Browse Source

Mise a jour de SafeHTML pour le support de HTML5 notamment

cedric@yterium.com 4 months ago
parent
commit
5759e0c862
5 changed files with 230 additions and 173 deletions
  1. 211
    161
      lib/safehtml/classes/safehtml.php
  2. 1
    0
      lib/safehtml/license.txt
  3. 5
    5
      lib/safehtml/readme-SPIP.txt
  4. 12
    6
      lib/safehtml/readme.txt
  5. 1
    1
      paquet.xml

+ 211
- 161
lib/safehtml/classes/safehtml.php View File

@@ -8,10 +8,11 @@
8 8
  * 
9 9
  * @package    SafeHTML
10 10
  * @author     Roman Ivanov <thingol@mail.ru>
11
- * @copyright  2004-2005 Roman Ivanov
11
+ * @author     Miguel Vazquez Gocobachi <demrit@mx.gnu.org>
12
+ * @copyright  2004-2009 Roman Ivanov, Miguel Vazquez Gocobachi
12 13
  * @license    http://www.debian.org/misc/bsd.license  BSD License (3 Clause)
13
- * @version    1.3.7
14
- * @link       http://pixel-apes.com/safehtml/
14
+ * @version    1.3.10
15
+ * @link       https://wackowiki.org/doc/Dev/Projects/SafeHTML
15 16
  */
16 17
 
17 18
 
@@ -52,79 +53,71 @@ require_once(XML_HTMLSAX3 . 'HTMLSax3.php');
52 53
  * @version    Release: @package_version@
53 54
  * @link       http://pear.php.net/package/SafeHTML
54 55
  */
56
+
55 57
 class SafeHTML 
56 58
 {
57 59
     /**
58 60
      * Storage for resulting HTML output
59 61
      *
60 62
      * @var string
61
-     * @access private
62 63
      */
63
-    var $_xhtml = '';
64
+    protected $xhtml = '';
64 65
     
65 66
     /**
66 67
      * Array of counters for each tag
67 68
      *
68 69
      * @var array
69
-     * @access private
70 70
      */
71
-    var $_counter = array();
71
+    protected $counter = array();
72 72
     
73 73
     /**
74 74
      * Stack of unclosed tags
75 75
      *
76 76
      * @var array
77
-     * @access private
78 77
      */
79
-    var $_stack = array();
78
+    protected $stack = array();
80 79
     
81 80
     /**
82 81
      * Array of counters for tags that must be deleted with all content
83 82
      *
84 83
      * @var array
85
-     * @access private
86 84
      */
87
-    var $_dcCounter = array();
85
+    protected $dcCounter = array();
88 86
     
89 87
     /**
90 88
      * Stack of unclosed tags that must be deleted with all content
91 89
      *
92 90
      * @var array
93
-     * @access private
94 91
      */
95
-    var $_dcStack = array();
92
+    protected $dcStack = array();
96 93
     
97 94
     /**
98 95
      * Stores level of list (ol/ul) nesting
99 96
      *
100 97
      * @var int
101
-     * @access private
102 98
      */
103
-    var $_listScope = 0; 
99
+    protected $listScope = 0;
104 100
     
105 101
     /**
106 102
      * Stack of unclosed list tags 
107 103
      *
108 104
      * @var array
109
-     * @access private
110 105
      */
111
-    var $_liStack = array();
106
+    protected $liStack = array();
112 107
 
113 108
     /**
114 109
      * Array of prepared regular expressions for protocols (schemas) matching
115 110
      *
116 111
      * @var array
117
-     * @access private
118 112
      */
119
-    var $_protoRegexps = array();
113
+    protected $protoRegexps = array();
120 114
     
121 115
     /**
122 116
      * Array of prepared regular expressions for CSS matching
123 117
      *
124 118
      * @var array
125
-     * @access private
126 119
      */
127
-    var $_cssRegexps = array();
120
+    protected $cssRegexps = array();
128 121
 
129 122
     /**
130 123
      * Should we perform UTF7 repacking or not?
@@ -138,20 +131,26 @@ class SafeHTML
138 131
     var $repackUTF7 = true;
139 132
 
140 133
     /**
134
+     * Allowed tags
135
+     *
136
+     * @var array
137
+     */
138
+    protected $allowTags = array();
139
+
140
+
141
+    /**
141 142
      * List of single tags ("<tag />")
142 143
      *
143 144
      * @var array
144
-     * @access public
145 145
      */
146
-    var $singleTags = array('area', 'br', 'img', 'input', 'hr', 'wbr', );
146
+    public $singleTags = array('area', 'br', 'img', 'input', 'hr', 'wbr', );
147 147
 
