SimplePie_Sanitize

Used for data cleanup and post-processing.

Defined (1)

The class is defined in the following location(s).

/wp-includes/SimplePie/Sanitize.php  
  1. class SimplePie_Sanitize 
  3.     // Private vars 
  4.     var $base; 
  5.  
  6.     // Options 
  7.     var $remove_div = true; 
  8.     var $image_handler = ''; 
  9.     var $strip_htmltags = array('base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'iframe', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'script', 'style'); 
  10.     var $encode_instead_of_strip = false; 
  11.     var $strip_attributes = array('bgsound', 'class', 'expr', 'id', 'style', 'onclick', 'onerror', 'onfinish', 'onmouseover', 'onmouseout', 'onfocus', 'onblur', 'lowsrc', 'dynsrc'); 
  12.     var $strip_comments = false; 
  13.     var $output_encoding = 'UTF-8'; 
  14.     var $enable_cache = true; 
  15.     var $cache_location = './cache'; 
  16.     var $cache_name_function = 'md5'; 
  17.     var $timeout = 10; 
  18.     var $useragent = ''; 
  19.     var $force_fsockopen = false; 
  20.     var $replace_url_attributes = null; 
  21.  
  22.     public function __construct() 
  24.         // Set defaults 
  25.         $this->set_url_replacements(null); 
  27.  
  28.     public function remove_div($enable = true) 
  30.         $this->remove_div = (bool) $enable; 
  32.  
  33.     public function set_image_handler($page = false) 
  35.         if ($page) 
  37.             $this->image_handler = (string) $page; 
  39.         else 
  41.             $this->image_handler = false; 
  44.  
  45.     public function set_registry(SimplePie_Registry $registry) 
  47.         $this->registry = $registry; 
  49.  
  50.     public function pass_cache_data($enable_cache = true, $cache_location = './cache', $cache_name_function = 'md5', $cache_class = 'SimplePie_Cache') 
  52.         if (isset($enable_cache)) 
  54.             $this->enable_cache = (bool) $enable_cache; 
  56.  
  57.         if ($cache_location) 
  59.             $this->cache_location = (string) $cache_location; 
  61.  
  62.         if ($cache_name_function) 
  64.             $this->cache_name_function = (string) $cache_name_function; 
  67.  
  68.     public function pass_file_data($file_class = 'SimplePie_File', $timeout = 10, $useragent = '', $force_fsockopen = false) 
  70.         if ($timeout) 
  72.             $this->timeout = (string) $timeout; 
  74.  
  75.         if ($useragent) 
  77.             $this->useragent = (string) $useragent; 
  79.  
  80.         if ($force_fsockopen) 
  82.             $this->force_fsockopen = (string) $force_fsockopen; 
  85.  
  86.     public function strip_htmltags($tags = array('base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'iframe', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'script', 'style')) 
  88.         if ($tags) 
  90.             if (is_array($tags)) 
  92.                 $this->strip_htmltags = $tags; 
  94.             else 
  96.                 $this->strip_htmltags = explode(', ', $tags); 
  99.         else 
  101.             $this->strip_htmltags = false; 
  104.  
  105.     public function encode_instead_of_strip($encode = false) 
  107.         $this->encode_instead_of_strip = (bool) $encode; 
  109.  
  110.     public function strip_attributes($attribs = array('bgsound', 'class', 'expr', 'id', 'style', 'onclick', 'onerror', 'onfinish', 'onmouseover', 'onmouseout', 'onfocus', 'onblur', 'lowsrc', 'dynsrc')) 
  112.         if ($attribs) 
  114.             if (is_array($attribs)) 
  116.                 $this->strip_attributes = $attribs; 
  118.             else 
  120.                 $this->strip_attributes = explode(', ', $attribs); 
  123.         else 
  125.             $this->strip_attributes = false; 
  128.  
  129.     public function strip_comments($strip = false) 
  131.         $this->strip_comments = (bool) $strip; 
  133.  
  134.     public function set_output_encoding($encoding = 'UTF-8') 
  136.         $this->output_encoding = (string) $encoding; 
  138.  
