From 3ba9133b2198d1b8b94615ab807137d986d21627 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Thu, 27 Oct 2016 01:36:08 -0700
Subject: [PATCH] Don't assume that idn_to_ascii does validation.
Signed-off-by: Edward Z. Yang
---
 library/HTMLPurifier/AttrDef/URI/Host.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/library/HTMLPurifier/AttrDef/URI/Host.php b/library/HTMLPurifier/AttrDef/URI/Host.php
index 151f7aff..3b4d1867 100644
--- a/library/HTMLPurifier/AttrDef/URI/Host.php
+++ b/library/HTMLPurifier/AttrDef/URI/Host.php
@@ -97,7 +97,7 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
 // PHP 5.3 and later support this functionality natively
 if (function_exists('idn_to_ascii')) {
- return idn_to_ascii($string);
+ $string = idn_to_ascii($string);
 // If we have Net_IDNA2 support, we can support IRIs by
 // punycoding them. (This is the most portable thing to do,
@@ -123,13 +123,14 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
 }
 }
 $string = implode('.', $new_parts);
- if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
- return $string;
- }
 } catch (Exception $e) {
 // XXX error reporting
 }
 }
+ // Try again
+ if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
+ return $string;
+ }
 return false;
 }
 }
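Review bot: `$string = idn_to_ascii($string);` can leave `$string` set to `false`, because idn_to_ascii() returns false when the conversion fails, and that value then reaches the later `preg_match` only through implicit coercion to an empty string. The empty string presumably fails the host pattern and the method still ends in `return false`, but the rejection is a side effect rather than a stated decision. An explicit guard directly after the call, `if ($string === false) { return false; }`, makes the failure path visible and keeps a non-string out of the validator. The `if` block and the enclosing method continue outside this hunk.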
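Review bot: The comment `// Try again` on the relocated check does not say why the check now sits outside both conversion branches. This is the line that stops unvalidated converter output from being returned as a host, so a comment such as `// Neither idn_to_ascii() nor Net_IDNA2 is trusted to emit a valid hostname; re-validate the punycoded result before returning it.` would protect it from being folded back into a branch later. The diffstat shows only Host.php changed, so a regression test for a converter result that fails the host grammar would pin the behaviour. The method starts outside the hunk.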