├── CREDITS ├── LICENSE ├── README.md ├── VERSION ├── composer.json └── library ├── HTMLPurifier.auto.php ├── HTMLPurifier.autoload-legacy.php ├── HTMLPurifier.autoload.php ├── HTMLPurifier.composer.php ├── HTMLPurifier.func.php ├── HTMLPurifier.includes.php ├── HTMLPurifier.kses.php ├── HTMLPurifier.path.php ├── HTMLPurifier.php ├── HTMLPurifier.safe-includes.php └── HTMLPurifier ├── Arborize.php ├── AttrCollections.php ├── AttrDef.php ├── AttrDef ├── CSS.php ├── CSS │ ├── AlphaValue.php │ ├── Background.php │ ├── BackgroundPosition.php │ ├── Border.php │ ├── Color.php │ ├── Composite.php │ ├── DenyElementDecorator.php │ ├── Filter.php │ ├── Font.php │ ├── FontFamily.php │ ├── Ident.php │ ├── ImportantDecorator.php │ ├── Length.php │ ├── ListStyle.php │ ├── Multiple.php │ ├── Number.php │ ├── Percentage.php │ ├── Ratio.php │ ├── TextDecoration.php │ └── URI.php ├── Clone.php ├── Enum.php ├── HTML │ ├── Bool.php │ ├── Class.php │ ├── Color.php │ ├── ContentEditable.php │ ├── FrameTarget.php │ ├── ID.php │ ├── Length.php │ ├── LinkTypes.php │ ├── MultiLength.php │ ├── Nmtokens.php │ └── Pixels.php ├── Integer.php ├── Lang.php ├── Switch.php ├── Text.php ├── URI.php └── URI │ ├── Email.php │ ├── Email │ └── SimpleCheck.php │ ├── Host.php │ ├── IPv4.php │ └── IPv6.php ├── AttrTransform.php ├── AttrTransform ├── Background.php ├── BdoDir.php ├── BgColor.php ├── BoolToCSS.php ├── Border.php ├── EnumToCSS.php ├── ImgRequired.php ├── ImgSpace.php ├── Input.php ├── Lang.php ├── Length.php ├── Name.php ├── NameSync.php ├── Nofollow.php ├── SafeEmbed.php ├── SafeObject.php ├── SafeParam.php ├── ScriptRequired.php ├── TargetBlank.php ├── TargetNoopener.php ├── TargetNoreferrer.php └── Textarea.php ├── AttrTypes.php ├── AttrValidator.php ├── Bootstrap.php ├── CSSDefinition.php ├── ChildDef.php ├── ChildDef ├── Chameleon.php ├── Custom.php ├── Empty.php ├── List.php ├── Optional.php ├── Required.php ├── StrictBlockquote.php └── Table.php ├── Config.php ├── ConfigSchema.php ├── 
ConfigSchema ├── Builder │ ├── ConfigSchema.php │ └── Xml.php ├── Exception.php ├── Interchange.php ├── Interchange │ ├── Directive.php │ └── Id.php ├── InterchangeBuilder.php ├── Validator.php ├── ValidatorAtom.php ├── schema.ser └── schema │ ├── Attr.AllowedClasses.txt │ ├── Attr.AllowedFrameTargets.txt │ ├── Attr.AllowedRel.txt │ ├── Attr.AllowedRev.txt │ ├── Attr.ClassUseCDATA.txt │ ├── Attr.DefaultImageAlt.txt │ ├── Attr.DefaultInvalidImage.txt │ ├── Attr.DefaultInvalidImageAlt.txt │ ├── Attr.DefaultTextDir.txt │ ├── Attr.EnableID.txt │ ├── Attr.ForbiddenClasses.txt │ ├── Attr.ID.HTML5.txt │ ├── Attr.IDBlacklist.txt │ ├── Attr.IDBlacklistRegexp.txt │ ├── Attr.IDPrefix.txt │ ├── Attr.IDPrefixLocal.txt │ ├── AutoFormat.AutoParagraph.txt │ ├── AutoFormat.Custom.txt │ ├── AutoFormat.DisplayLinkURI.txt │ ├── AutoFormat.Linkify.txt │ ├── AutoFormat.PurifierLinkify.DocURL.txt │ ├── AutoFormat.PurifierLinkify.txt │ ├── AutoFormat.RemoveEmpty.Predicate.txt │ ├── AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.txt │ ├── AutoFormat.RemoveEmpty.RemoveNbsp.txt │ ├── AutoFormat.RemoveEmpty.txt │ ├── AutoFormat.RemoveSpansWithoutAttributes.txt │ ├── CSS.AllowDuplicates.txt │ ├── CSS.AllowImportant.txt │ ├── CSS.AllowTricky.txt │ ├── CSS.AllowedFonts.txt │ ├── CSS.AllowedProperties.txt │ ├── CSS.DefinitionRev.txt │ ├── CSS.ForbiddenProperties.txt │ ├── CSS.MaxImgLength.txt │ ├── CSS.Proprietary.txt │ ├── CSS.Trusted.txt │ ├── Cache.DefinitionImpl.txt │ ├── Cache.SerializerPath.txt │ ├── Cache.SerializerPermissions.txt │ ├── Core.AggressivelyFixLt.txt │ ├── Core.AggressivelyRemoveScript.txt │ ├── Core.AllowHostnameUnderscore.txt │ ├── Core.AllowParseManyTags.txt │ ├── Core.CollectErrors.txt │ ├── Core.ColorKeywords.txt │ ├── Core.ConvertDocumentToFragment.txt │ ├── Core.DirectLexLineNumberSyncInterval.txt │ ├── Core.DisableExcludes.txt │ ├── Core.EnableIDNA.txt │ ├── Core.Encoding.txt │ ├── Core.EscapeInvalidChildren.txt │ ├── Core.EscapeInvalidTags.txt │ ├── 
Core.EscapeNonASCIICharacters.txt │ ├── Core.HiddenElements.txt │ ├── Core.Language.txt │ ├── Core.LegacyEntityDecoder.txt │ ├── Core.LexerImpl.txt │ ├── Core.MaintainLineNumbers.txt │ ├── Core.NormalizeNewlines.txt │ ├── Core.RemoveBlanks.txt │ ├── Core.RemoveInvalidImg.txt │ ├── Core.RemoveProcessingInstructions.txt │ ├── Core.RemoveScriptContents.txt │ ├── Filter.Custom.txt │ ├── Filter.ExtractStyleBlocks.Escaping.txt │ ├── Filter.ExtractStyleBlocks.Scope.txt │ ├── Filter.ExtractStyleBlocks.TidyImpl.txt │ ├── Filter.ExtractStyleBlocks.txt │ ├── Filter.YouTube.txt │ ├── HTML.Allowed.txt │ ├── HTML.AllowedAttributes.txt │ ├── HTML.AllowedComments.txt │ ├── HTML.AllowedCommentsRegexp.txt │ ├── HTML.AllowedElements.txt │ ├── HTML.AllowedModules.txt │ ├── HTML.Attr.Name.UseCDATA.txt │ ├── HTML.BlockWrapper.txt │ ├── HTML.CoreModules.txt │ ├── HTML.CustomDoctype.txt │ ├── HTML.DefinitionID.txt │ ├── HTML.DefinitionRev.txt │ ├── HTML.Doctype.txt │ ├── HTML.FlashAllowFullScreen.txt │ ├── HTML.ForbiddenAttributes.txt │ ├── HTML.ForbiddenElements.txt │ ├── HTML.Forms.txt │ ├── HTML.MaxImgLength.txt │ ├── HTML.Nofollow.txt │ ├── HTML.Parent.txt │ ├── HTML.Proprietary.txt │ ├── HTML.SafeEmbed.txt │ ├── HTML.SafeIframe.txt │ ├── HTML.SafeObject.txt │ ├── HTML.SafeScripting.txt │ ├── HTML.Strict.txt │ ├── HTML.TargetBlank.txt │ ├── HTML.TargetNoopener.txt │ ├── HTML.TargetNoreferrer.txt │ ├── HTML.TidyAdd.txt │ ├── HTML.TidyLevel.txt │ ├── HTML.TidyRemove.txt │ ├── HTML.Trusted.txt │ ├── HTML.XHTML.txt │ ├── Output.CommentScriptContents.txt │ ├── Output.FixInnerHTML.txt │ ├── Output.FlashCompat.txt │ ├── Output.Newline.txt │ ├── Output.SortAttr.txt │ ├── Output.TidyFormat.txt │ ├── Test.ForceNoIconv.txt │ ├── URI.AllowedSchemes.txt │ ├── URI.Base.txt │ ├── URI.DefaultScheme.txt │ ├── URI.DefinitionID.txt │ ├── URI.DefinitionRev.txt │ ├── URI.Disable.txt │ ├── URI.DisableExternal.txt │ ├── URI.DisableExternalResources.txt │ ├── URI.DisableResources.txt │ ├── URI.Host.txt │ ├── 
URI.HostBlacklist.txt │ ├── URI.MakeAbsolute.txt │ ├── URI.Munge.txt │ ├── URI.MungeResources.txt │ ├── URI.MungeSecretKey.txt │ ├── URI.OverrideAllowedSchemes.txt │ ├── URI.SafeIframeHosts.txt │ ├── URI.SafeIframeRegexp.txt │ └── info.ini ├── ContentSets.php ├── Context.php ├── Definition.php ├── DefinitionCache.php ├── DefinitionCache ├── Decorator.php ├── Decorator │ ├── Cleanup.php │ ├── Memory.php │ └── Template.php.in ├── Null.php ├── Serializer.php └── Serializer │ └── README ├── DefinitionCacheFactory.php ├── Doctype.php ├── DoctypeRegistry.php ├── ElementDef.php ├── Encoder.php ├── EntityLookup.php ├── EntityLookup └── entities.ser ├── EntityParser.php ├── ErrorCollector.php ├── ErrorStruct.php ├── Exception.php ├── Filter.php ├── Filter ├── ExtractStyleBlocks.php └── YouTube.php ├── Generator.php ├── HTMLDefinition.php ├── HTMLModule.php ├── HTMLModule ├── Bdo.php ├── CommonAttributes.php ├── Edit.php ├── Forms.php ├── Hypertext.php ├── Iframe.php ├── Image.php ├── Legacy.php ├── List.php ├── Name.php ├── Nofollow.php ├── NonXMLCommonAttributes.php ├── Object.php ├── Presentation.php ├── Proprietary.php ├── Ruby.php ├── SafeEmbed.php ├── SafeObject.php ├── SafeScripting.php ├── Scripting.php ├── StyleAttribute.php ├── Tables.php ├── Target.php ├── TargetBlank.php ├── TargetNoopener.php ├── TargetNoreferrer.php ├── Text.php ├── Tidy.php ├── Tidy │ ├── Name.php │ ├── Proprietary.php │ ├── Strict.php │ ├── Transitional.php │ ├── XHTML.php │ └── XHTMLAndHTML4.php └── XMLCommonAttributes.php ├── HTMLModuleManager.php ├── IDAccumulator.php ├── Injector.php ├── Injector ├── AutoParagraph.php ├── DisplayLinkURI.php ├── Linkify.php ├── PurifierLinkify.php ├── RemoveEmpty.php ├── RemoveSpansWithoutAttributes.php └── SafeObject.php ├── Language.php ├── Language └── messages │ └── en.php ├── LanguageFactory.php ├── Length.php ├── Lexer.php ├── Lexer ├── DOMLex.php ├── DirectLex.php └── PH5P.php ├── Node.php ├── Node ├── Comment.php ├── Element.php └── Text.php ├── 
PercentEncoder.php ├── Printer.php ├── Printer ├── CSSDefinition.php ├── ConfigForm.css ├── ConfigForm.js ├── ConfigForm.php └── HTMLDefinition.php ├── PropertyList.php ├── PropertyListIterator.php ├── Queue.php ├── Strategy.php ├── Strategy ├── Composite.php ├── Core.php ├── FixNesting.php ├── MakeWellFormed.php ├── RemoveForeignElements.php └── ValidateAttributes.php ├── StringHash.php ├── StringHashParser.php ├── TagTransform.php ├── TagTransform ├── Font.php └── Simple.php ├── Token.php ├── Token ├── Comment.php ├── Empty.php ├── End.php ├── Start.php ├── Tag.php └── Text.php ├── TokenFactory.php ├── URI.php ├── URIDefinition.php ├── URIFilter.php ├── URIFilter ├── DisableExternal.php ├── DisableExternalResources.php ├── DisableResources.php ├── HostBlacklist.php ├── MakeAbsolute.php ├── Munge.php └── SafeIframe.php ├── URIParser.php ├── URIScheme.php ├── URIScheme ├── data.php ├── file.php ├── ftp.php ├── http.php ├── https.php ├── mailto.php ├── news.php ├── nntp.php └── tel.php ├── URISchemeRegistry.php ├── UnitConverter.php ├── VarParser.php ├── VarParser ├── Flexible.php └── Native.php ├── VarParserException.php └── Zipper.php /CREDITS: -------------------------------------------------------------------------------- 1 | 2 | CREDITS 3 | 4 | Almost everything written by Edward Z. Yang (Ambush Commander). Lots of thanks 5 | to the DevNetwork Community for their help (see docs/ref-devnetwork.html for 6 | more details), Feyd especially (namely IPv6 and optimization). Thanks to RSnake 7 | for letting me package his fantastic XSS cheatsheet for a smoketest. 
8 | 9 | vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | HTML Purifier [![Build Status](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml/badge.svg?branch=master)](https://github.com/ezyang/htmlpurifier/actions/workflows/ci.yml) 2 | ============= 3 | 4 | HTML Purifier is an HTML filtering solution that uses a unique combination 5 | of robust whitelists and aggressive parsing to ensure that not only are 6 | XSS attacks thwarted, but the resulting HTML is standards compliant. 7 | 8 | HTML Purifier is oriented towards richly formatted documents from 9 | untrusted sources that require CSS and a full tag-set. This library can 10 | be configured to accept a more restrictive set of tags, but it won't be 11 | as efficient as more bare-bones parsers. It will, however, do the job 12 | right, which may be more important. 13 | 14 | Places to go: 15 | 16 | * See INSTALL for a quick installation guide 17 | * See docs/ for developer-oriented documentation, code examples and 18 | an in-depth installation guide. 19 | * See WYSIWYG for information on editors like TinyMCE and FCKeditor 20 | 21 | HTML Purifier can be found on the web at: [http://htmlpurifier.org/](http://htmlpurifier.org/) 22 | 23 | ## Installation 24 | 25 | Package available on [Composer](https://packagist.org/packages/ezyang/htmlpurifier). 
26 | 27 | If you're using Composer to manage dependencies, you can use 28 | 29 | $ composer require ezyang/htmlpurifier 30 | -------------------------------------------------------------------------------- /VERSION: -------------------------------------------------------------------------------- 1 | 4.18.0 -------------------------------------------------------------------------------- /composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ezyang/htmlpurifier", 3 | "description": "Standards compliant HTML filter written in PHP", 4 | "type": "library", 5 | "keywords": ["html"], 6 | "homepage": "http://htmlpurifier.org/", 7 | "license": "LGPL-2.1-or-later", 8 | "authors": [ 9 | { 10 | "name": "Edward Z. Yang", 11 | "email": "admin@htmlpurifier.org", 12 | "homepage": "http://ezyang.com" 13 | } 14 | ], 15 | "require": { 16 | "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0" 17 | }, 18 | "require-dev": { 19 | "cerdic/css-tidy": "^1.7 || ^2.0", 20 | "simpletest/simpletest": "dev-master" 21 | }, 22 | "autoload": { 23 | "psr-0": { "HTMLPurifier": "library/" }, 24 | "files": ["library/HTMLPurifier.composer.php"], 25 | "exclude-from-classmap": [ 26 | "/library/HTMLPurifier/Language/" 27 | ] 28 | }, 29 | "suggest": { 30 | "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.", 31 | "ext-iconv": "Converts text to and from non-UTF-8 encodings", 32 | "ext-bcmath": "Used for unit conversion and imagecrash protection", 33 | "ext-tidy": "Used for pretty-printing HTML" 34 | }, 35 | "config": { 36 | "sort-packages": true 37 | }, 38 | "repositories": [ 39 | { 40 | "type": "vcs", 41 | "url": "https://github.com/ezyang/simpletest.git", 42 | "no-api": true 43 | } 44 | ] 45 | } 46 | -------------------------------------------------------------------------------- /library/HTMLPurifier.auto.php: 
-------------------------------------------------------------------------------- 1 | purify($html, $config); 23 | } 24 | 25 | // vim: et sw=4 sts=4 26 | -------------------------------------------------------------------------------- /library/HTMLPurifier.kses.php: -------------------------------------------------------------------------------- 1 | $attributes) { 16 | $allowed_elements[$element] = true; 17 | foreach ($attributes as $attribute => $x) { 18 | $allowed_attributes["$element.$attribute"] = true; 19 | } 20 | } 21 | $config->set('HTML.AllowedElements', $allowed_elements); 22 | $config->set('HTML.AllowedAttributes', $allowed_attributes); 23 | if ($allowed_protocols !== null) { 24 | $config->set('URI.AllowedSchemes', $allowed_protocols); 25 | } 26 | $purifier = new HTMLPurifier($config); 27 | return $purifier->purify($string); 28 | } 29 | 30 | // vim: et sw=4 sts=4 31 | -------------------------------------------------------------------------------- /library/HTMLPurifier.path.php: -------------------------------------------------------------------------------- 1 | 1.0) { 28 | $result = '1'; 29 | } 30 | return $result; 31 | } 32 | } 33 | 34 | // vim: et sw=4 sts=4 35 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/CSS/Composite.php: -------------------------------------------------------------------------------- 1 | defs = $defs; 28 | } 29 | 30 | /** 31 | * @param string $string 32 | * @param HTMLPurifier_Config $config 33 | * @param HTMLPurifier_Context $context 34 | * @return bool|string 35 | */ 36 | public function validate($string, $config, $context) 37 | { 38 | foreach ($this->defs as $i => $def) { 39 | $result = $this->defs[$i]->validate($string, $config, $context); 40 | if ($result !== false) { 41 | return $result; 42 | } 43 | } 44 | return false; 45 | } 46 | } 47 | 48 | // vim: et sw=4 sts=4 49 | -------------------------------------------------------------------------------- 
/library/HTMLPurifier/AttrDef/CSS/DenyElementDecorator.php: -------------------------------------------------------------------------------- 1 | def = $def; 24 | $this->element = $element; 25 | } 26 | 27 | /** 28 | * Checks if CurrentToken is set and equal to $this->element 29 | * @param string $string 30 | * @param HTMLPurifier_Config $config 31 | * @param HTMLPurifier_Context $context 32 | * @return bool|string 33 | */ 34 | public function validate($string, $config, $context) 35 | { 36 | $token = $context->get('CurrentToken', true); 37 | if ($token && $token->name == $this->element) { 38 | return false; 39 | } 40 | return $this->def->validate($string, $config, $context); 41 | } 42 | } 43 | 44 | // vim: et sw=4 sts=4 45 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/CSS/Ident.php: -------------------------------------------------------------------------------- 1 | number_def = new HTMLPurifier_AttrDef_CSS_Number($non_negative); 21 | } 22 | 23 | /** 24 | * @param string $string 25 | * @param HTMLPurifier_Config $config 26 | * @param HTMLPurifier_Context $context 27 | * @return bool|string 28 | */ 29 | public function validate($string, $config, $context) 30 | { 31 | $string = $this->parseCDATA($string); 32 | 33 | if ($string === '') { 34 | return false; 35 | } 36 | $length = strlen($string); 37 | if ($length === 1) { 38 | return false; 39 | } 40 | if ($string[$length - 1] !== '%') { 41 | return false; 42 | } 43 | 44 | $number = substr($string, 0, $length - 1); 45 | $number = $this->number_def->validate($number, $config, $context); 46 | 47 | if ($number === false) { 48 | return false; 49 | } 50 | return "$number%"; 51 | } 52 | } 53 | 54 | // vim: et sw=4 sts=4 55 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/CSS/Ratio.php: -------------------------------------------------------------------------------- 1 | parseCDATA($ratio); 21 | 22 | 
$parts = explode('/', $ratio, 2); 23 | $length = count($parts); 24 | 25 | if ($length < 1 || $length > 2) { 26 | return false; 27 | } 28 | 29 | $num = new \HTMLPurifier_AttrDef_CSS_Number(); 30 | 31 | if ($length === 1) { 32 | return $num->validate($parts[0], $config, $context); 33 | } 34 | 35 | $num1 = $num->validate($parts[0], $config, $context); 36 | $num2 = $num->validate($parts[1], $config, $context); 37 | 38 | if ($num1 === false || $num2 === false) { 39 | return false; 40 | } 41 | 42 | return $num1 . '/' . $num2; 43 | } 44 | } 45 | 46 | // vim: et sw=4 sts=4 47 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/CSS/TextDecoration.php: -------------------------------------------------------------------------------- 1 | true, 21 | 'overline' => true, 22 | 'underline' => true, 23 | ); 24 | 25 | $string = strtolower($this->parseCDATA($string)); 26 | 27 | if ($string === 'none') { 28 | return $string; 29 | } 30 | 31 | $parts = explode(' ', $string); 32 | $final = ''; 33 | foreach ($parts as $part) { 34 | if (isset($allowed_values[$part])) { 35 | $final .= $part . 
' '; 36 | } 37 | } 38 | $final = rtrim($final); 39 | if ($final === '') { 40 | return false; 41 | } 42 | return $final; 43 | } 44 | } 45 | 46 | // vim: et sw=4 sts=4 47 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/Clone.php: -------------------------------------------------------------------------------- 1 | clone = $clone; 21 | } 22 | 23 | /** 24 | * @param string $v 25 | * @param HTMLPurifier_Config $config 26 | * @param HTMLPurifier_Context $context 27 | * @return bool|string 28 | */ 29 | public function validate($v, $config, $context) 30 | { 31 | return $this->clone->validate($v, $config, $context); 32 | } 33 | 34 | /** 35 | * @param string $string 36 | * @return HTMLPurifier_AttrDef 37 | */ 38 | public function make($string) 39 | { 40 | return clone $this->clone; 41 | } 42 | } 43 | 44 | // vim: et sw=4 sts=4 45 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/HTML/Bool.php: -------------------------------------------------------------------------------- 1 | name = $name; 25 | } 26 | 27 | /** 28 | * @param string $string 29 | * @param HTMLPurifier_Config $config 30 | * @param HTMLPurifier_Context $context 31 | * @return bool|string 32 | */ 33 | public function validate($string, $config, $context) 34 | { 35 | return $this->name; 36 | } 37 | 38 | /** 39 | * @param string $string Name of attribute 40 | * @return HTMLPurifier_AttrDef_HTML_Bool 41 | */ 42 | public function make($string) 43 | { 44 | return new HTMLPurifier_AttrDef_HTML_Bool($string); 45 | } 46 | } 47 | 48 | // vim: et sw=4 sts=4 49 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/HTML/Class.php: -------------------------------------------------------------------------------- 1 | getDefinition('HTML')->doctype->name; 18 | if ($name == "XHTML 1.1" || $name == "XHTML 2.0") { 19 | return parent::split($string, 
$config, $context); 20 | } else { 21 | return preg_split('/\s+/', $string); 22 | } 23 | } 24 | 25 | /** 26 | * @param array $tokens 27 | * @param HTMLPurifier_Config $config 28 | * @param HTMLPurifier_Context $context 29 | * @return array 30 | */ 31 | protected function filter($tokens, $config, $context) 32 | { 33 | $allowed = $config->get('Attr.AllowedClasses'); 34 | $forbidden = $config->get('Attr.ForbiddenClasses'); 35 | $ret = array(); 36 | foreach ($tokens as $token) { 37 | if (($allowed === null || isset($allowed[$token])) && 38 | !isset($forbidden[$token]) && 39 | // We need this O(n) check because of PHP's array 40 | // implementation that casts -0 to 0. 41 | !in_array($token, $ret, true) 42 | ) { 43 | $ret[] = $token; 44 | } 45 | } 46 | return $ret; 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/HTML/Color.php: -------------------------------------------------------------------------------- 1 | get('Core.ColorKeywords'); 20 | } 21 | 22 | $string = trim($string); 23 | 24 | if (empty($string)) { 25 | return false; 26 | } 27 | $lower = strtolower($string); 28 | if (isset($colors[$lower])) { 29 | return $colors[$lower]; 30 | } 31 | if ($string[0] === '#') { 32 | $hex = substr($string, 1); 33 | } else { 34 | $hex = $string; 35 | } 36 | 37 | $length = strlen($hex); 38 | if ($length !== 3 && $length !== 6) { 39 | return false; 40 | } 41 | if (!ctype_xdigit($hex)) { 42 | return false; 43 | } 44 | if ($length === 3) { 45 | $hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . 
$hex[2]; 46 | } 47 | return "#$hex"; 48 | } 49 | } 50 | 51 | // vim: et sw=4 sts=4 52 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/HTML/ContentEditable.php: -------------------------------------------------------------------------------- 1 | get('HTML.Trusted')) { 9 | $allowed = array('', 'true', 'false'); 10 | } 11 | 12 | $enum = new HTMLPurifier_AttrDef_Enum($allowed); 13 | 14 | return $enum->validate($string, $config, $context); 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/HTML/FrameTarget.php: -------------------------------------------------------------------------------- 1 | valid_values === false) { 32 | $this->valid_values = $config->get('Attr.AllowedFrameTargets'); 33 | } 34 | return parent::validate($string, $config, $context); 35 | } 36 | } 37 | 38 | // vim: et sw=4 sts=4 39 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/HTML/Length.php: -------------------------------------------------------------------------------- 1 | 100) { 50 | return '100%'; 51 | } 52 | return ((string)$points) . 
'%'; 53 | } 54 | } 55 | 56 | // vim: et sw=4 sts=4 57 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/HTML/MultiLength.php: -------------------------------------------------------------------------------- 1 | tag = $tag; 32 | $this->withTag = $with_tag; 33 | $this->withoutTag = $without_tag; 34 | } 35 | 36 | /** 37 | * @param string $string 38 | * @param HTMLPurifier_Config $config 39 | * @param HTMLPurifier_Context $context 40 | * @return bool|string 41 | */ 42 | public function validate($string, $config, $context) 43 | { 44 | $token = $context->get('CurrentToken', true); 45 | if (!$token || $token->name !== $this->tag) { 46 | return $this->withoutTag->validate($string, $config, $context); 47 | } else { 48 | return $this->withTag->validate($string, $config, $context); 49 | } 50 | } 51 | } 52 | 53 | // vim: et sw=4 sts=4 54 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/Text.php: -------------------------------------------------------------------------------- 1 | parseCDATA($string); 18 | } 19 | } 20 | 21 | // vim: et sw=4 sts=4 22 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/URI/Email.php: -------------------------------------------------------------------------------- 1 | " 19 | // that needs more percent encoding to be done 20 | if ($string == '') { 21 | return false; 22 | } 23 | $string = trim($string); 24 | $result = preg_match('/^[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i', $string); 25 | return $result ? $string : false; 26 | } 27 | } 28 | 29 | // vim: et sw=4 sts=4 30 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrDef/URI/IPv4.php: -------------------------------------------------------------------------------- 1 | ip4) { 25 | $this->_loadRegex(); 26 | } 27 | 28 | if (preg_match('#^' . $this->ip4 . 
'$#s', $aIP)) { 29 | return $aIP; 30 | } 31 | return false; 32 | } 33 | 34 | /** 35 | * Lazy load function to prevent regex from being stuffed in 36 | * cache. 37 | */ 38 | protected function _loadRegex() 39 | { 40 | $oct = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])'; // 0-255 41 | $this->ip4 = "(?:{$oct}\\.{$oct}\\.{$oct}\\.{$oct})"; 42 | } 43 | } 44 | 45 | // vim: et sw=4 sts=4 46 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/Background.php: -------------------------------------------------------------------------------- 1 | confiscateAttr($attr, 'background'); 21 | // some validation should happen here 22 | 23 | $this->prependCSS($attr, "background-image:url($background);"); 24 | return $attr; 25 | } 26 | } 27 | 28 | // vim: et sw=4 sts=4 29 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/BdoDir.php: -------------------------------------------------------------------------------- 1 | get('Attr.DefaultTextDir'); 23 | return $attr; 24 | } 25 | } 26 | 27 | // vim: et sw=4 sts=4 28 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/BgColor.php: -------------------------------------------------------------------------------- 1 | confiscateAttr($attr, 'bgcolor'); 21 | // some validation should happen here 22 | 23 | $this->prependCSS($attr, "background-color:$bgcolor;"); 24 | return $attr; 25 | } 26 | } 27 | 28 | // vim: et sw=4 sts=4 29 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/BoolToCSS.php: -------------------------------------------------------------------------------- 1 | attr = $attr; 27 | $this->css = $css; 28 | } 29 | 30 | /** 31 | * @param array $attr 32 | * @param HTMLPurifier_Config $config 33 | * @param HTMLPurifier_Context $context 34 | * @return array 35 | */ 36 
| public function transform($attr, $config, $context) 37 | { 38 | if (!isset($attr[$this->attr])) { 39 | return $attr; 40 | } 41 | unset($attr[$this->attr]); 42 | $this->prependCSS($attr, $this->css); 43 | return $attr; 44 | } 45 | } 46 | 47 | // vim: et sw=4 sts=4 48 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/Border.php: -------------------------------------------------------------------------------- 1 | confiscateAttr($attr, 'border'); 20 | // some validation should happen here 21 | $this->prependCSS($attr, "border:{$border_width}px solid;"); 22 | return $attr; 23 | } 24 | } 25 | 26 | // vim: et sw=4 sts=4 27 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/ImgRequired.php: -------------------------------------------------------------------------------- 1 | get('Core.RemoveInvalidImg')) { 25 | return $attr; 26 | } 27 | $attr['src'] = $config->get('Attr.DefaultInvalidImage'); 28 | $src = false; 29 | } 30 | 31 | if (!isset($attr['alt'])) { 32 | if ($src) { 33 | $alt = $config->get('Attr.DefaultImageAlt'); 34 | if ($alt === null) { 35 | $attr['alt'] = basename($attr['src']); 36 | } else { 37 | $attr['alt'] = $alt; 38 | } 39 | } else { 40 | $attr['alt'] = $config->get('Attr.DefaultInvalidImageAlt'); 41 | } 42 | } 43 | return $attr; 44 | } 45 | } 46 | 47 | // vim: et sw=4 sts=4 48 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/ImgSpace.php: -------------------------------------------------------------------------------- 1 | array('left', 'right'), 18 | 'vspace' => array('top', 'bottom') 19 | ); 20 | 21 | /** 22 | * @param string $attr 23 | */ 24 | public function __construct($attr) 25 | { 26 | $this->attr = $attr; 27 | if (!isset($this->css[$attr])) { 28 | trigger_error(htmlspecialchars($attr) . 
' is not valid space attribute'); 29 | } 30 | } 31 | 32 | /** 33 | * @param array $attr 34 | * @param HTMLPurifier_Config $config 35 | * @param HTMLPurifier_Context $context 36 | * @return array 37 | */ 38 | public function transform($attr, $config, $context) 39 | { 40 | if (!isset($attr[$this->attr])) { 41 | return $attr; 42 | } 43 | 44 | $width = $this->confiscateAttr($attr, $this->attr); 45 | // some validation could happen here 46 | 47 | if (!isset($this->css[$this->attr])) { 48 | return $attr; 49 | } 50 | 51 | $style = ''; 52 | foreach ($this->css[$this->attr] as $suffix) { 53 | $property = "margin-$suffix"; 54 | $style .= "$property:{$width}px;"; 55 | } 56 | $this->prependCSS($attr, $style); 57 | return $attr; 58 | } 59 | } 60 | 61 | // vim: et sw=4 sts=4 62 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/Lang.php: -------------------------------------------------------------------------------- 1 | name = $name; 22 | $this->cssName = $css_name ? $css_name : $name; 23 | } 24 | 25 | /** 26 | * @param array $attr 27 | * @param HTMLPurifier_Config $config 28 | * @param HTMLPurifier_Context $context 29 | * @return array 30 | */ 31 | public function transform($attr, $config, $context) 32 | { 33 | if (!isset($attr[$this->name])) { 34 | return $attr; 35 | } 36 | $length = $this->confiscateAttr($attr, $this->name); 37 | if (ctype_digit($length)) { 38 | $length .= 'px'; 39 | } 40 | $this->prependCSS($attr, $this->cssName . 
":$length;"); 41 | return $attr; 42 | } 43 | } 44 | 45 | // vim: et sw=4 sts=4 46 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/Name.php: -------------------------------------------------------------------------------- 1 | get('HTML.Attr.Name.UseCDATA')) { 19 | return $attr; 20 | } 21 | if (!isset($attr['name'])) { 22 | return $attr; 23 | } 24 | $id = $this->confiscateAttr($attr, 'name'); 25 | if (isset($attr['id'])) { 26 | return $attr; 27 | } 28 | $attr['id'] = $id; 29 | return $attr; 30 | } 31 | } 32 | 33 | // vim: et sw=4 sts=4 34 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/NameSync.php: -------------------------------------------------------------------------------- 1 | idDef = new HTMLPurifier_AttrDef_HTML_ID(); 19 | } 20 | 21 | /** 22 | * @param array $attr 23 | * @param HTMLPurifier_Config $config 24 | * @param HTMLPurifier_Context $context 25 | * @return array 26 | */ 27 | public function transform($attr, $config, $context) 28 | { 29 | if (!isset($attr['name'])) { 30 | return $attr; 31 | } 32 | $name = $attr['name']; 33 | if (isset($attr['id']) && $attr['id'] === $name) { 34 | return $attr; 35 | } 36 | $result = $this->idDef->validate($name, $config, $context); 37 | if ($result === false) { 38 | unset($attr['name']); 39 | } else { 40 | $attr['name'] = $result; 41 | } 42 | return $attr; 43 | } 44 | } 45 | 46 | // vim: et sw=4 sts=4 47 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/Nofollow.php: -------------------------------------------------------------------------------- 1 | parser = new HTMLPurifier_URIParser(); 19 | } 20 | 21 | /** 22 | * @param array $attr 23 | * @param HTMLPurifier_Config $config 24 | * @param HTMLPurifier_Context $context 25 | * @return array 26 | */ 27 | public function transform($attr, $config, $context) 28 | { 29 
