silverstripe /
silverstripe-framework
| Total Complexity | 77 |
| Total Lines | 367 |
| Duplicated Lines | 0 % |
| Changes | 0 | ||
Complex classes like HTMLEditorSanitiser often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use HTMLEditorSanitiser, and based on these observations, apply Extract Interface, too.
| 1 | <?php |
||
| 19 | class HTMLEditorSanitiser |
||
| 20 | { |
||
| 21 | use Configurable; |
||
| 22 | use Injectable; |
||
| 23 | |||
| 24 | /** |
||
| 25 | * rel attribute to add to link elements which have a target attribute (usually "_blank") |
||
| 26 | * this is to done to prevent reverse tabnabbing - see https://www.owasp.org/index.php/Reverse_Tabnabbing |
||
| 27 | * noopener includes the behaviour we want, though some browsers don't yet support it and rely |
||
| 28 | * upon using noreferrer instead - see https://caniuse.com/rel-noopener for current browser compatibility |
||
| 29 | * set this to null if you would like to disable this behaviour |
||
| 30 | * set this to an empty string if you would like to remove rel attributes that were previously set |
||
| 31 | * |
||
| 32 | * @var string |
||
| 33 | */ |
||
| 34 | private static $link_rel_value = 'noopener noreferrer'; |
||
| 35 | |||
| 36 | /** @var stdClass - $element => $rule hash for whitelist element rules where the element name isn't a pattern */ |
||
| 37 | protected $elements = []; |
||
| 38 | /** @var stdClass - Sequential list of whitelist element rules where the element name is a pattern */ |
||
| 39 | protected $elementPatterns = []; |
||
| 40 | |||
| 41 | /** @var stdClass - The list of attributes that apply to all further whitelisted elements added */ |
||
| 42 | protected $globalAttributes = []; |
||
| 43 | |||
| 44 | /** |
||
| 45 | * Construct a sanitiser from a given HTMLEditorConfig |
||
| 46 | * |
||
| 47 | * Note that we build data structures from the current state of HTMLEditorConfig - later changes to |
||
| 48 | * the passed instance won't cause this instance to update it's whitelist |
||
| 49 | * |
||
| 50 | * @param HTMLEditorConfig $config |
||
| 51 | */ |
||
| 52 | public function __construct(HTMLEditorConfig $config) |
||
| 53 | { |
||
| 54 | $valid = $config->getOption('valid_elements'); |
||
| 55 | if ($valid) { |
||
| 56 | $this->addValidElements($valid); |
||
| 57 | } |
||
| 58 | |||
| 59 | $valid = $config->getOption('extended_valid_elements'); |
||
| 60 | if ($valid) { |
||
| 61 | $this->addValidElements($valid); |
||
| 62 | } |
||
| 63 | } |
||
| 64 | |||
| 65 | /** |
||
| 66 | * Given a TinyMCE pattern (close to unix glob style), create a regex that does the match |
||
| 67 | * |
||
| 68 | * @param $str - The TinyMCE pattern |
||
|
Documentation
Bug
introduced
by
|
|||
| 69 | * @return string - The equivalent regex |
||
| 70 | */ |
||
| 71 | protected function patternToRegex($str) |
||
| 72 | { |
||
| 73 | return '/^' . preg_replace('/([?+*])/', '.$1', $str) . '$/'; |
||
| 74 | } |
||
| 75 | |||
| 76 | /** |
||
| 77 | * Given a valid_elements string, parse out the actual element and attribute rules and add to the |
||
| 78 | * internal whitelist |
||
| 79 | * |
||
| 80 | * Logic based heavily on javascript version from tiny_mce_src.js |
||
| 81 | * |
||
| 82 | * @param string $validElements - The valid_elements or extended_valid_elements string to add to the whitelist |
||
| 83 | */ |
||
