forked from GNUsocial/gnu-social
81ea0f8117
HTMLPurifier defangs arbitrary submitted HTML. We're using it in the OStatus plugin, but it may be valuable for other parts of the codebase (I think OEmbed might benefit, for example).
35 lines
1.2 KiB
PHP
35 lines
1.2 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Implements special behavior for class attribute (normally NMTOKENS)
|
|
*/
|
|
class HTMLPurifier_AttrDef_HTML_Class extends HTMLPurifier_AttrDef_HTML_Nmtokens
|
|
{
|
|
protected function split($string, $config, $context) {
|
|
// really, this twiddle should be lazy loaded
|
|
$name = $config->getDefinition('HTML')->doctype->name;
|
|
if ($name == "XHTML 1.1" || $name == "XHTML 2.0") {
|
|
return parent::split($string, $config, $context);
|
|
} else {
|
|
return preg_split('/\s+/', $string);
|
|
}
|
|
}
|
|
protected function filter($tokens, $config, $context) {
|
|
$allowed = $config->get('Attr.AllowedClasses');
|
|
$forbidden = $config->get('Attr.ForbiddenClasses');
|
|
$ret = array();
|
|
foreach ($tokens as $token) {
|
|
if (
|
|
($allowed === null || isset($allowed[$token])) &&
|
|
!isset($forbidden[$token]) &&
|
|
// We need this O(n) check because of PHP's array
|
|
// implementation that casts -0 to 0.
|
|
!in_array($token, $ret, true)
|
|
) {
|
|
$ret[] = $token;
|
|
}
|
|
}
|
|
return $ret;
|
|
}
|
|
}
|