Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/includes/parser/RemexStripTagHandler.php

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

131 lines
3.3 KiB
PHP
Raw Normal View History

Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
<?php
Add Sanitizer::removeSomeTags() which uses Remex to tokenize The existing Sanitizer::removeHTMLtags() method, in addition to having dodgy capitalization, uses regular expressions to parse the HTML. That produces corner cases like T298401 and T67747 and is not guaranteed to yield balanced or well-formed HTML. Instead, introduce and use a new Sanitizer::removeSomeTags() method which is guaranteed to always return balanced and well-formed HTML. Note that Sanitizer::removeHTMLtags()/::removeSomeTags() take a callback argument which (as far as I can tell) is never used outside core. Mark that argument as @internal, and clean up the version used by ::removeSomeTags(). Use the new ::removeSomeTags() method in the two places where DISPLAYTITLE is handled (following up on T67747). The use by the legacy parser is more difficult to replace (and would have a performace cost), so leave the old ::removeHTMLtags() method in place for that call site for now: when the legacy parser is replaced by Parsoid the need for the old ::removeHTMLtags() will go away. In a follow-up patch we'll rename ::removeHTMLtags() and mark it @internal so that we can deprecate ::removeHTMLtags() for external use. Some benchmarking code added. On my machine, with PHP 7.4, the new method tidies short 30-character title strings at a rate of about 6764/s while the tidy-based method being replaced here managed 6384/s. Sanitizer::removeHTMLtags blazes through short strings 20x faster (120,915/s); some of this difference is due to the set up cost of creating the tag whitelist and the Remex pipeline, so further optimizations could doubtless be done if Sanitizer::removeSomeTags() is more widely used. Bug: T299722 Bug: T67747 Change-Id: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f
2022-01-21 22:03:26 +00:00
namespace MediaWiki\Parser;
Bump wikimedia/remex-html to 2.3.2 and drop 2.3.1 This is a bug fix release of RemexHtml, required by the latest version of Parsoid. RemexHtml migrated to a new namespace in 2.3.2. Since we don't support aliases in our phan configuration in core, update all uses to the new namespace to satisfy phan. Depends-On: I30f01f4a2a5479bb82c9b952ffa68a478215828a Depends-On: Iedf446635ee2112cfe637d8ebcf8092f0976bd17 Change-Id: I74fc929e4a66b28bfb1800ff0cd751c86e4a9f50
2021-08-08 20:50:34 +00:00
use Wikimedia\RemexHtml\Tokenizer\Attributes;
use Wikimedia\RemexHtml\Tokenizer\NullTokenHandler;
Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
/**
Add Sanitizer::removeSomeTags() which uses Remex to tokenize The existing Sanitizer::removeHTMLtags() method, in addition to having dodgy capitalization, uses regular expressions to parse the HTML. That produces corner cases like T298401 and T67747 and is not guaranteed to yield balanced or well-formed HTML. Instead, introduce and use a new Sanitizer::removeSomeTags() method which is guaranteed to always return balanced and well-formed HTML. Note that Sanitizer::removeHTMLtags()/::removeSomeTags() take a callback argument which (as far as I can tell) is never used outside core. Mark that argument as @internal, and clean up the version used by ::removeSomeTags(). Use the new ::removeSomeTags() method in the two places where DISPLAYTITLE is handled (following up on T67747). The use by the legacy parser is more difficult to replace (and would have a performace cost), so leave the old ::removeHTMLtags() method in place for that call site for now: when the legacy parser is replaced by Parsoid the need for the old ::removeHTMLtags() will go away. In a follow-up patch we'll rename ::removeHTMLtags() and mark it @internal so that we can deprecate ::removeHTMLtags() for external use. Some benchmarking code added. On my machine, with PHP 7.4, the new method tidies short 30-character title strings at a rate of about 6764/s while the tidy-based method being replaced here managed 6384/s. Sanitizer::removeHTMLtags blazes through short strings 20x faster (120,915/s); some of this difference is due to the set up cost of creating the tag whitelist and the Remex pipeline, so further optimizations could doubtless be done if Sanitizer::removeSomeTags() is more widely used. Bug: T299722 Bug: T67747 Change-Id: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f
2022-01-21 22:03:26 +00:00
* Helper class for Sanitizer::stripAllTags().
Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
* @internal
*/
Simplify RemexStripTagHandler by extending NullTokenHandler Reduce code size and improve forwards compatibility. Change-Id: I844d06923cbe965581e911afe8c9d91e8e61079c
2019-08-16 04:39:52 +00:00
class RemexStripTagHandler extends NullTokenHandler {
Make Sanitizer::stripAllTags() strip css and js tag contents We use Sanitizer::stripAllTags primarily to remove formatting from html so that we can use it in places like notifications, emails, search result blurbs etc etc. It is very unlikely we want the raw contents of css and/or js tags anywhere in those places, so lets surpress that content, to make it more readable as template styles are showing up in more and more places. Bug: T228856 Change-Id: I7930361068ddcf3a6c2fdebd0177d142f025b64f
2021-12-21 23:22:46 +00:00
private $insideNonVisibleTag = false;
Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
private $text = '';
Remove "Squiz.WhiteSpace.FunctionSpacing" from phpcs exclusions Change-Id: I78b3315f26ab91b6b443f5b028a635552f82f5a3
2019-05-11 01:17:43 +00:00
Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
public function getResult() {
return $this->text;
}
Simplify RemexStripTagHandler by extending NullTokenHandler Reduce code size and improve forwards compatibility. Change-Id: I844d06923cbe965581e911afe8c9d91e8e61079c
2019-08-16 04:39:52 +00:00
public function characters( $text, $start, $length, $sourceStart, $sourceLength ) {
Make Sanitizer::stripAllTags() strip css and js tag contents We use Sanitizer::stripAllTags primarily to remove formatting from html so that we can use it in places like notifications, emails, search result blurbs etc etc. It is very unlikely we want the raw contents of css and/or js tags anywhere in those places, so lets surpress that content, to make it more readable as template styles are showing up in more and more places. Bug: T228856 Change-Id: I7930361068ddcf3a6c2fdebd0177d142f025b64f
2021-12-21 23:22:46 +00:00
if ( !$this->insideNonVisibleTag ) {
$this->text .= substr( $text, $start, $length );
}
Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
}
Remove "Squiz.WhiteSpace.FunctionSpacing" from phpcs exclusions Change-Id: I78b3315f26ab91b6b443f5b028a635552f82f5a3
2019-05-11 01:17:43 +00:00
Simplify RemexStripTagHandler by extending NullTokenHandler Reduce code size and improve forwards compatibility. Change-Id: I844d06923cbe965581e911afe8c9d91e8e61079c
2019-08-16 04:39:52 +00:00
public function startTag( $name, Attributes $attrs, $selfClose, $sourceStart, $sourceLength ) {
Make Sanitizer::stripAllTags() strip css and js tag contents We use Sanitizer::stripAllTags primarily to remove formatting from html so that we can use it in places like notifications, emails, search result blurbs etc etc. It is very unlikely we want the raw contents of css and/or js tags anywhere in those places, so lets surpress that content, to make it more readable as template styles are showing up in more and more places. Bug: T228856 Change-Id: I7930361068ddcf3a6c2fdebd0177d142f025b64f
2021-12-21 23:22:46 +00:00
if ( $this->isNonVisibleTag( $name ) ) {
$this->insideNonVisibleTag = true;
}
Preserve whitespace in search index text content Certain html tags imply a word break, but our html stripping doesn't understand that at all. Adjust the html stripping to inject whitespace for all block level tags (per MDN) along with the <br> element. Bug: T195389 Change-Id: I9fbfac765ea88628e4f9b2794fb54e1cd0060203
2018-09-10 23:39:09 +00:00
// Inject whitespace for typical block-level tags to
// prevent merging unrelated<br>words.
