/**
 * Strips every attribute out of a tag, leaving only the tag name.
 *
 * Each attribute the finder reports is replaced by an empty string, so a
 * tag such as '<a onclick="alert('XSS');">' loses its whole attribute list.
 * The rewritten attribute string is then swapped back into the full tag with
 * a case-insensitive replace.
 *
 * NOTE(review): this method reads $this->attributeFinder while the sibling
 * cleaning methods use $this->attrFinder — confirm which property the
 * enclosing class actually declares.
 *
 * @param string $fullTag    the complete tag (e.g. '<a onclick="alert('XSS');">')
 * @param string $attributes the tag's inner text (e.g. 'a onclick="alert('XSS');"')
 * @return string the tag with its attributes removed
 */
protected function removeAttribute($fullTag, $attributes)
{
    // Every attribute found is dropped; the callback never needs $this.
    $dropEverything = static function () {
        return '';
    };
    $stripped = $this->attributeFinder->findAttributes($attributes, $dropEverything);

    // str_ireplace: the attribute text may differ in case from how it appears
    // inside $fullTag, so a case-sensitive replace could miss it.
    return str_ireplace($attributes, $stripped, $fullTag);
}
/**
 * Runs every attribute of a tag through cleanAttribute() and writes the
 * cleaned attribute list back into the tag.
 *
 * Typical input is a tag carrying a dangerous value such as
 * '<a href="javascript:alert('XSS');">'; each attribute/value pair is handed
 * to cleanAttribute(), whose result replaces the original pair.
 *
 * @param string $fullTag    the complete tag (e.g. '<a href="javascript:alert('XSS');">')
 * @param string $attributes the tag's inner text (e.g. 'a href="javascript:alert('XSS');"')
 * @return string the tag with each attribute cleaned
 */
protected function cleanAttributes($fullTag, $attributes)
{
    // Delegates the per-attribute decision to cleanAttribute(), which is
    // defined elsewhere in this class; $this is needed, so no static closure.
    $cleanOne = function ($wholeAttribute, $attributeValue) {
        return $this->cleanAttribute($wholeAttribute, $attributeValue);
    };
    $cleaned = $this->attrFinder->findAttributes($attributes, $cleanOne);

    // Case-insensitive so the replacement still lands when the tag's casing
    // differs from the attribute string handed in.
    return str_ireplace($attributes, $cleaned, $fullTag);
}
/**
 * Drops a tag entirely when one of its attributes resolves to a "refresh"
 * directive, e.g. '<meta http-equiv="refresh">'.
 *
 * Each attribute value is first passed through the attribute-content cleaner
 * (presumably to normalise encoding tricks — confirm against that class) and
 * then matched case-insensitively against "refresh". Note that the match is
 * applied to every attribute's cleaned value, not only to http-equiv, so the
 * check is deliberately broader than the method name suggests; a match
 * anywhere removes the whole tag rather than just the offending attribute.
 * The attributes themselves are returned unchanged by the callback — this
 * method only decides keep-or-drop for the tag as a whole.
 *
 * @param string $fullTag    the complete tag (e.g. '<meta http-equiv="refresh">')
 * @param string $attributes the tag's inner text (e.g. 'meta http-equiv="refresh"')
 * @return string the original tag, or '' when a refresh directive was found
 */
protected function cleanTag($fullTag, $attributes)
{
    $seenRefresh = false;

    // Captured by reference so the flag survives the callback; $this is used
    // inside, so the closure cannot be static.
    $inspect = function ($wholeAttribute, $rawValue) use (&$seenRefresh) {
        $filtered = $this->attributeContentCleaner->filter($rawValue);
        // preg_match is evaluated for every attribute (no short-circuit) so the
        // trace matches the original; only an actual match (1) flips the flag.
        $seenRefresh = (preg_match('/refresh/i', $filtered) === 1) || $seenRefresh;
        return $wholeAttribute;
    };
    $this->attrFinder->findAttributes($attributes, $inspect);

    return $seenRefresh ? '' : $fullTag;
}