SproutCMS

This is the code documentation for the SproutCMS project

More info
Project:
Home   Sprout SproutModules

Search documentation

Search term:

What to search:





Path or filename:

source of /sprout/Helpers/RichTextSanitiser.php

  1. <?php
  2. /*
  3.  * Copyright (C) 2017 Karmabunny Pty Ltd.
  4.  *
  5.  * This file is a part of SproutCMS.
  6.  *
  7.  * SproutCMS is free software: you can redistribute it and/or modify it under the terms
  8.  * of the GNU General Public License as published by the Free Software Foundation, either
  9.  * version 2 of the License, or (at your option) any later version.
  10.  *
  11.  * For more information, visit <http://getsproutcms.com>.
  12.  */
  13.  
  14. namespace Sprout\Helpers;
  15.  
  16. use \DOMNode;
  17. use \DOMDocument;
  18.  
  19. /**
  20.  * Helper that strictly validates and sanitises user submitted HTML
  21.  * Intended for use with front-end instances of TinyMCE to ensure XSS is impossible.
  22.  *
  23.  * @note Operates in a whitelist mode; if a tag or attribute doesn't appear on the list it won't appear on the output.
  24.  */
  25. final class RichTextSanitiser
  26. {
  27.     const ATTR_TYPE_TEXT = 0;
  28.     const ATTR_TYPE_URL = 1;
  29.     const ATTR_TYPE_CLASS = 2;
  30.     const ATTR_TYPE_SRC = 3;
  31.     const ATTR_TYPE_STYLE = 4;
  32.  
  33.     private $dom_doc;
  34.     private $errors = [];
  35.     private $permitted_tags;
  36.  
  37.     /**
  38.      * @var bool Permit only local (i.e. on the current server) resources in src attributes
  39.      */
  40.     private $local_resources = false;
  41.  
  42.     /**
  43.      * The default set of tags (and attributes) that are permitted
  44.      */
  45.     public static $default_permitted_tags = [
  46.         'div' => [
  47.             'class' => self::ATTR_TYPE_CLASS,
  48.         ],
  49.         'p' => [
  50.             'class' => self::ATTR_TYPE_CLASS,
  51.             'style' => self::ATTR_TYPE_STYLE
  52.         ],
  53.  
  54.         'span' => [
  55.             'class' => self::ATTR_TYPE_CLASS,
  56.         ],
  57.         'strong' => null,
  58.         'em' => null,
  59.  
  60.         'h1' => [
  61.             'class' => self::ATTR_TYPE_CLASS,
  62.         ],
  63.         'h2' => [
  64.             'class' => self::ATTR_TYPE_CLASS,
  65.         ],
  66.         'h3' => [
  67.             'class' => self::ATTR_TYPE_CLASS,
  68.         ],
  69.         'h4' => [
  70.             'class' => self::ATTR_TYPE_CLASS,
  71.         ],
  72.         'h5' => [
  73.             'class' => self::ATTR_TYPE_CLASS,
  74.         ],
  75.         'h6' => [
  76.             'class' => self::ATTR_TYPE_CLASS,
  77.         ],
  78.         'h7' => [
  79.             'class' => self::ATTR_TYPE_CLASS,
  80.         ],
  81.  
  82.         'img' => [
  83.             'src' => self::ATTR_TYPE_SRC,
  84.             'alt' => self::ATTR_TYPE_TEXT
  85.         ],
  86.         'a' => [
  87.             'class' => self::ATTR_TYPE_CLASS,
  88.             'href' => self::ATTR_TYPE_URL,
  89.             'title' => self::ATTR_TYPE_TEXT
  90.         ],
  91.  
  92.         'ul' => [
  93.             'class' => self::ATTR_TYPE_CLASS
  94.         ],
  95.         'ol' => [
  96.             'class' => self::ATTR_TYPE_CLASS
  97.         ],
  98.  
  99.         'li' => [
  100.             'class' => self::ATTR_TYPE_CLASS
  101.         ],
  102.     ];
  103.  
  104.     /**
  105.      * Construct the sanitiser given a string of HTML
  106.      *
  107.      * @param string $richtextData The HTML to sanitise
  108.      * @param array $permitted_tags An optional array of permitted tags to override the defaults
  109.      */
  110.     public function __construct($richtextData, $permitted_tags = null)
  111.     {
  112.         // PHP-8+ deprecated this because it's disabled by default.
  113.         if (PHP_VERSION_ID < 80000) {
  114.             libxml_disable_entity_loader();
  115.         }
  116.  
  117.         $this->dom_doc = new DOMDocument();
