0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 08:21:52 +00:00

[1.2.0] Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@528 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2006-11-17 23:09:10 +00:00
parent b0df2f292f
commit 82afd890c4
12 changed files with 46 additions and 4 deletions

1
NEWS
View File

@ -23,6 +23,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Configuration documentation now has table of contents
! Added %URI.DisableExternal, which prevents links to external websites. You
can also use %URI.Host to permit absolute linking to subdomains
! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
- Documentation updated
+ TODO added request Phalanger
+ TODO added request Native compression

2
TODO
View File

@ -5,8 +5,6 @@ TODO List
- Make URI validation routines tighter (especially mailto)
- More extensive URI filtering schemes (see URI in config-ideas.txt)
- Allow for background-image and list-style-image (see above)
- Distinguish between different types of URIs, for instance, a mailto URI
in IMG SRC is nonsensical
- Error logging for filtering/cleanup procedures
- Rich set* methods and config file loaders for HTMLPurifier_Config

View File

@ -43,10 +43,15 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
var $host;
var $PercentEncoder;
var $embeds;
function HTMLPurifier_AttrDef_URI() {
/**
* @param $embeds Does the URI here result in an extra HTTP request?
*/
function HTMLPurifier_AttrDef_URI($embeds = false) {
$this->host = new HTMLPurifier_AttrDef_Host();
$this->PercentEncoder = new HTMLPurifier_PercentEncoder();
$this->embeds = (bool) $embeds;
}
function validate($uri, $config, &$context) {
@ -100,6 +105,12 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
}
// the URI we're processing embeds a resource in the page, but the URI
// it references cannot be located
if ($this->embeds && !$scheme_obj->browsable) {
return false;
}
if ($authority !== null) {

View File

@ -351,12 +351,14 @@ class HTMLPurifier_HTMLDefinition
$e_URI = new HTMLPurifier_AttrDef_URI();
$this->info['a']->attr['href'] =
$this->info['img']->attr['longdesc'] =
$this->info['img']->attr['src'] =
$this->info['del']->attr['cite'] =
$this->info['ins']->attr['cite'] =
$this->info['blockquote']->attr['cite'] =
$this->info['q']->attr['cite'] = $e_URI;
// URI that causes HTTP request
$this->info['img']->attr['src'] = new HTMLPurifier_AttrDef_URI(true);
//////////////////////////////////////////////////////////////////////
// info_tag_transform : transformations of tags

View File

@ -12,6 +12,13 @@ class HTMLPurifier_URIScheme
*/
var $default_port = null;
/**
* Whether or not URIs of this schem are locatable by a browser
* http and ftp are accessible, while mailto and news are not.
* @public
*/
var $browsable = false;
/**
* Validates the components of a URI
* @note This implementation should be called by children if they define

View File

@ -8,6 +8,7 @@ require_once 'HTMLPurifier/URIScheme.php';
class HTMLPurifier_URIScheme_ftp extends HTMLPurifier_URIScheme {
var $default_port = 21;
var $browsable = true; // usually
function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context

View File

@ -8,6 +8,7 @@ require_once 'HTMLPurifier/URIScheme.php';
class HTMLPurifier_URIScheme_http extends HTMLPurifier_URIScheme {
var $default_port = 80;
var $browsable = true;
function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context

View File

@ -13,6 +13,8 @@ require_once 'HTMLPurifier/URIScheme.php';
class HTMLPurifier_URIScheme_mailto extends HTMLPurifier_URIScheme {
var $browsable = false;
function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context
) {

View File

@ -7,6 +7,8 @@ require_once 'HTMLPurifier/URIScheme.php';
*/
class HTMLPurifier_URIScheme_news extends HTMLPurifier_URIScheme {
var $browsable = false;
function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context
) {

View File

@ -8,6 +8,7 @@ require_once 'HTMLPurifier/URIScheme.php';
class HTMLPurifier_URIScheme_nntp extends HTMLPurifier_URIScheme {
var $default_port = 119;
var $browsable = false;
function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context

View File

@ -261,6 +261,16 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
}
function testEmbeds() {
// embedded URI
$this->def = new HTMLPurifier_AttrDef_URI(true);
$this->assertDef('http://sub.example.com/alas?foo=asd');
$this->assertDef('mailto:foo@example.com', false);
}
}
?>

View File

@ -163,6 +163,12 @@ class HTMLPurifier_Strategy_ValidateAttributesTest extends
'<col />'
);
// mailto in image is not allowed
$this->assertResult(
'<img src="mailto:foo@example.com" />',
'<img src="" alt="Invalid image" />'
);
}
}