
Add double-munging protection by checking if the domains are the same.

Previously, if an absolute munge URL location was used, HTML passed through
HTML Purifier multiple times would be munged multiple times. This patch
checks whether the output URI is the same as the input URI; if so,
the munge is considered unnecessary and discarded.

Requested-by: Chris <justbittin@gmail.com>
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
Edward Z. Yang 2008-07-26 22:45:19 -06:00
parent 3b6aa10592
commit 85090520f1
3 changed files with 12 additions and 1 deletions

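--- a/NEWS
+++ b/NEWS
@@ -33,6 +33,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 - Redirected stderr to stdout for flush error output.
 - %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
   available.
+- Do not re-munge URL if the output URL has the same host as the input URL.
+  Requested by Chris.
 . Strategy_MakeWellFormed now operates in-place, saving memory and allowing
   for more interesting filter-backtracking
 . New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind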

@ -28,7 +28,11 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
$this->replace = array_map('rawurlencode', $this->replace); $this->replace = array_map('rawurlencode', $this->replace);
$new_uri = strtr($this->target, $this->replace); $new_uri = strtr($this->target, $this->replace);
$uri = $this->parser->parse($new_uri); // overwrite $new_uri = $this->parser->parse($new_uri);
// don't redirect if the target host is the same as the
// starting host
if ($uri->host === $new_uri->host) return true;
$uri = $new_uri; // overwrite
return true; return true;
} }
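Review bot: The guard `if ($uri->host === $new_uri->host) return true;` also fires when both hosts are null, because `null === null` is true in PHP, so with a relative munge target (the `/links/%s` form the test file exercises) any URI that reaches this point without a host would be passed through un-munged rather than rewritten. filter() begins outside this hunk, so an earlier host check may already exclude that case; if it does not, the fail-safe form is `if ($uri->host !== null && $uri->host === $new_uri->host) return true;`. The comparison is also byte-exact, so differently-cased spellings of the same host are still munged unless the parser normalises case — a harmless double munge, but the comment above the check should say which behaviour is intended, e.g. `// exact host match only; scheme, port and case are not considered`.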


@ -112,4 +112,9 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
$this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/0072e2f817fd2844825def74e54443debecf0892'); $this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/0072e2f817fd2844825def74e54443debecf0892');
} }
function testMungeIgnoreSameDomain() {
$this->setMunge('http://example.com/%s');
$this->assertFiltering('http://example.com/foobar');
}
} }
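Review bot: testMungeIgnoreSameDomain pins only the case the new guard is meant to catch; nothing in this file asserts that an absolute munge target still rewrites a link to a different host, and the existing assertion `$this->assertFiltering('http://google.com', '/links/...')` uses a relative target whose parsed host is null, so it cannot exercise the new comparison at all. A companion assertion such as `$this->setMunge('http://example.com/%s'); $this->assertFiltering('http://google.com', 'http://example.com/http%3A%2F%2Fgoogle.com');` would catch the guard ever suppressing munging (expected string inferred from the `%s` substitution shown in the existing test; adjust if makeReplace appends more). Because the filter compares hosts byte-for-byte, an additional case for `http://sub.example.com/foobar` (still munged) would document that subdomains are not treated as the same domain despite the test's name.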