1<?php 2 3// SPDX-FileCopyrightText: 2004-2023 Ryan Parman, Sam Sneddon, Ryan McCue 4// SPDX-License-Identifier: BSD-3-Clause 5 6declare(strict_types=1); 7 8namespace SimplePie; 9 10use DOMDocument; 11use DOMXPath; 12use InvalidArgumentException; 13use Psr\Http\Client\ClientInterface; 14use Psr\Http\Message\RequestFactoryInterface; 15use Psr\Http\Message\UriFactoryInterface; 16use SimplePie\Cache\Base; 17use SimplePie\Cache\BaseDataCache; 18use SimplePie\Cache\CallableNameFilter; 19use SimplePie\Cache\DataCache; 20use SimplePie\Cache\NameFilter; 21use SimplePie\HTTP\Client; 22use SimplePie\HTTP\ClientException; 23use SimplePie\HTTP\FileClient; 24use SimplePie\HTTP\Psr18Client; 25 26/** 27 * Used for data cleanup and post-processing 28 * 29 * 30 * This class can be overloaded with {@see \SimplePie\SimplePie::set_sanitize_class()} 31 * 32 * @todo Move to using an actual HTML parser (this will allow tags to be properly stripped, and to switch between HTML and XHTML), this will also make it easier to shorten a string while preserving HTML tags 33 */ 34class Sanitize implements RegistryAware 35{ 36 // Private vars 37 /** @var string */ 38 public $base = ''; 39 40 // Options 41 /** @var bool */ 42 public $remove_div = true; 43 /** @var string */ 44 public $image_handler = ''; 45 /** @var string[] */ 46 public $strip_htmltags = ['base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'iframe', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'script', 'style']; 47 /** @var bool */ 48 public $encode_instead_of_strip = false; 49 /** @var string[] */ 50 public $strip_attributes = ['bgsound', 'expr', 'id', 'style', 'onclick', 'onerror', 'onfinish', 'onmouseover', 'onmouseout', 'onfocus', 'onblur', 'lowsrc', 'dynsrc']; 51 /** @var string[] */ 52 public $rename_attributes = []; 53 /** @var array<string, array<string, string>> */ 54 public $add_attributes = ['audio' => ['preload' => 'none'], 'iframe' => ['sandbox' => 'allow-scripts allow-same-origin'], 'video' => ['preload' => 'none']]; 55 /** @var bool */ 56 public $strip_comments = false; 57 /** @var string */ 58 public $output_encoding = 'UTF-8'; 59 /** @var bool */ 60 public $enable_cache = true; 61 /** @var string */ 62 public $cache_location = './cache'; 63 /** @var string&(callable(string): string) */ 64 public $cache_name_function = 'md5'; 65 66 /** 67 * @var NameFilter 68 */ 69 private $cache_namefilter; 70 /** @var int */ 71 public $timeout = 10; 72 /** @var string */ 73 public $useragent = ''; 74 /** @var bool */ 75 public $force_fsockopen = false; 76 /** @var array<string, string|string[]> */ 77 public $replace_url_attributes = []; 78 /** 79 * @var array<int, mixed> Custom curl options 80 * @see SimplePie::set_curl_options() 81 */ 82 private $curl_options = []; 83 84 /** @var Registry */ 85 public $registry; 86 87 /** 88 * @var DataCache|null 89 */ 90 private $cache = null; 91 92 /** 93 * @var int Cache duration (in seconds) 94 */ 95 private $cache_duration = 3600; 96 97 /** 98 * List of domains for which to force HTTPS. 99 * @see \SimplePie\Sanitize::set_https_domains() 100 * Array is a tree split at DNS levels. Example: 101 * array('biz' => true, 'com' => array('example' => true), 'net' => array('example' => array('www' => true))) 102 * @var true|array<string, true|array<string, true|array<string, array<string, true|array<string, true|array<string, true>>>>>> 103 */ 104 public $https_domains = []; 105 106 /** 107 * @var Client|null 108 */ 109 private $http_client = null; 110 111 public function __construct() 112 { 113 // Set defaults 114 $this->set_url_replacements(null); 115 } 116 117 /** 118 * @return void 119 */ 120 public function remove_div(bool $enable = true) 121 { 122 $this->remove_div = (bool) $enable; 123 } 124 125 /** 126 * @param string|false $page 127 * @return void 128 */ 129 public function set_image_handler($page = false) 130 { 131 if ($page) { 132 $this->image_handler = (string) $page; 133 } else { 134 $this->image_handler = ''; 135 } 136 } 137 138 /** 139 * @return void 140 */ 141 public function set_registry(\SimplePie\Registry $registry) 142 { 143 $this->registry = $registry; 144 } 145 146 /** 147 * @param (string&(callable(string): string))|NameFilter $cache_name_function 148 * @param class-string<Cache> $cache_class 149 * @return void 150 */ 151 public function pass_cache_data(bool $enable_cache = true, string $cache_location = './cache', $cache_name_function = 'md5', string $cache_class = Cache::class, ?DataCache $cache = null) 152 { 153 $this->enable_cache = $enable_cache; 154 155 if ($cache_location) { 156 $this->cache_location = $cache_location; 157 } 158 159 // @phpstan-ignore-next-line Enforce PHPDoc type. 160 if (!is_string($cache_name_function) && !$cache_name_function instanceof NameFilter) { 161 throw new InvalidArgumentException(sprintf( 162 '%s(): Argument #3 ($cache_name_function) must be of type %s', 163 __METHOD__, 164 NameFilter::class 165 ), 1); 166 } 167 168 // BC: $cache_name_function could be a callable as string 169 if (is_string($cache_name_function)) { 170 // trigger_error(sprintf('Providing $cache_name_function as string in "%s()" is deprecated since SimplePie 1.8.0, provide as "%s" instead.', __METHOD__, NameFilter::class), \E_USER_DEPRECATED); 171 $this->cache_name_function = $cache_name_function; 172 173 $cache_name_function = new CallableNameFilter($cache_name_function); 174 } 175 176 $this->cache_namefilter = $cache_name_function; 177 178 if ($cache !== null) { 179 $this->cache = $cache; 180 } 181 } 182 183 /** 184 * Set a PSR-18 client and PSR-17 factories 185 * 186 * Allows you to use your own HTTP client implementations. 187 */ 188 final public function set_http_client( 189 ClientInterface $http_client, 190 RequestFactoryInterface $request_factory, 191 UriFactoryInterface $uri_factory 192 ): void { 193 $this->http_client = new Psr18Client($http_client, $request_factory, $uri_factory); 194 } 195 196 /** 197 * @deprecated since SimplePie 1.9.0, use \SimplePie\Sanitize::set_http_client() instead. 198 * @param class-string<File> $file_class 199 * @param array<int, mixed> $curl_options 200 * @return void 201 */ 202 public function pass_file_data(string $file_class = File::class, int $timeout = 10, string $useragent = '', bool $force_fsockopen = false, array $curl_options = []) 203 { 204 // trigger_error(sprintf('SimplePie\Sanitize::pass_file_data() is deprecated since SimplePie 1.9.0, please use "SimplePie\Sanitize::set_http_client()" instead.'), \E_USER_DEPRECATED); 205 if ($timeout) { 206 $this->timeout = $timeout; 207 } 208 209 if ($useragent) { 210 $this->useragent = $useragent; 211 } 212 213 if ($force_fsockopen) { 214 $this->force_fsockopen = $force_fsockopen; 215 } 216 217 $this->curl_options = $curl_options; 218 // Invalidate the registered client. 219 $this->http_client = null; 220 } 221 222 /** 223 * @param string[]|string|false $tags Set a list of tags to strip, or set empty string to use default tags, or false to strip nothing. 224 * @return void 225 */ 226 public function strip_htmltags($tags = ['base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'iframe', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'script', 'style']) 227 { 228 if ($tags) { 229 if (is_array($tags)) { 230 $this->strip_htmltags = $tags; 231 } else { 232 $this->strip_htmltags = explode(',', $tags); 233 } 234 } else { 235 $this->strip_htmltags = []; 236 } 237 } 238 239 /** 240 * @return void 241 */ 242 public function encode_instead_of_strip(bool $encode = false) 243 { 244 $this->encode_instead_of_strip = $encode; 245 } 246 247 /** 248 * @param string[]|string $attribs 249 * @return void 250 */ 251 public function rename_attributes($attribs = []) 252 { 253 if ($attribs) { 254 if (is_array($attribs)) { 255 $this->rename_attributes = $attribs; 256 } else { 257 $this->rename_attributes = explode(',', $attribs); 258 } 259 } else { 260 $this->rename_attributes = []; 261 } 262 } 263 264 /** 265 * @param string[]|string $attribs 266 * @return void 267 */ 268 public function strip_attributes($attribs = ['bgsound', 'expr', 'id', 'style', 'onclick', 'onerror', 'onfinish', 'onmouseover', 'onmouseout', 'onfocus', 'onblur', 'lowsrc', 'dynsrc']) 269 { 270 if ($attribs) { 271 if (is_array($attribs)) { 272 $this->strip_attributes = $attribs; 273 } else { 274 $this->strip_attributes = explode(',', $attribs); 275 } 276 } else { 277 $this->strip_attributes = []; 278 } 279 } 280 281 /** 282 * @param array<string, array<string, string>> $attribs 283 * @return void 284 */ 285 public function add_attributes(array $attribs = ['audio' => ['preload' => 'none'], 'iframe' => ['sandbox' => 'allow-scripts allow-same-origin'], 'video' => ['preload' => 'none']]) 286 { 287 $this->add_attributes = $attribs; 288 } 289 290 /** 291 * @return void 292 */ 293 public function strip_comments(bool $strip = false) 294 { 295 $this->strip_comments = $strip; 296 } 297 298 /** 299 * @return void 300 */ 301 public function set_output_encoding(string $encoding = 'UTF-8') 302 { 303 $this->output_encoding = $encoding; 304 } 305 306 /** 307 * Set element/attribute key/value pairs of HTML attributes 308 * containing URLs that need to be resolved relative to the feed 309 * 310 * Defaults to |a|@href, |area|@href, |audio|@src, |blockquote|@cite, 311 * |del|@cite, |form|@action, |img|@longdesc, |img|@src, |input|@src, 312 * |ins|@cite, |q|@cite, |source|@src, |video|@src 313 * 314 * @since 1.0 315 * @param array<string, string|string[]>|null $element_attribute Element/attribute key/value pairs, null for default 316 * @return void 317 */ 318 public function set_url_replacements(?array $element_attribute = null) 319 { 320 if ($element_attribute === null) { 321 $element_attribute = [ 322 'a' => 'href', 323 'area' => 'href', 324 'audio' => 'src', 325 'blockquote' => 'cite', 326 'del' => 'cite', 327 'form' => 'action', 328 'img' => [ 329 'longdesc', 330 'src' 331 ], 332 'input' => 'src', 333 'ins' => 'cite', 334 'q' => 'cite', 335 'source' => 'src', 336 'video' => [ 337 'poster', 338 'src' 339 ] 340 ]; 341 } 342 $this->replace_url_attributes = $element_attribute; 343 } 344 345 /** 346 * Set the list of domains for which to force HTTPS. 347 * @see \SimplePie\Misc::https_url() 348 * Example array('biz', 'example.com', 'example.org', 'www.example.net'); 349 * 350 * @param string[] $domains list of domain names ['biz', 'example.com', 'example.org', 'www.example.net'] 351 * 352 * @return void 353 */ 354 public function set_https_domains(array $domains) 355 { 356 $this->https_domains = []; 357 foreach ($domains as $domain) { 358 $domain = trim($domain, ". \t\n\r\0\x0B"); 359 $segments = array_reverse(explode('.', $domain)); 360 /** @var true|array<string, true|array<string, true|array<string, array<string, true|array<string, true|array<string, true>>>>>> */ // Needed for PHPStan. 361 $node = &$this->https_domains; 362 foreach ($segments as $segment) {//Build a tree 363 if ($node === true) { 364 break; 365 } 366 if (!isset($node[$segment])) { 367 $node[$segment] = []; 368 } 369 $node = &$node[$segment]; 370 } 371 $node = true; 372 } 373 } 374 375 /** 376 * Check if the domain is in the list of forced HTTPS. 377 * 378 * @return bool 379 */ 380 protected function is_https_domain(string $domain) 381 { 382 $domain = trim($domain, '. '); 383 $segments = array_reverse(explode('.', $domain)); 384 $node = &$this->https_domains; 385 foreach ($segments as $segment) {//Explore the tree 386 if (isset($node[$segment])) { 387 $node = &$node[$segment]; 388 } else { 389 break; 390 } 391 } 392 return $node === true; 393 } 394 395 /** 396 * Force HTTPS for selected Web sites. 397 * 398 * @return string 399 */ 400 public function https_url(string $url) 401 { 402 return ( 403 strtolower(substr($url, 0, 7)) === 'http://' 404 && ($parsed = parse_url($url, PHP_URL_HOST)) !== false // Malformed URL 405 && $parsed !== null // Missing host 406 && $this->is_https_domain($parsed) // Should be forced? 407 ) ? substr_replace($url, 's', 4, 0) // Add the 's' to HTTPS 408 : $url; 409 } 410 411 /** 412 * @param int-mask-of<SimplePie::CONSTRUCT_*> $type 413 * @param string $base 414 * @return string Sanitized data; false if output encoding is changed to something other than UTF-8 and conversion fails 415 */ 416 public function sanitize(string $data, int $type, string $base = '') 417 { 418 $data = trim($data); 419 if ($data !== '' || $type & \SimplePie\SimplePie::CONSTRUCT_IRI) { 420 if ($type & \SimplePie\SimplePie::CONSTRUCT_MAYBE_HTML) { 421 if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . \SimplePie\SimplePie::PCRE_HTML_ATTRIBUTE . '>)/', $data)) { 422 $type |= \SimplePie\SimplePie::CONSTRUCT_HTML; 423 } else { 424 $type |= \SimplePie\SimplePie::CONSTRUCT_TEXT; 425 } 426 } 427 428 if ($type & \SimplePie\SimplePie::CONSTRUCT_BASE64) { 429 $data = base64_decode($data); 430 } 431 432 if ($type & (\SimplePie\SimplePie::CONSTRUCT_HTML | \SimplePie\SimplePie::CONSTRUCT_XHTML)) { 433 if (!class_exists('DOMDocument')) { 434 throw new \SimplePie\Exception('DOMDocument not found, unable to use sanitizer'); 435 } 436 $document = new \DOMDocument(); 437 $document->encoding = 'UTF-8'; 438 439 // PHPStan seems to have trouble resolving int-mask because bitwise 440 // operators are used when operators are used when passing this parameter. 441 // https://github.com/phpstan/phpstan/issues/9384 442 /** @var int-mask-of<SimplePie::CONSTRUCT_*> $type */ 443 $data = $this->preprocess($data, $type); 444 445 set_error_handler([Misc::class, 'silence_errors']); 446 $document->loadHTML($data); 447 restore_error_handler(); 448 449 $xpath = new \DOMXPath($document); 450 451 // Strip comments 452 if ($this->strip_comments) { 453 /** @var \DOMNodeList<\DOMComment> */ 454 $comments = $xpath->query('//comment()'); 455 456 foreach ($comments as $comment) { 457 $parentNode = $comment->parentNode; 458 assert($parentNode !== null, 'For PHPStan, comment must have a parent'); 459 $parentNode->removeChild($comment); 460 } 461 } 462 463 // Strip out HTML tags and attributes that might cause various security problems. 464 // Based on recommendations by Mark Pilgrim at: 465 // https://web.archive.org/web/20110902041826/http://diveintomark.org:80/archives/2003/06/12/how_to_consume_rss_safely 466 if ($this->strip_htmltags) { 467 foreach ($this->strip_htmltags as $tag) { 468 $this->strip_tag($tag, $document, $xpath, $type); 469 } 470 } 471 472 if ($this->rename_attributes) { 473 foreach ($this->rename_attributes as $attrib) { 474 $this->rename_attr($attrib, $xpath); 475 } 476 } 477 478 if ($this->strip_attributes) { 479 foreach ($this->strip_attributes as $attrib) { 480 $this->strip_attr($attrib, $xpath); 481 } 482 } 483 484 if ($this->add_attributes) { 485 foreach ($this->add_attributes as $tag => $valuePairs) { 486 $this->add_attr($tag, $valuePairs, $document); 487 } 488 } 489 490 // Replace relative URLs 491 $this->base = $base; 492 foreach ($this->replace_url_attributes as $element => $attributes) { 493 $this->replace_urls($document, $element, $attributes); 494 } 495 496 // If image handling (caching, etc.) is enabled, cache and rewrite all the image tags. 497 if ($this->image_handler !== '' && $this->enable_cache) { 498 $images = $document->getElementsByTagName('img'); 499 500 foreach ($images as $img) { 501 if ($img->hasAttribute('src')) { 502 $image_url = $this->cache_namefilter->filter($img->getAttribute('src')); 503 $cache = $this->get_cache($image_url); 504 505 if ($cache->get_data($image_url, false)) { 506 $img->setAttribute('src', $this->image_handler . $image_url); 507 } else { 508 try { 509 $file = $this->get_http_client()->request( 510 Client::METHOD_GET, 511 $img->getAttribute('src'), 512 ['X-FORWARDED-FOR' => $_SERVER['REMOTE_ADDR']] 513 ); 514 } catch (ClientException $th) { 515 continue; 516 } 517 518 if ((!Misc::is_remote_uri($file->get_final_requested_uri()) || ($file->get_status_code() === 200 || $file->get_status_code() > 206 && $file->get_status_code() < 300))) { 519 if ($cache->set_data($image_url, ['headers' => $file->get_headers(), 'body' => $file->get_body_content()], $this->cache_duration)) { 520 $img->setAttribute('src', $this->image_handler . $image_url); 521 } else { 522 trigger_error("$this->cache_location is not writable. Make sure you've set the correct relative or absolute path, and that the location is server-writable.", E_USER_WARNING); 523 } 524 } 525 } 526 } 527 } 528 } 529 530 // Get content node 531 $div = null; 532 if (($item = $document->getElementsByTagName('body')->item(0)) !== null) { 533 $div = $item->firstChild; 534 } 535 // Finally, convert to a HTML string 536 $data = trim((string) $document->saveHTML($div)); 537 538 if ($this->remove_div) { 539 $data = preg_replace('/^<div' . \SimplePie\SimplePie::PCRE_XML_ATTRIBUTE . '>/', '', $data); 540 // Cast for PHPStan, it is unable to validate a non-literal regex above. 541 $data = preg_replace('/<\/div>$/', '', (string) $data); 542 } else { 543 $data = preg_replace('/^<div' . \SimplePie\SimplePie::PCRE_XML_ATTRIBUTE . '>/', '<div>', $data); 544 } 545 546 // Cast for PHPStan, it is unable to validate a non-literal regex above. 547 $data = str_replace('</source>', '', (string) $data); 548 } 549 550 if ($type & \SimplePie\SimplePie::CONSTRUCT_IRI) { 551 $absolute = $this->registry->call(Misc::class, 'absolutize_url', [$data, $base]); 552 if ($absolute !== false) { 553 $data = $absolute; 554 } 555 } 556 557 if ($type & (\SimplePie\SimplePie::CONSTRUCT_TEXT | \SimplePie\SimplePie::CONSTRUCT_IRI)) { 558 $data = htmlspecialchars($data, ENT_COMPAT, 'UTF-8'); 559 } 560 561 if ($this->output_encoding !== 'UTF-8') { 562 // This really returns string|false but changing encoding is uncommon and we are going to deprecate it, so let’s just lie to PHPStan in the interest of cleaner annotations. 563 /** @var string */ 564 $data = $this->registry->call(Misc::class, 'change_encoding', [$data, 'UTF-8', $this->output_encoding]); 565 } 566 } 567 return $data; 568 } 569 570 /** 571 * @param int-mask-of<SimplePie::CONSTRUCT_*> $type 572 * @return string 573 */ 574 protected function preprocess(string $html, int $type) 575 { 576 $ret = ''; 577 $html = preg_replace('%</?(?:html|body)[^>]*?'.'>%is', '', $html); 578 if ($type & ~\SimplePie\SimplePie::CONSTRUCT_XHTML) { 579 // Atom XHTML constructs are wrapped with a div by default 580 // Note: No protection if $html contains a stray </div>! 581 $html = '<div>' . $html . '</div>'; 582 $ret .= '<!DOCTYPE html>'; 583 $content_type = 'text/html'; 584 } else { 585 $ret .= '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'; 586 $content_type = 'application/xhtml+xml'; 587 } 588 589 $ret .= '<html><head>'; 590 $ret .= '<meta http-equiv="Content-Type" content="' . $content_type . '; charset=utf-8" />'; 591 $ret .= '</head><body>' . $html . '</body></html>'; 592 return $ret; 593 } 594 595 /** 596 * @param array<string>|string $attributes 597 * @return void 598 */ 599 public function replace_urls(DOMDocument $document, string $tag, $attributes) 600 { 601 if (!is_array($attributes)) { 602 $attributes = [$attributes]; 603 } 604 605 if (!is_array($this->strip_htmltags) || !in_array($tag, $this->strip_htmltags)) { 606 $elements = $document->getElementsByTagName($tag); 607 foreach ($elements as $element) { 608 foreach ($attributes as $attribute) { 609 if ($element->hasAttribute($attribute)) { 610 $value = $this->registry->call(Misc::class, 'absolutize_url', [$element->getAttribute($attribute), $this->base]); 611 if ($value !== false) { 612 $value = $this->https_url($value); 613 $element->setAttribute($attribute, $value); 614 } 615 } 616 } 617 } 618 } 619 } 620 621 /** 622 * @param array<int, string> $match 623 * @return string 624 */ 625 public function do_strip_htmltags(array $match) 626 { 627 if ($this->encode_instead_of_strip) { 628 if (isset($match[4]) && !in_array(strtolower($match[1]), ['script', 'style'])) { 629 $match[1] = htmlspecialchars($match[1], ENT_COMPAT, 'UTF-8'); 630 $match[2] = htmlspecialchars($match[2], ENT_COMPAT, 'UTF-8'); 631 return "<$match[1]$match[2]>$match[3]</$match[1]>"; 632 } else { 633 return htmlspecialchars($match[0], ENT_COMPAT, 'UTF-8'); 634 } 635 } elseif (isset($match[4]) && !in_array(strtolower($match[1]), ['script', 'style'])) { 636 return $match[4]; 637 } else { 638 return ''; 639 } 640 } 641 642 /** 643 * @param int-mask-of<SimplePie::CONSTRUCT_*> $type 644 * @return void 645 */ 646 protected function strip_tag(string $tag, DOMDocument $document, DOMXPath $xpath, int $type) 647 { 648 $elements = $xpath->query('body//' . $tag); 649 650 if ($elements === false) { 651 throw new \SimplePie\Exception(sprintf( 652 '%s(): Possibly malformed expression, check argument #1 ($tag)', 653 __METHOD__ 654 ), 1); 655 } 656 657 if ($this->encode_instead_of_strip) { 658 foreach ($elements as $element) { 659 $fragment = $document->createDocumentFragment(); 660 661 // For elements which aren't script or style, include the tag itself 662 if (!in_array($tag, ['script', 'style'])) { 663 $text = '<' . $tag; 664 if ($element->attributes !== null) { 665 $attrs = []; 666 foreach ($element->attributes as $name => $attr) { 667 $value = $attr->value; 668 669 // In XHTML, empty values should never exist, so we repeat the value 670 if (empty($value) && ($type & \SimplePie\SimplePie::CONSTRUCT_XHTML)) { 671 $value = $name; 672 } 673 // For HTML, empty is fine 674 elseif (empty($value) && ($type & \SimplePie\SimplePie::CONSTRUCT_HTML)) { 675 $attrs[] = $name; 676 continue; 677 } 678 679 // Standard attribute text 680 $attrs[] = $name . '="' . $attr->value . '"'; 681 } 682 $text .= ' ' . implode(' ', $attrs); 683 } 684 $text .= '>'; 685 $fragment->appendChild(new \DOMText($text)); 686 } 687 688 $number = $element->childNodes->length; 689 for ($i = $number; $i > 0; $i--) { 690 if (($child = $element->childNodes->item(0)) !== null) { 691 $fragment->appendChild($child); 692 } 693 } 694 695 if (!in_array($tag, ['script', 'style'])) { 696 $fragment->appendChild(new \DOMText('</' . $tag . '>')); 697 } 698 699 if (($parentNode = $element->parentNode) !== null) { 700 $parentNode->replaceChild($fragment, $element); 701 } 702 } 703 704 return; 705 } elseif (in_array($tag, ['script', 'style'])) { 706 foreach ($elements as $element) { 707 if (($parentNode = $element->parentNode) !== null) { 708 $parentNode->removeChild($element); 709 } 710 } 711 712 return; 713 } else { 714 foreach ($elements as $element) { 715 $fragment = $document->createDocumentFragment(); 716 $number = $element->childNodes->length; 717 for ($i = $number; $i > 0; $i--) { 718 if (($child = $element->childNodes->item(0)) !== null) { 719 $fragment->appendChild($child); 720 } 721 } 722 723 if (($parentNode = $element->parentNode) !== null) { 724 $parentNode->replaceChild($fragment, $element); 725 } 726 } 727 } 728 } 729 730 /** 731 * @return void 732 */ 733 protected function strip_attr(string $attrib, DOMXPath $xpath) 734 { 735 $elements = $xpath->query('//*[@' . $attrib . ']'); 736 737 if ($elements === false) { 738 throw new \SimplePie\Exception(sprintf( 739 '%s(): Possibly malformed expression, check argument #1 ($attrib)', 740 __METHOD__ 741 ), 1); 742 } 743 744 /** @var \DOMElement $element */ 745 foreach ($elements as $element) { 746 $element->removeAttribute($attrib); 747 } 748 } 749 750 /** 751 * @return void 752 */ 753 protected function rename_attr(string $attrib, DOMXPath $xpath) 754 { 755 $elements = $xpath->query('//*[@' . $attrib . ']'); 756 757 if ($elements === false) { 758 throw new \SimplePie\Exception(sprintf( 759 '%s(): Possibly malformed expression, check argument #1 ($attrib)', 760 __METHOD__ 761 ), 1); 762 } 763 764 /** @var \DOMElement $element */ 765 foreach ($elements as $element) { 766 $element->setAttribute('data-sanitized-' . $attrib, $element->getAttribute($attrib)); 767 $element->removeAttribute($attrib); 768 } 769 } 770 771 /** 772 * @param array<string, string> $valuePairs 773 * @return void 774 */ 775 protected function add_attr(string $tag, array $valuePairs, DOMDocument $document) 776 { 777 $elements = $document->getElementsByTagName($tag); 778 /** @var \DOMElement $element */ 779 foreach ($elements as $element) { 780 foreach ($valuePairs as $attrib => $value) { 781 $element->setAttribute($attrib, $value); 782 } 783 } 784 } 785 786 /** 787 * Get a DataCache 788 * 789 * @param string $image_url Only needed for BC, can be removed in SimplePie 2.0.0 790 * 791 * @return DataCache 792 */ 793 private function get_cache(string $image_url = ''): DataCache 794 { 795 if ($this->cache === null) { 796 // @trigger_error(sprintf('Not providing as PSR-16 cache implementation is deprecated since SimplePie 1.8.0, please use "SimplePie\SimplePie::set_cache()".'), \E_USER_DEPRECATED); 797 $cache = $this->registry->call(Cache::class, 'get_handler', [ 798 $this->cache_location, 799 $image_url, 800 Base::TYPE_IMAGE 801 ]); 802 803 return new BaseDataCache($cache); 804 } 805 806 return $this->cache; 807 } 808 809 /** 810 * Get a HTTP client 811 */ 812 private function get_http_client(): Client 813 { 814 if ($this->http_client === null) { 815 $this->http_client = new FileClient( 816 $this->registry, 817 [ 818 'timeout' => $this->timeout, 819 'redirects' => 5, 820 'useragent' => $this->useragent, 821 'force_fsockopen' => $this->force_fsockopen, 822 'curl_options' => $this->curl_options, 823 ] 824 ); 825 } 826 827 return $this->http_client; 828 } 829} 830 831class_alias('SimplePie\Sanitize', 'SimplePie_Sanitize'); 832