Merge remote-tracking branch 'upstream/develop' into user-contact

[friendica.git] / src / Content / Text / HTML.php

diff --git a/src/Content/Text/HTML.php b/src/Content/Text/HTML.php
index c3c43822ab9e6e7e09dbdf363b863f694e3e6c40..0e117a2205b9a7676897dd9f15e2f9a35a61d69a 100644 (file)
--- a/src/Content/Text/HTML.php
+++ b/src/Content/Text/HTML.php
@@ -1,6 +1,6 @@
 <?php
 /**
- * @copyright Copyright (C) 2020, Friendica
+ * @copyright Copyright (C) 2010-2021, the Friendica project
  *
  * @license GNU AGPL version 3 or any later version
  *
@@ -143,6 +143,7 @@ class HTML
         */
        public static function toBBCode($message, $basepath = '')
        {
+               DI::profiler()->startRecording('rendering');
                $message = str_replace("\r", "", $message);
 
                $message = Strings::performWithEscapedBlocks($message, '#<pre><code.*</code></pre>#iUs', function ($message) {
@@ -167,6 +168,10 @@ class HTML
 
                        $message = mb_convert_encoding($message, 'HTML-ENTITIES', "UTF-8");
 
+                       if (empty($message)) {
+                               return '';
+                       }
+
                        @$doc->loadHTML($message, LIBXML_HTML_NODEFDTD);
 
                        XML::deleteNode($doc, 'style');
@@ -392,6 +397,7 @@ class HTML
                        $message = self::qualifyURLs($message, $basepath);
                }
 
+               DI::profiler()->stopRecording();
                return $message;
        }
 
@@ -581,6 +587,7 @@ class HTML
         */
        public static function toPlaintext(string $html, $wraplength = 75, $compact = false)
        {
+               DI::profiler()->startRecording('rendering');
                $message = str_replace("\r", "", $html);
 
                $doc = new DOMDocument();
@@ -588,6 +595,11 @@ class HTML
 
                $message = mb_convert_encoding($message, 'HTML-ENTITIES', "UTF-8");
 
+               if (empty($message)) {
+                       DI::profiler()->stopRecording();
+                       return '';
+               }
+
                @$doc->loadHTML($message, LIBXML_HTML_NODEFDTD);
 
                $message = $doc->saveHTML();
@@ -597,6 +609,11 @@ class HTML
                // Collecting all links
                $urls = self::collectURLs($message);
 
+               if (empty($message)) {
+                       DI::profiler()->stopRecording();
+                       return '';
+               }
+
                @$doc->loadHTML($message, LIBXML_HTML_NODEFDTD);
 
                self::tagToBBCode($doc, 'html', [], '', '');
@@ -677,6 +694,7 @@ class HTML
 
                $message = self::quoteLevel(trim($message), $wraplength);
 
+               DI::profiler()->stopRecording();
                return trim($message);
        }
 
@@ -689,9 +707,11 @@ class HTML
         */
        public static function toMarkdown($html)
        {
+               DI::profiler()->startRecording('rendering');
                $converter = new HtmlConverter(['hard_break' => true]);
                $markdown = $converter->convert($html);
 
+               DI::profiler()->stopRecording();
                return $markdown;
        }
 
@@ -789,22 +809,6 @@ class HTML
                ]);
        }
 
-       /**
-        * Get html for contact block.
-        *
-        * @deprecated since version 2019.03
-        * @see ContactBlock::getHTML()
-        * @return string
-        * @throws \Friendica\Network\HTTPException\InternalServerErrorException
-        * @throws \ImagickException
-        */
-       public static function contactBlock()
-       {
-               $a = DI::app();
-
-               return ContactBlock::getHTML($a->profile);
-       }
-
        /**
         * Format contacts as picture links or as text links
         *
@@ -837,7 +841,7 @@ class HTML
                $redir = false;
 
                if ($redirect) {
-                       $url = Contact::magicLink($contact['url']);
+                       $url = Contact::magicLinkByContact($contact);
                        if (strpos($url, 'redir/') === 0) {
                                $sparkle = ' sparkle';
                        }
@@ -953,4 +957,69 @@ class HTML
        {
                return str_replace('&amp;', '&', $s);
        }
+
+       /**
+        * Clean an HTML text for potentially harmful code
+        *
+        * @param string $text
+        * @param array  $allowedIframeDomains List of allowed iframe source domains without the scheme
+        * @return string
+        */
+       public static function purify(string $text, array $allowedIframeDomains = []): string
+       {
+               // Allows cid: URL scheme
+               \HTMLPurifier_URISchemeRegistry::instance()->register('cid', new HTMLPurifier_URIScheme_cid());
+
+               $config = \HTMLPurifier_HTML5Config::createDefault();
+               $config->set('HTML.Doctype', 'HTML5');
+
+               // Used to remove iframe with src attribute filtered out
+               $config->set('AutoFormat.RemoveEmpty', true);
+
+               $config->set('HTML.SafeIframe', true);
+
+               array_walk($allowedIframeDomains, function (&$domain) {
+                       // Allow the domain and all its eventual sub-domains
+                       $domain = '(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)*' . preg_quote(trim($domain, '/'), '%');
+               });
+
+               $config->set('URI.SafeIframeRegexp',
+                       '%^https://(?:
+                               ' . implode('|', $allowedIframeDomains) . '
+                       )
+                       (?:/|$) # Prevents bogus domains like youtube.com.fake.tld
+                       %xi'
+               );
+
+               $config->set('Attr.AllowedRel', [
+                       'noreferrer' => true,
+                       'noopener' => true,
+               ]);
+               $config->set('Attr.AllowedFrameTargets', [
+                       '_blank' => true,
+               ]);
+
+               $config->set('AutoFormat.RemoveEmpty.Predicate', [
+                       'colgroup' => [],        // |
+                       'th'       => [],        // |
+                       'td'       => [],        // |
+                       'iframe'   => ['src'],   // ↳ Default HTMLPurify values
+                       'i'        => ['class'], // Allows forkawesome icons
+               ]);
+
+               // Uncomment to debug HTMLPurifier behavior
+               //$config->set('Core.CollectErrors', true);
+               //$config->set('Core.MaintainLineNumbers', true);
+
+               $HTMLPurifier = new \HTMLPurifier($config);
+
+               $text = $HTMLPurifier->purify($text);
+
+               /** @var \HTMLPurifier_ErrorCollector $errorCollector */
+               // Uncomment to debug HTML Purifier behavior
+               //$errorCollector = $HTMLPurifier->context->get('ErrorCollector');
+               //var_dump($errorCollector->getRaw());
+
+               return $text;
+       }
 }