Browse Source

fix: Bye bye safehtml, bienvenie HtmlPurifier

Refs: spip/spip#3926
Cerdic 2 months ago
parent
commit
5a527f3983
  1. 14
      inc/HTMLPurifier.extended.php
  2. 73
      inc/safehtml.php
  3. 23509
      lib/html5/HTMLPurifier.standalone.php
  4. 48
      lib/html5/standalone/HTMLPurifier/ConfigSchema/Builder/ConfigSchema.php
  5. 144
      lib/html5/standalone/HTMLPurifier/ConfigSchema/Builder/Xml.php
  6. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/Exception.php
  7. 47
      lib/html5/standalone/HTMLPurifier/ConfigSchema/Interchange.php
  8. 89
      lib/html5/standalone/HTMLPurifier/ConfigSchema/Interchange/Directive.php
  9. 58
      lib/html5/standalone/HTMLPurifier/ConfigSchema/Interchange/Id.php
  10. 226
      lib/html5/standalone/HTMLPurifier/ConfigSchema/InterchangeBuilder.php
  11. 248
      lib/html5/standalone/HTMLPurifier/ConfigSchema/Validator.php
  12. 130
      lib/html5/standalone/HTMLPurifier/ConfigSchema/ValidatorAtom.php
  13. 1
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema.ser
  14. 8
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.AllowedClasses.txt
  15. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.AllowedFrameTargets.txt
  16. 9
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRel.txt
  17. 9
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRev.txt
  18. 19
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.ClassUseCDATA.txt
  19. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.DefaultImageAlt.txt
  20. 9
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImage.txt
  21. 8
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImageAlt.txt
  22. 10
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.DefaultTextDir.txt
  23. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.EnableID.txt
  24. 8
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.ForbiddenClasses.txt
  25. 10
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt
  26. 5
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklist.txt
  27. 9
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklistRegexp.txt
  28. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefix.txt
  29. 14
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt
  30. 31
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.AutoParagraph.txt
  31. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.Custom.txt
  32. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt
  33. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt
  34. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.DocURL.txt
  35. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt
  36. 14
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.Predicate.txt
  37. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.txt
  38. 15
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt
  39. 46
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt
  40. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt
  41. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt
  42. 8
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt
  43. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt
  44. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowedFonts.txt
  45. 18
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowedProperties.txt
  46. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt
  47. 13
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt
  48. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt
  49. 10
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.Proprietary.txt
  50. 9
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt
  51. 14
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Cache.DefinitionImpl.txt
  52. 13
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPath.txt
  53. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt
  54. 18
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyFixLt.txt
  55. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt
  56. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt
  57. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt
  58. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt
  59. 160
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.ColorKeywords.txt
  60. 14
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt
  61. 17
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt
  62. 14
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt
  63. 9
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.EnableIDNA.txt
  64. 15
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.Encoding.txt
  65. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidChildren.txt
  66. 7
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt
  67. 13
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt
  68. 19
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt
  69. 10
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.Language.txt
  70. 36
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt
  71. 34
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt
  72. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.MaintainLineNumbers.txt
  73. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt
  74. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.RemoveInvalidImg.txt
  75. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt
  76. 12
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt
  77. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt
  78. 14
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Escaping.txt
  79. 29
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt
  80. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt
  81. 74
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt
  82. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt
  83. 25
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt
  84. 19
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt
  85. 10
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt
  86. 15
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt
  87. 23
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt
  88. 20
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt
  89. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.Attr.Name.UseCDATA.txt
  90. 18
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.BlockWrapper.txt
  91. 23
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.CoreModules.txt
  92. 9
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt
  93. 33
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt
  94. 16
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt
  95. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt
  96. 11
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt
  97. 21
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt
  98. 20
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt
  99. 14
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt
  100. 7
      lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/HTML.Nofollow.txt
  101. Some files were not shown because too many files have changed in this diff Show More

14
inc/HTMLPurifier.extended.php

@ -0,0 +1,14 @@
<?php
class HTMLPurifier_URIScheme_generic extends HTMLPurifier_URIScheme {
public function doValidate(&$uri, $config, $context) {
return true;
}
}
class HTMLPurifier_URIScheme_tcp extends HTMLPurifier_URIScheme_generic {
}
class HTMLPurifier_URIScheme_udp extends HTMLPurifier_URIScheme_generic {
}
class HTMLPurifier_URIScheme_ssh extends HTMLPurifier_URIScheme_generic {
}

73
inc/safehtml.php

@ -14,46 +14,45 @@ if (!defined('_ECRIRE_INC_VERSION')) {
return;
}
// Controle la presence de la lib safehtml et cree la fonction
// de transformation du texte qui l'exploite
function inc_safehtml_dist($t) {
static $process, $test;
if (!$test) {
$process = false;
if ($f = find_in_path('lib/safehtml/classes')) {
define('XML_HTMLSAX3', $f . '/');
require_once XML_HTMLSAX3 . 'safehtml.php';
$process = new safehtml();
$process->deleteTags[] = 'param'; // sinon bug Firefox
}
if ($process) {
$test = 1;
} # ok
else {
$test = -1;
} # se rabattre sur une fonction de securite basique
/**
* Sanitization du HTML via la librairie Purifier
* @param string $t
* @return false|string
*/
function inc_safehtml_dist(string $t): string {
static $purifier;
if (!isset($purifier)) {
require_spip('lib/html5/HTMLPurifier.standalone');
require_spip('inc/HTMLPurifier.extended');
$config = HTMLPurifier_Config::createDefault();
$config->set('Attr.EnableID', true);
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^http[s]?://[a-z0-9\.]*' . $_SERVER['HTTP_HOST'] . '/%iS');
$config->set('HTML.TidyLevel', 'none');
$config->set('Cache.SerializerPath', preg_replace(',/$,', '', realpath(_DIR_TMP)));
$config->set('Attr.AllowedFrameTargets', ['_blank']);
$config->set('Attr.AllowedRel', 'facebox,nofollow,print,external');
$config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true, 'ftp' => true, 'nntp' => true, 'news' => true, 'tel' => true, 'tcp' => true, 'udp' => true, 'ssh' => true,]);
$html = $config->getHTMLDefinition(true);
$html->manager->addModule('Forms');
$html->manager->registeredModules['Forms']->safe = true;
$purifier = new HTMLPurifier($config);
}
if ($test > 0) {
# reset ($process->clear() ne vide que _xhtml...),
# on doit pouvoir programmer ca plus propremement
$process->_counter = [];
$process->_stack = [];
$process->_dcCounter = [];
$process->_dcStack = [];
$process->_listScope = 0;
$process->_liStack = [];
# $process->parse(''); # cas particulier ?
$process->clear();
$t = $process->parse($t);
// HTML Purifier prefere l'utf-8
$charset = (empty($GLOBALS['meta']['charset']) ? _DEFAULT_CHARSET : $GLOBALS['meta']['charset']);
if ($charset === 'utf-8') {
$t = $purifier->purify($t);
} else {
$t = entites_html($t);
} // tres laid, en cas d'erreur
// supprimer un <li></li> provenant d'un <li> ouvrant seul+safehtml
// cf https://core.spip.net/issues/2201
$t = str_replace('<li></li>', '', $t);
$t = unicode2charset($purifier->purify(charset2unicode($t)));
}
return $t;
}

