diff options
| author | Nicolas LÅ“uillet <nicolas@loeuillet.org> | 2015-01-18 20:07:46 +0100 |
|---|---|---|
| committer | Nicolas LÅ“uillet <nicolas@loeuillet.org> | 2015-01-18 20:07:46 +0100 |
| commit | adf17b677edeb2387671f6a0f12123e7497b5938 (patch) | |
| tree | 8fd87d7bf5699488ffc12afa991011e80ac1011b /inc/3rdparty/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php | |
| parent | 894cd087f41d605f2f093aaad1300825f705e009 (diff) | |
| download | wallabag-adf17b677edeb2387671f6a0f12123e7497b5938.tar.gz wallabag-adf17b677edeb2387671f6a0f12123e7497b5938.tar.zst wallabag-adf17b677edeb2387671f6a0f12123e7497b5938.zip | |
remove 3rd libraries
Diffstat (limited to 'inc/3rdparty/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php')
| -rw-r--r-- | inc/3rdparty/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/inc/3rdparty/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php b/inc/3rdparty/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php deleted file mode 100644 index 482b0997..00000000 --- a/inc/3rdparty/htmlpurifier/HTMLPurifier/AttrDef/CSS/URI.php +++ /dev/null | |||
| @@ -1,74 +0,0 @@ | |||
| 1 | <?php | ||
| 2 | |||
| 3 | /** | ||
| 4 | * Validates a URI in CSS syntax, which uses url('http://example.com') | ||
| 5 | * @note While theoretically speaking a URI in a CSS document could | ||
| 6 | * be non-embedded, as of CSS2 there is no such usage so we're | ||
| 7 | * generalizing it. This may need to be changed in the future. | ||
| 8 | * @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as | ||
| 9 | * the separator, you cannot put a literal semicolon in | ||
| 10 | * in the URI. Try percent encoding it, in that case. | ||
| 11 | */ | ||
| 12 | class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI | ||
| 13 | { | ||
| 14 | |||
| 15 | public function __construct() | ||
| 16 | { | ||
| 17 | parent::__construct(true); // always embedded | ||
| 18 | } | ||
| 19 | |||
| 20 | /** | ||
| 21 | * @param string $uri_string | ||
| 22 | * @param HTMLPurifier_Config $config | ||
| 23 | * @param HTMLPurifier_Context $context | ||
| 24 | * @return bool|string | ||
| 25 | */ | ||
| 26 | public function validate($uri_string, $config, $context) | ||
| 27 | { | ||
| 28 | // parse the URI out of the string and then pass it onto | ||
| 29 | // the parent object | ||
| 30 | |||
| 31 | $uri_string = $this->parseCDATA($uri_string); | ||
| 32 | if (strpos($uri_string, 'url(') !== 0) { | ||
| 33 | return false; | ||
| 34 | } | ||
| 35 | $uri_string = substr($uri_string, 4); | ||
| 36 | $new_length = strlen($uri_string) - 1; | ||
| 37 | if ($uri_string[$new_length] != ')') { | ||
| 38 | return false; | ||
| 39 | } | ||
| 40 | $uri = trim(substr($uri_string, 0, $new_length)); | ||
| 41 | |||
| 42 | if (!empty($uri) && ($uri[0] == "'" || $uri[0] == '"')) { | ||
| 43 | $quote = $uri[0]; | ||
| 44 | $new_length = strlen($uri) - 1; | ||
| 45 | if ($uri[$new_length] !== $quote) { | ||
| 46 | return false; | ||
| 47 | } | ||
| 48 | $uri = substr($uri, 1, $new_length - 1); | ||
| 49 | } | ||
| 50 | |||
| 51 | $uri = $this->expandCSSEscape($uri); | ||
| 52 | |||
| 53 | $result = parent::validate($uri, $config, $context); | ||
| 54 | |||
| 55 | if ($result === false) { | ||
| 56 | return false; | ||
| 57 | } | ||
| 58 | |||
| 59 | // extra sanity check; should have been done by URI | ||
| 60 | $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result); | ||
| 61 | |||
| 62 | // suspicious characters are ()'; we're going to percent encode | ||
| 63 | // them for safety. | ||
| 64 | $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result); | ||
| 65 | |||
| 66 | // there's an extra bug where ampersands lose their escaping on | ||
| 67 | // an innerHTML cycle, so a very unlucky query parameter could | ||
| 68 | // then change the meaning of the URL. Unfortunately, there's | ||
| 69 | // not much we can do about that... | ||
| 70 | return "url(\"$result\")"; | ||
| 71 | } | ||
| 72 | } | ||
| 73 | |||
| 74 | // vim: et sw=4 sts=4 | ||