Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
LBP
/
FressRSS
zrkadlo https://github.com/FreshRSS/FreshRSS.git
4
0
Fork 0
Súbory Issues 0 Wiki
Strom: 8b73573a32
Branche Tagy
FressRSS
/
lib
/
simplepie
/
simplepie
/
src
/
Sanitize.php

Sanitize.php 27 KB
História Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787 
  1. <?php
    2. 

  2. 

  3. // SPDX-FileCopyrightText: 2004-2023 Ryan Parman, Sam Sneddon, Ryan McCue
    4. 

  4. // SPDX-License-Identifier: BSD-3-Clause
    5. 

  5. 

  6. declare(strict_types=1);
    7. 

  7. 

  8. namespace SimplePie;
    9. 

  9. 

  10. use DOMDocument;
    11. 

  11. use DOMXPath;
    12. 

  12. use InvalidArgumentException;
    13. 

  13. use Psr\Http\Client\ClientInterface;
    14. 

  14. use Psr\Http\Message\RequestFactoryInterface;
    15. 

  15. use Psr\Http\Message\UriFactoryInterface;
    16. 

  16. use SimplePie\Cache\Base;
    17. 

  17. use SimplePie\Cache\BaseDataCache;
    18. 

  18. use SimplePie\Cache\CallableNameFilter;
    19. 

  19. use SimplePie\Cache\DataCache;
    20. 

  20. use SimplePie\Cache\NameFilter;
    21. 

  21. use SimplePie\HTTP\Client;
    22. 

  22. use SimplePie\HTTP\ClientException;
    23. 

  23. use SimplePie\HTTP\FileClient;
    24. 

  24. use SimplePie\HTTP\Psr18Client;
    25. 

  25. 

  26. /**
    27. 

  27.  * Used for data cleanup and post-processing
    28. 

  28.  *
    29. 

  29.  *
    30. 

  30.  * This class can be overloaded with {@see \SimplePie\SimplePie::set_sanitize_class()}
    31. 

  31.  *
    32. 

  32.  * @todo Move to using an actual HTML parser (this will allow tags to be properly stripped, and to switch between HTML and XHTML), this will also make it easier to shorten a string while preserving HTML tags
    33. 

  33.  */
    34. 

  34. class Sanitize implements RegistryAware
    35. 

  35. {
    36. 

  36.     // Private vars
    37. 

  37.     /** @var string */
    38. 

  38.     public $base = '';
    39. 

  39. 

  40.     // Options
    41. 

  41.     /** @var bool */
    42. 

  42.     public $remove_div = true;
    43. 

  43.     /** @var string */
    44. 

  44.     public $image_handler = '';
    45. 

  45.     /** @var string[] */
    46. 

  46.     public $strip_htmltags = ['base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'iframe', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'script', 'style'];
    47. 

  47.     /** @var bool */
    48. 

  48.     public $encode_instead_of_strip = false;
    49. 

  49.     /** @var string[] */
    50. 

  50.     public $strip_attributes = ['bgsound', 'expr', 'id', 'style', 'onclick', 'onerror', 'onfinish', 'onmouseover', 'onmouseout', 'onfocus', 'onblur', 'lowsrc', 'dynsrc'];
    51. 

  51.     /** @var string[] */
    52. 

  52.     public $rename_attributes = [];
    53. 

  53.     /** @var array<string, array<string, string>> */
    54. 

  54.     public $add_attributes = ['audio' => ['preload' => 'none'], 'iframe' => ['sandbox' => 'allow-scripts allow-same-origin'], 'video' => ['preload' => 'none']];
    55. 

  55.     /** @var bool */
    56. 

  56.     public $strip_comments = false;
    57. 

  57.     /** @var string */
    58. 

  58.     public $output_encoding = 'UTF-8';
    59. 

  59.     /** @var bool */
    60. 

  60.     public $enable_cache = true;
    61. 

  61.     /** @var string */
    62. 

  62.     public $cache_location = './cache';
    63. 

  63.     /** @var string */
    64. 

  64.     public $cache_name_function = 'md5';
    65. 

  65. 

  66.     /**
    67. 

  67.      * @var NameFilter
    68. 

  68.      */
    69. 

  69.     private $cache_namefilter;
    70. 

  70.     /** @var int */
    71. 

  71.     public $timeout = 10;
    72. 

  72.     /** @var string */
    73. 

  73.     public $useragent = '';
    74. 

  74.     /** @var bool */
    75. 

  75.     public $force_fsockopen = false;
    76. 

  76.     /** @var array<string, string|string[]> */
    77. 

  77.     public $replace_url_attributes = [];
    78. 

  78.     /**
    79. 

  79.      * @var array<int, mixed> Custom curl options
    80. 

  80.      * @see SimplePie::set_curl_options()
    81. 

  81.      */
    82. 

  82.     private $curl_options = [];
    83. 

  83. 

  84.     /** @var Registry */
    85. 

  85.     public $registry;
    86. 

  86. 

  87.     /**
    88. 

  88.      * @var DataCache|null
    89. 

  89.      */
    90. 

  90.     private $cache = null;
    91. 

