Code Coverage for /src/src/CSSMin.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	98.61% covered (success)	98.61%	142 / 144	91.67% covered (success)	91.67%	11 / 12	CRAP	0.00% covered (danger)	0.00%	0 / 1
CSSMin	99.30% covered (success)	99.30%	142 / 143	91.67% covered (success)	91.67%	11 / 12	44	0.00% covered (danger)	0.00%	0 / 1
getLocalFileReferences	100.00% covered (success)	100.00%	17 / 17	100.00% covered (success)	100.00%	1 / 1	7
encodeImageAsDataURI	87.50% covered (warning)	87.50%	7 / 8	0.00% covered (danger)	0.00%	0 / 1	4.03
encodeStringAsDataURI	100.00% covered (success)	100.00%	16 / 16	100.00% covered (success)	100.00%	1 / 1	2
serializeStringValue	100.00% covered (success)	100.00%	5 / 5	100.00% covered (success)	100.00%	1 / 1	1
getMimeType	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	1
buildUrlValue	100.00% covered (success)	100.00%	3 / 3	100.00% covered (success)	100.00%	1 / 1	2
remap	100.00% covered (success)	100.00%	50 / 50	100.00% covered (success)	100.00%	1 / 1	4
isRemoteUrl	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	2
isLocalUrl	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	4
getUrlRegex		n/a	0 / 0		n/a	0 / 0	2
resolveUrl	100.00% covered (success)	100.00%	14 / 14	100.00% covered (success)	100.00%	1 / 1	5
remapOne	100.00% covered (success)	100.00%	19 / 19	100.00% covered (success)	100.00%	1 / 1	9
minify	100.00% covered (success)	100.00%	7 / 7	100.00% covered (success)	100.00%	1 / 1	1

1	<?php
2	/**
3	* Copyright 2010 Trevor Parscal <tparscal@wikimedia.org>
4	*
5	* Licensed under the Apache License, Version 2.0 (the "License");
6	* you may not use this file except in compliance with the License.
7	* You may obtain a copy of the License at
8	*
9	* http://www.apache.org/licenses/LICENSE-2.0
10	*
11	* Unless required by applicable law or agreed to in writing, software
12	* distributed under the License is distributed on an "AS IS" BASIS,
13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14	* See the License for the specific language governing permissions and
15	* limitations under the License.
16	*
17	* @file
18	* @license Apache-2.0
19	*/
20
21	namespace Wikimedia\Minify;
22
23	use Net_URL2;
24
25	/**
26	* Transforms CSS data.
27	*
28	* This class provides minification, URL remapping, URL extracting, and data-URL embedding.
29	*/
30	class CSSMin {
31
32	/**
33	* Strip marker for comments
34	*/
35	private const PLACEHOLDER = "\x7fPLACEHOLDER\x7f";
36
37	/**
38	* Maximum file size to embed in a stylesheet.
39	*
40	* Use of `@embed` is generally discouraged (see T121730, T118514, and T120984).
41	*
42	* In a nut shell: Stylesheets, and thus any images we embed inside of them,
43	* are required to be fully downloaded by a browser before literally any content
44	* or interface component can be rendered on-screen. Embedding an image means
45	* you are saying it is more important to render this image than to render the
46	* page content (or that it is undesirable to render even the first paragraph
47	* of an article unless this image is also immediately there in the first paint).
48	*
49	* There are some cases where a small image can be worth embedding, for example
50	* if the image's file size is comparable or smaller than to size of the URL from
51	* which it would be lazy-loaded when CSS rules are applied. In that case, embedding
52	* the file content in place of the web address could be an uncompromising win for
53	* all users.
54	*
55	* To avoid mistakes and protect performance, we put an arbitrary limit on this.
56	* If a file is larger than this limit, it should probably be loaded using the
57	* default CSS behaviour (by URL, without `@embed` instruction), or embedded as
58	* SVG directly in the HTML response if it is such a vital part of the page.
59	*
60	* See encodeImageAsDataURI().
