URI.Munge munges https to http URIs.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
parent
f51a6f7de9
commit
bcfbb8338c
2
NEWS
2
NEWS
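--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 ==========================
 
 4.3.1, unknown release date
+# URI.Munge now munges URIs inside the same host that go from https
+to http. Reported by Neike Taika-Tessaro.
 - Color keywords are now case insensitive. Thanks Yzmir Ramirez
 <yramirez-htmlpurifier@adicio.com> for reporting.
 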
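--- a/PATH_NOT_ON_PAGE(HTMLPurifier_URIFilter_Munge)
+++ b/PATH_NOT_ON_PAGE(HTMLPurifier_URIFilter_Munge)
@@ -23,9 +23,16 @@ class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
 if (is_null($uri->host) || empty($scheme_obj->browsable)) {
 return true;
 }
+$uri_definition = $config->getDefinition('URI');
 // don't redirect if target host is our host
-if ($uri->host === $config->getDefinition('URI')->host) {
-return true;
+if ($uri->host === $uri_definition->host) {
+// but do redirect if we're currently on a secure scheme,
+// and the target scheme is insecure
+$current_scheme_obj = HTMLPurifier_URISchemeRegistry::instance()->getScheme($uri_definition->defaultScheme, $config, $context);
+if ($scheme_obj->secure || !$current_scheme_obj->secure) {
+return true;
+}
+// target scheme was not secure, but we were secure
 }
 
 $this->makeReplace($uri, $config, $context);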
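Review bot: `$current_scheme_obj->secure` is read without checking that `getScheme()` actually returned a scheme object; the pre-existing `empty($scheme_obj->browsable)` guard a few lines up suggests the registry can hand back null for an unregistered scheme, and if that happens here the new condition emits a property-on-null warning and then falls through to `return true`, so the downgrade munge is silently skipped. Making that fail-safe outcome explicit and warning-free is a one-line change: `if (!empty($scheme_obj->secure) || empty($current_scheme_obj->secure)) {`. The `getScheme(...)` call line is also well past the file's usual width and would read better split after the `->`. The enclosing filter method starts before this hunk and continues after it.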
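--- a/PATH_NOT_ON_PAGE(HTMLPurifier_URIScheme)
+++ b/PATH_NOT_ON_PAGE(HTMLPurifier_URIScheme)
@@ -19,6 +19,12 @@ abstract class HTMLPurifier_URIScheme
 */
 public $browsable = false;
 
+/**
+* Whether or not data transmitted over this scheme is encrypted.
+* https is secure, http is not.
+*/
+public $secure = false;
+
 /**
 * Whether or not the URI always uses <hier_part>, resolves edge cases
 * with making relative URIs absolute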
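Review bot: The docblock on the new `$secure` property says what the flag means but not what depends on it; URI.Munge in this same commit compares this flag on the link's target scheme against the one on the definition's default scheme to decide whether a same-host link is munged, so a scheme subclass that leaves it at the `false` default will have same-host links to it treated as a downgrade from a secure page (and, if it is itself the default scheme, downgrade munging will presumably never fire). Add a line below the existing description such as ` * Consulted by HTMLPurifier_URIFilter_Munge: a same-host link from a secure default scheme to an insecure target scheme is munged.` The abstract class continues outside the hunk.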
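--- a/PATH_NOT_ON_PAGE(HTMLPurifier_URIScheme_https)
+++ b/PATH_NOT_ON_PAGE(HTMLPurifier_URIScheme_https)
@@ -6,6 +6,7 @@
 class HTMLPurifier_URIScheme_https extends HTMLPurifier_URIScheme_http {
 
 public $default_port = 443;
+public $secure = true;
 
 }
 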
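--- a/PATH_NOT_ON_PAGE(HTMLPurifier_URIFilter_MungeTest)
+++ b/PATH_NOT_ON_PAGE(HTMLPurifier_URIFilter_MungeTest)
@@ -117,6 +117,23 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
 $this->assertFiltering('http://example.com/foobar');
 }
 
+function testMungeIgnoreSameDomainInsecureToSecure() {
+$this->setMunge('http://example.com/%s');
+$this->assertFiltering('https://example.com/foobar');
+}
+
+function testMungeIgnoreSameDomainSecureToSecure() {
+$this->config->set('URI.Base', 'https://example.com');
+$this->setMunge('http://example.com/%s');
+$this->assertFiltering('https://example.com/foobar');
+}
+
+function testMungeSameDomainSecureToInsecure() {
+$this->config->set('URI.Base', 'https://example.com');
+$this->setMunge('/%s');
+$this->assertFiltering('http://example.com/foobar', '/http%3A%2F%2Fexample.com%2Ffoobar');
+}
+
 function testMungeIgnoresSourceHost() {
 $this->config->set('URI.Host', 'foo.example.com');
 $this->setMunge('http://example.com/%s');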
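Review bot: The three new tests carry no explanation of the page-scheme/link-scheme matrix they pin, and the direction encoded in a name like `testMungeIgnoreSameDomainInsecureToSecure` is easy to misread; a one-line comment above each would fix that, e.g. `// same host, http page -> https link: left alone`, `// same host, https page -> https link: left alone`, `// same host, https page -> http link: munged (downgrade)`. The first of the three never sets `URI.Base`, so its "same domain" outcome presumably relies on a default host configured by the harness — worth stating in that comment so the dependence is visible. The test class continues outside the hunk.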