<?php
// WARNING: All the URI schemes are far too relaxed; we need to tighten
// the checks.
/**
 * Exercises the per-scheme URI validators (the HTMLPurifier_URIScheme
 * objects resolved through HTMLPurifier_URI::getSchemeObj()).
 *
 * Every test feeds one URI through its scheme's validate() and checks that
 * the result is either the expected normalized URI or an outright rejection.
 * Components a scheme does not use (userinfo, default ports, query strings,
 * invalid typecodes, ...) are expected to be dropped on output.
 */
class HTMLPurifier_URISchemeTest extends HTMLPurifier_URIHarness
{
    /**
     * Base64 payload of a tiny PNG, shared by the data: URI tests.
     *
     * @var string
     */
    private $samplePng;

    public function __construct()
    {
        // NOTE(review): parent::__construct() is not invoked here; confirm
        // that HTMLPurifier_URIHarness / the test runner do not depend on it.
        $this->samplePng = implode('', array(
            'iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAYAAACNMs+9AAAABGdBTUEAALGP',
            'C/xhBQAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9YGARc5KB0XV+IA',
            'AAAddEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIFRoZSBHSU1Q72QlbgAAAF1J',
            'REFUGNO9zL0NglAAxPEfdLTs4BZM4DIO4C7OwQg2JoQ9LE1exdlYvBBeZ7jq',
            'ch9//q1uH4TLzw4d6+ErXMMcXuHWxId3KOETnnXXV6MJpcq2MLaI97CER3N0',
            'vr4MkhoXe0rZigAAAABJRU5ErkJggg==',
        ));
    }

    /**
     * Runs $uri through the validator of its own scheme and checks the outcome.
     *
     * @param string      $uri        URI under test
     * @param string|bool $expect_uri The normalized URI expected back; true
     *                                when the input should come back unchanged
     *                                (the single-argument tests); false when
     *                                the scheme must reject the URI
     */
    protected function assertValidation($uri, $expect_uri = true)
    {
        $this->prepareURI($uri, $expect_uri);

        // Whitelist only the scheme under test so that getSchemeObj() resolves
        // it regardless of the default URI.AllowedSchemes list.
        $this->config->set('URI.AllowedSchemes', array($uri->scheme));

        $schemeObj = $uri->getSchemeObj($this->config, $this->context);
        $outcome = $schemeObj->validate($uri, $this->config, $this->context);

        $this->assertEitherFailOrIdentical($outcome, $uri, $expect_uri);
    }

    // ---- http / https -------------------------------------------------

    public function test_http_regular()
    {
        $this->assertValidation('http://example.com/?s=q#fragment');
    }

    public function test_http_uppercase()
    {
        $this->assertValidation('http://example.com/FOO');
    }

    public function test_http_removeDefaultPort()
    {
        $input = 'http://example.com:80';
        $normalized = 'http://example.com';
        $this->assertValidation($input, $normalized);
    }

    public function test_http_removeUserInfo()
    {
        // Credentials embedded in the authority are dropped on output.
        $input = 'http://bob@example.com';
        $normalized = 'http://example.com';
        $this->assertValidation($input, $normalized);
    }

    public function test_http_preserveNonDefaultPort()
    {
        $this->assertValidation('http://example.com:8080');
    }

    public function test_https_regular()
    {
        $input = 'https://user@example.com:443/?s=q#frag';
        $normalized = 'https://example.com/?s=q#frag';
        $this->assertValidation($input, $normalized);
    }

    // ---- ftp ----------------------------------------------------------

    public function test_ftp_regular()
    {
        $this->assertValidation('ftp://user@example.com/path');
    }

    public function test_ftp_removeDefaultPort()
    {
        $input = 'ftp://example.com:21';
        $normalized = 'ftp://example.com';
        $this->assertValidation($input, $normalized);
    }

    public function test_ftp_removeQueryString()
    {
        $input = 'ftp://example.com?s=q';
        $normalized = 'ftp://example.com';
        $this->assertValidation($input, $normalized);
    }

    public function test_ftp_preserveValidTypecode()
    {
        $this->assertValidation('ftp://example.com/file.txt;type=a');
    }

    public function test_ftp_removeInvalidTypecode()
    {
        $input = 'ftp://example.com/file.txt;type=z';
        $normalized = 'ftp://example.com/file.txt';
        $this->assertValidation($input, $normalized);
    }

    public function test_ftp_encodeExtraSemicolons()
    {
        // Only one ";type=" parameter is meaningful; other semicolons are
        // percent-encoded rather than left as path parameters.
        $input = 'ftp://example.com/too;many;semicolons=1';
        $normalized = 'ftp://example.com/too%3Bmany%3Bsemicolons=1';
        $this->assertValidation($input, $normalized);
    }

