htmlpurifier update - compatibility issue with language library autoloader
@@ -0,0 +1,12 @@
CSS.AllowedFonts
TYPE: lookup/null
VERSION: 4.3.0
DEFAULT: NULL
--DESCRIPTION--
<p>
Allows you to manually specify a set of allowed fonts. If
<code>NULL</code>, all fonts are allowed. This directive
affects generic names (serif, sans-serif, monospace, cursive,
fantasy) as well as specific font families.
</p>
--# vim: et sw=4 sts=4
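Review bot: the description never says what happens to a font-family value that is not in the lookup (whether only that name is dropped or the whole declaration is removed) or whether the match is case-sensitive; since generic names such as serif are subject to the same check, one example lookup (a set holding, say, serif and Arial) with the resulting behaviour would make the directive usable without reading the CSS attribute code.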
@@ -0,0 +1,13 @@
CSS.ForbiddenProperties
TYPE: lookup
VERSION: 4.2.0
DEFAULT: array()
--DESCRIPTION--
<p>
This is the logical inverse of %CSS.AllowedProperties, and it will
override that directive or any other directive. If possible,
%CSS.AllowedProperties is recommended over this directive,
because it can sometimes be difficult to tell whether or not you've
forbidden all of the CSS properties you truly would like to disallow.
</p>
--# vim: et sw=4 sts=4
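Review bot: "override that directive or any other directive" is broader than the text backs up; name what is actually overridden (%CSS.AllowedProperties and the wider default set that %CSS.Trusted, added in this same change, switches on) so a reader knows that a property forbidden here stays forbidden even with CSS.Trusted enabled.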
9
library/HTMLPurifier/ConfigSchema/schema/CSS.Trusted.txt
Normal file
@@ -0,0 +1,9 @@
CSS.Trusted
TYPE: bool
VERSION: 4.2.1
DEFAULT: false
--DESCRIPTION--
Indicates whether or not the user's CSS input is trusted or not. If the
input is trusted, a more expansive set of allowed properties. See
also %HTML.Trusted.
--# vim: et sw=4 sts=4
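Review bot: the second sentence has no verb; "a more expansive set of allowed properties will be used" matches the wording of %HTML.Trusted later in this diff. More importantly, a directive that relaxes CSS filtering needs a warning that it must never be set for input from untrusted users, and ideally a list of which properties it unlocks, so a reviewer can judge the exposure without reading the CSS definition code.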
@@ -0,0 +1,11 @@
Cache.SerializerPermissions
TYPE: int
VERSION: 4.3.0
DEFAULT: 0755
--DESCRIPTION--

<p>
Directory permissions of the files and directories created inside
the DefinitionCache/Serializer or other custom serializer path.
</p>
--# vim: et sw=4 sts=4
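Review bot: DEFAULT: 0755 is an octal literal while TYPE is int, so the description must say the value is interpreted as octal mode bits (0755, not decimal 755) and whether it is applied to files as well as directories; "Directory permissions of the files" is contradictory, since files created in the cache would not normally get the execute bit. A sentence noting that 0755 leaves the serialized definition cache world-readable, and that 0750 or 0700 is appropriate when the cache directory sits outside the web root, would help operators choose.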
@@ -0,0 +1,16 @@
Core.AllowHostnameUnderscore
TYPE: bool
VERSION: 4.6.0
DEFAULT: false
--DESCRIPTION--
<p>
By RFC 1123, underscores are not permitted in host names.
(This is in contrast to the specification for DNS, RFC
2181, which allows underscores.)
However, most browsers do the right thing when faced with
an underscore in the host name, and so some poorly written
websites are written with the expectation this should work.
Setting this parameter to true relaxes our allowed character
check so that underscores are permitted.
</p>
--# vim: et sw=4 sts=4
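Review bot: "most browsers do the right thing" and "poorly written websites are written with" are vague; say concretely that browsers resolve such hosts anyway and that some sites rely on it. The last sentence should also state the scope of the relaxation, namely that only the host-name character check gains the underscore and nothing else in URI validation changes, so readers can see it does not widen the scheme or path checks.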
@@ -24,5 +24,6 @@ array (
--DESCRIPTION--

Lookup array of color names to six digit hexadecimal number corresponding
to color, with preceding hash mark. Used when parsing colors.
to color, with preceding hash mark. Used when parsing colors. The lookup
is done in a case-insensitive manner.
--# vim: et sw=4 sts=4
@@ -0,0 +1,14 @@
Core.DisableExcludes
TYPE: bool
DEFAULT: false
VERSION: 4.5.0
--DESCRIPTION--
<p>
This directive disables SGML-style exclusions, e.g. the exclusion of
<code><object></code> in any descendant of a
<code><pre></code> tag. Disabling excludes will allow some
invalid documents to pass through HTML Purifier, but HTML Purifier
will also be less likely to accidentally remove large documents during
processing.
</p>
--# vim: et sw=4 sts=4
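Review bot: VERSION is placed after DEFAULT here (and in Core.EnableIDNA), whereas every other new schema file in this change uses the order TYPE, VERSION, DEFAULT; keep it consistent. The trade-off could also be stated more directly: with excludes disabled, an object nested inside pre is kept rather than removed, which only matters when %HTML.SafeObject permits object elements at all.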
@@ -0,0 +1,9 @@
Core.EnableIDNA
TYPE: bool
DEFAULT: false
VERSION: 4.4.0
--DESCRIPTION--
Allows international domain names in URLs. This configuration option
requires the PEAR Net_IDNA2 module to be installed. It operates by
punycoding any internationalized host names for maximum portability.
--# vim: et sw=4 sts=4
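Review bot: the description should say what happens when Net_IDNA2 is missing and this directive is on (an error at configuration time, or a silent fallback in which non-ASCII hosts are rejected as before), since that decides whether a deployment notices the missing dependency. The DEFAULT and VERSION lines are also swapped relative to the other files in this change.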
@@ -2,9 +2,11 @@ Core.EscapeInvalidChildren
TYPE: bool
DEFAULT: false
--DESCRIPTION--
When true, a child is found that is not allowed in the context of the
<p><strong>Warning:</strong> this configuration option is no longer does anything as of 4.6.0.</p>

<p>When true, a child is found that is not allowed in the context of the
parent element will be transformed into text as if it were ASCII. When
false, that element and all internal tags will be dropped, though text will
be preserved. There is no option for dropping the element but preserving
child nodes.
child nodes.</p>
--# vim: et sw=4 sts=4
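Review bot: the new warning line has a grammar error, "this configuration option is no longer does anything"; it should read "this configuration option no longer does anything as of 4.6.0". Since the directive is now a no-op, the warning should also say what replaced the behaviour, or that the option is retained only so existing configurations keep loading.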
@@ -0,0 +1,11 @@
Core.NormalizeNewlines
TYPE: bool
VERSION: 4.2.0
DEFAULT: true
--DESCRIPTION--
<p>
Whether or not to normalize newlines to the operating
system default. When <code>false</code>, HTML Purifier
will attempt to preserve mixed newline files.
</p>
--# vim: et sw=4 sts=4
@@ -0,0 +1,11 @@
Core.RemoveProcessingInstructions
TYPE: bool
VERSION: 4.2.0
DEFAULT: false
--DESCRIPTION--
Instead of escaping processing instructions in the form <code><? ...
?></code>, remove it out-right. This may be useful if the HTML
you are validating contains XML processing instruction gunk, however,
it can also be user-unfriendly for people attempting to post PHP
snippets.
--# vim: et sw=4 sts=4
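Review bot: "remove it out-right" should be "remove them outright" (plural, and "outright" is one word). It would also help to state the default behaviour explicitly: with the directive off, a processing instruction is escaped and survives only as visible text, so no PI reaches the output in either mode; the directive only decides whether that literal text is kept.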
@@ -3,6 +3,11 @@ TYPE: bool
VERSION: 3.1.0
DEFAULT: false
--DESCRIPTION--
<p>
<strong>Warning:</strong> Deprecated in favor of %HTML.SafeObject and
%Output.FlashCompat (turn both on to allow YouTube videos and other
Flash content).
</p>
<p>
This directive enables YouTube video embedding in HTML Purifier. Check
<a href="http://htmlpurifier.org/docs/enduser-youtube.html">this document
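Review bot: the deprecation warning should name the version in which the directive was deprecated and say whether it still works or is now a no-op, as the Core.EscapeInvalidChildren warning in this same change does; otherwise users cannot tell whether turning it on still produces YouTube embeds.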
@@ -5,11 +5,14 @@ DEFAULT: NULL
--DESCRIPTION--

<p>
This is a convenience directive that rolls the functionality of
%HTML.AllowedElements and %HTML.AllowedAttributes into one directive.
This is a preferred convenience directive that combines
%HTML.AllowedElements and %HTML.AllowedAttributes.
Specify elements and attributes that are allowed using:
<code>element1[attr1|attr2],element2...</code>. You can also use
newlines instead of commas to separate elements.
<code>element1[attr1|attr2],element2...</code>. For example,
if you would like to only allow paragraphs and links, specify
<code>a[href],p</code>. You can specify attributes that apply
to all elements using an asterisk, e.g. <code>*[lang]</code>.
You can also use newlines instead of commas to separate elements.
</p>
<p>
<strong>Warning</strong>:
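Review bot: "This is a preferred convenience directive that combines" is awkward; "This is the preferred way to set allowed elements and attributes; it combines ..." reads better. Because this description is where most users first meet the syntax, it should also say that allowing href via a[href] does not bypass %URI.AllowedSchemes (also touched in this diff), so javascript: links are still rejected, and that the *[attr] form applies only to elements that are themselves allowed.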
@@ -0,0 +1,10 @@
HTML.AllowedComments
TYPE: lookup
VERSION: 4.4.0
DEFAULT: array()
--DESCRIPTION--
A whitelist which indicates what explicit comment bodies should be
allowed, modulo leading and trailing whitespace. See also %HTML.AllowedCommentsRegexp
(these directives are union'ed together, so a comment is considered
valid if any directive deems it valid.)
--# vim: et sw=4 sts=4
@@ -0,0 +1,15 @@
HTML.AllowedCommentsRegexp
TYPE: string/null
VERSION: 4.4.0
DEFAULT: NULL
--DESCRIPTION--
A regexp, which if it matches the body of a comment, indicates that
it should be allowed. Trailing and leading spaces are removed prior
to running this regular expression.
<strong>Warning:</strong> Make sure you specify
correct anchor metacharacters <code>^regex$</code>, otherwise you may accept
comments that you did not mean to! In particular, the regex <code>/foo|bar/</code>
is probably not sufficiently strict, since it also allows <code>foobar</code>.
See also %HTML.AllowedComments (these directives are union'ed together,
so a comment is considered valid if any directive deems it valid.)
--# vim: et sw=4 sts=4
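Review bot: the anchoring advice is right but the suggested fix is incomplete for the example given: /^foo|bar$/ still matches foobar, because the alternation binds looser than the anchors. Recommend /^(foo|bar)$/ (or \A and \z, since $ in PCRE also matches before a trailing newline, though the trimming described above makes that moot here). The examples include delimiters, so the text should also state that the value is a complete PCRE pattern with delimiters, not a bare expression.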
@@ -4,12 +4,17 @@ VERSION: 1.3.0
DEFAULT: NULL
--DESCRIPTION--
<p>
If HTML Purifier's tag set is unsatisfactory for your needs, you
can overload it with your own list of tags to allow. Note that this
method is subtractive: it does its job by taking away from HTML Purifier
usual feature set, so you cannot add a tag that HTML Purifier never
supported in the first place (like embed, form or head). If you
change this, you probably also want to change %HTML.AllowedAttributes.
If HTML Purifier's tag set is unsatisfactory for your needs, you can
overload it with your own list of tags to allow. If you change
this, you probably also want to change %HTML.AllowedAttributes; see
also %HTML.Allowed which lets you set allowed elements and
attributes at the same time.
</p>
<p>
If you attempt to allow an element that HTML Purifier does not know
about, HTML Purifier will raise an error. You will need to manually
tell HTML Purifier about this element by using the
<a href="http://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
</p>
<p>
<strong>Warning:</strong> If another directive conflicts with the
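Review bot: "HTML Purifier will raise an error" in the new paragraph should say which kind (a PHP warning or notice at configuration time versus an exception), since that determines whether a typo in an element name silently drops the element in production or breaks the page. The removed sentence naming embed, form and head as examples of elements that need the customization route was useful to keep in shortened form.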
@@ -0,0 +1,11 @@
HTML.FlashAllowFullScreen
TYPE: bool
VERSION: 4.2.0
DEFAULT: false
--DESCRIPTION--
<p>
Whether or not to permit embedded Flash content from
%HTML.SafeObject to expand to the full screen. Corresponds to
the <code>allowFullScreen</code> parameter.
</p>
--# vim: et sw=4 sts=4
@@ -0,0 +1,7 @@
HTML.Nofollow
TYPE: bool
VERSION: 4.3.0
DEFAULT: FALSE
--DESCRIPTION--
If enabled, nofollow rel attributes are added to all outgoing links.
--# vim: et sw=4 sts=4
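Review bot: "outgoing links" is not defined; say whether it means every anchor with an href or only links whose host differs from the configured site host (HTML.TargetBlank below uses the same term and needs the same definition). DEFAULT: FALSE is also uppercase here and in HTML.TargetBlank while every other file in this change writes false.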
13
library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
Normal file
@@ -0,0 +1,13 @@
HTML.SafeIframe
TYPE: bool
VERSION: 4.4.0
DEFAULT: false
--DESCRIPTION--
<p>
Whether or not to permit iframe tags in untrusted documents. This
directive must be accompanied by a whitelist of permitted iframes,
such as %URI.SafeIframeRegexp, otherwise it will fatally error.
This directive has no effect on strict doctypes, as iframes are not
valid.
</p>
--# vim: et sw=4 sts=4
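Review bot: "a whitelist of permitted iframes, such as %URI.SafeIframeRegexp" implies other whitelist mechanisms exist; either name them or say plainly that %URI.SafeIframeRegexp must be set. "It will fatally error" should also say when the error is raised (at configuration time or on the first purify call), since a fatal at request time is what an operator needs to avoid.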
@@ -0,0 +1,10 @@
HTML.SafeScripting
TYPE: lookup
VERSION: 4.5.0
DEFAULT: array()
--DESCRIPTION--
<p>
Whether or not to permit script tags to external scripts in documents.
Inline scripting is not allowed, and the script must match an explicit whitelist.
</p>
--# vim: et sw=4 sts=4
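Review bot: the description reads like a bool ("Whether or not to permit script tags") but the TYPE is lookup with DEFAULT array(); say what the lookup keys are (the external script URLs that are allowed) and how the match is made (exact string rather than a pattern), so nobody confuses this with %URI.SafeIframeRegexp and expects prefix matching.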
@@ -0,0 +1,8 @@
HTML.TargetBlank
TYPE: bool
VERSION: 4.4.0
DEFAULT: FALSE
--DESCRIPTION--
If enabled, <code>target=blank</code> attributes are added to all outgoing links.
(This includes links from an HTTPS version of a page to an HTTP version.)
--# vim: et sw=4 sts=4
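Review bot: target=blank should be target="_blank"; without the leading underscore it names a window called "blank" rather than a new one. The parenthetical about HTTPS-to-HTTP links reads as though it were defining "outgoing" and should say what it means or be dropped. The description should also say whether rel="noopener" is added alongside the target, because a window opened with _blank otherwise receives a window.opener reference to the page, which is a concern when the link target is untrusted.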
@@ -5,4 +5,5 @@ DEFAULT: false
--DESCRIPTION--
Indicates whether or not the user input is trusted or not. If the input is
trusted, a more expansive set of allowed tags and attributes will be used.
See also %CSS.Trusted.
--# vim: et sw=4 sts=4
@@ -0,0 +1,15 @@
Output.FixInnerHTML
TYPE: bool
VERSION: 4.3.0
DEFAULT: true
--DESCRIPTION--
<p>
If true, HTML Purifier will protect against Internet Explorer's
mishandling of the <code>innerHTML</code> attribute by appending
a space to any attribute that does not contain angled brackets, spaces
or quotes, but contains a backtick. This slightly changes the
semantics of any given attribute, so if this is unacceptable and
you do not use <code>innerHTML</code> on any of your pages, you can
turn this directive off.
</p>
--# vim: et sw=4 sts=4
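Review bot: innerHTML is a property, not an attribute, and "any attribute" should read "any attribute value". The description would be clearer if it said why the space helps: Internet Explorer serializes an attribute value that contains no spaces, quotes or angle brackets without quotes, and treats a backtick as a delimiter when it re-parses that serialization, so an attacker can break out of the attribute; adding a space forces the value to be quoted.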
@@ -12,6 +12,6 @@ array (
--DESCRIPTION--
Whitelist that defines the schemes that a URI is allowed to have. This
prevents XSS attacks from using pseudo-schemes like javascript or mocha.
There is also support for the <code>data</code> URI scheme, but it is not
enabled by default.
There is also support for the <code>data</code> and <code>file</code>
URI schemes, but they are not enabled by default.
--# vim: et sw=4 sts=4
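Review bot: since the first sentence says this whitelist exists to stop XSS, the new sentence should say why data and file stay off by default, so nobody enables them casually: a data: URI can carry script or arbitrary content inline, and a file: URI points at the reader's local filesystem (including UNC paths on Windows) rather than at a remote resource.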
@@ -1,12 +1,15 @@
URI.DisableResources
TYPE: bool
VERSION: 1.3.0
VERSION: 4.2.0
DEFAULT: false
--DESCRIPTION--

<p>
Disables embedding resources, essentially meaning no pictures. You can
still link to them though. See %URI.DisableExternalResources for why
this might be a good idea.
</p>
<p>
<em>Note:</em> While this directive has been available since 1.3.0,
it didn't actually start doing anything until 4.2.0.
</p>
--# vim: et sw=4 sts=4
@@ -11,7 +11,7 @@ DEFAULT: NULL
to check if a URI has passed through HTML Purifier with this line:
</p>

<pre>$checksum === sha1($secret_key . ':' . $url)</pre>
<pre>$checksum === hash_hmac("sha256", $url, $secret_key)</pre>

<p>
If the output is TRUE, the redirector script should accept the URI.
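Review bot: replacing sha1($secret_key . ':' . $url) with hash_hmac("sha256", $url, $secret_key) is the right construction, but the comparison should be hash_equals(hash_hmac("sha256", $url, $secret_key), $checksum) rather than ===, so the redirector does not leak the expected checksum through string-comparison timing. The text should also warn that checksums produced by earlier versions will no longer verify, so the redirector script has to be updated in step with the library.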
@@ -0,0 +1,22 @@
URI.SafeIframeRegexp
TYPE: string/null
VERSION: 4.4.0
DEFAULT: NULL
--DESCRIPTION--
<p>
A PCRE regular expression that will be matched against an iframe URI. This is
a relatively inflexible scheme, but works well enough for the most common
use-case of iframes: embedded video. This directive only has an effect if
%HTML.SafeIframe is enabled. Here are some example values:
</p>
<ul>
<li><code>%^http://www.youtube.com/embed/%</code> - Allow YouTube videos</li>
<li><code>%^http://player.vimeo.com/video/%</code> - Allow Vimeo videos</li>
<li><code>%^http://(www.youtube.com/embed/|player.vimeo.com/video/)%</code> - Allow both</li>
</ul>
<p>
Note that this directive does not give you enough granularity to, say, disable
all <code>autoplay</code> videos. Pipe up on the HTML Purifier forums if this
is a capability you want.
</p>
--# vim: et sw=4 sts=4
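Review bot: the example patterns leave the dots unescaped and allow only http://; an unescaped . matches any character, so %^http://www.youtube.com/embed/% is looser than intended, and the patterns reject the https embeds both services serve. Suggest %^https?://(www\.youtube\.com/embed/|player\.vimeo\.com/video/)% for the combined example. The closing note is also too pessimistic: because the whole URI is matched, a pattern anchored with $ that excludes a query string (e.g. [^?]*$) does let a user refuse autoplay=1 and similar parameters.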