Commit | Line | Data |
---|---|---|
d4949327 NL |
1 | Filter.ExtractStyleBlocks\r |
2 | TYPE: bool\r | |
3 | VERSION: 3.1.0\r | |
4 | DEFAULT: false\r | |
5 | EXTERNAL: CSSTidy\r | |
6 | --DESCRIPTION--\r | |
7 | <p>\r | |
8 | This directive turns on the style block extraction filter, which removes\r | |
9 | <code>style</code> blocks from input HTML, cleans them up with CSSTidy,\r | |
10 | and places them in the <code>StyleBlocks</code> context variable for you\r | |
11 | to use afterwards, usually by placing them in an external stylesheet or in a\r | |
12 | <code>style</code> block in the <code>head</code> of your document.\r | |
13 | </p>\r | |
14 | <p>\r | |
15 | Sample usage:\r | |
16 | </p>\r | |
17 | <pre><![CDATA[\r | |
18 | <?php\r | |
19 | header('Content-type: text/html; charset=utf-8'); // declare the charset explicitly so the browser does not guess the encoding of the purified output\r | |
20 | echo '<?xml version="1.0" encoding="UTF-8"?>'; // emitted from PHP, presumably so the literal XML declaration is not read as a PHP open tag\r | |
21 | ?>\r | |
22 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\r | |
23 | "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\r | |
24 | <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">\r | |
25 | <head>\r | |
26 | <title>Filter.ExtractStyleBlocks</title>\r | |
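27 | <?php\r | |
28 | require_once '/path/to/library/HTMLPurifier.auto.php';\r | |
29 | require_once '/path/to/csstidy.class.php';\r | |
30 | // Sample input: one style block followed by ordinary text.\r | |
31 | $dirty = '<style>body {color:#F00;}</style> Some text';\r | |
32 | // ExtractStyleBlocks defaults to false, so it has to be switched on explicitly.\r | |
33 | $config = HTMLPurifier_Config::createDefault();\r | |
34 | $config->set('Filter', 'ExtractStyleBlocks', true);\r | |
35 | $purifier = new HTMLPurifier($config);\r | |
36 | // purify() returns the HTML with the style blocks taken out.\r | |
37 | $html = $purifier->purify($dirty);\r | |
38 | \r | |
39 | // This implementation writes the stylesheets to the styles/ directory.\r | |
40 | // You can also echo the styles inside the document, but it's a bit\r | |
41 | // more difficult to make sure they get interpreted properly by\r | |
42 | // browsers; try the usual CSS armoring techniques.\r | |
43 | $styles = $purifier->context->get('StyleBlocks'); // the extracted, CSSTidy-cleaned style blocks\r | |
44 | $dir = 'styles/';\r | |
45 | if (!is_dir($dir)) mkdir($dir);\r | |
46 | $hash = sha1($dirty); // key the file names by the input that was purified\r | |
47 | foreach ($styles as $i => $style) {\r | |
48 | file_put_contents($name = $dir . $hash . "_$i", $style); // write the cleaned CSS; the name uses only $dir, the hex digest and the array key\r | |
49 | echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';\r | |
50 | }\r | |
51 | ?>\r | |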
52 | </head>\r | |
53 | <body>\r | |
54 | <div>\r | |
55 | <?php echo $html; ?>\r | |
56 | </div>\r | |
57 | </b]]><![CDATA[ody>\r | |
58 | </html>\r | |
59 | ]]></pre>\r | |
60 | <p>\r | |
61 | <strong>Warning:</strong> It is possible for a user to mount an\r | |
62 | imagecrash attack (CSS that sizes an image so large that rendering it\r | |
63 | exhausts the viewer's resources) using this CSS. Countermeasures are difficult:\r | |
64 | it is not enough simply to limit the range of CSS lengths (using\r | |
65 | relative lengths with many nesting levels allows for large values\r | |
66 | to be attained without actually specifying them in the stylesheet),\r | |
67 | and the flexible nature of selectors makes it difficult to selectively\r | |
68 | disable lengths on image tags (HTML Purifier, however, does disable\r | |
69 | CSS width and height in inline styling). There are probably two effective\r | |
70 | countermeasures: an explicit width and height set to auto on all images in your\r | |
71 | document (unlikely) or the disabling of the CSS width and height properties\r | |
72 | (somewhat reasonable). Whether or not these measures should be used is left to the reader.\r | |
73 | </p>\r | |
74 | --# vim: et sw=4 sts=4\r |