bookstack/app/Util/HtmlContentFilter.php

<?php

namespace BookStack\Util;

use DOMAttr;
use DOMElement;
use DOMNodeList;

class HtmlContentFilter
{
    /**
     * Remove all the script elements from the given HTML document.
     */
    public static function removeScriptsFromDocument(HtmlDocument $doc)
    {
        // Remove standard script tags
        $scriptElems = $doc->queryXPath('//script');
        static::removeNodes($scriptElems);

        // Remove clickable links to JavaScript URI
        $badLinks = $doc->queryXPath('//*[' . static::xpathContains('@href', 'javascript:') . ']');
        static::removeNodes($badLinks);

        // Remove forms with calls to JavaScript URI
        $badForms = $doc->queryXPath('//*[' . static::xpathContains('@action', 'javascript:') . '] | //*[' . static::xpathContains('@formaction', 'javascript:') . ']');
        static::removeNodes($badForms);

        // Remove meta tag to prevent external redirects
        $metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');
        static::removeNodes($metaTags);

        // Remove data or JavaScript iFrames
        $badIframes = $doc->queryXPath('//*[' . static::xpathContains('@src', 'data:') . '] | //*[' . static::xpathContains('@src', 'javascript:') . '] | //*[@srcdoc]');
        static::removeNodes($badIframes);

        // Remove attributes, within svg children, hiding JavaScript or data uris.
        // A bunch of svg element and attribute combinations expose xss possibilities.
        // For example, SVG animate tag can exploit javascript in values.
        $badValuesAttrs = $doc->queryXPath('//svg//@*[' . static::xpathContains('.', 'data:') . '] | //svg//@*[' . static::xpathContains('.', 'javascript:') . ']');
        static::removeAttributes($badValuesAttrs);

        // Remove elements with a xlink:href attribute
        // Used in SVG but deprecated anyway, so we'll be a bit more heavy-handed here.
        $xlinkHrefAttributes = $doc->queryXPath('//@*[contains(name(), \'xlink:href\')]');
        static::removeAttributes($xlinkHrefAttributes);

        // Remove 'on*' attributes
        $onAttributes = $doc->queryXPath('//@*[starts-with(name(), \'on\')]');
        static::removeAttributes($onAttributes);
    }

    /**
     * Remove scripts from the given HTML string.
     */
    public static function removeScriptsFromHtmlString(string $html): string
    {
        if (empty($html)) {
            return $html;
        }

        $doc = new HtmlDocument($html);
        static::removeScriptsFromDocument($doc);

        return $doc->getBodyInnerHtml();
    }

    /**
     * Create a xpath contains statement with a translation automatically built within
     * to affectively search in a cases-insensitive manner.
     */
    protected static function xpathContains(string $property, string $value): string
    {
        $value = strtolower($value);
        $upperVal = strtoupper($value);

        return 'contains(translate(' . $property . ', \'' . $upperVal . '\', \'' . $value . '\'), \'' . $value . '\')';
    }

    /**
     * Remove all the given DOMNodes.
     */
    protected static function removeNodes(DOMNodeList $nodes): void
    {
        foreach ($nodes as $node) {
            $node->parentNode->removeChild($node);
        }
    }

    /**
     * Remove all the given attribute nodes.
     */
    protected static function removeAttributes(DOMNodeList $attrs): void
    {
        /** @var DOMAttr $attr */
        foreach ($attrs as $attr) {
            $attrName = $attr->nodeName;
            /** @var DOMElement $parentNode */
            $parentNode = $attr->parentNode;
            $parentNode->removeAttribute($attrName);
        }
    }
}
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`<?php`

			`namespace BookStack\Util;`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00
Added filter for xlink:href svg xss Simply remove all such attributes 2021-09-04 05:34:49 +08:00			`use DOMAttr;`
Done a round of phpstan fixes 2021-11-06 08:32:01 +08:00			`use DOMElement;`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`use DOMNodeList;`

			`class HtmlContentFilter`
			`{`
			`/**`
Includes: Switched page to new system - Added mulit-level depth parsing. - Updating usage of HTML doc in page content to be efficient. - Removed now redundant PageContentTest cases. - Made some include system fixes based upon testing. 2023-11-28 03:54:47 +08:00			`* Remove all the script elements from the given HTML document.`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`*/`
Includes: Switched page to new system - Added mulit-level depth parsing. - Updating usage of HTML doc in page content to be efficient. - Removed now redundant PageContentTest cases. - Made some include system fixes based upon testing. 2023-11-28 03:54:47 +08:00			`public static function removeScriptsFromDocument(HtmlDocument $doc)`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`{`
			`// Remove standard script tags`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$scriptElems = $doc->queryXPath('//script');`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`static::removeNodes($scriptElems);`

			`// Remove clickable links to JavaScript URI`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$badLinks = $doc->queryXPath('//*[' . static::xpathContains('@href', 'javascript:') . ']');`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`static::removeNodes($badLinks);`

			`// Remove forms with calls to JavaScript URI`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$badForms = $doc->queryXPath('//[' . static::xpathContains('@action', 'javascript:') . '] \| //[' . static::xpathContains('@formaction', 'javascript:') . ']');`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`static::removeNodes($badForms);`

			`// Remove meta tag to prevent external redirects`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$metaTags = $doc->queryXPath('//meta[' . static::xpathContains('@content', 'url') . ']');`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`static::removeNodes($metaTags);`

			`// Remove data or JavaScript iFrames`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$badIframes = $doc->queryXPath('//[' . static::xpathContains('@src', 'data:') . '] \| //[' . static::xpathContains('@src', 'javascript:') . '] \| //*[@srcdoc]');`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`static::removeNodes($badIframes);`

