HTMLEditorSanitiser
class HTMLEditorSanitiser (View source)
Sanitises an HTMLValue so it's contents are the elements and attributes that are whitelisted using the same configuration as TinyMCE
See www.tinymce.com/wiki.php/configuration:valid_elements for details on the spec of TinyMCE's whitelist configuration
Traits
Provides extensions to this object to integrate it with standard config API methods.
A class that can be instantiated or replaced via DI
Config options
link_rel_value | string | rel attribute to add to link elements which have a target attribute (usually "_blank") this is to done to prevent reverse tabnabbing - see https://www.owasp.org/index.php/Reverse_Tabnabbing noopener includes the behaviour we want, though some browsers don't yet support it and rely upon using noreferrer instead - see https://caniuse.com/rel-noopener for current browser compatibility set this to null if you would like to disable this behaviour set this to an empty string if you would like to remove rel attributes that were previously set |
Properties
protected | stdClass | $elements | ||
protected | stdClass | $elementPatterns | ||
protected | stdClass | $globalAttributes |
Methods
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
Gets the uninherited value for the given config option
An implementation of the factory method, allows you to create an instance of a class
Creates a class instance by the "singleton" design pattern.
Given a TinyMCE pattern (close to unix glob style), create a regex that does the match
Given a valid_elements string, parse out the actual element and attribute rules and add to the internal whitelist
Given an element tag, return the rule structure for that element
Given an attribute name, return the rule structure for that attribute
Given a DOMElement and an element rule, check if that element passes the rule
Given a DOMAttr and an attribute rule, check if that attribute passes the rule
Details
static Config_ForClass
config()
Get a configuration accessor for this class. Short hand for Config::inst()->get($this->class, .....).
mixed
uninherited(string $name)
Gets the uninherited value for the given config option
static Injectable
create(mixed ...$args)
An implementation of the factory method, allows you to create an instance of a class
This method will defer class substitution to the Injector API, which can be customised via the Config API to declare substitution classes.
This can be called in one of two ways - either calling via the class directly, or calling on Object and passing the class name as the first parameter. The following are equivalent: $list = DataList::create(SiteTree::class); $list = SiteTree::get();
static Injectable
singleton(string $class = null)
Creates a class instance by the "singleton" design pattern.
It will always return the same instance for this class, which can be used for performance reasons and as a simple way to access instance methods which don't rely on instance data (e.g. the custom SilverStripe static handling).
__construct(HTMLEditorConfig $config)
Construct a sanitiser from a given HTMLEditorConfig
Note that we build data structures from the current state of HTMLEditorConfig - later changes to the passed instance won't cause this instance to update it's whitelist
protected string
patternToRegex($str)
Given a TinyMCE pattern (close to unix glob style), create a regex that does the match
protected
addValidElements(string $validElements)
Given a valid_elements string, parse out the actual element and attribute rules and add to the internal whitelist
Logic based heavily on javascript version from tiny_mce_src.js
protected stdClass
getRuleForElement(string $tag)
Given an element tag, return the rule structure for that element
protected stdClass
getRuleForAttribute(object $elementRule, string $name)
Given an attribute name, return the rule structure for that attribute
protected bool
elementMatchesRule(DOMElement $element, stdClass $rule = null)
Given a DOMElement and an element rule, check if that element passes the rule
protected bool
attributeMatchesRule(DOMAttr $attr, stdClass $rule = null)
Given a DOMAttr and an attribute rule, check if that attribute passes the rule
sanitise(HTMLValue $html)
Given an SS_HTMLValue instance, will remove and elements and attributes that are not explicitly included in the whitelist passed to __construct on instance creation