File xoops_lib\modules\protector\library\HTMLPurifier\HTMLDefinition.php

1:	<?php
2:
3:	/**
4:	* Definition of the purified HTML that describes allowed children,
5:	* attributes, and many other things.
6:	*
7:	* Conventions:
8:	*
9:	* All member variables that are prefixed with info
10:	* (including the main $info array) are used by HTML Purifier internals
11:	* and should not be directly edited when customizing the HTMLDefinition.
12:	* They can usually be set via configuration directives or custom
13:	* modules.
14:	*
15:	* On the other hand, member variables without the info prefix are used
16:	* internally by the HTMLDefinition and MUST NOT be used by other HTML
17:	* Purifier internals. Many of them, however, are public, and may be
18:	* edited by userspace code to tweak the behavior of HTMLDefinition.
19:	*
20:	* @note This class is inspected by Printer_HTMLDefinition; please
21:	* update that class if things here change.
22:	*
23:	* @warning Directives that change this object's structure must be in
24:	* the HTML or Attr namespace!
25:	*/
26:	class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
27:	{
28:
29:	// FULLY-PUBLIC VARIABLES ---------------------------------------------
30:
31:	/**
32:	* Associative array of element names to HTMLPurifier_ElementDef.
33:	* @type HTMLPurifier_ElementDef[]
34:	*/
35:	public $info = array();
36:
37:	/**
38:	* Associative array of global attribute name to attribute definition.
39:	* @type array
40:	*/
41:	public $info_global_attr = array();
42:
43:	/**
44:	* String name of parent element HTML will be going into.
45:	* @type string
46:	*/
47:	public $info_parent = 'div';
48:
49:	/**
50:	* Definition for parent element, allows parent element to be a
51:	* tag that's not allowed inside the HTML fragment.
52:	* @type HTMLPurifier_ElementDef
53:	*/
54:	public $info_parent_def;
55:
56:	/**
57:	* String name of element used to wrap inline elements in block context.
58:	* @type string
59:	* @note This is rarely used except for BLOCKQUOTEs in strict mode
60:	*/
61:	public $info_block_wrapper = 'p';
62:
63:	/**
64:	* Associative array of deprecated tag name to HTMLPurifier_TagTransform.
65:	* @type array
66:	*/
67:	public $info_tag_transform = array();
68:
69:	/**
70:	* Indexed list of HTMLPurifier_AttrTransform to be performed before validation.
71:	* @type HTMLPurifier_AttrTransform[]
72:	*/
73:	public $info_attr_transform_pre = array();
74:
75:	/**
76:	* Indexed list of HTMLPurifier_AttrTransform to be performed after validation.
77:	* @type HTMLPurifier_AttrTransform[]
78:	*/
79:	public $info_attr_transform_post = array();
80:
81:	/**
82:	* Nested lookup array of content set name (Block, Inline) to
83:	* element name to whether or not it belongs in that content set.
84:	* @type array
85:	*/
86:	public $info_content_sets = array();
87:
88:	/**
89:	* Indexed list of HTMLPurifier_Injector to be used.
90:	* @type HTMLPurifier_Injector[]
91:	*/
92:	public $info_injector = array();
93:
94:	/**
95:	* Doctype object
96:	* @type HTMLPurifier_Doctype
97:	*/
98:	public $doctype;
99:
100:
101:
102:	// RAW CUSTOMIZATION STUFF --------------------------------------------
103:
104:	/**
105:	* Adds a custom attribute to a pre-existing element
106:	* @note This is strictly convenience, and does not have a corresponding
107:	* method in HTMLPurifier_HTMLModule
108:	* @param string $element_name Element name to add attribute to
109:	* @param string $attr_name Name of attribute
110:	* @param mixed $def Attribute definition, can be string or object, see
111:	* HTMLPurifier_AttrTypes for details
112:	*/
113:	public function addAttribute($element_name, $attr_name, $def)
114:	{
115:	$module = $this->getAnonymousModule();
116:	if (!isset($module->info[$element_name])) {
117:	$element = $module->addBlankElement($element_name);
118:	} else {
119:	$element = $module->info[$element_name];
120:	}
121:	$element->attr[$attr_name] = $def;
122:	}
123:
124:	/**
125:	* Adds a custom element to your HTML definition
126:	* @see HTMLPurifier_HTMLModule::addElement() for detailed
127:	* parameter and return value descriptions.