  91. 

  92.     /**
    93. 

  93.      * @var int Cache duration (in seconds)
    94. 

  94.      */
    95. 

  95.     private $cache_duration = 3600;
    96. 

  96. 

  97.     /**
    98. 

  98.      * List of domains for which to force HTTPS.
    99. 

  99.      * @see \SimplePie\Sanitize::set_https_domains()
    100. 

  100.      * Array is a tree split at DNS levels. Example:
    101. 

  101.      * array('biz' => true, 'com' => array('example' => true), 'net' => array('example' => array('www' => true)))
    102. 

  102.      * @var true|array<string, true|array<string, true|array<string, array<string, true|array<string, true|array<string, true>>>>>>
    103. 

  103.      */
    104. 

  104.     public $https_domains = [];
    105. 

  105. 

  106.     /**
    107. 

  107.      * @var Client|null
    108. 

  108.      */
    109. 

  109.     private $http_client = null;
    110. 

  110. 

  111.     public function __construct()
    112. 

  112.     {
    113. 

  113.         // Set defaults
    114. 

  114.         $this->set_url_replacements(null);
    115. 

  115.     }
    116. 

  116. 

  117.     /**
    118. 

  118.      * @return void
    119. 

  119.      */
    120. 

  120.     public function remove_div(bool $enable = true)
    121. 

  121.     {
    122. 

  122.         $this->remove_div = (bool) $enable;
    123. 

  123.     }
    124. 

  124. 

  125.     /**
    126. 

  126.      * @param string|false $page
    127. 

  127.      * @return void
    128. 

  128.      */
    129. 

  129.     public function set_image_handler($page = false)
    130. 

  130.     {
    131. 

  131.         if ($page) {
    132. 

  132.             $this->image_handler = (string) $page;
    133. 

  133.         } else {
    134. 

  134.             $this->image_handler = '';
    135. 

  135.         }
    136. 

  136.     }
    137. 

  137. 

  138.     /**
    139. 

  139.      * @return void
    140. 

  140.      */
    141. 

  141.     public function set_registry(\SimplePie\Registry $registry)
    142. 

  142.     {
    143. 

  143.         $this->registry = $registry;
    144. 

  144.     }
    145. 

  145. 

  146.     /**
    147. 

  147.      * @param string|NameFilter $cache_name_function
    148. 

  148.      * @param class-string<Cache> $cache_class
    149. 

  149.      * @return void
    150. 

  150.      */
    151. 

  151.     public function pass_cache_data(bool $enable_cache = true, string $cache_location = './cache', $cache_name_function = 'md5', string $cache_class = Cache::class, ?DataCache $cache = null)
    152. 

  152.     {
    153. 

  153.         $this->enable_cache = $enable_cache;
    154. 

  154. 

  155.         if ($cache_location) {
    156. 

  156.             $this->cache_location = $cache_location;
    157. 

  157.         }
    158. 

  158. 

  159.         // @phpstan-ignore-next-line Enforce PHPDoc type.
    160. 

  160.         if (!is_string($cache_name_function) && !$cache_name_function instanceof NameFilter) {
    161. 

  161.             throw new InvalidArgumentException(sprintf(
    162. 

  162.                 '%s(): Argument #3 ($cache_name_function) must be of type %s',
    163. 

  163.                 __METHOD__,
    164. 

  164.                 NameFilter::class
    165. 

  165.             ), 1);
    166. 

  166.         }
    167. 

  167. 

  168.         // BC: $cache_name_function could be a callable as string
    169. 

  169.         if (is_string($cache_name_function)) {
    170. 

  170.             // trigger_error(sprintf('Providing $cache_name_function as string in "%s()" is deprecated since SimplePie 1.8.0, provide as "%s" instead.', __METHOD__, NameFilter::class), \E_USER_DEPRECATED);
    171. 

  171.             $this->cache_name_function = (string) $cache_name_function;
    172. 

  172. 

  173.             $cache_name_function = new CallableNameFilter($cache_name_function);
    174. 

  174.         }
    175. 

  175. 

  176.         $this->cache_namefilter = $cache_name_function;
    177. 

  177. 

  178.         if ($cache !== null) {
    179. 

  179.             $this->cache = $cache;
    180. 

  180.         }
    181. 

  181.     }
    182. 

  182. 

  183.     /**
    184. 

  184.      * Set a PSR-18 client and PSR-17 factories
    185. 

  185.      *
    186. 

  186.      * Allows you to use your own HTTP client implementations.
    187. 

  187.      */
    188. 

  188.     final public function set_http_client(
    189. 

  189.         ClientInterface $http_client,
    190. 

  190.         RequestFactoryInterface $request_factory,
    191. 

  191.         UriFactoryInterface $uri_factory
    192. 

  192.     ): void {
    193. 

  193.         $this->http_client = new Psr18Client($http_client, $request_factory, $uri_factory);
    194. 

  194.     }
    195. 

  195. 

  196.     /**
    197. 

  197.      * @deprecated since SimplePie 1.9.0, use \SimplePie\Sanitize::set_http_client() instead.
    198. 

