kariricode-sanitizer/src/Rule/Html/HtmlEncodeRule.php at 04162bf9b0d15bfe5d6b0c37be9e2b401451e991 · KaririCode-Framework/kariricode-sanitizer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?php

declare(strict_types=1);

namespace KaririCode\Sanitizer\Rule\Html;

use KaririCode\Sanitizer\Contract\SanitizationContext;
use KaririCode\Sanitizer\Contract\SanitizationRule;

/**
 * Encodes HTML special characters for XSS prevention.
 *
 * Parameters: flags (int, default ENT_QUOTES|ENT_SUBSTITUTE), encoding (string, default 'UTF-8').
 *
 * @author  Walmir Silva <walmir.silva@kariricode.org>
 *
 * @since   3.1.0 ARFA 1.3
 */
final readonly class HtmlEncodeRule implements SanitizationRule
{
    #[\Override]
    public function sanitize(mixed $value, SanitizationContext $context): mixed
    {
        if (! \is_string($value)) {
            return $value;
        }

        $flagsRaw = $context->getParameter('flags', ENT_QUOTES | ENT_SUBSTITUTE);
        $flags = \is_int($flagsRaw) ? $flagsRaw : ENT_QUOTES | ENT_SUBSTITUTE;
        $encodingRaw = $context->getParameter('encoding', 'UTF-8');
        $encoding = \is_string($encodingRaw) ? $encodingRaw : 'UTF-8';
        $doubleEncodeRaw = $context->getParameter('double_encode', true);
        $doubleEncode = \is_bool($doubleEncodeRaw) ? $doubleEncodeRaw : (bool) $doubleEncodeRaw;

        return htmlspecialchars($value, $flags, $encoding, $doubleEncode);
    }

    #[\Override]
    public function getName(): string
    {
        return 'html.encode';
    }
}