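<?php


namespace ComboStrap;


/**
 * Denylist gate for user-supplied HTML fragments.
 *
 * NOTE(review): this is a rejection filter, not an HTML sanitizer. It refuses
 * content containing a handful of well-known vectors (script/style/iframe
 * elements, inline `style` attributes, `on*` event-handler attributes) and
 * otherwise returns the content untouched. Anything outside that list —
 * `javascript:` URLs in href/src, `srcdoc`, `<object>`/`<embed>`,
 * `<svg>`/`<math>` payloads, `<meta>`/`<base>`/`<form>` — passes through, so
 * callers must still escape or allowlist the content for the context it is
 * rendered in.
 */
class Sanitizer
{

    /**
     * Reject content that contains a forbidden element or attribute.
     *
     * Checks run in order (elements, then `style=`, then `on*=`) and the first
     * hit logs an error and returns the empty string; content that survives
     * every check is returned byte-for-byte.
     *
     * @param mixed $content the HTML fragment to check (a string is expected)
     * @param string $suffixMessage text appended to the logged error message
     * @param string $canonical identifier handed to LogUtility::msg
     * @return mixed $content unchanged, or "" when a forbidden construct was found
     */
    public static function sanitize($content, $suffixMessage = "", $canonical = "security")
    {
        /**
         * Elements: any opening tag of these names is refused.
         */
        $forbiddenNodes = ["script", "style", "iframe"];
        foreach ($forbiddenNodes as $forbiddenNode) {
            if (self::matches("/<$forbiddenNode/i", $content)) {
                return self::logAndReturnTheEmptyString("You can't used a $forbiddenNode node$suffixMessage.", $canonical);
            }
        }

        /**
         * Attributes. `\s*` before `=` is required because the HTML tokenizer
         * accepts whitespace around `=` (`onerror =x`), which a pattern that
         * demands `name=` with no gap would let through. `\b` stops unrelated
         * attributes such as `version=` or `position=` from being reported as
         * an event handler; an attribute name cannot be preceded by a word
         * character, so it does not open a bypass.
         */
        if (self::matches('/\bstyle\s*=/i', $content)) {
            return self::logAndReturnTheEmptyString("You can't used a style attribute $suffixMessage", $canonical);
        }

        if (self::matches('/\bon[a-zA-Z]*\s*=/i', $content)) {
            return self::logAndReturnTheEmptyString("You can't used an callback handler on attribute $suffixMessage", $canonical);
        }

        return $content;

    }

    /**
     * True when $pattern matches $subject.
     *
     * preg_match() returns false on a PCRE failure (backtrack/recursion limit,
     * ...). That case is reported as a match so the caller fails closed and
     * rejects the content instead of letting unchecked input through.
     *
     * @param string $pattern a complete PCRE pattern, delimiters included
     * @param mixed $subject the text to test
     */
    private static function matches(string $pattern, $subject): bool
    {
        $result = preg_match($pattern, $subject);
        // 1 = match, 0 = no match, false = engine error (treated as a match)
        return $result !== 0;
    }

    /**
     * Log $string as an error and return the empty string, so that every
     * rejection path yields exactly "" (never null or the original content).
     * @param string $string the error message
     * @param $canonical identifier handed to LogUtility::msg
     * @return string always ""
     */
    private static function logAndReturnTheEmptyString(string $string, $canonical): string
    {
        LogUtility::msg($string, LogUtility::LVL_MSG_ERROR, $canonical);
        return "";
    }

}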