2006-08-12 01:12:35 +00:00
|
|
|
<?php
|
|
|
|
|
2006-08-17 01:05:35 +00:00
|
|
|
require_once 'HTMLPurifier/AttrDef.php';
|
2007-08-01 14:55:09 +00:00
|
|
|
require_once 'HTMLPurifier/URIParser.php';
|
2006-08-12 01:12:35 +00:00
|
|
|
require_once 'HTMLPurifier/URIScheme.php';
|
|
|
|
require_once 'HTMLPurifier/URISchemeRegistry.php';
|
2007-02-14 20:38:51 +00:00
|
|
|
require_once 'HTMLPurifier/AttrDef/URI/Host.php';
|
2006-11-07 17:15:28 +00:00
|
|
|
require_once 'HTMLPurifier/PercentEncoder.php';
|
2006-08-12 01:12:35 +00:00
|
|
|
|
2006-09-16 22:36:58 +00:00
|
|
|
HTMLPurifier_ConfigSchema::define(
|
2006-08-27 18:49:16 +00:00
|
|
|
'URI', 'DefaultScheme', 'http', 'string',
|
2006-08-12 03:35:05 +00:00
|
|
|
'Defines through what scheme the output will be served, in order to '.
|
|
|
|
'select the proper object validator when no scheme information is present.'
|
|
|
|
);
|
|
|
|
|
2006-11-12 03:35:41 +00:00
|
|
|
HTMLPurifier_ConfigSchema::define(
|
|
|
|
'URI', 'Host', null, 'string/null',
|
|
|
|
'Defines the domain name of the server, so we can determine whether or '.
|
|
|
|
'an absolute URI is from your website or not. Not strictly necessary, '.
|
|
|
|
'as users should be using relative URIs to reference resources on your '.
|
|
|
|
'website. It will, however, let you use absolute URIs to link to '.
|
|
|
|
'subdomains of the domain you post here: i.e. example.com will allow '.
|
|
|
|
'sub.example.com. However, higher up domains will still be excluded: '.
|
|
|
|
'if you set %URI.Host to sub.example.com, example.com will be blocked. '.
|
|
|
|
'This directive has been available since 1.2.0.'
|
|
|
|
);
|
|
|
|
|
2006-11-23 23:59:20 +00:00
|
|
|
HTMLPurifier_ConfigSchema::define(
|
2006-11-12 03:35:41 +00:00
|
|
|
'URI', 'DisableExternal', false, 'bool',
|
|
|
|
'Disables links to external websites. This is a highly effective '.
|
|
|
|
'anti-spam and anti-pagerank-leech measure, but comes at a hefty price: no'.
|
|
|
|
'links or images outside of your domain will be allowed. Non-linkified '.
|
|
|
|
'URIs will still be preserved. If you want to be able to link to '.
|
|
|
|
'subdomains or use absolute URIs, specify %URI.Host for your website. '.
|
|
|
|
'This directive has been available since 1.2.0.'
|
|
|
|
);
|
|
|
|
|
2006-11-23 23:59:20 +00:00
|
|
|
HTMLPurifier_ConfigSchema::define(
|
|
|
|
'URI', 'DisableExternalResources', false, 'bool',
|
|
|
|
'Disables the embedding of external resources, preventing users from '.
|
|
|
|
'embedding things like images from other hosts. This prevents '.
|
|
|
|
'access tracking (good for email viewers), bandwidth leeching, '.
|
|
|
|
'cross-site request forging, goatse.cx posting, and '.
|
|
|
|
'other nasties, but also results in '.
|
|
|
|
'a loss of end-user functionality (they can\'t directly post a pic '.
|
|
|
|
'they posted from Flickr anymore). Use it if you don\'t have a '.
|
|
|
|
'robust user-content moderation team. This directive has been '.
|
|
|
|
'available since 1.3.0.'
|
|
|
|
);
|
|
|
|
|
|
|
|
HTMLPurifier_ConfigSchema::define(
|
|
|
|
'URI', 'DisableResources', false, 'bool',
|
|
|
|
'Disables embedding resources, essentially meaning no pictures. You can '.
|
|
|
|
'still link to them though. See %URI.DisableExternalResources for why '.
|
|
|
|
'this might be a good idea. This directive has been available since 1.3.0.'
|
|
|
|
);
|
|
|
|
|
2006-11-24 00:29:16 +00:00
|
|
|
HTMLPurifier_ConfigSchema::define(
|
|
|
|
'URI', 'Munge', null, 'string/null',
|
|
|
|
'Munges all browsable (usually http, https and ftp) URI\'s into some URL '.
|
|
|
|
'redirection service. Pass this directive a URI, with %s inserted where '.
|
|
|
|
'the url-encoded original URI should be inserted (sample: '.
|
|
|
|
'<code>http://www.google.com/url?q=%s</code>). '.
|
|
|
|
'This prevents PageRank leaks, while being as transparent as possible '.
|
|
|
|
'to users (you may also want to add some client side JavaScript to '.
|
|
|
|
'override the text in the statusbar). Warning: many security experts '.
|
|
|
|
'believe that this form of protection does not deter spam-bots. '.
|
|
|
|
'You can also use this directive to redirect users to a splash page '.
|
|
|
|
'telling them they are leaving your website. '.
|
|
|
|
'This directive has been available since 1.3.0.'
|
|
|
|
);
|
|
|
|
|
2006-11-26 23:14:12 +00:00
|
|
|
HTMLPurifier_ConfigSchema::define(
|
|
|
|
'URI', 'HostBlacklist', array(), 'list',
|
|
|
|
'List of strings that are forbidden in the host of any URI. Use it to '.
|
|
|
|
'kill domain names of spam, etc. Note that it will catch anything in '.
|
|
|
|
'the domain, so <tt>moo.com</tt> will catch <tt>moo.com.example.com</tt>. '.
|
|
|
|
'This directive has been available since 1.3.0.'
|
|
|
|
);
|
|
|
|
|
2007-02-14 01:57:06 +00:00
|
|
|
HTMLPurifier_ConfigSchema::define(
|
|
|
|
'URI', 'Disable', false, 'bool',
|
|
|
|
'Disables all URIs in all forms. Not sure why you\'d want to do that '.
|
|
|
|
'(after all, the Internet\'s founded on the notion of a hyperlink). '.
|
|
|
|
'This directive has been available since 1.3.0.'
|
|
|
|
);
|
|
|
|
HTMLPurifier_ConfigSchema::defineAlias('Attr', 'DisableURI', 'URI', 'Disable');
|
|
|
|
|
2006-08-20 21:47:15 +00:00
|
|
|
/**
|
|
|
|
* Validates a URI as defined by RFC 3986.
|
|
|
|
* @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
|
|
|
|
*/
|
2006-08-12 01:12:35 +00:00
|
|
|
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
|
|
|
|
{
|
2006-08-12 03:35:05 +00:00
|
|
|
|
2007-08-01 18:34:46 +00:00
|
|
|
var $parser, $percentEncoder;
|
|
|
|
var $embedsResource;
|
2006-08-17 01:05:35 +00:00
|
|
|
|
2006-11-17 23:09:10 +00:00
|
|
|
/**
|
2006-11-23 23:59:20 +00:00
|
|
|
* @param $embeds_resource_resource Does the URI here result in an extra HTTP request?
|
2006-11-17 23:09:10 +00:00
|
|
|
*/
|
2006-11-23 23:59:20 +00:00
|
|
|
function HTMLPurifier_AttrDef_URI($embeds_resource = false) {
|
2007-08-01 14:55:09 +00:00
|
|
|
$this->parser = new HTMLPurifier_URIParser();
|
2007-08-01 18:34:46 +00:00
|
|
|
$this->percentEncoder = new HTMLPurifier_PercentEncoder();
|
|
|
|
$this->embedsResource = (bool) $embeds_resource;
|
2006-08-17 01:05:35 +00:00
|
|
|
}
|
|
|
|
|
2006-08-12 16:04:40 +00:00
|
|
|
function validate($uri, $config, &$context) {
|
2006-08-12 01:12:35 +00:00
|
|
|
|
2007-02-14 01:57:06 +00:00
|
|
|
if ($config->get('URI', 'Disable')) return false;
|
|
|
|
|
2007-08-01 14:55:09 +00:00
|
|
|
// initial operations
|
2006-08-12 01:12:35 +00:00
|
|
|
$uri = $this->parseCDATA($uri);
|
2007-08-01 18:34:46 +00:00
|
|
|
$uri = $this->percentEncoder->normalize($uri);
|
2006-11-07 17:15:28 +00:00
|
|
|
|
2007-08-01 14:55:09 +00:00
|
|
|
// parse the URI
|
2007-08-01 18:34:46 +00:00
|
|
|
$uri = $this->parser->parse($uri);
|
|
|
|
if ($uri === false) return false;
|
2006-08-12 03:35:05 +00:00
|
|
|
|
2007-08-01 18:34:46 +00:00
|
|
|
// generic validation
|
|
|
|
$context->register('EmbeddedURI', $this->embedsResource); // flag
|
|
|
|
$result = $uri->validate($config, $context);
|
|
|
|
$context->destroy('EmbeddedURI');
|
|
|
|
if (!$result) return false;
|
2006-08-12 03:35:05 +00:00
|
|
|
|
2007-08-01 18:34:46 +00:00
|
|
|
// scheme-specific validation
|
|
|
|
$scheme_obj = $uri->getSchemeObj($config, $context);
|
|
|
|
if (!$scheme_obj) return false;
|
|
|
|
if ($this->embedsResource && !$scheme_obj->browsable) return false;
|
|
|
|
$result = $scheme_obj->validate($uri, $config, $context);
|
|
|
|
if (!$result) return false;
|
2006-08-12 03:35:05 +00:00
|
|
|
|
2007-08-01 18:34:46 +00:00
|
|
|
// back to string
|
|
|
|
$result = $uri->toString();
|
2006-08-12 03:35:05 +00:00
|
|
|
|
2006-11-24 00:29:16 +00:00
|
|
|
// munge if necessary
|
2007-08-01 18:34:46 +00:00
|
|
|
if (
|
|
|
|
!is_null($uri->host) && // indicator for authority
|
|
|
|
!empty($scheme_obj->browsable) &&
|
|
|
|
!is_null($munge = $config->get('URI', 'Munge'))
|
|
|
|
) {
|
|
|
|
$result = str_replace('%s', rawurlencode($result), $munge);
|
2006-11-24 00:29:16 +00:00
|
|
|
}
|
|
|
|
|
2006-08-12 03:35:05 +00:00
|
|
|
return $result;
|
|
|
|
|
2006-08-12 01:12:35 +00:00
|
|
|
}
|
2006-08-12 03:35:05 +00:00
|
|
|
|
2006-08-12 01:12:35 +00:00
|
|
|
}
|
|
|
|
|
2007-06-27 13:58:32 +00:00
|
|
|
|