Änderungen https Andy Müller rückgängig gemacht
This commit is contained in:
aschwarz
@ -40,7 +40,7 @@ abstract class HTMLPurifier_AttrDef
|
||||
* Convenience method that parses a string as if it were CDATA.
|
||||
*
|
||||
* This method process a string in the manner specified at
|
||||
* <https://www.w3.org/TR/html4/types.html#h-6.2> by removing
|
||||
* <http://www.w3.org/TR/html4/types.html#h-6.2> by removing
|
||||
* leading and trailing whitespace, ignoring line feeds, and replacing
|
||||
* carriage returns and tabs with spaces. While most useful for HTML
|
||||
* attributes specified as CDATA, it can also be applied to most CSS
|
||||
|
||||
@ -127,11 +127,11 @@ class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
|
||||
// show up in non-Western pages and are supported by most
|
||||
// major browsers, for example: "MS 明朝" is a
|
||||
// legitimate font-name
|
||||
// <https://ja.wikipedia.org/wiki/MS_明朝>. See
|
||||
// <http://ja.wikipedia.org/wiki/MS_明朝>. See
|
||||
// the CSS3 spec for more examples:
|
||||
// <https://www.w3.org/TR/2011/WD-css3-fonts-20110324/localizedfamilynames.png>
|
||||
// <http://www.w3.org/TR/2011/WD-css3-fonts-20110324/localizedfamilynames.png>
|
||||
// You can see live samples of these on the Internet:
|
||||
// <https://www.google.co.jp/search?q=font-family+MS+明朝|ゴシック>
|
||||
// <http://www.google.co.jp/search?q=font-family+MS+明朝|ゴシック>
|
||||
// However, most of these fonts have ASCII equivalents:
|
||||
// for example, 'MS Mincho', and it's considered
|
||||
// professional to use ASCII font names instead of
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Validates a URI in CSS syntax, which uses url('https://example.com')
|
||||
* Validates a URI in CSS syntax, which uses url('http://example.com')
|
||||
* @note While theoretically speaking a URI in a CSS document could
|
||||
* be non-embedded, as of CSS2 there is no such usage so we're
|
||||
* generalizing it. This may need to be changed in the future.
|
||||
|
||||
@ -48,7 +48,7 @@ class HTMLPurifier_AttrDef_HTML_Pixels extends HTMLPurifier_AttrDef
|
||||
}
|
||||
|
||||
// upper-bound value, extremely high values can
|
||||
// crash operating systems, see <https://ha.ckers.org/imagecrash.html>
|
||||
// crash operating systems, see <http://ha.ckers.org/imagecrash.html>
|
||||
// WARNING, above link WILL crash you if you're using Windows
|
||||
|
||||
if ($this->max !== null && $int > $this->max) {
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
/**
|
||||
* Primitive email validation class based on the regexp found at
|
||||
* https://www.regular-expressions.info/email.html
|
||||
* http://www.regular-expressions.info/email.html
|
||||
*/
|
||||
class HTMLPurifier_AttrDef_URI_Email_SimpleCheck extends HTMLPurifier_AttrDef_URI_Email
|
||||
{
|
||||
|
||||
@ -595,7 +595,7 @@ class HTMLPurifier_Config
|
||||
'modify your code to use maybeGetRawDefinition, and test if the returned ' .
|
||||
'value is null before making any edits (if it is null, that means that a ' .
|
||||
'cached version is available, and no raw operations are necessary). See ' .
|
||||
'<a href="https://htmlpurifier.org/docs/enduser-customize.html#optimized">' .
|
||||
'<a href="http://htmlpurifier.org/docs/enduser-customize.html#optimized">' .
