refactor(sanitizer): split HtmlPurifierSanitizer into modular components

BREAKING CHANGE: HtmlPurifierSanitizer internal structure has been reorganized

- Create new namespace KaririCode\Sanitizer\Processor\Domain\HtmlPurifier
- Split functionality into specialized classes:
  - Config/Configuration: Manage allowed tags and attributes
  - Dom/DomHandler: Handle DOM operations
  - NodeSanitizer/NodeSanitizer: Process DOM nodes
  - Cleaner/InputCleaner: Pre-process input
  - Cleaner/OutputCleaner: Post-process output
  - AttributeCleaner/AttributeCleaner: Handle attribute sanitization

Author: walmir-silva

src/Processor/Domain/HtmlPurifier/Cleaner/AttributeCleaner.php

@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\Cleaner;
+
+use KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\Configuration;
+
+final class AttributeCleaner
+{
+    public function __construct(
+        private readonly Configuration $config
+    ) {
+    }
+
+    public function cleanAttributes(\DOMElement $element): void
+    {
+        if (!in_array(strtolower($element->tagName), $this->config->getAllowedTags(), true)) {
+            return;
+        }
+
+        $attributes = iterator_to_array($element->attributes);
+        foreach ($attributes as $attr) {
+            $attrName = $attr->name;
+            $tagName = strtolower($element->tagName);
+
+            if (!$this->isAttributeAllowed($attrName, $tagName)) {
+                $element->removeAttribute($attrName);
+            }
+        }
+    }
+
+    private function isAttributeAllowed(string $attrName, string $tagName): bool
+    {
+        $allowedAttributes = $this->config->getAllowedAttributes();
+
+        return isset($allowedAttributes[$attrName])
+               && in_array($tagName, $allowedAttributes[$attrName], true);
+    }
+}

src/Processor/Domain/HtmlPurifier/Cleaner/InputCleaner.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\Cleaner;
+
+final class InputCleaner
+{
+    public function clean(string $input): string
+    {
+        // Remove scripts and inline events
+        $input = preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', '', $input);
+        $input = preg_replace('/\bon\w+\s*=\s*"[^"]*"/i', '', $input);
+        $input = preg_replace('/<!--.*?-->/s', '', $input);
+
+        return $input;
+    }
+}

src/Processor/Domain/HtmlPurifier/Cleaner/OutputCleaner.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\Cleaner;
+
+final class OutputCleaner
+{
+    public function clean(string $output): string
+    {
+        // Remove any remaining HTML comments
+        $output = preg_replace('/<!--.*?-->/s', '', $output);
+
+        // Normalize whitespace
+        $output = preg_replace('/^\s+|\s+$/m', '', $output);
+        $output = preg_replace('/\s+/', ' ', $output);
+
+        return trim($output);
+    }
+}

src/Processor/Domain/HtmlPurifier/Configuration.php

@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Domain\HtmlPurifier;
+
+final class Configuration
+{
+    private const DEFAULT_ALLOWED_TAGS = [
+        'p', 'br', 'strong', 'em', 'u', 'ol', 'ul', 'li',
+        'a', 'img', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+    ];
+    private const DEFAULT_ALLOWED_ATTRIBUTES = [
+        'href' => ['a'],
+        'src' => ['img'],
+        'alt' => ['img'],
+    ];
+
+    private array $allowedTags;
+    private array $allowedAttributes;
+
+    public function __construct()
+    {
+        $this->allowedTags = self::DEFAULT_ALLOWED_TAGS;
+        $this->allowedAttributes = self::DEFAULT_ALLOWED_ATTRIBUTES;
+    }
+
+    public function configure(array $options): void
+    {
+        $this->allowedTags = $options['allowedTags'] ?? $this->allowedTags;
+        $this->allowedAttributes = $options['allowedAttributes'] ?? $this->allowedAttributes;
+    }
+
+    public function getAllowedTags(): array
+    {
+        return $this->allowedTags;
+    }
+
+    public function getAllowedAttributes(): array
+    {
+        return $this->allowedAttributes;
+    }
+}

