Merge pull request from GHSA-xrqq-wqh4-5hg2

Fix/advisory 2

Author: darylldoyle

composer.json

@@ -25,7 +25,8 @@
     "require": {
         "ext-dom": "*",
         "ext-libxml": "*",
-        "php": "^7.0 || ^8.0"
+        "php": "^7.0 || ^8.0",
+        "ezyang/htmlpurifier": "^4.16"
     },
     "require-dev": {
         "phpunit/phpunit": "^6.5 || ^8.5"

src/Sanitizer.php

@@ -7,6 +7,8 @@
 use enshrined\svgSanitize\data\TagInterface;
 use enshrined\svgSanitize\data\XPath;
 use enshrined\svgSanitize\ElementReference\Resolver;
+use HTMLPurifier;
+use HTMLPurifier_Config;
 
 /**
  * Class Sanitizer
@@ -646,7 +648,9 @@ public function setUseNestingLimit($limit)
     protected function cleanUnsafeNodes(\DOMNode $currentElement) {
         // Replace CDATA node with encoded text node
         if ($currentElement instanceof \DOMCdataSection) {
-            $textNode = $currentElement->ownerDocument->createTextNode($currentElement->nodeValue);
+            $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
+            $clean_html = $purifier->purify($currentElement->nodeValue);
+            $textNode = $currentElement->ownerDocument->createTextNode($clean_html);
             $currentElement->parentNode->replaceChild($textNode, $currentElement);
         // If the element doesn't have a tagname, remove it and continue with next iteration
         } elseif (!$currentElement instanceof \DOMElement && !$currentElement instanceof \DOMText) {

src/data/AllowedTags.php

@@ -19,75 +19,9 @@ public static function getTags()
         return array (
             // HTML
             'a',
-            'abbr',
-            'acronym',
-            'address',
-            'area',
-            'article',
-            'aside',
-            'audio',
-            'bdi',
-            'bdo',
-            'blink',
-            'button',
-            'canvas',
-            'caption',
-            'cite',
-            'col',
-            'colgroup',
-            'content',
-            'data',
-            'datalist',
-            'decorator',
-            'del',
-            'details',
-            'dfn',
-            'dir',
-            'div',
-            'element',
-            'fieldset',
-            'figcaption',
-            'figure',
             'font',
-            'footer',
-            'form',
-            'header',
-            'hgroup',
-            'html',
             'image',
-            'input',
-            'ins',
-            'kbd',
-            'label',
-            'legend',
-            'li',
-            'main',
-            'map',
-            'mark',
-            'marquee',
-            'meter',
-            'nav',
-            'optgroup',
-            'option',
-            'output',
-            'progress',
-            'q',
-            'rp',
-            'rt',
-            'samp',
-            'section',
-            'select',
-            'shadow',
-            'source',
-            'spacer',
             'style',
-            'summary',
-            'template',
-            'textarea',
-            'time',
-            'track',
-            'video',
-            'wbr',
 
             // SVG
             'svg',
@@ -158,37 +92,6 @@ public static function getTags()
             'feTile',
             'feTurbulence',
 
-            //MathML
-            'math',
-            'menclose',
-            'merror',
-            'mfenced',
-            'mfrac',
-            'mglyph',
-            'mi',
-            'mlabeledtr',
-            'mmuliscripts',
-            'mn',
-            'mo',
-            'mover',
-            'mpadded',
-            'mphantom',
-            'mroot',
-            'mrow',
-            'ms',
-            'mpspace',
-            'msqrt',
-            'mystyle',
-            'msub',
-            'msup',
-            'msubsup',
-            'mtable',
-            'mtd',
-            'mtext',
-            'mtr',
-            'munder',
-            'munderover',
-
             //text
             '#text'
         );

tests/SanitizerTest.php

@@ -323,4 +323,36 @@ public function cdataSectionIsSanitized()
 
 		self::assertXmlStringEqualsXmlString($expected, $cleanData);
 	}
+
+    /**
+     * @test
+     */
+    public function cdataBackgroundSectionIsSanitized()
+    {
+        $dataDirectory = __DIR__ . '/data';
+        $initialData = file_get_contents($dataDirectory . '/cdataTwoTest.svg');
+        $expected = file_get_contents($dataDirectory . '/cdataTwoClean.svg');
+
+        $sanitizer = new Sanitizer();
+        $sanitizer->minify(false);
+        $cleanData = $sanitizer->sanitize($initialData);
+
+        self::assertXmlStringEqualsXmlString($expected, $cleanData);
+    }
+
+    /**
+     * @test
+     */
+    public function formDataisSanitized()
+    {
+        $dataDirectory = __DIR__ . '/data';
+        $initialData = file_get_contents($dataDirectory . '/formDataTest.svg');
+        $expected = file_get_contents($dataDirectory . '/formDataClean.svg');
+
+        $sanitizer = new Sanitizer();
+        $sanitizer->minify(false);
+        $cleanData = $sanitizer->sanitize($initialData);
+
+        self::assertXmlStringEqualsXmlString($expected, $cleanData);
+    }
 }