Add double-munging protection by checking if the domains are the same.

Previously, if an absolute munge URL location was used, HTML passed through HTML Purifier multiple times would be munged multiple times. This patch checks if the output URI has the same URI as the input URI; if they do, the munge is considered unnecessary and discarded. Requested-by: Chris <justbittin@gmail.com> Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2024-09-18 18:25:18 +00:00 · 2008-07-26 22:45:19 -06:00 · 2008-07-26 22:45:19 -06:00 · 85090520f1
commit 85090520f1
parent 3b6aa10592
3 changed files with 12 additions and 1 deletions
--- a/2
+++ b/2
@ -33,6 +33,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 - Redirected stderr to stdout for flush error output.
 - %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
  available.
+- Do not re-munge URL if the output URL has the same host as the input URL.
+  Requested by Chris.
 . Strategy_MakeWellFormed now operates in-place, saving memory and allowing
  for more interesting filter-backtracking
 . New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
--- a/library/HTMLPurifier/URIFilter/Munge.php
+++ b/library/HTMLPurifier/URIFilter/Munge.php
@ -28,7 +28,11 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
        $this->replace = array_map('rawurlencode', $this->replace);
        
        $new_uri = strtr($this->target, $this->replace);
-        $uri = $this->parser->parse($new_uri); // overwrite
+        $new_uri = $this->parser->parse($new_uri);
+        // don't redirect if the target host is the same as the 
+        // starting host
+        if ($uri->host === $new_uri->host) return true;
+        $uri = $new_uri; // overwrite
        return true;
    }
    
--- a/tests/HTMLPurifier/URIFilter/MungeTest.php
+++ b/tests/HTMLPurifier/URIFilter/MungeTest.php
@ -112,4 +112,9 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
        $this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/0072e2f817fd2844825def74e54443debecf0892');
    }
    
+    function testMungeIgnoreSameDomain() {
+        $this->setMunge('http://example.com/%s');
+        $this->assertFiltering('http://example.com/foobar');
+    }
+    
 }