Esempio n. 1
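 /**
  * Replaces the tag with an empty string if the 'http-equiv' is set to 'refresh'
  *
  * Every attribute handed back by the attribute finder is normalised through the
  * attribute content cleaner (entities decoded, words compacted) and tested for
  * "refresh" (case-insensitive); if any attribute matches, the whole tag is dropped.
  * A PCRE failure (preg_match() returning false) is treated as a match, so a
  * pathological attribute value cannot make the filter fail open.
  *
  * @param string $fullTag (e.g. '<meta http-equiv="refresh">')
  * @param string $attributes (e.g. 'meta http-equiv="refresh"')
  * @return string The original tag, or '' if it was identified as a refresh tag
  */
 protected function cleanTag($fullTag, $attributes)
 {
     $isRefreshTag = false;
     $this->attrFinder->findAttributes($attributes, function ($full, $contents) use (&$isRefreshTag) {
         // match on the decoded/compacted form so an obfuscated value is still caught
         $cleanedContents = $this->attributeContentCleaner->filter($contents);
         // preg_match() returns 0 for "no match" and false on error; only 0 is a safe result
         if (preg_match('/refresh/i', $cleanedContents) !== 0) {
             $isRefreshTag = true;
         }
         // the attribute itself is returned unchanged; only the whole tag is replaced
         return $full;
     });
     return $isRefreshTag ? '' : $fullTag;
 }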
Esempio n. 2
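 /**
  * Search the attribute content for any potential exploits, and return empty string
  *
  * The contents are normalised through the attribute content cleaner (entities
  * decoded, words compacted) before being tested against $this->contentRegex, so
  * obfuscated payloads are matched on their decoded form. A PCRE failure
  * (preg_match() returning false, e.g. a backtrack limit hit on a long value) is
  * treated as a match: an attribute the filter could not inspect is dropped rather
  * than passed through unchanged.
  *
  * @param string $fullAttribute (e.g. 'href="javascript:alert('XSS');"')
  * @param string $attributeContents (e.g. 'javascript:alert('XSS');')
  * @return string The original attribute, or '' if its contents matched the regex
  */
 protected function cleanAttribute($fullAttribute, $attributeContents)
 {
     // decode entities, compact words etc.
     $cleanedContents = $this->attributeContentCleaner->filter($attributeContents);
     // preg_match() returns 1 on match, 0 on no match and false on error:
     // anything other than 0 means the attribute is not known to be safe.
     if (preg_match($this->contentRegex, $cleanedContents) !== 0) {
         return '';
     }
     return $fullAttribute;
 }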