mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-22 16:31:53 +00:00
Commit initial URI unit tests and implementation. They're not complete yet though.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@206 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
parent
c86df12ed7
commit
4b097ef493
93
library/HTMLPurifier/AttrDef/URI.php
Normal file
93
library/HTMLPurifier/AttrDef/URI.php
Normal file
@ -0,0 +1,93 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
require_once 'HTMLPurifier/URIScheme.php';
|
||||||
|
require_once 'HTMLPurifier/URISchemeRegistry.php';
|
||||||
|
|
||||||
|
class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
|
||||||
|
{
|
||||||
|
function validate($uri, $config = null) {
|
||||||
|
|
||||||
|
// We'll write stack-based parsers later, for now, use regexps to
|
||||||
|
// get things working as fast as possible (irony)
|
||||||
|
|
||||||
|
// parse as CDATA
|
||||||
|
$uri = $this->parseCDATA($uri);
|
||||||
|
|
||||||
|
// while it would be nice to use parse_url(), that's specifically
|
||||||
|
// for HTTP and thus won't work for our generic URI parsing
|
||||||
|
|
||||||
|
// according to the RFC... (but this cuts corners, i.e. non-validating)
|
||||||
|
$regexp = '!^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?!';
|
||||||
|
// 12 3 4 5 6 7 8 9
|
||||||
|
$matches = array();
|
||||||
|
|
||||||
|
$result = preg_match($regexp, $uri, $matches);
|
||||||
|
|
||||||
|
if (!$result) return ''; // wow, that's very strange
|
||||||
|
|
||||||
|
// seperate out parts
|
||||||
|
$scheme = !empty($matches[1]) ? $matches[2] : null;
|
||||||
|
$authority = !empty($matches[3]) ? $matches[4] : null;
|
||||||
|
$path = $matches[5]; // always present
|
||||||
|
$query = !empty($matches[6]) ? $matches[7] : null;
|
||||||
|
$fragment = !empty($matches[8]) ? $matches[9] : null;
|
||||||
|
|
||||||
|
// okay, no need to validate the scheme since we do that when we
|
||||||
|
// retrieve the specific scheme object from the registry
|
||||||
|
$scheme = ctype_lower($scheme) ? $scheme : strtolower($scheme);
|
||||||
|
$registry = HTMLPurifier_URISchemeRegistry::instance();
|
||||||
|
$scheme_obj = $registry->getScheme($scheme);
|
||||||
|
|
||||||
|
if (!$scheme_obj) return ''; // invalid scheme, clean it out
|
||||||
|
|
||||||
|
if ($authority !== null) {
|
||||||
|
// validate authority
|
||||||
|
$matches = array();
|
||||||
|
|
||||||
|
$HEXDIG = '[A-Fa-f0-9]';
|
||||||
|
$unreserved = 'A-Za-z0-9-._~';
|
||||||
|
$sub_delims = '!$&\'()';
|
||||||
|
$h16 = "{$HEXDIG}{1,4}";
|
||||||
|
$dec_octet = '(?:25[0-5]|2[0-4]\d|1\d\d|1\d|[0-9])';
|
||||||
|
$IPv4address = "$dec_octet.$dec_octet.$dec_octet.$dec_octet";
|
||||||
|
$ls32 = "(?:$h16:$h16|$IPv4address)";
|
||||||
|
$IPvFuture = "v$HEXDIG+\.[:$unreserved$sub_delims]+";
|
||||||
|
$IPv6Address = "(?:".
|
||||||
|
"(?:$h16:){6}$ls32" .
|
||||||
|
"|::(?:$h16:){5}$ls32" .
|
||||||
|
"|(?:$h16)?::(?:$h16:){4}$ls32" .
|
||||||
|
"|(?:(?:$h16:){1}$h16)?::(?:$h16:){3}$ls32" .
|
||||||
|
"|(?:(?:$h16:){2}$h16)?::(?:$h16:){2}$ls32" .
|
||||||
|
"|(?:(?:$h16:){3}$h16)?::(?:$h16:){1}$ls32" .
|
||||||
|
"|(?:(?:$h16:){4}$h16)?::$ls32" .
|
||||||
|
"|(?:(?:$h16:){5}$h16)?::$h16" .
|
||||||
|
"|(?:(?:$h16:){6}$h16)?::" .
