CSS.php 4.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137
  1. <?php
  2. /**
  3. * Validates the HTML attribute style, otherwise known as CSS.
  4. * @note We don't implement the whole CSS specification, so it might be
  5. * difficult to reuse this component in the context of validating
  6. * actual stylesheet declarations.
  7. * @note If we were really serious about validating the CSS, we would
  8. * tokenize the styles and then parse the tokens. Obviously, we
  9. * are not doing that. Doing that could seriously harm performance,
  10. * but would make these components a lot more viable for a CSS
  11. * filtering solution.
  12. */
  13. class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
  14. {
  15. /**
  16. * @param string $css
  17. * @param HTMLPurifier_Config $config
  18. * @param HTMLPurifier_Context $context
  19. * @return bool|string
  20. */
  21. public function validate($css, $config, $context)
  22. {
  23. $css = $this->parseCDATA($css);
  24. $definition = $config->getCSSDefinition();
  25. $allow_duplicates = $config->get("CSS.AllowDuplicates");
  26. // According to the CSS2.1 spec, the places where a
  27. // non-delimiting semicolon can appear are in strings
  28. // escape sequences. So here is some dumb hack to
  29. // handle quotes.
  30. $len = strlen($css);
  31. $accum = "";
  32. $declarations = array();
  33. $quoted = false;
  34. for ($i = 0; $i < $len; $i++) {
  35. $c = strcspn($css, ";'\"", $i);
  36. $accum .= substr($css, $i, $c);
  37. $i += $c;
  38. if ($i == $len) break;
  39. $d = $css[$i];
  40. if ($quoted) {
  41. $accum .= $d;
  42. if ($d == $quoted) {
  43. $quoted = false;
  44. }
  45. } else {
  46. if ($d == ";") {
  47. $declarations[] = $accum;
  48. $accum = "";
  49. } else {
  50. $accum .= $d;
  51. $quoted = $d;
  52. }
  53. }
  54. }
  55. if ($accum != "") $declarations[] = $accum;
  56. $propvalues = array();
  57. $new_declarations = '';
  58. /**
  59. * Name of the current CSS property being validated.
  60. */
  61. $property = false;
  62. $context->register('CurrentCSSProperty', $property);
  63. foreach ($declarations as $declaration) {
  64. if (!$declaration) {
  65. continue;
  66. }
  67. if (!strpos($declaration, ':')) {
  68. continue;
  69. }
  70. list($property, $value) = explode(':', $declaration, 2);
  71. $property = trim($property);
  72. $value = trim($value);
  73. $ok = false;
  74. do {
  75. if (isset($definition->info[$property])) {
  76. $ok = true;
  77. break;
  78. }
  79. if (ctype_lower($property)) {
  80. break;
  81. }
  82. $property = strtolower($property);
  83. if (isset($definition->info[$property])) {
  84. $ok = true;
  85. break;
  86. }
  87. } while (0);
  88. if (!$ok) {
  89. continue;
  90. }
  91. // inefficient call, since the validator will do this again
  92. if (strtolower(trim($value)) !== 'inherit') {
  93. // inherit works for everything (but only on the base property)
  94. $result = $definition->info[$property]->validate(
  95. $value,
  96. $config,
  97. $context
  98. );
  99. } else {
  100. $result = 'inherit';
  101. }
  102. if ($result === false) {
  103. continue;
  104. }
  105. if ($allow_duplicates) {
  106. $new_declarations .= "$property:$result;";
  107. } else {
  108. $propvalues[$property] = $result;
  109. }
  110. }
  111. $context->destroy('CurrentCSSProperty');
  112. // procedure does not write the new CSS simultaneously, so it's
  113. // slightly inefficient, but it's the only way of getting rid of
  114. // duplicates. Perhaps config to optimize it, but not now.
  115. foreach ($propvalues as $prop => $value) {
  116. $new_declarations .= "$prop:$value;";
  117. }
  118. return $new_declarations ? $new_declarations : false;
  119. }
  120. }
  121. // vim: et sw=4 sts=4