Collaboration diagram for enshrined\svgSanitize\Sanitizer:

Public Member Functions
	__construct ()

	setXMLOptions ($xmlOptions)
	Set XML options to use when saving XML See: DOMDocument::saveXML. More...

	getXMLOptions ()
	Get XML options to use when saving XML See: DOMDocument::saveXML. More...

	getAllowedTags ()
	Get the array of allowed tags. More...

	setAllowedTags (TagInterface $allowedTags)
	Set custom allowed tags. More...

	getAllowedAttrs ()
	Get the array of allowed attributes. More...

	setAllowedAttrs (AttributeInterface $allowedAttrs)
	Set custom allowed attributes. More...

	removeRemoteReferences ($removeRemoteRefs=false)
	Should we remove references to remote files? More...

	getXmlIssues ()
	Get XML issues. More...

	sanitize ($dirty)
	Sanitize the passed string. More...

	minify ($shouldMinify=false)
	Should we minify the output? More...

	removeXMLTag ($removeXMLTag=false)
	Should we remove the XML tag in the header? More...

	useThreshold ($useThreshold=1000)
	Whether `<use ... xlink:href="#identifier">` elements shall be removed in case expansion would exceed this threshold. More...

	setUseNestingLimit ($limit)
	Set the nesting limit for <use> tags. More...

Protected Member Functions
	resetInternal ()
	Set up the DOMDocument. More...

	setUpBefore ()
	Set up libXML before we start. More...

	resetAfter ()
	Reset the class after use. More...

	removeDoctype ()
	Remove the XML Doctype It may be caught later on output but that seems to be buggy, so we need to make sure it's gone. More...

	cleanAttributesOnWhitelist (\DOMElement $element)
	Only allow attributes that are on the whitelist. More...

	cleanXlinkHrefs (\DOMElement $element)
	Clean the xlink:hrefs of script and data embeds. More...

	cleanHrefs (\DOMElement $element)
	Clean the hrefs of script and data embeds. More...

	isHrefSafeValue ($value)
	Only allow whitelisted starts to be within the href. More...

	removeNonPrintableCharacters ($value)
	Removes non-printable ASCII characters from string & trims it. More...

	hasRemoteReference ($value)
	Does this attribute value have a remote reference? More...

	isAriaAttribute ($attributeName)
	Check to see if an attribute is an aria attribute or not. More...

	isDataAttribute ($attributeName)
	Check to see if an attribute is an data attribute or not. More...

	isUseTagDirty (\DOMElement $element)
	Make sure our use tag is only referencing internal resources. More...

	isUseTagExceedingThreshold (\DOMElement $element)
	Determines whether `<use ... xlink:href="#identifier">` is expanded recursively in order to create DoS scenarios. More...

Protected Attributes
	$xmlDocument

	$allowedTags

	$allowedAttrs

	$xmlLoaderValue

	$minifyXML = false

	$removeRemoteReferences = false

	$useThreshold = 1000

	$removeXMLTag = false

	$xmlOptions = LIBXML_NOEMPTYTAG

	$xmlIssues = array()

	$elementReferenceResolver

	$useNestingLimit = 15

Detailed Description

Definition at line 18 of file Sanitizer.php.

Constructor & Destructor Documentation

◆ __construct()

enshrined\svgSanitize\Sanitizer::__construct ( )

Definition at line 84 of file Sanitizer.php.

    {
        // Load default tags/attributes
        $this->allowedAttrs = array_map('strtolower', AllowedAttributes::getAttributes());
        $this->allowedTags = array_map('strtolower', AllowedTags::getTags());
    }

References enshrined\svgSanitize\data\AllowedAttributes\getAttributes(), and enshrined\svgSanitize\data\AllowedTags\getTags().

Here is the call graph for this function:

Member Function Documentation

◆ cleanAttributesOnWhitelist()

enshrined\svgSanitize\Sanitizer::cleanAttributesOnWhitelist ( \DOMElement $element )

protected

Only allow attributes that are on the whitelist.

Parameters

\DOMElement $element

This is used for when a namespace isn't imported properly. Such as xlink:href when the xlink namespace isn't imported. We have to do this as the link is still ran in this case.

