ILIAS  release_5-2 Revision v5.2.25-18-g3f80b828510
Static Public Member Functions | Static Private Member Functions
Sanitizer Class Reference
+ Collaboration diagram for Sanitizer:

Static Public Member Functions

static validateTagAttributes ( $attribs, $element)
 Take an array of attribute names and values and normalize or discard illegal values for the given element type. More...
 
static checkCss ( $value)
 Pick apart some CSS and check it for forbidden or unsafe structures. More...
 
static fixTagAttributes ( $text, $element)
 Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes. More...
 
static encodeAttribute ( $text)
 Encode an attribute value for HTML output. More...
 
static safeEncodeAttribute ( $text)
 Encode an attribute value for HTML tags, with extra armoring against further wiki processing. More...
 
static escapeId ( $id)
 Given a value escape it so that it can be used in an id attribute and return it, this does not validate the value however (see first link) More...
 
static escapeClass ( $class)
 Given a value, escape it so that it can be used as a CSS class and return it. More...
 
static decodeTagAttributes ( $text)
 Return an associative array of attribute names and values from a partial tag string. More...
 
static normalizeCharReferencesCallback ( $matches)
 
static normalizeEntity ( $name)
 If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is. More...
 
static decCharReference ( $codepoint)
 
static hexCharReference ( $codepoint)
 
static decodeCharReferences ( $text)
 Decode any character references, numeric or named entities, in the text and return a UTF-8 string. More...
 
static decodeCharReferencesCallback ( $matches)
 
static decodeEntity ( $name)
 If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character. More...
 
static attributeWhitelist ( $element)
 Fetch the whitelist of acceptable attributes for a given element name. More...
 
static setupAttributeWhitelist ()
 
static stripAllTags ( $text)
 Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text. More...
 
static hackDocType ()
 Hack up a private DOCTYPE with HTML's standard entity declarations. More...
 
static cleanUrl ( $url, $hostname=true)
 

Static Private Member Functions

static removeHTMLtags ( $text, $processCallback=null, $args=array())
 Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments. More...
 
static removeHTMLcomments ( $text)
 Remove '', and everything between. More...
 
static armorLinksCallback ( $matches)
 Regex replace callback for armoring links against further processing. More...
 
static getTagAttributeCallback ( $set)
 Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches. More...
 
static normalizeAttributeValue ( $text)
 Normalize whitespace and character references in an XML source- encoded text for an attribute value. More...
 
static normalizeWhitespace ( $text)
 
static normalizeCharReferences ( $text)
 Ensure that any entities and character references are legal for XML and XHTML specifically. More...
 
static validateCodepoint ( $codepoint)
 Returns true if a given Unicode codepoint is a valid character in XML. More...
 
static decodeChar ( $codepoint)
 Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER. More...
 

Detailed Description

Definition at line 330 of file Sanitizer.php.

Member Function Documentation

◆ armorLinksCallback()

static Sanitizer::armorLinksCallback (   $matches)
staticprivate

Regex replace callback for armoring links against further processing.

Parameters
array$matches
Returns
string

Definition at line 777 of file Sanitizer.php.

779 {

◆ attributeWhitelist()

static Sanitizer::attributeWhitelist (   $element)
static

Fetch the whitelist of acceptable attributes for a given element name.

Parameters
string$element
Returns
array

Definition at line 1046 of file Sanitizer.php.

1048 {
1049 static $list;
1050 if( !isset( $list ) ) {
1051 $list = Sanitizer::setupAttributeWhitelist();
1052 }
1053 return isset( $list[$element] )
1054 ? $list[$element]
Sanitizer\setupAttributeWhitelist
static setupAttributeWhitelist()
Definition: Sanitizer.php:1060

◆ checkCss()

static Sanitizer::checkCss (   $value)
static

Pick apart some CSS and check it for forbidden or unsafe structures.

Returns a sanitized string, or false if it was just too evil.

Currently URL references, 'expression', 'tps' are forbidden.

Parameters
string$value
Returns
mixed

Definition at line 611 of file Sanitizer.php.

613 {
614 $stripped = Sanitizer::decodeCharReferences( $value );
615
616 // Remove any comments; IE gets token splitting wrong
617 $stripped = StringUtils::delimiterReplace( '/*', '*/', ' ', $stripped );
618
619 $value = $stripped;
620
621 // ... and continue checks
622 $stripped = preg_replace_callback(
623 '!\\\\([0-9A-Fa-f]{1,6})[ \\n\\r\\t\\f]?!',
624 function($hit){
625 return codepointToUtf8(hexdec($hit[1]));
626 },
627 $stripped
628 );
629 $stripped = str_replace( '\\', '', $stripped );
630 if( preg_match( '/(?:expression|tps*:\/\/|url\\s*\‍().*/is',
631 $stripped ) ) {
632 # haxx0r
633 return false;
634 }
635
codepointToUtf8
codepointToUtf8( $codepoint)
Return UTF-8 sequence for a given Unicode code point.
Definition: UtfNormalUtil.php:38
Sanitizer\decodeCharReferences
static decodeCharReferences( $text)
Decode any character references, numeric or named entities, in the text and return a UTF-8 string.
Definition: Sanitizer.php:978

◆ cleanUrl()

static Sanitizer::cleanUrl (   $url,
  $hostname = true 
)
static

NOTE: The original preg_replace/e IMPLICITLY adds a forward-slash on double quotes This could be a bug, but we will just mimic this behaviour 1:1 for now.

Definition at line 1237 of file Sanitizer.php.

1239 {
1240 # Normalize any HTML entities in input. They will be
1241 # re-escaped by makeExternalLink().
1242
1243 $url = Sanitizer::decodeCharReferences( $url );
1244
1245 # Escape any control characters introduced by the above step
1246 $url = preg_replace_callback(
1247 '/[\][<>"\\x00-\\x20\\x7F]/',
1248 function($hit) {
1249 if($hit[0] === '"') {
1255 return urlencode ('\\"');
1256 } else {
1257 return urlencode($hit[0]);
1258 }
1259 },
1260 $url
1261 );
1262
1263 # Validate hostname portion
1264 $matches = array();
1265 if( preg_match( '!^([^:]+:)(//[^/]+)?(.*)$!iD', $url, $matches ) ) {
1266 list( /* $whole */, $protocol, $host, $rest ) = $matches;
1267
1268 // Characters that will be ignored in IDNs.
1269 // http://tools.ietf.org/html/3454#section-3.1
1270 // Strip them before further processing so blacklists and such work.
1271 $strip = "/
1272 \\s| # general whitespace
1273 \xc2\xad| # 00ad SOFT HYPHEN
1274 \xe1\xa0\x86| # 1806 MONGOLIAN TODO SOFT HYPHEN
1275 \xe2\x80\x8b| # 200b ZERO WIDTH SPACE
1276 \xe2\x81\xa0| # 2060 WORD JOINER
1277 \xef\xbb\xbf| # feff ZERO WIDTH NO-BREAK SPACE
1278 \xcd\x8f| # 034f COMBINING GRAPHEME JOINER
1279 \xe1\xa0\x8b| # 180b MONGOLIAN FREE VARIATION SELECTOR ONE
1280 \xe1\xa0\x8c| # 180c MONGOLIAN FREE VARIATION SELECTOR TWO
1281 \xe1\xa0\x8d| # 180d MONGOLIAN FREE VARIATION SELECTOR THREE
1282 \xe2\x80\x8c| # 200c ZERO WIDTH NON-JOINER
1283 \xe2\x80\x8d| # 200d ZERO WIDTH JOINER
1284 [\xef\xb8\x80-\xef\xb8\x8f] # fe00-fe00f VARIATION SELECTOR-1-16
1285 /xuD";
1286
1287 $host = preg_replace( $strip, '', $host );
1288
1289 // @fixme: validate hostnames here
1290
1291 return $protocol . $host . $rest;
1292 } else {
1293 return $url;
$rest
$rest
Definition: goto.php:48
$url
$url
Definition: shib_logout.php:72

◆ decCharReference()

static Sanitizer::decCharReference (   $codepoint)
static

Definition at line 937 of file Sanitizer.php.

939 {
940 $point = intval( $codepoint );
941 if( Sanitizer::validateCodepoint( $point ) ) {
942 return sprintf( '&#%d;', $point );
943 } else {
944 return null;
sprintf
sprintf('%.4f', $callTime)
Definition: 01pharSimple.php:87
Sanitizer\validateCodepoint
static validateCodepoint( $codepoint)
Returns true if a given Unicode codepoint is a valid character in XML.
Definition: Sanitizer.php:960

◆ decodeChar()

static Sanitizer::decodeChar (   $codepoint)
staticprivate

Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEMENT CHARACTER.

Parameters
int$codepoint
Returns
string

Definition at line 1010 of file Sanitizer.php.

1012 {
1013 if( Sanitizer::validateCodepoint( $codepoint ) ) {
1014 return codepointToUtf8( $codepoint );
1015 } else {
1016 return UTF8_REPLACEMENT;
UTF8_REPLACEMENT
const UTF8_REPLACEMENT
Definition: UtfNormal.php:68

◆ decodeCharReferences()

static Sanitizer::decodeCharReferences (   $text)
static

Decode any character references, numeric or named entities, in the text and return a UTF-8 string.

Parameters
string$text
Returns
string

Definition at line 978 of file Sanitizer.php.

980 {
981 return preg_replace_callback(
982 MW_CHAR_REFS_REGEX,
983 array( 'Sanitizer', 'decodeCharReferencesCallback' ),
MW_CHAR_REFS_REGEX
const MW_CHAR_REFS_REGEX
Regular expression to match various types of character references in Sanitizer::normalizeCharReferenc...
Definition: Sanitizer.php:30

Referenced by Title\escapeFragmentForURL(), and Title\newFromText().

+ Here is the caller graph for this function:

◆ decodeCharReferencesCallback()

static Sanitizer::decodeCharReferencesCallback (   $matches)
static
Parameters
string$matches
Returns
string

Definition at line 989 of file Sanitizer.php.

