some important stuff we'll need
This commit is contained in:
friendica
@@ -0,0 +1,8 @@
|
||||
Attr.AllowedClasses
|
||||
TYPE: lookup/null
|
||||
VERSION: 4.0.0
|
||||
DEFAULT: null
|
||||
--DESCRIPTION--
|
||||
List of allowed class values in the class attribute. By default, this is null,
|
||||
which means all classes are allowed.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
Attr.AllowedFrameTargets
|
||||
TYPE: lookup
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
Lookup table of all allowed link frame targets. Some commonly used link
|
||||
targets include _blank, _self, _parent and _top. Values should be
|
||||
lowercase, as validation will be done in a case-sensitive manner despite
|
||||
W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute
|
||||
so this directive will have no effect in that doctype. XHTML 1.1 does not
|
||||
enable the Target module by default, you will have to manually enable it
|
||||
(see the module documentation for more details.)
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
Attr.AllowedRel
|
||||
TYPE: lookup
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of allowed forward document relationships in the rel attribute. Common
|
||||
values may be nofollow or print. By default, this is empty, meaning that no
|
||||
document relationships are allowed.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
Attr.AllowedRev
|
||||
TYPE: lookup
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of allowed reverse document relationships in the rev attribute. This
|
||||
attribute is a bit of an edge-case; if you don't know what it is for, stay
|
||||
away.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,19 @@
|
||||
Attr.ClassUseCDATA
|
||||
TYPE: bool/null
|
||||
DEFAULT: null
|
||||
VERSION: 4.0.0
|
||||
--DESCRIPTION--
|
||||
If null, class will auto-detect the doctype and, if matching XHTML 1.1 or
|
||||
XHTML 2.0, will use the restrictive NMTOKENS specification of class. Otherwise,
|
||||
it will use a relaxed CDATA definition. If true, the relaxed CDATA definition
|
||||
is forced; if false, the NMTOKENS definition is forced. To get behavior
|
||||
of HTML Purifier prior to 4.0.0, set this directive to false.
|
||||
|
||||
Some rational behind the auto-detection:
|
||||
in previous versions of HTML Purifier, it was assumed that the form of
|
||||
class was NMTOKENS, as specified by the XHTML Modularization (representing
|
||||
XHTML 1.1 and XHTML 2.0). The DTDs for HTML 4.01 and XHTML 1.0, however
|
||||
specify class as CDATA. HTML 5 effectively defines it as CDATA, but
|
||||
with the additional constraint that each name should be unique (this is not
|
||||
explicitly outlined in previous specifications).
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
Attr.DefaultImageAlt
|
||||
TYPE: string/null
|
||||
DEFAULT: null
|
||||
VERSION: 3.2.0
|
||||
--DESCRIPTION--
|
||||
This is the content of the alt tag of an image if the user had not
|
||||
previously specified an alt attribute. This applies to all images without
|
||||
a valid alt attribute, as opposed to %Attr.DefaultInvalidImageAlt, which
|
||||
only applies to invalid images, and overrides in the case of an invalid image.
|
||||
Default behavior with null is to use the basename of the src tag for the alt.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
Attr.DefaultInvalidImage
|
||||
TYPE: string
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
This is the default image an img tag will be pointed to if it does not have
|
||||
a valid src attribute. In future versions, we may allow the image tag to
|
||||
be removed completely, but due to design issues, this is not possible right
|
||||
now.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,8 @@
|
||||
Attr.DefaultInvalidImageAlt
|
||||
TYPE: string
|
||||
DEFAULT: 'Invalid image'
|
||||
--DESCRIPTION--
|
||||
This is the content of the alt tag of an invalid image if the user had not
|
||||
previously specified an alt attribute. It has no effect when the image is
|
||||
valid but there was no alt attribute present.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,10 @@
|
||||
Attr.DefaultTextDir
|
||||
TYPE: string
|
||||
DEFAULT: 'ltr'
|
||||
--DESCRIPTION--
|
||||
Defines the default text direction (ltr or rtl) of the document being
|
||||
parsed. This generally is the same as the value of the dir attribute in
|
||||
HTML, or ltr if that is not specified.
|
||||
--ALLOWED--
|
||||
'ltr', 'rtl'
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,16 @@
|
||||
Attr.EnableID
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 1.2.0
|
||||
--DESCRIPTION--
|
||||
Allows the ID attribute in HTML. This is disabled by default due to the
|
||||
fact that without proper configuration user input can easily break the
|
||||
validation of a webpage by specifying an ID that is already on the
|
||||
surrounding HTML. If you don't mind throwing caution to the wind, enable
|
||||
this directive, but I strongly recommend you also consider blacklisting IDs
|
||||
you use (%Attr.IDBlacklist) or prefixing all user supplied IDs
|
||||
(%Attr.IDPrefix). When set to true HTML Purifier reverts to the behavior of
|
||||
pre-1.2.0 versions.
|
||||
--ALIASES--
|
||||
HTML.EnableAttrID
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,8 @@
|
||||
Attr.ForbiddenClasses
|
||||
TYPE: lookup
|
||||
VERSION: 4.0.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
List of forbidden class values in the class attribute. By default, this is
|
||||
empty, which means that no classes are forbidden. See also %Attr.AllowedClasses.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,5 @@
|
||||
Attr.IDBlacklist
|
||||
TYPE: list
|
||||
DEFAULT: array()
|
||||
DESCRIPTION: Array of IDs not allowed in the document.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
Attr.IDBlacklistRegexp
|
||||
TYPE: string/null
|
||||
VERSION: 1.6.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
PCRE regular expression to be matched against all IDs. If the expression is
|
||||
matches, the ID is rejected. Use this with care: may cause significant
|
||||
degradation. ID matching is done after all other validation.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
Attr.IDPrefix
|
||||
TYPE: string
|
||||
VERSION: 1.2.0
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
String to prefix to IDs. If you have no idea what IDs your pages may use,
|
||||
you may opt to simply add a prefix to all user-submitted ID attributes so
|
||||
that they are still usable, but will not conflict with core page IDs.
|
||||
Example: setting the directive to 'user_' will result in a user submitted
|
||||
'foo' to become 'user_foo' Be sure to set %HTML.EnableAttrID to true
|
||||
before using this.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,14 @@
|
||||
Attr.IDPrefixLocal
|
||||
TYPE: string
|
||||
VERSION: 1.2.0
|
||||
DEFAULT: ''
|
||||
--DESCRIPTION--
|
||||
Temporary prefix for IDs used in conjunction with %Attr.IDPrefix. If you
|
||||
need to allow multiple sets of user content on web page, you may need to
|
||||
have a seperate prefix that changes with each iteration. This way,
|
||||
seperately submitted user content displayed on the same page doesn't
|
||||
clobber each other. Ideal values are unique identifiers for the content it
|
||||
represents (i.e. the id of the row in the database). Be sure to add a
|
||||
seperator (like an underscore) at the end. Warning: this directive will
|
||||
not work unless %Attr.IDPrefix is set to a non-empty value!
