3.3.1 Handling of comments & CDATA sections
@@ -1076,7 +1093,7 @@ htmLawed documentation
CDATA sections have the format <![CDATA[...anything but not "]]>"...]]>, and HTML comments, <!--...anything but not "-->"... -->. Neither HTML comments nor CDATA sections can reside inside tags. HTML comments can exist anywhere else, but CDATA sections can exist only where plain text is allowed (e.g., immediately inside td element content but not immediately inside tr element content).
- htmLawed (function hl_cmtcd()) handles HTML comments or CDATA sections depending on the values of $config["comment"] or $config["cdata"]. If 0, such markup is not looked for and the text is processed like plain text. If 1, it is removed completely. If 2, it is preserved but any <, > and & inside are changed to entities. If 3 for $config["cdata"], or 3 or 4 for $config["comment"], they are left as such. When $config["comment"] is set to 4, htmLawed will not force a space character before the --> comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook).
+ htmLawed (function hl_commentCdata()) handles HTML comments or CDATA sections depending on the values of $config["comment"] or $config["cdata"]. If 0, such markup is not looked for and the text is processed like plain text. If 1, it is removed completely. If 2, it is preserved but any <, > and & inside are changed to entities. If 3 for $config["cdata"], or 3 or 4 for $config["comment"], they are left as such. When $config["comment"] is set to 4, htmLawed will not force a space character before the --> comment-closing marker. While such a space is required for standard-compliance, it can corrupt marker code put in HTML by some software (such as Microsoft Outlook).
Note that for the last two cases, HTML comments and CDATA sections will always be removed from tag content (function hl_tag()).
@@ -1120,14 +1137,14 @@ htmLawed documentation
3.3.2 Tag-transformation for better compliance with standards
(to top)
- If
$config["make_tag_strict"] is set and not
0, following deprecated elements (and attributes), as per HTML 5 specification, even if admin-permitted, are mutated as indicated (element content remains intact; function
hl_tag2()):
+ If
$config["make_tag_strict"] is set and not
0, following deprecated elements (and attributes), even if admin-permitted, are mutated as indicated (element content remains intact; function
hl_deprecatedElement()):
* acronym -
abbr
* applet - based on
$config["make_tag_strict"], unchanged (
1) or removed (
2)
* big -
span style="font-size: larger;"
* center -
div style="text-align: center;"
* dir -
ul
- * font (face, size, color) -
span style="font-family: ; font-size: ; color: ;" (size transformation
reference)
+ * font (face, size, color) -
span style="font-family: ; font-size: ; color: ;" (size transformation
reference)
* isindex - based on
$config["make_tag_strict"], unchanged (
1) or removed (
2)
* s -
span style="text-decoration: line-through;"
* strike -
span style="text-decoration: line-through;"
@@ -1153,7 +1170,7 @@
htmLawed documentation
<div style="text-align: center;">
-
The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-family: arial; color: red; font-size: 200%;">htmLawedTest.php</span>, from <span style="color:green; text-decoration: underline;">PHP Labware</span>.
+
The PHP <span style="text-decoration: line-through;">software</span> script used for this <span style="text-decoration: line-through;">web-page</span> web-page is <span style="font-weight: bold; font-size: 200%; color: red; font-family: arial;">htmLawedTest.php</span>, from <u style="color:green">PHP Labware</u>.
</div>
@@ -1164,7 +1181,7 @@
htmLawed documentation
3.3.3 Tag balancing & proper nesting
(to top)
- If
$config["balance"] is set to
1, htmLawed (function
hl_bal()) checks and corrects the input to have properly balanced tags and legal element content (i.e., any element nesting should be valid, and plain text may be present only in the content of elements that allow them).
+ If
$config["balance"] is set to
1, htmLawed (function
hl_balance()) checks and corrects the input to have properly balanced tags and legal element content (i.e., any element nesting should be valid, and plain text may be present only in the content of elements that allow them).
Depending on the value of
$config["keep_bad"] (see
section 2.2 and
section 3.3), illegal content may be removed or neutralized to plain text by converting < and > to entities:
@@ -1258,7 +1275,7 @@
htmLawed documentation
Note: In the example above, unlike
<*>,
<xml> gets considered as a tag (even though there is no HTML element named
xml). Thus, the
keep_bad parameter's value affects
<xml> but not
<*>. In general, text matching the regular expression pattern
<(/?)([a-zA-Z][a-zA-Z1-6]*)([^>]*?)\s?> is considered a tag (phrase enclosed by the angled brackets
< and
>, and starting [with an optional slash preceding] with an alphanumeric word that starts with an alphabet...), and is subjected to the
keep_bad value.
- Nesting/content rules for each of the 118 elements in htmLawed's default set (see
section 3.3) are defined in function
hl_bal(). This means that if a non-standard element besides
embed is being permitted through
$config["elements"], the element's tag content will end up getting removed if
$config["balance"] is set to
1.
+ Nesting/content rules for each of the 122 standard elements in htmLawed's default set (see
section 3.3) are defined in function
hl_balance(). Any custom element (
section 3.3.6) is permitted to be within and to contain any other element.
Plain text and/or certain elements nested inside
blockquote,
form,
map and
noscript need to be in block-level elements. This point is often missed during manual writing of HTML code. htmLawed attempts to address this during balancing. E.g., if the parent container is set as
form, the input
B:<input type="text" value="b" />C:<input type="text" value="c" /> is converted to
<div>B:<input type="text" value="b" />C:<input type="text" value="c" /></div>.
@@ -1288,34 +1305,57 @@
htmLawed documentation
As per the HTML standards, spaces, tabs and line-breaks in web-pages (except those inside
pre elements) are all considered equivalent, and referred to as
white-spaces. Browser applications are supposed to consider contiguous white-spaces as just a single space, and to disregard white-spaces trailing opening tags or preceding closing tags. This white-space
normalization allows the use of text/code beautifully formatted with indentations and line-spacings for readability. Such
pretty HTML can, however, increase the size of web-pages, or make the extraction or scraping of plain text cumbersome.
- With the
$config parameter
tidy, htmLawed can be used to beautify or compact the input text. Input with just plain text and no HTML markup is also subject to this. Besides
pre, the
script and
textarea elements, CDATA sections, and HTML comments are not subjected to the tidying process.
+ With the
$config parameter
tidy, htmLawed can be used to beautify or compact the input text. Input with just plain text and no HTML markup is also subject to this. Besides
pre, the
script, and
textarea elements, CDATA sections, and HTML comments are not subjected to the tidying process.
+
+ Any custom HTML element (
section 3.3.6) is treated like an inline element, like
strong, during tidying.
To
compact, use
$config["tidy"] = -1; single instances or runs of white-spaces are replaced with a single space, and white-spaces trailing and leading open and closing tags, respectively, are removed.
To
beautify,
$config["tidy"] is set as
1, or for customized tidying, as a string like
2s2n. The
s or
t character specifies the use of spaces or tabs for indentation. The first and third characters, any of the digits 0-9, specify the number of spaces or tabs per indentation, and any parental lead spacing (extra indenting of the whole block of input text). The
r and
n characters are used to specify line-break characters:
n for
\n (Unix/Mac OS X line-breaks),
rn or
nr for
\r\n (Windows/DOS line-breaks), or
r for
\r.
+ For instance, with
$config["tidy"] set as
3s2n, 3 space characters are used per indentation level, the entire block of text (HTML code) gets a lead (left spacing) of 2 space characters, and line-breaks are with
\n character.
+
The
$config["tidy"] value of
1 is equivalent to
2s0n. Other
$config["tidy"] values are read loosely: a value of
4 is equivalent to
4s0n;
t2, to
1t2n;
s, to
2s0n;
2TR, to
2t0r;
T1, to
1t1n;
nr3, to
3s0nr, and so on. Except in the indentations and line-spacings, runs of white-spaces are replaced with a single space during beautification.
Input formatting using
$config["tidy"] is not recommended when input text has mixed markup (like HTML + PHP).
+
3.4 Attributes
(to top)
- In its default setting, htmLawed will only permit attributes described in the HTML specifications (including deprecated ones). A list of the attributes and the elements they are allowed in is in
section 5.2. Using the
$spec argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (
section 2.3).
+
+
In its default setting, htmLawed will only permit attributes described in the HTML specifications (including deprecated ones). A list of the attributes and the elements they are allowed in is in section:- #5.2. Using the '$spec' argument, htmLawed can be forced to permit custom, non-standard attributes as well as custom rules for standard attributes (section:- #2.3).
