feat: handle sms: scheme

Author: maxfenton

library/HTMLPurifier.includes.php

@@ -232,5 +232,6 @@
 require 'HTMLPurifier/URIScheme/news.php';
 require 'HTMLPurifier/URIScheme/nntp.php';
 require 'HTMLPurifier/URIScheme/tel.php';
+require 'HTMLPurifier/URIScheme/sms.php';
 require 'HTMLPurifier/VarParser/Flexible.php';
 require 'HTMLPurifier/VarParser/Native.php';

library/HTMLPurifier.safe-includes.php

@@ -226,5 +226,6 @@
 require_once $__dir . '/HTMLPurifier/URIScheme/news.php';
 require_once $__dir . '/HTMLPurifier/URIScheme/nntp.php';
 require_once $__dir . '/HTMLPurifier/URIScheme/tel.php';
+require_once $__dir . '/HTMLPurifier/URIScheme/sms.php';
 require_once $__dir . '/HTMLPurifier/VarParser/Flexible.php';
 require_once $__dir . '/HTMLPurifier/VarParser/Native.php';

library/HTMLPurifier/ConfigSchema/schema.ser

@@ -9,6 +9,7 @@ array (
   'nntp' => true,
   'news' => true,
   'tel' => true,
+  'sms' => true,
 )
 --DESCRIPTION--
 Whitelist that defines the schemes that a URI is allowed to have.  This

library/HTMLPurifier/ConfigSchema/schema/URI.AllowedSchemes.txt

@@ -0,0 +1,99 @@
+<?php
+
+/**
+ * Validates sms (for text messaging).
+ *
+ * The relevant specification for this protocol is RFC 5724.
+ * This class normalizes SMS numbers so that they only include
+ * digits, optionally with a leading plus for international numbers.
+ *
+ * According to RFC 5724, SMS URIs support the 'body' parameter
+ * using the format: sms:number?body=message
+ * However, the format: sms:number&body=message is commonly used on
+ * the web, so it is also supported here.
+ */
+
+class HTMLPurifier_URIScheme_sms extends HTMLPurifier_URIScheme
+{
+    /**
+     * @type bool
+     */
+    public $browsable = false;
+
+    /**
+     * @type bool
+     */
+    public $may_omit_host = true;
+
+    /**
+     * @param HTMLPurifier_URI $uri
+     * @param HTMLPurifier_Config $config
+     * @param HTMLPurifier_Context $context
+     * @return bool
+     */
+    public function doValidate(&$uri, $config, $context)
+    {
+        $uri->userinfo = null;
+        $uri->host     = null;
+        $uri->port     = null;
+
+        // Handle SMS URIs with &body= syntax (non-standard but common)
+        if (strpos($uri->path, '&body=') !== false) {
+            $parts = explode('&body=', $uri->path, 2);
+            $phone_number = $parts[0];
+            $body_content = isset($parts[1]) ? $parts[1] : '';
+
+            // Clean the phone number part
+            $phone_number = preg_replace(
+                '/(?!^\+)[^\d]/',
+                '',
+                rawurldecode($phone_number)
+            );
+
+            // Sanitize the body content
+            $body_content = $this->sanitizeBody($body_content);
+
+            // Reconstruct the path
+            if (!empty($body_content)) {
+                $uri->path = $phone_number . '&body=' . $body_content;
+            } else {
+                $uri->path = $phone_number;
+            }
+        } else {
+            // Clean the phone number (no body parameter)
+            $uri->path = preg_replace(
+                '/(?!^\+)[^\d]/',
+                '',
+                rawurldecode($uri->path)
+            );
+        }
+
+        // Handle standard ?body= syntax in query parameters
+        if (!is_null($uri->query) && strpos($uri->query, 'body=') === 0) {
+            $body_content = substr($uri->query, 5); // Remove 'body='
+            $body_content = $this->sanitizeBody($body_content);
+
+            if (!empty($body_content)) {
+                $uri->query = 'body=' . $body_content;
+            } else {
+                $uri->query = null;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Sanitizes SMS body content
+     * @param string $body
+     * @return string
+     */
+    private function sanitizeBody($body)
+    {
+        // Remove potentially dangerous characters
+        $sanitized = preg_replace('/[<>"\']/', '', $body);
+        // Remove any remaining script-like content
+        $sanitized = preg_replace('/script|alert|javascript/i', '', $sanitized);
+        return $sanitized;
+    }
+}