148 148
     /**
149 149
      * List of dangerous tags (such tags will be deleted)
150 150
      *
151 151
      * @var array
152
-     * @access public
153 152
      */
154
-    var $deleteTags = array(
153
+    public $deleteTags = array(
155 154
         'applet', 'base',   'basefont', 'bgsound', 'blink',  'body', 
156 155
         'embed',  'frame',  'frameset', 'head',    'html',   'ilayer', 
157 156
         'iframe', 'layer',  'link',     'meta',    'object', 'style', 
@@ -163,25 +162,22 @@ class SafeHTML
163 162
      * inside this tags will be also removed)
164 163
      *
165 164
      * @var array
166
-     * @access public
167 165
      */
168
-    var $deleteTagsContent = array('script', 'style', 'title', 'xml', );
166
+    public $deleteTagsContent = array('script', 'style', 'title', 'xml', );
169 167
 
170 168
     /**
171 169
      * Type of protocols filtering ('white' or 'black')
172 170
      *
173 171
      * @var string
174
-     * @access public
175 172
      */
176
-    var $protocolFiltering = 'white';
173
+    public $protocolFiltering = 'white';
177 174
 
178 175
     /**
179 176
      * List of "dangerous" protocols (used for blacklist-filtering)
180 177
      *
181 178
      * @var array
182
-     * @access public
183 179
      */
184
-    var $blackProtocols = array(
180
+    public $blackProtocols = array(
185 181
         'about',   'chrome',     'data',       'disk',     'hcp',     
186 182
         'help',    'javascript', 'livescript', 'lynxcgi',  'lynxexec', 
187 183
         'ms-help', 'ms-its',     'mhtml',      'mocha',    'opera',   
@@ -193,9 +189,8 @@ class SafeHTML
193 189
      * List of "safe" protocols (used for whitelist-filtering)
194 190
      *
195 191
      * @var array
196
-     * @access public
197 192
      */
198
-    var $whiteProtocols = array(
193
+    public $whiteProtocols = array(
199 194
         'ed2k',   'file', 'ftp',  'gopher', 'http',  'https', 
200 195
         'irc',    'mailto', 'news', 'nntp', 'telnet', 'webcal', 
201 196
         'xmpp',   'callto',
@@ -205,9 +200,8 @@ class SafeHTML
205 200
      * List of attributes that can contain protocols
206 201
      *
207 202
      * @var array
208
-     * @access public
209 203
      */
210
-    var $protocolAttributes = array(
204
+    public $protocolAttributes = array(
211 205
         'action', 'background', 'codebase', 'dynsrc', 'href', 'lowsrc', 'src', 'formaction',
212 206
         );
213 207
 
@@ -218,9 +212,8 @@ class SafeHTML
218 212
      * these keywords
219 213
      *
220 214
      * @var array
221
-     * @access public
222 215
      */
223
-    var $cssKeywords = array(
216
+    public $cssKeywords = array(
224 217
         'absolute', 'behavior',       'behaviour',   'content', 'expression', 
225 218
         'fixed',    'include-source', 'moz-binding',
226 219
         );
@@ -229,10 +222,9 @@ class SafeHTML
229 222
      * List of tags that can have no "closing tag"
230 223
      *
231 224
      * @var array
232
-     * @access public
233 225
      * @deprecated XHTML does not allow such tags
234 226
      */
235
-    var $noClose = array();
227
+    public $noClose = array();
236 228
 
237 229
     /**
238 230
      * List of block-level tags that terminates paragraph
@@ -240,23 +232,23 @@ class SafeHTML
240 232
      * Paragraph will be closed when this tags opened
241 233
      *
242 234
      * @var array
243
-     * @access public
244 235
      */
245
-    var $closeParagraph = array(
246
-        'address', 'blockquote', 'center', 'dd',      'dir',       'div', 
247
-        'dl',      'dt',         'h1',     'h2',      'h3',        'h4', 
248
-        'h5',      'h6',         'hr',     'isindex', 'listing',   'marquee', 
249
-        'menu',    'multicol',   'ol',     'p',       'plaintext', 'pre', 
250
-        'table',   'ul',         'xmp', 
236
+    public $closeParagraph = array(
237
+        'address', 'article',    'aside',     'audio',    'blockquote', 'canvas',
238
+        'center',  'dd',         'dir',       'div',      'dl',         'dt',
239
+        'figure',  'figcaption', 'footer',    'h1',       'h2',         'h3',
240
+        'h4',      'h5',         'h6',        'header',   'hr',         'isindex',
241
+        'listing', 'main',       'marquee',   'menu',      'multicol',  'nav',
242
+        'ol',      'output',     'p',         'plaintext', 'pre',       'section',
243
+        'table',   'ul',         'video',     'xmp',
251 244
         );
252 245
 
253 246
     /**
254 247
      * List of table tags, all table tags outside a table will be removed
255 248
      *
256 249
      * @var array
257
-     * @access public
258 250
      */
259
-    var $tableTags = array(
251
+    public $tableTags = array(
260 252
         'caption', 'col', 'colgroup', 'tbody', 'td', 'tfoot', 'th', 
261 253
         'thead',   'tr', 
262 254
         );
@@ -265,32 +257,29 @@ class SafeHTML
265 257
      * List of list tags
266 258
      *
267 259
      * @var array
268
-     * @access public
269 260
      */
270
-    var $listTags = array('dir', 'menu', 'ol', 'ul', 'dl', );
261
+    public $listTags = array('dir', 'menu', 'ol', 'ul', 'dl', );
271 262
 
272 263
     /**
273 264
      * List of dangerous attributes
274 265
      *
275 266
      * @var array
276
-     * @access public
277 267
      */
278
-    var $attributes = array('dynsrc', 'id', 'name', );
268
+    public $attributes = array('dynsrc', 'id', 'name', );
279 269
 
280 270
     /**
281 271
      * List of allowed "namespaced" attributes
282 272
      *
283 273
      * @var array
284
-     * @access public
285 274
      */
286
-    var $attributesNS = array('xml:lang', );
275
+    public $attributesNS = array('xml:lang', );
287 276
 
288 277
     /**
289 278
      * Constructs class
290 279
      *
291 280
      * @access public
292 281
      */
293
-    function __construct()
282
+    public function __construct()
294 283
     {
295 284
         //making regular expressions based on Proto & CSS arrays
296 285
         foreach ($this->blackProtocols as $proto) {
@@ -299,59 +288,62 @@ class SafeHTML
299 288
                 $preg .= $proto{$i} . "[\s\x01-\x1F]*";
300 289
             }
301 290
             $preg .= ":/i";
302
-            $this->_protoRegexps[] = $preg;
291
+            $this->protoRegexps[] = $preg;
303 292
         }
304 293
 
305 294
         foreach ($this->cssKeywords as $css) {
306
-            $this->_cssRegexps[] = '/' . $css . '/i';
295
+            $this->cssRegexps[] = '/' . $css . '/i';
307 296
         }
308 297
         return true;
309 298
     }
310 299
 
311 300
     /**
312
-     * Handles the writing of attributes - called from $this->_openHandler()
301
+     * Handles the writing of attributes - called from $this->openHandler()
313 302
      *
314 303
      * @param array $attrs array of attributes $name => $value
304
+     * @param string|null $tag
315 305
      * @return boolean
316
-     * @access private
317 306
      */
318
-    function _writeAttrs ($attrs, $tag = null) 
307
+    protected function writeAttrs ($attrs, $tag = null)
319 308
     {
320 309
         if (is_array($attrs)) {
321 310
             foreach ($attrs as $name => $value) {
322
-
323 311
                 $name = strtolower($name);
324 312
 
325 313
                 if (strpos($name, 'on') === 0) {
326 314
                     continue;
327 315
                 }
316
+
328 317
                 if (strpos($name, 'data') === 0) {
329 318
                     continue;
330 319
                 }
320
+
331 321
                 if ($tag != 'a' and in_array($name, $this->attributes)) {
332 322
                     continue;
333 323
                 }
334
-                if (!preg_match("/^[a-z0-9]+$/i", $name)) {
335
-                    if (!in_array($name, $this->attributesNS))
336
-                    {
324
+
325
+                if (!preg_match('/^[a-z0-9]+$/i', $name)) {
326
+                    if (!in_array($name, $this->attributesNS)) {
337 327
                         continue;
338 328
                     }
339 329
                 }
340 330
 
341
-                if (($value === TRUE) || (is_null($value))) {
331
+                if (($value === true) || (is_null($value))) {
342 332
                     $value = $name;
343 333
                 }
344 334
 
345 335
                 if ($name == 'style') {
346
-                   
347 336
                    // removes insignificant backslahes
348 337
                    $value = str_replace("\\", '', $value);
349 338
 
350 339
                    // removes CSS comments
351
-                   while (1)
352
-                   {
353
-                     $_value = preg_replace("!/\*.*?\*/!s", '', $value);
354
-                     if ($_value == $value) break;
340
+                   while (1) {
341
+                     $_value = preg_replace('!/\*.*?\*/!s', '', $value);
342
+
343
+                     if ($_value == $value) {
344
+                         break;
345
+                     }
346
+
355 347
                      $value = $_value;
356 348
                    }
357 349
                    
@@ -359,151 +351,169 @@ class SafeHTML
359 351
                    $value = str_replace('&amp;', '&', $value);
360 352
                    $value = str_replace('&', '&amp;', $value);
361 353
 
362
-                   foreach ($this->_cssRegexps as $css) {
354
+                   foreach ($this->cssRegexps as $css) {
363 355
                        if (preg_match($css, $value)) { 
364 356
                            continue 2;
365 357
                        }
366 358
                    }
367
-                   foreach ($this->_protoRegexps as $proto) {
359
+
360
+                   foreach ($this->protoRegexps as $proto) {
368 361
                        if (preg_match($proto, $value)) {
369 362
                            continue 2;
370 363
                        }
371 364
                    }
372 365
                 }
373 366
 
374
-                $tempval = preg_replace_callback('/&#(\d+);?/m', function($m) { return chr($m[1]); }, $value); //"'
375
-                $tempval = preg_replace_callback('/&#x([0-9a-f]+);?/mi', function($m) { return chr(hexdec($m[1])); }, $tempval); //"'
367
+                $tempval = preg_replace_callback('/&#(\d+);?/m', function ($matches) { return chr($matches[1]); }, $value); //"'
368
+                $tempval = preg_replace_callback(
369
+                	'/&#x([0-9a-f]+);?/mi',
370
+                	function ($matches) { return chr(hexdec($matches[1])); },
371
+                    $tempval
372
+                );
376 373
 
377
-                if ((in_array($name, $this->protocolAttributes)) && 
378
-                    (strpos($tempval, ':') !== false)) 
379
-                {
374
+                if ((in_array($name, $this->protocolAttributes))
375
+                  && (strpos($tempval, ':') !== false)
376
+                ) {
380 377
                     if ($this->protocolFiltering == 'black') {
381
-                        foreach ($this->_protoRegexps as $proto) {
382
-                            if (preg_match($proto, $tempval)) continue 2;
378
+                        foreach ($this->protoRegexps as $proto) {
379
+                            if (preg_match($proto, $tempval)) {
380
+                                continue 2;
381
+                            }
383 382
                         }
384 383
                     } else {
385 384
                         $_tempval = explode(':', $tempval);
386 385
                         $proto = $_tempval[0];
386
+
387 387
                         if (!in_array($proto, $this->whiteProtocols)) {
388 388
                             continue;
389 389
                         }
390 390
                     }
391 391
                 }
392 392
 
393
-                $value = str_replace("\"", "&quot;", $value);
394
-                $this->_xhtml .= ' ' . $name . '="' . $value . '"';
393
+                $value        = str_replace("\"", '&quot;', $value);
394
+                $this->xhtml .= ' ' . $name . '="' . $value . '"';
395 395
             }
396 396
         }
397
+
397 398
         return true;
398 399
     }
399 400
 
400 401
     /**
401 402
      * Opening tag handler - called from HTMLSax
402 403
      *
403
-     * @param object $parser HTML Parser
404
+     * @param object &$parser HTML Parser
404 405
      * @param string $name   tag name
405 406
      * @param array  $attrs  tag attributes
407
+     *
406 408
      * @return boolean
407
-     * @access private
408 409
      */
409
-    function _openHandler(&$parser, $name, $attrs) 
410
+    public function openHandler(&$parser, $name, $attrs)
410 411
     {
411 412
         $name = strtolower($name);
412 413
 