  198.      * @param class-string<File> $file_class
    199. 

  199.      * @param array<int, mixed> $curl_options
    200. 

  200.      * @return void
    201. 

  201.      */
    202. 

  202.     public function pass_file_data(string $file_class = File::class, int $timeout = 10, string $useragent = '', bool $force_fsockopen = false, array $curl_options = [])
    203. 

  203.     {
    204. 

  204.         // trigger_error(sprintf('SimplePie\Sanitize::pass_file_data() is deprecated since SimplePie 1.9.0, please use "SimplePie\Sanitize::set_http_client()" instead.'), \E_USER_DEPRECATED);
    205. 

  205.         if ($timeout) {
    206. 

  206.             $this->timeout = $timeout;
    207. 

  207.         }
    208. 

  208. 

  209.         if ($useragent) {
    210. 

  210.             $this->useragent = $useragent;
    211. 

  211.         }
    212. 

  212. 

  213.         if ($force_fsockopen) {
    214. 

  214.             $this->force_fsockopen = $force_fsockopen;
    215. 

  215.         }
    216. 

  216. 

  217.         $this->curl_options = $curl_options;
    218. 

  218.         // Invalidate the registered client.
    219. 

  219.         $this->http_client = null;
    220. 

  220.     }
    221. 

  221. 

  222.     /**
    223. 

  223.      * @param string[]|string $tags
    224. 

  224.      * @return void
    225. 

  225.      */
    226. 

  226.     public function strip_htmltags($tags = ['base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'iframe', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'script', 'style'])
    227. 

  227.     {
    228. 

  228.         if ($tags) {
    229. 

  229.             if (is_array($tags)) {
    230. 

  230.                 $this->strip_htmltags = $tags;
    231. 

  231.             } else {
    232. 

  232.                 $this->strip_htmltags = explode(',', $tags);
    233. 

  233.             }
    234. 

  234.         } else {
    235. 

  235.             $this->strip_htmltags = [];
    236. 

  236.         }
    237. 

  237.     }
    238. 

  238. 

  239.     /**
    240. 

  240.      * @return void
    241. 

  241.      */
    242. 

  242.     public function encode_instead_of_strip(bool $encode = false)
    243. 

  243.     {
    244. 

  244.         $this->encode_instead_of_strip = $encode;
    245. 

  245.     }
    246. 

  246. 

  247.     /**
    248. 

  248.      * @param string[]|string $attribs
    249. 

  249.      * @return void
    250. 

  250.      */
    251. 

  251.     public function rename_attributes($attribs = [])
    252. 

  252.     {
    253. 

  253.         if ($attribs) {
    254. 

  254.             if (is_array($attribs)) {
    255. 

  255.                 $this->rename_attributes = $attribs;
    256. 

  256.             } else {
    257. 

  257.                 $this->rename_attributes = explode(',', $attribs);
    258. 

  258.             }
    259. 

  259.         } else {
    260. 

  260.             $this->rename_attributes = [];
    261. 

  261.         }
    262. 

  262.     }
    263. 

  263. 

  264.     /**
    265. 

  265.      * @param string[]|string $attribs
    266. 

  266.      * @return void
    267. 

  267.      */
    268. 

  268.     public function strip_attributes($attribs = ['bgsound', 'expr', 'id', 'style', 'onclick', 'onerror', 'onfinish', 'onmouseover', 'onmouseout', 'onfocus', 'onblur', 'lowsrc', 'dynsrc'])
    269. 

  269.     {
    270. 

  270.         if ($attribs) {
    271. 

  271.             if (is_array($attribs)) {
    272. 

  272.                 $this->strip_attributes = $attribs;
    273. 

  273.             } else {
    274. 

  274.                 $this->strip_attributes = explode(',', $attribs);
    275. 

  275.             }
    276. 

  276.         } else {
    277. 

  277.             $this->strip_attributes = [];
    278. 

  278.         }
    279. 

  279.     }
    280. 

  280. 

  281.     /**
    282. 

  282.      * @param array<string, array<string, string>> $attribs
    283. 

  283.      * @return void
    284. 

  284.      */
    285. 

  285.     public function add_attributes(array $attribs = ['audio' => ['preload' => 'none'], 'iframe' => ['sandbox' => 'allow-scripts allow-same-origin'], 'video' => ['preload' => 'none']])
    286. 

  286.     {
    287. 

  287.         $this->add_attributes = $attribs;
    288. 

  288.     }
    289. 

  289. 

  290.     /**
    291. 

  291.      * @return void
    292. 

  292.      */
    293. 

  293.     public function strip_comments(bool $strip = false)
    294. 

  294.     {
    295. 

  295.         $this->strip_comments = $strip;
    296. 

  296.     }
    297. 

  297. 

  298.     /**
    299. 

  299.      * @return void
    300. 

  300.      */
    301. 

  301.     public function set_output_encoding(string $encoding = 'UTF-8')
    302. 

  302.     {
    303. 

  303.         $this->output_encoding = $encoding;
    304. 

  304.     }
    305. 

  305. 

  306.     /**
    307. 

  307.      * Set element/attribute key/value pairs of HTML attributes
    308. 

