diff options
Diffstat (limited to 'lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt')
| -rw-r--r-- | lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt b/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt deleted file mode 100644 index 078d08741..000000000 --- a/lib/htmlpurifier/library/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt +++ /dev/null @@ -1,74 +0,0 @@ -Filter.ExtractStyleBlocks -TYPE: bool -VERSION: 3.1.0 -DEFAULT: false -EXTERNAL: CSSTidy ---DESCRIPTION-- -<p> - This directive turns on the style block extraction filter, which removes - <code>style</code> blocks from input HTML, cleans them up with CSSTidy, - and places them in the <code>StyleBlocks</code> context variable, for further - use by you, usually to be placed in an external stylesheet, or a - <code>style</code> block in the <code>head</code> of your document. -</p> -<p> - Sample usage: -</p> -<pre><![CDATA[ -<?php - header('Content-type: text/html; charset=utf-8'); - echo '<?xml version="1.0" encoding="UTF-8"?>'; -?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"> -<head> - <title>Filter.ExtractStyleBlocks</title> -<?php - require_once '/path/to/library/HTMLPurifier.auto.php'; - require_once '/path/to/csstidy.class.php'; - - $dirty = '<style>body {color:#F00;}</style> Some text'; - - $config = HTMLPurifier_Config::createDefault(); - $config->set('Filter', 'ExtractStyleBlocks', true); - $purifier = new HTMLPurifier($config); - - $html = $purifier->purify($dirty); - - // This implementation writes the stylesheets to the styles/ directory. - // You can also echo the styles inside the document, but it's a bit - // more difficult to make sure they get interpreted properly by - // browsers; try the usual CSS armoring techniques. - $styles = $purifier->context->get('StyleBlocks'); - $dir = 'styles/'; - if (!is_dir($dir)) mkdir($dir); - $hash = sha1($_GET['html']); - foreach ($styles as $i => $style) { - file_put_contents($name = $dir . $hash . "_$i"); - echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />'; - } -?> -</head> -<body> - <div> - <?php echo $html; ?> - </div> -</b]]><![CDATA[ody> -</html> -]]></pre> -<p> - <strong>Warning:</strong> It is possible for a user to mount an - imagecrash attack using this CSS. Counter-measures are difficult; - it is not simply enough to limit the range of CSS lengths (using - relative lengths with many nesting levels allows for large values - to be attained without actually specifying them in the stylesheet), - and the flexible nature of selectors makes it difficult to selectively - disable lengths on image tags (HTML Purifier, however, does disable - CSS width and height in inline styling). There are probably two effective - counter measures: an explicit width and height set to auto in all - images in your document (unlikely) or the disabling of width and - height (somewhat reasonable). Whether or not these measures should be - used is left to the reader. -</p> ---# vim: et sw=4 sts=4 |