128:	*/
129:	public function addElement($element_name, $type, $contents, $attr_collections, $attributes = array())
130:	{
131:	$module = $this->getAnonymousModule();
132:	// assume that if the user is calling this, the element
133:	// is safe. This may not be a good idea
134:	$element = $module->addElement($element_name, $type, $contents, $attr_collections, $attributes);
135:	return $element;
136:	}
137:
138:	/**
139:	* Adds a blank element to your HTML definition, for overriding
140:	* existing behavior
141:	* @param string $element_name
142:	* @return HTMLPurifier_ElementDef
143:	* @see HTMLPurifier_HTMLModule::addBlankElement() for detailed
144:	* parameter and return value descriptions.
145:	*/
146:	public function addBlankElement($element_name)
147:	{
148:	$module = $this->getAnonymousModule();
149:	$element = $module->addBlankElement($element_name);
150:	return $element;
151:	}
152:
153:	/**
154:	* Retrieves a reference to the anonymous module, so you can
155:	* bust out advanced features without having to make your own
156:	* module.
157:	* @return HTMLPurifier_HTMLModule
158:	*/
159:	public function getAnonymousModule()
160:	{
161:	if (!$this->_anonModule) {
162:	$this->_anonModule = new HTMLPurifier_HTMLModule();
163:	$this->_anonModule->name = 'Anonymous';
164:	}
165:	return $this->_anonModule;
166:	}
167:
168:	private $_anonModule = null;
169:
170:	// PUBLIC BUT INTERNAL VARIABLES --------------------------------------
171:
172:	/**
173:	* @type string
174:	*/
175:	public $type = 'HTML';
176:
177:	/**
178:	* @type HTMLPurifier_HTMLModuleManager
179:	*/
180:	public $manager;
181:
182:	/**
183:	* Performs low-cost, preliminary initialization.
184:	*/
185:	public function __construct()
186:	{
187:	$this->manager = new HTMLPurifier_HTMLModuleManager();
188:	}
189:
190:	/**
191:	* @param HTMLPurifier_Config $config
192:	*/
193:	protected function doSetup($config)
194:	{
195:	$this->processModules($config);
196:	$this->setupConfigStuff($config);
197:	unset($this->manager);
198:
199:	// cleanup some of the element definitions
200:	foreach ($this->info as $k => $v) {
201:	unset($this->info[$k]->content_model);
202:	unset($this->info[$k]->content_model_type);
203:	}
204:	}
205:
206:	/**
207:	* Extract out the information from the manager
208:	* @param HTMLPurifier_Config $config
209:	*/
210:	protected function processModules($config)
211:	{
212:	if ($this->_anonModule) {
213:	// for user specific changes
214:	// this is late-loaded so we don't have to deal with PHP4
215:	// reference wonky-ness
216:	$this->manager->addModule($this->_anonModule);
217:	unset($this->_anonModule);
218:	}
219:
220:	$this->manager->setup($config);
221:	$this->doctype = $this->manager->doctype;
222:
223:	foreach ($this->manager->modules as $module) {
224:	foreach ($module->info_tag_transform as $k => $v) {
225:	if ($v === false) {
226:	unset($this->info_tag_transform[$k]);
227:	} else {
228:	$this->info_tag_transform[$k] = $v;
229:	}
230:	}
231:	foreach ($module->info_attr_transform_pre as $k => $v) {
232:	if ($v === false) {
233:	unset($this->info_attr_transform_pre[$k]);
234:	} else {
235:	$this->info_attr_transform_pre[$k] = $v;
236:	}
237:	}
238:	foreach ($module->info_attr_transform_post as $k => $v) {
239:	if ($v === false) {
240:	unset($this->info_attr_transform_post[$k]);
241:	} else {
242:	$this->info_attr_transform_post[$k] = $v;
243:	}
244:	}
245:	foreach ($module->info_injector as $k => $v) {
246:	if ($v === false) {
247:	unset($this->info_injector[$k]);
248:	} else {
249:	$this->info_injector[$k] = $v;
250:	}
251:	}
252:	}
253:	$this->info = $this->manager->getElements();
254:	$this->info_content_sets = $this->manager->contentSets->lookup;
255:	}
256:
257:	/**
258:	* Sets up stuff based on config. We need a better way of doing this.
