commit | author | age
|
7ac944
|
1 |
<?php |
AM |
2 |
|
|
3 |
/** |
|
4 |
+-----------------------------------------------------------------------+ |
|
5 |
| This file is part of the Roundcube Webmail client | |
|
6 |
| Copyright (C) 2008-2012, The Roundcube Dev Team | |
|
7 |
| | |
|
8 |
| Licensed under the GNU General Public License version 3 or | |
|
9 |
| any later version with exceptions for skins & plugins. | |
|
10 |
| See the README file for a full license statement. | |
|
11 |
| | |
|
12 |
| PURPOSE: | |
|
13 |
| Utility class providing HTML sanityzer (based on Washtml class) | |
|
14 |
+-----------------------------------------------------------------------+ |
|
15 |
| Author: Thomas Bruederli <roundcube@gmail.com> | |
|
16 |
| Author: Aleksander Machniak <alec@alec.pl> | |
|
17 |
| Author: Frederic Motte <fmotte@ubixis.com> | |
|
18 |
+-----------------------------------------------------------------------+ |
|
19 |
*/ |
|
20 |
|
|
21 |
/** |
|
22 |
* Washtml, a HTML sanityzer. |
|
23 |
* |
|
24 |
* Copyright (c) 2007 Frederic Motte <fmotte@ubixis.com> |
|
25 |
* All rights reserved. |
|
26 |
* |
|
27 |
* Redistribution and use in source and binary forms, with or without |
|
28 |
* modification, are permitted provided that the following conditions |
|
29 |
* are met: |
|
30 |
* 1. Redistributions of source code must retain the above copyright |
|
31 |
* notice, this list of conditions and the following disclaimer. |
|
32 |
* 2. Redistributions in binary form must reproduce the above copyright |
|
33 |
* notice, this list of conditions and the following disclaimer in the |
|
34 |
* documentation and/or other materials provided with the distribution. |
|
35 |
* |
|
36 |
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR |
|
37 |
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES |
|
38 |
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
|
39 |
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, |
|
40 |
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
|
41 |
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
|
42 |
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
|
43 |
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
|
44 |
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
|
45 |
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
46 |
* |
|
47 |
* OVERVIEW: |
|
48 |
* |
|
49 |
* Wahstml take an untrusted HTML and return a safe html string. |
|
50 |
* |
|
51 |
* SYNOPSIS: |
|
52 |
* |
|
53 |
* $washer = new washtml($config); |
|
54 |
* $washer->wash($html); |
|
55 |
* It return a sanityzed string of the $html parameter without html and head tags. |
|
56 |
* $html is a string containing the html code to wash. |
|
57 |
* $config is an array containing options: |
|
58 |
* $config['allow_remote'] is a boolean to allow link to remote images. |
|
59 |
* $config['blocked_src'] string with image-src to be used for blocked remote images |
|
60 |
* $config['show_washed'] is a boolean to include washed out attributes as x-washed |
|
61 |
* $config['cid_map'] is an array where cid urls index urls to replace them. |
|
62 |
* $config['charset'] is a string containing the charset of the HTML document if it is not defined in it. |
|
63 |
* $washer->extlinks is a reference to a boolean that is set to true if remote images were removed. (FE: show remote images link) |
|
64 |
* |
|
65 |
* INTERNALS: |
|
66 |
* |
|
67 |
* Only tags and attributes in the static lists $html_elements and $html_attributes |
|
68 |
* are kept, inline styles are also filtered: all style identifiers matching |
|
69 |
* /[a-z\-]/i are allowed. Values matching colors, sizes, /[a-z\-]/i and safe |
