XmlTypeCheck.php

Go to the documentation of this file.

<?php
class XmlTypeCheck {
    public $wellFormed = null;

    public $filterMatch = false;

    public $filterMatchType = false;

    public $rootElement = '';

    protected $elementData = [];

    protected $elementDataContext = [];

    protected $stackDepth = 0;

    protected $filterCallback;

    private $parserOptions = [
        'processing_instruction_handler' => null,
        'external_dtd_handler' => '',
        'dtd_handler' => '',
        'require_safe_dtd' => true
    ];

    function __construct( $input, $filterCallback = null, $isFile = true, $options = [] ) {
        $this->filterCallback = $filterCallback;
        $this->parserOptions = array_merge( $this->parserOptions, $options );
        $this->validateFromInput( $input, $isFile );
    }

    public static function newFromFilename( $fname, $filterCallback = null ) {
        return new self( $fname, $filterCallback, true );
    }

    public static function newFromString( $string, $filterCallback = null ) {
        return new self( $string, $filterCallback, false );
    }

    public function getRootElement() {
        return $this->rootElement;
    }

    private function validateFromInput( $xml, $isFile ) {
        $reader = new XMLReader();
        if ( $isFile ) {
            $s = $reader->open( $xml, null, LIBXML_NOERROR | LIBXML_NOWARNING );
        } else {
            $s = $reader->XML( $xml, null, LIBXML_NOERROR | LIBXML_NOWARNING );
        }
        if ( $s !== true ) {
            // Couldn't open the XML
            $this->wellFormed = false;
        } else {
            $oldDisable = libxml_disable_entity_loader( true );
            $reader->setParserProperty( XMLReader::SUBST_ENTITIES, true );
            try {
                $this->validate( $reader );
            } catch ( Exception $e ) {
                // Calling this malformed, because we didn't parse the whole
                // thing. Maybe just an external entity refernce.
                $this->wellFormed = false;
                $reader->close();
                libxml_disable_entity_loader( $oldDisable );
                throw $e;
            }
            $reader->close();
            libxml_disable_entity_loader( $oldDisable );
        }
    }

    private function readNext( XMLReader $reader ) {
        set_error_handler( [ $this, 'XmlErrorHandler' ] );
        $ret = $reader->read();
        restore_error_handler();
        return $ret;
    }

    public function XmlErrorHandler( $errno, $errstr ) {
        $this->wellFormed = false;
    }

    private function validate( $reader ) {
        // First, move through anything that isn't an element, and
        // handle any processing instructions with the callback
        do {
            if ( !$this->readNext( $reader ) ) {
                // Hit the end of the document before any elements
                $this->wellFormed = false;
                return;
            }
            if ( $reader->nodeType === XMLReader::PI ) {
                $this->processingInstructionHandler( $reader->name, $reader->value );
            }
            if ( $reader->nodeType === XMLReader::DOC_TYPE ) {
                $this->DTDHandler( $reader );
            }
        } while ( $reader->nodeType != XMLReader::ELEMENT );

        // Process the rest of the document
        do {
            switch ( $reader->nodeType ) {
                case XMLReader::ELEMENT:
                    $name = $this->expandNS(
                        $reader->name,
                        $reader->namespaceURI
                    );
                    if ( $this->rootElement === '' ) {
                        $this->rootElement = $name;
                    }
                    $empty = $reader->isEmptyElement;
                    $attrs = $this->getAttributesArray( $reader );
                    $this->elementOpen( $name, $attrs );
                    if ( $empty ) {
                        $this->elementClose();
                    }
                    break;

                case XMLReader::END_ELEMENT:
                    $this->elementClose();
                    break;

                case XMLReader::WHITESPACE:
                case XMLReader::SIGNIFICANT_WHITESPACE:
                case XMLReader::CDATA:
                case XMLReader::TEXT:
                    $this->elementData( $reader->value );
                    break;

                case XMLReader::ENTITY_REF:
                    // Unexpanded entity (maybe external?),
                    // don't send to the filter (xml_parse didn't)
                    break;

                case XMLReader::COMMENT:
                    // Don't send to the filter (xml_parse didn't)
                    break;

                case XMLReader::PI:
                    // Processing instructions can happen after the header too
                    $this->processingInstructionHandler(
                        $reader->name,
                        $reader->value
                    );
                    break;
                case XMLReader::DOC_TYPE:
                    // We should never see a doctype after first
                    // element.
                    $this->wellFormed = false;
                    break;
                default:
                    // One of DOC, ENTITY, END_ENTITY,
                    // NOTATION, or XML_DECLARATION
                    // xml_parse didn't send these to the filter, so we won't.
            }
        } while ( $this->readNext( $reader ) );

        if ( $this->stackDepth !== 0 ) {
            $this->wellFormed = false;
        } elseif ( $this->wellFormed === null ) {
            $this->wellFormed = true;
        }
    }

    private function getAttributesArray( XMLReader $r ) {
        $attrs = [];
        while ( $r->moveToNextAttribute() ) {
            if ( $r->namespaceURI === 'http://www.w3.org/2000/xmlns/' ) {
                // XMLReader treats xmlns attributes as normal
                // attributes, while xml_parse doesn't
                continue;
            }
            $name = $this->expandNS( $r->name, $r->namespaceURI );
            $attrs[$name] = $r->value;
        }
        return $attrs;
    }