|
||||
'Customize</a> for more details',
|
||||
E_USER_WARNING
|
||||
);
|
||||
|
||||
@ -26,7 +26,7 @@ class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter
|
||||
|
||||
$purifier = HTMLPurifier::getInstance();
|
||||
$html = $purifier->purify($html);
|
||||
$this->writeAttribute('xmlns', 'https://www.w3.org/1999/xhtml');
|
||||
$this->writeAttribute('xmlns', 'http://www.w3.org/1999/xhtml');
|
||||
$this->writeRaw($html);
|
||||
|
||||
$this->endElement(); // div
|
||||
|
||||
@ -5,7 +5,7 @@ DEFAULT: false
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive turns on the in-text display of URIs in <a> tags, and disables
|
||||
those links. For example, <a href="https://example.com">example</a> becomes
|
||||
example (<a>https://example.com</a>).
|
||||
those links. For example, <a href="http://example.com">example</a> becomes
|
||||
example (<a>http://example.com</a>).
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
|
||||
@ -20,8 +20,8 @@ EXTERNAL: CSSTidy
|
||||
echo '<?xml version="1.0" encoding="UTF-8"?>';
|
||||
?>
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||||
"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||||
<html xmlns="https://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
||||
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||||
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
|
||||
<head>
|
||||
<title>Filter.ExtractStyleBlocks</title>
|
||||
<?php
|
||||
|
||||
@ -10,7 +10,7 @@ DEFAULT: false
|
||||
</p>
|
||||
<p>
|
||||
This directive enables YouTube video embedding in HTML Purifier. Check
|
||||
<a href="https://htmlpurifier.org/docs/enduser-youtube.html">this document
|
||||
<a href="http://htmlpurifier.org/docs/enduser-youtube.html">this document
|
||||
on embedding videos</a> for more information on what this filter does.
|
||||
</p>
|
||||
--# vim: et sw=4 sts=4
|
||||
|
||||
@ -14,7 +14,7 @@ DEFAULT: NULL
|
||||
If you attempt to allow an element that HTML Purifier does not know
|
||||
about, HTML Purifier will raise an error. You will need to manually
|
||||
tell HTML Purifier about this element by using the
|
||||
<a href="https://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
|
||||
<a href="http://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> If another directive conflicts with the
|
||||
|
||||
@ -9,7 +9,7 @@ DEFAULT: NULL
|
||||
absolute URIs into another URI, usually a URI redirection service.
|
||||
This directive accepts a URI, formatted with a <code>%s</code> where
|
||||
the url-encoded original URI should be inserted (sample:
|
||||
<code>https://www.google.com/url?q=%s</code>).
|
||||
<code>http://www.google.com/url?q=%s</code>).
|
||||
</p>
|
||||
<p>
|
||||
Uses for this directive:
|
||||
|
||||
@ -10,9 +10,9 @@ DEFAULT: NULL
|
||||
%HTML.SafeIframe is enabled. Here are some example values:
|
||||
</p>
|
||||
<ul>
|
||||
<li><code>%^https://www.youtube.com/embed/%</code> - Allow YouTube videos</li>
|
||||
<li><code>%^https://player.vimeo.com/video/%</code> - Allow Vimeo videos</li>
|
||||
<li><code>%^https://(www.youtube.com/embed/|player.vimeo.com/video/)%</code> - Allow both</li>
|
||||
<li><code>%^http://www.youtube.com/embed/%</code> - Allow YouTube videos</li>
|
||||
<li><code>%^http://player.vimeo.com/video/%</code> - Allow Vimeo videos</li>
|
||||
<li><code>%^http://(www.youtube.com/embed/|player.vimeo.com/video/)%</code> - Allow both</li>
|
||||
</ul>
|
||||
<p>
|
||||
Note that this directive does not give you enough granularity to, say, disable
|
||||
|
||||
@ -120,7 +120,7 @@ class HTMLPurifier_Encoder
|
||||
* UTF-8 representations.
|
||||
*
|
||||
* @note Fallback code adapted from utf8ToUnicode by Henri Sivonen and
|
||||
* hsivonen@iki.fi at <https://iki.fi/hsivonen/php-utf8/> under the
|
||||
* hsivonen@iki.fi at <http://iki.fi/hsivonen/php-utf8/> under the
|
||||
* LGPL license. Notes on what changed are inside, but in general,
|
||||
* the original code transformed UTF-8 text into an array of integer
|
||||
* Unicode codepoints. Understandably, transforming that back to
|
||||
@ -289,7 +289,7 @@ class HTMLPurifier_Encoder
|
||||
/**
|
||||
* Translates a Unicode codepoint into its corresponding UTF-8 character.
