0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-23 00:41:52 +00:00

Check if the scheme can be removed from the URI when it s the default

scheme
This commit is contained in:
Syl20b 2016-10-25 16:12:36 +02:00
parent dc8702160c
commit 3c15a2de08
2 changed files with 20 additions and 2 deletions

View File

@ -124,8 +124,10 @@ class HTMLPurifier_URI
// scheme is in our registry, since a URIFilter may convert a // scheme is in our registry, since a URIFilter may convert a
// URI that we don't allow into one we do. So instead, we just // URI that we don't allow into one we do. So instead, we just
// check if the scheme can be dropped because there is no host // check if the scheme can be dropped because there is no host
// and it is our default scheme. // or the host can be omitted and it is our default scheme.
if (!is_null($this->scheme) && is_null($this->host) || $this->host === '') { if (!is_null($this->scheme) &&
(!$this->getSchemeObj($config, $context)->may_omit_host && (is_null($this->host) || $this->host === ''))
) {
// support for relative paths is pretty abysmal when the // support for relative paths is pretty abysmal when the
// scheme is present, so axe it when possible // scheme is present, so axe it when possible
$def = $config->getDefinition('URI'); $def = $config->getDefinition('URI');

View File

@ -225,6 +225,22 @@ class HTMLPurifier_URITest extends HTMLPurifier_URIHarness
$this->assertValidation('http://google.com'); $this->assertValidation('http://google.com');
} }
public function test_validate_schemeIsDefaultAndTheOnlyAllowed()
{
$uri =
'data:'.
'image/png,'.
'iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAYAAACNMs+9AAAABGdBTUEAALGP'.
'C/xhBQAAAAlwSFlzAAALEwAACxMBAJqcGAAAAAd0SU1FB9YGARc5KB0XV+IA'.
'AAAddEVYdENvbW1lbnQAQ3JlYXRlZCB3aXRoIFRoZSBHSU1Q72QlbgAAAF1J'.
'REFUGNO9zL0NglAAxPEfdLTs4BZM4DIO4C7OwQg2JoQ9LE1exdlYvBBeZ7jq'.
'ch9//q1uH4TLzw4d6+ErXMMcXuHWxId3KOETnnXXV6MJpcq2MLaI97CER3N0'.
'vr4MkhoXe0rZigAAAABJRU5ErkJggg==';
$this->config->set('URI.DefaultScheme', 'data');
$this->config->set('URI.AllowedSchemes', array('data' => true));
$this->assertValidation($uri, $uri);
}
} }
// vim: et sw=4 sts=4 // vim: et sw=4 sts=4