Definition at line 347 of file Sanitizer.php.

    {
        for ($x = $element->attributes->length - 1; $x >= 0; $x--) {
            // get attribute name
            $attrName = $element->attributes->item($x)->name;
 
            // Remove attribute if not in whitelist
            if (!in_array(strtolower($attrName), $this->allowedAttrs) && !$this->isAriaAttribute(strtolower($attrName)) && !$this->isDataAttribute(strtolower($attrName))) {
 
                $element->removeAttribute($attrName);
                $this->xmlIssues[] = array(
                    'message' => 'Suspicious attribute \'' . $attrName . '\'',
                    'line' => $element->getLineNo(),
                );
            }
 
            if (false !== strpos($attrName, 'href')) {
                $href = $element->getAttribute($attrName);
                if (false === $this->isHrefSafeValue($href)) {
                    $element->removeAttribute($attrName);
                    $this->xmlIssues[] = array(
                        'message' => 'Suspicious attribute \'href\'',
                        'line'    => $element->getLineNo(),
                    );
                }
            }
 
            // Do we want to strip remote references?
            if($this->removeRemoteReferences) {
                // Remove attribute if it has a remote reference
                if (isset($element->attributes->item($x)->value) && $this->hasRemoteReference($element->attributes->item($x)->value)) {
                    $element->removeAttribute($attrName);
                    $this->xmlIssues[] = array(
                        'message' => 'Suspicious attribute \'' . $attrName . '\'',
                        'line' => $element->getLineNo(),
                    );
                }
            }
        }
    }

References $x, enshrined\svgSanitize\Sanitizer\isAriaAttribute(), enshrined\svgSanitize\Sanitizer\isDataAttribute(), enshrined\svgSanitize\Sanitizer\isHrefSafeValue(), and enshrined\svgSanitize\Sanitizer\removeRemoteReferences().

Here is the call graph for this function:

◆ cleanHrefs()

enshrined\svgSanitize\Sanitizer::cleanHrefs ( \DOMElement $element )

protected

Clean the hrefs of script and data embeds.

Parameters

\DOMElement $element

Definition at line 415 of file Sanitizer.php.

    {
        $href = $element->getAttribute('href');
        if (false === $this->isHrefSafeValue($href)) {
            $element->removeAttribute('href');
            $this->xmlIssues[] = array(
                'message' => 'Suspicious attribute \'href\'',
                'line' => $element->getLineNo(),
            );
        }
    }

References enshrined\svgSanitize\Sanitizer\isHrefSafeValue().

Here is the call graph for this function:

◆ cleanXlinkHrefs()

enshrined\svgSanitize\Sanitizer::cleanXlinkHrefs ( \DOMElement $element )

protected

Clean the xlink:hrefs of script and data embeds.

Parameters

\DOMElement $element

Definition at line 398 of file Sanitizer.php.

    {
        $xlinks = $element->getAttributeNS('http://www.w3.org/1999/xlink', 'href');
        if (false === $this->isHrefSafeValue($xlinks)) {
            $element->removeAttributeNS( 'http://www.w3.org/1999/xlink', 'href' );
            $this->xmlIssues[] = array(
                'message' => 'Suspicious attribute \'href\'',
                'line' => $element->getLineNo(),
            );
        }
    }

References enshrined\svgSanitize\Sanitizer\isHrefSafeValue().

Here is the call graph for this function:

◆ getAllowedAttrs()

enshrined\svgSanitize\Sanitizer::getAllowedAttrs ( )

Get the array of allowed attributes.

Returns: array

Definition at line 149 of file Sanitizer.php.

    {
        return $this->allowedAttrs;
    }

References enshrined\svgSanitize\Sanitizer\$allowedAttrs.

◆ getAllowedTags()

enshrined\svgSanitize\Sanitizer::getAllowedTags ( )

Get the array of allowed tags.

Returns: array

Definition at line 129 of file Sanitizer.php.

    {
        return $this->allowedTags;
    }

References enshrined\svgSanitize\Sanitizer\$allowedTags.

◆ getXmlIssues()

enshrined\svgSanitize\Sanitizer::getXmlIssues ( )

Get XML issues.