  308.      * containing URLs that need to be resolved relative to the feed
    309. 

  309.      *
    310. 

  310.      * Defaults to |a|@href, |area|@href, |audio|@src, |blockquote|@cite,
    311. 

  311.      * |del|@cite, |form|@action, |img|@longdesc, |img|@src, |input|@src,
    312. 

  312.      * |ins|@cite, |q|@cite, |source|@src, |video|@src
    313. 

  313.      *
    314. 

  314.      * @since 1.0
    315. 

  315.      * @param array<string, string|string[]>|null $element_attribute Element/attribute key/value pairs, null for default
    316. 

  316.      * @return void
    317. 

  317.      */
    318. 

  318.     public function set_url_replacements(?array $element_attribute = null)
    319. 

  319.     {
    320. 

  320.         if ($element_attribute === null) {
    321. 

  321.             $element_attribute = [
    322. 

  322.                 'a' => 'href',
    323. 

  323.                 'area' => 'href',
    324. 

  324.                 'audio' => 'src',
    325. 

  325.                 'blockquote' => 'cite',
    326. 

  326.                 'del' => 'cite',
    327. 

  327.                 'form' => 'action',
    328. 

  328.                 'img' => [
    329. 

  329.                     'longdesc',
    330. 

  330.                     'src'
    331. 

  331.                 ],
    332. 

  332.                 'input' => 'src',
    333. 

  333.                 'ins' => 'cite',
    334. 

  334.                 'q' => 'cite',
    335. 

  335.                 'source' => 'src',
    336. 

  336.                 'video' => [
    337. 

  337.                     'poster',
    338. 

  338.                     'src'
    339. 

  339.                 ]
    340. 

  340.             ];
    341. 

  341.         }
    342. 

  342.         $this->replace_url_attributes = $element_attribute;
    343. 

  343.     }
    344. 

  344. 

  345.     /**
    346. 

  346.      * Set the list of domains for which to force HTTPS.
    347. 

  347.      * @see \SimplePie\Misc::https_url()
    348. 

  348.      * Example array('biz', 'example.com', 'example.org', 'www.example.net');
    349. 

  349.      *
    350. 

  350.      * @param string[] $domains list of domain names ['biz', 'example.com', 'example.org', 'www.example.net']
    351. 

  351.      *
    352. 

  352.      * @return void
    353. 

  353.      */
    354. 

  354.     public function set_https_domains(array $domains)
    355. 

  355.     {
    356. 

  356.         $this->https_domains = [];
    357. 

  357.         foreach ($domains as $domain) {
    358. 

  358.             $domain = trim($domain, ". \t\n\r\0\x0B");
    359. 

  359.             $segments = array_reverse(explode('.', $domain));
    360. 

  360.             /** @var true|array<string, true|array<string, true|array<string, array<string, true|array<string, true|array<string, true>>>>>> */ // Needed for PHPStan.
    361. 

  361.             $node = &$this->https_domains;
    362. 

  362.             foreach ($segments as $segment) {//Build a tree
    363. 

  363.                 if ($node === true) {
    364. 

  364.                     break;
    365. 

  365.                 }
    366. 

  366.                 if (!isset($node[$segment])) {
    367. 

  367.                     $node[$segment] = [];
    368. 

  368.                 }
    369. 

  369.                 $node = &$node[$segment];
    370. 

  370.             }
    371. 

  371.             $node = true;
    372. 

  372.         }
    373. 

  373.     }
    374. 

  374. 

  375.     /**
    376. 

  376.      * Check if the domain is in the list of forced HTTPS.
    377. 

  377.      *
    378. 

  378.      * @return bool
    379. 

  379.      */
    380. 

  380.     protected function is_https_domain(string $domain)
    381. 

  381.     {
    382. 

  382.         $domain = trim($domain, '. ');
    383. 

  383.         $segments = array_reverse(explode('.', $domain));
    384. 

  384.         $node = &$this->https_domains;
    385. 

  385.         foreach ($segments as $segment) {//Explore the tree
    386. 

  386.             if (isset($node[$segment])) {
    387. 

  387.                 $node = &$node[$segment];
    388. 

  388.             } else {
    389. 

  389.                 break;
    390. 

  390.             }
    391. 

  391.         }
    392. 

  392.         return $node === true;
    393. 

  393.     }
    394. 

  394. 

  395.     /**
    396. 

  396.      * Force HTTPS for selected Web sites.
    397. 

  397.      *
    398. 

  398.      * @return string
    399. 

  399.      */
    400. 

  400.     public function https_url(string $url)
    401. 

  401.     {
    402. 

  402.         return (
    403. 

  403.             strtolower(substr($url, 0, 7)) === 'http://'
    404. 

  404.             && ($parsed = parse_url($url, PHP_URL_HOST)) !== false // Malformed URL
    405. 

  405.             && $parsed !== null // Missing host
    406. 

  406.             && $this->is_https_domain($parsed) // Should be forced?
    407. 

  407.         ) ? substr_replace($url, 's', 4, 0) // Add the 's' to HTTPS
    408. 

  408.         : $url;
    409. 

  409.     }
    410. 

  410. 

  411.     /**
    412. 

  412.      * @param int-mask-of<SimplePie::CONSTRUCT_*> $type
    413. 

  413.      * @param string $base
    414. 

  414.      * @return string|bool|string[]
    415. 

  415.      */
    416. 

  416.     public function sanitize(string $data, int $type, string $base = '')
    417. 

  417.     {
    418. 

  418.         $data = trim($data);
    419. 

  419.         if ($data !== '' || $type & \SimplePie\SimplePie::CONSTRUCT_IRI) {
    420. 

  420.             if ($type & \SimplePie\SimplePie::CONSTRUCT_MAYBE_HTML) {
    421. 

  421.                 if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . \SimplePie\SimplePie::PCRE_HTML_ATTRIBUTE . '>)/', $data)) {
    422. 

  422.                     $type |= \SimplePie\SimplePie::CONSTRUCT_HTML;
    423. 

  423.                 } else {
    424. 

  424.                     $type |= \SimplePie\SimplePie::CONSTRUCT_TEXT;
    425. 

  425.                 }
    426. 

  426.             }
    427. 

  427. 

  428.             if ($type & \SimplePie\SimplePie::CONSTRUCT_BASE64) {
    429. 

  429.                 $data = base64_decode($data);
    430. 

  430.             }
    431. 

  431. 

  432.             if ($type & (\SimplePie\SimplePie::CONSTRUCT_HTML | \SimplePie\SimplePie::CONSTRUCT_XHTML)) {
    433. 

  433.                 if (!class_exists('DOMDocument')) {
    434. 

  434.                     throw new \SimplePie\Exception('DOMDocument not found, unable to use sanitizer');
    435. 

  435.                 }
    436. 

  436.                 $document = new \DOMDocument();
    437. 

  437.                 $document->encoding = 'UTF-8';
    438. 

  438. 

  439.                 $data = $this->preprocess($data, $type);
    440. 

  440. 

  441.                 set_error_handler([Misc::class, 'silence_errors']);
    442. 

  442.                 $document->loadHTML($data);
    443. 

  443.                 restore_error_handler();
    444. 

  444. 

  445.                 $xpath = new \DOMXPath($document);
    446. 

  446. 

  447.                 // Strip comments
    448. 

  448.                 if ($this->strip_comments) {
    449. 

  449.                     $comments = $xpath->query('//comment()');
    450. 

  450. 

  451.                     foreach ($comments as $comment) {
    452. 

  452.                         $comment->parentNode->removeChild($comment);
    453. 

  453.                     }
    454. 

  454.                 }
    455. 

  455. 

  456.                 // Strip out HTML tags and attributes that might cause various security problems.
    457. 

  457.                 // Based on recommendations by Mark Pilgrim at:
    458. 

  458.                 // https://web.archive.org/web/20110902041826/http://diveintomark.org:80/archives/2003/06/12/how_to_consume_rss_safely
    459. 

  459.                 if ($this->strip_htmltags) {
    460. 

  460.                     foreach ($this->strip_htmltags as $tag) {
    461. 

  461.                         $this->strip_tag($tag, $document, $xpath, $type);
    462. 

  462.                     }
    463. 

  463.                 }
    464. 

  464. 

  465.                 if ($this->rename_attributes) {
    466. 

  466.                     foreach ($this->rename_attributes as $attrib) {
    467. 

  467.                         $this->rename_attr($attrib, $xpath);
    468. 

  468.                     }
    469. 

  469.                 }
    470. 

  470. 

  471.                 if ($this->strip_attributes) {
    472. 

  472.                     foreach ($this->strip_attributes as $attrib) {
    473. 

  473.                         $this->strip_attr($attrib, $xpath);
    474. 

  474.                     }
    475. 

  475.                 }
    476. 

  476. 

  477.                 if ($this->add_attributes) {
    478. 

  478.                     foreach ($this->add_attributes as $tag => $valuePairs) {
    479. 

  479.                         $this->add_attr($tag, $valuePairs, $document);
    480. 

  480.                     }
    481. 

  481.                 }
    482. 

  482. 

  483.                 // Replace relative URLs
    484. 

  484.                 $this->base = $base;
    485. 

  485.                 foreach ($this->replace_url_attributes as $element => $attributes) {
    486. 

  486.                     $this->replace_urls($document, $element, $attributes);
    487. 

  487.                 }
    488. 

  488. 

  489.                 // If image handling (caching, etc.) is enabled, cache and rewrite all the image tags.
    490. 

  490.                 if ($this->image_handler !== '' && $this->enable_cache) {
    491. 

  491.                     $images = $document->getElementsByTagName('img');
    492. 

  492. 

  493.                     foreach ($images as $img) {
    494. 

  494.                         if ($img->hasAttribute('src')) {
    495. 

  495.                             $image_url = $this->cache_namefilter->filter($img->getAttribute('src'));
    496. 

  496.                             $cache = $this->get_cache($image_url);
    497. 

  497. 

  498.                             if ($cache->get_data($image_url, false)) {
    499. 

