library/HTMLPurifier/URISchemeRegistry.php

   1 <?php
   2
   3 require_once 'HTMLPurifier/URIScheme/http.php';
   4 require_once 'HTMLPurifier/URIScheme/https.php';
   5 require_once 'HTMLPurifier/URIScheme/mailto.php';
   6 require_once 'HTMLPurifier/URIScheme/ftp.php';
   7 require_once 'HTMLPurifier/URIScheme/nntp.php';
   8 require_once 'HTMLPurifier/URIScheme/news.php';
   9
  10 HTMLPurifier_ConfigSchema::define(
  11     'URI', 'AllowedSchemes', array(
  12         'http'  => true, // "Hypertext Transfer Protocol", nuf' said
  13         'https' => true, // HTTP over SSL (Secure Socket Layer)
  14         // quite useful, but not necessary
  15         'mailto' => true,// Email
  16         'ftp'   => true, // "File Transfer Protocol"
  17         // for Usenet, these two are similar, but distinct
  18         'nntp'  => true, // individual Netnews articles
  19         'news'  => true  // newsgroup or individual Netnews articles
  20     ), 'lookup',
  21     'Whitelist that defines the schemes that a URI is allowed to have.  This '.
  22     'prevents XSS attacks from using pseudo-schemes like javascript or mocha.'
  23 );
  24
  25 HTMLPurifier_ConfigSchema::define(
  26     'URI', 'OverrideAllowedSchemes', true, 'bool',
  27     'If this is set to true (which it is by default), you can override '.
  28     '%URI.AllowedSchemes by simply registering a HTMLPurifier_URIScheme '.
  29     'to the registry.  If false, you will also have to update that directive '.
  30     'in order to add more schemes.'
  31 );
  32
  33 /**
  34  * Registry for retrieving specific URI scheme validator objects.
  35  */
  36 class HTMLPurifier_URISchemeRegistry
  37 {
  38
  39     /**
  40      * Retrieve sole instance of the registry.
  41      * @param $prototype Optional prototype to overload sole instance with,
  42      *                   or bool true to reset to default registry.
  43      * @note Pass a registry object $prototype with a compatible interface and
  44      *       the function will copy it and return it all further times.
  45      */
  46     public static function instance($prototype = null) {
  47         static $instance = null;
  48         if ($prototype !== null) {
  49             $instance = $prototype;
  50         } elseif ($instance === null || $prototype == true) {
  51             $instance = new HTMLPurifier_URISchemeRegistry();
  52         }
  53         return $instance;
  54     }
  55
  56     /**
  57      * Cache of retrieved schemes.
  58      */
  59     protected $schemes = array();
  60
  61     /**
  62      * Retrieves a scheme validator object
  63      * @param $scheme String scheme name like http or mailto
  64      * @param $config HTMLPurifier_Config object
  65      * @param $config HTMLPurifier_Context object
  66      */
  67     public function getScheme($scheme, $config, $context) {
  68         if (!$config) $config = HTMLPurifier_Config::createDefault();
  69         $null = null; // for the sake of passing by reference
  70
  71         // important, otherwise attacker could include arbitrary file
  72         $allowed_schemes = $config->get('URI', 'AllowedSchemes');
  73         if (!$config->get('URI', 'OverrideAllowedSchemes') &&
  74             !isset($allowed_schemes[$scheme])
  75         ) {
  76             return $null;
  77         }
  78
  79         if (isset($this->schemes[$scheme])) return $this->schemes[$scheme];
  80         if (!isset($allowed_schemes[$scheme])) return $null;
  81
  82         $class = 'HTMLPurifier_URIScheme_' . $scheme;
  83         if (!class_exists($class)) return $null;
  84         $this->schemes[$scheme] = new $class();
  85         return $this->schemes[$scheme];
  86     }
  87
  88     /**
  89      * Registers a custom scheme to the cache, bypassing reflection.
  90      * @param $scheme Scheme name
  91      * @param $scheme_obj HTMLPurifier_URIScheme object
  92      */
  93     public function register($scheme, $scheme_obj) {
  94         $this->schemes[$scheme] = $scheme_obj;
  95     }
  96
  97 }
  98
  99