src/Processor/Domain/HtmlPurifier/DomHandler.php

@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Domain\HtmlPurifier;
+
+final class DomHandler
+{
+    private \DOMDocument $dom;
+    private ?\DOMElement $root = null;
+
+    public function __construct()
+    {
+        $this->dom = new \DOMDocument('1.0', 'UTF-8');
+    }
+
+    public function loadHtml(string $input): void
+    {
+        $wrappedInput = '<div id="temp-root">' . $input . '</div>';
+        libxml_use_internal_errors(true);
+
+        $this->dom->loadHTML(
+            mb_convert_encoding($wrappedInput, 'HTML-ENTITIES', 'UTF-8'),
+            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
+        );
+
+        $this->root = $this->dom->getElementById('temp-root');
+    }
+
+    public function getRoot(): ?\DOMElement
+    {
+        return $this->root;
+    }
+
+    public function saveHtml(\DOMNode $node): string
+    {
+        return $this->dom->saveHTML($node) ?: '';
+    }
+
+    public function createDocumentFragment(): \DOMDocumentFragment
+    {
+        return $this->dom->createDocumentFragment();
+    }
+}

src/Processor/Domain/HtmlPurifier/NodeSanitizer.php

@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace KaririCode\Sanitizer\Processor\Domain\HtmlPurifier;
+
+final class NodeSanitizer
+{
+    public function __construct(
+        private readonly Configuration $config
+    ) {
+    }
+
+    public function sanitizeNode(\DOMNode $node): void
+    {
+        if (!$node->hasChildNodes()) {
+            return;
+        }
+
+        $children = iterator_to_array($node->childNodes);
+
+        foreach ($children as $child) {
+            if ($child instanceof \DOMElement) {
+                $tagName = strtolower($child->tagName);
+
+                // First, recursively process the child nodes
+                $this->sanitizeNode($child);
+
+                // Then, check if the current tag is allowed
+                if (!in_array($tagName, $this->config->getAllowedTags(), true)) {
+                    $this->unwrapNode($node, $child);
+                }
+            }
+        }
+    }
+
+    private function unwrapNode(\DOMNode $parent, \DOMElement $element): void
+    {
+        $fragment = $parent->ownerDocument->createDocumentFragment();
+
+        while ($element->firstChild) {
+            $fragment->appendChild($element->firstChild);
+        }
+
+        $parent->replaceChild($fragment, $element);
+    }
+}

src/Processor/Domain/HtmlPurifierSanitizer.php

@@ -6,146 +6,53 @@
 
 use KaririCode\Contract\Processor\ConfigurableProcessor;
 use KaririCode\Sanitizer\Processor\AbstractSanitizerProcessor;
+use KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\Cleaner\InputCleaner;
+use KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\Cleaner\OutputCleaner;
+use KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\Configuration;
+use KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\DomHandler;
+use KaririCode\Sanitizer\Processor\Domain\HtmlPurifier\NodeSanitizer;
 
 final class HtmlPurifierSanitizer extends AbstractSanitizerProcessor implements ConfigurableProcessor
 {
-    private const DEFAULT_ALLOWED_TAGS = ['p', 'br', 'strong', 'em', 'u', 'ol', 'ul', 'li', 'a', 'img'];
-    private const DEFAULT_ALLOWED_ATTRIBUTES = ['href' => ['a'], 'src' => ['img'], 'alt' => ['img']];
-    private const DEFAULT_ENCODING = 'UTF-8';
-
-    private array $allowedTags;
-    private array $allowedAttributes;
-    private string $encoding;
+    private Configuration $config;
+    private DomHandler $domHandler;
+    private NodeSanitizer $nodeSanitizer;
+    private InputCleaner $inputCleaner;
+    private OutputCleaner $outputCleaner;
 
     public function __construct()
     {
-        $this->allowedTags = self::DEFAULT_ALLOWED_TAGS;
-        $this->allowedAttributes = self::DEFAULT_ALLOWED_ATTRIBUTES;
-        $this->encoding = self::DEFAULT_ENCODING;
+        $this->config = new Configuration();
+        $this->domHandler = new DomHandler();
+        $this->nodeSanitizer = new NodeSanitizer($this->config);
+        $this->inputCleaner = new InputCleaner();
+        $this->outputCleaner = new OutputCleaner();
     }
 
     public function configure(array $options): void
     {
-        $this->allowedTags = $options['allowedTags'] ?? $this->allowedTags;
-        $this->allowedAttributes = $options['allowedAttributes'] ?? $this->allowedAttributes;
-        $this->encoding = $options['encoding'] ?? $this->encoding;
+        $this->config->configure($options);
     }
 
     public function process(mixed $input): string
     {
         $input = $this->guardAgainstNonString($input);
-        $input = $this->sanitizeHtml($input);
-
-        $dom = new \DOMDocument('1.0', $this->encoding);
-        $this->loadHtmlToDom($dom, $input);
-        $this->filterNodes($dom->getElementsByTagName('*'));
+        $input = $this->inputCleaner->clean($input);
 