23509
lib/html5/HTMLPurifier.standalone.php

File diff suppressed because it is too large Load Diff

48
lib/html5/standalone/HTMLPurifier/ConfigSchema/Builder/ConfigSchema.php

@ -0,0 +1,48 @@
<?php
/**
* Converts HTMLPurifier_ConfigSchema_Interchange to our runtime
* representation used to perform checks on user configuration.
*/
class HTMLPurifier_ConfigSchema_Builder_ConfigSchema
{
/**
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
* @return HTMLPurifier_ConfigSchema
*/
public function build($interchange)
{
$schema = new HTMLPurifier_ConfigSchema();
foreach ($interchange->directives as $d) {
$schema->add(
$d->id->key,
$d->default,
$d->type,
$d->typeAllowsNull
);
if ($d->allowed !== null) {
$schema->addAllowedValues(
$d->id->key,
$d->allowed
);
}
foreach ($d->aliases as $alias) {
$schema->addAlias(
$alias->key,
$d->id->key
);
}
if ($d->valueAliases !== null) {
$schema->addValueAliases(
$d->id->key,
$d->valueAliases
);
}
}
$schema->postProcess();
return $schema;
}
}
// vim: et sw=4 sts=4

144
lib/html5/standalone/HTMLPurifier/ConfigSchema/Builder/Xml.php

@ -0,0 +1,144 @@
<?php
/**
* Converts HTMLPurifier_ConfigSchema_Interchange to an XML format,
* which can be further processed to generate documentation.
*/
class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter
{
/**
* @type HTMLPurifier_ConfigSchema_Interchange
*/
protected $interchange;
/**
* @type string
*/
private $namespace;
/**
* @param string $html
*/
protected function writeHTMLDiv($html)
{
$this->startElement('div');
$purifier = HTMLPurifier::getInstance();
$html = $purifier->purify($html);
$this->writeAttribute('xmlns', 'http://www.w3.org/1999/xhtml');
$this->writeRaw($html);
$this->endElement(); // div
}
/**
* @param mixed $var
* @return string
*/
protected function export($var)
{
if ($var === array()) {
return 'array()';
}
return var_export($var, true);
}
/**
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
*/
public function build($interchange)
{
// global access, only use as last resort
$this->interchange = $interchange;
$this->setIndent(true);
$this->startDocument('1.0', 'UTF-8');
$this->startElement('configdoc');
$this->writeElement('title', $interchange->name);
foreach ($interchange->directives as $directive) {
$this->buildDirective($directive);
}
if ($this->namespace) {
$this->endElement();
} // namespace
$this->endElement(); // configdoc
$this->flush();
}
/**
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $directive
*/
public function buildDirective($directive)
{
// Kludge, although I suppose having a notion of a "root namespace"
// certainly makes things look nicer when documentation is built.
// Depends on things being sorted.
if (!$this->namespace || $this->namespace !== $directive->id->getRootNamespace()) {
if ($this->namespace) {
$this->endElement();
} // namespace
$this->namespace = $directive->id->getRootNamespace();
$this->startElement('namespace');
$this->writeAttribute('id', $this->namespace);
$this->writeElement('name', $this->namespace);
}
$this->startElement('directive');
$this->writeAttribute('id', $directive->id->toString());
$this->writeElement('name', $directive->id->getDirective());
$this->startElement('aliases');
foreach ($directive->aliases as $alias) {
$this->writeElement('alias', $alias->toString());
}
$this->endElement(); // aliases
$this->startElement('constraints');
if ($directive->version) {
$this->writeElement('version', $directive->version);
}
$this->startElement('type');
if ($directive->typeAllowsNull) {
$this->writeAttribute('allow-null', 'yes');
}
$this->text($directive->type);
$this->endElement(); // type
if ($directive->allowed) {
$this->startElement('allowed');
foreach ($directive->allowed as $value => $x) {
$this->writeElement('value', $value);
}
$this->endElement(); // allowed
}
$this->writeElement('default', $this->export($directive->default));
$this->writeAttribute('xml:space', 'preserve');
if ($directive->external) {
$this->startElement('external');
foreach ($directive->external as $project) {
$this->writeElement('project', $project);
}
$this->endElement();
}
$this->endElement(); // constraints
if ($directive->deprecatedVersion) {
$this->startElement('deprecated');
$this->writeElement('version', $directive->deprecatedVersion);
$this->writeElement('use', $directive->deprecatedUse->toString());
$this->endElement(); // deprecated
}
$this->startElement('description');
$this->writeHTMLDiv($directive->description);
$this->endElement(); // description
$this->endElement(); // directive
}
}
// vim: et sw=4 sts=4

