HTMLPurifier 4.4.0
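<?php

/**
 * Validates a CSS url() value and returns it in a normalised, quoted form.
 *
 * The value is unwrapped (the leading "url(", the trailing ")" and a
 * matching pair of quotes are removed), passed through expandCSSEscape(),
 * and the bare URI is handed to HTMLPurifier_AttrDef_URI::validate(). The
 * validated URI is then re-wrapped as url("...") with the characters that
 * could terminate the quoted token or the url() function removed or
 * percent-encoded.
 */
class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
{

    public function __construct() {
        // a CSS url() always references an embedded resource
        parent::__construct(true); // always embedded
    }

    /**
     * @param string $uri_string Raw CSS value, expected to look like url(...)
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string|false Normalised url("...") string, or false when the
     *                      value is not a well-formed url() token or the
     *                      parent URI validator rejects it.
     */
    public function validate($uri_string, $config, $context) {
        // parse the URI out of the string and then pass it onto
        // the parent object

        $uri_string = $this->parseCDATA($uri_string);
        if (strpos($uri_string, 'url(') !== 0) return false;
        $uri_string = substr($uri_string, 4);
        // "url(" on its own leaves nothing ("" on PHP 8, false on older
        // versions); indexing it at offset -1 below would only raise a
        // notice instead of rejecting the value outright
        if (strlen($uri_string) === 0) return false;
        $new_length = strlen($uri_string) - 1;
        if ($uri_string[$new_length] !== ')') return false;
        $uri = trim(substr($uri_string, 0, $new_length));

        if (!empty($uri) && ($uri[0] == "'" || $uri[0] == '"')) {
            $quote = $uri[0];
            $new_length = strlen($uri) - 1;
            // a lone quote character would satisfy both the opening and the
            // closing check, so require at least an opening and a closing one
            if ($new_length < 1 || $uri[$new_length] !== $quote) return false;
            $uri = substr($uri, 1, $new_length - 1);
        }

        $uri = $this->expandCSSEscape($uri);

        $result = parent::validate($uri, $config, $context);

        if ($result === false) return false;

        // extra sanity check; should have been done by URI. A double quote,
        // backslash or line break surviving here could close the quoted
        // url("...") token emitted below.
        $result = str_replace(array('"', "\\", "\n", "\x0c", "\r"), "", $result);

        // suspicious characters are ()'; we're going to percent encode
        // them for safety.
        $result = str_replace(array('(', ')', "'"), array('%28', '%29', '%27'), $result);

        // there's an extra bug where ampersands lose their escaping on
        // an innerHTML cycle, so a very unlucky query parameter could
        // then change the meaning of the URL. Unfortunately, there's
        // not much we can do about that...

        return "url(\"$result\")";

    }

}

// vim: et sw=4 sts=4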