3
require_once 'HTMLPurifier/AttrDef.php';
5
// whitelisting allowed fonts would be nice
8
4
* Validates a font family list according to CSS spec
5
* @todo whitelisting allowed fonts would be nice
10
7
class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
13
function validate($string, $config, &$context) {
10
public function validate($string, $config, $context) {
14
11
static $generic_names = array(
16
13
'sans-serif' => true,
38
35
if ($font[$length - 1] !== $quote) continue;
39
36
$font = substr($font, 1, $length - 2);
42
for ($i = 0, $c = strlen($font); $i < $c; $i++) {
43
if ($font[$i] === '\\') {
49
if (ctype_xdigit($font[$i])) {
51
for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
52
if (!ctype_xdigit($font[$i])) break;
55
// We have to be extremely careful when adding
56
// new characters, to make sure we're not breaking
58
$char = HTMLPurifier_Encoder::unichr(hexdec($code));
59
if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
61
if ($i < $c && trim($font[$i]) !== '') $i--;
64
if ($font[$i] === "\n") continue;
66
$new_font .= $font[$i];
39
$font = $this->expandCSSEscape($font);
71
41
// $font is a pure representation of the font name
73
43
if (ctype_alnum($font) && $font !== '') {
74
44
// very simple font, allow it in unharmed
75
45
$final .= $font . ', ';
49
// bugger out on whitespace. form feed (0C) really
50
// shouldn't show up regardless
51
$font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
53
// These ugly transforms don't pose a security
54
// risk (as \\ and \" might). We could try to be clever and
55
// use single-quote wrapping when there is a double quote
56
// present, but I have choosen not to implement that.
57
// (warning: this code relies on the selection of quotation
59
$font = str_replace('\\', '\\5C ', $font);
60
$font = str_replace('"', '\\22 ', $font);
79
62
// complicated font, requires quoting
81
// armor single quotes and new lines
82
$font = str_replace("\\", "\\\\", $font);
83
$font = str_replace("'", "\\'", $font);
84
$final .= "'$font', ";
63
$final .= "\"$font\", "; // note that this will later get turned into "
86
65
$final = rtrim($final, ', ');
87
66
if ($final === '') return false;