From 5b14310284d2f83be8413a5b94be5ef6dc954e3e Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang" <edwardzyang@thewritingpot.com>
Date: Sat, 12 Aug 2006 02:48:17 +0000
Subject: [PATCH] Refactor a little, but I think I'm going to end up rewriting
 the whole thing.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@208 48356398-32a2-884e-a903-53898d9a118a
---
 library/HTMLPurifier/AttrDef/URI.php | 60 ++++++++++++++++------------
 1 file changed, 35 insertions(+), 25 deletions(-)

diff --git a/library/HTMLPurifier/AttrDef/URI.php b/library/HTMLPurifier/AttrDef/URI.php
index ffda0e71..ab8c9746 100644
--- a/library/HTMLPurifier/AttrDef/URI.php
+++ b/library/HTMLPurifier/AttrDef/URI.php
@@ -16,12 +16,41 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
         // while it would be nice to use parse_url(), that's specifically
         // for HTTP and thus won't work for our generic URI parsing
         
+        // define regexps
+        
+        $HEXDIG = '[A-Fa-f0-9]';
+        $unreserved = 'A-Za-z0-9-._~'; // make sure you wrap with []
+        $sub_delims = '!$&\'()'; // needs []
+        $pct_encoded = "%$HEXDIG$HEXDIG";
+        $h16 = "{$HEXDIG}{1,4}";
+        $dec_octet = '(?:25[0-5]|2[0-4]\d|1\d\d|1\d|[0-9])';
+        $IPv4address = "$dec_octet.$dec_octet.$dec_octet.$dec_octet";
+        $ls32 = "(?:$h16:$h16|$IPv4address)";
+        $IPvFuture = "v$HEXDIG+\.[:$unreserved$sub_delims]+";
+        $IPv6Address = "(?:".
+                                    "(?:$h16:){6}$ls32" .
+                                 "|::(?:$h16:){5}$ls32" .
+                        "|(?:$h16)?::(?:$h16:){4}$ls32" .
+            "|(?:(?:$h16:){1}$h16)?::(?:$h16:){3}$ls32" .
+            "|(?:(?:$h16:){2}$h16)?::(?:$h16:){2}$ls32" .
+            "|(?:(?:$h16:){3}$h16)?::(?:$h16:){1}$ls32" .
+            "|(?:(?:$h16:){4}$h16)?::$ls32" .
+            "|(?:(?:$h16:){5}$h16)?::$h16" .
+            "|(?:(?:$h16:){6}$h16)?::" .
+            ")";
+        $IP_literal = "\[(?:$IPvFuture|$IPv6Address)\]";
+        
+        // the important regexps, the collide with other names, prefix with r_
+        
+        $r_userinfo = "(?:[$unreserved$sub_delims:]|$pct_encoded)*";
+        $r_authority = "/^(($r_userinfo)@)?(\[$IP_literal\]|[^:]*)(:(\d*))?/";
+        
         // according to the RFC... (but this cuts corners, i.e. non-validating)
-        $regexp = '!^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?!';
+        $r_URI = '!^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?!';
         //           12            3  4          5       6  7        8 9
         $matches = array();
         
-        $result = preg_match($regexp, $uri, $matches);
+        $result = preg_match($r_URI, $uri, $matches);
         
         if (!$result) return ''; // wow, that's very strange
         
@@ -44,38 +73,19 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
             // validate authority
             $matches = array();
             
-            $HEXDIG = '[A-Fa-f0-9]';
-            $unreserved = 'A-Za-z0-9-._~';
-            $sub_delims = '!$&\'()';
-            $h16 = "{$HEXDIG}{1,4}";
-            $dec_octet = '(?:25[0-5]|2[0-4]\d|1\d\d|1\d|[0-9])';
-            $IPv4address = "$dec_octet.$dec_octet.$dec_octet.$dec_octet";
-            $ls32 = "(?:$h16:$h16|$IPv4address)";
-            $IPvFuture = "v$HEXDIG+\.[:$unreserved$sub_delims]+";
-            $IPv6Address = "(?:".
-                                        "(?:$h16:){6}$ls32" .
-                                     "|::(?:$h16:){5}$ls32" .
-                            "|(?:$h16)?::(?:$h16:){4}$ls32" .
-                "|(?:(?:$h16:){1}$h16)?::(?:$h16:){3}$ls32" .
-                "|(?:(?:$h16:){2}$h16)?::(?:$h16:){2}$ls32" .
-                "|(?:(?:$h16:){3}$h16)?::(?:$h16:){1}$ls32" .
-                "|(?:(?:$h16:){4}$h16)?::$ls32" .
-                "|(?:(?:$h16:){5}$h16)?::$h16" .
-                "|(?:(?:$h16:){6}$h16)?::" .
-                ")";
-            $IP_literal = "\[(?:$IPvFuture|$IPv6Address)\]";
-            $regexp = "/^(([^@]+)@)?(\[$IP_literal\]|[^:]*)(:(\d*))?/";
-            
-            preg_match($regexp, $authority, $matches);
+            // IPv6 is broken
+            preg_match($r_authority, $authority, $matches);
             $userinfo   = !empty($matches[1]) ? $matches[2] : null;
             $host       = !empty($matches[3]) ? $matches[3] : null;
             $port       = !empty($matches[4]) ? $matches[5] : null;
             
+            // validate port
             if ($port !== null) {
                 if (!ctype_digit($port) || $port < 1 || $port > 65535) {
                     $port = null;
                 }
             }
+            
             $authority =
                 ($userinfo === null ? '' : ($userinfo . '@')) .
                 $host .