That, and more. CSSTidy doesn't guarantee standards-compliance with the CSS spec; HTML Purifier does. :-)

Not sure what you mean by non-OOP. It does use classes and objects and the like... Do you mean it doesn't fully take advantage of OOP features? If so, which ones?

OOP is not simply using classes and objects; it's a design philosophy. Consequently, the question what "features" aren't being used is a little nonsensical. Polymorphism is a biggy, though.

No, this is not a pressing need. But some might prefer to work with a particular standard (and the rest of us in the world, (i.e., US, Liberia, and Myanmar) should already be using metric!)).

True. But practically speaking, HTML Purifier's output is meant for output-only (and not re-editing by the person), so a conversion would introduce errors in scaling without any tangible benefit.

To parse a style string, couldn't you just encapsulate the whole string in a dummy class selector or the like and then strip it?

The problem with this approach is if the user passes something like text-align:left;}more-css:properties;. In theory, this is harmless in terms of security, but the user will end up loosing the rest the CSS string even though we should be able to keep it.

We've encountered this problem previously with HTMLPurifier_Lexer_DOMLex; this lexer operates by wrapping everything in HTML/BODY/DIV tags, so if a user has a stray closing div tag, the rest of the document mysteriously disappears.

Within CSSTidy, the file data.inc.php has some groupings of allowable CSS which might, I think, should be easily manipulated by functions (if not themselves grouped into modules) to remove groups of allowable values (e.g., if people didn't want certain colors allowed, certain properties (e.g., display which could hide elements), etc., as I saw discussed on one of your ideas pages).

I noticed this. However, as of right now HTML Purifier is completely bypassing CSSTidy's validation/optimization logic, so all these validations are done on HTML Purifier's side (there's no way of guaranteeing the security of CSSTidy's validation either).

You meant CSSTidy doesn't also guarantee security, right? I take it you're referring to bogus image insertions, etc.? Can we do something about that?

I am using CSSTidy almost solely for its parsing capabilities. It'll be interesting to see what from this file we can reuse, but it's non-OOP design makes it more difficult to jive with HTML Purifier.

Not sure what you mean by non-OOP. It does use classes and objects and the like... Do you mean it doesn't fully take advantage of OOP features? If so, which ones?

Oh, also had the idea while looking at the units to have a function optionally auto-convert inches to cm, etc. :)

An interesting idea, although it sounds a bit strange to me. I could easily hack it into HTMLPurifier_AttrDef_ChildDef_CSS_Length, but I can't see any practical use for it.

No, this is not a pressing need. But some might prefer to work with a particular standard (and the rest of us in the world, (i.e., US, Liberia, and Myanmar) should already be using metric!)).

Also, do you have plans to add support for the style attribute too?

If I do this, CSSTidy will need to be distributed with HTML Purifier, since style attribute validation is integral to HTML Purifier. I still need to analyze whether or not the parser can be used to parse style strings, and not actual style sheets.

To parse a style string, couldn't you just encapsulate the whole string in a dummy class selector or the like and then strip it?

-- hugh

I noticed this. However, as of right now HTML Purifier is completely bypassing CSSTidy's validation/optimization logic, so all these validations are done on HTML Purifier's side (there's no way of guaranteeing the security of CSSTidy's validation either). I am using CSSTidy almost solely for its parsing capabilities. It'll be interesting to see what from this file we can reuse, but it's non-OOP design makes it more difficult to jive with HTML Purifier.

Oh, also had the idea while looking at the units to have a function optionally auto-convert inches to cm, etc. :)

An interesting idea, although it sounds a bit strange to me. I could easily hack it into HTMLPurifier_AttrDef_ChildDef_CSS_Length, but I can't see any practical use for it.

Also, do you have plans to add support for the style attribute too?

If I do this, CSSTidy will need to be distributed with HTML Purifier, since style attribute validation is integral to HTML Purifier. I still need to analyze whether or not the parser can be used to parse style strings, and not actual style sheets.

Within CSSTidy, the file data.inc.php has some groupings of allowable CSS which might, I think, should be easily manipulated by functions (if not themselves grouped into modules) to remove groups of allowable values (e.g., if people didn't want certain colors allowed, certain properties (e.g., display which could hide elements), etc., as I saw discussed on one of your ideas pages).

Oh, also had the idea while looking at the units to have a function optionally auto-convert inches to cm, etc. :)

take care, Brett

<?php
// change these two paths as necessary
require_once 'class.csstidy.php';
require_once 'class.csstidy_print.php';
require_once 'HTMLPurifier/Filter/ExtractStyleBlocks.php';

$purifier = new HTMLPurifier();
$purifier->addFilter(new HTMLPurifier_Filter_ExtractStyleBlocks());
$text = $purifier->purify(
  '<style>.foo{text-align:left;bogus:foo;}</style>'.
  '<span class="foo">a</span>'
);
print_r($text);
// '<span class="foo">a</span>'
print_r($purifier->context->get('StyleBlocks'));
/*
array
(
    0 => '.class {
text-align:left;
}'
)
*/

Thanks.

I've recently come across what may be different than what you need to develop, but it seems to do the trick for me for CSS parsing (I recently joined the developers to make a few changes of my own and the project manager is looking for anyone to take over the project) and maybe it could be of some help to you in getting started?

http://csstidy.sourceforge.net/

By the way, thanks for developing/working on something which was is so essential...

best wishes, Brett

Any means or plans to add the means for purifying CSS when injected into a stylesheet--i.e., when removing the <style> tags is not sufficient (i.e., removing javascript protocol from url(), etc.)?

thanks, Brett

Edited 1 time(s). Last edit at 08/02/2007 11:13PM by Ambush Commander.