    private function expandNS( $name, $namespaceURI ) {
        if ( $namespaceURI ) {
            $parts = explode( ':', $name );
            $localname = array_pop( $parts );
            return "$namespaceURI:$localname";
        }
        return $name;
    }

    private function elementOpen( $name, $attribs ) {
        $this->elementDataContext[] = [ $name, $attribs ];
        $this->elementData[] = '';
        $this->stackDepth++;
    }

    private function elementClose() {
        list( $name, $attribs ) = array_pop( $this->elementDataContext );
        $data = array_pop( $this->elementData );
        $this->stackDepth--;
        $callbackReturn = false;

        if ( is_callable( $this->filterCallback ) ) {
            $callbackReturn = call_user_func(
                $this->filterCallback,
                $name,
                $attribs,
                $data
            );
        }
        if ( $callbackReturn ) {
            // Filter hit!
            $this->filterMatch = true;
            $this->filterMatchType = $callbackReturn;
        }
    }

    private function elementData( $data ) {
        // Collect any data here, and we'll run the callback in elementClose
        $this->elementData[ $this->stackDepth - 1 ] .= trim( $data );
    }

    private function processingInstructionHandler( $target, $data ) {
        $callbackReturn = false;
        if ( $this->parserOptions['processing_instruction_handler'] ) {
            $callbackReturn = call_user_func(
                $this->parserOptions['processing_instruction_handler'],
                $target,
                $data
            );
        }
        if ( $callbackReturn ) {
            // Filter hit!
            $this->filterMatch = true;
            $this->filterMatchType = $callbackReturn;
        }
    }

    private function DTDHandler( XMLReader $reader ) {
        $externalCallback = $this->parserOptions['external_dtd_handler'];
        $generalCallback = $this->parserOptions['dtd_handler'];
        $checkIfSafe = $this->parserOptions['require_safe_dtd'];
        if ( !$externalCallback && !$generalCallback && !$checkIfSafe ) {
            return;
        }
        $dtd = $reader->readOuterXml();
        $callbackReturn = false;

        if ( $generalCallback ) {
            $callbackReturn = call_user_func( $generalCallback, $dtd );
        }
        if ( $callbackReturn ) {
            // Filter hit!
            $this->filterMatch = true;
            $this->filterMatchType = $callbackReturn;
            $callbackReturn = false;
        }

        $parsedDTD = $this->parseDTD( $dtd );
        if ( $externalCallback && isset( $parsedDTD['type'] ) ) {
            $callbackReturn = call_user_func(
                $externalCallback,
                $parsedDTD['type'],
                $parsedDTD['publicid'] ?? null,
                $parsedDTD['systemid'] ?? null
            );
        }
        if ( $callbackReturn ) {
            // Filter hit!
            $this->filterMatch = true;
            $this->filterMatchType = $callbackReturn;
            $callbackReturn = false;
        }

        if ( $checkIfSafe && isset( $parsedDTD['internal'] ) &&
            !$this->checkDTDIsSafe( $parsedDTD['internal'] )
        ) {
            $this->wellFormed = false;
        }
    }

    private function checkDTDIsSafe( $internalSubset ) {
        $offset = 0;
        $res = preg_match(
            '/^(?:\s*<!ENTITY\s+\S+\s+' .
                '(?:"(?:&[^"%&;]{1,64};|(?:[^"%&]|&amp;|&quot;){0,255})"' .
                '|\'(?:&[^"%&;]{1,64};|(?:[^\'%&]|&amp;|&apos;){0,255})\')\s*>' .
                '|\s*<!--(?:[^-]|-[^-])*-->' .
                '|\s*<!ATTLIST svg xmlns:xlink CDATA #FIXED ' .
                '"http:\/\/www.w3.org\/1999\/xlink">)*\s*$/',
            $internalSubset
        );

        return (bool)$res;
    }

    private function parseDTD( $dtd ) {
        $m = [];
        $res = preg_match(
            '/^<!DOCTYPE\s*\S+\s*' .
            '(?:(?P<typepublic>PUBLIC)\s*' .
                '(?:"(?P<pubquote>[^"]*)"|\'(?P<pubapos>[^\']*)\')' . // public identifer
                '\s*"(?P<pubsysquote>[^"]*)"|\'(?P<pubsysapos>[^\']*)\'' . // system identifier
            '|(?P<typesystem>SYSTEM)\s*' .
                '(?:"(?P<sysquote>[^"]*)"|\'(?P<sysapos>[^\']*)\')' .
            ')?\s*' .
            '(?:\[\s*(?P<internal>.*)\])?\s*>$/s',
            $dtd,
            $m
        );
        if ( !$res ) {
            $this->wellFormed = false;
            return [];
        }
        $parsed = [];
        foreach ( $m as $field => $value ) {
            if ( $value === '' || is_numeric( $field ) ) {
                continue;
            }
            switch ( $field ) {
                case 'typepublic':
                case 'typesystem':
                    $parsed['type'] = $value;
                    break;
                case 'pubquote':
                case 'pubapos':
                    $parsed['publicid'] = $value;
                    break;
                case 'pubsysquote':
                case 'pubsysapos':
                case 'sysquote':
                case 'sysapos':
                    $parsed['systemid'] = $value;
                    break;
                case 'internal':
                    $parsed['internal'] = $value;
                    break;
            }
        }
        return $parsed;
    }
}