summaryrefslogtreecommitdiff
path: root/library/ezyang/htmlpurifier/docs/proposal-new-directives.txt
diff options
context:
space:
mode:
authorGreg Roach <fisharebest@gmail.com>2014-03-27 11:26:04 +0000
committerGreg Roach <fisharebest@gmail.com>2014-03-27 13:00:15 +0000
commited285daa12bd7bf5fef583fe91b97c238dbf606f (patch)
tree5bc90b8548789a587609d8dbc030c571ea831b23 /library/ezyang/htmlpurifier/docs/proposal-new-directives.txt
parente7fa959ef1d52de051e5ac63e0debdbe47939a3f (diff)
downloadwebtrees-ed285daa12bd7bf5fef583fe91b97c238dbf606f.tar.gz
webtrees-ed285daa12bd7bf5fef583fe91b97c238dbf606f.tar.bz2
webtrees-ed285daa12bd7bf5fef583fe91b97c238dbf606f.zip
Install libraries using composer; use faster autoloader; update to latest versions
Diffstat (limited to 'library/ezyang/htmlpurifier/docs/proposal-new-directives.txt')
-rw-r--r--library/ezyang/htmlpurifier/docs/proposal-new-directives.txt44
1 files changed, 44 insertions, 0 deletions
diff --git a/library/ezyang/htmlpurifier/docs/proposal-new-directives.txt b/library/ezyang/htmlpurifier/docs/proposal-new-directives.txt
new file mode 100644
index 0000000000..f54ee2d8dd
--- /dev/null
+++ b/library/ezyang/htmlpurifier/docs/proposal-new-directives.txt
@@ -0,0 +1,44 @@
+
+Configuration Ideas
+
+Here are some theoretical configuration ideas that we could implement some
+time. Note the naming convention: %Namespace.Directive. If you want one
+implemented, give us a ring, and we'll move it up the priority chain.
+
+%Attr.RewriteFragments - if there's %Attr.IDPrefix we may want to transparently
+ rewrite the URLs we parse too. However, we can only do it when it's a pure
+ anchor link, so it's not foolproof
+
+%Attr.ClassBlacklist,
+%Attr.ClassWhitelist,
+%Attr.ClassPolicy - determines what classes are allowed. When
+ %Attr.ClassPolicy is set to Blacklist, only allow those not in
+ %Attr.ClassBlacklist. When it's Whitelist, only allow those in
+ %Attr.ClassWhitelist.
+
+%Attr.MaxWidth,
+%Attr.MaxHeight - caps for width and height related checks.
+ (the hack in Pixels for an image crashing attack could be replaced by this)
+
+%URI.AddRelNofollow - will add rel="nofollow" to all links, preventing the
+ spread of ill-gotten pagerank
+
+%URI.HostBlacklistRegex - regexes that if matching the host are disallowed
+%URI.HostWhitelist - domain names that are excluded from the host blacklist
+%URI.HostPolicy - determines whether or not its reject all and then whitelist
+ or allow all in then do specific blacklists with whitelist intervening.
+ 'DenyAll' or 'AllowAll' (default)
+
+%URI.DisableIPHosts - URIs that have IP addresses for hosts are disallowed.
+ Be sure to also grab unusual encodings (dword, hex and octal), which may
+ be currently be caught by regular DNS
+%URI.DisableIDN - Disallow raw internationalized domain names. Punycode
+ will still be permitted.
+
+%URI.ConvertUnusualIPHosts - transform dword/hex/octal IP addresses to the
+ regular form
+%URI.ConvertAbsoluteDNS - Remove extra dots after host names that trigger
+ absolute DNS. While this is actually the preferred method according to
+ the RFC, most people opt to use a relative domain name relative to . (root).
+
+ vim: et sw=4 sts=4