[3.1.1] General munge improvements

- Add CurrentCSSProperty context variable
- Move Munge to its own class, derived off of SecureMunge.
- Rename %URI.SecureMunge to %URI.Munge
- Rename %URI.SecureMungeSecretKey to %URI.MungeSecretKey
- Add extra substitutions for munge

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1803 48356398-32a2-884e-a903-53898d9a118a

library/HTMLPurifier/AttrDef/CSS.php

@@ -29,6 +29,12 @@ class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
         $declarations = explode(';', $css);
         $propvalues = array();
         
+        /**
+         * Name of the current CSS property being validated.
+         */
+        $property = false;
+        $context->register('CurrentCSSProperty', $property);
+        
         foreach ($declarations as $declaration) {
             if (!$declaration) continue;
             if (!strpos($declaration, ':')) continue;
@@ -61,6 +67,8 @@ class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
             $propvalues[$property] = $result;
         }
         
+        $context->destroy('CurrentCSSProperty');
+        
         // procedure does not write the new CSS simultaneously, so it's
         // slightly inefficient, but it's the only way of getting rid of
         // duplicates. Perhaps config to optimize it, but not now.

library/HTMLPurifier/AttrDef/URI.php

@@ -68,18 +68,7 @@ class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
         if (!$ok) return false;
         
         // back to string
-        $result = $uri->toString();
-        
-        // munge entire URI if necessary
-        if (
-            !is_null($uri->host) && // indicator for authority
-            !empty($scheme_obj->browsable) &&
-            !is_null($munge = $config->get('URI', 'Munge'))
-        ) {
-            $result = str_replace('%s', rawurlencode($result), $munge);
-        }
-        
-        return $result;
+        return $uri->toString();
         
     }
     

library/HTMLPurifier/ConfigSchema/schema/URI.Munge.txt

@@ -6,7 +6,7 @@ DEFAULT: NULL
 
 <p>
     Munges all browsable (usually http, https and ftp)
-    absolute URI's into another URI, usually a URI redirection service.
+    absolute URIs into another URI, usually a URI redirection service.
     This directive accepts a URI, formatted with a <code>%s</code> where 
     the url-encoded original URI should be inserted (sample: 
     <code>http://www.google.com/url?q=%s</code>).
@@ -19,13 +19,58 @@ DEFAULT: NULL
         Prevent PageRank leaks, while being fairly transparent 
         to users (you may also want to add some client side JavaScript to 
         override the text in the statusbar). <strong>Notice</strong>:
-        Many security experts believe that this form of protection does
-not deter spam-bots. 
+        Many security experts believe that this form of protection does not deter spam-bots. 
     </li>
     <li>
         Redirect users to a splash page telling them they are leaving your
-        website. While this is poor usability practice, it is often
-mandated
+        website. While this is poor usability practice, it is often mandated
         in corporate environments.
     </li>
 </ul>
+<p>
+    You may want to also use %URI.MungeSecretKey along with this directive
+    in order to enforce what URIs your redirector script allows. Open
+    redirector scripts can be a security risk and negatively affect the
+    reputation of your domain name.
+</p>
+<p>
+    Starting with HTML Purifier 3.1.1, there is also these substitutions:
+</p>
+<table>
+    <thead>
+        <tr>
+            <th>Key</th>
+            <th>Description</th>
+            <th>Example <code>&lt;a href=""&gt;</code></th>
+        </tr>
+    </thead>
+    <tbody>
+        <tr>
+            <td>%r</td>
+            <td>1 - The URI embeds a resource<br />(blank) - The URI is merely a link</td>
+            <td></td>
+        </tr>
+        <tr>
+            <td>%n</td>
+            <td>The name of the tag this URI came from</td>
+            <td>a</td>
+        </tr>
+        <tr>
+            <td>%m</td>
+            <td>The name of the attribute this URI came from</td>
+            <td>href</td>
+        </tr>
+        <tr>
+            <td>%p</td>
+            <td>The name of the CSS property this URI came from, or blank if irrelevant</td>
+            <td></td>
+        </tr>
+    </tbody>
+</table>
+<p>
+    Admittedly, these letters are somewhat arbitrary; the only stipulation
+    was that they couldn't be a through f. r is for resource (I would have preferred
+    e, but you take what you can get), n is for name, m
+    was picked because it came after n (and I couldn't use a), p is for
+    property.
+</p>

library/HTMLPurifier/ConfigSchema/schema/URI.MungeResources.txt

@@ -0,0 +1,12 @@
+URI.MungeResources
+TYPE: bool
+VERSION: 3.1.1
+DEFAULT: false
+--DESCRIPTION--
+<p>
+    If true, any URI munging directives like %URI.Munge or %URI.SecureMunge
+    will also apply to embedded resources, such as <code>&lt;img src=""&gt;</code>.
+    Be careful enabling this directive if you have a redirector script
+    that does not use the <code>Location</code> HTTP header; all of your images
+    and other embedded resources will break.
+</ul>

library/HTMLPurifier/ConfigSchema/schema/URI.MungeSecretKey.txt

@@ -0,0 +1,29 @@
+URI.MungeSecretKey
+TYPE: string/null
+VERSION: 3.1.1
+DEFAULT: NULL
+--DESCRIPTION--
+<p>
+    This directive enables secure checksum generation along with %URI.Munge.
+    It should be set to a secure key that is not shared with anyone else.
+    The checksum can be placed in the URI using %t. Use of this checksum
+    affords an additional level of protection by allowing a redirector
+    to check if a URI has passed through HTML Purifier with this line:
+</p>
+
+<pre>$checksum === sha1($secret_key . ':' . $url)</pre>
+
+<p>
+    If the output is TRUE, the redirector script should accept the URI.
+</p>
+
+<p>
+    Please note that it would still be possible for an attacker to procure
+    secure hashes en-mass by abusing your website's Preview feature or the
+    like, but this service affords an additional level of protection
+    that should be combined with website blacklisting.
+</p>
+
+<p>
+    Remember this has no effect if %URI.Munge is not on.
+</p>

library/HTMLPurifier/ConfigSchema/schema/URI.SecureMunge.txt

@@ -1,33 +0,0 @@
-URI.SecureMunge
-TYPE: string/null
-VERSION: 3.1.1
-DEFAULT: NULL
---DESCRIPTION--
-<p>
-    Like %URI.Munge, this directive munges browsable external resources
-    into another URI redirection service. %URI.SecureMunge accepts a URI
-    with a %s located where the original URI should be substituted in,
-    and %t located where the secure checksum should be provided.
-    However, this directive affords
-    an additional level of protection by generating a secure checksum from
-    the URI as well as a secret key provided by %URI.SecureMungeSecretKey.
-    Any redirector script can check this key by using:
-</p>
-
-<pre>$checksum === sha1($secret_key . ':' . $url)</pre>
-
-<p>
-    If the output is TRUE, the redirector script should accept the URI.
-</p>
-
-<p>
-    Please note that it would still be possible for an attacker to procure
-    secure hashes en-mass by abusing your website's Preview feature or the
-    like, but this service affords an additional level of protection
-    that should be combined with website blacklisting.
-</p>
-
-<p>
-    <strong>This is a post-filter.</strong> This filter may conflict with other
-    post-filters that deal with external links.
-</p>

library/HTMLPurifier/ConfigSchema/schema/URI.SecureMungeSecretKey.txt

@@ -1,11 +0,0 @@
-URI.SecureMungeSecretKey
-TYPE: string/null
-VERSION: 3.1.1
-DEFAULT: NULL
---DESCRIPTION--
-<p>
-    This is the secret key used in conjunction with %URI.SecureMunge. Your
-    redirector script needs to know about this key, and no one else should
-    know about this key. Please see the above
-    directive for more details.
-</p>

