
PHP Cross Reference of phpBB-3.3.7-deutsch


/vendor/s9e/text-formatter/src/Configurator/TemplateChecks/ -> DisallowUnsafeDynamicURL.php (source)

   1  <?php
   2  
   3  /**
   4  * @package   s9e\TextFormatter
   5  * @copyright Copyright (c) 2010-2021 The s9e authors
   6  * @license   http://www.opensource.org/licenses/mit-license.php The MIT License
   7  */
   8  namespace s9e\TextFormatter\Configurator\TemplateChecks;
   9  
  10  use DOMAttr;
  11  use DOMElement;
  12  use DOMText;
  13  use DOMXPath;
  14  use s9e\TextFormatter\Configurator\Helpers\NodeLocator;
  15  use s9e\TextFormatter\Configurator\Items\Attribute;
  16  use s9e\TextFormatter\Configurator\Items\Tag;
  17  
  18  /**
  19  * The primary use of this check is to ensure that dynamic content cannot be used to create
  20  * javascript: links
  21  */
  22  class DisallowUnsafeDynamicURL extends AbstractDynamicContentCheck
  23  {
  24      /**
  25      * @var string Regexp used to exclude nodes that start with a hardcoded scheme part, a hardcoded
  26      *             local part, or a fragment
  27      */
  28      protected $safeUrlRegexp = '(^(?:(?!data|\\w*script)\\w+:|[^:]*[#/?]))i';
  29  
  30      /**
  31      * {@inheritdoc}
  32      */
  33  	protected function getNodes(DOMElement $template)
  34      {
  35          return NodeLocator::getURLNodes($template->ownerDocument);
  36      }
  37  
  38      /**
  39      * {@inheritdoc}
  40      */
  41  	protected function isSafe(Attribute $attribute)
  42      {
  43          return $attribute->isSafeAsURL();
  44      }
  45  
  46      /**
  47      * {@inheritdoc}
  48      */
  49  	protected function checkAttributeNode(DOMAttr $attribute, Tag $tag)
  50      {
  51          if (!$this->isSafeUrl($attribute->value))
  52          {
  53              parent::checkAttributeNode($attribute, $tag);
  54          }
  55      }
  56  
  57      /**
  58      * {@inheritdoc}
  59      */
  60  	protected function checkElementNode(DOMElement $element, Tag $tag)
  61      {
  62          if (!$this->elementHasSafeUrl($element))
  63          {
  64              parent::checkElementNode($element, $tag);
  65          }
  66      }
  67  
  68      /**
  69      * Test whether every branch of a given xsl:choose element contains a known-safe URL
  70      *
  71      * @param  DOMElement $choose
  72      * @return bool
  73      */
  74  	protected function chooseHasSafeUrl(DOMElement $choose)
  75      {
  76          $xpath        = new DOMXPath($choose->ownerDocument);
  77          $hasOtherwise = false;
  78          foreach ($xpath->query('xsl:when | xsl:otherwise', $choose) as $branch)
  79          {
  80              if (!$this->elementHasSafeUrl($branch))
  81              {
  82                  return false;
  83              }
  84              if ($branch->nodeName === 'xsl:otherwise')
  85              {
  86                  $hasOtherwise = true;
  87              }
  88          }
  89  
  90          return $hasOtherwise;
  91      }
  92  
  93      /**
  94      * Test whether given element contains a known-safe URL
  95      *
  96      * @param  DOMElement $element
  97      * @return bool
  98      */
  99  	protected function elementHasSafeUrl(DOMElement $element)
 100      {
 101          if ($element->firstChild instanceof DOMElement && $element->firstChild->nodeName === 'xsl:choose')
 102          {
 103              return $this->chooseHasSafeUrl($element->firstChild);
 104          }
 105  
 106          return $element->firstChild instanceof DOMText && $this->isSafeUrl($element->firstChild->textContent);
 107      }
 108  
 109      /**
 110      * Test whether given URL is known to be safe
 111      *
 112      * @param  string $url
 113      * @return bool
 114      */
 115  	protected function isSafeUrl($url)
 116      {
 117          return (bool) preg_match($this->safeUrlRegexp, $url);
 118      }
 119  }

