
Added method to check the URI and removed the dependency on Zend_Uri.

git-svn-id: http://framework.zend.com/svn/framework/standard/trunk@20613 44c647ce-9c0f-0410-b52a-842ac1e357ba
kokx 16 years ago
8c03a96978

+ 39 - 4
library/Zend/Markup/Renderer/Html.php

@@ -21,10 +21,6 @@
  */
 
 /**
- * @see Zend_Uri
- */
-require_once 'Zend/Uri.php';
-/**
  * @see Zend_Filter_HtmlEntities
  */
 require_once 'Zend/Filter/HtmlEntities.php';
@@ -472,4 +468,43 @@ class Zend_Markup_Renderer_Html extends Zend_Markup_Renderer_RendererAbstract
         return false;
     }
 
+    /**
+     * Check if the URI is valid
+     *
+     * @param string $uri
+     *
+     * @return bool
+     */
+    public static function isValidUri($uri)
+    {
+        if (!preg_match('/^([a-z][a-z+\-.]*):/i', $uri, $matches)) {
+            return false;
+        }
+
+        $scheme = strtolower($matches[1]);
+
+        switch ($scheme) {
+            case 'javascript':
+                // JavaScript scheme is not allowed for security reason
+                return false;
+
+            case 'http':
+            case 'https':
+            case 'ftp':
+                $components = @parse_url($uri);
+
+                if ($components === false) {
+                    return false;
+                }
+
+                if (!isset($components['host'])) {
+                    return false;
+                }
+
+                return true;
+
+            default:
+                return true;
+        }
+    }
 }
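Review bot: The `default: return true;` branch at the bottom of the switch makes `isValidUri` a denylist that rejects only `javascript:`; every other scheme (including `data:`) is accepted, and the callers in Img.php and Url.php put the result directly into `src`/`href`. For a value rendered into HTML an allowlist is the safer shape: keep the http/https/ftp branch, add explicit cases for the non-hierarchical schemes the tests expect (`case 'magnet': return true;`), and change the default to `return false;`. The `@` on `parse_url` may be there for PHP versions where a malformed URI emits a warning; if so, a short comment saying so would keep the next reader from removing or copying it blindly. The docblock should also state the policy, e.g. `Only schemes in the explicit allowlist are accepted; everything else is rejected.`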

+ 11 - 3
library/Zend/Markup/Renderer/Html/Img.php

@@ -21,6 +21,10 @@
  */
 
 /**
+ * @see Zend_Markup_Renderer_Html
+ */
+require_once 'Zend/Markup/Renderer/Html.php';
+/**
  * @see Zend_Markup_Renderer_Html_HtmlAbstract
  */
 require_once 'Zend/Markup/Renderer/Html/HtmlAbstract.php';
@@ -47,10 +51,14 @@ class Zend_Markup_Renderer_Html_Img extends Zend_Markup_Renderer_Html_HtmlAbstra
      */
     public function convert(Zend_Markup_Token $token, $text)
     {
-        $url = $text;
+        $uri = $text;
+
+        if (!preg_match('/^([a-z][a-z+\-.]*):/i', $uri)) {
+            $uri = 'http://' . $uri;
+        }
 
         // check if the URL is valid
-        if (!Zend_Uri::check($url)) {
+        if (!Zend_Markup_Renderer_Html::isValidUri($uri)) {
             return $text;
         }
 
@@ -65,7 +73,7 @@ class Zend_Markup_Renderer_Html_Img extends Zend_Markup_Renderer_Html_HtmlAbstra
             }
         }
 
-        return "<img src=\"{$url}\" alt=\"{$alt}\"" . Zend_Markup_Renderer_Html::renderAttributes($token) . " />";
+        return "<img src=\"{$uri}\" alt=\"{$alt}\"" . Zend_Markup_Renderer_Html::renderAttributes($token) . " />";
     }
 
 }
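Review bot: `$uri` is interpolated into the `src` attribute on the return line without attribute escaping, and `isValidUri` does not reject `"` or other characters that terminate an attribute value (for http/https/ftp it only checks that `parse_url` finds a host), so validation alone does not make this string safe in an HTML attribute; the same applies to `href` in Url.php. Escape at the point of output: `$src = htmlspecialchars($uri, ENT_QUOTES, 'UTF-8');` and use `{$src}` in the returned tag. Whether `$alt` is already escaped is not visible in this hunk. `convert` begins in the previous hunk, outside this one.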

+ 11 - 5
library/Zend/Markup/Renderer/Html/Url.php

@@ -21,6 +21,10 @@
  */
 
 /**
+ * @see Zend_Markup_Renderer_Html
+ */
+require_once 'Zend/Markup/Renderer/Html.php';
+/**
  * @see Zend_Markup_Renderer_Html_HtmlAbstract
  */
 require_once 'Zend/Markup/Renderer/Html/HtmlAbstract.php';
@@ -48,21 +52,23 @@ class Zend_Markup_Renderer_Html_Url extends Zend_Markup_Renderer_Html_HtmlAbstra
     public function convert(Zend_Markup_Token $token, $text)
     {
         if ($token->hasAttribute('url')) {
-            $url = $token->getAttribute('url');
+            $uri = $token->getAttribute('url');
         } else {
-            $url = $text;
+            $uri = $text;
         }
 
-        //if (subs)
+        if (!preg_match('/^([a-z][a-z+\-.]*):/i', $uri)) {
+            $uri = 'http://' . $uri;
+        }
 
         // check if the URL is valid
-        if (!Zend_Uri::check($url)) {
+        if (!Zend_Markup_Renderer_Html::isValidUri($uri)) {
             return $text;
         }
 
         $attributes = Zend_Markup_Renderer_Html::renderAttributes($token);
 
-        return "<a href=\"{$url}\"{$attributes}>{$text}</a>";
+        return "<a href=\"{$uri}\"{$attributes}>{$text}</a>";
     }
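Review bot: The scheme regex `'/^([a-z][a-z+\-.]*):/i'` is now written out three times — here, in Img.php, and in `isValidUri` in Html.php — and the `http://` prefixing is duplicated in both renderers, so any change to the scheme grammar has to be made in three places. Consider giving the regex one home, e.g. a class constant on `Zend_Markup_Renderer_Html` used by all three, or a small helper both renderers call to normalise the URI before `isValidUri`. The removed `//if (subs)` comment is replaced rather than explained; a line such as `// no scheme given: assume http` above the `if` would say why the prefix is added.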
 
 }

+ 10 - 2
tests/Zend/Markup/BbcodeAndHtmlTest.php

@@ -106,13 +106,12 @@ class Zend_Markup_BbcodeAndHtmlTest extends PHPUnit_Framework_TestCase
             $this->_markup->render('[url]http://framework.zend.com/[/url]'));
         $this->assertEquals('<a href="http://framework.zend.com/">foo</a>',
             $this->_markup->render('[url=http://framework.zend.com/]foo[/url]'));
-        $this->assertEquals('bar', $this->_markup->render('[url="invalid"]bar[/url]'));
+        $this->assertEquals('bar', $this->_markup->render('[url="javascript:alert(1)"]bar[/url]'));
 
         $this->assertEquals('<img src="http://framework.zend.com/images/logo.png" alt="logo" />',
             $this->_markup->render('[img]http://framework.zend.com/images/logo.png[/img]'));
         $this->assertEquals('<img src="http://framework.zend.com/images/logo.png" alt="Zend Framework" />',
             $this->_markup->render('[img alt="Zend Framework"]http://framework.zend.com/images/logo.png[/img]'));
-        $this->assertEquals('invalid', $this->_markup->render('[img]invalid[/img]'));
 
     }
 
@@ -466,6 +465,15 @@ BBCODE;
         $this->assertEquals('<em>FOO&amp;BAR</em>baz', $m->render('[i]foo&bar[/i]baz'));
     }
 
+    public function testValidUri()
+    {
+        $this->assertTrue(Zend_Markup_Renderer_Html::isValidUri("http://www.example.com"));
+        $this->assertTrue(!Zend_Markup_Renderer_Html::isValidUri("www.example.com"));
+        $this->assertTrue(!Zend_Markup_Renderer_Html::isValidUri("http:///test"));
+        $this->assertTrue(Zend_Markup_Renderer_Html::isValidUri("https://www.example.com"));
+        $this->assertTrue(Zend_Markup_Renderer_Html::isValidUri("magnet:?xt=urn:bitprint:XZBS763P4HBFYVEMU5OXQ44XK32OMLIN.HGX3CO3BVF5AG2G34MVO3OHQLRSUF4VJXQNLQ7A &xt=urn:ed2khash:aa52fb210465bddd679d6853b491ccce&"));
+        $this->assertTrue(!Zend_Markup_Renderer_Html::isValidUri("javascript:alert(1)"));
+    }
 }
 
 // Call Zend_Markup_BbcodeAndHtmlTest::main()
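Review bot: `$this->assertTrue(!...)` in `testValidUri` reports only that a boolean was false, hiding which call produced the wrong value; `assertFalse(...)` is the intended assertion and gives a readable failure. Use `$this->assertFalse(Zend_Markup_Renderer_Html::isValidUri("www.example.com"));` for the three negated lines. The earlier hunk in this file drops the `[img]invalid[/img]` assertion without a replacement, so the img renderer no longer has a rejected-input case; an `[img]` case using the same `javascript:` input the `[url]` test now uses would restore that coverage. The magnet assertion contains a space before `&xt=` inside the URI, which looks accidental and should probably be removed.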