413 414
         if (in_array($name, $this->deleteTagsContent)) {
414
-            array_push($this->_dcStack, $name);
415
-            $this->_dcCounter[$name] = isset($this->_dcCounter[$name]) ? $this->_dcCounter[$name]+1 : 1;
415
+            array_push($this->dcStack, $name);
416
+            $this->dcCounter[$name] = isset($this->dcCounter[$name])
417
+                ? $this->dcCounter[$name]+1 : 1;
416 418
         }
417
-        if (count($this->_dcStack) != 0) {
419
+        if (count($this->dcStack) != 0) {
418 420
             return true;
419 421
         }
420 422
 
421
-        if (in_array($name, $this->deleteTags)) {
423
+        if (in_array($name, $this->deleteTags)
424
+            && !in_array($name, $this->allowTags)
425
+        ) {
422 426
             return true;
423 427
         }
424 428
         
425
-        if (!preg_match("/^[a-z0-9]+$/i", $name)) {
426
-            if (preg_match("!(?:\@|://)!i", $name)) {
427
-                $this->_xhtml .= '&lt;' . $name . '&gt;';
429
+        if (!preg_match('/^[a-z0-9]+$/i', $name)) {
430
+            if (preg_match('!(?:\@|://)!i', $name)) {
431
+                $this->xhtml .= '&lt;' . $name . '&gt;';
428 432
             }
429 433
             return true;
430 434
         }
431 435
 
432 436
         if (in_array($name, $this->singleTags)) {
433
-            $this->_xhtml .= '<' . $name;
434
-            $this->_writeAttrs($attrs, $name);
435
-            $this->_xhtml .= ' />';
437
+            $this->xhtml .= '<' . $name;
438
+            $this->writeAttrs($attrs, $name);
439
+            $this->xhtml .= ' />';
436 440
             return true;
437 441
         }
438 442
 
439 443
         // TABLES: cannot open table elements when we are not inside table
440
-        if ((isset($this->_counter['table'])) && ($this->_counter['table'] <= 0) 
441
-            && (in_array($name, $this->tableTags))) 
442
-        {
444
+        if ((isset($this->counter['table']))
445
+            && ($this->counter['table'] <= 0)
446
+            && (in_array($name, $this->tableTags))
447
+        ) {
443 448
             return true;
444 449
         }
445 450
 
446 451
         // PARAGRAPHS: close paragraph when closeParagraph tags opening
447
-        if ((in_array($name, $this->closeParagraph)) && (in_array('p', $this->_stack))) {
448
-            $this->_closeHandler($parser, 'p');
452
+        if ((in_array($name, $this->closeParagraph))
453
+            && (in_array('p', $this->stack))
454
+        ) {
455
+            $this->closeHandler($parser, 'p');
449 456
         }
450 457
 
451 458
         // LISTS: we should close <li> if <li> of the same level opening
452
-        if ($name == 'li' && count($this->_liStack) && 
453
-            $this->_listScope == $this->_liStack[count($this->_liStack)-1]) 
454
-        {
455
-            $this->_closeHandler($parser, 'li');
459
+        if (($name == 'li') && count($this->liStack)
460
+            && ($this->listScope == $this->liStack[count($this->liStack) - 1])
461
+        ) {
462
+            $this->closeHandler($parser, 'li');
456 463
         }
457 464
 
458 465
         // LISTS: we want to know on what nesting level of lists we are
459 466
         if (in_array($name, $this->listTags)) {
460
-            $this->_listScope++;
467
+            ++$this->listScope;
461 468
         }
469
+
462 470
         if ($name == 'li') {
463
-            array_push($this->_liStack, $this->_listScope);
471
+            array_push($this->liStack, $this->listScope);
464 472
         }
465 473
             
466
-        $this->_xhtml .= '<' . $name;
467
-        $this->_writeAttrs($attrs, $name);
468
-        $this->_xhtml .= '>';
469
-        array_push($this->_stack,$name);
470
-        $this->_counter[$name] = isset($this->_counter[$name]) ? $this->_counter[$name]+1 : 1;
474
+        $this->xhtml .= '<' . $name;
475
+        $this->writeAttrs($attrs, $name);
476
+        $this->xhtml .= '>';
477
+        array_push($this->stack,$name);
478
+        $this->counter[$name] = isset($this->counter[$name])
479
+            ? ($this->counter[$name] + 1) : 1;
480
+
471 481
         return true;
472 482
     }
473 483
 
