PHP Labware forum

Regex performance problem

2024-07-02T15:05:59Z

Sorry I posted the issue previously here.
https://github.com/kesar/HTMLawed/issues/30

There is a regex that performs very slow in certain scenarios (I'm using HTMLawed indirectly through GLPI). I experience the issue with PHP 7, but not with PHP 8.

Not sure how to workaround it.

Expose list of tags that need a close tag

2023-08-08T09:38:06Z

If you want to use `hook_tag` method, you currently have to make a copy of the HTML tags that require a close tag. You can see that being recommended in the docs in https://bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.4.9.

I think it would be an improvement if that would not be necessary.

One idea would be to simply expose this as a constant. That way we can simply plug in that constant instead.

One way to do that would be:

interface HtmLawedConstants {
public const EMPTY_ELEMENTS = ['img', ..];
}

This would work for both the OPP and function version.

New version 1.2.15 of htmLawed released on 4 August 2023

2023-08-05T04:30:28Z

New version 1.2.15 of htmLawed released on 4 August 2023:

* Proper checking of attribute formaction for security

* Transformation for deprecated attribute bgcolor for tbody, tfoot, and thead

* Support for URL schemes ws and wss

formaction is allowed in safe mode

2023-08-03T09:07:50Z

The following code is not caught by the safe mode of HtmLawed:

' does not contain "formaction

But, if you click on the following code, it will execute the javascript.

I would suggest to disallow the formaction attribute in safe mode.

Let me know if it would be helpful for me to contribute such a change.

New version 1.2.14 of htmLawed released on 25 May 2023

2023-05-25T21:17:31Z

Fixes the 'srcset in source' issue reported in this post.

Bug: srcset attribute not allowed on source tags

2023-05-23T21:52:55Z

In addition to `img`, `source` should also support this attribute:

Patch: https://github.com/fossar/HTMLawed/pull/15/commits/7d9aaee4ed5fa18637ac37de24362e0aca990a19.patch

New version 1.2.13 of htmLawed released on 1 May 2023

2023-04-30T01:34:56Z

New version 1.2.13 of htmLawed released on 1 May 2023 to fix issues with nesting for 'details' /'ruby' attributes, handling of self-closing tags, and parsing of $config['schemes'] in v1.2.8-12 – all noted in this post – and handling of multiple values in 'sizes' attribute.

Problems after updating from 1.2.4 to 1.2.12

2023-04-29T01:16:35Z

Hi,

I recently updated from 1.2.4 to 1.2.12 and had to modify htmLawed slightly to get our test suite working. Here are the issues I encountered:

(1) Depending on the “safe” configuration either ", app, javascript; *: data, javascript, file, http, https" or "; *: file, http, https” is appended to the end of the user-provided “schemes” configuration. The documentation doesn’t mention that anything will be appended to the config string so I assume this is a bug. It looks like an operator precedence/parentheses issue, potentially complicated by the ternary operator precedence changing between PHP 7 and 8:

$x = (isset($C['schemes'][2]) && strpos($C['schemes'], ':')
        ? strtolower($C['schemes'])
        : 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet')
       . (empty($C['safe'])
          ? ', app, javascript; *: data, javascript, '
          : '; *:')
       . 'file, http, https';

(2) Only

is allowed as a child of

and all other tags are removed despite

supporting flow content. I believe this is happening because in hl_balance() the

element is listed in $validMomKidAr. It is also listed in $otherValidMomKidAr which seems like the correct place for it.

(3) A
tag is stripped out but a
with a space before the / is not stripped out. I believe this is happening due to a change in the regex used in hl_tag() which detects the end of the tag by looking for whitespace or >. Having it also stop on / appears to fix the problem.

(4) The tag is not allowed to have text directly inside it. As a result an example from MDN:


明日 (Ashita)

gets turned into


     (Ashita)

New version 1.2.12 of htmLawed with minor fix released

2023-04-25T20:04:18Z

New version 1.2.12 of htmLawed released on 25 Apr 2023: Fixes issue that prevented use of attribute 'sizes' in 'img' and 'source' elements.

Allow URLS in inline styles when "safe" is set to 1

2023-03-05T02:44:23Z

I'd like to allow to allow URLs to be used when using inline styles (i.e. specifying an external url in the background-image property)

The documentation states "With $config["safe"] = 1, all URLs are disallowed in the style attribute values" but I cannot find a setting that corresponds to this (so that I can re-enable them.)

Bug: sizes attribute not allowed on img tags

2023-02-09T10:11:25Z

htmLawed correctly allows using the srcset attribute on img tags:

'srcset'=>array('img'=>1)

But if the srcset attribute uses width descriptors, the sizes attribute must also be present, or the srcset itself will be ignored (https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement/srcset).

So, this entry in $attrEleAr:

'sizes'=>array('link'=>1)

should be changed to:

'sizes'=>array('img'=>1, 'link'=>1)

to allow srcset and sizes to be used together.

New version 1.2.11 of htmLawed released on 23 Jan. 2023

2023-01-23T07:12:44Z

New version 1.2.11 of htmLawed released on 23 Jan. 2023: Fixes an XSS vulnerability arising from a lack of inspection for the alphabetical HTML entity for colon character in URLs

Bug/exploit with "javascript:"

2022-12-28T04:50:04Z

With config option "safe" set to 1, the following snippet is not properly mitigated and presents an exploit:

Beans

Certain special characters are replaced with HTML entities, and it's even possible to load external scripts (the script in this example is just an alert window)

New version 1.2.10 of htmLawed released on 5 Nov. 2022

2022-11-06T01:44:08Z

New version 1.2.10 of htmLawed released on 5 Nov. 2022:

* Class methods can now be specified as $config hook and hook_tag functions (ref.)

* Corrects a PHP notice if $config["schemes"] mistakenly lacks colons (ref.)

htmLawed suggestion: 'hook_tag' and 'hook' using is_callable()

2022-10-28T17:23:47Z

It would add a lot of flexibility to htmLawed implementation if these two config parameters were verified using is_callable() rather than function_exists(), then called using call_user_func().

This is something I've been manually editing into the library for a few years now in order to encapsulate the called hook functions as static methods of my project's existing sanitizer class (which serves as a façade for htmLawed or similar libs).

Could this approach be officially incorporated into htmLawed in a future release?