Merge pull request #59 from olegatro/relative-links

tgalopin · web-flow · commit 5d02dcb6f2ea · 2021-09-14T10:27:50.000+02:00
add allow_relative_links setting
diff --git a/docs/1-getting-started.md b/docs/1-getting-started.md
@@ -93,6 +93,11 @@ $sanitizer = HtmlSanitizer\Sanitizer::create([
              * If true, mailto links will be accepted.
              */
             'allow_mailto' => false,
+            
+            /*
+             * If true, relative links will be accepted.
+             */
+            'allow_relative_links' => false,
         ],
         
         'img' => [
@@ -111,6 +116,11 @@ $sanitizer = HtmlSanitizer\Sanitizer::create([
              * If true, images data-uri URLs will be accepted.
              */
             'allow_data_uri' => false,
+            
+            /*
+             * If true, relative links will be accepted.
+             */
+            'allow_relative_links' => false,
         ],
         
         'iframe' => [
@@ -124,6 +134,11 @@ $sanitizer = HtmlSanitizer\Sanitizer::create([
              *      'allowed_hosts' => ['trusted1.com', 'google.com'],
              */
             'allowed_hosts' => null,
+            
+            /*
+             * If true, relative links will be accepted.
+             */
+            'allow_relative_links' => false,
         ],
     ],
 ]);
diff --git a/src/Extension/Basic/NodeVisitor/ANodeVisitor.php b/src/Extension/Basic/NodeVisitor/ANodeVisitor.php
@@ -41,6 +41,7 @@ public function __construct(array $config = [])
             $this->config['allowed_schemes'],
             $this->config['allowed_hosts'],
             $this->config['allow_mailto'],
+            $this->config['allow_relative_links'],
             $this->config['force_https']
         );
     }
@@ -61,6 +62,7 @@ public function getDefaultConfiguration(): array
             'allowed_schemes' => ['http', 'https'],
             'allowed_hosts' => null,
             'allow_mailto' => true,
+            'allow_relative_links' => false,
             'force_https' => false,
             'rel' => null,
         ];
diff --git a/src/Extension/Basic/Sanitizer/AHrefSanitizer.php b/src/Extension/Basic/Sanitizer/AHrefSanitizer.php
@@ -23,13 +23,15 @@ class AHrefSanitizer
     private $allowedSchemes;
     private $allowedHosts;
     private $allowMailTo;
+    private $allowRelativeLinks;
     private $forceHttps;
 
-    public function __construct(array $allowedSchemes, ?array $allowedHosts, bool $allowMailTo, bool $forceHttps)
+    public function __construct(array $allowedSchemes, ?array $allowedHosts, bool $allowMailTo, bool $allowRelativeLinks, bool $forceHttps)
     {
         $this->allowedSchemes = $allowedSchemes;
         $this->allowedHosts = $allowedHosts;
         $this->allowMailTo = $allowMailTo;
+        $this->allowRelativeLinks = $allowRelativeLinks;
         $this->forceHttps = $forceHttps;
     }
 
@@ -46,6 +48,14 @@ public function sanitize(?string $input): ?string
             }
         }
 
+        if ($this->allowRelativeLinks) {
+            $allowedSchemes[] = null;
+
+            if (\is_array($this->allowedHosts)) {
+                $allowedHosts[] = null;
+            }
+        }
+
         if (!$sanitized = $this->sanitizeUrl($input, $allowedSchemes, $allowedHosts, $this->forceHttps)) {
             return null;
         }
diff --git a/src/Extension/Iframe/NodeVisitor/IframeNodeVisitor.php b/src/Extension/Iframe/NodeVisitor/IframeNodeVisitor.php
@@ -40,6 +40,7 @@ public function __construct(array $config = [])
         $this->sanitizer = new IframeSrcSanitizer(
             $this->config['allowed_schemes'],
             $this->config['allowed_hosts'],
+            $this->config['allow_relative_links'],
             $this->config['force_https']
         );
     }
@@ -64,6 +65,7 @@ public function getDefaultConfiguration(): array
         return [
             'allowed_schemes' => ['http', 'https'],
             'allowed_hosts' => null,
+            'allow_relative_links' => false,
             'force_https' => false,
         ];
     }
diff --git a/src/Extension/Iframe/Sanitizer/IframeSrcSanitizer.php b/src/Extension/Iframe/Sanitizer/IframeSrcSanitizer.php
@@ -22,17 +22,30 @@ class IframeSrcSanitizer
 
     private $allowedSchemes;
     private $allowedHosts;
+    private $allowRelativeLinks;
     private $forceHttps;
 
