‪TYPO3CMS  9.5
All Classes Namespaces Files Functions Variables Pages
DefaultSanitizerBuilder.php
Go to the documentation of this file.
1 <?php
2 
3 declare(strict_types = 1);
4 
5 /*
6  * This file is part of the TYPO3 project.
7  *
8  * It is free software; you can redistribute it and/or modify it under the terms
9  * of the MIT License (MIT). For the full copyright and license information,
10  * please read the LICENSE file that was distributed with this source code.
11  *
12  * The TYPO3 project - inspiring people to share!
13  */
14 
15 namespace ‪TYPO3\CMS\Core\Html;
16 
17 use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
18 use TYPO3\HtmlSanitizer\Behavior;
19 use TYPO3\HtmlSanitizer\Builder\CommonBuilder;
20 use TYPO3\HtmlSanitizer\Sanitizer;
21 use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;
22 
29 class ‪DefaultSanitizerBuilder extends CommonBuilder
30 {
31  public function ‪__construct()
32  {
33  parent::__construct();
34  // + URL must be on local host, or is absolute URI path
35  $isOnCurrentHost = new Behavior\ClosureAttrValue(
36  function (string $value): bool {
37  return GeneralUtility::isValidUrl($value) && GeneralUtility::isOnCurrentHost($value)
38  || GeneralUtility::isAbsPath($value) && GeneralUtility::isAllowedAbsPath($value); // @todo incorrect abs path!
39  }
40  );
41  // + starting with `t3://`
42  $isTypo3Uri = new Behavior\RegExpAttrValue('#^t3://#');
43  // + TYPO3 spam protected email address using JavaScript
44  $isSpamProtectedEmailUri = new Behavior\RegExpAttrValue('#^javascript:linkTo_UnCryptMailto#');
45 
46  // extends common attributes for TYPO3-specific URIs
47  $this->srcAttr->addValues($isOnCurrentHost);
48  $this->srcsetAttr->addValues($isOnCurrentHost);
49  $this->hrefAttr->addValues($isOnCurrentHost, $isTypo3Uri, $isSpamProtectedEmailUri);
50 
51  // @todo `style` used in Introduction Package, inline CSS should be removed
52  $this->globalAttrs[] = new Behavior\Attr('style');
53  }
54 
55  public function ‪build(): Sanitizer
56  {
57  $behavior = $this->‪createBehavior();
58  $visitor = GeneralUtility::makeInstance(CommonVisitor::class, $behavior);
59  return GeneralUtility::makeInstance(Sanitizer::class, $visitor);
60  }
61 
62  protected function ‪createBasicTags(): array
63  {
65  $tags = parent::createBasicTags();
66  // `... onclick="openPic(...)"` used in ContentObjectRenderer and AbstractMenuContentObject
67  // @todo get rid of `onclick` since it conflicts with Content-Security-Policy
68  $tags['a']->addAttrs(
69  (new Behavior\Attr('onclick'))
70  ->addValues(new Behavior\RegExpAttrValue('#^openPic\‍(#'))
71  );
72  return $tags;
73  }
74 
75  protected function ‪createBehavior(): Behavior
76  {
77  return parent::createBehavior()
78  ->withName('default');
79  }
80 }
‪TYPO3\CMS\Core\Html
Definition: DefaultSanitizerBuilder.php:15
‪TYPO3\CMS\Core\Html\DefaultSanitizerBuilder
Definition: DefaultSanitizerBuilder.php:30
‪TYPO3\CMS\Core\Html\DefaultSanitizerBuilder\__construct
‪__construct()
Definition: DefaultSanitizerBuilder.php:31
‪TYPO3\CMS\Core\Html\DefaultSanitizerBuilder\createBehavior
‪createBehavior()
Definition: DefaultSanitizerBuilder.php:75
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:45
‪TYPO3\CMS\Core\Html\DefaultSanitizerBuilder\createBasicTags
‪createBasicTags()
Definition: DefaultSanitizerBuilder.php:62
‪TYPO3\CMS\Core\Html\DefaultSanitizerBuilder\build
‪build()
Definition: DefaultSanitizerBuilder.php:55