0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-01-08 23:11:52 +00:00

Add support for file:// URI scheme.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
Edward Z. Yang 2010-09-09 00:01:26 -04:00
parent b6c3f5e89b
commit ec86598446
5 changed files with 42 additions and 2 deletions

2
NEWS
View File

@ -18,6 +18,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
! Add %CSS.ForbiddenProperties configuration directive. ! Add %CSS.ForbiddenProperties configuration directive.
! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects ! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects
to utilize full-screen mode. to utilize full-screen mode.
! Add optional support for the <code>file</code> URI scheme, enable
by explicitly setting %URI.AllowedSchemes.
- Fix improper handling of Internet Explorer conditional comments - Fix improper handling of Internet Explorer conditional comments
by parser. Thanks zmonteca for reporting. by parser. Thanks zmonteca for reporting.
- Fix missing attributes bug when running on Mac Snow Leopard and APC. - Fix missing attributes bug when running on Mac Snow Leopard and APC.

View File

@ -12,6 +12,6 @@ array (
--DESCRIPTION-- --DESCRIPTION--
Whitelist that defines the schemes that a URI is allowed to have. This Whitelist that defines the schemes that a URI is allowed to have. This
prevents XSS attacks from using pseudo-schemes like javascript or mocha. prevents XSS attacks from using pseudo-schemes like javascript or mocha.
There is also support for the <code>data</code> URI scheme, but it is not There is also support for the <code>data</code> and <code>file</code>
enabled by default. URI schemes, but they are not enabled by default.
--# vim: et sw=4 sts=4 --# vim: et sw=4 sts=4

View File

@ -0,0 +1,26 @@
<?php
/**
* Validates file as defined by RFC 1630 and RFC 1738.
*/
class HTMLPurifier_URIScheme_file extends HTMLPurifier_URIScheme {
// Generally file:// URLs are not accessible from most
// machines, so placing them as an img src is incorrect.
public $browsable = false;
public function validate(&$uri, $config, $context) {
parent::validate($uri, $config, $context);
// Authentication method is not supported
$uri->userinfo = null;
// file:// makes no provisions for accessing the resource
$uri->port = null;
// While it seems to work on Firefox, the querystring has
// no possible effect and is thus stripped.
$uri->query = null;
return true;
}
}
// vim: et sw=4 sts=4

View File

@ -0,0 +1,5 @@
--INI--
URI.AllowedSchemes = file
--HTML--
<a href="file:///foo">foo</a>
--# vim: et sw=4 sts=4

View File

@ -165,6 +165,13 @@ class HTMLPurifier_URISchemeTest extends HTMLPurifier_URIHarness
); );
} }
function test_file_basic() {
$this->assertValidation(
'file://user@MYCOMPUTER:12/foo/bar?baz#frag',
'file://MYCOMPUTER/foo/bar#frag'
);
}
} }
// vim: et sw=4 sts=4 // vim: et sw=4 sts=4