Accept leading digits in hostnames as per RFC 1123.

Signed-off-by: Edward Z. Yang <ezyang@cs.stanford.edu>
2024-09-18 18:25:18 +00:00 · 2016-03-23 22:42:18 -07:00 · 2016-03-23 22:42:18 -07:00 · 45161b4fb1
commit 45161b4fb1
parent 25db9e1dd0
3 changed files with 17 additions and 7 deletions
--- a/2
+++ b/2
@ -15,6 +15,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
  truncate.  Thanks Brandon Farber for reporting.
 - Linkify regex is smarter, based off of Gruber's regex.
 - IDNA supported natively on PHP 5.3 and later.
+- Non all-numeric top-level names (e.g., foo.1f, 1f) are now
+  allowed.

 4.7.0, released 2015-08-04
 # opacity is now considered a "tricky" CSS property rather than a
--- a/library/HTMLPurifier/AttrDef/URI/Host.php
+++ b/library/HTMLPurifier/AttrDef/URI/Host.php
@ -76,17 +76,23 @@ class HTMLPurifier_AttrDef_URI_Host extends HTMLPurifier_AttrDef
        // fairly well supported.
        $underscore = $config->get('Core.AllowHostnameUnderscore') ? '_' : '';

+        // Based off of RFC 1738, but amended so that
+        // as per RFC 3696, the top label need only not be all numeric.
        // The productions describing this are:
        $a   = '[a-z]';     // alpha
        $an  = '[a-z0-9]';  // alphanum
        $and = "[a-z0-9-$underscore]"; // alphanum | "-"
        // domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
-        $domainlabel = "$an($and*$an)?";
-        // toplabel    = alpha | alpha *( alphanum | "-" ) alphanum
-        $toplabel = "$a($and*$an)?";
+        $domainlabel = "$an(?:$and*$an)?";
+        // AMENDED as per RFC 3696
+        // toplabel    = alphanum | alphanum *( alphanum | "-" ) alphanum
+        //      side condition: not all numeric
+        $toplabel = "$an(?:$and*$an)?";
        // hostname    = *( domainlabel "." ) toplabel [ "." ]
-        if (preg_match("/^($domainlabel\.)*$toplabel\.?$/i", $string)) {
-            return $string;
+        if (preg_match("/^(?:$domainlabel\.)*($toplabel)\.?$/i", $string, $matches)) {
+            if (!ctype_digit($matches[1])) {
+                return $string;
+            }
        }

        // PHP 5.3 and later support this functionality natively
--- a/tests/HTMLPurifier/AttrDef/URI/HostTest.php
+++ b/tests/HTMLPurifier/AttrDef/URI/HostTest.php
@ -19,12 +19,13 @@ class HTMLPurifier_AttrDef_URI_HostTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('sub.test.');
        $this->assertDef('.test', false);
        $this->assertDef('ff');
-        $this->assertDef('1f', false);
+        $this->assertDef('1f'); // per RFC 1123
+        // See also http://serverfault.com/questions/638260/is-it-valid-for-a-hostname-to-start-with-a-digit
        $this->assertDef('-f', false);
        $this->assertDef('f1');
        $this->assertDef('f-', false);
        $this->assertDef('sub.ff');
-        $this->assertDef('sub.1f', false);
+        $this->assertDef('sub.1f'); // per RFC 1123
        $this->assertDef('sub.-f', false);
        $this->assertDef('sub.f1');
        $this->assertDef('sub.f-', false);
@ -35,6 +36,7 @@ class HTMLPurifier_AttrDef_URI_HostTest extends HTMLPurifier_AttrDefHarness
        $this->assertDef('f1.top');
        $this->assertDef('f1_f2.ex.top', false);
        $this->assertDef('f-.top', false);
+        $this->assertDef('1a');

        $this->assertDef("\xE4\xB8\xAD\xE6\x96\x87.com.cn", false);