1
0
www.mikescher.com/framework/web/widgets/CHtmlPurifier.php

131 lines
3.5 KiB
PHP

<?php
/**
* CHtmlPurifier class file.
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @link http://www.yiiframework.com/
* @copyright 2008-2013 Yii Software LLC
* @license http://www.yiiframework.com/license/
*/
if(!class_exists('HTMLPurifier_Bootstrap',false))
{
require_once(Yii::getPathOfAlias('system.vendors.htmlpurifier').DIRECTORY_SEPARATOR.'HTMLPurifier.standalone.php');
HTMLPurifier_Bootstrap::registerAutoload();
}
/**
* CHtmlPurifier is wrapper of {@link http://htmlpurifier.org HTML Purifier}.
*
* CHtmlPurifier removes all malicious code (better known as XSS) with a thoroughly audited,
* secure yet permissive whitelist. It will also make sure the resulting code
* is standard-compliant.
*
* CHtmlPurifier can be used as either a widget or a controller filter.
*
* Note: since HTML Purifier is a big package, its performance is not very good.
* You should consider either caching the purification result or purifying the user input
* before saving to database.
*
* Usage as a class:
* <pre>
* $p = new CHtmlPurifier();
* $p->options = array('URI.AllowedSchemes'=>array(
* 'http' => true,
* 'https' => true,
* ));
* $text = $p->purify($text);
* </pre>
*
* Usage as validation rule:
* <pre>
* array('text','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),
* </pre>
*
* @author Qiang Xue <qiang.xue@gmail.com>
* @package system.web.widgets
* @since 1.0
*/
class CHtmlPurifier extends COutputProcessor
{
/**
* @var object the HTML Purifier instance.
*/
private $_purifier;
/**
* @var mixed the options to be passed to HTML Purifier instance.
* This can be a HTMLPurifier_Config object, an array of directives (Namespace.Directive => Value)
* or the filename of an ini file.
* @see http://htmlpurifier.org/live/configdoc/plain.html
*/
private $_options=null;
/**
* Processes the captured output.
* This method purifies the output using {@link http://htmlpurifier.org HTML Purifier}.
* @param string $output the captured output to be processed
*/
public function processOutput($output)
{
$output=$this->purify($output);
parent::processOutput($output);
}
/**
* Purifies the HTML content by removing malicious code.
* @param mixed $content the content to be purified.
* @return mixed the purified content
*/
public function purify($content)
{
if(is_array($content))
$content=array_map(array($this,'purify'),$content);
else
$content=$this->getPurifier()->purify($content);
return $content;
}
/**
* Set the options for HTML Purifier and create a new HTML Purifier instance based on these options.
* @param mixed $options the options for HTML Purifier
* @return CHtmlPurifier
*/
public function setOptions($options)
{
$this->_options=$options;
$this->createNewHtmlPurifierInstance();
return $this;
}
/**
* Get the options for the HTML Purifier instance.
* @return mixed the HTML Purifier instance options
*/
public function getOptions()
{
return $this->_options;
}
/**
* Get the HTML Purifier instance or create a new one if it doesn't exist.
* @return HTMLPurifier
*/
protected function getPurifier()
{
if($this->_purifier!==null)
return $this->_purifier;
return $this->createNewHtmlPurifierInstance();
}
/**
* Create a new HTML Purifier instance.
* @return HTMLPurifier
*/
protected function createNewHtmlPurifierInstance()
{
$this->_purifier=new HTMLPurifier($this->getOptions());
$this->_purifier->config->set('Cache.SerializerPath',Yii::app()->getRuntimePath());
return $this->_purifier;
}
}