library/HTMLPurifier/URIScheme/sms.php

@@ -25,6 +25,10 @@ public function testIntegration()
         $this->assertDef('tel:+15555555555');
         $this->assertDef('tel:+15555 555 555', 'tel:+15555555555');
         $this->assertDef('tel:+15555%20555%20555', 'tel:+15555555555');
+        $this->assertDef('sms:+15555555555');
+        $this->assertDef('sms:+15555 555 555', 'sms:+15555555555');
+        $this->assertDef('sms:+15555%20555%20555', 'sms:+15555555555');
+        $this->assertDef('sms:5555&body=HOME', 'sms:5555&body=HOME');
     }
 
     public function testIntegrationWithPercentEncoder()

tests/HTMLPurifier/AttrDef/URITest.php

@@ -44,6 +44,14 @@ public function testPreserveAltSchemeWithTel()
         $this->assertFiltering('tel:+15555%20555%20555');
     }
 
+    public function testPreserveAltSchemeWithSms()
+    {
+        $this->assertFiltering('sms:+15555555555');
+        $this->assertFiltering('sms:+15555 555 555');
+        $this->assertFiltering('sms:+15555%20555%20555');
+        $this->assertFiltering('sms:5555&body=HOME');
+    }
+
     public function testFilterIgnoreHTTPSpecialCase()
     {
         $this->assertFiltering('http:/', 'http://example.com/');

tests/HTMLPurifier/URIFilter/MakeAbsoluteTest.php

@@ -81,6 +81,28 @@ public function testTelURI()
         );
     }
 
+    public function testSmsURI()
+    {
+        $this->assertParsing(
+            'sms:+1 (555) 555-5555',
+            'sms', null, null, null, '+1 (555) 555-5555', null, null
+        );
+        $this->assertParsing(
+          'sms:+1%20(555)%20555-5555',
+          'sms', null, null, null, '+1%20(555)%20555-5555', null, null
+        );
+        $this->assertParsing(
+            'sms:5555&body=HOME',
+            'sms',
+            null,
+            null,
+            null,
+            '5555',
+            'body=HOME',
+            null
+        );
+    }
+
     public function testIPv4Address()
     {
         $this->assertParsing(

tests/HTMLPurifier/URIParserTest.php

@@ -215,6 +215,82 @@ public function test_tel_strip_letters()
         );
     }
 
+    public function test_sms_strip_punctuation()
+    {
+        $this->assertValidation(
+            'sms:+1 (555) 555-5555', 'sms:+15555555555'
+        );
+    }
+
+    public function test_sms_with_url_encoding()
+    {
+        $this->assertValidation(
+            'sms:+1%20(555)%20555-5555', 'sms:+15555555555'
+        );
+    }
+
+    public function test_sms_regular()
+    {
+        $this->assertValidation(
+            'sms:+15555555555'
+        );
+    }
+
+    public function test_sms_no_plus()
+    {
+        $this->assertValidation(
+            'sms:555-555-5555', 'sms:5555555555'
+        );
+    }
+
+    public function test_sms_strip_letters()
+    {
+        $this->assertValidation(
+            'sms:abcd1234',
+            'sms:1234'
+        );
+    }
+
+    public function test_sms_with_body_query()
+    {
+        $this->assertValidation(
+            'sms:5555&body=HOME',
+            'sms:5555&body=HOME'
+        );
+    }
+
+    public function test_sms_strip_invalid_params()
+    {
+        $this->assertValidation(
+            'sms:+15555555555&body=Hello&subject=Test',
+            'sms:+15555555555&body=Hello'
+        );
+    }
+
+    public function test_sms_with_url_encoded_body()
+    {
+        $this->assertValidation(
+            'sms:5555&body=Hello%20World',
+            'sms:5555&body=Hello%20World'
+        );
+    }
+
+    public function test_sms_strip_dangerous_query_params()
+    {
+        $this->assertValidation(
+            'sms:5555&body=<script>alert("xss")</script>&subject=Test',
+            'sms:5555&body='
+        );
+    }
+
+    public function test_sms_strip_invalid_query_params()
+    {
+        $this->assertValidation(
+            'sms:5555&body=HOME&invalid=param&subject=Test',
+            'sms:5555&body=HOME'
+        );
+    }
+
     public function test_data_png()
     {
         $this->assertValidation(