1 | <?php\r |
2 | \r | |
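class HTMLPurifier_URIFilter_Munge extends HTMLPurifier_URIFilter
{
    /**
     * Filter name; also selects the %URI.Munge directive read in prepare().
     * @type string
     */
    public $name = 'Munge';

    /**
     * Runs as a post-filter (after the URI has been validated).
     * @type bool
     */
    public $post = true;

    /**
     * Munge target template (%URI.Munge). The placeholders listed in
     * makeReplace() are substituted with raw-url-encoded values.
     * @type string
     */
    private $target;

    /**
     * @type HTMLPurifier_URIParser
     */
    private $parser;

    /**
     * Whether embedded resources are munged too (%URI.MungeResources).
     * @type bool
     */
    private $doEmbed;

    /**
     * HMAC key for the %t token (%URI.MungeSecretKey); empty/unset means
     * no %t placeholder is produced.
     * @type string
     */
    private $secretKey;

    /**
     * Placeholder => value map built by makeReplace() for the URI currently
     * being filtered. Every placeholder is reassigned on each call (the %t
     * entry exists iff a secret key is configured), so no value from a
     * previous URI survives into the next substitution.
     * @type array
     */
    protected $replace = array();

    /**
     * Reads the munge configuration and sets up the URI parser.
     *
     * @param HTMLPurifier_Config $config
     * @return bool Always true.
     * @throws Exception if a secret key is configured but hash_hmac() is unavailable.
     */
    public function prepare($config)
    {
        $this->target = $config->get('URI.' . $this->name);
        $this->parser = new HTMLPurifier_URIParser();
        $this->doEmbed = $config->get('URI.MungeResources');
        $this->secretKey = $config->get('URI.MungeSecretKey');
        if ($this->secretKey && !function_exists('hash_hmac')) {
            throw new Exception("Cannot use %URI.MungeSecretKey without hash_hmac support.");
        }
        return true;
    }

    /**
     * Rewrites $uri to the munge target, unless the URI is an embedded
     * resource (and %URI.MungeResources is off), has an unknown or
     * non-browsable scheme, is benign, or already points at the target host.
     *
     * @param HTMLPurifier_URI $uri Replaced in place when munged.
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return bool Always true: this filter rewrites URIs, it never rejects one.
     */
    public function filter(&$uri, $config, $context)
    {
        // Embedded resources are left alone unless %URI.MungeResources is on.
        if ($context->get('EmbeddedURI', true) && !$this->doEmbed) {
            return true;
        }

        $scheme_obj = $uri->getSchemeObj($config, $context);
        if (!$scheme_obj) {
            return true;
        } // ignore unknown schemes, maybe another postfilter did it
        if (!$scheme_obj->browsable) {
            return true;
        } // ignore non-browseable schemes, since we can't munge those in a reasonable way
        if ($uri->isBenign($config, $context)) {
            return true;
        } // don't redirect if a benign URL

        $this->makeReplace($uri, $config, $context);
        // Context values can be null or bool (no current token, embedded flag
        // unset). Cast to string before encoding so rawurlencode() never sees
        // null (deprecated since PHP 8.1); strval(null) and strval(false) are
        // both '', which is exactly what rawurlencode() produced before.
        $this->replace = array_map('rawurlencode', array_map('strval', $this->replace));

        $new_uri = $this->parser->parse(strtr($this->target, $this->replace));
        // The parser returns false for a string it cannot parse (e.g. a
        // malformed %URI.Munge template); in that case keep the original URI
        // instead of overwriting it with a non-object.
        if (!$new_uri) {
            return true;
        }
        // don't redirect if the target host is the same as the
        // starting host
        if ($uri->host === $new_uri->host) {
            return true;
        }
        $uri = $new_uri; // overwrite
        return true;
    }

    /**
     * Fills $this->replace with the placeholder values for $uri:
     *   %s  the URI as a string
     *   %r  the EmbeddedURI context flag
     *   %n  name of the current token (tag), or null if there is none
     *   %m  the current attribute name
     *   %p  the current CSS property name
     *   %t  HMAC-SHA256 of %s under %URI.MungeSecretKey (only when a key is set)
     * Values are stored raw here; filter() url-encodes them afterwards.
     *
     * @param HTMLPurifier_URI $uri
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     */
    protected function makeReplace($uri, $config, $context)
    {
        $string = $uri->toString();
        // always available (the second argument to get() suppresses the
        // missing-key error, so absent values come back as null)
        $this->replace['%s'] = $string;
        $this->replace['%r'] = $context->get('EmbeddedURI', true);
        $token = $context->get('CurrentToken', true);
        $this->replace['%n'] = $token ? $token->name : null;
        $this->replace['%m'] = $context->get('CurrentAttr', true);
        $this->replace['%p'] = $context->get('CurrentCSSProperty', true);
        // not always available
        if ($this->secretKey) {
            // %t lets the munge endpoint check that the URI was produced by
            // this filter: it must recompute hash_hmac('sha256', $url, $key)
            // over the decoded %s value and compare with hash_equals() before
            // acting on it. The HMAC covers only the URI, not %r/%n/%m/%p.
            $this->replace['%t'] = hash_hmac("sha256", $string, $this->secretKey);
        }
    }
}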
114 | \r | |
115 | // vim: et sw=4 sts=4\r |