@@ -6,21 +6,21 @@ |
||
6 | 6 | class HTMLPurifier_AttrTransform_Length extends HTMLPurifier_AttrTransform |
7 | 7 | { |
8 | 8 | |
9 | - protected $name; |
|
10 | - protected $cssName; |
|
9 | + protected $name; |
|
10 | + protected $cssName; |
|
11 | 11 | |
12 | - public function __construct($name, $css_name = null) { |
|
13 | - $this->name = $name; |
|
14 | - $this->cssName = $css_name ? $css_name : $name; |
|
15 | - } |
|
12 | + public function __construct($name, $css_name = null) { |
|
13 | + $this->name = $name; |
|
14 | + $this->cssName = $css_name ? $css_name : $name; |
|
15 | + } |
|
16 | 16 | |
17 | - public function transform($attr, $config, $context) { |
|
18 | - if (!isset($attr[$this->name])) return $attr; |
|
19 | - $length = $this->confiscateAttr($attr, $this->name); |
|
20 | - if(ctype_digit($length)) $length .= 'px'; |
|
21 | - $this->prependCSS($attr, $this->cssName . ":$length;"); |
|
22 | - return $attr; |
|
23 | - } |
|
17 | + public function transform($attr, $config, $context) { |
|
18 | + if (!isset($attr[$this->name])) return $attr; |
|
19 | + $length = $this->confiscateAttr($attr, $this->name); |
|
20 | + if(ctype_digit($length)) $length .= 'px'; |
|
21 | + $this->prependCSS($attr, $this->cssName . ":$length;"); |
|
22 | + return $attr; |
|
23 | + } |
|
24 | 24 | |
25 | 25 | } |
26 | 26 |
@@ -17,7 +17,7 @@ |
||
17 | 17 | public function transform($attr, $config, $context) { |
18 | 18 | if (!isset($attr[$this->name])) return $attr; |
19 | 19 | $length = $this->confiscateAttr($attr, $this->name); |
20 | - if(ctype_digit($length)) $length .= 'px'; |
|
20 | + if (ctype_digit($length)) $length .= 'px'; |
|
21 | 21 | $this->prependCSS($attr, $this->cssName . ":$length;"); |
22 | 22 | return $attr; |
23 | 23 | } |
@@ -15,9 +15,13 @@ |
||
15 | 15 | } |
16 | 16 | |
17 | 17 | public function transform($attr, $config, $context) { |
18 | - if (!isset($attr[$this->name])) return $attr; |
|
18 | + if (!isset($attr[$this->name])) { |
|
19 | + return $attr; |
|
20 | + } |
|
19 | 21 | $length = $this->confiscateAttr($attr, $this->name); |
20 | - if(ctype_digit($length)) $length .= 'px'; |
|
22 | + if(ctype_digit($length)) { |
|
23 | + $length .= 'px'; |
|
24 | + } |
|
21 | 25 | $this->prependCSS($attr, $this->cssName . ":$length;"); |
22 | 26 | return $attr; |
23 | 27 | } |
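Review bot: `$length` reaches `$this->prependCSS($attr, $this->cssName . ":$length;")` with no check other than `ctype_digit`, which only appends `px`; any other string, including an empty one or one containing `;`, is written into the style value as-is. Whether the style attribute is validated after this transform is not visible here, so I would state the assumption above the call, e.g. `// $length is not validated here; the resulting style must be validated downstream`. The rewritten condition also still reads `if(ctype_digit($length)) {` without the space after `if`.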
@@ -6,15 +6,15 @@ |
||
6 | 6 | class HTMLPurifier_AttrTransform_Name extends HTMLPurifier_AttrTransform |
7 | 7 | { |
8 | 8 | |
9 | - public function transform($attr, $config, $context) { |
|
10 | - // Abort early if we're using relaxed definition of name |
|
11 | - if ($config->get('HTML.Attr.Name.UseCDATA')) return $attr; |
|
12 | - if (!isset($attr['name'])) return $attr; |
|
13 | - $id = $this->confiscateAttr($attr, 'name'); |
|
14 | - if ( isset($attr['id'])) return $attr; |
|
15 | - $attr['id'] = $id; |
|
16 | - return $attr; |
|
17 | - } |
|
9 | + public function transform($attr, $config, $context) { |
|
10 | + // Abort early if we're using relaxed definition of name |
|
11 | + if ($config->get('HTML.Attr.Name.UseCDATA')) return $attr; |
|
12 | + if (!isset($attr['name'])) return $attr; |
|
13 | + $id = $this->confiscateAttr($attr, 'name'); |
|
14 | + if ( isset($attr['id'])) return $attr; |
|
15 | + $attr['id'] = $id; |
|
16 | + return $attr; |
|
17 | + } |
|
18 | 18 | |
19 | 19 | } |
20 | 20 |
@@ -11,7 +11,7 @@ |
||
11 | 11 | if ($config->get('HTML.Attr.Name.UseCDATA')) return $attr; |
12 | 12 | if (!isset($attr['name'])) return $attr; |
13 | 13 | $id = $this->confiscateAttr($attr, 'name'); |
14 | - if ( isset($attr['id'])) return $attr; |
|
14 | + if (isset($attr['id'])) return $attr; |
|
15 | 15 | $attr['id'] = $id; |
16 | 16 | return $attr; |
17 | 17 | } |
@@ -8,10 +8,16 @@ |
||
8 | 8 | |
9 | 9 | public function transform($attr, $config, $context) { |
10 | 10 | // Abort early if we're using relaxed definition of name |
11 | - if ($config->get('HTML.Attr.Name.UseCDATA')) return $attr; |
|
12 | - if (!isset($attr['name'])) return $attr; |
|
11 | + if ($config->get('HTML.Attr.Name.UseCDATA')) { |
|
12 | + return $attr; |
|
13 | + } |
|
14 | + if (!isset($attr['name'])) { |
|
15 | + return $attr; |
|
16 | + } |
|
13 | 17 | $id = $this->confiscateAttr($attr, 'name'); |
14 | - if ( isset($attr['id'])) return $attr; |
|
18 | + if ( isset($attr['id'])) { |
|
19 | + return $attr; |
|
20 | + } |
|
15 | 21 | $attr['id'] = $id; |
16 | 22 | return $attr; |
17 | 23 | } |
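Review bot: `confiscateAttr($attr, 'name')` runs before the `isset($attr['id'])` check, so when an `id` is already present the `name` value is removed and discarded rather than kept. That is easy to misread and deserves a comment such as `// an existing id wins; name is dropped either way`. The rewritten condition also keeps the stray space in `if ( isset($attr['id'])) {`. transform() has no docblock saying that it moves `name` into `id` unless `HTML.Attr.Name.UseCDATA` is set.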
@@ -8,19 +8,19 @@ |
||
8 | 8 | class HTMLPurifier_AttrTransform_NameSync extends HTMLPurifier_AttrTransform |
9 | 9 | { |
10 | 10 | |
11 | - public function __construct() { |
|
12 | - $this->idDef = new HTMLPurifier_AttrDef_HTML_ID(); |
|
13 | - } |
|
11 | + public function __construct() { |
|
12 | + $this->idDef = new HTMLPurifier_AttrDef_HTML_ID(); |
|
13 | + } |
|
14 | 14 | |
15 | - public function transform($attr, $config, $context) { |
|
16 | - if (!isset($attr['name'])) return $attr; |
|
17 | - $name = $attr['name']; |
|
18 | - if (isset($attr['id']) && $attr['id'] === $name) return $attr; |
|
19 | - $result = $this->idDef->validate($name, $config, $context); |
|
20 | - if ($result === false) unset($attr['name']); |
|
21 | - else $attr['name'] = $result; |
|
22 | - return $attr; |
|
23 | - } |
|
15 | + public function transform($attr, $config, $context) { |
|
16 | + if (!isset($attr['name'])) return $attr; |
|
17 | + $name = $attr['name']; |
|
18 | + if (isset($attr['id']) && $attr['id'] === $name) return $attr; |
|
19 | + $result = $this->idDef->validate($name, $config, $context); |
|
20 | + if ($result === false) unset($attr['name']); |
|
21 | + else $attr['name'] = $result; |
|
22 | + return $attr; |
|
23 | + } |
|
24 | 24 | |
25 | 25 | } |
26 | 26 |
@@ -13,12 +13,19 @@ |
||
13 | 13 | } |
14 | 14 | |
15 | 15 | public function transform($attr, $config, $context) { |
16 | - if (!isset($attr['name'])) return $attr; |
|
16 | + if (!isset($attr['name'])) { |
|
17 | + return $attr; |
|
18 | + } |
|
17 | 19 | $name = $attr['name']; |
18 | - if (isset($attr['id']) && $attr['id'] === $name) return $attr; |
|
20 | + if (isset($attr['id']) && $attr['id'] === $name) { |
|
21 | + return $attr; |
|
22 | + } |
|
19 | 23 | $result = $this->idDef->validate($name, $config, $context); |
20 | - if ($result === false) unset($attr['name']); |
|
21 | - else $attr['name'] = $result; |
|
24 | + if ($result === false) { |
|
25 | + unset($attr['name']); |
|
26 | + } else { |
|
27 | + $attr['name'] = $result; |
|
28 | + } |
|
22 | 29 | return $attr; |
23 | 30 | } |
24 | 31 |
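Review bot: `$this->idDef` is used at `$this->idDef->validate($name, $config, $context)`, but the class body shown on this page declares no such property, so unless the parent class declares it, it is created dynamically in the constructor (which lies outside this hunk). Dynamic property creation is deprecated as of PHP 8.2. Adding `public $idDef;` at the top of the class keeps the current visibility and removes the deprecation notice. A short docblock on the property naming its type (`HTMLPurifier_AttrDef_HTML_ID`) would also help readers of transform().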
@@ -8,37 +8,37 @@ |
||
8 | 8 | */ |
9 | 9 | class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform |
10 | 10 | { |
11 | - private $parser; |
|
11 | + private $parser; |
|
12 | 12 | |
13 | - public function __construct() { |
|
14 | - $this->parser = new HTMLPurifier_URIParser(); |
|
15 | - } |
|
13 | + public function __construct() { |
|
14 | + $this->parser = new HTMLPurifier_URIParser(); |
|
15 | + } |
|
16 | 16 | |
17 | - public function transform($attr, $config, $context) { |
|
17 | + public function transform($attr, $config, $context) { |
|
18 | 18 | |
19 | - if (!isset($attr['href'])) { |
|
20 | - return $attr; |
|
21 | - } |
|
19 | + if (!isset($attr['href'])) { |
|
20 | + return $attr; |
|
21 | + } |
|
22 | 22 | |
23 | - // XXX Kind of inefficient |
|
24 | - $url = $this->parser->parse($attr['href']); |
|
25 | - $scheme = $url->getSchemeObj($config, $context); |
|
23 | + // XXX Kind of inefficient |
|
24 | + $url = $this->parser->parse($attr['href']); |
|
25 | + $scheme = $url->getSchemeObj($config, $context); |
|
26 | 26 | |
27 | - if ($scheme->browsable && !$url->isLocal($config, $context)) { |
|
28 | - if (isset($attr['rel'])) { |
|
29 | - $rels = explode(' ', $attr); |
|
30 | - if (!in_array('nofollow', $rels)) { |
|
31 | - $rels[] = 'nofollow'; |
|
32 | - } |
|
33 | - $attr['rel'] = implode(' ', $rels); |
|
34 | - } else { |
|
35 | - $attr['rel'] = 'nofollow'; |
|
36 | - } |
|
37 | - } |
|
27 | + if ($scheme->browsable && !$url->isLocal($config, $context)) { |
|
28 | + if (isset($attr['rel'])) { |
|
29 | + $rels = explode(' ', $attr); |
|
30 | + if (!in_array('nofollow', $rels)) { |
|
31 | + $rels[] = 'nofollow'; |
|
32 | + } |
|
33 | + $attr['rel'] = implode(' ', $rels); |
|
34 | + } else { |
|
35 | + $attr['rel'] = 'nofollow'; |
|
36 | + } |
|
37 | + } |
|
38 | 38 | |
39 | - return $attr; |
|
39 | + return $attr; |
|
40 | 40 | |
41 | - } |
|
41 | + } |
|
42 | 42 | |
43 | 43 | } |
44 | 44 |
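Review bot: `$rels = explode(' ', $attr);` passes the whole attribute array to explode() instead of the rel string, so on any link that already has a `rel` the existing values are lost on older PHP and the call throws a TypeError on PHP 8. It should read `$rels = explode(' ', $attr['rel']);`, and `in_array('nofollow', $rels, true)` avoids the loose comparison. `$url` and `$scheme` are also dereferenced without a check; if `parse()` or `getSchemeObj()` can return false (not visible here), a guard that returns `$attr` is needed before `$scheme->browsable`.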
@@ -2,14 +2,14 @@ |
||
2 | 2 | |
3 | 3 | class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform |
4 | 4 | { |
5 | - public $name = "SafeEmbed"; |
|
5 | + public $name = "SafeEmbed"; |
|
6 | 6 | |
7 | - public function transform($attr, $config, $context) { |
|
8 | - $attr['allowscriptaccess'] = 'never'; |
|
9 | - $attr['allownetworking'] = 'internal'; |
|
10 | - $attr['type'] = 'application/x-shockwave-flash'; |
|
11 | - return $attr; |
|
12 | - } |
|
7 | + public function transform($attr, $config, $context) { |
|
8 | + $attr['allowscriptaccess'] = 'never'; |
|
9 | + $attr['allownetworking'] = 'internal'; |
|
10 | + $attr['type'] = 'application/x-shockwave-flash'; |
|
11 | + return $attr; |
|
12 | + } |
|
13 | 13 | } |
14 | 14 | |
15 | 15 | // vim: et sw=4 sts=4 |
@@ -5,12 +5,12 @@ |
||
5 | 5 | */ |
6 | 6 | class HTMLPurifier_AttrTransform_SafeObject extends HTMLPurifier_AttrTransform |
7 | 7 | { |
8 | - public $name = "SafeObject"; |
|
8 | + public $name = "SafeObject"; |
|
9 | 9 | |
10 | - function transform($attr, $config, $context) { |
|
11 | - if (!isset($attr['type'])) $attr['type'] = 'application/x-shockwave-flash'; |
|
12 | - return $attr; |
|
13 | - } |
|
10 | + function transform($attr, $config, $context) { |
|
11 | + if (!isset($attr['type'])) $attr['type'] = 'application/x-shockwave-flash'; |
|
12 | + return $attr; |
|
13 | + } |
|
14 | 14 | } |
15 | 15 | |
16 | 16 | // vim: et sw=4 sts=4 |
@@ -8,7 +8,9 @@ |
||
8 | 8 | public $name = "SafeObject"; |
9 | 9 | |
10 | 10 | function transform($attr, $config, $context) { |
11 | - if (!isset($attr['type'])) $attr['type'] = 'application/x-shockwave-flash'; |
|
11 | + if (!isset($attr['type'])) { |
|
12 | + $attr['type'] = 'application/x-shockwave-flash'; |
|
13 | + } |
|
12 | 14 | return $attr; |
13 | 15 | } |
14 | 16 | } |
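Review bot: `function transform($attr, $config, $context)` has no visibility keyword, unlike the `public function transform` in the sibling transforms on this page; `public function transform($attr, $config, $context)` would match them. Separately, the body only fills in `type` when it is absent, so a supplied `type` is returned unchanged, whereas SafeEmbed overwrites it. If the restriction on `type` lives elsewhere (not visible here), a comment should say so, e.g. `// a supplied type is kept; it must be restricted by the attribute definition`.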
@@ -14,51 +14,51 @@ |
||
14 | 14 | */ |
15 | 15 | class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform |
16 | 16 | { |
17 | - public $name = "SafeParam"; |
|
18 | - private $uri; |
|
17 | + public $name = "SafeParam"; |
|
18 | + private $uri; |
|
19 | 19 | |
20 | - public function __construct() { |
|
21 | - $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded |
|
22 | - $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent')); |
|
23 | - } |
|
20 | + public function __construct() { |
|
21 | + $this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded |
|
22 | + $this->wmode = new HTMLPurifier_AttrDef_Enum(array('window', 'opaque', 'transparent')); |
|
23 | + } |
|
24 | 24 | |
25 | - public function transform($attr, $config, $context) { |
|
26 | - // If we add support for other objects, we'll need to alter the |
|
27 | - // transforms. |
|
28 | - switch ($attr['name']) { |
|
29 | - // application/x-shockwave-flash |
|
30 | - // Keep this synchronized with Injector/SafeObject.php |
|
31 | - case 'allowScriptAccess': |
|
32 | - $attr['value'] = 'never'; |
|
33 | - break; |
|
34 | - case 'allowNetworking': |
|
35 | - $attr['value'] = 'internal'; |
|
36 | - break; |
|
37 | - case 'allowFullScreen': |
|
38 | - if ($config->get('HTML.FlashAllowFullScreen')) { |
|
39 | - $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false'; |
|
40 | - } else { |
|
41 | - $attr['value'] = 'false'; |
|
42 | - } |
|
43 | - break; |
|
44 | - case 'wmode': |
|
45 | - $attr['value'] = $this->wmode->validate($attr['value'], $config, $context); |
|
46 | - break; |
|
47 | - case 'movie': |
|
48 | - case 'src': |
|
49 | - $attr['name'] = "movie"; |
|
50 | - $attr['value'] = $this->uri->validate($attr['value'], $config, $context); |
|
51 | - break; |
|
52 | - case 'flashvars': |
|
53 | - // we're going to allow arbitrary inputs to the SWF, on |
|
54 | - // the reasoning that it could only hack the SWF, not us. |
|
55 | - break; |
|
56 | - // add other cases to support other param name/value pairs |
|
57 | - default: |
|
58 | - $attr['name'] = $attr['value'] = null; |
|
59 | - } |
|
60 | - return $attr; |
|
61 | - } |
|
25 | + public function transform($attr, $config, $context) { |
|
26 | + // If we add support for other objects, we'll need to alter the |
|
27 | + // transforms. |
|
28 | + switch ($attr['name']) { |
|
29 | + // application/x-shockwave-flash |
|
30 | + // Keep this synchronized with Injector/SafeObject.php |
|
31 | + case 'allowScriptAccess': |
|
32 | + $attr['value'] = 'never'; |
|
33 | + break; |
|
34 | + case 'allowNetworking': |
|
35 | + $attr['value'] = 'internal'; |
|
36 | + break; |
|
37 | + case 'allowFullScreen': |
|
38 | + if ($config->get('HTML.FlashAllowFullScreen')) { |
|
39 | + $attr['value'] = ($attr['value'] == 'true') ? 'true' : 'false'; |
|
40 | + } else { |
|
41 | + $attr['value'] = 'false'; |
|
42 | + } |
|
43 | + break; |
|
44 | + case 'wmode': |
|
45 | + $attr['value'] = $this->wmode->validate($attr['value'], $config, $context); |
|
46 | + break; |
|
47 | + case 'movie': |
|
48 | + case 'src': |
|
49 | + $attr['name'] = "movie"; |
|
50 | + $attr['value'] = $this->uri->validate($attr['value'], $config, $context); |
|
51 | + break; |
|
52 | + case 'flashvars': |
|
53 | + // we're going to allow arbitrary inputs to the SWF, on |
|
54 | + // the reasoning that it could only hack the SWF, not us. |
|
55 | + break; |
|
56 | + // add other cases to support other param name/value pairs |
|
57 | + default: |
|
58 | + $attr['name'] = $attr['value'] = null; |
|
59 | + } |
|
60 | + return $attr; |
|
61 | + } |
|
62 | 62 | } |
63 | 63 | |
64 | 64 | // vim: et sw=4 sts=4 |
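Review bot: `switch ($attr['name'])` assumes the key exists, and the `allowFullScreen`, `wmode` and `movie`/`src` cases read `$attr['value']` the same way, so a param lacking either key raises an undefined-key warning before the transform decides anything. A guard at the top, `if (!isset($attr['name'])) { $attr['name'] = $attr['value'] = null; return $attr; }`, rejects the nameless case the way `default` does, and the value reads need a similar `isset`. `$this->wmode` is assigned in the constructor but only `$name` and `$uri` are declared, so add `private $wmode;` next to `private $uri;`. The comparison `$attr['value'] == 'true'` is loose; `=== 'true'` states the intent exactly.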
@@ -5,12 +5,12 @@ |
||
5 | 5 | */ |
6 | 6 | class HTMLPurifier_AttrTransform_ScriptRequired extends HTMLPurifier_AttrTransform |
7 | 7 | { |
8 | - public function transform($attr, $config, $context) { |
|
9 | - if (!isset($attr['type'])) { |
|
10 | - $attr['type'] = 'text/javascript'; |
|
11 | - } |
|
12 | - return $attr; |
|
13 | - } |
|
8 | + public function transform($attr, $config, $context) { |
|
9 | + if (!isset($attr['type'])) { |
|
10 | + $attr['type'] = 'text/javascript'; |
|
11 | + } |
|
12 | + return $attr; |
|
13 | + } |
|
14 | 14 | } |
15 | 15 | |
16 | 16 | // vim: et sw=4 sts=4 |
@@ -9,29 +9,29 @@ |
||
9 | 9 | */ |
10 | 10 | class HTMLPurifier_AttrTransform_TargetBlank extends HTMLPurifier_AttrTransform |
11 | 11 | { |
12 | - private $parser; |
|
12 | + private $parser; |
|
13 | 13 | |
14 | - public function __construct() { |
|
15 | - $this->parser = new HTMLPurifier_URIParser(); |
|
16 | - } |
|
14 | + public function __construct() { |
|
15 | + $this->parser = new HTMLPurifier_URIParser(); |
|
16 | + } |
|
17 | 17 | |
18 | - public function transform($attr, $config, $context) { |
|
18 | + public function transform($attr, $config, $context) { |
|
19 | 19 | |
20 | - if (!isset($attr['href'])) { |
|
21 | - return $attr; |
|
22 | - } |
|
20 | + if (!isset($attr['href'])) { |
|
21 | + return $attr; |
|
22 | + } |
|
23 | 23 | |
24 | - // XXX Kind of inefficient |
|
25 | - $url = $this->parser->parse($attr['href']); |
|
26 | - $scheme = $url->getSchemeObj($config, $context); |
|
24 | + // XXX Kind of inefficient |
|
25 | + $url = $this->parser->parse($attr['href']); |
|
26 | + $scheme = $url->getSchemeObj($config, $context); |
|
27 | 27 | |
28 | - if ($scheme->browsable && !$url->isBenign($config, $context)) { |
|
29 | - $attr['target'] = 'blank'; |
|
30 | - } |
|
28 | + if ($scheme->browsable && !$url->isBenign($config, $context)) { |
|
29 | + $attr['target'] = 'blank'; |
|
30 | + } |
|
31 | 31 | |
32 | - return $attr; |
|
32 | + return $attr; |
|
33 | 33 | |
34 | - } |
|
34 | + } |
|
35 | 35 | |
36 | 36 | } |
37 | 37 |
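Review bot: `$attr['target'] = 'blank';` sets a window name rather than the reserved keyword, so every external link loads into one shared window named "blank" instead of a new one; the intended line is presumably `$attr['target'] = '_blank';`. A link opened in a new browsing context also hands the destination page a `window.opener` reference unless `rel` carries `noopener` (usually with `noreferrer`). Nothing in this transform adds it, so either set it here or confirm that another transform does. `$url` and `$scheme` are used without a check; if `parse()` or `getSchemeObj()` can return false (not visible here), return `$attr` before reading `$scheme->browsable`.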