Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[HtmlSanitizer] Add ability to sanitize a whole document #58524

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: 7.4
Choose a base branch
Loading
from
Open

[HtmlSanitizer] Add ability to sanitize a whole document #58524

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
[HtmlSanitizer] Add ability to sanitize a whole document
  • Loading branch information
@tgalopin
tgalopin committed Oct 12, 2024
commit 04b6207fdfaf70051c38bcd16958ad5a05db37e2
49 changes: 10 additions & 39 deletions 49 src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,15 +25,14 @@ final class HtmlSanitizer implements HtmlSanitizerInterface
private ParserInterface $parser;

/**
* @var array<string, DomVisitor>
* @var ?DomVisitor
*/
private array $domVisitors = [];
private ?DomVisitor $domVisitor = null;

public function __construct(
private HtmlSanitizerConfig $config,
?ParserInterface $parser = null,
) {
$this->config = $config;
$this->parser = $parser ?? new MastermindsParser();
}

Expand All @@ -58,7 +57,7 @@ private function sanitizeWithContext(string $context, string $input): string
}

// Other context: build a DOM visitor
$this->domVisitors[$context] ??= $this->createDomVisitorForContext($context);
$this->domVisitor ??= $this->createDomVisitor();

// Prevent DOS attack induced by extremely long HTML strings
if (-1 !== $this->config->getMaxInputLength() && \strlen($input) > $this->config->getMaxInputLength()) {
Expand All @@ -80,7 +79,9 @@ private function sanitizeWithContext(string $context, string $input): string
}

// Visit the DOM tree and render the sanitized nodes
return $this->domVisitors[$context]->visit($parsed)?->render() ?? '';
$sanitized = $this->domVisitor->visit($context, $parsed)?->render() ?? '';

return W3CReference::CONTEXT_DOCUMENT === $context ? '<!DOCTYPE html>'.$sanitized : $sanitized;
}

private function isValidUtf8(string $html): bool
Expand All @@ -89,50 +90,20 @@ private function isValidUtf8(string $html): bool
return '' === $html || preg_match('//u', $html);
}

private function createDomVisitorForContext(string $context): DomVisitor
private function createDomVisitor(): DomVisitor
{
$elementsConfig = [];

// Head: only a few elements are allowed
if (W3CReference::CONTEXT_HEAD === $context) {
foreach ($this->config->getAllowedElements() as $allowedElement => $allowedAttributes) {
if (\array_key_exists($allowedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$allowedElement] = $allowedAttributes;
}
}

foreach ($this->config->getBlockedElements() as $blockedElement => $v) {
if (\array_key_exists($blockedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
}
}

foreach ($this->config->getDroppedElements() as $droppedElement => $v) {
if (\array_key_exists($droppedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
}
}

return new DomVisitor($this->config, $elementsConfig);
}

// Body: allow any configured element that isn't in <head>
foreach ($this->config->getAllowedElements() as $allowedElement => $allowedAttributes) {
if (!\array_key_exists($allowedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$allowedElement] = $allowedAttributes;
}
$elementsConfig[$allowedElement] = $allowedAttributes;
}

foreach ($this->config->getBlockedElements() as $blockedElement => $v) {
if (!\array_key_exists($blockedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
}
$elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
}

foreach ($this->config->getDroppedElements() as $droppedElement => $v) {
if (!\array_key_exists($droppedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
}
$elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
}

return new DomVisitor($this->config, $elementsConfig);
Expand Down
6 changes: 6 additions & 0 deletions 6 src/Symfony/Component/HtmlSanitizer/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,12 @@ $sanitizer->sanitize($userInput);
// Sanitize the given string for a usage in a <head> tag
$sanitizer->sanitizeFor('head', $userInput);

// Sanitize the given string for a usage in a <body> tag
$sanitizer->sanitizeFor('body', $userInput);

// Sanitize the given string as a whole document (including <head> and <body>)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Sanitize the given string as a whole document (including <head> and <body>)
// Sanitize the given string as a whole document (including <html>, <head> and <body>)

$sanitizer->sanitizeFor('document', $userInput);

// Sanitize the given string for a usage in another tag
$sanitizer->sanitizeFor('title', $userInput); // Will encode as HTML entities
$sanitizer->sanitizeFor('textarea', $userInput); // Will encode as HTML entities
Expand Down
3 changes: 3 additions & 0 deletions 3 src/Symfony/Component/HtmlSanitizer/Reference/W3CReference.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,16 @@ final class W3CReference
* A parent element name can be passed as an argument to {@see HtmlSanitizer::sanitizeFor()}.
* When doing so, depending on the given context, different elements will be allowed.
*/
public const CONTEXT_DOCUMENT = 'document';
public const CONTEXT_HEAD = 'head';
public const CONTEXT_BODY = 'body';
public const CONTEXT_TEXT = 'text';

// Which context to apply depending on the passed parent element name
public const CONTEXTS_MAP = [
'document' => self::CONTEXT_DOCUMENT,
'head' => self::CONTEXT_HEAD,
'body' => self::CONTEXT_BODY,
'textarea' => self::CONTEXT_TEXT,
'title' => self::CONTEXT_TEXT,
];
Expand Down
26 changes: 26 additions & 0 deletions 26 src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerAllTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,32 @@ private function createSanitizer(): HtmlSanitizer
);
}

/**
* @dataProvider provideSanitizeDocument
*/
public function testSanitizeDocument(string $input, string $expected)
{
$this->assertSame($expected, $this->createSanitizer()->sanitizeFor('document', $input));
}

public static function provideSanitizeDocument()
{
$heads = iterator_to_array(self::provideSanitizeHead());
$bodies = iterator_to_array(self::provideSanitizeBody());

