enshrined\svgSanitize\Sanitizer Class Reference

Collaboration diagram for enshrined\svgSanitize\Sanitizer:

Public Member Functions
	__construct ()
	getAllowedTags ()
	Get the array of allowed tags. More...
	setAllowedTags (TagInterface $allowedTags)
	Set custom allowed tags. More...
	getAllowedAttrs ()
	Get the array of allowed attributes. More...
	setAllowedAttrs (AttributeInterface $allowedAttrs)
	Set custom allowed attributes. More...
	removeRemoteReferences ($removeRemoteRefs=false)
	Should we remove references to remote files? More...
	sanitize ($dirty)
	Sanitize the passed string. More...
	minify ($shouldMinify=false)
	Should we minify the output? More...

Data Fields
const	SCRIPT_REGEX = '/(?:\w+script|data):/xi'
	Regex to catch script and data values in attributes. More...
const	REMOTE_REFERENCE_REGEX = '/url\(([\'"]?(?:http|https):)[\'"]?([^\'"\)]*)[\'"]?\)/xi'
	Regex to test for remote URLs in linked assets. More...

Protected Member Functions
	resetInternal ()
	Set up the DOMDocument. More...
	setUpBefore ()
	Set up libXML before we start. More...
	resetAfter ()
	Reset the class after use. More...
	removeDoctype ()
	Remove the XML Doctype It may be caught later on output but that seems to be buggy, so we need to make sure it's gone. More...
	startClean (\DOMNodeList $elements)
	Start the cleaning with tags, then we move onto attributes and hrefs later. More...
	cleanAttributesOnWhitelist (\DOMElement $element)
	Only allow attributes that are on the whitelist. More...
	cleanXlinkHrefs (\DOMElement &$element)
	Clean the xlink:hrefs of script and data embeds. More...
	cleanHrefs (\DOMElement &$element)
	Clean the hrefs of script and data embeds. More...
	hasRemoteReference ($value)
	Does this attribute value have a remote reference? More...

Protected Attributes
	$xmlDocument
	$allowedTags
	$allowedAttrs
	$xmlLoaderValue
	$minifyXML = false
	$removeRemoteReferences = false

Detailed Description

Definition at line 18 of file Sanitizer.php.

Constructor & Destructor Documentation

__construct()

enshrined\svgSanitize\Sanitizer::__construct

(

)

Definition at line 64 of file Sanitizer.php.

References enshrined\svgSanitize\data\AllowedAttributes\getAttributes(), enshrined\svgSanitize\data\AllowedTags\getTags(), and enshrined\svgSanitize\Sanitizer\resetInternal().

    {
        $this->resetInternal();

        // Load default tags/attributes
        $this->allowedAttrs = AllowedAttributes::getAttributes();
        $this->allowedTags = AllowedTags::getTags();
    }

Here is the call graph for this function:

Member Function Documentation

cleanAttributesOnWhitelist()

enshrined\svgSanitize\Sanitizer::cleanAttributesOnWhitelist ( \DOMElement  $element )

protected

Only allow attributes that are on the whitelist.

Parameters

\DOMElement

$element

Definition at line 256 of file Sanitizer.php.

References $x, enshrined\svgSanitize\Sanitizer\hasRemoteReference(), and enshrined\svgSanitize\Sanitizer\removeRemoteReferences().

Referenced by enshrined\svgSanitize\Sanitizer\startClean().

    {
        for ($x = $element->attributes->length - 1; $x >= 0; $x--) {
            // get attribute name
            $attrName = $element->attributes->item($x)->name;

            // Remove attribute if not in whitelist
            if (!in_array(strtolower($attrName), $this->allowedAttrs)) {
                $element->removeAttribute($attrName);
            }

            // Do we want to strip remote references?
            if($this->removeRemoteReferences) {
                // Remove attribute if it has a remote reference
                if (isset($element->attributes->item($x)->value) && $this->hasRemoteReference($element->attributes->item($x)->value)) {
                    $element->removeAttribute($attrName);
                }
            }
        }
    }

Here is the call graph for this function:

Here is the caller graph for this function:

cleanHrefs()

enshrined\svgSanitize\Sanitizer::cleanHrefs ( \DOMElement &  $element )

protected

Clean the hrefs of script and data embeds.

Parameters

\DOMElement

$element

Definition at line 295 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\startClean().

    {
        $href = $element->getAttribute('href');
        if (preg_match(self::SCRIPT_REGEX, $href) === 1) {
            $element->removeAttribute('href');
        }
    }

Here is the caller graph for this function:

cleanXlinkHrefs()

enshrined\svgSanitize\Sanitizer::cleanXlinkHrefs ( \DOMElement &  $element )

protected

Clean the xlink:hrefs of script and data embeds.

Parameters

\DOMElement

$element

Definition at line 282 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\startClean().

    {
        $xlinks = $element->getAttributeNS('http://www.w3.org/1999/xlink', 'href');
        if (preg_match(self::SCRIPT_REGEX, $xlinks) === 1) {
            $element->removeAttributeNS('http://www.w3.org/1999/xlink', 'href');
        }
    }

Here is the caller graph for this function:

getAllowedAttrs()

enshrined\svgSanitize\Sanitizer::getAllowedAttrs

(

)

Get the array of allowed attributes.

Returns

array

Definition at line 114 of file Sanitizer.php.

References enshrined\svgSanitize\Sanitizer\$allowedAttrs.

    {
        return $this->allowedAttrs;
    }

getAllowedTags()

enshrined\svgSanitize\Sanitizer::getAllowedTags

(

)

Get the array of allowed tags.

Returns

array

Definition at line 94 of file Sanitizer.php.

References enshrined\svgSanitize\Sanitizer\$allowedTags.

    {
        return $this->allowedTags;
    }

hasRemoteReference()

enshrined\svgSanitize\Sanitizer::hasRemoteReference (   $value )

protected

Does this attribute value have a remote reference?

Parameters

$value

Returns

bool

Definition at line 309 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\cleanAttributesOnWhitelist().

    {
        if (preg_match(self::REMOTE_REFERENCE_REGEX, $value) === 1) {
            return true;
        }

        return false;
    }

Here is the caller graph for this function:

minify()

enshrined\svgSanitize\Sanitizer::minify

(

$shouldMinify = false

)

Should we minify the output?

Parameters

bool

$shouldMinify

Definition at line 323 of file Sanitizer.php.

    {
        $this->minifyXML = (bool) $shouldMinify;
    }

removeDoctype()

enshrined\svgSanitize\Sanitizer::removeDoctype ( )

protected

Remove the XML Doctype It may be caught later on output but that seems to be buggy, so we need to make sure it's gone.

Definition at line 215 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

    {
        foreach ($this->xmlDocument->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                $child->parentNode->removeChild($child);
            }
        }
    }

Here is the caller graph for this function:

removeRemoteReferences()

enshrined\svgSanitize\Sanitizer::removeRemoteReferences

(

$removeRemoteRefs = false

)

Should we remove references to remote files?

Parameters

bool

$removeRemoteRefs

Definition at line 134 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\cleanAttributesOnWhitelist().

    {
        $this->removeRemoteReferences = $removeRemoteRefs;
    }

Here is the caller graph for this function:

resetAfter()

enshrined\svgSanitize\Sanitizer::resetAfter ( )

protected

Reset the class after use.

Definition at line 202 of file Sanitizer.php.

References enshrined\svgSanitize\Sanitizer\resetInternal().

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

    {
        // Reset DOMDocument to a clean state in case we use it again
        $this->resetInternal();

        // Reset the entity loader3
        libxml_disable_entity_loader($this->xmlLoaderValue);
    }

Here is the call graph for this function:

Here is the caller graph for this function:

resetInternal()

enshrined\svgSanitize\Sanitizer::resetInternal ( )

protected

Set up the DOMDocument.

Definition at line 76 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\__construct(), and enshrined\svgSanitize\Sanitizer\resetAfter().

    {
        $this->xmlDocument = new DOMDocument();
        $this->xmlDocument->preserveWhiteSpace = false;
        $this->xmlDocument->strictErrorChecking = false;
        $this->xmlDocument->formatOutput = true;

        // Maybe don't format the output
        if($this->minifyXML) {
            $this->xmlDocument->formatOutput = false;
        }
    }

Here is the caller graph for this function:

sanitize()

enshrined\svgSanitize\Sanitizer::sanitize

(

$dirty

)

Sanitize the passed string.

Parameters

string

$dirty

Returns

string

Definition at line 145 of file Sanitizer.php.

References enshrined\svgSanitize\Sanitizer\removeDoctype(), enshrined\svgSanitize\Sanitizer\resetAfter(), enshrined\svgSanitize\Sanitizer\setUpBefore(), and enshrined\svgSanitize\Sanitizer\startClean().