11
lib/html5/standalone/HTMLPurifier/ConfigSchema/Exception.php

@ -0,0 +1,11 @@
<?php
/**
* Exceptions related to configuration schema
*/
class HTMLPurifier_ConfigSchema_Exception extends HTMLPurifier_Exception
{
}
// vim: et sw=4 sts=4

47
lib/html5/standalone/HTMLPurifier/ConfigSchema/Interchange.php

@ -0,0 +1,47 @@
<?php
/**
* Generic schema interchange format that can be converted to a runtime
* representation (HTMLPurifier_ConfigSchema) or HTML documentation. Members
* are completely validated.
*/
class HTMLPurifier_ConfigSchema_Interchange
{
/**
* Name of the application this schema is describing.
* @type string
*/
public $name;
/**
* Array of Directive ID => array(directive info)
* @type HTMLPurifier_ConfigSchema_Interchange_Directive[]
*/
public $directives = array();
/**
* Adds a directive array to $directives
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $directive
* @throws HTMLPurifier_ConfigSchema_Exception
*/
public function addDirective($directive)
{
if (isset($this->directives[$i = $directive->id->toString()])) {
throw new HTMLPurifier_ConfigSchema_Exception("Cannot redefine directive '$i'");
}
$this->directives[$i] = $directive;
}
/**
* Convenience function to perform standard validation. Throws exception
* on failed validation.
*/
public function validate()
{
$validator = new HTMLPurifier_ConfigSchema_Validator();
return $validator->validate($this);
}
}
// vim: et sw=4 sts=4

89
lib/html5/standalone/HTMLPurifier/ConfigSchema/Interchange/Directive.php

@ -0,0 +1,89 @@
<?php
/**
* Interchange component class describing configuration directives.
*/
class HTMLPurifier_ConfigSchema_Interchange_Directive
{
/**
* ID of directive.
* @type HTMLPurifier_ConfigSchema_Interchange_Id
*/
public $id;
/**
* Type, e.g. 'integer' or 'istring'.
* @type string
*/
public $type;
/**
* Default value, e.g. 3 or 'DefaultVal'.
* @type mixed
*/
public $default;
/**
* HTML description.
* @type string
*/
public $description;
/**
* Whether or not null is allowed as a value.
* @type bool
*/
public $typeAllowsNull = false;
/**
* Lookup table of allowed scalar values.
* e.g. array('allowed' => true).
* Null if all values are allowed.
* @type array
*/
public $allowed;
/**
* List of aliases for the directive.
* e.g. array(new HTMLPurifier_ConfigSchema_Interchange_Id('Ns', 'Dir'))).
* @type HTMLPurifier_ConfigSchema_Interchange_Id[]
*/
public $aliases = array();
/**
* Hash of value aliases, e.g. array('alt' => 'real'). Null if value
* aliasing is disabled (necessary for non-scalar types).
* @type array
*/
public $valueAliases;
/**
* Version of HTML Purifier the directive was introduced, e.g. '1.3.1'.
* Null if the directive has always existed.
* @type string
*/
public $version;
/**
* ID of directive that supercedes this old directive.
* Null if not deprecated.
* @type HTMLPurifier_ConfigSchema_Interchange_Id
*/
public $deprecatedUse;
/**
* Version of HTML Purifier this directive was deprecated. Null if not
* deprecated.
* @type string
*/
public $deprecatedVersion;
/**
* List of external projects this directive depends on, e.g. array('CSSTidy').
* @type array
*/
public $external = array();
}
// vim: et sw=4 sts=4

58
lib/html5/standalone/HTMLPurifier/ConfigSchema/Interchange/Id.php

@ -0,0 +1,58 @@
<?php
/**
* Represents a directive ID in the interchange format.
*/
class HTMLPurifier_ConfigSchema_Interchange_Id
{
/**
* @type string
*/
public $key;
/**
* @param string $key
*/
public function __construct($key)
{
$this->key = $key;
}
/**
* @return string
* @warning This is NOT magic, to ensure that people don't abuse SPL and
* cause problems for PHP 5.0 support.
*/
public function toString()
{
return $this->key;
}
/**
* @return string
*/
public function getRootNamespace()
{
return substr($this->key, 0, strpos($this->key, "."));
}
/**
* @return string
*/
public function getDirective()
{
return substr($this->key, strpos($this->key, ".") + 1);
}
/**
* @param string $id
* @return HTMLPurifier_ConfigSchema_Interchange_Id
*/
public static function make($id)
{
return new HTMLPurifier_ConfigSchema_Interchange_Id($id);
}
}
// vim: et sw=4 sts=4

