1: <?php
2: /**
3: * HtmLawed is used here to provide protection against XSS attacks with Editor
4: * input - see the `Field->xss()` method. The Vanilla forums wrapper is used
5: * to provide sensible defaults and a clean interface for HtmLawed.
6: *
7: * Changes:
8: *
* Add the `DataTables\Vendor` namespace to this file and to htmLawed, so that if
* htmLawed is also included elsewhere on the site (e.g. by another plugin) the
* two copies do not conflict.
* Use the OOP version of htmLawed (this required a single update to the call
* site, `htmLawed::hl()`) to make the namespacing relatively easy.
* Rename the Vanilla wrapper class (to `Htmlaw`) so it doesn't conflict with
* the htmLawed OOP class.
16: * * Update all `htmLawed::` references to `\DataTables\Vendor\htmLawed::` in
17: * the htmLawed file (to allow callbacks to operate correctly)
18: * * Updated Vanilla wrapper to operate on PHP 5.3
19: *
20: * HtmLawed:
21: * http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
22: * Copyright: Santosh Patnaik
23: * License: Dual licensed with LGPL 3 and GPL 2+
24: *
25: * Vanilla wrapper for HtmLawed:
26: * https://github.com/vanilla/htmlawed/
27: * Author: Todd Burry <todd@vanillaforums.com>
28: * Copyright: 2009-2014 Vanilla Forums Inc.
29: * License: LGPL-3.0
30: */
31:
32: namespace DataTables\Vendor;
33:
34: /**
35: * A class wrapper for the htmLawed library.
36: */
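class Htmlaw {
    /// Properties ///

    /**
     * Default htmLawed configuration, used by `filter()` when no config is given.
     *
     * This is the policy applied to untrusted Editor input, so any relaxation of
     * it is a security change. Points a reviewer should know:
     *
     * * `deny_attribute => 'on*'` denies attributes matching `on*` (the inline
     *   event handlers). `style` and `class` stay allowed here; `filterRSS()`
     *   denies them as well.
     * * `elements` is htmLawed's whole element set minus the scripting, embedding
     *   and form elements listed. `link`, `meta`, `noscript`, `plaintext`, `xmp`
     *   and `listing` are excluded by `filterRSS()` but not here;
     *   NOTE(review): confirm whether the bundled htmLawed accepts them, since a
     *   user-supplied `<link>` or `<meta>` is rarely wanted in Editor content.
     * * `schemes` permits `file:` both for `href` and in the catch-all `*` rule
     *   (which covers `src`-style attributes). Browsers refuse `file:` loads from
     *   http(s) pages, but a server-side consumer of the filtered HTML (PDF or
     *   e-mail rendering, feed readers) may not; NOTE(review): drop `file`
     *   unless it is actually required.
     * * `unique_ids => 0` disables htmLawed's `id` uniqueness handling, so user
     *   content can reuse ids present on the host page (DOM clobbering);
     *   NOTE(review): confirm this is intentional.
     * * `keep_bad => 1` keeps disallowed tags (neutralised) rather than removing
     *   them; `filterRSS()` uses `0`. See the htmLawed README for exact semantics.
     * * htmLawed's `safe` option is not set; NOTE(review): evaluate enabling it
     *   if stricter defaults are acceptable for Editor input.
     *
     * The property is public and mutable for backwards compatibility; writing to
     * it changes the filtering policy for every caller.
     *
     * @var array
     */
    public static $defaultConfig = array(
        'anti_link_spam' => array('`.`', ''),
        'comment' => 1,
        'cdata' => 3,
        'css_expression' => 1,
        'deny_attribute' => 'on*',
        'unique_ids' => 0,
        'elements' => '*-applet-form-input-textarea-iframe-script-style-embed-object',
        'keep_bad' => 1,
        // `clsid:` is permitted only in the `classid` attribute; `style` may not
        // carry URLs at all; every other URL attribute is limited to file/http/https.
        'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
        'valid_xhtml' => 0,
        'direct_list_nest' => 1,
        'balance' => 1
    );

    /**
     * Default htmLawed spec (per-element attribute restrictions).
     *
     * Both entries constrain `object` / `embed`, which `$defaultConfig` and
     * `filterRSS()` already remove via `elements`; they only take effect for a
     * caller that passes its own config re-enabling those elements.
     *
     * @var array
     */
    public static $defaultSpec = array(
        'object=-classid-type, -codebase',
        'embed=type(oneof=application/x-shockwave-flash)'
    );

    /// Methods ///

    /**
     * Filters a string of HTML with the htmLawed library.
     *
     * @param string $html The text to filter.
     * @param array|null $config htmLawed configuration options; `static::$defaultConfig`
     *     when null. A `spec` key inside the config is used as the spec when no
     *     (truthy) `$spec` argument is given.
     * @param string|array|null $spec A specification further limiting allowed
     *     attribute values; `static::$defaultSpec` when null.
     * @return string Returns the filtered HTML.
     * @see http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm
     */
    public static function filter($html, array $config = null, $spec = null) {
        require_once __DIR__.'/htmLawed/htmLawed.php';

        // Late static binding for both defaults, so a subclass overriding one of
        // them sees a consistent pair.
        if ($config === null) {
            $config = static::$defaultConfig;
        }

        // Honour a spec bundled in the config only when the caller did not pass
        // one. The key is deliberately left in $config as well.
        if (isset($config['spec']) && !$spec) {
            $spec = $config['spec'];
        }

        if ($spec === null) {
            $spec = static::$defaultSpec;
        }

        return htmLawed::hl($html, $config, $spec);
    }


    /**
     * Filter a string of HTML so that it can be put into an RSS feed.
     *
     * Stricter than the Editor defaults: `style` and `class` are denied, more
     * document-level elements are removed, and disallowed tags are dropped
     * (`keep_bad => 0`) instead of being neutralised.
     *
     * @param string $html The HTML text to filter.
     * @return string Returns the filtered HTML.
     * @see Htmlaw::filter()
     */
    public static function filterRSS($html) {
        $config = array(
            'anti_link_spam' => array('`.`', ''),
            'comment' => 1,
            'cdata' => 3,
            'css_expression' => 1,
            'deny_attribute' => 'on*,style,class',
            'elements' => '*-applet-form-input-textarea-iframe-script-style-object-embed-comment-link-listing-meta-noscript-plaintext-xmp',
            'keep_bad' => 0,
            // Same scheme policy as the Editor defaults, including `file:`.
            'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https',
            // NOTE(review): the Editor config uses `valid_xhtml`; `valid_xml` is
            // not a key that config uses and may be ignored by htmLawed, in which
            // case the XML-validity intent for feeds is not enforced. Confirm
            // against the bundled htmLawed before renaming it.
            'valid_xml' => 2,
            'balance' => 1
        );
        $spec = static::$defaultSpec;

        return static::filter($html, $config, $spec);
    }
}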
115: