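<?php

/**
 * Validates a URI in CSS syntax, which uses url('http://example.com')
 * @note While theoretically speaking a URI in a CSS document could
 *       be non-embedded, as of CSS2 there is no such usage so we're
 *       generalizing it. This may need to be changed in the future.
 * @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as
 *          the separator, you cannot put a literal semicolon in
 *          in the URI. Try percent encoding it, in that case.
 */
class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
{

    public function __construct()
    {
        parent::__construct(true); // always embedded
    }

    /**
     * Strips the url(...) wrapper off a CSS URI value, hands the inner URI
     * to the parent (embedded-URI) definition, and re-wraps the accepted
     * result as url("...") with the characters that could close that
     * form (quotes, parentheses, backslashes, line breaks) removed or
     * percent-encoded.
     *
     * @param string $uri_string Raw CSS value, e.g. url('http://example.com')
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return bool|string Normalized url("...") string, or false when the
     *                     value is not a well-formed url() token or the
     *                     parent definition rejects the URI.
     */
    public function validate($uri_string, $config, $context)
    {
        // parse the URI out of the string and then pass it onto
        // the parent object

        $uri_string = $this->parseCDATA($uri_string);
        if (strpos($uri_string, 'url(') !== 0) {
            return false;
        }
        $uri_string = substr($uri_string, 4);
        $new_length = strlen($uri_string) - 1;
        // A bare "url(" leaves nothing after the prefix; reject it before
        // indexing so we never read a negative (out-of-range) offset.
        if ($new_length < 0 || $uri_string[$new_length] !== ')') {
            return false;
        }
        $uri = trim(substr($uri_string, 0, $new_length));

        if (!empty($uri) && ($uri[0] == "'" || $uri[0] == '"')) {
            $quote = $uri[0];
            $new_length = strlen($uri) - 1;
            // A quoted form needs a distinct closing quote: a lone quote
            // character would otherwise pass both checks and leave an
            // empty (pre-PHP 8: false) substring to validate.
            if ($new_length < 1 || $uri[$new_length] !== $quote) {
                return false;
            }
            $uri = substr($uri, 1, $new_length - 1);
        }

        $uri = $this->expandCSSEscape($uri);

        $result = parent::validate($uri, $config, $context);

        if ($result === false) {
            return false;
        }

        // extra sanity check; should have been done by URI
        $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);

        // suspicious characters are ()'; we're going to percent encode
        // them for safety.
        $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);

        // there's an extra bug where ampersands lose their escaping on
        // an innerHTML cycle, so a very unlucky query parameter could
        // then change the meaning of the URL. Unfortunately, there's
        // not much we can do about that...
        return "url(\"$result\")";
    }
}

// vim: et sw=4 sts=4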