226
lib/html5/standalone/HTMLPurifier/ConfigSchema/InterchangeBuilder.php

@ -0,0 +1,226 @@
<?php
class HTMLPurifier_ConfigSchema_InterchangeBuilder
{
/**
* Used for processing DEFAULT, nothing else.
* @type HTMLPurifier_VarParser
*/
protected $varParser;
/**
* @param HTMLPurifier_VarParser $varParser
*/
public function __construct($varParser = null)
{
$this->varParser = $varParser ? $varParser : new HTMLPurifier_VarParser_Native();
}
/**
* @param string $dir
* @return HTMLPurifier_ConfigSchema_Interchange
*/
public static function buildFromDirectory($dir = null)
{
$builder = new HTMLPurifier_ConfigSchema_InterchangeBuilder();
$interchange = new HTMLPurifier_ConfigSchema_Interchange();
return $builder->buildDir($interchange, $dir);
}
/**
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
* @param string $dir
* @return HTMLPurifier_ConfigSchema_Interchange
*/
public function buildDir($interchange, $dir = null)
{
if (!$dir) {
$dir = HTMLPURIFIER_PREFIX . '/HTMLPurifier/ConfigSchema/schema';
}
if (file_exists($dir . '/info.ini')) {
$info = parse_ini_file($dir . '/info.ini');
$interchange->name = $info['name'];
}
$files = array();
$dh = opendir($dir);
while (false !== ($file = readdir($dh))) {
if (!$file || $file[0] == '.' || strrchr($file, '.') !== '.txt') {
continue;
}
$files[] = $file;
}
closedir($dh);
sort($files);
foreach ($files as $file) {
$this->buildFile($interchange, $dir . '/' . $file);
}
return $interchange;
}
/**
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
* @param string $file
*/
public function buildFile($interchange, $file)
{
$parser = new HTMLPurifier_StringHashParser();
$this->build(
$interchange,
new HTMLPurifier_StringHash($parser->parseFile($file))
);
}
/**
* Builds an interchange object based on a hash.
* @param HTMLPurifier_ConfigSchema_Interchange $interchange HTMLPurifier_ConfigSchema_Interchange object to build
* @param HTMLPurifier_StringHash $hash source data
* @throws HTMLPurifier_ConfigSchema_Exception
*/
public function build($interchange, $hash)
{
if (!$hash instanceof HTMLPurifier_StringHash) {
$hash = new HTMLPurifier_StringHash($hash);
}
if (!isset($hash['ID'])) {
throw new HTMLPurifier_ConfigSchema_Exception('Hash does not have any ID');
}
if (strpos($hash['ID'], '.') === false) {
if (count($hash) == 2 && isset($hash['DESCRIPTION'])) {
$hash->offsetGet('DESCRIPTION'); // prevent complaining
} else {
throw new HTMLPurifier_ConfigSchema_Exception('All directives must have a namespace');
}
} else {
$this->buildDirective($interchange, $hash);
}
$this->_findUnused($hash);
}
/**
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
* @param HTMLPurifier_StringHash $hash
* @throws HTMLPurifier_ConfigSchema_Exception
*/
public function buildDirective($interchange, $hash)
{
$directive = new HTMLPurifier_ConfigSchema_Interchange_Directive();
// These are required elements:
$directive->id = $this->id($hash->offsetGet('ID'));
$id = $directive->id->toString(); // convenience
if (isset($hash['TYPE'])) {
$type = explode('/', $hash->offsetGet('TYPE'));
if (isset($type[1])) {
$directive->typeAllowsNull = true;
}
$directive->type = $type[0];
} else {
throw new HTMLPurifier_ConfigSchema_Exception("TYPE in directive hash '$id' not defined");
}
if (isset($hash['DEFAULT'])) {
try {
$directive->default = $this->varParser->parse(
$hash->offsetGet('DEFAULT'),
$directive->type,
$directive->typeAllowsNull
);
} catch (HTMLPurifier_VarParserException $e) {
throw new HTMLPurifier_ConfigSchema_Exception($e->getMessage() . " in DEFAULT in directive hash '$id'");
}
}
if (isset($hash['DESCRIPTION'])) {
$directive->description = $hash->offsetGet('DESCRIPTION');
}
if (isset($hash['ALLOWED'])) {
$directive->allowed = $this->lookup($this->evalArray($hash->offsetGet('ALLOWED')));
}
if (isset($hash['VALUE-ALIASES'])) {
$directive->valueAliases = $this->evalArray($hash->offsetGet('VALUE-ALIASES'));
}
if (isset($hash['ALIASES'])) {
$raw_aliases = trim($hash->offsetGet('ALIASES'));
$aliases = preg_split('/\s*,\s*/', $raw_aliases);
foreach ($aliases as $alias) {
$directive->aliases[] = $this->id($alias);
}
}
if (isset($hash['VERSION'])) {
$directive->version = $hash->offsetGet('VERSION');
}
if (isset($hash['DEPRECATED-USE'])) {
$directive->deprecatedUse = $this->id($hash->offsetGet('DEPRECATED-USE'));
}
if (isset($hash['DEPRECATED-VERSION'])) {
$directive->deprecatedVersion = $hash->offsetGet('DEPRECATED-VERSION');
}
if (isset($hash['EXTERNAL'])) {
$directive->external = preg_split('/\s*,\s*/', trim($hash->offsetGet('EXTERNAL')));
}
$interchange->addDirective($directive);
}
/**
* Evaluates an array PHP code string without array() wrapper
* @param string $contents
*/
protected function evalArray($contents)
{
return eval('return array(' . $contents . ');');
}
/**
* Converts an array list into a lookup array.
* @param array $array
* @return array
*/
protected function lookup($array)
{
$ret = array();
foreach ($array as $val) {
$ret[$val] = true;
}
return $ret;
}
/**
* Convenience function that creates an HTMLPurifier_ConfigSchema_Interchange_Id
* object based on a string Id.
* @param string $id
* @return HTMLPurifier_ConfigSchema_Interchange_Id
*/
protected function id($id)
{
return HTMLPurifier_ConfigSchema_Interchange_Id::make($id);
}
/**
* Triggers errors for any unused keys passed in the hash; such keys
* may indicate typos, missing values, etc.
* @param HTMLPurifier_StringHash $hash Hash to check.
*/
protected function _findUnused($hash)
{
$accessed = $hash->getAccessed();
foreach ($hash as $k => $v) {
if (!isset($accessed[$k])) {
trigger_error("String hash key '$k' not used by builder", E_USER_NOTICE);
}
}
}
}
// vim: et sw=4 sts=4

