Initial implementation of URISchemeRegistry (fixed overload bug in process). Also, add extra notes to some of the unit tests.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@210 48356398-32a2-884e-a903-53898d9a118a
2024-09-19 18:55:19 +00:00 · 2006-08-12 03:56:27 +00:00 · 2006-08-12 03:56:27 +00:00 · c2ec56b872
commit c2ec56b872
parent 4ab6cab15c
8 changed files with 80 additions and 3 deletions
--- a/library/HTMLPurifier/ConfigDef.php
+++ b/library/HTMLPurifier/ConfigDef.php
@ -29,6 +29,7 @@ class HTMLPurifier_ConfigDef {
            return;
        }
        if (isset($def->info[$namespace][$name])) {
+            // this behavior is at risk of change
            trigger_error('Cannot redefine directive', E_USER_ERROR);
            return;
        }
--- a/library/HTMLPurifier/URIScheme.php
+++ b/library/HTMLPurifier/URIScheme.php
@ -3,7 +3,7 @@
 class HTMLPurifier_URIScheme
 {
    
-    function validateComponents() {
+    function validateComponents($authority, $path, $query, $fragment) {
        
    }
    
--- a/library/HTMLPurifier/URIScheme/http.php
+++ b/library/HTMLPurifier/URIScheme/http.php
@ -0,0 +1,13 @@
+<?php
+
+require_once 'HTMLPurifier/URIScheme.php';
+
+class HTMLPurifier_URIScheme_http extends HTMLPurifier_URIScheme {
+    
+    function validateComponents($authority, $path, $query, $fragment) {
+        
+    }
+    
+}
+
+?>
--- a/library/HTMLPurifier/URISchemeRegistry.php
+++ b/library/HTMLPurifier/URISchemeRegistry.php
@ -1,5 +1,21 @@
 <?php

+HTMLPurifier_ConfigDef::define(
+    'URI', 'AllowedSchemes', array(
+        'http'  => true, // "Hypertext Transfer Protocol", nuf' said
+        'https' => true, // HTTP over SSL (Secure Socket Layer)
+        // quite useful, but not necessary
+        'mailto' => true,// Email
+        'ftp'   => true, // "File Transfer Protocol"
+        'irc'   => true, // "Internet Relay Chat", usually needs another app
+        // for Usenet, these two are similar, but distinct
+        'nntp'  => true, // individual Netnews articles
+        'news'  => true  // newsgroup or individual Netnews articles),
+    ),
+    'Whitelist that defines the schemes that a URI is allowed to have.  This '.
+    'prevents XSS attacks from using pseudo-schemes like javascript or mocha.'
+);
+
 class HTMLPurifier_URISchemeRegistry
 {
    
@ -16,7 +32,25 @@ class HTMLPurifier_URISchemeRegistry
        return $instance;
    }
    
-    function &getScheme($scheme) {}
+    var $schemes = array();
+    var $_scheme_dir = null;
+    
+    function &getScheme($scheme, $config = null) {
+        if (!$config) $config = HTMLPurifier_Config::createDefault();
+        $null = null; // for the sake of passing by reference
+        if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
+        if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
+        
+        // important, otherwise attacker could include arbitrary file
+        $allowed_schemes = $config->get('URI', 'AllowedSchemes');
+        if (!isset($allowed_schemes[$scheme])) return $null;
+        
+        @include_once $this->_dir . $scheme . '.php';
+        $class = 'HTMLPurifier_URIScheme_' . $scheme;
+        if (!class_exists($class)) return $null;
+        $this->schemes[$scheme] = new $class();
+        return $this->schemes[$scheme];
+    }
    
 }

--- a/tests/HTMLPurifier/AttrDef/URITest.php
+++ b/tests/HTMLPurifier/AttrDef/URITest.php
@ -5,7 +5,7 @@ require_once 'HTMLPurifier/AttrDef/URI.php';

 // WARNING: INCOMPLETE UNIT TESTS!
 // we are currently abstaining IPv6 and percent-encode fixing unit tests
-// as well as recomposition tests
+// we also need to test all the configuration directives defined by this class

 class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
 {
@ -15,6 +15,8 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
        generate_mock_once('HTMLPurifier_URIScheme');
        generate_mock_once('HTMLPurifier_URISchemeRegistry');
        
+        $old_registry = HTMLPurifier_URISchemeRegistry::instance();
+        
        // finally, lets get a copy of the actual class
        $def = new HTMLPurifier_AttrDef_URI();
        
@ -186,6 +188,9 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
            
        }
        
+        // reset to regular implementation
+        HTMLPurifier_URISchemeRegistry::instance($old_registry);
+        
    }
    
 }
--- a/tests/HTMLPurifier/ConfigDefTest.php
+++ b/tests/HTMLPurifier/ConfigDefTest.php
@ -50,6 +50,9 @@ class HTMLPurifier_ConfigDefTest extends UnitTestCase
        $this->swallowErrors();
        
        // test overloading already defined value
+        // ACTUALLY, we probably should allow this behavior, which simply
+        // means that two class files need that directive. Using debug_backtrace
+        // we could probably figure which files those are too! :-D
        HTMLPurifier_ConfigDef::define('Core', 'Name', 89,
            'What, you\'re not allowed to overload directives? Bummer!');
        $this->assertError('Cannot redefine directive');
--- a/tests/HTMLPurifier/URISchemeRegistryTest.php
+++ b/tests/HTMLPurifier/URISchemeRegistryTest.php
@ -0,0 +1,20 @@
+<?php
+
+require_once 'HTMLPurifier/URISchemeRegistry.php';
+
+class HTMLPurifier_URISchemeRegistryTest extends UnitTestCase
+{
+    
+    function test() {
+        
+        $registry =& HTMLPurifier_URISchemeRegistry::instance();
+        $this->assertIsA($registry->getScheme('http'), 'HTMLPurifier_URIScheme_http');
+        
+        // to come: overloading and custom schemes, as well as changing the
+        // configuration values used by this class
+        
+    }
+    
+}
+
+?>
--- a/tests/index.php
+++ b/tests/index.php
@ -67,6 +67,7 @@ $test_files[] = 'IDAccumulatorTest.php';
 $test_files[] = 'TagTransformTest.php';
 $test_files[] = 'AttrTransform/LangTest.php';
 $test_files[] = 'AttrTransform/TextAlignTest.php';
+$test_files[] = 'URISchemeRegistryTest.php';

 $test_file_lookup = array_flip($test_files);