  118.         if (!@$this->dom_doc->loadHTML($richtextData, LIBXML_NOCDATA)) {
  119.             $this->errors[] = 'There were errors in parsing the given HTML.';
  120.         }
  121.  
  122.         if ($permitted_tags) {
  123.             $this->permitted_tags = $permitted_tags;
  124.         } else {
  125.             $this->permitted_tags = static::$default_permitted_tags;
  126.         }
  127.     }
  128.  
  129.  
  130.     /**
  131.      * Gets a sanitised copy of the HTML
  132.      *
  133.      * @return string HTML with any elements or attributes not appearing on the whitelist removed
  134.      */
  135.     public function sanitise()
  136.     {
  137.         ob_start();
  138.  
  139.         $this->sanitiseNode($this->dom_doc);
  140.  
  141.         return ob_get_clean();
  142.     }
  143.  
  144.  
  145.     /**
  146.      * Checks whether any errors occurred during sanitising
  147.      *
  148.      * @return bool
  149.      */
  150.     public function hasErrors()
  151.     {
  152.         return count($this->errors) > 0;
  153.     }
  154.  
  155.  
  156.     /**
  157.      * Get the list of errors produced during @see RichTextSanitiser::sanitise
  158.      *
  159.      * @return array An array of error messages. Obviously, you must HTML encode each entry for them to be safe
  160.      *               for web use as they may contain values from the DOM.
  161.      */
  162.     public function getErrors()
  163.     {
  164.         return $this->errors;
  165.     }
  166.  
  167.  
  168.     /**
  169.      * Set whether to only allow local resources to be referenced by automatically fetching attributes
  170.      * e.g. the src attribute on an <img> tag. Does not apply to the href attribute as that won't be
  171.      * automatically fetched by a browser.
  172.      *
  173.      * @param bool $local True if only local resources are allowed, false if any resource is permitted
  174.      * @return void
  175.      */
  176.     public function setLocalResources($local)
  177.     {
  178.         $this->local_resources = (bool)$local;
  179.     }
  180.  
  181.  
  182.     /**
  183.      * Recursively sanitises a node and its children, echoing any output in order of appearance
  184.      *
  185.      * @param DOMNode $node The node to sanitise
  186.      */
  187.     private function sanitiseNode(DOMNode $node)
  188.     {
  189.         switch ($node->nodeType) {
  190.         case XML_ELEMENT_NODE:
  191.         {
  192.             // These get thrown in for free by DOMDocument::loadXML (thanks guys)
  193.             // so just omit them and parse their children instead
  194.             if ($node->nodeName === 'html' or $node->nodeName === 'body') {
  195.                 foreach ($node->childNodes as $child) {
  196.                     $this->sanitiseNode($child);
  197.                 }
  198.  
  199.                 return;
  200.             }
  201.  
  202.             if (!array_key_exists($node->nodeName, $this->permitted_tags)) {
  203.                 $this->errors[] = "Disallowed tag '{$node->nodeName}'";
  204.  
  205.                 return;
  206.             }
  207.  
  208.             $attributes = [];
  209.             if ($node->hasAttributes()) {
  210.                 $allowed_attrs = $this->permitted_tags[$node->nodeName];
  211.                 if (!is_array($allowed_attrs)) {
  212.                     $this->errors[] = "'{$node->nodeName}' elements are not permitted to contain any attributes";
  213.  
  214.                     return;
  215.                 }
  216.  
  217.                 foreach ($node->attributes as $attr) {
  218.                     if (!array_key_exists($attr->name, $allowed_attrs)) {
  219.                         $this->errors[] = "Invalid attribute '{$attr->name}' for '{$node->nodeName}' element.";
  220.  
  221.                         return;
  222.                     }
  223.  
  224.                     $encoded = $this->encodeAttributeValue($allowed_attrs[$attr->name], $attr->value);
  225.                     if (!empty($encoded)) {
  226.                         $attributes[] = sprintf('%s="%s"', $attr->name, $encoded);
  227.                     }
  228.                 }
  229.             }
  230.  
  231.             echo "<{$node->nodeName}";
  232.  
  233.             if (count($attributes)) {
  234.                 echo ' ', implode(' ', $attributes);
  235.             }
  236.  
  237.             if ($node->hasChildNodes()) {
  238.                 echo '>';
  239.  
  240.                 foreach ($node->childNodes as $child) {
  241.                     $this->sanitiseNode($child);
  242.                 }
  243.  
  244.                 echo "</{$node->nodeName}>";
  245.             } else {
  246.                 echo ' />';
  247.             }
  248.  
  249.             break;
  250.         }
  251.  
  252.         case XML_TEXT_NODE:
  253.         {
  254.             echo htmlspecialchars($node->nodeValue, ENT_COMPAT | ENT_HTML401 | ENT_DISALLOWED, 'UTF-8', false);
  255.             break;
  256.         }
  257.  
  258.         case XML_HTML_DOCUMENT_NODE:
  259.         case XML_DOCUMENT_NODE:
  260.         {
  261.             foreach ($node->childNodes as $child) {
  262.                 $this->sanitiseNode($child);
  263.             }
  264.  
  265.             break;
  266.         }
  267.  
  268.         default:
  269.             break;
  270.         }
  271.     }
  272.  
  273.     /**
  274.      * Encodes the value of an attribute using the correct encoding based on type
  275.      *
  276.      * @param int $type The attribute type code, e.g. ATTR_TYPE_URL
  277.      * @param string $value The attribute value as seen in the DOM
  278.      * @return string|bool A safely encoded attribute value or false if the value fails the checks
  279.      */
  280.     private function encodeAttributeValue($type, $value)
  281.     {
  282.         $value = trim($value);
  283.  
  284.         switch ($type) {
  285.         case self::ATTR_TYPE_URL:
  286.         {
  287.             $url = parse_url($value);
  288.  
  289.             if ($url == false or strcasecmp($url['scheme'], 'javascript') == 0) {
  290.                 return false;
  291.             }
  292.  
  293.             break;
  294.         }
  295.  
  296.         case self::ATTR_TYPE_SRC:
  297.         {
  298.             if ($this->local_resources) {
  299.                 $url = parse_url($value);
  300.  
  301.                 if ($url == false) {
  302.                     return false;
  303.                 }
  304.  
  305.                 // See if the domain specified actually matches the server's primary domain
  306.                 if (!empty($url['host'])) {
  307.                     // Unfortunately HTTP_HOST is the best option that isn't stupidly complicated or
  308.                     // prone to breakage, e.g. Url::base().
  309.  
  310.                     // TODO: this needs to handle subsites and all that mess
  311.                     $base_domain = $_SERVER['HTTP_HOST'];
  312.                     if (strcasecmp($url['host'], $base_domain) !== 0) {
  313.                         return false;
  314.                     }
  315.                 }
  316.             }
  317.  
  318.             break;
  319.         }
  320.  
  321.         case self::ATTR_TYPE_STYLE:
  322.         {
  323.             if ($this->local_resources) {
  324.                 // TODO: style attributes are tricky; I can force a browser to fetch a remote resource with them
  325.                 //       so we either disallow (breaks TinyMCE styling) or parse and whitelist some CSS attributes
  326.  
  327.                 return false;
  328.             }
  329.  
  330.             break;
  331.         }
  332.  
  333.         default:
  334.             break;
  335.         }
  336.  
  337.         return htmlspecialchars($value, ENT_COMPAT | ENT_HTML401 | ENT_DISALLOWED, 'UTF-8', false);
  338.     }
  339. }
  340.  
Powered by Pelzini, version 0.9.0 Documentation is made available under the GNU Free Documentation License 1.2.
Generated: Monday, 3rd April, 2023 at 02:59 pm