Added allowed values support for specific attributes, added tests, added source tags to the basic whitelist

Author: MirazMac

src/BasicWhitelist.php

@@ -22,11 +22,21 @@ public function __construct()
         parent::setProtocols(static::getBasicProtocols());
     }
 
+    /**
+     * Returns the basic allowed protocols
+     *
+     * @return     array
+     */
     public static function getBasicProtocols() : array
     {
         return ['http', 'https', 'ftp', '//', 'mailto', 'data'];
     }
 
+    /**
+     * Gets the basic tags.
+     *
+     * @return     array
+     */
     public static function getBasicTags() : array
     {
         return [
@@ -271,6 +281,9 @@ public static function getBasicTags() : array
         'xml:lang'
         ],
         'sup' => [],
+        'source' => [
+            'src', 'type', 'sizes', 'srcset', 'media'
+        ],
         'table' => [
         'align',
         'bgcolor',

src/Sanitizer.php

@@ -4,11 +4,30 @@
 
 namespace MirazMac\HtmlSanitizer;
 
+use function \chr;
+use function \html_entity_decode;
+use function \htmlspecialchars;
+use function \libxml_clear_errors;
+use function \libxml_disable_entity_loader;
+use function \libxml_use_internal_errors;
+use function \mb_strlen;
+use function \mb_strpos;
+use function \mb_strtolower;
+use function \mb_substr;
+use function \parse_url;
+use function \preg_match;
+use function \range;
+use function \str_replace;
+use function \trim;
+use function \version_compare;
+
 /**
  * HtmlSanitizer
  *
- * A lightweight library to make sanitizing HTML easier on PHP. Has no dependencies except Native DomDocument support,
- * faster than any other sanization library present for PHP
+ * A lightweight library to make sanitizing HTML easier on PHP.
+ * Has no dependencies except native PHP extensions like dom, libxml, mbstring.
+ *
+ * Should be faster than any other sanization library present for PHP
  *
  * @author Miraz Mac <mirazmac@gmail.com>
  * @link https://mirazmac.com
@@ -37,17 +56,12 @@ public function __construct(Whitelist $whitelist)
      *
      * @param  string $html
      * @return string
-     * @throws \RuntimeException If failed to convert the HTML into UTF-8 via mb_convert_encoding()
+     * @throws \InvalidArgumentException If supplied HTML is not valid UTF-8
      */
     public function sanitize(string $html) : string
     {
-        // Because..
-        libxml_use_internal_errors(true);
-        libxml_clear_errors(true);
-
-        // deprecated in PHP 8.0
-        if (version_compare(\PHP_VERSION, '8.0.0', '<')) {
-            libxml_disable_entity_loader(true);
+        if (!$this->isValidUtf8($html)) {
+            throw new \InvalidArgumentException("Provided HTML must be valid utf-8");
         }
 
         // Remove NULL characters (ignored by some browsers).
@@ -57,41 +71,56 @@ public function sanitize(string $html) : string
             return '';
         }
 
-        // Construct the DOM Document
-        $dom = new \DOMDocument('1.0', 'UTF-8');
-
-        // Fix encoding issues
-        $html = @mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8');
+        // Because..
+        $previousState = libxml_use_internal_errors(true);
+        libxml_clear_errors();
 
-        if (empty($html)) {
-            throw new \RuntimeException("Failed to convert the HTML into UTF-8 via mb_convert_encoding();");
+        // deprecated in PHP 8.0
+        if (\PHP_VERSION_ID < 80000) {
+            libxml_disable_entity_loader(true);
         }
 
-        // Nah, we're not HTMLPurifier (fuck that bloated ass library btw)
+        // Construct the DOM Document
+        $dom = new \DOMDocument('1.0', 'UTF-8');
+
+        // Nah
         $dom->strictErrorChecking = false;
         // nope
         $dom->validateOnParse = false;
         $dom->substituteEntities = false;
+        // Don't even try
         $dom->resolveExternals  = false;
         // whenever possible, please..
         $dom->recover = true;
-        // should this be a option to customize?
-        // idk
         $dom->formatOutput = false;
-        // same question
         $dom->preserveWhiteSpace  = false;
 
         // no shit sherlock
         $dom->encoding = 'UTF-8';
 
         // Finally load the HTML
-        $dom->loadHTML($html);
+        $dom->loadHTML(
+            // Prepend the utf-8 encoding tags
+            // ugly hack but works better than mb_convert_encoding()
+            '<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta charset="UTF-8">'
+            .
+            $html,
+            \LIBXML_NOERROR | \LIBXML_NOWARNING | \LIBXML_HTML_NODEFDTD
+        );
 
         // Why again? Apparently it gets set to NULL after calling loadHTML(), so set it back to UTF-8 again,
         // otherwise saveHTML produces weird results
         $dom->encoding = 'UTF-8';
 
-        return trim($dom->saveHTML($this->doSanitize($dom)));
+        $html = trim($dom->saveHTML($this->doSanitize($dom)));
+
+        // Clear the errors
+        libxml_clear_errors();
+
+        // Restore the state
+        libxml_use_internal_errors($previousState);
+
+        return $html;
     }
 
     /**
@@ -140,6 +169,12 @@ protected function doSanitize($html)
                 continue; // no further action required, let's proceed to the next one
             }
 
+            // Remove attribute if value doesn't match with an explicitly defined list
+            if (!$this->whitelist->isValueAllowed($html->nodeName, $name, $value)) {
+                $html->removeAttribute($name);
+                continue;
+            }
+
             // Handle boolean/blank attributes
             if (HtmlDataMap::isBooleanAttribute($name) || $this->whitelist->isBooleanAttribute($name)) {
                 // If it's already empty or a valid boolean don't change anything
@@ -161,6 +196,7 @@ protected function doSanitize($html)
                 );
             }
 
+
             // Regardless of all this, every attribute gets escaped
             $html->setAttribute(
                 $name,
@@ -214,7 +250,7 @@ protected function filterURL(string $element, $value) : string
      * @param  string $string
      * @return string
      */
-    protected function escapeAttribute(string $string) : string
+    public function escapeAttribute(string $string) : string
     {
         $string = html_entity_decode($string, ENT_QUOTES, 'UTF-8');
         return htmlspecialchars($string, ENT_QUOTES, 'UTF-8', true);
@@ -255,4 +291,16 @@ protected function stripDangerousProtocols($uri) : string
 
         return $uri;
     }
+
+    /**
+     * Determines whether the specified string is valid utf 8.
+     *
+     * @param      string  $string   The string
+     *
+     * @return     bool
+     */
+    protected function isValidUtf8(string $string): bool
+    {
+        return '' === $string || 1 === preg_match('/^./us', $string);
+    }
 }

src/Whitelist.php

@@ -4,6 +4,12 @@
 
 namespace MirazMac\HtmlSanitizer;
 
+use function \array_merge;
+use function \array_reverse;
+use function \explode;
+use function \in_array;
+use function \is_array;
+
 /**
  * Whitelist
  *
@@ -41,6 +47,13 @@ class Whitelist
      */
     protected $treatAsBoolean = [];
 
+    /**
+     * Allowed values for specific attributes
+     *
+     * @var        array
+     */
+    protected $values = [];
+
     /**
      * Internally required tags
      *
@@ -141,6 +154,30 @@ public function removeAttribute(string $tagName, $attributes) : Whitelist
         return $this;
     }
 
+    /**
+     * Sets list of allowed values for an attribute under a tag name.
+     * If this is set and the value of the attribute doesn't match with these, the attribute will be removed.
+     * This mainly should be used for custom data attributes where you only want a specific set of values.
+     *
+     * @param      string           $tagName    The tag name
+     * @param      string           $attribute  The attribute
+     * @param      array            $values     The values
+     *
+     * @throws     \LogicException  If tag isn't allowed
+     *
+     * @return     self
+     */
+    public function setAllowedValues(string $tagName, string $attribute, array $values)
+    {
+        if (!$this->isTagAllowed($tagName)) {
+            throw new \LogicException("Failed to allow values on attribute `{$attribute}` on tag `{$tagName}`, because the tag itself isn't allowed.");
+        }
+
+        $this->values[$tagName][$attribute] = $values;
+
+        return $this;
+    }
+
     /**
      * Add one or many protocols to the whitelist
      *
@@ -424,6 +461,25 @@ public function isHostAllowed(string $tagName, string $host) : bool
         return false;
     }
 
+    /**
+     * Determines if value is allowed for an attribute under.
+     *
+     * @param      string  $tagName    The tag name
+     * @param      string  $attribute  The attribute
+     * @param      string  $value      The value
+     *
+     * @return     bool
+     */
+    public function isValueAllowed(string $tagName, string $attribute, $value) : bool
+    {
+        // Allowed by default unless added explicitly
+        if (!isset($this->values[$tagName][$attribute])) {
+            return true;
+        }
+
+        return in_array($value, $this->values[$tagName][$attribute]);
+    }
+
     /**
      * Iteratively ensures the host domain is allowed
      * Taken from tgalopin/html-sanitizer

tests/SanitizerTest.php

@@ -28,7 +28,7 @@ public function setUp() : void
      */
     public function testSimpleHTML() : void
     {
-        $string = $this->sanitizer->sanitize('<div id="fake"><h5 class="foo">Lorem ipsum</h5></div>');
+        $string = $this->sanitizer->sanitize('<script>alert("hello");</script><div id="fake"><h5 class="foo">Lorem ipsum</h5></div>');
         $this->assertEquals("Lorem ipsum", $string);
     }
 
@@ -41,6 +41,15 @@ public function testEmptyString() : void
         $this->assertEmpty($this->sanitizer->sanitize(''));
     }
 
+    /**
+     * Tests unicode strings remaining as is
+     */
+    public function testUnicodeString() : void
+    {
+        $string = $this->basicSanitizer->sanitize('<p>আমি বাংলায় গান গাই</p>');
+        $this->assertEquals('<p>আমি বাংলায় গান গাই</p>', $string);
+    }
+
     /**
      * tests host filtering
      *
@@ -71,12 +80,22 @@ public function testCustomAttribute() : void
         $this->assertEquals('<img src="1.png" data-src="1.png">', $string);
     }
 
+    /**
+     * Test allowed values for an attribute
+     */
+    public function testAllowedValues()
+    {
+        $string = $this->basicSanitizer->sanitize('<a href="#" title="four">hey</a>');
+        $this->assertEquals('<a href="#">hey</a>', $string);
+    }
+
     protected function getBasicWhitelist()
     {
         $whitelist = new BasicWhitelist;
         // Allow support for a few attribute for testing
         $whitelist->allowAttribute('img', ['data-src', 'data-lazyload'])
                   ->setAllowedHosts('img', ['google.com'])
+                  ->setAllowedValues('a', 'title', ['one', 'two', 'three'])
                   ->treatAttributesAsURL(['data-src'])
                   ->treatAttributesAsBoolean(['data-lazyload']);
         return $whitelist;