| if (!isset($attr['href'])) { 30 | return $attr; 31 | } 32 | 33 | // XXX Kind of inefficient 34 | $url = $this->parser->parse($attr['href']); 35 | $scheme = $url->getSchemeObj($config, $context); 36 | 37 | if ($scheme->browsable && !$url->isLocal($config, $context)) { 38 | if (isset($attr['rel'])) { 39 | $rels = explode(' ', $attr['rel']); 40 | if (!in_array('nofollow', $rels)) { 41 | $rels[] = 'nofollow'; 42 | } 43 | $attr['rel'] = implode(' ', $rels); 44 | } else { 45 | $attr['rel'] = 'nofollow'; 46 | } 47 | } 48 | return $attr; 49 | } 50 | } 51 | 52 | // vim: et sw=4 sts=4 53 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/SafeEmbed.php: -------------------------------------------------------------------------------- 1 | 5 | */ 6 | class HTMLPurifier_AttrTransform_ScriptRequired extends HTMLPurifier_AttrTransform 7 | { 8 | /** 9 | * @param array $attr 10 | * @param HTMLPurifier_Config $config 11 | * @param HTMLPurifier_Context $context 12 | * @return array 13 | */ 14 | public function transform($attr, $config, $context) 15 | { 16 | if (!isset($attr['type'])) { 17 | $attr['type'] = 'text/javascript'; 18 | } 19 | return $attr; 20 | } 21 | } 22 | 23 | // vim: et sw=4 sts=4 24 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/TargetBlank.php: -------------------------------------------------------------------------------- 1 | parser = new HTMLPurifier_URIParser(); 20 | } 21 | 22 | /** 23 | * @param array $attr 24 | * @param HTMLPurifier_Config $config 25 | * @param HTMLPurifier_Context $context 26 | * @return array 27 | */ 28 | public function transform($attr, $config, $context) 29 | { 30 | if (!isset($attr['href'])) { 31 | return $attr; 32 | } 33 | 34 | // XXX Kind of inefficient 35 | $url = $this->parser->parse($attr['href']); 36 | 37 | // Ignore invalid schemes (e.g. 
`javascript:`) 38 | if (!($scheme = $url->getSchemeObj($config, $context))) { 39 | return $attr; 40 | } 41 | 42 | if ($scheme->browsable && !$url->isBenign($config, $context)) { 43 | $attr['target'] = '_blank'; 44 | } 45 | return $attr; 46 | } 47 | } 48 | 49 | // vim: et sw=4 sts=4 50 | -------------------------------------------------------------------------------- /library/HTMLPurifier/AttrTransform/TargetNoopener.php: -------------------------------------------------------------------------------- 1 | 5 | */ 6 | class HTMLPurifier_AttrTransform_Textarea extends HTMLPurifier_AttrTransform 7 | { 8 | /** 9 | * @param array $attr 10 | * @param HTMLPurifier_Config $config 11 | * @param HTMLPurifier_Context $context 12 | * @return array 13 | */ 14 | public function transform($attr, $config, $context) 15 | { 16 | // Calculated from Firefox 17 | if (!isset($attr['cols'])) { 18 | $attr['cols'] = '22'; 19 | } 20 | if (!isset($attr['rows'])) { 21 | $attr['rows'] = '3'; 22 | } 23 | return $attr; 24 | } 25 | } 26 | 27 | // vim: et sw=4 sts=4 28 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ChildDef.php: -------------------------------------------------------------------------------- 1 | elements; 39 | } 40 | 41 | /** 42 | * Validates nodes according to definition and returns modification. 
43 | * 44 | * @param HTMLPurifier_Node[] $children Array of HTMLPurifier_Node 45 | * @param HTMLPurifier_Config $config HTMLPurifier_Config object 46 | * @param HTMLPurifier_Context $context HTMLPurifier_Context object 47 | * @return bool|array true to leave nodes as is, false to remove parent node, array of replacement children 48 | */ 49 | abstract public function validateChildren($children, $config, $context); 50 | } 51 | 52 | // vim: et sw=4 sts=4 53 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ChildDef/Empty.php: -------------------------------------------------------------------------------- 1 | whitespace) { 36 | return $children; 37 | } else { 38 | return array(); 39 | } 40 | } 41 | return $result; 42 | } 43 | } 44 | 45 | // vim: et sw=4 sts=4 46 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/Builder/ConfigSchema.php: -------------------------------------------------------------------------------- 1 | directives as $d) { 18 | $schema->add( 19 | $d->id->key, 20 | $d->default, 21 | $d->type, 22 | $d->typeAllowsNull 23 | ); 24 | if ($d->allowed !== null) { 25 | $schema->addAllowedValues( 26 | $d->id->key, 27 | $d->allowed 28 | ); 29 | } 30 | foreach ($d->aliases as $alias) { 31 | $schema->addAlias( 32 | $alias->key, 33 | $d->id->key 34 | ); 35 | } 36 | if ($d->valueAliases !== null) { 37 | $schema->addValueAliases( 38 | $d->id->key, 39 | $d->valueAliases 40 | ); 41 | } 42 | } 43 | $schema->postProcess(); 44 | return $schema; 45 | } 46 | } 47 | 48 | // vim: et sw=4 sts=4 49 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/Exception.php: -------------------------------------------------------------------------------- 1 | array(directive info) 19 | * @type HTMLPurifier_ConfigSchema_Interchange_Directive[] 20 | */ 21 | public $directives = array(); 22 | 23 | /** 24 | 
* Adds a directive array to $directives 25 | * @param HTMLPurifier_ConfigSchema_Interchange_Directive $directive 26 | * @throws HTMLPurifier_ConfigSchema_Exception 27 | */ 28 | public function addDirective($directive) 29 | { 30 | if (isset($this->directives[$i = $directive->id->toString()])) { 31 | throw new HTMLPurifier_ConfigSchema_Exception("Cannot redefine directive '$i'"); 32 | } 33 | $this->directives[$i] = $directive; 34 | } 35 | 36 | /** 37 | * Convenience function to perform standard validation. Throws exception 38 | * on failed validation. 39 | */ 40 | public function validate() 41 | { 42 | $validator = new HTMLPurifier_ConfigSchema_Validator(); 43 | return $validator->validate($this); 44 | } 45 | } 46 | 47 | // vim: et sw=4 sts=4 48 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/Interchange/Id.php: -------------------------------------------------------------------------------- 1 | key = $key; 20 | } 21 | 22 | /** 23 | * @return string 24 | * @warning This is NOT magic, to ensure that people don't abuse SPL and 25 | * cause problems for PHP 5.0 support. 
26 | */ 27 | public function toString() 28 | { 29 | return $this->key; 30 | } 31 | 32 | /** 33 | * @return string 34 | */ 35 | public function getRootNamespace() 36 | { 37 | return substr($this->key, 0, strpos($this->key, ".")); 38 | } 39 | 40 | /** 41 | * @return string 42 | */ 43 | public function getDirective() 44 | { 45 | return substr($this->key, strpos($this->key, ".") + 1); 46 | } 47 | 48 | /** 49 | * @param string $id 50 | * @return HTMLPurifier_ConfigSchema_Interchange_Id 51 | */ 52 | public static function make($id) 53 | { 54 | return new HTMLPurifier_ConfigSchema_Interchange_Id($id); 55 | } 56 | } 57 | 58 | // vim: et sw=4 sts=4 59 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedClasses.txt: -------------------------------------------------------------------------------- 1 | Attr.AllowedClasses 2 | TYPE: lookup/null 3 | VERSION: 4.0.0 4 | DEFAULT: null 5 | --DESCRIPTION-- 6 | List of allowed class values in the class attribute. By default, this is null, 7 | which means all classes are allowed. 8 | --# vim: et sw=4 sts=4 9 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedFrameTargets.txt: -------------------------------------------------------------------------------- 1 | Attr.AllowedFrameTargets 2 | TYPE: lookup 3 | DEFAULT: array() 4 | --DESCRIPTION-- 5 | Lookup table of all allowed link frame targets. Some commonly used link 6 | targets include _blank, _self, _parent and _top. Values should be 7 | lowercase, as validation will be done in a case-sensitive manner despite 8 | W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute 9 | so this directive will have no effect in that doctype. XHTML 1.1 does not 10 | enable the Target module by default, you will have to manually enable it 11 | (see the module documentation for more details.) 
12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRel.txt: -------------------------------------------------------------------------------- 1 | Attr.AllowedRel 2 | TYPE: lookup 3 | VERSION: 1.6.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 | List of allowed forward document relationships in the rel attribute. Common 7 | values may be nofollow or print. By default, this is empty, meaning that no 8 | document relationships are allowed. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.AllowedRev.txt: -------------------------------------------------------------------------------- 1 | Attr.AllowedRev 2 | TYPE: lookup 3 | VERSION: 1.6.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 | List of allowed reverse document relationships in the rev attribute. This 7 | attribute is a bit of an edge-case; if you don't know what it is for, stay 8 | away. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.ClassUseCDATA.txt: -------------------------------------------------------------------------------- 1 | Attr.ClassUseCDATA 2 | TYPE: bool/null 3 | DEFAULT: null 4 | VERSION: 4.0.0 5 | --DESCRIPTION-- 6 | If null, class will auto-detect the doctype and, if matching XHTML 1.1 or 7 | XHTML 2.0, will use the restrictive NMTOKENS specification of class. Otherwise, 8 | it will use a relaxed CDATA definition. If true, the relaxed CDATA definition 9 | is forced; if false, the NMTOKENS definition is forced. To get behavior 10 | of HTML Purifier prior to 4.0.0, set this directive to false. 
11 | 12 | Some rationale behind the auto-detection: 13 | in previous versions of HTML Purifier, it was assumed that the form of 14 | class was NMTOKENS, as specified by the XHTML Modularization (representing 15 | XHTML 1.1 and XHTML 2.0). The DTDs for HTML 4.01 and XHTML 1.0, however, 16 | specify class as CDATA. HTML 5 effectively defines it as CDATA, but 17 | with the additional constraint that each name should be unique (this is not 18 | explicitly outlined in previous specifications). 19 | --# vim: et sw=4 sts=4 20 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultImageAlt.txt: -------------------------------------------------------------------------------- 1 | Attr.DefaultImageAlt 2 | TYPE: string/null 3 | DEFAULT: null 4 | VERSION: 3.2.0 5 | --DESCRIPTION-- 6 | This is the content of the alt attribute of an image if the user has not 7 | specified an alt attribute. This applies to all images without 8 | a valid alt attribute, as opposed to %Attr.DefaultInvalidImageAlt, which 9 | only applies to invalid images, and overrides in the case of an invalid image. 10 | Default behavior with null is to use the basename of the src attribute for the alt. 11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImage.txt: -------------------------------------------------------------------------------- 1 | Attr.DefaultInvalidImage 2 | TYPE: string 3 | DEFAULT: '' 4 | --DESCRIPTION-- 5 | This is the default image an img tag will be pointed to if it does not have 6 | a valid src attribute. In future versions, we may allow the image tag to 7 | be removed completely, but due to design issues, this is not possible right 8 | now.
9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultInvalidImageAlt.txt: -------------------------------------------------------------------------------- 1 | Attr.DefaultInvalidImageAlt 2 | TYPE: string 3 | DEFAULT: 'Invalid image' 4 | --DESCRIPTION-- 5 | This is the content of the alt tag of an invalid image if the user had not 6 | previously specified an alt attribute. It has no effect when the image is 7 | valid but there was no alt attribute present. 8 | --# vim: et sw=4 sts=4 9 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.DefaultTextDir.txt: -------------------------------------------------------------------------------- 1 | Attr.DefaultTextDir 2 | TYPE: string 3 | DEFAULT: 'ltr' 4 | --DESCRIPTION-- 5 | Defines the default text direction (ltr or rtl) of the document being 6 | parsed. This generally is the same as the value of the dir attribute in 7 | HTML, or ltr if that is not specified. 8 | --ALLOWED-- 9 | 'ltr', 'rtl' 10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.EnableID.txt: -------------------------------------------------------------------------------- 1 | Attr.EnableID 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 1.2.0 5 | --DESCRIPTION-- 6 | Allows the ID attribute in HTML. This is disabled by default due to the 7 | fact that without proper configuration user input can easily break the 8 | validation of a webpage by specifying an ID that is already on the 9 | surrounding HTML. If you don't mind throwing caution to the wind, enable 10 | this directive, but I strongly recommend you also consider blacklisting IDs 11 | you use (%Attr.IDBlacklist) or prefixing all user supplied IDs 12 | (%Attr.IDPrefix). 
When set to true HTML Purifier reverts to the behavior of 13 | pre-1.2.0 versions. 14 | --ALIASES-- 15 | HTML.EnableAttrID 16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.ForbiddenClasses.txt: -------------------------------------------------------------------------------- 1 | Attr.ForbiddenClasses 2 | TYPE: lookup 3 | VERSION: 4.0.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 | List of forbidden class values in the class attribute. By default, this is 7 | empty, which means that no classes are forbidden. See also %Attr.AllowedClasses. 8 | --# vim: et sw=4 sts=4 9 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.ID.HTML5.txt: -------------------------------------------------------------------------------- 1 | Attr.ID.HTML5 2 | TYPE: bool/null 3 | DEFAULT: null 4 | VERSION: 4.8.0 5 | --DESCRIPTION-- 6 | In HTML5, restrictions on the format of the id attribute have been significantly 7 | relaxed, such that any string is valid so long as it contains no spaces and 8 | is at least one character. In lieu of a general HTML5 compatibility flag, 9 | set this configuration directive to true to use the relaxed rules. 10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklist.txt: -------------------------------------------------------------------------------- 1 | Attr.IDBlacklist 2 | TYPE: list 3 | DEFAULT: array() 4 | DESCRIPTION: Array of IDs not allowed in the document. 
5 | --# vim: et sw=4 sts=4 6 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.IDBlacklistRegexp.txt: -------------------------------------------------------------------------------- 1 | Attr.IDBlacklistRegexp 2 | TYPE: string/null 3 | VERSION: 1.6.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | PCRE regular expression to be matched against all IDs. If the expression 7 | matches, the ID is rejected. Use this with care: it may cause significant 8 | performance degradation. ID matching is done after all other validation. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefix.txt: -------------------------------------------------------------------------------- 1 | Attr.IDPrefix 2 | TYPE: string 3 | VERSION: 1.2.0 4 | DEFAULT: '' 5 | --DESCRIPTION-- 6 | String to prefix to IDs. If you have no idea what IDs your pages may use, 7 | you may opt to simply add a prefix to all user-submitted ID attributes so 8 | that they are still usable, but will not conflict with core page IDs. 9 | Example: setting the directive to 'user_' will result in a user-submitted 10 | 'foo' becoming 'user_foo'. Be sure to set %HTML.EnableAttrID to true 11 | before using this. 12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Attr.IDPrefixLocal.txt: -------------------------------------------------------------------------------- 1 | Attr.IDPrefixLocal 2 | TYPE: string 3 | VERSION: 1.2.0 4 | DEFAULT: '' 5 | --DESCRIPTION-- 6 | Temporary prefix for IDs used in conjunction with %Attr.IDPrefix. If you 7 | need to allow multiple sets of user content on a web page, you may need to 8 | have a separate prefix that changes with each iteration.
This way, 9 | separately submitted user content displayed on the same page doesn't 10 | clobber each other. Ideal values are unique identifiers for the content it 11 | represents (i.e. the id of the row in the database). Be sure to add a 12 | separator (like an underscore) at the end. Warning: this directive will 13 | not work unless %Attr.IDPrefix is set to a non-empty value! 14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.AutoParagraph.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.AutoParagraph 2 | TYPE: bool 3 | VERSION: 2.0.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | 7 |

