forked from TYPO3/html-sanitizer
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Sanitizer.php
146 lines (127 loc) · 4.07 KB
/
Sanitizer.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
<?php
declare(strict_types=1);
/*
* This file is part of the TYPO3 project.
*
* It is free software; you can redistribute it and/or modify it under the terms
* of the MIT License (MIT). For the full copyright and license information,
* please read the LICENSE file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
namespace TYPO3\HtmlSanitizer;
use DOMDocumentFragment;
use DOMNode;
use Masterminds\HTML5;
use TYPO3\HtmlSanitizer\Visitor\VisitorInterface;
/**
* HTML Sanitizer in a nutshell:
*
* + `Behavior` contains declarative settings for a particular process for sanitizing HTML.
* + `Visitor` (multiple different visitors can exist at the same time) are actually doing the
* work based on the declared `Behavior`. Visitors can modify nodes or mark them for deletion.
* + `Sanitizer` can be considered as the working instance, invoking visitors, parsing and
* serializing HTML. In general this instance does not contain much logic on how to handle
* particular nodes, attributes or values
*
* This `Sanitizer` class is agnostic specific configuration - it's purpose is to parse HTML,
* invoke all registered visitors (they actually do the work and contain specific logic) and
* finally provide HTML serialization as string again.
*/
class Sanitizer
{
/**
* @var VisitorInterface[]
*/
protected $visitors = [];
/**
* @var HTML5
*/
protected $parser;
/**
* @var DOMDocumentFragment
*/
protected $root;
/**
* @var Context
*/
protected $context;
public function __construct(VisitorInterface ...$visitors)
{
$this->visitors = $visitors;
$this->parser = $this->createParser();
}
public function sanitize(string $html): string
{
$this->root = $this->parse($html);
$this->context = new Context($this->parser);
$this->beforeTraverse();
foreach ($this->root->childNodes as $childNode) {
$this->traverse($childNode);
}
$this->afterTraverse();
return $this->serialize($this->root);
}
protected function parse(string $html): DOMDocumentFragment
{
return $this->parser->parseFragment($html);
}
protected function serialize(DOMNode $document): string
{
return $this->parser->saveHTML($document);
}
protected function beforeTraverse(): void
{
foreach ($this->visitors as $visitor) {
$visitor->beforeTraverse($this->context);
}
}
protected function traverse(DOMNode $node): void
{
foreach ($this->visitors as $visitor) {
$result = $visitor->enterNode($node);
$node = $this->replaceNode($node, $result);
if ($node === null) {
return;
}
}
if ($node->hasChildNodes()) {
foreach ($node->childNodes as $childNode) {
$this->traverse($childNode);
}
}
foreach ($this->visitors as $visitor) {
$result = $visitor->leaveNode($node);
$node = $this->replaceNode($node, $result);
if ($node === null) {
return;
}
}
}
protected function afterTraverse(): void
{
foreach ($this->visitors as $visitor) {
$visitor->afterTraverse($this->context);
}
}
protected function replaceNode(DOMNode $source, ?DOMNode $target): ?DOMNode
{
if ($target === null) {
$source->parentNode->removeChild($source);
} elseif ($source !== $target) {
if ($source->ownerDocument !== $target->ownerDocument) {
$source->ownerDocument->importNode($target);
}
$source->parentNode->replaceChild($target, $source);
}
return $target;
}
protected function createParser(): HTML5
{
// set parser & applies work-around
// https://github.com/Masterminds/html5-php/issues/181#issuecomment-643767471
return new HTML5([
'disable_html_ns' => true,
]);
}
}