Merge pull request #38 from slackhq/allow-empty-policies

Updating to allow empty allow lists, and adding tests
slackhq · Dec 21, 2021 · eaf8799 · eaf8799
2 parents 756bd40 + 22e0123
commit eaf8799
Show file tree

Hide file tree

Showing 11 changed files with 755 additions and 355 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -15,7 +15,7 @@
             "name": "HHVM: Run Script",
             "type": "hhvm",
             "request": "launch",
-            "script": "src/index.hack",
+            "script": "src/main.hack",
             "hhvmArgs": [
                 "-v",
                 "Eval.JitEnableRenameFunction=true",

diff --git a/src/Definition/HTMLDefinition.hack b/src/Definition/HTMLDefinition.hack
@@ -1820,7 +1820,6 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier\HTMLPurifier_Definition {
 			"fieldset" => true,
 		];
 		$this->info_content_sets['Block'] = $block_info;
-
 	}
 
 	// RAW CUSTOMIZATION STUFF --------------------------------------------
@@ -1916,12 +1915,12 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier\HTMLPurifier_Definition {
 			C\is_empty($allowed_attributes)
 		) {
 			$allowed = (string)$config->def->defaults['HTML.Allowed'];
-			if ($allowed !== '') {
+			if ($allowed is string && $allowed !== '') {
 				list($allowed_elements, $allowed_attributes) = $this->parseTinyMCEAllowedList($allowed);
 			}
 		}
 
-		if ($allowed_elements is dict<_, _> && !C\is_empty($allowed_elements)) {
+		if ($allowed_elements is dict<_, _>) {
 			foreach ($this->info as $name => $d) {
 				if (!C\contains_key($allowed_elements, $name)) {
 					unset($this->info[$name]);

