-
Notifications
You must be signed in to change notification settings - Fork 15
/
Sanitizer.php
215 lines (190 loc) · 6.59 KB
/
Sanitizer.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 project.
*
* It is free software; you can redistribute it and/or modify it under the terms
* of the MIT License (MIT). For the full copyright and license information,
* please read the LICENSE file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace TYPO3\HtmlSanitizer;
use DOMDocumentFragment;
use DOMNode;
use DOMNodeList;
use Masterminds\HTML5;
use TYPO3\HtmlSanitizer\Serializer\Rules;
use TYPO3\HtmlSanitizer\Serializer\RulesInterface;
use TYPO3\HtmlSanitizer\Visitor\VisitorInterface;
/**
* HTML Sanitizer in a nutshell:
*
* + `Behavior` contains declarative settings for a particular process for sanitizing HTML.
* + `Visitor` (multiple different visitors can exist at the same time) are actually doing the
* work based on the declared `Behavior`. Visitors can modify nodes or mark them for deletion.
* + `Sanitizer` can be considered as the working instance, invoking visitors, parsing and
* serializing HTML. In general this instance does not contain much logic on how to handle
* particular nodes, attributes or values
*
* This `Sanitizer` class is agnostic specific configuration - it's purpose is to parse HTML,
* invoke all registered visitors (they actually do the work and contain specific logic) and
* finally provide HTML serialization as string again.
*/
class Sanitizer
{
protected const mastermindsDefaultOptions = [
// Whether the serializer should aggressively encode all characters as entities.
'encode_entities' => false,
'encode_attributes' => true,
// Prevents the parser from automatically assigning the HTML5 namespace to the DOM document.
// (adjusted due to https://github.com/Masterminds/html5-php/issues/181#issuecomment-643767471)
'disable_html_ns' => true,
];
/**
* @var VisitorInterface[]
*/
protected $visitors = [];
/**
* @var ?Behavior
*/
protected $behavior = null;
/**
* @var HTML5
*/
protected $parser;
/**
* @var DOMDocumentFragment
* @deprecated since v2.1.0, not required anymore
*/
protected $root;
/**
* @var Context
*/
protected $context;
/**
* @param Behavior|VisitorInterface ...$items
*
* @todo use `__construct(Behavior $behavior, VisitorInterface ...$visitors)`
* (which would have been a breaking change with a PHP fatal error)
*/
public function __construct(...$items)
{
$this->visitors = [];
foreach ($items as $item) {
if ($item instanceof VisitorInterface) {
$this->visitors[] = $item;
} elseif ($item instanceof Behavior && $this->behavior === null) {
$this->behavior = $item;
}
}
$this->parser = $this->createParser();
}
public function sanitize(string $html, ?InitiatorInterface $initiator = null): string
{
$root = $this->parse($html);
// @todo drop deprecated property
$this->root = $root;
$this->handle($root, $initiator);
$rules = $this->createRules($initiator);
$serialized = $this->serialize($root, $rules);
$this->closeRulesStream($rules);
return $serialized;
}
protected function parse(string $html): DOMDocumentFragment
{
return $this->parser->parseFragment($html);
}
protected function handle(DOMNode $domNode, ?InitiatorInterface $initiator = null): DOMNode
{
$this->context = new Context($this->parser, $initiator);
$this->beforeTraverse();
$this->traverseNodeList($domNode->childNodes);
$this->afterTraverse();
return $domNode;
}
/**
* Custom implementation of `\Masterminds\HTML5::save` and `\Masterminds\HTML5::saveHTML`.
*/
protected function serialize(DOMNode $domNode, RulesInterface $rules): string
{
$rules->traverse($domNode);
return stream_get_contents($rules->getStream(), -1, 0);
}
protected function beforeTraverse(): void
{
foreach ($this->visitors as $visitor) {
$visitor->beforeTraverse($this->context);
}
}
protected function traverse(DOMNode $domNode): void
{
foreach ($this->visitors as $visitor) {
$result = $visitor->enterNode($domNode);
$domNode = $this->replaceNode($domNode, $result);
if ($domNode === null) {
return;
}
}
if ($domNode->hasChildNodes()) {
$this->traverseNodeList($domNode->childNodes);
}
foreach ($this->visitors as $visitor) {
$result = $visitor->leaveNode($domNode);
$domNode = $this->replaceNode($domNode, $result);
if ($domNode === null) {
return;
}
}
}
/**
* Traverses node-list (child-nodes) in reverse(!) order to allow
* directly removing child nodes, keeping node-list indexes.
*
* @param DOMNodeList $domNodeList
*/
protected function traverseNodeList(DOMNodeList $domNodeList): void
{
for ($i = $domNodeList->length - 1; $i >= 0; $i--) {
/** @var DOMNode $item */
$item = $domNodeList->item($i);
$this->traverse($item);
}
}
protected function afterTraverse(): void
{
foreach ($this->visitors as $visitor) {
$visitor->afterTraverse($this->context);
}
}
protected function replaceNode(DOMNode $source, ?DOMNode $target): ?DOMNode
{
if ($target === null) {
$source->parentNode->removeChild($source);
} elseif ($source !== $target) {
if ($source->ownerDocument !== $target->ownerDocument
&& $source->ownerDocument !== null
&& $target->ownerDocument !== null
) {
$target = $source->ownerDocument->importNode($target, true);
}
$source->parentNode->replaceChild($target, $source);
}
return $target;
}
protected function createRules(?InitiatorInterface $initiator = null): Rules
{
$stream = fopen('php://temp', 'wb');
return (new Rules($stream, self::mastermindsDefaultOptions))
->withBehavior($this->behavior ?? new Behavior())
->withInitiator($initiator);
}
protected function closeRulesStream(RulesInterface $rules): bool
{
return fclose($rules->getStream());
}
protected function createParser(): HTML5
{
return new HTML5(self::mastermindsDefaultOptions);
}
}