First draft of an Activity-Sanitizer
This commit is contained in:
parent
48632a7e1b
commit
1397d864bb
4 changed files with 212 additions and 33 deletions
|
@ -68,7 +68,7 @@ class Activity extends Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-context
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-context
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -82,7 +82,7 @@ class Activity extends Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-object-term
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-object-term
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | Base_Objectr
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -97,7 +97,7 @@ class Activity extends Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-actor
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-actor
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | \ActivityPhp\Type\Extended\AbstractActor
|
* | Actor
|
||||||
* | array<Actor>
|
* | array<Actor>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | Link
|
* | Link
|
||||||
|
@ -116,8 +116,8 @@ class Activity extends Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-target
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-target
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | Link
|
* | Link
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
*/
|
*/
|
||||||
|
@ -132,7 +132,7 @@ class Activity extends Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-result
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-result
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -149,7 +149,7 @@ class Activity extends Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-origin
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-origin
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -162,7 +162,7 @@ class Activity extends Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-instrument
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-instrument
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -176,7 +176,7 @@ class Activity extends Base_Object {
|
||||||
*
|
*
|
||||||
* @see https://www.w3.org/TR/activitypub/#object-without-create
|
* @see https://www.w3.org/TR/activitypub/#object-without-create
|
||||||
*
|
*
|
||||||
* @param string|Base_Objectr|Link|null $object
|
* @param string|Base_Object|Link|null $object
|
||||||
*
|
*
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -49,9 +49,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-attachment
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-attachment
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -65,9 +65,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-attributedto
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-attributedto
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -80,9 +80,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-audience
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-audience
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -115,7 +115,7 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-context
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-context
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -210,9 +210,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-inreplyto
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-inreplyto
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -225,9 +225,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-location
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-location
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -239,7 +239,7 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-preview
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-preview
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -287,7 +287,7 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-summary
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-summary
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -313,9 +313,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-tag
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-tag
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -348,9 +348,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-to
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-to
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -363,9 +363,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-bto
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-bto
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -378,9 +378,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-cc
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-cc
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -393,9 +393,9 @@ class Base_Object {
|
||||||
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-bcc
|
* @see https://www.w3.org/TR/activitystreams-vocabulary/#dfn-bcc
|
||||||
*
|
*
|
||||||
* @var string
|
* @var string
|
||||||
* | ObjectType
|
* | Base_Object
|
||||||
* | Link
|
* | Link
|
||||||
* | array<ObjectType>
|
* | array<Base_Object>
|
||||||
* | array<Link>
|
* | array<Link>
|
||||||
* | null
|
* | null
|
||||||
*/
|
*/
|
||||||
|
@ -433,7 +433,7 @@ class Base_Object {
|
||||||
*
|
*
|
||||||
* @see https://www.w3.org/TR/activitypub/#source-property
|
* @see https://www.w3.org/TR/activitypub/#source-property
|
||||||
*
|
*
|
||||||
* @var ObjectType
|
* @var Base_Object
|
||||||
*/
|
*/
|
||||||
protected $source;
|
protected $source;
|
||||||
|
|
||||||
|
|
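--- a/includes/class-sanitizer.php
+++ b/includes/class-sanitizer.php
@@ -0,0 +1,136 @@
+<?php
+
+namespace Activitypub;
+
+class Sanitizer {
+
+/**
+* Sanitize a multi-dimensional array
+*
+* @param array $array The array to sanitize.
+*
+* @return array The sanitized array.
+*/
+public static function sanitize_array( $array ) {
+$sanitized_array = array();
+
+foreach ( $array as $key => $value ) {
+$key = self::sanitize_key( $key );
+
+if (
+in_array(
+$key,
+array(
+'summary_map',
+'summaryMap',
+'content_map',
+'contentMap',
+),
+true
+)
+) {
+$sanitized_array[ $key ] = self::sanitize_map( $value );
+} elseif (
+in_array(
+$key,
+array(
+'inbox',
+'outbox',
+'followers',
+'following',
+),
+true
+)
+) {
+if ( is_string( $value ) ) {
+$sanitized_array[ $key ] = sanitize_url( $value );
+} else {
+$sanitized_array[ $key ] = '';
+}
+} elseif ( in_array( $key, array( 'summary', 'content' ), true ) ) {
+$sanitized_array[ $key ] = self::sanitize_html( $value );
+} elseif ( is_array( $value ) ) {
+$sanitized_array[ $key ] = self::sanitize_array( $value );
+} else {
+$sanitized_array[ $key ] = self::sanitize_value( $value );
+}
+}
+
+return $sanitized_array;
+}
+
+/**
+* Sanitize a value.
+*
+* @param string $value The value to sanitize.
+*
+* @return string The sanitized value.
+*/
+public static function sanitize_value( $value ) {
+if ( is_email( $value ) ) {
+return sanitize_email( $value );
+}
+
+if ( filter_var( $value, FILTER_VALIDATE_URL ) ) {
+return sanitize_url( $value );
+}
+
+return sanitize_text_field( $value );
+}
+
+/**
+* Sanitize HTML.
+*
+* @param string $value The value to sanitize.
+*
+* @return string The sanitized value.
+*/
+public static function sanitize_html( $value ) {
+if ( is_array( $value ) ) {
+return '';
+}
+
+global $allowedtags;
+$tags = array_merge(
+$allowedtags,
+array( 'p' => array() )
+);
+
+$value = \preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $value );
+$value = \strip_shortcodes( $value );
+$value = \wptexturize( $value );
+$value = \wp_kses( $value, $tags );
+
+return $value;
+}
+
+/**
+* Sanitize a translation map
+*
+* @param array $map The map to sanitize.
+*
+* @return array The sanitized map.
+*/
+public static function sanitize_map( $map ) {
+$sanitized_map = array();
+
+foreach ( $map as $key => $value ) {
+$key = self::sanitize_key( $key );
+
+$sanitized_map[ $key ] = self::sanitize_html( $value );
+}
+
+return $sanitized_map;
+}
+
+/**
+* Sanitize an array key
+*
+* @param string $key The key to sanitize.
+*
+* @return string The sanitized key.
+*/
+public static function sanitize_key( $key ) {
+return \preg_replace( '/[^a-zA-Z0-9_\-]/', '', $key );
+}
+}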
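Review bot: `sanitize_key` strips `@`, so the JSON-LD `@context` key that every ActivityPub payload carries is rewritten to `context`, which is itself an AS2 property, and in `sanitize_array` the later of two raw keys that normalise to the same string silently overwrites the earlier one (the `type"§$` → `type` case in the test shows the remapping is intended, but the collision is not handled). I would either keep `@` in the allowed set, `return \preg_replace( '/[^a-zA-Z0-9_\-@]/', '', $key );`, or drop a key whose sanitized form differs from the raw one instead of merging it into another property. Separately, `sanitize_map` iterates `$map` without checking it is an array, so a remote `contentMap` sent as a string raises a foreach warning; a guard `if ( ! is_array( $map ) ) { return array(); }` at the top would mirror the `is_array` check already in `sanitize_html`. `sanitize_value` also pushes booleans and integers through `sanitize_text_field`, so `true` comes back as `'1'` and the type of fields such as `sensitive` is lost; an early `return $value;` for non-string scalars would preserve them.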
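--- a/tests/test-class-activitypub-sanitizer.php
+++ b/tests/test-class-activitypub-sanitizer.php
@@ -0,0 +1,43 @@
+<?php
+class Test_Activitypub_Sanitizer extends WP_UnitTestCase {
+/**
+* @dataProvider the_data_provider
+*/
+public function test_sanitize_array( $source, $target ) {
+$sanitizer = new Activitypub\Sanitizer();
+$this->assertEquals( $target, $sanitizer->sanitize_array( $source ) );
+}
+
+public function the_data_provider() {
+return array(
+array(
+array(
+'type"§$' => '<p>Create</p>',
+'content' => '<p>Content</p><script>content</script>',
+'contentMap' => array(
+'en' => '<p>Content</p><script>content</script>',
+),
+'nameMap' => array(
+'en' => '<div>Content</div><script>content</script>',
+),
+'inbox' => 'https://example.org/inbox',
+'outbox' => 'example.org/outbox',
+'name' => 'Gifts\'+OR+1=1--',
+),
+array(
+'type' => 'Create',
+'content' => '<p>Content</p>',
+'contentMap' => array(
+'en' => '<p>Content</p>',
+),
+'nameMap' => array(
+'en' => 'Content',
+),
+'inbox' => 'https://example.org/inbox',
+'outbox' => 'http://example.org/outbox',
+'name' => 'Gifts\'+OR+1=1--',
+),
+),
+);
+}
+}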
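Review bot: The single dataset in `the_data_provider` never reaches the branches that return `''` (a non-string `inbox`/`outbox` value, or an array under `content`/`summary`), nor a `contentMap` whose value is not an array, so those fallbacks in `sanitize_array` and `sanitize_html` are untested; a second dataset with e.g. `'inbox' => array( 'x' )` and `'content' => array( 'y' )` expected to map to `''` would cover them. As a point of style, every `Sanitizer` method is `static`, so `Activitypub\Sanitizer::sanitize_array( $source )` reads more accurately than instantiating the class, and `assertSame` instead of `assertEquals` would also surface the type coercion that loose comparison hides (an integer or boolean field coming back as a string).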