Merge pull request #148 from incentify-platform/add-null-support

mewebstudio · web-flow · commit c81d5ed0140f · 2021-03-24T21:34:22.000+03:00
Allow explicit non string types through without being cast to empty strings
diff --git a/README.md b/README.md
@@ -70,10 +70,11 @@ Config file `config/purifier.php` should like this
 ```php
 
 return [
-    'encoding'      => 'UTF-8',
-    'finalize'      => true,
-    'cachePath'     => storage_path('app/purifier'),
-    'cacheFileMode' => 0755,
+    'encoding'           => 'UTF-8',
+    'finalize'           => true,
+    'ignoreNonStrings'   => false,
+    'cachePath'          => storage_path('app/purifier'),
+    'cacheFileMode'      => 0755,
     'settings'      => [
         'default' => [
             'HTML.Doctype'             => 'HTML 4.01 Transitional',
diff --git a/config/purifier.php b/config/purifier.php
@@ -17,10 +17,11 @@
  */
 
 return [
-    'encoding'      => 'UTF-8',
-    'finalize'      => true,
-    'cachePath'     => storage_path('app/purifier'),
-    'cacheFileMode' => 0755,
+    'encoding'           => 'UTF-8',
+    'finalize'           => true,
+    'ignoreNonStrings'   => false,
+    'cachePath'          => storage_path('app/purifier'),
+    'cacheFileMode'      => 0755,
     'settings'      => [
         'default' => [
             'HTML.Doctype'             => 'HTML 4.01 Transitional',
diff --git a/src/Purifier.php b/src/Purifier.php
@@ -273,6 +273,13 @@ public function clean($dirty, $config = null, \Closure $postCreateConfigHook = n
             }
         }
 
+        //If $dirty is not an explicit string, bypass purification assuming configuration allows this
+        $ignoreNonStrings = $this->config->get('purifier.ignoreNonStrings', false);
+        $stringTest = is_string($dirty);
+        if($stringTest === false && $ignoreNonStrings === true) {
+            return $dirty;
+        }
+
         return $this->purifier->purify($dirty, $configObject);
     }
 
diff --git a/tests/PurifierTest.php b/tests/PurifierTest.php
@@ -111,6 +111,79 @@ public function testCleaningWithCustomConfigAndPostCreateHook()
         $this->assertSame('<p><a href="https://example.com">https://example.com</a></p>', $pureHtml);
     }
 
+    public function testCleaningNullPassThru() {
+        $testConfig = require __DIR__.'/../config/purifier.php';
+        $configRepo = new Repository(['purifier'=>$testConfig]);
+
+        //$purifier = $this->app->make('purifier');
+        $purifier = new Purifier(new Filesystem(), $configRepo);
+
+        //test default config value is expected
+        $this->assertEquals(false, $configRepo->get('purifier.ignoreNonStrings'));
+
+        //Test default behavior is unchanged without nullPassThru Config value of true
+        $html = null;
+        $pureHtml = $purifier->clean($html);
+        $this->assertEquals('', $pureHtml);
+        $html = false;
+        $pureHtml = $purifier->clean($html);
+        $this->assertEquals('', $pureHtml);
+
+        $html = [
+            'good'=>'<span id="some-id">This is my H1 title',
+            'bad'=>'<script>alert(\'XSS\');</script>',
+            'empty'=>null,
+            'bool'=>false,
+            'bool2'=>true,
+            'float'=>4.321,
+        ];
+        $expectedHtml = [
+            'good'=>'<p><span>This is my H1 title</span></p>',
+            'bad'=>'',
+            'empty'=>'',
+            'bool'=>'',
+            'bool2'=>'<p>1</p>',
+            'float'=>'<p>4.321</p>'
+        ];
+        $pureHtml = $purifier->clean($html);
+        $this->assertEquals($expectedHtml, $pureHtml);
+
+
+        //Test behavior as expected with nullPassThru Config value of true
+        $configRepo->set('purifier.ignoreNonStrings', true);
+        $purifier = new Purifier(new Filesystem(), $configRepo);
+        $this->assertEquals(true, $configRepo->get('purifier.ignoreNonStrings'));
+
+        $html = null;
+        $pureHtml = $purifier->clean($html);
+        $this->assertEquals(null, $pureHtml);
+
+        $html = false;
+        $pureHtml = $purifier->clean($html);
+        $this->assertEquals(false, $pureHtml);
+
+        $html = [
+            'good'=>'<span id="some-id">This is my H1 title',
+            'bad'=>'<script>alert(\'XSS\');</script>',
+            'empty'=>null,
+            'emptyStr'=>'',
+            'bool'=>false,
+            'bool2'=>true,
+            'float'=>4.321,
+        ];
+        $expectedHtml = [
+            'good'=>'<p><span>This is my H1 title</span></p>',
+            'bad'=>'',
+            'empty'=>null,
+            'emptyStr'=>'',
+            'bool'=>false,
+            'bool2'=>true,
+            'float'=>4.321,
+        ];
+        $pureHtml = $purifier->clean($html);
+        $this->assertEquals($expectedHtml, $pureHtml);
+    }
+
     public function testCustomDefinitions()
     {
         /** @var HTMLPurifier $purifier */

Original file line number	Diff line number	Diff line change
`@@ -273,6 +273,13 @@ public function clean($dirty, $config = null, \Closure $postCreateConfigHook = n`
`273`	`273`	`}`
`274`	`274`	`}`
`275`	`275`
	`276`	`+ //If $dirty is not an explicit string, bypass purification assuming configuration allows this`
	`277`	`+ $ignoreNonStrings = $this->config->get('purifier.ignoreNonStrings', false);`
	`278`	`+ $stringTest = is_string($dirty);`
	`279`	`+ if($stringTest === false && $ignoreNonStrings === true) {`
	`280`	`+ return $dirty;`
	`281`	`+ }`
	`282`	`+`
`276`	`283`	`return $this->purifier->purify($dirty, $configObject);`
`277`	`284`	`}`
`278`	`285`