diff --git a/NEWS b/NEWS index 2eb2895c..9444d034 100644 --- a/NEWS +++ b/NEWS @@ -19,6 +19,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier - Non all-numeric top-level names (e.g., foo.1f, 1f) are now allowed. - Minor bounds error fix to squash a PHP 7 notice. +- Support non-/tmp temporary directories for data:// validation 4.7.0, released 2015-08-04 # opacity is now considered a "tricky" CSS property rather than a diff --git a/library/HTMLPurifier/URIScheme/data.php b/library/HTMLPurifier/URIScheme/data.php index 6ebca498..19321a03 100644 --- a/library/HTMLPurifier/URIScheme/data.php +++ b/library/HTMLPurifier/URIScheme/data.php @@ -81,7 +81,11 @@ class HTMLPurifier_URIScheme_data extends HTMLPurifier_URIScheme } // XXX probably want to refactor this into a general mechanism // for filtering arbitrary content types - $file = tempnam("/tmp", ""); + if (function_exists('sys_get_temp_dir')) { + $file = tempnam(sys_get_temp_dir(), ""); + } else { + $file = tempnam("/tmp", ""); + } file_put_contents($file, $raw_data); if (function_exists('exif_imagetype')) { $image_code = exif_imagetype($file);
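Review bot: The return value of `tempnam()` is used unchecked in both new branches of the data.php hunk; it returns `false` when no file can be created, and a directory taken from `sys_get_temp_dir()` (an unwritable TMPDIR, an `open_basedir` restriction) makes that more likely than the fixed `/tmp` did. On failure, `file_put_contents($file, $raw_data)` and `exif_imagetype($file)` would run on `false`, and whether the URI is then rejected depends on code further down that is not visible here. I would fail closed right after the branch with `if ($file === false) { return false; }`, assuming the enclosing method rejects a URI by returning false; its start and end are outside the hunk. As a smaller style point, the two `tempnam()` calls can be collapsed by choosing the directory first: `$dir = function_exists('sys_get_temp_dir') ? sys_get_temp_dir() : "/tmp";`.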