DisplayRemoteLinkURI injector

Posted by tpaksu 
DisplayRemoteLinkURI injector
March 21, 2012 08:19AM

I've created a new injector named AutoFilter.DisplayRemoteLinkURI and explained at the link below how to add it. It works like DisplayLinkURI but just for remote URLs. Local URLs stay the same. And I couldn't figure out how to use the DisableExternal URIFilter inside it, so I wrote a temporary function to check if a link is remote or local.


Just wanted to inform you. If it's hacking the core and not allowed, I'd remove that.

Re: DisplayRemoteLinkURI injector
March 22, 2012 09:07PM

It seems basically reasonable. I'm wondering if it should be integrated into the existing code, or should live as a standalone; I think I'd be interested in putting this into the core.

Re: DisplayRemoteLinkURI injector
March 23, 2012 03:16AM

Thank you, some people would need it too, I think. But I still think the remote or local check should be different from what I've applied inside the code. Your code in DisableExternals filter seems more reliable to me.

Re: DisplayRemoteLinkURI injector
March 24, 2012 09:24PM

OK. You're running into something of a bad design decision in HTML Purifier, but what I would suggest is parsing the URI with HTMLPurifier_URI and then invoking the appropriate filter on it. But it's all a bit convoluted.

Re: DisplayRemoteLinkURI injector
March 24, 2012 09:33PM

Yes, I know that'd be a bad design decision if I would cross-cable them. Well, I think the current code would work fine. How much can a URI be complicated, right?

Re: DisplayRemoteLinkURI injector
March 24, 2012 09:38PM

Well, it can be pretty complicated. "What if it's a mailto?" Cross-cabling may be the right thing to do.

Re: DisplayRemoteLinkURI injector
March 24, 2012 09:41PM

Well, using PHP's parse_url gives the domain even if it is a mailto. And how can a mail be remote or local? It should always be considered as remote in my opinion.

Re: DisplayRemoteLinkURI injector
March 24, 2012 09:47PM

By the heuristic in your code, mail is local (it has no authority segment.) You probably care about whether or not the scheme is browsable or not as well.

Re: DisplayRemoteLinkURI injector
March 24, 2012 09:54PM

Yes, I just tested and it gives any host information that I expected. And considered as local. I expected the result would be like this:

Array ( "scheme" => "mailto:", "host" => "gmail.com", "username" => "tpaksu" )

But it gives the mail address as "path". And BTW, "javascript:" hrefs would be a problem too. What else may happen?

Re: DisplayRemoteLinkURI injector
March 24, 2012 11:20PM

The reason why this is the case is because you only have an authority if you have a // after the scheme. So mailto doesn't, so you go straight to the path.

In general, managing the different schemes is the trickiest part of handling this, which is why I suggest using HTML Purifier's built-in stuff. Check out library/HTMLPurifier/AttrTransform/Nofollow.php for an example.
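
The scheme-aware check discussed in this thread, as an added example that is not code from either poster or from HTML Purifier itself. It assumes HTML Purifier is installed with `HTMLPurifier.auto.php` on the include path; `classify_href()`, the sample hrefs and the `www.example.com` host are constructed for illustration, and the `naive` column stands in for a host-presence heuristic built on `parse_url`.

```php
<?php
// Added example. Assumes HTML Purifier is on the include path.
require_once 'HTMLPurifier.auto.php';

// Hypothetical helper: classify an href the way the thread suggests,
// by parsing it with HTML Purifier and consulting the scheme object.
function classify_href($href, $config, $context)
{
    static $parser = null;
    if ($parser === null) {
        $parser = new HTMLPurifier_URIParser();
    }
    $uri = $parser->parse($href);
    if ($uri === false) {
        return 'rejected';              // could not be parsed as a URI
    }
    $scheme = $uri->getSchemeObj($config, $context);
    if (!$scheme) {
        return 'rejected';              // scheme not allowed, e.g. javascript:
    }
    if (!$scheme->browsable) {
        return 'non-browsable';         // e.g. mailto: has no page to display
    }
    // No authority ("//host") or our own host: treat as local.
    // Simplification: exact match against URI.Host, no subdomain handling.
    if ($uri->host === null || $uri->host === $config->get('URI.Host')) {
        return 'local';
    }
    return 'remote';
}

$config = HTMLPurifier_Config::createDefault();
$config->set('Cache.DefinitionImpl', null);   // no cache directory needed
$config->set('URI.Host', 'www.example.com');  // constructed site host
$context = new HTMLPurifier_Context();

// Constructed sample hrefs covering the cases raised in the thread.
$samples = array(
    '/about.html',
    'http://www.example.com/page',
    'http://other.example.org/page',
    'mailto:user@example.org',
    'javascript:void(0)',
);
foreach ($samples as $href) {
    // Host-presence heuristic: anything without a host counts as local.
    $naive = parse_url($href, PHP_URL_HOST) ? 'remote' : 'local';
    printf("%-32s naive=%-6s scheme-aware=%s\n",
        $href, $naive, classify_href($href, $config, $context));
}
```

The `mailto:` and `javascript:` rows are where the two columns diverge: the host-only check calls both local, while the scheme object separates a non-browsable scheme from one that is not allowed at all.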
