0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-23 00:41:52 +00:00

Add a directive that lets you disallow pure-registry overloading.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@216 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2006-08-12 17:12:27 +00:00
parent 6c3d364213
commit 8167fca493
3 changed files with 24 additions and 4 deletions

View File

@ -4,7 +4,7 @@ class HTMLPurifier_URIScheme
{
function validateComponents($authority, $path, $query, $fragment) {
return array($authority, $path, $query, $fragment);
}
}

View File

@ -16,6 +16,14 @@ HTMLPurifier_ConfigDef::define(
'prevents XSS attacks from using pseudo-schemes like javascript or mocha.'
);
HTMLPurifier_ConfigDef::define(
'URI', 'OverrideAllowedSchemes', true,
'If this is set to true (which it is by default), you can override '.
'%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme '.
'to the registry. If false, you will also have to update that directive '.
'in order to add more schemes.'
);
class HTMLPurifier_URISchemeRegistry
{
@ -38,11 +46,18 @@ class HTMLPurifier_URISchemeRegistry
function &getScheme($scheme, $config = null) {
if (!$config) $config = HTMLPurifier_Config::createDefault();
$null = null; // for the sake of passing by reference
if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
// important, otherwise attacker could include arbitrary file
$allowed_schemes = $config->get('URI', 'AllowedSchemes');
if (!$config->get('URI', 'OverrideAllowedSchemes') &&
!isset($allowed_schemes[$scheme])
) {
return $null;
}
if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
if (!isset($allowed_schemes[$scheme])) return $null;
@include_once $this->_dir . $scheme . '.php';

View File

@ -11,6 +11,7 @@ class HTMLPurifier_URISchemeRegistryTest extends UnitTestCase
$config = HTMLPurifier_Config::createDefault();
$config->set('URI', 'AllowedSchemes', array('http' => true, 'telnet' => true));
$config->set('URI', 'OverrideAllowedSchemes', true);
$registry = new HTMLPurifier_URISchemeRegistry();
$this->assertIsA($registry->getScheme('http'), 'HTMLPurifier_URIScheme_http');
@ -31,7 +32,11 @@ class HTMLPurifier_URISchemeRegistryTest extends UnitTestCase
$registry->register('foobar', $scheme_foobar);
$this->assertIdentical($registry->getScheme('foobar', $config), $scheme_foobar);
// however, don't try to get a scheme that isn't allowed
// now, test when overriding is not allowed
$config->set('URI', 'OverrideAllowedSchemes', false);
$this->assertNull($registry->getScheme('foobar', $config));
// scheme not allowed and never registered
$this->assertNull($registry->getScheme('ftp', $config));
}