Merge pull request #89 from ohader/reject/CVE-2023-28426

Revert changes introduced for GHSA-xrqq-wqh4-5hg2 (CVE-2023-28426)

composer.json

@@ -25,8 +25,7 @@
     "require": {
         "ext-dom": "*",
         "ext-libxml": "*",
-        "php": "^5.6 || ^7.0 || ^8.0",
-        "ezyang/htmlpurifier": "^4.16"
+        "php": "^5.6 || ^7.0 || ^8.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^5.7 || ^6.5 || ^8.5"

src/Sanitizer.php

@@ -7,8 +7,6 @@
 use enshrined\svgSanitize\data\TagInterface;
 use enshrined\svgSanitize\data\XPath;
 use enshrined\svgSanitize\ElementReference\Resolver;
-use HTMLPurifier;
-use HTMLPurifier_Config;
 
 /**
  * Class Sanitizer
@@ -648,9 +646,7 @@ public function setUseNestingLimit($limit)
     protected function cleanUnsafeNodes(\DOMNode $currentElement) {
         // Replace CDATA node with encoded text node
         if ($currentElement instanceof \DOMCdataSection) {
-            $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
-            $clean_html = $purifier->purify($currentElement->nodeValue);
-            $textNode = $currentElement->ownerDocument->createTextNode($clean_html);
+            $textNode = $currentElement->ownerDocument->createTextNode($currentElement->nodeValue);
             $currentElement->parentNode->replaceChild($textNode, $currentElement);
         // If the element doesn't have a tagname, remove it and continue with next iteration
         } elseif (!$currentElement instanceof \DOMElement && !$currentElement instanceof \DOMText) {