ޑf*ѡKŘOtt8KѴKje|&&rgvC8Kc!W0p:Pmw0>my[H UxondLSLJ9}ъ` JpbW޽eO׸ei{ [7m ;S9gDee>GPy` A.@{q є2B2Ç3vT'`1X[o Ӝ%O7r+ΧsIR\ܦR1r%B'a$Y JcC{H7 "vI0;POz~b Wc`K7)!fQP)p}d\qp],b<%`;߷uߧ-[m))+YߛH|RW2(ޤ$rqP<ۿcTx!:U^ 񽁬w?=2i)yid)j 18xHh{]I&wsj]Fiv颦>gJaGe:?d{}Lb};vACo.kǵ77!!؋N$g\I"OG VQYĩ@svFTeDS-E&HX(/TPȣ[JMg6CnV@PdW#D_r_rlX]}&nTa>МllJ9 Wcj;!+(GPS\ҤN6j#]EƛÓc"'_YW p0?ш&ps‰LKp"CQNA찌]͟@W=EiZY}Ca ʛ!v0h 4hdzE7D_LjEAWҲ`BrvcpE G$#`.6Ȑ>cVFbR_d'zADSpdW r,s1Lev&efE<´Txpjqź%rT Uk7aakF CDE'io4f-` }XTɦ[ +E_ZDaٳeΏV޾+8J<(ǽF`1ėt|?Ǔ۲,)e} jDGb%c^y'Z1 oMG|8r*؉Y&U_E[cw}pOzE* 146H )f7H_H!X.ܩjqź%rT /a \9ZX-[řpvj1( 9UpC!ͱo ĢQ$3@b`P~u۲,)e} j3{Mk@ncN!%M"b^pL[ {eR4@Lmڏ9-qM>"%Qі̐zxYlD RPmU#_@5N)swc3:)}oMG|8T9:!Tk":DQ+@UNu= EgllS$=LzZ] XWJxPl f~_?+D{U_@B1z몾ԩ_)y>]FivMc)w/Y>!GOPNm+4∧BާM^||fWIc+|1P~ݖOyvdnZzWv{GKm/^-Ƒ1W ݂vvxTAm _DV{8+l\zk&%G H_ʤCB8L 1N/GR/ n XcH SBЭ͌V~ q#1dR?N@5jP8_ "Ѡ f 2I$qK$2G?K0ŃwHQ9g\ҏQVCnk^hz=õ.<b@䈎xp"hm"c;fX4N &[1$X[Ax}q׮S{]0pty 8IjtHWGÆ՟62e K!.<;\[VpQ," !V:iȄmCAǸmuh|vP()=" WhY#kZdەYk܅ '.o5ΰJs]m`_XKO F͕qlrp /_(Yb>}`K3ʋhH3`E1$OjlaѺ 5/B2i_%{0'ɺ*!&&|Nr9΅F3 vKb;t$pw]p9;>-{gU0j+{3:e_xyo;SgS8JL^[K .${C;ya(X#\Z,cv$W"KT(`K`'C7imai6<)[ّpPi*}ȯ|߳*s%S\@T @u|&)A4+J/ =ix#USNnaOƂNiGT6}= !GG~LK7|]kiE}vueyBJ=Of%_?t*?A}Mz2Tte:uE`!F,ꝥT[/Б[}4w }(ۨ$7 GIF(55ҖkFOh1)/SCII. Because // most parsers give little thought to Unicode, treatment // of these codepoints is basically uniform, even for // punctuation-like codepoints. These characters can // show up in non-Western pages and are supported by most // major browsers, for example: "MS 明朝" is a // legitimate font-name // . See // the CSS3 spec for more examples: // // You can see live samples of these on the Internet: // // However, most of these fonts have ASCII equivalents: // for example, 'MS Mincho', and it's considered // professional to use ASCII font names instead of // Unicode font names. Thanks Takeshi Terada for // providing this information. // The following characters, to my knowledge, have not been // used to name font names. // - Single quote. While theoretically you might find a // font name that has a single quote in its name (serving // as an apostrophe, e.g. Dave's Scribble), I haven't // been able to find any actual examples of this. // Internet Explorer's cssText translation (which I // believe is invoked by innerHTML) normalizes any // quoting to single quotes, and fails to escape single // quotes. (Note that this is not IE's behavior for all // CSS properties, just some sort of special casing for // font-family). So a single quote *cannot* be used // safely in the font-family context if there will be an // innerHTML/cssText translation. Note that Firefox 3.x // does this too. // - Double quote. In IE, these get normalized to // single-quotes, no matter what the encoding. (Fun // fact, in IE8, the 'content' CSS property gained // support, where they special cased to preserve encoded // double quotes, but still translate unadorned double // quotes into single quotes.) So, because their // fixpoint behavior is identical to single quotes, they // cannot be allowed either. Firefox 3.x displays // single-quote style behavior. // - Backslashes are reduced by one (so \\ -> \) every // iteration, so they cannot be used safely. This shows // up in IE7, IE8 and FF3 // - Semicolons, commas and backticks are handled properly. // - The rest of the ASCII punctuation is handled properly. // We haven't checked what browsers do to unadorned // versions, but this is not important as long as the // browser doesn't /remove/ surrounding quotes (as IE does // for HTML). // // With these results in hand, we conclude that there are // various levels of safety: // - Paranoid: alphanumeric, spaces and dashes(?) // - International: Paranoid + non-ASCII Unicode // - Edgy: Everything except quotes, backslashes // - NoJS: Standards compliance, e.g. sod IE. Note that // with some judicious character escaping (since certain // types of escaping doesn't work) this is theoretically // OK as long as innerHTML/cssText is not called. // We believe that international is a reasonable default // (that we will implement now), and once we do more // extensive research, we may feel comfortable with dropping // it down to edgy. // Edgy: alphanumeric, spaces, dashes, underscores and Unicode. Use of // str(c)spn assumes that the string was already well formed // Unicode (which of course it is). if (strspn($font, $this->mask) !== strlen($font)) { continue; } // Historical: // In the absence of innerHTML/cssText, these ugly // transforms don't pose a security risk (as \\ and \" // might--these escapes are not supported by most browsers). // We could try to be clever and use single-quote wrapping // when there is a double quote present, but I have choosen // not to implement that. (NOTE: you can reduce the amount // of escapes by one depending on what quoting style you use) // $font = str_replace('\\', '\\5C ', $font); // $font = str_replace('"', '\\22 ', $font); // $font = str_replace("'", '\\27 ', $font); // font possibly with spaces, requires quoting $final .= "'$font', "; } $final = rtrim($final, ', '); if ($final === '') { return false; } return $final; } } // vim: et sw=4 sts=4