mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-11-09 23:28:42 +00:00
fac747bdbd
With minor corrections. Signed-off-by: Marcus Bointon <marcus@synchromedia.co.uk> Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
103 lines
3.4 KiB
PHP
103 lines
3.4 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Validator for the components of a URI for a specific scheme
|
|
*/
|
|
abstract class HTMLPurifier_URIScheme
|
|
{
|
|
|
|
/**
|
|
* Scheme's default port (integer). If an explicit port number is
|
|
* specified that coincides with the default port, it will be
|
|
* elided.
|
|
* @type int
|
|
*/
|
|
public $default_port = null;
|
|
|
|
/**
|
|
* Whether or not URIs of this scheme are locatable by a browser
|
|
* http and ftp are accessible, while mailto and news are not.
|
|
* @type bool
|
|
*/
|
|
public $browsable = false;
|
|
|
|
/**
|
|
* Whether or not data transmitted over this scheme is encrypted.
|
|
* https is secure, http is not.
|
|
* @type bool
|
|
*/
|
|
public $secure = false;
|
|
|
|
/**
|
|
* Whether or not the URI always uses <hier_part>, resolves edge cases
|
|
* with making relative URIs absolute
|
|
* @type bool
|
|
*/
|
|
public $hierarchical = false;
|
|
|
|
/**
|
|
* Whether or not the URI may omit a hostname when the scheme is
|
|
* explicitly specified, ala file:///path/to/file. As of writing,
|
|
* 'file' is the only scheme that browsers support his properly.
|
|
* @type bool
|
|
*/
|
|
public $may_omit_host = false;
|
|
|
|
/**
|
|
* Validates the components of a URI for a specific scheme.
|
|
* @param HTMLPurifier_URI $uri Reference to a HTMLPurifier_URI object
|
|
* @param HTMLPurifier_Config $config
|
|
* @param HTMLPurifier_Context $context
|
|
* @return bool success or failure
|
|
*/
|
|
abstract public function doValidate(&$uri, $config, $context);
|
|
|
|
/**
|
|
* Public interface for validating components of a URI. Performs a
|
|
* bunch of default actions. Don't overload this method.
|
|
* @param HTMLPurifier_URI $uri Reference to a HTMLPurifier_URI object
|
|
* @param HTMLPurifier_Config $config
|
|
* @param HTMLPurifier_Context $context
|
|
* @return bool success or failure
|
|
*/
|
|
public function validate(&$uri, $config, $context)
|
|
{
|
|
if ($this->default_port == $uri->port) {
|
|
$uri->port = null;
|
|
}
|
|
// kludge: browsers do funny things when the scheme but not the
|
|
// authority is set
|
|
if (!$this->may_omit_host &&
|
|
// if the scheme is present, a missing host is always in error
|
|
(!is_null($uri->scheme) && ($uri->host === '' || is_null($uri->host))) ||
|
|
// if the scheme is not present, a *blank* host is in error,
|
|
// since this translates into '///path' which most browsers
|
|
// interpret as being 'http://path'.
|
|
(is_null($uri->scheme) && $uri->host === '')
|
|
) {
|
|
do {
|
|
if (is_null($uri->scheme)) {
|
|
if (substr($uri->path, 0, 2) != '//') {
|
|
$uri->host = null;
|
|
break;
|
|
}
|
|
// URI is '////path', so we cannot nullify the
|
|
// host to preserve semantics. Try expanding the
|
|
// hostname instead (fall through)
|
|
}
|
|
// first see if we can manually insert a hostname
|
|
$host = $config->get('URI.Host');
|
|
if (!is_null($host)) {
|
|
$uri->host = $host;
|
|
} else {
|
|
// we can't do anything sensible, reject the URL.
|
|
return false;
|
|
}
|
|
} while (false);
|
|
}
|
|
return $this->doValidate($uri, $config, $context);
|
|
}
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|