mirror/php-htmlpurifier
1
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-07-30 19:00:10 +02:00
Code Issues Releases Wiki Activity

Properly use HMAC for secure munging.

Browse Source 
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
This commit is contained in:
Edward Z. Yang
2013-09-13 21:16:50 -07:00
parent fac747bdbd
commit cf44f399f8
6 changed files with 12 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
tests/HTMLPurifier/HTMLT/munge-extra.htmlt
View File

@@ -6,6 +6,6 @@ URI.MungeResources = true
<a href="http://example.com">Link</a>
<img src="http://example.com" style="background-image:url(http://example.com);" alt="example.com" />
--EXPECT--
<a href="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=&amp;n=a&amp;m=href&amp;p=">Link</a>
<img src="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=1&amp;n=img&amp;m=src&amp;p=" style="background-image:url(&quot;/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=1&amp;n=img&amp;m=style&amp;p=background-image&quot;);" alt="example.com" />
<a href="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c763c4a30204eee8470a3292e0f0cd91a639654d039d45f1495a50207847e954&amp;r=&amp;n=a&amp;m=href&amp;p=">Link</a>
<img src="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c763c4a30204eee8470a3292e0f0cd91a639654d039d45f1495a50207847e954&amp;r=1&amp;n=img&amp;m=src&amp;p=" style="background-image:url(&quot;/redirect?s=http%3A%2F%2Fexample.com&amp;t=c763c4a30204eee8470a3292e0f0cd91a639654d039d45f1495a50207847e954&amp;r=1&amp;n=img&amp;m=style&amp;p=background-image&quot;);" alt="example.com" />
--# vim: et sw=4 sts=4

2
tests/HTMLPurifier/HTMLT/secure-munge.htmlt
View File

@@ -5,6 +5,6 @@ URI.MungeSecretKey = "foo"
<a href="http://localhost">foo</a>
<img src="http://localhost" alt="local" />
--EXPECT--
<a href="/redirect.php?url=http%3A%2F%2Flocalhost&amp;check=8e8223ae8fac24561104180ea549c21fbd111be7">foo</a>
<a href="/redirect.php?url=http%3A%2F%2Flocalhost&amp;check=c0efad89696082f5cb925d28636b0f4260f346391c92c70c8e9eba72591c2a73">foo</a>
<img src="http://localhost" alt="local" />
--# vim: et sw=4 sts=4

4
tests/HTMLPurifier/URIFilter/MungeTest.php
View File

@@ -107,7 +107,7 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
public function testSecureMungeStandard()
{
$this->setSecureMunge();
$this->assertFiltering('http://google.com', '/redirect.php?url=http%3A%2F%2Fgoogle.com&checksum=0072e2f817fd2844825def74e54443debecf0892');
$this->assertFiltering('http://google.com', '/redirect.php?url=http%3A%2F%2Fgoogle.com&checksum=46267a796aca0ea5839f24c4c97ad2648373a4eca31b1c0d1fa7c7ff26798f79');
}
public function testSecureMungeIgnoreUnknownSchemes()
@@ -127,7 +127,7 @@ class HTMLPurifier_URIFilter_MungeTest extends HTMLPurifier_URIFilterHarness
{
$this->setSecureMunge();
$this->setMunge('/links/%s/%t');
$this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/0072e2f817fd2844825def74e54443debecf0892');
$this->assertFiltering('http://google.com', '/links/http%3A%2F%2Fgoogle.com/46267a796aca0ea5839f24c4c97ad2648373a4eca31b1c0d1fa7c7ff26798f79');
}
public function testMungeIgnoreSameDomain()