| 1 |
efrain |
1 |
Filter.ExtractStyleBlocks
|
|
|
2 |
TYPE: bool
|
|
|
3 |
VERSION: 3.1.0
|
|
|
4 |
DEFAULT: false
|
|
|
5 |
EXTERNAL: CSSTidy
|
|
|
6 |
--DESCRIPTION--
|
|
|
7 |
<p>
|
|
|
8 |
This directive turns on the style block extraction filter, which removes
|
|
|
9 |
<code>style</code> blocks from input HTML, cleans them up with CSSTidy,
|
|
|
10 |
and places them in the <code>StyleBlocks</code> context variable, for further
|
|
|
11 |
use by you, usually to be placed in an external stylesheet, or a
|
|
|
12 |
<code>style</code> block in the <code>head</code> of your document.
|
|
|
13 |
</p>
|
|
|
14 |
<p>
|
|
|
15 |
Sample usage:
|
|
|
16 |
</p>
|
|
|
17 |
<pre><![CDATA[
|
|
|
18 |
<?php
|
|
|
19 |
header('Content-type: text/html; charset=utf-8');
|
|
|
20 |
echo '<?xml version="1.0" encoding="UTF-8"?>';
|
|
|
21 |
?>
|
|
|
22 |
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
|
23 |
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
|
24 |
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
|
|
25 |
<head>
|
|
|
26 |
<title>Filter.ExtractStyleBlocks</title>
|
|
|
27 |
<?php
|
|
|
28 |
require_once '/path/to/library/HTMLPurifier.auto.php';
|
|
|
29 |
require_once '/path/to/csstidy.class.php';
|
|
|
30 |
|
|
|
31 |
$dirty = '<style>body {color:#F00;}</style> Some text';
|
|
|
32 |
|
|
|
33 |
$config = HTMLPurifier_Config::createDefault();
|
|
|
34 |
$config->set('Filter', 'ExtractStyleBlocks', true);
|
|
|
35 |
$purifier = new HTMLPurifier($config);
|
|
|
36 |
|
|
|
37 |
$html = $purifier->purify($dirty);
|
|
|
38 |
|
|
|
39 |
// This implementation writes the stylesheets to the styles/ directory.
|
|
|
40 |
// You can also echo the styles inside the document, but it's a bit
|
|
|
41 |
// more difficult to make sure they get interpreted properly by
|
|
|
42 |
// browsers; try the usual CSS armoring techniques.
|
|
|
43 |
$styles = $purifier->context->get('StyleBlocks');
|
|
|
44 |
$dir = 'styles/';
|
|
|
45 |
if (!is_dir($dir)) mkdir($dir);
|
|
|
46 |
$hash = sha1($_GET['html']);
|
|
|
47 |
foreach ($styles as $i => $style) {
|
|
|
48 |
file_put_contents($name = $dir . $hash . "_$i");
|
|
|
49 |
echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
|
|
|
50 |
}
|
|
|
51 |
?>
|
|
|
52 |
</head>
|
|
|
53 |
<body>
|
|
|
54 |
<div>
|
|
|
55 |
<?php echo $html; ?>
|
|
|
56 |
</div>
|
|
|
57 |
</b]]><![CDATA[ody>
|
|
|
58 |
</html>
|
|
|
59 |
]]></pre>
|
|
|
60 |
<p>
|
|
|
61 |
<strong>Warning:</strong> It is possible for a user to mount an
|
|
|
62 |
imagecrash attack using this CSS. Counter-measures are difficult;
|
|
|
63 |
it is not simply enough to limit the range of CSS lengths (using
|
|
|
64 |
relative lengths with many nesting levels allows for large values
|
|
|
65 |
to be attained without actually specifying them in the stylesheet),
|
|
|
66 |
and the flexible nature of selectors makes it difficult to selectively
|
|
|
67 |
disable lengths on image tags (HTML Purifier, however, does disable
|
|
|
68 |
CSS width and height in inline styling). There are probably two effective
|
|
|
69 |
counter measures: an explicit width and height set to auto in all
|
|
|
70 |
images in your document (unlikely) or the disabling of width and
|
|
|
71 |
height (somewhat reasonable). Whether or not these measures should be
|
|
|
72 |
used is left to the reader.
|
|
|
73 |
</p>
|
|
|
74 |
--# vim: et sw=4 sts=4
|