3 require_once 'HTMLPurifier/AttrDef.php';
4 require_once 'HTMLPurifier/URIParser.php';
5 require_once 'HTMLPurifier/URIScheme.php';
6 require_once 'HTMLPurifier/URISchemeRegistry.php';
7 require_once 'HTMLPurifier/AttrDef/URI/Host.php';
8 require_once 'HTMLPurifier/PercentEncoder.php';
9 require_once 'HTMLPurifier/AttrDef/URI/Email.php';
8 // special case filtering directives
//
// The directives below are registered with HTMLPurifier_ConfigSchema and are
// read back in HTMLPurifier_AttrDef_URI::validate() via $config->get('URI', ...).
//
// URI.Munge (string|null, default null): a template containing a literal
// "%s". validate() applies it only after the URI has passed the generic,
// filter-chain and scheme-specific checks, and only when the URI has a host
// (an authority) and a browsable scheme object; the already-validated URI is
// inserted with rawurlencode() through str_replace('%s', ...). The template
// itself is emitted verbatim, so it must come from operator-controlled
// configuration, never from untrusted input.
13 HTMLPurifier_ConfigSchema
::define(
14 'URI', 'Munge', null, 'string/null', '
16 Munges all browsable (usually http, https and ftp)
17 absolute URI\'s into another URI, usually a URI redirection service.
18 This directive accepts a URI, formatted with a <code>%s</code> where
19 the url-encoded original URI should be inserted (sample:
20 <code>http://www.google.com/url?q=%s</code>).
23 Uses for this directive:
27 Prevent PageRank leaks, while being fairly transparent
28 to users (you may also want to add some client side JavaScript to
29 override the text in the statusbar). <strong>Notice</strong>:
30 Many security experts believe that this form of protection does not deter spam-bots.
33 Redirect users to a splash page telling them they are leaving your
34 website. While this is poor usability practice, it is often mandated
35 in corporate environments.
39 This directive has been available since 1.3.0.
43 // disabling directives
//
// URI.Disable (bool, default false): the first check in validate(); when
// true every URI is rejected before it is even parsed.
45 HTMLPurifier_ConfigSchema
::define(
46 'URI', 'Disable', false, 'bool', '
48 Disables all URIs in all forms. Not sure why you\'d want to do that
49 (after all, the Internet\'s founded on the notion of a hyperlink).
50 This directive has been available since 1.3.0.
// Attr.DisableURI resolves to URI.Disable, so both names set the same flag.
53 HTMLPurifier_ConfigSchema
::defineAlias('Attr', 'DisableURI', 'URI', 'Disable');
// URI.DisableResources (bool, default false). It is not read in the visible
// part of validate(); presumably it is enforced by the URI definition's
// filter chain ($uri_def->filter) — verify where it takes effect. The
// description refers to %URI.DisableExternalResources, which is defined
// elsewhere.
55 HTMLPurifier_ConfigSchema
::define(
56 'URI', 'DisableResources', false, 'bool', '
58 Disables embedding resources, essentially meaning no pictures. You can
59 still link to them though. See %URI.DisableExternalResources for why
60 this might be a good idea. This directive has been available since 1.3.0.
65 * Validates a URI as defined by RFC 3986.
66 * @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
68 class HTMLPurifier_AttrDef_URI
extends HTMLPurifier_AttrDef
// Collaborators created in the constructor: $parser is an
// HTMLPurifier_URIParser, $percentEncoder an HTMLPurifier_PercentEncoder.
// NOTE(review): the constructor also assigns $this->embedsResource, which is
// not declared here; declaring it alongside these avoids a dynamic property.
71 var $parser, $percentEncoder;
/**
 * Sets up the parser and percent-encoder used by validate() and records
 * whether URIs accepted here embed a resource.
 *
 * @param bool $embeds_resource true when a URI accepted by this definition
 *                              causes an extra HTTP request; stored as
 *                              $this->embedsResource and later published to
 *                              the validation context as 'EmbeddedURI'.
 */
function HTMLPurifier_AttrDef_URI($embeds_resource = false) {
    // Normalize whatever the caller passed to a strict boolean.
    $this->embedsResource = (bool) $embeds_resource;
    // Helpers are stateless, so construction order does not matter.
    $this->percentEncoder = new HTMLPurifier_PercentEncoder();
    $this->parser = new HTMLPurifier_URIParser();
}
83 function validate($uri, $config, &$context) {
85 if ($config->get('URI', 'Disable')) return false;
88 $uri = $this->parseCDATA($uri);
89 $uri = $this->percentEncoder
->normalize($uri);
92 $uri = $this->parser
->parse($uri);
93 if ($uri === false) return false;
95 // add embedded flag to context for validators
96 $context->register('EmbeddedURI', $this->embedsResource
);
101 // generic validation
102 $result = $uri->validate($config, $context);
106 $uri_def =& $config->getDefinition('URI');
107 $result = $uri_def->filter($uri, $config, $context);
110 // scheme-specific validation
111 $scheme_obj = $uri->getSchemeObj($config, $context);
112 if (!$scheme_obj) break;
113 if ($this->embedsResource
&& !$scheme_obj->browsable
) break;
114 $result = $scheme_obj->validate($uri, $config, $context);
122 $context->destroy('EmbeddedURI');
123 if (!$ok) return false;
125 // munge scheme off if necessary (this must be last)
126 if (!is_null($uri->scheme
) && is_null($uri->host
)) {
127 if ($uri_def->defaultScheme
== $uri->scheme
) {
133 $result = $uri->toString();
135 // munge entire URI if necessary
137 !is_null($uri->host
) && // indicator for authority
138 !empty($scheme_obj->browsable
) &&
139 !is_null($munge = $config->get('URI', 'Munge'))
141 $result = str_replace('%s', rawurlencode($result), $munge);