HTMLPurifier: library/HTMLPurifier/AttrDef/CSS/FontFamily.php Source File

00001 <?php
00002 
00007 class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
00008 {
00009     
00010     public function validate($string, $config, $context) {
00011         static $generic_names = array(
00012             'serif' => true,
00013             'sans-serif' => true,
00014             'monospace' => true,
00015             'fantasy' => true,
00016             'cursive' => true
00017         );
00018         
00019         // assume that no font names contain commas in them
00020         $fonts = explode(',', $string);
00021         $final = '';
00022         foreach($fonts as $font) {
00023             $font = trim($font);
00024             if ($font === '') continue;
00025             // match a generic name
00026             if (isset($generic_names[$font])) {
00027                 $final .= $font . ', ';
00028                 continue;
00029             }
00030             // match a quoted name
00031             if ($font[0] === '"' || $font[0] === "'") {
00032                 $length = strlen($font);
00033                 if ($length <= 2) continue;
00034                 $quote = $font[0];
00035                 if ($font[$length - 1] !== $quote) continue;
00036                 $font = substr($font, 1, $length - 2);
00037                 
00038                 $new_font = '';
00039                 for ($i = 0, $c = strlen($font); $i < $c; $i++) {
00040                     if ($font[$i] === '\\') {
00041                         $i++;
00042                         if ($i >= $c) {
00043                             $new_font .= '\\';
00044                             break;
00045                         }
00046                         if (ctype_xdigit($font[$i])) {
00047                             $code = $font[$i];
00048                             for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
00049                                 if (!ctype_xdigit($font[$i])) break;
00050                                 $code .= $font[$i];
00051                             }
00052                             // We have to be extremely careful when adding
00053                             // new characters, to make sure we're not breaking
00054                             // the encoding.
00055                             $char = HTMLPurifier_Encoder::unichr(hexdec($code));
00056                             if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
00057                             $new_font .= $char;
00058                             if ($i < $c && trim($font[$i]) !== '') $i--;
00059                             continue;
00060                         }
00061                         if ($font[$i] === "\n") continue;
00062                     }
00063                     $new_font .= $font[$i];
00064                 }
00065                 
00066                 $font = $new_font;
00067             }
00068             // $font is a pure representation of the font name
00069             
00070             if (ctype_alnum($font) && $font !== '') {
00071                 // very simple font, allow it in unharmed
00072                 $final .= $font . ', ';
00073                 continue;
00074             }
00075             
00076             // complicated font, requires quoting
00077             
00078             // armor single quotes and new lines
00079             $font = str_replace("\\", "\\\\", $font);
00080             $font = str_replace("'", "\\'", $font);
00081             $final .= "'$font', ";
00082         }
00083         $final = rtrim($final, ', ');
00084         if ($final === '') return false;
00085         return $final;
00086     }
00087     
00088 }
00089