1 : <?php
2 :
3 : /**
4 : * Validates a URI in CSS syntax, which uses url('http://example.com')
5 : * @note While theoretically speaking a URI in a CSS document could
6 : * be non-embedded, as of CSS2 there is no such usage so we're
7 : * generalizing it. This may need to be changed in the future.
8 : * @warning Since HTMLPurifier_AttrDef_CSS blindly uses semicolons as
9 : * the separator, you cannot put a literal semicolon in
10 : * the URI. Try percent-encoding it in that case.
11 : */
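class HTMLPurifier_AttrDef_CSS_URI extends HTMLPurifier_AttrDef_URI
{

    /**
     * Sets up the parent URI validator in embedded mode; every CSS url()
     * is treated as an embedded resource.
     */
    public function __construct() {
        parent::__construct(true); // always embedded
    }

    /**
     * Validates a CSS url(...) value and returns it in re-escaped form.
     *
     * The wrapper and optional quotes are stripped, the supported backslash
     * escapes are undone, the bare URI is handed to parent::validate(), and
     * the validated URI is escaped again and wrapped in url(...).
     *
     * @param string $uri_string Raw CSS value, e.g. url('http://example.com')
     * @param mixed $config Passed unchanged to parent::validate()
     * @param mixed $context Passed unchanged to parent::validate()
     * @return string|false "url(...)" holding the validated URI, or false
     *         when the wrapper or quoting is malformed or the parent
     *         validator rejects the URI
     */
    public function validate($uri_string, $config, $context) {
        // parse the URI out of the string and then pass it onto
        // the parent object

        $uri_string = $this->parseCDATA($uri_string);
        if (strpos($uri_string, 'url(') !== 0) return false;

        // substr() can yield false instead of '' on older PHP versions,
        // so normalise before the emptiness check.
        $uri_string = (string) substr($uri_string, 4);

        // Nothing follows "url(": reading the last character below would
        // be an out-of-range string offset, so reject the value here.
        if ($uri_string === '') return false;

        $new_length = strlen($uri_string) - 1;
        if ($uri_string[$new_length] !== ')') return false;
        $uri = trim((string) substr($uri_string, 0, $new_length));

        if ($uri !== '' && ($uri[0] === "'" || $uri[0] === '"')) {
            $quote = $uri[0];
            $new_length = strlen($uri) - 1;
            // A lone quote character would otherwise match itself as both
            // the opening and the closing quote; treat it as unterminated.
            if ($new_length < 1 || $uri[$new_length] !== $quote) return false;
            $uri = (string) substr($uri, 1, $new_length - 1);
        }

        // Undo the backslash escapes this class itself emits.
        // NOTE(review): no other CSS escape form is decoded here, so such
        // sequences reach parent::validate() verbatim; confirm that the
        // parent neutralises a leftover backslash.
        $keys   = array(  '(',   ')',   ',',   ' ',   '"',   "'");
        $values = array('\\(', '\\)', '\\,', '\\ ', '\\"', "\\'");
        $uri = str_replace($values, $keys, $uri);

        $result = parent::validate($uri, $config, $context);

        if ($result === false) return false;

        // escape necessary characters according to CSS spec
        // except for the comma, none of these should appear in the
        // URI at all
        // NOTE(review): only the six characters in $keys are escaped, and
        // the value is emitted unquoted. Backslashes and line breaks pass
        // through untouched, so the output is only safe if parent::validate()
        // never returns them. TODO confirm they come back percent-encoded
        // or removed.
        $result = str_replace($keys, $values, $result);

        return "url($result)";

    }

}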
55 :