[github/wallabag/wallabag.git] / inc / 3rdparty / htmlpurifier / HTMLPurifier / AttrDef / CSS / URI.php

<?php\r
\r
/**\r
 * Validates a URI in CSS syntax, which uses url('http://example.com')\r
 * @note While theoretically speaking a URI in a CSS document could\r
 *       be non-embedded, as of CSS2 there is no such usage so we're\r
 *       generalizing it. This may need to be changed in the future.\r
 * @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as\r
 *          the separator, you cannot put a literal semicolon in\r
 *          in the URI. Try percent encoding it, in that case.\r
 */\r
class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI\r
{\r
\r
    public function __construct()\r
    {\r
        parent::__construct(true); // always embedded\r
    }\r
\r
    /**\r
     * @param string $uri_string\r
     * @param HTMLPurifier_Config $config\r
     * @param HTMLPurifier_Context $context\r
     * @return bool|string\r
     */\r
    public function validate($uri_string, $config, $context)\r
    {\r
        // parse the URI out of the string and then pass it onto\r
        // the parent object\r
\r
        $uri_string = $this->parseCDATA($uri_string);\r
        if (strpos($uri_string, 'url(') !== 0) {\r
            return false;\r
        }\r
        $uri_string = substr($uri_string, 4);\r
        $new_length = strlen($uri_string) - 1;\r
        if ($uri_string[$new_length] != ')') {\r
            return false;\r
        }\r
        $uri = trim(substr($uri_string, 0, $new_length));\r
\r
        if (!empty($uri) && ($uri[0] == "'" || $uri[0] == '"')) {\r
            $quote = $uri[0];\r
            $new_length = strlen($uri) - 1;\r
            if ($uri[$new_length] !== $quote) {\r
                return false;\r
            }\r
            $uri = substr($uri, 1, $new_length - 1);\r
        }\r
\r
        $uri = $this->expandCSSEscape($uri);\r
\r
        $result = parent::validate($uri, $config, $context);\r
\r
        if ($result === false) {\r
            return false;\r
        }\r
\r
        // extra sanity check; should have been done by URI\r
        $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);\r
\r
        // suspicious characters are ()'; we're going to percent encode\r
        // them for safety.\r
        $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);\r
\r
        // there's an extra bug where ampersands lose their escaping on\r
        // an innerHTML cycle, so a very unlucky query parameter could\r
        // then change the meaning of the URL.  Unfortunately, there's\r
        // not much we can do about that...\r
        return "url(\"$result\")";\r
    }\r
}\r
\r
// vim: et sw=4 sts=4\r
Commit	Line	Data
d4949327 NL	1	<?php\r
	2	\r
	3	/**\r
	4	* Validates a URI in CSS syntax, which uses url('http://example.com')\r
	5	* @note While theoretically speaking a URI in a CSS document could\r
	6	* be non-embedded, as of CSS2 there is no such usage so we're\r
	7	* generalizing it. This may need to be changed in the future.\r
	8	* @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as\r
	9	* the separator, you cannot put a literal semicolon in\r
	10	* in the URI. Try percent encoding it, in that case.\r
	11	*/\r
	12	class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI\r
	13	{\r
	14	\r
	15	public function __construct()\r
	16	{\r
	17	parent::__construct(true); // always embedded\r
	18	}\r
	19	\r
	20	/**\r
	21	* @param string $uri_string\r
	22	* @param HTMLPurifier_Config $config\r
	23	* @param HTMLPurifier_Context $context\r
	24	* @return bool\|string\r
	25	*/\r
	26	public function validate($uri_string, $config, $context)\r
	27	{\r
	28	// parse the URI out of the string and then pass it onto\r
	29	// the parent object\r
	30	\r
	31	$uri_string = $this->parseCDATA($uri_string);\r
	32	if (strpos($uri_string, 'url(') !== 0) {\r
	33	return false;\r
	34	}\r
	35	$uri_string = substr($uri_string, 4);\r
	36	$new_length = strlen($uri_string) - 1;\r
	37	if ($uri_string[$new_length] != ')') {\r
	38	return false;\r
	39	}\r
	40	$uri = trim(substr($uri_string, 0, $new_length));\r
	41	\r
	42	if (!empty($uri) && ($uri[0] == "'" \|\| $uri[0] == '"')) {\r
	43	$quote = $uri[0];\r
	44	$new_length = strlen($uri) - 1;\r
	45	if ($uri[$new_length] !== $quote) {\r
	46	return false;\r
	47	}\r
	48	$uri = substr($uri, 1, $new_length - 1);\r
	49	}\r
	50	\r
	51	$uri = $this->expandCSSEscape($uri);\r
	52	\r
	53	$result = parent::validate($uri, $config, $context);\r
	54	\r
	55	if ($result === false) {\r
	56	return false;\r
	57	}\r
	58	\r
	59	// extra sanity check; should have been done by URI\r
	60	$result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);\r
	61	\r
	62	// suspicious characters are ()'; we're going to percent encode\r
	63	// them for safety.\r
	64	$result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);\r
65	\r
66	// there's an extra bug where ampersands lose their escaping on\r
67	// an innerHTML cycle, so a very unlucky query parameter could\r
68	// then change the meaning of the URL. Unfortunately, there's\r
69	// not much we can do about that...\r
70	return "url(\"$result\")";\r
71	}\r
72	}\r
73	\r
74	// vim: et sw=4 sts=4\r