8 | This directive turns on auto-paragraphing, where double newlines are 9 | converted into paragraphs whenever possible. Auto-paragraphing: 10 |

11 | 17 |

18 | p tags must be allowed for this directive to take effect. 19 | We do not use br tags for paragraphing, as that is 20 | semantically incorrect. 21 |

22 |

23 | To prevent auto-paragraphing as a content-producer, refrain from using 24 | double-newlines except to specify a new paragraph or in contexts where 25 | it has special meaning (whitespace usually has no meaning except in 26 | tags like pre, so this should not be difficult.) To prevent 27 | the paragraphing of inline text adjacent to block elements, wrap them 28 | in div tags (the behavior is slightly different outside of 29 | the root node.) 30 |

31 | --# vim: et sw=4 sts=4 32 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Custom.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.Custom 2 | TYPE: list 3 | VERSION: 2.0.1 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 | 7 |

8 | This directive can be used to add custom auto-format injectors. 9 | Specify an array of injector names (class name minus the prefix) 10 | or concrete implementations. Injector class must exist. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.DisplayLinkURI.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.DisplayLinkURI 2 | TYPE: bool 3 | VERSION: 3.2.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | This directive turns on the in-text display of URIs in <a> tags, and disables 8 | those links. For example, a link whose text is example and whose href is http://example.com becomes the plain text 9 | example (http://example.com). 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.Linkify.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.Linkify 2 | TYPE: bool 3 | VERSION: 2.0.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | 7 |

8 | This directive turns on linkification, auto-linking http, ftp and 9 | https URLs. a tags with the href attribute 10 | must be allowed. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.DocURL.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.PurifierLinkify.DocURL 2 | TYPE: string 3 | VERSION: 2.0.1 4 | DEFAULT: '#%s' 5 | ALIASES: AutoFormatParam.PurifierLinkifyDocURL 6 | --DESCRIPTION-- 7 |

8 | Location of the configuration documentation to link to; %s is substituted 9 | with the configuration's namespace and directive name, without the leading percent 10 | sign. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.PurifierLinkify.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.PurifierLinkify 2 | TYPE: bool 3 | VERSION: 2.0.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | 7 |

8 | Internal auto-formatter that converts configuration directives in 9 | syntax %Namespace.Directive to links. a tags 10 | with the href attribute must be allowed. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.Predicate.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.RemoveEmpty.Predicate 2 | TYPE: hash 3 | VERSION: 4.7.0 4 | DEFAULT: array('colgroup' => array(), 'th' => array(), 'td' => array(), 'iframe' => array('src')) 5 | --DESCRIPTION-- 6 |

7 | Given that an element has no contents, it will be removed by default, unless 8 | this predicate dictates otherwise. The predicate is an associative 9 | map from tag name to the list of attributes that must be present for the element 10 | to be preserved: thus, the default always preserves colgroup, 11 | th and td, and also iframe if it 12 | has a src. 13 |

14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions 2 | TYPE: lookup 3 | VERSION: 4.0.0 4 | DEFAULT: array('td' => true, 'th' => true) 5 | --DESCRIPTION-- 6 |

7 | When %AutoFormat.RemoveEmpty and %AutoFormat.RemoveEmpty.RemoveNbsp 8 | are enabled, this directive defines which HTML elements should not be 9 | removed if they contain only a non-breaking space. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveEmpty.RemoveNbsp.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.RemoveEmpty.RemoveNbsp 2 | TYPE: bool 3 | VERSION: 4.0.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | When enabled, HTML Purifier will treat any elements that contain only 8 | non-breaking spaces as well as regular whitespace as empty, and remove 9 | them when %AutoFormat.RemoveEmpty is enabled. 10 |

11 |

12 | See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements 13 | that don't have this behavior applied to them. 14 |

15 | --# vim: et sw=4 sts=4 16 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/AutoFormat.RemoveSpansWithoutAttributes.txt: -------------------------------------------------------------------------------- 1 | AutoFormat.RemoveSpansWithoutAttributes 2 | TYPE: bool 3 | VERSION: 4.0.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | This directive causes span tags without any attributes 8 | to be removed. It will also remove spans that had all attributes 9 | removed during processing. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.AllowDuplicates.txt: -------------------------------------------------------------------------------- 1 | CSS.AllowDuplicates 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 4.8.0 5 | --DESCRIPTION-- 6 |

7 | By default, HTML Purifier removes duplicate CSS properties, 8 | like color:red; color:blue. If this is set to 9 | true, duplicate properties are allowed. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.AllowImportant.txt: -------------------------------------------------------------------------------- 1 | CSS.AllowImportant 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 3.1.0 5 | --DESCRIPTION-- 6 | This parameter determines whether or not !important cascade modifiers should 7 | be allowed in user CSS. If false, !important will be stripped. 8 | --# vim: et sw=4 sts=4 9 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.AllowTricky.txt: -------------------------------------------------------------------------------- 1 | CSS.AllowTricky 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 3.1.0 5 | --DESCRIPTION-- 6 | This parameter determines whether or not to allow "tricky" CSS properties and 7 | values. Tricky CSS properties/values can drastically modify page layout or 8 | be used for deceptive practices but do not directly constitute a security risk. 9 | For example, display:none; is considered a tricky property that 10 | will only be allowed if this directive is set to true. 11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedFonts.txt: -------------------------------------------------------------------------------- 1 | CSS.AllowedFonts 2 | TYPE: lookup/null 3 | VERSION: 4.3.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 |

7 | Allows you to manually specify a set of allowed fonts. If 8 | NULL, all fonts are allowed. This directive 9 | affects generic names (serif, sans-serif, monospace, cursive, 10 | fantasy) as well as specific font families. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.AllowedProperties.txt: -------------------------------------------------------------------------------- 1 | CSS.AllowedProperties 2 | TYPE: lookup/null 3 | VERSION: 3.1.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | If HTML Purifier's set of allowed style properties is unsatisfactory for your needs, 9 | you can override it with your own list of properties to allow. Note that this 10 | method is subtractive: it works by taking away from HTML Purifier's 11 | usual feature set, so you cannot add a property that HTML Purifier never 12 | supported in the first place. 13 |

14 |

15 | Warning: If another directive conflicts with the 16 | elements here, that directive will win and override. 17 |

18 | --# vim: et sw=4 sts=4 19 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.DefinitionRev.txt: -------------------------------------------------------------------------------- 1 | CSS.DefinitionRev 2 | TYPE: int 3 | VERSION: 2.0.0 4 | DEFAULT: 1 5 | --DESCRIPTION-- 6 | 7 |

8 | Revision identifier for your custom definition. See 9 | %HTML.DefinitionRev for details. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.ForbiddenProperties.txt: -------------------------------------------------------------------------------- 1 | CSS.ForbiddenProperties 2 | TYPE: lookup 3 | VERSION: 4.2.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 |

7 | This is the logical inverse of %CSS.AllowedProperties, and it will 8 | override that directive or any other directive. If possible, 9 | %CSS.AllowedProperties is recommended over this directive, 10 | because it can sometimes be difficult to tell whether or not you've 11 | forbidden all of the CSS properties you truly would like to disallow. 12 |

13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt: -------------------------------------------------------------------------------- 1 | CSS.MaxImgLength 2 | TYPE: string/null 3 | DEFAULT: null 4 | VERSION: 3.1.1 5 | --DESCRIPTION-- 6 |

7 | This parameter sets the maximum allowed length on img tags, 8 | effectively the width and height properties. 9 | Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is 10 | in place to prevent imagecrash attacks; disable with null at your own risk. 11 | This directive is similar to %HTML.MaxImgLength, and both should be 12 | edited together, although there are 13 | subtle differences in the input format (the CSS max is a number with 14 | a unit). 15 |

16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.Proprietary.txt: -------------------------------------------------------------------------------- 1 | CSS.Proprietary 2 | TYPE: bool 3 | VERSION: 3.0.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | 7 |

8 | Whether or not to allow safe, proprietary CSS values. 9 |

10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt: -------------------------------------------------------------------------------- 1 | CSS.Trusted 2 | TYPE: bool 3 | VERSION: 4.2.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | Indicates whether the user's CSS input is trusted. If the 7 | input is trusted, a more expansive set of properties is allowed. See 8 | also %HTML.Trusted. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Cache.DefinitionImpl.txt: -------------------------------------------------------------------------------- 1 | Cache.DefinitionImpl 2 | TYPE: string/null 3 | VERSION: 2.0.0 4 | DEFAULT: 'Serializer' 5 | --DESCRIPTION-- 6 | 7 | This directive defines which method to use when caching definitions, 8 | the complex data-type that makes HTML Purifier tick. Set to null 9 | to disable caching (not recommended, as you will see a definite 10 | performance degradation). 11 | 12 | --ALIASES-- 13 | Core.DefinitionCache 14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPath.txt: -------------------------------------------------------------------------------- 1 | Cache.SerializerPath 2 | TYPE: string/null 3 | VERSION: 2.0.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | Absolute path with no trailing slash to store serialized definitions in. 9 | Default is within the 10 | HTML Purifier library inside DefinitionCache/Serializer. This 11 | path must be writable by the webserver. 12 |

13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Cache.SerializerPermissions.txt: -------------------------------------------------------------------------------- 1 | Cache.SerializerPermissions 2 | TYPE: int/null 3 | VERSION: 4.3.0 4 | DEFAULT: 0755 5 | --DESCRIPTION-- 6 | 7 |

8 | Directory permissions of the files and directories created inside 9 | the DefinitionCache/Serializer or other custom serializer path. 10 |

11 |

12 | In HTML Purifier 4.8.0, this also supports NULL, 13 | which means that no chmod'ing or directory creation shall 14 | occur. 15 |

16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyFixLt.txt: -------------------------------------------------------------------------------- 1 | Core.AggressivelyFixLt 2 | TYPE: bool 3 | VERSION: 2.1.0 4 | DEFAULT: true 5 | --DESCRIPTION-- 6 |

7 | This directive enables aggressive pre-filter fixes HTML Purifier can 8 | perform in order to ensure that open angled-brackets do not get killed 9 | during parsing stage. Enabling this will result in two preg_replace_callback 10 | calls and at least two preg_replace calls for every HTML document parsed; 11 | if your users make very well-formed HTML, you can set this directive false. 12 | This has no effect when DirectLex is used. 13 |