474 484
     /**
475 485
      * Closing tag handler - called from HTMLSax
476 486
      *
477
-     * @param object $parsers HTML parser
487
+     * @param object &$parser HTML parser
478 488
      * @param string $name    tag name
489
+     *
479 490
      * @return boolean
480
-     * @access private
481 491
      */
482
-    function _closeHandler(&$parser, $name) 
492
+    public function closeHandler(&$parser, $name)
483 493
     {
484
-
485 494
         $name = strtolower($name);
486 495
 
487
-        if (isset($this->_dcCounter[$name]) && ($this->_dcCounter[$name] > 0) && 
488
-            (in_array($name, $this->deleteTagsContent))) 
489
-        {
490
-           while ($name != ($tag = array_pop($this->_dcStack))) {
491
-            $this->_dcCounter[$tag]--;
496
+        if (isset($this->dcCounter[$name])
497
+            && ($this->dcCounter[$name] > 0)
498
+            && (in_array($name, $this->deleteTagsContent))
499
+        ) {
500
+           while ($name != ($tag = array_pop($this->dcStack))) {
501
+                --$this->dcCounter[$tag];
492 502
            }
493 503
 
494
-           $this->_dcCounter[$name]--;
504
+            --$this->dcCounter[$name];
495 505
         }
496 506
 
497
-        if (count($this->_dcStack) != 0) {
507
+        if (count($this->dcStack) != 0) {
498 508
             return true;
499 509
         }
500 510
 
501
-        if ((isset($this->_counter[$name])) && ($this->_counter[$name] > 0)) {
502
-           while ($name != ($tag = array_pop($this->_stack))) {
503
-               $this->_closeTag($tag);
511
+        if ((isset($this->counter[$name])) && ($this->counter[$name] > 0)) {
512
+           while ($name != ($tag = array_pop($this->stack))) {
513
+                $this->closeTag($tag);
504 514
            }
505 515
 
506
-           $this->_closeTag($name);
516
+            $this->closeTag($name);
507 517
         }
508 518
         return true;
509 519
     }
@@ -512,80 +522,120 @@ class SafeHTML
512 522
      * Closes tag 
513 523
      *
514 524
      * @param string $tag tag name
525
+     *
515 526
      * @return boolean
516
-     * @access private
517 527
      */
518
-    function _closeTag($tag) 
528
+    protected function closeTag($tag)
519 529
     {
520 530
         if (!in_array($tag, $this->noClose)) {
521
-            $this->_xhtml .= '</' . $tag . '>';
531
+            $this->xhtml .= '</' . $tag . '>';
522 532
         }
523 533
 
524
-        $this->_counter[$tag]--;
534
+        --$this->counter[$tag];
525 535
 
526 536
         if (in_array($tag, $this->listTags)) {
527
-            $this->_listScope--;
537
+            --$this->listScope;
528 538
         }
529 539
 
530 540
         if ($tag == 'li') {
531
-            array_pop($this->_liStack);
541
+            array_pop($this->liStack);
532 542
         }
543
+
533 544
         return true;
534 545
     }
535 546
 
536 547
     /**
537 548
      * Character data handler - called from HTMLSax
538 549
      *
539
-     * @param object $parser HTML parser
550
+     * @param object &$parser HTML parser
540 551
      * @param string $data   textual data
552
+     *
541 553
      * @return boolean
542
-     * @access private
543 554
      */
544
-    function _dataHandler(&$parser, $data) 
555
+    public function dataHandler(&$parser, $data)
545 556
     {
546
-        if (count($this->_dcStack) == 0) {
547
-            $this->_xhtml .= $data;
557
+        if (count($this->dcStack) == 0) {
558
+            $this->xhtml .= $data;
548 559
         }
560
+
549 561
         return true;
550 562
     }
551 563
 
552 564
     /**
553 565
      * Escape handler - called from HTMLSax
554 566
      *
555
-     * @param object $parser HTML parser
567
+     * @param object &$parser HTML parser
556 568
      * @param string $data   comments or other type of data
569
+     *
557 570
      * @return boolean
558
-     * @access private
559 571
      */
560
-    function _escapeHandler(&$parser, $data) 
572
+    public function escapeHandler(&$parser, $data)
561 573
     {
562 574
         return true;
563 575
     }
564 576
 
