mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-01-03 13:21:51 +00:00
Code Releases Activity

[2.1.0] URI scheme is munged off if there is no authority and the scheme is the default one

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1330 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2007-08-01 13:15:33 +00:00
parent b03a44abff
commit b0f3116b9e
3 changed files with 53 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@ -90,6 +90,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
doctype use new %HTML.CustomDoctype doctype use new %HTML.CustomDoctype
. ConfigForm truncates long directives to keep the form small, and does . ConfigForm truncates long directives to keep the form small, and does
not re-output namespaces not re-output namespaces
. URI scheme is munged off if there is no authority and the scheme is the
default one
2.0.0, released 2007-06-20 2.0.0, released 2007-06-20
# Completely refactored HTMLModuleManager, decentralizing safety # Completely refactored HTMLModuleManager, decentralizing safety

9
library/HTMLPurifier/AttrDef/URI.php
View File

@ -134,7 +134,7 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
$matches = array(); $matches = array();
$result = preg_match($r_URI, $uri, $matches); $result = preg_match($r_URI, $uri, $matches);
if (!$result) return false; // invalid URI if (!$result) return false; // *really* invalid URI
// seperate out parts // seperate out parts
$scheme = !empty($matches[1]) ? $matches[2] : null; $scheme = !empty($matches[1]) ? $matches[2] : null;
@ -146,6 +146,7 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
$registry =& HTMLPurifier_URISchemeRegistry::instance(); $registry =& HTMLPurifier_URISchemeRegistry::instance();
$default_scheme = $config->get('URI', 'DefaultScheme');
if ($scheme !== null) { if ($scheme !== null) {
// no need to validate the scheme's fmt since we do that when we // no need to validate the scheme's fmt since we do that when we
// retrieve the specific scheme object from the registry // retrieve the specific scheme object from the registry
@ -154,7 +155,7 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
if (!$scheme_obj) return false; // invalid scheme, clean it out if (!$scheme_obj) return false; // invalid scheme, clean it out
} else { } else {
$scheme_obj = $registry->getScheme( $scheme_obj = $registry->getScheme(
$config->get('URI', 'DefaultScheme'), $config, $context $default_scheme, $config, $context
); );
} }
@ -176,6 +177,8 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
if ($authority !== null) { if ($authority !== null) {
// ridiculously inefficient
// remove URI if it's absolute and we disabled externals or // remove URI if it's absolute and we disabled externals or
// if it's absolute and embedded and we disabled external resources // if it's absolute and embedded and we disabled external resources
unset($our_host); unset($our_host);
@ -259,6 +262,8 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
if($userinfo !== null) $authority .= $userinfo . '@'; if($userinfo !== null) $authority .= $userinfo . '@';
$authority .= $host; $authority .= $host;
if($port !== null) $authority .= ':' . $port; if($port !== null) $authority .= ':' . $port;
} else {
if ($default_scheme == $scheme) $scheme = null; // munge scheme off when unnecessary
} }
// reconstruct the result // reconstruct the result

56
tests/HTMLPurifier/AttrDef/URITest.php
View File

@ -183,12 +183,9 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
); );
} }
// scheme munging (i.e. removal when unnecessary) not implemented
function testParsingPathAbsolute() { // note this is different from path-rootless function testParsingPathAbsolute() { // note this is different from path-rootless
$this->assertParsing( $this->assertParsing(
'http:/this/is/path', 'http:/this/is/path',
// do not munge scheme off
null, null, null, '/this/is/path', null null, null, null, '/this/is/path', null
); );
} }
@ -199,7 +196,6 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
'http:this/is/path', 'http:this/is/path',
null, null, null, 'this/is/path', null null, null, null, 'this/is/path', null
); );
// TODO: scheme should be munged off
} }
function testParsingPathEmpty() { function testParsingPathEmpty() {
@ -207,7 +203,6 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
'http:', 'http:',
null, null, null, '', null null, null, null, '', null
); );
// TODO: scheme should be munged off
} }
function testParsingRelativeURI() { function testParsingRelativeURI() {
@ -229,37 +224,74 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
'', '',
null, null, null, '', null null, null, null, '', null
); );
// TODO: should be returned unharmed
} }
// OUTPUT RELATED TESTS // OUTPUT RELATED TESTS
// scheme is mocked to ensure only the URI is being tested
function assertOutput($expect_uri, $userinfo, $host, $port, $path, $query, $config = null, $context = null) { function assertOutput($input_uri, $expect_uri, $userinfo, $host, $port, $path, $query, $config = null, $context = null) {
// prepare mock machinery // prepare mock machinery
$this->prepareCommon($config, $context); $this->prepareCommon($config, $context);
$scheme =& $this->generateSchemeMock(); $scheme =& $this->generateSchemeMock();
$components = array($userinfo, $host, $port, $path, $query, '*', '*'); $components = array($userinfo, $host, $port, $path, $query);
$scheme->setReturnValue('validateComponents', $components); $scheme->setReturnValue('validateComponents', $components);
// dummy URI is passed as input, MUST NOT HAVE FRAGMENT
$def = new HTMLPurifier_AttrDef_URI(); $def = new HTMLPurifier_AttrDef_URI();
$result_uri = $def->validate('http://example.com/', $config, $context); $result_uri = $def->validate($input_uri, $config, $context);
if ($expect_uri === true) $expect_uri = $input_uri;
$this->assertEqual($result_uri, $expect_uri); $this->assertEqual($result_uri, $expect_uri);
} }
function testOutputRegular() { function testOutputRegular() {
$this->assertOutput( $this->assertOutput(
'http://user@authority.part:8080/now/the/path?query', 'http://user@authority.part:8080/now/the/path?query#frag', true,
'user', 'authority.part', 8080, '/now/the/path', 'query' 'user', 'authority.part', 8080, '/now/the/path', 'query'
); );
} }
function testOutputEmpty() {
$this->assertOutput(
'', true,
null, null, null, '', null
);
}
function testOutputNullPath() {
$this->assertOutput(
'', true,
null, null, null, null, null // usually shouldn't happen
);
}
function testOutputPathAbsolute() {
$this->assertOutput(
'http:/this/is/path', '/this/is/path',
null, null, null, '/this/is/path', null
);
}
function testOutputPathRootless() {
$this->assertOutput(
'http:this/is/path', 'this/is/path',
null, null, null, 'this/is/path', null
);
}
function testOutputPathEmpty() {
$this->assertOutput(
'http:', '',
null, null, null, '', null
);
}
// INTEGRATION TESTS // INTEGRATION TESTS
function testIntegration() { function testIntegration() {
$this->assertDef('http://www.google.com/'); $this->assertDef('http://www.google.com/');
$this->assertDef('http:', '');
$this->assertDef('http:/foo', '/foo');
$this->assertDef('javascript:bad_stuff();', false); $this->assertDef('javascript:bad_stuff();', false);
$this->assertDef('ftp://www.example.com/'); $this->assertDef('ftp://www.example.com/');
$this->assertDef('news:rec.alt'); $this->assertDef('news:rec.alt');
@ -336,7 +368,7 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
} }
function testWhitelist() { function testWhitelist() {
/* /* unimplemented
$this->config->set('URI', 'HostPolicy', 'DenyAll'); $this->config->set('URI', 'HostPolicy', 'DenyAll');
$this->config->set('URI', 'HostWhitelist', array(null, 'google.com')); $this->config->set('URI', 'HostWhitelist', array(null, 'google.com'));