1 | <?php\r |
2 | \r | |
3 | /**\r | |
4 | * Validates a URI in CSS syntax, which uses url('http://example.com')\r | |
5 | * @note While theoretically speaking a URI in a CSS document could\r | |
6 | * be non-embedded, as of CSS2 there is no such usage so we're\r | |
7 | * generalizing it. This may need to be changed in the future.\r | |
8 | * @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as\r | |
9 | * the separator, you cannot put a literal semicolon in\r | |
10 | * the URI. Try percent encoding it, in that case.\r | |
11 | */\r | |
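class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
{

    /**
     * CSS url() values are always treated as embedded resources (see the
     * class docblock), so the parent validator is constructed with the
     * embedded flag set.
     */
    public function __construct()
    {
        parent::__construct(true); // always embedded
    }

    /**
     * Validates a CSS url() token and re-serializes it in canonical,
     * double-quoted form.
     *
     * The raw value is unwrapped (leading "url(" and trailing ")", then an
     * optional matching pair of single or double quotes), CSS backslash
     * escapes are expanded, and the bare URI is passed to
     * HTMLPurifier_AttrDef_URI::validate(). The validated URI is then
     * hardened for the CSS string context before being re-wrapped.
     *
     * @param string $uri_string Raw attribute value, e.g. url('http://example.com')
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return bool|string Canonical url("...") string, or false on rejection
     */
    public function validate($uri_string, $config, $context)
    {
        $uri_string = $this->parseCDATA($uri_string);

        // Must begin with "url(" — anything else is not a CSS URI token.
        if (strpos($uri_string, 'url(') !== 0) {
            return false;
        }
        $uri_string = substr($uri_string, 4);

        // Guard the empty case explicitly: for input "url(" the stripped
        // string is empty (false on pre-7 PHP), and indexing offset -1
        // below would raise an "uninitialized string offset" notice/warning
        // — a crash under exception-converting error handlers — on
        // attacker-supplied input before the value is rejected.
        if ($uri_string === '' || $uri_string === false) {
            return false;
        }
        $new_length = strlen($uri_string) - 1;
        if ($uri_string[$new_length] !== ')') {
            return false;
        }
        $uri = trim(substr($uri_string, 0, $new_length));

        // Strip exactly one matching pair of quotes; a mismatched pair is
        // rejected rather than guessed at.
        if ($uri !== '' && ($uri[0] === "'" || $uri[0] === '"')) {
            $quote = $uri[0];
            $new_length = strlen($uri) - 1;
            if ($uri[$new_length] !== $quote) {
                return false;
            }
            $uri = substr($uri, 1, $new_length - 1);
        }

        // Decode CSS backslash escapes first so the URI validator sees the
        // characters a browser would see, not their escaped spellings.
        $uri = $this->expandCSSEscape($uri);

        $result = parent::validate($uri, $config, $context);
        if ($result === false) {
            return false;
        }

        // Defense in depth: these characters could terminate or escape the
        // double-quoted url("...") wrapper emitted below. The URI validator
        // is expected to have removed them already; remove them again here
        // so this method does not depend on that.
        $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);

        // Parentheses and single quotes are CSS-significant inside url();
        // percent-encode rather than strip so the URI stays well-formed.
        $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);

        // Known limitation: an innerHTML round-trip can un-escape ampersands,
        // so an unlucky query string could change meaning; nothing can be
        // done about that here.
        return "url(\"$result\")";
    }
}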
73 | \r | |
74 | // vim: et sw=4 sts=4\r |