Code Coverage for /src/src/CSSMin.php

	Code Coverage
	Lines			Functions and Methods				Classes and Traits
Total	98.61% covered (success)	98.61%	142 / 144	91.67% covered (success)	91.67%	11 / 12	CRAP	0.00% covered (danger)	0.00%	0 / 1
CSSMin	99.30% covered (success)	99.30%	142 / 143	91.67% covered (success)	91.67%	11 / 12	44	0.00% covered (danger)	0.00%	0 / 1
getLocalFileReferences	100.00% covered (success)	100.00%	17 / 17	100.00% covered (success)	100.00%	1 / 1	7
encodeImageAsDataURI	87.50% covered (warning)	87.50%	7 / 8	0.00% covered (danger)	0.00%	0 / 1	4.03
encodeStringAsDataURI	100.00% covered (success)	100.00%	16 / 16	100.00% covered (success)	100.00%	1 / 1	2
serializeStringValue	100.00% covered (success)	100.00%	5 / 5	100.00% covered (success)	100.00%	1 / 1	1
getMimeType	100.00% covered (success)	100.00%	2 / 2	100.00% covered (success)	100.00%	1 / 1	1
buildUrlValue	100.00% covered (success)	100.00%	3 / 3	100.00% covered (success)	100.00%	1 / 1	2
remap	100.00% covered (success)	100.00%	50 / 50	100.00% covered (success)	100.00%	1 / 1	4
isRemoteUrl	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	2
isLocalUrl	100.00% covered (success)	100.00%	1 / 1	100.00% covered (success)	100.00%	1 / 1	4
getUrlRegex		n/a	0 / 0		n/a	0 / 0	2
resolveUrl	100.00% covered (success)	100.00%	14 / 14	100.00% covered (success)	100.00%	1 / 1	5
remapOne	100.00% covered (success)	100.00%	19 / 19	100.00% covered (success)	100.00%	1 / 1	9
minify	100.00% covered (success)	100.00%	7 / 7	100.00% covered (success)	100.00%	1 / 1	1

1	<?php
2	/**
3	* Copyright 2010 Trevor Parscal <tparscal@wikimedia.org>
4	*
5	* Licensed under the Apache License, Version 2.0 (the "License");
6	* you may not use this file except in compliance with the License.
7	* You may obtain a copy of the License at
8	*
9	* http://www.apache.org/licenses/LICENSE-2.0
10	*
11	* Unless required by applicable law or agreed to in writing, software
12	* distributed under the License is distributed on an "AS IS" BASIS,
13	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14	* See the License for the specific language governing permissions and
15	* limitations under the License.
16	*
17	* @file
18	* @license Apache-2.0
19	*/
20
21	namespace Wikimedia\Minify;
22
23	use Net_URL2;
24
25	/**
26	* Transforms CSS data.
27	*
28	* This class provides minification, URL remapping, URL extracting, and data-URL embedding.
29	*/
30	class CSSMin {
31
32	/**
33	* Strip marker for comments
34	*/
35	private const PLACEHOLDER = "\x7fPLACEHOLDER\x7f";
36
37	/**
38	* Maximum file size to embed in a stylesheet.
39	*
40	* Use of `@embed` is generally discouraged (see T121730, T118514, and T120984).
41	*
42	* In a nut shell: Stylesheets, and thus any images we embed inside of them,
43	* are required to be fully downloaded by a browser before literally any content
44	* or interface component can be rendered on-screen. Embedding an image means
45	* you are saying it is more important to render this image than to render the
46	* page content (or that it is undesirable to render even the first paragraph
47	* of an article unless this image is also immediately there in the first paint).
48	*
49	* There are some cases where a small image can be worth embedding, for example
50	* if the image's file size is comparable or smaller than to size of the URL from
51	* which it would be lazy-loaded when CSS rules are applied. In that case, embedding
52	* the file content in place of the web address could be an uncompromising win for
53	* all users.
54	*
55	* To avoid mistakes and protect performance we put an arbitrary limit on this.
56	* If a file is larger than this limit, it should probably be loaded using the
57	* default CSS behaviour (by URL, without `@embed` instruction), or embedded as
58	* SVG directly in the HTML response if it is such a vital part of the page.
59	*
60	* See encodeImageAsDataURI().
