Remark about bypassing host list with punycode.
[htmlpurifier.git] / library / HTMLPurifier / URIFilter / HostBlacklist.php
blob55fde3bf4d37c72e3ec9f72e5860718543bc82b7
1 <?php
3 // It's not clear to me whether or not Punycode means that hostnames
4 // do not have canonical forms anymore. As far as I can tell, it's
5 // not a problem (punycoding should be identity when no Unicode
6 // points are involved), but I'm not 100% sure
7 class HTMLPurifier_URIFilter_HostBlacklist extends HTMLPurifier_URIFilter
9 public $name = 'HostBlacklist';
10 protected $blacklist = array();
11 public function prepare($config) {
12 $this->blacklist = $config->get('URI.HostBlacklist');
13 return true;
15 public function filter(&$uri, $config, $context) {
16 foreach($this->blacklist as $blacklisted_host_fragment) {
17 if (strpos($uri->host, $blacklisted_host_fragment) !== false) {
18 return false;
21 return true;
25 // vim: et sw=4 sts=4