library/HTMLPurifier/URIFilter/Munge.php

   1 <?php
   2
   3 class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
   4 {
   5     /**
   6      * @type string
   7      */
   8     public $name = 'Munge';
   9
  10     /**
  11      * @type bool
  12      */
  13     public $post = true;
  14
  15     /**
  16      * @type string
  17      */
  18     private $target;
  19
  20     /**
  21      * @type HTMLPurifier_URIParser
  22      */
  23     private $parser;
  24
  25     /**
  26      * @type bool
  27      */
  28     private $doEmbed;
  29
  30     /**
  31      * @type string
  32      */
  33     private $secretKey;
  34
  35     /**
  36      * @type array
  37      */
  38     protected $replace = array();
  39
  40     /**
  41      * @param HTMLPurifier_Config $config
  42      * @return bool
  43      */
  44     public function prepare($config)
  45     {
  46         $this->target = $config->get('URI.' . $this->name);
  47         $this->parser = new HTMLPurifier_URIParser();
  48         $this->doEmbed = $config->get('URI.MungeResources');
  49         $this->secretKey = $config->get('URI.MungeSecretKey');
  50         return true;
  51     }
  52
  53     /**
  54      * @param HTMLPurifier_URI $uri
  55      * @param HTMLPurifier_Config $config
  56      * @param HTMLPurifier_Context $context
  57      * @return bool
  58      */
  59     public function filter(&$uri, $config, $context)
  60     {
  61         if ($context->get('EmbeddedURI', true) && !$this->doEmbed) {
  62             return true;
  63         }
  64
  65         $scheme_obj = $uri->getSchemeObj($config, $context);
  66         if (!$scheme_obj) {
  67             return true;
  68         } // ignore unknown schemes, maybe another postfilter did it
  69         if (!$scheme_obj->browsable) {
  70             return true;
  71         } // ignore non-browseable schemes, since we can't munge those in a reasonable way
  72         if ($uri->isBenign($config, $context)) {
  73             return true;
  74         } // don't redirect if a benign URL
  75
  76         $this->makeReplace($uri, $config, $context);
  77         $this->replace = array_map('rawurlencode', $this->replace);
  78
  79         $new_uri = strtr($this->target, $this->replace);
  80         $new_uri = $this->parser->parse($new_uri);
  81         // don't redirect if the target host is the same as the
  82         // starting host
  83         if ($uri->host === $new_uri->host) {
  84             return true;
  85         }
  86         $uri = $new_uri; // overwrite
  87         return true;
  88     }
  89
  90     /**
  91      * @param HTMLPurifier_URI $uri
  92      * @param HTMLPurifier_Config $config
  93      * @param HTMLPurifier_Context $context
  94      */
  95     protected function makeReplace($uri, $config, $context)
  96     {
  97         $string = $uri->toString();
  98         // always available
  99         $this->replace['%s'] = $string;
 100         $this->replace['%r'] = $context->get('EmbeddedURI', true);
 101         $token = $context->get('CurrentToken', true);
 102         $this->replace['%n'] = $token ? $token->name : null;
 103         $this->replace['%m'] = $context->get('CurrentAttr', true);
 104         $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
 105         // not always available
 106         if ($this->secretKey) {
 107             $this->replace['%t'] = sha1($this->secretKey . ':' . $string);
 108         }
 109     }
 110 }
 111
 112 // vim: et sw=4 sts=4