[Summary view] [Print] [Text view]

   1  <?php
   2  
   3  require_once 'HTMLPurifier/AttrDef.php';
   4  require_once 'HTMLPurifier/IDAccumulator.php';
   5  
   6  HTMLPurifier_ConfigSchema::define(
   7      'Attr', 'EnableID', false, 'bool',
   8      'Allows the ID attribute in HTML.  This is disabled by default '.
   9      'due to the fact that without proper configuration user input can '.
  10      'easily break the validation of a webpage by specifying an ID that is '.
  11      'already on the surrounding HTML.  If you don\'t mind throwing caution to '.
  12      'the wind, enable this directive, but I strongly recommend you also '.
  13      'consider blacklisting IDs you use (%Attr.IDBlacklist) or prefixing all '.
  14      'user supplied IDs (%Attr.IDPrefix).  This directive has been available '.
  15      'since 1.2.0, and when set to true reverts to the behavior of pre-1.2.0 '.
  16      'versions.'
  17  );
  18  HTMLPurifier_ConfigSchema::defineAlias(
  19      'HTML', 'EnableAttrID', 'Attr', 'EnableID'
  20  );
  21  
  22  HTMLPurifier_ConfigSchema::define(
  23      'Attr', 'IDPrefix', '', 'string',
  24      'String to prefix to IDs.  If you have no idea what IDs your pages '.
  25      'may use, you may opt to simply add a prefix to all user-submitted ID '.
  26      'attributes so that they are still usable, but will not conflict with '.
  27      'core page IDs. Example: setting the directive to \'user_\' will result in '.
  28      'a user submitted \'foo\' to become \'user_foo\'  Be sure to set '.
  29      '%HTML.EnableAttrID to true before using '.
  30      'this.  This directive was available since 1.2.0.'
  31  );
  32  
  33  HTMLPurifier_ConfigSchema::define(
  34      'Attr', 'IDPrefixLocal', '', 'string',
  35      'Temporary prefix for IDs used in conjunction with %Attr.IDPrefix.  If '.
  36      'you need to allow multiple sets of '.
  37      'user content on web page, you may need to have a seperate prefix that '.
  38      'changes with each iteration.  This way, seperately submitted user content '.
  39      'displayed on the same page doesn\'t clobber each other. Ideal values '.
  40      'are unique identifiers for the content it represents (i.e. the id of '.
  41      'the row in the database). Be sure to add a seperator (like an underscore) '.
  42      'at the end.  Warning: this directive will not work unless %Attr.IDPrefix '.
  43      'is set to a non-empty value! This directive was available since 1.2.0.'
  44  );
  45  
  46  HTMLPurifier_ConfigSchema::define(
  47      'Attr', 'IDBlacklistRegexp', null, 'string/null',
  48      'PCRE regular expression to be matched against all IDs. If the expression '.
  49      'is matches, the ID is rejected. Use this with care: may cause '.
  50      'significant degradation. ID matching is done after all other '.
  51      'validation. This directive was available since 1.6.0.'
  52  );
  53  
  54  /**
  55   * Validates the HTML attribute ID.
  56   * @warning Even though this is the id processor, it
  57   *          will ignore the directive Attr:IDBlacklist, since it will only
  58   *          go according to the ID accumulator. Since the accumulator is
  59   *          automatically generated, it will have already absorbed the
  60   *          blacklist. If you're hacking around, make sure you use load()!
  61   */
  62  
  63  class HTMLPurifier_AttrDef_HTML_ID extends HTMLPurifier_AttrDef
  64  {
  65      
  66      // ref functionality disabled, since we also have to verify
  67      // whether or not the ID it refers to exists
  68      
  69      function validate($id, $config, &$context) {
  70          
  71          if (!$config->get('Attr', 'EnableID')) return false;
  72          
  73          $id = trim($id); // trim it first
  74          
  75          if ($id === '') return false;
  76          
  77          $prefix = $config->get('Attr', 'IDPrefix');
  78          if ($prefix !== '') {
  79              $prefix .= $config->get('Attr', 'IDPrefixLocal');
  80              // prevent re-appending the prefix
  81              if (strpos($id, $prefix) !== 0) $id = $prefix . $id;
  82          } elseif ($config->get('Attr', 'IDPrefixLocal') !== '') {
  83              trigger_error('%Attr.IDPrefixLocal cannot be used unless '.
  84                  '%Attr.IDPrefix is set', E_USER_WARNING);
  85          }
  86          
  87          //if (!$this->ref) {
  88              $id_accumulator =& $context->get('IDAccumulator');
  89              if (isset($id_accumulator->ids[$id])) return false;
  90          //}
  91          
  92          // we purposely avoid using regex, hopefully this is faster
  93          
  94          if (ctype_alpha($id)) {
  95              $result = true;
  96          } else {
  97              if (!ctype_alpha(@$id[0])) return false;
  98              $trim = trim( // primitive style of regexps, I suppose
  99                  $id,
 100                  'A..Za..z0..9:-._'
 101                );
 102              $result = ($trim === '');
 103          }
 104          
 105          $regexp = $config->get('Attr', 'IDBlacklistRegexp');
 106          if ($regexp && preg_match($regexp, $id)) {
 107              return false;
 108          }
 109          
 110          if (/*!$this->ref && */$result) $id_accumulator->add($id);
 111          
 112          // if no change was made to the ID, return the result
 113          // else, return the new id if stripping whitespace made it
 114          //     valid, or return false.
 115          return $result ? $id : false;
 116          
 117      }
 118      
 119  }
 120