991 {
992 if( $matches[1] != '' ) {
993 return Sanitizer::decodeEntity( $matches[1] );
994 } elseif( $matches[2] != '' ) {
995 return Sanitizer::decodeChar( intval( $matches[2] ) );
996 } elseif( $matches[3] != '' ) {
997 return Sanitizer::decodeChar( hexdec( $matches[3] ) );
998 } elseif( $matches[4] != '' ) {
999 return Sanitizer::decodeChar( hexdec( $matches[4] ) );
1000 }
1001 # Last case should be an ampersand by itself
Sanitizer\decodeChar
static decodeChar( $codepoint)
Return UTF-8 string for a codepoint if that is a valid character reference, otherwise U+FFFD REPLACEM...
Definition: Sanitizer.php:1010
Sanitizer\decodeEntity
static decodeEntity( $name)
If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that chara...
Definition: Sanitizer.php:1026

◆ decodeEntity()

static Sanitizer::decodeEntity (   $name)
static

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the UTF-8 encoding of that character.

Otherwise, returns pseudo-entity source (eg &foo;)

Parameters
string$name
Returns
string

Definition at line 1026 of file Sanitizer.php.

1028 {
1029 global $wgHtmlEntities, $wgHtmlEntityAliases;
1030
1031 if ( isset( $wgHtmlEntityAliases[$name] ) ) {
1032 $name = $wgHtmlEntityAliases[$name];
1033 }
1034 if( isset( $wgHtmlEntities[$name] ) ) {
1035 return codepointToUtf8( $wgHtmlEntities[$name] );
1036 } else {
1037 return "&$name;";
$wgHtmlEntities
global $wgHtmlEntities
List of all named character entities defined in HTML 4.01 http://www.w3.org/TR/html4/sgml/entities....
Definition: Sanitizer.php:61
$wgHtmlEntityAliases
global $wgHtmlEntityAliases
Character entity aliases accepted by MediaWiki.
Definition: Sanitizer.php:319

◆ decodeTagAttributes()

static Sanitizer::decodeTagAttributes (   $text)
static

Return an associative array of attribute names and values from a partial tag string.

Attribute names are forces to lowercase, character references are decoded to UTF-8 text.

Parameters
string
Returns
array

Definition at line 789 of file Sanitizer.php.

791 {
792 $attribs = array();
793
794 if( trim( $text ) == '' ) {
795 return $attribs;
796 }
797
798 $pairs = array();
799 if( !preg_match_all(
800 MW_ATTRIBS_REGEX,
801 $text,
802 $pairs,
803 PREG_SET_ORDER ) ) {
804 return $attribs;
805 }
806
807 foreach( $pairs as $set ) {
808 $attribute = strtolower( $set[1] );
809 $value = Sanitizer::getTagAttributeCallback( $set );
810
811 // Normalize whitespace
812 $value = preg_replace( '/[\t\r\n ]+/', ' ', $value );
813 $value = trim( $value );
814
815 // Decode character references
816 $attribs[$attribute] = Sanitizer::decodeCharReferences( $value );
817 }
MW_ATTRIBS_REGEX
const MW_ATTRIBS_REGEX
Definition: Sanitizer.php:43
Sanitizer\getTagAttributeCallback
static getTagAttributeCallback( $set)
Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches.
Definition: Sanitizer.php:827
$text
$text
Definition: example_020.php:127

◆ encodeAttribute()

static Sanitizer::encodeAttribute (   $text)
static

Encode an attribute value for HTML output.

Parameters
$text
Returns
HTML-encoded text fragment

Definition at line 679 of file Sanitizer.php.

681 {
682 $encValue = htmlspecialchars( $text );
683
684 // Whitespace is normalized during attribute decoding,
685 // so if we've been passed non-spaces we must encode them
686 // ahead of time or they won't be preserved.
687 $encValue = strtr( $encValue, array(
688 "\n" => '&#10;',
689 "\r" => '&#13;',
690 "\t" => '&#9;',
691 ) );
692

◆ escapeClass()

static Sanitizer::escapeClass (   $class)
static

Given a value, escape it so that it can be used as a CSS class and return it.

Todo:
For extra validity, input should be validated UTF-8.
See also
http://www.w3.org/TR/CSS21/syndata.html Valid characters/format
Parameters
string$class
Returns
string

Definition at line 763 of file Sanitizer.php.

765 {
766 // Convert ugly stuff to underscores and kill underscores in ugly places
767 return rtrim(preg_replace(
768 array('/(^[0-9\\-])|[\\x00-\\x20!"#$%&\'()*+,.\\/:;<=>?@[\\]^`{|}~]|\\xC2\\xA0/','/_+/'),
769 '_',

◆ escapeId()

static Sanitizer::escapeId (   $id)
static

Given a value escape it so that it can be used in an id attribute and return it, this does not validate the value however (see first link)

See also
http://www.w3.org/TR/html401/types.html#type-name Valid characters in the id and name attributes
http://www.w3.org/TR/html401/struct/links.html#h-12.2.3 Anchors with the id attribute
Parameters
string$id
Returns
string

Definition at line 741 of file Sanitizer.php.

743 {
744 static $replace = array(
745 '%3A' => ':',
746 '%' => '.'
747 );
748
749 $id = urlencode( Sanitizer::decodeCharReferences( strtr( $id, ' ', '_' ) ) );
750

◆ fixTagAttributes()

static Sanitizer::fixTagAttributes (   $text,
  $element 
)
static

Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML, discarding unwanted attributes.

Output is safe for further wikitext processing, with escaping of values that could trigger problems.

  • Normalizes attribute names to lowercase
  • Discards attributes not on a whitelist for the given element
  • Turns broken or invalid entities into plaintext
  • Double-quotes all attribute values
  • Attributes without values are given the name as attribute
  • Double attributes are discarded
  • Unsafe style attributes are discarded
  • Prepends space if there are attributes.
Parameters
string$text
string$element
Returns
string

Definition at line 656 of file Sanitizer.php.

658 {
659 if( trim( $text ) == '' ) {
660 return '';
661 }
662
663 $stripped = Sanitizer::validateTagAttributes(
664 Sanitizer::decodeTagAttributes( $text ), $element );
665
666 $attribs = array();
667 foreach( $stripped as $attribute => $value ) {
668 $encAttribute = htmlspecialchars( $attribute );
669 $encValue = Sanitizer::safeEncodeAttribute( $value );
670
671 $attribs[] = "$encAttribute=\"$encValue\"";
672 }
Sanitizer\validateTagAttributes
static validateTagAttributes( $attribs, $element)
Take an array of attribute names and values and normalize or discard illegal values for the given ele...
Definition: Sanitizer.php:575
Sanitizer\decodeTagAttributes
static decodeTagAttributes( $text)
Return an associative array of attribute names and values from a partial tag string.
Definition: Sanitizer.php:789
Sanitizer\safeEncodeAttribute
static safeEncodeAttribute( $text)
Encode an attribute value for HTML tags, with extra armoring against further wiki processing.
Definition: Sanitizer.php:700

◆ getTagAttributeCallback()

static Sanitizer::getTagAttributeCallback (   $set)
staticprivate

Pick the appropriate attribute value from a match set from the MW_ATTRIBS_REGEX matches.

Parameters
array$set
Returns
string

Definition at line 827 of file Sanitizer.php.

829 {
830 if( isset( $set[6] ) ) {
831 # Illegal #XXXXXX color with no quotes.
832 return $set[6];
833 } elseif( isset( $set[5] ) ) {
834 # No quotes.
835 return $set[5];
836 } elseif( isset( $set[4] ) ) {
837 # Single-quoted
838 return $set[4];
839 } elseif( isset( $set[3] ) ) {
840 # Double-quoted
841 return $set[3];
842 } elseif( !isset( $set[2] ) ) {
843 # In XHTML, attributes must have a value.
844 # For 'reduced' form, return explicitly the attribute name here.
845 return $set[1];
846 } else {
847 throw new MWException( "Tag conditions not met. This should never happen and is a bug." );

◆ hackDocType()

static Sanitizer::hackDocType ( )
static

Hack up a private DOCTYPE with HTML's standard entity declarations.

PHP 4 seemed to know these if you gave it an HTML doctype, but PHP 5.1 doesn't.

Use for passing XHTML fragments to PHP's XML parsing functions

Returns
string

Definition at line 1227 of file Sanitizer.php.

1229 {
1230 global $wgHtmlEntities;
1231 $out = "<!DOCTYPE html [\n";
1232 foreach( $wgHtmlEntities as $entity => $codepoint ) {
1233 $out .= "<!ENTITY $entity \"&#$codepoint;\">";
1234 }
1235 $out .= "]>\n";

◆ hexCharReference()

static Sanitizer::hexCharReference (   $codepoint)
static

Definition at line 946 of file Sanitizer.php.

948 {
949 $point = hexdec( $codepoint );
950 if( Sanitizer::validateCodepoint( $point ) ) {
951 return sprintf( '&#x%x;', $point );
952 } else {
953 return null;

◆ normalizeAttributeValue()

static Sanitizer::normalizeAttributeValue (   $text)
staticprivate

Normalize whitespace and character references in an XML source- encoded text for an attribute value.

See http://www.w3.org/TR/REC-xml/#AVNormalize for background, but note that we're not returning the value, but are returning XML source fragments that will be slapped into output.

Parameters
string$text
Returns
string

Definition at line 861 of file Sanitizer.php.

863 {
864 return str_replace( '"', '&quot;',
865 self::normalizeWhitespace(

◆ normalizeCharReferences()

static Sanitizer::normalizeCharReferences (   $text)
staticprivate

Ensure that any entities and character references are legal for XML and XHTML specifically.

Any stray bits will be &-escaped to result in a valid text fragment.

a. any named char refs must be known in XHTML b. any numeric char refs must be legal chars, not invalid or forbidden c. use &#x, not &#X d. fix or reject non-valid attributes

Parameters
string$text
Returns
string

Definition at line 888 of file Sanitizer.php.

890 {
891 return preg_replace_callback(
892 MW_CHAR_REFS_REGEX,
893 array( 'Sanitizer', 'normalizeCharReferencesCallback' ),

◆ normalizeCharReferencesCallback()

static Sanitizer::normalizeCharReferencesCallback (   $matches)
static
Parameters
string$matches
Returns
string

Definition at line 898 of file Sanitizer.php.