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,31 @@
|
||||
AutoFormat.AutoParagraph
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive turns on auto-paragraphing, where double newlines are
|
||||
converted in to paragraphs whenever possible. Auto-paragraphing:
|
||||
</p>
|
||||
<ul>
|
||||
<li>Always applies to inline elements or text in the root node,</li>
|
||||
<li>Applies to inline elements or text with double newlines in nodes
|
||||
that allow paragraph tags,</li>
|
||||
<li>Applies to double newlines in paragraph tags</li>
|
||||
</ul>
|
||||
<p>
|
||||
<code>p</code> tags must be allowed for this directive to take effect.
|
||||
We do not use <code>br</code> tags for paragraphing, as that is
|
||||
semantically incorrect.
|
||||
</p>
|
||||
<p>
|
||||
To prevent auto-paragraphing as a content-producer, refrain from using
|
||||
double-newlines except to specify a new paragraph or in contexts where
|
||||
it has special meaning (whitespace usually has no meaning except in
|
||||
tags like <code>pre</code>, so this should not be difficult.) To prevent
|
||||
the paragraphing of inline text adjacent to block elements, wrap them
|
||||
in <code>div</code> tags (the behavior is slightly different outside of
|
||||
the root node.)
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
AutoFormat.Custom
|
||||
TYPE: list
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive can be used to add custom auto-format injectors.
|
||||
Specify an array of injector names (class name minus the prefix)
|
||||
or concrete implementations. Injector class must exist.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
AutoFormat.DisplayLinkURI
|
||||
TYPE: bool
|
||||
VERSION: 3.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive turns on the in-text display of URIs in <a> tags, and disables
|
||||
those links. For example, <a href="http://example.com">example</a> becomes
|
||||
example (<a>http://example.com</a>).
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
AutoFormat.Linkify
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive turns on linkification, auto-linking http, ftp and
|
||||
https URLs. <code>a</code> tags with the <code>href</code> attribute
|
||||
must be allowed.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
AutoFormat.PurifierLinkify.DocURL
|
||||
TYPE: string
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: '#%s'
|
||||
ALIASES: AutoFormatParam.PurifierLinkifyDocURL
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Location of configuration documentation to link to, let %s substitute
|
||||
into the configuration's namespace and directive names sans the percent
|
||||
sign.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
AutoFormat.PurifierLinkify
|
||||
TYPE: bool
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Internal auto-formatter that converts configuration directives in
|
||||
syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags
|
||||
with the <code>href</code> attribute must be allowed.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions
|
||||
TYPE: lookup
|
||||
VERSION: 4.0.0
|
||||
DEFAULT: array('td' => true, 'th' => true)
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
When %AutoFormat.RemoveEmpty and %AutoFormat.RemoveEmpty.RemoveNbsp
|
||||
are enabled, this directive defines what HTML elements should not be
|
||||
removede if they have only a non-breaking space in them.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,15 @@
|
||||
AutoFormat.RemoveEmpty.RemoveNbsp
|
||||
TYPE: bool
|
||||
VERSION: 4.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
When enabled, HTML Purifier will treat any elements that contain only
|
||||
non-breaking spaces as well as regular whitespace as empty, and remove
|
||||
them when %AutoForamt.RemoveEmpty is enabled.
|
||||
</p>
|
||||
<p>
|
||||
See %AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions for a list of elements
|
||||
that don't have this behavior applied to them.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,46 @@
|
||||
AutoFormat.RemoveEmpty
|
||||
TYPE: bool
|
||||
VERSION: 3.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
When enabled, HTML Purifier will attempt to remove empty elements that
|
||||
contribute no semantic information to the document. The following types
|
||||
of nodes will be removed:
|
||||
</p>
|
||||
<ul><li>
|
||||
Tags with no attributes and no content, and that are not empty
|
||||
elements (remove <code><a></a></code> but not
|
||||
<code><br /></code>), and
|
||||
</li>
|
||||
<li>
|
||||
Tags with no content, except for:<ul>
|
||||
<li>The <code>colgroup</code> element, or</li>
|
||||
<li>
|
||||
Elements with the <code>id</code> or <code>name</code> attribute,
|
||||
when those attributes are permitted on those elements.
|
||||
</li>
|
||||
</ul></li>
|
||||
</ul>
|
||||
<p>
|
||||
Please be very careful when using this functionality; while it may not
|
||||
seem that empty elements contain useful information, they can alter the
|
||||
layout of a document given appropriate styling. This directive is most
|
||||
useful when you are processing machine-generated HTML, please avoid using
|
||||
it on regular user HTML.
|
||||
</p>
|
||||
<p>
|
||||
Elements that contain only whitespace will be treated as empty. Non-breaking
|
||||
spaces, however, do not count as whitespace. See
|
||||
%AutoFormat.RemoveEmpty.RemoveNbsp for alternate behavior.
|
||||
</p>
|
||||
<p>
|
||||
This algorithm is not perfect; you may still notice some empty tags,
|
||||
particularly if a node had elements, but those elements were later removed
|
||||
because they were not permitted in that context, or tags that, after
|
||||
being auto-closed by another tag, where empty. This is for safety reasons
|
||||
to prevent clever code from breaking validation. The general rule of thumb:
|
||||
if a tag looked empty on the way in, it will get removed; if HTML Purifier
|
||||
made it empty, it will stay.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
AutoFormat.RemoveSpansWithoutAttributes
|
||||
TYPE: bool
|
||||
VERSION: 4.0.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive causes <code>span</code> tags without any attributes
|
||||
to be removed. It will also remove spans that had all attributes
|
||||
removed during processing.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,8 @@
|
||||
CSS.AllowImportant
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 3.1.0
|
||||
--DESCRIPTION--
|
||||
This parameter determines whether or not !important cascade modifiers should
|
||||
be allowed in user CSS. If false, !important will stripped.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
CSS.AllowTricky
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 3.1.0
|
||||
--DESCRIPTION--
|
||||
This parameter determines whether or not to allow "tricky" CSS properties and
|
||||
values. Tricky CSS properties/values can drastically modify page layout or
|
||||
be used for deceptive practices but do not directly constitute a security risk.
