Diffstat (limited to 'inc/3rdparty/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt')
-rw-r--r-- | inc/3rdparty/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt | 74 |
1 files changed, 74 insertions, 0 deletions
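--- /dev/null
+++ b/inc/3rdparty/htmlpurifier/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt
@@ -0,0 +1,74 @@
+Filter.ExtractStyleBlocks
+TYPE: bool
+VERSION: 3.1.0
+DEFAULT: false
+EXTERNAL: CSSTidy
+--DESCRIPTION--
+<p>
+This directive turns on the style block extraction filter, which removes
+<code>style</code> blocks from input HTML, cleans them up with CSSTidy,
+and places them in the <code>StyleBlocks</code> context variable, for further
+use by you, usually to be placed in an external stylesheet, or a
+<code>style</code> block in the <code>head</code> of your document.
+</p>
+<p>
+Sample usage:
+</p>
+<pre><![CDATA[
+<?php
+header('Content-type: text/html; charset=utf-8');
+echo '<?xml version="1.0" encoding="UTF-8"?>';
+?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+<head>
+<title>Filter.ExtractStyleBlocks</title>
+<?php
+require_once '/path/to/library/HTMLPurifier.auto.php';
+require_once '/path/to/csstidy.class.php';
+
+$dirty = '<style>body {color:#F00;}</style> Some text';
+
+$config = HTMLPurifier_Config::createDefault();
+$config->set('Filter', 'ExtractStyleBlocks', true);
+$purifier = new HTMLPurifier($config);
+
+$html = $purifier->purify($dirty);
+
+// This implementation writes the stylesheets to the styles/ directory.
+// You can also echo the styles inside the document, but it's a bit
+// more difficult to make sure they get interpreted properly by
+// browsers; try the usual CSS armoring techniques.
+$styles = $purifier->context->get('StyleBlocks');
+$dir = 'styles/';
+if (!is_dir($dir)) mkdir($dir);
+$hash = sha1($_GET['html']);
+foreach ($styles as $i => $style) {
+file_put_contents($name = $dir . $hash . "_$i");
+echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
+}
+?>
+</head>
+<body>
+<div>
+<?php echo $html; ?>
+</div>
+</b]]><![CDATA[ody>
+</html>
+]]></pre>
+<p>
+<strong>Warning:</strong> It is possible for a user to mount an
+imagecrash attack using this CSS. Counter-measures are difficult;
+it is not simply enough to limit the range of CSS lengths (using
+relative lengths with many nesting levels allows for large values
+to be attained without actually specifying them in the stylesheet),
+and the flexible nature of selectors makes it difficult to selectively
+disable lengths on image tags (HTML Purifier, however, does disable
+CSS width and height in inline styling). There are probably two effective
+counter measures: an explicit width and height set to auto in all
+images in your document (unlikely) or the disabling of width and
+height (somewhat reasonable). Whether or not these measures should be
+used is left to the reader.
+</p>
+--# vim: et sw=4 sts=4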