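<?php


namespace ComboStrap\Web;


use ComboStrap\LogUtility;

/**
 * Deny-list pre-filter for HTML snippets that are emitted verbatim.
 *
 * The whole snippet is rejected (an error is logged and "" is returned)
 * as soon as one forbidden construct is found; nothing is stripped or
 * rewritten. This is a regex check, not an HTML parser: only the constructs
 * listed below are caught (entity-encoded or otherwise obfuscated payloads
 * are not decoded first), so a non-empty return must not be read as "safe".
 * Callers should still escape for the output context and rely on a CSP;
 * an allow-list parser is the stronger option if this content is untrusted.
 */
class Sanitizer
{

    /**
     * Reject content that carries executable or styling constructs.
     *
     * Rejected: <script, <style, <iframe, <object, <embed tags (any case),
     * a style attribute, any attribute whose name starts with "on" (event
     * handlers), and a "javascript:" URL scheme. Whitespace between an
     * attribute name and "=" is tolerated by browsers, so it is tolerated
     * here too. A PCRE failure is treated as a hit (fail closed).
     *
     * @param string|null $content       the snippet to check; returned unchanged when clean
     * @param string      $suffixMessage appended to the logged error message
     * @param string      $canonical     log canonical handed to LogUtility::msg
     * @return string|null $content when no pattern matches, "" otherwise
     */
    public static function sanitize($content, $suffixMessage = "", $canonical = "security")
    {
        /**
         * Nodes
         */
        $forbiddenNodes = ["script", "style", "iframe", "object", "embed"];
        foreach ($forbiddenNodes as $forbiddenNode) {
            // "<script" also hits "<scriptx": overbroad on purpose, never under.
            $nodePattern = "/<" . preg_quote($forbiddenNode, "/") . "/i";
            if (self::matches($nodePattern, $content)) {
                return self::logAndReturnTheEmptyString("You can't used a $forbiddenNode node$suffixMessage.", $canonical);
            }
        }

        /**
         * Attribute
         */
        // `style = "..."` is a valid attribute form, hence \s* before "=".
        if (self::matches("/style\s*=/i", $content)) {
            return self::logAndReturnTheEmptyString("You can't used a style attribute $suffixMessage", $canonical);
        }

        // No word boundary: "on=" inside e.g. "formaction=" is also refused,
        // which is acceptable for a deny list (false positive, never a miss).
        if (self::matches("/on[a-z]*\s*=/i", $content)) {
            return self::logAndReturnTheEmptyString("You can't used an callback handler on attribute $suffixMessage", $canonical);
        }

        /**
         * URL scheme
         */
        // href/src/action/formaction with a javascript: URL runs code on
        // click or load; none of the tag/attribute checks above see it.
        if (self::matches("/javascript\s*:/i", $content)) {
            return self::logAndReturnTheEmptyString("You can't used a javascript url $suffixMessage", $canonical);
        }

        return $content;

    }

    /**
     * True when $pattern matches $content.
     *
     * preg_match returns false on an engine error (bad UTF-8 with the u flag,
     * backtrack limit, ...); that is counted as a match so an engine failure
     * can never let content through unchecked.
     *
     * @param string $pattern a complete PCRE pattern with delimiters
     * @param mixed  $content coerced to string; null becomes ""
     */
    private static function matches(string $pattern, $content): bool
    {
        $result = preg_match($pattern, (string)$content);
        return $result === false || $result === 1;
    }

    /**
     * Created to be sure that the content returned is empty
     * @param string $string
     * @param $canonical
     * @return string
     */
    private static function logAndReturnTheEmptyString(string $string, $canonical): string
    {
        LogUtility::msg($string, LogUtility::LVL_MSG_ERROR, $canonical);
        return "";
    }

}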