Initial implementation of URISchemeRegistry (fixed overload bug in process). Also, add extra notes to some of the unit tests.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@210 48356398-32a2-884e-a903-53898d9a118a
2025-08-06 06:07:26 +02:00 · 2006-08-12 03:56:27 +00:00
parent 4ab6cab15c
commit c2ec56b872
8 changed files with 80 additions and 3 deletions
--- a/library/HTMLPurifier/ConfigDef.php
+++ b/library/HTMLPurifier/ConfigDef.php
@@ -29,6 +29,7 @@ class HTMLPurifier_ConfigDef {
            return;
        }
        if (isset($def->info[$namespace][$name])) {
+            // this behavior is at risk of change
            trigger_error('Cannot redefine directive', E_USER_ERROR);
            return;
        }
--- a/library/HTMLPurifier/URIScheme.php
+++ b/library/HTMLPurifier/URIScheme.php
@@ -3,7 +3,7 @@
 class HTMLPurifier_URIScheme
 {
    
-    function validateComponents() {
+    function validateComponents($authority, $path, $query, $fragment) {
        
    }
    
--- a/library/HTMLPurifier/URIScheme/http.php
+++ b/library/HTMLPurifier/URIScheme/http.php
@@ -0,0 +1,13 @@
+<?php
+
+require_once 'HTMLPurifier/URIScheme.php';
+
+class HTMLPurifier_URIScheme_http extends HTMLPurifier_URIScheme {
+    
+    function validateComponents($authority, $path, $query, $fragment) {
+        
+    }
+    
+}
+
+?>
--- a/library/HTMLPurifier/URISchemeRegistry.php
+++ b/library/HTMLPurifier/URISchemeRegistry.php
@@ -1,5 +1,21 @@
 <?php

+HTMLPurifier_ConfigDef::define(
+    'URI', 'AllowedSchemes', array(
+        'http'  => true, // "Hypertext Transfer Protocol", nuf' said
+        'https' => true, // HTTP over SSL (Secure Socket Layer)
+        // quite useful, but not necessary
+        'mailto' => true,// Email
+        'ftp'   => true, // "File Transfer Protocol"
+        'irc'   => true, // "Internet Relay Chat", usually needs another app
+        // for Usenet, these two are similar, but distinct
+        'nntp'  => true, // individual Netnews articles
+        'news'  => true  // newsgroup or individual Netnews articles),
+    ),
+    'Whitelist that defines the schemes that a URI is allowed to have.  This '.
+    'prevents XSS attacks from using pseudo-schemes like javascript or mocha.'
+);
+
 class HTMLPurifier_URISchemeRegistry
 {
    
@@ -16,7 +32,25 @@ class HTMLPurifier_URISchemeRegistry
        return $instance;
    }
    
-    function &getScheme($scheme) {}
+    var $schemes = array();
+    var $_scheme_dir = null;
+    
+    function &getScheme($scheme, $config = null) {
+        if (!$config) $config = HTMLPurifier_Config::createDefault();
+        $null = null; // for the sake of passing by reference
+        if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
+        if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
+        
+        // important, otherwise attacker could include arbitrary file
+        $allowed_schemes = $config->get('URI', 'AllowedSchemes');
+        if (!isset($allowed_schemes[$scheme])) return $null;
+        
+        @include_once $this->_dir . $scheme . '.php';
+        $class = 'HTMLPurifier_URIScheme_' . $scheme;
+        if (!class_exists($class)) return $null;
+        $this->schemes[$scheme] = new $class();
+        return $this->schemes[$scheme];
+    }
    
 }