Strip unnecessary HTML attributes from federated content (#2643)

Author: pfefferle

.github/changelog/2619-clean-html

@@ -0,0 +1,4 @@
+Significance: patch
+Type: changed
+
+Reduce federated content size by removing unnecessary HTML attributes.

includes/class-sanitize.php

@@ -215,4 +215,79 @@ public static function content( $content ) {
 	public static function strip_whitespace( $content ) {
 		return \trim( \preg_replace( '/>[\n\r\t]+</', '><', $content ) );
 	}
+
+	/**
+	 * Clean HTML for ActivityPub federation.
+	 *
+	 * Keeps all WordPress allowed tags but removes global attributes like
+	 * class, id, style, data-*, aria-* that increase payload size.
+	 *
+	 * @see https://github.com/Automattic/wordpress-activitypub/issues/2619
+	 *
+	 * @param string $content The HTML content to clean.
+	 *
+	 * @return string The cleaned HTML content.
+	 */
+	public static function clean_html( $content ) {
+		if ( empty( $content ) ) {
+			return $content;
+		}
+
+		// Start with all WordPress allowed post tags.
+		$allowed_html = \wp_kses_allowed_html( 'post' );
+
+		// Global attributes to remove from all elements.
+		$remove_attrs = array(
+			'aria-controls',
+			'aria-current',
+			'aria-describedby',
+			'aria-details',
+			'aria-expanded',
+			'aria-hidden',
+			'aria-label',
+			'aria-labelledby',
+			'aria-live',
+			'class',
+			'data-*',
+			'decoding',
+			'dir',
+			'hidden',
+			'id',
+			'lang',
+			'loading',
+			'role',
+			'style',
+			'tabindex',
+			'title',
+			'xml:lang',
+		);
+
+		/**
+		 * Filter the global attributes to remove from all elements.
+		 *
+		 * @param array $remove_attrs Global attributes to remove.
+		 */
+		$remove_attrs = \apply_filters( 'activitypub_remove_html_attributes', $remove_attrs );
+
+		// Remove global attributes from all tags.
+		foreach ( $allowed_html as $tag => $attrs ) {
+			$allowed_html[ $tag ] = \array_diff_key( $attrs, \array_flip( $remove_attrs ) );
+		}
+
+		// Re-add class and title for anchors (needed for microformats).
+		$allowed_html['a']['class'] = true;
+		$allowed_html['a']['title'] = true;
+
+		// Re-add class for spans (needed for microformats).
+		$allowed_html['span']['class'] = true;
+
+		/**
+		 * Filter the final allowed HTML for ActivityPub content.
+		 *
+		 * @param array $allowed_html The allowed HTML structure for wp_kses.
+		 */
+		$allowed_html = \apply_filters( 'activitypub_allowed_html', $allowed_html );
+
+		return \wp_kses( $content, $allowed_html, \wp_allowed_protocols() );
+	}
 }

includes/class-shortcodes.php

@@ -191,6 +191,7 @@ public static function content( $attributes, $content, $tag ) {
 		// Replace script and style elements.
 		$content = \preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $content );
 		$content = \strip_shortcodes( $content );
+		$content = Sanitize::clean_html( $content );
 		$content = Sanitize::strip_whitespace( $content );
 
 		add_shortcode( 'ap_content', array( 'Activitypub\Shortcodes', 'content' ) );