900 {
901 $ret = null;
902 if( $matches[1] != '' ) {
903 $ret = Sanitizer::normalizeEntity( $matches[1] );
904 } elseif( $matches[2] != '' ) {
905 $ret = Sanitizer::decCharReference( $matches[2] );
906 } elseif( $matches[3] != '' ) {
907 $ret = Sanitizer::hexCharReference( $matches[3] );
908 } elseif( $matches[4] != '' ) {
909 $ret = Sanitizer::hexCharReference( $matches[4] );
910 }
911 if( is_null( $ret ) ) {
912 return htmlspecialchars( $matches[0] );
913 } else {
914 return $ret;
Sanitizer\decCharReference
static decCharReference( $codepoint)
Definition: Sanitizer.php:937
Sanitizer\normalizeEntity
static normalizeEntity( $name)
If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is...
Definition: Sanitizer.php:926
Sanitizer\hexCharReference
static hexCharReference( $codepoint)
Definition: Sanitizer.php:946
$ret
$ret
Definition: parser.php:6

◆ normalizeEntity()

static Sanitizer::normalizeEntity (   $name)
static

If the named entity is defined in the HTML 4.0/XHTML 1.0 DTD, return the named entity reference as is.

If the entity is a MediaWiki-specific alias, returns the HTML equivalent. Otherwise, returns HTML-escaped text of pseudo-entity source (eg &foo;)

Parameters
string$name
Returns
string

Definition at line 926 of file Sanitizer.php.

928 {
929 global $wgHtmlEntities, $wgHtmlEntityAliases;
930 if ( isset( $wgHtmlEntityAliases[$name] ) ) {
931 return "&{$wgHtmlEntityAliases[$name]};";
932 } elseif( isset( $wgHtmlEntities[$name] ) ) {
933 return "&$name;";
934 } else {
935 return "&amp;$name;";

◆ normalizeWhitespace()

static Sanitizer::normalizeWhitespace (   $text)
staticprivate

Definition at line 867 of file Sanitizer.php.

869 {
870 return preg_replace(
871 '/\r\n|[\x20\x0d\x0a\x09]/',
872 ' ',

◆ removeHTMLcomments()

static Sanitizer::removeHTMLcomments (   $text)
staticprivate

Remove '', and everything between.

To avoid leaving blank lines, when a comment is both preceded and followed by a newline (ignoring spaces), trim leading and trailing spaces and one of the newlines.

Parameters
string$text
Returns
string

Definition at line 526 of file Sanitizer.php.

528 {
529 wfProfileIn( __METHOD__ );
530 while (($start = strpos($text, '<!--')) !== false) {
531 $end = strpos($text, '-->', $start + 4);
532 if ($end === false) {
533 # Unterminated comment; bail out
534 break;
535 }
536
537 $end += 3;
538
539 # Trim space and newline if the comment is both
540 # preceded and followed by a newline
541 $spaceStart = max($start - 1, 0);
542 $spaceLen = $end - $spaceStart;
543 while (substr($text, $spaceStart, 1) === ' ' && $spaceStart > 0) {
544 $spaceStart--;
545 $spaceLen++;
546 }
547 while (substr($text, $spaceStart + $spaceLen, 1) === ' ')
548 $spaceLen++;
549 if (substr($text, $spaceStart, 1) === "\n" and substr($text, $spaceStart + $spaceLen, 1) === "\n") {
550 # Remove the comment, leading and trailing
551 # spaces, and leave only one newline.
552 $text = substr_replace($text, "\n", $spaceStart, $spaceLen + 1);
553 }
554 else {
555 # Remove just the comment.
556 $text = substr_replace($text, '', $start, $end - $start);
557 }
558 }
559 wfProfileOut( __METHOD__ );

◆ removeHTMLtags()

static Sanitizer::removeHTMLtags (   $text,
  $processCallback = null,
  $args = array() 
)
staticprivate

Cleans up HTML, removes dangerous tags and attributes, and removes HTML comments.

Parameters
string$text
callback$processCallbackto do any variable or parameter replacements in HTML attribute values
array$argsfor the processing callback
Returns
string

Definition at line 340 of file Sanitizer.php.

