/*
-htmLawed_README.txt, 25 May 2017
-htmLawed 1.2.2, 25 May 2017
+htmLawed_README.txt, 4 September 2021
+htmLawed 1.2.6, 4 September 2021
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
* Named character entities must be properly cased. Thus, '≪' or '˜' will not be recognized as entities and will be `neutralized`.
- * HTML comments should not be inside element tags (they can be between tags), and should begin with '<!--' and end with '-->'. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any '-->' inside should be put in as '-->'. Any '--' inside will be automatically converted to '-', and a space will be added before the comment delimiter '-->'.
+ * HTML comments should not be inside element tags (they can be between tags), and should begin with '<!--' and end with '-->'. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any '-->' inside should be put in as '-->'. Any '--' inside will be automatically converted to '-', and a space will be added before the '-->' comment-closing marker unless '$config["comments"]' is set to '4' (section:- #3.3.1).
* 'CDATA' sections should not be inside element tags, and can be in element content only if plain text is allowed for that element. They should begin with '<[CDATA[' and end with ']]>'. Characters like '<', '>', and '&' may be allowed inside depending on '$config', but any ']]>' inside should be put in as ']]>'.
'CDATA' sections have the format '<![CDATA[...anything but not "]]>"...]]>', and HTML comments, '<!--...anything but not "-->"... -->'. Neither HTML comments nor 'CDATA' sections can reside inside tags. HTML comments can exist anywhere else, but 'CDATA' sections can exist only where plain text is allowed (e.g., immediately inside 'td' element content but not immediately inside 'tr' element content).
- htmLawed (function 'hl_cmtcd()') handles HTML comments or 'CDATA' sections depending on the values of '$config["comment"]' or '$config["cdata"]'. If '0', such markup is not looked for and the text is processed like plain text. If '1', it is removed completely. If '2', it is preserved but any '<', '>' and '&' inside are changed to entities. If '3', they are left as such.
+ htmLawed (function 'hl_cmtcd()') handles HTML comments or 'CDATA' sections depending on the values of '$config["comment"]' or '$config["cdata"]'. If '0', such markup is not looked for and the text is processed like plain text. If '1', it is removed completely. If '2', it is preserved but any '<', '>' and '&' inside are changed to entities. If '3' for '$config["cdata"]', or '3' or '4' for '$config["comment"]', they are left as such. When '$config["comment"]' is set to '4', htmLawed will not force a space character before the '-->' comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook).
Note that for the last two cases, HTML comments and 'CDATA' sections will always be removed from tag content (function 'hl_tag()').
Examples:
Input:
- <!-- home link
--><a href="home.htm"><![CDATA[x=&y]]>Home</a>
+ <!-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a>
Output ('$config["comment"] = 0, $config["cdata"] = 2'):
- <-- home link
--><a href="home.htm"><![CDATA[x=&y]]>Home</a>
+ <-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a>
Output ('$config["comment"] = 1, $config["cdata"] = 2'):
<a href="home.htm"><![CDATA[x=&y]]>Home</a>
Output ('$config["comment"] = 2, $config["cdata"] = 2'):
<!-- home link --><a href="home.htm">Home</a>
Output ('$config["comment"] = 3, $config["cdata"] = 3'):
<!-- home link --><a href="home.htm"><![CDATA[x=&y]]>Home</a>
-
- For standard-compliance, comments are given the form '<!--comment -->', and any '--' in the content is made '-'.
+ Output ('$config["comment"] = 4, $config["cdata"] = 3'):
+ <!-- home link--><a href="home.htm"><![CDATA[x=&y]]>Home</a>
+
+ For standard-compliance, comments are given the form '<!--comment -->', and any '--' in the content is made '-'. When '$config["comment"]' is set to '4', htmLawed will not force a space character before the '-->' comment-closing marker.
When '$config["safe"] = 1', CDATA sections and comments are considered plain text unless '$config["comment"]' or '$config["cdata"]' is explicitly specified; see section:- #3.6.
* big - 'span style="font-size: larger;"'
* center - 'div style="text-align: center;"'
* dir - 'ul'
- * font (face, size, color) - 'span style="font-family: ; font-size: ; color: ;"' (size transformation reference:- http://style.cleverchimp.com/font_size_intervals/altintervals.html)
+ * font (face, size, color) - 'span style="font-family: ; font-size: ; color: ;"' (size transformation reference:- http://web.archive.org/web/20180201141931/http://style.cleverchimp.com/font_size_intervals/altintervals.html)
* isindex - based on '$config["make_tag_strict"]', unchanged ('1') or removed ('2')
* s - 'span style="text-decoration: line-through;"'
* strike - 'span style="text-decoration: line-through;"'
The output:
<div style="text-align: center;">
- The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-family: arial; color: red; font-size: 200%;">htmLawedTest.php</span>, from <span style="color:green; text-decoration: underline;">PHP Labware</span>.
+ The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-size: 200%; color: red; font-family: arial;">htmLawedTest.php</span>, from <u style="color:green">PHP Labware</u>.
</div>
Note that attributes specified in '$config["deny_attribute"]' are denied globally, for all elements. To deny attributes for only specific elements, '$spec' (see section:- #2.3) can be used. '$spec' can also be used to element-specifically permit an attribute otherwise denied through '$config["deny_attribute"]'.
- Finer restrictions on attributes can also be put into effect through '$config["deny_attribute"]' (section:- 3.4.9).
+ Finer restrictions on attributes can also be put into effect through '$config["hook_tag"]' (section:- #3.4.9).
*Note*: To deny all but a few attributes globally, a simpler way to specify '$config["deny_attribute"]' would be to use the notation '* -attribute1 -attribute2 ...'. Thus, a value of '* -title -href' implies that except 'href' and 'title' (where allowed as per standards) all other attributes are to be removed. With this notation, the value for the parameter 'safe' (section:- #3.6) will have no effect on 'deny_attribute'. Values of 'aria*' 'data*', and 'on*' cannot be used in this notation to refer to the sets of all ARIA, data-*, and on* attributes respectively.
// Inject param for allowscriptaccess
if($element == 'object'){
- $new_element = '<param id='my_'. $id; allowscriptaccess="never" />';
+ $new_element = '<param id="my_'. $id. '"; allowscriptaccess="never" />';
++$id;
}
(The release date for the downloadable package of files containing documentation, demo script, test-cases, etc., besides the 'htmLawed.php' file, may be updated without a change-log entry if the secondary files, but not htmLawed per se, are revised.)
`Version number - Release date. Notes`
+
+ 1.2.6 - 4 September 2021. Fixes a bug that arises when '$config["deny_attribute"]' has a 'data-*' attribute with > 1 hyphen character
+
+ 1.2.5 - 24 September 2019. Fixes two bugs in 'font' tag transformation
+
+ 1.2.4.2 - 16 May 2019. Corrects a PHP notice if a semi-colon is present in '$config["schemes"]'
+
+ 1.2.4.1 - 12 September 2017. Corrects a function re-declaration bug introduced in version 1.2.4
+
+ 1.2.4 - 31 August 2017. Removes use of PHP 'create_function' function and '$php_errormsg' reserved variable (deprecated in PHP 7.2)
+
+ 1.2.3 - 5 July 2017. New option value of '4' for '$config["comments"]' to stop enforcing a space character before the '-->' comment-closing marker
1.2.2 - 25 May 2017. Fix for a bug in parsing '$spec' that got introduced in version 1.2; also, '$spec' is now parsed to accommodate specifications for an HTML element when they are specified in multiple rules
projects / yaffs-website / blobdiff