From cfc4ee1faf9e340a29b93d21590ea306140c6b71 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Fri, 12 Nov 2010 18:45:03 +0000
Subject: [PATCH] Add initial implementation of CSS.Trusted.

Signed-off-by: Edward Z. Yang
---
 NEWS | 2 ++
 configdoc/usage.xml | 11 ++++++++---
 library/HTMLPurifier/CSSDefinition.php | 21 +++++++++++++++++++++
 library/HTMLPurifier/ConfigSchema/schema.ser | Bin 13776 -> 13845 bytes
 .../ConfigSchema/schema/CSS.Trusted.txt | 9 +++++++++
 .../ConfigSchema/schema/HTML.Trusted.txt | 1 +
 tests/HTMLPurifier/AttrDef/CSSTest.php | 9 +++++++++
 7 files changed, 50 insertions(+), 3 deletions(-)
 rewrite library/HTMLPurifier/ConfigSchema/schema.ser (91%)
 create mode 100644 library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt

diff --git a/NEWS b/NEWS
index a0d2084b..7cb9ba57 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,8 @@ NEWS ( CHANGELOG and HISTORY )
 HTMLPurifier 4.2.1, unknown release date
 ! Added %HTML.Nofollow to add rel="nofollow" to external links.
 ! More types of SPL autoloaders allowed on later versions of PHP.
+! Implementations for position, top, left, right, bottom, z-index
+ when %CSS.Trusted is on.
 - Make removal of conditional IE comments ungreedy; thanks Bernd for reporting.
 - Escape CDATA before removing Internet Explorer comments.
diff --git a/configdoc/usage.xml b/configdoc/usage.xml
index d97dc6c9..42e60aa6 100644
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@@ -32,19 +32,24 @@ 218 - + 222 + + + 226 + + - 275 + 296 - 289 + 310
diff --git a/library/HTMLPurifier/CSSDefinition.php b/library/HTMLPurifier/CSSDefinition.php
index f0257da0..91619f5d 100644
--- a/library/HTMLPurifier/CSSDefinition.php
+++ b/library/HTMLPurifier/CSSDefinition.php
@@ -219,6 +219,10 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
 $this->doSetupTricky($config);
 }
+ if ($config->get('CSS.Trusted')) {
+ $this->doSetupTrusted($config);
+ }
+
 $allow_important = $config->get('CSS.AllowImportant');
 // wrap all attr-defs with decorator that handles !important
 foreach ($this->info as $k => $v) {
@@ -260,6 +264,23 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
 $this->info['overflow'] = new HTMLPurifier_AttrDef_Enum(array('visible', 'hidden', 'auto', 'scroll'));
 }
+ protected function doSetupTrusted($config) {
+ $this->info['position'] = new HTMLPurifier_AttrDef_Enum(array(
+ 'static', 'relative', 'absolute', 'fixed'
+ ));
+ $this->info['top'] =
+ $this->info['left'] =
+ $this->info['right'] =
+ $this->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+ new HTMLPurifier_AttrDef_CSS_Length(),
+ new HTMLPurifier_AttrDef_CSS_Percentage(),
+ new HTMLPurifier_AttrDef_Enum(array('auto')),
+ ));
+ $this->info['z-index'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+ new HTMLPurifier_AttrDef_Integer(),
+ new HTMLPurifier_AttrDef_Enum(array('auto')),
+ ));
+ }
 /**
 * Performs extra config-based processing. Based off of
diff --git a/library/HTMLPurifier/ConfigSchema/schema.ser b/library/HTMLPurifier/ConfigSchema/schema.ser
dissimilarity index 91%
index 1f99bb9b4035daafbfd4aa486149cdb94c709110..7946aad437a294c9ab028ca27cc6cc214d4ef3a6 100644
GIT binary patch
delta 102
zcwW1ZJvC>7IiuO+KtDb0K?zIiu<1dPUidp&2ZjudoR5pm0xdPxe(bWVF~^ub9I+`3j5FW*POLd;mY@ B6RrRN
diff --git a/library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt b/library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt
new file mode 100644
index 00000000..e733a61e
--- /dev/null
+++ b/library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt
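Review bot: `doSetupTrusted` is added without a docblock, although the neighbouring methods in this file carry one (the `/** Performs extra config-based processing …` block that directly follows it). I would add `/** Sets up property definitions that are only permitted when %CSS.Trusted is on. */` above the method, plus a one-line why-comment on the `position` and `z-index` entries: properties that take content out of normal flow and stack it over other page elements are precisely what the default, untrusted configuration must keep disabled, and the comment makes that gating intent explicit for the next maintainer. The `$config` argument is never read inside the body; it appears to mirror the `doSetupTricky($config)` signature above, so keeping it is fine, but a short note would save a lookup. The enclosing class continues outside the hunk.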
@@ -0,0 +1,9 @@
+CSS.Trusted
+TYPE: bool
+VERSION: 4.2.1
+DEFAULT: false
+--DESCRIPTION--
+Indicates whether or not the user's CSS input is trusted or not. If the
+input is trusted, a more expansive set of allowed properties. See
+also %HTML.Trusted.
+--# vim: et sw=4 sts=4
diff --git a/library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt b/library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt
index 89133b1a..1db9237e 100644
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt
@@ -5,4 +5,5 @@ DEFAULT: false
 --DESCRIPTION--
 Indicates whether or not the user input is trusted or not. If the input is trusted, a more expansive set of allowed tags and attributes will be used.
+See also %CSS.Trusted.
 --# vim: et sw=4 sts=4
diff --git a/tests/HTMLPurifier/AttrDef/CSSTest.php b/tests/HTMLPurifier/AttrDef/CSSTest.php
index 619a78c9..72a17e1a 100644
--- a/tests/HTMLPurifier/AttrDef/CSSTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSSTest.php
@@ -150,6 +150,15 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
 $this->assertDef('text-align:right;');
 }
+ function testTrusted() {
+ $this->config->set('CSS.Trusted', true);
+ $this->assertDef('position:relative;');
+ $this->assertDef('left:2px;');
+ $this->assertDef('right:100%;');
+ $this->assertDef('top:auto;');
+ $this->assertDef('z-index:-2;');
+ }
+
 }
 // vim: et sw=4 sts=4
--
2.11.4.GIT
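Review bot: `testTrusted` only checks that the new properties are accepted once `CSS.Trusted` is switched on; nothing in the hunk asserts that they are rejected under the default configuration, which is the behaviour the option exists to guarantee. Unless it is already covered elsewhere in the file, I would add a companion test next to it, `function testTrustedDisabledByDefault() {` / `    $this->assertDef('position:fixed;', false);` / `}`, assuming the harness's `assertDef` accepts `false` as the expected outcome, as I believe it does. Pinning the default-off case means a later change to the `CSS.Trusted` default or to the gating condition in `CSSDefinition` fails a test instead of silently widening the allowed property set. The enclosing test class starts outside the hunk.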