mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2024-12-23 17:01:51 +00:00
4164b2eb2b
The purpose of this addition is twofold. In trusted mode, iframes are now unconditionally allowed. However, many online video providers (YouTube, Vimeo) and other web applications (Google Maps, Google Calendar, etc) provide embed code in iframe format, which is useful functionality in untrusted mode. You can specify iframes as trusted elements with %HTML.SafeIframe; however, you need to additionally specify a whitelist mechanism such as %URI.SafeIframeRegexp to say what iframe embeds are OK (by default everything is rejected). Note: As iframes are invalid in strict doctypes, you will not be able to use them there. We also added an always_load parameter to URIFilters in order to support the strange nature of the SafeIframe URIFilter (it always needs to be loaded, due to the inability of accessing the %HTML.SafeIframe directive to see if it's needed!) We expect this URIFilter can expand in the future to offer more complex validation mechanisms. Signed-off-by: Bradley M. Froehle <brad.froehle@gmail.com> Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
103 lines
3.2 KiB
PHP
103 lines
3.2 KiB
PHP
<?php
|
|
|
|
class HTMLPurifier_URIDefinition extends HTMLPurifier_Definition
|
|
{
|
|
|
|
public $type = 'URI';
|
|
protected $filters = array();
|
|
protected $postFilters = array();
|
|
protected $registeredFilters = array();
|
|
|
|
/**
|
|
* HTMLPurifier_URI object of the base specified at %URI.Base
|
|
*/
|
|
public $base;
|
|
|
|
/**
|
|
* String host to consider "home" base, derived off of $base
|
|
*/
|
|
public $host;
|
|
|
|
/**
|
|
* Name of default scheme based on %URI.DefaultScheme and %URI.Base
|
|
*/
|
|
public $defaultScheme;
|
|
|
|
public function __construct() {
|
|
$this->registerFilter(new HTMLPurifier_URIFilter_DisableExternal());
|
|
$this->registerFilter(new HTMLPurifier_URIFilter_DisableExternalResources());
|
|
$this->registerFilter(new HTMLPurifier_URIFilter_HostBlacklist());
|
|
$this->registerFilter(new HTMLPurifier_URIFilter_SafeIframe());
|
|
$this->registerFilter(new HTMLPurifier_URIFilter_MakeAbsolute());
|
|
$this->registerFilter(new HTMLPurifier_URIFilter_Munge());
|
|
}
|
|
|
|
public function registerFilter($filter) {
|
|
$this->registeredFilters[$filter->name] = $filter;
|
|
}
|
|
|
|
public function addFilter($filter, $config) {
|
|
$r = $filter->prepare($config);
|
|
if ($r === false) return; // null is ok, for backwards compat
|
|
if ($filter->post) {
|
|
$this->postFilters[$filter->name] = $filter;
|
|
} else {
|
|
$this->filters[$filter->name] = $filter;
|
|
}
|
|
}
|
|
|
|
protected function doSetup($config) {
|
|
$this->setupMemberVariables($config);
|
|
$this->setupFilters($config);
|
|
}
|
|
|
|
protected function setupFilters($config) {
|
|
foreach ($this->registeredFilters as $name => $filter) {
|
|
if ($filter->always_load) {
|
|
$this->addFilter($filter, $config);
|
|
} else {
|
|
$conf = $config->get('URI.' . $name);
|
|
if ($conf !== false && $conf !== null) {
|
|
$this->addFilter($filter, $config);
|
|
}
|
|
}
|
|
}
|
|
unset($this->registeredFilters);
|
|
}
|
|
|
|
protected function setupMemberVariables($config) {
|
|
$this->host = $config->get('URI.Host');
|
|
$base_uri = $config->get('URI.Base');
|
|
if (!is_null($base_uri)) {
|
|
$parser = new HTMLPurifier_URIParser();
|
|
$this->base = $parser->parse($base_uri);
|
|
$this->defaultScheme = $this->base->scheme;
|
|
if (is_null($this->host)) $this->host = $this->base->host;
|
|
}
|
|
if (is_null($this->defaultScheme)) $this->defaultScheme = $config->get('URI.DefaultScheme');
|
|
}
|
|
|
|
public function getDefaultScheme($config, $context) {
|
|
return HTMLPurifier_URISchemeRegistry::instance()->getScheme($this->defaultScheme, $config, $context);
|
|
}
|
|
|
|
public function filter(&$uri, $config, $context) {
|
|
foreach ($this->filters as $name => $f) {
|
|
$result = $f->filter($uri, $config, $context);
|
|
if (!$result) return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
public function postFilter(&$uri, $config, $context) {
|
|
foreach ($this->postFilters as $name => $f) {
|
|
$result = $f->filter($uri, $config, $context);
|
|
if (!$result) return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
}
|
|
|
|
// vim: et sw=4 sts=4
|