61	*/
62	private const DATA_URI_SIZE_LIMIT = 32768;
63
64	private const EMBED_REGEX = '\/\\s\@embed\s\\/';
65	private const COMMENT_REGEX = '\/\.?\*\/';
66
67	/**
68	* List of common image files extensions and MIME-types
69	*/
70	private const MIME_TYPES = [
71	'gif' => 'image/gif',
72	'jpe' => 'image/jpeg',
73	'jpeg' => 'image/jpeg',
74	'jpg' => 'image/jpeg',
75	'png' => 'image/png',
76	'tif' => 'image/tiff',
77	'tiff' => 'image/tiff',
78	'xbm' => 'image/x-xbitmap',
79	'svg' => 'image/svg+xml',
80	];
81
82	/**
83	* Get a list of local files referenced in a stylesheet (includes non-existent files).
84	*
85	* @param string $source CSS stylesheet source to process
86	* @param string $path File path where the source was read from
87	* @return string[] List of local file references
88	*/
89	public static function getLocalFileReferences( $source, $path ) {
90	$stripped = preg_replace( '/' . self::COMMENT_REGEX . '/s', '', $source );
91	$path = rtrim( $path, '/' ) . '/';
92	$files = [];
93
94	$rFlags = PREG_OFFSET_CAPTURE \| PREG_SET_ORDER;
95	if ( preg_match_all( '/' . self::getUrlRegex() . '/J', $stripped, $matches, $rFlags ) ) {
96	foreach ( $matches as $match ) {
97	$url = $match['file'][0];
98
99	// Skip fully-qualified and protocol-relative URLs and data URIs
100	if (
101	strpos( $url, '//' ) === 0 \|\|
102	parse_url( $url, PHP_URL_SCHEME )
103	) {
104	break;
105	}
106
107	// Strip trailing anchors - T115436
108	$anchor = strpos( $url, '#' );
109	if ( $anchor !== false ) {
110	$url = substr( $url, 0, $anchor );
111
112	// '#some-anchors' is not a file
113	if ( $url === '' ) {
114	break;
115	}
116	}
117
118	$files[] = $path . $url;
119	}
120	}
121	return $files;
122	}
123
124	/**
125	* Encode an image file as a data URI.
126	*
127	* If the image file has a suitable MIME type and size, encode it as a data URI, base64-encoded
128	* for binary files or just percent-encoded otherwise. Return false if the image type is
129	* unfamiliar or the file exceeds the size limit.
130	*
131	* @param string $file Image file to encode.
132	* @param string\|null $type File's MIME type or null. If null, CSSMin will
133	* try to autodetect the type.
134	* @return string\|false Image contents encoded as a data URI or false.
135	*/
136	public static function encodeImageAsDataURI( $file, $type = null ) {
137	// Fast-fail for files that exceed the maximum data URI length
138	if ( filesize( $file ) >= self::DATA_URI_SIZE_LIMIT ) {
139	trigger_error( "File exceeds limit for embedded files: $file", E_USER_WARNING );
140	return false;
141	}
142
143	if ( $type === null ) {
144	$type = self::getMimeType( $file );
145	}
146	if ( !$type ) {
147	return false;
148	}
149
150	return self::encodeStringAsDataURI( file_get_contents( $file ), $type );
151	}
152
153	/**
154	* Encode file contents as a data URI with chosen MIME type.
155	*
156	* The URI will be base64-encoded for binary files or just percent-encoded otherwise.
157	*
158	* @since 2.0.0
159	* @param string $contents File contents to encode.
160	* @param string $type File's MIME type.
161	* @return string Image contents encoded as a data URI or false.
162	*/
163	public static function encodeStringAsDataURI( $contents, $type ) {
164	// Try #1: Non-encoded data URI
165	// Remove XML declaration, it's not needed with data URI usage
166	$contents = preg_replace( "/<\\?xml.*?\\?>/", '', $contents );
167	// The regular expression matches ASCII whitespace and printable characters.
168	if ( preg_match( '/^[\r\n\t\x20-\x7e]+$/', $contents ) ) {
169	// Do not base64-encode non-binary files (sensible SVGs).
170	// (This often produces longer URLs, but they compress better, yielding a net smaller size.)
