/**
 * Exercises HTMLPurifier_URISchemeRegistry::getScheme() against the
 * URI.AllowedSchemes / URI.OverrideAllowedSchemes settings.
 *
 * Security-relevant behaviour pinned here: with OverrideAllowedSchemes
 * enabled, any scheme handed to register() becomes resolvable even when it
 * is absent from URI.AllowedSchemes ('foobar' below). With it disabled,
 * register() alone does not grant permission and getScheme() returns null,
 * as it does for a scheme that is neither allowed nor registered ('ftp').
 */
function test()
{
    generate_mock_once('HTMLPurifier_URIScheme');

    $permissive = HTMLPurifier_Config::create(array(
        'URI.AllowedSchemes' => 'http, telnet',
        'URI.OverrideAllowedSchemes' => true,
    ));
    $context = new HTMLPurifier_Context();
    $registry = new HTMLPurifier_URISchemeRegistry();

    // Before any override, a built-in scheme resolves to its default implementation.
    $this->assertIsA(
        $registry->getScheme('http', $permissive, $context),
        'HTMLPurifier_URIScheme_http'
    );

    $mocks = array(
        'telnet' => new HTMLPurifier_URISchemeMock(), // allowed, newly registered
        'http'   => new HTMLPurifier_URISchemeMock(), // allowed, replaces the default for good
        'foobar' => new HTMLPurifier_URISchemeMock(), // NOT in AllowedSchemes
    );
    foreach ($mocks as $name => $mock) {
        // Registration is final (the default implementation is not consulted
        // again) and, with override on, implicitly allows the scheme.
        $registry->register($name, $mock);
        $this->assertIdentical($registry->getScheme($name, $permissive, $context), $mock);
    }

    // Override disabled: a registered-but-unlisted scheme is refused.
    $strict = HTMLPurifier_Config::create(array(
        'URI.AllowedSchemes' => 'http, telnet',
        'URI.OverrideAllowedSchemes' => false,
    ));
    $this->assertNull($registry->getScheme('foobar', $strict, $context));
    // Neither allowed nor registered.
    $this->assertNull($registry->getScheme('ftp', $strict, $context));
}
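/**
 * Retrieves the scheme object that validates this URI.
 *
 * With an explicit scheme on the URI, the registry is consulted; a falsy
 * result (scheme unknown, or not permitted under URI.AllowedSchemes /
 * URI.OverrideAllowedSchemes) yields false so the caller can clean the URI
 * out. Without an explicit scheme, the URI definition's default scheme is
 * resolved instead, and a failure there is reported as an E_USER_WARNING
 * because the default is expected to always be resolvable.
 *
 * @param $config Instance of HTMLPurifier_Config
 * @param $context Instance of HTMLPurifier_Context
 * @return Scheme object appropriate for validating this URI, or false when
 *         no scheme object could be resolved
 */
function getSchemeObj($config, &$context)
{
    // Plain assignment: instance() hands back an object handle, so taking a
    // reference gains nothing and (unless instance() is declared to return by
    // reference) raises "Only variables should be assigned by reference".
    $registry = HTMLPurifier_URISchemeRegistry::instance();

    if ($this->scheme !== null) {
        $scheme_obj = $registry->getScheme($this->scheme, $config, $context);
        if (!$scheme_obj) {
            return false; // invalid or disallowed scheme: caller cleans it out
        }
        return $scheme_obj;
    }

    // No scheme on the URI: fall back to the definition's default.
    $def = $config->getDefinition('URI');
    $scheme_obj = $registry->getScheme($def->defaultScheme, $config, $context);
    if (!$scheme_obj) {
        // Something funky happened to the default scheme object; surface it.
        trigger_error(
            'Default scheme object "' . $def->defaultScheme . '" was not readable',
            E_USER_WARNING
        );
        return false;
    }
    return $scheme_obj;
}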
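/**
 * Rewrites browsable, non-local URIs through the configured target template
 * ($this->target) so outbound links are redirected.
 *
 * Order of checks matters: URIs flagged EmbeddedURI in the context are
 * skipped unless $this->doEmbed is set; unknown and non-browsable schemes
 * are left untouched; local URIs are left untouched except for a
 * secure -> insecure scheme downgrade, which is still munged. The template
 * placeholders are rawurlencode()d before substitution so a crafted URI
 * cannot break out of the target template.
 *
 * @param HTMLPurifier_URI $uri      URI to filter; replaced in place when munged
 * @param HTMLPurifier_Config $config
 * @param HTMLPurifier_Context $context
 * @return bool always true: this filter rewrites, it never rejects
 */
public function filter(&$uri, $config, $context)
{
    // Embedded resources are only munged when explicitly enabled.
    if ($context->get('EmbeddedURI', true) && !$this->doEmbed) {
        return true;
    }

    $scheme_obj = $uri->getSchemeObj($config, $context);
    if (!$scheme_obj) {
        return true; // ignore unknown schemes, maybe another postfilter did it
    }
    if (!$scheme_obj->browsable) {
        return true; // ignore non-browseable schemes
    }

    // Don't redirect if target host is our host ...
    if ($uri->isLocal($config, $context)) {
        $uri_definition = $config->getDefinition('URI');
        // ... but do redirect if we're currently on a secure scheme and the
        // target scheme is insecure.
        $current_scheme_obj = HTMLPurifier_URISchemeRegistry::instance()
            ->getScheme($uri_definition->defaultScheme, $config, $context);
        // Guard a missing default scheme object (misconfiguration) instead of
        // dereferencing null; the outcome is unchanged: no munge.
        if (!$current_scheme_obj || $scheme_obj->secure || !$current_scheme_obj->secure) {
            return true;
        }
        // target scheme was not secure, but we were secure: fall through and munge
    }

    // makeReplace() (presumably on the parent filter class) fills $this->replace
    // with placeholder values; encode them so they are inert in the template.
    $this->makeReplace($uri, $config, $context);
    $this->replace = array_map('rawurlencode', $this->replace);
    $new_uri = strtr($this->target, $this->replace);
    $new_uri = $this->parser->parse($new_uri);

    // Don't redirect if the target host is the same as the starting host.
    if ($uri->host === $new_uri->host) {
        return true;
    }

    $uri = $new_uri; // overwrite
    return true;
}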
/**
 * Resolves this definition's default scheme (the one applied to scheme-less
 * URIs) through the scheme registry singleton.
 *
 * @param HTMLPurifier_Config $config
 * @param HTMLPurifier_Context $context
 * @return mixed whatever the registry returns for $this->defaultScheme
 *               (a scheme object, or null when it cannot be resolved)
 */
public function getDefaultScheme($config, $context)
{
    $registry = HTMLPurifier_URISchemeRegistry::instance();
    $name = $this->defaultScheme;
    return $registry->getScheme($name, $config, $context);
}
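/**
 * Builds the HTMLPurifier instance used to clean user-supplied HTML.
 *
 * Points a security reviewer should keep in mind:
 *  - <link rel="stylesheet" href> and <iframe src> are explicitly added to
 *    the definition with URI-typed attributes, so sanitised HTML can still
 *    pull in external stylesheets and frame external pages; the only
 *    additional gate is SugarURIFilter (registered below, not shown here).
 *  - <object>/<embed> are only enabled when html_allow_objects is set.
 *  - The 'cid' scheme is registered on the global registry singleton, so it
 *    is visible to every HTMLPurifier instance in the process; under
 *    HTMLPurifier's default URI.OverrideAllowedSchemes a registered scheme
 *    is implicitly allowed (confirm the effective setting).
 *  - HTML.DefinitionRev must be bumped whenever the addElement() calls
 *    change, otherwise a previously cached definition is used instead.
 */
function __construct()
{
    global $sugar_config;

    $config = HTMLPurifier_Config::createDefault();

    if (!is_dir(sugar_cached('htmlclean'))) {
        create_cache_directory('htmlclean/');
    }

    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('Core.HiddenElements', [
        'script' => true,
        'style' => true,
        'title' => true,
        'head' => true,
    ]);
    $config->set('URI.Base', $sugar_config['site_url']);
    $config->set('CSS.Proprietary', true);
    $config->set('HTML.TidyLevel', 'light');
    $config->set('HTML.ForbiddenElements', ['body' => true, 'html' => true]);
    $config->set('AutoFormat.RemoveEmpty', false);
    // NOTE(review): 0775 makes the serializer cache group-writable. HTMLPurifier
    // reads cached definitions back via unserialize(), so every account in the
    // web server's group can influence the purifier; confirm that group is trusted.
    $config->set('Cache.SerializerPermissions', 0775);

    // Style handling: extraction of <style> blocks is deliberately disabled.
    //$config->set('Filter.ExtractStyleBlocks', true);
    $config->set('Filter.ExtractStyleBlocks.TidyImpl', false); // can't use csstidy, GPL

    // <object> / <embed> only when the installation opts in.
    if (!empty($sugar_config['html_allow_objects'])) {
        $config->set('HTML.SafeObject', true);
        $config->set('HTML.SafeEmbed', true);
    }
    $config->set('Output.FlashCompat', true);

    // <iframe> and <xmp> support.
    $config->set('Filter.Custom', [new HTMLPurifier_Filter_Xmp()]);

    // Custom definition (<link>, <iframe>); bump DefinitionRev on change.
    $config->set('HTML.DefinitionID', 'Sugar HTML Def');
    $config->set('HTML.DefinitionRev', 2);
    // Set once; it used to be set twice (with and without trailing slash),
    // this later, slashed value being the effective one.
    $config->set('Cache.SerializerPath', sugar_cached('htmlclean/'));

    // IDs are namespaced so user markup cannot collide with application IDs.
    $config->set('Attr.EnableID', true);
    $config->set('Attr.IDPrefix', 'sugar_text_');

    if ($def = $config->maybeGetRawHTMLDefinition()) {
        // NOTE(review): href is URI-typed, so stylesheets from any allowed
        // scheme/host can be referenced; SugarURIFilter is the remaining gate.
        $form = $def->addElement('link', 'Flow', 'Empty', 'Core', [
            'href*' => 'URI',
            'rel' => 'Enum#stylesheet',
            'type' => 'Enum#text/css',
        ]);
        // NOTE(review): same for iframe src; nested iframes are excluded below.
        $iframe = $def->addElement('iframe', 'Flow', 'Optional: #PCDATA | Flow | Block', 'Core', [
            'src*' => 'URI',
            'frameborder' => 'Enum#0,1',
            'marginwidth' => 'Pixels',
            'marginheight' => 'Pixels',
            'scrolling' => 'Enum#|yes,no,auto',
            'align' => 'Enum#top,middle,bottom,left,right,center',
            'height' => 'Length',
            'width' => 'Length',
        ]);
        $iframe->excludes = ['iframe'];
    }

    $uri = $config->getDefinition('URI');
    $uri->addFilter(new SugarURIFilter(), $config);
    // Global singleton: affects all purifiers in this process, not just this one.
    HTMLPurifier_URISchemeRegistry::instance()->register('cid', new HTMLPurifier_URIScheme_cid());

    $this->purifier = new HTMLPurifier($config);
}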
/**
 * Reinstalls the registry saved in $this->oldRegistry as the scheme registry
 * singleton (instance() with an argument is presumed to set it), so a mock
 * registry used by one test does not leak into later tests in the process.
 */
protected function tearDownSchemeRegistryMock()
{
    $previous = $this->oldRegistry;
    HTMLPurifier_URISchemeRegistry::instance($previous);
}