+
Custom
data-* (
data-star) attributes, where the first three characters of the value of
star (*) after lower-casing do not equal
xml, and the value of
star does not have a colon (:), equal-to (=), newline, solidus (/), space or tab character, or any upper-case A-Z character are allowed in all elements. ARIA, event and microdata attributes like
aria-live,
onclick and
itemid are also considered global attributes (
section 5.2).
- When
$config["deny_attribute"] is not set, or set to
0, or empty (
""), all attributes are permitted. Otherwise,
$config["deny_attribute"] can be set as a list of comma-separated names of the denied attributes.
on* can be used to refer to the group of potentially dangerous, script-accepting event attributes like
onblur and
onchange that have
on at the beginning of their names. Similarly,
aria* and
data* can be used to respectively refer to the set of all ARIA and data-* attributes.
+ When
$config["deny_attribute"] is not set, or set to
0, or empty (
""), all attributes are permitted as per standards. Otherwise,
$config["deny_attribute"] can be set in two different ways. One way is as a list of comma-separated names of the denied attributes.
on* can be used to refer to the group of potentially dangerous, script-accepting event attributes like
onchange that have
on at the beginning of their names. Similarly,
aria* and
data* can be used to respectively refer to the set of all ARIA and data-* attributes. The second way to set
$config["deny_attribute"] permits the denying of all but a few attributes globally. The notation is
* -attribute1 -attribute2 .... Thus, a value of
* -title -href implies that except
href and
title (where allowed as per standards) all other attributes are to be removed. Terms
aria* data*, and
on* can be used in this notation, and a whitespace character is necessary before the
- character.
- With
$config["safe"] = 1 (
section 3.6), the
on* event attributes are automatically disallowed even if a value for
$config["deny_attribute"] has been manually provided.
+ With
$config["safe"] = 1 (
section 3.6), any
on* event attribute is disallowed even if
$config["deny_attribute"] is set otherwise (such as
* -style -on*).
- Note that attributes specified in
$config["deny_attribute"] are denied globally, for all elements. To deny attributes for only specific elements,
$spec (see
section 2.3) can be used.
$spec can also be used to element-specifically permit an attribute otherwise denied through
$config["deny_attribute"].
+ The attribute restrictions specified with
$config["deny_attribute"] apply to all elements. To deny attributes for only specific elements,
$spec (see
section 2.3) can be used.
$spec can also be used to element-specifically permit an attribute otherwise denied through
$config["deny_attribute"].
- Finer restrictions on attributes can also be put into effect through
$config["deny_attribute"] (
section).
+ Finer restrictions on attributes can also be put into effect through
$config["hook_tag"] (
section 3.4.9).
-
Note: To deny all but a few attributes globally, a simpler way to specify
$config["deny_attribute"] would be to use the notation
* -attribute1 -attribute2 .... Thus, a value of
* -title -href implies that except
href and
title (where allowed as per standards) all other attributes are to be removed. With this notation, the value for the parameter
safe (
section 3.6) will have no effect on
deny_attribute. Values of
aria* data*, and
on* cannot be used in this notation to refer to the sets of all ARIA, data-*, and on* attributes respectively.
+ Custom elements are permitted to have attributes of any name consisting of any character except a few such as equal, forward slash, and most control characters (unless denied through
$spec) and satisfying any
data attribute name requirement.
htmLawed (function
hl_tag()) also:
@@ -1323,6 +1363,7 @@
htmLawed documentation
* Removes duplicate attributes (last one stays)
* Gives attributes the form
name="value" and single-spaces them, removing unnecessary white-spacing
* Provides
required attributes (see
section 3.4.1)
+ * Optionally lowercases certain standard attribute values (see
section 3.4.5)
* Double-quotes values and escapes any
" inside them
* Replaces the possibly dangerous soft-hyphen characters (hexadecimal code-point
ad) in the values with spaces
* Allows custom function to additionally filter/modify attribute values (see
section 3.4.9)
@@ -1380,11 +1421,13 @@
htmLawed documentation
Also, only
data,
file,
http,
https and
javascript are permitted in these attributes that accept URLs:
-
action, cite, classid, codebase, data, itemtype, longdesc, model, pluginspage, pluginurl, src, srcset, style, usemap, and event attributes like onclick
+
action, archive, cite, classid, codebase, data, itemtype, longdesc, model, pluginspage, pluginurl, poster, src, srcset, style, usemap, and event attributes like onclick
With
$config["safe"] = 1 (
section 3.6), the above is changed to disallow
app,
data and
javascript.
+
Note: URLs in
data-* attribute values are not checked, but $spec (
section 2.3) or
$config["hook_tag"] (
section 3.4.9) can be used for this purpose.
+
These default sets are used when
$config["schemes"] is not set (see
section 2.2). To over-ride the defaults,
$config["schemes"] is defined as a string of semi-colon-separated sub-strings of type
attribute: comma-separated schemes. E.g.,
href: mailto, http, https; onclick: javascript; src: http, https. For unspecified attributes,
data,
file,
http,
https and
javascript are permitted. This can be changed by passing schemes for
* in
$config["schemes"]. E.g.,
href: mailto, http, https; *: https, https.
* (asterisk) can be put in the list of schemes to permit all protocols. E.g.,
style: *; img: http, https results in protocols not being checked in
style attribute values. However, in such cases, any relative-to-absolute URL conversion, or vice versa, (
section 3.4.4) is not done. When an attribute is explicitly listed in
$config["schemes"], then filtering is dictated by the setting for the attribute, with no effect of the setting for asterisk. That is, the set of attributes that asterisk refers to no longer includes the listed attribute.
@@ -1395,8 +1438,6 @@
htmLawed documentation
! can be put in the list of schemes to disallow all protocols as well as
local URLs. Thus, with
href: http, style: !,
<a href="http://cnn.com" style="background-image: url(local.jpg);">CNN</a> will become
<a href="http://cnn.com" style="background-image: url(denied:local.jpg);">CNN</a>
-
Note: If URL-accepting attributes other than those listed above are being allowed, then the scheme will not be checked unless the attribute name contains the string
src (e.g.,
dynsrc) or starts with
o (e.g.,
onbeforecopy).
-
With
$config["safe"] = 1, all URLs are disallowed in the
style attribute values.
@@ -1986,7 +2041,7 @@ htmLawed documentation
4.10 Acknowledgements
(to top)
- Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Dac Chartrand, Alexandre Chouinard, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, Edward Yang, and many anonymous users.
+ Nicholas Alipaz, Bryan Blakey, Pádraic Brady, Michael Butler, Dac Chartrand, Alexandre Chouinard, NinCollin, Ulf Harnhammer, Gareth Heyes, Hakre, Klaus Leithoff, Hideki Mitsuda, Lukasz Pilorz, Shelley Powers, Psych0tr1a, Lincoln Russell, Tomas Sykorka, Harro Verton, walrusmoose, Edward Yang, and many others.
Thank you!
@@ -2008,11 +2063,11 @@
htmLawed documentation
5.2 Valid attribute-element combinations
(to top)
- * includes deprecated attributes (marked
^), attributes for microdata (marked
*), the non-standard
bordercolor, and new-in-HTML5 attributes (marked
~); can have multiple comma-separated values (marked
%); can have multiple space-separated values (marked
$)
+ * includes deprecated attributes (marked
^), attributes for microdata (marked
*), some non-standard attributes for
embed (marked
**), and the non-standard
bordercolor; can have multiple comma-separated values (marked
%); can have multiple space-separated values (marked
$)
* only non-frameset, HTML body elements
*
name for
a and
map, and
lang are invalid in XHTML 1.1
- *
target is valid for
a in XHTML 1.1 and higher
*
xml:space is only for XHTML 1.1
+ * excludes data-* and author-specified, non-standard attributes of custom elements
abbr - td, th
accept - form, input
@@ -2022,17 +2077,17 @@
htmLawed documentation
allowfullscreen - iframe
alt - applet, area, img, input
archive - applet, object
- async~ - script
- autocomplete~ - input
- autofocus~ - button, input, keygen, select, textarea
- autoplay~ - audio, video
+ async - script
+ autocomplete - input
+ autofocus - button, input, keygen, select, textarea
+ autoplay - audio, video
axis - td, th
bgcolor - embed, table^, td^, th^, tr^
border - img, object^, table
bordercolor - table, td, tr
cellpadding - table
cellspacing - table
- challenge~ - keygen
+ challenge - keygen
char - col, colgroup, tbody, td, tfoot, th, thead, tr
charoff - col, colgroup, tbody, td, tfoot, th, thead, tr
charset - a, script
@@ -2048,94 +2103,94 @@
htmLawed documentation
colspan - td, th
compact - dir, dl^, menu, ol^, ul^
content - meta
- controls~ - audio, video
+ controls - audio, video
coords - area, a
- crossorigin~ - img
+ crossorigin - img
data - object
datetime - del, ins, time
declare - object
- default~ - track
+ default - track
defer - script
dir - bdo
- dirname~ - input, textarea
+ dirname - input, textarea
disabled - button, command, fieldset, input, keygen, optgroup, option, select, textarea
- download~ - a
+ download - a
enctype - form
face - font
flashvars** - embed
for - label, output
- form~ - button, fieldset, input, keygen, label, object, output, select, textarea
- formaction~ - button, input
- formenctype~ - button, input
- formmethod~ - button, input
- formnovalidate~ - button, input
- formtarget~ - button, input
+ form - button, fieldset, input, keygen, label, object, output, select, textarea
+ formaction - button, input
+ formenctype - button, input
+ formmethod - button, input
+ formnovalidate - button, input
+ formtarget - button, input
frame - table
frameborder - iframe
headers - td, th
height - applet, canvas, embed, iframe, img, input, object, td^, th^, video
- high~ - meter
+ high - meter
href - a, area, link
hreflang - a, area, link
hspace - applet, embed, img^, object^
- icon~ - command
+ icon - command
ismap - img, input
- keytype~ - keygen
- keyparams~ - keygen
- kind~ - track
+ keytype - keygen
+ keyparams - keygen
+ kind - track
label - command, menu, option, optgroup, track
language - script^
- list~ - input
+ list - input
longdesc - img, iframe
- loop~ - audio, video
- low~ - meter
+ loop - audio, video
+ low - meter
marginheight - iframe
marginwidth - iframe
- max~ - input, meter, progress
+ max - input, meter, progress
maxlength - input, textarea
- media~ - a, area, link, source, style
- mediagroup~ - audio, video
+ media - a, area, link, source, style
+ mediagroup - audio, video
method - form
- min~ - input, meter
+ min - input, meter
model** - embed
multiple - input, select
- muted~ - audio, video
- name - a^, applet^, button, embed, fieldset, form^, iframe^, img^, input, keygen, map^, object, output, param, select, textarea
+ muted - audio, video
+ name - a^, applet^, button, embed, fieldset, form^, iframe^, img^, input, keygen, map^, object, output, param, select, slot, textarea
nohref - area
noshade - hr^
- novalidate~ - form
+ novalidate - form
nowrap - td^, th^
object - applet
- open~ - details
- optimum~ - meter
- pattern~ - input
- ping~ - a, area
- placeholder~ - input, textarea
+ open - details, dialog
+ optimum - meter
+ pattern - input
+ ping - a, area
+ placeholder - input, textarea
pluginspage** - embed
pluginurl** - embed
- poster~ - video
- pqg~ - keygen
- preload~ - audio, video
+ poster - video
+ pqg - keygen
+ preload - audio, video
prompt - isindex
- pubdate~ - time
+ pubdate - time
radiogroup* - command
readonly - input, textarea
- required~ - input, select, textarea
+ required - input, select, textarea
rel$ - a, area, link
rev - a
- reversed~ - old
+ reversed - old
rows - textarea
rowspan - td, th
rules - table
- sandbox~ - iframe
+ sandbox - iframe
scope - td, th
- scoped~ - style
+ scoped - style
scrolling - iframe
- seamless~ - iframe
+ seamless - iframe
selected - option
shape - area, a
size - font, hr^, input, select
- sizes~ - link
+ sizes - link
span - col, colgroup
src - audio, embed, iframe, img, input, script, source, track, video
srcdoc~ - iframe
@@ -2159,7 +2214,7 @@
htmLawed documentation
The following attributes, including event-specific ones and attributes of ARIA and microdata specifications, are considered global and allowed in all elements:
- accesskey, aria-activedescendant, aria-atomic, aria-autocomplete, aria-busy, aria-checked, aria-controls, aria-describedby, aria-disabled, aria-dropeffect, aria-expanded, aria-flowto, aria-grabbed, aria-haspopup, aria-hidden, aria-invalid, aria-label, aria-labelledby, aria-level, aria-live, aria-multiline, aria-multiselectable, aria-orientation, aria-owns, aria-posinset, aria-pressed, aria-readonly, aria-relevant, aria-required, aria-selected, aria-setsize, aria-sort, aria-valuemax, aria-valuemin, aria-valuenow, aria-valuetext, class$, contenteditable, contextmenu, dir, draggable, dropzone, hidden, id, inert, itemid, itemprop, itemref, itemscope, itemtype, lang, onabort, onblur, oncanplay, oncanplaythrough, onchange, onclick, oncontextmenu, oncopy, oncuechange, oncut, ondblclick, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, ondurationchange, onemptied, onended, onerror, onfocus, onformchange, onforminput, oninput, oninvalid, onkeydown, onkeypress, onkeyup, onload, onloadeddata, onloadedmetadata, onloadstart, onlostpointercapture, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onpaste, onpause, onplay, onplaying, onpointercancel, ongotpointercapture, onpointerdown, onpointerenter, onpointerleave, onpointermove, onpointerout, onpointerover, onpointerup, onprogress, onratechange, onreadystatechange, onreset, onsearch, onscroll, onseeked, onseeking, onselect, onshow, onstalled, onsubmit, onsuspend, ontimeupdate, ontoggle, ontouchcancel, ontouchend, ontouchmove, ontouchstart, onvolumechange, onwaiting, onwheel, role, spellcheck, style, tabindex, title, translate, xmlns, xml:base, xml:lang, xml:space
+ accesskey, autocapitalize, autofocus, aria-activedescendant, aria-atomic, aria-autocomplete, aria-braillelabel, aria-brailleroledescription, aria-busy, aria-checked, aria-colcount, aria-colindex, aria-colindextext, aria-colspan, aria-controls, aria-current, aria-describedby, aria-description, aria-details, aria-disabled, aria-dropeffect, aria-errormessage, aria-expanded, aria-flowto, aria-grabbed, aria-haspopup, aria-hidden, aria-invalid, aria-keyshortcuts, aria-label, aria-labelledby, aria-level, aria-live, aria-multiline, aria-multiselectable, aria-orientation, aria-owns, aria-placeholder, aria-posinset, aria-pressed, aria-readonly, aria-relevant, aria-required, aria-roledescription, aria-rowcount, aria-rowindex, aria-rowindextext, aria-rowspan, aria-selected, aria-setsize, aria-sort, aria-valuemax, aria-valuemin, aria-valuenow, aria-valuetext, class, contenteditable, contextmenu, dir, draggable, dropzone, enterkeyhint, hidden, id, inert, inputmode, is, itemid, itemprop, itemref, itemscope, itemtype, lang, nonce, onabort, onblur, oncanplay, oncanplaythrough, onchange, onclick, oncontextmenu, oncopy, oncuechange, oncut, ondblclick, ondrag, ondragend, ondragenter, ondragleave, ondragover, ondragstart, ondrop, ondurationchange, onemptied, onended, onerror, onfocus, onformchange, onforminput, oninput, oninvalid, onkeydown, onkeypress, onkeyup, onload, onloadeddata, onloadedmetadata, onloadend, onloadstart, onlostpointercapture, onmousedown, onmousemove, onmouseout, onmouseover, onmouseup, onmousewheel, onpaste, onpause, onplay, onplaying, onpointercancel, ongotpointercapture, onpointerdown, onpointerenter, onpointerleave, onpointermove, onpointerout, onpointerover, onpointerup, onprogress, onratechange, onreadystatechange, onreset, onsearch, onscroll, onseeked, onseeking, onselect, onshow, onstalled, onsubmit, onsuspend, ontimeupdate, ontoggle, ontouchcancel, ontouchend, ontouchmove, ontouchstart, onvolumechange, onwaiting, onwheel, onauxclick, oncancel, onclose, oncontextlost, oncontextrestored, onformdata, onmouseenter, onmouseleave, onresize, onsecuritypolicyviolation, onslotchange, role, slot, spellcheck, style, tabindex, title, translate, xmlns, xml:base, xml:lang, xml:space
Custom
data-* attributes, where the first three characters of the value of
star (*) after lower-casing do not equal
xml and the value of
star does not have a colon (:), equal-to (=), newline, solidus (/), space, tab, or any A-Z character, are also considered global and allowed in all elements.
@@ -2257,22 +2312,22 @@
htmLawed documentation
Except for the main
htmLawed() function, htmLawed's functions are
name-spaced using the
hl_ prefix. The
functions and their roles are:
- *
hl_attrval - check attribute values against
$spec
- *
hl_bal - balance tags and ensure proper nesting
- *
hl_cmtcd - handle CDATA sections and HTML comments
- *
hl_ent - handle character entities
- *
hl_prot - check a URL scheme/protocol
+ *
hl_attributeValue - check attribute values against
$spec rules
+ *
hl_balance - balance tags and ensure proper nesting
+ *
hl_commentCdata - handle CDATA sections and HTML comments
+ *
hl_deprecatedElement - transform element tags
+ *
hl_entity - handle character entities
*
hl_regex - check syntax of a regular expression
- *
hl_spec - convert user-supplied
$spec value to one used internally
+ *
hl_spec - convert
$spec value to one used internally
*
hl_tag - handle element tags and attributes
- *
hl_tag2 - transform element tags
*
hl_tidy - compact/beautify HTML
+ *
hl_url - check URL-containing values
*
hl_version - report htmLawed version
*
htmLawed - main function
-
htmLawed() finalizes
$spec (with the help of
hl_spec()) and
$config, and globalizes them. Finalization of
$config involves setting default values if an inappropriate or invalid one is supplied. This includes calling
hl_regex() to check well-formedness of regular expression patterns if such expressions are user-supplied through
$config.
htmLawed() then removes invalid characters like nulls and
x01 and appropriately handles entities using
hl_ent(). HTML comments and CDATA sections are identified and treated as per
$config with the help of
hl_cmtcd(). When retained, the
< and
> characters identifying them, and the
<,
> and
& characters inside them, are replaced with control characters (code-points
1 to
5) till any tag balancing is completed.
+
htmLawed() finalizes
$spec (with the help of
hl_spec()) and
$config, and globalizes them. Finalization of
$config involves setting default values if an inappropriate or invalid one is supplied. This includes calling
hl_regex() to check well-formedness of regular expression patterns if such expressions are user-supplied through
$config.
htmLawed() then removes invalid characters like nulls and
x01 and appropriately handles entities using
hl_entity(). HTML comments and CDATA sections are identified and treated as per
$config with the help of
hl_commentCdata(). When retained, the
< and
> characters identifying them, and the
<,
> and
& characters inside them, are replaced with control characters (code-points
1 to
5) till any tag balancing is completed.
- After this
initial processing htmLawed() identifies tags using regex and processes them with the help of
hl_tag() -- a large function that analyzes tag content, filtering it as per HTML standards,
$config and
$spec. Among other things,
hl_tag() transforms deprecated elements using
hl_tag2(), removes attributes from closing tags, checks attribute values as per
$spec rules using
hl_attrval(), and checks URL protocols using
hl_prot().
htmLawed() performs tag balancing and nesting checks with a call to
hl_bal(), and optionally compacts/beautifies the output with proper white-spacing with a call to
hl_tidy(). The latter temporarily replaces white-space, and
<,
> and
& characters inside
pre,
script and
textarea elements, and HTML comments and CDATA sections with control characters (code-points
1 to
5, and
7).
+ After this
initial processing htmLawed() identifies tags using regex and processes them with the help of
hl_tag() -- a large function that analyzes tag content, filtering it as per HTML standards,
$config and
$spec. Among other things,
hl_tag() transforms deprecated elements using
hl_deprecatedElement(), removes attributes from closing tags, checks attribute values as per
$spec rules using
hl_attributeValue(), and checks URL protocols using
hl_url().
htmLawed() performs tag balancing and nesting checks with a call to
hl_balance(), and optionally compacts/beautifies the output with proper white-spacing with a call to
hl_tidy(). The latter temporarily replaces white-space, and
<,
> and
& characters inside
pre,
script and
textarea elements, and HTML comments and CDATA sections with control characters (code-points
1 to
5, and
7).
htmLawed permits the use of custom code or
hook functions at two stages. The first, called inside
htmLawed(), allows the input text as well as the finalized
$config and
$spec values to be altered right after the initial processing (see
section 3.7). The second is called by
hl_tag() once the tag content is finalized (see
section 3.4.9).
@@ -2280,8 +2335,8 @@
htmLawed documentation
-htmLawed 1.2.4.2, 16 May 2019
+
+htmLawed 1.2.11
Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+
-A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed