[3.1.1] Round up imagecrash support with HTML.MaxImgLength

- Add $max to AttrDef/HTML/Pixels.php - Add %HTML.MaxImgLength - CSS width/height allows percents when MaxImgLength is disabled git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1762 48356398-32a2-884e-a903-53898d9a118a
2025-08-05 21:57:26 +02:00 · 2008-05-23 02:09:43 +00:00
parent fcebb7731d
commit eb9f9bc7f6
11 changed files with 142 additions and 24 deletions
--- a/library/HTMLPurifier/AttrDef/HTML/Pixels.php
+++ b/library/HTMLPurifier/AttrDef/HTML/Pixels.php
@@ -6,6 +6,12 @@
 class HTMLPurifier_AttrDef_HTML_Pixels extends HTMLPurifier_AttrDef
 {
    
+    protected $max;
+    
+    public function __construct($max = null) {
+        $this->max = $max;
+    }
+    
    public function validate($string, $config, $context) {
        
        $string = trim($string);
@@ -24,11 +30,18 @@ class HTMLPurifier_AttrDef_HTML_Pixels extends HTMLPurifier_AttrDef
        // crash operating systems, see <http://ha.ckers.org/imagecrash.html>
        // WARNING, above link WILL crash you if you're using Windows
        
-        if ($int > 1200) return '1200';
+        if ($this->max !== null && $int > $this->max) return (string) $this->max;
        
        return (string) $int;
        
    }
    
+    public function make($string) {
+        if ($string === '') $max = null;
+        else $max = (int) $string;
+        $class = get_class($this);
+        return new $class($max);
+    }
+    
 }

--- a/library/HTMLPurifier/CSSDefinition.php
+++ b/library/HTMLPurifier/CSSDefinition.php
@@ -149,21 +149,26 @@ class HTMLPurifier_CSSDefinition extends HTMLPurifier_Definition
            new HTMLPurifier_AttrDef_CSS_Percentage()
        ));
        
+        $trusted_wh = new HTMLPurifier_AttrDef_CSS_Composite(array(
+            new HTMLPurifier_AttrDef_CSS_Length('0'),
+            new HTMLPurifier_AttrDef_CSS_Percentage(true),
+            new HTMLPurifier_AttrDef_Enum(array('auto'))
+        ));
+        $max = $config->get('CSS', 'MaxImgLength');
+        
        $this->info['width'] =
        $this->info['height'] =
-        new HTMLPurifier_AttrDef_Switch('img',
-            // For img tags:
-            new HTMLPurifier_AttrDef_CSS_Composite(array(
-                new HTMLPurifier_AttrDef_CSS_Length('0', $config->get('CSS', 'MaxImgLength')),
-                new HTMLPurifier_AttrDef_Enum(array('auto'))
-            )),
-            // For everyone else:
-            new HTMLPurifier_AttrDef_CSS_Composite(array(
-                new HTMLPurifier_AttrDef_CSS_Length('0'),
-                new HTMLPurifier_AttrDef_CSS_Percentage(true),
-                new HTMLPurifier_AttrDef_Enum(array('auto'))
-            ))
-        );
+            $max === null ?
+            $trusted_wh : 
+            new HTMLPurifier_AttrDef_Switch('img',
+                // For img tags:
+                new HTMLPurifier_AttrDef_CSS_Composite(array(
+                    new HTMLPurifier_AttrDef_CSS_Length('0', $max),
+                    new HTMLPurifier_AttrDef_Enum(array('auto'))
+                )),
+                // For everyone else:
+                $trusted_wh
+            );
        
        $this->info['text-decoration'] = new HTMLPurifier_AttrDef_CSS_TextDecoration();
        
--- a/library/HTMLPurifier/ConfigSchema/schema.ser
+++ b/library/HTMLPurifier/ConfigSchema/schema.ser
--- a/library/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/CSS.MaxImgLength.txt
@@ -8,4 +8,8 @@ VERSION: 3.1.1
 effectively the <code>width</code> and <code>height</code> properties.
 Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is
 in place to prevent imagecrash attacks, disable with null at your own risk.
+ This directive is similar to %HTML.MaxImgLength, and both should be
+ concurrently edited, although there are
+ subtle differences in the input format (the CSS max is a number with
+ a unit).
 </p>
--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.MaxImgLength.txt
@@ -0,0 +1,13 @@
+HTML.MaxImgLength
+TYPE: int/null
+DEFAULT: 1200
+VERSION: 3.1.1
+--DESCRIPTION--
+<p>
+ This directive controls the maximum number of pixels in the width and
+ height attributes in <code>img</code> tags. This is
+ in place to prevent imagecrash attacks, disable with null at your own risk.
+ This directive is similar to %CSS.MaxImgLength, and both should be
+ concurrently edited, although there are
+ subtle differences in the input format (the HTML max is an integer).
+</p>
--- a/library/HTMLPurifier/HTMLModule/Image.php
+++ b/library/HTMLPurifier/HTMLModule/Image.php
@@ -11,19 +11,24 @@ class HTMLPurifier_HTMLModule_Image extends HTMLPurifier_HTMLModule
    public $name = 'Image';
    
    public function setup($config) {
+        $max = $config->get('HTML', 'MaxImgLength');
        $img = $this->addElement(
            'img', 'Inline', 'Empty', 'Common',
            array(
                'alt*' => 'Text',
                // According to the spec, it's Length, but percents can
-                // be abused, so we allow only Pixels. A trusted module
-                // could overload this with the real value.
-                'height' => 'Pixels',
-                'width' => 'Pixels',
+                // be abused, so we allow only Pixels.
+                'height' => 'Pixels#' . $max,
+                'width'  => 'Pixels#' . $max,
                'longdesc' => 'URI', 
                'src*' => new HTMLPurifier_AttrDef_URI(true), // embedded
            )
        );
+        if ($max === null || $config->get('HTML', 'Trusted')) {
+            $img->attr['height'] =
+            $img->attr['width'] = 'Length';
+        }
+        
        // kind of strange, but splitting things up would be inefficient
        $img->attr_transform_pre[] =
        $img->attr_transform_post[] =