library/HTMLPurifier/URIDefinition.php

@@ -28,7 +28,7 @@ class HTMLPurifier_URIDefinition extends HTMLPurifier_Definition
         $this->registerFilter(new HTMLPurifier_URIFilter_DisableExternalResources());
         $this->registerFilter(new HTMLPurifier_URIFilter_HostBlacklist());
         $this->registerFilter(new HTMLPurifier_URIFilter_MakeAbsolute());
-        $this->registerFilter(new HTMLPurifier_URIFilter_SecureMunge());
+        $this->registerFilter(new HTMLPurifier_URIFilter_Munge());
     }
     
     public function registerFilter($filter) {

library/HTMLPurifier/URIFilter/Munge.php

@@ -0,0 +1,48 @@
+<?php
+
+class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
+{
+    public $name = 'Munge';
+    public $post = true;
+    private $target, $parser, $doEmbed, $secretKey;
+    
+    protected $replace = array();
+    
+    public function prepare($config) {
+        $this->target    = $config->get('URI', $this->name);
+        $this->parser    = new HTMLPurifier_URIParser();
+        $this->doEmbed   = $config->get('URI', 'MungeResources');
+        $this->secretKey = $config->get('URI', 'MungeSecretKey');
+        return true;
+    }
+    public function filter(&$uri, $config, $context) {
+        if ($context->get('EmbeddedURI', true) && !$this->doEmbed) return true;
+        
+        $scheme_obj = $uri->getSchemeObj($config, $context);
+        if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
+        if (is_null($uri->host) || empty($scheme_obj->browsable)) {
+            return true;
+        }
+        
+        $this->makeReplace($uri, $config, $context);
+        $this->replace = array_map('rawurlencode', $this->replace);
+        
+        $new_uri = strtr($this->target, $this->replace);
+        $uri = $this->parser->parse($new_uri); // overwrite
+        return true;
+    }
+    
+    protected function makeReplace($uri, $config, $context) {
+        $string = $uri->toString();
+        // always available
+        $this->replace['%s'] = $string;
+        $this->replace['%r'] = $context->get('EmbeddedURI', true);
+        $token = $context->get('CurrentToken', true);
+        $this->replace['%n'] = $token ? $token->name : null;
+        $this->replace['%m'] = $context->get('CurrentAttr', true);
+        $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
+        // not always available
+        if ($this->secretKey) $this->replace['%t'] = sha1($this->secretKey . ':' . $string);
+    }
+    
+}

library/HTMLPurifier/URIFilter/SecureMunge.php

@@ -1,33 +0,0 @@
-<?php
-
-class HTMLPurifier_URIFilter_SecureMunge extends HTMLPurifier_URIFilter
-{
-    public $name = 'SecureMunge';
-    public $post = true;
-    private $target, $secretKey, $parser;
-    public function prepare($config) {
-        $this->target = $config->get('URI', 'SecureMunge');
-        $this->secretKey = $config->get('URI', 'SecureMungeSecretKey');
-        $this->parser = new HTMLPurifier_URIParser();
-        if (!$this->secretKey) {
-            trigger_error('URI.SecureMunge is being ignored due to lack of value for URI.SecureMungeSecretKey', E_USER_WARNING);
-            return false;
-        }
-        return true;
-    }
-    public function filter(&$uri, $config, $context) {
-        if (!$this->target || !$this->secretKey) return true;
-        if ($context->get('EmbeddedURI', true)) return true; // abort for embedded URIs
-        $scheme_obj = $uri->getSchemeObj($config, $context);
-        if (!$scheme_obj) return true; // ignore unknown schemes, maybe another postfilter did it
-        if (is_null($uri->host) || empty($scheme_obj->browsable)) {
-            return true;
-        }
-        $string = $uri->toString();
-        $checksum = sha1($this->secretKey . ':' . $string);
-        $new_uri = str_replace('%s', rawurlencode($string), $this->target);
-        $new_uri = str_replace('%t', $checksum, $new_uri);
-        $uri = $this->parser->parse($new_uri); // overwrite
-        return true;
-    }
-}