mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-22 16:31:53 +00:00
Make URI parsing algorithm more strict.
Thanks Michael Gusev <mgusev@sugarcrm.com> for contributing this patch. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
parent
20eff0a3a0
commit
6e37ecd1c8
5
NEWS
5
NEWS
@ -9,6 +9,11 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||||||
. Internal change
|
. Internal change
|
||||||
==========================
|
==========================
|
||||||
|
|
||||||
|
4.6.0, unknown release date
|
||||||
|
# URI parsing algorithm was made more strict, so only prefixes which
|
||||||
|
looks like schemes will actually be schemes. Thanks
|
||||||
|
Michael Gusev <mgusev@sugarcrm.com> for fixing.
|
||||||
|
|
||||||
4.5.0, released 2013-02-17
|
4.5.0, released 2013-02-17
|
||||||
# Fix bug where stacked attribute transforms clobber each other;
|
# Fix bug where stacked attribute transforms clobber each other;
|
||||||
this also means it's no longer possible to override attribute
|
this also means it's no longer possible to override attribute
|
||||||
|
@ -30,7 +30,7 @@ class HTMLPurifier_URIParser
|
|||||||
// Note that ["<>] are an addition to the RFC's recommended
|
// Note that ["<>] are an addition to the RFC's recommended
|
||||||
// characters, because they represent external delimeters.
|
// characters, because they represent external delimeters.
|
||||||
$r_URI = '!'.
|
$r_URI = '!'.
|
||||||
'(([^:/?#"<>]+):)?'. // 2. Scheme
|
'(([a-zA-Z0-9\.\+\-]+):)?'. // 2. Scheme
|
||||||
'(//([^/?#"<>]*))?'. // 4. Authority
|
'(//([^/?#"<>]*))?'. // 4. Authority
|
||||||
'([^?#"<>]*)'. // 5. Path
|
'([^?#"<>]*)'. // 5. Path
|
||||||
'(\?([^#"<>]*))?'. // 7. Query
|
'(\?([^#"<>]*))?'. // 7. Query
|
||||||
|
@ -140,6 +140,13 @@ class HTMLPurifier_URIParserTest extends HTMLPurifier_Harness
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function testEmbeddedColon() {
|
||||||
|
$this->assertParsing(
|
||||||
|
'{:test:}',
|
||||||
|
null, null, null, null, '{:test:}', null, null
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// vim: et sw=4 sts=4
|
// vim: et sw=4 sts=4
|
||||||
|
Loading…
Reference in New Issue
Block a user