mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-11-14 01:08:41 +00:00
d3abcb90e3
The new logic is as follows: * Given a URL to insert into url(), check that it is properly URL encoded (in particular, a doublequote and backslash never occurs within it) and then place it as url("http://example.com"). * Given a font name, if it is strictly alphanumeric, it is safe to omit quotes. Otherwise, wrap in double quotes and replace '"' with '\22 ' (note trailing space) and '\' with '\5C ' (ditto). We introduce expandCSSEscape() which is a hack for common parsing idioms in CSS; this means that CSS escapes are now recognized inside URLs as well as unquoted font names. Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
12 lines
764 B
Plaintext
12 lines
764 B
Plaintext
--INI--
|
|
URI.Munge = "/redirect?s=%s&t=%t&r=%r&n=%n&m=%m&p=%p"
|
|
URI.MungeSecretKey = "foo"
|
|
URI.MungeResources = true
|
|
--HTML--
|
|
<a href="http://example.com">Link</a>
|
|
<img src="http://example.com" style="background-image:url(http://example.com);" alt="example.com" />
|
|
--EXPECT--
|
|
<a href="/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=&n=a&m=href&p=">Link</a>
|
|
<img src="/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=1&n=img&m=src&p=" style="background-image:url("/redirect?s=http%3A%2F%2Fexample.com&t=c15354f3953dfec262c55b1403067e0d045a3059&r=1&n=img&m=style&p=background-image");" alt="example.com" />
|
|
--# vim: et sw=4 sts=4
|