4 * Validates a font family list according to CSS spec
5 * @todo whitelisting allowed fonts would be nice
7 class HTMLPurifier_AttrDef_CSS_FontFamily extends HTMLPurifier_AttrDef
10 public function validate($string, $config, $context) {
11 static $generic_names = array(
19 // assume that no font names contain commas in them
20 $fonts = explode(',', $string);
22 foreach($fonts as $font) {
24 if ($font === '') continue;
25 // match a generic name
26 if (isset($generic_names[$font])) {
27 $final .= $font . ', ';
30 // match a quoted name
31 if ($font[0] === '"' || $font[0] === "'") {
32 $length = strlen($font);
33 if ($length <= 2) continue;
35 if ($font[$length - 1] !== $quote) continue;
36 $font = substr($font, 1, $length - 2);
39 for ($i = 0, $c = strlen($font); $i < $c; $i++) {
40 if ($font[$i] === '\\') {
46 if (ctype_xdigit($font[$i])) {
48 for ($a = 1, $i++; $i < $c && $a < 6; $i++, $a++) {
49 if (!ctype_xdigit($font[$i])) break;
52 // We have to be extremely careful when adding
53 // new characters, to make sure we're not breaking
55 $char = HTMLPurifier_Encoder::unichr(hexdec($code));
56 if (HTMLPurifier_Encoder::cleanUTF8($char) === '') continue;
58 if ($i < $c && trim($font[$i]) !== '') $i--;
61 if ($font[$i] === "\n") continue;
63 $new_font .= $font[$i];
68 // $font is a pure representation of the font name
70 if (ctype_alnum($font) && $font !== '') {
71 // very simple font, allow it in unharmed
72 $final .= $font . ', ';
76 // complicated font, requires quoting
78 // armor single quotes and new lines
79 $font = str_replace("\\", "\\\\", $font);
80 $font = str_replace("'", "\\'", $font);
81 $final .= "'$font', ";
83 $final = rtrim($final, ', ');
84 if ($final === '') return false;