Add support for file:// URI scheme.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2024-09-18 18:25:18 +00:00 · 2010-09-09 00:01:26 -04:00 · 2010-09-09 00:01:26 -04:00 · ec86598446
commit ec86598446
parent b6c3f5e89b
5 changed files with 42 additions and 2 deletions
--- a/2
+++ b/2
@ -18,6 +18,8 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 ! Add %CSS.ForbiddenProperties configuration directive.
 ! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects
  to utilize full-screen mode.
+! Add optional support for the <code>file</code> URI scheme, enable
+  by explicitly setting %URI.AllowedSchemes.
 - Fix improper handling of Internet Explorer conditional comments
  by parser.  Thanks zmonteca for reporting.
 - Fix missing attributes bug when running on Mac Snow Leopard and APC.
--- a/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
@ -12,6 +12,6 @@ array (
 --DESCRIPTION--
 Whitelist that defines the schemes that a URI is allowed to have.  This
 prevents XSS attacks from using pseudo-schemes like javascript or mocha.
-There is also support for the <code>data</code> URI scheme, but it is not
-enabled by default.
+There is also support for the <code>data</code> and <code>file</code>
+URI schemes, but they are not enabled by default.
 --# vim: et sw=4 sts=4
--- a/library/HTMLPurifier/URIScheme/file.php
+++ b/library/HTMLPurifier/URIScheme/file.php
@ -0,0 +1,26 @@
+<?php
+
+/**
+ * Validates file as defined by RFC 1630 and RFC 1738.
+ */
+class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme {
+
+    // Generally file:// URLs are not accessible from most
+    // machines, so placing them as an img src is incorrect.
+    public $browsable = false;
+
+    public function validate(&$uri, $config, $context) {
+        parent::validate($uri, $config, $context);
+        // Authentication method is not supported
+        $uri->userinfo = null;
+        // file:// makes no provisions for accessing the resource
+        $uri->port     = null;
+        // While it seems to work on Firefox, the querystring has
+        // no possible effect and is thus stripped.
+        $uri->query    = null;
+        return true;
+    }
+
+}
+
+// vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/HTMLT/file-uri.htmlt
+++ b/tests/HTMLPurifier/HTMLT/file-uri.htmlt
@ -0,0 +1,5 @@
+--INI--
+URI.AllowedSchemes = file
+--HTML--
+<a href="file:///foo">foo</a>
+--# vim: et sw=4 sts=4
--- a/tests/HTMLPurifier/URISchemeTest.php
+++ b/tests/HTMLPurifier/URISchemeTest.php
@ -165,6 +165,13 @@ class HTMLPurifier_URISchemeTest extends HTMLPurifier_URIHarness
        );
    }

+    function test_file_basic() {
+        $this->assertValidation(
+            'file://user@MYCOMPUTER:12/foo/bar?baz#frag',
+            'file://MYCOMPUTER/foo/bar#frag'
+        );
+    }
+
 }

 // vim: et sw=4 sts=4