Added ability for flexible configuration. Added media host clean

Author: MasterRO94

composer.json

@@ -14,7 +14,7 @@
 		}
 	],
 	"require": {
-		"php": ">=7.0.9",
+		"php": ">=7.4",
 		"laravel/framework": "^6.20.26|^7.0|^8.0|^9.0"
 	},
 	"require-dev": {

src/Cleaner.php

@@ -5,101 +5,100 @@
 namespace MasterRO\LaravelXSSFilter;
 
 use Illuminate\Support\Arr;
+use Illuminate\Support\Str;
 
-/**
- * Class Cleaner
- *
- * @package MasterRO\LaravelXSSFilter
- */
 class Cleaner
 {
-    /**
-     * @var string
-     */
-    protected $scriptsAndIframesPattern = '/(<script.*script>|<frame.*frame>|<iframe.*iframe>|<object.*object>|<embed.*embed>)/isU';
-
-    /**
-     * @var string
-     */
-    protected $inlineListenersPattern = '/(\bon[A-z]+=(\"|\').*(\"|\')(?=.*>)|(javascript:.*(?=.(\'|")??>)(\)|;)??))/isU';
-
-    /**
-     * @var string
-     */
-    protected $invalidHtmlInlineListenersPattern = '/\bon[A-z]+=(\"|\')?.*(\"|\')?(?=.*>)/isU';
-
-    /**
-     * Clean
-     *
-     * @param string $value
-     *
-     * @return string
-     */
+    protected CleanerConfig $config;
+
+    public function __construct(CleanerConfig $config)
+    {
+        $this->config = $config;
+    }
+
+    public function withConfig(CleanerConfig $config): Cleaner
+    {
+        $this->config = $config;
+
+        return $this;
+    }
+
+    public function config(): CleanerConfig
+    {
+        return $this->config;
+    }
+
     public function clean(string $value): string
     {
-        $value = $this->escapeScriptsAndIframes($value);
-        $value = config('xss-filter.escape_inline_listeners', false)
+        $value = $this->escapeElements($value);
+        $value = $this->cleanMediaElements($value);
+
+        return $this->config->shouldEscapeInlineListeners()
             ? $this->escapeInlineEventListeners($value)
             : $this->removeInlineEventListeners($value);
+    }
+
+    public function escapeElements(string $value): string
+    {
+        preg_match_all($this->config->elementsPattern(), $value, $matches);
+
+        foreach (Arr::get($matches, '0', []) as $htmlElement) {
+            $value = str_replace($htmlElement, e($htmlElement), $value);
+        }
 
         return $value;
     }
 
-    /**
-     * Escape Scripts And Iframes
-     *
-     * @param string $value
-     *
-     * @return string
-     */
-    protected function escapeScriptsAndIframes(string $value): string
+    public function cleanMediaElements(string $value): string
     {
-        preg_match_all($this->scriptsAndIframesPattern, $value, $matches);
+        if (! $this->config->allowedMediaHosts()) {
+            return $value;
+        }
 
-        foreach (Arr::get($matches, '0', []) as $script) {
-            $value = str_replace($script, e($script), $value);
+        $allowedUrls = collect($this->config->allowedMediaHosts())
+            ->map(
+                fn(string $host) => ! Str::startsWith($host, ['http', 'https'])
+                    ? ["http://{$host}", "https://{$host}"]
+                    : [$host]
+            )
+            ->flatten()
+            ->all();
+
+        preg_match_all($this->config->mediaElementsPattern(), $value, $matches);
+
+        foreach (Arr::get($matches, '0', []) as $htmlElement) {
+            preg_match_all('/src="(.*)"/isU', $htmlElement, $sources);
+
+            $urls = Arr::get($sources, '1', []);
+
+            foreach ($urls as $url) {
+                if (! Str::startsWith($url, $allowedUrls)) {
+                    $value = str_replace($url, '#!', $value);
+                }
+            }
         }
 
         return $value;
     }
 
-    /**
-     * Remove Inline Event Listeners
-     *
-     * @param string $value
-     *
-     * @return string
-     */
-    protected function removeInlineEventListeners(string $value): string
+    public function removeInlineEventListeners(string $value): string
     {
-        $string = preg_replace($this->inlineListenersPattern, '', $value);
-        $string = preg_replace($this->invalidHtmlInlineListenersPattern, '', $string);
+        foreach ($this->config->inlineListenersPatterns() as $pattern) {
+            $value = preg_replace($pattern, '', $value);
+        }
 
-        return ! is_string($string) ? '' : $string;
+        return ! is_string($value) ? '' : $value;
     }
 
-    /**
-     * Escape Inline Event Listeners
-     *
-     * @param string $value
-     *
-     * @return string
-     */
-    protected function escapeInlineEventListeners(string $value): string
+    public function escapeInlineEventListeners(string $value): string
     {
-        $string = preg_replace_callback($this->inlineListenersPattern, [$this, 'escapeEqualSign'], $value);
-        $string = preg_replace_callback($this->invalidHtmlInlineListenersPattern, [$this, 'escapeEqualSign'], $string);
+        foreach ($this->config->inlineListenersPatterns() as $pattern) {
+            $value = preg_replace_callback($pattern, [$this, 'escapeEqualSign'], $value);
+        }
 
-        return ! is_string($string) ? '' : $string;
+        return ! is_string($value) ? '' : $value;
     }
 
-    /**
-     * Escape Equal Sign
-     *
-     * @param array $matches
-     *
-     * @return string
-     */
     protected function escapeEqualSign(array $matches): string
     {
         return str_replace('=', '&#x3d;', $matches[0]);

src/CleanerConfig.php

@@ -0,0 +1,188 @@
+<?php
+
+declare(strict_types=1);
+
+namespace MasterRO\LaravelXSSFilter;
+
+use Illuminate\Support\Str;
+
+class CleanerConfig
+{
+    protected ?array $allowedElements = null;
+
+    protected array $blockedElements = ['script', 'frame', 'iframe', 'object', 'embed'];
+
+    protected array $mediaElements = ['img', 'audio', 'video', 'iframe'];
+
+    // If this value set to `true` inline listeners will be escaped, otherwise they will be removed.
+    protected bool $escapeInlineListeners = false;
+
+    /**
+     * Image/Audio/Video/Iframe hosts that should be retained (by default, all hosts are allowed).
+     *
+     * @var list<string>|null
+     */
+    protected ?array $allowedMediaHosts = null;
+
+    protected string $inlineListenersPattern = '/(\bon[A-z]+=(\"|\').*(\"|\')(?=.*>)|(javascript:.*(?=.(\'|")??>)(\)|;)??))/isU';
+
+    protected string $invalidHtmlInlineListenersPattern = '/\bon[A-z]+=(\"|\')?.*(\"|\')?(?=.*>)/isU';
+
+    public static function make(): CleanerConfig
+    {
+        return new static();
+    }
+
+    public static function fromArray(array $config): CleanerConfig
+    {
+        $config = static::make();
+
+        foreach ($config as $key => $value) {
+            $setter = Str::camel($key);
+
+            if (method_exists($config, $setter)) {
+                $config->{$setter}($value);
+            }
+        }
+
+        return $config;
+    }
+
+    /**
+     * Configures the given element as allowed.
+     *
+     * Allowed elements are elements the cleaner should retain from the input.
+     */
+    public function allowElement(string $element): CleanerConfig
+    {
+        $this->allowedElements[] = $element;
+
+        return $this;
+    }
+
+    /**
+     * Configures the given element as media.
+     *
+     * Allowed elements are elements the cleaner should retain from the input.
+     */
+    public function addMediaElement(string $element): CleanerConfig
+    {
+        $this->mediaElements[] = $element;
+
+        return $this;
+    }
+
+    /**
+     * Configures the given element as not media.
+     *
+     * Allowed elements are elements the cleaner should retain from the input.
+     */
+    public function removeMediaElement(string $element): CleanerConfig
+    {
+        $this->mediaElements = array_filter(
+            $this->mediaElements,
+            fn(string $el) => $el !== $element,
+        );
+
+        return $this;
+    }
+
+    /**
+     * Configures the given element as blocked.
+     *
+     * Blocked elements are elements the cleaner should escape from the input.
+     */
+    public function blockElement(string $element): CleanerConfig
+    {
+        $this->blockedElements[] = $element;
+
+        return $this;
+    }
+
+    /**
+     * Allows only a given list of hosts to be used in media source attributes (img, audio, video, iframe...).
+     *
+     * All other hosts will be dropped. By default, all hosts are allowed
+     * ($allowMediaHosts = null).
+     *
+     * @param list<string>|null $allowMediaHosts
+     */
+    public function allowMediaHosts(?array $allowMediaHosts): CleanerConfig
+    {
+        $this->allowedMediaHosts = $allowMediaHosts;
+
+        return $this;
+    }
+
+    public function elementsPattern(): string
+    {
+        $pattern = collect($this->blockedElements)
+            ->reject(fn(string $element) => $this->allowedElements && in_array($element, $this->allowedElements))
+            ->map(fn(string $element) => "<{$element}.*{$element}>")
+            ->implode('|');
+
+        return "/({$pattern})/isU";
+    }
+
+    public function mediaElementsPattern(): string
+    {
+        $pattern = collect($this->mediaElements)
+            ->map(fn(string $element) => "<{$element}.*{$element}>")
+            ->implode('|');
+
+        return "/({$pattern})/isU";
+    }
+
+    /**
+     * @return list<string>|array|string[]
+     */
+    public function inlineListenersPatterns(): array
+    {
+        return [$this->inlineListenersPattern, $this->invalidHtmlInlineListenersPattern];
+    }
+
+    public function shouldEscapeInlineListeners(): bool
+    {
+        return $this->escapeInlineListeners;
+    }
+
+    public function allowedMediaHosts(): ?array
+    {
+        return $this->allowedMediaHosts;
+    }
+
+    public function setAllowedElements(?array $allowedElements): CleanerConfig
+    {
+        $this->allowedElements = $allowedElements;
+
+        return $this;
+    }
+
+    public function setBlockedElements(array $blockedElements): CleanerConfig
+    {
+        $this->blockedElements = $blockedElements;
+
+        return $this;
+    }
+
+    public function setMediaElements(array $mediaElements): CleanerConfig
+    {
+        $this->mediaElements = $mediaElements;
+
+        return $this;
+    }
+
+    public function setEscapeInlineListeners(bool $escapeInlineListeners): CleanerConfig
+    {
+        $this->escapeInlineListeners = $escapeInlineListeners;
+
+        return $this;
+    }
+
+    public function setAllowedMediaHosts(?array $allowedMediaHosts): CleanerConfig
+    {
+        $this->allowedMediaHosts = $allowedMediaHosts;
+
+        return $this;
+    }
+}

src/XSSFilterServiceProvider.php

@@ -18,7 +18,6 @@ public function boot()
         $this->publishes([
             __DIR__ . '/xss-filter.php' => config_path('xss-filter.php'),
         ], 'config');
-
     }
 
     /**
@@ -29,6 +28,9 @@ public function boot()
     public function register()
     {
         $this->mergeConfigFrom(__DIR__ . '/xss-filter.php', 'xss-filter');
-    }
 
+        $this->app->singleton(Cleaner::class, static function () {
+            return new Cleaner(CleanerConfig::fromArray(config('xss-filter')));
+        });
+    }
 }