/**
 * Exercises HTMLPurifier_URISchemeRegistry::getScheme() against the
 * URI.AllowedSchemes allowlist and the URI.OverrideAllowedSchemes switch:
 * built-in lookup, explicit registration, overriding a built-in, and the
 * refusal (null) of schemes that are neither allowed nor registered.
 */
function test()
 {
     generate_mock_once('HTMLPurifier_URIScheme');
     $context = new HTMLPurifier_Context();
     $registry = new HTMLPurifier_URISchemeRegistry();

     // Allowlist of http + telnet, with registered schemes allowed to
     // override the allowlist.
     $overridable = HTMLPurifier_Config::create(array('URI.AllowedSchemes' => 'http, telnet', 'URI.OverrideAllowedSchemes' => true));

     // A built-in scheme resolves without any explicit registration.
     $this->assertIsA($registry->getScheme('http', $overridable, $context), 'HTMLPurifier_URIScheme_http');

     // Registering a brand-new scheme makes it resolvable.
     $mockTelnet = new HTMLPurifier_URISchemeMock();
     $registry->register('telnet', $mockTelnet);
     $this->assertIdentical($registry->getScheme('telnet', $overridable, $context), $mockTelnet);

     // Registering over a built-in replaces it for good (the default is gone).
     $mockHttp = new HTMLPurifier_URISchemeMock();
     $registry->register('http', $mockHttp);
     $this->assertIdentical($registry->getScheme('http', $overridable, $context), $mockHttp);

     // A registered scheme is allowed even though it is not on the allowlist.
     $mockFoobar = new HTMLPurifier_URISchemeMock();
     $registry->register('foobar', $mockFoobar);
     $this->assertIdentical($registry->getScheme('foobar', $overridable, $context), $mockFoobar);

     // Same allowlist, but registration may no longer override it: the
     // registered-but-unlisted scheme is refused ...
     $strict = HTMLPurifier_Config::create(array('URI.AllowedSchemes' => 'http, telnet', 'URI.OverrideAllowedSchemes' => false));
     $this->assertNull($registry->getScheme('foobar', $strict, $context));
     // ... and so is a scheme that is neither listed nor registered.
     $this->assertNull($registry->getScheme('ftp', $strict, $context));
 }
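 /**
  * Retrieves the scheme object that validates this URI.
  *
  * The URI's own scheme is looked up in the scheme registry; a URI with no
  * scheme falls back to the URI definition's default scheme.
  *
  * @param $config Instance of HTMLPurifier_Config
  * @param $context Instance of HTMLPurifier_Context
  * @return Scheme object appropriate for validating this URI, or false when
  *         the registry yields nothing (scheme unknown or not allowed); the
  *         caller must then treat the URI as invalid
  */
 function getSchemeObj($config, &$context)
 {
     // Plain assignment: the registry is an object handle, so "=&" gained
     // nothing and raises "Only variables should be assigned by reference"
     // when instance() does not return by reference.
     $registry = HTMLPurifier_URISchemeRegistry::instance();
     if ($this->scheme === null) {
         // no scheme: retrieve the default one
         $def = $config->getDefinition('URI');
         $scheme_obj = $registry->getScheme($def->defaultScheme, $config, $context);
         if (!$scheme_obj) {
             // something funky happened to the default scheme object
             trigger_error('Default scheme object "' . $def->defaultScheme . '" was not readable', E_USER_WARNING);
             return false;
         }
         return $scheme_obj;
     }
     $scheme_obj = $registry->getScheme($this->scheme, $config, $context);
     if (!$scheme_obj) {
         // unknown or disallowed scheme: the registry refused it, so report
         // the URI as invalid and let the caller clean it out
         return false;
     }
     return $scheme_obj;
 }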
 /**
  * Rewrites $uri to point at the configured redirector target, unless the
  * URI is one this filter leaves alone.
  *
  * Untouched: embedded URIs (when doEmbed is off), URIs whose scheme is
  * unknown or not browsable, local URIs that are not a secure-to-insecure
  * downgrade, and URIs whose host equals the munged host.
  *
  * @param HTMLPurifier_URI $uri     rewritten in place when munged
  * @param HTMLPurifier_Config $config
  * @param HTMLPurifier_Context $context
  * @return bool always true; the URI is never rejected by this filter
  */
 public function filter(&$uri, $config, $context)
 {
     // Embedded resources are skipped unless this filter was told to munge them too.
     if ($context->get('EmbeddedURI', true) && !$this->doEmbed) {
         return true;
     }

     $targetScheme = $uri->getSchemeObj($config, $context);
     // Unknown scheme: leave it, maybe another postfilter handles it.
     if (!$targetScheme) {
         return true;
     }
     // Non-browsable schemes are never redirected.
     if (!$targetScheme->browsable) {
         return true;
     }

     if ($uri->isLocal($config, $context)) {
         // A local target is only munged when we are on a secure scheme and
         // the target scheme is insecure (a downgrade).
         $uriDef = $config->getDefinition('URI');
         $pageScheme = HTMLPurifier_URISchemeRegistry::instance()->getScheme($uriDef->defaultScheme, $config, $context);
         // NOTE(review): assumes the default scheme is registered; $pageScheme
         // is read without a null check, as in the original.
         $isDowngrade = !$targetScheme->secure && $pageScheme->secure;
         if (!$isDowngrade) {
             return true;
         }
     }

     $this->makeReplace($uri, $config, $context);
     $this->replace = array_map('rawurlencode', $this->replace);
     $munged = $this->parser->parse(strtr($this->target, $this->replace));
     // Redirecting to the host we started on gains nothing.
     if ($uri->host === $munged->host) {
         return true;
     }
     $uri = $munged;
     return true;
 }
 /**
  * Resolves this definition's default scheme name to its scheme object via
  * the shared scheme registry.
  *
  * @param HTMLPurifier_Config $config
  * @param HTMLPurifier_Context $context
  * @return HTMLPurifier_URIScheme|null whatever the registry returns for
  *         $this->defaultScheme (null when it has no such scheme)
  */
 public function getDefaultScheme($config, $context)
 {
     $registry = HTMLPurifier_URISchemeRegistry::instance();
     return $registry->getScheme($this->defaultScheme, $config, $context);
 }
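 /**
  * Builds the HTMLPurifier instance used to clean user-supplied HTML and
  * stores it in $this->purifier.
  *
  * The configuration is XHTML 1.0 Transitional, UTF-8, with serialized
  * definitions cached under the "htmlclean" cache directory, plus the
  * Sugar-specific allowances: <link> and <iframe> elements, prefixed ids,
  * the cid: URI scheme, and the SugarURIFilter on every URI.
  */
 function __construct()
 {
     global $sugar_config;
     $config = HTMLPurifier_Config::createDefault();
     if (!is_dir(sugar_cached("htmlclean"))) {
         create_cache_directory("htmlclean/");
     }
     $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
     $config->set('Core.Encoding', 'UTF-8');
     // Elements whose content must never reach the output.
     $hidden_tags = ['script' => true, 'style' => true, 'title' => true, 'head' => true];
     $config->set('Core.HiddenElements', $hidden_tags);
     // Set once; the original set this key twice and the trailing-slash
     // form won, so that is the value kept.
     $config->set('Cache.SerializerPath', sugar_cached('htmlclean/'));
     $config->set('URI.Base', $sugar_config['site_url']);
     $config->set('CSS.Proprietary', true);
     $config->set('HTML.TidyLevel', 'light');
     $config->set('HTML.ForbiddenElements', ['body' => true, 'html' => true]);
     $config->set('AutoFormat.RemoveEmpty', false);
     $config->set('Cache.SerializerPermissions', 0775);
     // Filter.ExtractStyleBlocks is deliberately left off: its tidy
     // implementation needs csstidy, which is GPL and cannot be used here.
     $config->set('Filter.ExtractStyleBlocks.TidyImpl', false);
     // <object>/<embed> stay disabled unless the deployment opts in; only
     // the Safe* variants are ever enabled. Same global as above, read
     // through the imported $sugar_config rather than $GLOBALS.
     if (!empty($sugar_config['html_allow_objects'])) {
         $config->set('HTML.SafeObject', true);
         $config->set('HTML.SafeEmbed', true);
     }
     $config->set('Output.FlashCompat', true);
     // Custom filter for iframe and xmp handling.
     $config->set('Filter.Custom', [new HTMLPurifier_Filter_Xmp()]);
     // Identifies Sugar's customised HTML definition in the cache; bump the
     // revision whenever the addElement() calls below change.
     $config->set('HTML.DefinitionID', 'Sugar HTML Def');
     $config->set('HTML.DefinitionRev', 2);
     // IDs are allowed but namespaced with a prefix.
     $config->set('Attr.EnableID', true);
     $config->set('Attr.IDPrefix', 'sugar_text_');
     // Only a fresh (uncached) definition can be extended; a cached one
     // already contains these elements.
     $def = $config->maybeGetRawHTMLDefinition();
     if ($def) {
         // <link> for stylesheets; href is a required URI attribute.
         $def->addElement('link', 'Flow', 'Empty', 'Core', ['href*' => 'URI', 'rel' => 'Enum#stylesheet', 'type' => 'Enum#text/css']);
         // <iframe> with a required URI src; the URI attribute type is
         // presumably subject to the same URI validation and filters as
         // any other URI attribute (including SugarURIFilter below).
         $iframe = $def->addElement('iframe', 'Flow', 'Optional: #PCDATA | Flow | Block', 'Core', ['src*' => 'URI', 'frameborder' => 'Enum#0,1', 'marginwidth' => 'Pixels', 'marginheight' => 'Pixels', 'scrolling' => 'Enum#|yes,no,auto', 'align' => 'Enum#top,middle,bottom,left,right,center', 'height' => 'Length', 'width' => 'Length']);
         // No nested iframes.
         $iframe->excludes = ['iframe'];
     }
     $uri = $config->getDefinition('URI');
     $uri->addFilter(new SugarURIFilter(), $config);
     // cid: (embedded-attachment) URIs must resolve to a scheme or they are dropped.
     HTMLPurifier_URISchemeRegistry::instance()->register('cid', new HTMLPurifier_URIScheme_cid());
     $this->purifier = new HTMLPurifier($config);
 }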
 /**
  * Puts the registry held in $this->oldRegistry back as the
  * HTMLPurifier_URISchemeRegistry singleton, undoing the mock installed for
  * this test (presumably by the matching setUp helper) so later tests see
  * the real registry.
  */
 protected function tearDownSchemeRegistryMock()
 {
     $restored = $this->oldRegistry;
     HTMLPurifier_URISchemeRegistry::instance($restored);
 }