css-sanitizer
Classes to parse and sanitize CSS
 All Classes Files Functions Variables Pages
css-sanitizer Documentation

![Latest Stable Version] ![License]

Wikimedia CSS Parser & Sanitizer

This library implements a CSS tokenizer, parser and grammar matcher in PHP that mostly follows the CSS Syntax Module Level 3 candidate recommendation dated 20 February 2014, the CSS Values and Units Module Level 3, and the CSS Selectors Level 3 grammar. It also provides a sanitizer that recognizes various CSS3 modules.

Usage

use Wikimedia;
use Wikimedia;
/** Parse a stylesheet from a string **/
$parser = Parser::newFromString( $cssText );
$stylesheet = $parser->parseStylesheet();
/** Report any parser errors **/
foreach ( $parser->getParseErrors() as list( $code, $line, $pos ) ) {
    // $code is a string that should be suitable as a key for an i18n library.
    // See errors.md for details.
    $error = lookupI18nMessage( "css-parse-error-$code" );
    echo "Parse error: $error at line $line character $pos\n";
}
/** Apply sanitization to the stylesheet **/
// If you need to customize the defaults, copy the code of this method and
// modify it.
$sanitizer = StylesheetSanitizer::newDefault();
$newStylesheet = $sanitizer->sanitize( $stylesheet );
/** Report any sanitizer errors **/
foreach ( $sanitizer->getSanitizationErrors() as list( $code, $line, $pos ) ) {
    // $code is a string that should be suitable as a key for an i18n library.
    // See errors.md for details.
    $error = lookupI18nMessage( "css-sanitization-error-$code" );
    echo "Sanitization error: $error at line $line character $pos\n";
}
/** Convert the sanitized stylesheet back to text **/
$newText = (string)$newStylesheet;
// Or if you'd rather have it minified too
$minifiedText = Wikimedia::stringify( $newStylesheet, [ 'minify' => true ] );

Running tests

composer install --prefer-dist
composer test

History

We required a CSS sanitizer with several properties:

  • Strict parsing according to modern standards.
  • Includes line and character position for all errors.
  • Configurable to limit unsafe constructs such as external URL references.
  • Errors are easily localizable.

We could not find a library that fit these requirements, so we created one.