259:	* @param HTMLPurifier_Config $config
260:	*/
261:	protected function setupConfigStuff($config)
262:	{
263:	$block_wrapper = $config->get('HTML.BlockWrapper');
264:	if (isset($this->info_content_sets['Block'][$block_wrapper])) {
265:	$this->info_block_wrapper = $block_wrapper;
266:	} else {
267:	trigger_error(
268:	'Cannot use non-block element as block wrapper',
269:	E_USER_ERROR
270:	);
271:	}
272:
273:	$parent = $config->get('HTML.Parent');
274:	$def = $this->manager->getElement($parent, true);
275:	if ($def) {
276:	$this->info_parent = $parent;
277:	$this->info_parent_def = $def;
278:	} else {
279:	trigger_error(
280:	'Cannot use unrecognized element as parent',
281:	E_USER_ERROR
282:	);
283:	$this->info_parent_def = $this->manager->getElement($this->info_parent, true);
284:	}
285:
286:	// support template text
287:	$support = "(for information on implementing this, see the support forums) ";
288:
289:	// setup allowed elements -----------------------------------------
290:
291:	$allowed_elements = $config->get('HTML.AllowedElements');
292:	$allowed_attributes = $config->get('HTML.AllowedAttributes'); // retrieve early
293:
294:	if (!is_array($allowed_elements) && !is_array($allowed_attributes)) {
295:	$allowed = $config->get('HTML.Allowed');
296:	if (is_string($allowed)) {
297:	list($allowed_elements, $allowed_attributes) = $this->parseTinyMCEAllowedList($allowed);
298:	}
299:	}
300:
301:	if (is_array($allowed_elements)) {
302:	foreach ($this->info as $name => $d) {
303:	if (!isset($allowed_elements[$name])) {
304:	unset($this->info[$name]);
305:	}
306:	unset($allowed_elements[$name]);
307:	}
308:	// emit errors
309:	foreach ($allowed_elements as $element => $d) {
310:	$element = htmlspecialchars($element); // PHP doesn't escape errors, be careful!
311:	trigger_error("Element '$element' is not supported $support", E_USER_WARNING);
312:	}
313:	}
314:
315:	// setup allowed attributes ---------------------------------------
316:
317:	$allowed_attributes_mutable = $allowed_attributes; // by copy!
318:	if (is_array($allowed_attributes)) {
319:	// This actually doesn't do anything, since we went away from
320:	// global attributes. It's possible that userland code uses
321:	// it, but HTMLModuleManager doesn't!
322:	foreach ($this->info_global_attr as $attr => $x) {
323:	$keys = array($attr, "@$attr", ".$attr");
324:	$delete = true;
325:	foreach ($keys as $key) {
326:	if ($delete && isset($allowed_attributes[$key])) {
327:	$delete = false;
328:	}
329:	if (isset($allowed_attributes_mutable[$key])) {
330:	unset($allowed_attributes_mutable[$key]);
331:	}
332:	}
333:	if ($delete) {
334:	unset($this->info_global_attr[$attr]);
335:	}
336:	}
337:
338:	foreach ($this->info as $tag => $info) {
339:	foreach ($info->attr as $attr => $x) {
340:	$keys = array("$tag@$attr", $attr, "@$attr", "$tag.$attr", ".$attr");
341:	$delete = true;
342:	foreach ($keys as $key) {
343:	if ($delete && isset($allowed_attributes[$key])) {
344:	$delete = false;
345:	}
346:	if (isset($allowed_attributes_mutable[$key])) {
347:	unset($allowed_attributes_mutable[$key]);
348:	}
349:	}
350:	if ($delete) {
351:	if ($this->info[$tag]->attr[$attr]->required) {
352:	trigger_error(
353:	"Required attribute '$attr' in element '$tag' " .
354:	"was not allowed, which means '$tag' will not be allowed either",
355:	E_USER_WARNING
356:	);
357:	}
358:	unset($this->info[$tag]->attr[$attr]);
359:	}
360:	}
361:	}
362:	// emit errors
363:	foreach ($allowed_attributes_mutable as $elattr => $d) {
364:	$bits = preg_split('/[.@]/', $elattr, 2);
365:	$c = count($bits);
366:	switch ($c) {
367:	case 2:
368:	if ($bits[0] !== '*') {
369:	$element = htmlspecialchars($bits[0]);
370:	$attribute = htmlspecialchars($bits[1]);
371:	if (!isset($this->info[$element])) {
372:	trigger_error(
373:	"Cannot allow attribute '$attribute' if element " .
