php css transform htmlpurifier

How to allow transform in HTMLPurifier


********* Updated question **************

So I have tried to implement my own AttrDef to HTMLPurifier but it doesn't "take", and I can't debug using die() either.

Here's what I have:

I created Transform.php in the HTMLPurifier/AttrDef/CSS/ directory. The only content so far is this (I'm only trying to hook it in for now, I will add validation logic once I see that it is in the loop and thus can test it):

<?php

/**
 * Validates Transform as defined by CSS.
 */
class HTMLPurifier_AttrDef_CSS_Transform extends HTMLPurifier_AttrDef
{
    //basing this off of the color definition so the var is $color for now, may change it to $transform later
    public function validate($color, $config, $context) {
        return $color;
    }
}

I added my file to library/HTMLPurifier.includes.php like this:

require 'HTMLPurifier/AttrDef/CSS/Transform.php';

and to the library/HTMLPurifier.safe-includes.php

require_once $__dir . '/HTMLPurifier/AttrDef/CSS/Transform.php';

(not sure about the difference between these two include files above but all AttrDef files seemed to be in both so I added my file to both as well).

Then I try to make use of this new definition by adding this to library/HTMLPurifier/CSSDefinition.php:

    // transform
    $this->info['transform'] = new HTMLPurifier_AttrDef_CSS_Transform();

It is as if all of my additions were never made, and I can't debug it by putting a die() in my own file either, nothing happens.

So any advice on where I went wrong or how I can debug this is very much appreciated.

*********** addition *******

I also tried a simple bypass by applying the Color-AttrDef to any transform property, in the CSSDefinition.php:

$this->info['transform'] = new HTMLPurifier_AttrDef_CSS_Color();

And I hacked the original Color definition like this:

    //TODO: testing ways to bypass
    if (strpos($color, 'rotate(') !== false) {
        return $color;
    }

Not working. Please advise on what I am missing.


Solution

  • You'll need to define your own AttrDef which knows how to parse and validate such definitions. Color should serve as a decent model, since the rgb syntax is similar to matrix.
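
One way to write the kind of AttrDef the answer describes, as an added example that is not part of the original thread or HTMLPurifier's own code: a strict allowlist of 2D transform functions with numeric arguments, registered at runtime through the config instead of by editing library files. The Composer autoload path, the chosen function subset and turning off the definition cache for testing are assumptions.

```php
<?php
// Added example, not HTMLPurifier's own code. The autoload path is an assumption.
require_once 'vendor/autoload.php';
// Allowlist validator: returns the normalized value, or false to drop the property.
class HTMLPurifier_AttrDef_CSS_Transform extends HTMLPurifier_AttrDef
{
    // function name => array(allowed argument counts, unit pattern); subset is an assumption
    protected $functions = array(
        'rotate'    => array(array(1), '(?:deg|rad|turn)'),
        'skew'      => array(array(1, 2), '(?:deg|rad|turn)'),
        'scale'     => array(array(1, 2), ''),
        'translate' => array(array(1, 2), '(?:px|em|%)?'),
        'matrix'    => array(array(6), ''),
    );
    public function validate($string, $config, $context)
    {
        $string = strtolower($this->parseCDATA($string));
        if ($string === 'none') {
            return 'none';
        }
        // The whole value must be a run of name(args) groups, nothing else.
        if (!preg_match('/^(?:[a-z]+\([^()]*\)\s*)+$/', $string)) {
            return false;
        }
        preg_match_all('/([a-z]+)\(([^()]*)\)/', $string, $calls, PREG_SET_ORDER);
        $out = array();
        foreach ($calls as $call) {
            if (!isset($this->functions[$call[1]])) {
                return false; // function name is not on the allowlist
            }
            list($counts, $unit) = $this->functions[$call[1]];
            $args = array_map('trim', explode(',', $call[2]));
            $number = '/^-?(?:\d+(?:\.\d+)?|\.\d+)' . $unit . '$/';
            if (!in_array(count($args), $counts, true)
                || count(preg_grep($number, $args)) !== count($args)) {
                return false; // wrong arity or a non-numeric argument
            }
            $out[] = $call[1] . '(' . implode(', ', $args) . ')';
        }
        return implode(' ', $out);
    }
}

$config = HTMLPurifier_Config::createDefault();
$config->set('Cache.DefinitionImpl', null); // skip the serialized definition cache
$config->getCSSDefinition()->info['transform'] = new HTMLPurifier_AttrDef_CSS_Transform();
$purifier = new HTMLPurifier($config);
echo $purifier->purify('<p style="transform: rotate(45deg) scale(1.5)">kept</p>'), "\n";
echo $purifier->purify('<p style="transform: rotate(45deg) url(x)">dropped</p>'), "\n";
```

A validate() that returns its input unchanged passes any string through to the style attribute, whereas returning false makes HTMLPurifier drop the declaration, which is why every branch above either normalizes or rejects.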