|
||||||
|
")";
|
||||||
|
$IP_literal = "\[(?:$IPvFuture|$IPv6Address)\]";
|
||||||
|
$regexp = "/^(([^@]+)@)?(\[$IP_literal\]|[^:]*)(:(\d*))?/";
|
||||||
|
|
||||||
|
preg_match($regexp, $authority, $matches);
|
||||||
|
$userinfo = !empty($matches[1]) ? $matches[2] : null;
|
||||||
|
$host = !empty($matches[3]) ? $matches[3] : null;
|
||||||
|
$port = !empty($matches[4]) ? $matches[5] : null;
|
||||||
|
|
||||||
|
if ($port !== null) {
|
||||||
|
if (!ctype_digit($port) || $port < 1 || $port > 65535) {
|
||||||
|
$port = null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$authority =
|
||||||
|
($userinfo === null ? '' : ($userinfo . '@')) .
|
||||||
|
$host .
|
||||||
|
($port === null ? '' : (':' . $port));
|
||||||
|
}
|
||||||
|
|
||||||
|
list($authority, $path, $query, $fragment) =
|
||||||
|
$scheme_obj->validateComponents($authority, $path, $query, $fragment);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
12
library/HTMLPurifier/URIScheme.php
Normal file
12
library/HTMLPurifier/URIScheme.php
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
class HTMLPurifier_URIScheme
|
||||||
|
{
|
||||||
|
|
||||||
|
function validateComponents() {
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
23
library/HTMLPurifier/URISchemeRegistry.php
Normal file
23
library/HTMLPurifier/URISchemeRegistry.php
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
class HTMLPurifier_URISchemeRegistry
|
||||||
|
{
|
||||||
|
|
||||||
|
// pass a registry object $prototype with a compatible interface and
|
||||||
|
// the function will copy it and return it all further times.
|
||||||
|
// pass bool true to reset to the default registry
|
||||||
|
function &instance($prototype = null) {
|
||||||
|
static $instance = null;
|
||||||
|
if ($prototype !== null) {
|
||||||
|
$instance = $prototype;
|
||||||
|
} elseif ($instance === null || $prototype == true) {
|
||||||
|
$instance = new HTMLPurifier_URISchemeRegistry();
|
||||||
|
}
|
||||||
|
return $instance;
|
||||||
|
}
|
||||||
|
|
||||||
|
function &getScheme($scheme) {}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
183
tests/HTMLPurifier/AttrDef/URITest.php
Normal file
183
tests/HTMLPurifier/AttrDef/URITest.php
Normal file
@ -0,0 +1,183 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
require_once 'HTMLPurifier/AttrDefHarness.php';
|
||||||
|
require_once 'HTMLPurifier/AttrDef/URI.php';
|
||||||
|
|
||||||
|
// WARNING: INCOMPLETE UNIT TESTS!
|
||||||
|
// we are currently abstaining IPv6 and percent-encode fixing unit tests
|
||||||
|
// as well as recomposition tests
|
||||||
|
|
||||||
|
class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
||||||
|
{
|
||||||
|
|
||||||
|
function testGenericURI() {
|
||||||
|
|
||||||
|
generate_mock_once('HTMLPurifier_URIScheme');
|
||||||
|
generate_mock_once('HTMLPurifier_URISchemeRegistry');
|
||||||
|
|
||||||
|
// finally, lets get a copy of the actual class
|
||||||
|
$def = new HTMLPurifier_AttrDef_URI();
|
||||||
|
|
||||||
|
// initialize test inputs
|
||||||
|
$uri = // input URI
|
||||||
|
$components = // what components the URI should be parsed to
|
||||||
|
$return_components = // return components
|
||||||
|
$expect_uri = array(); // what reassembled URI to expect
|
||||||
|
|
||||||
|
//////////////////////////////////////////////////////////////////////
|
||||||
|
|
||||||
|
// test a regular instance, return identical URI
|
||||||
|
$uri[0] = 'http://www.example.com/webhp?q=foo#result2';
|
||||||
|
$components[0] = array(
|
||||||
|
'www.example.com', // authority
|
||||||
|
'/webhp', // path
|
||||||
|
'q=foo', // query
|
||||||
|
'result2' // fragment
|
||||||
|
);
|
||||||
|
|
||||||
|
// test an amended URI (the actual logic is irrelevant)
|
||||||
|
// test that user and port get parsed correctly (3.2.1 and 3.2.3)
|
||||||
|
$uri[1] = 'http://user@authority.part:80/now/the/path?query#fragment';
|
||||||
|
$components[1] = array(
|
||||||
|
'user@authority.part:80', // yes, user+port are part of authority
|
||||||
|
'/now/the/path', 'query', 'fragment'
|
||||||
|
);
|
||||||
|
$return_components[1] = array( // removed port (it's standard)
|
||||||
|
'user@authority.part', '/now/the/path', 'query', 'fragment'
|
||||||
|
);
|
||||||
|
$expect_uri[1] = 'http://user@authority.part/now/the/path?query#fragment';
|
||||||
|
|
||||||
|
// percent encoded characters are not resolved during generic URI
|
||||||
|
// parsing even though RFC 3986 defines this notation
|
||||||
|
// also test what happens when query/fragment are missing
|
||||||
|
$uri[2] = 'http://en.wikipedia.org/wiki/Clich%C3%A9';
|
||||||
|
$components[2] = array(
|
||||||
|
'en.wikipedia.org', '/wiki/Clich%C3%A9', null, null
|
||||||
|
);
|
||||||
|
|
||||||
|
// test distinction between empty query and undefined query (above)
|
||||||
|
$uri[3] = 'http://www.example.com/?#';
|
||||||
|
$components[3] = array( 'www.example.com', '/', '', '' );
|
||||||
|
|
||||||
|
// path is always defined, even if empty
|
||||||
|
$uri[4] = 'http://www.example.com';
|
||||||
|
$components[4] = array( 'www.example.com', '', null, null );
|
||||||
|
|
||||||
|
// test parsing of an opaque URI
|
||||||
|
$uri[5] = 'mailto:bob@example.com';
|
||||||
|
$components[5] = array(null, 'bob@example.com', null, null);
|
||||||
|
|
||||||
|
// even though we don't resolve percent entities, we have to fix
|
||||||
|
// improper percent-encodes. Taken one at a time:
|
||||||
|
// %56 - V, which is an unreserved character
|
||||||
|
// %fc - u with an umlaut, normalize to uppercase
|
||||||
|
// %GJ - invalid characters in entity, encode %
|
||||||
|
// %5 - prematurely terminated, encode %
|
||||||
|
// %FC - u with umlaut, correct
|
||||||
|
// note that Apache doesn't do such fixing, rather, it just claims
|
||||||
|
// that the browser sent a "Bad Request".
|
||||||
|
//$uri[6] = 'http://www.example.com/%56%fc%GJ%5%FC';
|
||||||
|
//$components[6] = array('www.example.com', '/V%FC%25GJ%255%FC', null, null);
|
||||||
|
//$expect_uri[6] = 'http://www.example.com/V%FC%25GJ%255%FC';
|
||||||
|
|
||||||
|
// test IPv4 address (behavior may vary with configuration)
|
||||||
|
$uri[7] = 'http://192.0.34.166/';
|
||||||
|
$components[7] = array('192.0.34.166', '/', null, null);
|
||||||
|
|
||||||
|
// while it may look like an IPv4 address, it's really a reg-name.
|
||||||
|
// don't destroy it
|
||||||
|
$uri[8] = 'http://333.123.32.123/';
|
||||||
|
$components[8] = array('333.123.32.123', '/', null, null);
|
||||||
|
|
||||||
|
// test IPv6 address, using amended form of RFC's example
|
||||||
|
//$uri[9] = 'http://[2001:db8::7]/c=GB?objectClass?one';
|
||||||
|
//$components[9] = array('[2001:db8::7]', '/c=GB', 'objectClass?one', null);
|
||||||
|
|
||||||
|
// We will not implement punycode encoding, that's up to the browsers
|
||||||
|
// We also will not implement percent to IDNA encoding transformations:
|
||||||
|
// if you need to use an international domain in a link, make sure that
|
||||||
|
// you've got it in UTF-8 and send it in raw (no encoding).
|
||||||
|
|
||||||
|
// break the RFC a little and allow international characters
|
||||||
|
// WARNING: UTF-8 encoded!
