mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-01-08 15:11:51 +00:00
Code Releases Activity

Add a directive that lets you disallow pure-registry overloading.

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@216 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2006-08-12 17:12:27 +00:00
parent 6c3d364213
commit 8167fca493
3 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
library/HTMLPurifier/URIScheme.php
View File

@ -4,7 +4,7 @@ class HTMLPurifier_URIScheme
{ {
function validateComponents($authority, $path, $query, $fragment) { function validateComponents($authority, $path, $query, $fragment) {
return array($authority, $path, $query, $fragment);
} }
} }

19
library/HTMLPurifier/URISchemeRegistry.php
View File

@ -16,6 +16,14 @@ HTMLPurifier_ConfigDef::define(
'prevents XSS attacks from using pseudo-schemes like javascript or mocha.' 'prevents XSS attacks from using pseudo-schemes like javascript or mocha.'
); );
HTMLPurifier_ConfigDef::define(
'URI', 'OverrideAllowedSchemes', true,
'If this is set to true (which it is by default), you can override '.
'%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme '.
'to the registry. If false, you will also have to update that directive '.
'in order to add more schemes.'
);
class HTMLPurifier_URISchemeRegistry class HTMLPurifier_URISchemeRegistry
{ {
@ -38,11 +46,18 @@ class HTMLPurifier_URISchemeRegistry
function &getScheme($scheme, $config = null) { function &getScheme($scheme, $config = null) {
if (!$config) $config = HTMLPurifier_Config::createDefault(); if (!$config) $config = HTMLPurifier_Config::createDefault();
$null = null; // for the sake of passing by reference $null = null; // for the sake of passing by reference
if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
// important, otherwise attacker could include arbitrary file // important, otherwise attacker could include arbitrary file
$allowed_schemes = $config->get('URI', 'AllowedSchemes'); $allowed_schemes = $config->get('URI', 'AllowedSchemes');
if (!$config->get('URI', 'OverrideAllowedSchemes') &&
!isset($allowed_schemes[$scheme])
) {
return $null;
}
if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
if (!isset($allowed_schemes[$scheme])) return $null; if (!isset($allowed_schemes[$scheme])) return $null;
@include_once $this->_dir . $scheme . '.php'; @include_once $this->_dir . $scheme . '.php';

7
tests/HTMLPurifier/URISchemeRegistryTest.php
View File

@ -11,6 +11,7 @@ class HTMLPurifier_URISchemeRegistryTest extends UnitTestCase
$config = HTMLPurifier_Config::createDefault(); $config = HTMLPurifier_Config::createDefault();
$config->set('URI', 'AllowedSchemes', array('http' => true, 'telnet' => true)); $config->set('URI', 'AllowedSchemes', array('http' => true, 'telnet' => true));
$config->set('URI', 'OverrideAllowedSchemes', true);
$registry = new HTMLPurifier_URISchemeRegistry(); $registry = new HTMLPurifier_URISchemeRegistry();
$this->assertIsA($registry->getScheme('http'), 'HTMLPurifier_URIScheme_http'); $this->assertIsA($registry->getScheme('http'), 'HTMLPurifier_URIScheme_http');
@ -31,7 +32,11 @@ class HTMLPurifier_URISchemeRegistryTest extends UnitTestCase
$registry->register('foobar', $scheme_foobar); $registry->register('foobar', $scheme_foobar);
$this->assertIdentical($registry->getScheme('foobar', $config), $scheme_foobar); $this->assertIdentical($registry->getScheme('foobar', $config), $scheme_foobar);
// however, don't try to get a scheme that isn't allowed // now, test when overriding is not allowed
$config->set('URI', 'OverrideAllowedSchemes', false);
$this->assertNull($registry->getScheme('foobar', $config));
// scheme not allowed and never registered
$this->assertNull($registry->getScheme('ftp', $config)); $this->assertNull($registry->getScheme('ftp', $config));
} }