<?php
namespace Kirby\Sane;
/**
 * Sane handler for HTML files
 *
 * Declares the allow-lists (tags, attributes, attribute prefixes,
 * URL-carrying attributes) that the shared DomHandler applies
 * when sanitizing HTML input.
 *
 * @since 3.5.8
 *
 * @package   Kirby Sane
 * @author    Bastian Allgeier <bastian@getkirby.com>,
 *            Lukas Bestle <lukas@getkirby.com>
 * @link      https://getkirby.com
 * @copyright Bastian Allgeier
 * @license   https://opensource.org/licenses/MIT
 */
class Html extends DomHandler
{
    /**
     * Global list of allowed attribute prefixes
     *
     * Any attribute whose name starts with one of these prefixes
     * (`aria-*`, `data-*`) is kept on every allowed tag, in addition
     * to the per-tag attribute lists below. Matching is presumably
     * done by DomHandler — this class only supplies the list.
     *
     * NOTE(review): these properties are public, static and mutable;
     * changing them affects every sanitization in the process, not
     * just one call site.
     *
     * @var array
     */
    public static $allowedAttrPrefixes = [
        'aria-',
        'data-',
    ];

    /**
     * Global list of allowed attributes
     *
     * Applied to every tag whose entry in `$allowedTags` is `true`.
     *
     * NOTE(review): allowing `id` on arbitrary elements lets sanitized
     * markup define element ids that can shadow `window`/`document`
     * properties (DOM clobbering) on the page that embeds the output.
     * Whether that matters depends on where the result is rendered;
     * nothing in this file mitigates it.
     *
     * @var array
     */
    public static $allowedAttrs = [
        'class',
        'id',
    ];

    /**
     * Allowed hostnames for HTTP(S) URLs
     *
     * The default `true` is not a hostname list: it presumably turns
     * the host restriction off, so links to any host pass (confirm
     * against DomHandler). An array value is expected to be a list
     * of allowed hostnames. The docblock type is `array|true`, not
     * plain `array`, to match the default actually set here.
     *
     * @var array|true
     */
    public static $allowedDomains = true;

    /**
     * Associative array of all allowed tag names with the value
     * of either an array with the list of all allowed attributes
     * for this tag, `true` to allow any attribute from the
     * `allowedAttrs` list or `false` to allow the tag without
     * any attributes
     *
     * This is an allow-list: tags not named here (e.g. `img`, `svg`,
     * `form`, `input`, `button`, `link`, `base`) are presumably
     * dropped by DomHandler rather than passed through.
     *
     * NOTE(review): `a` keeps `href`, `rel` and `target` as supplied.
     * `href` is listed in `$urlAttrs`, so it is expected to go through
     * the URL checks in DomHandler (scheme validation such as
     * rejecting `javascript:` is not visible in this file — confirm
     * there). Nothing here forces `rel="noopener"` when `target` is
     * present; that is left to the caller or the parent handler.
     *
     * @var array
     */
    public static $allowedTags = [
        'a'          => ['href', 'rel', 'title', 'target'],
        'abbr'       => ['title'],
        'b'          => true,
        'body'       => true,
        'blockquote' => true,
        'br'         => true,
        'code'       => true,
        'dl'         => true,
        'dd'         => true,
        'del'        => true,
        'div'        => true,
        'dt'         => true,
        'em'         => true,
        'footer'     => true,
        'h1'         => true,
        'h2'         => true,
        'h3'         => true,
        'h4'         => true,
        'h5'         => true,
        'h6'         => true,
        'hr'         => true,
        'html'       => true,
        'i'          => true,
        'ins'        => true,
        'li'         => true,
        'small'      => true,
        'span'       => true,
        'strong'     => true,
        'sub'        => true,
        'sup'        => true,
        'ol'         => true,
        'p'          => true,
        'pre'        => true,
        's'          => true,
        'u'          => true,
        'ul'         => true,
    ];

    /**
     * Array of explicitly disallowed tags
     *
     * IMPORTANT: Use lower-case names here because
     * of the case-insensitive matching
     *
     * Because `$allowedTags` is already an allow-list, these entries
     * act as a hard block that presumably wins even if a subclass or
     * runtime configuration adds one of these names to `$allowedTags`
     * (confirm precedence in DomHandler). All five are active-content
     * or document-control elements (script execution, external
     * embedding, CSS, meta refresh/CSP).
     *
     * @var array
     */
    public static $disallowedTags = [
        'iframe',
        'meta',
        'object',
        'script',
        'style',
    ];

    /**
     * List of attributes that may contain URLs
     *
     * Attributes named here are expected to receive URL validation
     * (and the `$allowedDomains` check) in DomHandler. Note that no
     * entry in `$allowedTags` above permits `src` or `xlink:href`
     * (the `true` entries resolve to `$allowedAttrs`, which holds only
     * `class` and `id`), so those two only take effect if the tag
     * allow-list is extended — they are listed defensively.
     *
     * @var array
     */
    public static $urlAttrs = [
        'href',
        'src',
        'xlink:href',
    ];

    /**
     * The document type (`'HTML'` or `'XML'`)
     *
     * Presumably selects the parsing mode used by DomHandler;
     * this handler always parses as HTML.
     *
     * @var string
     */
    protected static $type = 'HTML';

    /**
     * Returns the sanitization options for the handler
     *
     * Merges the HTML-specific allow-lists over the parent's options;
     * with `array_merge`, a string key given here overrides the same
     * key from `parent::options()`. `allowedNamespaces` and
     * `allowedPIs` are deliberately empty: no XML namespaces and no
     * processing instructions are permitted in HTML input. The lists
     * are read via `static::`, so subclasses that override the
     * properties are honored (late static binding).
     *
     * @return array
     */
    protected static function options(): array
    {
        return array_merge(parent::options(), [
            'allowedAttrPrefixes' => static::$allowedAttrPrefixes,
            'allowedAttrs'        => static::$allowedAttrs,
            'allowedNamespaces'   => [],
            'allowedPIs'          => [],
            'allowedTags'         => static::$allowedTags,
            'disallowedTags'      => static::$disallowedTags,
            'urlAttrs'            => static::$urlAttrs,
        ]);
    }
}