URI.php 2.5 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677
  1. <?php
  2. /**
  3. * Validates a URI in CSS syntax, which uses url('http://example.com')
  4. * @note While theoretically speaking a URI in a CSS document could
  5. * be non-embedded, as of CSS2 there is no such usage so we're
  6. * generalizing it. This may need to be changed in the future.
  7. * @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as
  8. * the separator, you cannot put a literal semicolon in
  9. * in the URI. Try percent encoding it, in that case.
  10. */
  11. class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
  12. {
  13. public function __construct()
  14. {
  15. parent::__construct(true); // always embedded
  16. }
  17. /**
  18. * @param string $uri_string
  19. * @param HTMLPurifier_Config $config
  20. * @param HTMLPurifier_Context $context
  21. * @return bool|string
  22. */
  23. public function validate($uri_string, $config, $context)
  24. {
  25. // parse the URI out of the string and then pass it onto
  26. // the parent object
  27. $uri_string = $this->parseCDATA($uri_string);
  28. if (strpos($uri_string, 'url(') !== 0) {
  29. return false;
  30. }
  31. $uri_string = substr($uri_string, 4);
  32. if (strlen($uri_string) == 0) {
  33. return false;
  34. }
  35. $new_length = strlen($uri_string) - 1;
  36. if ($uri_string[$new_length] != ')') {
  37. return false;
  38. }
  39. $uri = trim(substr($uri_string, 0, $new_length));
  40. if (!empty($uri) && ($uri[0] == "'" || $uri[0] == '"')) {
  41. $quote = $uri[0];
  42. $new_length = strlen($uri) - 1;
  43. if ($uri[$new_length] !== $quote) {
  44. return false;
  45. }
  46. $uri = substr($uri, 1, $new_length - 1);
  47. }
  48. $uri = $this->expandCSSEscape($uri);
  49. $result = parent::validate($uri, $config, $context);
  50. if ($result === false) {
  51. return false;
  52. }
  53. // extra sanity check; should have been done by URI
  54. $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);
  55. // suspicious characters are ()'; we're going to percent encode
  56. // them for safety.
  57. $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);
  58. // there's an extra bug where ampersands lose their escaping on
  59. // an innerHTML cycle, so a very unlucky query parameter could
  60. // then change the meaning of the URL. Unfortunately, there's
  61. // not much we can do about that...
  62. return "url(\"$result\")";
  63. }
  64. }
  65. // vim: et sw=4 sts=4