mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-23 00:41:52 +00:00
Finish bare-bones implementation of URI. This will suffice for now.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@209 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
parent
5b14310284
commit
4ab6cab15c
@ -3,20 +3,63 @@
|
|||||||
require_once 'HTMLPurifier/URIScheme.php';
|
require_once 'HTMLPurifier/URIScheme.php';
|
||||||
require_once 'HTMLPurifier/URISchemeRegistry.php';
|
require_once 'HTMLPurifier/URISchemeRegistry.php';
|
||||||
|
|
||||||
|
HTMLPurifier_ConfigDef::define(
|
||||||
|
'URI', 'DefaultScheme', 'http',
|
||||||
|
'Defines through what scheme the output will be served, in order to '.
|
||||||
|
'select the proper object validator when no scheme information is present.'
|
||||||
|
);
|
||||||
|
|
||||||
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
|
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
|
||||||
{
|
{
|
||||||
|
|
||||||
function validate($uri, $config = null) {
|
function validate($uri, $config = null) {
|
||||||
|
|
||||||
// We'll write stack-based parsers later, for now, use regexps to
|
// We'll write stack-based parsers later, for now, use regexps to
|
||||||
// get things working as fast as possible (irony)
|
// get things working as fast as possible (irony)
|
||||||
|
|
||||||
|
if (!$config) $config = HTMLPurifier_Config::createDefault();
|
||||||
|
|
||||||
// parse as CDATA
|
// parse as CDATA
|
||||||
$uri = $this->parseCDATA($uri);
|
$uri = $this->parseCDATA($uri);
|
||||||
|
|
||||||
// while it would be nice to use parse_url(), that's specifically
|
// while it would be nice to use parse_url(), that's specifically
|
||||||
// for HTTP and thus won't work for our generic URI parsing
|
// for HTTP and thus won't work for our generic URI parsing
|
||||||
|
|
||||||
|
// according to the RFC... (but this cuts corners, i.e. non-validating)
|
||||||
|
$r_URI = '!^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?!';
|
||||||
|
// 12 3 4 5 6 7 8 9
|
||||||
|
|
||||||
|
$matches = array();
|
||||||
|
$result = preg_match($r_URI, $uri, $matches);
|
||||||
|
|
||||||
|
if (!$result) return '';
|
||||||
|
|
||||||
|
// seperate out parts
|
||||||
|
$scheme = !empty($matches[1]) ? $matches[2] : null;
|
||||||
|
$authority = !empty($matches[3]) ? $matches[4] : null;
|
||||||
|
$path = $matches[5]; // always present
|
||||||
|
$query = !empty($matches[6]) ? $matches[7] : null;
|
||||||
|
$fragment = !empty($matches[8]) ? $matches[9] : null;
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
$registry = HTMLPurifier_URISchemeRegistry::instance();
|
||||||
|
if ($scheme !== null) {
|
||||||
|
// no need to validate the scheme's fmt since we do that when we
|
||||||
|
// retrieve the specific scheme object from the registry
|
||||||
|
$scheme = ctype_lower($scheme) ? $scheme : strtolower($scheme);
|
||||||
|
$scheme_obj = $registry->getScheme($scheme);
|
||||||
|
if (!$scheme_obj) return ''; // invalid scheme, clean it out
|
||||||
|
} else {
|
||||||
|
$scheme_obj = $registry->getScheme($config->get('URI', 'DefaultScheme'));
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
if ($authority !== null) {
|
||||||
|
|
||||||
// define regexps
|
// define regexps
|
||||||
|
// this stuff may need to be factored out so Email can get to it
|
||||||
|
|
||||||
$HEXDIG = '[A-Fa-f0-9]';
|
$HEXDIG = '[A-Fa-f0-9]';
|
||||||
$unreserved = 'A-Za-z0-9-._~'; // make sure you wrap with []
|
$unreserved = 'A-Za-z0-9-._~'; // make sure you wrap with []
|
||||||
@ -39,65 +82,63 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
|
|||||||
"|(?:(?:$h16:){6}$h16)?::" .
|
"|(?:(?:$h16:){6}$h16)?::" .
|
||||||
")";
|
")";
|
||||||
$IP_literal = "\[(?:$IPvFuture|$IPv6Address)\]";
|
$IP_literal = "\[(?:$IPvFuture|$IPv6Address)\]";
|
||||||
|
|
||||||
// the important regexps, the collide with other names, prefix with r_
|
|
||||||
|
|
||||||
$r_userinfo = "(?:[$unreserved$sub_delims:]|$pct_encoded)*";
|
$r_userinfo = "(?:[$unreserved$sub_delims:]|$pct_encoded)*";
|
||||||
$r_authority = "/^(($r_userinfo)@)?(\[$IP_literal\]|[^:]*)(:(\d*))?/";
|
|
||||||
|
|
||||||
// according to the RFC... (but this cuts corners, i.e. non-validating)
|
|
||||||
$r_URI = '!^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?!';
|
|
||||||
// 12 3 4 5 6 7 8 9
|
|
||||||
$matches = array();
|
|
||||||
|
|
||||||
$result = preg_match($r_URI, $uri, $matches);
|
|
||||||
|
|
||||||
if (!$result) return ''; // wow, that's very strange
|
|
||||||
|
|
||||||
// seperate out parts
|
|
||||||
$scheme = !empty($matches[1]) ? $matches[2] : null;
|
|
||||||
$authority = !empty($matches[3]) ? $matches[4] : null;
|
|
||||||
$path = $matches[5]; // always present
|
|
||||||
$query = !empty($matches[6]) ? $matches[7] : null;
|
|
||||||
$fragment = !empty($matches[8]) ? $matches[9] : null;
|
|
||||||
|
|
||||||
// okay, no need to validate the scheme since we do that when we
|
|
||||||
// retrieve the specific scheme object from the registry
|
|
||||||
$scheme = ctype_lower($scheme) ? $scheme : strtolower($scheme);
|
|
||||||
$registry = HTMLPurifier_URISchemeRegistry::instance();
|
|
||||||
$scheme_obj = $registry->getScheme($scheme);
|
|
||||||
|
|
||||||
if (!$scheme_obj) return ''; // invalid scheme, clean it out
|
|
||||||
|
|
||||||
if ($authority !== null) {
|
|
||||||
// validate authority
|
|
||||||
$matches = array();
|
|
||||||
|
|
||||||
// IPv6 is broken
|
// IPv6 is broken
|
||||||
|
$r_authority = "/^(($r_userinfo)@)?(\[$IP_literal\]|[^:]*)(:(\d*))?/";
|
||||||
|
$matches = array();
|
||||||
preg_match($r_authority, $authority, $matches);
|
preg_match($r_authority, $authority, $matches);
|
||||||
|
// overloads regexp!
|
||||||
$userinfo = !empty($matches[1]) ? $matches[2] : null;
|
$userinfo = !empty($matches[1]) ? $matches[2] : null;
|
||||||
$host = !empty($matches[3]) ? $matches[3] : null;
|
$host = !empty($matches[3]) ? $matches[3] : null;
|
||||||
$port = !empty($matches[4]) ? $matches[5] : null;
|
$port = !empty($matches[4]) ? $matches[5] : null;
|
||||||
|
|
||||||
// validate port
|
// validate port
|
||||||
if ($port !== null) {
|
if ($port !== null) {
|
||||||
if (!ctype_digit($port) || $port < 1 || $port > 65535) {
|
$port = (int) $port;
|
||||||
$port = null;
|
if ($port < 1 || $port > 65535) $port = null;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// userinfo and host are validated within the regexp
|
||||||
|
|
||||||
|
// regenerate authority
|
||||||
$authority =
|
$authority =
|
||||||
($userinfo === null ? '' : ($userinfo . '@')) .
|
($userinfo === null ? '' : ($userinfo . '@')) .
|
||||||
$host .
|
$host .
|
||||||
($port === null ? '' : (':' . $port));
|
($port === null ? '' : (':' . $port));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
// query and fragment are quite simple in terms of definition:
|
||||||
|
// *( pchar / "/" / "?" ), so define their validation routines
|
||||||
|
// when we start fixing percent encoding
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
// path gets to be validated against a hodge-podge of rules depending
|
||||||
|
// on the status of authority and scheme, but it's not that important,
|
||||||
|
// esp. since it won't be applicable to everyone
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
// okay, now we defer execution to the subobject for more processing
|
||||||
list($authority, $path, $query, $fragment) =
|
list($authority, $path, $query, $fragment) =
|
||||||
$scheme_obj->validateComponents($authority, $path, $query, $fragment);
|
$scheme_obj->validateComponents($authority, $path, $query, $fragment);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
// reconstruct the result
|
||||||
|
$result = '';
|
||||||
|
if ($scheme !== null) $result .= "$scheme:";
|
||||||
|
if ($authority !== null) $result .= "//$authority";
|
||||||
|
$result .= $path;
|
||||||
|
if ($query !== null) $result .= "?$query";
|
||||||
|
if ($fragment !== null) $result .= "#$fragment";
|
||||||
|
|
||||||
|
return $result;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
@ -7,6 +7,7 @@ class HTMLPurifier_ConfigDef {
|
|||||||
function initialize() {
|
function initialize() {
|
||||||
$this->defineNamespace('Core', 'Core features that are always available.');
|
$this->defineNamespace('Core', 'Core features that are always available.');
|
||||||
$this->defineNamespace('Attr', 'Features regarding attribute validation.');
|
$this->defineNamespace('Attr', 'Features regarding attribute validation.');
|
||||||
|
$this->defineNamespace('URI', 'Features regarding Uniform Resource Identifiers.');
|
||||||
}
|
}
|
||||||
|
|
||||||
function &instance($prototype = null) {
|
function &instance($prototype = null) {
|
||||||
|
@ -110,10 +110,12 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
|||||||
// test invalid port
|
// test invalid port
|
||||||
$uri[12] = 'http://example.com:foobar';
|
$uri[12] = 'http://example.com:foobar';
|
||||||
$components[12] = array('example.com', '', null, null);
|
$components[12] = array('example.com', '', null, null);
|
||||||
|
$expect_uri[12] = 'http://example.com';
|
||||||
|
|
||||||
// test overlarge port (max is 65535, although this isn't official)
|
// test overlarge port (max is 65535, although this isn't official)
|
||||||
$uri[13] = 'http://example.com:65536';
|
$uri[13] = 'http://example.com:65536';
|
||||||
$components[13] = array('example.com', '', null, null);
|
$components[13] = array('example.com', '', null, null);
|
||||||
|
$uri[13] = 'http://example.com';
|
||||||
|
|
||||||
// some spec abnf tests
|
// some spec abnf tests
|
||||||
|
|
||||||
@ -124,21 +126,29 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
|||||||
$components[14] = array(null, '/this/is/path', null, null);
|
$components[14] = array(null, '/this/is/path', null, null);
|
||||||
$expect_uri[14] = 'http:/this/is/path'; // do not munge scheme off
|
$expect_uri[14] = 'http:/this/is/path'; // do not munge scheme off
|
||||||
|
|
||||||
|
// scheme munging is not being tested yet, it's an extra feature
|
||||||
|
|
||||||
// "path-rootless" - this should not be used but is allowed
|
// "path-rootless" - this should not be used but is allowed
|
||||||
$uri[15] = 'http:this/is/path';
|
$uri[15] = 'http:this/is/path';
|
||||||
$components[15] = array(null, 'this/is/path', null, null);
|
$components[15] = array(null, 'this/is/path', null, null);
|
||||||
$expect_uri[15] = 'this/is/path'; // munge scheme off
|
//$expect_uri[15] = 'this/is/path'; // munge scheme off
|
||||||
|
|
||||||
// "path-empty" - a rather interesting case, remove the scheme
|
// "path-empty" - a rather interesting case, remove the scheme
|
||||||
$uri[16] = 'http:';
|
$uri[16] = 'http:';
|
||||||
$components[16] = array(null, '', null, null);
|
$components[16] = array(null, '', null, null);
|
||||||
$expect_uri[16] = ''; // munge scheme off
|
//$expect_uri[16] = ''; // munge scheme off
|
||||||
|
|
||||||
// test invalid scheme
|
// test invalid scheme
|
||||||
$uri[17] = 'javascript:alert("moo");';
|
$uri[17] = 'javascript:alert("moo");';
|
||||||
$components[17] = false;
|
$components[17] = false;
|
||||||
$expect_uri[17] = '';
|
$expect_uri[17] = '';
|
||||||
|
|
||||||
|
// relative URIs
|
||||||
|
|
||||||
|
// test basic case
|
||||||
|
$uri[18] = '/a/b';
|
||||||
|
$components[18] = array(null, '/a/b', null, null);
|
||||||
|
|
||||||
foreach ($uri as $i => $value) {
|
foreach ($uri as $i => $value) {
|
||||||
|
|
||||||
// $fake_registry isn't the real mock, because due to PHP 4 weirdness
|
// $fake_registry isn't the real mock, because due to PHP 4 weirdness
|
||||||
@ -172,7 +182,7 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
|||||||
}
|
}
|
||||||
$result = $def->validate($value);
|
$result = $def->validate($value);
|
||||||
$scheme->tally();
|
$scheme->tally();
|
||||||
//$this->assertIdentical($expect_uri[$i], $result);
|
$this->assertIdentical($expect_uri[$i], $result);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user