342 {
343 global $wgUseTidy;
344
345 static $htmlpairs, $htmlsingle, $htmlsingleonly, $htmlnest, $tabletags,
346 $htmllist, $listtags, $htmlsingleallowed, $htmlelements, $staticInitialised;
347
348 wfProfileIn( __METHOD__ );
349
350 if ( !$staticInitialised ) {
351
352 $htmlpairs = array( # Tags that must be closed
353 'b', 'del', 'i', 'ins', 'u', 'font', 'big', 'small', 'sub', 'sup', 'h1',
354 'h2', 'h3', 'h4', 'h5', 'h6', 'cite', 'code', 'em', 's',
355 'strike', 'strong', 'tt', 'var', 'div', 'center',
356 'blockquote', 'ol', 'ul', 'dl', 'table', 'caption', 'pre',
357 'ruby', 'rt' , 'rb' , 'rp', 'p', 'span', 'u'
358 );
359 $htmlsingle = array(
360 'br', 'hr', 'li', 'dt', 'dd'
361 );
362 $htmlsingleonly = array( # Elements that cannot have close tags
363 'br', 'hr'
364 );
365 $htmlnest = array( # Tags that can be nested--??
366 'table', 'tr', 'td', 'th', 'div', 'blockquote', 'ol', 'ul',
367 'dl', 'font', 'big', 'small', 'sub', 'sup', 'span'
368 );
369 $tabletags = array( # Can only appear inside table, we will close them
370 'td', 'th', 'tr',
371 );
372 $htmllist = array( # Tags used by list
373 'ul','ol',
374 );
375 $listtags = array( # Tags that can appear in a list
376 'li',
377 );
378
379 $htmlsingleallowed = array_merge( $htmlsingle, $tabletags );
380 $htmlelements = array_merge( $htmlsingle, $htmlpairs, $htmlnest );
381
382 # Convert them all to hashtables for faster lookup
383 $vars = array( 'htmlpairs', 'htmlsingle', 'htmlsingleonly', 'htmlnest', 'tabletags',
384 'htmllist', 'listtags', 'htmlsingleallowed', 'htmlelements' );
385 foreach ( $vars as $var ) {
386 $$var = array_flip( $$var );
387 }
388 $staticInitialised = true;
389 }
390
391 # Remove HTML comments
392 $text = Sanitizer::removeHTMLcomments( $text );
393 $bits = explode( '<', $text );
394 $text = str_replace( '>', '&gt;', array_shift( $bits ) );
395 if(!$wgUseTidy) {
396 $tagstack = $tablestack = array();
397 foreach ( $bits as $x ) {
398 $regs = array();
399 if( preg_match( '!^(/?)(\\w+)([^>]*?)(/{0,1}>)([^<]*)$!', $x, $regs ) ) {
400 list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
401 } else {
402 $slash = $t = $params = $brace = $rest = null;
403 }
404
405 $badtag = 0 ;
406 if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
407 # Check our stack
408 if ( $slash ) {
409 # Closing a tag...
410 if( isset( $htmlsingleonly[$t] ) ) {
411 $badtag = 1;
412 } elseif ( ( $ot = @array_pop( $tagstack ) ) != $t ) {
413 if ( isset( $htmlsingleallowed[$ot] ) ) {
414 # Pop all elements with an optional close tag
415 # and see if we find a match below them
416 $optstack = array();
417 array_push ($optstack, $ot);
418 while ( ( ( $ot = @array_pop( $tagstack ) ) != $t ) &&
419 isset( $htmlsingleallowed[$ot] ) )
420 {
421 array_push ($optstack, $ot);
422 }
423 if ( $t != $ot ) {
424 # No match. Push the optinal elements back again
425 $badtag = 1;
426 while ( $ot = @array_pop( $optstack ) ) {
427 array_push( $tagstack, $ot );
428 }
429 }
430 } else {
431 @array_push( $tagstack, $ot );
432 # <li> can be nested in <ul> or <ol>, skip those cases:
433 if(!(isset( $htmllist[$ot] ) && isset( $listtags[$t] ) )) {
434 $badtag = 1;
435 }
436 }
437 } else {
438 if ( $t == 'table' ) {
439 $tagstack = array_pop( $tablestack );
440 }
441 }
442 $newparams = '';
443 } else {
444 # Keep track for later
445 if ( isset( $tabletags[$t] ) &&
446 ! in_array( 'table', $tagstack ) ) {
447 $badtag = 1;
448 } else if ( in_array( $t, $tagstack ) &&
449 ! isset( $htmlnest [$t ] ) ) {
450 $badtag = 1 ;
451 # Is it a self closed htmlpair ? (bug 5487)
452 } else if( $brace == '/>' &&
453 isset( $htmlpairs[$t] ) ) {
454 $badtag = 1;
455 } elseif( isset( $htmlsingleonly[$t] ) ) {
456 # Hack to force empty tag for uncloseable elements
457 $brace = '/>';
458 } else if( isset( $htmlsingle[$t] ) ) {
459 # Hack to not close $htmlsingle tags
460 $brace = NULL;
461 } else if( isset( $tabletags[$t] )
462 && in_array($t ,$tagstack) ) {
463 // New table tag but forgot to close the previous one
464 $text .= "</$t>";
465 } else {
466 if ( $t == 'table' ) {
467 array_push( $tablestack, $tagstack );
468 $tagstack = array();
469 }
470 array_push( $tagstack, $t );
471 }
472
473 # Replace any variables or template parameters with
474 # plaintext results.
475 if( is_callable( $processCallback ) ) {
476 call_user_func_array( $processCallback, array( &$params, $args ) );
477 }
478
479 # Strip non-approved attributes from the tag
480 $newparams = Sanitizer::fixTagAttributes( $params, $t );
481 }
482 if ( ! $badtag ) {
483 $rest = str_replace( '>', '&gt;', $rest );
484 $close = ( $brace == '/>' && !$slash ) ? ' /' : '';
485 $text .= "<$slash$t$newparams$close>$rest";
486 continue;
487 }
488 }
489 $text .= '&lt;' . str_replace( '>', '&gt;', $x);
490 }
491 # Close off any remaining tags
492 while ( is_array( $tagstack ) && ($t = array_pop( $tagstack )) ) {
493 $text .= "</$t>\n";
494 if ( $t == 'table' ) { $tagstack = array_pop( $tablestack ); }
495 }
496 } else {
497 # this might be possible using tidy itself
498 foreach ( $bits as $x ) {
499 preg_match( '/^(\\/?)(\\w+)([^>]*?)(\\/{0,1}>)([^<]*)$/',
500 $x, $regs );
501 @list( /* $qbar */, $slash, $t, $params, $brace, $rest ) = $regs;
502 if ( isset( $htmlelements[$t = strtolower( $t )] ) ) {
503 if( is_callable( $processCallback ) ) {
504 call_user_func_array( $processCallback, array( &$params, $args ) );
505 }
506 $newparams = Sanitizer::fixTagAttributes( $params, $t );
507 $rest = str_replace( '>', '&gt;', $rest );
508 $text .= "<$slash$t$newparams$brace$rest";
509 } else {
510 $text .= '&lt;' . str_replace( '>', '&gt;', $x);
511 }
512 }
513 }
514 wfProfileOut( __METHOD__ );
Sanitizer\fixTagAttributes
static fixTagAttributes( $text, $element)
Take a tag soup fragment listing an HTML element's attributes and normalize it to well-formed XML,...
Definition: Sanitizer.php:656
Sanitizer\removeHTMLcomments
static removeHTMLcomments( $text)
Remove '', and everything between.
Definition: Sanitizer.php:526
$x
$x
Definition: example_009.php:98
$params
$params
Definition: example_049.php:96

