lib/htmlpurifier/HTMLPurifier/AttrDef/CSS/FontFamily.php

   1 <?php
   2
   3 require_once 'HTMLPurifier/AttrDef.php';
   4
   5 // whitelisting allowed fonts would be nice
   6
   7 /**
   8  * Validates a font family list according to CSS spec
   9  */
  10 class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
  11 {
  12
  13     function validate($string, $config, &$context) {
  14         static $generic_names = array(
  15             'serif' => true,
  16             'sans-serif' => true,
  17             'monospace' => true,
  18             'fantasy' => true,
  19             'cursive' => true
  20         );
  21
  22         $string = $this->parseCDATA($string);
  23         // assume that no font names contain commas in them
  24         $fonts = explode(',', $string);
  25         $final = '';
  26         foreach($fonts as $font) {
  27             $font = trim($font);
  28             if ($font === '') continue;
  29             // match a generic name
  30             if (isset($generic_names[$font])) {
  31                 $final .= $font . ', ';
  32                 continue;
  33             }
  34             // match a quoted name
  35             if ($font[0] === '"' || $font[0] === "'") {
  36                 $length = strlen($font);
  37                 if ($length <= 2) continue;
  38                 $quote = $font[0];
  39                 if ($font[$length - 1] !== $quote) continue;
  40                 $font = substr($font, 1, $length - 2);
  41                 // double-backslash processing is buggy
  42                 $font = str_replace("\\$quote", $quote, $font); // de-escape quote
  43                 $font = str_replace("\\\n", "\n", $font);       // de-escape newlines
  44             }
  45             // $font is a pure representation of the font name
  46
  47             if (ctype_alnum($font)) {
  48                 // very simple font, allow it in unharmed
  49                 $final .= $font . ', ';
  50                 continue;
  51             }
  52
  53             // complicated font, requires quoting
  54
  55             // armor single quotes and new lines
  56             $font = str_replace("'", "\\'", $font);
  57             $font = str_replace("\n", "\\\n", $font);
  58             $final .= "'$font', ";
  59         }
  60         $final = rtrim($final, ', ');
  61         if ($final === '') return false;
  62         return $final;
  63     }
  64
  65 }
  66