14 |

15 | Notice: This directive's default turned from false to true 16 | in HTML Purifier 3.2.0. 17 |

18 | --# vim: et sw=4 sts=4 19 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.AggressivelyRemoveScript.txt: -------------------------------------------------------------------------------- 1 | Core.AggressivelyRemoveScript 2 | TYPE: bool 3 | VERSION: 4.9.0 4 | DEFAULT: true 5 | --DESCRIPTION-- 6 |

7 | This directive enables aggressive pre-filter removal of 8 | script tags. This is not necessary for security, 9 | but it can help work around a bug in libxml where embedded 10 | HTML elements inside script sections cause the parser to 11 | choke. To revert to pre-4.9.0 behavior, set this to false. 12 | This directive has no effect if %Core.Trusted is true, 13 | %Core.RemoveScriptContents is false, or %Core.HiddenElements 14 | does not contain script. 15 |

16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.AllowHostnameUnderscore.txt: -------------------------------------------------------------------------------- 1 | Core.AllowHostnameUnderscore 2 | TYPE: bool 3 | VERSION: 4.6.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | By RFC 1123, underscores are not permitted in host names. 8 | (This is in contrast to the specification for DNS, RFC 9 | 2181, which allows underscores.) 10 | However, most browsers do the right thing when faced with 11 | an underscore in the host name, and so some poorly written 12 | websites are written with the expectation this should work. 13 | Setting this parameter to true relaxes our allowed character 14 | check so that underscores are permitted. 15 |

16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.AllowParseManyTags.txt: -------------------------------------------------------------------------------- 1 | Core.AllowParseManyTags 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 4.10.1 5 | --DESCRIPTION-- 6 |

7 | This directive allows parsing of many nested tags. 8 | If set to true, it relaxes any hardcoded nesting limit in the parser. 9 | However, in that case it may enable a denial-of-service (DoS) attack. 10 | Be careful when enabling it. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.CollectErrors.txt: -------------------------------------------------------------------------------- 1 | Core.CollectErrors 2 | TYPE: bool 3 | VERSION: 2.0.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | 7 | Whether or not to collect errors found while filtering the document. This 8 | is a useful way to give feedback to your users. Warning: 9 | Currently this feature is very patchy and experimental, with lots of 10 | possible error messages not yet implemented. It will not cause any 11 | problems, but it may not help your users either. 12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.ConvertDocumentToFragment.txt: -------------------------------------------------------------------------------- 1 | Core.ConvertDocumentToFragment 2 | TYPE: bool 3 | DEFAULT: true 4 | --DESCRIPTION-- 5 | 6 | This parameter determines whether or not the filter should convert 7 | input that is a full document with html and body tags to a fragment 8 | of just the contents of a body tag. This parameter is simply something 9 | HTML Purifier can do during an edge-case: for most inputs, this 10 | processing is not necessary. Warning: Full HTML purification has not 11 | been implemented. See GitHub issue #7. 12 | 13 | --ALIASES-- 14 | Core.AcceptFullDocuments 15 | --# vim: et sw=4 sts=4 16 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.DirectLexLineNumberSyncInterval.txt: -------------------------------------------------------------------------------- 1 | Core.DirectLexLineNumberSyncInterval 2 | TYPE: int 3 | VERSION: 2.0.0 4 | DEFAULT: 0 5 | --DESCRIPTION-- 6 | 7 |

8 | Specifies the number of tokens the DirectLex line number tracking 9 | implementations should process before attempting to resynchronize the 10 | current line count by manually counting all previous new-lines. When 11 | at 0, this functionality is disabled. Lower values will decrease 12 | performance, and this is only strictly necessary if the counting 13 | algorithm is buggy (in which case you should report it as a bug). 14 | This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is 15 | not being used. 16 |

17 | --# vim: et sw=4 sts=4 18 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.DisableExcludes.txt: -------------------------------------------------------------------------------- 1 | Core.DisableExcludes 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 4.5.0 5 | --DESCRIPTION-- 6 |

7 | This directive disables SGML-style exclusions, e.g. the exclusion of 8 | <object> in any descendant of a 9 | <pre> tag. Disabling excludes will allow some 10 | invalid documents to pass through HTML Purifier, but HTML Purifier 11 | will also be less likely to accidentally remove large documents during 12 | processing. 13 |

14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.EnableIDNA.txt: -------------------------------------------------------------------------------- 1 | Core.EnableIDNA 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 4.4.0 5 | --DESCRIPTION-- 6 | Allows international domain names in URLs. This configuration option 7 | requires the PEAR Net_IDNA2 module to be installed. It operates by 8 | punycoding any internationalized host names for maximum portability. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.Encoding.txt: -------------------------------------------------------------------------------- 1 | Core.Encoding 2 | TYPE: istring 3 | DEFAULT: 'utf-8' 4 | --DESCRIPTION-- 5 | If for some reason you are unable to convert all webpages to UTF-8, you can 6 | use this directive as a stop-gap compatibility change to let HTML Purifier 7 | deal with non UTF-8 input. This technique has notable deficiencies: 8 | absolutely no characters outside of the selected character encoding will be 9 | preserved, not even the ones that have been ampersand escaped (this is due 10 | to a UTF-8 specific feature that automatically resolves all 11 | entities), making it pretty useless for anything except the most I18N-blind 12 | applications, although %Core.EscapeNonASCIICharacters offers fixes this 13 | trouble with another tradeoff. This directive only accepts ISO-8859-1 if 14 | iconv is not enabled. 15 | --# vim: et sw=4 sts=4 16 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidChildren.txt: -------------------------------------------------------------------------------- 1 | Core.EscapeInvalidChildren 2 | TYPE: bool 3 | DEFAULT: false 4 | --DESCRIPTION-- 5 |

Warning: this configuration option no longer does anything as of 4.6.0.

6 | 7 |

When true, a child that is found not to be allowed in the context of the 8 | parent element will be transformed into text as if it were ASCII. When 9 | false, that element and all internal tags will be dropped, though text will 10 | be preserved. There is no option for dropping the element but preserving 11 | child nodes.

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.EscapeInvalidTags.txt: -------------------------------------------------------------------------------- 1 | Core.EscapeInvalidTags 2 | TYPE: bool 3 | DEFAULT: false 4 | --DESCRIPTION-- 5 | When true, invalid tags will be written back to the document as plain text. 6 | Otherwise, they are silently dropped. 7 | --# vim: et sw=4 sts=4 8 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.EscapeNonASCIICharacters.txt: -------------------------------------------------------------------------------- 1 | Core.EscapeNonASCIICharacters 2 | TYPE: bool 3 | VERSION: 1.4.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | This directive overcomes a deficiency in %Core.Encoding by blindly 7 | converting all non-ASCII characters into decimal numeric entities before 8 | converting it to its native encoding. This means that even characters that 9 | can be expressed in the non-UTF-8 encoding will be entity-ized, which can 10 | be a real downer for encodings like Big5. It also assumes that the ASCII 11 | repertoire is available, although this is the case for almost all encodings. 12 | Anyway, use UTF-8! 13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.HiddenElements.txt: -------------------------------------------------------------------------------- 1 | Core.HiddenElements 2 | TYPE: lookup 3 | --DEFAULT-- 4 | array ( 5 | 'script' => true, 6 | 'style' => true, 7 | ) 8 | --DESCRIPTION-- 9 | 10 |

11 | This directive is a lookup array of elements which should have their 12 | contents removed when they are not allowed by the HTML definition. 13 | For example, the contents of a script tag are not 14 | normally shown in a document, so if script tags are to be removed, 15 | their contents should be removed too. This is opposed to a b 16 | tag, which defines some presentational changes but does not hide its 17 | contents. 18 |

19 | --# vim: et sw=4 sts=4 20 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.Language.txt: -------------------------------------------------------------------------------- 1 | Core.Language 2 | TYPE: string 3 | VERSION: 2.0.0 4 | DEFAULT: 'en' 5 | --DESCRIPTION-- 6 | 7 | ISO 639 language code for localizable things in HTML Purifier to use, 8 | which is mainly error reporting. There is currently only an English (en) 9 | translation, so this directive is currently useless. 10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.LegacyEntityDecoder.txt: -------------------------------------------------------------------------------- 1 | Core.LegacyEntityDecoder 2 | TYPE: bool 3 | VERSION: 4.9.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Prior to HTML Purifier 4.9.0, entities were decoded by performing 8 | a global search-and-replace for all entities whose decoded versions 9 | did not have special meanings under HTML, replacing them with 10 | their decoded versions. We would match all entities, even if they did 11 | not have a trailing semicolon, but only if there weren't any trailing 12 | alphanumeric characters. 13 |

14 | 15 | 16 | 17 | 18 | 19 | 20 |
OriginalTextAttribute
&yen;¥¥
&yen¥¥
&yena&yena&yena
&yen=¥=¥=
21 |

22 | In HTML Purifier 4.9.0, we changed the behavior of entity parsing 23 | to match entities that had missing trailing semicolons in less 24 | cases, to more closely match HTML5 parsing behavior: 25 |

26 | 27 | 28 | 29 | 30 | 31 | 32 |
OriginalTextAttribute
&yen;¥¥
&yen¥¥
&yena¥a&yena
&yen=¥=&yen=
33 |

34 | This flag reverts back to pre-HTML Purifier 4.9.0 behavior. 35 |

36 | --# vim: et sw=4 sts=4 37 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.LexerImpl.txt: -------------------------------------------------------------------------------- 1 | Core.LexerImpl 2 | TYPE: mixed/null 3 | VERSION: 2.0.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | This parameter determines what lexer implementation can be used. The 9 | valid values are: 10 |

11 |
12 |
null
13 |
14 | Recommended, the lexer implementation will be auto-detected based on 15 | your PHP-version and configuration. 16 |
17 |
string lexer identifier
18 |
19 | This is a slim way of manually overriding the implementation. 20 | Currently recognized values are: DOMLex (the default PHP5 21 | implementation) 22 | and DirectLex (the default PHP4 implementation). Only use this if 23 | you know what you are doing: usually, the auto-detection will 24 | manage things for cases you aren't even aware of. 25 |
26 |
object lexer instance
27 |
28 | Super-advanced: you can specify your own, custom, implementation that 29 | implements the interface defined by HTMLPurifier_Lexer. 30 | I may remove this option simply because I don't expect anyone 31 | to use it. 32 |
33 |
34 | --# vim: et sw=4 sts=4 35 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.MaintainLineNumbers.txt: -------------------------------------------------------------------------------- 1 | Core.MaintainLineNumbers 2 | TYPE: bool/null 3 | VERSION: 2.0.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | If true, HTML Purifier will add line number information to all tokens. 9 | This is useful when error reporting is turned on, but can result in 10 | significant performance degradation and should not be used when 11 | unnecessary. This directive must be used with the DirectLex lexer, 12 | as the DOMLex lexer does not (yet) support this functionality. 13 | If the value is null, an appropriate value will be selected based 14 | on other configuration. 15 |

16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.NormalizeNewlines.txt: -------------------------------------------------------------------------------- 1 | Core.NormalizeNewlines 2 | TYPE: bool 3 | VERSION: 4.2.0 4 | DEFAULT: true 5 | --DESCRIPTION-- 6 |

7 | Whether or not to normalize newlines to the operating 8 | system default. When false, HTML Purifier 9 | will attempt to preserve mixed newline files. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.RemoveBlanks.txt: -------------------------------------------------------------------------------- 1 | Core.RemoveBlanks 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 4.18 5 | --DESCRIPTION-- 6 |

7 | If set to true, blank nodes will be removed. This can be useful for maintaining 8 | backwards compatibility when upgrading from previous versions of PHP. 9 |

10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.RemoveInvalidImg.txt: -------------------------------------------------------------------------------- 1 | Core.RemoveInvalidImg 2 | TYPE: bool 3 | DEFAULT: true 4 | VERSION: 1.3.0 5 | --DESCRIPTION-- 6 | 7 |

8 | This directive enables pre-emptive URI checking in img 9 | tags, as the attribute validation strategy is not authorized to 10 | remove elements from the document. Revert to pre-1.3.0 behavior by setting to false. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.RemoveProcessingInstructions.txt: -------------------------------------------------------------------------------- 1 | Core.RemoveProcessingInstructions 2 | TYPE: bool 3 | VERSION: 4.2.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | Instead of escaping processing instructions in the form <? ... 7 | ?>, remove it out-right. This may be useful if the HTML 8 | you are validating contains XML processing instruction gunk, however, 9 | it can also be user-unfriendly for people attempting to post PHP 10 | snippets. 11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Core.RemoveScriptContents.txt: -------------------------------------------------------------------------------- 1 | Core.RemoveScriptContents 2 | TYPE: bool/null 3 | DEFAULT: NULL 4 | VERSION: 2.0.0 5 | DEPRECATED-VERSION: 2.1.0 6 | DEPRECATED-USE: Core.HiddenElements 7 | --DESCRIPTION-- 8 |

9 | This directive enables HTML Purifier to remove not only script tags 10 | but all of their contents. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Filter.Custom.txt: -------------------------------------------------------------------------------- 1 | Filter.Custom 2 | TYPE: list 3 | VERSION: 3.1.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 |

7 | This directive can be used to add custom filters; it is nearly the 8 | equivalent of the now deprecated HTMLPurifier->addFilter() 9 | method. Specify an array of concrete implementations. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Escaping.txt: -------------------------------------------------------------------------------- 1 | Filter.ExtractStyleBlocks.Escaping 2 | TYPE: bool 3 | VERSION: 3.0.0 4 | DEFAULT: true 5 | ALIASES: Filter.ExtractStyleBlocksEscaping, FilterParam.ExtractStyleBlocksEscaping 6 | --DESCRIPTION-- 7 | 8 |

9 | Whether or not to escape the dangerous characters <, > and & 10 | as \3C, \3E and \26, respectively. This can be safely set to false 11 | if the contents of StyleBlocks will be placed in an external stylesheet, 12 | where there is no risk of it being interpreted as HTML. 13 |

14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.Scope.txt: -------------------------------------------------------------------------------- 1 | Filter.ExtractStyleBlocks.Scope 2 | TYPE: string/null 3 | VERSION: 3.0.0 4 | DEFAULT: NULL 5 | ALIASES: Filter.ExtractStyleBlocksScope, FilterParam.ExtractStyleBlocksScope 6 | --DESCRIPTION-- 7 | 8 |

9 | If you would like users to be able to define external stylesheets, but 10 | only allow them to specify CSS declarations for a specific node and 11 | prevent them from fiddling with other elements, use this directive. 12 | It accepts any valid CSS selector, and will prepend this to any 13 | CSS declaration extracted from the document. For example, if this 14 | directive is set to #user-content and a user uses the 15 | selector a:hover, the final selector will be 16 | #user-content a:hover. 17 |

18 |

19 | The comma shorthand may be used; consider the above example, with 20 | #user-content, #user-content2, the final selector will 21 | be #user-content a:hover, #user-content2 a:hover. 22 |

23 |

24 | Warning: It is possible for users to bypass this measure 25 | using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML 26 | Purifier, and I am working to get it fixed. Until then, HTML Purifier 27 | performs a basic check to prevent this. 28 |

29 | --# vim: et sw=4 sts=4 30 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.TidyImpl.txt: -------------------------------------------------------------------------------- 1 | Filter.ExtractStyleBlocks.TidyImpl 2 | TYPE: mixed/null 3 | VERSION: 3.1.0 4 | DEFAULT: NULL 5 | ALIASES: FilterParam.ExtractStyleBlocksTidyImpl 6 | --DESCRIPTION-- 7 |

8 | If left NULL, HTML Purifier will attempt to instantiate a csstidy 9 | class to use for internal cleaning. This will usually be good enough. 10 |

11 |

12 | However, for trusted user input, you can set this to false to 13 | disable cleaning. In addition, you can supply your own concrete implementation 14 | of Tidy's interface to use, although I don't know why you'd want to do that. 15 |

16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Filter.YouTube.txt: -------------------------------------------------------------------------------- 1 | Filter.YouTube 2 | TYPE: bool 3 | VERSION: 3.1.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Warning: Deprecated in favor of %HTML.SafeObject and 8 | %Output.FlashCompat (turn both on to allow YouTube videos and other 9 | Flash content). 10 |

11 |

12 | This directive enables YouTube video embedding in HTML Purifier. Check 13 | this document 14 | on embedding videos for more information on what this filter does. 15 |

16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Allowed.txt: -------------------------------------------------------------------------------- 1 | HTML.Allowed 2 | TYPE: itext/null 3 | VERSION: 2.0.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | This is a preferred convenience directive that combines 9 | %HTML.AllowedElements and %HTML.AllowedAttributes. 10 | Specify elements and attributes that are allowed using: 11 | element1[attr1|attr2],element2.... For example, 12 | if you would like to only allow paragraphs and links, specify 13 | a[href],p. You can specify attributes that apply 14 | to all elements using an asterisk, e.g. *[lang]. 15 | You can also use newlines instead of commas to separate elements. 16 |

17 |

18 | Warning: 19 | All of the constraints on the component directives are still enforced. 20 | The syntax is a subset of TinyMCE's valid_elements 21 | whitelist: directly copy-pasting it here will probably result in 22 | broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes 23 | are set, this directive has no effect. 24 |

25 | --# vim: et sw=4 sts=4 26 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedAttributes.txt: -------------------------------------------------------------------------------- 1 | HTML.AllowedAttributes 2 | TYPE: lookup/null 3 | VERSION: 1.3.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | If HTML Purifier's attribute set is unsatisfactory, overload it! 9 | The syntax is "tag.attr" or "*.attr" for the global attributes 10 | (style, id, class, dir, lang, xml:lang). 11 |

12 |

13 | Warning: If another directive conflicts with the 14 | elements here, that directive will win and override. For 15 | example, %HTML.EnableAttrID will take precedence over *.id in this 16 | directive. You must set that directive to true before you can use 17 | IDs at all. 18 |

19 | --# vim: et sw=4 sts=4 20 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedComments.txt: -------------------------------------------------------------------------------- 1 | HTML.AllowedComments 2 | TYPE: lookup 3 | VERSION: 4.4.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 | A whitelist which indicates what explicit comment bodies should be 7 | allowed, modulo leading and trailing whitespace. See also %HTML.AllowedCommentsRegexp 8 | (these directives are union'ed together, so a comment is considered 9 | valid if any directive deems it valid.) 10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedCommentsRegexp.txt: -------------------------------------------------------------------------------- 1 | HTML.AllowedCommentsRegexp 2 | TYPE: string/null 3 | VERSION: 4.4.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | A regexp, which if it matches the body of a comment, indicates that 7 | it should be allowed. Trailing and leading spaces are removed prior 8 | to running this regular expression. 9 | Warning: Make sure you specify 10 | correct anchor metacharacters ^regex$, otherwise you may accept 11 | comments that you did not mean to! In particular, the regex /foo|bar/ 12 | is probably not sufficiently strict, since it also allows foobar. 13 | See also %HTML.AllowedComments (these directives are union'ed together, 14 | so a comment is considered valid if any directive deems it valid.) 15 | --# vim: et sw=4 sts=4 16 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedElements.txt: -------------------------------------------------------------------------------- 1 | HTML.AllowedElements 2 | TYPE: lookup/null 3 | VERSION: 1.3.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 |

7 | If HTML Purifier's tag set is unsatisfactory for your needs, you can 8 | overload it with your own list of tags to allow. If you change 9 | this, you probably also want to change %HTML.AllowedAttributes; see 10 | also %HTML.Allowed which lets you set allowed elements and 11 | attributes at the same time. 12 |

13 |

14 | If you attempt to allow an element that HTML Purifier does not know 15 | about, HTML Purifier will raise an error. You will need to manually 16 | tell HTML Purifier about this element by using the 17 | advanced customization features. 18 |

19 |

20 | Warning: If another directive conflicts with the 21 | elements here, that directive will win and override. 22 |

23 | --# vim: et sw=4 sts=4 24 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.AllowedModules.txt: -------------------------------------------------------------------------------- 1 | HTML.AllowedModules 2 | TYPE: lookup/null 3 | VERSION: 2.0.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | A doctype comes with a set of usual modules to use. Without having 9 | to muck about with the doctypes, you can quickly activate or 10 | disable these modules by specifying which modules you wish to allow 11 | with this directive. This is most useful for unit testing specific 12 | modules, although end users may find it useful for their own ends. 13 |

14 |

15 | If you specify a module that does not exist, the manager will silently 16 | fail to use it, so be careful! User-defined modules are not affected 17 | by this directive. Modules defined in %HTML.CoreModules are not 18 | affected by this directive. 19 |

20 | --# vim: et sw=4 sts=4 21 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Attr.Name.UseCDATA.txt: -------------------------------------------------------------------------------- 1 | HTML.Attr.Name.UseCDATA 2 | TYPE: bool 3 | DEFAULT: false 4 | VERSION: 4.0.0 5 | --DESCRIPTION-- 6 | The W3C specification DTD defines the name attribute to be CDATA, not ID, due 7 | to limitations of DTD. In certain documents, this relaxed behavior is desired, 8 | whether it is to specify duplicate names, or to specify names that would be 9 | illegal IDs (for example, names that begin with a digit.) Set this configuration 10 | directive to true to use the relaxed parsing rules. 11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.BlockWrapper.txt: -------------------------------------------------------------------------------- 1 | HTML.BlockWrapper 2 | TYPE: string 3 | VERSION: 1.3.0 4 | DEFAULT: 'p' 5 | --DESCRIPTION-- 6 | 7 |

8 | String name of element to wrap inline elements that are inside a block 9 | context. This only occurs in the children of blockquote in strict mode. 10 |

11 |

12 | Example: by default value, 13 | <blockquote>Foo</blockquote> would become 14 | <blockquote><p>Foo</p></blockquote>. 15 | The <p> tags can be replaced with whatever you desire, 16 | as long as it is a block level element. 17 |

18 | --# vim: et sw=4 sts=4 19 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.CoreModules.txt: -------------------------------------------------------------------------------- 1 | HTML.CoreModules 2 | TYPE: lookup 3 | VERSION: 2.0.0 4 | --DEFAULT-- 5 | array ( 6 | 'Structure' => true, 7 | 'Text' => true, 8 | 'Hypertext' => true, 9 | 'List' => true, 10 | 'NonXMLCommonAttributes' => true, 11 | 'XMLCommonAttributes' => true, 12 | 'CommonAttributes' => true, 13 | ) 14 | --DESCRIPTION-- 15 | 16 |

17 | Certain modularized doctypes (XHTML, namely), have certain modules 18 | that must be included for the doctype to be a conforming document 19 | type: put those modules here. By default, XHTML's core modules 20 | are used. You can set this to a blank array to disable core module 21 | protection, but this is not recommended. 22 |

23 | --# vim: et sw=4 sts=4 24 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.CustomDoctype.txt: -------------------------------------------------------------------------------- 1 | HTML.CustomDoctype 2 | TYPE: string/null 3 | VERSION: 2.0.1 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 | A custom doctype for power-users who defined their own document 8 | type. This directive only applies when %HTML.Doctype is blank. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionID.txt: -------------------------------------------------------------------------------- 1 | HTML.DefinitionID 2 | TYPE: string/null 3 | DEFAULT: NULL 4 | VERSION: 2.0.0 5 | --DESCRIPTION-- 6 | 7 |

8 | Unique identifier for a custom-built HTML definition. If you edit 9 | the raw version of the HTMLDefinition, introducing changes that the 10 | configuration object does not reflect, you must specify this variable. 11 | If you change your custom edits, you should change this directive, or 12 | clear your cache. Example: 13 |

15 | $config = HTMLPurifier_Config::createDefault();
16 | $config->set('HTML', 'DefinitionID', '1');
17 | $def = $config->getHTMLDefinition();
18 | $def->addAttribute('a', 'tabindex', 'Number');

21 | In the above example, the configuration is still at the defaults, but 22 | using the advanced API, an extra attribute has been added. The 23 | configuration object normally has no way of knowing that this change 24 | has taken place, so it needs an extra directive: %HTML.DefinitionID. 25 | If someone else attempts to use the default configuration, these two 26 | pieces of code will not clobber each other in the cache, since one has 27 | an extra directive attached to it. 28 |


30 | You must specify a value to this directive to use the 31 | advanced API features. 32 |

33 | --# vim: et sw=4 sts=4 34 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.DefinitionRev.txt: -------------------------------------------------------------------------------- 1 | HTML.DefinitionRev 2 | TYPE: int 3 | VERSION: 2.0.0 4 | DEFAULT: 1 5 | --DESCRIPTION-- 6 | 7 |

8 | Revision identifier for your custom definition specified in 9 | %HTML.DefinitionID. This serves the same purpose: uniquely identifying 10 | your custom definition, but this one does so in a chronological 11 | context: revision 3 is more up-to-date than revision 2. Thus, when 12 | this gets incremented, the cache handling is smart enough to clean 13 | up any older revisions of your definition as well as flush the 14 | cache. 15 |

16 | --# vim: et sw=4 sts=4 17 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Doctype.txt: -------------------------------------------------------------------------------- 1 | HTML.Doctype 2 | TYPE: string/null 3 | DEFAULT: NULL 4 | --DESCRIPTION-- 5 | Doctype to use during filtering. Technically speaking this is not actually 6 | a doctype (as it does not identify a corresponding DTD), but we are using 7 | this name for sake of simplicity. When non-blank, this will override any 8 | older directives like %HTML.XHTML or %HTML.Strict. 9 | --ALLOWED-- 10 | 'HTML 4.01 Transitional', 'HTML 4.01 Strict', 'XHTML 1.0 Transitional', 'XHTML 1.0 Strict', 'XHTML 1.1' 11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.FlashAllowFullScreen.txt: -------------------------------------------------------------------------------- 1 | HTML.FlashAllowFullScreen 2 | TYPE: bool 3 | VERSION: 4.2.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Whether or not to permit embedded Flash content from 8 | %HTML.SafeObject to expand to the full screen. Corresponds to 9 | the allowFullScreen parameter. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenAttributes.txt: -------------------------------------------------------------------------------- 1 | HTML.ForbiddenAttributes 2 | TYPE: lookup 3 | VERSION: 3.1.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 |

7 | While this directive is similar to %HTML.AllowedAttributes, for 8 | forwards-compatibility with XML, this directive has a different syntax. Instead of 9 | tag.attr, use tag@attr. To disallow href 10 | attributes in a tags, set this directive to 11 | a@href. You can also disallow an attribute globally with 12 | attr or *@attr (either syntax is fine; the latter 13 | is provided for consistency with %HTML.AllowedAttributes). 14 |


16 | Warning: This directive complements %HTML.ForbiddenElements, 17 | accordingly, check 18 | out that directive for a discussion of why you 19 | should think twice before using this directive. 20 |

21 | --# vim: et sw=4 sts=4 22 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.ForbiddenElements.txt: -------------------------------------------------------------------------------- 1 | HTML.ForbiddenElements 2 | TYPE: lookup 3 | VERSION: 3.1.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 |

7 | This was, perhaps, the most requested feature ever in HTML 8 | Purifier. Please don't abuse it! This is the logical inverse of 9 | %HTML.AllowedElements, and it will override that directive, or any 10 | other directive. 11 |


13 | If possible, %HTML.Allowed is recommended over this directive, because it 14 | can sometimes be difficult to tell whether or not you've forbidden all of 15 | the behavior you would like to disallow. If you forbid img 16 | with the expectation of preventing images on your site, you'll be in for 17 | a nasty surprise when people start using the background-image 18 | CSS property. 19 |

20 | --# vim: et sw=4 sts=4 21 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Forms.txt: -------------------------------------------------------------------------------- 1 | HTML.Forms 2 | TYPE: bool 3 | VERSION: 4.13.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Whether or not to permit form elements in the user input, regardless of 8 | %HTML.Trusted value. Please be very careful when using this functionality, as 9 | enabling forms in untrusted documents may allow for phishing attacks. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt: -------------------------------------------------------------------------------- 1 | HTML.MaxImgLength 2 | TYPE: int/null 3 | DEFAULT: null 4 | VERSION: 3.1.1 5 | --DESCRIPTION-- 6 |

7 | This directive controls the maximum number of pixels in the width and 8 | height attributes of img tags. This is 9 | in place to prevent imagecrash attacks; disable it with null at your own risk. 10 | This directive is similar to %CSS.MaxImgLength, and both should be 11 | edited together, although there are 12 | subtle differences in the input format (the HTML max is an integer). 13 |

14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Nofollow.txt: -------------------------------------------------------------------------------- 1 | HTML.Nofollow 2 | TYPE: bool 3 | VERSION: 4.3.0 4 | DEFAULT: FALSE 5 | --DESCRIPTION-- 6 | If enabled, nofollow rel attributes are added to all outgoing links. 7 | --# vim: et sw=4 sts=4 8 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Parent.txt: -------------------------------------------------------------------------------- 1 | HTML.Parent 2 | TYPE: string 3 | VERSION: 1.3.0 4 | DEFAULT: 'div' 5 | --DESCRIPTION-- 6 | 7 |

8 | String name of element that HTML fragment passed to library will be 9 | inserted in. An interesting variation would be using span as the 10 | parent element, meaning that only inline tags would be allowed. 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Proprietary.txt: -------------------------------------------------------------------------------- 1 | HTML.Proprietary 2 | TYPE: bool 3 | VERSION: 3.1.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Whether or not to allow proprietary elements and attributes in your 8 | documents, as per HTMLPurifier_HTMLModule_Proprietary. 9 | Warning: This can cause your documents to stop 10 | validating! 11 |

12 | --# vim: et sw=4 sts=4 13 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt: -------------------------------------------------------------------------------- 1 | HTML.SafeEmbed 2 | TYPE: bool 3 | VERSION: 3.1.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Whether or not to permit embed tags in documents, with a number of extra 8 | security features added to prevent script execution. This is similar to 9 | what websites like MySpace do to embed tags. Embed is a proprietary 10 | element and will cause your website to stop validating; you should 11 | see if you can use %Output.FlashCompat with %HTML.SafeObject instead 12 | first.