tests/phpunit/tests/includes/class-test-sanitize.php

@@ -385,4 +385,158 @@ public function strip_whitespace_provider() {
 	public function test_strip_whitespace( $input, $expected ) {
 		$this->assertSame( $expected, Sanitize::strip_whitespace( $input ) );
 	}
+
+	/**
+	 * Data provider for clean_html tests.
+	 *
+	 * @return array Test data with input and expected output.
+	 */
+	public function clean_html_provider() {
+		return array(
+			'empty_string'             => array( '', '' ),
+			'removes_class_from_p'     => array(
+				'<p class="wp-block-paragraph">Hello</p>',
+				'<p>Hello</p>',
+			),
+			'preserves_class_on_a'     => array(
+				'<a href="https://example.com" class="u-url mention">Link</a>',
+				'<a href="https://example.com" class="u-url mention">Link</a>',
+			),
+			'removes_id'               => array(
+				'<span id="main-content">Content</span>',
+				'<span>Content</span>',
+			),
+			'removes_style'            => array(
+				'<span style="color: red;">Styled</span>',
+				'<span>Styled</span>',
+			),
+			'removes_data_attributes'  => array(
+				'<span data-id="123" data-custom="value">Content</span>',
+				'<span>Content</span>',
+			),
+			'strips_loading_decoding'  => array(
+				'<img src="image.jpg" loading="lazy" decoding="async" alt="Test" />',
+				'<img src="image.jpg" alt="Test" />',
+			),
+			'preserves_href'           => array(
+				'<a href="https://example.com">Link</a>',
+				'<a href="https://example.com">Link</a>',
+			),
+			'strips_bad_protocol'      => array(
+				'<a href="javascript:alert(1)">Link</a>',
+				'<a href="alert(1)">Link</a>',
+			),
+			'preserves_img_essentials' => array(
+				'<img src="image.jpg" alt="Desc" width="300" height="200" />',
+				'<img src="image.jpg" alt="Desc" width="300" height="200" />',
+			),
+			'preserves_title'          => array(
+				'<a href="https://example.com" title="Example">Link</a>',
+				'<a href="https://example.com" title="Example">Link</a>',
+			),
+			'preserves_rel_and_target' => array(
+				'<a href="https://example.com" rel="me" target="_blank">Link</a>',
+				'<a href="https://example.com" rel="me" target="_blank">Link</a>',
+			),
+			'strips_lang_dir'          => array(
+				'<p lang="en" dir="ltr">Hello</p>',
+				'<p>Hello</p>',
+			),
+			'preserves_cite'           => array(
+				'<blockquote cite="https://example.com">Quote</blockquote>',
+				'<blockquote cite="https://example.com">Quote</blockquote>',
+			),
+			'preserves_video_attrs'    => array(
+				'<video src="video.mp4" width="640" height="360" controls poster="thumb.jpg"></video>',
+				'<video src="video.mp4" width="640" height="360" controls poster="thumb.jpg"></video>',
+			),
+			'preserves_audio_attrs'    => array(
+				'<audio src="audio.mp3" controls></audio>',
+				'<audio src="audio.mp3" controls></audio>',
+			),
+			'strips_hreflang'          => array(
+				'<a href="https://example.de" hreflang="de">German</a>',
+				'<a href="https://example.de">German</a>',
+			),
+			'preserves_details_open'   => array(
+				'<details open><summary>Title</summary></details>',
+				'<details open><summary>Title</summary></details>',
+			),
+			'self_closing_tags'        => array(
+				'<br class="clear" />',
+				'<br />',
+			),
+			'no_attributes'            => array(
+				'<p>Simple paragraph</p>',
+				'<p>Simple paragraph</p>',
+			),
+			'plain_text'               => array(
+				'Just plain text',
+				'Just plain text',
+			),
+			'complex_wordpress_figure' => array(
+				'<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="768" src="https://example.com/image.jpg" alt="Test" class="wp-image-123" data-id="123" /><figcaption class="wp-element-caption">Caption</figcaption></figure>',
+				'<figure><img width="1024" height="768" src="https://example.com/image.jpg" alt="Test" /><figcaption>Caption</figcaption></figure>',
+			),
+		);
+	}
+
+	/**
+	 * Test clean_html with various inputs.
+	 *
+	 * @dataProvider clean_html_provider
+	 * @covers ::clean_html
+	 *
+	 * @param string $input    Input value.
+	 * @param string $expected Expected output.
+	 */
+	public function test_clean_html( $input, $expected ) {
+		$this->assertSame( $expected, Sanitize::clean_html( $input ) );
+	}
+
+	/**
+	 * Test that null input returns null.
+	 *
+	 * @covers ::clean_html
+	 */
+	public function test_clean_html_null() {
+		$this->assertNull( Sanitize::clean_html( null ) );
+	}
+
+	/**
+	 * Test the activitypub_allowed_html filter.
+	 *
+	 * @covers ::clean_html
+	 */
+	public function test_allowed_html_filter() {
+		add_filter(
+			'activitypub_allowed_html',
+			function ( $allowed_html ) {
+				// Add data-custom attribute to span.
+				$allowed_html['span']['data-custom'] = true;
+				return $allowed_html;
+			}
+		);
+
+		$input    = '<span data-custom="allowed" data-other="removed">Content</span>';
+		$expected = '<span data-custom="allowed">Content</span>';
+		$this->assertSame( $expected, Sanitize::clean_html( $input ) );
+
+		remove_all_filters( 'activitypub_allowed_html' );
+	}
+
+	/**
+	 * Test that rel attribute is preserved on anchors.
+	 *
+	 * @covers ::clean_html
+	 */
+	public function test_rel_attribute_preserved() {
+		$input    = '<a href="https://example.com" rel="mention">Link</a>';
+		$expected = '<a href="https://example.com" rel="mention">Link</a>';
+		$this->assertSame( $expected, Sanitize::clean_html( $input ) );
+
+		$input    = '<a href="https://example.com" rel="nofollow">Link</a>';
+		$expected = '<a href="https://example.com" rel="nofollow">Link</a>';
+		$this->assertSame( $expected, Sanitize::clean_html( $input ) );
+	}
 }

