diff --git a/NEWS b/NEWS
index 5a3dfdfa..327bee30 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 - AttrValidator operations are now atomic; updates to attributes are not manifest in token until end of operations. This prevents naughty internal code from directly modifying CurrentToken when they're not supposed to.
+- Percent encoding checks enabled for URI query and fragment
 . Added HTMLPurifier_UnitConverter and HTMLPurifier_Length for convenient handling of CSS-style lengths. HTMLPurifier_AttrDef_CSS_Length now uses this class.
diff --git a/TODO b/TODO
index a7f3736a..ad5e080d 100644
--- a/TODO
+++ b/TODO
@@ -11,7 +11,6 @@ If no interest is expressed for a feature that may require a considerable
 amount of effort to implement, it may get endlessly delayed. Do not be afraid to cast your vote for the next feature to be implemented!
-- Implement validation for query and for fragment
 - Ability to fully turn off imagecrash fixes (attribute and CSS will require two separate directives due to our architecture.)
 - Investigate how early internal structures can be accessed; this would
diff --git a/library/HTMLPurifier/URI.php b/library/HTMLPurifier/URI.php
index 43f1b192..cab09bfb 100644
--- a/library/HTMLPurifier/URI.php
+++ b/library/HTMLPurifier/URI.php
@@ -128,6 +128,17 @@ class HTMLPurifier_URI
 $this->path = ''; // just to be safe
 }
+ // qf = query and fragment
+ $qf_encoder = new HTMLPurifier_PercentEncoder($chars_pchar . '/?');
+
+ if (!is_null($this->query)) {
+ $this->query = $qf_encoder->encode($this->query);
+ }
+
+ if (!is_null($this->fragment)) {
+ $this->fragment = $qf_encoder->encode($this->fragment);
+ }
+
 return true;
 }
diff --git a/tests/HTMLPurifier/URITest.php b/tests/HTMLPurifier/URITest.php
index 97d77927..b4e99413 100644
--- a/tests/HTMLPurifier/URITest.php
+++ b/tests/HTMLPurifier/URITest.php
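Review bot: The preserve set `$chars_pchar . '/?'` on the new encoder line is explained only by the `qf` abbreviation, so a reader has to know RFC 3986 to see that `/` and `?` are exactly the characters query and fragment admit beyond pchar, and that `#` is deliberately absent so a stray one is percent-encoded instead of starting a new fragment when the URI is re-parsed. I would replace `// qf = query and fragment` with `// RFC 3986 §3.4/§3.5: query and fragment are *( pchar / "/" / "?" ); "#" is left out on purpose so it gets encoded rather than splitting off a fragment.`. `$chars_pchar` is assigned earlier in validate(), outside this hunk, so whether it really mirrors the RFC pchar set (and therefore excludes `#`) should be confirmed there rather than inferred from the name. The enclosing validate() begins before the hunk; its docblock should now state that query and fragment are percent-encoded alongside the path. A small style point: `!is_null($this->query)` reads more directly as `$this->query !== null`, and likewise for the fragment check.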
@@ -184,6 +184,14 @@ class HTMLPurifier_URITest extends HTMLPurifier_URIHarness
 $this->assertValidation("\xE3\x91\x94", '%E3%91%94');
 }
+ function test_validate_query() {
+ $this->assertValidation("?/\xE3\x91\x94", '?/%E3%91%94');
+ }
+
+ function test_validate_fragment() {
+ $this->assertValidation("#/\xE3\x91\x94", '#/%E3%91%94');
+ }
+
 function test_validate_path_empty() {
 $this->assertValidation('http://google.com');
 }
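Review bot: Both new tests only check a raw multibyte octet behind a preserved `/`, so they do not pin the other property the encoder's preserve set promises — that a literal `?` inside the query or fragment survives unencoded — nor that an already percent-encoded sequence is not double-encoded. The one-argument call `$this->assertValidation('http://google.com')` in the same hunk looks like the harness's "expect unchanged" form; if so, adding `$this->assertValidation('?a?b');` to test_validate_query and `$this->assertValidation('#a?b');` to test_validate_fragment would lock the `?` case in, with `$this->assertValidation('?%E3%91%94');` covering pass-through of existing escapes (assuming encode() leaves `%xx` alone, which this hunk does not show). The harness semantics for a missing expected value should be confirmed before relying on that form.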