mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-01-03 05:11:52 +00:00
Code Releases Activity

Remove legacy required code from AttrDef_URI, also explicitly disallow < and > in URIs.

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@253 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2006-08-14 21:06:57 +00:00
parent 299236f695
commit 218eb67167
4 changed files with 21 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/config.txt
View File

@ -3,5 +3,9 @@ Configuration
Configuration is documented on a per-use case: if a class uses a certain Configuration is documented on a per-use case: if a class uses a certain
value from the configuration object, it has to define its name and what the value from the configuration object, it has to define its name and what the
value is used for. This means decentralized configuration declaration that value is used for. This means decentralized configuration declarations that
is nevertheless error checking. are nevertheless error checking and a centralized configuration object.
Directives are divided into namespaces, indicating the major portion of
functionality they cover (although there may be overlaps. Please consult
the documentation in ConfigDef for more information on these namespaces.

21
library/HTMLPurifier/AttrDef/URI.php
View File

@ -12,12 +12,6 @@ HTMLPurifier_ConfigDef::define(
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
{ {
var $required = false;
function HTMLPurifier_AttrDef_URI($required = false) {
$this->required = $required;
}
function validate($uri, $config, &$context) { function validate($uri, $config, &$context) {
// We'll write stack-based parsers later, for now, use regexps to // We'll write stack-based parsers later, for now, use regexps to
@ -30,18 +24,23 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
// for HTTP and thus won't work for our generic URI parsing // for HTTP and thus won't work for our generic URI parsing
// according to the RFC... (but this cuts corners, i.e. non-validating) // according to the RFC... (but this cuts corners, i.e. non-validating)
$r_URI = '!^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?!'; $r_URI = '!^'.
// 12 3 4 5 6 7 8 9 '(([^:/?#<>]+):)?'. // 2. Scheme
'(//([^/?#<>]*))?'. // 4. Authority
'([^?#<>]*)'. // 5. Path
'(\?([^#<>]*))?'. // 7. Query
'(#([^<>]*))?'. // 8. Fragment
'$!';
$matches = array(); $matches = array();
$result = preg_match($r_URI, $uri, $matches); $result = preg_match($r_URI, $uri, $matches);
if (!$result) return ''; if (!$result) return false; // invalid URI
// seperate out parts // seperate out parts
$scheme = !empty($matches[1]) ? $matches[2] : null; $scheme = !empty($matches[1]) ? $matches[2] : null;
$authority = !empty($matches[3]) ? $matches[4] : null; $authority = !empty($matches[3]) ? $matches[4] : null;
$path = $matches[5]; // always present $path = $matches[5]; // always present, can be empty
$query = !empty($matches[6]) ? $matches[7] : null; $query = !empty($matches[6]) ? $matches[7] : null;
$fragment = !empty($matches[8]) ? $matches[9] : null; $fragment = !empty($matches[8]) ? $matches[9] : null;
@ -53,7 +52,7 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
// retrieve the specific scheme object from the registry // retrieve the specific scheme object from the registry
$scheme = ctype_lower($scheme) ? $scheme : strtolower($scheme); $scheme = ctype_lower($scheme) ? $scheme : strtolower($scheme);
$scheme_obj =& $registry->getScheme($scheme, $config); $scheme_obj =& $registry->getScheme($scheme, $config);
if (!$scheme_obj) return $this->required ? '' : false; // invalid scheme, clean it out if (!$scheme_obj) return false; // invalid scheme, clean it out
} else { } else {
$scheme_obj =& $registry->getScheme( $scheme_obj =& $registry->getScheme(
$config->get('URI', 'DefaultScheme'), $config $config->get('URI', 'DefaultScheme'), $config

3
library/HTMLPurifier/Definition.php
View File

@ -317,13 +317,12 @@ class HTMLPurifier_Definition
$e_URI = new HTMLPurifier_AttrDef_URI(); $e_URI = new HTMLPurifier_AttrDef_URI();
$this->info['a']->attr['href'] = $this->info['a']->attr['href'] =
$this->info['img']->attr['longdesc'] = $this->info['img']->attr['longdesc'] =
$this->info['img']->attr['src'] =
$this->info['del']->attr['cite'] = $this->info['del']->attr['cite'] =
$this->info['ins']->attr['cite'] = $this->info['ins']->attr['cite'] =
$this->info['blockquote']->attr['cite'] = $this->info['blockquote']->attr['cite'] =
$this->info['q']->attr['cite'] = $e_URI; $this->info['q']->attr['cite'] = $e_URI;
$this->info['img']->attr['src'] = new HTMLPurifier_AttrDef_URI(true);
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////
// UNIMP : info_tag_transform : transformations of tags // UNIMP : info_tag_transform : transformations of tags

4
tests/HTMLPurifier/AttrDef/URITest.php
View File

@ -153,6 +153,10 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
$uri[18] = '/a/b'; $uri[18] = '/a/b';
$components[18] = array(null, null, null, '/a/b', null); $components[18] = array(null, null, null, '/a/b', null);
// it's not allowed, so generic URI should get it
$uri[19] = '<';
$expect_uri[19] = false;
foreach ($uri as $i => $value) { foreach ($uri as $i => $value) {
// setUpAssertDef // setUpAssertDef