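/**
 * Allow an <iframe src> URI only if it matches the configured iframe whitelist.
 *
 * The check runs only when HTML.SafeIframe is enabled and the URI currently being
 * filtered is the embedded (src) URI of an iframe token; every other URI passes
 * through untouched. With no whitelist regexp loaded into $this->regexp (done
 * elsewhere, presumably from the HTML.SafeIframe.Regexp setting) every iframe is
 * rejected. When the request itself is served over HTTPS, an accepted http: iframe
 * URL is rewritten in place to a protocol-relative one.
 *
 * @param HTMLPurifier_URI $uri      modified in place (scheme may be cleared)
 * @param HTMLPurifier_Config $config
 * @param HTMLPurifier_Context $context
 * @return bool true to keep the URI, false to drop it
 */
public function filter(&$uri, $config, $context)
{
    // filter disabled: nothing to check
    if (!$config->get('HTML.SafeIframe')) {
        return true;
    }
    // only embedded (src) URIs are subject to the whitelist
    if (!$context->get('EmbeddedURI', true)) {
        return true;
    }
    // ... and only those of iframe tokens
    $token = $context->get('CurrentToken', true);
    if (!($token && $token->name === 'iframe')) {
        return true;
    }
    // no whitelist configured: fail closed, reject every iframe
    if ($this->regexp === null) {
        return false;
    }
    // the whitelist is matched against the URI as given, i.e. before the scheme rewrite below
    if (!preg_match($this->regexp, $uri->toString())) {
        return false;
    }
    // on an HTTPS page, turn an accepted http: frame into a protocol-relative URL
    if (is_https() && $uri->scheme === 'http') {
        $uri->scheme = null;
    }
    // the URI object was modified in place; the return value is only the accept flag
    // (the original returned the URI object here, which is truthy but contradicts @return bool)
    return true;
}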
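/**
 * check if data is valid, check and allow
 *
 * Accepts a data: URI only when it is the src of an <img> token and its base64
 * payload decodes to something Tinebase_ImageHelper::isImageFile() recognises
 * as an image. The payload is decoded to a temporary file for that check and the
 * file is removed again regardless of the outcome.
 *
 * @param HTMLPurifier_URI $uri
 * @param HTMLPurifier_Token $token
 * @return boolean true if the URI is a verified image data URI
 */
protected function _checkData($uri, $token)
{
    if ($token->name !== 'img' || !isset($token->attr['src'])) {
        if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
            Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__
                . ' Only allow images data uris, discarding: ' . $token->name);
        }
        return false;
    }

    // line breaks inside a data URI are tolerated by browsers; strip them before matching
    $imgSrc = str_replace(array("\r", "\n"), '', $token->attr['src']);
    if (!preg_match('/([a-z\\/]*);base64,(.*)/', $imgSrc, $matches)) {
        // not a base64 data URI at all
        return false;
    }
    $mimetype = $matches[1];
    $base64 = $matches[2];

    if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
        Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Found base64 image: ' . $base64);
    }

    // base64_decode() never raises a warning, it returns false on failure - check that instead of using @
    $decoded = base64_decode($base64);
    if ($decoded === false) {
        if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
            Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__
                . ' URI data is no image file: ' . $uri->toString());
        }
        return false;
    }

    $result = false;
    $tmpPath = tempnam(Tinebase_Core::getTempDir(), 'tine20_tmp_imgdata');
    if ($tmpPath !== false && file_put_contents($tmpPath, $decoded) !== false) {
        // @todo check given mimetype or all images types? ($mimetype is currently only logged, not compared)
        $result = (bool) Tinebase_ImageHelper::isImageFile($tmpPath);
        if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
            if ($result) {
                Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Verified ' . $mimetype . ' image.');
            } else {
                Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__
                    . ' URI data is no image file: ' . $uri->toString());
            }
        }
    }
    // the temp file only served the image check; do not leave decoded payloads in the temp dir
    if ($tmpPath !== false) {
        unlink($tmpPath);
    }

    return $result;
}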
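/**
 * check external url
 *
 * An external URI is only kept when it is the href of an anchor (<a>) and uses
 * a http, https or mailto scheme. External references in any other token (e.g.
 * src= attributes) are rejected by this check.
 *
 * @param HTMLPurifier_URI $uri
 * @param HTMLPurifier_Token $token
 * @return boolean true if the URI may be kept
 *
 * @todo we need a preference / on demand button if loading external ressources is allowed
 * @todo use a different namespace for src= e.g. tine20:src= $context->attr[tine20:URI] = OR use "library/extjs/blank.gif?resourceURI"
 */
protected function _checkExternalUrl($uri, $token)
{
    // strict comparison so that a missing (null) scheme is never matched
    $schemeAllowed = in_array($uri->scheme, array('http', 'https', 'mailto'), true);

    // only allow external urls in anchors for the moment
    $result = $schemeAllowed && $token->name === 'a';

    if (!$result && Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
        Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Remove URI: ' . $uri->toString());
    }

    return $result;
}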
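/**
 * Allow an <iframe src> URI only if it matches the configured iframe whitelist.
 *
 * The check runs only when HTML.SafeIframe is enabled and the URI currently being
 * filtered is the embedded (src) URI of an iframe token; every other URI passes
 * through untouched. With no whitelist regexp loaded into $this->regexp (done
 * elsewhere) every iframe is rejected.
 *
 * @param HTMLPurifier_URI $uri
 * @param HTMLPurifier_Config $config
 * @param HTMLPurifier_Context $context
 * @return bool true to keep the URI, false to drop it
 */
public function filter(&$uri, $config, $context)
{
    // filter disabled: nothing to check
    if (!$config->get('HTML.SafeIframe')) {
        return true;
    }
    // only embedded (src) URIs are subject to the whitelist
    if (!$context->get('EmbeddedURI', true)) {
        return true;
    }
    // ... and only those of iframe tokens
    $token = $context->get('CurrentToken', true);
    if (!($token && $token->name === 'iframe')) {
        return true;
    }
    // no whitelist configured: fail closed, reject every iframe
    if ($this->regexp === null) {
        return false;
    }
    // preg_match() returns 1/0, or false on a PCRE error; normalise to bool so a
    // broken pattern rejects the iframe rather than leaking int|false to the caller
    return (bool) preg_match($this->regexp, $uri->toString());
}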
/**
 * Populate $this->replace with the substitution values for the munge template.
 *
 * Always set: %s (the URI as a string), %r (the EmbeddedURI context value),
 * %n (name of the current token, or null without one), %m (the current attribute)
 * and %p (the current CSS property). %t, an HMAC-SHA256 of the URI string under
 * $this->secretKey, is only set when a secret key is configured.
 *
 * @param HTMLPurifier_URI $uri
 * @param HTMLPurifier_Config $config
 * @param HTMLPurifier_Context $context
 */
protected function makeReplace($uri, $config, $context)
{
    $uriString = $uri->toString();

    // values that can always be filled in
    $this->replace['%s'] = $uriString;
    $this->replace['%r'] = $context->get('EmbeddedURI', true);

    $currentToken = $context->get('CurrentToken', true);
    $this->replace['%n'] = $currentToken ? $currentToken->name : null;

    $this->replace['%m'] = $context->get('CurrentAttr', true);
    $this->replace['%p'] = $context->get('CurrentCSSProperty', true);

    // %t depends on a configured secret; presumably consumed by whatever verifies munged URLs
    if ($this->secretKey) {
        $this->replace['%t'] = hash_hmac('sha256', $uriString, $this->secretKey);
    }
}
/**
 * Build a HTMLPurifier_URI from its components and assert that toString()
 * reproduces $expect_uri exactly.
 *
 * @param string $expect_uri the expected serialised URI
 * @param string|null $scheme
 * @param string|null $userinfo
 * @param string|null $host
 * @param int|null $port
 * @param string|null $path
 * @param string|null $query
 * @param string|null $fragment
 */
protected function assertToString($expect_uri, $scheme, $userinfo, $host, $port, $path, $query, $fragment)
{
    $built = new HTMLPurifier_URI($scheme, $userinfo, $host, $port, $path, $query, $fragment);
    $this->assertIdentical($built->toString(), $expect_uri);
}