Widened svg content attribute xss filtering Takes care of additional cases that can occur. Closes #3705 2022-09-07 00:01:56 +08:00			`// Remove attributes, within svg children, hiding JavaScript or data uris.`
			`// A bunch of svg element and attribute combinations expose xss possibilities.`
Added content filtering of tags with javascript or data in values attr Case would be blocked by CSP but adding for cases where CSP may not be active when content taken externally. For #3636 2022-08-11 17:26:33 +08:00			`// For example, SVG animate tag can exploit javascript in values.`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$badValuesAttrs = $doc->queryXPath('//svg//@[' . static::xpathContains('.', 'data:') . '] \| //svg//@[' . static::xpathContains('.', 'javascript:') . ']');`
Widened svg content attribute xss filtering Takes care of additional cases that can occur. Closes #3705 2022-09-07 00:01:56 +08:00			`static::removeAttributes($badValuesAttrs);`
Added content filtering of tags with javascript or data in values attr Case would be blocked by CSP but adding for cases where CSP may not be active when content taken externally. For #3636 2022-08-11 17:26:33 +08:00
Added filter for xlink:href svg xss Simply remove all such attributes 2021-09-04 05:34:49 +08:00			`// Remove elements with a xlink:href attribute`
			`// Used in SVG but deprecated anyway, so we'll be a bit more heavy-handed here.`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$xlinkHrefAttributes = $doc->queryXPath('//@*[contains(name(), \'xlink:href\')]');`
Added filter for xlink:href svg xss Simply remove all such attributes 2021-09-04 05:34:49 +08:00			`static::removeAttributes($xlinkHrefAttributes);`

Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`// Remove 'on*' attributes`
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`$onAttributes = $doc->queryXPath('//@*[starts-with(name(), \'on\')]');`
Added filter for xlink:href svg xss Simply remove all such attributes 2021-09-04 05:34:49 +08:00			`static::removeAttributes($onAttributes);`
Includes: Switched page to new system - Added mulit-level depth parsing. - Updating usage of HTML doc in page content to be efficient. - Removed now redundant PageContentTest cases. - Made some include system fixes based upon testing. 2023-11-28 03:54:47 +08:00			`}`

			`/**`
			`* Remove scripts from the given HTML string.`
			`*/`
			`public static function removeScriptsFromHtmlString(string $html): string`
			`{`
			`if (empty($html)) {`
			`return $html;`
			`}`

			`$doc = new HtmlDocument($html);`
			`static::removeScriptsFromDocument($doc);`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00
HTML: Aligned and standardised DOMDocument usage Adds a thin wrapper for DOMDocument to simplify and align usage within all areas of BookStack. Also means we move away from old depreacted mb_convert_encoding usage. Closes #4638 2023-11-14 23:46:32 +08:00			`return $doc->getBodyInnerHtml();`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`}`

Added extra HTML filtering of dangerous content In particular, That around the casing of dangerous values within attributes. This uses some xpath translation to handle different casing in contains searching. 2021-09-03 05:02:30 +08:00			`/**`
			`* Create a xpath contains statement with a translation automatically built within`
			`* to affectively search in a cases-insensitive manner.`
			`*/`
			`protected static function xpathContains(string $property, string $value): string`
			`{`
			`$value = strtolower($value);`
			`$upperVal = strtoupper($value);`
Applied latest styleci changes 2021-09-07 05:19:06 +08:00
Added extra HTML filtering of dangerous content In particular, That around the casing of dangerous values within attributes. This uses some xpath translation to handle different casing in contains searching. 2021-09-03 05:02:30 +08:00			`return 'contains(translate(' . $property . ', \'' . $upperVal . '\', \'' . $value . '\'), \'' . $value . '\')';`
			`}`

Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`/**`
Added filter for xlink:href svg xss Simply remove all such attributes 2021-09-04 05:34:49 +08:00			`* Remove all the given DOMNodes.`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`*/`
Fixed content parsing break with line html comment Fixes issues thrown in custom HMTL head & page content filtering when the content is comprised of only a single HTML comment. Adds tests to cover. For #2804 2021-06-13 19:53:04 +08:00			`protected static function removeNodes(DOMNodeList $nodes): void`
Filtered scripts in custom HTML head for exports Since it appeared to cause problems in some scenarios. Related to #2490 2021-05-04 06:59:52 +08:00			`{`
			`foreach ($nodes as $node) {`
			`$node->parentNode->removeChild($node);`
			`}`
			`}`
Added filter for xlink:href svg xss Simply remove all such attributes 2021-09-04 05:34:49 +08:00
			`/**`
			`* Remove all the given attribute nodes.`
			`*/`
			`protected static function removeAttributes(DOMNodeList $attrs): void`
			`{`
			`/** @var DOMAttr $attr */`
			`foreach ($attrs as $attr) {`
			`$attrName = $attr->nodeName;`
Done a round of phpstan fixes 2021-11-06 08:32:01 +08:00			`/** @var DOMElement $parentNode */`
			`$parentNode = $attr->parentNode;`
			`$parentNode->removeAttribute($attrName);`
Added filter for xlink:href svg xss Simply remove all such attributes 2021-09-04 05:34:49 +08:00			`}`
			`}`
Fixed content parsing break with line html comment Fixes issues thrown in custom HMTL head & page content filtering when the content is comprised of only a single HTML comment. Adds tests to cover. For #2804 2021-06-13 19:53:04 +08:00			`}`