summaryrefslogtreecommitdiff
path: root/html.class
diff options
context:
space:
mode:
authorChristian Schneider2007-02-12 15:13:41 +0000
committerChristian Schneider2007-02-12 15:13:41 +0000
commite923bc4ab388d00ec757987003e39918756a7c59 (patch)
treef9bc60877cb8401879f1cd141b341d5bad0b96a9 /html.class
parent1a5c18447e6d9dc7a6f0d31720ea28a66c190271 (diff)
downloaditools-e923bc4ab388d00ec757987003e39918756a7c59.tar.gz
itools-e923bc4ab388d00ec757987003e39918756a7c59.tar.bz2
itools-e923bc4ab388d00ec757987003e39918756a7c59.zip
Added it_html::sanitize to make user-contributed html safe to use
Diffstat (limited to 'html.class')
-rw-r--r--html.class50
1 files changed, 48 insertions, 2 deletions
diff --git a/html.class b/html.class
index 098e4b3..ccacfea 100644
--- a/html.class
+++ b/html.class
@@ -33,10 +33,11 @@ class it_html
'show_content_type' => true,
'show_favicon' => true,
'show_boot_dom' => true,
+ 'staticallycallable' => "q,u,select", # Those methods are statically callable (have same arguments as global stubs) but are a bit slower
+ 'notexported' => "sanitize", # Those methods are not exported
);
var $tags_seen = array('body' => true); # body always counts as seen
var $_hasnonewline = array();
- var $_staticallycallable = "q,u,select"; # Those methods are statically callable (have same arguments as global stubs) but are a bit slower
/**
* Create a HTML object and global functions for all methods (exlcluding
@@ -64,6 +65,7 @@ function it_html($config = array())
$this->_htmltype = $this->_oldhtml ? "html" : "xhtml";
$this->_oldhtml = $this->_htmltype == "html";
$this->_hasnonewline = array_flip(explode(',', "dummy," . $this->_nonewlinetags)); # dummy keeps values >0
+ $notexported = array_flip(explode(',', "dummy," . $this->_notexported)); # dummy keeps values >0
# Create global functions for _tags
foreach (array_merge(explode(',', $this->_tags), explode(',', $this->_moretags)) as $func)
@@ -75,7 +77,7 @@ function it_html($config = array())
# Create global functions for it_html methods
foreach (get_class_methods(get_class($this)) as $func)
{
- if (!preg_match('/^_/', $func) && !is_a($this, $func) && $func && !function_exists($func))
+ if (!preg_match('/^_/', $func) && !is_a($this, $func) && $func && !function_exists($func) && !$notexported[$func])
$code[$func] = "function $func() { \$args = func_get_args(); return \$GLOBALS['$this->_name']->$func(\$args); }";
}
@@ -224,6 +226,50 @@ function span($args)
/**
+ * Return HTML with all evil things stripped. Allowed are a coupld of simple
+ * tags like div, p, i, b, br without attributes, a with absolute href,
+ * img with absolute src url. Also ensures that tags are balanced.
+ * @param $html HTML string to be sanitized
+ * @return Sanitized HTML
+ */
+function sanitize($html)
+{
+ $result = "";
+ $html = it::replace('[\0\n\r\s]+' => " ", $html);
+ $urlpattern = 'https?://[^">]+';
+
+ if ($tag = it::match("(.*)<(div|p|i|b)[^>]*>(.*?)</\\2>(.*)", $html))
+ {
+ # Simple tags with content, no attributes kept
+ list($head, $tagname, $content, $tail) = $tag;
+ $result .= it_html::sanitize($head) . "<$tagname>" . it_html::sanitize($content) . "</$tagname>" . it_html::sanitize($tail);
+ }
+ else if ($tag = it::match('(.*)<a[^>]+?href="(' . $urlpattern . ')"[^>]*?>(.*?)</a>(.*)', $html))
+ {
+ # Link tags, keeps only href attribute
+ list($head, $href, $content, $tail) = $tag;
+ $result .= it_html::sanitize($head) . "<a href=\"$href\">" . it_html::sanitize($content) . "</a>" . it_html::sanitize($tail);
+ }
+ else if ($tag = it::match('(.*)<img[^>]+?src="(' . $urlpattern . ')"[^>]*?>(.*)', $html))
+ {
+ # Image tags, keeps only src attribute
+ list($head, $src, $tail) = $tag;
+ $result .= it_html::sanitize($head) . "<img src=\"$src\" />" . it_html::sanitize($tail);
+ }
+ else if ($tag = it::match("(.*)<(br)[^>]*>(.*)", $html))
+ {
+ # Simple tags without content, no attributes kept
+ list($head, $tagname, $tail) = $tag;
+ $result .= it_html::sanitize($head) . "<$tagname />" . it_html::sanitize($tail);
+ }
+ else
+ $result = Q(html_entity_decode(strip_tags($html)));
+
+ return $result;
+}
+
+
+/**
* Shortcut: return htmlspecialchars($string);
* @param $string String to encode with htmlspecialchars()
* @return htmlspecialchars($string)