Initial implementation of URISchemeRegistry (fixed overload bug in process). Also, add extra notes to some of the unit tests.
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@210 48356398-32a2-884e-a903-53898d9a118a
@@ -29,6 +29,7 @@ class HTMLPurifier_ConfigDef {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (isset($def->info[$namespace][$name])) {
|
if (isset($def->info[$namespace][$name])) {
|
||||||
|
// this behavior is at risk of change
|
||||||
trigger_error('Cannot redefine directive', E_USER_ERROR);
|
trigger_error('Cannot redefine directive', E_USER_ERROR);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@@ -3,7 +3,7 @@
|
|||||||
class HTMLPurifier_URIScheme
|
class HTMLPurifier_URIScheme
|
||||||
{
|
{
|
||||||
|
|
||||||
function validateComponents() {
|
function validateComponents($authority, $path, $query, $fragment) {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
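Review bot: The widened base-class signature `validateComponents($authority, $path, $query, $fragment)` still has an empty body, so it implicitly returns null and nothing in the commit says what a scheme is expected to return to accept or reject a URI, or whether it may rewrite the components it is given. Add a docblock above the method stating that contract, e.g. `/** Validates the parsed URI components for this scheme. Return true to accept, false to reject -- TODO confirm how AttrDef_URI consumes the result. */`, and make the default explicit (`return false;`) so a subclass that forgets to override fails closed instead of silently passing every URI. Whether a falsy result is actually treated as rejection by the caller is not visible in this hunk and should be confirmed. The class body continues past the end of the hunk.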
|
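--- /dev/null
+++ b/library/HTMLPurifier/URIScheme/http.php
@@ -0,0 +1,13 @@
+<?php
+
+require_once 'HTMLPurifier/URIScheme.php';
+
+class HTMLPurifier_URIScheme_http extends HTMLPurifier_URIScheme {
+
+function validateComponents($authority, $path, $query, $fragment) {
+
+}
+
+}
+
+?>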
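Review bot: `HTMLPurifier_URIScheme_http::validateComponents` is an empty stub, so the http scheme currently applies no check at all to the authority, path, query or fragment it receives; if the caller treats a missing return as acceptance, this registers a scheme that accepts every URI. A one-line TODO stating the intended rule would make the stub's status explicit to the next reader, e.g. `// TODO: reject when $authority is empty -- an http URI requires a host; other components pass through for now`. The base class's return contract is not visible in this file, so the exact accept/reject value should be confirmed against it.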
@@ -1,5 +1,21 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
|
HTMLPurifier_ConfigDef::define(
|
||||||
|
'URI', 'AllowedSchemes', array(
|
||||||
|
'http' => true, // "Hypertext Transfer Protocol", nuf' said
|
||||||
|
'https' => true, // HTTP over SSL (Secure Socket Layer)
|
||||||
|
// quite useful, but not necessary
|
||||||
|
'mailto' => true,// Email
|
||||||
|
'ftp' => true, // "File Transfer Protocol"
|
||||||
|
'irc' => true, // "Internet Relay Chat", usually needs another app
|
||||||
|
// for Usenet, these two are similar, but distinct
|
||||||
|
'nntp' => true, // individual Netnews articles
|
||||||
|
'news' => true // newsgroup or individual Netnews articles),
|
||||||
|
),
|
||||||
|
'Whitelist that defines the schemes that a URI is allowed to have. This '.
|
||||||
|
'prevents XSS attacks from using pseudo-schemes like javascript or mocha.'
|
||||||
|
);
|
||||||
|
|
||||||
class HTMLPurifier_URISchemeRegistry
|
class HTMLPurifier_URISchemeRegistry
|
||||||
{
|
{
|
||||||
|
|
||||||
@@ -16,7 +32,25 @@ class HTMLPurifier_URISchemeRegistry
|
|||||||
return $instance;
|
return $instance;
|
||||||
}
|
}
|
||||||
|
|
||||||
function &getScheme($scheme) {}
|
var $schemes = array();
|
||||||
|
var $_scheme_dir = null;
|
||||||
|
|
||||||
|
function &getScheme($scheme, $config = null) {
|
||||||
|
if (!$config) $config = HTMLPurifier_Config::createDefault();
|
||||||
|
$null = null; // for the sake of passing by reference
|
||||||
|
if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
|
||||||
|
if (empty($this->_dir)) $this->_dir = dirname(__FILE__) . '/URIScheme/';
|
||||||
|
|
||||||
|
// important, otherwise attacker could include arbitrary file
|
||||||
|
$allowed_schemes = $config->get('URI', 'AllowedSchemes');
|
||||||
|
if (!isset($allowed_schemes[$scheme])) return $null;
|
||||||
|
|
||||||
|
@include_once $this->_dir . $scheme . '.php';
|
||||||
|
$class = 'HTMLPurifier_URIScheme_' . $scheme;
|
||||||
|
if (!class_exists($class)) return $null;
|
||||||
|
$this->schemes[$scheme] = new $class();
|
||||||
|
return $this->schemes[$scheme];
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
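Review bot: In `getScheme`, the cache lookup `if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];` runs before the `URI.AllowedSchemes` check, so once a scheme object has been loaded under one configuration every later call returns it regardless of what the `$config` passed to that call permits; the allow-list that the "attacker could include arbitrary file" comment relies on guards only the first load. Reorder the checks so the per-call config is honoured on every path: `$allowed_schemes = $config->get('URI', 'AllowedSchemes'); if (!isset($allowed_schemes[$scheme])) return $null; if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];`. The method also reads `$this->_dir` while the property declared on the class is `$_scheme_dir`, so the declared property is never used and the include directory lives on an undeclared one. Finally, the `@` on `include_once` hides any error from a missing or broken scheme file even though `class_exists` already handles the missing-class case, so dropping the suppression would let genuine load failures surface.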
@@ -5,7 +5,7 @@ require_once 'HTMLPurifier/AttrDef/URI.php';
|
|||||||
|
|
||||||
// WARNING: INCOMPLETE UNIT TESTS!
|
// WARNING: INCOMPLETE UNIT TESTS!
|
||||||
// we are currently abstaining IPv6 and percent-encode fixing unit tests
|
// we are currently abstaining IPv6 and percent-encode fixing unit tests
|
||||||
// as well as recomposition tests
|
// we also need to test all the configuration directives defined by this class
|
||||||
|
|
||||||
class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
||||||
{
|
{
|
||||||
@@ -15,6 +15,8 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
|||||||
generate_mock_once('HTMLPurifier_URIScheme');
|
generate_mock_once('HTMLPurifier_URIScheme');
|
||||||
generate_mock_once('HTMLPurifier_URISchemeRegistry');
|
generate_mock_once('HTMLPurifier_URISchemeRegistry');
|
||||||
|
|
||||||
|
$old_registry = HTMLPurifier_URISchemeRegistry::instance();
|
||||||
|
|
||||||
// finally, lets get a copy of the actual class
|
// finally, lets get a copy of the actual class
|
||||||
$def = new HTMLPurifier_AttrDef_URI();
|
$def = new HTMLPurifier_AttrDef_URI();
|
||||||
|
|
||||||
@@ -186,6 +188,9 @@ class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// reset to regular implementation
|
||||||
|
HTMLPurifier_URISchemeRegistry::instance($old_registry);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
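Review bot: `$old_registry = HTMLPurifier_URISchemeRegistry::instance();` takes the singleton by value, whereas `URISchemeRegistryTest` takes it with `=&`; if this code still targets PHP 4 object semantics the plain assignment copies the registry, so `instance($old_registry)` on the restore line reinstalls a copy rather than the original. Use `$old_registry =& HTMLPurifier_URISchemeRegistry::instance();` for consistency with the other test. Because the restore is the last statement of the method, any fatal error earlier in the test would leave the mock registry installed for later tests; that is a limitation of the fixture rather than this change. The enclosing test method begins before the first hunk, and the body of `instance()` that accepts a replacement is outside this file section, so its storage semantics are inferred from the call.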
@@ -50,6 +50,9 @@ class HTMLPurifier_ConfigDefTest extends UnitTestCase
|
|||||||
$this->swallowErrors();
|
$this->swallowErrors();
|
||||||
|
|
||||||
// test overloading already defined value
|
// test overloading already defined value
|
||||||
|
// ACTUALLY, we probably should allow this behavior, which simply
|
||||||
|
// means that two class files need that directive. Using debug_backtrace
|
||||||
|
// we could probably figure which files those are too! :-D
|
||||||
HTMLPurifier_ConfigDef::define('Core', 'Name', 89,
|
HTMLPurifier_ConfigDef::define('Core', 'Name', 89,
|
||||||
'What, you\'re not allowed to overload directives? Bummer!');
|
'What, you\'re not allowed to overload directives? Bummer!');
|
||||||
$this->assertError('Cannot redefine directive');
|
$this->assertError('Cannot redefine directive');
|
||||||
|
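--- /dev/null
+++ b/tests/HTMLPurifier/URISchemeRegistryTest.php
@@ -0,0 +1,20 @@
+<?php
+
+require_once 'HTMLPurifier/URISchemeRegistry.php';
+
+class HTMLPurifier_URISchemeRegistryTest extends UnitTestCase
+{
+
+function test() {
+
+$registry =& HTMLPurifier_URISchemeRegistry::instance();
+$this->assertIsA($registry->getScheme('http'), 'HTMLPurifier_URIScheme_http');
+
+// to come: overloading and custom schemes, as well as changing the
+// configuration values used by this class
+
+}
+
+}
+
+?>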
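Review bot: The new test covers only the allowed path, `getScheme('http')`; the property the registry depends on for safety — that a scheme absent from `URI.AllowedSchemes` is refused before any file is included — has no assertion at all. Add negative cases next to it, e.g. `$this->assertNull($registry->getScheme('javascript'));` and `$this->assertNull($registry->getScheme('../URIScheme'));`, so the allow-list gate in `getScheme` is pinned against both a disallowed pseudo-scheme and a name carrying path characters. Both names are outside the default `AllowedSchemes` list defined in this commit, so they should return null under the default config that `getScheme` creates when none is passed.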
@@ -67,6 +67,7 @@ $test_files[] = 'IDAccumulatorTest.php';
|
|||||||
$test_files[] = 'TagTransformTest.php';
|
$test_files[] = 'TagTransformTest.php';
|
||||||
$test_files[] = 'AttrTransform/LangTest.php';
|
$test_files[] = 'AttrTransform/LangTest.php';
|
||||||
$test_files[] = 'AttrTransform/TextAlignTest.php';
|
$test_files[] = 'AttrTransform/TextAlignTest.php';
|
||||||
|
$test_files[] = 'URISchemeRegistryTest.php';
|
||||||
|
|
||||||
$test_file_lookup = array_flip($test_files);
|
$test_file_lookup = array_flip($test_files);
|
||||||
|
|
||||||
|