X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FContent%2FText%2FHTML.php;h=51515137e56ddd00f3d576e93f4998b7652bf025;hb=2b5f1f8bca010bb6972e7080c02230b04c7b61d3;hp=975be8b1ffadadcb0d64d8785c01daf41e92da26;hpb=a6423031eba1236127160ced3028e36401f40536;p=friendica.git
diff --git a/src/Content/Text/HTML.php b/src/Content/Text/HTML.php
index 975be8b1ff..51515137e5 100644
--- a/src/Content/Text/HTML.php
+++ b/src/Content/Text/HTML.php
@@ -1,6 +1,6 @@ loadHTML($message, LIBXML_HTML_NODEFDTD); self::tagToBBCode($doc, 'html', [], '', '');
@@ -961,4 +965,69 @@ class HTML
 {
 return str_replace('&', '&', $s);
 }
+
+ /**
+ * Clean an HTML text for potentially harmful code
+ *
+ * @param string $text
+ * @param array $allowedIframeDomains List of allowed iframe source domains without the scheme
+ * @return string
+ */
+ public static function purify(string $text, array $allowedIframeDomains = []): string
+ {
+ // Allows cid: URL scheme
+ \HTMLPurifier_URISchemeRegistry::instance()->register('cid', new HTMLPurifier_URIScheme_cid());
+
+ $config = \HTMLPurifier_HTML5Config::createDefault();
+ $config->set('HTML.Doctype', 'HTML5');
+
+ // Used to remove iframe with src attribute filtered out
+ $config->set('AutoFormat.RemoveEmpty', true);
+
+ $config->set('HTML.SafeIframe', true);
+
+ array_walk($allowedIframeDomains, function (&$domain) {
+ // Allow the domain and all its eventual sub-domains
+ $domain = '(?:(?!-)[A-Za-z0-9-]{1,63}(?set('URI.SafeIframeRegexp',
+ '%^https://(?:
+ ' . implode('|', $allowedIframeDomains) . '
+ )
+ (?:/|$) # Prevents bogus domains like youtube.com.fake.tld
+ %xi'
+ );
+
+ $config->set('Attr.AllowedRel', [
+ 'noreferrer' => true,
+ 'noopener' => true,
+ ]);
+ $config->set('Attr.AllowedFrameTargets', [
+ '_blank' => true,
+ ]);
+
+ $config->set('AutoFormat.RemoveEmpty.Predicate', [
+ 'colgroup' => [], // |
+ 'th' => [], // |
+ 'td' => [], // |
+ 'iframe' => ['src'], // ↳ Default HTMLPurify values
+ 'i' => ['class'], // Allows forkawesome icons
+ ]);
+
+ // Uncomment to debug HTMLPurifier behavior
+ //$config->set('Core.CollectErrors', true);
+ //$config->set('Core.MaintainLineNumbers', true);
+
+ $HTMLPurifier = new \HTMLPurifier($config);
+
+ $text = $HTMLPurifier->purify($text);
+
+ /** @var \HTMLPurifier_ErrorCollector $errorCollector */
+ // Uncomment to debug HTML Purifier behavior
+ //$errorCollector = $HTMLPurifier->context->get('ErrorCollector');
+ //var_dump($errorCollector->getRaw());
+
+ return $text;
+ }
 }
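Review bot: The `URI.SafeIframeRegexp` value is assembled by splicing `$allowedIframeDomains` into a regex with `implode('|', ...)`, and the per-domain transformation inside the `array_walk` callback is cut off in this rendering, so I cannot confirm each value is passed through `preg_quote($domain, '%')` before being wrapped in the sub-domain pattern; without that, a `.` in a configured domain matches any character and the allowlist is wider than the "all its eventual sub-domains" comment promises. When the list is empty the alternation collapses to `(?:)`, which is awkward to reason about under `%xi`; it is safer to enable the filter only when there is something to allow, e.g. `$config->set('HTML.SafeIframe', $allowedIframeDomains !== []);`, and set the regexp inside the same guard. `new HTMLPurifier_URIScheme_cid()` is unqualified while `\HTMLPurifier_URISchemeRegistry` on the same line is fully qualified; if this file is namespaced (the header hunk is unreadable here) the former resolves relative to the namespace unless a `use` import exists, so either qualify it or import it explicitly. That `register()` call also mutates a process-wide singleton on every `purify()` call, which is fine if idempotent but deserves a one-line comment such as `// Registry is a process-wide singleton; re-registering 'cid' on each call is intentional`. The commented-out debug lines and the stray `@var \HTMLPurifier_ErrorCollector` docblock above them are dead code and should be dropped before merge.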