171	$encoded = rawurlencode( $contents );
172	// Unencode some things that don't need to be encoded, to make the encoding smaller
173	$encoded = strtr( $encoded, [
174	// Unencode spaces
175	'%20' => ' ',
176	// Unencode slashes
177	'%2F' => '/',
178	// Unencode colons
179	'%3A' => ':',
180	// Unencode equals signs
181	'%3D' => '=',
182	// Change newlines to spaces
183	'%0A' => ' ',
184	// Change carriage returns to spaces
185	'%0D' => ' ',
186	// Change tabs to spaces
187	'%09' => ' ',
188	] );
189	// Consolidate runs of multiple spaces in a row
190	$encoded = preg_replace( '/ {2,}/', ' ', $encoded );
191	// Remove leading and trailing spaces
192	$encoded = trim( $encoded, ' ' );
193	return 'data:' . $type . ',' . $encoded;
194	}
195
196	// Try #2: Encoded data URI
197	return 'data:' . $type . ';base64,' . base64_encode( $contents );
198	}
199
200	/**
201	* Serialize a string (escape and quote) for use as a CSS string value.
202	* https://drafts.csswg.org/cssom/#serialize-a-string
203	*
204	* @param string $value
205	* @return string
206	*/
207	public static function serializeStringValue( $value ) {
208	$value = strtr( $value, [ "\0" => "\u{FFFD}", '\\' => '\\\\', '"' => '\\"' ] );
209	$value = preg_replace_callback( '/[\x01-\x1f\x7f]/', static function ( $match ) {
210	return '\\' . base_convert( (string)ord( $match[0] ), 10, 16 ) . ' ';
211	}, $value );
212	return '"' . $value . '"';
213	}
214
215	/**
216	* @param string $file
217	* @return bool\|string
218	*/
219	public static function getMimeType( $file ) {
220	// Infer the MIME-type from the file extension
221	$ext = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
222	return self::MIME_TYPES[$ext] ?? mime_content_type( realpath( $file ) );
223	}
224
225	/**
226	* Build a CSS 'url()' value for the given URL, quoting parentheses (and other funny characters)
227	* and escaping quotes as necessary.
228	*
229	* See http://www.w3.org/TR/css-syntax-3/#consume-a-url-token
230	*
231	* @param string $url URL to process
232	* @return string 'url()' value, usually just `"url($url)"`, quoted/escaped if necessary
233	*/
234	public static function buildUrlValue( $url ) {
235	// The list below has been crafted to match URLs such as:
236	// scheme://user@domain:port/~user/fi%20le.png?query=yes&really=y+s
237	// data:image/png;base64,R0lGODlh/+==
238	if ( preg_match( '!^[\w:@/~.%+;,?&=-]+$!', $url ) ) {
239	return "url($url)";
240	} else {
241	return 'url("' . strtr( $url, [ '\\' => '\\\\', '"' => '\\"' ] ) . '")';
242	}
243	}
244
245	/**
246	* Remaps CSS URL paths and automatically embeds data URIs for CSS rules
247	* or url() values preceded by an `/ * @embed * /` comment.
248	*
249	* @param string $source CSS data to remap
250	* @param string $local File path where the source was read from
251	* @param string $remote Full URL to the file's directory (may be protocol-relative, trailing slash is optional)
252	* @param bool $embedData If false, never do any data URI embedding,
253	* even if `/ * @embed * /` is found.
254	* @return string Remapped CSS data
255	*/
256	public static function remap( $source, $local, $remote, $embedData = true ) {
257	// High-level overview:
258	// * For each CSS rule in $source that includes at least one url() value:
259	// * Check for an @embed comment at the start indicating that all URIs should be embedded
260	// * For each url() value:
261	// * Check for an @embed comment directly preceding the value
262	// * If either @embed comment exists:
263	// * Embedding the URL as data: URI, if it's possible / allowed
264	// * Otherwise remap the URL to work in generated stylesheets
265
266	// Guard against trailing slashes, because "some/remote/../foo.png"
267	// resolves to "some/remote/foo.png" on (some?) clients (T29052).
268	// But, don't turn "/" into "" since that is invalid as base URL (T282280).
269	$remote = $remote === '/' ? $remote : rtrim( $remote, '/' );
270
271	// Disallow U+007F DELETE, which is illegal anyway, and which
272	// we use for comment placeholders.
273	$source = strtr( $source, "\x7f", "?" );
274
275	// Replace all comments by a placeholder so they will not interfere with the remapping.
276	// Warning: This will also catch on anything looking like the start of a comment between
277	// quotation marks (e.g. "foo /* bar").
278	$comments = [];
279
280	$pattern = '/(?!' . self::EMBED_REGEX . ')(' . self::COMMENT_REGEX . ')/s';
281
282	$source = preg_replace_callback(
283	$pattern,
284	static function ( $match ) use ( &$comments ) {
285	$comments[] = $match[ 0 ];
286	return self::PLACEHOLDER . ( count( $comments ) - 1 ) . 'x';
287	},
288	$source
289	);
290
291	// Note: This will not correctly handle cases where ';', '{' or '}'
292	// appears in the rule itself, e.g. in a quoted string. You are advised
293	// not to use such characters in file names. We also match start/end of
294	// the string to be consistent in edge-cases ('@import url(…)').
295	$pattern = '/(?:^\|[;{])\K[^;{}]' . self::getUrlRegex() . '[^;}](?=[;}]\|$)/J';
296
297	$source = preg_replace_callback(
298	$pattern,
299	static function ( $matchOuter ) use ( $local, $remote, $embedData ) {
300	$rule = $matchOuter[0];
301
302	// Check for global @embed comment and remove it. Allow other comments to be present
303	// before @embed (they have been replaced with placeholders at this point).
304	$embedAll = false;
305	$rule = preg_replace(
306	'/^((?:\s+\|' .
307	self::PLACEHOLDER .
308	'(\d+)x)*)' .
309	self::EMBED_REGEX .
310	'\s*/',
311	'$1',
312	$rule,
313	1,
314	$embedAll
315	);
316
317	// Build two versions of current rule: with remapped URLs
318	// and with embedded data: URIs (where possible).
319	$pattern = '/(?P<embed>' . self::EMBED_REGEX . '\s*\|)' . self::getUrlRegex() . '/J';
320
321	return preg_replace_callback(
322	$pattern,
323	static function ( $match ) use ( $local, $remote, $embedData, $embedAll ) {
324	// For each url reference in the CSS, call remapOne()
325	// to insert either a remapped URL or an embedded data URI.
326	// We enable use of data URIs if both of these are true:
327	// 1. The PHP caller enabled the option,
328	// 2. and, the CSS declared `@embed` either above the rule
329	// for all URLs inside that block, or above the individual
330	// property for that one property.
331	$embedOne = $embedData && ( $embedAll \|\| $match['embed'] );
332	$remapped = self::remapOne(
333	$match['file'],
334	$match['query'],
335	$local,
336	$remote,
337	$embedOne
338	);
339	return self::buildUrlValue( $remapped );
340	},
341	$rule
342	);
343	}, $source );
344
345	// Re-insert comments
346	$pattern = '/' . self::PLACEHOLDER . '(\d+)x/';
347	return preg_replace_callback( $pattern, static function ( $match ) use ( &$comments ) {
348	return $comments[ $match[1] ];
349	}, $source );
350	}
351
352	/**
353	* Is this CSS rule referencing a remote URL?
354	*
355	* @param string $maybeUrl
356	* @return bool
357	*/
358	protected static function isRemoteUrl( $maybeUrl ) {
359	return strpos( $maybeUrl, '//' ) === 0 \|\| parse_url( $maybeUrl, PHP_URL_SCHEME );
360	}
361
362	/**
363	* Is this CSS rule referencing a local URL?
364	*
365	* @param string $maybeUrl
366	* @return bool
367	*/
368	protected static function isLocalUrl( $maybeUrl ) {
369	// Accept "/" (known local)
370	// Accept "/anything" (known local)
371	// Reject "//anything" (known remote)
372	// Reject "" (invalid/uncertain)
373	return $maybeUrl === '/' \|\| ( isset( $maybeUrl[1] ) && $maybeUrl[0] === '/' && $maybeUrl[1] !== '/' );
374	}
375
376	/**
377	* @codeCoverageIgnore
378	* @return string
379	*/
380	private static function getUrlRegex() {
381	static $urlRegex;
382	if ( $urlRegex === null ) {
383	$urlRegex = '(' .
384	// Unquoted url
385	'url$\s(?P<file>[^\s\'"][^\?$]+?)(?P<query>\?[^\)]?\|)\s*\)' .
386	// Single quoted url
387	'\|url$\s\'(?P<file>[^\?\']+?)(?P<query>\?[^\']?\|)\'\s*$' .
388	// Double quoted url
389	'\|url$\s"(?P<file>[^\?"]+?)(?P<query>\?[^"]?\|)"\s*$' .
390	')';
391	}
392	return $urlRegex;
393	}
394
395	/**
396	* Resolve a possibly-relative URL against a base URL.
