PageRenderTime 26ms CodeModel.GetById 19ms RepoModel.GetById 0ms app.codeStats 0ms

/include/htmlpurifier/library/HTMLPurifier/Lexer.php

https://bitbucket.org/jhunsinfotech/blue-blues
PHP | 298 lines | 140 code | 40 blank | 118 comment | 19 complexity | 8ec8d7147d51cee1b833a6553bebd467 MD5 | raw file
Possible License(s): LGPL-2.1, GPL-2.0, LGPL-3.0 
    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * Forgivingly lexes HTML (SGML-style) markup into tokens.
    5. 

  5.  *
    6. 

  6.  * A lexer parses a string of SGML-style markup and converts them into
    7. 

  7.  * corresponding tokens.  It doesn't check for well-formedness, although its
    8. 

  8.  * internal mechanism may make this automatic (such as the case of
    9. 

  9.  * HTMLPurifier_Lexer_DOMLex).  There are several implementations to choose
    10. 

  10.  * from.
    11. 

  11.  *
    12. 

  12.  * A lexer is HTML-oriented: it might work with XML, but it's not
    13. 

  13.  * recommended, as we adhere to a subset of the specification for optimization
    14. 

  14.  * reasons. This might change in the future. Also, most tokenizers are not
    15. 

  15.  * expected to handle DTDs or PIs.
    16. 

  16.  *
    17. 

  17.  * This class should not be directly instantiated, but you may use create() to
    18. 

  18.  * retrieve a default copy of the lexer.  Being a supertype, this class
    19. 

  19.  * does not actually define any implementation, but offers commonly used
    20. 

  20.  * convenience functions for subclasses.
    21. 

  21.  *
    22. 

  22.  * @note The unit tests will instantiate this class for testing purposes, as
    23. 

  23.  *       many of the utility functions require a class to be instantiated.
    24. 

  24.  *       This means that, even though this class is not runnable, it will
    25. 

  25.  *       not be declared abstract.
    26. 

  26.  *
    27. 

  27.  * @par
    28. 

  28.  *
    29. 

  29.  * @note
    30. 

  30.  * We use tokens rather than create a DOM representation because DOM would:
    31. 

  31.  *
    32. 

  32.  * @par
    33. 

  33.  *  -# Require more processing and memory to create,
    34. 

  34.  *  -# Is not streamable, and
    35. 

  35.  *  -# Has the entire document structure (html and body not needed).
    36. 

  36.  *
    37. 

  37.  * @par
    38. 

  38.  * However, DOM is helpful in that it makes it easy to move around nodes
    39. 

  39.  * without a lot of lookaheads to see when a tag is closed. This is a
    40. 

  40.  * limitation of the token system and some workarounds would be nice.
    41. 

  41.  */
    42. 

  42. class HTMLPurifier_Lexer
    43. 

  43. {
    44. 

  44. 

  45.     /**
    46. 

  46.      * Whether or not this lexer implements line-number/column-number tracking.
    47. 

  47.      * If it does, set to true.
    48. 

  48.      */
    49. 

  49.     public $tracksLineNumbers = false;
    50. 

  50. 

  51.     // -- STATIC ----------------------------------------------------------
    52. 

  52. 

  53.     /**
    54. 

  54.      * Retrieves or sets the default Lexer as a Prototype Factory.
    55. 

  55.      *
    56. 

  56.      * By default HTMLPurifier_Lexer_DOMLex will be returned. There are
    57. 

  57.      * a few exceptions involving special features that only DirectLex
    58. 

  58.      * implements.
    59. 

  59.      *
    60. 

  60.      * @note The behavior of this class has changed, rather than accepting
    61. 

  61.      *       a prototype object, it now accepts a configuration object.
    62. 

  62.      *       To specify your own prototype, set %Core.LexerImpl to it.
    63. 

  63.      *       This change in behavior de-singletonizes the lexer object.
    64. 

  64.      *
    65. 

  65.      * @param $config Instance of HTMLPurifier_Config
    66. 

  66.      * @return Concrete lexer.
    67. 

  67.      */
    68. 

  68.     public static function create($config) {
    69. 

  69. 

  70.         if (!($config instanceof HTMLPurifier_Config)) {
    71. 

  71.             $lexer = $config;
    72. 

  72.             trigger_error("Passing a prototype to
    73. 

  73.               HTMLPurifier_Lexer::create() is deprecated, please instead
    74. 

  74.               use %Core.LexerImpl", E_USER_WARNING);
    75. 

  75.         } else {
    76. 

  76.             $lexer = $config->get('Core', 'LexerImpl');
    77. 

  77.         }
    78. 

  78. 

  79.         $needs_tracking =
    80. 

  80.             $config->get('Core', 'MaintainLineNumbers') ||
    81. 

  81.             $config->get('Core', 'CollectErrors');
    82. 

  82. 

  83.         $inst = null;
    84. 

  84.         if (is_object($lexer)) {
    85. 

  85.             $inst = $lexer;
    86. 

  86.         } else {
    87. 

  87. 

  88.             if (is_null($lexer)) { do {
    89. 

  89.                 // auto-detection algorithm
    90. 

  90. 

  91.                 if ($needs_tracking) {
    92. 

  92.                     $lexer = 'DirectLex';
    93. 

  93.                     break;
    94. 

  94.                 }
    95. 

  95. 

  96.                 if (
    97. 

  97.                     class_exists('DOMDocument') &&
    98. 

  98.                     method_exists('DOMDocument', 'loadHTML') &&
    99. 

  99.                     !extension_loaded('domxml')
    100. 

  100.                 ) {
    101. 

  101.                     // check for DOM support, because while it's part of the
    102. 

  102.                     // core, it can be disabled compile time. Also, the PECL
    103. 

  103.                     // domxml extension overrides the default DOM, and is evil
    104. 

  104.                     // and nasty and we shan't bother to support it
    105. 

  105.                     $lexer = 'DOMLex';
    106. 

  106.                 } else {
    107. 

  107.                     $lexer = 'DirectLex';
    108. 

  108.                 }
    109. 

  109. 

  110.             } while(0); } // do..while so we can break
    111. 

  111. 

  112.             // instantiate recognized string names
    113. 

  113.             switch ($lexer) {
    114. 

  114.                 case 'DOMLex':
    115. 

  115.                     $inst = new HTMLPurifier_Lexer_DOMLex();
    116. 

  116.                     break;
    117. 

  117.                 case 'DirectLex':
    118. 

  118.                     $inst = new HTMLPurifier_Lexer_DirectLex();
    119. 

  119.                     break;
    120. 

  120.                 case 'PH5P':
    121. 

  121.                     $inst = new HTMLPurifier_Lexer_PH5P();
    122. 

  122.                     break;
    123. 

  123.                 default:
    124. 

  124.                     throw new HTMLPurifier_Exception("Cannot instantiate unrecognized Lexer type " . htmlspecialchars($lexer));
    125. 

  125.             }
    126. 

  126.         }
    127. 

  127. 

  128.         if (!$inst) throw new HTMLPurifier_Exception('No lexer was instantiated');
    129. 

  129. 

  130.         // once PHP DOM implements native line numbers, or we
    131. 

  131.         // hack out something using XSLT, remove this stipulation
    132. 

  132.         if ($needs_tracking && !$inst->tracksLineNumbers) {
    133. 

  133.             throw new HTMLPurifier_Exception('Cannot use lexer that does not support line numbers with Core.MaintainLineNumbers or Core.CollectErrors (use DirectLex instead)');
    134. 

  134.         }
    135. 

  135. 

  136.         return $inst;
    137. 

  137. 

  138.     }
    139. 

  139. 

  140.     // -- CONVENIENCE MEMBERS ---------------------------------------------
    141. 

  141. 

  142.     public function __construct() {
    143. 

  143.         $this->_entity_parser = new HTMLPurifier_EntityParser();
    144. 

  144.     }
    145. 

  145. 

  146.     /**
    147. 

  147.      * Most common entity to raw value conversion table for special entities.
    148. 

  148.      */
    149. 

  149.     protected $_special_entity2str =
    150. 

  150.             array(
    151. 

  151.                     '&quot;' => '"',
    152. 

  152.                     '&amp;'  => '&',
    153. 

  153.                     '&lt;'   => '<',
    154. 

  154.                     '&gt;'   => '>',
    155. 

  155.                     '&#39;'  => "'",
    156. 

  156.                     '&#039;' => "'",
    157. 

  157.                     '&#x27;' => "'"
    158. 

  158.             );
    159. 

  159. 

  160.     /**
    161. 

  161.      * Parses special entities into the proper characters.
    162. 

  162.      *
    163. 

  163.      * This string will translate escaped versions of the special characters
    164. 

  164.      * into the correct ones.
    165. 

  165.      *
    166. 

  166.      * @warning
    167. 

  167.      * You should be able to treat the output of this function as
    168. 

  168.      * completely parsed, but that's only because all other entities should
    169. 

  169.      * have been handled previously in substituteNonSpecialEntities()
    170. 

  170.      *
    171. 

  171.      * @param $string String character data to be parsed.
    172. 

  172.      * @returns Parsed character data.
    173. 

  173.      */
    174. 

  174.     public function parseData($string) {
    175. 

  175. 

  176.         // following functions require at least one character
    177. 

  177.         if ($string === '') return '';
    178. 

  178. 

  179.         // subtracts amps that cannot possibly be escaped
    180. 

  180.         $num_amp = substr_count($string, '&') - substr_count($string, '& ') -
    181. 

  181.             ($string[strlen($string)-1] === '&' ? 1 : 0);
    182. 

  182. 

  183.         if (!$num_amp) return $string; // abort if no entities
    184. 

  184.         $num_esc_amp = substr_count($string, '&amp;');
    185. 

  185.         $string = strtr($string, $this->_special_entity2str);
    186. 

  186. 

  187.         // code duplication for sake of optimization, see above
    188. 

  188.         $num_amp_2 = substr_count($string, '&') - substr_count($string, '& ') -
    189. 

  189.             ($string[strlen($string)-1] === '&' ? 1 : 0);
    190. 

  190. 

  191.         if ($num_amp_2 <= $num_esc_amp) return $string;
    192. 

  192. 

  193.         // hmm... now we have some uncommon entities. Use the callback.
    194. 

  194.         $string = $this->_entity_parser->substituteSpecialEntities($string);
    195. 

  195.         return $string;
    196. 

  196.     }
    197. 

  197. 

  198.     /**
    199. 

  199.      * Lexes an HTML string into tokens.
    200. 

  200.      *
    201. 

  201.      * @param $string String HTML.
    202. 

  202.      * @return HTMLPurifier_Token array representation of HTML.
    203. 

  203.      */
    204. 

  204.     public function tokenizeHTML($string, $config, $context) {
    205. 

  205.         trigger_error('Call to abstract class', E_USER_ERROR);
    206. 

  206.     }
    207. 

  207. 

  208.     /**
    209. 

  209.      * Translates CDATA sections into regular sections (through escaping).
    210. 

  210.      *
    211. 

  211.      * @param $string HTML string to process.
    212. 

  212.      * @returns HTML with CDATA sections escaped.
    213. 

  213.      */
    214. 

  214.     protected static function escapeCDATA($string) {
    215. 

  215.         return preg_replace_callback(
    216. 

  216.             '/<!\[CDATA\[(.+?)\]\]>/s',
    217. 

  217.             array('HTMLPurifier_Lexer', 'CDATACallback'),
    218. 

  218.             $string
    219. 

  219.         );
    220. 

  220.     }
    221. 

  221. 

  222.     /**
    223. 

  223.      * Special CDATA case that is especially convoluted for <script>
    224. 

  224.      */
    225. 

  225.     protected static function escapeCommentedCDATA($string) {
    226. 

  226.         return preg_replace_callback(
    227. 

  227.             '#<!--//--><!\[CDATA\[//><!--(.+?)//--><!\]\]>#s',
    228. 

  228.             array('HTMLPurifier_Lexer', 'CDATACallback'),
    229. 

  229.             $string
    230. 

  230.         );
    231. 

  231.     }
    232. 

  232. 

  233.     /**
    234. 

  234.      * Callback function for escapeCDATA() that does the work.
    235. 

  235.      *
    236. 

  236.      * @warning Though this is public in order to let the callback happen,
    237. 

  237.      *          calling it directly is not recommended.
    238. 

  238.      * @params $matches PCRE matches array, with index 0 the entire match
    239. 

  239.      *                  and 1 the inside of the CDATA section.
    240. 

  240.      * @returns Escaped internals of the CDATA section.
    241. 

  241.      */
    242. 

  242.     protected static function CDATACallback($matches) {
    243. 

  243.         // not exactly sure why the character set is needed, but whatever
    244. 

  244.         return htmlspecialchars($matches[1], ENT_COMPAT, 'UTF-8');
    245. 

  245.     }
    246. 

  246. 

  247.     /**
    248. 

  248.      * Takes a piece of HTML and normalizes it by converting entities, fixing
    249. 

  249.      * encoding, extracting bits, and other good stuff.
    250. 

  250.      * @todo Consider making protected
    251. 

  251.      */
    252. 

  252.     public function normalize($html, $config, $context) {
    253. 

  253. 

  254.         // normalize newlines to \n
    255. 

  255.         $html = str_replace("\r\n", "\n", $html);
    256. 

  256.         $html = str_replace("\r", "\n", $html);
    257. 

  257. 

  258.         if ($config->get('HTML', 'Trusted')) {
    259. 

  259.             // escape convoluted CDATA
    260. 

  260.             $html = $this->escapeCommentedCDATA($html);
    261. 

  261.         }
    262. 

  262. 

  263.         // escape CDATA
    264. 

  264.         $html = $this->escapeCDATA($html);
    265. 

  265. 

  266.         // extract body from document if applicable
    267. 

  267.         if ($config->get('Core', 'ConvertDocumentToFragment')) {
    268. 

  268.             $html = $this->extractBody($html);
    269. 

  269.         }
    270. 

  270. 

  271.         // expand entities that aren't the big five
    272. 

  272.         $html = $this->_entity_parser->substituteNonSpecialEntities($html);
    273. 

  273. 

  274.         // clean into wellformed UTF-8 string for an SGML context: this has
    275. 

  275.         // to be done after entity expansion because the entities sometimes
    276. 

  276.         // represent non-SGML characters (horror, horror!)
    277. 

  277.         $html = HTMLPurifier_Encoder::cleanUTF8($html);
    278. 

  278. 

  279.         return $html;
    280. 

  280.     }
    281. 

  281. 

  282.     /**
    283. 

  283.      * Takes a string of HTML (fragment or document) and returns the content
    284. 

  284.      * @todo Consider making protected
    285. 

  285.      */
    286. 

  286.     public function extractBody($html) {
    287. 

  287.         $matches = array();
    288. 

  288.         $result = preg_match('!<body[^>]*>(.+?)</body>!is', $html, $matches);
    289. 

  289.         if ($result) {
    290. 

  290.             return $matches[1];
    291. 

  291.         } else {
    292. 

  292.             return $html;
    293. 

  293.         }
    294. 

  294.     }
    295. 

  295. 

  296. }
    297. 

  297. 

  298. // vim: et sw=4 sts=4
    299. 

  299.