mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-09-18 18:25:18 +00:00
Code Releases Activity

[3.1.1] Implement SafeEmbed. Also, miscellaneous bugfixes.

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1781 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2008-06-10 01:18:03 +00:00
parent 13eb016e06
commit 36bd06d53e
15 changed files with 162 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@ -19,7 +19,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
a URIFilter as such.
! Allow modules to define injectors via $info_injector. Injectors are
automatically disabled if injector's needed elements are not found.
! Support for "safe" objects added [info on how to enable needed]
! Support for "safe" objects added, use %HTML.SafeObject and %HTML.SafeEmbed.
- Disable percent height/width attributes for img
- AttrValidator operations are now atomic; updates to attributes are not
manifest in token until end of operations. This prevents naughty internal

13
configdoc/usage.xml
View File

@ -173,6 +173,16 @@
<line>220</line>
</file>
</directive>
<directive id="HTML.SafeObject">
<file name="HTMLPurifier/HTMLModuleManager.php">
<line>225</line>
</file>
</directive>
<directive id="HTML.SafeEmbed">
<file name="HTMLPurifier/HTMLModuleManager.php">
<line>228</line>
</file>
</directive>
<directive id="Attr.IDBlacklist">
<file name="HTMLPurifier/IDAccumulator.php">
<line>26</line>
@ -317,6 +327,9 @@
<file name="HTMLPurifier/HTMLModule/Image.php">
<line>14</line>
</file>
<file name="HTMLPurifier/HTMLModule/SafeEmbed.php">
<line>13</line>
</file>
<file name="HTMLPurifier/HTMLModule/SafeObject.php">
<line>19</line>
</file>

2
library/HTMLPurifier.includes.php
View File

@ -118,6 +118,7 @@ require 'HTMLPurifier/AttrTransform/ImgSpace.php';
require 'HTMLPurifier/AttrTransform/Lang.php';
require 'HTMLPurifier/AttrTransform/Length.php';
require 'HTMLPurifier/AttrTransform/Name.php';
require 'HTMLPurifier/AttrTransform/SafeEmbed.php';
require 'HTMLPurifier/AttrTransform/SafeObject.php';
require 'HTMLPurifier/AttrTransform/SafeParam.php';
require 'HTMLPurifier/AttrTransform/ScriptRequired.php';
@ -145,6 +146,7 @@ require 'HTMLPurifier/HTMLModule/Object.php';
require 'HTMLPurifier/HTMLModule/Presentation.php';
require 'HTMLPurifier/HTMLModule/Proprietary.php';
require 'HTMLPurifier/HTMLModule/Ruby.php';
require 'HTMLPurifier/HTMLModule/SafeEmbed.php';
require 'HTMLPurifier/HTMLModule/SafeObject.php';
require 'HTMLPurifier/HTMLModule/Scripting.php';
require 'HTMLPurifier/HTMLModule/StyleAttribute.php';

2
library/HTMLPurifier.safe-includes.php
View File

@ -112,6 +112,7 @@ require_once $__dir . '/HTMLPurifier/AttrTransform/ImgSpace.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/Lang.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/Length.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/Name.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/SafeEmbed.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/SafeObject.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/SafeParam.php';
require_once $__dir . '/HTMLPurifier/AttrTransform/ScriptRequired.php';
@ -139,6 +140,7 @@ require_once $__dir . '/HTMLPurifier/HTMLModule/Object.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Presentation.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Proprietary.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Ruby.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/SafeEmbed.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/SafeObject.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/Scripting.php';
require_once $__dir . '/HTMLPurifier/HTMLModule/StyleAttribute.php';

13
library/HTMLPurifier/AttrTransform/SafeEmbed.php Normal file
View File

@ -0,0 +1,13 @@
<?php
class HTMLPurifier_AttrTransform_SafeEmbed extends HTMLPurifier_AttrTransform
{
public $name = "SafeEmbed";
public function transform($attr, $config, $context) {
$attr['allowscriptaccess'] = 'never';
$attr['allownetworking'] = 'internal';
$attr['type'] = 'application/x-shockwave-flash';
return $attr;
}
}

4
library/HTMLPurifier/AttrTransform/SafeParam.php
View File

@ -17,11 +17,11 @@ class HTMLPurifier_AttrTransform_SafeParam extends HTMLPurifier_AttrTransform
public $name = "SafeParam";
private $uri;
function __construct() {
public function __construct() {
$this->uri = new HTMLPurifier_AttrDef_URI(true); // embedded
}
function transform($attr, $config, $context) {
public function transform($attr, $config, $context) {
// If we add support for other objects, we'll need to alter the
// transforms.
switch ($attr['name']) {

2
library/HTMLPurifier/ConfigSchema/schema.ser
View File

File diff suppressed because one or more lines are too long

13
library/HTMLPurifier/ConfigSchema/schema/HTML.SafeEmbed.txt Normal file
View File

@ -0,0 +1,13 @@
HTML.SafeEmbed
TYPE: bool
VERSION: 3.1.1
DEFAULT: false
--DESCRIPTION--
<p>
Whether or not to permit embed tags in documents, with a number of extra
security features added to prevent script execution. This is similar to
what websites like MySpace do to embed tags. Embed is a proprietary
element and will cause your website to stop validating. You probably want
to enable this with %HTML.SafeObject.
<strong>Highly experimental.</strong>
</p>

13
library/HTMLPurifier/ConfigSchema/schema/HTML.SafeObject.txt Normal file
View File

@ -0,0 +1,13 @@
HTML.SafeObject
TYPE: bool
VERSION: 3.1.1
DEFAULT: false
--DESCRIPTION--
<p>
Whether or not to permit object tags in documents, with a number of extra
security features added to prevent script execution. This is similar to
what websites like MySpace do to object tags. You may also want to
enable %HTML.SafeEmbed for maximum interoperability with Internet Explorer,
although embed tags will cause your website to stop validating.
<strong>Highly experimental.</strong>
</p>

31
library/HTMLPurifier/HTMLModule/SafeEmbed.php Normal file
View File

@ -0,0 +1,31 @@
<?php
/**
* A "safe" embed module. See SafeObject. This is a proprietary element.
*/
class HTMLPurifier_HTMLModule_SafeEmbed extends HTMLPurifier_HTMLModule
{
public $name = 'SafeEmbed';
public function setup($config) {
$max = $config->get('HTML', 'MaxImgLength');
$embed = $this->addElement(
'embed', 'Inline', 'Empty', 'Common',
array(
'src*' => 'URI#embedded',
'type' => 'Enum#application/x-shockwave-flash',
'width' => 'Pixels#' . $max,
'height' => 'Pixels#' . $max,
'allowscriptaccess' => 'Enum#never',
'allownetworking' => 'Enum#internal',
'wmode' => 'Enum#window',
'name' => 'ID',
)
);
$embed->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeEmbed();
}
}

2
library/HTMLPurifier/HTMLModule/SafeObject.php
View File

@ -28,7 +28,7 @@ class HTMLPurifier_HTMLModule_SafeObject extends HTMLPurifier_HTMLModule
'type' => 'Enum#application/x-shockwave-flash',
'width' => 'Pixels#' . $max,
'height' => 'Pixels#' . $max,
'data' => 'Text'
'data' => 'URI#embedded'
)
);
$object->attr_transform_post[] = new HTMLPurifier_AttrTransform_SafeObject();

8
library/HTMLPurifier/HTMLModuleManager.php
View File

@ -221,6 +221,14 @@ class HTMLPurifier_HTMLModuleManager
$modules[] = 'Proprietary';
}
// add SafeObject/Safeembed modules
if ($config->get('HTML', 'SafeObject')) {
$modules[] = 'SafeObject';
}
if ($config->get('HTML', 'SafeEmbed')) {
$modules[] = 'SafeEmbed';
}
foreach ($modules as $module) {
$this->processModule($module);
$this->modules[$module]->setup($config);

2
library/HTMLPurifier/URIFilter/SecureMunge.php
View File

@ -20,7 +20,7 @@ class HTMLPurifier_URIFilter_SecureMunge extends HTMLPurifier_URIFilter
if ($context->get('EmbeddedURI', true)) return true; // abort for embedded URIs
$scheme_obj = $uri->getSchemeObj($config, $context);
if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
if (is_null($uri->host) || empty($scheme_obj->browsable)) {
if (is_null($uri->host) || empty($scheme_obj->browsable) || $context->get('EmbeddedURI', true)) {
return true;
}
$string = $uri->toString();

41
tests/HTMLPurifier/HTMLModule/SafeEmbedTest.php Normal file
View File

@ -0,0 +1,41 @@
<?php
class HTMLPurifier_HTMLModule_SafeEmbedTest extends HTMLPurifier_HTMLModuleHarness
{
function setUp() {
parent::setUp();
$this->config->set('HTML', 'DefinitionID', 'HTMLPurifier_HTMLModule_SafeEmbedTest');
$def = $this->config->getHTMLDefinition(true);
$def->manager->addModule('SafeEmbed');
}
function testMinimal() {
$this->assertResult(
'<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" />',
'<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" allowscriptaccess="never" allownetworking="internal" type="application/x-shockwave-flash" />'
);
}
function testYouTube() {
$this->assertResult(
'<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed>',
'<embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" />'
);
}
function testMalicious() {
$this->assertResult(
'<embed src="http://example.com/bad.swf" type="application/x-shockwave-flash" width="9999999" height="3499994" allowscriptaccess="always" allownetworking="always" />',
'<embed src="http://example.com/bad.swf" type="application/x-shockwave-flash" width="1200" height="1200" allowscriptaccess="never" allownetworking="internal" />'
);
}
function testFull() {
$this->assertResult(
'<b><embed src="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" type="application/x-shockwave-flash" width="24" height="23" allowscriptaccess="never" allownetworking="internal" wmode="window" /></b>'
);
}
}

20
tests/HTMLPurifierTest.php
View File

@ -194,5 +194,25 @@ alert("<This is compatible with XHTML>");
);
}
function test_safeObjectAndEmbed() {
$this->config->set('HTML', 'SafeObject', true);
$this->config->set('HTML', 'SafeEmbed', true);
$this->assertPurification(
'<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
'<object width="425" height="344" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
);
}
function test_safeObjectAndEmbedWithSecureMunge() {
$this->config->set('HTML', 'SafeObject', true);
$this->config->set('HTML', 'SafeEmbed', true);
$this->config->set('URI', 'SecureMunge', '/redirect.php?url=%s&check=%t');
$this->config->set('URI', 'SecureMungeSecretKey', 'foo');
$this->assertPurification(
'<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
'<object width="425" height="344" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
);
}
}