|
||||
* @note Based on Feyd's function at
|
||||
* <https://forums.devnetwork.net/viewtopic.php?p=191404#191404>,
|
||||
* <http://forums.devnetwork.net/viewtopic.php?p=191404#191404>,
|
||||
* which is in public domain.
|
||||
* @note While we're going to do code point parsing anyway, a good
|
||||
* optimization would be to refuse to translate code points that
|
||||
@ -408,7 +408,7 @@ class HTMLPurifier_Encoder
|
||||
} else {
|
||||
trigger_error(
|
||||
'You have a buggy version of iconv, see https://bugs.php.net/bug.php?id=48147 ' .
|
||||
'and https://sourceware.org/bugzilla/show_bug.cgi?id=13541',
|
||||
'and http://sourceware.org/bugzilla/show_bug.cgi?id=13541',
|
||||
E_USER_ERROR
|
||||
);
|
||||
}
|
||||
|
||||
@ -35,7 +35,7 @@ class HTMLPurifier_EntityParser
|
||||
|
||||
public function __construct() {
|
||||
// From
|
||||
// https://stackoverflow.com/questions/15532252/why-is-reg-being-rendered-as-without-the-bounding-semicolon
|
||||
// http://stackoverflow.com/questions/15532252/why-is-reg-being-rendered-as-without-the-bounding-semicolon
|
||||
$semi_optional = "quot|QUOT|lt|LT|gt|GT|amp|AMP|AElig|Aacute|Acirc|Agrave|Aring|Atilde|Auml|COPY|Ccedil|ETH|Eacute|Ecirc|Egrave|Euml|Iacute|Icirc|Igrave|Iuml|Ntilde|Oacute|Ocirc|Ograve|Oslash|Otilde|Ouml|REG|THORN|Uacute|Ucirc|Ugrave|Uuml|Yacute|aacute|acirc|acute|aelig|agrave|aring|atilde|auml|brvbar|ccedil|cedil|cent|copy|curren|deg|divide|eacute|ecirc|egrave|eth|euml|frac12|frac14|frac34|iacute|icirc|iexcl|igrave|iquest|iuml|laquo|macr|micro|middot|nbsp|not|ntilde|oacute|ocirc|ograve|ordf|ordm|oslash|otilde|ouml|para|plusmn|pound|raquo|reg|sect|shy|sup1|sup2|sup3|szlig|thorn|times|uacute|ucirc|ugrave|uml|uuml|yacute|yen|yuml";
|
||||
|
||||
// NB: three empty captures to put the fourth match in the right
|
||||
|
||||
@ -112,7 +112,7 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
|
||||
|
||||
/**
|
||||
* Takes CSS (the stuff found in <style>) and cleans it.
|
||||
* @warning Requires CSSTidy <https://csstidy.sourceforge.net/>
|
||||
* @warning Requires CSSTidy <http://csstidy.sourceforge.net/>
|
||||
* @param string $css CSS styling to clean
|
||||
* @param HTMLPurifier_Config $config
|
||||
* @param HTMLPurifier_Context $context
|
||||
|
||||
@ -17,7 +17,7 @@ class HTMLPurifier_Filter_YouTube extends HTMLPurifier_Filter
|
||||
public function preFilter($html, $config, $context)
|
||||
{
|
||||
$pre_regex = '#<object[^>]+>.+?' .
