public function toString()
{
// reconstruct authority
$authority = null;
// there is a rendering difference between a null authority
// (http:foo-bar) and an empty string authority
// (http:///foo-bar).
if (!is_null($this->host)) {
$authority = '';
if (!is_null($this->userinfo)) {
$authority .= $this->userinfo . '@';
}
$authority .= $this->host;
if (!is_null($this->port)) {
$authority .= ':' . $this->port;
}
}
// Reconstruct the result
// One might wonder about parsing quirks from browsers after
// this reconstruction. Unfortunately, parsing behavior depends
// on what *scheme* was employed (file:///foo is handled *very*
// differently than http:///foo), so unfortunately we have to
// defer to the schemes to do the right thing.
$result = '';
if (!is_null($this->scheme)) {
$result .= $this->scheme . ':';
}
if (!is_null($authority)) {
$result .= '//' . $authority;
}
$result .= $this->path;
if (!is_null($this->query)) {
$result .= '?' . $this->query;
}
if (!is_null($this->fragment)) {
$result .= '#' . $this->fragment;
}
return $result;
} /**
* @param HTMLPurifier_URI $uri
* @param HTMLPurifier_Config $config
* @param HTMLPurifier_Context $context
* @return bool
*/
public function filter(&$uri, $config, $context)
{
// check if filter not applicable
if (!$config->get('HTML.SafeIframe')) {
return true;
}
// check if the filter should actually trigger
if (!$context->get('EmbeddedURI', true)) {
return true;
}
$token = $context->get('CurrentToken', true);
if (!($token && $token->name == 'iframe')) {
return true;
}
// check if we actually have some whitelists enabled
if ($this->regexp === null) {
return false;
}
// actually check the whitelists
if (!preg_match($this->regexp, $uri->toString())) {
return false;
}
// Make sure that if we're an HTTPS site, the iframe is also HTTPS
if (is_https() && $uri->scheme == 'http') {
// Convert it to a protocol-relative URL
$uri->scheme = null;
}
return $uri;
}