|
||||||
|
$uri[10] = 'http://tūdaliņ.lv';
|
||||||
|
$components[10] = array('tūdaliņ.lv', '', null, null);
|
||||||
|
|
||||||
|
// test invalid IPv6 address and invalid reg-name
|
||||||
|
//$uri[11] = 'http://[2001:0db8:85z3:08d3:1319:8a2e:0370:7334]';
|
||||||
|
//$components[11] = array(null, '', null, null);
|
||||||
|
|
||||||
|
// test invalid port
|
||||||
|
$uri[12] = 'http://example.com:foobar';
|
||||||
|
$components[12] = array('example.com', '', null, null);
|
||||||
|
|
||||||
|
// test overlarge port (max is 65535, although this isn't official)
|
||||||
|
$uri[13] = 'http://example.com:65536';
|
||||||
|
$components[13] = array('example.com', '', null, null);
|
||||||
|
|
||||||
|
// some spec abnf tests
|
||||||
|
|
||||||
|
// "authority . path-abempty" omitted, it is a trivial case
|
||||||
|
|
||||||
|
// "path-absolute", note this is different from path-rootless
|
||||||
|
$uri[14] = 'http:/this/is/path';
|
||||||
|
$components[14] = array(null, '/this/is/path', null, null);
|
||||||
|
$expect_uri[14] = 'http:/this/is/path'; // do not munge scheme off
|
||||||
|
|
||||||
|
// "path-rootless" - this should not be used but is allowed
|
||||||
|
$uri[15] = 'http:this/is/path';
|
||||||
|
$components[15] = array(null, 'this/is/path', null, null);
|
||||||
|
$expect_uri[15] = 'this/is/path'; // munge scheme off
|
||||||
|
|
||||||
|
// "path-empty" - a rather interesting case, remove the scheme
|
||||||
|
$uri[16] = 'http:';
|
||||||
|
$components[16] = array(null, '', null, null);
|
||||||
|
$expect_uri[16] = ''; // munge scheme off
|
||||||
|
|
||||||
|
// test invalid scheme
|
||||||
|
$uri[17] = 'javascript:alert("moo");';
|
||||||
|
$components[17] = false;
|
||||||
|
$expect_uri[17] = '';
|
||||||
|
|
||||||
|
foreach ($uri as $i => $value) {
|
||||||
|
|
||||||
|
// $fake_registry isn't the real mock, because due to PHP 4 weirdness
|
||||||
|
// I cannot set a default value to function parameters that are passed
|
||||||
|
// by reference. So we use the value instance() returns.
|
||||||
|
$fake_registry = new HTMLPurifier_URISchemeRegistryMock($this);
|
||||||
|
$registry = HTMLPurifier_URISchemeRegistry::instance($fake_registry);
|
||||||
|
|
||||||
|
// now, let's at a pseudo-scheme to the registry
|
||||||
|
$scheme = new HTMLPurifier_URISchemeMock($this);
|
||||||
|
|
||||||
|
// here are the schemes we will support with overloaded mocks
|
||||||
|
$registry->setReturnValue('getScheme', $scheme, array('http'));
|
||||||
|
$registry->setReturnValue('getScheme', $scheme, array('mailto'));
|
||||||
|
|
||||||
|
// default return value is false (meaning no scheme defined: reject)
|
||||||
|
$registry->setReturnValue('getScheme', false, array('*'));
|
||||||
|
|
||||||
|
if (!isset($return_components[$i])) {
|
||||||
|
$return_components[$i] = $components[$i];
|
||||||
|
}
|
||||||
|
if (!isset($expect_uri[$i])) {
|
||||||
|
$expect_uri[$i] = $value;
|
||||||
|
}
|
||||||
|
if ($components[$i] === false) {
|
||||||
|
$scheme->expectNever('validateComponents');
|
||||||
|
} else {
|
||||||
|
$scheme->setReturnValue(
|
||||||
|
'validateComponents', $return_components[$i], $components[$i]);
|
||||||
|
$scheme->expectOnce('validateComponents', $components[$i]);
|
||||||
|
}
|
||||||
|
$result = $def->validate($value);
|
||||||
|
$scheme->tally();
|
||||||
|
//$this->assertIdentical($expect_uri[$i], $result);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
?>
|
@ -62,7 +62,7 @@ $test_files[] = 'AttrDef/LangTest.php';
|
|||||||
$test_files[] = 'AttrDef/PixelsTest.php';
|
$test_files[] = 'AttrDef/PixelsTest.php';
|
||||||
$test_files[] = 'AttrDef/LengthTest.php';
|
$test_files[] = 'AttrDef/LengthTest.php';
|
||||||
$test_files[] = 'AttrDef/NumberSpanTest.php';
|
$test_files[] = 'AttrDef/NumberSpanTest.php';
|
||||||
//$test_files[] = 'AttrDef/URITest.php';
|
$test_files[] = 'AttrDef/URITest.php';
|
||||||
$test_files[] = 'IDAccumulatorTest.php';
|
$test_files[] = 'IDAccumulatorTest.php';
|
||||||
$test_files[] = 'TagTransformTest.php';
|
$test_files[] = 'TagTransformTest.php';
|
||||||
$test_files[] = 'AttrTransform/LangTest.php';
|
$test_files[] = 'AttrTransform/LangTest.php';
|
||||||
|
Loading…
Reference in New Issue
Block a user