565 577
     /**
578
+     * Allow tags
579
+     *
580
+     * Example:
581
+     * <pre>
582
+     * $safe = new HTML_Safe;
583
+     * $safe->setAllowTags(array('body'));
584
+     * </pre>
585
+     *
586
+     * @param array $tags Tags to allow
587
+     *
588
+     * @return void
589
+     */
590
+    public function setAllowTags($tags = array())
591
+    {
592
+        if (is_array($tags)) {
593
+            $this->allowTags = $tags;
594
+        }
595
+    }
596
+
597
+    /**
598
+     * Returns the allowed tags
599
+     *
600
+     * @return array
601
+     */
602
+    public function getAllowTags()
603
+    {
604
+        return $this->allowTags;
605
+    }
606
+
607
+    /**
608
+     * Reset the allowed tags
609
+     *
610
+     * @return void
611
+     */
612
+    public function resetAllowTags()
613
+    {
614
+        $this->allowTags = array();
615
+    }
616
+
617
+    /**
566 618
      * Returns the XHTML document
567 619
      *
568 620
      * @return string Processed (X)HTML document
569
-     * @access public
570 621
      */
571
-    function getXHTML () 
622
+    public function getXHTML()
572 623
     {
573
-        while ($tag = array_pop($this->_stack)) {
574
-            $this->_closeTag($tag);
624
+        while ($tag = array_pop($this->stack)) {
625
+            $this->closeTag($tag);
575 626
         }
576 627
         
577
-        return $this->_xhtml;
628
+        return $this->xhtml;
578 629
     }
579 630
 
580 631
     /**
581 632
      * Clears current document data
582 633
      *
583 634
      * @return boolean
584
-     * @access public
585 635
      */
586
-    function clear() 
636
+    public function clear()
587 637
     {
588
-        $this->_xhtml = '';
638
+        $this->xhtml = '';
589 639
         return true;
590 640
     }
591 641
 
@@ -593,14 +643,15 @@ class SafeHTML
593 643
      * Main parsing fuction
594 644
      *
595 645
      * @param string $doc HTML document for processing
646
+     *
596 647
      * @return string Processed (X)HTML document
597
-     * @access public
598 648
      */
599
-    function parse($doc) 
649
+    public function parse($doc)
600 650
     {
651
+       $result = '';
601 652
 
602 653
        // Save all '<' symbols
603
-       $doc = preg_replace("/<(?=[^a-zA-Z\/\!\?\%])/", '&lt;', $doc);
654
+       $doc = preg_replace('/<(?=[^a-zA-Z\/\!\?\%])/', '&lt;', $doc);
604 655
 
605 656
        // Web documents shouldn't contains \x00 symbol
606 657
        $doc = str_replace("\x00", '', $doc);
@@ -619,25 +670,26 @@ class SafeHTML
619 670
        // Set up the parser
620 671
        $parser->set_object($this);
621 672
 
622
-       $parser->set_element_handler('_openHandler','_closeHandler');
623
-       $parser->set_data_handler('_dataHandler');
624
-       $parser->set_escape_handler('_escapeHandler');
673
+       $parser->set_element_handler('openHandler', 'closeHandler');
674
+       $parser->set_data_handler('dataHandler');
675
+       $parser->set_escape_handler('escapeHandler');
625 676
 
626 677
        $parser->parse($doc);
627 678
 
628
-       return $this->getXHTML();
679
+       $result = $this->getXHTML();
629 680
 
630
-    }
681
+       $this->clear();
631 682
 
683
+       return $result;
684
+    }
632 685
 
633 686
     /**
634 687
      * UTF-7 decoding fuction
635 688
      *
636 689
      * @param string $str HTML document for recode ASCII part of UTF-7 back to ASCII
637 690
      * @return string Decoded document
638
-     * @access private
639 691
      */
640
-    function repackUTF7($str)
692
+    protected function repackUTF7($str)
641 693
     {
642 694
        return preg_replace_callback('!\+([0-9a-zA-Z/]+)\-!', array($this, 'repackUTF7Callback'), $str);
643 695
     }
@@ -647,9 +699,8 @@ class SafeHTML
647 699
      *
648 700
      * @param string $str String for recode ASCII part of UTF-7 back to ASCII
649 701
      * @return string Recoded string
650
-     * @access private
651 702
      */
652
-    function repackUTF7Callback($str)
703
+    protected function repackUTF7Callback($str)
653 704
     {
654 705
        $str = base64_decode($str[1]);
655 706
        $str = preg_replace_callback('/^((?:\x00.)*)((?:[^\x00].)+)/', array($this, 'repackUTF7Back'), $str);
@@ -661,9 +712,8 @@ class SafeHTML
661 712
      *
662 713
      * @param string $str String for recode ASCII part of UTF-7 back to ASCII
663 714
      * @return string Recoded string
664
-     * @access private
665 715
      */
666
-    function repackUTF7Back($str)
716
+    protected function repackUTF7Back($str)
667 717
     {
668 718
        return $str[1].'+'.rtrim(base64_encode($str[2]), '=').'-';
669 719
     }