    {
        // Don't run on an empty string
        if (empty($dirty)) {
            return '';
        }

        // Strip php tags
        $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty);

        $this->setUpBefore();

        $loaded = $this->xmlDocument->loadXML($dirty);

        // If we couldn't parse the XML then we go no further. Reset and return false
        if (!$loaded) {
            $this->resetAfter();
            return false;
        }

        $this->removeDoctype();

        // Grab all the elements
        $allElements = $this->xmlDocument->getElementsByTagName("*");

        // Start the cleaning proccess
        $this->startClean($allElements);

        // Save cleaned XML to a variable
        $clean = $this->xmlDocument->saveXML($this->xmlDocument->documentElement, LIBXML_NOEMPTYTAG);

        $this->resetAfter();

        // Remove any extra whitespaces when minifying
        if($this->minifyXML) {
            $clean = preg_replace('/\s+/', ' ', $clean);
        }

        // Return result
        return $clean;
    }

Here is the call graph for this function:

setAllowedAttrs()

enshrined\svgSanitize\Sanitizer::setAllowedAttrs

(

AttributeInterface

$allowedAttrs

)

Set custom allowed attributes.

Parameters

AttributeInterface

$allowedAttrs

Definition at line 124 of file Sanitizer.php.

    {
        $this->allowedAttrs = $allowedAttrs::getAttributes();
    }

setAllowedTags()

enshrined\svgSanitize\Sanitizer::setAllowedTags

(

TagInterface

$allowedTags

)

Set custom allowed tags.

Parameters

TagInterface

$allowedTags

Definition at line 104 of file Sanitizer.php.

    {
        $this->allowedTags = $allowedTags::getTags();
    }

setUpBefore()

enshrined\svgSanitize\Sanitizer::setUpBefore ( )

protected

Set up libXML before we start.

Definition at line 190 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

    {
        // Turn off the entity loader
        $this->xmlLoaderValue = libxml_disable_entity_loader(true);

        // Suppress the errors because we don't really have to worry about formation before cleansing
        libxml_use_internal_errors(true);
    }

Here is the caller graph for this function:

startClean()

enshrined\svgSanitize\Sanitizer::startClean ( \DOMNodeList  $elements )

protected

Start the cleaning with tags, then we move onto attributes and hrefs later.

Parameters

\DOMNodeList

$elements

Definition at line 229 of file Sanitizer.php.

References enshrined\svgSanitize\Sanitizer\cleanAttributesOnWhitelist(), enshrined\svgSanitize\Sanitizer\cleanHrefs(), and enshrined\svgSanitize\Sanitizer\cleanXlinkHrefs().

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

    {
        // loop through all elements
        // we do this backwards so we don't skip anything if we delete a node
        // see comments at: http://php.net/manual/en/class.domnamednodemap.php
        for ($i = $elements->length - 1; $i >= 0; $i--) {
            $currentElement = $elements->item($i);

            // If the tag isn't in the whitelist, remove it and continue with next iteration
            if (!in_array(strtolower($currentElement->tagName), $this->allowedTags)) {
                $currentElement->parentNode->removeChild($currentElement);
                continue;
            }

            $this->cleanAttributesOnWhitelist($currentElement);

            $this->cleanXlinkHrefs($currentElement);

            $this->cleanHrefs($currentElement);
        }
    }

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

$allowedAttrs

enshrined\svgSanitize\Sanitizer::$allowedAttrs

protected

Definition at line 44 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\getAllowedAttrs().

$allowedTags

enshrined\svgSanitize\Sanitizer::$allowedTags

protected

Definition at line 39 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\getAllowedTags().

$minifyXML

enshrined\svgSanitize\Sanitizer::$minifyXML = false

protected

Definition at line 54 of file Sanitizer.php.

$removeRemoteReferences

enshrined\svgSanitize\Sanitizer::$removeRemoteReferences = false

protected

Definition at line 59 of file Sanitizer.php.

$xmlDocument

enshrined\svgSanitize\Sanitizer::$xmlDocument

protected

Definition at line 34 of file Sanitizer.php.

$xmlLoaderValue

enshrined\svgSanitize\Sanitizer::$xmlLoaderValue

protected

Definition at line 49 of file Sanitizer.php.

REMOTE_REFERENCE_REGEX

const enshrined\svgSanitize\Sanitizer::REMOTE_REFERENCE_REGEX = '/url\(([\'"]?(?:http|https):)[\'"]?([^\'"\)]*)[\'"]?\)/xi'

Regex to test for remote URLs in linked assets.

Definition at line 29 of file Sanitizer.php.

SCRIPT_REGEX

const enshrined\svgSanitize\Sanitizer::SCRIPT_REGEX = '/(?:\w+script|data):/xi'

Regex to catch script and data values in attributes.

Definition at line 24 of file Sanitizer.php.

---

The documentation for this class was generated from the following file:

• Services/MediaObjects/lib/svg-sanitizer-master/src/Sanitizer.php