Search moodle.org's
Developer Documentation

See Release Notes

  • Bug fixes for general core bugs in 4.0.x will end 8 May 2023 (12 months).
  • Bug fixes for security issues in 4.0.x will end 13 November 2023 (18 months).
  • PHP version: minimum PHP 7.3.0. Note: the minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is also supported.
   1  <?php
   2  
   3  /**

   4   * Base class for all validating attribute definitions.

   5   *

   6   * This family of classes forms the core for not only HTML attribute validation,

   7   * but also any sort of string that needs to be validated or cleaned (which

   8   * means CSS properties and composite definitions are defined here too).

   9   * Besides defining (through code) what precisely makes the string valid,

  10   * subclasses are also responsible for cleaning the code if possible.

  11   */
  12  
  13  abstract class HTMLPurifier_AttrDef
  14  {
  15  
  16      /**

  17       * Tells us whether or not an HTML attribute is minimized.

  18       * Has no meaning in other contexts.

  19       * @type bool

  20       */
  21      public $minimized = false;
  22  
  23      /**

  24       * Tells us whether or not an HTML attribute is required.

  25       * Has no meaning in other contexts

  26       * @type bool

  27       */
  28      public $required = false;
  29  
  30      /**

  31       * Validates and cleans passed string according to a definition.

  32       *

  33       * @param string $string String to be validated and cleaned.

  34       * @param HTMLPurifier_Config $config Mandatory HTMLPurifier_Config object.

  35       * @param HTMLPurifier_Context $context Mandatory HTMLPurifier_Context object.

  36       */
  37      abstract public function validate($string, $config, $context);
  38  
  39      /**

  40       * Convenience method that parses a string as if it were CDATA.

  41       *

  42       * This method process a string in the manner specified at

  43       * <http://www.w3.org/TR/html4/types.html#h-6.2> by removing

  44       * leading and trailing whitespace, ignoring line feeds, and replacing

  45       * carriage returns and tabs with spaces.  While most useful for HTML

  46       * attributes specified as CDATA, it can also be applied to most CSS

  47       * values.

  48       *

  49       * @note This method is not entirely standards compliant, as trim() removes

  50       *       more types of whitespace than specified in the spec. In practice,

  51       *       this is rarely a problem, as those extra characters usually have

  52       *       already been removed by HTMLPurifier_Encoder.

  53       *

  54       * @warning This processing is inconsistent with XML's whitespace handling

  55       *          as specified by section 3.3.3 and referenced XHTML 1.0 section

  56       *          4.7.  However, note that we are NOT necessarily

  57       *          parsing XML, thus, this behavior may still be correct. We

  58       *          assume that newlines have been normalized.

  59       */
  60      public function parseCDATA($string)
  61      {
  62          $string = trim($string);
  63          $string = str_replace(array("\n", "\t", "\r"), ' ', $string);
  64          return $string;
  65      }
  66  
  67      /**

  68       * Factory method for creating this class from a string.

  69       * @param string $string String construction info

  70       * @return HTMLPurifier_AttrDef Created AttrDef object corresponding to $string

  71       */
  72      public function make($string)
  73      {
  74          // default implementation, return a flyweight of this object.

  75          // If $string has an effect on the returned object (i.e. you

  76          // need to overload this method), it is best

  77          // to clone or instantiate new copies. (Instantiation is safer.)

  78          return $this;
  79      }
  80  
  81      /**

  82       * Removes spaces from rgb(0, 0, 0) so that shorthand CSS properties work

  83       * properly. THIS IS A HACK!

  84       * @param string $string a CSS colour definition

  85       * @return string

  86       */
  87      protected function mungeRgb($string)
  88      {
  89          $p = '\s*(\d+(\.\d+)?([%]?))\s*';
  90  
  91          if (preg_match('/(rgba|hsla)\(/', $string)) {
  92              return preg_replace('/(rgba|hsla)\('.$p.','.$p.','.$p.','.$p.'\)/', '\1(\2,\5,\8,\11)', $string);
  93          }
  94  
  95          return preg_replace('/(rgb|hsl)\('.$p.','.$p.','.$p.'\)/', '\1(\2,\5,\8)', $string);
  96      }
  97  
  98      /**

  99       * Parses a possibly escaped CSS string and returns the "pure"

 100       * version of it.

 101       */
 102      protected function expandCSSEscape($string)
 103      {
 104          // flexibly parse it

 105          $ret = '';
 106          for ($i = 0, $c = strlen($string); $i < $c; $i++) {
 107              if ($string[$i] === '\\') {
 108                  $i++;
 109                  if ($i >= $c) {
 110                      $ret .= '\\';
 111                      break;
 112                  }
 113                  if (ctype_xdigit($string[$i])) {
 114                      $code = $string[$i];
 115                      for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
 116                          if (!ctype_xdigit($string[$i])) {
 117                              break;
 118                          }
 119                          $code .= $string[$i];
 120                      }
 121                      // We have to be extremely careful when adding

 122                      // new characters, to make sure we're not breaking

 123                      // the encoding.

 124                      $char = HTMLPurifier_Encoder::unichr(hexdec($code));
 125                      if (HTMLPurifier_Encoder::cleanUTF8($char) === '') {
 126                          continue;
 127                      }
 128                      $ret .= $char;
 129                      if ($i < $c && trim($string[$i]) !== '') {
 130                          $i--;
 131                      }
 132                      continue;
 133                  }
 134                  if ($string[$i] === "\n") {
 135                      continue;
 136                  }
 137              }
 138              $ret .= $string[$i];
 139          }
 140          return $ret;
 141      }
 142  }
 143  
 144  // vim: et sw=4 sts=4