  139.     /** 
  140.      * Set element/attribute key/value pairs of HTML attributes 
  141.      * containing URLs that need to be resolved relative to the feed 
  143.      * Defaults to |a|@href, |area|@href, |blockquote|@cite, |del|@cite,  
  144.      * |form|@action, |img|@longdesc, |img|@src, |input|@src, |ins|@cite,  
  145.      * |q|@cite 
  147.      * @since 1.0 
  148.      * @param array|null $element_attribute Element/attribute key/value pairs, null for default 
  149.      */ 
  150.     public function set_url_replacements($element_attribute = null) 
  152.         if ($element_attribute === null) 
  154.             $element_attribute = array( 
  155.                 'a' => 'href',  
  156.                 'area' => 'href',  
  157.                 'blockquote' => 'cite',  
  158.                 'del' => 'cite',  
  159.                 'form' => 'action',  
  160.                 'img' => array( 
  161.                     'longdesc',  
  162.                     'src' 
  163.  ),  
  164.                 'input' => 'src',  
  165.                 'ins' => 'cite',  
  166.                 'q' => 'cite' 
  167.  ); 
  169.         $this->replace_url_attributes = (array) $element_attribute; 
  171.  
  172.     public function sanitize($data, $type, $base = '') 
  174.         $data = trim($data); 
  175.         if ($data !== '' || $type & SIMPLEPIE_CONSTRUCT_IRI) 
  177.             if ($type & SIMPLEPIE_CONSTRUCT_MAYBE_HTML) 
  179.                 if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>)/', $data)) 
  181.                     $type |= SIMPLEPIE_CONSTRUCT_HTML; 
  183.                 else 
  185.                     $type |= SIMPLEPIE_CONSTRUCT_TEXT; 
  188.  
  189.             if ($type & SIMPLEPIE_CONSTRUCT_BASE64) 
  191.                 $data = base64_decode($data); 
  193.  
  194.             if ($type & (SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML)) 
  196.  
  197.                 if (!class_exists('DOMDocument')) 
  199.                     $this->registry->call('Misc', 'error', array('DOMDocument not found, unable to use sanitizer', E_USER_WARNING, __FILE__, __LINE__)); 
  200.                     return ''; 
  202.                 $document = new DOMDocument(); 
  203.                 $document->encoding = 'UTF-8'; 
  204.                 $data = $this->preprocess($data, $type); 
  205.  
  206.                 set_error_handler(array('SimplePie_Misc', 'silence_errors')); 
  207.                 $document->loadHTML($data); 
  208.                 restore_error_handler(); 
  209.  
  210.                 // Strip comments 
  211.                 if ($this->strip_comments) 
  213.                     $xpath = new DOMXPath($document); 
  214.                     $comments = $xpath->query('//comment()'); 
  215.  
  216.                     foreach ($comments as $comment) 
  218.                         $comment->parentNode->removeChild($comment); 
  221.  
  222.                 // Strip out HTML tags and attributes that might cause various security problems. 
  223.                 // Based on recommendations by Mark Pilgrim at: 
  224.                 // http://diveintomark.org/archives/2003/06/12/how_to_consume_rss_safely 
  225.                 if ($this->strip_htmltags) 
  227.                     foreach ($this->strip_htmltags as $tag) 
  229.                         $this->strip_tag($tag, $document, $type); 
  232.  
  233.                 if ($this->strip_attributes) 
  235.                     foreach ($this->strip_attributes as $attrib) 
  237.                         $this->strip_attr($attrib, $document); 
  240.  
  241.                 // Replace relative URLs 
  242.                 $this->base = $base; 
  243.                 foreach ($this->replace_url_attributes as $element => $attributes) 
  245.                     $this->replace_urls($document, $element, $attributes); 
  247.  
  248.                 // If image handling (caching, etc.) is enabled, cache and rewrite all the image tags. 
  249.                 if (isset($this->image_handler) && ((string) $this->image_handler) !== '' && $this->enable_cache) 
  251.                     $images = $document->getElementsByTagName('img'); 
  252.                     foreach ($images as $img) 
  254.                         if ($img->hasAttribute('src')) 
  256.                             $image_url = call_user_func($this->cache_name_function, $img->getAttribute('src')); 
  257.                             $cache = $this->registry->call('Cache', 'get_handler', array($this->cache_location, $image_url, 'spi')); 
  258.  