397	*
398	* @param string $base
399	* @param string $url
400	* @return string
401	*/
402	private static function resolveUrl( string $base, string $url ): string {
403	// Net_URL2::resolve() doesn't allow for resolving against server-less URLs.
404	// We need this as for MediaWiki/ResourceLoader, the remote base path may either
405	// be separate (e.g. a separate domain), or simply local (like "/w"). In the
406	// local case, we don't want to needlessly include the server in the output.
407	$isServerless = self::isLocalUrl( $base );
408	if ( $isServerless ) {
409	$base = "https://placeholder.invalid$base";
410	}
411	// Net_URL2::resolve() doesn't allow for protocol-relative URLs, but we want to.
412	$isProtoRelative = strpos( $base, '//' ) === 0;
413	if ( $isProtoRelative ) {
414	$base = "https:$base";
415	}
416
417	$baseUrl = new Net_URL2( $base );
418	$ret = $baseUrl->resolve( $url );
419	if ( $isProtoRelative ) {
420	$ret->setScheme( false );
421	}
422	if ( $isServerless ) {
423	$ret->setScheme( false );
424	$ret->setHost( false );
425	}
426	return $ret->getURL();
427	}
428
429	/**
430	* Remap or embed a CSS URL path.
431	*
432	* @param string $file URL to remap/embed
433	* @param string $query
434	* @param string $local File path where the source was read from
435	* @param string $remote Full URL to the file's directory (may be protocol-relative, trailing slash is optional)
436	* @param bool $embed Whether to do any data URI embedding
437	* @return string Remapped/embedded URL data
438	*/
439	public static function remapOne( $file, $query, $local, $remote, $embed ) {
440	// The full URL possibly with query, as passed to the 'url()' value in CSS
441	$url = $file . $query;
442
443	// Expand local URLs with absolute paths to a full URL (possibly protocol-relative).
444	if ( self::isLocalUrl( $url ) ) {
445	return self::resolveUrl( $remote, $url );
446	}
447
448	// Pass through fully-qualified and protocol-relative URLs and data URIs, as well as local URLs if
449	// we can't expand them.
450	// Also skips anchors or the rare `behavior` property specifying application's default behavior
451	if (
452	self::isRemoteUrl( $url ) \|\|
453	( $url[0] ?? '' ) === '#'
454	) {
455	return $url;
456	}
457
458	// The $remote must have a trailing slash beyond this point for correct path resolution.
459	if ( ( $remote[-1] ?? '' ) !== '/' ) {
460	$remote .= '/';
461	}
462
463	if ( $local === false ) {
464	// CSS specifies a path that is neither a local file path, nor a local URL.
465	// It is probably already a fully-qualitied URL or data URI, but try to expand
466	// it just in case.
467	$url = self::resolveUrl( $remote, $url );
468	} else {
469	// We drop the query part here and instead make the path relative to $remote
470	$url = self::resolveUrl( $remote, $file );
471	// Path to the actual file on the filesystem
472	$localFile = "{$local}/{$file}";
473	if ( file_exists( $localFile ) ) {
474	if ( $embed ) {
475	$data = self::encodeImageAsDataURI( $localFile );
476	if ( $data !== false ) {
477	return $data;
478	}
479	}
480	// Add version parameter as the first five hex digits
481	// of the MD5 hash of the file's contents.
482	$url .= '?' . substr( md5_file( $localFile ), 0, 5 );
483	}
484	// If any of these conditions failed (file missing, we don't want to embed it
485	// or it's not embeddable), return the URL (possibly with ?timestamp part)
486	}
487	return $url;
488	}
489
490	/**
491	* Removes whitespace from CSS data
492	*
493	* @param string $css CSS data to minify
494	* @return string Minified CSS data
495	*/
496	public static function minify( $css ) {
497	return trim(
498	str_replace(
499	[ '; ', ': ', ' {', '{ ', ', ', '} ', ';}', '( ', ' )', '[ ', ' ]' ],
500	[ ';', ':', '{', '{', ',', '}', '}', '(', ')', '[', ']' ],
501	preg_replace( [ '/\s+/', '/\/\.?\*\//s' ], [ ' ', '' ], $css )
502	)
503	);
504	}
505	}
506
507	/**
508	* @deprecated since 2.1.0 Use Wikimedia\Minify\CSSMin instead
509	*/
510	class_alias( CSSMin::class, 'CSSMin' );