tests/phpunit/tests/includes/transformer/class-test-post.php

@@ -796,7 +796,8 @@ public function test_reply_block_transforms_to_mention_link_when_first_block() {
 		$object = Post::transform( $post )->to_object();
 
 		// Assert that the reply block was transformed into a mention link.
-		$this->assertStringContainsString( '<p class="ap-reply-mention"><a rel="mention ugc" href="https://example.com/posts/123" title="@[email protected]">@author</a></p>', $object->get_content() );
+		// Note: clean_html() strips class from <p> and the mention link doesn't include u-in-reply-to class.
+		$this->assertStringContainsString( '<p><a rel="mention ugc" href="https://example.com/posts/123" title="@[email protected]">@author</a></p>', $object->get_content() );
 
 		// Clean up.
 		remove_filter( 'activitypub_pre_http_get_remote_object', $filter_remote_object );
@@ -827,7 +828,8 @@ public function test_reply_block_not_transformed_when_not_first_block() {
 		$content = $object->get_content();
 
 		// Assert that the reply block was not transformed into a mention link.
-		$this->assertStringContainsString( '<div class="activitypub-reply-block wp-block-activitypub-reply" aria-label="Reply" data-in-reply-to="https://example.com/posts/123"><p><a title="This post is a response to the referenced content." aria-label="This post is a response to the referenced content." href="https://example.com/posts/123" class="u-in-reply-to" target="_blank">&#8620;example.com/posts/123</a></p></div>', $content );
+		// Note: clean_html() strips class/aria-label/data-* from <div> but preserves class/title on <a>.
+		$this->assertStringContainsString( '<div><p><a title="This post is a response to the referenced content." href="https://example.com/posts/123" class="u-in-reply-to" target="_blank">&#8620;example.com/posts/123</a></p></div>', $content );
 	}
 
 	/**
@@ -882,10 +884,12 @@ public function test_multiple_reply_blocks_only_first_becomes_mention() {
 		$content = $object->get_content();
 
 		// Assert that the first reply block was transformed into a mention link.
-		$this->assertStringContainsString( '<p class="ap-reply-mention"><a rel="mention ugc" href="https://example.com/posts/123" title="@[email protected]">@author1</a></p>', $content );
+		// Note: clean_html() strips class from <p> and the mention link doesn't include u-in-reply-to class.
+		$this->assertStringContainsString( '<p><a rel="mention ugc" href="https://example.com/posts/123" title="@[email protected]">@author1</a></p>', $content );
 
 		// Assert that the second reply block was NOT transformed into a mention link (should remain as regular reply block).
-		$this->assertStringContainsString( '<div class="activitypub-reply-block wp-block-activitypub-reply" aria-label="Reply" data-in-reply-to="https://other.site/posts/456"><p><a title="This post is a response to the referenced content." aria-label="This post is a response to the referenced content." href="https://other.site/posts/456" class="u-in-reply-to" target="_blank">&#8620;other.site/posts/456</a></p></div>', $content );
+		// Note: clean_html() strips class/aria-label/data-* from <div> but preserves class/title on <a>.
+		$this->assertStringContainsString( '<div><p><a title="This post is a response to the referenced content." href="https://other.site/posts/456" class="u-in-reply-to" target="_blank">&#8620;other.site/posts/456</a></p></div>', $content );
 
 		// Clean up.
 		remove_filter( 'activitypub_pre_http_get_remote_object', $filter_remote_object );