    // ---- news / nntp --------------------------------------------------

    public function test_news_regular()
    {
        $this->assertValidation('news:gmane.science.linguistics');
    }

    public function test_news_explicit()
    {
        $this->assertValidation('news:642@eagle.ATT.COM');
    }

    public function test_news_removeNonPathComponents()
    {
        $input = 'news://user@example.com:80/rec.music?path=foo#frag';
        $normalized = 'news:/rec.music#frag';
        $this->assertValidation($input, $normalized);
    }

    public function test_nntp_regular()
    {
        $this->assertValidation('nntp://news.example.com/alt.misc/42#frag');
    }

    public function test_nntp_removalOfRedundantOrUselessComponents()
    {
        $input = 'nntp://user@news.example.com:119/alt.misc/42?s=q#frag';
        $normalized = 'nntp://news.example.com/alt.misc/42#frag';
        $this->assertValidation($input, $normalized);
    }

    // ---- mailto -------------------------------------------------------

    public function test_mailto_regular()
    {
        $this->assertValidation('mailto:bob@example.com');
    }

    public function test_mailto_removalOfRedundantOrUselessComponents()
    {
        $input = 'mailto://user@example.com:80/bob@example.com?subject=Foo#frag';
        $normalized = 'mailto:/bob@example.com?subject=Foo#frag';
        $this->assertValidation($input, $normalized);
    }

    // ---- tel ----------------------------------------------------------

    public function test_tel_strip_punctuation()
    {
        $this->assertValidation('tel:+1 (555) 555-5555', 'tel:+15555555555');
    }

    public function test_tel_regular()
    {
        $this->assertValidation('tel:+15555555555');
    }

    public function test_tel_with_extension()
    {
        $this->assertValidation('tel:+1-555-555-5555x123', 'tel:+15555555555x123');
    }

    public function test_tel_no_plus()
    {
        $this->assertValidation('tel:555-555-5555', 'tel:5555555555');
    }

    public function test_tel_strip_letters()
    {
        // Anything that is not a digit (or the leading '+' / extension 'x')
        // is removed rather than causing a rejection.
        $this->assertValidation('tel:abcd1234', 'tel:1234');
    }

    // ---- data ---------------------------------------------------------

    public function test_data_png()
    {
        $this->assertValidation('data:image/png;base64,' . $this->samplePng);
    }

    public function test_data_malformed()
    {
        // NOTE(review): the input here is identical to test_data_too_short
        // below; one of the two was presumably meant to carry a data: payload.
        // Confirm against the upstream file before relying on this case.
        $this->assertValidation('', false);
    }

    public function test_data_implicit()
    {
        // A data: URI without an explicit media type is normalized to the
        // type sniffed from the payload.
        $input = 'data:base64,' . $this->samplePng;
        $normalized = 'data:image/png;base64,' . $this->samplePng;
        $this->assertValidation($input, $normalized);
    }

    // ---- file ---------------------------------------------------------

    public function test_file_basic()
    {
        $input = 'file://user@MYCOMPUTER:12/foo/bar?baz#frag';
        $normalized = 'file://MYCOMPUTER/foo/bar#frag';
        $this->assertValidation($input, $normalized);
    }

    public function test_file_local()
    {
        // file: is one of the schemes that permits an empty host, so the
        // triple-slash form is kept (only the query string is dropped).
        $input = 'file:///foo/bar?baz#frag';
        $normalized = 'file:///foo/bar#frag';
        $this->assertValidation($input, $normalized);
    }

    // ---- rejection cases ----------------------------------------------

    public function test_ftp_empty_host()
    {
        // ftp: does not allow an empty host (unlike data, file, mailto and
        // news), so a URI with an empty authority is rejected outright instead
        // of being rewritten -- rewriting it would change how browsers parse
        // the path that starts with "//".
        $this->assertValidation('ftp:///example.com', false);
    }

    public function test_data_bad_base64()
    {
        $this->assertValidation('|', false);
    }

    public function test_data_too_short()
    {
        $this->assertValidation('', false);
    }
}
// vim: et sw=4 sts=4