URI.php 2.2 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061
  1. <?php
  2. /**
  3. * Validates a URI in CSS syntax, which uses url('http://example.com')
  4. * @note While theoretically speaking a URI in a CSS document could
  5. * be non-embedded, as of CSS2 there is no such usage so we're
  6. * generalizing it. This may need to be changed in the future.
  7. * @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as
  8. * the separator, you cannot put a literal semicolon in
  9. * the URI. Try percent-encoding it in that case.
  10. */
  class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
  {

      /**
       * Builds the validator by passing true to the parent URI validator's
       * constructor, i.e. CSS URIs are always treated as embedded.
       */
      public function __construct()
      {
          parent::__construct(true); // always embedded
      }

      /**
       * Validates a CSS url(...) value and re-serializes it in a safe form.
       *
       * The URI is extracted from between "url(" and the final ")", an
       * optional pair of matching quotes is stripped, CSS escapes are
       * expanded, and the result is handed to the parent URI validator.
       *
       * @param string $uri_string Raw CSS value, e.g. url('http://example.com')
       * @param mixed $config Forwarded unchanged to parent::validate()
       * @param mixed $context Forwarded unchanged to parent::validate()
       * @return bool|string False when the value is malformed or the parent
       *         validator rejects the URI; otherwise the string
       *         url("...") wrapping the validated, re-escaped URI.
       */
      public function validate($uri_string, $config, $context)
      {
          // parse the URI out of the string and then pass it onto
          // the parent object
          $uri_string = $this->parseCDATA($uri_string);
          if (strpos($uri_string, 'url(') !== 0) {
              return false;
          }

          $uri_string = substr($uri_string, 4);
          // Nothing follows "url(" (substr() yields false before PHP 8 and
          // "" from PHP 8 on): reject here rather than reading a string
          // offset that does not exist.
          if ($uri_string === false || $uri_string === '') {
              return false;
          }

          $new_length = strlen($uri_string) - 1;
          if ($uri_string[$new_length] !== ')') {
              return false;
          }
          $uri = trim((string) substr($uri_string, 0, $new_length));

          if ($uri !== '' && ($uri[0] === "'" || $uri[0] === '"')) {
              $quote = $uri[0];
              $new_length = strlen($uri) - 1;
              // A quoted URI needs separate opening and closing quotes; a
              // lone quote character must not count as both.
              if ($new_length < 1 || $uri[$new_length] !== $quote) {
                  return false;
              }
              $uri = (string) substr($uri, 1, $new_length - 1);
          }

          $uri = $this->expandCSSEscape($uri);

          $result = parent::validate($uri, $config, $context);
          if ($result === false) {
              return false;
          }

          // extra sanity check; should have been done by URI
          $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);

          // suspicious characters are ()'; we're going to percent encode
          // them for safety.
          $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);

          // there's an extra bug where ampersands lose their escaping on
          // an innerHTML cycle, so a very unlucky query parameter could
          // then change the meaning of the URL. Unfortunately, there's
          // not much we can do about that...
          return "url(\"$result\")";
      }

  }
  46. // vim: et sw=4 sts=4