PHP Cross Reference of phpBB-3.3.14-deutsch |
<?php

/**
* @package   s9e\TextFormatter
* @copyright Copyright (c) 2010-2022 The s9e authors
* @license   http://www.opensource.org/licenses/mit-license.php The MIT License
*/
namespace s9e\TextFormatter\Configurator\TemplateChecks;

use DOMAttr;
use DOMElement;
use DOMText;
use DOMXPath;
use s9e\TextFormatter\Configurator\Helpers\NodeLocator;
use s9e\TextFormatter\Configurator\Items\Attribute;
use s9e\TextFormatter\Configurator\Items\Tag;

/**
* The primary use of this check is to ensure that dynamic content cannot be used to create
* javascript: links
*
* URL nodes whose static beginning already pins the scheme (or makes the URL relative) are
* accepted without further inspection. Every other URL node is handed to the parent check, which
* is defined in AbstractDynamicContentCheck and not shown in this file.
*/
class DisallowUnsafeDynamicURL extends AbstractDynamicContentCheck
{
	/**
	* @var string Regexp used to exclude nodes that start with a hardcoded scheme part, a hardcoded
	*             local part, or a fragment
	*
	* The pattern is anchored at the start only and is case-insensitive. It accepts either:
	*  - a run of word characters followed by ":" that does not begin with "data" and does not
	*    contain "script" before the colon, or
	*  - a colon-free prefix that reaches "#", "/" or "?", i.e. the scheme position is already
	*    closed by static text.
	*
	* NOTE(review): this vouches for the scheme only. A static prefix such as "//" matches the
	* second alternative, so whatever follows it is not constrained by this pattern.
	*/
	protected $safeUrlRegexp = '(^(?:(?!data|\\w*script)\\w+:|[^:]*[#/?]))i';

	/**
	* {@inheritdoc}
	*
	* Collects the nodes to inspect via NodeLocator::getURLNodes() on the template's document.
	*/
	protected function getNodes(DOMElement $template)
	{
		$document = $template->ownerDocument;

		return NodeLocator::getURLNodes($document);
	}

	/**
	* {@inheritdoc}
	*
	* An attribute counts as safe here when Attribute::isSafeAsURL() says so.
	*/
	protected function isSafe(Attribute $attribute)
	{
		$safeAsUrl = $attribute->isSafeAsURL();

		return $safeAsUrl;
	}

	/**
	* {@inheritdoc}
	*
	* Skips the parent check when the attribute value starts with a known-safe static prefix.
	*/
	protected function checkAttributeNode(DOMAttr $attribute, Tag $tag)
	{
		if ($this->isSafeUrl($attribute->value))
		{
			// The static start of the value already fixes the scheme
			return;
		}

		parent::checkAttributeNode($attribute, $tag);
	}

	/**
	* {@inheritdoc}
	*
	* Skips the parent check when the element's content starts with a known-safe static prefix.
	*/
	protected function checkElementNode(DOMElement $element, Tag $tag)
	{
		if ($this->elementHasSafeUrl($element))
		{
			return;
		}

		parent::checkElementNode($element, $tag);
	}

	/**
	* Test whether every branch of a given xsl:choose element contains a known-safe URL
	*
	* @param  DOMElement $choose
	* @return bool       TRUE only if every xsl:when / xsl:otherwise child passes
	*                    elementHasSafeUrl() and an xsl:otherwise child exists
	*/
	protected function chooseHasSafeUrl(DOMElement $choose)
	{
		$sawOtherwise = false;
		$branches     = (new DOMXPath($choose->ownerDocument))->query('xsl:when | xsl:otherwise', $choose);
		foreach ($branches as $node)
		{
			// One branch without a safe start is enough to reject the whole xsl:choose
			if (!$this->elementHasSafeUrl($node))
			{
				return false;
			}

			$sawOtherwise = $sawOtherwise || ($node->nodeName === 'xsl:otherwise');
		}

		// An xsl:choose with no xsl:otherwise can output nothing at all, so the start of the URL
		// would not be covered by any of the branches tested above
		return $sawOtherwise;
	}

	/**
	* Test whether given element contains a known-safe URL
	*
	* Only the first child node is inspected: either a text node that must match the safe URL
	* regexp, or an xsl:choose whose branches are tested in turn. Anything else is not known-safe.
	*
	* @param  DOMElement $element
	* @return bool
	*/
	protected function elementHasSafeUrl(DOMElement $element)
	{
		$first = $element->firstChild;

		if ($first instanceof DOMText)
		{
			return $this->isSafeUrl($first->textContent);
		}

		if ($first instanceof DOMElement && $first->nodeName === 'xsl:choose')
		{
			return $this->chooseHasSafeUrl($first);
		}

		// Empty element, or a first child that is neither static text nor an xsl:choose
		return false;
	}

	/**
	* Test whether given URL is known to be safe
	*
	* A preg_match() failure (FALSE) is reported as "not safe", so the caller falls through to the
	* parent check rather than skipping it.
	*
	* @param  string $url
	* @return bool
	*/
	protected function isSafeUrl($url)
	{
		return preg_match($this->safeUrlRegexp, $url) === 1;
	}
}