61	*/
62	private const DATA_URI_SIZE_LIMIT = 32768;
63
64	private const EMBED_REGEX = '\/\\s\@embed\s\\/';
65	private const COMMENT_REGEX = '\/\.?\*\/';
66
67	/**
68	* List of common image files extensions and MIME-types
69	*/
70	private const MIME_TYPES = [
71	'gif' => 'image/gif',
72	'jpe' => 'image/jpeg',
73	'jpeg' => 'image/jpeg',
74	'jpg' => 'image/jpeg',
75	'png' => 'image/png',
76	'tif' => 'image/tiff',
77	'tiff' => 'image/tiff',
78	'xbm' => 'image/x-xbitmap',
79	'svg' => 'image/svg+xml',
80	];
81
82	/**
83	* Get a list of local files referenced in a stylesheet (includes non-existent files).
84	*
85	* @param string $source CSS stylesheet source to process
86	* @param string $path File path where the source was read from
87	* @return string[] List of local file references
88	*/
89	public static function getLocalFileReferences( $source, $path ) {
90	$stripped = preg_replace( '/' . self::COMMENT_REGEX . '/s', '', $source );
91	$path = rtrim( $path, '/' ) . '/';
92	$files = [];
93
94	$rFlags = PREG_OFFSET_CAPTURE \| PREG_SET_ORDER;
95	if ( preg_match_all( '/' . self::getUrlRegex() . '/J', $stripped, $matches, $rFlags ) ) {
96	foreach ( $matches as $match ) {
97	$url = $match['file'][0];
98
99	// Skip fully-qualified and protocol-relative URLs and data URIs
100	if (
101	strpos( $url, '//' ) === 0 \|\|
102	parse_url( $url, PHP_URL_SCHEME )
103	) {
104	break;
105	}
106
107	// Strip trailing anchors - T115436
108	$anchor = strpos( $url, '#' );
109	if ( $anchor !== false ) {
110	$url = substr( $url, 0, $anchor );
111
112	// '#some-anchors' is not a file
113	if ( $url === '' ) {
114	break;
115	}
116	}
117
118	$files[] = $path . $url;
119	}
120	}
121	return $files;
122	}
123
124	/**
125	* Encode an image file as a data URI.
126	*
127	* If the image file has a suitable MIME type and size, encode it as a data URI, base64-encoded
128	* for binary files or just percent-encoded otherwise. Return false if the image type is
129	* unfamiliar or file exceeds the size limit.
130	*
131	* @param string $file Image file to encode.
132	* @param string\|null $type File's MIME type or null. If null, CSSMin will
133	* try to autodetect the type.
134	* @return string\|false Image contents encoded as a data URI or false.
135	*/
136	public static function encodeImageAsDataURI( $file, $type = null ) {
137	// Fast-fail for files that exceed the maximum data URI length
138	if ( filesize( $file ) >= self::DATA_URI_SIZE_LIMIT ) {
139	trigger_error( "File exceeds limit for embedded files: $file", E_USER_WARNING );
140	return false;
141	}
142
143	if ( $type === null ) {
144	$type = self::getMimeType( $file );
145	}
146	if ( !$type ) {
147	return false;
148	}
149
150	return self::encodeStringAsDataURI( file_get_contents( $file ), $type );
151	}
152
153	/**
154	* Encode file contents as a data URI with chosen MIME type.
155	*
156	* The URI will be base64-encoded for binary files or just percent-encoded otherwise.
157	*
158	* @since 2.0.0
159	* @param string $contents File contents to encode.
160	* @param string $type File's MIME type.
161	* @return string Image contents encoded as a data URI or false.
162	*/
163	public static function encodeStringAsDataURI( $contents, $type ) {
164	// Try #1: Non-encoded data URI
165	// Remove XML declaration, it's not needed with data URI usage
166	$contents = preg_replace( "/<\\?xml.*?\\?>/", '', $contents );
167	// The regular expression matches ASCII whitespace and printable characters.
168	if ( preg_match( '/^[\r\n\t\x20-\x7e]+$/', $contents ) ) {
169	// Do not base64-encode non-binary files (sensible SVGs).
170	// (This often produces longer URLs, but they compress better, yielding a net smaller size.)
