library/HTMLPurifier/AttrDef/URI.php

   1 <?php
   2
   3 require_once 'HTMLPurifier/AttrDef.php';
   4 require_once 'HTMLPurifier/URIParser.php';
   5 require_once 'HTMLPurifier/URIScheme.php';
   6 require_once 'HTMLPurifier/URISchemeRegistry.php';
   7 require_once 'HTMLPurifier/AttrDef/URI/Host.php';
   8 require_once 'HTMLPurifier/PercentEncoder.php';
   9 require_once 'HTMLPurifier/AttrDef/URI/Email.php';
  10
  11 // special case filtering directives
  12
  13 HTMLPurifier_ConfigSchema::define(
  14     'URI', 'Munge', null, 'string/null', '
  15 <p>
  16     Munges all browsable (usually http, https and ftp)
  17     absolute URI\'s into another URI, usually a URI redirection service.
  18     This directive accepts a URI, formatted with a <code>%s</code> where
  19     the url-encoded original URI should be inserted (sample:
  20     <code>http://www.google.com/url?q=%s</code>).
  21 </p>
  22 <p>
  23     Uses for this directive:
  24 </p>
  25 <ul>
  26     <li>
  27         Prevent PageRank leaks, while being fairly transparent
  28         to users (you may also want to add some client side JavaScript to
  29         override the text in the statusbar). <strong>Notice</strong>:
  30         Many security experts believe that this form of protection does not deter spam-bots.
  31     </li>
  32     <li>
  33         Redirect users to a splash page telling them they are leaving your
  34         website. While this is poor usability practice, it is often mandated
  35         in corporate environments.
  36     </li>
  37 </ul>
  38 <p>
  39     This directive has been available since 1.3.0.
  40 </p>
  41 ');
  42
  43 // disabling directives
  44
  45 HTMLPurifier_ConfigSchema::define(
  46     'URI', 'Disable', false, 'bool', '
  47 <p>
  48     Disables all URIs in all forms. Not sure why you\'d want to do that
  49     (after all, the Internet\'s founded on the notion of a hyperlink).
  50     This directive has been available since 1.3.0.
  51 </p>
  52 ');
  53 HTMLPurifier_ConfigSchema::defineAlias('Attr', 'DisableURI', 'URI', 'Disable');
  54
  55 HTMLPurifier_ConfigSchema::define(
  56     'URI', 'DisableResources', false, 'bool', '
  57 <p>
  58     Disables embedding resources, essentially meaning no pictures. You can
  59     still link to them though. See %URI.DisableExternalResources for why
  60     this might be a good idea. This directive has been available since 1.3.0.
  61 </p>
  62 ');
  63
  64 /**
  65  * Validates a URI as defined by RFC 3986.
  66  * @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
  67  */
  68 class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
  69 {
  70
  71     var $parser, $percentEncoder;
  72     var $embedsResource;
  73
  74     /**
  75      * @param $embeds_resource_resource Does the URI here result in an extra HTTP request?
  76      */
  77     function HTMLPurifier_AttrDef_URI($embeds_resource = false) {
  78         $this->parser = new HTMLPurifier_URIParser();
  79         $this->percentEncoder = new HTMLPurifier_PercentEncoder();
  80         $this->embedsResource = (bool) $embeds_resource;
  81     }
  82
  83     function validate($uri, $config, &$context) {
  84
  85         if ($config->get('URI', 'Disable')) return false;
  86
  87         // initial operations
  88         $uri = $this->parseCDATA($uri);
  89         $uri = $this->percentEncoder->normalize($uri);
  90
  91         // parse the URI
  92         $uri = $this->parser->parse($uri);
  93         if ($uri === false) return false;
  94
  95         // add embedded flag to context for validators
  96         $context->register('EmbeddedURI', $this->embedsResource);
  97
  98         $ok = false;
  99         do {
 100
 101             // generic validation
 102             $result = $uri->validate($config, $context);
 103             if (!$result) break;
 104
 105             // chained filtering
 106             $uri_def =& $config->getDefinition('URI');
 107             $result = $uri_def->filter($uri, $config, $context);
 108             if (!$result) break;
 109
 110             // scheme-specific validation
 111             $scheme_obj = $uri->getSchemeObj($config, $context);
 112             if (!$scheme_obj) break;
 113             if ($this->embedsResource && !$scheme_obj->browsable) break;
 114             $result = $scheme_obj->validate($uri, $config, $context);
 115             if (!$result) break;
 116
 117             // survived gauntlet
 118             $ok = true;
 119
 120         } while (false);
 121
 122         $context->destroy('EmbeddedURI');
 123         if (!$ok) return false;
 124
 125         // munge scheme off if necessary (this must be last)
 126         if (!is_null($uri->scheme) && is_null($uri->host)) {
 127             if ($uri_def->defaultScheme == $uri->scheme) {
 128                 $uri->scheme = null;
 129             }
 130         }
 131
 132         // back to string
 133         $result = $uri->toString();
 134
 135         // munge entire URI if necessary
 136         if (
 137             !is_null($uri->host) && // indicator for authority
 138             !empty($scheme_obj->browsable) &&
 139             !is_null($munge = $config->get('URI', 'Munge'))
 140         ) {
 141             $result = str_replace('%s', rawurlencode($result), $munge);
 142         }
 143
 144         return $result;
 145
 146     }
 147
 148 }
 149
 150