 /**
  * Strips every attribute from a single tag.
  *
  * The attribute finder walks $attributes and, because the callback hands
  * back an empty string for each hit, the returned string is presumably the
  * attribute list with its attributes blanked out (the finder's exact
  * contract is defined elsewhere). That result then replaces the original
  * attribute string inside $fullTag.
  *
  * @param string $fullTag    the complete tag (e.g. '<a onclick="alert('XSS');">')
  * @param string $attributes tag name plus attributes (e.g. 'a onclick="alert('XSS');"')
  * @return string the tag with the located attributes removed
  */
 protected function removeAttribute($fullTag, $attributes)
 {
     // Whatever attribute the finder reports, it is replaced by nothing.
     $dropAttribute = function () {
         return '';
     };
     $stripped = $this->attributeFinder->findAttributes($attributes, $dropAttribute);

     // Case-insensitive swap; str_ireplace replaces every occurrence of
     // $attributes within $fullTag, not just the first.
     return str_ireplace($attributes, $stripped, $fullTag);
 }
 /**
  * Runs every attribute of a tag through cleanAttribute() and writes the
  * cleaned attribute string back into the tag.
  *
  * The finder locates each attribute in $attributes and substitutes the
  * callback's return value (the cleaned attribute) for it; the resulting
  * attribute string then replaces the original one inside $fullTag,
  * case-insensitively.
  *
  * @param string $fullTag    the complete tag (e.g. '<a href="javascript:alert('XSS');">')
  * @param string $attributes tag name plus attributes (e.g. 'a href="javascript:alert('XSS');"')
  * @return string the tag with its attributes cleaned
  */
 protected function cleanAttributes($fullTag, $attributes)
 {
     // Delegate each located attribute to the per-attribute cleaner.
     $cleanOne = function ($fullAttribute, $attributeContents) {
         return $this->cleanAttribute($fullAttribute, $attributeContents);
     };
     $cleanedAttributes = $this->attrFinder->findAttributes($attributes, $cleanOne);

     // str_ireplace replaces all case-insensitive occurrences of $attributes.
     return str_ireplace($attributes, $cleanedAttributes, $fullTag);
 }
 /**
  * Drops a tag entirely when one of its attribute values looks like a
  * 'refresh' directive (the meta http-equiv="refresh" case).
  *
  * The attribute walk is used purely for detection: every attribute is
  * returned unchanged and the finder's result is discarded. Note that the
  * match is performed on the filtered attribute contents only — the
  * attribute name is never inspected, so any attribute on the tag whose
  * cleaned value contains "refresh" (case-insensitive) causes removal,
  * not only http-equiv.
  *
  * @param string $fullTag    the complete tag (e.g. '<meta http-equiv="refresh">')
  * @param string $attributes tag name plus attributes (e.g. 'meta http-equiv="refresh"')
  * @return string the original tag, or '' when a refresh value was detected
  */
 protected function cleanTag($fullTag, $attributes)
 {
     $sawRefresh = false;

     // Captured by reference so the closure can flag the detection.
     $detectRefresh = function ($full, $contents) use (&$sawRefresh) {
         // Filter first so obfuscated encodings of the value are normalised
         // before the pattern check (filter semantics live in the cleaner).
         $filtered = $this->attributeContentCleaner->filter($contents);
         if (preg_match('/refresh/i', $filtered)) {
             $sawRefresh = true;
         }
         // Attributes are passed through untouched; detection only.
         return $full;
     };
     $this->attrFinder->findAttributes($attributes, $detectRefresh);

     return $sawRefresh ? '' : $fullTag;
 }