[HtmlSanitizer] Add ability to sanitize a whole document

tgalopin · tgalopin · commit 04b6207fdfaf · 2024-10-12T10:03:28.000+02:00
diff --git a/src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php b/src/Symfony/Component/HtmlSanitizer/HtmlSanitizer.php
@@ -25,15 +25,14 @@ final class HtmlSanitizer implements HtmlSanitizerInterface
     private ParserInterface $parser;
 
     /**
-     * @var array<string, DomVisitor>
+     * @var ?DomVisitor
      */
-    private array $domVisitors = [];
+    private ?DomVisitor $domVisitor = null;
 
     public function __construct(
         private HtmlSanitizerConfig $config,
         ?ParserInterface $parser = null,
     ) {
-        $this->config = $config;
         $this->parser = $parser ?? new MastermindsParser();
     }
 
@@ -58,7 +57,7 @@ private function sanitizeWithContext(string $context, string $input): string
         }
 
         // Other context: build a DOM visitor
-        $this->domVisitors[$context] ??= $this->createDomVisitorForContext($context);
+        $this->domVisitor ??= $this->createDomVisitor();
 
         // Prevent DOS attack induced by extremely long HTML strings
         if (-1 !== $this->config->getMaxInputLength() && \strlen($input) > $this->config->getMaxInputLength()) {
@@ -80,7 +79,9 @@ private function sanitizeWithContext(string $context, string $input): string
         }
 
         // Visit the DOM tree and render the sanitized nodes
-        return $this->domVisitors[$context]->visit($parsed)?->render() ?? '';
+        $sanitized = $this->domVisitor->visit($context, $parsed)?->render() ?? '';
+
+        return W3CReference::CONTEXT_DOCUMENT === $context ? '<!DOCTYPE html>'.$sanitized : $sanitized;
     }
 
     private function isValidUtf8(string $html): bool
@@ -89,50 +90,20 @@ private function isValidUtf8(string $html): bool
         return '' === $html || preg_match('//u', $html);
     }
 
-    private function createDomVisitorForContext(string $context): DomVisitor
+    private function createDomVisitor(): DomVisitor
     {
         $elementsConfig = [];
 
-        // Head: only a few elements are allowed
-        if (W3CReference::CONTEXT_HEAD === $context) {
-            foreach ($this->config->getAllowedElements() as $allowedElement => $allowedAttributes) {
-                if (\array_key_exists($allowedElement, W3CReference::HEAD_ELEMENTS)) {
-                    $elementsConfig[$allowedElement] = $allowedAttributes;
-                }
-            }
-
-            foreach ($this->config->getBlockedElements() as $blockedElement => $v) {
-                if (\array_key_exists($blockedElement, W3CReference::HEAD_ELEMENTS)) {
-                    $elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
-                }
-            }
-
-            foreach ($this->config->getDroppedElements() as $droppedElement => $v) {
-                if (\array_key_exists($droppedElement, W3CReference::HEAD_ELEMENTS)) {
-                    $elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
-                }
-            }
-
-            return new DomVisitor($this->config, $elementsConfig);
-        }
-
-        // Body: allow any configured element that isn't in <head>
         foreach ($this->config->getAllowedElements() as $allowedElement => $allowedAttributes) {
-            if (!\array_key_exists($allowedElement, W3CReference::HEAD_ELEMENTS)) {
-                $elementsConfig[$allowedElement] = $allowedAttributes;
-            }
+            $elementsConfig[$allowedElement] = $allowedAttributes;
         }
 
         foreach ($this->config->getBlockedElements() as $blockedElement => $v) {
-            if (!\array_key_exists($blockedElement, W3CReference::HEAD_ELEMENTS)) {
-                $elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
-            }
+            $elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
         }
 
         foreach ($this->config->getDroppedElements() as $droppedElement => $v) {
-            if (!\array_key_exists($droppedElement, W3CReference::HEAD_ELEMENTS)) {
-                $elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
-            }
+            $elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
         }
 
         return new DomVisitor($this->config, $elementsConfig);
diff --git a/src/Symfony/Component/HtmlSanitizer/README.md b/src/Symfony/Component/HtmlSanitizer/README.md
@@ -98,6 +98,12 @@ $sanitizer->sanitize($userInput);
 // Sanitize the given string for a usage in a <head> tag
 $sanitizer->sanitizeFor('head', $userInput);
 
+// Sanitize the given string for a usage in a <body> tag
+$sanitizer->sanitizeFor('body', $userInput);
+
+// Sanitize the given string as a whole document (including <head> and <body>)
+$sanitizer->sanitizeFor('document', $userInput);
+
 // Sanitize the given string for a usage in another tag
 $sanitizer->sanitizeFor('title', $userInput); // Will encode as HTML entities
 $sanitizer->sanitizeFor('textarea', $userInput); // Will encode as HTML entities
diff --git a/src/Symfony/Component/HtmlSanitizer/Reference/W3CReference.php b/src/Symfony/Component/HtmlSanitizer/Reference/W3CReference.php
@@ -28,13 +28,16 @@ final class W3CReference
      * A parent element name can be passed as an argument to {@see HtmlSanitizer::sanitizeFor()}.
      * When doing so, depending on the given context, different elements will be allowed.
      */
+    public const CONTEXT_DOCUMENT = 'document';
     public const CONTEXT_HEAD = 'head';
     public const CONTEXT_BODY = 'body';
     public const CONTEXT_TEXT = 'text';
 
     // Which context to apply depending on the passed parent element name
     public const CONTEXTS_MAP = [
+        'document' => self::CONTEXT_DOCUMENT,
         'head' => self::CONTEXT_HEAD,
+        'body' => self::CONTEXT_BODY,
         'textarea' => self::CONTEXT_TEXT,
         'title' => self::CONTEXT_TEXT,
     ];
diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerAllTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerAllTest.php
@@ -31,6 +31,32 @@ private function createSanitizer(): HtmlSanitizer
         );
     }
 
+    /**
+     * @dataProvider provideSanitizeDocument
+     */
+    public function testSanitizeDocument(string $input, string $expected)
+    {
+        $this->assertSame($expected, $this->createSanitizer()->sanitizeFor('document', $input));
+    }
+
+    public static function provideSanitizeDocument()
+    {
+        $heads = iterator_to_array(self::provideSanitizeHead());
+        $bodies = iterator_to_array(self::provideSanitizeBody());
+
+        $cases = [];
+        foreach ($heads as $head) {
+            foreach ($bodies as $body) {
+                $cases[] = [
+                    '<!DOCTYPE html><html><head>'.$head[0].'</head><body>'.$body[0].'</body></html>',
+                    '<!DOCTYPE html><html><head>'.$head[1].'</head><body>'.$body[1].'</body></html>',
+                ];
+            }
+        }
+
+        return $cases;
+    }
+
     /**
      * @dataProvider provideSanitizeHead
      */
diff --git a/src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php b/src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\HtmlSanitizer\HtmlSanitizerAction;
 use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
+use Symfony\Component\HtmlSanitizer\Reference\W3CReference;
 use Symfony\Component\HtmlSanitizer\TextSanitizer\StringSanitizer;
 use Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\AttributeSanitizerInterface;
 use Symfony\Component\HtmlSanitizer\Visitor\Model\Cursor;
@@ -51,6 +52,13 @@ final class DomVisitor
      */
     private array $attributeSanitizers = [];
 
+    /**
+     * Registry of elements configuration for each sanitization context used in the document.
+     *
+     * @var array<string, array<string, HtmlSanitizerAction|array<string, bool>>> $elementsConfigByContext
+     */
+    private array $elementsConfigByContext = [];
+
     /**
      * @param array<string, HtmlSanitizerAction|array<string, bool>> $elementsConfig Registry of allowed/blocked elements:
      *                                                                               * If an element is present as a key and contains an array, the element should be allowed
@@ -75,9 +83,9 @@ public function __construct(
         $this->defaultAction = $config->getDefaultAction();
     }
 
-    public function visit(\DOMDocumentFragment $domNode): ?NodeInterface
+    public function visit(?string $context, \DOMDocumentFragment $domNode): ?NodeInterface
     {
-        $cursor = new Cursor(new DocumentNode());
+        $cursor = new Cursor([$context], new DocumentNode());
         $this->visitChildren($domNode, $cursor);
 
         return $cursor->node;
@@ -87,24 +95,35 @@ private function visitNode(\DOMNode $domNode, Cursor $cursor): void
     {
         $nodeName = StringSanitizer::htmlLower($domNode->nodeName);
 
+        if (array_key_exists($nodeName, W3CReference::CONTEXTS_MAP)) {
+            $cursor->contextsPath[] = $nodeName;
+        }
+
         // Visit recursively if the node was not dropped
         if ($this->enterNode($nodeName, $domNode, $cursor)) {
             $this->visitChildren($domNode, $cursor);
             $cursor->node = $cursor->node->getParent();
         }
+
+        if (array_key_exists($nodeName, W3CReference::CONTEXTS_MAP)) {
+            array_pop($cursor->contextsPath);
+        }
     }
 
     private function enterNode(string $domNodeName, \DOMNode $domNode, Cursor $cursor): bool
     {
-        if (!\array_key_exists($domNodeName, $this->elementsConfig)) {
+        $context = array_reverse($cursor->contextsPath)[0] ?? 'body';
+        $this->elementsConfigByContext[$context] ??= $this->createContextElementsConfig($context);
+
+        if (!\array_key_exists($domNodeName, $this->elementsConfigByContext[$context])) {
             $action = $this->defaultAction;
             $allowedAttributes = [];
         } else {
-            if (\is_array($this->elementsConfig[$domNodeName])) {
+            if (\is_array($this->elementsConfigByContext[$context][$domNodeName])) {
                 $action = HtmlSanitizerAction::Allow;
-                $allowedAttributes = $this->elementsConfig[$domNodeName];
+                $allowedAttributes = $this->elementsConfigByContext[$context][$domNodeName];
             } else {
-                $action = $this->elementsConfig[$domNodeName];
+                $action = $this->elementsConfigByContext[$context][$domNodeName];
                 $allowedAttributes = [];
             }
         }
@@ -185,4 +204,53 @@ private function setAttributes(string $domNodeName, \DOMNode $domNode, Node $nod
             }
         }
     }
+
+    private function createContextElementsConfig(string $context): array
+    {
+        $elementsConfig = [];
+
+        // Head: only a few elements are allowed
+        if (W3CReference::CONTEXT_HEAD === $context) {
+            foreach ($this->config->getAllowedElements() as $allowedElement => $allowedAttributes) {
+                if (\array_key_exists($allowedElement, W3CReference::HEAD_ELEMENTS)) {
+                    $elementsConfig[$allowedElement] = $allowedAttributes;
+                }
+            }
+
+            foreach ($this->config->getBlockedElements() as $blockedElement => $v) {
+                if (\array_key_exists($blockedElement, W3CReference::HEAD_ELEMENTS)) {
+                    $elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
+                }
+            }
+
+            foreach ($this->config->getDroppedElements() as $droppedElement => $v) {
+                if (\array_key_exists($droppedElement, W3CReference::HEAD_ELEMENTS)) {
+                    $elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
+                }
+            }
+
+            return $elementsConfig;
+        }
+
+        // Body: allow any configured element that isn't in <head>
+        foreach ($this->config->getAllowedElements() as $allowedElement => $allowedAttributes) {
+            if (!\array_key_exists($allowedElement, W3CReference::HEAD_ELEMENTS)) {
+                $elementsConfig[$allowedElement] = $allowedAttributes;
+            }
+        }
+
+        foreach ($this->config->getBlockedElements() as $blockedElement => $v) {
+            if (!\array_key_exists($blockedElement, W3CReference::HEAD_ELEMENTS)) {
+                $elementsConfig[$blockedElement] = HtmlSanitizerAction::Block;
+            }
+        }
+
+        foreach ($this->config->getDroppedElements() as $droppedElement => $v) {
+            if (!\array_key_exists($droppedElement, W3CReference::HEAD_ELEMENTS)) {
+                $elementsConfig[$droppedElement] = HtmlSanitizerAction::Drop;
+            }
+        }
+
+        return $elementsConfig;
+    }
 }
diff --git a/src/Symfony/Component/HtmlSanitizer/Visitor/Model/Cursor.php b/src/Symfony/Component/HtmlSanitizer/Visitor/Model/Cursor.php
@@ -20,7 +20,9 @@
  */
 final class Cursor
 {
-    public function __construct(public ?NodeInterface $node)
-    {
+    public function __construct(
+        public array $contextsPath,
+        public ?NodeInterface $node
+    ) {
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,9 @@`
`20`	`20`	`*/`
`21`	`21`	`final class Cursor`
`22`	`22`	`{`
`23`		`- public function __construct(public ?NodeInterface $node)`
`24`		`- {`
	`23`	`+ public function __construct(`
	`24`	`+ public array $contextsPath,`
	`25`	`+ public ?NodeInterface $node`
	`26`	`+ ) {`
`25`	`27`	`}`
`26`	`28`	`}`