library/HTMLPurifier/EntityParser.php

   1 <?php
   2
   3 // if want to implement error collecting here, we'll need to use some sort
   4 // of global data (probably trigger_error) because it's impossible to pass
   5 // $config or $context to the callback functions.
   6
   7 /**
   8  * Handles referencing and derefencing character entities
   9  */
  10 class HTMLPurifier_EntityParser
  11 {
  12
  13     /**
  14      * Reference to entity lookup table.
  15      * @type HTMLPurifier_EntityLookup
  16      */
  17     protected $_entity_lookup;
  18
  19     /**
  20      * Callback regex string for entities in text.
  21      * @type string
  22      */
  23     protected $_textEntitiesRegex;
  24
  25     /**
  26      * Callback regex string for entities in attributes.
  27      * @type string
  28      */
  29     protected $_attrEntitiesRegex;
  30
  31     /**
  32      * Tests if the beginning of a string is a semi-optional regex
  33      */
  34     protected $_semiOptionalPrefixRegex;
  35
  36     public function __construct() {
  37         // From
  38         // http://stackoverflow.com/questions/15532252/why-is-reg-being-rendered-as-without-the-bounding-semicolon
  39         $semi_optional = "quot|QUOT|lt|LT|gt|GT|amp|AMP|AElig|Aacute|Acirc|Agrave|Aring|Atilde|Auml|COPY|Ccedil|ETH|Eacute|Ecirc|Egrave|Euml|Iacute|Icirc|Igrave|Iuml|Ntilde|Oacute|Ocirc|Ograve|Oslash|Otilde|Ouml|REG|THORN|Uacute|Ucirc|Ugrave|Uuml|Yacute|aacute|acirc|acute|aelig|agrave|aring|atilde|auml|brvbar|ccedil|cedil|cent|copy|curren|deg|divide|eacute|ecirc|egrave|eth|euml|frac12|frac14|frac34|iacute|icirc|iexcl|igrave|iquest|iuml|laquo|macr|micro|middot|nbsp|not|ntilde|oacute|ocirc|ograve|ordf|ordm|oslash|otilde|ouml|para|plusmn|pound|raquo|reg|sect|shy|sup1|sup2|sup3|szlig|thorn|times|uacute|ucirc|ugrave|uml|uuml|yacute|yen|yuml";
  40
  41         // NB: three empty captures to put the fourth match in the right
  42         // place
  43         $this->_semiOptionalPrefixRegex = "/&()()()($semi_optional)/";
  44
  45         $this->_textEntitiesRegex =
  46             '/&(?:'.
  47             // hex
  48             '[#]x([a-fA-F0-9]+);?|'.
  49             // dec
  50             '[#]0*(\d+);?|'.
  51             // string (mandatory semicolon)
  52             // NB: order matters: match semicolon preferentially
  53             '([A-Za-z_:][A-Za-z0-9.\-_:]*);|'.
  54             // string (optional semicolon)
  55             "($semi_optional)".
  56             ')/';
  57
  58         $this->_attrEntitiesRegex =
  59             '/&(?:'.
  60             // hex
  61             '[#]x([a-fA-F0-9]+);?|'.
  62             // dec
  63             '[#]0*(\d+);?|'.
  64             // string (mandatory semicolon)
  65             // NB: order matters: match semicolon preferentially
  66             '([A-Za-z_:][A-Za-z0-9.\-_:]*);|'.
  67             // string (optional semicolon)
  68             // don't match if trailing is equals or alphanumeric (URL
  69             // like)
  70             "($semi_optional)(?![=;A-Za-z0-9])".
  71             ')/';
  72
  73     }
  74
  75     /**
  76      * Substitute entities with the parsed equivalents.  Use this on
  77      * textual data in an HTML document (as opposed to attributes.)
  78      *
  79      * @param string $string String to have entities parsed.
  80      * @return string Parsed string.
  81      */
  82     public function substituteTextEntities($string)
  83     {
  84         return preg_replace_callback(
  85             $this->_textEntitiesRegex,
  86             array($this, 'entityCallback'),
  87             $string
  88         );
  89     }
  90
  91     /**
  92      * Substitute entities with the parsed equivalents.  Use this on
  93      * attribute contents in documents.
  94      *
  95      * @param string $string String to have entities parsed.
  96      * @return string Parsed string.
  97      */
  98     public function substituteAttrEntities($string)
  99     {
 100         return preg_replace_callback(
 101             $this->_attrEntitiesRegex,
 102             array($this, 'entityCallback'),
 103             $string
 104         );
 105     }
 106
 107     /**
 108      * Callback function for substituteNonSpecialEntities() that does the work.
 109      *
 110      * @param array $matches  PCRE matches array, with 0 the entire match, and
 111      *                  either index 1, 2 or 3 set with a hex value, dec value,
 112      *                  or string (respectively).
 113      * @return string Replacement string.
 114      */
 115
 116     protected function entityCallback($matches)
 117     {
 118         $entity = $matches[0];
 119         $hex_part = @$matches[1];
 120         $dec_part = @$matches[2];
 121         $named_part = empty($matches[3]) ? @$matches[4] : $matches[3];
 122         if ($hex_part !== NULL && $hex_part !== "") {
 123             return HTMLPurifier_Encoder::unichr(hexdec($hex_part));
 124         } elseif ($dec_part !== NULL && $dec_part !== "") {
 125             return HTMLPurifier_Encoder::unichr((int) $dec_part);
 126         } else {
 127             if (!$this->_entity_lookup) {
 128                 $this->_entity_lookup = HTMLPurifier_EntityLookup::instance();
 129             }
 130             if (isset($this->_entity_lookup->table[$named_part])) {
 131                 return $this->_entity_lookup->table[$named_part];
 132             } else {
 133                 // exact match didn't match anything, so test if
 134                 // any of the semicolon optional match the prefix.
 135                 // Test that this is an EXACT match is important to
 136                 // prevent infinite loop
 137                 if (!empty($matches[3])) {
 138                     return preg_replace_callback(
 139                         $this->_semiOptionalPrefixRegex,
 140                         array($this, 'entityCallback'),
 141                         $entity
 142                     );
 143                 }
 144                 return $entity;
 145             }
 146         }
 147     }
 148
 149     // LEGACY CODE BELOW
 150
 151     /**
 152      * Callback regex string for parsing entities.
 153      * @type string
 154      */
 155     protected $_substituteEntitiesRegex =
 156         '/&(?:[#]x([a-fA-F0-9]+)|[#]0*(\d+)|([A-Za-z_:][A-Za-z0-9.\-_:]*));?/';
 157         //     1. hex             2. dec      3. string (XML style)
 158
 159     /**
 160      * Decimal to parsed string conversion table for special entities.
 161      * @type array
 162      */
 163     protected $_special_dec2str =
 164             array(
 165                     34 => '"',
 166                     38 => '&',
 167                     39 => "'",
 168                     60 => '<',
 169                     62 => '>'
 170             );
 171
 172     /**
 173      * Stripped entity names to decimal conversion table for special entities.
 174      * @type array
 175      */
 176     protected $_special_ent2dec =
 177             array(
 178                     'quot' => 34,
 179                     'amp'  => 38,
 180                     'lt'   => 60,
 181                     'gt'   => 62
 182             );
 183
 184     /**
 185      * Substitutes non-special entities with their parsed equivalents. Since
 186      * running this whenever you have parsed character is t3h 5uck, we run
 187      * it before everything else.
 188      *
 189      * @param string $string String to have non-special entities parsed.
 190      * @return string Parsed string.
 191      */
 192     public function substituteNonSpecialEntities($string)
 193     {
 194         // it will try to detect missing semicolons, but don't rely on it
 195         return preg_replace_callback(
 196             $this->_substituteEntitiesRegex,
 197             array($this, 'nonSpecialEntityCallback'),
 198             $string
 199         );
 200     }
 201
 202     /**
 203      * Callback function for substituteNonSpecialEntities() that does the work.
 204      *
 205      * @param array $matches  PCRE matches array, with 0 the entire match, and
 206      *                  either index 1, 2 or 3 set with a hex value, dec value,
 207      *                  or string (respectively).
 208      * @return string Replacement string.
 209      */
 210
 211     protected function nonSpecialEntityCallback($matches)
 212     {
 213         // replaces all but big five
 214         $entity = $matches[0];
 215         $is_num = (@$matches[0][1] === '#');
 216         if ($is_num) {
 217             $is_hex = (@$entity[2] === 'x');
 218             $code = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
 219             // abort for special characters
 220             if (isset($this->_special_dec2str[$code])) {
 221                 return $entity;
 222             }
 223             return HTMLPurifier_Encoder::unichr($code);
 224         } else {
 225             if (isset($this->_special_ent2dec[$matches[3]])) {
 226                 return $entity;
 227             }
 228             if (!$this->_entity_lookup) {
 229                 $this->_entity_lookup = HTMLPurifier_EntityLookup::instance();
 230             }
 231             if (isset($this->_entity_lookup->table[$matches[3]])) {
 232                 return $this->_entity_lookup->table[$matches[3]];
 233             } else {
 234                 return $entity;
 235             }
 236         }
 237     }
 238
 239     /**
 240      * Substitutes only special entities with their parsed equivalents.
 241      *
 242      * @notice We try to avoid calling this function because otherwise, it
 243      * would have to be called a lot (for every parsed section).
 244      *
 245      * @param string $string String to have non-special entities parsed.
 246      * @return string Parsed string.
 247      */
 248     public function substituteSpecialEntities($string)
 249     {
 250         return preg_replace_callback(
 251             $this->_substituteEntitiesRegex,
 252             array($this, 'specialEntityCallback'),
 253             $string
 254         );
 255     }
 256
 257     /**
 258      * Callback function for substituteSpecialEntities() that does the work.
 259      *
 260      * This callback has same syntax as nonSpecialEntityCallback().
 261      *
 262      * @param array $matches  PCRE-style matches array, with 0 the entire match, and
 263      *                  either index 1, 2 or 3 set with a hex value, dec value,
 264      *                  or string (respectively).
 265      * @return string Replacement string.
 266      */
 267     protected function specialEntityCallback($matches)
 268     {
 269         $entity = $matches[0];
 270         $is_num = (@$matches[0][1] === '#');
 271         if ($is_num) {
 272             $is_hex = (@$entity[2] === 'x');
 273             $int = $is_hex ? hexdec($matches[1]) : (int) $matches[2];
 274             return isset($this->_special_dec2str[$int]) ?
 275                 $this->_special_dec2str[$int] :
 276                 $entity;
 277         } else {
 278             return isset($this->_special_ent2dec[$matches[3]]) ?
 279                 $this->_special_dec2str[$this->_special_ent2dec[$matches[3]]] :
 280                 $entity;
 281         }
 282     }
 283 }
 284
 285 // vim: et sw=4 sts=4