pkp#7916 Replaced html purifier with symfony html sanitizer

classes/core/PKPString.php

@@ -19,7 +19,10 @@
 
 use HTMLPurifier;
 use HTMLPurifier_Config;
+use Illuminate\Support\Str;
 use PKP\config\Config;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
 use Stringy\Stringy;
 
 class PKPString
@@ -406,16 +409,62 @@ public static function getAmbiguousExtensionsMap()
      */
     public static function stripUnsafeHtml($input, $configKey = 'allowed_html')
     {
-        static $purifier;
-        if (!isset($purifier)) {
-            $config = HTMLPurifier_Config::createDefault();
-            $config->set('Core.Encoding', 'utf-8');
-            $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
-            $config->set('HTML.Allowed', Config::getVar('security', $configKey));
-            $config->set('Cache.SerializerPath', 'cache');
-            $purifier = new HTMLPurifier($config);
+        // static $purifier;
+        // if (!isset($purifier)) {
+        //     $config = HTMLPurifier_Config::createDefault();
+        //     $config->set('Core.Encoding', 'utf-8');
+        //     $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
+        //     $config->set('HTML.Allowed', Config::getVar('security', $configKey));
+        //     $config->set('Cache.SerializerPath', 'cache');
+        //     $purifier = new HTMLPurifier($config);
+        // }
+        // return $purifier->purify((string) $input);
+
+        static $sanitizer;
+        static $allowedTagToAttributeMap;
+
+        if (!isset($htmlTagToAttributeMap)) {
+            Str::of(Config::getVar('security', $configKey))
+                ->explode(',')
+                ->each(function(string $allowedTagWithAttr) use (&$allowedTagToAttributeMap) {
+
+                    // Extract the tag itself (e.g. div, p, a ...)
+                    preg_match('/\[[^][]+]\K|\w+/', $allowedTagWithAttr, $matches);
+                    $allowedTag = collect($matches)->first();
+
+                    // Extract the attributes associated with tag (e.g. class, href ...)
+                    preg_match("/\[([^\]]*)\]/", $allowedTagWithAttr, $matches);
+                    $allowedAttributes = collect($matches)->last();
+
+                    if($allowedTag) {
+                        $allowedTagToAttributeMap[$allowedTag] = Str::of($allowedAttributes)
+                            ->explode('|')
+                            ->filter()
+                            ->toArray();
+                    }
+                });
         }
-        return $purifier->purify((string) $input);
+
+        if(!isset($sanitizer)) {
+
+            $config = (new HtmlSanitizerConfig())
+                ->allowLinkSchemes(['https', 'http', 'mailto'])
+                ->allowMediaSchemes(['https', 'http']);
+
+            collect($allowedTagToAttributeMap)
+                ->each(function(array $attributes, string $tag) use (&$config){
+                    $config = $config->allowElement($tag, $attributes);
+                });
+
+            $sanitizer = new HtmlSanitizer($config);
+        }
+
+        return $sanitizer->sanitize(
+            strip_tags(
+                $input, 
+                array_keys($allowedTagToAttributeMap)
+            )
+        );
     }
 
     /**

composer.json

@@ -1,36 +1,36 @@
 {
 	"require": {
-		"ralouphie/getallheaders": "*",
-		"components/jqueryui": "1.*",
+		"adodb/adodb-php": "v5.20.18",
 		"components/jquery": "^3.5",
-		"wikimedia/less.php": "3.*",
-		"phpmailer/phpmailer": "6.*",
-		"smarty/smarty": "4.*",
-		"ezyang/htmlpurifier": "4.*",
-		"moxiecode/plupload": "2.*",
-		"tinymce/tinymce": "^5.7",
-		"michelf/php-markdown": "1.*",
-		"slim/slim": "3.*",
-		"pimple/pimple": "3.*",
-		"laravel/framework": "^9.0",
+		"components/jqueryui": "1.*",
+		"composer/semver": "^3.3",
+		"cweagans/composer-patches": "^1.7",
+		"dflydev/base32-crockford": "^1.0",
+		"doctrine/dbal": "^3.5",
+		"elcobvg/laravel-opcache": "^0.5.0",
 		"firebase/php-jwt": "5.*",
-		"adodb/adodb-php": "v5.20.18",
+		"geoip2/geoip2": "~2.0",
 		"gettext/gettext": "5.*",
-		"sokil/php-isocodes": "^4.1",
-		"doctrine/dbal": "^3.5",
+		"gettext/translator": "1.*",
 		"guzzlehttp/guzzle": "^7.0",
+		"kevinlebrun/colors.php": "^1.0",
+		"laravel/framework": "^9.0",
 		"league/flysystem": "^3.0",
 		"league/flysystem-sftp-v3": "^3.0",
-		"cweagans/composer-patches": "^1.7",
-		"kevinlebrun/colors.php": "^1.0",
+		"michelf/php-markdown": "1.*",
+		"moxiecode/plupload": "2.*",
+		"phpmailer/phpmailer": "6.*",
+		"pimple/pimple": "3.*",
+		"ralouphie/getallheaders": "*",
+		"slim/slim": "3.*",
+		"smarty/smarty": "4.*",
+		"sokil/php-isocodes": "^4.1",
+		"sokil/php-isocodes-db-i18n": "^4.0",
+		"symfony/html-sanitizer": "^6.2",
 		"symfony/mailer": "^6.0",
-		"gettext/translator": "1.*",
-		"elcobvg/laravel-opcache": "^0.5.0",
-		"composer/semver": "^3.3",
-		"dflydev/base32-crockford": "^1.0",
-		"geoip2/geoip2": "~2.0",
+		"tinymce/tinymce": "^5.7",
 		"voku/stringy": "^6.5",
-		"sokil/php-isocodes-db-i18n": "^4.0"
+		"wikimedia/less.php": "3.*"
 	},
 	"require-dev": {
 		"phpunit/phpunit": "~9",
@@ -44,7 +44,7 @@
 		"component-dir": "lib/components",
 		"vendor-dir": "lib/vendor",
 		"platform": {
-			"php": "8.0.2"
+			"php": "8.1"
 		},
 		"allow-plugins": {
 			"cweagans/composer-patches": true,