1
0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-30 23:52:40 +01:00
BookStack/app/Util/HtmlNonceApplicator.php

64 lines
1.7 KiB
PHP
Raw Normal View History

2021-09-04 00:32:42 +02:00
<?php
namespace BookStack\Util;
use DOMDocument;
use DOMElement;
use DOMNodeList;
use DOMXPath;
class HtmlNonceApplicator
{
protected static $placeholder = '[CSP_NONCE_VALUE]';
2021-09-04 00:32:42 +02:00
/**
* Prepare the given HTML content with nonce attributes including a placeholder
* value which we can target later.
2021-09-04 00:32:42 +02:00
*/
public static function prepare(string $html): string
2021-09-04 00:32:42 +02:00
{
if (empty($html)) {
return $html;
}
$html = '<body>' . $html . '</body>';
libxml_use_internal_errors(true);
$doc = new DOMDocument();
$doc->loadHTML(mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8'));
$xPath = new DOMXPath($doc);
// Apply to scripts
$scriptElems = $xPath->query('//script');
static::addNonceAttributes($scriptElems, static::$placeholder);
2021-09-04 00:32:42 +02:00
// Apply to styles
$styleElems = $xPath->query('//style');
static::addNonceAttributes($styleElems, static::$placeholder);
2021-09-04 00:32:42 +02:00
$returnHtml = '';
$topElems = $doc->documentElement->childNodes->item(0)->childNodes;
foreach ($topElems as $child) {
$returnHtml .= $doc->saveHTML($child);
}
return $returnHtml;
}
/**
* Apply the give nonce value to the given prepared HTML.
*/
public static function apply(string $html, string $nonce): string
{
return str_replace(static::$placeholder, $nonce, $html);
}
protected static function addNonceAttributes(DOMNodeList $nodes, string $attrValue): void
2021-09-04 00:32:42 +02:00
{
/** @var DOMElement $node */
foreach ($nodes as $node) {
$node->setAttribute('nonce', $attrValue);
2021-09-04 00:32:42 +02:00
}
}
}