| 84 | protected function addValidElements($validElements) |
||
| 85 | { |
||
| 86 | $elementRuleRegExp = '/^([#+\-])?([^\[\/]+)(?:\/([^\[]+))?(?:\[([^\]]+)\])?$/'; |
||
| 87 | $attrRuleRegExp = '/^([!\-])?(\w+::\w+|[^=:<]+)?(?:([=:<])(.*))?$/'; |
||
| 88 | $hasPatternsRegExp = '/[*?+]/'; |
||
| 89 | |||
| 90 | foreach (explode(',', $validElements) as $validElement) { |
||
| 91 | if (preg_match($elementRuleRegExp, $validElement, $matches)) { |
||
| 92 | $prefix = isset($matches[1]) ? $matches[1] : null; |
||
| 93 | $elementName = isset($matches[2]) ? $matches[2] : null; |
||
| 94 | $outputName = isset($matches[3]) ? $matches[3] : null; |
||
| 95 | $attrData = isset($matches[4]) ? $matches[4] : null; |
||
| 96 | |||
| 97 | // Create the new element |
||
| 98 | $element = new stdClass(); |
||
| 99 | $element->attributes = []; |
||
| 100 | $element->attributePatterns = []; |
||
| 101 | |||
| 102 | $element->attributesRequired = []; |
||
| 103 | $element->attributesDefault = []; |
||
| 104 | $element->attributesForced = []; |
||
| 105 | |||
| 106 | foreach (['#' => 'paddEmpty', '-' => 'removeEmpty'] as $match => $means) { |
||
| 107 | $element->$means = ($prefix === $match); |
||
| 108 | } |
||
| 109 | |||
| 110 | // Copy attributes from global rule into current rule |
||
| 111 | if ($this->globalAttributes) { |
||
| 112 | $element->attributes = array_merge($element->attributes, $this->globalAttributes); |
||
| 113 | } |
||
| 114 | |||
| 115 | // Attributes defined |
||
| 116 | if ($attrData) { |
||
| 117 | foreach (explode('|', $attrData) as $attr) { |
||
| 118 | if (preg_match($attrRuleRegExp, $attr, $matches)) { |
||
| 119 | $attr = new stdClass(); |
||
| 120 | |||
| 121 | $attrType = isset($matches[1]) ? $matches[1] : null; |
||
| 122 | $attrName = isset($matches[2]) ? str_replace('::', ':', $matches[2]) : null; |
||
| 123 | $prefix = isset($matches[3]) ? $matches[3] : null; |
||
| 124 | $value = isset($matches[4]) ? $matches[4] : null; |
||
| 125 | |||
| 126 | // Required |
||
| 127 | if ($attrType === '!') { |
||
| 128 | $element->attributesRequired[] = $attrName; |
||
| 129 | $attr->required = true; |
||
| 130 | } elseif ($attrType === '-') { |
||
| 131 | // Denied from global |
||
| 132 | unset($element->attributes[$attrName]); |
||
| 133 | continue; |
||
| 134 | } |
||
| 135 | |||
| 136 | // Default value |
||
| 137 | if ($prefix) { |
||
| 138 | if ($prefix === '=') { // Default value |
||
| 139 | $element->attributesDefault[$attrName] = $value; |
||
| 140 | $attr->defaultValue = $value; |
||
| 141 | } elseif ($prefix === ':') { |
||
| 142 | // Forced value |
||
| 143 | $element->attributesForced[$attrName] = $value; |
||
| 144 | $attr->forcedValue = $value; |
||
| 145 | } elseif ($prefix === '<') { |
||
| 146 | // Required values |
||
| 147 | $attr->validValues = explode('?', $value); |
||
| 148 | } |
||
| 149 | } |
||
| 150 | |||
| 151 | // Check for attribute patterns |
||
| 152 | if (preg_match($hasPatternsRegExp, $attrName)) { |
||
| 153 | $attr->pattern = $this->patternToRegex($attrName); |
||
| 154 | $element->attributePatterns[] = $attr; |
||
| 155 | } else { |
||
| 156 | $element->attributes[$attrName] = $attr; |
||
| 157 | } |
||
| 158 | } |
||
| 159 | } |
||
| 160 | } |
||
| 161 | |||
| 162 | // Global rule, store away these for later usage |
||
| 163 | if (!$this->globalAttributes && $elementName == '@') { |
||
| 164 | $this->globalAttributes = $element->attributes; |
||
| 165 | } |
||
| 166 | |||
| 167 | // Handle substitute elements such as b/strong |
||
| 168 | if ($outputName) { |
||
| 169 | $element->outputName = $elementName; |
||
| 170 | $this->elements[$outputName] = $element; |
||
| 171 | } |
||
| 172 | |||
| 173 | // Add pattern or exact element |
||
| 174 | if (preg_match($hasPatternsRegExp, $elementName)) { |
||
| 175 | $element->pattern = $this->patternToRegex($elementName); |
||
| 176 | $this->elementPatterns[] = $element; |
||
| 177 | } else { |
||
| 178 | $this->elements[$elementName] = $element; |
||
| 179 | } |
||
| 180 | } |
||
| 181 | } |
||
| 182 | } |
||
| 183 | |||
| 184 | /** |
||
| 185 | * Given an element tag, return the rule structure for that element |
||
| 186 | * @param string $tag The element tag |
||
| 187 | * @return stdClass The element rule |
||
| 188 | */ |
||
| 189 | protected function getRuleForElement($tag) |
||
| 190 | { |
||
| 191 | if (isset($this->elements[$tag])) { |
||
| 192 | return $this->elements[$tag]; |
||
| 193 | } |
||
| 194 | foreach ($this->elementPatterns as $element) { |
||
| 195 | if (preg_match($element->pattern, $tag)) { |
||
| 196 | return $element; |
||
| 197 | } |
||
| 198 | } |
||
| 199 | return null; |
||
| 200 | } |
||
| 201 | |||
| 202 | /** |
||
| 203 | * Given an attribute name, return the rule structure for that attribute |
||
| 204 | * |
||
| 205 | * @param object $elementRule |
||
| 206 | * @param string $name The attribute name |
||
| 207 | * @return stdClass The attribute rule |
||
| 208 | */ |
||
| 209 | protected function getRuleForAttribute($elementRule, $name) |
||
| 220 | } |
||
| 221 | |||
| 222 | /** |
||
| 223 | * Given a DOMElement and an element rule, check if that element passes the rule |
||
| 224 | * @param DOMElement $element The element to check |
||
| 225 | * @param stdClass $rule The rule to check against |
||
| 226 | * @return bool True if the element passes (and so can be kept), false if it fails (and so needs stripping) |
||
| 227 | */ |
||
| 228 | protected function elementMatchesRule($element, $rule = null) |
||
| 258 | } |
||
| 259 | |||
| 260 | /** |
||
| 261 | * Given a DOMAttr and an attribute rule, check if that attribute passes the rule |
||
| 262 | * @param DOMAttr $attr - the attribute to check |
||
| 263 | * @param stdClass $rule - the rule to check against |
||
| 264 | * @return bool - true if the attribute passes (and so can be kept), false if it fails (and so needs stripping) |
||
| 265 | */ |
||
| 266 | protected function attributeMatchesRule($attr, $rule = null) |
||
| 280 | } |
||
| 281 | |||
| 282 | /** |
||
| 283 | * Given an SS_HTMLValue instance, will remove and elements and attributes that are |
||
| 284 | * not explicitly included in the whitelist passed to __construct on instance creation |
||
| 285 | * |
||
| 286 | * @param HTMLValue $html - The HTMLValue to remove any non-whitelisted elements & attributes from |
||
| 287 | */ |
||
| 288 | public function sanitise(HTMLValue $html) |
||
| 363 | } |
||
| 364 | } |
||
| 365 | } |
||
| 366 | |||
| 367 | /** |
||
| 368 | * Adds rel="noopener noreferrer" to link elements with a target attribute |
||
| 369 | * |
||
| 370 | * @param DOMElement $el |
||
| 371 | * @param string|null $linkRelValue |
||
| 372 | */ |
||
| 373 | private function addRelValue(DOMElement $el, $linkRelValue) |
||
| 389 |
Loading history...