|
70 |
* urls if allowed and cid urls if mapped are kept. |
|
71 |
* |
|
72 |
* Roundcube Changes: |
|
73 |
* - added $block_elements |
|
74 |
* - changed $ignore_elements behaviour |
|
75 |
* - added RFC2397 support |
|
76 |
* - base URL support |
|
77 |
* - invalid HTML comments removal before parsing |
|
78 |
* - "fixing" unitless CSS values for XHTML output |
|
79 |
* - base url resolving |
|
80 |
*/ |
|
81 |
|
|
82 |
/** |
|
83 |
* Utility class providing HTML sanityzer |
|
84 |
* |
|
85 |
* @package Framework |
|
86 |
* @subpackage Utils |
|
87 |
*/ |
|
88 |
class rcube_washtml |
|
89 |
{ |
|
90 |
/* Allowed HTML elements (default) */ |
|
91 |
static $html_elements = array('a', 'abbr', 'acronym', 'address', 'area', 'b', |
|
92 |
'basefont', 'bdo', 'big', 'blockquote', 'br', 'caption', 'center', |
|
93 |
'cite', 'code', 'col', 'colgroup', 'dd', 'del', 'dfn', 'dir', 'div', 'dl', |
|
94 |
'dt', 'em', 'fieldset', 'font', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', |
|
95 |
'ins', 'label', 'legend', 'li', 'map', 'menu', 'nobr', 'ol', 'p', 'pre', 'q', |
|
96 |
's', 'samp', 'small', 'span', 'strike', 'strong', 'sub', 'sup', 'table', |
|
97 |
'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'tt', 'u', 'ul', 'var', 'wbr', 'img', |
|
98 |
// form elements |
ffd5ff
|
99 |
'button', 'input', 'textarea', 'select', 'option', 'optgroup', |
AM |
100 |
// SVG |
|
101 |
'svg', 'altglyph', 'altglyphdef', 'altglyphitem', 'animate', 'animatecolor', |
|
102 |
'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', |
|
103 |
'ellipse', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', |
|
104 |
'lineargradient', 'marker', 'mask', 'mpath', 'path', 'pattern', |
|
105 |
'polygon', 'polyline', 'radialgradient', 'rect', 'set', 'stop', 'switch', 'symbol', |
|
106 |
'text', 'textpath', 'tref', 'tspan', 'use', 'view', 'vkern', 'filter', |
|
107 |
// SVG Filters |
|
108 |
'feblend', 'fecolormatrix', 'fecomponenttransfer', 'fecomposite', |
|
109 |
'feconvolvematrix', 'fediffuselighting', 'fedisplacementmap', |
|
110 |
'feflood', 'fefunca', 'fefuncb', 'fefuncg', 'fefuncr', 'fegaussianblur', |
|
111 |
'feimage', 'femerge', 'femergenode', 'femorphology', 'feoffset', |
|
112 |
'fespecularlighting', 'fetile', 'feturbulence', |
7ac944
|
113 |
); |
AM |
114 |
|
|
115 |
/* Ignore these HTML tags and their content */ |
|
116 |
static $ignore_elements = array('script', 'applet', 'embed', 'object', 'style'); |
|
117 |
|
|
118 |
/* Allowed HTML attributes */ |
|
119 |
static $html_attribs = array('name', 'class', 'title', 'alt', 'width', 'height', |
|
120 |
'align', 'nowrap', 'col', 'row', 'id', 'rowspan', 'colspan', 'cellspacing', |
|
121 |
'cellpadding', 'valign', 'bgcolor', 'color', 'border', 'bordercolorlight', |
|
122 |
'bordercolordark', 'face', 'marginwidth', 'marginheight', 'axis', 'border', |
|
123 |
'abbr', 'char', 'charoff', 'clear', 'compact', 'coords', 'vspace', 'hspace', |
|
124 |
'cellborder', 'size', 'lang', 'dir', 'usemap', 'shape', 'media', |
|
125 |
// attributes of form elements |
ffd5ff
|
126 |
'type', 'rows', 'cols', 'disabled', 'readonly', 'checked', 'multiple', 'value', |
AM |
127 |
// SVG |
|
128 |
'accent-height', 'accumulate', 'additivive', 'alignment-baseline', |
|
129 |
'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseprofile', |
|
130 |
'baseline-shift', 'begin', 'bias', 'by', 'clip', 'clip-path', 'clip-rule', |
|
131 |
'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', |
|
132 |
'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', |
|
133 |
'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', |
|
134 |
'fill-rule', 'filter', 'flood-color', 'flood-opacity', 'font-family', 'font-size', |
|
135 |
'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', |
|
136 |
'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', |
|
137 |
'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', |
|
138 |
'keysplines', 'keytimes', 'lengthadjust', 'letter-spacing', 'kernelmatrix', |
|
139 |
'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', |
|
140 |
'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', |
|
141 |
'maskunits', 'max', 'mask', 'mode', 'min', 'numoctaves', 'offset', 'operator', |
|
142 |
'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', |
|
143 |
'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', |
|
144 |
'points', 'preservealpha', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', |
|
145 |
'repeatdur', 'restart', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', |
|
146 |
'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', |
|
147 |
'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', |
|
148 |
'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', |
|
149 |
'surfacescale', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', |
|
150 |
'text-rendering', 'textlength', 'u1', 'u2', 'unicode', 'values', 'viewbox', |
|
151 |
'visibility', 'vert-adv-y', 'version', 'vert-origin-x', 'vert-origin-y', 'word-spacing', |
|
152 |
'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', |
|
153 |
'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan', |
|
154 |
// XML |
|
155 |
'xml:id', 'xlink:title' |
7ac944
|
156 |
); |
AM |
157 |
|
cb3e2f
|
158 |
/* Elements which could be empty and be returned in short form (<tag />) */ |
AM |
159 |
static $void_elements = array('area', 'base', 'br', 'col', 'command', 'embed', 'hr', |
ffd5ff
|
160 |
'img', 'input', 'keygen', 'link', 'meta', 'param', 'source', 'track', 'wbr', |
AM |
161 |
// SVG |
|
162 |
'altglyph', 'altglyphdef', 'altglyphitem', 'animate', 'animatecolor', |
|
163 |
'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', |
|
164 |
'ellipse', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', |
|
165 |
'lineargradient', 'marker', 'mask', 'mpath', 'path', 'pattern', |
|
166 |
'polygon', 'polyline', 'radialgradient', 'rect', 'set', 'stop', 'switch', 'symbol', |
|
167 |
'text', 'textpath', 'tref', 'tspan', 'use', 'view', 'vkern', 'filter', |
7ac944
|
168 |
); |
ffd5ff
|
169 |
|
AM |
170 |
/* Attributes that may contain insecure content */ |
|
171 |
static $insecure_attribs = array('href', 'to', 'from'); |
7ac944
|
172 |
|
AM |
173 |
/* State for linked objects in HTML */ |
|
174 |
public $extlinks = false; |
|
175 |
|
|
176 |
/* Current settings */ |
|
177 |
private $config = array(); |
|
178 |
|
|
179 |
/* Registered callback functions for tags */ |
|
180 |
private $handlers = array(); |
|
181 |
|
|
182 |
/* Allowed HTML elements */ |
|
183 |
private $_html_elements = array(); |
|
184 |
|
|
185 |
/* Ignore these HTML tags but process their content */ |
|
186 |
private $_ignore_elements = array(); |
|
187 |
|
cb3e2f
|
188 |
/* Elements which could be empty and be returned in short form (<tag />) */ |
AM |
189 |
private $_void_elements = array(); |
7ac944
|
190 |
|
AM |
191 |
/* Allowed HTML attributes */ |
|
192 |
private $_html_attribs = array(); |
|
193 |
|
a89940
|
194 |
/* Max nesting level */ |
AM |
195 |
private $max_nesting_level; |
|
196 |
|
7ac944
|
197 |
|
AM |
198 |
/** |
|
199 |
* Class constructor |
|
200 |
*/ |
|
201 |
public function __construct($p = array()) |
|
202 |
{ |
ffd5ff
|
203 |
$this->_html_elements = array_flip((array)$p['html_elements']) + array_flip(self::$html_elements); |
AM |
204 |
$this->_html_attribs = array_flip((array)$p['html_attribs']) + array_flip(self::$html_attribs); |
|
205 |
$this->_insecure_attribs = array_flip((array)$p['insecure_attribs']) + array_flip(self::$insecure_attribs); |
|
206 |
$this->_ignore_elements = array_flip((array)$p['ignore_elements']) + array_flip(self::$ignore_elements); |
|
207 |
$this->_void_elements = array_flip((array)$p['void_elements']) + array_flip(self::$void_elements); |
7ac944
|
208 |
|
cb3e2f
|
209 |
unset($p['html_elements'], $p['html_attribs'], $p['ignore_elements'], $p['void_elements']); |
7ac944
|
210 |
|
AM |
211 |
$this->config = $p + array('show_washed' => true, 'allow_remote' => false, 'cid_map' => array()); |
|
212 |
} |
|
213 |
|
|
214 |
/** |
|
215 |
* Register a callback function for a certain tag |
|
216 |
*/ |
|
217 |
public function add_callback($tagName, $callback) |
|
218 |
{ |
|
219 |
$this->handlers[$tagName] = $callback; |
|
220 |
} |
|
221 |
|
|
222 |
/** |
|
223 |
* Check CSS style |
|
224 |
*/ |
|
225 |
private function wash_style($style) |
|
226 |
{ |
05d419
|
227 |
$result = array(); |
7ac944
|
228 |
|
AM |
229 |
foreach (explode(';', $style) as $declaration) { |
|
230 |
if (preg_match('/^\s*([a-z\-]+)\s*:\s*(.*)\s*$/i', $declaration, $match)) { |
|
231 |
$cssid = $match[1]; |
|
232 |
$str = $match[2]; |
|
233 |
$value = ''; |
|
234 |
|
05d419
|
235 |
foreach ($this->explode_style($str) as $val) { |
AM |
236 |
if (preg_match('/^url\(/i', $val)) { |
|
237 |
if (preg_match('/^url\(\s*[\'"]?([^\'"\)]*)[\'"]?\s*\)/iu', $val, $match)) { |
|
238 |
$url = $match[1]; |
|
239 |
if (($src = $this->config['cid_map'][$url]) |
|
240 |
|| ($src = $this->config['cid_map'][$this->config['base_url'].$url]) |
|
241 |
) { |
|
242 |
$value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')'; |
7ac944
|
243 |
} |
05d419
|
244 |
else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $url, $m)) { |
AM |
245 |
if ($this->config['allow_remote']) { |
|
246 |
$value .= ' url('.htmlspecialchars($m[0], ENT_QUOTES).')'; |
|
247 |
} |
|
248 |
else { |
|
249 |
$this->extlinks = true; |
|
250 |
} |
7ac944
|
251 |
} |
05d419
|
252 |
else if (preg_match('/^data:.+/i', $url)) { // RFC2397 |
AM |
253 |
$value .= ' url('.htmlspecialchars($url, ENT_QUOTES).')'; |
|
254 |
} |
7ac944
|
255 |
} |
AM |
256 |
} |
05d419
|
257 |
else if (!preg_match('/^(behavior|expression)/i', $val)) { |
7ac944
|
258 |
// whitelist ? |
05d419
|
259 |
$value .= ' ' . $val; |
7ac944
|
260 |
|
AM |
261 |
// #1488535: Fix size units, so width:800 would be changed to width:800px |
49e260
|
262 |
if (preg_match('/^(left|right|top|bottom|width|height)/i', $cssid) |
05d419
|
263 |
&& preg_match('/^[0-9]+$/', $val) |
7ac944
|
264 |
) { |
AM |
265 |
$value .= 'px'; |
|
266 |
} |
|
267 |
} |
|
268 |
} |
|
269 |
|
|
270 |
if (isset($value[0])) { |
05d419
|
271 |
$result[] = $cssid . ':' . $value; |
7ac944
|
272 |
} |
AM |
273 |
} |
|
274 |
} |
|
275 |
|
05d419
|
276 |
return implode('; ', $result); |
7ac944
|
277 |
} |
AM |
278 |
|
|
279 |
/** |
|
280 |
* Take a node and return allowed attributes and check values |
|
281 |
*/ |
|
282 |
private function wash_attribs($node) |
|
283 |
{ |
ffd5ff
|
284 |
$t = ''; |
7ac944
|
285 |
$washed = ''; |
AM |
286 |
|
ffd5ff
|
287 |
foreach ($node->attributes as $name => $attr) { |
AM |
288 |
$key = strtolower($name); |
|
289 |
$value = $attr->nodeValue; |
7ac944
|
290 |
|
AM |
291 |
if (isset($this->_html_attribs[$key]) || |
ffd5ff
|
292 |
(isset($this->_insecure_attribs[$key]) |
AM |
293 |
&& ($value = trim($value)) |
1f910c
|
294 |
&& !preg_match('!^(javascript|vbscript|data:text)!i', $value) |
7ac944
|
295 |
&& preg_match('!^([a-z][a-z0-9.+-]+:|//|#).+!i', $value)) |
AM |
296 |
) { |
ffd5ff
|
297 |
$t .= ' ' . $attr->nodeName . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; |
7ac944
|
298 |
} |
AM |
299 |
else if ($key == 'style' && ($style = $this->wash_style($value))) { |
049940
|
300 |
// replace double quotes to prevent syntax error and XSS issues (#1490227) |
AM |
301 |
$t .= ' style="' . str_replace('"', '"', $style) . '"'; |
7ac944
|
302 |
} |
ffd5ff
|
303 |
else if ($key == 'background' || $key == 'href' |
AM |
304 |
|| ($key == 'src' && preg_match('/^(img|source)$/i', $node->tagName)) |
|
305 |
|| ($key == 'poster' && strtolower($node->tagName) == 'video') |
|
306 |
) { |
7ac944
|
307 |
if (($src = $this->config['cid_map'][$value]) |
AM |
308 |
|| ($src = $this->config['cid_map'][$this->config['base_url'].$value]) |
|
309 |
) { |
|
310 |
$t .= ' ' . $key . '="' . htmlspecialchars($src, ENT_QUOTES) . '"'; |
|
311 |
} |
|
312 |
else if (preg_match('/^(http|https|ftp):.+/i', $value)) { |
|
313 |
if ($this->config['allow_remote']) { |
|
314 |
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; |
|
315 |
} |
|
316 |
else { |
|
317 |
$this->extlinks = true; |
|
318 |
if ($this->config['blocked_src']) { |
|
319 |
$t .= ' ' . $key . '="' . htmlspecialchars($this->config['blocked_src'], ENT_QUOTES) . '"'; |
|
320 |
} |
|
321 |
} |
|
322 |
} |
|
323 |
else if (preg_match('/^data:.+/i', $value)) { // RFC2397 |
|
324 |
$t .= ' ' . $key . '="' . htmlspecialchars($value, ENT_QUOTES) . '"'; |
|
325 |
} |
|
326 |
} |
|
327 |
else { |
ffd5ff
|
328 |
$washed .= ($washed ? ' ' : '') . $attr->nodeName; |
7ac944
|
329 |
} |
AM |
330 |
} |
|
331 |
|
|
332 |
return $t . ($washed && $this->config['show_washed'] ? ' x-washed="'.$washed.'"' : ''); |
|
333 |
} |
|
334 |
|
|
335 |
/** |
|
336 |
* The main loop that recurse on a node tree. |
7883ec
|
337 |
* It output only allowed tags with allowed attributes and allowed inline styles |
AM |
338 |
* |
|
339 |
* @param DOMNode $node HTML element |
|
340 |
* @param int $level Recurrence level (safe initial value found empirically) |
7ac944
|
341 |
*/ |
7883ec
|
342 |
private function dumpHtml($node, $level = 20) |
7ac944
|
343 |
{ |
AM |
344 |
if (!$node->hasChildNodes()) { |
|
345 |
return ''; |
a89940
|
346 |
} |
AM |
347 |
|
|
348 |
$level++; |
|
349 |
|
|
350 |
if ($this->max_nesting_level > 0 && $level == $this->max_nesting_level - 1) { |
|
351 |
// log error message once |
|
352 |
if (!$this->max_nesting_level_error) { |
|
353 |
$this->max_nesting_level_error = true; |
|
354 |
rcube::raise_error(array('code' => 500, 'type' => 'php', |
|
355 |
'line' => __LINE__, 'file' => __FILE__, |
|
356 |
'message' => "Maximum nesting level exceeded (xdebug.max_nesting_level={$this->max_nesting_level})"), |
|
357 |
true, false); |
|
358 |
} |
|
359 |
return '<!-- ignored -->'; |
7ac944
|
360 |
} |
AM |
361 |
|
|
362 |
$node = $node->firstChild; |
|
363 |
$dump = ''; |
|
364 |
|
|
365 |
do { |
e7d1a8
|
366 |
switch ($node->nodeType) { |
7ac944
|
367 |
case XML_ELEMENT_NODE: //Check element |
AM |
368 |
$tagName = strtolower($node->tagName); |
|
369 |
if ($callback = $this->handlers[$tagName]) { |
|
370 |
$dump .= call_user_func($callback, $tagName, |
a89940
|
371 |
$this->wash_attribs($node), $this->dumpHtml($node, $level), $this); |
7ac944
|
372 |
} |
AM |
373 |
else if (isset($this->_html_elements[$tagName])) { |
a89940
|
374 |
$content = $this->dumpHtml($node, $level); |
ffd5ff
|
375 |
$dump .= '<' . $tagName; |
AM |
376 |
|
|
377 |
if ($tagName == 'svg') { |
|
378 |
$xpath = new DOMXPath($node->ownerDocument); |
|
379 |
foreach ($xpath->query('namespace::*') as $ns) { |
|
380 |
if ($ns->nodeName != 'xmlns:xml') { |
|
381 |
$dump .= ' ' . $ns->nodeName . '="' . $ns->nodeValue . '"'; |
|
382 |
} |
|
383 |
} |
|
384 |
} |
|
385 |
|
|
386 |
$dump .= $this->wash_attribs($node); |
|
387 |
|
|
388 |
if ($content === '' && isset($this->_void_elements[$tagName])) { |
|
389 |
$dump .= ' />'; |
|
390 |
} |
|
391 |
else { |
|
392 |
$dump .= ">$content</$tagName>"; |
|
393 |
} |
7ac944
|
394 |
} |
AM |
395 |
else if (isset($this->_ignore_elements[$tagName])) { |
|
396 |
$dump .= '<!-- ' . htmlspecialchars($tagName, ENT_QUOTES) . ' not allowed -->'; |
|
397 |
} |
|
398 |
else { |
|
399 |
$dump .= '<!-- ' . htmlspecialchars($tagName, ENT_QUOTES) . ' ignored -->'; |
a89940
|
400 |
$dump .= $this->dumpHtml($node, $level); // ignore tags not its content |
7ac944
|
401 |
} |
AM |
402 |
break; |
|
403 |
|
|
404 |
case XML_CDATA_SECTION_NODE: |
|
405 |
$dump .= $node->nodeValue; |
|
406 |
break; |
|
407 |
|
|
408 |
case XML_TEXT_NODE: |
|
409 |
$dump .= htmlspecialchars($node->nodeValue); |
|
410 |
break; |
|
411 |
|
|
412 |
case XML_HTML_DOCUMENT_NODE: |
a89940
|
413 |
$dump .= $this->dumpHtml($node, $level); |
7ac944
|
414 |
break; |
AM |
415 |
} |
e7d1a8
|
416 |
} |
AM |
417 |
while($node = $node->nextSibling); |
7ac944
|
418 |
|
AM |
419 |
return $dump; |
|
420 |
} |
|
421 |
|
|
422 |
/** |
|
423 |
* Main function, give it untrusted HTML, tell it if you allow loading |
|
424 |
* remote images and give it a map to convert "cid:" urls. |
|
425 |
*/ |
|
426 |
public function wash($html) |
|
427 |
{ |
|
428 |
// Charset seems to be ignored (probably if defined in the HTML document) |
|
429 |
$node = new DOMDocument('1.0', $this->config['charset']); |
|
430 |
$this->extlinks = false; |
|
431 |
|
|
432 |
$html = $this->cleanup($html); |
|
433 |
|
|
434 |
// Find base URL for images |
|
435 |
if (preg_match('/<base\s+href=[\'"]*([^\'"]+)/is', $html, $matches)) { |
|
436 |
$this->config['base_url'] = $matches[1]; |
|
437 |
} |
|
438 |
else { |
|
439 |
$this->config['base_url'] = ''; |
|
440 |
} |
a89940
|
441 |
|
AM |
442 |
// Detect max nesting level (for dumpHTML) (#1489110) |
|
443 |
$this->max_nesting_level = (int) @ini_get('xdebug.max_nesting_level'); |
7ac944
|
444 |
|
ffd5ff
|
445 |
// SVG need to be parsed as XML |
AM |
446 |
$xml = stripos($html, '<svg') !== false || stripos($html, '<?xml') !== false; |
|
447 |
$method = $xml ? 'loadXML' : 'loadHTML'; |
|
448 |
$options = 0; |
|
449 |
|
bfd24f
|
450 |
// Use optimizations if supported |
ffd5ff
|
451 |
if (PHP_VERSION_ID >= 50400) { |
AM |
452 |
$options = LIBXML_PARSEHUGE | LIBXML_COMPACT | LIBXML_NONET; |
bfd24f
|
453 |
} |
ffd5ff
|
454 |
|
AM |
455 |
@$node->{$method}($html, $options); |
bfd24f
|
456 |
|
7ac944
|
457 |
return $this->dumpHtml($node); |
AM |
458 |
} |
|
459 |
|
|
460 |
/** |
|
461 |
* Getter for config parameters |
|
462 |
*/ |
|
463 |
public function get_config($prop) |
|
464 |
{ |
|
465 |
return $this->config[$prop]; |
|
466 |
} |
|
467 |
|
|
468 |
/** |
|
469 |
* Clean HTML input |
|
470 |
*/ |
|
471 |
private function cleanup($html) |
|
472 |
{ |
ffd5ff
|
473 |
$html = trim($html); |
AM |
474 |
|
7ac944
|
475 |
// special replacements (not properly handled by washtml class) |
AM |
476 |
$html_search = array( |
|
477 |
'/(<\/nobr>)(\s+)(<nobr>)/i', // space(s) between <NOBR> |
|
478 |
'/<title[^>]*>[^<]*<\/title>/i', // PHP bug #32547 workaround: remove title tag |
|
479 |
'/^(\0\0\xFE\xFF|\xFF\xFE\0\0|\xFE\xFF|\xFF\xFE|\xEF\xBB\xBF)/', // byte-order mark (only outlook?) |
|
480 |
'/<html\s[^>]+>/i', // washtml/DOMDocument cannot handle xml namespaces |
|
481 |
); |
|
482 |
|
|
483 |
$html_replace = array( |
|
484 |
'\\1'.' '.'\\3', |
|
485 |
'', |
|
486 |
'', |
|
487 |
'<html>', |
|
488 |
); |
ffd5ff
|
489 |
|
7ac944
|
490 |
$html = preg_replace($html_search, $html_replace, trim($html)); |
AM |
491 |
|
ffd5ff
|
492 |
// Replace all of those weird MS Word quotes and other high characters |
c72507
|
493 |
$badwordchars = array( |
b6a640
|
494 |
"\xe2\x80\x98", // left single quote |
R |
495 |
"\xe2\x80\x99", // right single quote |
|
496 |
"\xe2\x80\x9c", // left double quote |
|
497 |
"\xe2\x80\x9d", // right double quote |
|
498 |
"\xe2\x80\x94", // em dash |
ffd5ff
|
499 |
"\xe2\x80\xa6" // elipses |
b6a640
|
500 |
); |
ffd5ff
|
501 |
|
c72507
|
502 |
$fixedwordchars = array( |
b6a640
|
503 |
"'", |
R |
504 |
"'", |
|
505 |
'"', |
|
506 |
'"', |
|
507 |
'—', |
|
508 |
'...' |
|
509 |
); |
ffd5ff
|
510 |
|
c72507
|
511 |
$html = str_replace($badwordchars, $fixedwordchars, $html); |
b6a640
|
512 |
|
7ac944
|
513 |
// PCRE errors handling (#1486856), should we use something like for every preg_* use? |
AM |
514 |
if ($html === null && ($preg_error = preg_last_error()) != PREG_NO_ERROR) { |
|
515 |
$errstr = "Could not clean up HTML message! PCRE Error: $preg_error."; |
|
516 |
|
|
517 |
if ($preg_error == PREG_BACKTRACK_LIMIT_ERROR) { |
|
518 |
$errstr .= " Consider raising pcre.backtrack_limit!"; |
|
519 |
} |
|
520 |
if ($preg_error == PREG_RECURSION_LIMIT_ERROR) { |
|
521 |
$errstr .= " Consider raising pcre.recursion_limit!"; |
|
522 |
} |
|
523 |
|
|
524 |
rcube::raise_error(array('code' => 620, 'type' => 'php', |
|
525 |
'line' => __LINE__, 'file' => __FILE__, |
|
526 |
'message' => $errstr), true, false); |
a89940
|
527 |
|
7ac944
|
528 |
return ''; |
AM |
529 |
} |
|
530 |
|
|
531 |
// fix (unknown/malformed) HTML tags before "wash" |
ffec85
|
532 |
$html = preg_replace_callback('/(<(?!\!)[\/]*)([^\s>]+)([^>]*)/', array($this, 'html_tag_callback'), $html); |
7ac944
|
533 |
|
AM |
534 |
// Remove invalid HTML comments (#1487759) |
|
535 |
// Don't remove valid conditional comments |
1bce14
|
536 |
// Don't remove MSOutlook (<!-->) conditional comments (#1489004) |
2d233b
|
537 |
$html = preg_replace('/<!--[^-<>\[\n]+>/', '', $html); |
c72507
|
538 |
|
AM |
539 |
// fix broken nested lists |
|
540 |
self::fix_broken_lists($html); |
7ac944
|
541 |
|
AM |
542 |
// turn relative into absolute urls |
|
543 |
$html = self::resolve_base($html); |
|
544 |
|
|
545 |
return $html; |
|
546 |
} |
|
547 |
|
|
548 |
/** |
|
549 |
* Callback function for HTML tags fixing |
|
550 |
*/ |
|
551 |
public static function html_tag_callback($matches) |
|
552 |
{ |
|
553 |
$tagname = $matches[2]; |
|
554 |
$tagname = preg_replace(array( |
|
555 |
'/:.*$/', // Microsoft's Smart Tags <st1:xxxx> |
ffd5ff
|
556 |
'/[^a-z0-9_\[\]\!?-]/i', // forbidden characters |
7ac944
|
557 |
), '', $tagname); |
AM |
558 |
|
ffec85
|
559 |
// fix invalid closing tags - remove any attributes (#1489446) |
AM |
560 |
if ($matches[1] == '</') { |
|
561 |
$matches[3] = ''; |
|
562 |
} |
|
563 |
|
|
564 |
return $matches[1] . $tagname . $matches[3]; |
7ac944
|
565 |
} |
AM |
566 |
|
|
567 |
/** |
|
568 |
* Convert all relative URLs according to a <base> in HTML |
|
569 |
*/ |
|
570 |
public static function resolve_base($body) |
|
571 |
{ |
|
572 |
// check for <base href=...> |
|
573 |
if (preg_match('!(<base.*href=["\']?)([hftps]{3,5}://[a-z0-9/.%-]+)!i', $body, $regs)) { |
|
574 |
$replacer = new rcube_base_replacer($regs[2]); |
|
575 |
$body = $replacer->replace($body); |
|
576 |
} |
|
577 |
|
|
578 |
return $body; |
|
579 |
} |
|
580 |
|
c72507
|
581 |
/** |
AM |
582 |
* Fix broken nested lists, they are not handled properly by DOMDocument (#1488768) |
|
583 |
*/ |
|
584 |
public static function fix_broken_lists(&$html) |
|
585 |
{ |
|
586 |
// do two rounds, one for <ol>, one for <ul> |
|
587 |
foreach (array('ol', 'ul') as $tag) { |
|
588 |
$pos = 0; |
|
589 |
while (($pos = stripos($html, '<' . $tag, $pos)) !== false) { |
|
590 |
$pos++; |
|
591 |
|
|
592 |
// make sure this is an ol/ul tag |
|
593 |
if (!in_array($html[$pos+2], array(' ', '>'))) { |
|
594 |
continue; |
|
595 |
} |
|
596 |
|
|
597 |
$p = $pos; |
|
598 |
$in_li = false; |
|
599 |
$li_pos = 0; |
|
600 |
|
|
601 |
while (($p = strpos($html, '<', $p)) !== false) { |
|
602 |
$tt = strtolower(substr($html, $p, 4)); |
|
603 |
|
|
604 |
// li open tag |
|
605 |
if ($tt == '<li>' || $tt == '<li ') { |
|
606 |
$in_li = true; |
|
607 |
$p += 4; |
|
608 |
} |
|
609 |
// li close tag |
|
610 |
else if ($tt == '</li' && in_array($html[$p+4], array(' ', '>'))) { |
|
611 |
$li_pos = $p; |
|
612 |
$p += 4; |
|
613 |
$in_li = false; |
|
614 |
} |
|
615 |
// ul/ol closing tag |
|
616 |
else if ($tt == '</' . $tag && in_array($html[$p+4], array(' ', '>'))) { |
|
617 |
break; |
|
618 |
} |
|
619 |
// nested ol/ul element out of li |
|
620 |
else if (!$in_li && $li_pos && ($tt == '<ol>' || $tt == '<ol ' || $tt == '<ul>' || $tt == '<ul ')) { |
|
621 |
// find closing tag of this ul/ol element |
|
622 |
$element = substr($tt, 1, 2); |
|
623 |
$cpos = $p; |
|
624 |
do { |
|
625 |
$tpos = stripos($html, '<' . $element, $cpos+1); |
|
626 |
$cpos = stripos($html, '</' . $element, $cpos+1); |
|
627 |
} |
|
628 |
while ($tpos !== false && $cpos !== false && $cpos > $tpos); |
|
629 |
|
|
630 |
// not found, this is invalid HTML, skip it |
|
631 |
if ($cpos === false) { |
|
632 |
break; |
|
633 |
} |
|
634 |
|
|
635 |
// get element content |
|
636 |
$end = strpos($html, '>', $cpos); |
|
637 |
$len = $end - $p + 1; |
|
638 |
$element = substr($html, $p, $len); |
|
639 |
|
|
640 |
// move element to the end of the last li |
|
641 |
$html = substr_replace($html, '', $p, $len); |
|
642 |
$html = substr_replace($html, $element, $li_pos, 0); |
|
643 |
|
|
644 |
$p = $end; |
|
645 |
} |
|
646 |
else { |
|
647 |
$p++; |
|
648 |
} |
|
649 |
} |
|
650 |
} |
|
651 |
} |
|
652 |
} |
05d419
|
653 |
|
AM |
654 |
/** |
|
655 |
* Explode css style value |
|
656 |
*/ |
|
657 |
protected function explode_style($style) |
|
658 |
{ |
|
659 |
$style = trim($style); |
|
660 |
|
|
661 |
// first remove comments |
|
662 |
$pos = 0; |
|
663 |
while (($pos = strpos($style, '/*', $pos)) !== false) { |
|
664 |
$end = strpos($style, '*/', $pos+2); |
|
665 |
|
|
666 |
if ($end === false) { |
|
667 |
$style = substr($style, 0, $pos); |
|
668 |
} |
|
669 |
else { |
|
670 |
$style = substr_replace($style, '', $pos, $end - $pos + 2); |
|
671 |
} |
|
672 |
} |
|
673 |
|
|
674 |
$strlen = strlen($style); |
|
675 |
$result = array(); |
|
676 |
|
|
677 |
// explode value |
|
678 |
for ($p=$i=0; $i < $strlen; $i++) { |
|
679 |
if (($style[$i] == "\"" || $style[$i] == "'") && $style[$i-1] != "\\") { |
|
680 |
if ($q == $style[$i]) { |
|
681 |
$q = false; |
|
682 |
} |
|
683 |
else if (!$q) { |
|
684 |
$q = $style[$i]; |
|
685 |
} |
|
686 |
} |
|
687 |
|
|
688 |
if (!$q && $style[$i] == ' ' && !preg_match('/[,\(]/', $style[$i-1])) { |
|
689 |
$result[] = substr($style, $p, $i - $p); |
|
690 |
$p = $i + 1; |
|
691 |
} |
|
692 |
} |
|
693 |
|
|
694 |
$result[] = (string) substr($style, $p); |
|
695 |
|
|
696 |
return $result; |
|
697 |
} |
c72507
|
698 |
} |