From 31ff6b69df0272f139d95c2c37899adb711110eb Mon Sep 17 00:00:00 2001 From: David Cook Date: Wed, 20 Nov 2024 00:21:35 +0000 Subject: [PATCH] Bug 38488: Add Template::Toolkit filter for C4::Scrubber This change adds a Template::Toolkit filter which is invoked via " | scrub_html type => 'note' ". Test plan: 0. Apply the patch 1. prove t/Koha/Plugins/HtmlScrubber.t Signed-off-by: Brendan Lawlor Signed-off-by: Marcel de Rooy Signed-off-by: Katrin Fischer --- Koha/Template/Plugin/HtmlScrubber.pm | 77 ++++++++++++++++++++++++++++ t/Koha/Plugins/HtmlScrubber.t | 59 +++++++++++++++++++++ 2 files changed, 136 insertions(+) create mode 100644 Koha/Template/Plugin/HtmlScrubber.pm create mode 100755 t/Koha/Plugins/HtmlScrubber.t
diff --git a/Koha/Template/Plugin/HtmlScrubber.pm b/Koha/Template/Plugin/HtmlScrubber.pm
new file mode 100644
index 0000000000..676944ee7a
--- /dev/null
+++ b/Koha/Template/Plugin/HtmlScrubber.pm
@@ -0,0 +1,77 @@
+package Koha::Template::Plugin::HtmlScrubber;
+
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see .
+
+use Modern::Perl;
+use base 'Template::Plugin::Filter';
+
+use C4::Scrubber;
+
+sub init {
+ my $self = shift;
+ my $name = 'scrub_html';
+ $self->{_DYNAMIC} = 1;
+ $self->install_filter($name);
+ $self->{cached_filters} = {};
+ return $self;
+}
+
+sub filter {
+ my ( $self, $text, $args, $config ) = @_;
+ my $type = $config->{type} || 'default';
+ if ($type) {
+ if ( !$self->{cached_filters}->{$type} ) {
+ my $new_scrubber = C4::Scrubber->new($type);
+ if ($new_scrubber) {
+ $self->{cached_filters}->{$type} = $new_scrubber;
+ }
+ }
+ my $scrubber = $self->{cached_filters}->{$type};
+ if ($scrubber) {
+ my $scrubbed = $scrubber->scrub($text);
+ return $scrubbed;
+ }
+ }
+
+ #NOTE: If you don't have a scrubber, just return what was passed in
+ return $text;
+}
+
+1;
+
+=head1 NAME
+
+Koha::Template::Plugin::HtmlScrubber - TT plugin for scrubbing HTML to limited elements and attributes
+
+=head1 SYNOPSIS
+
+[% USE HtmlScrubber %]
+
+[% content.note | scrub_html type => 'note' %]
+
+This filter scrubs HTML using profiles predefined in C4::Scrubber
+
+=head1 METHODS
+
+=head2 init
+
+This method installs the filter name and declares it as a dynamic filter
+
+=head2 filter
+
+Returns a scrubbed version of HTML content
+
+=cut
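Review bot: The fallback at the end of `filter` (`return $text;` under the `#NOTE` comment) hands the input back unmodified whenever no scrubber object is available, so a filter whose whole purpose is sanitising HTML fails open. Whether `C4::Scrubber->new($type)` can actually return a false value for an unrecognised `type` is not visible in this patch, but the safer default is to fail closed, e.g. `return q{};` (or croak), with the comment changed to `# No scrubber available: emit nothing rather than unsanitised HTML`. The outer `if ($type)` is also always true because of the `|| 'default'` on the line above it, so it can be dropped. A subtest that passes an unknown `type` would pin the intended behaviour down; the two subtests declared in t/Koha/Plugins/HtmlScrubber.t exercise only the default and 'note' profiles.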
diff --git a/t/Koha/Plugins/HtmlScrubber.t b/t/Koha/Plugins/HtmlScrubber.t new file mode 100755 index 0000000000..33b4b6f1b5 --- /dev/null +++ b/t/Koha/Plugins/HtmlScrubber.t @@ -0,0 +1,59 @@ +#!/usr/bin/perl + +# This file is part of Koha. +# +# Koha is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# Koha is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Koha; if not, see . + +use Modern::Perl; + +use Test::More tests => 2; +use Template; + +subtest 'test scrubbing using default scrubber' => sub { + plan tests => 1; + my $template = Template->new( + { + PLUGIN_BASE => 'Koha::Template::Plugin', + } + ); + + my $tt = <alert("boo!")

Hello!

' | scrub_html -%] +[%- '
Hello!
' | scrub_html -%] +EOF + + my $output; + $template->process( \$tt, {}, \$output ); + is( $output, 'Hello!Hello!', 'Default scrubber removes all HTML' ); +}; + +subtest 'test scrubbing using "note" type' => sub { + plan tests => 1; + my $template = Template->new( + { + PLUGIN_BASE => 'Koha::Template::Plugin', + } + ); + + my $tt = <alert("boo!")

Hello!

' | scrub_html type => 'note' -%] +[%- '
Hello!
' | scrub_html type => 'note' -%] +EOF + + my $output; + $template->process( \$tt, {}, \$output ); + is( $output, '

Hello!

Hello!
', '