+ 1
- 0
lib/safehtml/license.txt View File

@@ -1,3 +1,4 @@
1
+(c) Miguel Vazquez Gocobachi, WackoWiki Team, 2005-2017
1 2
 (c) Roman Ivanov, 2004-2005
2 3
 (c) Pixel-Apes ( http://pixel-apes.com/ ), 2004-2005
3 4
 (c) JetStyle   ( http://jetstyle.ru/    ), 2004-2005

+ 5
- 5
lib/safehtml/readme-SPIP.txt View File

@@ -1,10 +1,10 @@
1 1
 
2
-SafeHTML pour SPIP
2
+SafeHTML pour SPIP
3 3
 
4
---------
5
-Version 1.3.7.
6
-http://pixel-apes.com/safehtml/
7
---------
4
+--------
5
+Version 1.3.10.
6
+https://bitbucket.org/wackowiki/wackowiki-dev/src/0861d16a01dd/wacko/lib/safehtml/
7
+--------
8 8
 
9 9
 Ce repertoire est extrait de SafeHTML 1.3.7 ; les fichiers suivants ont ete supprimes :
10 10
 

+ 12
- 6
lib/safehtml/readme.txt View File

@@ -1,14 +1,14 @@
1 1
 SafeHTML
2 2
 --------
3
-Version 1.3.7.
4
-http://pixel-apes.com/safehtml/
3
+Version 1.3.10.
4
+https://wackowiki.org/doc/Dev/Projects/SafeHTML
5 5
 --------
6 6
 
7 7
 This parser strips down all potentially dangerous content within HTML:
8 8
   * opening tag without its closing tag
9 9
   * closing tag without its opening tag
10
-  * any of these tags: "base", "basefont", "head", "html", "body", "applet", "object", 
11
-    "iframe", "frame", "frameset", "script", "layer", "ilayer", "embed", "bgsound", 
10
+  * any of these tags: "base", "basefont", "head", "html", "body", "applet", "object",
11
+    "iframe", "frame", "frameset", "script", "layer", "ilayer", "embed", "bgsound",
12 12
     "link", "meta", "style", "title", "blink", "xml" etc.
13 13
   * any of these attributes: on*, data*, dynsrc
14 14
   * javascript:/vbscript:/about: etc. protocols
@@ -16,9 +16,9 @@ This parser strips down all potentially dangerous content within HTML:
16 16
   * any other active content
17 17
 It also tries to convert code to XHTML valid, but htmltidy is far better solution for this task.
18 18
 
19
-If you found any bugs in this parser, please inform me -- ICQ:551593 or mailto:thingol@mail.ru
19
+If you found any bugs in this parser, please file an issue -- https://wackowiki.org/bugs/
20 20
 
21
-Please, subscribe to http://pixel-apes.com/safehtml/feed/rss feed in order to receive notices 
21
+Please, subscribe to https://wackowiki.org/doc/Dev/Projects/SafeHTML in order to receive notices
22 22
 when SAFEHTML will be updated.
23 23
 
24 24
 -- Roman Ivanov.
@@ -30,6 +30,12 @@ when SAFEHTML will be updated.
30 30
 --------
31 31
 Version history:
32 32
 --------
33
+1.3.10.
34
+ * added HTML5 Block-level elements
35
+1.3.9.
36
+ * Replaced preg_replace() e modifier with preg_replace_callback
37
+1.3.8.
38
+ * UTF-7 XSS vulnerability fixed
33 39
 1.3.7.
34 40
  * Added 'dl' to the list of 'lists' tags.
35 41
  * Added 'callto' to the white list of protocols.

+ 1
- 1
paquet.xml View File

@@ -1,7 +1,7 @@
1 1
 <paquet
2 2
 	prefix="safehtml"
3 3
 	categorie="performance"
4
-	version="1.6.0"
4
+	version="1.6.1"
5 5
 	etat="stable"
6 6
 	compatibilite="[3.3.0-dev;3.3.*]"
7 7
 	logo="images/safehtml-32.png"

Loading…
Cancel
Save