◆ safeEncodeAttribute()

static Sanitizer::safeEncodeAttribute (   $text)
static

Encode an attribute value for HTML tags, with extra armoring against further wiki processing.

Parameters
$text
Returns
HTML-encoded text fragment

Definition at line 700 of file Sanitizer.php.

702 {
703 $encValue = Sanitizer::encodeAttribute( $text );
704
705 # Templates and links may be expanded in later parsing,
706 # creating invalid or dangerous output. Suppress this.
707 $encValue = strtr( $encValue, array(
708 '<' => '&lt;', // This should never happen,
709 '>' => '&gt;', // we've received invalid input
710 '"' => '&quot;', // which should have been escaped.
711 '{' => '&#123;',
712 '[' => '&#91;',
713 "''" => '&#39;&#39;',
714 'ISBN' => '&#73;SBN',
715 'RFC' => '&#82;FC',
716 'PMID' => '&#80;MID',
717 '|' => '&#124;',
718 '__' => '&#95;_',
719 ) );
720
721 # Stupid hack
722 $encValue = preg_replace_callback(
723 '/(' . wfUrlProtocols() . ')/',
724 array( 'Sanitizer', 'armorLinksCallback' ),
725 $encValue );
Sanitizer\encodeAttribute
static encodeAttribute( $text)
Encode an attribute value for HTML output.
Definition: Sanitizer.php:679
wfUrlProtocols
wfUrlProtocols()
Returns a regular expression of url protocols.
Definition: class.ilMWParserAdapter.php:26

◆ setupAttributeWhitelist()

static Sanitizer::setupAttributeWhitelist ( )
static
Todo:
Document it a bit
Returns
array

Definition at line 1060 of file Sanitizer.php.

1062 {
1063 $common = array( 'id', 'class', 'lang', 'dir', 'title', 'style' );
1064 $block = array_merge( $common, array( 'align' ) );
1065 $tablealign = array( 'align', 'char', 'charoff', 'valign' );
1066 $tablecell = array( 'abbr',
1067 'axis',
1068 'headers',
1069 'scope',
1070 'rowspan',
1071 'colspan',
1072 'nowrap', # deprecated
1073 'width', # deprecated
1074 'height', # deprecated
1075 'bgcolor' # deprecated
1076 );
1077
1078 # Numbers refer to sections in HTML 4.01 standard describing the element.
1079 # See: http://www.w3.org/TR/html4/
1080 $whitelist = array (
1081 # 7.5.4
1082 'div' => $block,
1083 'center' => $common, # deprecated
1084 'span' => $block, # ??
1085
1086 # 7.5.5
1087 'h1' => $block,
1088 'h2' => $block,
1089 'h3' => $block,
1090 'h4' => $block,
1091 'h5' => $block,
1092 'h6' => $block,
1093
1094 # 7.5.6
1095 # address
1096
1097 # 8.2.4
1098 # bdo
1099
1100 # 9.2.1
1101 'em' => $common,
1102 'strong' => $common,
1103 'cite' => $common,
1104 # dfn
1105 'code' => $common,
1106 # samp
1107 # kbd
1108 'var' => $common,
1109 # abbr
1110 # acronym
1111
1112 # 9.2.2
1113 'blockquote' => array_merge( $common, array( 'cite' ) ),
1114 # q
1115
1116 # 9.2.3
1117 'sub' => $common,
1118 'sup' => $common,
1119
1120 # 9.3.1
1121 'p' => $block,
1122
1123 # 9.3.2
1124 'br' => array( 'id', 'class', 'title', 'style', 'clear' ),
1125
1126 # 9.3.4
1127 'pre' => array_merge( $common, array( 'width' ) ),
1128
1129 # 9.4
1130 'ins' => array_merge( $common, array( 'cite', 'datetime' ) ),
1131 'del' => array_merge( $common, array( 'cite', 'datetime' ) ),
1132
1133 # 10.2
1134 'ul' => array_merge( $common, array( 'type' ) ),
1135 'ol' => array_merge( $common, array( 'type', 'start' ) ),
1136 'li' => array_merge( $common, array( 'type', 'value' ) ),
1137
1138 # 10.3
1139 'dl' => $common,
1140 'dd' => $common,
1141 'dt' => $common,
1142
1143 # 11.2.1
1144 'table' => array_merge( $common,
1145 array( 'summary', 'width', 'border', 'frame',
1146 'rules', 'cellspacing', 'cellpadding',
1147 'align', 'bgcolor',
1148 ) ),
1149
1150 # 11.2.2
1151 'caption' => array_merge( $common, array( 'align' ) ),
1152
1153 # 11.2.3
1154 'thead' => array_merge( $common, $tablealign ),
1155 'tfoot' => array_merge( $common, $tablealign ),
1156 'tbody' => array_merge( $common, $tablealign ),
1157
1158 # 11.2.4
1159 'colgroup' => array_merge( $common, array( 'span', 'width' ), $tablealign ),
1160 'col' => array_merge( $common, array( 'span', 'width' ), $tablealign ),
1161
1162 # 11.2.5
1163 'tr' => array_merge( $common, array( 'bgcolor' ), $tablealign ),
1164
1165 # 11.2.6
1166 'td' => array_merge( $common, $tablecell, $tablealign ),
1167 'th' => array_merge( $common, $tablecell, $tablealign ),
1168
1169 # 15.2.1
1170 'tt' => $common,
1171 'b' => $common,
1172 'i' => $common,
1173 'big' => $common,
1174 'small' => $common,
1175 'strike' => $common,
1176 's' => $common,
1177 'u' => $common,
1178
1179 # 15.2.2
1180 'font' => array_merge( $common, array( 'size', 'color', 'face' ) ),
1181 # basefont
1182
1183 # 15.3
1184 'hr' => array_merge( $common, array( 'noshade', 'size', 'width' ) ),
1185
1186 # XHTML Ruby annotation text module, simple ruby only.
1187 # http://www.w3c.org/TR/ruby/
1188 'ruby' => $common,
1189 # rbc
1190 # rtc
1191 'rb' => $common,
1192 'rt' => $common, #array_merge( $common, array( 'rbspan' ) ),
1193 'rp' => $common,
1194 );

