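<?php

/**
 * Validates a font family list according to CSS spec
 * @todo whitelisting allowed fonts would be nice
 */
class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
{

    /**
     * Validates a comma-separated font-family value and returns a
     * normalized form, or false when no entry survives.
     *
     * Each entry is handled one of three ways: a generic family name is
     * passed through as-is, a purely alphanumeric name is passed through
     * unquoted, and anything else is re-emitted as a single-quoted CSS
     * string with backslashes and single quotes escaped. A quoted entry
     * has its quotes removed and its CSS backslash escapes decoded before
     * it is examined; escapes inside an unquoted entry are NOT decoded
     * and end up as literal (doubled) backslashes in the output.
     *
     * Names that contain an ASCII control character after decoding are
     * dropped: an unescaped LF/CR/FF terminates a CSS string token, so
     * the single-quoted form below could not keep such a name inside the
     * string, and decoded escapes such as "\3B" (';') would then be read
     * as further declarations. The original armoring only covered
     * backslashes and single quotes.
     *
     * @param string $string raw font-family value, already split off
     *                       from its declaration by the caller
     * @param mixed $config  unused here (HTMLPurifier config object)
     * @param mixed $context unused here (HTMLPurifier context object)
     * @return string|bool normalized value, or false if nothing is valid
     */
    public function validate($string, $config, $context) {
        static $generic_names = array(
            'serif' => true,
            'sans-serif' => true,
            'monospace' => true,
            'fantasy' => true,
            'cursive' => true
        );

        // assume that no font names contain commas in them
        $fonts = explode(',', $string);
        $final = '';
        foreach ($fonts as $font) {
            $font = trim($font);
            if ($font === '') continue;

            // match a generic name
            if (isset($generic_names[$font])) {
                $final .= $font . ', ';
                continue;
            }

            // match a quoted name: strip the quotes, then decode the
            // escapes that are only meaningful inside a quoted string
            if ($font[0] === '"' || $font[0] === "'") {
                $length = strlen($font);
                if ($length <= 2) continue;                  // '' or "" (empty name)
                $quote = $font[0];
                if ($font[$length - 1] !== $quote) continue; // unbalanced quotes
                $font = $this->decodeCssEscapes(substr($font, 1, $length - 2));
            }
            // $font is a pure representation of the font name

            if (ctype_alnum($font) && $font !== '') {
                // very simple font, allow it in unharmed
                $final .= $font . ', ';
                continue;
            }

            // Control characters cannot be kept inside the quoted string
            // emitted below (LF, CR and FF end a CSS string token), so a
            // name containing one is rejected instead of re-emitted.
            if (preg_match('/[\x00-\x1F\x7F]/', $font)) continue;

            // complicated font, requires quoting

            // armor backslashes and single quotes; the name is emitted in
            // single quotes and the enclosing attribute is HTML-escaped
            // on output, so a double quote inside the name is harmless
            $font = str_replace("\\", "\\\\", $font);
            $font = str_replace("'", "\\'", $font);
            $final .= "'$font', ";
        }
        $final = rtrim($final, ', ');
        if ($final === '') return false;
        return $final;
    }

    /**
     * Decodes CSS backslash escapes in an already dequoted string.
     *
     * Supported forms: '\' followed by one to six hex digits (one
     * whitespace character directly after the digits is consumed as part
     * of the escape), '\' followed by a newline (a line continuation,
     * removed entirely), and '\' followed by any other character (that
     * character itself). A lone trailing backslash is kept literally. A
     * hex escape whose code point HTMLPurifier_Encoder::cleanUTF8 rejects
     * is dropped; unlike the earlier implementation, the character that
     * follows such a dropped escape is still processed rather than lost.
     *
     * @param string $font dequoted font name
     * @return string font name with escapes decoded
     */
    private function decodeCssEscapes($font) {
        $new_font = '';
        for ($i = 0, $c = strlen($font); $i < $c; $i++) {
            if ($font[$i] === '\\') {
                $i++;
                if ($i >= $c) {
                    // trailing backslash: keep it, the caller armors it
                    $new_font .= '\\';
                    break;
                }
                if (ctype_xdigit($font[$i])) {
                    $code = $font[$i];
                    // at most six hex digits form one escape
                    for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
                        if (!ctype_xdigit($font[$i])) break;
                        $code .= $font[$i];
                    }
                    // We have to be extremely careful when adding
                    // new characters, to make sure we're not breaking
                    // the encoding.
                    $char = HTMLPurifier_Encoder::unichr(hexdec($code));
                    // One whitespace character after the digits belongs to
                    // the escape; anything else must be re-read by the
                    // outer loop's $i++. Decide this before deciding whether
                    // the decoded character is kept, so a rejected escape
                    // does not also swallow the character after it.
                    if ($i < $c && trim($font[$i]) !== '') $i--;
                    if (HTMLPurifier_Encoder::cleanUTF8($char) !== '') {
                        $new_font .= $char;
                    }
                    continue;
                }
                // backslash-newline is a line continuation: remove both
                if ($font[$i] === "\n") continue;
            }
            $new_font .= $font[$i];
        }
        return $new_font;
    }

}

// vim: et sw=4 sts=4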