  499.                                 $img->setAttribute('src', $this->image_handler . $image_url);
    500. 

  500.                             } else {
    501. 

  501.                                 try {
    502. 

  502.                                     $file = $this->get_http_client()->request(
    503. 

  503.                                         Client::METHOD_GET,
    504. 

  504.                                         $img->getAttribute('src'),
    505. 

  505.                                         ['X-FORWARDED-FOR' => $_SERVER['REMOTE_ADDR']]
    506. 

  506.                                     );
    507. 

  507.                                 } catch (ClientException $th) {
    508. 

  508.                                     continue;
    509. 

  509.                                 }
    510. 

  510. 

  511.                                 if ((!Misc::is_remote_uri($file->get_final_requested_uri()) || ($file->get_status_code() === 200 || $file->get_status_code() > 206 && $file->get_status_code() < 300))) {
    512. 

  512.                                     if ($cache->set_data($image_url, ['headers' => $file->get_headers(), 'body' => $file->get_body_content()], $this->cache_duration)) {
    513. 

  513.                                         $img->setAttribute('src', $this->image_handler . $image_url);
    514. 

  514.                                     } else {
    515. 

  515.                                         trigger_error("$this->cache_location is not writable. Make sure you've set the correct relative or absolute path, and that the location is server-writable.", E_USER_WARNING);
    516. 

  516.                                     }
    517. 

  517.                                 }
    518. 

  518.                             }
    519. 

  519.                         }
    520. 

  520.                     }
    521. 

  521.                 }
    522. 

  522. 

  523.                 // Get content node
    524. 

  524.                 $div = $document->getElementsByTagName('body')->item(0)->firstChild;
    525. 

  525.                 // Finally, convert to a HTML string
    526. 

  526.                 $data = trim($document->saveHTML($div));
    527. 

  527. 

  528.                 if ($this->remove_div) {
    529. 

  529.                     $data = preg_replace('/^<div' . \SimplePie\SimplePie::PCRE_XML_ATTRIBUTE . '>/', '', $data);
    530. 

  530.                     $data = preg_replace('/<\/div>$/', '', $data);
    531. 

  531.                 } else {
    532. 

  532.                     $data = preg_replace('/^<div' . \SimplePie\SimplePie::PCRE_XML_ATTRIBUTE . '>/', '<div>', $data);
    533. 

  533.                 }
    534. 

  534. 

  535.                 $data = str_replace('</source>', '', $data);
    536. 

  536.             }
    537. 

  537. 

  538.             if ($type & \SimplePie\SimplePie::CONSTRUCT_IRI) {
    539. 

  539.                 $absolute = $this->registry->call(Misc::class, 'absolutize_url', [$data, $base]);
    540. 

  540.                 if ($absolute !== false) {
    541. 

  541.                     $data = $absolute;
    542. 

  542.                 }
    543. 

  543.             }
    544. 

  544. 

  545.             if ($type & (\SimplePie\SimplePie::CONSTRUCT_TEXT | \SimplePie\SimplePie::CONSTRUCT_IRI)) {
    546. 

  546.                 $data = htmlspecialchars($data, ENT_COMPAT, 'UTF-8');
    547. 

  547.             }
    548. 

  548. 

  549.             if ($this->output_encoding !== 'UTF-8') {
    550. 

  550.                 $data = $this->registry->call(Misc::class, 'change_encoding', [$data, 'UTF-8', $this->output_encoding]);
    551. 

  551.             }
    552. 

  552.         }
    553. 

  553.         return $data;
    554. 

  554.     }
    555. 

  555. 

  556.     /**
    557. 

  557.      * @param int-mask-of<SimplePie::CONSTRUCT_*> $type
    558. 

  558.      * @return string
    559. 

  559.      */
    560. 

  560.     protected function preprocess(string $html, int $type)
    561. 

  561.     {
    562. 

  562.         $ret = '';
    563. 

  563.         $html = preg_replace('%</?(?:html|body)[^>]*?'.'>%is', '', $html);
    564. 

  564.         if ($type & ~\SimplePie\SimplePie::CONSTRUCT_XHTML) {
    565. 

  565.             // Atom XHTML constructs are wrapped with a div by default
    566. 

  566.             // Note: No protection if $html contains a stray </div>!
    567. 

  567.             $html = '<div>' . $html . '</div>';
    568. 

  568.             $ret .= '<!DOCTYPE html>';
    569. 

  569.             $content_type = 'text/html';
    570. 

  570.         } else {
    571. 

  571.             $ret .= '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">';
    572. 

  572.             $content_type = 'application/xhtml+xml';
    573. 

  573.         }
    574. 

  574. 

  575.         $ret .= '<html><head>';
    576. 

  576.         $ret .= '<meta http-equiv="Content-Type" content="' . $content_type . '; charset=utf-8" />';
    577. 

  577.         $ret .= '</head><body>' . $html . '</body></html>';
    578. 

  578.         return $ret;
    579. 

  579.     }
    580. 

  580. 

  581.     /**
    582. 

  582.      * @param array<string>|string $attributes
    583. 

  583.      * @return void
    584. 

  584.      */
    585. 