374:	"'$element' is not allowed/supported $support"
375:	);
376:	} else {
377:	trigger_error(
378:	"Attribute '$attribute' in element '$element' not supported $support",
379:	E_USER_WARNING
380:	);
381:	}
382:	break;
383:	}
384:	// otherwise fall through
385:	case 1:
386:	$attribute = htmlspecialchars($bits[0]);
387:	trigger_error(
388:	"Global attribute '$attribute' is not ".
389:	"supported in any elements $support",
390:	E_USER_WARNING
391:	);
392:	break;
393:	}
394:	}
395:	}
396:
397:	// setup forbidden elements ---------------------------------------
398:
399:	$forbidden_elements = $config->get('HTML.ForbiddenElements');
400:	$forbidden_attributes = $config->get('HTML.ForbiddenAttributes');
401:
402:	foreach ($this->info as $tag => $info) {
403:	if (isset($forbidden_elements[$tag])) {
404:	unset($this->info[$tag]);
405:	continue;
406:	}
407:	foreach ($info->attr as $attr => $x) {
408:	if (isset($forbidden_attributes["$tag@$attr"]) \|\|
409:	isset($forbidden_attributes["*@$attr"]) \|\|
410:	isset($forbidden_attributes[$attr])
411:	) {
412:	unset($this->info[$tag]->attr[$attr]);
413:	continue;
414:	} elseif (isset($forbidden_attributes["$tag.$attr"])) { // this segment might get removed eventually
415:	// $tag.$attr are not user supplied, so no worries!
416:	trigger_error(
417:	"Error with $tag.$attr: tag.attr syntax not supported for " .
418:	"HTML.ForbiddenAttributes; use tag@attr instead",
419:	E_USER_WARNING
420:	);
421:	}
422:	}
423:	}
424:	foreach ($forbidden_attributes as $key => $v) {
425:	if (strlen($key) < 2) {
426:	continue;
427:	}
428:	if ($key[0] != '*') {
429:	continue;
430:	}
431:	if ($key[1] == '.') {
432:	trigger_error(
433:	"Error with $key: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead",
434:	E_USER_WARNING
435:	);
436:	}
437:	}
438:
439:	// setup injectors -----------------------------------------------------
440:	foreach ($this->info_injector as $i => $injector) {
441:	if ($injector->checkNeeded($config) !== false) {
442:	// remove injector that does not have it's required
443:	// elements/attributes present, and is thus not needed.
444:	unset($this->info_injector[$i]);
445:	}
446:	}
447:	}
448:
449:	/**
450:	* Parses a TinyMCE-flavored Allowed Elements and Attributes list into
451:	* separate lists for processing. Format is element[attr1\|attr2],element2...
452:	* @warning Although it's largely drawn from TinyMCE's implementation,
453:	* it is different, and you'll probably have to modify your lists
454:	* @param array $list String list to parse
455:	* @return array
456:	* @todo Give this its own class, probably static interface
457:	*/
458:	public function parseTinyMCEAllowedList($list)
459:	{
460:	$list = str_replace(array(' ', "\t"), '', $list);
461:
462:	$elements = array();
463:	$attributes = array();
464:
465:	$chunks = preg_split('/(,\|[\n\r]+)/', $list);
466:	foreach ($chunks as $chunk) {
467:	if (empty($chunk)) {
468:	continue;
469:	}
470:	// remove TinyMCE element control characters
471:	if (!strpos($chunk, '[')) {
472:	$element = $chunk;
473:	$attr = false;
474:	} else {
475:	list($element, $attr) = explode('[', $chunk);
476:	}
477:	if ($element !== '*') {
478:	$elements[$element] = true;
479:	}
480:	if (!$attr) {
481:	continue;
482:	}
483:	$attr = substr($attr, 0, strlen($attr) - 1); // remove trailing ]
484:	$attr = explode('\|', $attr);
485:	foreach ($attr as $key) {
486:	$attributes["$element.$key"] = true;
487:	}
488:	}
489:	return array($elements, $attributes);
490:	}
491:	}
492:
493:	// vim: et sw=4 sts=4
494:

Namespaces

Classes

Interfaces

Exceptions

Functions