0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 16:31:53 +00:00

URI.Munge munges https to http URIs.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
Edward Z. Yang 2011-04-10 13:09:24 +01:00
parent f51a6f7de9
commit bcfbb8338c
5 changed files with 35 additions and 2 deletions

2
NEWS
View File

@ -10,6 +10,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
========================== ==========================
4.3.1, unknown release date 4.3.1, unknown release date
# URI.Munge now munges URIs inside the same host that go from https
to http. Reported by Neike Taika-Tessaro.
- Color keywords are now case insensitive. Thanks Yzmir Ramirez - Color keywords are now case insensitive. Thanks Yzmir Ramirez
<yramirez-htmlpurifier@adicio.com> for reporting. <yramirez-htmlpurifier@adicio.com> for reporting.

View File

@ -23,10 +23,17 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
if (is_null($uri->host) || empty($scheme_obj->browsable)) { if (is_null($uri->host) || empty($scheme_obj->browsable)) {
return true; return true;
} }
$uri_definition = $config->getDefinition('URI');
// don't redirect if target host is our host // don't redirect if target host is our host
if ($uri->host === $config->getDefinition('URI')->host) { if ($uri->host === $uri_definition->host) {
// but do redirect if we're currently on a secure scheme,
// and the target scheme is insecure
$current_scheme_obj = HTMLPurifier_URISchemeRegistry::instance()->getScheme($uri_definition->defaultScheme, $config, $context);
if ($scheme_obj->secure || !$current_scheme_obj->secure) {
return true; return true;
} }
// target scheme was not secure, but we were secure
}
$this->makeReplace($uri, $config, $context); $this->makeReplace($uri, $config, $context);
$this->replace = array_map('rawurlencode', $this->replace); $this->replace = array_map('rawurlencode', $this->replace);

View File

@ -19,6 +19,12 @@ abstract class HTMLPurifier_URIScheme
*/ */
public $browsable = false; public $browsable = false;
/**
* Whether or not data transmitted over this scheme is encrypted.
* https is secure, http is not.
*/
public $secure = false;
/** /**
* Whether or not the URI always uses <hier_part>, resolves edge cases * Whether or not the URI always uses <hier_part>, resolves edge cases
* with making relative URIs absolute * with making relative URIs absolute

View File

@ -6,6 +6,7 @@
class HTMLPurifier_URIScheme_https extends HTMLPurifier_URIScheme_http { class HTMLPurifier_URIScheme_https extends HTMLPurifier_URIScheme_http {
public $default_port = 443; public $default_port = 443;
public $secure = true;
} }

View File

@ -117,6 +117,23 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
$this->assertFiltering('http://example.com/foobar'); $this->assertFiltering('http://example.com/foobar');
} }
function testMungeIgnoreSameDomainInsecureToSecure() {
$this->setMunge('http://example.com/%s');
$this->assertFiltering('https://example.com/foobar');
}
function testMungeIgnoreSameDomainSecureToSecure() {
$this->config->set('URI.Base', 'https://example.com');
$this->setMunge('http://example.com/%s');
$this->assertFiltering('https://example.com/foobar');
}
function testMungeSameDomainSecureToInsecure() {
$this->config->set('URI.Base', 'https://example.com');
$this->setMunge('/%s');
$this->assertFiltering('http://example.com/foobar', '/http%3A%2F%2Fexample.com%2Ffoobar');
}
function testMungeIgnoresSourceHost() { function testMungeIgnoresSourceHost() {
$this->config->set('URI.Host', 'foo.example.com'); $this->config->set('URI.Host', 'foo.example.com');
$this->setMunge('http://example.com/%s'); $this->setMunge('http://example.com/%s');