diff --git a/NEWS b/NEWS
index 31c2b87b..59b02114 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 1.1.0, unknown release date
 - Made URI validator more forgiving: will ignore leading and trailing quotes, apostrophes and less than or greater than signs.
+- Enforce alphanumeric namespace and directive names for configuration.
 1.0.1, unknown release date
 - Fixed slight bug in DOMLex attribute parsing
diff --git a/library/HTMLPurifier/ConfigDef.php b/library/HTMLPurifier/ConfigDef.php
index fb47aef1..5800acd1 100644
--- a/library/HTMLPurifier/ConfigDef.php
+++ b/library/HTMLPurifier/ConfigDef.php
@@ -86,6 +86,11 @@ class HTMLPurifier_ConfigDef {
                 E_USER_ERROR);
             return;
         }
+        if (!ctype_alnum($name)) {
+            trigger_error('Directive name must be alphanumeric',
+                E_USER_ERROR);
+            return;
+        }
         if (isset($def->info[$namespace][$name])) {
             if (
                 $def->info[$namespace][$name]->type !== $type ||
@@ -127,6 +132,11 @@ class HTMLPurifier_ConfigDef {
             trigger_error('Cannot redefine namespace', E_USER_ERROR);
             return;
         }
+        if (!ctype_alnum($namespace)) {
+            trigger_error('Namespace name must be alphanumeric',
+                E_USER_ERROR);
+            return;
+        }
         $def->info[$namespace] = array();
         $def->info_namespace[$namespace] = new HTMLPurifier_ConfigEntity_Namespace();
         $backtrace = debug_backtrace();
diff --git a/tests/HTMLPurifier/ConfigDefTest.php b/tests/HTMLPurifier/ConfigDefTest.php
index 194d591b..401690ff 100644
--- a/tests/HTMLPurifier/ConfigDefTest.php
+++ b/tests/HTMLPurifier/ConfigDefTest.php
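Review bot: `ctype_alnum()` is locale-sensitive, so the new guard in `define()` does not actually pin directive names to ASCII letters and digits: if the process runs under a non-C locale set elsewhere with `setlocale()`, single high bytes such as 0xE9 can be classed as alphanumeric and pass, while the same name is rejected in another environment, which makes the accepted set environment-dependent rather than a fixed rule. A locale-independent check states the rule explicitly and portably, e.g. `if (!preg_match('/^[A-Za-z0-9]+$/', $name)) {`; the same applies to the `defineNamespace()` hunk below (`$namespace`). Note also that the ctype functions return false for the empty string and, in the PHP versions this code targets, treat an integer argument in -128..255 as a single byte value, so the guard rejects `''` but could be fooled by a non-string argument — worth a comment such as `// reject '' and anything outside [A-Za-z0-9]; names are later joined with '.'` if that is indeed the intent, plus a test for the empty name. Both enclosing methods begin outside their hunks.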
@@ -231,6 +231,24 @@ class HTMLPurifier_ConfigDefTest extends UnitTestCase
         $this->swallowErrors();
+        // define a directive with bad characters
+        HTMLPurifier_ConfigDef::define(
+            'Core', 'Core.Attr', 10, 'int',
+            'No periods! >:-('
+        );
+
+        $this->assertError('Directive name must be alphanumeric');
+        $this->assertNoErrors();
+        $this->swallowErrors();
+
+        // define a namespace with bad characters
+        HTMLPurifier_ConfigDef::defineNamespace(
+            'Foobar&Gromit', $description
+        );
+
+        $this->assertError('Namespace name must be alphanumeric');
+        $this->assertNoErrors();
+        $this->swallowErrors();
     }