
[1.2.0] Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@528 48356398-32a2-884e-a903-53898d9a118a
Edward Z. Yang 2006-11-17 23:09:10 +00:00
parent b0df2f292f
commit 82afd890c4
12 changed files with 46 additions and 4 deletions

NEWS

@ -23,6 +23,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Configuration documentation now has table of contents ! Configuration documentation now has table of contents
! Added %URI.DisableExternal, which prevents links to external websites. You ! Added %URI.DisableExternal, which prevents links to external websites. You
can also use %URI.Host to permit absolute linking to subdomains can also use %URI.Host to permit absolute linking to subdomains
! Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
- Documentation updated - Documentation updated
+ TODO added request Phalanger + TODO added request Phalanger
+ TODO added request Native compression + TODO added request Native compression

TODO

@ -5,8 +5,6 @@ TODO List
- Make URI validation routines tighter (especially mailto) - Make URI validation routines tighter (especially mailto)
- More extensive URI filtering schemes (see URI in config-ideas.txt) - More extensive URI filtering schemes (see URI in config-ideas.txt)
- Allow for background-image and list-style-image (see above) - Allow for background-image and list-style-image (see above)
- Distinguish between different types of URIs, for instance, a mailto URI
in IMG SRC is nonsensical
- Error logging for filtering/cleanup procedures - Error logging for filtering/cleanup procedures
- Rich set* methods and config file loaders for HTMLPurifier_Config - Rich set* methods and config file loaders for HTMLPurifier_Config


@ -43,10 +43,15 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
var $host; var $host;
var $PercentEncoder; var $PercentEncoder;
var $embeds;
function HTMLPurifier_AttrDef_URI() { /**
* @param $embeds Does the URI here result in an extra HTTP request?
*/
function HTMLPurifier_AttrDef_URI($embeds = false) {
$this->host = new HTMLPurifier_AttrDef_Host(); $this->host = new HTMLPurifier_AttrDef_Host();
$this->PercentEncoder = new HTMLPurifier_PercentEncoder(); $this->PercentEncoder = new HTMLPurifier_PercentEncoder();
$this->embeds = (bool) $embeds;
} }
function validate($uri, $config, &$context) { function validate($uri, $config, &$context) {
@ -100,6 +105,12 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
} }
// the URI we're processing embeds a resource in the page, but the URI
// it references cannot be located
if ($this->embeds && !$scheme_obj->browsable) {
return false;
}
if ($authority !== null) { if ($authority !== null) {
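Review bot: The new gate `if ($this->embeds && !$scheme_obj->browsable)` decides solely on the resolved scheme object, and how validate() obtains `$scheme_obj` for a scheme-less (relative) URI is outside this hunk; if that path falls back to a default scheme object, its `browsable` flag now determines whether every relative `img src` survives, and testEmbeds in this commit only exercises one absolute http URI and one mailto. Because the base class defaults `browsable` to false, the check is fail-closed for any scheme class this commit did not touch, which is the right default but should be spelled out on the constructor so callers passing `true` know what they are opting into: `* @param $embeds Does the URI here result in an extra HTTP request? When true, URIs whose scheme is not marked browsable are rejected (validate() returns false).` The parameter is a bare positional boolean at the call site in HTMLDefinition, so the docblock is the only place that meaning is recorded. validate()'s body starts and ends outside the hunk.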


@ -351,12 +351,14 @@ class HTMLPurifier_HTMLDefinition
$e_URI = new HTMLPurifier_AttrDef_URI(); $e_URI = new HTMLPurifier_AttrDef_URI();
$this->info['a']->attr['href'] = $this->info['a']->attr['href'] =
$this->info['img']->attr['longdesc'] = $this->info['img']->attr['longdesc'] =
$this->info['img']->attr['src'] =
$this->info['del']->attr['cite'] = $this->info['del']->attr['cite'] =
$this->info['ins']->attr['cite'] = $this->info['ins']->attr['cite'] =
$this->info['blockquote']->attr['cite'] = $this->info['blockquote']->attr['cite'] =
$this->info['q']->attr['cite'] = $e_URI; $this->info['q']->attr['cite'] = $e_URI;
// URI that causes HTTP request
$this->info['img']->attr['src'] = new HTMLPurifier_AttrDef_URI(true);
////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////
// info_tag_transform : transformations of tags // info_tag_transform : transformations of tags


@ -12,6 +12,13 @@ class HTMLPurifier_URIScheme
*/ */
var $default_port = null; var $default_port = null;
/**
* Whether or not URIs of this schem are locatable by a browser
* http and ftp are accessible, while mailto and news are not.
* @public
*/
var $browsable = false;
/** /**
* Validates the components of a URI * Validates the components of a URI
* @note This implementation should be called by children if they define * @note This implementation should be called by children if they define
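Review bot: The docblock on the new `var $browsable = false;` has a typo ("schem") and does not state the consequence of the default, which is the security-relevant part: a subclass that forgets to set the flag is rejected in embedding contexts, not accepted. Suggested wording: `* Whether URIs of this scheme can be fetched/rendered by a browser as an embedded resource (http, ftp) as opposed to merely triggering a handler (mailto, news, nntp). Defaults to false so that new schemes are fail-closed in img src until explicitly marked browsable.` The "accessible" phrasing in the current comment overlaps with the %URI.DisableExternal concept from the NEWS entry and may confuse readers; "fetchable by the browser" is more precise.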


@ -8,6 +8,7 @@ require_once 'HTMLPurifier/URIScheme.php';
class HTMLPurifier_URIScheme_ftp extends HTMLPurifier_URIScheme { class HTMLPurifier_URIScheme_ftp extends HTMLPurifier_URIScheme {
var $default_port = 21; var $default_port = 21;
var $browsable = true; // usually
function validateComponents( function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context $userinfo, $host, $port, $path, $query, $config, &$context


@ -8,6 +8,7 @@ require_once 'HTMLPurifier/URIScheme.php';
class HTMLPurifier_URIScheme_http extends HTMLPurifier_URIScheme { class HTMLPurifier_URIScheme_http extends HTMLPurifier_URIScheme {
var $default_port = 80; var $default_port = 80;
var $browsable = true;
function validateComponents( function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context $userinfo, $host, $port, $path, $query, $config, &$context
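Review bot: `var $browsable = true;` is set here on the http scheme only, and this commit touches no https scheme file; if the project defines a separate HTMLPurifier_URIScheme_https class that extends HTMLPurifier_URIScheme directly rather than this class, it inherits the base-class `false` and `<img src="https://...">` would now be stripped. Worth confirming the https class's parent and, if needed, adding the same `var $browsable = true;` there, plus a test asserting an https image passes under `new HTMLPurifier_AttrDef_URI(true)`.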


@ -13,6 +13,8 @@ require_once 'HTMLPurifier/URIScheme.php';
class HTMLPurifier_URIScheme_mailto extends HTMLPurifier_URIScheme { class HTMLPurifier_URIScheme_mailto extends HTMLPurifier_URIScheme {
var $browsable = false;
function validateComponents( function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context $userinfo, $host, $port, $path, $query, $config, &$context
) { ) {


@ -7,6 +7,8 @@ require_once 'HTMLPurifier/URIScheme.php';
*/ */
class HTMLPurifier_URIScheme_news extends HTMLPurifier_URIScheme { class HTMLPurifier_URIScheme_news extends HTMLPurifier_URIScheme {
var $browsable = false;
function validateComponents( function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context $userinfo, $host, $port, $path, $query, $config, &$context
) { ) {


@ -8,6 +8,7 @@ require_once 'HTMLPurifier/URIScheme.php';
class HTMLPurifier_URIScheme_nntp extends HTMLPurifier_URIScheme { class HTMLPurifier_URIScheme_nntp extends HTMLPurifier_URIScheme {
var $default_port = 119; var $default_port = 119;
var $browsable = false;
function validateComponents( function validateComponents(
$userinfo, $host, $port, $path, $query, $config, &$context $userinfo, $host, $port, $path, $query, $config, &$context


@ -261,6 +261,16 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
} }
function testEmbeds() {
// embedded URI
$this->def = new HTMLPurifier_AttrDef_URI(true);
$this->assertDef('http://sub.example.com/alas?foo=asd');
$this->assertDef('mailto:foo@example.com', false);
}
} }
?> ?>
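Review bot: testEmbeds pins only one accepted and one rejected URI, so the other non-browsable schemes marked in this commit (news, nntp) and the browsable ftp case are untested, and a regression that flips a single scheme's flag would go unnoticed. Add `$this->assertDef('news:rec.alt', false);` and `$this->assertDef('ftp://ftp.example.com/pub/a.gif');` alongside the existing two, and a relative path such as `$this->assertDef('/images/a.gif');` with whatever outcome the scheme-less branch of validate() is meant to produce, since that is the most common real-world `img src` and is not covered here. A mixed-case scheme (`MAILTO:foo@example.com`) would also confirm the scheme lookup is case-insensitive before the browsable check runs, assuming the registry normalises case — that cannot be seen from this diff.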


@ -163,6 +163,12 @@ class HTMLPurifier_Strategy_ValidateAttributesTest extends
'<col />' '<col />'
); );
// mailto in image is not allowed
$this->assertResult(
'<img src="mailto:foo@example.com" />',
'<img src="" alt="Invalid image" />'
);
} }
} }
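Review bot: The only strategy-level assertion added is the negative one (`mailto:` in img src becomes `src=""`), so nothing at this layer proves that a browsable image URI is still passed through after `img src` was switched to its own `HTMLPurifier_AttrDef_URI(true)` instance in HTMLDefinition. A positive case next to it, `'<img src="http://example.com/a.gif" alt="a" />'` expected unchanged (or with whatever attribute the existing img transforms add), would catch a wiring mistake that the unit test on the AttrDef cannot. The `src=""` fallback itself is pre-existing behaviour, not introduced here.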