-        return $this->cleanHtmlOutput($dom->saveHTML());
-    }
+        $this->domHandler->loadHtml($input);
 
-    private function filterNodes(\DOMNodeList $nodes): void
-    {
-        for ($i = $nodes->length - 1; $i >= 0; --$i) {
-            $node = $nodes->item($i);
-            if (!$this->isAllowedTag($node->nodeName)) {
-                $this->unwrapNode($node);
-            } else {
-                $this->filterAttributes($node);
-            }
+        $root = $this->domHandler->getRoot();
+        if (!$root) {
+            return '';
         }
-    }
-
-    private function filterAttributes(\DOMElement $element): void
-    {
-        for ($i = $element->attributes->length - 1; $i >= 0; --$i) {
-            /** @var DOMNode */
-            $attr = $element->attributes->item($i);
-            if (!$this->isAllowedAttribute($element->nodeName, $attr->name)) {
-                $element->removeAttribute($attr->name);
-            }
-        }
-    }
-
-    private function sanitizeHtml(string $html): string
-    {
-        $html = $this->removeScripts($html);
 
-        return $this->removeComments($html);
-    }
-
-    private function loadHtmlToDom(\DOMDocument $dom, string $html): void
-    {
-        libxml_use_internal_errors(true);
-        $isLoaded = $dom->loadHTML(mb_convert_encoding($html, 'HTML-ENTITIES', $this->encoding), LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
-        $errors = libxml_get_errors();
-        libxml_clear_errors();
-    }
-
-    private function cleanHtmlOutput(string $output): string
-    {
-        $output = preg_replace('/^<!DOCTYPE.+?>/', '', $output);
-        $output = str_replace(['<html>', '</html>', '<body>', '</body>'], '', $output);
-
-        return trim($output);
-    }
-
-    private function isAllowedTag(string $tagName): bool
-    {
-        return in_array(strtolower($tagName), $this->allowedTags, true);
-    }
-
-    private function isAllowedAttribute(string $elementName, string $attributeName): bool
-    {
-        return isset($this->allowedAttributes[strtolower($attributeName)])
-               && in_array(strtolower($elementName), $this->allowedAttributes[strtolower($attributeName)], true);
-    }
-
-    private function unwrapNode(\DOMNode $node): void
-    {
-        $parent = $node->parentNode;
-        while ($node->firstChild) {
-            $parent->insertBefore($node->firstChild, $node);
-        }
-        $parent->removeChild($node);
-    }
-
-    private function removeScripts(string $html): string
-    {
-        return $this->removeElementsByTagName('script', $html);
-    }
-
-    private function removeComments(string $html): string
-    {
-        return $this->removeElementsByXPath('//comment()', $html);
-    }
-
-    private function removeElementsByTagName(string $tagName, string $html): string
-    {
-        $dom = new \DOMDocument();
-        libxml_use_internal_errors(true);
-        $dom->loadHTML(mb_convert_encoding($html, 'HTML-ENTITIES', $this->encoding), LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
-        libxml_clear_errors();
-
-        $elements = $dom->getElementsByTagName($tagName);
-        while ($elements->length > 0) {
-            $elements->item(0)->parentNode->removeChild($elements->item(0));
-        }
-
-        return $dom->saveHTML();
-    }
-
-    private function removeElementsByXPath(string $query, string $html): string
-    {
-        $dom = new \DOMDocument();
-        libxml_use_internal_errors(true);
-        $dom->loadHTML(mb_convert_encoding($html, 'HTML-ENTITIES', $this->encoding), LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
-        libxml_clear_errors();
+        $this->nodeSanitizer->sanitizeNode($root);
 
-        $xpath = new \DOMXPath($dom);
-        foreach ($xpath->query($query) as $element) {
-            $element->parentNode->removeChild($element);
+        $output = '';
+        foreach ($root->childNodes as $child) {
+            $output .= $this->domHandler->saveHtml($child);
         }
 
-        return $dom->saveHTML();
+        return $this->outputCleaner->clean($output);
     }
 }