171	$encoded = rawurlencode( $contents );
172	// Unencode some things that don't need to be encoded, to make the encoding smaller
173	$encoded = strtr( $encoded, [
174	'%20' => ' ', // Unencode spaces
175	'%2F' => '/', // Unencode slashes
176	'%3A' => ':', // Unencode colons
177	'%3D' => '=', // Unencode equals signs
178	'%0A' => ' ', // Change newlines to spaces
179	'%0D' => ' ', // Change carriage returns to spaces
180	'%09' => ' ', // Change tabs to spaces
181	] );
182	// Consolidate runs of multiple spaces in a row
183	$encoded = preg_replace( '/ {2,}/', ' ', $encoded );
184	// Remove leading and trailing spaces
185	$encoded = trim( $encoded, ' ' );
186	return 'data:' . $type . ',' . $encoded;
187	}
188
189	// Try #2: Encoded data URI
190	return 'data:' . $type . ';base64,' . base64_encode( $contents );
191	}
192
193	/**
194	* Serialize a string (escape and quote) for use as a CSS string value.
195	* https://drafts.csswg.org/cssom/#serialize-a-string
196	*
197	* @param string $value
198	* @return string
199	*/
200	public static function serializeStringValue( $value ) {
201	$value = strtr( $value, [ "\0" => "\u{FFFD}", '\\' => '\\\\', '"' => '\\"' ] );
202	$value = preg_replace_callback( '/[\x01-\x1f\x7f]/', static function ( $match ) {
203	return '\\' . base_convert( (string)ord( $match[0] ), 10, 16 ) . ' ';
204	}, $value );
205	return '"' . $value . '"';
206	}
207
208	/**
209	* @param string $file
210	* @return bool\|string
211	*/
212	public static function getMimeType( $file ) {
213	// Infer the MIME-type from the file extension
214	$ext = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
215	return self::MIME_TYPES[$ext] ?? mime_content_type( realpath( $file ) );
216	}
217
218	/**
219	* Build a CSS 'url()' value for the given URL, quoting parentheses (and other funny characters)
220	* and escaping quotes as necessary.
221	*
222	* See http://www.w3.org/TR/css-syntax-3/#consume-a-url-token
223	*
224	* @param string $url URL to process
225	* @return string 'url()' value, usually just `"url($url)"`, quoted/escaped if necessary
226	*/
227	public static function buildUrlValue( $url ) {
228	// The list below has been crafted to match URLs such as:
229	// scheme://user@domain:port/~user/fi%20le.png?query=yes&really=y+s
230	// data:image/png;base64,R0lGODlh/+==
231	if ( preg_match( '!^[\w:@/~.%+;,?&=-]+$!', $url ) ) {
232	return "url($url)";
233	} else {
234	return 'url("' . strtr( $url, [ '\\' => '\\\\', '"' => '\\"' ] ) . '")';
235	}
236	}
237
238	/**
239	* Remaps CSS URL paths and automatically embeds data URIs for CSS rules
240	* or url() values preceded by an `/ * @embed * /` comment.
241	*
242	* @param string $source CSS data to remap
243	* @param string $local File path where the source was read from
244	* @param string $remote Full URL to the file's directory (may be protocol-relative, trailing slash is optional)
245	* @param bool $embedData If false, never do any data URI embedding,
246	* even if `/ * @embed * /` is found.
247	* @return string Remapped CSS data
248	*/
249	public static function remap( $source, $local, $remote, $embedData = true ) {
250	// High-level overview:
251	// * For each CSS rule in $source that includes at least one url() value:
252	// * Check for an @embed comment at the start indicating that all URIs should be embedded
253	// * For each url() value:
254	// * Check for an @embed comment directly preceding the value
255	// * If either @embed comment exists:
256	// * Embedding the URL as data: URI, if it's possible / allowed
257	// * Otherwise remap the URL to work in generated stylesheets
258
259	// Guard against trailing slashes, because "some/remote/../foo.png"
260	// resolves to "some/remote/foo.png" on (some?) clients (T29052).
261	// But, don't turn "/" into "" since that is invalid as base URL (T282280).
262	$remote = $remote === '/' ? $remote : rtrim( $remote, '/' );
263
264	// Disallow U+007F DELETE, which is illegal anyway, and which
265	// we use for comment placeholders.
266	$source = strtr( $source, "\x7f", "?" );
267
268	// Replace all comments by a placeholder so they will not interfere with the remapping.
269	// Warning: This will also catch on anything looking like the start of a comment between
270	// quotation marks (e.g. "foo /* bar").
