Don't add nofollow for matching hosts, generalize this code.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-09-19 10:45:18 +00:00 · 2011-06-12 10:59:27 +01:00 · 2011-06-12 10:59:27 +01:00 · 32c0ffde0c
commit 32c0ffde0c
parent 856a5e5b89
4 changed files with 22 additions and 6 deletions
--- a/2
+++ b/2
@ -17,6 +17,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 - Explicitly initialize anonModule variable to null.
 - Do not duplicate nofollow if already present.  Thanks 178
  for reporting.
+- Do not add nofollow if hostname matches our current host.  Thanks 178
+  for reporting, and Neike Taika-Tessaro for helping diagnose.

 4.3.0, released 2011-03-27
 # Fixed broken caching of customized raw definitions, but requires an
--- a/library/HTMLPurifier/AttrTransform/Nofollow.php
+++ b/library/HTMLPurifier/AttrTransform/Nofollow.php
@ -24,7 +24,7 @@ class HTMLPurifier_AttrTransform_Nofollow extends HTMLPurifier_AttrTransform
        $url = $this->parser->parse($attr['href']);
        $scheme = $url->getSchemeObj($config, $context);

-        if (!is_null($url->host) && $scheme !== false && $scheme->browsable) {
+        if ($scheme->browsable && !$url->isLocal($config, $context)) {
            if (isset($attr['rel'])) {
                $rels = explode(' ', $attr);
                if (!in_array('nofollow', $rels)) {
--- a/library/HTMLPurifier/URI.php
+++ b/library/HTMLPurifier/URI.php
@ -199,6 +199,21 @@ class HTMLPurifier_URI
        return $result;
    }

+    /**
+     * Returns true if this URL might be considered a 'local' URL given
+     * the current context.  This is true when the host is null, or
+     * when it matches the host supplied to the configuration.
+     *
+     * Note that this does not do any scheme checking (URI.Munge, I'm
+     * looking at you).
+     */
+    public function isLocal($config, $context) {
+        if ($this->host === null) return true;
+        $uri_def = $config->getDefinition('URI');
+        if ($uri_def->host === $this->host) return true;
+        return false;
+    }
+
 }

 // vim: et sw=4 sts=4
--- a/library/HTMLPurifier/URIFilter/Munge.php
+++ b/library/HTMLPurifier/URIFilter/Munge.php
@ -20,12 +20,11 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter

        $scheme_obj = $uri->getSchemeObj($config, $context);
        if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
-        if (is_null($uri->host) || empty($scheme_obj->browsable)) {
-            return true;
-        }
-        $uri_definition = $config->getDefinition('URI');
+        if (!$scheme_obj->browsable) return true; // ignore non-browseable schemes
+
        // don't redirect if target host is our host
-        if ($uri->host === $uri_definition->host) {
+        if ($uri->isLocal($config, $context)) {
+            $uri_definition = $config->getDefinition('URI');
            // but do redirect if we're currently on a secure scheme,
            // and the target scheme is insecure
            $current_scheme_obj = HTMLPurifier_URISchemeRegistry::instance()->getScheme($uri_definition->defaultScheme, $config, $context);