7 changes: 1 addition & 6 deletions src/lib/RichText/XMLSanitizer.php
Expand Up @@ -20,7 +20,6 @@ final class XMLSanitizer
{
public function sanitizeXMLString(string $xmlString): string
{
$xmlString = $this->decodeHTMLEntities($xmlString);
$xmlString = $this->removeComments($xmlString);
$xmlString = $this->removeDangerousTags($xmlString);
$xmlString = $this->sanitizeDocType($xmlString);
Expand All @@ -45,11 +44,6 @@ public function convertCDATAToText(DOMDocument $document): DOMDocument
return $document;
}

private function decodeHTMLEntities(string $xmlString): string
{
return html_entity_decode($xmlString, ENT_XML1, 'UTF-8');
}

private function removeComments(string $xmlString): string
{
$xmlString = preg_replace('/<!--\s?.*?\s?-->/s', '', $xmlString);
Expand Down Expand Up @@ -124,6 +118,7 @@ private function filterEntitiesFromDocType(string $entitiesBlock): array
$entityDefinitions = [];

foreach ($lines as $line) {
$line = html_entity_decode($line, ENT_XML1, 'UTF-8');
$line = trim($line);

if (preg_match('/<!ENTITY\s+(\S+)\s+(SYSTEM|PUBLIC)\s+/i', $line, $matches)) {
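Review bot: The `html_entity_decode` added at the top of the loop runs exactly once, so a reference that is itself encoded survives it: `&#38;#60;!ENTITY xxe SYSTEM ...` decodes to `&#60;!ENTITY xxe SYSTEM ...`, which does not match the `<!ENTITY\s+...\s+(SYSTEM|PUBLIC)` pattern below, yet libxml expands character references again when a parameter entity's replacement text is later parsed as a declaration, so the declaration can still come to life inside the parser. Decoding to a fixpoint closes that gap with a bounded loop: `for ($i = 0; $i < 4; ++$i) { $decoded = html_entity_decode($line, ENT_XML1, 'UTF-8'); if ($decoded === $line) { break; } $line = $decoded; }`. The decode is also per line, so a declaration whose `<!ENTITY` and `SYSTEM` end up on different lines is invisible to the regex as written; whether the split of `$lines` above this hunk allows that I cannot tell from here. `filterEntitiesFromDocType` begins and ends outside the hunk.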
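--- a/src/lib/eZ/RichText/DOMDocumentFactory.php
+++ b/src/lib/eZ/RichText/DOMDocumentFactory.php
@@ -42,7 +42,8 @@ public function loadXMLString(string $xmlString): DOMDocument
         // - substitute entities
         // - disable network access
         // - relax parser limits for document size/complexity
-        $success = $document->loadXML($this->xmlSanitizer->sanitizeXMLString($xmlString), LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NONET | LIBXML_PARSEHUGE);
+        $xmlString = $this->xmlSanitizer->sanitizeXMLString($xmlString);
+        $success = $document->loadXML($xmlString, LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NONET | LIBXML_PARSEHUGE);
         if (!$success) {
             throw new InvalidXmlException('$xmlString', libxml_get_errors());
         }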
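Review bot: The flag set on the new `loadXML` call leaves every external-entity path open to whatever slips past the regex-based sanitizer: `LIBXML_NONET` only refuses network fetches, so a `SYSTEM` entity pointing at `file://` or `php://` is still resolved locally once `LIBXML_NOENT` substitutes it, and `LIBXML_PARSEHUGE` relaxes libxml's entity-expansion limits, so nested internal entities are not capped either. Registering an external entity loader that refuses everything for the duration of the parse adds a parser-level barrier that does not depend on the sanitizer's pattern list; the loader is process-global state, so it has to be reset in a `finally`. If `LIBXML_DTDLOAD` is there to pull in a local DTD, that loader needs to allow that single path instead of returning null — I cannot tell from this hunk whether the DTD is relied on. The comment block above the call would also benefit from a line saying that XXE is prevented by the sanitizer, not by these flags, e.g. `// NOTE: NONET does not stop local file:// SYSTEM entities; XMLSanitizer is the barrier`.
```php
        $xmlString = $this->xmlSanitizer->sanitizeXMLString($xmlString);
        // Defence in depth: refuse every external entity resolution for this parse,
        // so a SYSTEM entity that evades the sanitizer cannot read local files.
        libxml_set_external_entity_loader(static fn (): ?string => null);
        try {
            $success = $document->loadXML($xmlString, LIBXML_NOENT | LIBXML_DTDLOAD | LIBXML_NONET | LIBXML_PARSEHUGE);
        } finally {
            libxml_set_external_entity_loader(null);
        }
        // … unchanged: failure handling …
```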
15 changes: 14 additions & 1 deletion tests/lib/eZ/RichText/DOMDocumentFactoryTest.php
Expand Up @@ -71,6 +71,20 @@ public function testEntityReferencesThrowsInvalidXmlException(): void
$this->domDocumentFactory->loadXMLString($xml);
}

public function testEncodedTagContentIsLeftAlone(): void
{
$xml = <<<EOT
<?xml version="1.0"?>
<para>By placing your order you agree to our <link>data &amp; privacy regulations</link>.</para>

EOT;

$doc = $this->domDocumentFactory->loadXMLString($xml);
$docXMLString = $doc->saveXML();

self::assertSame($xml, $docXMLString);
}

public function testRemoveEncodedEntities(): void
{
$xml = <<<EOT
Expand Down Expand Up @@ -114,7 +128,6 @@ public function testRemoveEncodedEntities(): void
*/
public function testHandleDoctype(string $xml, string $stringNotContainsString): void
{
$xml =
$doc = $this->domDocumentFactory->loadXMLString($xml);
$docXMLString = $doc->saveXML();
self::assertIsString($docXMLString);
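Review bot: `testEncodedTagContentIsLeftAlone` pins only `&amp;` in element text, which is not the case that the removed whole-document decode actually broke: a `&lt;`/`&gt;` pair or a numeric reference such as `&#60;script&#62;` in text is what a pre-parse decode would have turned into real markup for `removeDangerousTags` to strip, and none of those inputs is covered. Turning the test into a data-provider case list with one dataset per reference kind would guard the regression, e.g. `yield 'lt-gt in text' => ['<para>1 &lt; 2 &gt; 0</para>'];` and `yield 'numeric reference' => ['<para>&#60;b&#62; stays text</para>'];` alongside the existing `&amp;` case, each asserted with the same `saveXML()` round trip. Since the assertion is `assertSame` on the serialised document, the heredoc's trailing blank line is what makes the expected string end in the newline `saveXML()` emits; a short comment on that line would save the next person from deleting it. The second hunk's `testHandleDoctype` begins and ends outside the diff.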