13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt: -------------------------------------------------------------------------------- 1 | HTML.SafeIframe 2 | TYPE: bool 3 | VERSION: 4.4.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Whether or not to permit iframe tags in untrusted documents. This 8 | directive must be accompanied by a whitelist of permitted iframes, 9 | such as %URI.SafeIframeRegexp or %URI.SafeIframeHosts, otherwise it will fatally error. 10 | This directive has no effect on strict doctypes, as iframes are not 11 | valid. 12 |

13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt: -------------------------------------------------------------------------------- 1 | HTML.SafeObject 2 | TYPE: bool 3 | VERSION: 3.1.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Whether or not to permit object tags in documents, with a number of extra 8 | security features added to prevent script execution. This is similar to 9 | what websites like MySpace do to object tags. You should also enable 10 | %Output.FlashCompat in order to generate Internet Explorer 11 | compatibility code for your object tags. 12 |

13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.SafeScripting.txt: -------------------------------------------------------------------------------- 1 | HTML.SafeScripting 2 | TYPE: lookup 3 | VERSION: 4.5.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 |

7 | Whether or not to permit script tags that reference external scripts in documents. 8 | Inline scripting is not allowed, and the script must match an explicit whitelist. 9 |

10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Strict.txt: -------------------------------------------------------------------------------- 1 | HTML.Strict 2 | TYPE: bool 3 | VERSION: 1.3.0 4 | DEFAULT: false 5 | DEPRECATED-VERSION: 1.7.0 6 | DEPRECATED-USE: HTML.Doctype 7 | --DESCRIPTION-- 8 | Determines whether or not to use Transitional (loose) or Strict rulesets. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.TargetBlank.txt: -------------------------------------------------------------------------------- 1 | HTML.TargetBlank 2 | TYPE: bool 3 | VERSION: 4.4.0 4 | DEFAULT: FALSE 5 | --DESCRIPTION-- 6 | If enabled, target=blank attributes are added to all outgoing links. 7 | (This includes links from an HTTPS version of a page to an HTTP version.) 8 | --# vim: et sw=4 sts=4 9 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoopener.txt: -------------------------------------------------------------------------------- 1 | --# vim: et sw=4 sts=4 2 | HTML.TargetNoopener 3 | TYPE: bool 4 | VERSION: 4.8.0 5 | DEFAULT: TRUE 6 | --DESCRIPTION-- 7 | If enabled, noopener rel attributes are added to links which have 8 | a target attribute associated with them. This prevents malicious 9 | destinations from overwriting the original window. 
10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.TargetNoreferrer.txt: -------------------------------------------------------------------------------- 1 | HTML.TargetNoreferrer 2 | TYPE: bool 3 | VERSION: 4.8.0 4 | DEFAULT: TRUE 5 | --DESCRIPTION-- 6 | If enabled, noreferrer rel attributes are added to links which have 7 | a target attribute associated with them. This withholds the Referer header from the destination and, because noreferrer implies noopener, also prevents malicious 8 | destinations from overwriting the original window. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.TidyAdd.txt: -------------------------------------------------------------------------------- 1 | HTML.TidyAdd 2 | TYPE: lookup 3 | VERSION: 2.0.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 | 7 | Fixes to add to the default set of Tidy fixes as per your level. 8 | --# vim: et sw=4 sts=4 9 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.TidyLevel.txt: -------------------------------------------------------------------------------- 1 | HTML.TidyLevel 2 | TYPE: string 3 | VERSION: 2.0.0 4 | DEFAULT: 'medium' 5 | --DESCRIPTION-- 6 | 7 |

General level of cleanliness the Tidy module should enforce. 8 | There are four allowed values:

none
No extra tidying should be done
light
Only fix elements that would be discarded otherwise due to 14 | lack of support in doctype
medium
Enforce best practices
heavy
Transform all deprecated elements and attributes to standards 19 | compliant equivalents
21 | 22 | --ALLOWED-- 23 | 'none', 'light', 'medium', 'heavy' 24 | --# vim: et sw=4 sts=4 25 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.TidyRemove.txt: -------------------------------------------------------------------------------- 1 | HTML.TidyRemove 2 | TYPE: lookup 3 | VERSION: 2.0.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 | 7 | Fixes to remove from the default set of Tidy fixes as per your level. 8 | --# vim: et sw=4 sts=4 9 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.Trusted.txt: -------------------------------------------------------------------------------- 1 | HTML.Trusted 2 | TYPE: bool 3 | VERSION: 2.0.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | Indicates whether or not the user input is trusted or not. If the input is 7 | trusted, a more expansive set of allowed tags and attributes will be used. 8 | See also %CSS.Trusted. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/HTML.XHTML.txt: -------------------------------------------------------------------------------- 1 | HTML.XHTML 2 | TYPE: bool 3 | DEFAULT: true 4 | VERSION: 1.1.0 5 | DEPRECATED-VERSION: 1.7.0 6 | DEPRECATED-USE: HTML.Doctype 7 | --DESCRIPTION-- 8 | Determines whether or not output is XHTML 1.0 or HTML 4.01 flavor. 
9 | --ALIASES-- 10 | Core.XHTML 11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Output.CommentScriptContents.txt: -------------------------------------------------------------------------------- 1 | Output.CommentScriptContents 2 | TYPE: bool 3 | VERSION: 2.0.0 4 | DEFAULT: true 5 | --DESCRIPTION-- 6 | Determines whether or not HTML Purifier should attempt to fix up the 7 | contents of script tags for legacy browsers with comments. 8 | --ALIASES-- 9 | Core.CommentScriptContents 10 | --# vim: et sw=4 sts=4 11 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Output.FixInnerHTML.txt: -------------------------------------------------------------------------------- 1 | Output.FixInnerHTML 2 | TYPE: bool 3 | VERSION: 4.3.0 4 | DEFAULT: true 5 | --DESCRIPTION-- 6 |

7 | If true, HTML Purifier will protect against Internet Explorer's 8 | mishandling of the innerHTML attribute by appending 9 | a space to any attribute that does not contain angled brackets, spaces 10 | or quotes, but contains a backtick. This slightly changes the 11 | semantics of any given attribute, so if this is unacceptable and 12 | you do not use innerHTML on any of your pages, you can 13 | turn this directive off. 14 |

15 | --# vim: et sw=4 sts=4 16 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Output.FlashCompat.txt: -------------------------------------------------------------------------------- 1 | Output.FlashCompat 2 | TYPE: bool 3 | VERSION: 4.1.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | If true, HTML Purifier will generate Internet Explorer compatibility 8 | code for all object code. This is highly recommended if you enable 9 | %HTML.SafeObject. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Output.Newline.txt: -------------------------------------------------------------------------------- 1 | Output.Newline 2 | TYPE: string/null 3 | VERSION: 2.0.1 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | Newline string to format final output with. If left null, HTML Purifier 9 | will auto-detect the default newline type of the system and use that; 10 | you can manually override it here. Remember, \r\n is Windows, \r 11 | is Mac, and \n is Unix. 12 |

13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Output.SortAttr.txt: -------------------------------------------------------------------------------- 1 | Output.SortAttr 2 | TYPE: bool 3 | VERSION: 3.2.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | If true, HTML Purifier will sort attributes by name before writing them back 8 | to the document, converting a tag like: <el b="" a="" c="" /> 9 | to <el a="" b="" c="" />. This is a workaround for 10 | a bug in FCKeditor which causes it to swap attributes order, adding noise 11 | to text diffs. If you're not seeing this bug, chances are, you don't need 12 | this directive. 13 |

14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Output.TidyFormat.txt: -------------------------------------------------------------------------------- 1 | Output.TidyFormat 2 | TYPE: bool 3 | VERSION: 1.1.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Determines whether or not to run Tidy on the final output for pretty 8 | formatting reasons, such as indentation and wrap. 9 |


11 | This can greatly improve readability for editors who are hand-editing 12 | the HTML, but is by no means necessary as HTML Purifier has already 13 | fixed all major errors the HTML may have had. Tidy is a non-default 14 | extension, and this directive will silently fail if Tidy is not 15 | available. 16 |


18 | If you are looking to make the overall look of your page's source 19 | better, I recommend running Tidy on the entire page rather than just 20 | user-content (after all, the indentation relative to the containing 21 | blocks will be incorrect). 22 |

23 | --ALIASES-- 24 | Core.TidyFormat 25 | --# vim: et sw=4 sts=4 26 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/Test.ForceNoIconv.txt: -------------------------------------------------------------------------------- 1 | Test.ForceNoIconv 2 | TYPE: bool 3 | DEFAULT: false 4 | --DESCRIPTION-- 5 | When set to true, HTMLPurifier_Encoder will act as if iconv does not exist 6 | and use only pure PHP implementations. 7 | --# vim: et sw=4 sts=4 8 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt: -------------------------------------------------------------------------------- 1 | URI.AllowedSchemes 2 | TYPE: lookup 3 | --DEFAULT-- 4 | array ( 5 | 'http' => true, 6 | 'https' => true, 7 | 'mailto' => true, 8 | 'ftp' => true, 9 | 'nntp' => true, 10 | 'news' => true, 11 | 'tel' => true, 12 | ) 13 | --DESCRIPTION-- 14 | Whitelist that defines the schemes that a URI is allowed to have. This 15 | prevents XSS attacks from using pseudo-schemes like javascript or mocha. 16 | There is also support for the data and file 17 | URI schemes, but they are not enabled by default. 18 | --# vim: et sw=4 sts=4 19 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.Base.txt: -------------------------------------------------------------------------------- 1 | URI.Base 2 | TYPE: string/null 3 | VERSION: 2.1.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | The base URI is the URI of the document this purified HTML will be 9 | inserted into. This information is important if HTML Purifier needs 10 | to calculate absolute URIs from relative URIs, such as when %URI.MakeAbsolute 11 | is on. You may use a non-absolute URI for this value, but behavior 12 | may vary (%URI.MakeAbsolute deals nicely with both absolute and 13 | relative paths, but forwards-compatibility is not guaranteed). 14 | Warning: If set, the scheme on this URI 15 | overrides the one specified by %URI.DefaultScheme. 16 |

17 | --# vim: et sw=4 sts=4 18 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.DefaultScheme.txt: -------------------------------------------------------------------------------- 1 | URI.DefaultScheme 2 | TYPE: string/null 3 | DEFAULT: 'http' 4 | --DESCRIPTION-- 5 | 6 |

7 | Defines through what scheme the output will be served, in order to 8 | select the proper object validator when no scheme information is present. 9 |


12 | Starting with HTML Purifier 4.9.0, the default scheme can be null, in 13 | which case we reject all URIs which do not have explicit schemes. 14 |

15 | --# vim: et sw=4 sts=4 16 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.DefinitionID.txt: -------------------------------------------------------------------------------- 1 | URI.DefinitionID 2 | TYPE: string/null 3 | VERSION: 2.1.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | Unique identifier for a custom-built URI definition. If you want 9 | to add custom URIFilters, you must specify this value. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.DefinitionRev.txt: -------------------------------------------------------------------------------- 1 | URI.DefinitionRev 2 | TYPE: int 3 | VERSION: 2.1.0 4 | DEFAULT: 1 5 | --DESCRIPTION-- 6 | 7 |

8 | Revision identifier for your custom definition. See 9 | %HTML.DefinitionRev for details. 10 |

11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.Disable.txt: -------------------------------------------------------------------------------- 1 | URI.Disable 2 | TYPE: bool 3 | VERSION: 1.3.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | 7 |

8 | Disables all URIs in all forms. Not sure why you'd want to do that 9 | (after all, the Internet's founded on the notion of a hyperlink). 10 |

11 | 12 | --ALIASES-- 13 | Attr.DisableURI 14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.DisableExternal.txt: -------------------------------------------------------------------------------- 1 | URI.DisableExternal 2 | TYPE: bool 3 | VERSION: 1.2.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | Disables links to external websites. This is a highly effective anti-spam 7 | and anti-pagerank-leech measure, but comes at a hefty price: no links or 8 | images outside of your domain will be allowed. Non-linkified URIs will 9 | still be preserved. If you want to be able to link to subdomains or use 10 | absolute URIs, specify %URI.Host for your website. 11 | --# vim: et sw=4 sts=4 12 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.DisableExternalResources.txt: -------------------------------------------------------------------------------- 1 | URI.DisableExternalResources 2 | TYPE: bool 3 | VERSION: 1.3.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | Disables the embedding of external resources, preventing users from 7 | embedding things like images from other hosts. This prevents access 8 | tracking (good for email viewers), bandwidth leeching, cross-site request 9 | forgery, goatse.cx posting, and other nasties, but also results in a loss 10 | of end-user functionality (they can't directly post a pic they posted from 11 | Flickr anymore). Use it if you don't have a robust user-content moderation 12 | team. 13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.DisableResources.txt: -------------------------------------------------------------------------------- 1 | URI.DisableResources 2 | TYPE: bool 3 | VERSION: 4.2.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | Disables embedding resources, essentially meaning no pictures. You can 8 | still link to them though. See %URI.DisableExternalResources for why 9 | this might be a good idea. 10 |


12 | Note: While this directive has been available since 1.3.0, 13 | it didn't actually start doing anything until 4.2.0. 14 |

15 | --# vim: et sw=4 sts=4 16 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.Host.txt: -------------------------------------------------------------------------------- 1 | URI.Host 2 | TYPE: string/null 3 | VERSION: 1.2.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 | 7 |

8 | Defines the domain name of the server, so we can determine whether or 9 | not an absolute URI is from your website. Not strictly necessary, 10 | as users should be using relative URIs to reference resources on your 11 | website. It will, however, let you use absolute URIs to link to 12 | subdomains of the domain you post here: e.g. example.com will allow 13 | sub.example.com. However, higher-up domains will still be excluded: 14 | if you set %URI.Host to sub.example.com, example.com will be blocked. 15 | Note: This directive overrides %URI.Base because 16 | a given page may be on a sub-domain, but you wish HTML Purifier to be 17 | more relaxed and allow some of the parent domains too. 18 |

19 | --# vim: et sw=4 sts=4 20 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.HostBlacklist.txt: -------------------------------------------------------------------------------- 1 | URI.HostBlacklist 2 | TYPE: list 3 | VERSION: 1.3.0 4 | DEFAULT: array() 5 | --DESCRIPTION-- 6 | List of strings that are forbidden in the host of any URI. Use it to kill 7 | domain names of spam, etc. Note that it will catch anything in the domain, 8 | so moo.com will catch moo.com.example.com. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.MakeAbsolute.txt: -------------------------------------------------------------------------------- 1 | URI.MakeAbsolute 2 | TYPE: bool 3 | VERSION: 2.1.0 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 | 7 |

8 | Converts all URIs into absolute forms. This is useful when the HTML 9 | being filtered assumes a specific base path, but will actually be 10 | viewed in a different context (and setting an alternate base URI is 11 | not possible). %URI.Base must be set for this directive to work. 12 |

13 | --# vim: et sw=4 sts=4 14 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt: -------------------------------------------------------------------------------- 1 | URI.MungeResources 2 | TYPE: bool 3 | VERSION: 3.1.1 4 | DEFAULT: false 5 | --DESCRIPTION-- 6 |

7 | If true, any URI munging directives like %URI.Munge 8 | will also apply to embedded resources, such as <img src="">. 9 | Be careful enabling this directive if you have a redirector script 10 | that does not use the Location HTTP header; all of your images 11 | and other embedded resources will break. 12 |


14 | Warning: It is strongly advised you use this in conjunction with 15 | %URI.MungeSecretKey to mitigate the security risk of an open redirector. 16 |

17 | --# vim: et sw=4 sts=4 18 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt: -------------------------------------------------------------------------------- 1 | URI.MungeSecretKey 2 | TYPE: string/null 3 | VERSION: 3.1.1 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 |

7 | This directive enables secure checksum generation along with %URI.Munge. 8 | It should be set to a secure key that is not shared with anyone else. 9 | The checksum can be placed in the URI using %t. Use of this checksum 10 | affords an additional level of protection by allowing a redirector 11 | to check if a URI has passed through HTML Purifier with this line: 12 |

$checksum === hash_hmac("sha256", $url, $secret_key)

17 | If the comparison is TRUE, the redirector script should accept the URI (a constant-time comparison such as hash_equals() is preferable to === for this check). 18 |


21 | Please note that it would still be possible for an attacker to procure 22 | secure hashes en masse by abusing your website's Preview feature or the 23 | like, but this service affords an additional level of protection 24 | that should be combined with website blacklisting. 25 |


28 | Remember this has no effect if %URI.Munge is not on. 29 |

30 | --# vim: et sw=4 sts=4 31 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.OverrideAllowedSchemes.txt: -------------------------------------------------------------------------------- 1 | URI.OverrideAllowedSchemes 2 | TYPE: bool 3 | DEFAULT: true 4 | --DESCRIPTION-- 5 | If this is set to true (which it is by default), you can override 6 | %URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme to the 7 | registry. If false, you will also have to update that directive in order 8 | to add more schemes. 9 | --# vim: et sw=4 sts=4 10 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeHosts.txt: -------------------------------------------------------------------------------- 1 | URI.SafeIframeHosts 2 | TYPE: lookup/null 3 | DEFAULT: null 4 | --DESCRIPTION-- 5 |

6 | A whitelist of the explicit hosts that are 7 | allowed to be embedded in an iframe. See also %URI.SafeIframeRegexp, 8 | which takes precedence over this directive. Here are some example values: 9 |

10 | 14 | --# vim: et sw=4 sts=4 15 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeRegexp.txt: -------------------------------------------------------------------------------- 1 | URI.SafeIframeRegexp 2 | TYPE: string/null 3 | VERSION: 4.4.0 4 | DEFAULT: NULL 5 | --DESCRIPTION-- 6 |

7 | A PCRE regular expression that will be matched against an iframe URI. This is 8 | a relatively inflexible scheme, but it works well enough for the most common 9 | use case of iframes: embedded video. This directive only has an effect if 10 | %HTML.SafeIframe is enabled. Here are some example values: 11 |

12 | 17 |

18 | Note that this directive does not give you enough granularity to, say, disable 19 | all autoplay videos. Pipe up on the HTML Purifier forums if this 20 | is a capability you want. 21 |

22 | --# vim: et sw=4 sts=4 23 | -------------------------------------------------------------------------------- /library/HTMLPurifier/ConfigSchema/schema/info.ini: -------------------------------------------------------------------------------- 1 | name = "HTML Purifier" 2 | 3 | ; vim: et sw=4 sts=4 4 | -------------------------------------------------------------------------------- /library/HTMLPurifier/Definition.php: -------------------------------------------------------------------------------- 1 | setup) { 48 | return; 49 | } 50 | $this->setup = true; 51 | $this->doSetup($config); 52 | } 53 | } 54 | 55 | // vim: et sw=4 sts=4 56 | -------------------------------------------------------------------------------- /library/HTMLPurifier/DefinitionCache/Null.php: -------------------------------------------------------------------------------- 1 | table = unserialize(file_get_contents($file)); 27 | } 28 | 29 | /** 30 | * Retrieves sole instance of the object. 31 | * @param bool|HTMLPurifier_EntityLookup $prototype Optional prototype of custom lookup table to overload with. 
32 | * @return HTMLPurifier_EntityLookup 33 | */ 34 | public static function instance($prototype = false) 35 | { 36 | // no references, since PHP doesn't copy unless modified 37 | static $instance = null; 38 | if ($prototype) { 39 | $instance = $prototype; 40 | } elseif (!$instance) { 41 | $instance = new HTMLPurifier_EntityLookup(); 42 | $instance->setup(); 43 | } 44 | return $instance; 45 | } 46 | } 47 | 48 | // vim: et sw=4 sts=4 49 | -------------------------------------------------------------------------------- /library/HTMLPurifier/Exception.php: -------------------------------------------------------------------------------- 1 | array('dir' => false) 20 | ); 21 | 22 | /** 23 | * @param HTMLPurifier_Config $config 24 | */ 25 | public function setup($config) 26 | { 27 | $bdo = $this->addElement( 28 | 'bdo', 29 | 'Inline', 30 | 'Inline', 31 | array('Core', 'Lang'), 32 | array( 33 | 'dir' => 'Enum#ltr,rtl', // required 34 | // The Abstract Module specification has the attribute 35 | // inclusions wrong for bdo: bdo allows Lang 36 | ) 37 | ); 38 | $bdo->attr_transform_post[] = new HTMLPurifier_AttrTransform_BdoDir(); 39 | 40 | $this->attr_collections['I18N']['dir'] = 'Enum#ltr,rtl'; 41 | } 42 | } 43 | 44 | // vim: et sw=4 sts=4 45 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/CommonAttributes.php: -------------------------------------------------------------------------------- 1 | array( 15 | 0 => array('Style'), 16 | // 'xml:space' => false, 17 | 'class' => 'Class', 18 | 'id' => 'ID', 19 | 'title' => 'CDATA', 20 | 'contenteditable' => 'ContentEditable', 21 | ), 22 | 'Lang' => array(), 23 | 'I18N' => array( 24 | 0 => array('Lang'), // proprietary, for xml:lang/lang 25 | ), 26 | 'Common' => array( 27 | 0 => array('Core', 'I18N') 28 | ) 29 | ); 30 | } 31 | 32 | // vim: et sw=4 sts=4 33 | -------------------------------------------------------------------------------- 
/library/HTMLPurifier/HTMLModule/Edit.php: -------------------------------------------------------------------------------- 1 | 'URI', 23 | // 'datetime' => 'Datetime', // not implemented 24 | ); 25 | $this->addElement('del', 'Inline', $contents, 'Common', $attr); 26 | $this->addElement('ins', 'Inline', $contents, 'Common', $attr); 27 | } 28 | 29 | // HTML 4.01 specifies that ins/del must not contain block 30 | // elements when used in an inline context, chameleon is 31 | // a complicated workaround to achieve this effect 32 | 33 | // Inline context ! Block context (exclamation mark is 34 | // separator, see getChildDef for parsing) 35 | 36 | /** 37 | * @type bool 38 | */ 39 | public $defines_child_def = true; 40 | 41 | /** 42 | * @param HTMLPurifier_ElementDef $def 43 | * @return HTMLPurifier_ChildDef_Chameleon 44 | */ 45 | public function getChildDef($def) 46 | { 47 | if ($def->content_model_type != 'chameleon') { 48 | return false; 49 | } 50 | $value = explode('!', $def->content_model); 51 | return new HTMLPurifier_ChildDef_Chameleon($value[0], $value[1]); 52 | } 53 | } 54 | 55 | // vim: et sw=4 sts=4 56 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/Hypertext.php: -------------------------------------------------------------------------------- 1 | addElement( 20 | 'a', 21 | 'Inline', 22 | 'Inline', 23 | 'Common', 24 | array( 25 | // 'accesskey' => 'Character', 26 | // 'charset' => 'Charset', 27 | 'href' => 'URI', 28 | // 'hreflang' => 'LanguageCode', 29 | 'rel' => new HTMLPurifier_AttrDef_HTML_LinkTypes('rel'), 30 | 'rev' => new HTMLPurifier_AttrDef_HTML_LinkTypes('rev'), 31 | // 'tabindex' => 'Number', 32 | // 'type' => 'ContentType', 33 | ) 34 | ); 35 | $a->formatting = true; 36 | $a->excludes = array('a' => true); 37 | } 38 | } 39 | 40 | // vim: et sw=4 sts=4 41 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/Iframe.php: 
-------------------------------------------------------------------------------- 1 | get('HTML.SafeIframe')) { 29 | $this->safe = true; 30 | } 31 | $attrs = array( 32 | 'src' => 'URI#embedded', 33 | 'width' => 'Length', 34 | 'height' => 'Length', 35 | 'name' => 'ID', 36 | 'scrolling' => 'Enum#yes,no,auto', 37 | 'frameborder' => 'Enum#0,1', 38 | 'longdesc' => 'URI', 39 | 'marginheight' => 'Pixels', 40 | 'marginwidth' => 'Pixels', 41 | ); 42 | 43 | if ($config->get('HTML.Trusted')) { 44 | $attrs['allowfullscreen'] = 'Bool#allowfullscreen'; 45 | } 46 | 47 | $this->addElement( 48 | 'iframe', 49 | 'Inline', 50 | 'Flow', 51 | 'Common', 52 | $attrs 53 | ); 54 | } 55 | } 56 | 57 | // vim: et sw=4 sts=4 58 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/Image.php: -------------------------------------------------------------------------------- 1 | get('HTML.MaxImgLength'); 22 | $img = $this->addElement( 23 | 'img', 24 | 'Inline', 25 | 'Empty', 26 | 'Common', 27 | array( 28 | 'alt*' => 'Text', 29 | // According to the spec, it's Length, but percents can 30 | // be abused, so we allow only Pixels. 31 | 'height' => 'Pixels#' . $max, 32 | 'width' => 'Pixels#' . 
$max, 33 | 'longdesc' => 'URI', 34 | 'src*' => new HTMLPurifier_AttrDef_URI(true), // embedded 35 | ) 36 | ); 37 | if ($max === null || $config->get('HTML.Trusted')) { 38 | $img->attr['height'] = 39 | $img->attr['width'] = 'Length'; 40 | } 41 | 42 | // kind of strange, but splitting things up would be inefficient 43 | $img->attr_transform_pre[] = 44 | $img->attr_transform_post[] = 45 | new HTMLPurifier_AttrTransform_ImgRequired(); 46 | } 47 | } 48 | 49 | // vim: et sw=4 sts=4 50 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/Name.php: -------------------------------------------------------------------------------- 1 | addBlankElement($name); 18 | $element->attr['name'] = 'CDATA'; 19 | if (!$config->get('HTML.Attr.Name.UseCDATA')) { 20 | $element->attr_transform_post[] = new HTMLPurifier_AttrTransform_NameSync(); 21 | } 22 | } 23 | } 24 | } 25 | 26 | // vim: et sw=4 sts=4 27 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/Nofollow.php: -------------------------------------------------------------------------------- 1 | addBlankElement('a'); 21 | $a->attr_transform_post[] = new HTMLPurifier_AttrTransform_Nofollow(); 22 | } 23 | } 24 | 25 | // vim: et sw=4 sts=4 26 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/NonXMLCommonAttributes.php: -------------------------------------------------------------------------------- 1 | array( 15 | 'lang' => 'LanguageCode', 16 | ) 17 | ); 18 | } 19 | 20 | // vim: et sw=4 sts=4 21 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/Presentation.php: -------------------------------------------------------------------------------- 1 | addElement('hr', 'Block', 'Empty', 'Common'); 27 | $this->addElement('sub', 'Inline', 'Inline', 'Common'); 28 | $this->addElement('sup', 
'Inline', 'Inline', 'Common'); 29 | $b = $this->addElement('b', 'Inline', 'Inline', 'Common'); 30 | $b->formatting = true; 31 | $big = $this->addElement('big', 'Inline', 'Inline', 'Common'); 32 | $big->formatting = true; 33 | $i = $this->addElement('i', 'Inline', 'Inline', 'Common'); 34 | $i->formatting = true; 35 | $small = $this->addElement('small', 'Inline', 'Inline', 'Common'); 36 | $small->formatting = true; 37 | $tt = $this->addElement('tt', 'Inline', 'Inline', 'Common'); 38 | $tt->formatting = true; 39 | } 40 | } 41 | 42 | // vim: et sw=4 sts=4 43 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/Proprietary.php: -------------------------------------------------------------------------------- 1 | addElement( 20 | 'marquee', 21 | 'Inline', 22 | 'Flow', 23 | 'Common', 24 | array( 25 | 'direction' => 'Enum#left,right,up,down', 26 | 'behavior' => 'Enum#alternate', 27 | 'width' => 'Length', 28 | 'height' => 'Length', 29 | 'scrolldelay' => 'Number', 30 | 'scrollamount' => 'Number', 31 | 'loop' => 'Number', 32 | 'bgcolor' => 'Color', 33 | 'hspace' => 'Pixels', 34 | 'vspace' => 'Pixels', 35 | ) 36 | ); 37 | } 38 | } 39 | 40 | // vim: et sw=4 sts=4 41 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/Ruby.php: -------------------------------------------------------------------------------- 1 | addElement( 21 | 'ruby', 22 | 'Inline', 23 | 'Custom: ((rb, (rt | (rp, rt, rp))) | (rbc, rtc, rtc?))', 24 | 'Common' 25 | ); 26 | $this->addElement('rbc', false, 'Required: rb', 'Common'); 27 | $this->addElement('rtc', false, 'Required: rt', 'Common'); 28 | $rb = $this->addElement('rb', false, 'Inline', 'Common'); 29 | $rb->excludes = array('ruby' => true); 30 | $rt = $this->addElement('rt', false, 'Inline', 'Common', array('rbspan' => 'Number')); 31 | $rt->excludes = array('ruby' => true); 32 | $this->addElement('rp', false, 'Optional: #PCDATA', 
'Common'); 33 | } 34 | } 35 | 36 | // vim: et sw=4 sts=4 37 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/SafeEmbed.php: -------------------------------------------------------------------------------- 1 | get('HTML.MaxImgLength'); 19 | $embed = $this->addElement( 20 | 'embed', 21 | 'Inline', 22 | 'Empty', 23 | 'Common', 24 | array( 25 | 'src*' => 'URI#embedded', 26 | 'type' => 'Enum#application/x-shockwave-flash', 27 | 'width' => 'Pixels#' . $max, 28 | 'height' => 'Pixels#' . $max, 29 | 'allowscriptaccess' => 'Enum#never', 30 | 'allownetworking' => 'Enum#internal', 31 | 'flashvars' => 'Text', 32 | 'wmode' => 'Enum#window,transparent,opaque', 33 | 'name' => 'ID', 34 | ) 35 | ); 36 | $embed->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeEmbed(); 37 | } 38 | } 39 | 40 | // vim: et sw=4 sts=4 41 | -------------------------------------------------------------------------------- /library/HTMLPurifier/HTMLModule/SafeScripting.php: -------------------------------------------------------------------------------- 1 | get('HTML.SafeScripting'); 23 | $script = $this->addElement( 24 | 'script', 25 | 'Inline', 26 | 'Optional:', // Not `Empty` to not allow to autoclose the