Home Explore Help
Register Sign In
aj
/
chamilo-lms2
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 0e3191628e
Branches Tags
chamilo-lms2
/
main
/
inc
/
lib
/
htmlpurifier
/
library
/
HTMLPurifier
/
AttrDef
/
CSS
/
FontFamily.php

FontFamily.php 2.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * Validates a font family list according to CSS spec
    5. 

  5.  * @todo whitelisting allowed fonts would be nice
    6. 

  6.  */
    7. 

  7. class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
    8. 

  8. {
    9. 

  9. 

  10.     public function validate($string, $config, $context) {
    11. 

  11.         static $generic_names = array(
    12. 

  12.             'serif' => true,
    13. 

  13.             'sans-serif' => true,
    14. 

  14.             'monospace' => true,
    15. 

  15.             'fantasy' => true,
    16. 

  16.             'cursive' => true
    17. 

  17.         );
    18. 

  18. 

  19.         // assume that no font names contain commas in them
    20. 

  20.         $fonts = explode(',', $string);
    21. 

  21.         $final = '';
    22. 

  22.         foreach($fonts as $font) {
    23. 

  23.             $font = trim($font);
    24. 

  24.             if ($font === '') continue;
    25. 

  25.             // match a generic name
    26. 

  26.             if (isset($generic_names[$font])) {
    27. 

  27.                 $final .= $font . ', ';
    28. 

  28.                 continue;
    29. 

  29.             }
    30. 

  30.             // match a quoted name
    31. 

  31.             if ($font[0] === '"' || $font[0] === "'") {
    32. 

  32.                 $length = strlen($font);
    33. 

  33.                 if ($length <= 2) continue;
    34. 

  34.                 $quote = $font[0];
    35. 

  35.                 if ($font[$length - 1] !== $quote) continue;
    36. 

  36.                 $font = substr($font, 1, $length - 2);
    37. 

  37.             }
    38. 

  38. 

  39.             $font = $this->expandCSSEscape($font);
    40. 

  40. 

  41.             // $font is a pure representation of the font name
    42. 

  42. 

  43.             if (ctype_alnum($font) && $font !== '') {
    44. 

  44.                 // very simple font, allow it in unharmed
    45. 

  45.                 $final .= $font . ', ';
    46. 

  46.                 continue;
    47. 

  47.             }
    48. 

  48. 

  49.             // bugger out on whitespace.  form feed (0C) really
    50. 

  50.             // shouldn't show up regardless
    51. 

  51.             $font = str_replace(array("\n", "\t", "\r", "\x0C"), ' ', $font);
    52. 

  52. 

  53.             // These ugly transforms don't pose a security
    54. 

  54.             // risk (as \\ and \" might).  We could try to be clever and
    55. 

  55.             // use single-quote wrapping when there is a double quote
    56. 

  56.             // present, but I have choosen not to implement that.
    57. 

  57.             // (warning: this code relies on the selection of quotation
    58. 

  58.             // mark below)
    59. 

  59.             $font = str_replace('\\', '\\5C ', $font);
    60. 

  60.             $font = str_replace('"',  '\\22 ', $font);
    61. 

  61. 

  62.             // complicated font, requires quoting
    63. 

  63.             $final .= "\"$font\", "; // note that this will later get turned into &quot;
    64. 

  64.         }
    65. 

  65.         $final = rtrim($final, ', ');
    66. 

  66.         if ($final === '') return false;
    67. 

  67.         return $final;
    68. 

  68.     }
    69. 

  69. 

  70. }
    71. 

  71. 

  72. // vim: et sw=4 sts=4
    73.