for cleaning the code if possible.
  11  */
  12
  13 abstract class HTMLPurifier_AttrDef
  14 {
  15
  16     /**
  17      * Tells us whether or not an HTML attribute is minimized.
  18      * Has no meaning in other contexts.
  19      * @type bool
  20      */
  21     public $minimized = false;
  22
  23     /**
  24      * Tells us whether or not an HTML attribute is required.
  25      * Has no meaning in other contexts
  26      * @type bool
  27      */
  28     public $required = false;
  29
  30     /**
  31      * Validates and cleans passed string according to a definition.
  32      *
  33      * @param string $string String to be validated and cleaned.
  34      * @param HTMLPurifier_Config $config Mandatory HTMLPurifier_Config object.
  35      * @param HTMLPurifier_Context $context Mandatory HTMLPurifier_Context object.
  36      */
  37     abstract public function validate($string, $config, $context);
  38
  39     /**
  40      * Convenience method that parses a string as if it were CDATA.
  41      *
  42      * This method process a string in the manner specified at
  43      * <http://www.w3.org/TR/html4/types.html#h-6.2> by removing
  44      * leading and trailing whitespace, ignoring line feeds, and replacing
  45      * carriage returns and tabs with spaces.  While most useful for HTML
  46      * attributes specified as CDATA, it can also be applied to most CSS
  47      * values.
  48      *
  49      * @note This method is not entirely standards compliant, as trim() removes
  50      *       more types of whitespace than specified in the spec. In practice,
  51      *       this is rarely a problem, as those extra characters usually have
  52      *       already been removed by HTMLPurifier_Encoder.
  53      *
  54      * @warning This processing is inconsistent with XML's whitespace handling
  55      *          as specified by section 3.3.3 and referenced XHTML 1.0 section
  56      *          4.7.  However, note that we are NOT necessarily
  57      *          parsing XML, thus, this behavior may still be correct. We
  58      *          assume that newlines have been normalized.
  59      */
  60     public function parseCDATA($string)
  61     {
  62         $string = trim($string);
  63         $string = str_replace(array("\n", "\t", "\r"), ' ', $string);
  64         return $string;
  65     }
  66
  67     /**
  68      * Factory method for creating this class from a string.
  69      * @param string $string String construction info
  70      * @return HTMLPurifier_AttrDef Created AttrDef object corresponding to $string
  71      */
  72     public function make($string)
  73     {
  74         // default implementation, return a flyweight of this object.
  75         // If $string has an effect on the returned object (i.e. you
  76         // need to overload this method), it is best
  77         // to clone or instantiate new copies. (Instantiation is safer.)
  78         return $this;
  79     }
  80
  81     /**
  82      * Removes spaces from rgb(0, 0, 0) so that shorthand CSS properties work
  83      * properly. THIS IS A HACK!
  84      * @param string $string a CSS colour definition
  85      * @return string
  86      */
  87     protected function mungeRgb($string)
  88     {
  89         $p = '\s*(\d+(\.\d+)?([%]?))\s*';
  90
  91         if (preg_match('/(rgba|hsla)\(/', $string)) {
  92             return preg_replace('/(rgba|hsla)\('.$p.','.$p.','.$p.','.$p.'\)/', '\1(\2,\5,\8,\11)', $string);
  93         }
  94
  95         return preg_replace('/(rgb|hsl)\('.$p.','.$p.','.$p.'\)/', '\1(\2,\5,\8)', $string);
  96     }
  97
  98     /**
  99      * Parses a possibly escaped CSS string and returns the "pure"
 100      * version of it.
 101      */
 102     protected function expandCSSEscape($string)
 103     {
 104         // flexibly parse it
 105         $ret = '';
 106         for ($i = 0, $c = strlen($string); $i < $c; $i++) {
 107             if ($string[$i] === '\\') {
 108                 $i++;
 109                 if ($i >= $c) {
 110                     $ret .= '\\';
 111                     break;
 112                 }
 113                 if (ctype_xdigit($string[$i])) {
 114                     $code = $string[$i];
 115                     for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
 116                         if (!ctype_xdigit($string[$i])) {
 117                             break;
 118                         }
 119                         $code .= $string[$i];
 120                     }
 121                     // We have to be extremely careful when adding
 122                     // new characters, to make sure we're not breaking
 123                     // the encoding.
 124                     $char = HTMLPurifier_Encoder::unichr(hexdec($code));
 125                     if (HTMLPurifier_Encoder::cleanUTF8($char) === '') {
 126                         continue;
 127                     }
 128                     $ret .= $char;
 129                     if ($i < $c && trim($string[$i]) !== '') {
 130                         $i--;
 131                     }
 132                     continue;
 133                 }
 134                 if ($string[$i] === "\n") {
 135                     continue;
 136                 }
 137             }
 138             $ret .= $string[$i];
 139         }
 140         return $ret;
 141     }
 142 }
 143
 144 // vim: et sw=4 sts=4