0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-23 17:01:51 +00:00
Commit Graph

43 Commits

Author SHA1 Message Date
Edward Z. Yang
e76f4b45d0 Dramatically rewrite null host URI handling.
Basically, browsers don't parse what should be valid URIs correctly, so
we have to go through some backbends to accomodate them.  Specifically,
for browseable URIs, the following URIs have unintended behavior:

    - ///example.com
    - http:/example.com
    - http:///example.com

Furthermore, if the path begins with //, modifying these URLs must
be done with care, as if you remove the host-name component, the
parse tree changes.

I've modified the engine to follow correct URI semantics as much
as possible while outputting browser compatible code, and invalidate
the URI in cases where we can't deal.  There has been a refactoring
of URIScheme so that this important check is always performed,
introducing a new member variable allow_empty_host which is true
on data, file, mailto and news schemes.

This also fixes bypass bugs on URI.Munge.

Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-01-25 18:56:46 +00:00
Edward Z. Yang
86ca784da3 Convert all to new configuration get/set format.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2009-02-21 03:00:34 -05:00
Edward Z. Yang
12b811d749 Add vim modelines to all files.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2008-12-06 04:24:59 -05:00
Edward Z. Yang
2c955af135 Remove trailing whitespace.
Signed-off-by: Edward Z. Yang <edwardzyang@thewritingpot.com>
2008-12-06 02:28:20 -05:00
Edward Z. Yang
32025a12e1 [3.1.1] Allow injectors to be specified by modules.
- Make method for URI implemented
- Split out checkNeeded in Injector from prepare

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1779 48356398-32a2-884e-a903-53898d9a118a
2008-06-09 01:23:05 +00:00
Edward Z. Yang
322288e6c0 [3.1.1] Implement %URI.SecureMunge and %URI.SecureMungeSecretKey, thanks Chris!
- URIFilter->prepare can return false in order to abort loading of the filter
- Implemented post URI filtering. Set member variable $post to true to set a URIFilter as such.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1772 48356398-32a2-884e-a903-53898d9a118a
2008-05-26 16:26:47 +00:00
Edward Z. Yang
cb5d5d0648 [3.1.0] Revamp URI handling of percent encoding and validation.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1709 48356398-32a2-884e-a903-53898d9a118a
2008-05-14 02:19:00 +00:00
Edward Z. Yang
eaabccdd9b [3.1.0] More PHP4->PHP5 conversions, notably reference removal of most methods that return objects
- Removed HTMLPurifier_Error
- Documentation updates
- Removed more copy() methods in favor of clone
- HTMLPurifier::getInstance() to HTMLPurifier::instance()
- Fix InterchangeBuilder to use HTMLPURIFIER_PREFIX

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1689 48356398-32a2-884e-a903-53898d9a118a
2008-04-23 02:40:17 +00:00
Edward Z. Yang
fbc595ebed Remove includes from unit tests.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1569 48356398-32a2-884e-a903-53898d9a118a
2008-02-18 04:41:42 +00:00
Edward Z. Yang
22ef52a7f6 [2.1.0] Migrate host blacklist functionality to URIFilter.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1336 48356398-32a2-884e-a903-53898d9a118a
2007-08-02 01:41:37 +00:00
Edward Z. Yang
4919187fc6 [2.1.0] Further refactoring of AttrDef_URI, creation of new URIFilter and URIDefinition subsystems.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1335 48356398-32a2-884e-a903-53898d9a118a
2007-08-02 01:12:27 +00:00
Edward Z. Yang
797b899305 [2.1.0] Create new URI object and migrate URI validation systems to use it. URIScheme interface changed.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1334 48356398-32a2-884e-a903-53898d9a118a
2007-08-01 18:34:46 +00:00
Edward Z. Yang
8c9dbe142d [2.1.0] Refactor AttrDef_URI: removed URIParser functionality
- Genericized flush-definition-cache script

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1333 48356398-32a2-884e-a903-53898d9a118a
2007-08-01 14:55:09 +00:00
Edward Z. Yang
2a002857ce [2.1.0] All unit tests inherit from HTMLPurifier_Harness, not UnitTestCase. prepareCommon() refactored to global test-case.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1332 48356398-32a2-884e-a903-53898d9a118a
2007-08-01 14:06:59 +00:00
Edward Z. Yang
b0f3116b9e [2.1.0] URI scheme is munged off if there is no authority and the scheme is the default one
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1330 48356398-32a2-884e-a903-53898d9a118a
2007-08-01 13:15:33 +00:00
Edward Z. Yang
b03a44abff Remove expectations from assertOutput in URITest.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1329 48356398-32a2-884e-a903-53898d9a118a
2007-08-01 02:19:43 +00:00
Edward Z. Yang
cf257cabde [2.1.0]
- AttrDef_URI unit tests refactored
- Block access to benchmarks: they should be called via command line

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1328 48356398-32a2-884e-a903-53898d9a118a
2007-08-01 01:48:51 +00:00
Edward Z. Yang
e99520ab96 Remove trailing ?> in PHP library files, add trailing newlines to all other files.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1253 48356398-32a2-884e-a903-53898d9a118a
2007-06-27 13:58:32 +00:00
Edward Z. Yang
ae90bb919d Remove unnecessary $this parameters from mock instantiation; SimpleTest doesn't use it!
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1243 48356398-32a2-884e-a903-53898d9a118a
2007-06-26 15:40:04 +00:00
Edward Z. Yang
e180b7689e [1.7.0] Implement HTMLDefinition cache (very hacked together, but long unit test times were driving me crazy!)
- Add extra protection in AttrDef_URI against phantom Schemes
- Doctype moved from config to HTMLDefinition
- AttrDef_URITest mocks have more generic object parameters to deal with PHP4's copy-happy behavior

