Add double-munging protection by checking if the domains are the same.
Previously, if an absolute munge URL location was used, HTML passed through HTML Purifier multiple times would be munged multiple times. This patch checks if the output URI has the same URI as the input URI; if they do, the munge is considered unnecessary and discarded. Requested-by: Chris <justbittin@gmail.com> Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
parent
3b6aa10592
commit
85090520f1
2
NEWS
2
NEWS
@ -33,6 +33,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||||||
- Redirected stderr to stdout for flush error output.
|
- Redirected stderr to stdout for flush error output.
|
||||||
- %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
|
- %URI.DisableExternal will now use the host in %URI.Base if %URI.Host is not
|
||||||
available.
|
available.
|
||||||
|
- Do not re-munge URL if the output URL has the same host as the input URL.
|
||||||
|
Requested by Chris.
|
||||||
. Strategy_MakeWellFormed now operates in-place, saving memory and allowing
|
. Strategy_MakeWellFormed now operates in-place, saving memory and allowing
|
||||||
for more interesting filter-backtracking
|
for more interesting filter-backtracking
|
||||||
. New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
|
. New HTMLPurifier_Injector->rewind() functionality, allows injectors to rewind
|
||||||
|
@ -28,7 +28,11 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
|
|||||||
$this->replace = array_map('rawurlencode', $this->replace);
|
$this->replace = array_map('rawurlencode', $this->replace);
|
||||||
|
|
||||||
$new_uri = strtr($this->target, $this->replace);
|
$new_uri = strtr($this->target, $this->replace);
|
||||||
$uri = $this->parser->parse($new_uri); // overwrite
|
$new_uri = $this->parser->parse($new_uri);
|
||||||
|
// don't redirect if the target host is the same as the
|
||||||
|
// starting host
|
||||||
|
if ($uri->host === $new_uri->host) return true;
|
||||||
|
$uri = $new_uri; // overwrite
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
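Review bot: The same-host guard `if ($uri->host === $new_uri->host) return true;` also fires when both hosts are null, so a host-less (relative) input URI combined with a relative munge target such as the `/links/%s` form used by the existing test would skip the munge entirely; filter() starts outside this hunk, so an earlier early-return may already cover that case — if not, the guard should be `if ($uri->host !== null && $uri->host === $new_uri->host) return true;`. The comparison also ignores scheme and port, so an `https://` input and an `http://` munge target on the same host are treated as identical; if that is intended, the comment should say so, e.g. `// skip the munge when the target host matches the input host (scheme and port are not compared)`. Hosts are compared byte-for-byte here; whether the parser lower-cases them is not visible in this hunk and worth confirming so that a differently-cased host does not bypass the check.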
@ -112,4 +112,9 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
|
|||||||
$this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/0072e2f817fd2844825def74e54443debecf0892');
|
$this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/0072e2f817fd2844825def74e54443debecf0892');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function testMungeIgnoreSameDomain() {
|
||||||
|
$this->setMunge('http://example.com/%s');
|
||||||
|
$this->assertFiltering('http://example.com/foobar');
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
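Review bot: testMungeIgnoreSameDomain only checks the skip path of the new guard; there is no assertion that a different host is still munged once an absolute target is configured, so an over-broad guard (one that always returns early) would pass this test. Add a negative case next to it, e.g. `$this->setMunge('http://example.com/%s'); $this->assertFiltering('http://google.com', 'http://example.com/http%3A%2F%2Fgoogle.com');`, with the expected value adjusted to whatever `%s` actually expands to (the existing assertion at the top of this hunk suggests a raw-url-encoded URI). A case with a host-less input URI and the relative `/links/%s` target would also pin down that the null-equals-null comparison in the filter does not silently disable munging.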