1: <?php
2: /**
3: * CHtmlPurifier class file.
4: *
5: * @author Qiang Xue <qiang.xue@gmail.com>
6: * @link http://www.yiiframework.com/
7: * @copyright 2008-2013 Yii Software LLC
8: * @license http://www.yiiframework.com/license/
9: */
10:
// Bootstrap the bundled HTML Purifier only once per request. The second argument to
// class_exists() disables autoloading, so the check only sees classes that are already
// loaded; when the bootstrap class is absent, the standalone build is pulled in from the
// framework's vendor directory and its own autoloader is registered.
if(class_exists('HTMLPurifier_Bootstrap',false)===false)
{
    require_once Yii::getPathOfAlias('system.vendors.htmlpurifier').DIRECTORY_SEPARATOR.'HTMLPurifier.standalone.php';
    HTMLPurifier_Bootstrap::registerAutoload();
}
16:
17: /**
18: * CHtmlPurifier is a wrapper of {@link http://htmlpurifier.org HTML Purifier}.
19: *
20: * CHtmlPurifier removes all malicious code (better known as XSS) with a thoroughly audited,
21: * secure yet permissive whitelist. It will also make sure the resulting code
22: * is standards-compliant.
23: *
24: * CHtmlPurifier can be used as either a widget or a controller filter.
25: *
26: * Note: since HTML Purifier is a big package, its performance is not very good.
27: * You should consider either caching the purification result or purifying the user input
28: * before saving it to the database.
29: *
30: * Usage as a class:
31: * <pre>
32: * $p = new CHtmlPurifier();
33: * $p->options = array('URI.AllowedSchemes'=>array(
34: * 'http' => true,
35: * 'https' => true,
36: * ));
37: * $text = $p->purify($text);
38: * </pre>
39: *
40: * Usage as validation rule:
41: * <pre>
42: * array('text','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),
43: * </pre>
44: *
45: * @author Qiang Xue <qiang.xue@gmail.com>
46: * @package system.web.widgets
47: * @since 1.0
48: */
class CHtmlPurifier extends COutputProcessor
{
    /**
     * @var HTMLPurifier|null the lazily created HTML Purifier instance; null until
     * {@link getPurifier} or {@link setOptions} builds one.
     */
    private $_purifier;
    /**
     * @var mixed the options handed to the HTML Purifier constructor.
     * This can be a HTMLPurifier_Config object, an array of directives (Namespace.Directive => Value)
     * or the filename of an ini file.
     * Note that 'Cache.SerializerPath' is always forced to the application runtime path
     * by {@link createNewHtmlPurifierInstance}, so a value given here for that directive is overridden.
     * @see http://htmlpurifier.org/live/configdoc/plain.html
     */
    private $_options=null;

    /**
     * Processes the captured output.
     * The captured output is run through {@link purify} and the cleaned result is then
     * handed to the parent implementation.
     * @param string $output the captured output to be processed
     */
    public function processOutput($output)
    {
        parent::processOutput($this->purify($output));
    }

    /**
     * Purifies the HTML content by removing malicious code.
     * Arrays are purified recursively, element by element (keys are preserved), so nested
     * form input is cleaned down to every leaf value. Any non-array value is passed to
     * HTMLPurifier::purify() unchanged, i.e. it is expected to be a string of HTML.
     * The result is sanitized HTML markup, not escaped text; it is meant for insertion
     * into HTML body content and is not a substitute for context-specific escaping elsewhere.
     * @param mixed $content the content to be purified.
     * @return mixed the purified content
     */
    public function purify($content)
    {
        if(!is_array($content))
            return $this->getPurifier()->purify($content);
        return array_map(array($this,'purify'),$content);
    }

    /**
     * Sets the options for HTML Purifier.
     * A fresh HTML Purifier instance is built from the new options right away,
     * replacing any instance created earlier, so later {@link purify} calls use them.
     * @param mixed $options the options for HTML Purifier
     * @return static the object instance itself
     */
    public function setOptions($options)
    {
        $this->_options=$options;
        $this->createNewHtmlPurifierInstance();
        return $this;
    }

    /**
     * Returns the options the HTML Purifier instance is (or will be) created with.
     * @return mixed the HTML Purifier instance options
     */
    public function getOptions()
    {
        return $this->_options;
    }

    /**
     * Returns the HTML Purifier instance, creating it on first use.
     * @return HTMLPurifier
     */
    protected function getPurifier()
    {
        if($this->_purifier===null)
            $this->createNewHtmlPurifierInstance();
        return $this->_purifier;
    }

    /**
     * Creates a new HTML Purifier instance from {@link getOptions} and stores it.
     * The instance is stored before its configuration is touched, so the stored instance
     * is always the most recently constructed one.
     * @return HTMLPurifier
     */
    protected function createNewHtmlPurifierInstance()
    {
        $this->_purifier=new HTMLPurifier($this->getOptions());
        // HTML Purifier serializes its definition cache to disk; point it at the application
        // runtime directory, overriding any Cache.SerializerPath supplied in the options.
        // NOTE(review): that directory must be writable by the PHP process for the cache to
        // work and is expected to sit outside the web root - confirm for this deployment.
        $config=$this->_purifier->config;
        $config->set('Cache.SerializerPath',Yii::app()->getRuntimePath());
        return $this->_purifier;
    }
}
131: