Merge commit 'catalyst/MOODLE_19_STABLE' into mdl19-linuxchix
[moodle-linuxchix.git] / lib / htmlpurifier / HTMLPurifier / AttrDef / URI.php
1 <?php
3 require_once 'HTMLPurifier/AttrDef.php';
4 require_once 'HTMLPurifier/URIParser.php';
5 require_once 'HTMLPurifier/URIScheme.php';
6 require_once 'HTMLPurifier/URISchemeRegistry.php';
7 require_once 'HTMLPurifier/AttrDef/URI/Host.php';
8 require_once 'HTMLPurifier/PercentEncoder.php';
9 require_once 'HTMLPurifier/AttrDef/URI/Email.php';
// Special-case filtering directive: %URI.Munge (string or null, default null).
// validate() in this file applies it as its final step, and only when the
// parsed URI has a non-null host and the scheme object is marked browsable.
// The validated URI string is rawurlencode()d into the %s placeholder.
// NOTE(review): the condition in validate() does not test the embedded-resource
// flag, so embedded-resource URIs that meet it are munged as well.
// NOTE(review): the redirection endpoint configured here accepts whatever
// destination is substituted for %s; review that endpoint as a potential
// open redirector before enabling this directive.
HTMLPurifier_ConfigSchema::define(
    'URI',
    'Munge',
    null,
    'string/null',
    '
<p>
Munges all browsable (usually http, https and ftp)
absolute URI\'s into another URI, usually a URI redirection service.
This directive accepts a URI, formatted with a <code>%s</code> where
the url-encoded original URI should be inserted (sample:
<code>http://www.google.com/url?q=%s</code>).
</p>
<p>
Uses for this directive:
</p>
<ul>
<li>
Prevent PageRank leaks, while being fairly transparent
to users (you may also want to add some client side JavaScript to
override the text in the statusbar). <strong>Notice</strong>:
Many security experts believe that this form of protection does not deter spam-bots.
</li>
<li>
Redirect users to a splash page telling them they are leaving your
website. While this is poor usability practice, it is often mandated
in corporate environments.
</li>
</ul>
<p>
This directive has been available since 1.3.0.
</p>
'
);
// Disabling directive: %URI.Disable (bool, default false).
// validate() in this file checks it first and returns false for every URI
// when it is set, before any parsing takes place.
HTMLPurifier_ConfigSchema::define(
    'URI',
    'Disable',
    false,
    'bool',
    '
<p>
Disables all URIs in all forms. Not sure why you\'d want to do that
(after all, the Internet\'s founded on the notion of a hyperlink).
This directive has been available since 1.3.0.
</p>
'
);

// %Attr.DisableURI is registered as an alias that resolves to %URI.Disable.
HTMLPurifier_ConfigSchema::defineAlias(
    'Attr',
    'DisableURI',
    'URI',
    'Disable'
);
// Disabling directive: %URI.DisableResources (bool, default false).
// NOTE(review): validate() in this file does not read this directive itself;
// presumably it is enforced through the URI definition's filter chain, which
// can consult the 'EmbeddedURI' context flag -- confirm against the filters.
HTMLPurifier_ConfigSchema::define(
    'URI',
    'DisableResources',
    false,
    'bool',
    '
<p>
Disables embedding resources, essentially meaning no pictures. You can
still link to them though. See %URI.DisableExternalResources for why
this might be a good idea. This directive has been available since 1.3.0.
</p>
'
);
/**
 * Validates a URI as defined by RFC 3986.
 * @note Scheme-specific mechanics deferred to HTMLPurifier_URIScheme
 */
68 class HTMLPurifier_AttrDef_URI extends HTMLPurifier_AttrDef
71 var $parser;
72 var $embedsResource;
/**
 * PHP 4-style constructor (the method carries the class name).
 * Creates the URI parser and records whether this attribute embeds a resource.
 * The flag is later published to the context as 'EmbeddedURI' and is used by
 * validate() to refuse non-browsable schemes for embedded resources.
 * @param $embeds_resource Does the URI here result in an extra HTTP request?
 */
function HTMLPurifier_AttrDef_URI($embeds_resource = false) {
    $this->parser = new HTMLPurifier_URIParser();
    // Stored as a strict boolean regardless of what the caller passed.
    $this->embedsResource = $embeds_resource ? true : false;
}
/**
 * Validates a URI attribute value and returns its string form.
 *
 * The value must pass every stage in order: the %URI.Disable check, parsing,
 * generic URI validation, the URI definition's filter chain, and the
 * scheme-specific validation. Failing any stage yields false.
 *
 * @param $uri     Raw attribute value
 * @param $config  Config object; %URI.Disable, %URI.Munge and the 'URI'
 *                 definition are read from it
 * @param $context Context object; 'EmbeddedURI' is registered while the
 *                 validation stages run and destroyed afterwards
 * @return The validated URI string (munged when %URI.Munge applies), or false
 */
function validate($uri, $config, &$context) {

    // Global kill switch: no URI is accepted while %URI.Disable is set.
    if ($config->get('URI', 'Disable')) {
        return false;
    }

    // Run the inherited parseCDATA() helper, then hand the text to the parser.
    $uri = $this->parseCDATA($uri);
    $uri = $this->parser->parse($uri);
    if ($uri === false) {
        // The parser could not produce a URI object.
        return false;
    }

    // Publish the embedded flag so the validators and filters below can see it.
    $context->register('EmbeddedURI', $this->embedsResource);

    $ok = false;

    // Stage 1: generic validation on the parsed URI object.
    if ($uri->validate($config, $context)) {

        // Stage 2: chained filtering through the 'URI' definition.
        $uri_def =& $config->getDefinition('URI');
        if ($uri_def->filter($uri, $config, $context)) {

            // Stage 3: scheme-specific validation. A falsy scheme object
            // rejects the URI.
            $scheme_obj = $uri->getSchemeObj($config, $context);
            if ($scheme_obj) {
                // An embedded resource may only use a browsable scheme.
                $blocked = $this->embedsResource && !$scheme_obj->browsable;
                if (!$blocked && $scheme_obj->validate($uri, $config, $context)) {
                    // Survived every stage.
                    $ok = true;
                }
            }
        }
    }

    // Always remove the flag again, whether or not validation succeeded.
    $context->destroy('EmbeddedURI');
    if (!$ok) {
        return false;
    }

    // Serialise the (possibly rewritten) URI object back to a string.
    $result = $uri->toString();

    // Munge only URIs that have an authority (non-null host) and a browsable
    // scheme. The condition does not look at $this->embedsResource, so
    // embedded-resource URIs that meet it are munged as well.
    if (!is_null($uri->host) && !empty($scheme_obj->browsable)) {
        $munge = $config->get('URI', 'Munge');
        if (!is_null($munge)) {
            // The whole validated URI is percent-encoded before substitution,
            // so it cannot alter the structure of the munge template.
            $result = str_replace('%s', rawurlencode($result), $munge);
        }
    }

    return $result;
}