[Caja] cajole_html is refusing

Thu, 09 Jul 2009 17:08:47 -0700 


Reviewers: ihab.awad,

Description:
cajole_html uses a unique PluginEnvironment
that allows limited filesystem references,
but barfs on most uses of #fragments.

this change relaxes the restriction on #fragments.
so now <a href="#foo"> is allowed,
and if href="foo.html" is allowed,
then href="foo.html#bar" is also allowed.

there's no testcase in this change because there
isn't already a test structure for any of this.
(emma says 0% coverage)
I might add tests later.

Please review this at http://codereview.appspot.com/88149

Affected files:
  M     src/com/google/caja/plugin/FileSystemEnvironment.java


Index: src/com/google/caja/plugin/FileSystemEnvironment.java
===================================================================
--- src/com/google/caja/plugin/FileSystemEnvironment.java       (revision 3563)
+++ src/com/google/caja/plugin/FileSystemEnvironment.java       (working copy)
@@ -23,6 +23,7 @@
 import java.io.IOException;
 import java.io.Reader;
 import java.net.URI;
+import java.net.URISyntaxException;

 /**
  * @author [email protected]
@@ -47,14 +48,33 @@
     }
   }

+  /** Return a new URI with a different fragment. */
+  private URI refragUri(URI uri, String frag) throws URISyntaxException {
+    return new URI(uri.getScheme(), uri.getSchemeSpecificPart(), frag);
+  }
+
   public String rewriteUri(ExternalReference ref, String mimeType) {
-    File f = toFileUnderSameDirectory(ref.getUri());
-    if (f == null) {
-      String uristr = ref.getUri().toString();
-      if (uristr.equals("#")) { return uristr; }
-      else { return null; }
-    }
- return new File(directory, ".").toURI().relativize(f.toURI()).toString(); 
+    try {
+      URI fragless = refragUri(ref.getUri(), null);
+
+      // allow uri references within the base directory
+      File f = toFileUnderSameDirectory(fragless);
+      if (f != null) {
+        URI base = new File(directory, ".").toURI();
+        URI rel = base.relativize(fragless);
+        return refragUri(rel, ref.getUri().getFragment()).toString();
+      }
+
+      // allow bare fragments
+      URI self = ref.getReferencePosition().source().getUri();
+      String uristr = self.relativize(ref.getUri()).toString();
+      if (uristr.startsWith("#")) {
+        return uristr;
+      }
+    } catch (URISyntaxException e) { }
+
+    // denied
+    return null;
   }

   protected abstract Reader newReader(File f) throws FileNotFoundException;
@@ -70,7 +90,7 @@
       // Not a "file://..." URL so cannot be relative to a directory
       return null;
     }
-
+
     if (uri.getAuthority() != null
         || uri.getFragment() != null
         || uri.getQuery() != null) {

Reply via email to