0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 16:31:53 +00:00

Lock configuration objects to a single namespace, to help prevent bugs.

* Also, fix a slight bug with URI definition clearing.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
This commit is contained in:
Edward Z. Yang 2009-05-25 23:38:49 -04:00
parent baf053b016
commit 10e2d32a79
3 changed files with 24 additions and 3 deletions

5
NEWS
View File

@ -34,8 +34,13 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Implement %Attr.AllowedClasses, which allows administrators to restrict ! Implement %Attr.AllowedClasses, which allows administrators to restrict
classes users can use to a specified finite set of classes, and classes users can use to a specified finite set of classes, and
%Attr.ForbiddenClasses, which is the logical inverse. %Attr.ForbiddenClasses, which is the logical inverse.
- Fix bug where URIDefinition would not get cleared if it's directives got
changed.
. Created script maintenance/rename-config.php for renaming a configuration . Created script maintenance/rename-config.php for renaming a configuration
directive while maintaining its alias. This script does not change source code. directive while maintaining its alias. This script does not change source code.
. Implement namespace locking for definition construction, to prevent
bugs where a directive is used for definition construction but is not
used to construct the cache hash.
3.3.0, released 2009-02-16 3.3.0, released 2009-02-16
! Implement CSS property 'overflow' when %CSS.AllowTricky is true. ! Implement CSS property 'overflow' when %CSS.AllowTricky is true.

2
TODO
View File

@ -20,8 +20,6 @@ afraid to cast your vote for the next feature to be implemented!
- Think about allowing explicit order of operations hooks for transforms - Think about allowing explicit order of operations hooks for transforms
- Allow more relaxed "class" definition than NMTOKENS for appropriate - Allow more relaxed "class" definition than NMTOKENS for appropriate
doctypes doctypes
- Lock when configuring Definition objects so we CAN'T access configuration
directives outside of what dependency has been registered.
FUTURE VERSIONS FUTURE VERSIONS
--------------- ---------------

View File

@ -80,6 +80,11 @@ class HTMLPurifier_Config
*/ */
public $chatty = true; public $chatty = true;
/**
* Current lock; only gets to this namespace are allowed.
*/
private $lock;
/** /**
* @param $definition HTMLPurifier_ConfigSchema that defines what directives * @param $definition HTMLPurifier_ConfigSchema that defines what directives
* are allowed. * are allowed.
@ -157,6 +162,13 @@ class HTMLPurifier_Config
E_USER_ERROR); E_USER_ERROR);
return; return;
} }
if ($this->lock) {
list($ns) = explode('.', $key);
if ($ns !== $this->lock) {
$this->triggerError('Cannot get value of namespace ' . $ns . ' when lock for ' . $this->lock . ' is active, this probably indicates a Definition setup method is accessing directives that are not within its namespace', E_USER_ERROR);
return;
}
}
return $this->plist->get($key); return $this->plist->get($key);
} }
@ -285,7 +297,7 @@ class HTMLPurifier_Config
// reset definitions if the directives they depend on changed // reset definitions if the directives they depend on changed
// this is a very costly process, so it's discouraged // this is a very costly process, so it's discouraged
// with finalization // with finalization
if ($namespace == 'HTML' || $namespace == 'CSS') { if ($namespace == 'HTML' || $namespace == 'CSS' || $namespace == 'URI') {
$this->definitions[$namespace] = null; $this->definitions[$namespace] = null;
} }
@ -326,8 +338,12 @@ class HTMLPurifier_Config
*/ */
public function getDefinition($type, $raw = false) { public function getDefinition($type, $raw = false) {
if (!$this->finalized) $this->autoFinalize(); if (!$this->finalized) $this->autoFinalize();
// temporarily suspend locks, so we can handle recursive definition calls
$lock = $this->lock;
$this->lock = null;
$factory = HTMLPurifier_DefinitionCacheFactory::instance(); $factory = HTMLPurifier_DefinitionCacheFactory::instance();
$cache = $factory->create($type, $this); $cache = $factory->create($type, $this);
$this->lock = $lock;
if (!$raw) { if (!$raw) {
// see if we can quickly supply a definition // see if we can quickly supply a definition
if (!empty($this->definitions[$type])) { if (!empty($this->definitions[$type])) {
@ -369,7 +385,9 @@ class HTMLPurifier_Config
return $this->definitions[$type]; return $this->definitions[$type];
} }
// set it up // set it up
$this->lock = $type;
$this->definitions[$type]->setup($this); $this->definitions[$type]->setup($this);
$this->lock = null;
// save in cache // save in cache
$cache->set($this->definitions[$type], $this); $cache->set($this->definitions[$type], $this);
return $this->definitions[$type]; return $this->definitions[$type];