if ( $this->isBlockLevelTag( $name ) ) {
$this->text .= ' ';
}
Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
}
Remove "Squiz.WhiteSpace.FunctionSpacing" from phpcs exclusions Change-Id: I78b3315f26ab91b6b443f5b028a635552f82f5a3
2019-05-11 01:17:43 +00:00
Simplify RemexStripTagHandler by extending NullTokenHandler Reduce code size and improve forwards compatibility. Change-Id: I844d06923cbe965581e911afe8c9d91e8e61079c
2019-08-16 04:39:52 +00:00
public function endTag( $name, $sourceStart, $sourceLength ) {
Make Sanitizer::stripAllTags() strip css and js tag contents We use Sanitizer::stripAllTags primarily to remove formatting from html so that we can use it in places like notifications, emails, search result blurbs etc etc. It is very unlikely we want the raw contents of css and/or js tags anywhere in those places, so lets surpress that content, to make it more readable as template styles are showing up in more and more places. Bug: T228856 Change-Id: I7930361068ddcf3a6c2fdebd0177d142f025b64f
2021-12-21 23:22:46 +00:00
if ( $this->isNonVisibleTag( $name ) ) {
$this->insideNonVisibleTag = false;
}
Preserve whitespace in search index text content Certain html tags imply a word break, but our html stripping doesn't understand that at all. Adjust the html stripping to inject whitespace for all block level tags (per MDN) along with the <br> element. Bug: T195389 Change-Id: I9fbfac765ea88628e4f9b2794fb54e1cd0060203
2018-09-10 23:39:09 +00:00
// Inject whitespace for typical block-level tags to
// prevent merging unrelated<br>words.
if ( $this->isBlockLevelTag( $name ) ) {
$this->text .= ' ';
}
Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
}
Remove "Squiz.WhiteSpace.FunctionSpacing" from phpcs exclusions Change-Id: I78b3315f26ab91b6b443f5b028a635552f82f5a3
2019-05-11 01:17:43 +00:00
Preserve whitespace in search index text content Certain html tags imply a word break, but our html stripping doesn't understand that at all. Adjust the html stripping to inject whitespace for all block level tags (per MDN) along with the <br> element. Bug: T195389 Change-Id: I9fbfac765ea88628e4f9b2794fb54e1cd0060203
2018-09-10 23:39:09 +00:00
// Per https://developer.mozilla.org/en-US/docs/Web/HTML/Block-level_elements
// retrieved on sept 12, 2018. <br> is not block level but was added anyways.
// The following is a complete list of all HTML block level elements
// (although "block-level" is not technically defined for elements that are
// new in HTML5).
// Structured as tag => true to allow O(1) membership test.
Convert some private static arrays to constants Remove @since for some private ones as we don't guarantee anything about private class members. Change-Id: Ifb898353c02082e9ef69d67f69339345c6cd154d
2019-10-16 01:24:50 +00:00
private const BLOCK_LEVEL_TAGS = [
Preserve whitespace in search index text content Certain html tags imply a word break, but our html stripping doesn't understand that at all. Adjust the html stripping to inject whitespace for all block level tags (per MDN) along with the <br> element. Bug: T195389 Change-Id: I9fbfac765ea88628e4f9b2794fb54e1cd0060203
2018-09-10 23:39:09 +00:00
'address' => true,
'article' => true,
'aside' => true,
'blockquote' => true,
'br' => true,
'canvas' => true,
'dd' => true,
'div' => true,
'dl' => true,
'dt' => true,
'fieldset' => true,
'figcaption' => true,
'figure' => true,
'footer' => true,
'form' => true,
'h1' => true,
'h2' => true,
'h3' => true,
'h4' => true,
'h5' => true,
'h6' => true,
'header' => true,
'hgroup' => true,
'hr' => true,
'li' => true,
'main' => true,
'nav' => true,
'noscript' => true,
'ol' => true,
'output' => true,
'p' => true,
'pre' => true,
'section' => true,
'table' => true,
Improve RemexStripTagHandler working with tables HTML, generated by some infoboxes and perhaps other places, gets stripped in a way that merges words together that should not be merged. Add tr, th, and td to the list of tags that should force word separation. Bug: T218001 Change-Id: Ib374339628b1f543ea4e07f24aa3e3b76f3117b5
2019-03-14 20:06:27 +00:00
'td' => true,
Preserve whitespace in search index text content Certain html tags imply a word break, but our html stripping doesn't understand that at all. Adjust the html stripping to inject whitespace for all block level tags (per MDN) along with the <br> element. Bug: T195389 Change-Id: I9fbfac765ea88628e4f9b2794fb54e1cd0060203
2018-09-10 23:39:09 +00:00
'tfoot' => true,
Improve RemexStripTagHandler working with tables HTML, generated by some infoboxes and perhaps other places, gets stripped in a way that merges words together that should not be merged. Add tr, th, and td to the list of tags that should force word separation. Bug: T218001 Change-Id: Ib374339628b1f543ea4e07f24aa3e3b76f3117b5
2019-03-14 20:06:27 +00:00
'th' => true,
'tr' => true,
Preserve whitespace in search index text content Certain html tags imply a word break, but our html stripping doesn't understand that at all. Adjust the html stripping to inject whitespace for all block level tags (per MDN) along with the <br> element. Bug: T195389 Change-Id: I9fbfac765ea88628e4f9b2794fb54e1cd0060203
2018-09-10 23:39:09 +00:00
'ul' => true,
'video' => true,
];
/**
* Detect block level tags. Of course css can make anything a block
* level tag, but this is still better than nothing.
*
* @param string $tagName HTML tag name
* @return bool True when tag is an html block level element
*/
private function isBlockLevelTag( $tagName ) {
$key = strtolower( trim( $tagName ) );
Convert some private static arrays to constants Remove @since for some private ones as we don't guarantee anything about private class members. Change-Id: Ifb898353c02082e9ef69d67f69339345c6cd154d
2019-10-16 01:24:50 +00:00
return isset( self::BLOCK_LEVEL_TAGS[$key] );
Preserve whitespace in search index text content Certain html tags imply a word break, but our html stripping doesn't understand that at all. Adjust the html stripping to inject whitespace for all block level tags (per MDN) along with the <br> element. Bug: T195389 Change-Id: I9fbfac765ea88628e4f9b2794fb54e1cd0060203
2018-09-10 23:39:09 +00:00
}
Make Sanitizer::stripAllTags() strip css and js tag contents We use Sanitizer::stripAllTags primarily to remove formatting from html so that we can use it in places like notifications, emails, search result blurbs etc etc. It is very unlikely we want the raw contents of css and/or js tags anywhere in those places, so lets surpress that content, to make it more readable as template styles are showing up in more and more places. Bug: T228856 Change-Id: I7930361068ddcf3a6c2fdebd0177d142f025b64f
2021-12-21 23:22:46 +00:00
private const NON_VISIBLE_TAGS = [
'style' => true,
'script' => true,
];
/**
* Detect block tags which by default are non-visible items.
* Of course css can make anything non-visible,
* but this is still better than nothing.
*
* We use this primarily to hide TemplateStyles
* from output in notifications/emails etc.
*
* @param string $tagName HTML tag name
* @return bool True when tag is a html element which should be filtered out
*/
private function isNonVisibleTag( $tagName ) {
$key = strtolower( trim( $tagName ) );
return isset( self::NON_VISIBLE_TAGS[$key] );
}
Use Remex in Sanitizer::stripAllTags() Using a real HTML tokenizer fixes bugs when < or > appear in attribute values. The old implementation used delimiterReplace(), which didn't handle this case: > print Sanitizer::stripAllTags( '<p data-foo="a&lt;b>c">Hello</p>' ); c">Hello We also can't use PHP's built-in strip_tags() because it doesn't handle <?php and <? correctly: > print strip_tags('1<span class="<?php">2</span>3'); 1 > print strip_tags('1<span class="<?">2</span>3'); 1 Bug: T179978 Change-Id: I53b98e6c877c00c03ff110914168b398559c9c3e
2017-11-14 22:22:31 +00:00
}
Reference in a new issue Copy permalink