1 <?php
2 
3 declare(strict_types=1);
4 
5 /*
6  * This file is part of the TYPO3 project.
7  *
8  * It is free software; you can redistribute it and/or modify it under the terms
9  * of the MIT License (MIT). For the full copyright and license information,
10  * please read the LICENSE file that was distributed with this source code.
11  *
12  * The TYPO3 project - inspiring people to share!
13  */
14 
16 
use TYPO3\CMS\Core\SingletonInterface;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Builder\CommonBuilder;
use TYPO3\HtmlSanitizer\Sanitizer;
use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;
23 
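/**
 * Builds the default HTML sanitizer used by TYPO3: the common behavior of
 * the html-sanitizer package, extended with TYPO3-specific URI forms and a
 * few legacy attribute carve-outs (`style`, `onclick="openPic(...)"`).
 *
 * Every additional allowance widens what survives sanitization, which is why
 * the legacy ones are marked `@todo` for removal.
 */
class DefaultSanitizerBuilder extends CommonBuilder implements SingletonInterface
{
    /**
     * Behavior created once by createBehavior() and reused afterwards.
     *
     * @var Behavior
     */
    private $behavior;

    public function __construct()
    {
        parent::__construct();
        // + URL must be on local host, or is absolute URI path
        // Parentheses only make the existing grouping explicit: `&&` binds
        // tighter than `||`, so the evaluation is unchanged.
        $isOnCurrentHost = new Behavior\ClosureAttrValue(
            static function (string $value): bool {
                return (GeneralUtility::isValidUrl($value) && GeneralUtility::isOnCurrentHost($value))
                    || (GeneralUtility::isAbsPath($value) && GeneralUtility::isAllowedAbsPath($value)); // @todo incorrect abs path!
            }
        );
        // + starting with `t3://`
        $isTypo3Uri = new Behavior\RegExpAttrValue('#^t3://#');
        // + TYPO3 spam protected email address using JavaScript
        // NOTE(review): both patterns are anchored at the start only, i.e. they
        // constrain the scheme/prefix of the value and not what follows it.
        $isSpamProtectedEmailUri = new Behavior\RegExpAttrValue('#^javascript:linkTo_UnCryptMailto#');

        // extends common attributes for TYPO3-specific URIs
        $this->srcAttr->addValues($isOnCurrentHost);
        $this->srcsetAttr->addValues($isOnCurrentHost);
        $this->hrefAttr->addValues($isOnCurrentHost, $isTypo3Uri, $isSpamProtectedEmailUri);

        // @todo `style` used in Introduction Package, inline CSS should be removed
        $this->globalAttrs[] = new Behavior\Attr('style');
    }

    /**
     * Creates the sanitizer from the (cached) default behavior and a common visitor.
     */
    public function build(): Sanitizer
    {
        // The local behavior is obtained from createBehavior(); the listing
        // used `$behavior` here without ever assigning it.
        $behavior = $this->createBehavior();
        $visitor = GeneralUtility::makeInstance(CommonVisitor::class, $behavior);
        return GeneralUtility::makeInstance(Sanitizer::class, $behavior, $visitor);
    }

    /**
     * Extends the common basic tags with the legacy `onclick="openPic(...)"`
     * allowance on `<a>`.
     *
     * @return array tag definitions keyed by tag name, as returned by the parent
     */
    protected function createBasicTags(): array
    {
        $tags = parent::createBasicTags();
        // `... onclick="openPic(...)"` used in ContentObjectRenderer and AbstractMenuContentObject
        // @todo get rid of `onclick` since it conflicts with Content-Security-Policy
        // NOTE(review): the pattern is prefix-anchored only and checks just the
        // call name, not the whole handler — one more reason to drop it as noted.
        $tags['a']->addAttrs(
            (new Behavior\Attr('onclick'))
                ->addValues(new Behavior\RegExpAttrValue('#^openPic\‍(#'))
        );
        return $tags;
    }

    /**
     * Returns the default behavior: the parent's common behavior named
     * `default`, created on first use and cached in $this->behavior.
     */
    protected function createBehavior(): Behavior
    {
        if (!isset($this->behavior)) {
            $this->behavior = parent::createBehavior()->withName('default');
        }
        return $this->behavior;
    }
}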