  259.                             if ($cache->load()) 
  261.                                 $img->setAttribute('src', $this->image_handler . $image_url); 
  263.                             else 
  265.                                 $file = $this->registry->create('File', array($img->getAttribute('src'), $this->timeout, 5, array('X-FORWARDED-FOR' => $_SERVER['REMOTE_ADDR']), $this->useragent, $this->force_fsockopen)); 
  266.                                 $headers = $file->headers; 
  267.  
  268.                                 if ($file->success && ($file->method & SIMPLEPIE_FILE_SOURCE_REMOTE === 0 || ($file->status_code === 200 || $file->status_code > 206 && $file->status_code < 300))) 
  270.                                     if ($cache->save(array('headers' => $file->headers, 'body' => $file->body))) 
  272.                                         $img->setAttribute('src', $this->image_handler . $image_url); 
  274.                                     else 
  276.                                         trigger_error("$this->cache_location is not writeable. Make sure you've set the correct relative or absolute path, and that the location is server-writable.", E_USER_WARNING); 
  283.  
  284.                 // Remove the DOCTYPE 
  285.                 // Seems to cause segfaulting if we don't do this 
  286.                 if ($document->firstChild instanceof DOMDocumentType) 
  288.                     $document->removeChild($document->firstChild); 
  290.  
  291.                 // Move everything from the body to the root 
  292.                 $real_body = $document->getElementsByTagName('body')->item(0)->childNodes->item(0); 
  293.                 $document->replaceChild($real_body, $document->firstChild); 
  294.  
  295.                 // Finally, convert to a HTML string 
  296.                 $data = trim($document->saveHTML()); 
  297.  
  298.                 if ($this->remove_div) 
  300.                     $data = preg_replace('/^<div' . SIMPLEPIE_PCRE_XML_ATTRIBUTE . '>/', '', $data); 
  301.                     $data = preg_replace('/<\/div>$/', '', $data); 
  303.                 else 
  305.                     $data = preg_replace('/^<div' . SIMPLEPIE_PCRE_XML_ATTRIBUTE . '>/', '<div>', $data); 
  308.  
  309.             if ($type & SIMPLEPIE_CONSTRUCT_IRI) 
  311.                 $absolute = $this->registry->call('Misc', 'absolutize_url', array($data, $base)); 
  312.                 if ($absolute !== false) 
  314.                     $data = $absolute; 
  317.  
  318.             if ($type & (SIMPLEPIE_CONSTRUCT_TEXT | SIMPLEPIE_CONSTRUCT_IRI)) 
  320.                 $data = htmlspecialchars($data, ENT_COMPAT, 'UTF-8'); 
  322.  
  323.             if ($this->output_encoding !== 'UTF-8') 
  325.                 $data = $this->registry->call('Misc', 'change_encoding', array($data, 'UTF-8', $this->output_encoding)); 
  328.         return $data; 
  330.  
  331.     protected function preprocess($html, $type) 
  333.         $ret = ''; 
  334.         if ($type & ~SIMPLEPIE_CONSTRUCT_XHTML) 
  336.             // Atom XHTML constructs are wrapped with a div by default 
  337.             // Note: No protection if $html contains a stray </div>! 
  338.             $html = '<div>' . $html . '</div>'; 
  339.             $ret .= '<!DOCTYPE html>'; 
  340.             $content_type = 'text/html'; 
  342.         else 
  344.             $ret .= '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'; 
  345.             $content_type = 'application/xhtml+xml'; 
  347.  
  348.         $ret .= '<html><head>'; 
  349.         $ret .= '<meta http-equiv="Content-Type" content="' . $content_type . '; charset=utf-8" />'; 
  350.         $ret .= '</head><body>' . $html . '</body></html>'; 
  351.         return $ret; 
  353.  
  354.     public function replace_urls($document, $tag, $attributes) 
  356.         if (!is_array($attributes)) 
  358.             $attributes = array($attributes); 
  360.  
  361.         if (!is_array($this->strip_htmltags) || !in_array($tag, $this->strip_htmltags)) 
  363.             $elements = $document->getElementsByTagName($tag); 
  364.             foreach ($elements as $element) 
  366.                 foreach ($attributes as $attribute) 
  368.                     if ($element->hasAttribute($attribute)) 
  370.                         $value = $this->registry->call('Misc', 'absolutize_url', array($element->getAttribute($attribute), $this->base)); 
  371.                         if ($value !== false) 
  373.                             $element->setAttribute($attribute, $value); 
  380.  
  381.     public function do_strip_htmltags($match) 
  383.         if ($this->encode_instead_of_strip) 
  385.             if (isset($match[4]) && !in_array(strtolower($match[1]), array('script', 'style'))) 
  387.                 $match[1] = htmlspecialchars($match[1], ENT_COMPAT, 'UTF-8'); 
  388.                 $match[2] = htmlspecialchars($match[2], ENT_COMPAT, 'UTF-8'); 
  389.                 return "<$match[1]$match[2]>$match[3]</$match[1]>"; 
  391.             else 
  393.                 return htmlspecialchars($match[0], ENT_COMPAT, 'UTF-8'); 
  396.         elseif (isset($match[4]) && !in_array(strtolower($match[1]), array('script', 'style'))) 
  398.             return $match[4]; 
  400.         else 
  402.             return ''; 
  405.  
  406.     protected function strip_tag($tag, $document, $type) 
  408.         $xpath = new DOMXPath($document); 
  409.         $elements = $xpath->query('body//' . $tag); 
  410.         if ($this->encode_instead_of_strip) 
  412.             foreach ($elements as $element) 
  414.                 $fragment = $document->createDocumentFragment(); 
  415.  
  416.                 // For elements which aren't script or style, include the tag itself 
  417.                 if (!in_array($tag, array('script', 'style'))) 
  419.                     $text = '<' . $tag; 
  420.                     if ($element->hasAttributes()) 
  422.                         $attrs = array(); 
  423.                         foreach ($element->attributes as $name => $attr) 
  425.                             $value = $attr->value; 
  426.  
  427.                             // In XHTML, empty values should never exist, so we repeat the value 
  428.                             if (empty($value) && ($type & SIMPLEPIE_CONSTRUCT_XHTML)) 
  430.                                 $value = $name; 
  432.                             // For HTML, empty is fine 
  433.                             elseif (empty($value) && ($type & SIMPLEPIE_CONSTRUCT_HTML)) 
  435.                                 $attrs[] = $name; 
  436.                                 continue; 
  438.  
  439.                             // Standard attribute text 
  440.                             $attrs[] = $name . '="' . $attr->value . '"'; 
  442.                         $text .= ' ' . implode(' ', $attrs); 
  444.                     $text .= '>'; 
  445.                     $fragment->appendChild(new DOMText($text)); 
  447.  
  448.                 $number = $element->childNodes->length; 
  449.                 for ($i = $number; $i > 0; $i--) 
  451.                     $child = $element->childNodes->item(0); 
  452.                     $fragment->appendChild($child); 
  454.  
  455.                 if (!in_array($tag, array('script', 'style'))) 
  457.                     $fragment->appendChild(new DOMText('</' . $tag . '>')); 
  459.  
  460.                 $element->parentNode->replaceChild($fragment, $element); 
  462.  
  463.             return; 
  465.         elseif (in_array($tag, array('script', 'style'))) 
  467.             foreach ($elements as $element) 
  469.                 $element->parentNode->removeChild($element); 
  471.  
  472.             return; 
  474.         else 
  476.             foreach ($elements as $element) 
  478.                 $fragment = $document->createDocumentFragment(); 
  479.                 $number = $element->childNodes->length; 
  480.                 for ($i = $number; $i > 0; $i--) 
  482.                     $child = $element->childNodes->item(0); 
  483.                     $fragment->appendChild($child); 
  485.  
  486.                 $element->parentNode->replaceChild($fragment, $element); 
  490.  
  491.     protected function strip_attr($attrib, $document) 
  493.         $xpath = new DOMXPath($document); 
  494.         $elements = $xpath->query('//*[@' . $attrib . ']'); 
  495.  
  496.         foreach ($elements as $element) 
  498.             $element->removeAttribute($attrib);