pkp#7916 updated implementation symfony html sanitizer

touhidurabir · Jun 19, 2023 · a85bb73 · a85bb73
1 parent a27095a
commit a85bb73
Showing 1 changed file with 17 additions and 22 deletions.
diff --git a/classes/core/PKPString.php b/classes/core/PKPString.php
@@ -403,30 +403,21 @@ public static function getAmbiguousExtensionsMap()
      * onclick(...) attributes, javascript: urls, and special characters.
      *
      * @param string $input input string
-     * @param string $configKey The config section key['allowed_html', 'allowed_title_html']
+     * @param string $key   The config section key['allowed_html', 'allowed_title_html']
      *
      * @return string
      */
-    public static function stripUnsafeHtml($input, $configKey = 'allowed_html')
+    public static function stripUnsafeHtml(string $input, string $key = 'allowed_html'): string
     {
-        // static $purifier;
-        // if (!isset($purifier)) {
-        //     $config = HTMLPurifier_Config::createDefault();
-        //     $config->set('Core.Encoding', 'utf-8');
-        //     $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
-        //     $config->set('HTML.Allowed', Config::getVar('security', $configKey));
-        //     $config->set('Cache.SerializerPath', 'cache');
-        //     $purifier = new HTMLPurifier($config);
-        // }
-        // return $purifier->purify((string) $input);
-
         static $sanitizer;
+        static $configKey;
         static $allowedTagToAttributeMap;
 
-        if (!isset($htmlTagToAttributeMap)) {
-            Str::of(Config::getVar('security', $configKey))
+        if ($configKey !== $key) {
+            $configKey = $key;
+            $allowedTagToAttributeMap = Str::of(Config::getVar('security', $configKey))
                 ->explode(',')
-                ->each(function(string $allowedTagWithAttr) use (&$allowedTagToAttributeMap) {
+                ->mapWithKeys(function(string $allowedTagWithAttr) {
 
                     // Extract the tag itself (e.g. div, p, a ...)
                     preg_match('/\[[^][]+]\K|\w+/', $allowedTagWithAttr, $matches);
@@ -437,11 +428,15 @@ public static function stripUnsafeHtml($input, $configKey = 'allowed_html')
                     $allowedAttributes = collect($matches)->last();
 
                     if($allowedTag) {
-                        $allowedTagToAttributeMap[$allowedTag] = Str::of($allowedAttributes)
-                            ->explode('|')
-                            ->filter()
-                            ->toArray();
+                        return [
+                            $allowedTag => Str::of($allowedAttributes)
+                                ->explode('|')
+                                ->filter()
+                                ->toArray()
+                        ];
                     }
+
+                    return [];
                 });
         }
 
@@ -451,7 +446,7 @@ public static function stripUnsafeHtml($input, $configKey = 'allowed_html')
                 ->allowLinkSchemes(['https', 'http', 'mailto'])
                 ->allowMediaSchemes(['https', 'http']);
 
-            collect($allowedTagToAttributeMap)
+            $allowedTagToAttributeMap
                 ->each(function(array $attributes, string $tag) use (&$config){
                     $config = $config->allowElement($tag, $attributes);
                 });
@@ -462,7 +457,7 @@ public static function stripUnsafeHtml($input, $configKey = 'allowed_html')
         return $sanitizer->sanitize(
             strip_tags(
                 $input, 
-                array_keys($allowedTagToAttributeMap)
+                $allowedTagToAttributeMap->keys()->toArray()
             )
         );
     }