|
||||
For example, <code>display:none;</code> is considered a tricky property that
|
||||
will only be allowed if this directive is set to true.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
CSS.AllowedFonts
|
||||
TYPE: lookup/null
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Allows you to manually specify a set of allowed fonts. If
|
||||
<code>NULL</code>, all fonts are allowed. This directive
|
||||
affects generic names (serif, sans-serif, monospace, cursive,
|
||||
fantasy) as well as specific font families.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,18 @@
|
||||
CSS.AllowedProperties
|
||||
TYPE: lookup/null
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If HTML Purifier's style attributes set is unsatisfactory for your needs,
|
||||
you can overload it with your own list of tags to allow. Note that this
|
||||
method is subtractive: it does its job by taking away from HTML Purifier
|
||||
usual feature set, so you cannot add an attribute that HTML Purifier never
|
||||
supported in the first place.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
elements here, <em>that</em> directive will win and override.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
CSS.DefinitionRev
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 1
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Revision identifier for your custom definition. See
|
||||
%HTML.DefinitionRev for details.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,13 @@
|
||||
CSS.ForbiddenProperties
|
||||
TYPE: lookup
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This is the logical inverse of %CSS.AllowedProperties, and it will
|
||||
override that directive or any other directive. If possible,
|
||||
%CSS.AllowedProperties is recommended over this directive,
|
||||
because it can sometimes be difficult to tell whether or not you've
|
||||
forbidden all of the CSS properties you truly would like to disallow.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,16 @@
|
||||
CSS.MaxImgLength
|
||||
TYPE: string/null
|
||||
DEFAULT: '1200px'
|
||||
VERSION: 3.1.1
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This parameter sets the maximum allowed length on <code>img</code> tags,
|
||||
effectively the <code>width</code> and <code>height</code> properties.
|
||||
Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is
|
||||
in place to prevent imagecrash attacks, disable with null at your own risk.
|
||||
This directive is similar to %HTML.MaxImgLength, and both should be
|
||||
concurrently edited, although there are
|
||||
subtle differences in the input format (the CSS max is a number with
|
||||
a unit).
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,10 @@
|
||||
CSS.Proprietary
|
||||
TYPE: bool
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Whether or not to allow safe, proprietary CSS values.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
CSS.Trusted
|
||||
TYPE: bool
|
||||
VERSION: 4.2.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Indicates whether or not the user's CSS input is trusted or not. If the
|
||||
input is trusted, a more expansive set of allowed properties. See
|
||||
also %HTML.Trusted.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,14 @@
|
||||
Cache.DefinitionImpl
|
||||
TYPE: string/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 'Serializer'
|
||||
--DESCRIPTION--
|
||||
|
||||
This directive defines which method to use when caching definitions,
|
||||
the complex data-type that makes HTML Purifier tick. Set to null
|
||||
to disable caching (not recommended, as you will see a definite
|
||||
performance degradation).
|
||||
|
||||
--ALIASES--
|
||||
Core.DefinitionCache
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,13 @@
|
||||
Cache.SerializerPath
|
||||
TYPE: string/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Absolute path with no trailing slash to store serialized definitions in.
|
||||
Default is within the
|
||||
HTML Purifier library inside DefinitionCache/Serializer. This
|
||||
path must be writable by the webserver.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
Cache.SerializerPermissions
|
||||
TYPE: int
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: 0755
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Directory permissions of the files and directories created inside
|
||||
the DefinitionCache/Serializer or other custom serializer path.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,18 @@
|
||||
Core.AggressivelyFixLt
|
||||
TYPE: bool
|
||||
VERSION: 2.1.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive enables aggressive pre-filter fixes HTML Purifier can
|
||||
perform in order to ensure that open angled-brackets do not get killed
|
||||
during parsing stage. Enabling this will result in two preg_replace_callback
|
||||
calls and at least two preg_replace calls for every HTML document parsed;
|
||||
if your users make very well-formed HTML, you can set this directive false.
|
||||
This has no effect when DirectLex is used.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Notice:</strong> This directive's default turned from false to true
|
||||
in HTML Purifier 3.2.0.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
Core.CollectErrors
|
||||
TYPE: bool
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
|
||||
Whether or not to collect errors found while filtering the document. This
|
||||
is a useful way to give feedback to your users. <strong>Warning:</strong>
|
||||
Currently this feature is very patchy and experimental, with lots of
|
||||
possible error messages not yet implemented. It will not cause any
|
||||
problems, but it may not help your users either.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,29 @@
|
||||
Core.ColorKeywords
|
||||
TYPE: hash
|
||||
VERSION: 2.0.0
|
||||
--DEFAULT--
|
||||
array (
|
||||
'maroon' => '#800000',
|
||||
'red' => '#FF0000',
|
||||
'orange' => '#FFA500',
|
||||
'yellow' => '#FFFF00',
|
||||
'olive' => '#808000',
|
||||
'purple' => '#800080',
|
||||
'fuchsia' => '#FF00FF',
|
||||
'white' => '#FFFFFF',
|
||||
'lime' => '#00FF00',
|
||||
'green' => '#008000',
|
||||
'navy' => '#000080',
|
||||
'blue' => '#0000FF',
|
||||
'aqua' => '#00FFFF',
|
||||
'teal' => '#008080',
|
||||
'black' => '#000000',
|
||||
'silver' => '#C0C0C0',
|
||||
'gray' => '#808080',
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
Lookup array of color names to six digit hexadecimal number corresponding
|
||||
to color, with preceding hash mark. Used when parsing colors. The lookup
|
||||
is done in a case-insensitive manner.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,14 @@
|
||||
Core.ConvertDocumentToFragment
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
|
||||
This parameter determines whether or not the filter should convert
|
||||
input that is a full document with html and body tags to a fragment
|
||||
of just the contents of a body tag. This parameter is simply something
|
||||
HTML Purifier can do during an edge-case: for most inputs, this
|
||||
processing is not necessary.
|
||||
|
||||
--ALIASES--
|
||||
Core.AcceptFullDocuments
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,17 @@
|
||||
Core.DirectLexLineNumberSyncInterval
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Specifies the number of tokens the DirectLex line number tracking
|
||||
implementations should process before attempting to resyncronize the
|
||||
current line count by manually counting all previous new-lines. When
|
||||
at 0, this functionality is disabled. Lower values will decrease
|
||||
performance, and this is only strictly necessary if the counting
|
||||
algorithm is buggy (in which case you should report it as a bug).