-    public function __construct(array $allowedSchemes, ?array $allowedHosts, bool $forceHttps)
+    public function __construct(array $allowedSchemes, ?array $allowedHosts, bool $allowRelativeLinks, bool $forceHttps)
     {
         $this->allowedSchemes = $allowedSchemes;
         $this->allowedHosts = $allowedHosts;
+        $this->allowRelativeLinks = $allowRelativeLinks;
         $this->forceHttps = $forceHttps;
     }
 
     public function sanitize(?string $input): ?string
     {
-        return $this->sanitizeUrl($input, $this->allowedSchemes, $this->allowedHosts, $this->forceHttps);
+        $allowedSchemes = $this->allowedSchemes;
+        $allowedHosts = $this->allowedHosts;
+
+        if ($this->allowRelativeLinks) {
+            $allowedSchemes[] = null;
+
+            if (\is_array($this->allowedHosts)) {
+                $allowedHosts[] = null;
+            }
+        }
+
+        return $this->sanitizeUrl($input, $allowedSchemes, $allowedHosts, $this->forceHttps);
     }
 }
diff --git a/src/Extension/Image/NodeVisitor/ImgNodeVisitor.php b/src/Extension/Image/NodeVisitor/ImgNodeVisitor.php
@@ -41,6 +41,7 @@ public function __construct(array $config = [])
             $this->config['allowed_schemes'],
             $this->config['allowed_hosts'],
             $this->config['allow_data_uri'],
+            $this->config['allow_relative_links'],
             $this->config['force_https']
         );
     }
@@ -61,6 +62,7 @@ public function getDefaultConfiguration(): array
             'allowed_schemes' => ['http', 'https'],
             'allowed_hosts' => null,
             'allow_data_uri' => false,
+            'allow_relative_links' => false,
             'force_https' => false,
         ];
     }
diff --git a/src/Extension/Image/Sanitizer/ImgSrcSanitizer.php b/src/Extension/Image/Sanitizer/ImgSrcSanitizer.php
@@ -23,13 +23,15 @@ class ImgSrcSanitizer
     private $allowedSchemes;
     private $allowedHosts;
     private $allowDataUri;
+    private $allowRelativeLinks;
     private $forceHttps;
 
-    public function __construct(array $allowedSchemes, ?array $allowedHosts, bool $allowDataUri, bool $forceHttps)
+    public function __construct(array $allowedSchemes, ?array $allowedHosts, bool $allowDataUri, bool $allowRelativeLinks, bool $forceHttps)
     {
         $this->allowedSchemes = $allowedSchemes;
         $this->allowedHosts = $allowedHosts;
         $this->allowDataUri = $allowDataUri;
+        $this->allowRelativeLinks = $allowRelativeLinks;
         $this->forceHttps = $forceHttps;
     }
 
@@ -38,13 +40,20 @@ public function sanitize(?string $input): ?string
         $allowedSchemes = $this->allowedSchemes;
         $allowedHosts = $this->allowedHosts;
 
-        if ($this->allowDataUri) {
+        if ($this->allowDataUri && !$this->allowRelativeLinks) {
             $allowedSchemes[] = 'data';
             if (null !== $allowedHosts) {
                 $allowedHosts[] = null;
             }
         }
 
+        if ($this->allowRelativeLinks) {
+            $allowedSchemes[] = null;
+            if (null !== $allowedHosts) {
+                $allowedHosts[] = null;
+            }
+        }
+
         if (!$sanitized = $this->sanitizeUrl($input, $allowedSchemes, $allowedHosts, $this->forceHttps)) {
             return null;
         }
diff --git a/tests/Sanitizer/AHrefSanitizerTest.php b/tests/Sanitizer/AHrefSanitizerTest.php
@@ -23,6 +23,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => false,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'https://trusted.com/link.php',
             'output' => 'https://trusted.com/link.php',
@@ -32,6 +33,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => ['trusted.com'],
             'allowMailTo' => false,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'https://trusted.com/link.php',
             'output' => 'https://trusted.com/link.php',
@@ -41,6 +43,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => ['trusted.com'],
             'allowMailTo' => false,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'https://untrusted.com/link.php',
             'output' => null,
@@ -50,6 +53,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => false,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => '/link.php',
             'output' => null,
@@ -59,16 +63,28 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => '/link.php',
             'output' => null,
         ];
 