Returns: array

Definition at line 179 of file Sanitizer.php.

                                   {
        return $this->xmlIssues;
    }

References enshrined\svgSanitize\Sanitizer\$xmlIssues.

◆ getXMLOptions()

enshrined\svgSanitize\Sanitizer::getXMLOptions ( )

Get XML options to use when saving XML See: DOMDocument::saveXML.

Returns: int

Definition at line 119 of file Sanitizer.php.

    {
        return $this->xmlOptions;
    }

References enshrined\svgSanitize\Sanitizer\$xmlOptions.

◆ hasRemoteReference()

enshrined\svgSanitize\Sanitizer::hasRemoteReference ( $value )

protected

Does this attribute value have a remote reference?

Parameters

$value

Returns: bool

Definition at line 500 of file Sanitizer.php.

    {
        $value = $this->removeNonPrintableCharacters($value);
 
        $wrapped_in_url = preg_match('~^url\‍(\s*[\'"]\s*(.*)\s*[\'"]\s*\‍)$~xi', $value, $match);
        if (!$wrapped_in_url){
            return false;
        }
 
        $value = trim($match[1], '\'"');
 
        return preg_match('~^((https?|ftp|file):)?//~xi', $value);
    }

References enshrined\svgSanitize\Sanitizer\removeNonPrintableCharacters().

Here is the call graph for this function:

◆ isAriaAttribute()

enshrined\svgSanitize\Sanitizer::isAriaAttribute ( $attributeName )

protected

Check to see if an attribute is an aria attribute or not.

Parameters

$attributeName

Returns: bool

Definition at line 552 of file Sanitizer.php.

    {
        return strpos($attributeName, 'aria-') === 0;
    }

Referenced by enshrined\svgSanitize\Sanitizer\cleanAttributesOnWhitelist().

Here is the caller graph for this function:

◆ isDataAttribute()

enshrined\svgSanitize\Sanitizer::isDataAttribute ( $attributeName )

protected

Check to see if an attribute is an data attribute or not.

Parameters

$attributeName

Returns: bool

Definition at line 564 of file Sanitizer.php.

    {
        return strpos($attributeName, 'data-') === 0;
    }

Referenced by enshrined\svgSanitize\Sanitizer\cleanAttributesOnWhitelist().

Here is the caller graph for this function:

◆ isHrefSafeValue()

enshrined\svgSanitize\Sanitizer::isHrefSafeValue ( $value )

protected

Only allow whitelisted starts to be within the href.

This will stop scripts etc from being passed through, with or without attempting to hide bypasses. This stops the need for us to use a complicated script regex.

Parameters

$value

Returns: bool

Definition at line 436 of file Sanitizer.php.

                                               {
 
        // Allow fragment identifiers.
        if ('#' === substr($value, 0, 1)) {
            return true;
        }
 
        // Allow relative URIs.
        if ('/' === substr($value, 0, 1)) {
            return true;
        }
 
        // Allow HTTPS domains.
        if ('https://' === substr($value, 0, 8)) {
            return true;
        }
 
        // Allow HTTP domains.
        if ('http://' === substr($value, 0, 7)) {
            return true;
        }
 
        // Allow known data URIs.
        if (in_array(substr($value, 0, 14), array(
            'data:image/png', // PNG
            'data:image/gif', // GIF
            'data:image/jpg', // JPG
            'data:image/jpe', // JPEG
            'data:image/pjp', // PJPEG
        ))) {
           return true;
        }
 
        // Allow known short data URIs.
        if (in_array(substr($value, 0, 12), array(
            'data:img/png', // PNG
            'data:img/gif', // GIF
            'data:img/jpg', // JPG
            'data:img/jpe', // JPEG
            'data:img/pjp', // PJPEG
        ))) {
            return true;
        }
 
        return false;
    }

Referenced by enshrined\svgSanitize\Sanitizer\cleanAttributesOnWhitelist(), enshrined\svgSanitize\Sanitizer\cleanHrefs(), and enshrined\svgSanitize\Sanitizer\cleanXlinkHrefs().

Here is the caller graph for this function:

◆ isUseTagDirty()

enshrined\svgSanitize\Sanitizer::isUseTagDirty ( \DOMElement $element )

protected

Make sure our use tag is only referencing internal resources.

Parameters

\DOMElement $element

Returns: bool

Definition at line 575 of file Sanitizer.php.

    {
        $href = Helper::getElementHref($element);
        return $href && strpos($href, '#') !== 0;
    }

◆ isUseTagExceedingThreshold()

enshrined\svgSanitize\Sanitizer::isUseTagExceedingThreshold ( \DOMElement $element )

protected

Determines whether <use ... xlink:href="#identifier"> is expanded recursively in order to create DoS scenarios.

The amount of a actually used element needs to be below $this->useThreshold.

Parameters

\DOMElement $element

Returns: bool

Definition at line 589 of file Sanitizer.php.

    {
        if ($this->useThreshold <= 0) {
            return false;
        }
        $useId = Helper::extractIdReferenceFromHref(
            Helper::getElementHref($element)
        );
        if ($useId === null) {
            return false;
        }
        foreach ($this->elementReferenceResolver->findByElementId($useId) as $subject) {
            if ($subject->countUse() >= $this->useThreshold) {
                return true;
            }
        }
        return false;
    }

◆ minify()

enshrined\svgSanitize\Sanitizer::minify ( $shouldMinify = false )

Should we minify the output?

Parameters

bool $shouldMinify

Definition at line 519 of file Sanitizer.php.

    {
        $this->minifyXML = (bool) $shouldMinify;
    }

◆ removeDoctype()

enshrined\svgSanitize\Sanitizer::removeDoctype ( )

protected

Remove the XML Doctype It may be caught later on output but that seems to be buggy, so we need to make sure it's gone.

Definition at line 271 of file Sanitizer.php.

    {
        foreach ($this->xmlDocument->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                $child->parentNode->removeChild($child);
            }
        }
    }

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

Here is the caller graph for this function:

◆ removeNonPrintableCharacters()

enshrined\svgSanitize\Sanitizer::removeNonPrintableCharacters ( $value )

protected

Removes non-printable ASCII characters from string & trims it.

Parameters

string $value

Returns: bool

Definition at line 489 of file Sanitizer.php.

    {
        return trim(preg_replace('/[^ -~]/xu','',$value));
    }

Referenced by enshrined\svgSanitize\Sanitizer\hasRemoteReference().

Here is the caller graph for this function:

◆ removeRemoteReferences()

enshrined\svgSanitize\Sanitizer::removeRemoteReferences ( $removeRemoteRefs = false )

Should we remove references to remote files?

Parameters

bool $removeRemoteRefs

Definition at line 169 of file Sanitizer.php.

    {
        $this->removeRemoteReferences = $removeRemoteRefs;
    }

References enshrined\svgSanitize\Sanitizer\removeRemoteReferences().

Referenced by enshrined\svgSanitize\Sanitizer\cleanAttributesOnWhitelist(), and enshrined\svgSanitize\Sanitizer\removeRemoteReferences().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ removeXMLTag()

enshrined\svgSanitize\Sanitizer::removeXMLTag ( $removeXMLTag = false )

Should we remove the XML tag in the header?

Parameters

bool $removeXMLTag

Definition at line 529 of file Sanitizer.php.

    {
        $this->removeXMLTag = (bool) $removeXMLTag;
    }

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

Here is the caller graph for this function:

◆ resetAfter()

enshrined\svgSanitize\Sanitizer::resetAfter ( )

protected

Reset the class after use.

Definition at line 261 of file Sanitizer.php.

    {
        // Reset the entity loader
        libxml_disable_entity_loader($this->xmlLoaderValue);
    }

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

Here is the caller graph for this function:

◆ resetInternal()

enshrined\svgSanitize\Sanitizer::resetInternal ( )

protected

Set up the DOMDocument.

Definition at line 94 of file Sanitizer.php.

    {
        $this->xmlDocument = new \DOMDocument();
        $this->xmlDocument->preserveWhiteSpace = false;
        $this->xmlDocument->strictErrorChecking = false;
        $this->xmlDocument->formatOutput = !$this->minifyXML;
    }

References enshrined\svgSanitize\Sanitizer\$minifyXML.

