mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-23 00:41:52 +00:00
[1.3.0] New directive %URI.Munge, munges URI so you can use some sort of redirector service to avoid PageRank leaks or warn users that they are exiting your site.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@576 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
parent
49cb2a4a7c
commit
775763c583
2
NEWS
2
NEWS
@ -24,6 +24,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||||||
! <li value="4"> and <ul start="2"> now allowed in loose mode
|
! <li value="4"> and <ul start="2"> now allowed in loose mode
|
||||||
! New directives %URI.DisableExternalResources and %URI.DisableResources
|
! New directives %URI.DisableExternalResources and %URI.DisableResources
|
||||||
! New directive %Attr.DisableURI, which eliminates all hyperlinking
|
! New directive %Attr.DisableURI, which eliminates all hyperlinking
|
||||||
|
! New directive %URI.Munge, munges URI so you can use some sort of redirector
|
||||||
|
service to avoid PageRank leaks or warn users that they are exiting your site.
|
||||||
- Added missing type to ChildDef_Chameleon
|
- Added missing type to ChildDef_Chameleon
|
||||||
- Remove Tidy option from demo if there is not Tidy available
|
- Remove Tidy option from demo if there is not Tidy available
|
||||||
. ChildDef_Required guards against empty tags
|
. ChildDef_Required guards against empty tags
|
||||||
|
@ -21,14 +21,6 @@ time. Note the naming convention: %Namespace.Directive
|
|||||||
%Attr.MaxHeight - caps for width and height related checks.
|
%Attr.MaxHeight - caps for width and height related checks.
|
||||||
(the hack in Pixels for an image crashing attack could be replaced by this)
|
(the hack in Pixels for an image crashing attack could be replaced by this)
|
||||||
|
|
||||||
%URI.Munge - will munge all external URIs to a different URI, which redirects
|
|
||||||
the user to the applicable page. A urlencoded version of the URI
|
|
||||||
will replace any instances of %s in the string. One possible
|
|
||||||
string is 'http://www.google.com/url?q=%s'. Useful for preventing
|
|
||||||
pagerank from being sent to other sites, but can also be used to
|
|
||||||
redirect to a splash page notifying user that they are leaving your
|
|
||||||
website.
|
|
||||||
|
|
||||||
%URI.AddRelNofollow - will add rel="nofollow" to all links, preventing the
|
%URI.AddRelNofollow - will add rel="nofollow" to all links, preventing the
|
||||||
spread of ill-gotten pagerank
|
spread of ill-gotten pagerank
|
||||||
|
|
||||||
|
@ -54,6 +54,21 @@ HTMLPurifier_ConfigSchema::define(
|
|||||||
'this might be a good idea. This directive has been available since 1.3.0.'
|
'this might be a good idea. This directive has been available since 1.3.0.'
|
||||||
);
|
);
|
||||||
|
|
||||||
|
HTMLPurifier_ConfigSchema::define(
|
||||||
|
'URI', 'Munge', null, 'string/null',
|
||||||
|
'Munges all browsable (usually http, https and ftp) URI\'s into some URL '.
|
||||||
|
'redirection service. Pass this directive a URI, with %s inserted where '.
|
||||||
|
'the url-encoded original URI should be inserted (sample: '.
|
||||||
|
'<code>http://www.google.com/url?q=%s</code>). '.
|
||||||
|
'This prevents PageRank leaks, while being as transparent as possible '.
|
||||||
|
'to users (you may also want to add some client side JavaScript to '.
|
||||||
|
'override the text in the statusbar). Warning: many security experts '.
|
||||||
|
'believe that this form of protection does not deter spam-bots. '.
|
||||||
|
'You can also use this directive to redirect users to a splash page '.
|
||||||
|
'telling them they are leaving your website. '.
|
||||||
|
'This directive has been available since 1.3.0.'
|
||||||
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Validates a URI as defined by RFC 3986.
|
* Validates a URI as defined by RFC 3986.
|
||||||
* @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
|
* @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
|
||||||
@ -225,6 +240,14 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
|
|||||||
if ($query !== null) $result .= "?$query";
|
if ($query !== null) $result .= "?$query";
|
||||||
if ($fragment !== null) $result .= "#$fragment";
|
if ($fragment !== null) $result .= "#$fragment";
|
||||||
|
|
||||||
|
// munge if necessary
|
||||||
|
$munge = $config->get('URI', 'Munge');
|
||||||
|
if (!empty($scheme_obj->browsable) && $munge !== null) {
|
||||||
|
if ($authority !== null) {
|
||||||
|
$result = str_replace('%s', rawurlencode($result), $munge);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return $result;
|
return $result;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -285,6 +285,21 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function testMunge() {
|
||||||
|
|
||||||
|
$this->config->set('URI', 'Munge', 'http://www.google.com/url?q=%s');
|
||||||
|
$this->def = new HTMLPurifier_AttrDef_URI();
|
||||||
|
|
||||||
|
$this->assertDef(
|
||||||
|
'http://www.example.com/',
|
||||||
|
'http://www.google.com/url?q=http%3A%2F%2Fwww.example.com%2F'
|
||||||
|
);
|
||||||
|
|
||||||
|
$this->assertDef('index.html');
|
||||||
|
$this->assertDef('javascript:foobar();', false);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
?>
|
?>
|
Loading…
Reference in New Issue
Block a user