$cases = [];
foreach ($heads as $head) {
foreach ($bodies as $body) {
$cases[] = [
'<!DOCTYPE html><html><head>'.$head[0].'</head><body>'.$body[0].'</body></html>',
'<!DOCTYPE html><html><head>'.$head[1].'</head><body>'.$body[1].'</body></html>',
];
}
}

return $cases;
}

/**
* @dataProvider provideSanitizeHead
*/
Expand Down
80 changes: 74 additions & 6 deletions 80 src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@

use Symfony\Component\HtmlSanitizer\HtmlSanitizerAction;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\Reference\W3CReference;
use Symfony\Component\HtmlSanitizer\TextSanitizer\StringSanitizer;
use Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\AttributeSanitizerInterface;
use Symfony\Component\HtmlSanitizer\Visitor\Model\Cursor;
Expand Down Expand Up @@ -51,6 +52,13 @@ final class DomVisitor
*/
private array $attributeSanitizers = [];

/**
* Registry of elements configuration for each sanitization context used in the document.
*
* @var array<string, array<string, HtmlSanitizerAction|array<string, bool>>> $elementsConfigByContext
*/
private array $elementsConfigByContext = [];

/**
* @param array<string, HtmlSanitizerAction|array<string, bool>> $elementsConfig Registry of allowed/blocked elements:
* * If an element is present as a key and contains an array, the element should be allowed
Expand All @@ -75,9 +83,9 @@ public function __construct(
$this->defaultAction = $config->getDefaultAction();
}

public function visit(\DOMDocumentFragment $domNode): ?NodeInterface
public function visit(?string $context, \DOMDocumentFragment $domNode): ?NodeInterface
{
$cursor = new Cursor(new DocumentNode());
$cursor = new Cursor([$context], new DocumentNode());
$this->visitChildren($domNode, $cursor);

return $cursor->node;
Expand All @@ -87,24 +95,35 @@ private function visitNode(\DOMNode $domNode, Cursor $cursor): void
{
$nodeName = StringSanitizer::htmlLower($domNode->nodeName);

if (array_key_exists($nodeName, W3CReference::CONTEXTS_MAP)) {
$cursor->contextsPath[] = $nodeName;
}

// Visit recursively if the node was not dropped
if ($this->enterNode($nodeName, $domNode, $cursor)) {
$this->visitChildren($domNode, $cursor);
$cursor->node = $cursor->node->getParent();
}

if (array_key_exists($nodeName, W3CReference::CONTEXTS_MAP)) {
array_pop($cursor->contextsPath);
}
}

private function enterNode(string $domNodeName, \DOMNode $domNode, Cursor $cursor): bool
{
if (!\array_key_exists($domNodeName, $this->elementsConfig)) {
$context = array_reverse($cursor->contextsPath)[0] ?? 'body';
$this->elementsConfigByContext[$context] ??= $this->createContextElementsConfig($context);

if (!\array_key_exists($domNodeName, $this->elementsConfigByContext[$context])) {
$action = $this->defaultAction;
$allowedAttributes = [];
} else {
if (\is_array($this->elementsConfig[$domNodeName])) {
if (\is_array($this->elementsConfigByContext[$context][$domNodeName])) {
$action = HtmlSanitizerAction::Allow;
$allowedAttributes = $this->elementsConfig[$domNodeName];
$allowedAttributes = $this->elementsConfigByContext[$context][$domNodeName];
} else {
$action = $this->elementsConfig[$domNodeName];
$action = $this->elementsConfigByContext[$context][$domNodeName];
$allowedAttributes = [];
}
}
Expand Down Expand Up @@ -185,4 +204,53 @@ private function setAttributes(string $domNodeName, \DOMNode $domNode, Node $nod
}
}
}

private function createContextElementsConfig(string $context): array
{
$elementsConfig = [];

// Head: only a few elements are allowed
if (W3CReference::CONTEXT_HEAD === $context) {
foreach ($this->config->getAllowedElements() as $allowedElement => $allowedAttributes) {
if (\array_key_exists($allowedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$allowedElement] = $allowedAttributes;
}
}

foreach ($this->config->getBlockedElements() as $blockedElement => $v) {
if (\array_key_exists($blockedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
}
}

foreach ($this->config->getDroppedElements() as $droppedElement => $v) {
if (\array_key_exists($droppedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
}
}

return $elementsConfig;
}

// Body: allow any configured element that isn't in <head>
foreach ($this->config->getAllowedElements() as $allowedElement => $allowedAttributes) {
if (!\array_key_exists($allowedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$allowedElement] = $allowedAttributes;
}
}

foreach ($this->config->getBlockedElements() as $blockedElement => $v) {
if (!\array_key_exists($blockedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
}
}

foreach ($this->config->getDroppedElements() as $droppedElement => $v) {
if (!\array_key_exists($droppedElement, W3CReference::HEAD_ELEMENTS)) {
$elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
}
}

return $elementsConfig;
}
}
6 changes: 4 additions & 2 deletions 6 src/Symfony/Component/HtmlSanitizer/Visitor/Model/Cursor.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,9 @@
*/
final class Cursor
{
public function __construct(public ?NodeInterface $node)
{
public function __construct(
public array $contextsPath,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest documenting the type with @param list<string> $contextsPath

public ?NodeInterface $node
) {
}
}
Loading
Morty Proxy This is a proxified and sanitized view of the page, visit original site.