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

Here is the caller graph for this function:

◆ sanitize()

enshrined\svgSanitize\Sanitizer::sanitize ( $dirty )

Sanitize the passed string.

Parameters

string $dirty

Returns: string

Definition at line 190 of file Sanitizer.php.

    {
        // Don't run on an empty string
        if (empty($dirty)) {
            return '';
        }
 
        // Strip php tags
        $dirty = preg_replace('/<\?(=|php)(.+?)\?>/i', '', $dirty);
 
        $this->resetInternal();
        $this->setUpBefore();
 
        $loaded = $this->xmlDocument->loadXML($dirty);
 
        // If we couldn't parse the XML then we go no further. Reset and return false
        if (!$loaded) {
            $this->resetAfter();
            return false;
        }
 
        $this->removeDoctype();
 
        // Pre-process all identified elements
        $xPath = new XPath($this->xmlDocument);
        $this->elementReferenceResolver = new Resolver($xPath, $this->useNestingLimit);
        $this->elementReferenceResolver->collect();
        $elementsToRemove = $this->elementReferenceResolver->getElementsToRemove();
 
        // Grab all the elements
        $allElements = $this->xmlDocument->getElementsByTagName("*");
 
        // Start the cleaning proccess
        $this->startClean($allElements, $elementsToRemove);
 
        // Save cleaned XML to a variable
        if ($this->removeXMLTag) {
            $clean = $this->xmlDocument->saveXML($this->xmlDocument->documentElement, $this->xmlOptions);
        } else {
            $clean = $this->xmlDocument->saveXML($this->xmlDocument, $this->xmlOptions);
        }
 
        $this->resetAfter();
 
        // Remove any extra whitespaces when minifying
        if ($this->minifyXML) {
            $clean = preg_replace('/\s+/', ' ', $clean);
        }
 
        // Return result
        return $clean;
    }

References enshrined\svgSanitize\Sanitizer\removeDoctype(), enshrined\svgSanitize\Sanitizer\removeXMLTag(), enshrined\svgSanitize\Sanitizer\resetAfter(), enshrined\svgSanitize\Sanitizer\resetInternal(), and enshrined\svgSanitize\Sanitizer\setUpBefore().

Here is the call graph for this function:

◆ setAllowedAttrs()

enshrined\svgSanitize\Sanitizer::setAllowedAttrs ( AttributeInterface $allowedAttrs )

Set custom allowed attributes.

Parameters

AttributeInterface $allowedAttrs

Definition at line 159 of file Sanitizer.php.

    {
        $this->allowedAttrs = array_map('strtolower', $allowedAttrs::getAttributes());
    }

◆ setAllowedTags()

enshrined\svgSanitize\Sanitizer::setAllowedTags ( TagInterface $allowedTags )

Set custom allowed tags.

Parameters

TagInterface $allowedTags

Definition at line 139 of file Sanitizer.php.

    {
        $this->allowedTags = array_map('strtolower', $allowedTags::getTags());
    }

◆ setUpBefore()

enshrined\svgSanitize\Sanitizer::setUpBefore ( )

protected

Set up libXML before we start.

Definition at line 246 of file Sanitizer.php.

    {
        // Turn off the entity loader
        $this->xmlLoaderValue = libxml_disable_entity_loader(true);
 
        // Suppress the errors because we don't really have to worry about formation before cleansing
        libxml_use_internal_errors(true);
 
        // Reset array of altered XML
        $this->xmlIssues = array();
    }

Referenced by enshrined\svgSanitize\Sanitizer\sanitize().

Here is the caller graph for this function:

◆ setUseNestingLimit()

enshrined\svgSanitize\Sanitizer::setUseNestingLimit ( $limit )

Set the nesting limit for <use> tags.

Parameters

$limit

Definition at line 613 of file Sanitizer.php.

    {
        $this->useNestingLimit = (int) $limit;
    }

◆ setXMLOptions()

enshrined\svgSanitize\Sanitizer::setXMLOptions ( $xmlOptions )

Set XML options to use when saving XML See: DOMDocument::saveXML.

