[1.1.0] Enforce alphanumeric namespace and directive names for configuration.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@389 48356398-32a2-884e-a903-53898d9a118a
2024-12-22 16:31:53 +00:00 · 2006-09-06 02:07:46 +00:00 · 2006-09-06 02:07:46 +00:00 · 65a628bcb7
commit 65a628bcb7
parent a5b4ed2126
3 changed files with 29 additions and 0 deletions
--- a/1
+++ b/1
@ -4,6 +4,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 1.1.0, unknown release date
 - Made URI validator more forgiving: will ignore leading and trailing
  quotes, apostrophes and less than or greater than signs.
+- Enforce alphanumeric namespace and directive names for configuration.

 1.0.1, unknown release date
 - Fixed slight bug in DOMLex attribute parsing
--- a/library/HTMLPurifier/ConfigDef.php
+++ b/library/HTMLPurifier/ConfigDef.php
@ -86,6 +86,11 @@ class HTMLPurifier_ConfigDef {
                E_USER_ERROR);
            return;
        }
+        if (!ctype_alnum($name)) {
+            trigger_error('Directive name must be alphanumeric',
+                E_USER_ERROR);
+            return;
+        }
        if (isset($def->info[$namespace][$name])) {
            if (
                $def->info[$namespace][$name]->type !== $type ||
@ -127,6 +132,11 @@ class HTMLPurifier_ConfigDef {
            trigger_error('Cannot redefine namespace', E_USER_ERROR);
            return;
        }
+        if (!ctype_alnum($namespace)) {
+            trigger_error('Namespace name must be alphanumeric',
+                E_USER_ERROR);
+            return;
+        }
        $def->info[$namespace] = array();
        $def->info_namespace[$namespace] = new HTMLPurifier_ConfigEntity_Namespace();
        $backtrace = debug_backtrace();
--- a/tests/HTMLPurifier/ConfigDefTest.php
+++ b/tests/HTMLPurifier/ConfigDefTest.php
@ -231,6 +231,24 @@ class HTMLPurifier_ConfigDefTest extends UnitTestCase
        $this->swallowErrors();
        
        
+        // define a directive with bad characters
+        HTMLPurifier_ConfigDef::define(
+            'Core', 'Core.Attr', 10, 'int',
+            'No periods! >:-('
+        );
+        
+        $this->assertError('Directive name must be alphanumeric');
+        $this->assertNoErrors();
+        $this->swallowErrors();
+        
+        // define a namespace with bad characters
+        HTMLPurifier_ConfigDef::defineNamespace(
+            'Foobar&Gromit', $description
+        );
+        
+        $this->assertError('Namespace name must be alphanumeric');
+        $this->assertNoErrors();
+        $this->swallowErrors();
        
    }