Commit | Line | Data |
---|---|---|
f45a286b AD |
1 | Filter.ExtractStyleBlocks |
2 | TYPE: bool | |
3 | VERSION: 3.1.0 | |
4 | DEFAULT: false | |
5 | EXTERNAL: CSSTidy | |
6 | --DESCRIPTION-- | |
7 | <p> | |
8 | This directive turns on the style block extraction filter, which removes | |
9 | <code>style</code> blocks from input HTML, cleans them up with CSSTidy, | |
10 | and places them in the <code>StyleBlocks</code> context variable, for further | |
11 | use by you, usually to be placed in an external stylesheet, or a | |
12 | <code>style</code> block in the <code>head</code> of your document. | |
13 | </p> | |
14 | <p> | |
15 | Sample usage: | |
16 | </p> | |
17 | <pre><![CDATA[ | |
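<?php
// Sample page for Filter.ExtractStyleBlocks: purify a fragment, write the
// extracted style blocks to files, and link them from the document head.
// The HTTP charset is declared here so it agrees with the XML declaration.
header('Content-type: text/html; charset=utf-8');
echo '<?xml version="1.0" encoding="UTF-8"?>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Filter.ExtractStyleBlocks</title>
<?php
require_once '/path/to/library/HTMLPurifier.auto.php';
require_once '/path/to/csstidy.class.php';

// Stand-in for the untrusted HTML that a real page would receive.
$dirty = '<style>body {color:#F00;}</style> Some text';

$config = HTMLPurifier_Config::createDefault();
$config->set('Filter', 'ExtractStyleBlocks', true);
$purifier = new HTMLPurifier($config);

// With the filter on, purify() returns the HTML without its style blocks;
// the blocks themselves are read from the context below.
$html = $purifier->purify($dirty);

// This implementation writes the stylesheets to the styles/ directory.
// You can also echo the styles inside the document, but it's a bit
// more difficult to make sure they get interpreted properly by
// browsers; try the usual CSS armoring techniques.
// The extracted CSS still derives from untrusted input: see the
// imagecrash warning in this directive's description before serving it.
$styles = $purifier->context->get('StyleBlocks');
$dir = 'styles/';
if (!is_dir($dir)) {
    mkdir($dir);
}

// Hash the input that was actually purified. The original hashed
// $_GET['html'], which this sample never reads into $dirty, so the file
// name had no relation to the content and the index could be undefined.
$hash = sha1($dirty);

foreach ($styles as $i => $style) {
    // The path is a fixed directory, a hex digest and the StyleBlocks key
    // (presumably a numeric index; confirm), so no request-supplied text
    // reaches the file name or the href attribute.
    $name = $dir . $hash . "_$i";

    // The original call omitted the data argument, so nothing was written.
    // Only link a stylesheet that was actually stored.
    if (file_put_contents($name, $style) === false) {
        continue;
    }
    echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
}
?>
</head>
<body>
<div>
<?php echo $html; ?>
</div>
</b]]><![CDATA[ody>
</html>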
59 | ]]></pre> | |
60 | <p> | |
61 | <strong>Warning:</strong> It is possible for a user to mount an | |
62 | imagecrash attack using this CSS. Counter-measures are difficult; | |
63 | it is not enough simply to limit the range of CSS lengths (using | |
64 | relative lengths with many nesting levels allows for large values | |
65 | to be attained without actually specifying them in the stylesheet), | |
66 | and the flexible nature of selectors makes it difficult to selectively | |
67 | disable lengths on image tags (HTML Purifier, however, does disable | |
68 | CSS width and height in inline styling). There are probably two effective | |
69 | counter-measures: an explicit width and height set to auto in all | |
70 | images in your document (unlikely) or the disabling of width and | |
71 | height (somewhat reasonable). Whether or not these measures should be | |
72 | used is left to the reader. | |
73 | </p> | |
74 | --# vim: et sw=4 sts=4 |