From eac628f49064705d11ae6eca869ba724f497a3a0 Mon Sep 17 00:00:00 2001 From: "Edward Z. Yang" Date: Sat, 4 Sep 2010 02:59:03 -0400 Subject: [PATCH] Add %CSS.ForbiddenProperties directive. Signed-off-by: Edward Z. Yang
---
NEWS | 1 + configdoc/usage.xml | 9 +++++++-- library/HTMLPurifier.includes.php | 1 + library/HTMLPurifier.safe-includes.php | 1 + library/HTMLPurifier/CSSDefinition.php | 19 ++++++++++++++----- library/HTMLPurifier/ConfigSchema/schema.ser | Bin 13379 -> 13488 bytes .../ConfigSchema/schema/CSS.ForbiddenProperties.txt | 13 +++++++++++++ tests/HTMLPurifier/AttrDef/CSSTest.php | 6 ++++++ 8 files changed, 43 insertions(+), 7 deletions(-) rewrite library/HTMLPurifier/ConfigSchema/schema.ser (92%) create mode 100644 library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt
diff --git a/NEWS b/NEWS
index 2aadbd02..6bc8a962 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier ! Added %URI.DisableResources functionality; the directive originally did nothing. Thanks David Rothstein for reporting. ! Add documentation about configuration directive types. +! Add %CSS.ForbiddenProperties configuration directive. - Fix improper handling of Internet Explorer conditional comments by parser. Thanks zmonteca for reporting. - Fix missing attributes bug when running on Mac Snow Leopard and APC.
diff --git a/configdoc/usage.xml b/configdoc/usage.xml
index 444c3ad5..4086092d 100644
--- a/configdoc/usage.xml
+++ b/configdoc/usage.xml
@@ -42,6 +42,11 @@ 275 + + + 289 + + 49
@@ -136,12 +141,12 @@ - 337 + 342 - 338 + 343
diff --git a/library/HTMLPurifier.includes.php b/library/HTMLPurifier.includes.php
index 2ed0f0c1..2de7f190 100644
--- a/library/HTMLPurifier.includes.php
+++ b/library/HTMLPurifier.includes.php
@@ -196,6 +196,7 @@ require 'HTMLPurifier/Token/Start.php';
 require 'HTMLPurifier/Token/Text.php';
 require 'HTMLPurifier/URIFilter/DisableExternal.php';
 require 'HTMLPurifier/URIFilter/DisableExternalResources.php';
+require 'HTMLPurifier/URIFilter/DisableResources.php';
 require 'HTMLPurifier/URIFilter/HostBlacklist.php';
 require 'HTMLPurifier/URIFilter/MakeAbsolute.php';
 require 'HTMLPurifier/URIFilter/Munge.php';
diff --git a/library/HTMLPurifier.safe-includes.php b/library/HTMLPurifier.safe-includes.php
index 6402de04..630daaa1 100644
--- a/library/HTMLPurifier.safe-includes.php
+++ b/library/HTMLPurifier.safe-includes.php
@@ -190,6 +190,7 @@ require_once $__dir . '/HTMLPurifier/Token/Start.php';
 require_once $__dir . '/HTMLPurifier/Token/Text.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternal.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/DisableExternalResources.php';
+require_once $__dir . '/HTMLPurifier/URIFilter/DisableResources.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/HostBlacklist.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/MakeAbsolute.php';
 require_once $__dir . '/HTMLPurifier/URIFilter/Munge.php';
diff --git a/library/HTMLPurifier/CSSDefinition.php b/library/HTMLPurifier/CSSDefinition.php
index 6a2e6f56..f0257da0 100644
--- a/library/HTMLPurifier/CSSDefinition.php
+++ b/library/HTMLPurifier/CSSDefinition.php
@@ -272,20 +272,29 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
 // setup allowed elements
 $support = "(for information on implementing this, see the ". "support forums) ";
- $allowed_attributes = $config->get('CSS.AllowedProperties');
- if ($allowed_attributes !== null) {
+ $allowed_properties = $config->get('CSS.AllowedProperties');
+ if ($allowed_properties !== null) {
 foreach ($this->info as $name => $d) {
- if(!isset($allowed_attributes[$name])) unset($this->info[$name]);
- unset($allowed_attributes[$name]);
+ if(!isset($allowed_properties[$name])) unset($this->info[$name]);
+ unset($allowed_properties[$name]);
 }
 // emit errors
- foreach ($allowed_attributes as $name => $d) {
+ foreach ($allowed_properties as $name => $d) {
 // :TODO: Is this htmlspecialchars() call really necessary?
 $name = htmlspecialchars($name);
 trigger_error("Style attribute '$name' is not supported $support", E_USER_WARNING);
 }
 }
+ $forbidden_properties = $config->get('CSS.ForbiddenProperties');
+ if ($forbidden_properties !== null) {
+ foreach ($this->info as $name => $d) {
+ if (isset($forbidden_properties[$name])) {
+ unset($this->info[$name]);
+ }
+ }
+ }
+
 }
 }
diff --git a/library/HTMLPurifier/ConfigSchema/schema.ser b/library/HTMLPurifier/ConfigSchema/schema.ser
dissimilarity index 92%
index ac93a0c4ea640720ff6d628003d9cefafcdf541f..20bd89dfbf1dd388bc5bd10d24f9ef875f45d767 100644
GIT binary patch delta 155 zcwRf4u_1GUIit~LZvh1sWg}xNCFkH^J-7U#q|B6*)VzSA{DRb?lFZa%CF?{h1FP!V p&6y%=xF<6Sc#x*&E;pm;WN!i4%_$0BSQPN;$+WWA9IE<`4**{nGh+Y% delta 54 ycwXC(c{pQ&Iium^i3+ltdj*(THrKLz;zs4K;+`C@V902)d7^?K>*k}XulWEBN)mzq
diff --git a/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt b/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt
new file mode 100644
index 00000000..2e7d4a6c
--- /dev/null
+++ b/library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt
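Review bot: The new CSS.ForbiddenProperties loop silently ignores any name that matches nothing in $this->info, so a misspelled entry leaves the real property enabled with no signal, whereas the AllowedProperties branch directly above warns about every leftover name through trigger_error. For a denylist that the schema text says overrides every other directive, a silently ineffective entry is the worst failure mode, so the same leftover-name warning belongs here. The match is also exact-key (`isset($forbidden_properties[$name])`), so forbidding a shorthand such as `border` does not touch `border-left` or vice versa, which is worth stating in the directive's description. The enclosing method begins before this hunk, so whether $this->info is already complete at this point cannot be confirmed from the hunk alone.
```php
        // … unchanged: CSS.AllowedProperties filtering and its warnings …
        $forbidden_properties = $config->get('CSS.ForbiddenProperties');
        if ($forbidden_properties !== null) {
            foreach ($this->info as $name => $d) {
                if (isset($forbidden_properties[$name])) {
                    unset($this->info[$name]);
                    unset($forbidden_properties[$name]);
                }
            }
            // anything left over matched no known property: almost certainly a
            // typo, and the denylist would otherwise silently not apply to it
            foreach ($forbidden_properties as $name => $d) {
                $name = htmlspecialchars($name);
                trigger_error("Forbidden style attribute '$name' is not a known property and was ignored", E_USER_WARNING);
            }
        }
```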
@@ -0,0 +1,13 @@
+CSS.ForbiddenProperties
+TYPE: lookup
+VERSION: 4.1.2
+DEFAULT: array()
+--DESCRIPTION--
+

+ This is the logical inverse of %CSS.AllowedProperties, and it will
+ override that directive or any other directive. If possible,
+ %CSS.AllowedProperties is recommended over this directive,
+ because it can sometimes be difficult to tell whether or not you've
+ forbidden all of the CSS properties you truly would like to disallow.
+

+--# vim: et sw=4 sts=4
diff --git a/tests/HTMLPurifier/AttrDef/CSSTest.php b/tests/HTMLPurifier/AttrDef/CSSTest.php
index 27e5c432..619a78c9 100644
--- a/tests/HTMLPurifier/AttrDef/CSSTest.php
+++ b/tests/HTMLPurifier/AttrDef/CSSTest.php
@@ -144,6 +144,12 @@ class HTMLPurifier_AttrDef_CSSTest extends HTMLPurifier_AttrDefHarness
 $this->assertDef('overflow:scroll;');
 }
+ function testForbidden() {
+ $this->config->set('CSS.ForbiddenProperties', 'float');
+ $this->assertDef('float:left;', false);
+ $this->assertDef('text-align:right;');
+ }
+
 }
 // vim: et sw=4 sts=4
-- 2.11.4.GIT
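Review bot: testForbidden exercises the directive on its own, but the new schema text promises that it overrides CSS.AllowedProperties, and nothing in this hunk pins that ordering, so a later reordering of the two blocks in CSSDefinition could turn the denylist into a no-op without a failing test; using the same string form the test already relies on, `$this->config->set('CSS.AllowedProperties', 'float,text-align');` `$this->config->set('CSS.ForbiddenProperties', 'float');` `$this->assertDef('float:left;', false);` covers the combination. A second case that forbids a name no property list contains would document what the implementation does with it, which as written is nothing, with no warning. The test class starts before this hunk.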