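 /**
  * URI filter for iframe sources: only whitelisted iframe URIs survive, and
  * on an HTTPS page a plain-http iframe is rewritten to a protocol-relative
  * URL so the embed does not become mixed content.
  *
  * The filter is a no-op (keeps the URI) when HTML.SafeIframe is disabled,
  * when the URI is not an embedded one, or when the current token is not an
  * <iframe>. With no whitelist configured it fails closed.
  *
  * @param HTMLPurifier_URI $uri         URI under inspection; may be modified in place
  * @param HTMLPurifier_Config $config
  * @param HTMLPurifier_Context $context
  * @return bool true to keep the URI, false to drop it
  */
 public function filter(&$uri, $config, $context)
 {
     // filter disabled by configuration: nothing to do
     if (!$config->get('HTML.SafeIframe')) {
         return true;
     }
     // only embedded URIs (src=, not href=) are subject to the whitelist
     if (!$context->get('EmbeddedURI', true)) {
         return true;
     }
     $token = $context->get('CurrentToken', true);
     if (!($token && $token->name === 'iframe')) {
         return true;
     }
     // no whitelist configured: fail closed, every iframe URI is rejected
     if ($this->regexp === null) {
         return false;
     }
     // The whitelist is matched against the full serialized URI, still carrying
     // its original scheme. Whitelist patterns need to be anchored and to
     // terminate the host (e.g. a trailing "/"); otherwise a URI such as
     // "host.evil.example" or "host@evil.example" would also match.
     if (!preg_match($this->regexp, $uri->toString())) {
         return false;
     }
     // On an HTTPS page, turn an http: iframe into a protocol-relative URL so
     // the browser fetches it over HTTPS. is_https() is a project-level helper,
     // not part of HTMLPurifier.
     if (is_https() && $uri->scheme === 'http') {
         $uri->scheme = null;
     }
     // Fix: the original returned the URI object here although the documented
     // contract (and the other URIFilter implementations) is a bool; callers
     // only test truthiness, so return true explicitly.
     return true;
 }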
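 /**
  * Check whether a data: URI carries image data and may be kept.
  *
  * Only <img src="..."> tokens are considered; any other token carrying a
  * data: URI is discarded. The base64 payload is decoded into a temporary
  * file and inspected with Tinebase_ImageHelper::isImageFile(). The mimetype
  * declared in the URI is only logged, it is not verified against the content.
  *
  * @param HTMLPurifier_URI $uri     the data: URI (used for logging only)
  * @param HTMLPurifier_Token $token the token carrying the URI
  * @return boolean true if the payload is an image file, false otherwise
  */
 protected function _checkData($uri, $token)
 {
     $result = false;
     if ($token->name === 'img' && isset($token->attr['src'])) {
         $imgSrc = str_replace(array("\r", "\n"), '', $token->attr['src']);
         // The pattern is unanchored: $mimetype may be empty and the payload is
         // everything that follows the first ";base64,".
         if (preg_match('/([a-z\\/]*);base64,(.*)/', $imgSrc, $matches)) {
             $mimetype = $matches[1];
             $base64 = $matches[2];
             if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
                 Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Found base64 image: ' . $base64);
             }
             // Non-strict decode: bytes outside the base64 alphabet are silently
             // skipped. @todo consider base64_decode($base64, true) to reject
             // malformed payloads outright.
             $data = base64_decode($base64);
             $tmpPath = tempnam(Tinebase_Core::getTempDir(), 'tine20_tmp_imgdata');
             if ($tmpPath === false || $data === false || file_put_contents($tmpPath, $data) === false) {
                 // could not stage the payload for inspection: treat as not an image
                 if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
                     Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Could not write image data to temp file: ' . $uri->toString());
                 }
             } else {
                 // @todo check given mimetype or all images types?
                 if (!Tinebase_ImageHelper::isImageFile($tmpPath)) {
                     if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
                         Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' URI data is no image file: ' . $uri->toString());
                     }
                 } else {
                     if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
                         Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Verified ' . $mimetype . ' image.');
                     }
                     $result = true;
                 }
             }
             // Fix: the temp file created by tempnam() was never removed, leaking
             // one file per inspected data: URI. Remove it whatever the outcome.
             if ($tmpPath !== false && is_file($tmpPath)) {
                 unlink($tmpPath);
             }
         }
     } else {
         if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
             Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Only allow images data uris, discarding: ' . $token->name);
         }
     }
     return $result;
 }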
 /**
  * Decide whether a URI pointing at an external resource may be kept.
  *
  * Only the http, https and mailto schemes qualify, and only inside <a>
  * tags: external resources referenced from other tags (images, iframes,
  * ...) are removed so that rendering the content does not fetch anything
  * from the network.
  *
  * @param HTMLPurifier_URI $uri
  * @param HTMLPurifier_Token $token
  * @return boolean true to keep the URI, false to remove it
  *
  * @todo we need a preference / on demand button if loading external ressources is allowed
  * @todo use a different namespace for src= e.g. tine20:src= $context->attr[tine20:URI] = OR use "library/extjs/blank.gif?resourceURI"
  */
 protected function _checkExternalUrl($uri, $token)
 {
     // A proxying variant - replacing the URI with blank.gif plus a
     // "Felamimail.getResource&uri=<base64>&type=<token>" query - was sketched
     // here at some point and is not active.
     $schemeAllowed = in_array($uri->scheme, array('http', 'https', 'mailto'), true);
     $isAnchor = ($token->name === 'a');
     $keep = $schemeAllowed && $isAnchor;
     if (!$keep && Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
         Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Remove  URI: ' . $uri->toString());
     }
     return $keep;
 }
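 /**
  * URI filter for iframe sources: an embedded URI on an <iframe> is kept only
  * if it matches the configured whitelist regexp.
  *
  * The filter is a no-op (keeps the URI) when HTML.SafeIframe is disabled,
  * when the URI is not an embedded one, or when the current token is not an
  * <iframe>. With no whitelist configured it fails closed.
  *
  * @param HTMLPurifier_URI $uri
  * @param HTMLPurifier_Config $config
  * @param HTMLPurifier_Context $context
  * @return bool true to keep the URI, false to drop it
  */
 public function filter(&$uri, $config, $context)
 {
     // filter disabled by configuration: nothing to do
     if (!$config->get('HTML.SafeIframe')) {
         return true;
     }
     // only embedded URIs (src=, not href=) are subject to the whitelist
     if (!$context->get('EmbeddedURI', true)) {
         return true;
     }
     $token = $context->get('CurrentToken', true);
     if (!($token && $token->name === 'iframe')) {
         return true;
     }
     // no whitelist configured: fail closed, every iframe URI is rejected
     if ($this->regexp === null) {
         return false;
     }
     // The whitelist is matched against the full serialized URI. Patterns need
     // to be anchored and to terminate the host (e.g. a trailing "/"), or a
     // URI such as "host.evil.example" or "host@evil.example" also matches.
     // preg_match() returns 0/1 (or false on a PCRE error, which is treated as
     // a rejection); cast so the documented bool contract holds.
     return (bool) preg_match($this->regexp, $uri->toString());
 }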
 /**
  * Populate the %-placeholders substituted into the munge target.
  *
  * Always set: %s (the serialized URI), %r (whether the URI is embedded),
  * %n (name of the current token, null without one), %m (the current
  * attribute) and %p (the current CSS property). %t, an HMAC-SHA256 of the
  * serialized URI keyed with the configured secret, is only set when a secret
  * key is configured - presumably so the munge target can verify that the URI
  * really came through this purifier.
  *
  * @param HTMLPurifier_URI $uri
  * @param HTMLPurifier_Config $config
  * @param HTMLPurifier_Context $context
  */
 protected function makeReplace($uri, $config, $context)
 {
     $serialized = $uri->toString();
     $embedded = $context->get('EmbeddedURI', true);
     $currentToken = $context->get('CurrentToken', true);
     $placeholders = array(
         '%s' => $serialized,
         '%r' => $embedded,
         '%n' => $currentToken ? $currentToken->name : null,
         '%m' => $context->get('CurrentAttr', true),
         '%p' => $context->get('CurrentCSSProperty', true),
     );
     // %t only exists when a secret is configured
     if ($this->secretKey) {
         $placeholders['%t'] = hash_hmac("sha256", $serialized, $this->secretKey);
     }
     foreach ($placeholders as $key => $value) {
         $this->replace[$key] = $value;
     }
 }
 /**
  * Test helper: build an HTMLPurifier_URI from its components and assert that
  * it serializes to exactly $expect_uri.
  *
  * @param string $expect_uri expected result of toString()
  * @param string|null $scheme
  * @param string|null $userinfo
  * @param string|null $host
  * @param int|string|null $port
  * @param string|null $path
  * @param string|null $query
  * @param string|null $fragment
  */
 protected function assertToString($expect_uri, $scheme, $userinfo, $host, $port, $path, $query, $fragment)
 {
     $built = new HTMLPurifier_URI($scheme, $userinfo, $host, $port, $path, $query, $fragment);
     $actual = $built->toString();
     $this->assertIdentical($actual, $expect_uri);
 }