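/**
 * {@inheritdoc}
 *
 * Reports whether a value accepted by this filter's regexp can be used as a URL.
 * The check is conservative: any parsing failure, exception or PCRE error makes the
 * filter count as unsafe.
 *
 * @return bool True only if the regexp starts with an accepted fixed scheme, or cannot
 *              match any character that is disallowed in URLs
 */
public function isSafeAsURL()
{
    try {
        $regexpInfo = RegexpParser::parse($this->vars['regexp']);

        // Match any number of "(" optionally followed by "?:"
        $captureStart = '(?>\\((?:\\?:)?)*';

        // Regexps that start with a fixed scheme are considered safe. As a special case, we
        // allow the scheme part to end with a single ? to allow the regexp "https?"
        // The negative lookahead refuses anything that begins with "data" or that consists
        // of word characters followed by "script" (case-insensitive)
        $regexp = '#^\\^' . $captureStart . '(?!data|\\w*script)[a-z0-9]+\\??:#i';

        // With the "m" modifier, "^" also matches after a newline, so the scheme would no
        // longer be pinned to the start of the value
        // NOTE(review): this shortcut only looks at the beginning of the pattern; whatever
        // follows the scheme is not examined here. Confirm that is acceptable for every
        // regexp this filter can be configured with
        if (preg_match($regexp, $regexpInfo['regexp']) && strpos($regexpInfo['modifiers'], 'm') === false) {
            return true;
        }

        // Test whether this regexp could allow any character that's disallowed in URLs
        $regexp = RegexpParser::getAllowedCharacterRegexp($this->vars['regexp']);
        foreach (ContextSafeness::getDisallowedCharactersAsURL() as $char) {
            // preg_match() returns 1 on a match, 0 on no match and false on a PCRE error.
            // Only a clean "no match" lets the loop continue; an error must not be read as
            // "this character is rejected", so it fails closed like a match does
            if (preg_match($regexp, $char) !== 0) {
                return false;
            }
        }

        return true;
    } catch (Exception $e) {
        // If anything unexpected happens, we'll consider this filter is not safe
        return false;
    }
}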
/**
 * @testdox getDisallowedCharactersAsURL() returns a list of strings
 */
public function testGetDisallowedCharactersAsURL()
{
    $chars = ContextSafeness::getDisallowedCharactersAsURL();

    // The container itself must be an array...
    $this->assertInternalType('array', $chars);

    // ...and every entry in it must be a string. An empty array passes this loop vacuously
    foreach ($chars as $entry) {
        $this->assertInternalType('string', $entry);
    }
}
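/**
 * Reports whether a value accepted by this filter's regexp can be used as a URL.
 *
 * Fails closed: an exception or a PCRE error makes the filter count as unsafe.
 *
 * @return bool True only if the regexp starts with an accepted fixed scheme, or cannot
 *              match any character that is disallowed in URLs
 */
public function isSafeAsURL()
{
    try {
        $regexpInfo = RegexpParser::parse($this->vars['regexp']);

        // Any number of "(" optionally followed by "?:"
        $captureStart = '(?>\\((?:\\?:)?)*';

        // A regexp anchored on a fixed scheme is accepted, with one optional trailing "?"
        // so that "https?" qualifies. The lookahead refuses anything that begins with
        // "data" or that consists of word characters followed by "script"
        $regexp = '#^\\^' . $captureStart . '(?!data|\\w*script)[a-z0-9]+\\??:#i';

        // The "m" modifier would let "^" match after a newline, so it disables the shortcut
        // NOTE(review): only the beginning of the pattern is inspected here; confirm that
        // is acceptable for every regexp this filter can be configured with
        if (\preg_match($regexp, $regexpInfo['regexp']) && \strpos($regexpInfo['modifiers'], 'm') === \false) {
            return \true;
        }

        // Otherwise check each character that is disallowed in URLs against the
        // allowed-character regexp built by RegexpParser
        $regexp = RegexpParser::getAllowedCharacterRegexp($this->vars['regexp']);
        foreach (ContextSafeness::getDisallowedCharactersAsURL() as $char) {
            // preg_match() returns false on a PCRE error; treat that like a match so an
            // error can never be mistaken for "this character is rejected"
            if (\preg_match($regexp, $char) !== 0) {
                return \false;
            }
        }

        return \true;
    } catch (Exception $e) {
        // Anything unexpected means the filter is not considered safe
        return \false;
    }
}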