Filter.ExtractStyleBlocks
TYPE: bool
VERSION: 3.1.0
DEFAULT: false
EXTERNAL: CSSTidy
--DESCRIPTION--
<p>
This directive turns on the style block extraction filter, which removes
<code>style</code> blocks from input HTML, cleans them up with CSSTidy,
and places them in the <code>StyleBlocks</code> context variable, for further
use by you, usually to be placed in an external stylesheet, or a
<code>style</code> block in the <code>head</code> of your document.
</p>
<p>
Sample usage:
</p>
<pre><![CDATA[
<?php
header('Content-type: text/html; charset=utf-8');
echo '<?xml version="1.0" encoding="UTF-8"?>';
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Filter.ExtractStyleBlocks</title>
<?php
require_once '/path/to/library/HTMLPurifier.auto.php';
require_once '/path/to/csstidy.class.php';

$dirty = '<style>body {color:#F00;}</style> Some text';

$config = HTMLPurifier_Config::createDefault();
$config->set('Filter', 'ExtractStyleBlocks', true);
$purifier = new HTMLPurifier($config);

$html = $purifier->purify($dirty);

// This implementation writes the stylesheets to the styles/ directory.
// You can also echo the styles inside the document, but it's a bit
// more difficult to make sure they get interpreted properly by
// browsers; try the usual CSS armoring techniques.
$styles = $purifier->context->get('StyleBlocks');
$dir = 'styles/';
if (!is_dir($dir)) mkdir($dir);
// Name the files after a hash of the input that was purified.
$hash = sha1($dirty);
foreach ($styles as $i => $style) {
    // Write the cleaned CSS for this block, then link to it.
    file_put_contents($name = $dir . $hash . "_$i", $style);
    echo '<link rel="stylesheet" type="text/css" href="'.$name.'" />';
}
?>
</head>
<body>
<div>
<?php echo $html; ?>
</div>
</b]]><![CDATA[ody>
</html>
]]></pre>
<p>
<strong>Warning:</strong> It is possible for a user to mount an
imagecrash attack using this CSS. Countermeasures are difficult;
it is not enough simply to limit the range of CSS lengths (using
relative lengths with many nesting levels allows large values
to be attained without actually specifying them in the stylesheet),
and the flexible nature of selectors makes it difficult to selectively
disable lengths on image tags (HTML Purifier does, however, disable
CSS width and height in inline styling). There are probably two effective
countermeasures: an explicit width and height set to auto in all
images in your document (unlikely) or the disabling of width and
height (somewhat reasonable). Whether or not these measures should be
used is left to the reader.
</p>
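<p>
Added example (not part of the HTML Purifier distribution): one way to apply
the second countermeasure above, disabling width and height, to extracted
style blocks. It assumes HTML Purifier 4.2.0 or later for the
<code>CSS.ForbiddenProperties</code> directive and that the extraction filter
validates against the configured CSS definition; the function name
<code>purify_without_lengths</code> and the input string are constructed for
illustration, and the code fails closed if either property survives.
</p>

```php
<?php
// Added example, not HTML Purifier's own code. Paths are placeholders.
// Assumption: HTML Purifier 4.2.0+ (CSS.ForbiddenProperties) with CSSTidy.
require_once '/path/to/library/HTMLPurifier.auto.php';
require_once '/path/to/csstidy.class.php';

/**
 * Purify $dirty and return array(clean HTML, extracted style blocks),
 * with width and height disabled in every extracted rule.
 * (Hypothetical helper name, introduced for this example.)
 */
function purify_without_lengths($dirty)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Filter.ExtractStyleBlocks', true);
    // Remove width/height from the CSS definition used for validation.
    $config->set('CSS.ForbiddenProperties', array('width', 'height'));

    $purifier = new HTMLPurifier($config);
    $html     = $purifier->purify($dirty);
    $styles   = $purifier->context->get('StyleBlocks');

    // Fail closed: refuse the output if a width/height declaration
    // survived (for example, on a version that ignores the directive).
    foreach ($styles as $css) {
        if (preg_match('/(?:^|[{;\s])(?:width|height)\s*:/i', $css)) {
            throw new RuntimeException('width/height survived style extraction');
        }
    }
    return array($html, $styles);
}

// Constructed input: relative lengths applied to images via a style block.
$dirty = '<style>div img { width: 1000%; height: 1000%; border: 1px solid #000; }</style>'
       . '<div><img src="a.png" alt="a" /></div>';

list($html, $styles) = purify_without_lengths($dirty);
foreach ($styles as $i => $css) {
    echo "/* block $i */\n", $css, "\n";
}
echo $html, "\n";
```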
--# vim: et sw=4 sts=4