[PHP] DOMElement - attributes and namespace
Here's my function -

    private function filterAttributes($node) {
        // filters the attribute names and content
        $attributes = $node->attributes;
        foreach ($attributes as $attribute) {
            // allow colon as it is used in namespace attributes -
            // needs to be tested though, may require different handling??
            // I should get a MathML document and try it out.
            $pattern = '/[^a-z0-9:-]+/i';
            $clean = strtolower(preg_replace($pattern,'',$attribute->name));
            if (strcmp($clean,$attribute->name) != 0) {
                $this->policyReport("Invalid Attribute Name");
            }
            $saniAtt[] = $clean;
            if (strcmp($clean,"value") != 0) {
                if ($clean == "src") {
                    $saniVal[] = $this->obfus($attribute->value,1);
                } elseif ($clean == "data") {
                    $saniVal[] = $this->obfus($attribute->value,1);
                } elseif ($clean == "code") {
                    $saniVal[] = $this->obfus($attribute->value,1);
                } else {
                    $saniVal[] = $this->obfus($attribute->value);
                }
            } else {
                // do not alter value attributes
                $saniVal[] = $attribute->value;
            }
            $oldAtt[] = $attribute->name;
        }
        if (isset($oldAtt)) {
            for ($i=0; $i<sizeof($oldAtt);$i++) {
                $node->removeAttribute($oldAtt[$i]);
            }
        }
        if (isset($saniAtt)) {
            for ($i=0; $i<sizeof($saniAtt);$i++) {
                // string delimiters were lost in the archived copy; single spaces assumed
                $check = " " . $saniAtt[$i] . " ";
                if (substr_count($this->blacklist, $check) == 0) {
                    $node->setAttribute($saniAtt[$i],$saniVal[$i]);
                } else {
                    $string = "Blacklisted Event Attribute: " . $saniAtt[$i];
                    $this->policyReport($string);
                }
            }
        }
    }

(entire class here - http://www.clfsrpm.net/xss/cspfilter_class.phps)

Here's the problem -

    $attributes = $node->attributes;

creates a list that has both regular attributes and namespaced attributes. But I don't know how to programmatically tell them apart.

Here's the problem - when the attribute involves a namespace, i.e. xml:lang -

    $node->removeAttribute($oldAtt[$i]);

doesn't remove it.

    $node->setAttribute($saniAtt[$i],$saniVal[$i]);

creates a new attribute WITHOUT the namespace.

So if we have xml:lang="something", after the function is run the result is that there is an additional attribute lang="filtered something" but xml:lang remains with the unfiltered attribute content.

If I knew a way to tell whether or not an attribute was namespaced I could deal with it by using the correct $node->removeAttributeNS and $node->setAttributeNS for those attributes, but I don't know how to tell them apart programmatically.

It seems that $attribute->name when the attribute is foo:bar will just return bar, and I can't tell if it was originally foo:bar, xml:bar, freak:bar, or just plain bar.

The extremely sparse documentation in the PHP manual on this area isn't exactly helping me figure it out.

Any help would be appreciated.

To see the problem -

http://www.clfsrpm.net/xss/dom_script_test.php

Put

    <p xml:bar="javascript:something else">A Paragraph</p>

into the textarea and hit submit - and you'll see what the function does with the attribute.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] DOMElement - attributes and namespace
Michael A. Peters wrote:
> Here's the problem -
>
>     $attributes = $node->attributes;
>
> creates a list that has both regular attributes and namespaced attributes. But I don't know how to programmatically tell them apart.

http://phpbuilder.com/manual/en/class.domattr.php

What would be really nice is if I could do

    $attribute->namespace

the same way I could do

    $attribute->name

and

    $attribute->value

That would easily allow me to solve the problem. Is there a reason why that isn't part of the DOMAttr class?
Re: [PHP] DOMElement - attributes and namespace
Michael A. Peters wrote:
> Michael A. Peters wrote:
> > Here's the problem -
> >
> >     $attributes = $node->attributes;
> >
> > creates a list that has both regular attributes and namespaced attributes. But I don't know how to programmatically tell them apart.
>
> http://phpbuilder.com/manual/en/class.domattr.php
>
> What would be really nice is if I could do $attribute->namespace the same way I could do $attribute->name and $attribute->value
>
> That would easily allow me to solve the problem. Is there a reason why that isn't part of the DOMAttr class?

I found a dirty fix - it works but isn't proper.

I think this is a bug in either $node->elements or DOMAttr.

Either the first needs to provide a way to tell what is before the : when a : exists in an attribute name, or the second needs to either provide it in DOMAttr->name or provide another way to access what (if anything) is before a semicolon.

At some point I'll get the guts to report it as a bug just to be told it isn't a bug with the standard response that says it isn't a bug and absolutely no explanation as to why.
Re: [PHP] DOMElement - attributes and namespace
Michael A. Peters wrote:
> At some point I'll get the guts to report it as a bug just to be told it isn't a bug with the standard response that says it isn't a bug and absolutely no explanation as to why.

Bug ID 47747

Clear demonstration test case -

http://www.clfsrpm.net/bugs/domattr.phps
http://www.clfsrpm.net/bugs/domattr.php

I'll wait to see what they say, but if anyone knows how to get the xml:lang from the attribute list w/o knowing it is xml: - I would really like to know.
Re: [PHP] DOMElement - attributes and namespace
Michael A. Peters wrote:
> Michael A. Peters wrote:
> > At some point I'll get the guts to report it as a bug just to be told it isn't a bug with the standard response that says it isn't a bug and absolutely no explanation as to why.
>
> Bug ID 47747
>
> Clear demonstration test case -
>
> http://www.clfsrpm.net/bugs/domattr.phps
> http://www.clfsrpm.net/bugs/domattr.php
>
> I'll wait to see what they say, but if anyone knows how to get the xml:lang from the attribute list w/o knowing it is xml: - I would really like to know.

It was my misunderstanding. Properly fixing my code to deal with it is a PITA but is doable.
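
Added example, not part of the thread and not the poster's code: DOMAttr inherits prefix, namespaceURI and localName from DOMNode, which is enough to tell xml:lang from plain lang and to pick removeAttributeNS/setAttributeNS for the namespaced case. The function name, the filter callback and the sample markup are assumptions made up for the illustration.

```php
<?php
// Added example: helper name, callback and sample markup are constructed.
function sanitizeAttributesNsAware(DOMElement $node, callable $filterValue): void
{
    // Snapshot without keys: the attribute map is live, and xml:lang and
    // lang would otherwise collide on the same key.
    $snapshot = iterator_to_array($node->attributes, false);

    foreach ($snapshot as $attr) {
        $ns     = (string) $attr->namespaceURI; // "" when not namespaced
        $prefix = (string) $attr->prefix;       // "xml" for xml:lang
        $local  = $attr->localName;             // "lang" for xml:lang
        $clean  = strtolower(preg_replace('/[^a-z0-9-]+/i', '', $local));
        $value  = $filterValue($attr->value);

        // Remove through the API that matches how the attribute was stored.
        if ($ns !== '') {
            $node->removeAttributeNS($ns, $local);
        } else {
            $node->removeAttribute($attr->nodeName);
        }
        if ($clean === '') {
            continue; // nothing usable left in the name: drop the attribute
        }
        if ($ns !== '' && $prefix !== '') {
            $node->setAttributeNS($ns, $prefix . ':' . $clean, $value);
        } else {
            $node->setAttribute($clean, $value);
        }
    }
}

// Constructed input: one plain, one xml: and one custom-prefixed attribute.
$xml = '<root xmlns:foo="urn:example:foo">'
     . '<p title="t" xml:lang="en" foo:bar="javascript:something else">A Paragraph</p>'
     . '</root>';
$doc = new DOMDocument();
$doc->loadXML($xml);
$p = $doc->getElementsByTagName('p')->item(0);

sanitizeAttributesNsAware($p, function (string $v): string {
    return 'filtered ' . $v; // stand-in for the thread's obfus() method
});

echo $doc->saveXML($p), "\n";
```

Filtering the local name separately from the prefix keeps the colon out of the name pattern, so a name is never rebuilt from an unchecked prefix-plus-colon string.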