mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-23 00:41:52 +00:00
Add support for file:// URI scheme.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
parent
b6c3f5e89b
commit
ec86598446
2
NEWS
2
NEWS
@ -18,6 +18,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
|||||||
! Add %CSS.ForbiddenProperties configuration directive.
|
! Add %CSS.ForbiddenProperties configuration directive.
|
||||||
! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects
|
! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects
|
||||||
to utilize full-screen mode.
|
to utilize full-screen mode.
|
||||||
|
! Add optional support for the <code>file</code> URI scheme, enable
|
||||||
|
by explicitly setting %URI.AllowedSchemes.
|
||||||
- Fix improper handling of Internet Explorer conditional comments
|
- Fix improper handling of Internet Explorer conditional comments
|
||||||
by parser. Thanks zmonteca for reporting.
|
by parser. Thanks zmonteca for reporting.
|
||||||
- Fix missing attributes bug when running on Mac Snow Leopard and APC.
|
- Fix missing attributes bug when running on Mac Snow Leopard and APC.
|
||||||
|
@ -12,6 +12,6 @@ array (
|
|||||||
--DESCRIPTION--
|
--DESCRIPTION--
|
||||||
Whitelist that defines the schemes that a URI is allowed to have. This
|
Whitelist that defines the schemes that a URI is allowed to have. This
|
||||||
prevents XSS attacks from using pseudo-schemes like javascript or mocha.
|
prevents XSS attacks from using pseudo-schemes like javascript or mocha.
|
||||||
There is also support for the <code>data</code> URI scheme, but it is not
|
There is also support for the <code>data</code> and <code>file</code>
|
||||||
enabled by default.
|
URI schemes, but they are not enabled by default.
|
||||||
--# vim: et sw=4 sts=4
|
--# vim: et sw=4 sts=4
|
||||||
|
26
library/HTMLPurifier/URIScheme/file.php
Normal file
26
library/HTMLPurifier/URIScheme/file.php
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Validates file as defined by RFC 1630 and RFC 1738.
|
||||||
|
*/
|
||||||
|
class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme {
|
||||||
|
|
||||||
|
// Generally file:// URLs are not accessible from most
|
||||||
|
// machines, so placing them as an img src is incorrect.
|
||||||
|
public $browsable = false;
|
||||||
|
|
||||||
|
public function validate(&$uri, $config, $context) {
|
||||||
|
parent::validate($uri, $config, $context);
|
||||||
|
// Authentication method is not supported
|
||||||
|
$uri->userinfo = null;
|
||||||
|
// file:// makes no provisions for accessing the resource
|
||||||
|
$uri->port = null;
|
||||||
|
// While it seems to work on Firefox, the querystring has
|
||||||
|
// no possible effect and is thus stripped.
|
||||||
|
$uri->query = null;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// vim: et sw=4 sts=4
|
5
tests/HTMLPurifier/HTMLT/file-uri.htmlt
Normal file
5
tests/HTMLPurifier/HTMLT/file-uri.htmlt
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
--INI--
|
||||||
|
URI.AllowedSchemes = file
|
||||||
|
--HTML--
|
||||||
|
<a href="file:///foo">foo</a>
|
||||||
|
--# vim: et sw=4 sts=4
|
@ -165,6 +165,13 @@ class HTMLPurifier_URISchemeTest extends HTMLPurifier_URIHarness
|
|||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function test_file_basic() {
|
||||||
|
$this->assertValidation(
|
||||||
|
'file://user@MYCOMPUTER:12/foo/bar?baz#frag',
|
||||||
|
'file://MYCOMPUTER/foo/bar#frag'
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// vim: et sw=4 sts=4
|
// vim: et sw=4 sts=4
|
||||||
|
Loading…
Reference in New Issue
Block a user