htmlpurifier/library/HTMLPurifier/URIScheme/file.php

<?php

/**
 * Validates file as defined by RFC 1630 and RFC 1738.
 */
class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme {

    // Generally file:// URLs are not accessible from most
    // machines, so placing them as an img src is incorrect.
    public $browsable = false;

    // Basically the *only* URI scheme for which this is true, since
    // accessing files on the local machine is very common.  In fact,
    // browsers on some operating systems don't understand the
    // authority, though I hear it is used on Windows to refer to
    // network shares.
    public $may_omit_host = true;

    public function doValidate(&$uri, $config, $context) {
        // Authentication method is not supported
        $uri->userinfo = null;
        // file:// makes no provisions for accessing the resource
        $uri->port     = null;
        // While it seems to work on Firefox, the querystring has
        // no possible effect and is thus stripped.
        $uri->query    = null;
        return true;
    }

}

// vim: et sw=4 sts=4
Add support for file:// URI scheme. Signed-off-by: Edward Z. Yang <ezyang@mit.edu> 2010-09-09 04:01:26 +00:00			`<?php`

			`/**`
			`* Validates file as defined by RFC 1630 and RFC 1738.`
			`*/`
			`class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme {`

			`// Generally file:// URLs are not accessible from most`
			`// machines, so placing them as an img src is incorrect.`
			`public $browsable = false;`

Dramatically rewrite null host URI handling. Basically, browsers don't parse what should be valid URIs correctly, so we have to go through some backbends to accomodate them. Specifically, for browseable URIs, the following URIs have unintended behavior: - ///example.com - http:/example.com - http:///example.com Furthermore, if the path begins with //, modifying these URLs must be done with care, as if you remove the host-name component, the parse tree changes. I've modified the engine to follow correct URI semantics as much as possible while outputting browser compatible code, and invalidate the URI in cases where we can't deal. There has been a refactoring of URIScheme so that this important check is always performed, introducing a new member variable allow_empty_host which is true on data, file, mailto and news schemes. This also fixes bypass bugs on URI.Munge. Signed-off-by: Edward Z. Yang <ezyang@mit.edu> 2011-01-25 18:56:46 +00:00			`// Basically the only URI scheme for which this is true, since`
			`// accessing files on the local machine is very common. In fact,`
			`// browsers on some operating systems don't understand the`
			`// authority, though I hear it is used on Windows to refer to`
			`// network shares.`
			`public $may_omit_host = true;`

			`public function doValidate(&$uri, $config, $context) {`
Add support for file:// URI scheme. Signed-off-by: Edward Z. Yang <ezyang@mit.edu> 2010-09-09 04:01:26 +00:00			`// Authentication method is not supported`
			`$uri->userinfo = null;`
			`// file:// makes no provisions for accessing the resource`
			`$uri->port = null;`
			`// While it seems to work on Firefox, the querystring has`
			`// no possible effect and is thus stripped.`
			`$uri->query = null;`
			`return true;`
			`}`

			`}`

			`// vim: et sw=4 sts=4`