mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-23 00:41:52 +00:00
%URI.DisableExternal(Resources) uses %URI.Base if %URI.Host is not available.
As part of its duties, URIDefinition determine the base URL and the host URL of the page based on the two corresponding configuration directives. The DisableExternal URIFilter, however, bypassed this check by directly checking %URI.Host. This fix forwards the call through URIDefinition. Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
This commit is contained in:
parent
3a4b92da81
commit
3b6aa10592
2
NEWS
2
NEWS
@ -31,6 +31,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||||||
- Throw error when %Core.Encoding is set to a spurious value. Previously,
|
- Throw error when %Core.Encoding is set to a spurious value. Previously,
|
||||||
this errored silently and returned false.
|
this errored silently and returned false.
|
||||||
- Redirected stderr to stdout for flush error output.
|
- Redirected stderr to stdout for flush error output.
|
||||||
|
- %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
|
||||||
|
available.
|
||||||
. Strategy_MakeWellFormed now operates in-place, saving memory and allowing
|
. Strategy_MakeWellFormed now operates in-place, saving memory and allowing
|
||||||
for more interesting filter-backtracking
|
for more interesting filter-backtracking
|
||||||
. New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
|
. New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
|
||||||
|
@ -5,7 +5,7 @@ class HTMLPurifier_URIFilter_DisableExternal extends HTMLPurifier_URIFilter
|
|||||||
public $name = 'DisableExternal';
|
public $name = 'DisableExternal';
|
||||||
protected $ourHostParts = false;
|
protected $ourHostParts = false;
|
||||||
public function prepare($config) {
|
public function prepare($config) {
|
||||||
$our_host = $config->get('URI', 'Host');
|
$our_host = $config->getDefinition('URI')->host;
|
||||||
if ($our_host !== null) $this->ourHostParts = array_reverse(explode('.', $our_host));
|
if ($our_host !== null) $this->ourHostParts = array_reverse(explode('.', $our_host));
|
||||||
}
|
}
|
||||||
public function filter(&$uri, $config, $context) {
|
public function filter(&$uri, $config, $context) {
|
||||||
|
@ -41,4 +41,11 @@ class HTMLPurifier_URIFilter_DisableExternalTest extends HTMLPurifier_URIFilterH
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function testBaseAsHost() {
|
||||||
|
$this->config->set('URI', 'Base', 'http://www.example.com/foo/bar');
|
||||||
|
$this->assertFiltering(
|
||||||
|
'http://www.example.com/baz'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user