Use HTMLPurifier

Author: tatevikg1

composer.json

@@ -78,7 +78,8 @@
         "webklex/php-imap": "^6.2",
         "ext-imap": "*",
         "tatevikgr/rss-feed": "dev-main",
-        "ext-pdo": "*"
+        "ext-pdo": "*",
+        "ezyang/htmlpurifier": "^4.19"
     },
     "require-dev": {
         "phpunit/phpunit": "^9.5",

config/services.yml

@@ -51,7 +51,20 @@ services:
     tags:
       - { name: 'doctrine.dbal.schema_filter', connection: 'default' }
 
-  PhpList\Core\Domain\Messaging\MessageHandler\CampaignProcessorMessageHandler:
-    autowire: true
+  HTMLPurifier_Config:
+    class: HTMLPurifier_Config
+    factory: [ 'HTMLPurifier_Config', 'createDefault' ]
+    calls:
+      - [ set, [ 'Cache.SerializerPath', '%kernel.cache_dir%/htmlpurifier' ] ]
+      - [ set, [ 'HTML.ForbiddenElements', [ 'script', 'style' ] ] ]
+      - [ set, [ 'CSS.Disable', true ] ]
+      - [ set, [ 'URI.DisableJavaScript', true ] ]
+      - [ set, [ 'URI.DisableDataURI', true ] ]
+      - [ set, [ 'HTML.Doctype', 'HTML5' ] ]
+      - [ set, [ 'HTML.Allowed', 'p,br,b,strong,i,em,u,a[href|title],ul,ol,li,blockquote,img[src|alt|title],span,div'] ]
+
+  HTMLPurifier:
+    class: HTMLPurifier
     arguments:
-      $maxMailSize: '%messaging.max_mail_size%'
+      - '@HTMLPurifier_Config'
+

config/services/messenger.yml

@@ -29,6 +29,11 @@ services:
         autoconfigure: true
         tags: [ 'messenger.message_handler' ]
 
+    PhpList\Core\Domain\Messaging\MessageHandler\CampaignProcessorMessageHandler:
+        autowire: true
+        arguments:
+            $maxMailSize: '%messaging.max_mail_size%'
+
     PhpList\Core\Domain\Subscription\MessageHandler\DynamicTableMessageHandler:
         autowire: true
         autoconfigure: true

src/Domain/Messaging/Service/Manager/MessageDataManager.php

@@ -5,6 +5,7 @@
 namespace PhpList\Core\Domain\Messaging\Service\Manager;
 
 use Doctrine\ORM\EntityManagerInterface;
+use HTMLPurifier;
 use PhpList\Core\Domain\Messaging\Model\Message;
 use PhpList\Core\Domain\Messaging\Model\MessageData;
 use PhpList\Core\Domain\Messaging\Repository\MessageDataRepository;
@@ -14,6 +15,7 @@ class MessageDataManager
     public function __construct(
         private readonly MessageDataRepository $messageDataRepository,
         private readonly EntityManagerInterface $entityManager,
+        private readonly HTMLPurifier $purifier,
     ) {
     }
 
@@ -68,30 +70,11 @@ public function setMessageData(Message $campaign, string $name, mixed $value): v
         $entity->setData($value !== null ? (string) $value : null);
     }
 
-    /**
-     * Remove potentially harmful JavaScript from HTML content.
-     *
-     * This is a conservative cleaner: removes <script> blocks, javascript: URLs,
-     * and inline event handlers (on*) attributes.
-     */
-    private function disableJavascript(string $html): string
-    {
-        // Remove script tags and their content
-        $clean = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html) ?? $html;
-
-        // Remove on*="..." event handler attributes
-        $clean = preg_replace('/\s+on[a-zA-Z]+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $clean) ?? $clean;
-
-        // Neutralize javascript: and data: URIs in href/src/style
-        $clean = preg_replace('/\b(href|src)\s*=\s*("|\')\s*(javascript:|data:)[^\2]*\2/i', '$1="#"', $clean) ?? $clean;
-        return preg_replace('/\bstyle\s*=\s*("|\')[^\1]*\1/i', '', $clean) ?? $clean;
-    }
-
     private function normalizeValueByName(string $name, mixed $value)
     {
         return match ($name) {
             'subject', 'campaigntitle' => is_string($value) ? strip_tags($value) : $value,
-            'message' => is_string($value) ? $this->disableJavascript($value) : $value,
+            'message' => is_string($value) ? $this->purifier->purify($value) : $value,
             'excludelist' => is_array($value) ? array_filter($value, fn ($val) => is_numeric($val)) : $value,
             'footer' => is_string($value) ? preg_replace('/<!--.*?-->/', '', $value) : $value,
             default => $value,