|
||||
'(?:https:)?//www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
|
||||
'(?:http:)?//www.youtube.com/((?:v|cp)/[A-Za-z0-9\-_=]+).+?</object>#s';
|
||||
$pre_replace = '<span class="youtube-embed">\1</span>';
|
||||
return preg_replace($pre_regex, $pre_replace, $html);
|
||||
}
|
||||
|
||||
@ -195,7 +195,7 @@ class HTMLPurifier_Generator
|
||||
if (!$token instanceof HTMLPurifier_Token_Text) {
|
||||
return $this->generateFromToken($token);
|
||||
}
|
||||
// Thanks <https://lachy.id.au/log/2005/05/script-comments>
|
||||
// Thanks <http://lachy.id.au/log/2005/05/script-comments>
|
||||
$data = preg_replace('#//\s*$#', '', $token->data);
|
||||
return '<!--//--><![CDATA[//><!--' . "\n" . trim($data) . "\n" . '//--><!]]>';
|
||||
}
|
||||
@ -275,7 +275,7 @@ class HTMLPurifier_Generator
|
||||
public function escape($string, $quote = null)
|
||||
{
|
||||
// Workaround for APC bug on Mac Leopard reported by sidepodcast
|
||||
// https://htmlpurifier.org/phorum/read.php?3,4823,4846
|
||||
// http://htmlpurifier.org/phorum/read.php?3,4823,4846
|
||||
if ($quote === null) {
|
||||
$quote = ENT_COMPAT;
|
||||
}
|
||||
|
||||
@ -36,7 +36,7 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
|
||||
'data' => 'URI#embedded',
|
||||
'codebase' => new HTMLPurifier_AttrDef_Enum(
|
||||
array(
|
||||
'https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
|
||||
'http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0'
|
||||
)
|
||||
),
|
||||
)
|
||||
|
||||
@ -99,7 +99,7 @@ class HTMLPurifier_HTMLModuleManager
|
||||
array('Tidy_Transitional', 'Tidy_Proprietary'),
|
||||
array(),
|
||||
'-//W3C//DTD HTML 4.01 Transitional//EN',
|
||||
'https://www.w3.org/TR/html4/loose.dtd'
|
||||
'http://www.w3.org/TR/html4/loose.dtd'
|
||||
);
|
||||
|
||||
$this->doctypes->register(
|
||||
@ -109,7 +109,7 @@ class HTMLPurifier_HTMLModuleManager
|
||||
array('Tidy_Strict', 'Tidy_Proprietary', 'Tidy_Name'),
|
||||
array(),
|
||||
'-//W3C//DTD HTML 4.01//EN',
|
||||
'https://www.w3.org/TR/html4/strict.dtd'
|
||||
'http://www.w3.org/TR/html4/strict.dtd'
|
||||
);
|
||||
|
||||
$this->doctypes->register(
|
||||
@ -119,7 +119,7 @@ class HTMLPurifier_HTMLModuleManager
|
||||
array('Tidy_Transitional', 'Tidy_XHTML', 'Tidy_Proprietary', 'Tidy_Name'),
|
||||
array(),
|
||||
'-//W3C//DTD XHTML 1.0 Transitional//EN',
|
||||
'https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'
|
||||
'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'
|
||||
);
|
||||
|
||||
$this->doctypes->register(
|
||||
@ -129,7 +129,7 @@ class HTMLPurifier_HTMLModuleManager
|
||||
array('Tidy_Strict', 'Tidy_XHTML', 'Tidy_Strict', 'Tidy_Proprietary', 'Tidy_Name'),
|
||||
array(),
|
||||
'-//W3C//DTD XHTML 1.0 Strict//EN',
|
||||
'https://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'
|
||||
'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'
|
||||
);
|
||||
|
||||
$this->doctypes->register(
|
||||
@ -141,7 +141,7 @@ class HTMLPurifier_HTMLModuleManager
|
||||
array('Tidy_Strict', 'Tidy_XHTML', 'Tidy_Proprietary', 'Tidy_Strict', 'Tidy_Name'), // Tidy_XHTML1_1
|
||||
array(),
|
||||
'-//W3C//DTD XHTML 1.1//EN',
|
||||
'https://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'
|
||||
'http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd'
|
||||
);
|
||||
|
||||
}
|
||||
|
||||
@ -44,7 +44,7 @@ class HTMLPurifier_Lexer_PH5P extends HTMLPurifier_Lexer_DOMLex
|
||||
|
||||
/*
|
||||
|
||||
Copyright 2007 Jeroen van der Meer <https://jero.net/>
|
||||
Copyright 2007 Jeroen van der Meer <http://jero.net/>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a
|
||||
copy of this software and associated documentation files (the
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
*
|
||||
* @note Size is an interesting case because it doesn't map cleanly to CSS.
