2006-08-12 01:12:35 +00:00
|
|
|
<?php
|
|
|
|
|
|
2006-08-20 21:47:15 +00:00
|
|
|
/**
|
|
|
|
|
* Validates a URI as defined by RFC 3986.
|
|
|
|
|
* @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
|
|
|
|
|
*/
|
2006-08-12 01:12:35 +00:00
|
|
|
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
|
|
|
|
|
{
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
/**
|
|
|
|
|
* @type HTMLPurifier_URIParser
|
|
|
|
|
*/
|
2008-05-14 02:19:00 +00:00
|
|
|
protected $parser;
|
2013-07-16 11:56:14 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @type bool
|
|
|
|
|
*/
|
2007-11-25 02:24:39 +00:00
|
|
|
protected $embedsResource;
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2006-11-17 23:09:10 +00:00
|
|
|
/**
|
2013-07-16 11:56:14 +00:00
|
|
|
* @param bool $embeds_resource Does the URI here result in an extra HTTP request?
|
2006-11-17 23:09:10 +00:00
|
|
|
*/
|
2013-07-16 11:56:14 +00:00
|
|
|
public function __construct($embeds_resource = false)
|
|
|
|
|
{
|
2007-08-01 14:55:09 +00:00
|
|
|
$this->parser = new HTMLPurifier_URIParser();
|
2013-07-16 11:56:14 +00:00
|
|
|
$this->embedsResource = (bool)$embeds_resource;
|
2006-08-17 01:05:35 +00:00
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
/**
|
|
|
|
|
* @param string $string
|
|
|
|
|
* @return HTMLPurifier_AttrDef_URI
|
|
|
|
|
*/
|
|
|
|
|
public function make($string)
|
|
|
|
|
{
|
Implement Iframe module, and provide %HTML.SafeIframe and %URI.SafeIframeRegexp for untrusted usage.
The purpose of this addition is twofold. In trusted mode, iframes are
now unconditionally allowed.
However, many online video providers (YouTube, Vimeo) and other web
applications (Google Maps, Google Calendar, etc) provide embed code in
iframe format, which is useful functionality in untrusted mode.
You can specify iframes as trusted elements with %HTML.SafeIframe;
however, you need to additionally specify a whitelist mechanism such as
%URI.SafeIframeRegexp to say what iframe embeds are OK (by default
everything is rejected).
Note: As iframes are invalid in strict doctypes, you will not be able to
use them there.
We also added an always_load parameter to URIFilters in order to support
the strange nature of the SafeIframe URIFilter (it always needs to be
loaded, due to the inability of accessing the %HTML.SafeIframe directive
to see if it's needed!) We expect this URIFilter can expand in the future
to offer more complex validation mechanisms.
Signed-off-by: Bradley M. Froehle <brad.froehle@gmail.com>
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-02-14 01:47:01 +00:00
|
|
|
$embeds = ($string === 'embedded');
|
2008-06-09 01:23:05 +00:00
|
|
|
return new HTMLPurifier_AttrDef_URI($embeds);
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
/**
|
|
|
|
|
* @param string $uri
|
|
|
|
|
* @param HTMLPurifier_Config $config
|
|
|
|
|
* @param HTMLPurifier_Context $context
|
|
|
|
|
* @return bool|string
|
|
|
|
|
*/
|
|
|
|
|
public function validate($uri, $config, $context)
|
|
|
|
|
{
|
|
|
|
|
if ($config->get('URI.Disable')) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2006-08-12 01:12:35 +00:00
|
|
|
$uri = $this->parseCDATA($uri);
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-01 14:55:09 +00:00
|
|
|
// parse the URI
|
2007-08-01 18:34:46 +00:00
|
|
|
$uri = $this->parser->parse($uri);
|
2013-07-16 11:56:14 +00:00
|
|
|
if ($uri === false) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
// add embedded flag to context for validators
|
2008-12-06 07:28:20 +00:00
|
|
|
$context->register('EmbeddedURI', $this->embedsResource);
|
|
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
$ok = false;
|
|
|
|
|
do {
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
// generic validation
|
|
|
|
|
$result = $uri->validate($config, $context);
|
2013-07-16 11:56:14 +00:00
|
|
|
if (!$result) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-09-27 00:07:27 +00:00
|
|
|
// chained filtering
|
2008-04-23 02:40:17 +00:00
|
|
|
$uri_def = $config->getDefinition('URI');
|
2007-08-02 01:12:27 +00:00
|
|
|
$result = $uri_def->filter($uri, $config, $context);
|
2013-07-16 11:56:14 +00:00
|
|
|
if (!$result) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
|
|
|
|
// scheme-specific validation
|
2007-08-02 01:12:27 +00:00
|
|
|
$scheme_obj = $uri->getSchemeObj($config, $context);
|
2013-07-16 11:56:14 +00:00
|
|
|
if (!$scheme_obj) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if ($this->embedsResource && !$scheme_obj->browsable) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
2007-08-02 01:12:27 +00:00
|
|
|
$result = $scheme_obj->validate($uri, $config, $context);
|
2013-07-16 11:56:14 +00:00
|
|
|
if (!$result) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-05-26 16:26:47 +00:00
|
|
|
// Post chained filtering
|
|
|
|
|
$result = $uri_def->postFilter($uri, $config, $context);
|
2013-07-16 11:56:14 +00:00
|
|
|
if (!$result) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
// survived gauntlet
|
|
|
|
|
$ok = true;
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
} while (false);
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
$context->destroy('EmbeddedURI');
|
2013-07-16 11:56:14 +00:00
|
|
|
if (!$ok) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
2007-08-01 18:34:46 +00:00
|
|
|
// back to string
|
2008-06-18 03:29:27 +00:00
|
|
|
return $uri->toString();
|
2006-08-12 01:12:35 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-06 09:24:59 +00:00
|
|
|
// vim: et sw=4 sts=4
|
