1<?php
2
3/**
4 * Validates the HTML attribute ID.
5 * @warning Even though this is the id processor, it
6 *          will ignore the directive Attr:IDBlacklist, since it will only
7 *          go according to the ID accumulator. Since the accumulator is
8 *          automatically generated, it will have already absorbed the
9 *          blacklist. If you're hacking around, make sure you use load()!
10 */
11
12class HTMLPurifier_AttrDef_HTML_ID extends HTMLPurifier_AttrDef
13{
14
15    // selector is NOT a valid thing to use for IDREFs, because IDREFs
16    // *must* target IDs that exist, whereas selector #ids do not.
17
18    /**
19     * Determines whether or not we're validating an ID in a CSS
20     * selector context.
21     * @type bool
22     */
23    protected $selector;
24
25    /**
26     * @param bool $selector
27     */
28    public function __construct($selector = false)
29    {
30        $this->selector = $selector;
31    }
32
33    /**
34     * @param string $id
35     * @param HTMLPurifier_Config $config
36     * @param HTMLPurifier_Context $context
37     * @return bool|string
38     */
39    public function validate($id, $config, $context)
40    {
41        if (!$this->selector && !$config->get('Attr.EnableID')) {
42            return false;
43        }
44
45        $id = trim($id); // trim it first
46
47        if ($id === '') {
48            return false;
49        }
50
51        $prefix = $config->get('Attr.IDPrefix');
52        if ($prefix !== '') {
53            $prefix .= $config->get('Attr.IDPrefixLocal');
54            // prevent re-appending the prefix
55            if (strpos($id, $prefix) !== 0) {
56                $id = $prefix . $id;
57            }
58        } elseif ($config->get('Attr.IDPrefixLocal') !== '') {
59            trigger_error(
60                '%Attr.IDPrefixLocal cannot be used unless ' .
61                '%Attr.IDPrefix is set',
62                E_USER_WARNING
63            );
64        }
65
66        if (!$this->selector) {
67            $id_accumulator =& $context->get('IDAccumulator');
68            if (isset($id_accumulator->ids[$id])) {
69                return false;
70            }
71        }
72
73        // we purposely avoid using regex, hopefully this is faster
74
75        if ($config->get('Attr.ID.HTML5') === true) {
76            if (preg_match('/[\t\n\x0b\x0c ]/', $id)) {
77                return false;
78            }
79        } else {
80            if (ctype_alpha($id)) {
81                // OK
82            } else {
83                if (!ctype_alpha(@$id[0])) {
84                    return false;
85                }
86                // primitive style of regexps, I suppose
87                $trim = trim(
88                    $id,
89                    'A..Za..z0..9:-._'
90                );
91                if ($trim !== '') {
92                    return false;
93                }
94            }
95        }
96
97        $regexp = $config->get('Attr.IDBlacklistRegexp');
98        if ($regexp && preg_match($regexp, $id)) {
99            return false;
100        }
101
102        if (!$this->selector) {
103            $id_accumulator->add($id);
104        }
105
106        // if no change was made to the ID, return the result
107        // else, return the new id if stripping whitespace made it
108        //     valid, or return false.
109        return $id;
110    }
111}
112
113// vim: et sw=4 sts=4
114