|
||||
This has no effect when %Core.MaintainLineNumbers is disabled or DirectLex is
|
||||
not being used.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
Core.EnableIDNA
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 4.4.0
|
||||
--DESCRIPTION--
|
||||
Allows international domain names in URLs. This configuration option
|
||||
requires the PEAR Net_IDNA2 module to be installed. It operates by
|
||||
punycoding any internationalized host names for maximum portability.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,15 @@
|
||||
Core.Encoding
|
||||
TYPE: istring
|
||||
DEFAULT: 'utf-8'
|
||||
--DESCRIPTION--
|
||||
If for some reason you are unable to convert all webpages to UTF-8, you can
|
||||
use this directive as a stop-gap compatibility change to let HTML Purifier
|
||||
deal with non UTF-8 input. This technique has notable deficiencies:
|
||||
absolutely no characters outside of the selected character encoding will be
|
||||
preserved, not even the ones that have been ampersand escaped (this is due
|
||||
to a UTF-8 specific <em>feature</em> that automatically resolves all
|
||||
entities), making it pretty useless for anything except the most I18N-blind
|
||||
applications, although %Core.EscapeNonASCIICharacters offers fixes this
|
||||
trouble with another tradeoff. This directive only accepts ISO-8859-1 if
|
||||
iconv is not enabled.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,10 @@
|
||||
Core.EscapeInvalidChildren
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
When true, a child is found that is not allowed in the context of the
|
||||
parent element will be transformed into text as if it were ASCII. When
|
||||
false, that element and all internal tags will be dropped, though text will
|
||||
be preserved. There is no option for dropping the element but preserving
|
||||
child nodes.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,7 @@
|
||||
Core.EscapeInvalidTags
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
When true, invalid tags will be written back to the document as plain text.
|
||||
Otherwise, they are silently dropped.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,13 @@
|
||||
Core.EscapeNonASCIICharacters
|
||||
TYPE: bool
|
||||
VERSION: 1.4.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
This directive overcomes a deficiency in %Core.Encoding by blindly
|
||||
converting all non-ASCII characters into decimal numeric entities before
|
||||
converting it to its native encoding. This means that even characters that
|
||||
can be expressed in the non-UTF-8 encoding will be entity-ized, which can
|
||||
be a real downer for encodings like Big5. It also assumes that the ASCII
|
||||
repetoire is available, although this is the case for almost all encodings.
|
||||
Anyway, use UTF-8!
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,19 @@
|
||||
Core.HiddenElements
|
||||
TYPE: lookup
|
||||
--DEFAULT--
|
||||
array (
|
||||
'script' => true,
|
||||
'style' => true,
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive is a lookup array of elements which should have their
|
||||
contents removed when they are not allowed by the HTML definition.
|
||||
For example, the contents of a <code>script</code> tag are not
|
||||
normally shown in a document, so if script tags are to be removed,
|
||||
their contents should be removed to. This is opposed to a <code>b</code>
|
||||
tag, which defines some presentational changes but does not hide its
|
||||
contents.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,10 @@
|
||||
Core.Language
|
||||
TYPE: string
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 'en'
|
||||
--DESCRIPTION--
|
||||
|
||||
ISO 639 language code for localizable things in HTML Purifier to use,
|
||||
which is mainly error reporting. There is currently only an English (en)
|
||||
translation, so this directive is currently useless.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,34 @@
|
||||
Core.LexerImpl
|
||||
TYPE: mixed/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This parameter determines what lexer implementation can be used. The
|
||||
valid values are:
|
||||
</p>
|
||||
<dl>
|
||||
<dt><em>null</em></dt>
|
||||
<dd>
|
||||
Recommended, the lexer implementation will be auto-detected based on
|
||||
your PHP-version and configuration.
|
||||
</dd>
|
||||
<dt><em>string</em> lexer identifier</dt>
|
||||
<dd>
|
||||
This is a slim way of manually overridding the implementation.
|
||||
Currently recognized values are: DOMLex (the default PHP5
|
||||
implementation)
|
||||
and DirectLex (the default PHP4 implementation). Only use this if
|
||||
you know what you are doing: usually, the auto-detection will
|
||||
manage things for cases you aren't even aware of.
|
||||
</dd>
|
||||
<dt><em>object</em> lexer instance</dt>
|
||||
<dd>
|
||||
Super-advanced: you can specify your own, custom, implementation that
|
||||
implements the interface defined by <code>HTMLPurifier_Lexer</code>.
|
||||
I may remove this option simply because I don't expect anyone
|
||||
to use it.
|
||||
</dd>
|
||||
</dl>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,16 @@
|
||||
Core.MaintainLineNumbers
|
||||
TYPE: bool/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If true, HTML Purifier will add line number information to all tokens.
|
||||
This is useful when error reporting is turned on, but can result in
|
||||
significant performance degradation and should not be used when
|
||||
unnecessary. This directive must be used with the DirectLex lexer,
|
||||
as the DOMLex lexer does not (yet) support this functionality.
|
||||
If the value is null, an appropriate value will be selected based
|
||||
on other configuration.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
Core.NormalizeNewlines
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to normalize newlines to the operating
|
||||
system default. When <code>false</code>, HTML Purifier
|
||||
will attempt to preserve mixed newline files.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
Core.RemoveInvalidImg
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
VERSION: 1.3.0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This directive enables pre-emptive URI checking in <code>img</code>
|
||||
tags, as the attribute validation strategy is not authorized to
|
||||
remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
Core.RemoveProcessingInstructions
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Instead of escaping processing instructions in the form <code><? ...
|
||||
?></code>, remove it out-right. This may be useful if the HTML
|
||||
you are validating contains XML processing instruction gunk, however,
|
||||
it can also be user-unfriendly for people attempting to post PHP
|
||||
snippets.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
Core.RemoveScriptContents
|
||||
TYPE: bool/null
|
||||
DEFAULT: NULL
|
||||
VERSION: 2.0.0
|
||||
DEPRECATED-VERSION: 2.1.0
|
||||
DEPRECATED-USE: Core.HiddenElements
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive enables HTML Purifier to remove not only script tags
|
||||
but all of their contents.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
Filter.Custom
|
||||
TYPE: list
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive can be used to add custom filters; it is nearly the
|
||||
equivalent of the now deprecated <code>HTMLPurifier->addFilter()</code>
|
||||
method. Specify an array of concrete implementations.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,14 @@
|
||||
Filter.ExtractStyleBlocks.Escaping
|
||||
TYPE: bool
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: true
|
||||
ALIASES: Filter.ExtractStyleBlocksEscaping, FilterParam.ExtractStyleBlocksEscaping
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Whether or not to escape the dangerous characters <, > and &
|
||||
as \3C, \3E and \26, respectively. This is can be safely set to false
|
||||
if the contents of StyleBlocks will be placed in an external stylesheet,
|
||||
where there is no risk of it being interpreted as HTML.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,29 @@
|
||||
Filter.ExtractStyleBlocks.Scope
|
||||
TYPE: string/null
|
||||
VERSION: 3.0.0
|
||||
DEFAULT: NULL
|
||||
ALIASES: Filter.ExtractStyleBlocksScope, FilterParam.ExtractStyleBlocksScope
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If you would like users to be able to define external stylesheets, but
|
||||
only allow them to specify CSS declarations for a specific node and
|
||||
prevent them from fiddling with other elements, use this directive.
|
||||
It accepts any valid CSS selector, and will prepend this to any
|
||||
CSS declaration extracted from the document. For example, if this
|
||||
directive is set to <code>#user-content</code> and a user uses the
|
||||
selector <code>a:hover</code>, the final selector will be
|
||||
<code>#user-content a:hover</code>.
|
||||
</p>
|
||||
<p>
|
||||
The comma shorthand may be used; consider the above example, with
|
||||
<code>#user-content, #user-content2</code>, the final selector will
|
||||
be <code>#user-content a:hover, #user-content2 a:hover</code>.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> It is possible for users to bypass this measure
|
||||
using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML
|
||||
Purifier, and I am working to get it fixed. Until then, HTML Purifier
|
||||
performs a basic check to prevent this.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,16 @@
|
||||
Filter.ExtractStyleBlocks.TidyImpl
|
||||
TYPE: mixed/null
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: NULL
|
||||
ALIASES: FilterParam.ExtractStyleBlocksTidyImpl
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
If left NULL, HTML Purifier will attempt to instantiate a <code>csstidy</code>
|
||||
class to use for internal cleaning. This will usually be good enough.
|
||||
</p>
|
||||
<p>
|
||||
However, for trusted user input, you can set this to <code>false</code> to
|
||||
disable cleaning. In addition, you can supply your own concrete implementation
|
||||
of Tidy's interface to use, although I don't know why you'd want to do that.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,74 @@
|
||||
Filter.ExtractStyleBlocks
|
||||
TYPE: bool
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: false
|
||||
EXTERNAL: CSSTidy
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive turns on the style block extraction filter, which removes
|
||||
<code>style</code> blocks from input HTML, cleans them up with CSSTidy,
|
||||
and places them in the <code>StyleBlocks</code> context variable, for further
|
||||
use by you, usually to be placed in an external stylesheet, or a
|
||||
<code>style</code> block in the <code>head</code> of your document.
|
||||
</p>
|
||||
<p>
|
||||
Sample usage:
|
||||
</p>
|
||||
<pre><![CDATA[
|
||||
<?php
|
||||
header('Content-type: text/html; charset=utf-8');
|
||||
echo '<?xml version="1.0" encoding="UTF-8"?>';
|
||||
?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
||||
<head>
|
||||
<title>Filter.ExtractStyleBlocks</title>
|
||||
<?php
|
||||
require_once '/path/to/library/HTMLPurifier.auto.php';
|
||||
require_once '/path/to/csstidy.class.php';
|
||||
|
||||
$dirty = '<style>body {color:#F00;}</style> Some text';
|
||||
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('Filter', 'ExtractStyleBlocks', true);
|
||||
$purifier = new HTMLPurifier($config);
|
||||
|
||||
$html = $purifier->purify($dirty);
|
||||
|
||||
// This implementation writes the stylesheets to the styles/ directory.
|
||||
// You can also echo the styles inside the document, but it's a bit
|
||||
// more difficult to make sure they get interpreted properly by
|
||||
// browsers; try the usual CSS armoring techniques.
|
||||
$styles = $purifier->context->get('StyleBlocks');
|
||||
$dir = 'styles/';
|
||||
if (!is_dir($dir)) mkdir($dir);
|
||||
$hash = sha1($_GET['html']);
|
||||
foreach ($styles as $i => $style) {
|
||||
file_put_contents($name = $dir . $hash . "_$i");
|
||||
echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
|
||||
}
|
||||
?>
|
||||
</head>
|
||||
<body>
|
||||
<div>
|
||||
<?php echo $html; ?>
|
||||
</div>
|
||||
</b]]><![CDATA[ody>
|
||||
</html>
|
||||
]]></pre>
|
||||
<p>
|
||||
<strong>Warning:</strong> It is possible for a user to mount an
|
||||
imagecrash attack using this CSS. Counter-measures are difficult;
|
||||
it is not simply enough to limit the range of CSS lengths (using
|
||||
relative lengths with many nesting levels allows for large values
|
||||
to be attained without actually specifying them in the stylesheet),
|
||||
and the flexible nature of selectors makes it difficult to selectively
|
||||
disable lengths on image tags (HTML Purifier, however, does disable
|
||||
CSS width and height in inline styling). There are probably two effective
|
||||
counter measures: an explicit width and height set to auto in all
|
||||
images in your document (unlikely) or the disabling of width and
|
||||
height (somewhat reasonable). Whether or not these measures should be
|
||||
used is left to the reader.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,16 @@
|
||||
Filter.YouTube
|
||||
TYPE: bool
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
<strong>Warning:</strong> Deprecated in favor of %HTML.SafeObject and
|
||||
%Output.FlashCompat (turn both on to allow YouTube videos and other
|
||||
Flash content).
|
||||
</p>
|
||||
<p>
|
||||
This directive enables YouTube video embedding in HTML Purifier. Check
|
||||
<a href="http://htmlpurifier.org/docs/enduser-youtube.html">this document
|
||||
on embedding videos</a> for more information on what this filter does.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,25 @@
|
||||
HTML.Allowed
|
||||
TYPE: itext/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
This is a preferred convenience directive that combines
|
||||
%HTML.AllowedElements and %HTML.AllowedAttributes.
|
||||
Specify elements and attributes that are allowed using:
|
||||
<code>element1[attr1|attr2],element2...</code>. For example,
|
||||
if you would like to only allow paragraphs and links, specify
|
||||
<code>a[href],p</code>. You can specify attributes that apply
|
||||
to all elements using an asterisk, e.g. <code>*[lang]</code>.
|
||||
You can also use newlines instead of commas to separate elements.
