bookstack/app/Util/HtmlNonceApplicator.php

<?php

namespace BookStack\Util;

use DOMDocument;
use DOMElement;
use DOMNodeList;
use DOMXPath;

class HtmlNonceApplicator
{
    protected static $placeholder = '[CSP_NONCE_VALUE]';

    /**
     * Prepare the given HTML content with nonce attributes including a placeholder
     * value which we can target later.
     */
    public static function prepare(string $html): string
    {
        if (empty($html)) {
            return $html;
        }

        $html = '<?xml encoding="utf-8" ?><body>' . $html . '</body>';
        libxml_use_internal_errors(true);
        $doc = new DOMDocument();
        $doc->loadHTML($html, LIBXML_SCHEMA_CREATE);
        $xPath = new DOMXPath($doc);

        // Apply to scripts
        $scriptElems = $xPath->query('//script');
        static::addNonceAttributes($scriptElems, static::$placeholder);

        // Apply to styles
        $styleElems = $xPath->query('//style');
        static::addNonceAttributes($styleElems, static::$placeholder);

        $returnHtml = '';
        $topElems = $doc->documentElement->childNodes->item(0)->childNodes;
        foreach ($topElems as $child) {
            $content = $doc->saveHTML($child);
            $returnHtml .= $content;
        }

        return $returnHtml;
    }

    /**
     * Apply the give nonce value to the given prepared HTML.
     */
    public static function apply(string $html, string $nonce): string
    {
        return str_replace(static::$placeholder, $nonce, $html);
    }

    protected static function addNonceAttributes(DOMNodeList $nodes, string $attrValue): void
    {
        /** @var DOMElement $node */
        foreach ($nodes as $node) {
            $node->setAttribute('nonce', $attrValue);
        }
    }
}
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`<?php`

			`namespace BookStack\Util;`

			`use DOMDocument;`
			`use DOMElement;`
			`use DOMNodeList;`
			`use DOMXPath;`

			`class HtmlNonceApplicator`
			`{`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`protected static $placeholder = '[CSP_NONCE_VALUE]';`

Started application of CSP headers 2021-09-04 06:32:42 +08:00			`/**`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`* Prepare the given HTML content with nonce attributes including a placeholder`
			`* value which we can target later.`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`*/`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`public static function prepare(string $html): string`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`{`
			`if (empty($html)) {`
			`return $html;`
			`}`

Altered the parsing of custom head to prevent htmlentities on content Was causing things like emjoi within script content to be somewhat mangled. Instead we force UTF8 only parsing via XML declaration. Added test to cover. For #2923 2021-09-12 23:19:17 +08:00			`$html = '<?xml encoding="utf-8" ?><body>' . $html . '</body>';`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`libxml_use_internal_errors(true);`
			`$doc = new DOMDocument();`
Altered the parsing of custom head to prevent htmlentities on content Was causing things like emjoi within script content to be somewhat mangled. Instead we force UTF8 only parsing via XML declaration. Added test to cover. For #2923 2021-09-12 23:19:17 +08:00			`$doc->loadHTML($html, LIBXML_SCHEMA_CREATE);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`$xPath = new DOMXPath($doc);`

			`// Apply to scripts`
			`$scriptElems = $xPath->query('//script');`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`static::addNonceAttributes($scriptElems, static::$placeholder);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00
			`// Apply to styles`
			`$styleElems = $xPath->query('//style');`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`static::addNonceAttributes($styleElems, static::$placeholder);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00
			`$returnHtml = '';`
			`$topElems = $doc->documentElement->childNodes->item(0)->childNodes;`
			`foreach ($topElems as $child) {`
Applied latest styleci changes 2021-09-07 05:19:06 +08:00			`$content = $doc->saveHTML($child);`
Fixed issue with HTML tags in custom head scripts Fixes a strange issue of HTML tags within script tags being malformed when part of the HTML custom head content due to the PHP parsing we do. DOMDocument seemed to cause this upon load. Adding LIBXML_SCHEMA_CREATE to the ->loadHTML call seems to fix this but not really sure why. Doesn't seem to cause further issues though. Tested with multiple scripts and styles and comments and meta tags. - Also added new testing class to cover. - As part of testing, added new folder within tests to house setting specific tests. For #2914 2021-09-06 06:52:39 +08:00			`$returnHtml .= $content;`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`}`

			`return $returnHtml;`
			`}`

Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`/**`
			`* Apply the give nonce value to the given prepared HTML.`
			`*/`
			`public static function apply(string $html, string $nonce): string`
			`{`
			`return str_replace(static::$placeholder, $nonce, $html);`
			`}`

			`protected static function addNonceAttributes(DOMNodeList $nodes, string $attrValue): void`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`{`
			`/** @var DOMElement $node */`
			`foreach ($nodes as $node) {`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`$node->setAttribute('nonce', $attrValue);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`}`
			`}`
			`}`