I have successfully developed a function that accomplishes the following:
- It accepts a string as input, which can be either an entire HTML document or an HTML "snippet" (even if it's broken).
- It creates a DOMDocument from the input and iterates through all nodes.
- Whenever it comes across a node with an element outside of a whitelist of basic structural elements, it marks it for deletion. For instance,
<script>is not whitelisted. - If a node has any attribute starting with "on," it is promptly removed using
removeAttribute. The same applies to any "style" attribute, and any "href" attribute whose value begins with "javascript:". - Once all nodes have been processed, the marked nodes are deleted (
). This step is deferred because deleting them in the first loop can cause confusion for the parser.$node->parentNode->removeChild($node) - The resulting document is then saved using
saveHTMLand returned as a cleaned/secured HTML document/snippet represented as a string.
Based on my assessment, there seems to be no exploitable vulnerabilities in this process. Unless there is a flaw in the DOM parser, which is beyond my control/concern.
However, could there be another "onsomething" attribute or some other potential vulnerability that I am overlooking?
I am quite confident in the output of cleaning any HTML sourced from an untrusted external/user-provided origin after being processed by this function. But perhaps I am overconfident?
(I really wish that strip_tags could handle this automatically so I wouldn't have had to develop my own solution.)