1: <?php
2: /**
3: * HtmLawed is used here to provide protection against XSS attacks with Editor
4: * input - see the `Field->xss()` method. The Vanilla forums wrapper is used
5: * to provide sensible defaults and a clean interface for HtmLawed.
6: *
7: * Changes:
8: *
9: * * Add `DataTables/Vendor` namespace to this and htmLawed - this is to ensure
10: * that if htmLawed is included by any other aspect of the site it will not
11: * result in a conflict.
12: * * Use the OOP version of htmLawed (required a single updated to call it) to
13: * make the namespacing relatively easy.
14: * * Change the name of the Vanilla class so it don't conflict with the
15: * htmLawed OOP class
16: * * Update all `htmLawed::` references to `\DataTables\Vendor\htmLawed::` in
17: * the htmLawed file (to allow callbacks to operate correctly)
18: * * Updated Vanilla wrapper to operate on PHP 5.3
19: *
20: * HtmLawed:
21: * http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/
22: * Copyright: Santosh Patnaik
23: * License: Dual licensed with LGPL 3 and GPL 2+
24: *
25: * Vanilla wrapper for HtmLawed:
26: * https://github.com/vanilla/htmlawed/
27: * Author: Todd Burry <todd@vanillaforums.com>
28: * Copyright: 2009-2014 Vanilla Forums Inc.
29: * License: LGPL-3.0
30: */
31:
32: namespace DataTables\Vendor;
33:
34: /**
35: * A class wrapper for the htmLawed library.
36: */
37: class Htmlaw {
38: /// Methods ///
39:
40: public static $defaultConfig = array(
41: 'anti_link_spam' => array('`.`', ''),
42: 'comment' => 1,
43: 'cdata' => 3,
44: 'css_expression' => 1,
45: 'deny_attribute' => 'on*',
46: 'unique_ids' => 0,
47: 'elements' => '*-applet-form-input-textarea-iframe-script-style-embed-object',
48: 'keep_bad' => 1,
49: 'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https', // clsid allowed in class
50: 'valid_xhtml' => 0,
51: 'direct_list_nest' => 1,
52: 'balance' => 1
53: );
54:
55: public static $defaultSpec = array(
56: 'object=-classid-type, -codebase',
57: 'embed=type(oneof=application/x-shockwave-flash)'
58: );
59:
60: /**
61: * Filters a string of html with the htmLawed library.
62: *
63: * @param string $html The text to filter.
64: * @param array|null $config Config settings for the array.
65: * @param string|array|null $spec A specification to further limit the allowed attribute values in the html.
66: * @return string Returns the filtered html.
67: * @see http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm
68: */
69: public static function filter($html, array $config = null, $spec = null) {
70: if ($config === null) {
71: $config = self::$defaultConfig;
72: }
73:
74: if (isset($config['spec']) && !$spec) {
75: $spec = $config['spec'];
76: }
77:
78: if ($spec === null) {
79: $spec = static::$defaultSpec;
80: }
81:
82: return \DataTables\Vendor\Htmlawed::hl($html, $config, $spec);
83: }
84:
85:
86: /**
87: * Filter a string of html so that it can be put into an rss feed.
88: *
89: * @param $html The html text to fitlter.
90: * @return string Returns the filtered html.
91: * @see Htmlawed::filter().
92: */
93: public static function filterRSS($html) {
94: $config = array(
95: 'anti_link_spam' => array('`.`', ''),
96: 'comment' => 1,
97: 'cdata' => 3,
98: 'css_expression' => 1,
99: 'deny_attribute' => 'on*,style,class',
100: 'elements' => '*-applet-form-input-textarea-iframe-script-style-object-embed-comment-link-listing-meta-noscript-plaintext-xmp',
101: 'keep_bad' => 0,
102: 'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https', // clsid allowed in class
103: 'valid_xml' => 2,
104: 'balance' => 1
105: );
106: $spec = static::$defaultSpec;
107:
108: $result = static::filter($html, $config, $spec);
109:
110: return $result;
111: }
112: }
113: