Skip to content

Commit

Permalink
feat: Allow universal CSS values for all properties (#410)
Browse files Browse the repository at this point in the history
  • Loading branch information
zerocrates authored Jun 28, 2024
1 parent 93bee73 commit 9723267
Show file tree
Hide file tree
Showing 5 changed files with 43 additions and 21 deletions.
14 changes: 9 additions & 5 deletions library/HTMLPurifier/AttrDef/CSS.php
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,13 @@ public function validate($css, $config, $context)
$definition = $config->getCSSDefinition();
$allow_duplicates = $config->get("CSS.AllowDuplicates");

$universal_attrdef = new HTMLPurifier_AttrDef_Enum(
array(
'initial',
'inherit',
'unset',
)
);

// According to the CSS2.1 spec, the places where a
// non-delimiting semicolon can appear are in strings
Expand Down Expand Up @@ -96,16 +103,13 @@ public function validate($css, $config, $context)
if (!$ok) {
continue;
}
// inefficient call, since the validator will do this again
if (strtolower(trim($value)) !== 'inherit') {
// inherit works for everything (but only on the base property)
$result = $universal_attrdef->validate($value, $config, $context);
if ($result === false) {
$result = $definition->info[$property]->validate(
$value,
$config,
$context
);
} else {
$result = 'inherit';
}
if ($result === false) {
continue;
Expand Down
22 changes: 7 additions & 15 deletions library/HTMLPurifier/CSSDefinition.php
Original file line number Diff line number Diff line change
Expand Up @@ -116,8 +116,6 @@ protected function doSetup($config)
'auto',
'cover',
'contain',
'initial',
'inherit',
]
),
new HTMLPurifier_AttrDef_CSS_Percentage(),
Expand Down Expand Up @@ -236,21 +234,20 @@ protected function doSetup($config)
[
new HTMLPurifier_AttrDef_CSS_Length('0'),
new HTMLPurifier_AttrDef_CSS_Percentage(true),
new HTMLPurifier_AttrDef_Enum(['auto', 'initial', 'inherit'])
new HTMLPurifier_AttrDef_Enum(['auto'])
]
);
$trusted_min_wh = new HTMLPurifier_AttrDef_CSS_Composite(
[
new HTMLPurifier_AttrDef_CSS_Length('0'),
new HTMLPurifier_AttrDef_CSS_Percentage(true),
new HTMLPurifier_AttrDef_Enum(['initial', 'inherit'])
]
);
$trusted_max_wh = new HTMLPurifier_AttrDef_CSS_Composite(
[
new HTMLPurifier_AttrDef_CSS_Length('0'),
new HTMLPurifier_AttrDef_CSS_Percentage(true),
new HTMLPurifier_AttrDef_Enum(['none', 'initial', 'inherit'])
new HTMLPurifier_AttrDef_Enum(['none'])
]
);
$max = $config->get('CSS.MaxImgLength');
Expand Down Expand Up @@ -278,12 +275,7 @@ protected function doSetup($config)
new HTMLPurifier_AttrDef_Switch(
'img',
// For img tags:
new HTMLPurifier_AttrDef_CSS_Composite(
[
new HTMLPurifier_AttrDef_CSS_Length('0', $max),
new HTMLPurifier_AttrDef_Enum(['initial', 'inherit'])
]
),
new HTMLPurifier_AttrDef_CSS_Length('0', $max),
// For everyone else:
$trusted_min_wh
);
Expand All @@ -297,7 +289,7 @@ protected function doSetup($config)
new HTMLPurifier_AttrDef_CSS_Composite(
[
new HTMLPurifier_AttrDef_CSS_Length('0', $max),
new HTMLPurifier_AttrDef_Enum(['none', 'initial', 'inherit'])
new HTMLPurifier_AttrDef_Enum(['none'])
]
),
// For everyone else:
Expand All @@ -315,19 +307,19 @@ protected function doSetup($config)
$this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration();

$this->info['text-decoration-line'] = new HTMLPurifier_AttrDef_Enum(
['none', 'underline', 'overline', 'line-through', 'initial', 'inherit']
['none', 'underline', 'overline', 'line-through']
);

$this->info['text-decoration-style'] = new HTMLPurifier_AttrDef_Enum(
['solid', 'double', 'dotted', 'dashed', 'wavy', 'initial', 'inherit']
['solid', 'double', 'dotted', 'dashed', 'wavy']
);

$this->info['text-decoration-color'] = new HTMLPurifier_AttrDef_CSS_Color();

$this->info['text-decoration-thickness'] = new HTMLPurifier_AttrDef_CSS_Composite([
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage(),
new HTMLPurifier_AttrDef_Enum(['auto', 'from-font', 'initial', 'inherit'])
new HTMLPurifier_AttrDef_Enum(['auto', 'from-font'])
]);

$this->info['font-family'] = new HTMLPurifier_AttrDef_CSS_FontFamily();
Expand Down
17 changes: 17 additions & 0 deletions library/HTMLPurifier/Filter/ExtractStyleBlocks.php
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,11 @@ class HTMLPurifier_Filter_ExtractStyleBlocks extends HTMLPurifier_Filter
*/
private $_enum_attrdef;

/**
* @type HTMLPurifier_AttrDef_Enum
*/
private $_universal_attrdef;

public function __construct()
{
$this->_tidy = new csstidy();
Expand All @@ -70,6 +75,13 @@ public function __construct()
'focus'
)
);
$this->_universal_attrdef = new HTMLPurifier_AttrDef_Enum(
array(
'initial',
'inherit',
'unset',
)
);
}

/**
Expand Down Expand Up @@ -307,6 +319,11 @@ public function cleanCSS($css, $config, $context)
unset($style[$name]);
continue;
}
$uni_ret = $this->_universal_attrdef->validate($value, $config, $context);
if ($uni_ret !== false) {
$style[$name] = $uni_ret;
continue;
}
$def = $css_definition->info[$name];
$ret = $def->validate($value, $config, $context);
if ($ret === false) {
Expand Down
4 changes: 3 additions & 1 deletion tests/HTMLPurifier/AttrDef/CSSTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -120,8 +120,10 @@ public function test()
$this->assertDef('text-transform:capitalize;destroy:it;',
'text-transform:capitalize;');

// inherit works for everything
// universal values work for everything
$this->assertDef('text-align:inherit;');
$this->assertDef('text-align:initial;');
$this->assertDef('text-align:unset;');

// bad props
$this->assertDef('nodice:foobar;', false);
Expand Down
7 changes: 7 additions & 0 deletions tests/HTMLPurifier/Filter/ExtractStyleBlocksTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,13 @@ public function test_cleanCSS_selector()
$this->assertCleanCSS("a .foo #id div.cl#foo {\nfont-weight:700\n}");
}

public function test_cleanCSS_universals()
{
$this->assertCleanCSS("a {\nfont-weight:inherit\n}");
$this->assertCleanCSS("a {\nfont-weight:initial\n}");
$this->assertCleanCSS("a {\nfont-weight:unset\n}");
}

public function test_cleanCSS_angledBrackets()
{
// [Content] No longer can smuggle in angled brackets using
Expand Down

0 comments on commit 9723267

Please sign in to comment.