248
lib/html5/standalone/HTMLPurifier/ConfigSchema/Validator.php

@ -0,0 +1,248 @@
<?php
/**
* Performs validations on HTMLPurifier_ConfigSchema_Interchange
*
* @note If you see '// handled by InterchangeBuilder', that means a
* design decision in that class would prevent this validation from
* ever being necessary. We have them anyway, however, for
* redundancy.
*/
class HTMLPurifier_ConfigSchema_Validator
{
/**
* @type HTMLPurifier_ConfigSchema_Interchange
*/
protected $interchange;
/**
* @type array
*/
protected $aliases;
/**
* Context-stack to provide easy to read error messages.
* @type array
*/
protected $context = array();
/**
* to test default's type.
* @type HTMLPurifier_VarParser
*/
protected $parser;
public function __construct()
{
$this->parser = new HTMLPurifier_VarParser();
}
/**
* Validates a fully-formed interchange object.
* @param HTMLPurifier_ConfigSchema_Interchange $interchange
* @return bool
*/
public function validate($interchange)
{
$this->interchange = $interchange;
$this->aliases = array();
// PHP is a bit lax with integer <=> string conversions in
// arrays, so we don't use the identical !== comparison
foreach ($interchange->directives as $i => $directive) {
$id = $directive->id->toString();
if ($i != $id) {
$this->error(false, "Integrity violation: key '$i' does not match internal id '$id'");
}
$this->validateDirective($directive);
}
return true;
}
/**
* Validates a HTMLPurifier_ConfigSchema_Interchange_Id object.
* @param HTMLPurifier_ConfigSchema_Interchange_Id $id
*/
public function validateId($id)
{
$id_string = $id->toString();
$this->context[] = "id '$id_string'";
if (!$id instanceof HTMLPurifier_ConfigSchema_Interchange_Id) {
// handled by InterchangeBuilder
$this->error(false, 'is not an instance of HTMLPurifier_ConfigSchema_Interchange_Id');
}
// keys are now unconstrained (we might want to narrow down to A-Za-z0-9.)
// we probably should check that it has at least one namespace
$this->with($id, 'key')
->assertNotEmpty()
->assertIsString(); // implicit assertIsString handled by InterchangeBuilder
array_pop($this->context);
}
/**
* Validates a HTMLPurifier_ConfigSchema_Interchange_Directive object.
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
*/
public function validateDirective($d)
{
$id = $d->id->toString();
$this->context[] = "directive '$id'";
$this->validateId($d->id);
$this->with($d, 'description')
->assertNotEmpty();
// BEGIN - handled by InterchangeBuilder
$this->with($d, 'type')
->assertNotEmpty();
$this->with($d, 'typeAllowsNull')
->assertIsBool();
try {
// This also tests validity of $d->type
$this->parser->parse($d->default, $d->type, $d->typeAllowsNull);
} catch (HTMLPurifier_VarParserException $e) {
$this->error('default', 'had error: ' . $e->getMessage());
}
// END - handled by InterchangeBuilder
if (!is_null($d->allowed) || !empty($d->valueAliases)) {
// allowed and valueAliases require that we be dealing with
// strings, so check for that early.
$d_int = HTMLPurifier_VarParser::$types[$d->type];
if (!isset(HTMLPurifier_VarParser::$stringTypes[$d_int])) {
$this->error('type', 'must be a string type when used with allowed or value aliases');
}
}
$this->validateDirectiveAllowed($d);
$this->validateDirectiveValueAliases($d);
$this->validateDirectiveAliases($d);
array_pop($this->context);
}
/**
* Extra validation if $allowed member variable of
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
*/
public function validateDirectiveAllowed($d)
{
if (is_null($d->allowed)) {
return;
}
$this->with($d, 'allowed')
->assertNotEmpty()
->assertIsLookup(); // handled by InterchangeBuilder
if (is_string($d->default) && !isset($d->allowed[$d->default])) {
$this->error('default', 'must be an allowed value');
}
$this->context[] = 'allowed';
foreach ($d->allowed as $val => $x) {
if (!is_string($val)) {
$this->error("value $val", 'must be a string');
}
}
array_pop($this->context);
}
/**
* Extra validation if $valueAliases member variable of
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
*/
public function validateDirectiveValueAliases($d)
{
if (is_null($d->valueAliases)) {
return;
}
$this->with($d, 'valueAliases')
->assertIsArray(); // handled by InterchangeBuilder
$this->context[] = 'valueAliases';
foreach ($d->valueAliases as $alias => $real) {
if (!is_string($alias)) {
$this->error("alias $alias", 'must be a string');
}
if (!is_string($real)) {
$this->error("alias target $real from alias '$alias'", 'must be a string');
}
if ($alias === $real) {
$this->error("alias '$alias'", "must not be an alias to itself");
}
}
if (!is_null($d->allowed)) {
foreach ($d->valueAliases as $alias => $real) {
if (isset($d->allowed[$alias])) {
$this->error("alias '$alias'", 'must not be an allowed value');
} elseif (!isset($d->allowed[$real])) {
$this->error("alias '$alias'", 'must be an alias to an allowed value');
}
}
}
array_pop($this->context);
}
/**
* Extra validation if $aliases member variable of
* HTMLPurifier_ConfigSchema_Interchange_Directive is defined.
* @param HTMLPurifier_ConfigSchema_Interchange_Directive $d
*/
public function validateDirectiveAliases($d)
{
$this->with($d, 'aliases')
->assertIsArray(); // handled by InterchangeBuilder
$this->context[] = 'aliases';
foreach ($d->aliases as $alias) {
$this->validateId($alias);
$s = $alias->toString();
if (isset($this->interchange->directives[$s])) {
$this->error("alias '$s'", 'collides with another directive');
}
if (isset($this->aliases[$s])) {
$other_directive = $this->aliases[$s];
$this->error("alias '$s'", "collides with alias for directive '$other_directive'");
}
$this->aliases[$s] = $d->id->toString();
}
array_pop($this->context);
}
// protected helper functions
/**
* Convenience function for generating HTMLPurifier_ConfigSchema_ValidatorAtom
* for validating simple member variables of objects.
* @param $obj
* @param $member
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
*/
protected function with($obj, $member)
{
return new HTMLPurifier_ConfigSchema_ValidatorAtom($this->getFormattedContext(), $obj, $member);
}
/**
* Emits an error, providing helpful context.
* @throws HTMLPurifier_ConfigSchema_Exception
*/
protected function error($target, $msg)
{
if ($target !== false) {
$prefix = ucfirst($target) . ' in ' . $this->getFormattedContext();
} else {
$prefix = ucfirst($this->getFormattedContext());
}
throw new HTMLPurifier_ConfigSchema_Exception(trim($prefix . ' ' . $msg));
}
/**
* Returns a formatted context string.
* @return string
*/
protected function getFormattedContext()
{
return implode(' in ', array_reverse($this->context));
}
}
// vim: et sw=4 sts=4