271	$comments = [];
272
273	$pattern = '/(?!' . self::EMBED_REGEX . ')(' . self::COMMENT_REGEX . ')/s';
274
275	$source = preg_replace_callback(
276	$pattern,
277	static function ( $match ) use ( &$comments ) {
278	$comments[] = $match[ 0 ];
279	return self::PLACEHOLDER . ( count( $comments ) - 1 ) . 'x';
280	},
281	$source
282	);
283
284	// Note: This will not correctly handle cases where ';', '{' or '}'
285	// appears in the rule itself, e.g. in a quoted string. You are advised
286	// not to use such characters in file names. We also match start/end of
287	// the string to be consistent in edge-cases ('@import url(…)').
288	$pattern = '/(?:^\|[;{])\K[^;{}]' . self::getUrlRegex() . '[^;}](?=[;}]\|$)/J';
289
290	$source = preg_replace_callback(
291	$pattern,
292	static function ( $matchOuter ) use ( $local, $remote, $embedData ) {
293	$rule = $matchOuter[0];
294
295	// Check for global @embed comment and remove it. Allow other comments to be present
296	// before @embed (they have been replaced with placeholders at this point).
297	$embedAll = false;
298	$rule = preg_replace(
299	'/^((?:\s+\|' .
300	self::PLACEHOLDER .
301	'(\d+)x)*)' .
302	self::EMBED_REGEX .
303	'\s*/',
304	'$1',
305	$rule,
306	1,
307	$embedAll
308	);
309
310	// Build two versions of current rule: with remapped URLs
311	// and with embedded data: URIs (where possible).
312	$pattern = '/(?P<embed>' . self::EMBED_REGEX . '\s*\|)' . self::getUrlRegex() . '/J';
313
314	return preg_replace_callback(
315	$pattern,
316	static function ( $match ) use ( $local, $remote, $embedData, $embedAll ) {
317	// For each url reference in the CSS, call remapOne()
318	// to insert either a remapped URL or an embedded data URI.
319	// We enable use of data URIs if both of these are true:
320	// 1. The PHP caller enabled the option,
321	// 2. and, the CSS declared `@embed` either above the rule
322	// for all URLs inside that block, or above the individual
323	// property for that one property.
324	$embedOne = $embedData && ( $embedAll \|\| $match['embed'] );
325	$remapped = self::remapOne(
326	$match['file'],
327	$match['query'],
328	$local,
329	$remote,
330	$embedOne
331	);
332	return self::buildUrlValue( $remapped );
333	},
334	$rule
335	);
336	}, $source );
337
338	// Re-insert comments
339	$pattern = '/' . self::PLACEHOLDER . '(\d+)x/';
340	return preg_replace_callback( $pattern, static function ( $match ) use ( &$comments ) {
341	return $comments[ $match[1] ];
342	}, $source );
343	}
344
345	/**
346	* Is this CSS rule referencing a remote URL?
347	*
348	* @param string $maybeUrl
349	* @return bool
350	*/
351	protected static function isRemoteUrl( $maybeUrl ) {
352	return strpos( $maybeUrl, '//' ) === 0 \|\| parse_url( $maybeUrl, PHP_URL_SCHEME );
353	}
354
355	/**
356	* Is this CSS rule referencing a local URL?
357	*
358	* @param string $maybeUrl
359	* @return bool
360	*/
361	protected static function isLocalUrl( $maybeUrl ) {
362	// Accept "/" (known local)
363	// Accept "/anything" (known local)
364	// Reject "//anything" (known remote)
365	// Reject "" (invalid/uncertain)
366	return $maybeUrl === '/' \|\| ( isset( $maybeUrl[1] ) && $maybeUrl[0] === '/' && $maybeUrl[1] !== '/' );
367	}
368
369	/**
370	* @codeCoverageIgnore
371	* @return string
372	*/
373	private static function getUrlRegex() {
374	static $urlRegex;
375	if ( $urlRegex === null ) {
376	$urlRegex = '(' .
377	// Unquoted url
378	'url$\s(?P<file>[^\s\'"][^\?$]+?)(?P<query>\?[^\)]?\|)\s*\)' .
379	// Single quoted url
380	'\|url$\s\'(?P<file>[^\?\']+?)(?P<query>\?[^\']?\|)\'\s*$' .
381	// Double quoted url
382	'\|url$\s"(?P<file>[^\?"]+?)(?P<query>\?[^"]?\|)"\s*$' .
383	')';
384	}
385	return $urlRegex;
386	}
387
388	/**
389	* Resolve a possibly-relative URL against a base URL.
