
Commit cbc0b2a

committed
feat: improve checking of data URLs
This commit introduces the following checks:
- `RSC-029` (new): check that `data` URLs are not used when they would result in a top-level browsing context
- check `data` URLs for foreign resource restrictions (fallbacks)

An OPFItem instance can now represent a manifest item defined as a data URL. A `hasDataURL()` method will tell if this is the case.

Fix #1238, fix #1239.
1 parent 20b5142 commit cbc0b2a


47 files changed

+806
-70
lines changed


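--- a/src/main/java/com/adobe/epubcheck/messages/DefaultSeverities.java
+++ b/src/main/java/com/adobe/epubcheck/messages/DefaultSeverities.java
@@ -340,6 +340,7 @@ private void initialize()
 severities.put(MessageId.RSC_026, Severity.ERROR);
 severities.put(MessageId.RSC_027, Severity.WARNING);
 severities.put(MessageId.RSC_028, Severity.ERROR);
+severities.put(MessageId.RSC_029, Severity.ERROR);
 
 // Scripting
 severities.put(MessageId.SCP_001, Severity.SUPPRESSED); // checking scripts is out of scope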

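--- a/src/main/java/com/adobe/epubcheck/messages/MessageId.java
+++ b/src/main/java/com/adobe/epubcheck/messages/MessageId.java
@@ -334,6 +334,7 @@ public enum MessageId implements Comparable<MessageId>
 RSC_026("RSC-026"),
 RSC_027("RSC-027"),
 RSC_028("RSC-028"),
+RSC_029("RSC-029"),
 
 // Messages relating to scripting
 SCP_001("SCP-001"),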

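--- a/src/main/java/com/adobe/epubcheck/ocf/OCFContainer.java
+++ b/src/main/java/com/adobe/epubcheck/ocf/OCFContainer.java
@@ -130,8 +130,9 @@ public boolean isRemote(URL url)
 }
 else
 {
-return !(URLUtils.isSameOrigin(url, rootURL));
+return URLUtils.isRemote(url, rootURL);
 }
 }
 
+
 }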
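Review bot: The contract of `isRemote` changes at the new `return URLUtils.isRemote(url, rootURL);` without any comment saying how non-hierarchical URLs are now classified. The helper's body is not visible in this view, so it is only presumed that it stops reporting `data:` URLs as remote; the same substitution is made in `ValidationContext.isRemote`. Because `ValidationContext.computePath` branches on `!container.get().isRemote(url)`, the Javadoc of both methods should state the rule, for example `// data: URLs are embedded in the referencing document and are never remote` if that is indeed the intent. The body of `isRemote` starts above the hunk.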

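--- a/src/main/java/com/adobe/epubcheck/opf/OPFChecker.java
+++ b/src/main/java/com/adobe/epubcheck/opf/OPFChecker.java
@@ -210,7 +210,7 @@ protected boolean checkContent()
 // only check the filename in single-file mode
 // (it is checked by the container checker in full-publication mode)
 // and for local resources (i.e. computed to a file URL)
-if (!context.container.isPresent() && !item.isRemote())
+if (!context.container.isPresent() && !item.isRemote() && !item.hasDataURL())
 {
 new OCFFilenameChecker(item.getPath(), context, item.getLocation()).check();
 }
@@ -378,6 +378,10 @@ else if (isBlessedStyleType(mimeType))
 
 protected void checkItemContent(OPFItem item)
 {
+// We do not currently support checking resources defined as data URLs
+if (item.hasDataURL()) {
+return;
+}
 // Create a new validation context for the OPF item
 // FIXME 2022 set context OPFItem here
 // (instead of from XRefChecker in the builder code)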
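Review bot: The early return added at the top of `checkItemContent` skips a data-URL item silently, so a publication that embeds a resource as a `data:` URL is accepted with that resource's content never validated and nothing in the report saying so. Since the comment already states the case is unsupported, surface it instead of dropping it, e.g. `report.message(MessageId.<PLACEHOLDER_INFO_ID>, item.getLocation());` before the `return`, where the id is a placeholder for a new informational message and not an existing one. Whether `report` is in scope in this class is not visible in the hunk; the new code in `OPFChecker30.checkSpineItem` calls it in this form. The body of `checkItemContent` continues below the hunk.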

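--- a/src/main/java/com/adobe/epubcheck/opf/OPFChecker30.java
+++ b/src/main/java/com/adobe/epubcheck/opf/OPFChecker30.java
@@ -186,6 +186,12 @@ else if (!overlayTextChecker.isCorrectOverlay(docURL, mo))
 @Override
 protected void checkSpineItem(OPFItem item, OPFHandler opfHandler)
 {
+// Items with `data:` URLs are not allowed in the spine
+if (item.hasDataURL()) {
+report.message(MessageId.RSC_029, item.getLocation());
+return;
+}
+
 String mimeType = item.getMimeType();
 
 if (item.getProperties()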
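Review bot: The new guard in `checkSpineItem` puts its opening brace on the `if` line, while the method itself and the `else if ("data".equals(url.scheme()))` branch this commit adds in OPFItem keep braces on their own line. Write it as `if (item.hasDataURL())` with `{` on the following line to match the file; the guard added in `OPFChecker.checkItemContent` has the same form. `checkSpineItem` continues below the hunk.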

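--- a/src/main/java/com/adobe/epubcheck/opf/OPFItem.java
+++ b/src/main/java/com/adobe/epubcheck/opf/OPFItem.java
@@ -109,6 +109,13 @@ private OPFItem(Builder builder)
 {
 this.path = url.toHumanString();
 }
+// If the item is defined with a data URL, return
+// the URL string truncated arbitrarily to 30 chars
+else if ("data".equals(url.scheme()))
+{
+String urlString = url.toString();
+this.path = url.toString().substring(0, Math.min(urlString.length(), 30)) + "…";
+}
 // If a container is present (full-publication check)
 // the item path is relative to the root of the container
 else if (builder.container.isPresent())
@@ -289,6 +296,16 @@ public boolean isFixedLayout()
 return fixedLayout;
 }
 
+/**
+* Returns <code>true</code> iff this item is a remote resource.
+*
+* @return <code>true</code> iff this item is a remote resource.
+*/
+public boolean hasDataURL()
+{
+return "data".equals(url.scheme());
+}
+
 /**
 * Returns <code>true</code> iff this item is a remote resource.
 *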
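Review bot: The Javadoc added above `hasDataURL()` is a copy of the one on the method that follows it and documents the wrong predicate: both the summary and the `@return` line say "remote resource", while the body tests `"data".equals(url.scheme())`. It should read `Returns <code>true</code> iff this item is defined with a <code>data:</code> URL.` with the matching `@return` line. Several guards in this commit skip or reject items based on this method, so a reader auditing them would otherwise take it for a second remote check.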

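--- a/src/main/java/com/adobe/epubcheck/opf/ValidationContext.java
+++ b/src/main/java/com/adobe/epubcheck/opf/ValidationContext.java
@@ -141,7 +141,7 @@ private String computePath()
 {
 if (container.isPresent() && !container.get().isRemote(url))
 {
-if (!url.path().isEmpty())
+if (url.path() != null && !url.path().isEmpty())
 {
 return url.path().substring(1);
 }
@@ -181,7 +181,7 @@ public boolean isRemote(URL url)
 }
 else
 {
-return !(URLUtils.isSameOrigin(url, this.url));
+return URLUtils.isRemote(url, this.url);
 }
 }
 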
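Review bot: The null guard added in `computePath` carries no comment explaining when `url.path()` is null, and the path is now read three times across the condition and the `substring(1)` call. Presumably the null case is an opaque URL such as `data:`; if so, say it with `// opaque URLs (e.g. data:) have no path` above the `if`, and read the path once into a local. What `computePath` returns when the guard fails is below the hunk and not visible here.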