|
||||
* Thanks to
|
||||
* https://style.cleverchimp.com/font_size_intervals/altintervals.html
|
||||
* http://style.cleverchimp.com/font_size_intervals/altintervals.html
|
||||
* for reasonable mappings.
|
||||
* @warning This doesn't work completely correctly; specifically, this
|
||||
* TagTransform operates before well-formedness is enforced, so
|
||||
|
||||
@ -153,7 +153,7 @@ class HTMLPurifier_URI
|
||||
$segments_encoder = new HTMLPurifier_PercentEncoder($chars_pchar . '/');
|
||||
if (!is_null($this->host)) { // this catches $this->host === ''
|
||||
// path-abempty (hier and relative)
|
||||
// https://www.example.com/my/path
|
||||
// http://www.example.com/my/path
|
||||
// //www.example.com/my/path (looks odd, but works, and
|
||||
// recognized by most browsers)
|
||||
// (this set is valid or invalid on a scheme by scheme
|
||||
@ -164,12 +164,12 @@ class HTMLPurifier_URI
|
||||
} elseif ($this->path !== '') {
|
||||
if ($this->path[0] === '/') {
|
||||
// path-absolute (hier and relative)
|
||||
// https:/my/path
|
||||
// http:/my/path
|
||||
// /my/path
|
||||
if (strlen($this->path) >= 2 && $this->path[1] === '/') {
|
||||
// This could happen if both the host gets stripped
|
||||
// out
|
||||
// https://my/path
|
||||
// http://my/path
|
||||
// //my/path
|
||||
$this->path = '';
|
||||
} else {
|
||||
@ -177,7 +177,7 @@ class HTMLPurifier_URI
|
||||
}
|
||||
} elseif (!is_null($this->scheme)) {
|
||||
// path-rootless (hier)
|
||||
// https:my/path
|
||||
// http:my/path
|
||||
// Short circuit evaluation means we don't need to check nz
|
||||
$this->path = $segments_encoder->encode($this->path);
|
||||
} else {
|
||||
@ -221,8 +221,8 @@ class HTMLPurifier_URI
|
||||
// reconstruct authority
|
||||
$authority = null;
|
||||
// there is a rendering difference between a null authority
|
||||
// (https:foo-bar) and an empty string authority
|
||||
// (https:///foo-bar).
|
||||
// (http:foo-bar) and an empty string authority
|
||||
// (http:///foo-bar).
|
||||
if (!is_null($this->host)) {
|
||||
$authority = '';
|
||||
if (!is_null($this->userinfo)) {
|
||||
@ -238,7 +238,7 @@ class HTMLPurifier_URI
|
||||
// One might wonder about parsing quirks from browsers after
|
||||
// this reconstruction. Unfortunately, parsing behavior depends
|
||||
// on what *scheme* was employed (file:///foo is handled *very*
|
||||
// differently than https:///foo), so unfortunately we have to
|
||||
// differently than http:///foo), so unfortunately we have to
|
||||
// defer to the schemes to do the right thing.
|
||||
$result = '';
|
||||
if (!is_null($this->scheme)) {
|
||||
|
||||
@ -72,7 +72,7 @@ abstract class HTMLPurifier_URIScheme
|
||||
(!is_null($uri->scheme) && ($uri->host === '' || is_null($uri->host))) ||
|
||||
// if the scheme is not present, a *blank* host is in error,
|
||||
// since this translates into '///path' which most browsers
|
||||
// interpret as being 'https://path'.
|
||||
// interpret as being 'http://path'.
|
||||
(is_null($uri->scheme) && $uri->host === '')
|
||||
) {
|
||||
do {
|
||||
|
||||
Reference in New Issue
Block a user