From 10e2d32a794d975fa7527e749f9c07fe4e73c1df Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang"
Date: Mon, 25 May 2009 23:38:49 -0400
Subject: [PATCH] Lock configuration objects to a single namespace, to help prevent bugs. * Also, fix a slight bug with URI definition clearing.
Signed-off-by: Edward Z. Yang
---
 NEWS | 5 +++++
 TODO | 2 --
 library/HTMLPurifier/Config.php | 20 +++++++++++++++++++-
 3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/NEWS b/NEWS
index d017d399..3630ff36 100644
--- a/NEWS
+++ b/NEWS
@@ -34,8 +34,13 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
 ! Implement %Attr.AllowedClasses, which allows administrators to restrict classes users can use to a specified finite set of classes, and %Attr.ForbiddenClasses, which is the logical inverse.
+- Fix bug where URIDefinition would not get cleared if it's directives got
+ changed.
 . Created script maintenance/rename-config.php for renaming a configuration directive while maintaining its alias. This script does not change source code.
+. Implement namespace locking for definition construction, to prevent
+ bugs where a directive is used for definition construction but is not
+ used to construct the cache hash.
 3.3.0, released 2009-02-16
 ! Implement CSS property 'overflow' when %CSS.AllowTricky is true.
diff --git a/TODO b/TODO
index 03a70ebf..de07f378 100644
--- a/TODO
+++ b/TODO
@@ -20,8 +20,6 @@ afraid to cast your vote for the next feature to be implemented!
 - Think about allowing explicit order of operations hooks for transforms
 - Allow more relaxed "class" definition than NMTOKENS for appropriate doctypes
-- Lock when configuring Definition objects so we CAN'T access configuration
- directives outside of what dependency has been registered.
 FUTURE VERSIONS
 ---------------
diff --git a/library/HTMLPurifier/Config.php b/library/HTMLPurifier/Config.php
index be8bd0b8..34231ddf 100644
--- a/library/HTMLPurifier/Config.php
+++ b/library/HTMLPurifier/Config.php
@@ -81,6 +81,11 @@ class HTMLPurifier_Config
 public $chatty = true;
 /**
+ * Current lock; only gets to this namespace are allowed.
+ */
+ private $lock;
+
+ /**
 * @param $definition HTMLPurifier_ConfigSchema that defines what directives
 * are allowed.
 */
@@ -157,6 +162,13 @@ class HTMLPurifier_Config
 E_USER_ERROR);
 return;
 }
+ if ($this->lock) {
+ list($ns) = explode('.', $key);
+ if ($ns !== $this->lock) {
+ $this->triggerError('Cannot get value of namespace ' . $ns . ' when lock for ' . $this->lock . ' is active, this probably indicates a Definition setup method is accessing directives that are not within its namespace', E_USER_ERROR);
+ return;
+ }
+ }
 return $this->plist->get($key);
 }
@@ -285,7 +297,7 @@ class HTMLPurifier_Config
 // reset definitions if the directives they depend on changed
 // this is a very costly process, so it's discouraged
 // with finalization
- if ($namespace == 'HTML' || $namespace == 'CSS') {
+ if ($namespace == 'HTML' || $namespace == 'CSS' || $namespace == 'URI') {
 $this->definitions[$namespace] = null;
 }
@@ -326,8 +338,12 @@ class HTMLPurifier_Config
 */
 public function getDefinition($type, $raw = false) {
 if (!$this->finalized) $this->autoFinalize();
+ // temporarily suspend locks, so we can handle recursive definition calls
+ $lock = $this->lock;
+ $this->lock = null;
 $factory = HTMLPurifier_DefinitionCacheFactory::instance();
 $cache = $factory->create($type, $this);
+ $this->lock = $lock;
 if (!$raw) {
 // see if we can quickly supply a definition
 if (!empty($this->definitions[$type])) {
@@ -369,7 +385,9 @@ class HTMLPurifier_Config
 return $this->definitions[$type];
 }
 // set it up
+ $this->lock = $type;
 $this->definitions[$type]->setup($this);
+ $this->lock = null;
 // save in cache
 $cache->set($this->definitions[$type], $this);
 return $this->definitions[$type];
-- 
2.11.4.GIT
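Review bot: The docblock on `$lock` in the first hunk does not say what the property holds or what an unset value means. Going by the other hunks it is the definition type passed to `getDefinition()`, used as a namespace name, and `null` when no lock is active. A comment such as `Namespace that get() is currently restricted to, or null when no lock is active.` would make that explicit. It is also worth stating there that, in this patch, only `get()` consults the lock.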
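Review bot: The namespace check in the second hunk is added to `get()` only, so a Definition `setup()` could still read directives from another namespace through any other accessor on this class. `getBatch()` and `getAll()` are not touched by this patch, so confirm whether they need the same guard. This matters because the NEWS entry gives the goal as stopping directives that are not part of the cache hash from shaping a cached definition. The new branch also returns `null` after `triggerError()`, so where the application's error handler does not halt on `E_USER_ERROR`, setup continues with a null directive value. The body of `get()` starts outside the hunk.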
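Review bot: The list of namespaces that invalidate a cached definition in the third hunk is hard-coded, and this change exists because `URI` had been left out of it, so the next definition type is likely to be missed the same way. Keying the reset on the cache itself, `if (isset($this->definitions[$namespace])) {`, removes the list, assuming `$this->definitions` is only ever keyed by definition type. If the literal list stays, `===` is the safer comparison for these string constants. The enclosing method starts outside the hunk.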
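Review bot: The saved lock in the fourth hunk is restored only if `$factory->create($type, $this)` returns normally. If anything in between throws, for example an application error handler that converts the `E_USER_ERROR` raised by `get()` into an exception, `$this->lock` stays `null` and an outer setup in progress is no longer checked. The `$this->lock = $type; ... $this->lock = null;` pair in the last hunk has the same gap in the other direction: a throw out of `setup()` leaves the object locked to `$type` for every later `get()`. Wrapping each guarded call in `try { ... } catch (Exception $e) { $this->lock = $lock; throw $e; }` keeps the lock state consistent on both paths.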
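Review bot: In the last hunk the lock is reset to `null` after `setup()` rather than to the value it had before. When this runs inside another definition's `setup()`, the recursive case that the previous hunk's comment refers to, the outer setup continues with the namespace check switched off. Saving and restoring keeps it active: `$previous = $this->lock; $this->lock = $type;` before the call and `$this->lock = $previous;` after it. The surrounding function body lies outside the hunk, so whether a nested call can reach this line should be confirmed there.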