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1089 48356398-32a2-884e-a903-53898d9a118a
2007-05-23 03:27:36 +00:00
Edward Z. Yang
9728be4a52 [1.7.0] Configuration object now finalizes itself after first read operation
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1075 48356398-32a2-884e-a903-53898d9a118a
2007-05-20 18:06:51 +00:00
Edward Z. Yang
61f852d429 Merge in PHP5 strict changes that are applicable to PHP4.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@650 48356398-32a2-884e-a903-53898d9a118a
2007-01-16 22:22:08 +00:00
Edward Z. Yang
4bdc0446de [1.3.0] New directive %URI.HostBlacklist for blocking links to bad hosts. xssAttacks.php smoketest updated accordingly.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@586 48356398-32a2-884e-a903-53898d9a118a
2006-11-26 23:14:12 +00:00
Edward Z. Yang
775763c583 [1.3.0] New directive %URI.Munge, munges URI so you can use some sort of redirector service to avoid PageRank leaks or warn users that they are exiting your site.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@576 48356398-32a2-884e-a903-53898d9a118a
2006-11-24 00:29:16 +00:00
Edward Z. Yang
49cb2a4a7c [1.3.0] More control of URIs granted
# Invalid images are now removed, rather than replaced with a dud <img src="" alt="Invalid image" />. Previous behavior can be restored with new directive %Core.RemoveInvalidImg set to false.
! New directives %URI.DisableExternalResources and %URI.DisableResources
! New directive %Attr.DisableURI, which eliminates all hyperlinking
- Missing "Available since" documentation added

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@575 48356398-32a2-884e-a903-53898d9a118a
2006-11-23 23:59:20 +00:00
Edward Z. Yang
82afd890c4 [1.2.0] Non-accessible resources (ex. mailto) blocked from embedded URIs (img src)
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@528 48356398-32a2-884e-a903-53898d9a118a
2006-11-17 23:09:10 +00:00
Edward Z. Yang
f38fe431ed [1.2.0]
- Added %URI.DisableExternal, which prevents links to external websites. You can also use %URI.Host to permit absolute linking to subdomains
- Fixed a few bugs involving null configuration values

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@522 48356398-32a2-884e-a903-53898d9a118a
2006-11-12 03:35:41 +00:00
Edward Z. Yang
ad934540da [1.2.0] Merge two comment strings.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@520 48356398-32a2-884e-a903-53898d9a118a
2006-11-12 02:01:39 +00:00
Edward Z. Yang
504203c0f3 [1.2.0] Added percent encoding normalization
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@509 48356398-32a2-884e-a903-53898d9a118a
2006-11-07 17:15:28 +00:00
Edward Z. Yang
74ba9b8629 [1.2.0] Add context parameter to URIScheme and URISchemeRegistry classes.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@500 48356398-32a2-884e-a903-53898d9a118a
2006-10-27 01:20:10 +00:00
Edward Z. Yang
7d2fe4c5d7 [1.2.0]
- Factor out Config and Context object population through arrays
- Bring dependent assertions together in IDTest.php
- AttrDefHarness.php now resets context and configuration between tests
- Add missing reference operator in AttrDef/ID.php

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@494 48356398-32a2-884e-a903-53898d9a118a
2006-10-21 18:18:36 +00:00
Edward Z. Yang
b99573223d [1.1.0] Made URI validator more forgiving: will ignore leading and trailing quotes, apostrophes and less than or greater than signs.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@380 48356398-32a2-884e-a903-53898d9a118a
2006-09-04 02:31:27 +00:00
Edward Z. Yang
1cadb08fbb Commit IPv6 fix, with majoring factoring out. Thank you Feyd!
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@284 48356398-32a2-884e-a903-53898d9a118a
2006-08-17 01:05:35 +00:00
Edward Z. Yang
218eb67167 Remove legacy required code from AttrDef_URI, also explicitly disallow < and > in URIs.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@253 48356398-32a2-884e-a903-53898d9a118a
2006-08-14 21:06:57 +00:00
Edward Z. Yang
4193fd018a Commit a very lenient mailto checker. We'll tighten it later.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@219 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 19:11:21 +00:00
Edward Z. Yang
d28bad648a Implement URIScheme and subclasses except for mailto. Remove fragment from components, as it is scheme independent.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@218 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 18:58:54 +00:00
Edward Z. Yang
6c3d364213 Augment URISchemeRegistry with the ability to overload/register your own schemes.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@215 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 17:06:14 +00:00
Edward Z. Yang
10ea44932a Revamp URITest to use the harness.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@214 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 16:32:57 +00:00
Edward Z. Yang
ebe01a0a24 Fix a few errors that came with API change. I really should run the unit tests before committing.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@213 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 16:12:16 +00:00
Edward Z. Yang
77f2833f36 Fix PHP 4 problems with references.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@211 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 04:07:06 +00:00
Edward Z. Yang
c2ec56b872 Initial implementation of URISchemeRegistry (fixed overload bug in process). Also, add extra notes to some of the unit tests.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@210 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 03:56:27 +00:00
Edward Z. Yang
4ab6cab15c Finish bare-bones implementation of URI. This will suffice for now.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@209 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 03:35:05 +00:00
Edward Z. Yang
4b097ef493 Commit initial URI unit tests and implementation. They're not complete yet though.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@206 48356398-32a2-884e-a903-53898d9a118a
2006-08-12 01:12:35 +00:00