File: framework/vendors/htmlpurifier/standalone/HTMLPurifier/ConfigSchema/schema/Filter.ExtractStyleBlocks.txt
Lines: 89
Filter.ExtractStyleBlocks
TYPE: bool
VERSION: 3.1.0
DEFAULT: false
EXTERNAL: CSSTidy
--DESCRIPTION--
<p>
  This directive turns on the style block extraction filter, which removes
  <code>style</code> blocks from input HTML, cleans them up with CSSTidy,
  and places them in the <code>StyleBlocks</code> context variable, for further
  use by you, usually to be placed in an external stylesheet, or a
  <code>style</code> block in the <code>head</code> of your document.
</p>
<p>
Sample usage:
</p>
<pre><![CDATA[
<?php
    header('Content-type: text/html; charset=utf-8');
    echo '<?xml version="1.0" encoding="UTF-8"?>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
  <title>Filter.ExtractStyleBlocks</title>
<?php
    require_once '/path/to/library/HTMLPurifier.auto.php';
    require_once '/path/to/csstidy.class.php';

    $dirty = '<style>body {color:#F00;}</style> Some text';

    $config = HTMLPurifier_Config::createDefault();
    $config->set('Filter', 'ExtractStyleBlocks', true);
    $purifier = new HTMLPurifier($config);

    $html = $purifier->purify($dirty);

    // This implementation writes the stylesheets to the styles/ directory.
    // You can also echo the styles inside the document, but it's a bit
    // more difficult to make sure they get interpreted properly by
    // browsers; try the usual CSS armoring techniques.
    $styles = $purifier->context->get('StyleBlocks');
    $dir = 'styles/';
    if (!is_dir($dir)) mkdir($dir);
    // Name the files after a hash of the input that was purified.
    $hash = sha1($dirty);
    foreach ($styles as $i => $style) {
        // Write the cleaned CSS for this block into its own file.
        file_put_contents($name = $dir . $hash . "_$i", $style);
        echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
    }
?>
</head>
<body>
  <div>
    <?php echo $html; ?>
  </div>
</b]]><![CDATA[ody>
</html>
]]></pre>
<p>
  <strong>Warning:</strong> It is possible for a user to mount an
  imagecrash attack using this CSS. Counter-measures are difficult;
  it is simply not enough to limit the range of CSS lengths (using
  relative lengths with many nesting levels allows for large values
  to be attained without actually specifying them in the stylesheet),
  and the flexible nature of selectors makes it difficult to selectively
  disable lengths on image tags (HTML Purifier, however, does disable
  CSS width and height in inline styling). There are probably two effective
  counter-measures: an explicit width and height set to auto in all
  images in your document (unlikely) or the disabling of width and
  height (somewhat reasonable). Whether or not these measures should be
  used is left to the reader.
</p>
--# vim: et sw=4 sts=4
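
The second counter-measure from the warning above (disabling width and height), sketched as an added example that is not part of HTML Purifier's own documentation. It assumes HTML Purifier 4.2.0 or later, where the CSS.ForbiddenProperties directive and the dotted configuration keys are available; the function name and the sample input are constructed for illustration.

```php
<?php
// Added example; not part of HTML Purifier's own documentation.
require_once '/path/to/library/HTMLPurifier.auto.php';
require_once '/path/to/csstidy.class.php';

/**
 * Purify $dirty and return array($html, $styles), with width and height
 * removed from the CSS definition so extracted style blocks cannot size images.
 * (Hypothetical helper name, chosen for this example.)
 */
function purify_without_css_dimensions($dirty)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Filter.ExtractStyleBlocks', true);
    // Assumption: CSS.ForbiddenProperties is available (HTML Purifier 4.2.0+).
    $config->set('CSS.ForbiddenProperties', array('width', 'height'));

    $purifier = new HTMLPurifier($config);
    $html = $purifier->purify($dirty);
    $styles = $purifier->context->get('StyleBlocks');

    // Fail closed if a dimension declaration survived, e.g. because the
    // installed version handles the directive differently than assumed.
    // The pattern matches the bare properties only, not line-height.
    foreach ($styles as $i => $style) {
        if (preg_match('/(?:^|[{;\s])(?:width|height)\s*:/i', $style)) {
            throw new RuntimeException("Style block $i still sets width or height");
        }
    }
    return array($html, $styles);
}

// Constructed sample input: a style block that sizes images in relative units.
$dirty = '<style>img {width: 50em; height: 50em; border: 1px solid #F00;}</style>'
       . '<div><img src="a.png" alt="a" /></div>';
list($html, $styles) = purify_without_css_dimensions($dirty);
```

The directive applies to the whole CSS definition, so width and height are also dropped from inline style attributes on every element.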