starred/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-05-04 18:08:46 +03:00
Code Issues 784 Packages Projects Releases 15 Wiki Activity
Files
ec0b0384a20f10a5ec44197a3fd5ca8f9fc543aa
BookStack/app/Util/HtmlDescriptionFilter.php
Dan Brown 18364d1e6e WYSIWYG: Added inline code support to minimal editor 
Used for comments and descriptions.
Also updated shortcut handling that we're not registering shortcuts for
edits which can't use the related formatting types.

For #6003
2026-04-16 11:11:06 +01:00

81 lines
2.1 KiB
PHP
Raw Blame History

<?php
namespace BookStack\Util;
use DOMAttr;
use DOMElement;
use DOMNode;
/**
* Filter to ensure HTML input for description content remains simple and
* to a limited allow-list of elements and attributes.
* More for consistency and to prevent nuisance rather than for security
* (which would be done via a separate content filter and CSP).
*/
class HtmlDescriptionFilter
{
/**
* @var array<string, string[]>
*/
protected static array $allowedAttrsByElements = [
'p' => [],
'a' => ['href', 'title', 'target', 'data-mention-user-id'],
'ol' => [],
'ul' => [],
'li' => [],
'strong' => [],
'span' => [],
'em' => [],
'br' => [],
'code' => [],
];
public static function filterFromString(string $html): string
{
if (empty(trim($html))) {
return '';
}
$doc = new HtmlDocument($html);
$topLevel = [...$doc->getBodyChildren()];
foreach ($topLevel as $child) {
/** @var DOMNode $child */
if ($child instanceof DOMElement) {
static::filterElement($child);
} else {
$child->parentNode->removeChild($child);
}
}
return $doc->getBodyInnerHtml();
}
protected static function filterElement(DOMElement $element): void
{
$elType = strtolower($element->tagName);
$allowedAttrs = static::$allowedAttrsByElements[$elType] ?? null;
if (is_null($allowedAttrs)) {
$element->remove();
return;
}
$attrs = $element->attributes;
for ($i = $attrs->length - 1; $i >= 0; $i--) {
/** @var DOMAttr $attr */
$attr = $attrs->item($i);
$name = strtolower($attr->name);
if (!in_array($name, $allowedAttrs)) {
$element->removeAttribute($attr->name);
}
}
$childNodes = [...$element->childNodes];
foreach ($childNodes as $child) {
if ($child instanceof DOMElement) {
static::filterElement($child);
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink