+ private boolean checkAttrInContext(String nodeName,String attrName,String attrValue){
+ /* The intent here is to prevent external content from being loaded by the user's browser.
+ It's extra paranoid, so will strip some legitimate stuff like an alt="http://www.indymedia.org"
+ */
+ if (! MirGlobal.config().getBoolean("Localizer.HTML.KillWebBugs")) {
+ return true;
+ }
+ else {
+ if ((nodeName.toLowerCase()).equals("a") && (attrName.toLowerCase()).equals("href") || (nodeName.toLowerCase()).equals("form") && (attrName.toLowerCase()).equals("action")){
+ return true; //because we still love the web, even if it doesn't return the favor
+ }
+ else {
+ List externalPrefixes = StringRoutines.splitString(MirGlobal.config().getString("Localizer.HTML.ExternalLocationAttributeValuePrefixes"), ";");
+ List whitelist = StringRoutines.splitString(MirGlobal.config().getString("Localizer.HTML.WhitelistedExternalLocationAttributeValuePrefixes"), ";");
+ Iterator i = externalPrefixes.iterator();
+ while (i.hasNext()) {
+ if ((stripWhitespace(attrValue.toLowerCase())).startsWith(((String) i.next()).toLowerCase())) {
+ // we have hit a bad prefix, but we need to check the whitelist
+ Iterator wl=whitelist.iterator();
+ while (wl.hasNext()){
+ if ((stripWhitespace(attrValue.toLowerCase())).startsWith(((String) wl.next()).toLowerCase())) {
+ return true; //say, for example, something on a trusted server
+ }
+ }
+ return false; //don't let this attribute through
+ }
+ }
+ return true; //didn't seem to be an external prefix, so it's fine
+ }
+ }
+ }
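Review bot: The whitelist test in the inner `while (wl.hasNext())` loop is a plain `startsWith`, so a configured entry that does not end at a host boundary (constructed example: `http://trusted.example`) also accepts `http://trusted.example.other.test/...`, which defeats the intent stated in the opening comment. Either require a trailing `/` on every `Localizer.HTML.WhitelistedExternalLocationAttributeValuePrefixes` entry and document it, e.g. `// whitelist entries must end in "/" so a longer host name cannot match`, or compare the parsed host rather than the raw string. If `StringRoutines.splitString` can return empty elements (not visible here), an empty whitelist entry matches every value, so pull each entry into a local and skip it with `if (prefix.length() == 0) continue;` in both loops. Because only the start of the value is compared, an attribute such as `style` whose value carries a URL later in the string presumably passes; confirm that such attributes are filtered elsewhere. A null `attrValue` would throw at `attrValue.toLowerCase()`, so compute `stripWhitespace(attrValue.toLowerCase())` once into a local after a null check instead of repeating it in each loop.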