Parameters

int $xmlOptions

Definition at line 108 of file Sanitizer.php.

    {
        $this->xmlOptions = $xmlOptions;
    }

References enshrined\svgSanitize\Sanitizer\$xmlOptions.

◆ useThreshold()

enshrined\svgSanitize\Sanitizer::useThreshold ( $useThreshold = 1000 )

Whether <use ... xlink:href="#identifier"> elements shall be removed in case expansion would exceed this threshold.

Parameters

int $useThreshold

Definition at line 540 of file Sanitizer.php.

    {
        $this->useThreshold = (int)$useThreshold;
    }

Field Documentation

◆ $allowedAttrs

enshrined\svgSanitize\Sanitizer::$allowedAttrs

protected

Definition at line 34 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\getAllowedAttrs().

◆ $allowedTags

enshrined\svgSanitize\Sanitizer::$allowedTags

protected

Definition at line 29 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\getAllowedTags().

◆ $elementReferenceResolver

enshrined\svgSanitize\Sanitizer::$elementReferenceResolver

protected

Definition at line 74 of file Sanitizer.php.

◆ $minifyXML

enshrined\svgSanitize\Sanitizer::$minifyXML = false

protected

Definition at line 44 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\resetInternal().

◆ $removeRemoteReferences

enshrined\svgSanitize\Sanitizer::$removeRemoteReferences = false

protected

Definition at line 49 of file Sanitizer.php.

◆ $removeXMLTag

enshrined\svgSanitize\Sanitizer::$removeXMLTag = false

protected

Definition at line 59 of file Sanitizer.php.

◆ $useNestingLimit

enshrined\svgSanitize\Sanitizer::$useNestingLimit = 15

protected

Definition at line 79 of file Sanitizer.php.

◆ $useThreshold

enshrined\svgSanitize\Sanitizer::$useThreshold = 1000

protected

Definition at line 54 of file Sanitizer.php.

◆ $xmlDocument

enshrined\svgSanitize\Sanitizer::$xmlDocument

protected

Definition at line 24 of file Sanitizer.php.

◆ $xmlIssues

enshrined\svgSanitize\Sanitizer::$xmlIssues = array()

protected

Definition at line 69 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\getXmlIssues().

◆ $xmlLoaderValue

enshrined\svgSanitize\Sanitizer::$xmlLoaderValue

protected

Definition at line 39 of file Sanitizer.php.

◆ $xmlOptions

enshrined\svgSanitize\Sanitizer::$xmlOptions = LIBXML_NOEMPTYTAG

protected

Definition at line 64 of file Sanitizer.php.

Referenced by enshrined\svgSanitize\Sanitizer\getXMLOptions(), and enshrined\svgSanitize\Sanitizer\setXMLOptions().

The documentation for this class was generated from the following file:

libs/composer/vendor/enshrined/svg-sanitize/src/Sanitizer.php

Public Member Functions

Protected Member Functions

Protected Attributes

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ cleanAttributesOnWhitelist()

◆ cleanHrefs()

◆ cleanXlinkHrefs()

◆ getAllowedAttrs()

◆ getAllowedTags()

◆ getXmlIssues()

◆ getXMLOptions()

◆ hasRemoteReference()

◆ isAriaAttribute()

◆ isDataAttribute()

◆ isHrefSafeValue()

◆ isUseTagDirty()

◆ isUseTagExceedingThreshold()

◆ minify()

◆ removeDoctype()

◆ removeNonPrintableCharacters()

◆ removeRemoteReferences()

◆ removeXMLTag()

◆ resetAfter()

◆ resetInternal()

◆ sanitize()

◆ setAllowedAttrs()

◆ setAllowedTags()

◆ setUpBefore()

◆ setUseNestingLimit()

◆ setXMLOptions()

◆ useThreshold()

Field Documentation

◆ $allowedAttrs

◆ $allowedTags

◆ $elementReferenceResolver

◆ $minifyXML

◆ $removeRemoteReferences

◆ $removeXMLTag

◆ $useNestingLimit

◆ $useThreshold

◆ $xmlDocument

◆ $xmlIssues

◆ $xmlLoaderValue

◆ $xmlOptions