bookstack/app/Util/HtmlNonceApplicator.php

<?php

namespace BookStack\Util;

use DOMElement;
use DOMNodeList;

class HtmlNonceApplicator
{
    protected static string $placeholder = '[CSP_NONCE_VALUE]';

    /**
     * Prepare the given HTML content with nonce attributes including a placeholder
     * value which we can target later.
     */
    public static function prepare(string $html): string
    {
        if (empty($html)) {
            return $html;
        }

        // LIBXML_SCHEMA_CREATE was found to be required here otherwise
        // the PHP DOMDocument handling will attempt to format/close
        // HTML tags within scripts and therefore change JS content.
        $doc = new HtmlDocument($html, LIBXML_SCHEMA_CREATE);

        // Apply to scripts
        $scriptElems = $doc->queryXPath('//script');
        static::addNonceAttributes($scriptElems, static::$placeholder);

        // Apply to styles
        $styleElems = $doc->queryXPath('//style');
        static::addNonceAttributes($styleElems, static::$placeholder);

        return $doc->getBodyInnerHtml();
    }

    /**
     * Apply the give nonce value to the given prepared HTML.
     */
    public static function apply(string $html, string $nonce): string
    {
        return str_replace(static::$placeholder, $nonce, $html);
    }

    protected static function addNonceAttributes(DOMNodeList $nodes, string $attrValue): void
    {
        /** @var DOMElement $node */
        foreach ($nodes as $node) {
            $node->setAttribute('nonce', $attrValue);
        }
    }
}
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`<?php`

			`namespace BookStack\Util;`

			`use DOMElement;`
			`use DOMNodeList;`

			`class HtmlNonceApplicator`
			`{`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`protected static string $placeholder = '[CSP_NONCE_VALUE]';`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`/**`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`* Prepare the given HTML content with nonce attributes including a placeholder`
			`* value which we can target later.`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`*/`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`public static function prepare(string $html): string`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`{`
			`if (empty($html)) {`
			`return $html;`
			`}`

HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`// LIBXML_SCHEMA_CREATE was found to be required here otherwise`
			`// the PHP DOMDocument handling will attempt to format/close`
			`// HTML tags within scripts and therefore change JS content.`
			`$doc = new HtmlDocument($html, LIBXML_SCHEMA_CREATE);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00
			`// Apply to scripts`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$scriptElems = $doc->queryXPath('//script');`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`static::addNonceAttributes($scriptElems, static::$placeholder);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00
			`// Apply to styles`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$styleElems = $doc->queryXPath('//style');`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`static::addNonceAttributes($styleElems, static::$placeholder);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`return $doc->getBodyInnerHtml();`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`}`

Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`/**`
			`* Apply the give nonce value to the given prepared HTML.`
			`*/`
			`public static function apply(string $html, string $nonce): string`
			`{`
			`return str_replace(static::$placeholder, $nonce, $html);`
			`}`

			`protected static function addNonceAttributes(DOMNodeList $nodes, string $attrValue): void`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`{`
			`/** @var DOMElement $node */`
			`foreach ($nodes as $node) {`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`$node->setAttribute('nonce', $attrValue);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`}`
			`}`
			`}`