mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-23 00:41:52 +00:00
Add a directive that lets you disallow pure-registry overloading.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@216 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
parent
6c3d364213
commit
8167fca493
@ -4,7 +4,7 @@ class HTMLPurifier_URIScheme
|
||||
{
|
||||
|
||||
function validateComponents($authority, $path, $query, $fragment) {
|
||||
|
||||
return array($authority, $path, $query, $fragment);
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -16,6 +16,14 @@ HTMLPurifier_ConfigDef::define(
|
||||
'prevents XSS attacks from using pseudo-schemes like javascript or mocha.'
|
||||
);
|
||||
|
||||
HTMLPurifier_ConfigDef::define(
|
||||
'URI', 'OverrideAllowedSchemes', true,
|
||||
'If this is set to true (which it is by default), you can override '.
|
||||
'%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme '.
|
||||
'to the registry. If false, you will also have to update that directive '.
|
||||
'in order to add more schemes.'
|
||||
);
|
||||
|
||||
class HTMLPurifier_URISchemeRegistry
|
||||
{
|
||||
|
||||
@ -38,11 +46,18 @@ class HTMLPurifier_URISchemeRegistry
|
||||
function &getScheme($scheme, $config = null) {
|
||||
if (!$config) $config = HTMLPurifier_Config::createDefault();
|
||||
$null = null; // for the sake of passing by reference
|
||||
if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
|
||||
if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
|
||||
|
||||
// important, otherwise attacker could include arbitrary file
|
||||
$allowed_schemes = $config->get('URI', 'AllowedSchemes');
|
||||
if (!$config->get('URI', 'OverrideAllowedSchemes') &&
|
||||
!isset($allowed_schemes[$scheme])
|
||||
) {
|
||||
return $null;
|
||||
}
|
||||
|
||||
if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
|
||||
if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
|
||||
|
||||
if (!isset($allowed_schemes[$scheme])) return $null;
|
||||
|
||||
@include_once $this->_dir . $scheme . '.php';
|
||||
|
@ -11,6 +11,7 @@ class HTMLPurifier_URISchemeRegistryTest extends UnitTestCase
|
||||
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('URI', 'AllowedSchemes', array('http' => true, 'telnet' => true));
|
||||
$config->set('URI', 'OverrideAllowedSchemes', true);
|
||||
|
||||
$registry = new HTMLPurifier_URISchemeRegistry();
|
||||
$this->assertIsA($registry->getScheme('http'), 'HTMLPurifier_URIScheme_http');
|
||||
@ -31,7 +32,11 @@ class HTMLPurifier_URISchemeRegistryTest extends UnitTestCase
|
||||
$registry->register('foobar', $scheme_foobar);
|
||||
$this->assertIdentical($registry->getScheme('foobar', $config), $scheme_foobar);
|
||||
|
||||
// however, don't try to get a scheme that isn't allowed
|
||||
// now, test when overriding is not allowed
|
||||
$config->set('URI', 'OverrideAllowedSchemes', false);
|
||||
$this->assertNull($registry->getScheme('foobar', $config));
|
||||
|
||||
// scheme not allowed and never registered
|
||||
$this->assertNull($registry->getScheme('ftp', $config));
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user