%URI.DisableExternal(Resources) uses %URI.Base if %URI.Host is not available.

As part of its duties, URIDefinition determine the base URL and the host URL
of the page based on the two corresponding configuration directives. The
DisableExternal URIFilter, however, bypassed this check by directly checking
%URI.Host. This fix forwards the call through URIDefinition.

Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>

NEWS

@@ -31,6 +31,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 - Throw error when %Core.Encoding is set to a spurious value. Previously,
   this errored silently and returned false.
 - Redirected stderr to stdout for flush error output.
+- %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
+  available.
 . Strategy_MakeWellFormed now operates in-place, saving memory and allowing
   for more interesting filter-backtracking
 . New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind

library/HTMLPurifier/URIFilter/DisableExternal.php

@@ -5,7 +5,7 @@ class HTMLPurifier_URIFilter_DisableExternal extends HTMLPurifier_URIFilter
     public $name = 'DisableExternal';
     protected $ourHostParts = false;
     public function prepare($config) {
-        $our_host = $config->get('URI', 'Host');
+        $our_host = $config->getDefinition('URI')->host;
         if ($our_host !== null) $this->ourHostParts = array_reverse(explode('.', $our_host));
     }
     public function filter(&$uri, $config, $context) {

tests/HTMLPurifier/URIFilter/DisableExternalTest.php

@@ -41,4 +41,11 @@ class HTMLPurifier_URIFilter_DisableExternalTest extends HTMLPurifier_URIFilterH
         );
     }
     
+    function testBaseAsHost() {
+        $this->config->set('URI', 'Base', 'http://www.example.com/foo/bar');
+        $this->assertFiltering(
+            'http://www.example.com/baz'
+        );
+    }
+    
 }