
Make URI parsing algorithm more strict.

Thanks Michael Gusev <mgusev@sugarcrm.com> for contributing this patch.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
Edward Z. Yang 2013-04-16 13:46:00 -07:00
parent 20eff0a3a0
commit 6e37ecd1c8
3 changed files with 13 additions and 1 deletions

5
NEWS

@ -9,6 +9,11 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
. Internal change . Internal change
========================== ==========================
4.6.0, unknown release date
# URI parsing algorithm was made more strict, so only prefixes which
looks like schemes will actually be schemes. Thanks
Michael Gusev <mgusev@sugarcrm.com> for fixing.
4.5.0, released 2013-02-17 4.5.0, released 2013-02-17
# Fix bug where stacked attribute transforms clobber each other; # Fix bug where stacked attribute transforms clobber each other;
this also means it's no longer possible to override attribute this also means it's no longer possible to override attribute


@ -30,7 +30,7 @@ class HTMLPurifier_URIParser
// Note that ["<>] are an addition to the RFC's recommended // Note that ["<>] are an addition to the RFC's recommended
// characters, because they represent external delimeters. // characters, because they represent external delimeters.
$r_URI = '!'. $r_URI = '!'.
'(([^:/?#"<>]+):)?'. // 2. Scheme '(([a-zA-Z0-9\.\+\-]+):)?'. // 2. Scheme
'(//([^/?#"<>]*))?'. // 4. Authority '(//([^/?#"<>]*))?'. // 4. Authority
'([^?#"<>]*)'. // 5. Path '([^?#"<>]*)'. // 5. Path
'(\?([^#"<>]*))?'. // 7. Query '(\?([^#"<>]*))?'. // 7. Query
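Review bot: The tightened class on the `// 2. Scheme` line still lets a scheme begin with a digit, dot, plus or hyphen, whereas RFC 3986 §3.1 requires the first character to be ALPHA, so a prefix such as `1:` or `-:` is still captured as a scheme by this pattern. Since this capture is presumably what selects the scheme-specific validation downstream, anchoring the first character keeps the parser's notion of "looks like a scheme" aligned with the RFC: `'(([a-zA-Z][a-zA-Z0-9\.\+\-]*):)?'. // 2. Scheme: RFC 3986 3.1, ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )`. The `$r_URI` concatenation and the method that builds it continue past the end of the hunk.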


@ -140,6 +140,13 @@ class HTMLPurifier_URIParserTest extends HTMLPurifier_Harness
); );
} }
function testEmbeddedColon() {
$this->assertParsing(
'{:test:}',
null, null, null, null, '{:test:}', null, null
);
}
} }
// vim: et sw=4 sts=4 // vim: et sw=4 sts=4
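Review bot: `testEmbeddedColon` pins only the negative case (a colon inside a non-scheme prefix now falls through to the path), while nothing in this hunk checks that the new character class still accepts the punctuation it deliberately allows, so a later edit to the class could silently break `+`/`.`/`-` schemes. A positive assertion next to it, using what appears to be the same `assertParsing` argument order (scheme, userinfo, host, port, path, query, fragment), would close that gap: `$this->assertParsing('svn+ssh://host/path', 'svn+ssh', null, 'host', null, '/path', null, null);` (constructed example). A digit-leading input such as `'1:foo'`, which the new character class would match as a scheme, is also worth asserting one way or the other so the intended behaviour is documented by a test.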