+        yield [
+            'allowedSchemes' => ['http', 'https'],
+            'allowedHosts' => null,
+            'allowMailTo' => true,
+            'allowRelativeLinks' => true,
+            'forceHttps' => false,
+            'input' => '/link.php',
+            'output' => '/link.php',
+        ];
+
         // Force HTTPS
         yield [
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => ['trusted.com'],
             'allowMailTo' => false,
+            'allowRelativeLinks' => false,
             'forceHttps' => true,
             'input' => 'http://trusted.com/link.php',
             'output' => 'https://trusted.com/link.php',
@@ -79,6 +95,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7',
             'output' => null,
@@ -88,6 +105,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => true,
             'input' => 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7',
             'output' => null,
@@ -98,6 +116,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => false,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'mailto:test@gmail.com',
             'output' => null,
@@ -107,6 +126,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'mailto:test@gmail.com',
             'output' => 'mailto:test@gmail.com',
@@ -116,6 +136,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => ['trusted.com'],
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'mailto:test@gmail.com',
             'output' => 'mailto:test@gmail.com',
@@ -125,6 +146,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => ['trusted.com'],
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => true,
             'input' => 'mailto:test@gmail.com',
             'output' => 'mailto:test@gmail.com',
@@ -134,6 +156,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'mailto:invalid',
             'output' => null,
@@ -143,6 +166,7 @@ public function provideUrls()
             'allowedSchemes' => ['http', 'https'],
             'allowedHosts' => null,
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'mailto:',
             'output' => null,
@@ -152,6 +176,7 @@ public function provideUrls()
             'allowedSchemes' => ['https'],
             'allowedHosts' => null,
             'allowMailTo' => true,
+            'allowRelativeLinks' => false,
             'forceHttps' => false,
             'input' => 'http://trusted.com/link.php',
             'output' => null,
@@ -161,8 +186,8 @@ public function provideUrls()
     /**
      * @dataProvider provideUrls
      */
-    public function testSanitize($allowedSchemes, $allowedHosts, $allowMailTo, $forceHttps, $input, $expected)
+    public function testSanitize($allowedSchemes, $allowedHosts, $allowMailTo, $allowRelativeLinks, $forceHttps, $input, $expected)
     {
-        $this->assertSame($expected, (new AHrefSanitizer($allowedSchemes, $allowedHosts, $allowMailTo, $forceHttps))->sanitize($input));
+        $this->assertSame($expected, (new AHrefSanitizer($allowedSchemes, $allowedHosts, $allowMailTo, $allowRelativeLinks, $forceHttps))->sanitize($input));
     }
 }
diff --git a/tests/Sanitizer/IframeSrcSanitizerTest.php b/tests/Sanitizer/IframeSrcSanitizerTest.php
diff --git a/tests/Sanitizer/ImgSrcSanitizerTest.php b/tests/Sanitizer/ImgSrcSanitizerTest.php

Original file line number	Diff line number	Diff line change
`@@ -23,13 +23,15 @@ class AHrefSanitizer`
`23`	`23`	`private $allowedSchemes;`
`24`	`24`	`private $allowedHosts;`
`25`	`25`	`private $allowMailTo;`
	`26`	`+ private $allowRelativeLinks;`
`26`	`27`	`private $forceHttps;`
`27`	`28`
`28`		`- public function __construct(array $allowedSchemes, ?array $allowedHosts, bool $allowMailTo, bool $forceHttps)`
	`29`	`+ public function __construct(array $allowedSchemes, ?array $allowedHosts, bool $allowMailTo, bool $allowRelativeLinks, bool $forceHttps)`
`29`	`30`	`{`
`30`	`31`	`$this->allowedSchemes = $allowedSchemes;`
`31`	`32`	`$this->allowedHosts = $allowedHosts;`
`32`	`33`	`$this->allowMailTo = $allowMailTo;`
	`34`	`+ $this->allowRelativeLinks = $allowRelativeLinks;`
`33`	`35`	`$this->forceHttps = $forceHttps;`
`34`	`36`	`}`
`35`	`37`
`@@ -46,6 +48,14 @@ public function sanitize(?string $input): ?string`
`46`	`48`	`}`
`47`	`49`	`}`
`48`	`50`
	`51`	`+ if ($this->allowRelativeLinks) {`
	`52`	`+ $allowedSchemes[] = null;`
	`53`	`+`
	`54`	`+ if (\is_array($this->allowedHosts)) {`
	`55`	`+ $allowedHosts[] = null;`
	`56`	`+ }`
	`57`	`+ }`
	`58`	`+`
`49`	`59`	`if (!$sanitized = $this->sanitizeUrl($input, $allowedSchemes, $allowedHosts, $this->forceHttps)) {`
`50`	`60`	`return null;`
`51`	`61`	`}`