◆ stripAllTags()

static Sanitizer::stripAllTags (   $text)
static

Take a fragment of (potentially invalid) HTML and return a version with any tags removed, encoded as plain text.

Warning: this return value must be further escaped for literal inclusion in HTML output as of 1.10!

Parameters
string$textHTML fragment
Returns
string

Definition at line 1206 of file Sanitizer.php.

1208 {
1209 # Actual <tags>
1210 $text = StringUtils::delimiterReplace( '<', '>', '', $text );
1211
1212 # Normalize &entities and whitespace
1213 $text = self::decodeCharReferences( $text );
1214 $text = self::normalizeWhitespace( $text );
1215
Sanitizer\normalizeWhitespace
static normalizeWhitespace( $text)
Definition: Sanitizer.php:867

◆ validateCodepoint()

static Sanitizer::validateCodepoint (   $codepoint)
staticprivate

Returns true if a given Unicode codepoint is a valid character in XML.

Parameters
int$codepoint
Returns
bool

Definition at line 960 of file Sanitizer.php.

962 {
963 return ($codepoint == 0x09)
964 || ($codepoint == 0x0a)
965 || ($codepoint == 0x0d)
966 || ($codepoint >= 0x20 && $codepoint <= 0xd7ff)
967 || ($codepoint >= 0xe000 && $codepoint <= 0xfffd)

◆ validateTagAttributes()

static Sanitizer::validateTagAttributes (   $attribs,
  $element 
)
static

Take an array of attribute names and values and normalize or discard illegal values for the given element type.

  • Discards attributes not on a whitelist for the given element
  • Unsafe style attributes are discarded
Parameters
array$attribs
string$element
Returns
array
Todo:

Check for legal values where the DTD limits things.

Check for unique id attribute :P

Definition at line 575 of file Sanitizer.php.

575 :P
576 */
577 static function validateTagAttributes( $attribs, $element ) {
578 $whitelist = array_flip( Sanitizer::attributeWhitelist( $element ) );
579 $out = array();
580 foreach( $attribs as $attribute => $value ) {
581 if( !isset( $whitelist[$attribute] ) ) {
582 continue;
583 }
584 # Strip javascript "expression" from stylesheets.
585 # http://msdn.microsoft.com/workshop/author/dhtml/overview/recalc.asp
586 if( $attribute == 'style' ) {
587 $value = Sanitizer::checkCss( $value );
588 if( $value === false ) {
589 # haxx0r
590 continue;
591 }
592 }
593
594 if ( $attribute === 'id' )
595 $value = Sanitizer::escapeId( $value );
596
597 // If this attribute was previously set, override it.
598 // Output should only have one attribute of each name.
599 $out[$attribute] = $value;
600 }
Sanitizer\checkCss
static checkCss( $value)
Pick apart some CSS and check it for forbidden or unsafe structures.
Definition: Sanitizer.php:611
Sanitizer\attributeWhitelist
static attributeWhitelist( $element)
Fetch the whitelist of acceptable attributes for a given element name.
Definition: Sanitizer.php:1046
Sanitizer\escapeId
static escapeId( $id)
Given a value escape it so that it can be used in an id attribute and return it, this does not valida...
Definition: Sanitizer.php:741
The documentation for this class was generated from the following file: