1 |
Filter.ExtractStyleBlocks |
W |
2 |
TYPE: bool |
|
3 |
VERSION: 3.1.0 |
|
4 |
DEFAULT: false |
|
5 |
EXTERNAL: CSSTidy |
|
6 |
--DESCRIPTION-- |
|
7 |
<p> |
|
8 |
This directive turns on the style block extraction filter, which removes
<code>style</code> blocks from input HTML, cleans them up with CSSTidy,
and places them in the <code>StyleBlocks</code> context variable for you
to use afterwards, usually in an external stylesheet or in a
<code>style</code> block in the <code>head</code> of your document.
|
13 |
</p> |
|
14 |
<p> |
|
15 |
Sample usage: |
|
16 |
</p> |
|
17 |
<pre><![CDATA[ |
|
18 |
<?php |
|
19 |
header('Content-type: text/html; charset=utf-8'); |
|
20 |
echo '<?xml version="1.0" encoding="UTF-8"?>'; |
|
21 |
?> |
|
22 |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" |
|
23 |
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> |
|
24 |
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> |
|
25 |
<head> |
|
26 |
<title>Filter.ExtractStyleBlocks</title> |
|
27 |
<?php |
|
28 |
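require_once '/path/to/library/HTMLPurifier.auto.php';
require_once '/path/to/csstidy.class.php';

// Untrusted HTML to purify; hard-coded here so the sample is self-contained.
$dirty = '<style>body {color:#F00;}</style> Some text';

$config = HTMLPurifier_Config::createDefault();
$config->set('Filter', 'ExtractStyleBlocks', true);
$purifier = new HTMLPurifier($config);

// With the filter enabled, purify() returns the HTML without its <style>
// blocks; the extracted CSS is collected in the StyleBlocks context variable.
$html = $purifier->purify($dirty);

// This implementation writes the stylesheets to the styles/ directory.
// You can also echo the styles inside the document, but it's a bit
// more difficult to make sure they get interpreted properly by
// browsers; try the usual CSS armoring techniques.
$styles = $purifier->context->get('StyleBlocks');
$dir = 'styles/';
if (!is_dir($dir)) mkdir($dir);

// Name the files after a hash of the input that was actually purified, so the
// name always matches the content. The path is built only from the fixed
// directory, the hex digest and the array key (presumably an integer index --
// confirm), so no part of the submitted HTML reaches the file name.
$hash = sha1($dirty);
foreach ($styles as $i => $style) {
    $name = $dir . $hash . "_$i";
    // Write the extracted CSS itself. Do not link to a file that could not be
    // written, or the page would reference a missing or stale stylesheet.
    if (file_put_contents($name, $style) === false) {
        continue;
    }
    // NOTE(review): the files carry no extension, so the web server must be
    // configured to serve styles/ as text/css. Nothing here removes old
    // files either; every distinct input adds to the directory, so put a
    // cleanup or quota in place before using this with public input.
    echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
}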
|
51 |
?> |
|
52 |
</head> |
|
53 |
<body> |
|
54 |
<div> |
|
55 |
<?php echo $html; ?> |
|
56 |
</div> |
|
57 |
</b]]><![CDATA[ody> |
|
58 |
</html> |
|
59 |
]]></pre> |
|
60 |
<p> |
|
61 |
<strong>Warning:</strong> It is possible for a user to mount an
imagecrash attack (images styled with extreme dimensions, exhausting
the resources of the viewer's browser) using this CSS. Counter-measures
are difficult; it is not enough simply to limit the range of CSS lengths
(using relative lengths with many nesting levels allows for large values
to be attained without actually specifying them in the stylesheet),
and the flexible nature of selectors makes it difficult to selectively
disable lengths on image tags (HTML Purifier, however, does disable
CSS width and height in inline styling). There are probably two effective
counter-measures: an explicit width and height set to auto in all
images in your document (unlikely) or the disabling of width and
height (somewhat reasonable). Whether or not these measures should be
used is left to the reader.
|
73 |
</p> |
|
74 |
--# vim: et sw=4 sts=4 |