  585.     public function replace_urls(DOMDocument $document, string $tag, $attributes)
    586. 

  586.     {
    587. 

  587.         if (!is_array($attributes)) {
    588. 

  588.             $attributes = [$attributes];
    589. 

  589.         }
    590. 

  590. 

  591.         if (!is_array($this->strip_htmltags) || !in_array($tag, $this->strip_htmltags)) {
    592. 

  592.             $elements = $document->getElementsByTagName($tag);
    593. 

  593.             foreach ($elements as $element) {
    594. 

  594.                 foreach ($attributes as $attribute) {
    595. 

  595.                     if ($element->hasAttribute($attribute)) {
    596. 

  596.                         $value = $this->registry->call(Misc::class, 'absolutize_url', [$element->getAttribute($attribute), $this->base]);
    597. 

  597.                         if ($value !== false) {
    598. 

  598.                             $value = $this->https_url($value);
    599. 

  599.                             $element->setAttribute($attribute, $value);
    600. 

  600.                         }
    601. 

  601.                     }
    602. 

  602.                 }
    603. 

  603.             }
    604. 

  604.         }
    605. 

  605.     }
    606. 

  606. 

  607.     /**
    608. 

  608.      * @param array<int, string> $match
    609. 

  609.      * @return string
    610. 

  610.      */
    611. 

  611.     public function do_strip_htmltags(array $match)
    612. 

  612.     {
    613. 

  613.         if ($this->encode_instead_of_strip) {
    614. 

  614.             if (isset($match[4]) && !in_array(strtolower($match[1]), ['script', 'style'])) {
    615. 

  615.                 $match[1] = htmlspecialchars($match[1], ENT_COMPAT, 'UTF-8');
    616. 

  616.                 $match[2] = htmlspecialchars($match[2], ENT_COMPAT, 'UTF-8');
    617. 

  617.                 return "&lt;$match[1]$match[2]&gt;$match[3]&lt;/$match[1]&gt;";
    618. 

  618.             } else {
    619. 

  619.                 return htmlspecialchars($match[0], ENT_COMPAT, 'UTF-8');
    620. 

  620.             }
    621. 

  621.         } elseif (isset($match[4]) && !in_array(strtolower($match[1]), ['script', 'style'])) {
    622. 

  622.             return $match[4];
    623. 

  623.         } else {
    624. 

  624.             return '';
    625. 

  625.         }
    626. 

  626.     }
    627. 

  627. 

  628.     /**
    629. 

  629.      * @param int-mask-of<SimplePie::CONSTRUCT_*> $type
    630. 

  630.      * @return void
    631. 

  631.      */
    632. 

  632.     protected function strip_tag(string $tag, DOMDocument $document, DOMXPath $xpath, int $type)
    633. 

  633.     {
    634. 

  634.         $elements = $xpath->query('body//' . $tag);
    635. 

  635.         if ($this->encode_instead_of_strip) {
    636. 

  636.             foreach ($elements as $element) {
    637. 

  637.                 $fragment = $document->createDocumentFragment();
    638. 

  638. 

  639.                 // For elements which aren't script or style, include the tag itself
    640. 

  640.                 if (!in_array($tag, ['script', 'style'])) {
    641. 

  641.                     $text = '<' . $tag;
    642. 

  642.                     if ($element->hasAttributes()) {
    643. 

  643.                         $attrs = [];
    644. 

  644.                         foreach ($element->attributes as $name => $attr) {
    645. 

  645.                             $value = $attr->value;
    646. 

  646. 

  647.                             // In XHTML, empty values should never exist, so we repeat the value
    648. 

  648.                             if (empty($value) && ($type & \SimplePie\SimplePie::CONSTRUCT_XHTML)) {
    649. 

  649.                                 $value = $name;
    650. 

  650.                             }
    651. 

  651.                             // For HTML, empty is fine
    652. 

  652.                             elseif (empty($value) && ($type & \SimplePie\SimplePie::CONSTRUCT_HTML)) {
    653. 

  653.                                 $attrs[] = $name;
    654. 

  654.                                 continue;
    655. 

  655.                             }
    656. 

  656. 

  657.                             // Standard attribute text
    658. 

  658.                             $attrs[] = $name . '="' . $attr->value . '"';
    659. 

  659.                         }
    660. 

  660.                         $text .= ' ' . implode(' ', $attrs);
    661. 

  661.                     }
    662. 

  662.                     $text .= '>';
    663. 

  663.                     $fragment->appendChild(new \DOMText($text));
    664. 

  664.                 }
    665. 

  665. 

  666.                 $number = $element->childNodes->length;
    667. 

  667.                 for ($i = $number; $i > 0; $i--) {
    668. 

  668.                     $child = $element->childNodes->item(0);
    669. 

  669.                     $fragment->appendChild($child);
    670. 

  670.                 }
    671. 

  671. 

  672.                 if (!in_array($tag, ['script', 'style'])) {
    673. 

  673.                     $fragment->appendChild(new \DOMText('</' . $tag . '>'));
    674. 

  674.                 }
    675. 

  675. 

  676.                 $element->parentNode->replaceChild($fragment, $element);
    677. 

  677.             }
    678. 

  678. 

  679.             return;
    680. 

  680.         } elseif (in_array($tag, ['script', 'style'])) {
    681. 

  681.             foreach ($elements as $element) {
    682. 

  682.                 $element->parentNode->removeChild($element);
    683. 

  683.             }
    684. 

  684. 

  685.             return;
    686. 

  686.         } else {
    687. 

  687.             foreach ($elements as $element) {
    688. 

  688.                 $fragment = $document->createDocumentFragment();
    689. 

  689.                 $number = $element->childNodes->length;
    690. 

  690.                 for ($i = $number; $i > 0; $i--) {
    691. 

  691.                     $child = $element->childNodes->item(0);
    692. 

  692.                     $fragment->appendChild($child);
    693. 

  693.                 }
    694. 

  694. 

  695.                 $element->parentNode->replaceChild($fragment, $element);
    696. 

  696.             }
    697. 

  697.         }
    698. 

  698.     }
    699. 

  699. 

  700.     /**
    701. 

  701.      * @return void
    702. 

  702.      */
    703. 

  703.     protected function strip_attr(string $attrib, DOMXPath $xpath)
    704. 

  704.     {
    705. 

  705.         $elements = $xpath->query('//*[@' . $attrib . ']');
    706. 

  706. 

  707.         /** @var \DOMElement $element */
    708. 

  708.         foreach ($elements as $element) {
    709. 

  709.             $element->removeAttribute($attrib);
    710. 

  710.         }
    711. 

  711.     }
    712. 

  712. 

  713.     /**
    714. 

  714.      * @return void
    715. 

  715.      */
    716. 

  716.     protected function rename_attr(string $attrib, DOMXPath $xpath)
    717. 

  717.     {
    718. 

  718.         $elements = $xpath->query('//*[@' . $attrib . ']');
    719. 

  719. 

  720.         /** @var \DOMElement $element */
    721. 

  721.         foreach ($elements as $element) {
    722. 

  722.             $element->setAttribute('data-sanitized-' . $attrib, $element->getAttribute($attrib));
    723. 

  723.             $element->removeAttribute($attrib);
    724. 

  724.         }
    725. 

  725.     }
    726. 

  726. 

  727.     /**
    728. 

  728.      * @param array<string, string> $valuePairs
    729. 

  729.      * @return void
    730. 

  730.      */
    731. 

  731.     protected function add_attr(string $tag, array $valuePairs, DOMDocument $document)
    732. 

  732.     {
    733. 

  733.         $elements = $document->getElementsByTagName($tag);
    734. 

  734.         /** @var \DOMElement $element */
    735. 

  735.         foreach ($elements as $element) {
    736. 

  736.             foreach ($valuePairs as $attrib => $value) {
    737. 

  737.                 $element->setAttribute($attrib, $value);
    738. 

  738.             }
    739. 

  739.         }
    740. 

  740.     }
    741. 

  741. 

  742.     /**
    743. 

  743.      * Get a DataCache
    744. 

  744.      *
    745. 

  745.      * @param string $image_url Only needed for BC, can be removed in SimplePie 2.0.0
    746. 

  746.      *
    747. 

  747.      * @return DataCache
    748. 

  748.      */
    749. 

  749.     private function get_cache(string $image_url = ''): DataCache
    750. 

  750.     {
    751. 

  751.         if ($this->cache === null) {
    752. 

  752.             // @trigger_error(sprintf('Not providing as PSR-16 cache implementation is deprecated since SimplePie 1.8.0, please use "SimplePie\SimplePie::set_cache()".'), \E_USER_DEPRECATED);
    753. 

  753.             $cache = $this->registry->call(Cache::class, 'get_handler', [
    754. 

  754.                 $this->cache_location,
    755. 

  755.                 $image_url,
    756. 

  756.                 Base::TYPE_IMAGE
    757. 

  757.             ]);
    758. 

  758. 

  759.             return new BaseDataCache($cache);
    760. 

  760.         }
    761. 

  761. 

  762.         return $this->cache;
    763. 

  763.     }
    764. 

  764. 

  765.     /**
    766. 

  766.      * Get a HTTP client
    767. 

  767.      */
    768. 

  768.     private function get_http_client(): Client
    769. 

  769.     {
    770. 

  770.         if ($this->http_client === null) {
    771. 

  771.             $this->http_client = new FileClient(
    772. 

  772.                 $this->registry,
    773. 

  773.                 [
    774. 

  774.                     'timeout' => $this->timeout,
    775. 

  775.                     'redirects' => 5,
    776. 

  776.                     'useragent' => $this->useragent,
    777. 

  777.                     'force_fsockopen' => $this->force_fsockopen,
    778. 

  778.                     'curl_options' => $this->curl_options,
    779. 

  779.                 ]
    780. 

  780.             );
    781. 

  781.         }
    782. 

  782. 

  783.         return $this->http_client;
    784. 

  784.     }
    785. 

  785. }
    786. 

  786. 

  787. class_alias('SimplePie\Sanitize', 'SimplePie_Sanitize');
    788.