130
lib/html5/standalone/HTMLPurifier/ConfigSchema/ValidatorAtom.php

@ -0,0 +1,130 @@
<?php
/**
* Fluent interface for validating the contents of member variables.
* This should be immutable. See HTMLPurifier_ConfigSchema_Validator for
* use-cases. We name this an 'atom' because it's ONLY for validations that
* are independent and usually scalar.
*/
class HTMLPurifier_ConfigSchema_ValidatorAtom
{
/**
* @type string
*/
protected $context;
/**
* @type object
*/
protected $obj;
/**
* @type string
*/
protected $member;
/**
* @type mixed
*/
protected $contents;
public function __construct($context, $obj, $member)
{
$this->context = $context;
$this->obj = $obj;
$this->member = $member;
$this->contents =& $obj->$member;
}
/**
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
*/
public function assertIsString()
{
if (!is_string($this->contents)) {
$this->error('must be a string');
}
return $this;
}
/**
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
*/
public function assertIsBool()
{
if (!is_bool($this->contents)) {
$this->error('must be a boolean');
}
return $this;
}
/**
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
*/
public function assertIsArray()
{
if (!is_array($this->contents)) {
$this->error('must be an array');
}
return $this;
}
/**
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
*/
public function assertNotNull()
{
if ($this->contents === null) {
$this->error('must not be null');
}
return $this;
}
/**
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
*/
public function assertAlnum()
{
$this->assertIsString();
if (!ctype_alnum($this->contents)) {
$this->error('must be alphanumeric');
}
return $this;
}
/**
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
*/
public function assertNotEmpty()
{
if (empty($this->contents)) {
$this->error('must not be empty');
}
return $this;
}
/**
* @return HTMLPurifier_ConfigSchema_ValidatorAtom
*/
public function assertIsLookup()
{
$this->assertIsArray();
foreach ($this->contents as $v) {
if ($v !== true) {
$this->error('must be a lookup array');
}
}
return $this;
}
/**
* @param string $msg
* @throws HTMLPurifier_ConfigSchema_Exception
*/
protected function error($msg)
{
throw new HTMLPurifier_ConfigSchema_Exception(ucfirst($this->member) . ' in ' . $this->context . ' ' . $msg);
}
}
// vim: et sw=4 sts=4

1
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema.ser

File diff suppressed because one or more lines are too long

8
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.AllowedClasses.txt

@ -0,0 +1,8 @@
Attr.AllowedClasses
TYPE: lookup/null
VERSION: 4.0.0
DEFAULT: null
--DESCRIPTION--
List of allowed class values in the class attribute. By default, this is null,
which means all classes are allowed.
--# vim: et sw=4 sts=4

12
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.AllowedFrameTargets.txt

@ -0,0 +1,12 @@
Attr.AllowedFrameTargets
TYPE: lookup
DEFAULT: array()
--DESCRIPTION--
Lookup table of all allowed link frame targets. Some commonly used link
targets include _blank, _self, _parent and _top. Values should be
lowercase, as validation will be done in a case-sensitive manner despite
W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute
so this directive will have no effect in that doctype. XHTML 1.1 does not
enable the Target module by default, you will have to manually enable it
(see the module documentation for more details.)
--# vim: et sw=4 sts=4

9
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRel.txt

@ -0,0 +1,9 @@
Attr.AllowedRel
TYPE: lookup
VERSION: 1.6.0
DEFAULT: array()
--DESCRIPTION--
List of allowed forward document relationships in the rel attribute. Common
values may be nofollow or print. By default, this is empty, meaning that no
document relationships are allowed.
--# vim: et sw=4 sts=4

9
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRev.txt

@ -0,0 +1,9 @@
Attr.AllowedRev
TYPE: lookup
VERSION: 1.6.0
DEFAULT: array()
--DESCRIPTION--
List of allowed reverse document relationships in the rev attribute. This
attribute is a bit of an edge-case; if you don't know what it is for, stay
away.
--# vim: et sw=4 sts=4

19
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.ClassUseCDATA.txt

@ -0,0 +1,19 @@
Attr.ClassUseCDATA
TYPE: bool/null
DEFAULT: null
VERSION: 4.0.0
--DESCRIPTION--
If null, class will auto-detect the doctype and, if matching XHTML 1.1 or
XHTML 2.0, will use the restrictive NMTOKENS specification of class. Otherwise,
it will use a relaxed CDATA definition. If true, the relaxed CDATA definition
is forced; if false, the NMTOKENS definition is forced. To get behavior
of HTML Purifier prior to 4.0.0, set this directive to false.
Some rational behind the auto-detection:
in previous versions of HTML Purifier, it was assumed that the form of
class was NMTOKENS, as specified by the XHTML Modularization (representing
XHTML 1.1 and XHTML 2.0). The DTDs for HTML 4.01 and XHTML 1.0, however
specify class as CDATA. HTML 5 effectively defines it as CDATA, but
with the additional constraint that each name should be unique (this is not
explicitly outlined in previous specifications).
--# vim: et sw=4 sts=4

11
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.DefaultImageAlt.txt

@ -0,0 +1,11 @@
Attr.DefaultImageAlt
TYPE: string/null
DEFAULT: null
VERSION: 3.2.0
--DESCRIPTION--
This is the content of the alt tag of an image if the user had not
previously specified an alt attribute. This applies to all images without
a valid alt attribute, as opposed to %Attr.DefaultInvalidImageAlt, which
only applies to invalid images, and overrides in the case of an invalid image.
Default behavior with null is to use the basename of the src tag for the alt.
--# vim: et sw=4 sts=4

9
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImage.txt

@ -0,0 +1,9 @@
Attr.DefaultInvalidImage
TYPE: string
DEFAULT: ''
--DESCRIPTION--
This is the default image an img tag will be pointed to if it does not have
a valid src attribute. In future versions, we may allow the image tag to
be removed completely, but due to design issues, this is not possible right
now.
--# vim: et sw=4 sts=4

8
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImageAlt.txt

@ -0,0 +1,8 @@
Attr.DefaultInvalidImageAlt
TYPE: string
DEFAULT: 'Invalid image'
--DESCRIPTION--
This is the content of the alt tag of an invalid image if the user had not
previously specified an alt attribute. It has no effect when the image is
valid but there was no alt attribute present.
--# vim: et sw=4 sts=4

10
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.DefaultTextDir.txt

@ -0,0 +1,10 @@
Attr.DefaultTextDir
TYPE: string
DEFAULT: 'ltr'
--DESCRIPTION--
Defines the default text direction (ltr or rtl) of the document being
parsed. This generally is the same as the value of the dir attribute in
HTML, or ltr if that is not specified.
--ALLOWED--
'ltr', 'rtl'
--# vim: et sw=4 sts=4

16
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.EnableID.txt

@ -0,0 +1,16 @@
Attr.EnableID
TYPE: bool
DEFAULT: false
VERSION: 1.2.0
--DESCRIPTION--
Allows the ID attribute in HTML. This is disabled by default due to the
fact that without proper configuration user input can easily break the
validation of a webpage by specifying an ID that is already on the
surrounding HTML. If you don't mind throwing caution to the wind, enable
this directive, but I strongly recommend you also consider blacklisting IDs
you use (%Attr.IDBlacklist) or prefixing all user supplied IDs
(%Attr.IDPrefix). When set to true HTML Purifier reverts to the behavior of
pre-1.2.0 versions.
--ALIASES--
HTML.EnableAttrID
--# vim: et sw=4 sts=4

8
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.ForbiddenClasses.txt

@ -0,0 +1,8 @@
Attr.ForbiddenClasses
TYPE: lookup
VERSION: 4.0.0
DEFAULT: array()
--DESCRIPTION--
List of forbidden class values in the class attribute. By default, this is
empty, which means that no classes are forbidden. See also %Attr.AllowedClasses.
--# vim: et sw=4 sts=4

10
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt

@ -0,0 +1,10 @@
Attr.ID.HTML5
TYPE: bool/null
DEFAULT: null
VERSION: 4.8.0
--DESCRIPTION--
In HTML5, restrictions on the format of the id attribute have been significantly
relaxed, such that any string is valid so long as it contains no spaces and
is at least one character. In lieu of a general HTML5 compatibility flag,
set this configuration directive to true to use the relaxed rules.
--# vim: et sw=4 sts=4

5
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklist.txt

@ -0,0 +1,5 @@
Attr.IDBlacklist
TYPE: list
DEFAULT: array()
DESCRIPTION: Array of IDs not allowed in the document.
--# vim: et sw=4 sts=4

9
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklistRegexp.txt

@ -0,0 +1,9 @@
Attr.IDBlacklistRegexp
TYPE: string/null
VERSION: 1.6.0
DEFAULT: NULL
--DESCRIPTION--
PCRE regular expression to be matched against all IDs. If the expression is
matches, the ID is rejected. Use this with care: may cause significant
degradation. ID matching is done after all other validation.
--# vim: et sw=4 sts=4

12
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefix.txt

@ -0,0 +1,12 @@
Attr.IDPrefix
TYPE: string
VERSION: 1.2.0
DEFAULT: ''
--DESCRIPTION--
String to prefix to IDs. If you have no idea what IDs your pages may use,
you may opt to simply add a prefix to all user-submitted ID attributes so
that they are still usable, but will not conflict with core page IDs.
Example: setting the directive to 'user_' will result in a user submitted
'foo' to become 'user_foo' Be sure to set %HTML.EnableAttrID to true
before using this.
--# vim: et sw=4 sts=4

14
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt

@ -0,0 +1,14 @@
Attr.IDPrefixLocal
TYPE: string
VERSION: 1.2.0
DEFAULT: ''
--DESCRIPTION--
Temporary prefix for IDs used in conjunction with %Attr.IDPrefix. If you
need to allow multiple sets of user content on web page, you may need to
have a seperate prefix that changes with each iteration. This way,
seperately submitted user content displayed on the same page doesn't
clobber each other. Ideal values are unique identifiers for the content it
represents (i.e. the id of the row in the database). Be sure to add a
seperator (like an underscore) at the end. Warning: this directive will
not work unless %Attr.IDPrefix is set to a non-empty value!
--# vim: et sw=4 sts=4

31
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.AutoParagraph.txt

@ -0,0 +1,31 @@
AutoFormat.AutoParagraph
TYPE: bool
VERSION: 2.0.1
DEFAULT: false
--DESCRIPTION--
<p>
This directive turns on auto-paragraphing, where double newlines are
converted in to paragraphs whenever possible. Auto-paragraphing:
</p>
<ul>
<li>Always applies to inline elements or text in the root node,</li>
<li>Applies to inline elements or text with double newlines in nodes
that allow paragraph tags,</li>
<li>Applies to double newlines in paragraph tags</li>
</ul>
<p>
<code>p</code> tags must be allowed for this directive to take effect.
We do not use <code>br</code> tags for paragraphing, as that is
semantically incorrect.
</p>
<p>
To prevent auto-paragraphing as a content-producer, refrain from using
double-newlines except to specify a new paragraph or in contexts where
it has special meaning (whitespace usually has no meaning except in
tags like <code>pre</code>, so this should not be difficult.) To prevent
the paragraphing of inline text adjacent to block elements, wrap them
in <code>div</code> tags (the behavior is slightly different outside of
the root node.)
</p>
--# vim: et sw=4 sts=4

12
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.Custom.txt

@ -0,0 +1,12 @@
AutoFormat.Custom
TYPE: list
VERSION: 2.0.1
DEFAULT: array()
--DESCRIPTION--
<p>
This directive can be used to add custom auto-format injectors.
Specify an array of injector names (class name minus the prefix)
or concrete implementations. Injector class must exist.
</p>
--# vim: et sw=4 sts=4

11
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt

@ -0,0 +1,11 @@
AutoFormat.DisplayLinkURI
TYPE: bool
VERSION: 3.2.0
DEFAULT: false
--DESCRIPTION--
<p>
This directive turns on the in-text display of URIs in &lt;a&gt; tags, and disables
those links. For example, <a href="http://example.com">example</a> becomes
example (<a>http://example.com</a>).
</p>
--# vim: et sw=4 sts=4

12
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt

@ -0,0 +1,12 @@
AutoFormat.Linkify
TYPE: bool
VERSION: 2.0.1
DEFAULT: false
--DESCRIPTION--
<p>
This directive turns on linkification, auto-linking http, ftp and
https URLs. <code>a</code> tags with the <code>href</code> attribute
must be allowed.
</p>
--# vim: et sw=4 sts=4

12
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.DocURL.txt

@ -0,0 +1,12 @@
AutoFormat.PurifierLinkify.DocURL
TYPE: string
VERSION: 2.0.1
DEFAULT: '#%s'
ALIASES: AutoFormatParam.PurifierLinkifyDocURL
--DESCRIPTION--
<p>
Location of configuration documentation to link to, let %s substitute
into the configuration's namespace and directive names sans the percent
sign.
</p>
--# vim: et sw=4 sts=4

12
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt

@ -0,0 +1,12 @@
AutoFormat.PurifierLinkify
TYPE: bool
VERSION: 2.0.1
DEFAULT: false
--DESCRIPTION--
<p>
Internal auto-formatter that converts configuration directives in
syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags
with the <code>href</code> attribute must be allowed.
</p>
--# vim: et sw=4 sts=4

14
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.Predicate.txt

@ -0,0 +1,14 @@
AutoFormat.RemoveEmpty.Predicate
TYPE: hash
VERSION: 4.7.0
DEFAULT: array('colgroup' => array(), 'th' => array(), 'td' => array(), 'iframe' => array('src'))
--DESCRIPTION--
<p>
Given that an element has no contents, it will be removed by default, unless
this predicate dictates otherwise. The predicate can either be an associative
map from tag name to list of attributes that must be present for the element
to be considered preserved: thus, the default always preserves <code>colgroup</code>,
<code>th</code> and <code>td</code>, and also <code>iframe</code> if it
has a <code>src</code>.
</p>
--# vim: et sw=4 sts=4

11
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.txt

@ -0,0 +1,11 @@
AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions
TYPE: lookup
VERSION: 4.0.0
DEFAULT: array('td' => true, 'th' => true)
--DESCRIPTION--
<p>
When %AutoFormat.RemoveEmpty and %AutoFormat.RemoveEmpty.RemoveNbsp
are enabled, this directive defines what HTML elements should not be
removede if they have only a non-breaking space in them.
</p>
--# vim: et sw=4 sts=4

15
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt

@ -0,0 +1,15 @@
AutoFormat.RemoveEmpty.RemoveNbsp
TYPE: bool
VERSION: 4.0.0
DEFAULT: false
--DESCRIPTION--
<p>
When enabled, HTML Purifier will treat any elements that contain only
non-breaking spaces as well as regular whitespace as empty, and remove
them when %AutoForamt.RemoveEmpty is enabled.
</p>
<p>
See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements
that don't have this behavior applied to them.
</p>
--# vim: et sw=4 sts=4

46
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.txt

@ -0,0 +1,46 @@
AutoFormat.RemoveEmpty
TYPE: bool
VERSION: 3.2.0
DEFAULT: false
--DESCRIPTION--
<p>
When enabled, HTML Purifier will attempt to remove empty elements that
contribute no semantic information to the document. The following types
of nodes will be removed:
</p>
<ul><li>
Tags with no attributes and no content, and that are not empty
elements (remove <code>&lt;a&gt;&lt;/a&gt;</code> but not
<code>&lt;br /&gt;</code>), and
</li>
<li>
Tags with no content, except for:<ul>
<li>The <code>colgroup</code> element, or</li>
<li>
Elements with the <code>id</code> or <code>name</code> attribute,
when those attributes are permitted on those elements.
</li>
</ul></li>
</ul>
<p>
Please be very careful when using this functionality; while it may not
seem that empty elements contain useful information, they can alter the
layout of a document given appropriate styling. This directive is most
useful when you are processing machine-generated HTML, please avoid using
it on regular user HTML.
</p>
<p>
Elements that contain only whitespace will be treated as empty. Non-breaking
spaces, however, do not count as whitespace. See
%AutoFormat.RemoveEmpty.RemoveNbsp for alternate behavior.
</p>
<p>
This algorithm is not perfect; you may still notice some empty tags,
particularly if a node had elements, but those elements were later removed
because they were not permitted in that context, or tags that, after
being auto-closed by another tag, where empty. This is for safety reasons
to prevent clever code from breaking validation. The general rule of thumb:
if a tag looked empty on the way in, it will get removed; if HTML Purifier
made it empty, it will stay.
</p>
--# vim: et sw=4 sts=4

11
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt

@ -0,0 +1,11 @@
AutoFormat.RemoveSpansWithoutAttributes
TYPE: bool
VERSION: 4.0.1
DEFAULT: false
--DESCRIPTION--
<p>
This directive causes <code>span</code> tags without any attributes
to be removed. It will also remove spans that had all attributes
removed during processing.
</p>
--# vim: et sw=4 sts=4

11
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt

@ -0,0 +1,11 @@
CSS.AllowDuplicates
TYPE: bool
DEFAULT: false
VERSION: 4.8.0
--DESCRIPTION--
<p>
By default, HTML Purifier removes duplicate CSS properties,
like <code>color:red; color:blue</code>. If this is set to
true, duplicate properties are allowed.
</p>
--# vim: et sw=4 sts=4

8
lib/html5/standalone/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt

@ -0,0 +1,8 @@
CSS.AllowImportant