diff --git a/src/Enums/HTMLAttributes.hack b/src/Enums/HTMLAttributes.hack
@@ -0,0 +1,131 @@
+namespace HTMLPurifier\Enums;
+
+enum HtmlAttributes: string {
+	ACCEPT = "accept";
+	ACCEPTCHARSET = "accept-charset";
+	ACCESSKEY = "accesskey";
+	ACTION = "action";
+	ALIGN = "align";
+	ALLOW = "allow";
+	ALLOWFULLSCREEN = 'allowfullscreen';
+	ALT = "alt";
+	ASYNC = "async";
+	AUTOCAPITALIZE = "autocapitalize";
+	AUTOCOMPLETE = "autocomplete";
+	AUTOFOCUS = "autofocus";
+	AUTOPLAY = "autoplay";
+	BGCOLOR = "bgcolor";
+	BORDER = "border";
+	BUFFERED = "buffered";
+	CHALLENGE = "challenge";
+	CHARSET = "charset";
+	CHECKED = "checked";
+	CITE = "cite";
+	CLASSES = "class"; // cannot be named "CLASS"
+	CODE = "code";
+	CODEBASE = "codebase";
+	COLOR = "color";
+	COLS = "cols";
+	COLSPAN = "colspan";
+	CONTENT = "content";
+	CONTENTEDITABLE = "contenteditable";
+	CONTEXTMENU = "contextmenu";
+	CONTROLS = "controls";
+	COORDS = "coords";
+	CROSSORIGIN = "crossorigin";
+	CSP = "csp";
+	DATA = "data";
+	DATETIME = "datetime";
+	DECODING = "decoding";
+	DEFAULT = "default";
+	DEFER = "defer";
+	DIR = "dir";
+	DIRNAME = "dirname";
+	DISABLED = "disabled";
+	DOWNLOAD = "download";
+	DRAGGABLE = "draggable";
+	DROPZONE = "dropzone";
+	ENCTYPE = "enctype";
+	FOR = "for";
+	FORM = "form";
+	FORMACTION = "formaction";
+	HEADERS = "headers";
+	HEIGHT = "height";
+	HIDDEN = "hidden";
+	HIGH = "high";
+	HREF = "href";
+	HREFLANG = "hreflang";
+	HTTPEQUIV = "http-equiv";
+	ICON = "icon";
+	ID = "id";
+	IMPORTANCE = "importance";
+	INTEGRITY = "integrity";
+	ISMAP = "ismap";
+	ITEMPROP = "itemprop";
+	KEYTYPE = "keytype";
+	KIND = "kind";
+	LABEL = "label";
+	LANG = "lang";
+	LANGUAGE = "language";
+	LAZYLOAD = "lazyload";
+	LIST = "list";
+	LOOP = "loop";
+	LOW = "low";
+	MANIFEST = "manifest";
+	MAX = "max";
+	MAXLENGTH = "maxlength";
+	MINLENGTH = "minlength";
+	MEDIA = "media";
+	METHOD = "method";
+	MIN = "min";
+	MULTIPLE = "multiple";
+	MUTED = "muted";
+	NAME = "name";
+	NOVALIDATE = "novalidate";
+	OPEN = "open";
+	OPTIMUM = "optimum";
+	PATTERN = "pattern";
+	PING = "ping";
+	PLACEHOLDER = "placeholder";
+	POSTER = "poster";
+	PRELOAD = "preload";
+	RADIOGROUP = "radiogroup";
+	READONLY = "readonly";
+	REFERRERPOLICY = "referrerpolicy";
+	REL = "rel";
+	REQUIRED = "required";
+	REVERSED = "reversed";
+	ROWS = "rows";
+	ROWSPAN = "rowspan";
+	SANDBOX = "sandbox";
+	SCOPE = "scope";
+	SCOPED = "scoped";
+	SELECTED = "selected";
+	SHAPE = "shape";
+	SIZE = "size";
+	SIZES = "sizes";
+	SLOT = "slot";
+	SPAN = "span";
+	SPELLCHECK = "spellcheck";
+	SRC = "src";
+	SRCDOC = "srcdoc";
+	SRCLANG = "srclang";
+	SRCSET = "srcset";
+	START = "start";
+	STEP = "step";
+	STYLE = "style";
+	SUMMARY = "summary";
+	TABINDEX = "tabindex";
+	TARGET = "target";
+	TITLE = "title";
+	TRANSLATE = "translate";
+	TYPE = "type";
+	USEMAP = "usemap";
+	VALUE = "value";
+	WIDTH = "width";
+	WRAP = "wrap";
+	DATA_CHECKED = "data-checked";
+	DATA_CLOG_CLICK = "data-clog-click";
+	DATA_CLOG_UI_ELEMENT = "data-clog-ui-element";
+	DATA_CLOG_UI_STEP = "data-clog-ui-step";
+}
diff --git a/src/Enums/HTMLTags.hack b/src/Enums/HTMLTags.hack
@@ -0,0 +1,185 @@
+namespace HTMLPurifier\Enums;
+
+/**
+ * The HtmlTags enums are meant to be added to policies when a developer
+ * would like to allow the corresponding tag to remain in HTML.
+ *
+ * For example, if a developer has an empty policy, and adds HtmlTags::B
+ * via one of the addTag functions defined in src/Policy.hack, their 
+ * policy will then permit the presence of <b> tags in the clean HTML.
+ *
+ * Please note that this list of HTML Tags is incomplete. In order for a
+ * tag to be used, it must also be defined in the HTMLDefinition info 
+ * property (found in src/Definition/HTMLDefinition). The following tags
+ * have been dropped from HtmlTags as attempting to add them to a policy
+ * would result in a thrown error:
+ * 		HtmlTags::HTML,
+ * 		HtmlTags::BASE,
+ * 		HtmlTags::HEAD,
+ * 		HtmlTags::LINK,
+ * 		HtmlTags::META,
+ * 		HtmlTags::STYLE,
+ * 		HtmlTags::TITLE,
+ * 		HtmlTags::BODY,
+ * 		HtmlTags::FIGURE,
+ * 		HtmlTags::DATA,
+ * 		HtmlTags::RB,
+ * 		HtmlTags::RP,
+ * 		HtmlTags::RT,
+ * 		HtmlTags::RTC,
+ * 		HtmlTags::RUBY,
+ * 		HtmlTags::TIME,
+ * 		HtmlTags::AREA,
+ * 		HtmlTags::MAP,
+ * 		HtmlTags::VIDEO,
+ * 		HtmlTags::APPLET,
+ * 		HtmlTags::EMBED,
+ * 		HtmlTags::NOEMBED,
+ * 		HtmlTags::OBJECT,
+ * 		HtmlTags::PARAM,
+ * 		HtmlTags::CANVAS,
+ * 		HtmlTags::NOSCRIPT,
+ * 		HtmlTags::SCRIPT,
+ * 		HtmlTags::BUTTON,
+ * 		HtmlTags::DATALIST,
+ * 		HtmlTags::FIELDSET,
+ * 		HtmlTags::FORM,
+ * 		HtmlTags::INPUT,
+ * 		HtmlTags::LABEL,
+ * 		HtmlTags::LEGEND,
+ * 		HtmlTags::METER,
+ * 		HtmlTags::OPTGROUP,
+ * 		HtmlTags::OPTION,
+ * 		HtmlTags::OUTPUT,
+ * 		HtmlTags::SELECT,
+ * 		HtmlTags::TEXTAREA,
+ * 		HtmlTags::DETAILS,
+ * 		HtmlTags::MENUITEM,
+ * 		HtmlTags::CONTENT,
+ * 		HtmlTags::ELEMENT,
+ * 		HtmlTags::SHADOW,
+ * 		HtmlTags::SLOT,
+ * 		HtmlTags::TEMPLATE,
+ * 		HtmlTags::BGSOUND,
+ * 		HtmlTags::BLINK,
+ * 		HtmlTags::COMMAND,
+ * 		HtmlTags::FRAME,
+ * 		HtmlTags::FRAMESET,
+ * 		HtmlTags::IMAGE,
+ * 		HtmlTags::ISINDEX,
+ * 		HtmlTags::KEYGEN,
+ * 		HtmlTags::LISTING,
+ * 		HtmlTags::MARQUEE,
+ * 		HtmlTags::MULTICOL,
+ * 		HtmlTags::NEXTID,
+ * 		HtmlTags::NOBR,
+ * 		HtmlTags::NOFRAMES,
+ * 		HtmlTags::PLAINTEXT,
+ * 		HtmlTags::SPACER,
+ * 		HtmlTags::XMP,
+ */
+
+enum HtmlTags: string {
+	//Content sectioningSection
+	ADDRESS = "address";
+	ARTICLE = "article";
+	ASIDE = "aside";
+	FOOTER = "footer";
+	HEADER = "header";
+	H1 = "h1";
+	H2 = "h2";
+	H3 = "h3";
+	H4 = "h4";
+	H5 = "h5";
+	H6 = "h6";
+	HGROUP = "hgroup";
+	MAIN = "main";
+	NAV = "nav";
+	SECTION = "section";
+
+	//Text content
+	BLOCKQUOTE = "blockquote";
+	DD = "dd";
+	DIR = "dir";
+	DIV = "div";
+	DL = "dl";
+	DT = "dt";
+	FIGCAPTION = "figcaption";
+	HR = "hr";
+	LI = "li";
+	OL = "ol";
+	P = "p";
+	PRE = "pre";
+	UL = "ul";
+
+	//Inline text semantics
+	A = "a";
+	ABBR = "abbr";
+	B = "b";
+	BDI = "bdi";
+	BDO = "bdo";
+	BR = "br";
+	CITE = "cite";
+	CODE = "code";
+	DFN = "dfn";
+	EM = "em";
+	I = "i";
+	KBD = "kbd";
+	MARK = "mark";
+	Q = "q";
+	S = "s";
+	SAMP = "samp";
+	SMALL = "small";
+	SPAN = "span";
+	STRONG = "strong";
+	SUB = "sub";
+	SUP = "sup";
+	TT = "tt";
+	U = "u";
+	VAR = "var";
+	WBR = "wbr";
+
+	//Image and multimedia
+	AUDIO = "audio";
+	IMG = "img";
+	TRACK = "track";
+
+	//Embedded content
+	IFRAME = "iframe";
+	PICTURE = "picture";
+	SOURCE = "source";
+
+	//Demarcating edits
+	DEL = "del";
+	INS = "ins";
+
+	//Table content
+	CAPTION = "caption";
+	COL = "col";
+	COLGROUP = "colgroup";
+	TABLE = "table";
+	TBODY = "tbody";
+	TD = "td";
+	TFOOT = "tfoot";
+	TH = "th";
+	THEAD = "thead";
+	TR = "tr";
+
+	//Forms
+	BUTTON = "button";
+	PROGRESS = "progress";
+	TEXTAREA = "textarea";
+
+	//Interactive elements
+	DIALOG = "dialog";
+	MENU = "menu";
+	SUMMARY = "summary";
+
+	//Obsolete and deprecated elements
+	ACRONYM = "acronym";
+	BASEFONT = "basefont";
+	BIG = "big";
+	CENTER = "center";
+	FONT = "font";
+	STRIKE = "strike";
+}
diff --git a/src/Injector.hack b/src/Injector.hack
@@ -112,31 +112,15 @@ abstract class HTMLPurifier_Injector {
 	 */
 	public function checkNeeded(HTMLPurifier_Config $config): string {
 		$def = TypeAssert\matches<Definition\HTMLPurifier_HTMLDefinition>($config->getHTMLDefinition());
-		$i = 0;
-		$index = 0;
 		foreach ($this->needed as $element => $attributes) {
-			if ($i is int) {
-				$i = $element;
-			}
-			if ($i is string && !C\contains_key($def->info, $i)) {
-				return $i;
-			}
-			if (!($element is vec<_>)) {
-				$index++;
-				$i = $index;
-				continue;
+			if (!C\contains_key($def->info, $element)) {
+				return $element;
 			}
 			foreach ($attributes as $name) {
-				if (
-					$element is string &&
-					C\contains_key($def->info, $element) &&
-					!C\contains_key($def->info[$element]->attr, $name)
-				) {
+				if (!C\contains_key($def->info[$element]->attr, $name)) {
 					return "$element.$name";
 				}
 			}
-			$index++;
-			$i = $index;
 		}
 		return '';
 	}