You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111
  1. <?php
  2. /**
  3. * Validates the HTML attribute style, otherwise known as CSS.
  4. * @note We don't implement the whole CSS specification, so it might be
  5. * difficult to reuse this component in the context of validating
  6. * actual stylesheet declarations.
  7. * @note If we were really serious about validating the CSS, we would
  8. * tokenize the styles and then parse the tokens. Obviously, we
  9. * are not doing that. Doing that could seriously harm performance,
  10. * but would make these components a lot more viable for a CSS
  11. * filtering solution.
  12. */
  13. class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
  14. {
  15. /**
  16. * @param string $css
  17. * @param HTMLPurifier_Config $config
  18. * @param HTMLPurifier_Context $context
  19. * @return bool|string
  20. */
  21. public function validate($css, $config, $context)
  22. {
  23. $css = $this->parseCDATA($css);
  24. $definition = $config->getCSSDefinition();
  25. $allow_duplicates = $config->get("CSS.AllowDuplicates");
  26. // we're going to break the spec and explode by semicolons.
  27. // This is because semicolon rarely appears in escaped form
  28. // Doing this is generally flaky but fast
  29. // IT MIGHT APPEAR IN URIs, see HTMLPurifier_AttrDef_CSSURI
  30. // for details
  31. $declarations = explode(';', $css);
  32. $propvalues = array();
  33. $new_declarations = '';
  34. /**
  35. * Name of the current CSS property being validated.
  36. */
  37. $property = false;
  38. $context->register('CurrentCSSProperty', $property);
  39. foreach ($declarations as $declaration) {
  40. if (!$declaration) {
  41. continue;
  42. }
  43. if (!strpos($declaration, ':')) {
  44. continue;
  45. }
  46. list($property, $value) = explode(':', $declaration, 2);
  47. $property = trim($property);
  48. $value = trim($value);
  49. $ok = false;
  50. do {
  51. if (isset($definition->info[$property])) {
  52. $ok = true;
  53. break;
  54. }
  55. if (ctype_lower($property)) {
  56. break;
  57. }
  58. $property = strtolower($property);
  59. if (isset($definition->info[$property])) {
  60. $ok = true;
  61. break;
  62. }
  63. } while (0);
  64. if (!$ok) {
  65. continue;
  66. }
  67. // inefficient call, since the validator will do this again
  68. if (strtolower(trim($value)) !== 'inherit') {
  69. // inherit works for everything (but only on the base property)
  70. $result = $definition->info[$property]->validate(
  71. $value,
  72. $config,
  73. $context
  74. );
  75. } else {
  76. $result = 'inherit';
  77. }
  78. if ($result === false) {
  79. continue;
  80. }
  81. if ($allow_duplicates) {
  82. $new_declarations .= "$property:$result;";
  83. } else {
  84. $propvalues[$property] = $result;
  85. }
  86. }
  87. $context->destroy('CurrentCSSProperty');
  88. // procedure does not write the new CSS simultaneously, so it's
  89. // slightly inefficient, but it's the only way of getting rid of
  90. // duplicates. Perhaps config to optimize it, but not now.
  91. foreach ($propvalues as $prop => $value) {
  92. $new_declarations .= "$prop:$value;";
  93. }
  94. return $new_declarations ? $new_declarations : false;
  95. }
  96. }
  97. // vim: et sw=4 sts=4