390	*
391	* @param string $base
392	* @param string $url
393	* @return string
394	*/
395	private static function resolveUrl( string $base, string $url ): string {
396	// Net_URL2::resolve() doesn't allow for resolving against server-less URLs.
397	// We need this as for MediaWiki/ResourceLoader, the remote base path may either
398	// be separate (e.g. a separate domain), or simply local (like "/w"). In the
399	// local case, we don't want to needlessly include the server in the output.
400	$isServerless = self::isLocalUrl( $base );
401	if ( $isServerless ) {
402	$base = "https://placeholder.invalid$base";
403	}
404	// Net_URL2::resolve() doesn't allow for protocol-relative URLs, but we want to.
405	$isProtoRelative = strpos( $base, '//' ) === 0;
406	if ( $isProtoRelative ) {
407	$base = "https:$base";
408	}
409
410	$baseUrl = new Net_URL2( $base );
411	$ret = $baseUrl->resolve( $url );
412	if ( $isProtoRelative ) {
413	$ret->setScheme( false );
414	}
415	if ( $isServerless ) {
416	$ret->setScheme( false );
417	$ret->setHost( false );
418	}
419	return $ret->getURL();
420	}
421
422	/**
423	* Remap or embed a CSS URL path.
424	*
425	* @param string $file URL to remap/embed
426	* @param string $query
427	* @param string $local File path where the source was read from
428	* @param string $remote Full URL to the file's directory (may be protocol-relative, trailing slash is optional)
429	* @param bool $embed Whether to do any data URI embedding
430	* @return string Remapped/embedded URL data
431	*/
432	public static function remapOne( $file, $query, $local, $remote, $embed ) {
433	// The full URL possibly with query, as passed to the 'url()' value in CSS
434	$url = $file . $query;
435
436	// Expand local URLs with absolute paths to a full URL (possibly protocol-relative).
437	if ( self::isLocalUrl( $url ) ) {
438	return self::resolveUrl( $remote, $url );
439	}
440
441	// Pass through fully-qualified and protocol-relative URLs and data URIs, as well as local URLs if
442	// we can't expand them.
443	// Also skips anchors or the rare `behavior` property specifying application's default behavior
444	if (
445	self::isRemoteUrl( $url ) \|\|
446	( $url[0] ?? '' ) === '#'
447	) {
448	return $url;
449	}
450
451	// The $remote must have a trailing slash beyond this point for correct path resolution.
452	if ( ( $remote[-1] ?? '' ) !== '/' ) {
453	$remote .= '/';
454	}
455
456	if ( $local === false ) {
457	// CSS specifies a path that is neither a local file path, nor a local URL.
458	// It is probably already a fully-qualitied URL or data URI, but try to expand
459	// it just in case.
460	$url = self::resolveUrl( $remote, $url );
461	} else {
462	// We drop the query part here and instead make the path relative to $remote
463	$url = self::resolveUrl( $remote, $file );
464	// Path to the actual file on the filesystem
465	$localFile = "{$local}/{$file}";
466	if ( file_exists( $localFile ) ) {
467	if ( $embed ) {
468	$data = self::encodeImageAsDataURI( $localFile );
469	if ( $data !== false ) {
470	return $data;
471	}
472	}
473	// Add version parameter as the first five hex digits
474	// of the MD5 hash of the file's contents.
475	$url .= '?' . substr( md5_file( $localFile ), 0, 5 );
476	}
477	// If any of these conditions failed (file missing, we don't want to embed it
478	// or it's not embeddable), return the URL (possibly with ?timestamp part)
479	}
480	return $url;
481	}
482
483	/**
484	* Removes whitespace from CSS data
485	*
486	* @param string $css CSS data to minify
487	* @return string Minified CSS data
488	*/
489	public static function minify( $css ) {
490	return trim(
491	str_replace(
492	[ '; ', ': ', ' {', '{ ', ', ', '} ', ';}', '( ', ' )', '[ ', ' ]' ],
493	[ ';', ':', '{', '{', ',', '}', '}', '(', ')', '[', ']' ],
494	preg_replace( [ '/\s+/', '/\/\.?\*\//s' ], [ ' ', '' ], $css )
495	)
496	);
497	}
498	}
499
500	/**
501	* @deprecated since 2.1.0 Use Wikimedia\Minify\CSSMin instead
502	*/
503	class_alias( CSSMin::class, 'CSSMin' );