From ec86598446cdf193f866cc018518f63d7357099e Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Thu, 9 Sep 2010 00:01:26 -0400
Subject: [PATCH] Add support for file:// URI scheme.

Signed-off-by: Edward Z. Yang
---
 NEWS | 2 ++
 .../ConfigSchema/schema/URI.AllowedSchemes.txt | 4 ++--
 library/HTMLPurifier/URIScheme/file.php | 26 ++++++++++++++++++++++
 tests/HTMLPurifier/HTMLT/file-uri.htmlt | 5 +++++
 tests/HTMLPurifier/URISchemeTest.php | 7 ++++++
 5 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 library/HTMLPurifier/URIScheme/file.php
 create mode 100644 tests/HTMLPurifier/HTMLT/file-uri.htmlt

diff --git a/NEWS b/NEWS
index 90497358..752ec364 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,8 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 ! Add %CSS.ForbiddenProperties configuration directive.
 ! Add %HTML.FlashAllowFullScreen to permit embedded Flash objects to utilize
 full-screen mode.
+! Add optional support for the file URI scheme, enable
+ by explicitly setting %URI.AllowedSchemes.
 - Fix improper handling of Internet Explorer conditional comments by parser.
 Thanks zmonteca for reporting.
 - Fix missing attributes bug when running on Mac Snow Leopard and APC.
diff --git a/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt b/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
index ae3a913f..666635a5 100644
--- a/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt
@@ -12,6 +12,6 @@ array (
 --DESCRIPTION--
 Whitelist that defines the schemes that a URI is allowed to have. This
 prevents XSS attacks from using pseudo-schemes like javascript or mocha.
-There is also support for the data URI scheme, but it is not
-enabled by default.
+There is also support for the data and file
+URI schemes, but they are not enabled by default.
 --# vim: et sw=4 sts=4
diff --git a/library/HTMLPurifier/URIScheme/file.php b/library/HTMLPurifier/URIScheme/file.php
new file mode 100644
index 00000000..407b6c17
--- /dev/null
+++ b/library/HTMLPurifier/URIScheme/file.php
@@ -0,0 +1,26 @@
+userinfo = null;
+ // file:// makes no provisions for accessing the resource
+ $uri->port = null;
+ // While it seems to work on Firefox, the querystring has
+ // no possible effect and is thus stripped.
+ $uri->query = null;
+ return true;
+ }
+
+}
+
+// vim: et sw=4 sts=4
diff --git a/tests/HTMLPurifier/HTMLT/file-uri.htmlt b/tests/HTMLPurifier/HTMLT/file-uri.htmlt
new file mode 100644
index 00000000..5b9e34a8
--- /dev/null
+++ b/tests/HTMLPurifier/HTMLT/file-uri.htmlt
@@ -0,0 +1,5 @@
+--INI--
+URI.AllowedSchemes = file
+--HTML--
+foo
+--# vim: et sw=4 sts=4
diff --git a/tests/HTMLPurifier/URISchemeTest.php b/tests/HTMLPurifier/URISchemeTest.php
index b4dd44cf..23b8b203 100644
--- a/tests/HTMLPurifier/URISchemeTest.php
+++ b/tests/HTMLPurifier/URISchemeTest.php
@@ -165,6 +165,13 @@ class HTMLPurifier_URISchemeTest extends HTMLPurifier_URIHarness
 );
 }
 
+ function test_file_basic() {
+ $this->assertValidation(
+ 'file://user@MYCOMPUTER:12/foo/bar?baz#frag',
+ 'file://MYCOMPUTER/foo/bar#frag'
+ );
+ }
+
 }
 
 // vim: et sw=4 sts=4
-- 
2.11.4.GIT
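Review bot: doValidate keeps the host component while nulling userinfo, port and query (`$uri->port = null;`, `$uri->query = null;`), so a link such as `file://MYCOMPUTER/foo/bar` survives with its host intact, and a file URI carrying a host is commonly interpreted by Windows browsers as a UNC network-share path; neither this hunk nor the %URI.AllowedSchemes description records that consequence. Because the scheme is opt-in (the NEWS and schema hunks both say it must be enabled explicitly), the point is documentation rather than a code change: a class-level comment such as `// The host of the authority is preserved; file://host/path is treated as a network-share path by Windows browsers, so enable this scheme only for trusted authors.` would make the trade-off visible to whoever sets the directive. The class header and doValidate's signature are not legible in this rendering of the hunk (its first added lines collapsed to `+userinfo = null;`), so whether the class already carries such a note cannot be checked here.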
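Review bot: test_file_basic exercises only a URI with every authority component present; the empty-host form `file:///foo/bar`, which is the usual spelling, has no case, so how the validator treats an absent host is left unpinned. Since the visible doValidate only nulls userinfo, port and query, the expected output for that form is presumably the input unchanged — `$this->assertValidation('file:///foo/bar', 'file:///foo/bar');` — but confirm this against the scheme's host handling, which lies outside the hunk. The `#frag` in the existing assertion already pins that the fragment is preserved, so only the host case is missing.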