PageRenderTime 46ms CodeModel.GetById 20ms RepoModel.GetById 0ms app.codeStats 0ms

/common/libraries/plugin/htmlpurifier/library/HTMLPurifier.php

https://bitbucket.org/chamilo/chamilo-dev/
PHP | 250 lines | 107 code | 35 blank | 108 comment | 8 complexity | b7813da7b78393cef1ac5d7784965aec MD5 | raw file
Possible License(s): GPL-2.0, BSD-3-Clause, LGPL-2.1, LGPL-3.0, GPL-3.0, MIT 
    

  1. <?php

    2. 

  2. 

    3. 

  3. /*! @mainpage

    4. 

  4.  *

    5. 

  5.  * HTML Purifier is an HTML filter that will take an arbitrary snippet of

    6. 

  6.  * HTML and rigorously test, validate and filter it into a version that

    7. 

  7.  * is safe for output onto webpages. It achieves this by:

    8. 

  8.  *

    9. 

  9.  *  -# Lexing (parsing into tokens) the document,

    10. 

  10.  *  -# Executing various strategies on the tokens:

    11. 

  11.  *      -# Removing all elements not in the whitelist,

    12. 

  12.  *      -# Making the tokens well-formed,

    13. 

  13.  *      -# Fixing the nesting of the nodes, and

    14. 

  14.  *      -# Validating attributes of the nodes; and

    15. 

  15.  *  -# Generating HTML from the purified tokens.

    16. 

  16.  *

    17. 

  17.  * However, most users will only need to interface with the HTMLPurifier

    18. 

  18.  * and HTMLPurifier_Config.

    19. 

  19.  */

    20. 

  20. 

    21. 

  21. /*

    22. 

  22.     HTML Purifier 4.3.0 - Standards Compliant HTML Filtering

    23. 

  23.     Copyright (C) 2006-2008 Edward Z. Yang

    24. 

  24. 

    25. 

  25.     This library is free software; you can redistribute it and/or

    26. 

  26.     modify it under the terms of the GNU Lesser General Public

    27. 

  27.     License as published by the Free Software Foundation; either

    28. 

  28.     version 2.1 of the License, or (at your option) any later version.

    29. 

  29. 

    30. 

  30.     This library is distributed in the hope that it will be useful,

    31. 

  31.     but WITHOUT ANY WARRANTY; without even the implied warranty of

    32. 

  32.     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

    33. 

  33.     Lesser General Public License for more details.

    34. 

  34. 

    35. 

  35.     You should have received a copy of the GNU Lesser General Public

    36. 

  36.     License along with this library; if not, write to the Free Software

    37. 

  37.     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

    38. 

  38.  */

    39. 

  39. 

    40. 

  40. /**

    41. 

  41.  * Facade that coordinates HTML Purifier's subsystems in order to purify HTML.

    42. 

  42.  *

    43. 

  43.  * @note There are several points in which configuration can be specified

    44. 

  44.  * for HTML Purifier.  The precedence of these (from lowest to

    45. 

  45.  * highest) is as follows:

    46. 

  46.  * -# Instance: new HTMLPurifier($config)

    47. 

  47.  * -# Invocation: purify($html, $config)

    48. 

  48.  * These configurations are entirely independent of each other and

    49. 

  49.  * are *not* merged (this behavior may change in the future).

    50. 

  50.  *

    51. 

  51.  * @todo We need an easier way to inject strategies using the configuration

    52. 

  52.  * object.

    53. 

  53.  */

    54. 

  54. class HTMLPurifier

    55. 

  55. {

    56. 

  56.     

    57. 

  57.     /** Version of HTML Purifier */

    58. 

  58.     public $version = '4.3.0';

    59. 

  59.     

    60. 

  60.     /** Constant with version of HTML Purifier */

    61. 

  61.     const VERSION = '4.3.0';

    62. 

  62.     

    63. 

  63.     /** Global configuration object */

    64. 

  64.     public $config;

    65. 

  65.     

    66. 

  66.     /** Array of extra HTMLPurifier_Filter objects to run on HTML, for backwards compatibility */

    67. 

  67.     private $filters = array();

    68. 

  68.     

    69. 

  69.     /** Single instance of HTML Purifier */

    70. 

  70.     private static $instance;

    71. 

  71.     

    72. 

  72.     protected $strategy, $generator;

    73. 

  73.     

    74. 

  74.     /**

    75. 

  75.      * Resultant HTMLPurifier_Context of last run purification. Is an array

    76. 

  76.      * of contexts if the last called method was purifyArray().

    77. 

  77.      */

    78. 

  78.     public $context;

    79. 

  79. 

    80. 

  80.     /**

    81. 

  81.      * Initializes the purifier.

    82. 

  82.      * @param $config Optional HTMLPurifier_Config object for all instances of

    83. 

  83.      * the purifier, if omitted, a default configuration is

    84. 

  84.      * supplied (which can be overridden on a per-use basis).

    85. 

  85.      * The parameter can also be any type that

    86. 

  86.      * HTMLPurifier_Config::create() supports.

    87. 

  87.      */

    88. 

  88.     public function __construct($config = null)

    89. 

  89.     {

    90. 

  90.         

    91. 

  91.         $this->config = HTMLPurifier_Config :: create($config);

    92. 

  92.         

    93. 

  93.         $this->strategy = new HTMLPurifier_Strategy_Core();

    94. 

  94.     

    95. 

  95.     }

    96. 

  96. 

    97. 

  97.     /**

    98. 

  98.      * Adds a filter to process the output. First come first serve

    99. 

  99.      * @param $filter HTMLPurifier_Filter object

    100. 

  100.      */

    101. 

  101.     public function addFilter($filter)

    102. 

  102.     {

    103. 

  103.         trigger_error('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom', E_USER_WARNING);

    104. 

  104.         $this->filters[] = $filter;

    105. 

  105.     }

    106. 

  106. 

    107. 

  107.     /**

    108. 

  108.      * Filters an HTML snippet/document to be XSS-free and standards-compliant.

    109. 

  109.      *

    110. 

  110.      * @param $html String of HTML to purify

    111. 

  111.      * @param $config HTMLPurifier_Config object for this operation, if omitted,

    112. 

  112.      * defaults to the config object specified during this

    113. 

  113.      * object's construction. The parameter can also be any type

    114. 

  114.      * that HTMLPurifier_Config::create() supports.

    115. 

  115.      * @return Purified HTML

    116. 

  116.      */

    117. 

  117.     public function purify($html, $config = null)

    118. 

  118.     {

    119. 

  119.         

    120. 

  120.         // :TODO: make the config merge in, instead of replace

    121. 

  121.         $config = $config ? HTMLPurifier_Config :: create($config) : $this->config;

    122. 

  122.         

    123. 

  123.         // implementation is partially environment dependant, partially

    124. 

  124.         // configuration dependant

    125. 

  125.         $lexer = HTMLPurifier_Lexer :: create($config);

    126. 

  126.         

    127. 

  127.         $context = new HTMLPurifier_Context();

    128. 

  128.         

    129. 

  129.         // setup HTML generator

    130. 

  130.         $this->generator = new HTMLPurifier_Generator($config, $context);

    131. 

  131.         $context->register('Generator', $this->generator);

    132. 

  132.         

    133. 

  133.         // set up global context variables

    134. 

  134.         if ($config->get('Core.CollectErrors'))

    135. 

  135.         {

    136. 

  136.             // may get moved out if other facilities use it

    137. 

  137.             $language_factory = HTMLPurifier_LanguageFactory :: instance();

    138. 

  138.             $language = $language_factory->create($config, $context);

    139. 

  139.             $context->register('Locale', $language);

    140. 

  140.             

    141. 

  141.             $error_collector = new HTMLPurifier_ErrorCollector($context);

    142. 

  142.             $context->register('ErrorCollector', $error_collector);

    143. 

  143.         }

    144. 

  144.         

    145. 

  145.         // setup id_accumulator context, necessary due to the fact that

    146. 

  146.         // AttrValidator can be called from many places

    147. 

  147.         $id_accumulator = HTMLPurifier_IDAccumulator :: build($config, $context);

    148. 

  148.         $context->register('IDAccumulator', $id_accumulator);

    149. 

  149.         

    150. 

  150.         $html = HTMLPurifier_Encoder :: convertToUTF8($html, $config, $context);

    151. 

  151.         

    152. 

  152.         // setup filters

    153. 

  153.         $filter_flags = $config->getBatch('Filter');

    154. 

  154.         $custom_filters = $filter_flags['Custom'];

    155. 

  155.         unset($filter_flags['Custom']);

    156. 

  156.         $filters = array();

    157. 

  157.         foreach ($filter_flags as $filter => $flag)

    158. 

  158.         {

    159. 

  159.             if (! $flag)

    160. 

  160.                 continue;

    161. 

  161.             if (strpos($filter, '.') !== false)

    162. 

  162.                 continue;

    163. 

  163.             $class = "HTMLPurifier_Filter_$filter";

    164. 

  164.             $filters[] = new $class();

    165. 

  165.         }

    166. 

  166.         foreach ($custom_filters as $filter)

    167. 

  167.         {

    168. 

  168.             // maybe "HTMLPurifier_Filter_$filter", but be consistent with AutoFormat

    169. 

  169.             $filters[] = $filter;

    170. 

  170.         }

    171. 

  171.         $filters = array_merge($filters, $this->filters);

    172. 

  172.         // maybe prepare(), but later

    173. 

  173.         

    174. 

  174. 

    175. 

  175.         for($i = 0, $filter_size = count($filters); $i < $filter_size; $i ++)

    176. 

  176.         {

    177. 

  177.             $html = $filters[$i]->preFilter($html, $config, $context);

    178. 

  178.         }

    179. 

  179.         

    180. 

  180.         // purified HTML

    181. 

  181.         $html = $this->generator->generateFromTokens(// list of tokens

    182. 

  182.         $this->strategy->execute(// list of un-purified tokens

    183. 

  183.         $lexer->tokenizeHTML(// un-purified HTML

    184. 

  184.         $html, $config, $context), $config, $context));

    185. 

  185.         

    186. 

  186.         for($i = $filter_size - 1; $i >= 0; $i --)

    187. 

  187.         {

    188. 

  188.             $html = $filters[$i]->postFilter($html, $config, $context);

    189. 

  189.         }

    190. 

  190.         

    191. 

  191.         $html = HTMLPurifier_Encoder :: convertFromUTF8($html, $config, $context);

    192. 

  192.         $this->context = & $context;

    193. 

  193.         return $html;

    194. 

  194.     }

    195. 

  195. 

    196. 

  196.     /**

    197. 

  197.      * Filters an array of HTML snippets

    198. 

  198.      * @param $config Optional HTMLPurifier_Config object for this operation.

    199. 

  199.      * See HTMLPurifier::purify() for more details.

    200. 

  200.      * @return Array of purified HTML

    201. 

  201.      */

    202. 

  202.     public function purifyArray($array_of_html, $config = null)

    203. 

  203.     {

    204. 

  204.         $context_array = array();

    205. 

  205.         foreach ($array_of_html as $key => $html)

    206. 

  206.         {

    207. 

  207.             $array_of_html[$key] = $this->purify($html, $config);

    208. 

  208.             $context_array[$key] = $this->context;

    209. 

  209.         }

    210. 

  210.         $this->context = $context_array;

    211. 

  211.         return $array_of_html;

    212. 

  212.     }

    213. 

  213. 

    214. 

  214.     /**

    215. 

  215.      * Singleton for enforcing just one HTML Purifier in your system

    216. 

  216.      * @param $prototype Optional prototype HTMLPurifier instance to

    217. 

  217.      * overload singleton with, or HTMLPurifier_Config

    218. 

  218.      * instance to configure the generated version with.

    219. 

  219.      */

    220. 

  220.     public static function instance($prototype = null)

    221. 

  221.     {

    222. 

  222.         if (! self :: $instance || $prototype)

    223. 

  223.         {

    224. 

  224.             if ($prototype instanceof HTMLPurifier)

    225. 

  225.             {

    226. 

  226.                 self :: $instance = $prototype;

    227. 

  227.             }

    228. 

  228.             elseif ($prototype)

    229. 

  229.             {

    230. 

  230.                 self :: $instance = new HTMLPurifier($prototype);

    231. 

  231.             }

    232. 

  232.             else

    233. 

  233.             {

    234. 

  234.                 self :: $instance = new HTMLPurifier();

    235. 

  235.             }

    236. 

  236.         }

    237. 

  237.         return self :: $instance;

    238. 

  238.     }

    239. 

  239. 

    240. 

  240.     /**

    241. 

  241.      * @note Backwards compatibility, see instance()

    242. 

  242.      */

    243. 

  243.     public static function getInstance($prototype = null)

    244. 

  244.     {

    245. 

  245.         return HTMLPurifier :: instance($prototype);

    246. 

  246.     }

    247. 

  247. 

    248. 

  248. }

    249. 

  249. 

    250. 

  250. // vim: et sw=4 sts=4

    251. 

  251.