Initial commit

public/kirby/src/Sane/Xml.php

@@ -0,0 +1,72 @@
+<?php
+
+namespace Kirby\Sane;
+
+use DOMDocumentType;
+use DOMElement;
+use Kirby\Exception\InvalidArgumentException;
+use Kirby\Toolkit\Str;
+
+/**
+ * Sane handler for XML files
+ * @since 3.5.4
+ *
+ * @package   Kirby Sane
+ * @author    Bastian Allgeier <bastian@getkirby.com>,
+ *            Lukas Bestle <lukas@getkirby.com>
+ * @link      https://getkirby.com
+ * @copyright Bastian Allgeier
+ * @license   https://opensource.org/licenses/MIT
+ */
+class Xml extends DomHandler
+{
+	/**
+	 * Custom callback for additional element sanitization
+	 * @internal
+	 *
+	 * @return array Array with exception objects for each modification
+	 */
+	public static function sanitizeElement(DOMElement $element, array $options): array
+	{
+		$errors = [];
+
+		// if we are validating an XML file, block all SVG and HTML namespaces
+		if (static::class === self::class) {
+			$xml        = simplexml_import_dom($element);
+			$namespaces = $xml->getDocNamespaces(false, false);
+
+			foreach ($namespaces as $namespace => $value) {
+				if (
+					Str::contains($value, 'html', true) === true ||
+					Str::contains($value, 'svg', true) === true
+				) {
+					$element->removeAttributeNS($value, $namespace);
+					$errors[] = new InvalidArgumentException(
+						'The namespace "' . $value . '" is not allowed' .
+						' (around line ' . $element->getLineNo() . ')'
+					);
+				}
+			}
+		}
+
+		return $errors;
+	}
+
+	/**
+	 * Custom callback for additional doctype validation
+	 * @internal
+	 */
+	public static function validateDoctype(DOMDocumentType $doctype, array $options): void
+	{
+		// if we are validating an XML file, block all SVG and HTML doctypes
+		if (
+			static::class === self::class &&
+			(
+				Str::contains($doctype->name, 'html', true) === true ||
+				Str::contains($doctype->name, 'svg', true) === true
+			)
+		) {
+			throw new InvalidArgumentException('The doctype is not allowed in XML files');
+		}
+	}
+}