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning</strong>:
|
||||
All of the constraints on the component directives are still enforced.
|
||||
The syntax is a <em>subset</em> of TinyMCE's <code>valid_elements</code>
|
||||
whitelist: directly copy-pasting it here will probably result in
|
||||
broken whitelists. If %HTML.AllowedElements or %HTML.AllowedAttributes
|
||||
are set, this directive has no effect.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,19 @@
|
||||
HTML.AllowedAttributes
|
||||
TYPE: lookup/null
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
If HTML Purifier's attribute set is unsatisfactory, overload it!
|
||||
The syntax is "tag.attr" or "*.attr" for the global attributes
|
||||
(style, id, class, dir, lang, xml:lang).
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
elements here, <em>that</em> directive will win and override. For
|
||||
example, %HTML.EnableAttrID will take precedence over *.id in this
|
||||
directive. You must set that directive to true before you can use
|
||||
IDs at all.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,10 @@
|
||||
HTML.AllowedComments
|
||||
TYPE: lookup
|
||||
VERSION: 4.4.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
A whitelist which indicates what explicit comment bodies should be
|
||||
allowed, modulo leading and trailing whitespace. See also %HTML.AllowedCommentsRegexp
|
||||
(these directives are union'ed together, so a comment is considered
|
||||
valid if any directive deems it valid.)
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,15 @@
|
||||
HTML.AllowedCommentsRegexp
|
||||
TYPE: string/null
|
||||
VERSION: 4.4.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
A regexp, which if it matches the body of a comment, indicates that
|
||||
it should be allowed. Trailing and leading spaces are removed prior
|
||||
to running this regular expression.
|
||||
<strong>Warning:</strong> Make sure you specify
|
||||
correct anchor metacharacters <code>^regex$</code>, otherwise you may accept
|
||||
comments that you did not mean to! In particular, the regex <code>/foo|bar/</code>
|
||||
is probably not sufficiently strict, since it also allows <code>foobar</code>.
|
||||
See also %HTML.AllowedComments (these directives are union'ed together,
|
||||
so a comment is considered valid if any directive deems it valid.)
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,23 @@
|
||||
HTML.AllowedElements
|
||||
TYPE: lookup/null
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
If HTML Purifier's tag set is unsatisfactory for your needs, you can
|
||||
overload it with your own list of tags to allow. If you change
|
||||
this, you probably also want to change %HTML.AllowedAttributes; see
|
||||
also %HTML.Allowed which lets you set allowed elements and
|
||||
attributes at the same time.
|
||||
</p>
|
||||
<p>
|
||||
If you attempt to allow an element that HTML Purifier does not know
|
||||
about, HTML Purifier will raise an error. You will need to manually
|
||||
tell HTML Purifier about this element by using the
|
||||
<a href="http://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
elements here, <em>that</em> directive will win and override.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,20 @@
|
||||
HTML.AllowedModules
|
||||
TYPE: lookup/null
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
A doctype comes with a set of usual modules to use. Without having
|
||||
to mucking about with the doctypes, you can quickly activate or
|
||||
disable these modules by specifying which modules you wish to allow
|
||||
with this directive. This is most useful for unit testing specific
|
||||
modules, although end users may find it useful for their own ends.
|
||||
</p>
|
||||
<p>
|
||||
If you specify a module that does not exist, the manager will silently
|
||||
fail to use it, so be careful! User-defined modules are not affected
|
||||
by this directive. Modules defined in %HTML.CoreModules are not
|
||||
affected by this directive.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
HTML.Attr.Name.UseCDATA
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
VERSION: 4.0.0
|
||||
--DESCRIPTION--
|
||||
The W3C specification DTD defines the name attribute to be CDATA, not ID, due
|
||||
to limitations of DTD. In certain documents, this relaxed behavior is desired,
|
||||
whether it is to specify duplicate names, or to specify names that would be
|
||||
illegal IDs (for example, names that begin with a digit.) Set this configuration
|
||||
directive to true to use the relaxed parsing rules.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,18 @@
|
||||
HTML.BlockWrapper
|
||||
TYPE: string
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: 'p'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
String name of element to wrap inline elements that are inside a block
|
||||
context. This only occurs in the children of blockquote in strict mode.
|
||||
</p>
|
||||
<p>
|
||||
Example: by default value,
|
||||
<code><blockquote>Foo</blockquote></code> would become
|
||||
<code><blockquote><p>Foo</p></blockquote></code>.
|
||||
The <code><p></code> tags can be replaced with whatever you desire,
|
||||
as long as it is a block level element.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,23 @@
|
||||
HTML.CoreModules
|
||||
TYPE: lookup
|
||||
VERSION: 2.0.0
|
||||
--DEFAULT--
|
||||
array (
|
||||
'Structure' => true,
|
||||
'Text' => true,
|
||||
'Hypertext' => true,
|
||||
'List' => true,
|
||||
'NonXMLCommonAttributes' => true,
|
||||
'XMLCommonAttributes' => true,
|
||||
'CommonAttributes' => true,
|
||||
)
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Certain modularized doctypes (XHTML, namely), have certain modules
|
||||
that must be included for the doctype to be an conforming document
|
||||
type: put those modules here. By default, XHTML's core modules
|
||||
are used. You can set this to a blank array to disable core module
|
||||
protection, but this is not recommended.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
HTML.CustomDoctype
|
||||
TYPE: string/null
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
A custom doctype for power-users who defined there own document
|
||||
type. This directive only applies when %HTML.Doctype is blank.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,33 @@
|
||||
HTML.DefinitionID
|
||||
TYPE: string/null
|
||||
DEFAULT: NULL
|
||||
VERSION: 2.0.0
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Unique identifier for a custom-built HTML definition. If you edit
|
||||
the raw version of the HTMLDefinition, introducing changes that the
|
||||
configuration object does not reflect, you must specify this variable.
|
||||
If you change your custom edits, you should change this directive, or
|
||||
clear your cache. Example:
|
||||
</p>
|
||||
<pre>
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('HTML', 'DefinitionID', '1');
|
||||
$def = $config->getHTMLDefinition();
|
||||
$def->addAttribute('a', 'tabindex', 'Number');
|
||||
</pre>
|
||||
<p>
|
||||
In the above example, the configuration is still at the defaults, but
|
||||
using the advanced API, an extra attribute has been added. The
|
||||
configuration object normally has no way of knowing that this change
|
||||
has taken place, so it needs an extra directive: %HTML.DefinitionID.
|
||||
If someone else attempts to use the default configuration, these two
|
||||
pieces of code will not clobber each other in the cache, since one has
|
||||
an extra directive attached to it.
|
||||
</p>
|
||||
<p>
|
||||
You <em>must</em> specify a value to this directive to use the
|
||||
advanced API features.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,16 @@
|
||||
HTML.DefinitionRev
|
||||
TYPE: int
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 1
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Revision identifier for your custom definition specified in
|
||||
%HTML.DefinitionID. This serves the same purpose: uniquely identifying
|
||||
your custom definition, but this one does so in a chronological
|
||||
context: revision 3 is more up-to-date then revision 2. Thus, when
|
||||
this gets incremented, the cache handling is smart enough to clean
|
||||
up any older revisions of your definition as well as flush the
|
||||
cache.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
HTML.Doctype
|
||||
TYPE: string/null
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
Doctype to use during filtering. Technically speaking this is not actually
|
||||
a doctype (as it does not identify a corresponding DTD), but we are using
|
||||
this name for sake of simplicity. When non-blank, this will override any
|
||||
older directives like %HTML.XHTML or %HTML.Strict.
|
||||
--ALLOWED--
|
||||
'HTML 4.01 Transitional', 'HTML 4.01 Strict', 'XHTML 1.0 Transitional', 'XHTML 1.0 Strict', 'XHTML 1.1'
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
HTML.FlashAllowFullScreen
|
||||
TYPE: bool
|
||||
VERSION: 4.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to permit embedded Flash content from
|
||||
%HTML.SafeObject to expand to the full screen. Corresponds to
|
||||
the <code>allowFullScreen</code> parameter.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,21 @@
|
||||
HTML.ForbiddenAttributes
|
||||
TYPE: lookup
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
While this directive is similar to %HTML.AllowedAttributes, for
|
||||
forwards-compatibility with XML, this attribute has a different syntax. Instead of
|
||||
<code>tag.attr</code>, use <code>tag@attr</code>. To disallow <code>href</code>
|
||||
attributes in <code>a</code> tags, set this directive to
|
||||
<code>a@href</code>. You can also disallow an attribute globally with
|
||||
<code>attr</code> or <code>*@attr</code> (either syntax is fine; the latter
|
||||
is provided for consistency with %HTML.AllowedAttributes).
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> This directive complements %HTML.ForbiddenElements,
|
||||
accordingly, check
|
||||
out that directive for a discussion of why you
|
||||
should think twice before using this directive.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,20 @@
|
||||
HTML.ForbiddenElements
|
||||
TYPE: lookup
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This was, perhaps, the most requested feature ever in HTML
|
||||
Purifier. Please don't abuse it! This is the logical inverse of
|
||||
%HTML.AllowedElements, and it will override that directive, or any
|
||||
other directive.
|
||||
</p>
|
||||
<p>
|
||||
If possible, %HTML.Allowed is recommended over this directive, because it
|
||||
can sometimes be difficult to tell whether or not you've forbidden all of
|
||||
the behavior you would like to disallow. If you forbid <code>img</code>
|
||||
with the expectation of preventing images on your site, you'll be in for
|
||||
a nasty surprise when people start using the <code>background-image</code>
|
||||
CSS property.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,14 @@
|
||||
HTML.MaxImgLength
|
||||
TYPE: int/null
|
||||
DEFAULT: 1200
|
||||
VERSION: 3.1.1
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive controls the maximum number of pixels in the width and
|
||||
height attributes in <code>img</code> tags. This is
|
||||
in place to prevent imagecrash attacks, disable with null at your own risk.
|
||||
This directive is similar to %CSS.MaxImgLength, and both should be
|
||||
concurrently edited, although there are
|
||||
subtle differences in the input format (the HTML max is an integer).
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,7 @@
|
||||
HTML.Nofollow
|
||||
TYPE: bool
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: FALSE
|
||||
--DESCRIPTION--
|
||||
If enabled, nofollow rel attributes are added to all outgoing links.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
HTML.Parent
|
||||
TYPE: string
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: 'div'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
String name of element that HTML fragment passed to library will be
|
||||
inserted in. An interesting variation would be using span as the
|
||||
parent element, meaning that only inline tags would be allowed.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,12 @@
|
||||
HTML.Proprietary
|
||||
TYPE: bool
|
||||
VERSION: 3.1.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to allow proprietary elements and attributes in your
|
||||
documents, as per <code>HTMLPurifier_HTMLModule_Proprietary</code>.
|
||||
<strong>Warning:</strong> This can cause your documents to stop
|
||||
validating!
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,13 @@
|
||||
HTML.SafeEmbed
|
||||
TYPE: bool
|
||||
VERSION: 3.1.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to permit embed tags in documents, with a number of extra
|
||||
security features added to prevent script execution. This is similar to
|
||||
what websites like MySpace do to embed tags. Embed is a proprietary
|
||||
element and will cause your website to stop validating; you should
|
||||
see if you can use %Output.FlashCompat with %HTML.SafeObject instead
|
||||
first.</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,13 @@
|
||||
HTML.SafeIframe
|
||||
TYPE: bool
|
||||
VERSION: 4.4.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to permit iframe tags in untrusted documents. This
|
||||
directive must be accompanied by a whitelist of permitted iframes,
|
||||
such as %URI.SafeIframeRegexp, otherwise it will fatally error.
|
||||
This directive has no effect on strict doctypes, as iframes are not
|
||||
valid.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,13 @@
|
||||
HTML.SafeObject
|
||||
TYPE: bool
|
||||
VERSION: 3.1.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Whether or not to permit object tags in documents, with a number of extra
|
||||
security features added to prevent script execution. This is similar to
|
||||
what websites like MySpace do to object tags. You should also enable
|
||||
%Output.FlashCompat in order to generate Internet Explorer
|
||||
compatibility code for your object tags.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
HTML.Strict
|
||||
TYPE: bool
|
||||
VERSION: 1.3.0
|
||||
DEFAULT: false
|
||||
DEPRECATED-VERSION: 1.7.0
|
||||
DEPRECATED-USE: HTML.Doctype
|
||||
--DESCRIPTION--
|
||||
Determines whether or not to use Transitional (loose) or Strict rulesets.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,8 @@
|
||||
HTML.TargetBlank
|
||||
TYPE: bool
|
||||
VERSION: 4.4.0
|
||||
DEFAULT: FALSE
|
||||
--DESCRIPTION--
|
||||
If enabled, <code>target=blank</code> attributes are added to all outgoing links.
|
||||
(This includes links from an HTTPS version of a page to an HTTP version.)
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,8 @@
|
||||
HTML.TidyAdd
|
||||
TYPE: lookup
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
|
||||
Fixes to add to the default set of Tidy fixes as per your level.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,24 @@
|
||||
HTML.TidyLevel
|
||||
TYPE: string
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: 'medium'
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>General level of cleanliness the Tidy module should enforce.
|
||||
There are four allowed values:</p>
|
||||
<dl>
|
||||
<dt>none</dt>
|
||||
<dd>No extra tidying should be done</dd>
|
||||
<dt>light</dt>
|
||||
<dd>Only fix elements that would be discarded otherwise due to
|
||||
lack of support in doctype</dd>
|
||||
<dt>medium</dt>
|
||||
<dd>Enforce best practices</dd>
|
||||
<dt>heavy</dt>
|
||||
<dd>Transform all deprecated elements and attributes to standards
|
||||
compliant equivalents</dd>
|
||||
</dl>
|
||||
|
||||
--ALLOWED--
|
||||
'none', 'light', 'medium', 'heavy'
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,8 @@
|
||||
HTML.TidyRemove
|
||||
TYPE: lookup
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
|
||||
Fixes to remove from the default set of Tidy fixes as per your level.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,9 @@
|
||||
HTML.Trusted
|
||||
TYPE: bool
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
Indicates whether or not the user input is trusted or not. If the input is
|
||||
trusted, a more expansive set of allowed tags and attributes will be used.
|
||||
See also %CSS.Trusted.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
HTML.XHTML
|
||||
TYPE: bool
|
||||
DEFAULT: true
|
||||
VERSION: 1.1.0
|
||||
DEPRECATED-VERSION: 1.7.0
|
||||
DEPRECATED-USE: HTML.Doctype
|
||||
--DESCRIPTION--
|
||||
Determines whether or not output is XHTML 1.0 or HTML 4.01 flavor.
|
||||
--ALIASES--
|
||||
Core.XHTML
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,10 @@
|
||||
Output.CommentScriptContents
|
||||
TYPE: bool
|
||||
VERSION: 2.0.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
Determines whether or not HTML Purifier should attempt to fix up the
|
||||
contents of script tags for legacy browsers with comments.
|
||||
--ALIASES--
|
||||
Core.CommentScriptContents
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,15 @@
|
||||
Output.FixInnerHTML
|
||||
TYPE: bool
|
||||
VERSION: 4.3.0
|
||||
DEFAULT: true
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
If true, HTML Purifier will protect against Internet Explorer's
|
||||
mishandling of the <code>innerHTML</code> attribute by appending
|
||||
a space to any attribute that does not contain angled brackets, spaces
|
||||
or quotes, but contains a backtick. This slightly changes the
|
||||
semantics of any given attribute, so if this is unacceptable and
|
||||
you do not use <code>innerHTML</code> on any of your pages, you can
|
||||
turn this directive off.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,11 @@
|
||||
Output.FlashCompat
|
||||
TYPE: bool
|
||||
VERSION: 4.1.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
If true, HTML Purifier will generate Internet Explorer compatibility
|
||||
code for all object code. This is highly recommended if you enable
|
||||
%HTML.SafeObject.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,13 @@
|
||||
Output.Newline
|
||||
TYPE: string/null
|
||||
VERSION: 2.0.1
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
Newline string to format final output with. If left null, HTML Purifier
|
||||
will auto-detect the default newline type of the system and use that;
|
||||
you can manually override it here. Remember, \r\n is Windows, \r
|
||||
is Mac, and \n is Unix.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,14 @@
|
||||
Output.SortAttr
|
||||
TYPE: bool
|
||||
VERSION: 3.2.0
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
If true, HTML Purifier will sort attributes by name before writing them back
|
||||
to the document, converting a tag like: <code><el b="" a="" c="" /></code>
|
||||
to <code><el a="" b="" c="" /></code>. This is a workaround for
|
||||
a bug in FCKeditor which causes it to swap attributes order, adding noise
|
||||
to text diffs. If you're not seeing this bug, chances are, you don't need
|
||||
this directive.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,25 @@
|
||||
Output.TidyFormat
|
||||
TYPE: bool
|
||||
VERSION: 1.1.1
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
Determines whether or not to run Tidy on the final output for pretty
|
||||
formatting reasons, such as indentation and wrap.
|
||||
</p>
|
||||
<p>
|
||||
This can greatly improve readability for editors who are hand-editing
|
||||
the HTML, but is by no means necessary as HTML Purifier has already
|
||||
fixed all major errors the HTML may have had. Tidy is a non-default
|
||||
extension, and this directive will silently fail if Tidy is not
|
||||
available.
|
||||
</p>
|
||||
<p>
|
||||
If you are looking to make the overall look of your page's source
|
||||
better, I recommend running Tidy on the entire page rather than just
|
||||
user-content (after all, the indentation relative to the containing
|
||||
blocks will be incorrect).
|
||||
</p>
|
||||
--ALIASES--
|
||||
Core.TidyFormat
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,7 @@
|
||||
Test.ForceNoIconv
|
||||
TYPE: bool
|
||||
DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
When set to true, HTMLPurifier_Encoder will act as if iconv does not exist
|
||||
and use only pure PHP implementations.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,17 @@
|
||||
URI.AllowedSchemes
|
||||
TYPE: lookup
|
||||
--DEFAULT--
|
||||
array (
|
||||
'http' => true,
|
||||
'https' => true,
|
||||
'mailto' => true,
|
||||
'ftp' => true,
|
||||
'nntp' => true,
|
||||
'news' => true,
|
||||
)
|
||||
--DESCRIPTION--
|
||||
Whitelist that defines the schemes that a URI is allowed to have. This
|
||||
prevents XSS attacks from using pseudo-schemes like javascript or mocha.
|
||||
There is also support for the <code>data</code> and <code>file</code>
|
||||
URI schemes, but they are not enabled by default.
|
||||
--# vim: et sw=4 sts=4
|
||||
@@ -0,0 +1,17 @@
|
||||
URI.Base
|
||||
TYPE: string/null
|
||||
VERSION: 2.1.0
|
||||
DEFAULT: NULL
|
||||
--DESCRIPTION--
|
||||
|
||||
<p>
|
||||
The base URI is the URI of the document this purified HTML will be
|
||||
inserted into. This information is important if HTML Purifier needs
|
||||
to calculate absolute URIs from relative URIs, such as when %URI.MakeAbsolute
|
||||
is on. You may use a non-absolute URI for this value, but behavior
|
||||
may vary (%URI.MakeAbsolute deals nicely with both absolute and
|
||||
relative paths, but forwards-compatibility is not guaranteed).
|
||||
<strong>Warning:</strong> If set, the scheme on this URI
|
||||
overrides the one specified by %URI.DefaultScheme.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user