Add sanitization reporting

amp.php

@@ -95,6 +95,7 @@ function amp_after_setup_theme() {
 	add_action( 'wp_loaded', 'amp_add_options_menu' );
 	add_action( 'parse_query', 'amp_correct_query_when_is_front_page' );
 	AMP_Post_Type_Support::add_post_type_support();
+	AMP_Mutation_Utils::init();
 }
 add_action( 'after_setup_theme', 'amp_after_setup_theme', 5 );
 

includes/class-amp-autoloader.php

@@ -83,6 +83,7 @@ class AMP_Autoloader {
 		'AMP_DOM_Utils'                               => 'includes/utils/class-amp-dom-utils',
 		'AMP_HTML_Utils'                              => 'includes/utils/class-amp-html-utils',
 		'AMP_Image_Dimension_Extractor'               => 'includes/utils/class-amp-image-dimension-extractor',
+		'AMP_Mutation_Utils'                          => 'includes/utils/class-amp-mutation-utils',
 		'AMP_String_Utils'                            => 'includes/utils/class-amp-string-utils',
 		'AMP_WP_Utils'                                => 'includes/utils/class-amp-wp-utils',
 		'AMP_Widget_Archives'                         => 'includes/widgets/class-amp-widget-archives',

includes/class-amp-theme-support.php

@@ -752,7 +752,9 @@ public static function start_output_buffering() {
 	 * @see AMP_Theme_Support::start_output_buffering()
 	 */
 	public static function finish_output_buffering() {
-		echo self::prepare_response( ob_get_clean() ); // WPCS: xss ok.
+		$output = self::prepare_response( ob_get_clean() );
+		AMP_Mutation_Utils::add_header();
+		echo $output; // WPCS: xss ok.
 	}
 
 	/**
@@ -785,6 +787,9 @@ public static function prepare_response( $response ) {
 			'content_max_width'    => ! empty( $content_width ) ? $content_width : AMP_Post_Template::CONTENT_MAX_WIDTH, // Back-compat.
 			'use_document_element' => true,
 		);
+		if ( AMP_Mutation_Utils::is_authorized() ) {
+			$args['mutation_callback'] = 'AMP_Mutation_Utils::track_removed';
+		}
 
 		// First ensure the mandatory amp attribute is present on the html element, as otherwise it will be stripped entirely.
 		if ( ! $dom->documentElement->hasAttribute( 'amp' ) && ! $dom->documentElement->hasAttribute( '⚡️' ) ) {

includes/sanitizers/class-amp-audio-sanitizer.php

@@ -81,7 +81,7 @@ public function sanitize() {
 			 * @see: https://github.com/ampproject/amphtml/issues/2261
 			 */
 			if ( 0 === $new_node->childNodes->length && empty( $new_attributes['src'] ) ) {
-				$node->parentNode->removeChild( $node );
+				$this->remove_child( $node );
 			} else {
 				$node->parentNode->replaceChild( $new_node, $node );
 			}

includes/sanitizers/class-amp-base-sanitizer.php

@@ -304,4 +304,46 @@ public function maybe_enforce_https_src( $src, $force_https = false ) {
 
 		return $src;
 	}
+
+	/**
+	 * Removes a child of a node.
+	 *
+	 * Also, calls the mutation callback for it.
+	 * This tracks all the nodes that were removed.
+	 *
+	 * @since 0.7
+	 *
+	 * @param DOMNode $child The node to remove.
+	 * @return void.
+	 */
+	public function remove_child( $child ) {
+		if ( method_exists( $child->parentNode, 'removeChild' ) ) { // phpcs:ignore WordPress.NamingConventions.ValidVariableName.NotSnakeCaseMemberVar.
+			$child->parentNode->removeChild( $child ); // phpcs:ignore WordPress.NamingConventions.ValidVariableName.NotSnakeCaseMemberVar.
+			if ( isset( $this->args['mutation_callback'] ) ) {
+				call_user_func( $this->args['mutation_callback'], $child, 'removed' );
+			}
+		}
+	}
+
+	/**
+	 * Removes an attribute of a node.
+	 *
+	 * Also, calls the mutation callback for it.
+	 * This tracks all the attributes that were removed.
+	 *
+	 * @since 0.7
+	 *
+	 * @param DOMNode $node The node for which to remove the attribute.
+	 * @param string  $attribute The attribute to remove from the node.
+	 * @return void.
+	 */
+	public function remove_attribute( $node, $attribute ) {
+		if ( method_exists( $node, 'removeAttribute' ) ) {
+			$node->removeAttribute( $attribute );
+			if ( isset( $this->args['mutation_callback'] ) ) {
+				call_user_func( $this->args['mutation_callback'], $node, 'removed_attr', $attribute );
+			}
+		}
+	}
+
 }

includes/sanitizers/class-amp-blacklist-sanitizer.php

@@ -73,13 +73,13 @@ private function strip_attributes_recursive( $node, $bad_attributes, $bad_protoc
 				$attribute      = $node->attributes->item( $i );
 				$attribute_name = strtolower( $attribute->name );
 				if ( in_array( $attribute_name, $bad_attributes, true ) ) {
-					$node->removeAttribute( $attribute_name );
+					$this->remove_attribute( $node, $attribute_name );
 					continue;
 				}
 
 				// The on* attributes (like onclick) are a special case.
 				if ( 0 === stripos( $attribute_name, 'on' ) && 'on' !== $attribute_name ) {
-					$node->removeAttribute( $attribute_name );
+					$this->remove_attribute( $node, $attribute_name );
 					continue;
 				} elseif ( 'a' === $node_name ) {
 					$this->sanitize_a_attribute( $node, $attribute );
@@ -112,10 +112,10 @@ private function strip_tags( $node, $tag_names ) {
 			for ( $i = $length - 1; $i >= 0; $i-- ) {
 				$element     = $elements->item( $i );
 				$parent_node = $element->parentNode;
-				$parent_node->removeChild( $element );
+				$this->remove_child( $element );
 
 				if ( 'body' !== $parent_node->nodeName && AMP_DOM_Utils::is_node_empty( $parent_node ) ) {
-					$parent_node->parentNode->removeChild( $parent_node );
+					$this->remove_child( $parent_node );
 				}
 			}
 		}
@@ -134,13 +134,13 @@ private function sanitize_a_attribute( $node, $attribute ) {
 			$old_value = $attribute->value;
 			$new_value = trim( preg_replace( self::PATTERN_REL_WP_ATTACHMENT, '', $old_value ) );
 			if ( empty( $new_value ) ) {
-				$node->removeAttribute( $attribute_name );
+				$this->remove_attribute( $node, $attribute_name );
 			} elseif ( $old_value !== $new_value ) {
 				$node->setAttribute( $attribute_name, $new_value );
 			}
 		} elseif ( 'rev' === $attribute_name ) {
 			// rev removed from HTML5 spec, which was used by Jetpack Markdown.
-			$node->removeAttribute( $attribute_name );
+			$this->remove_attribute( $node, $attribute_name );
 		} elseif ( 'target' === $attribute_name ) {
 			// _blank is the only allowed value and it must be lowercase.
 			// replace _new with _blank and others should simply be removed.
@@ -150,7 +150,7 @@ private function sanitize_a_attribute( $node, $attribute ) {
 				$node->setAttribute( $attribute_name, '_blank' );
 			} else {
 				// Only _blank is allowed.
-				$node->removeAttribute( $attribute_name );
+				$this->remove_attribute( $node, $attribute_name );
 			}
 		}
 	}
@@ -219,7 +219,7 @@ private function replace_node_with_children( $node, $bad_attributes, $bad_protoc
 
 		// Remove the node from the parent, if defined.
 		if ( $node->parentNode ) {
-			$node->parentNode->removeChild( $node );
+			$this->remove_child( $node );
 		}
 	}
 

includes/sanitizers/class-amp-form-sanitizer.php

@@ -85,7 +85,7 @@ public function sanitize() {
 					$node->setAttribute( 'action', $action_url );
 				}
 			} elseif ( 'post' === $method ) {
-				$node->removeAttribute( 'action' );
+				$this->remove_attribute( $node, 'action' );
 				if ( ! $xhr_action ) {
 					// record that action was converted tp action-xhr.
 					$action_url = add_query_arg( '_wp_amp_action_xhr_converted', 1, $action_url );

includes/sanitizers/class-amp-iframe-sanitizer.php

@@ -74,7 +74,7 @@ public function sanitize() {
 			 * @see: https://github.com/ampproject/amphtml/issues/2261
 			 */
 			if ( empty( $new_attributes['src'] ) ) {
-				$node->parentNode->removeChild( $node );
+				$this->remove_child( $node );
 				continue;
 			}
 
@@ -95,11 +95,11 @@ public function sanitize() {
 				$parent_node->replaceChild( $new_node, $node );
 			} else {
 				// AMP does not like iframes in <p> tags.
-				$parent_node->removeChild( $node );
+				$this->remove_child( $node );
 				$parent_node->parentNode->insertBefore( $new_node, $parent_node->nextSibling );
 
 				if ( AMP_DOM_Utils::is_node_empty( $parent_node ) ) {
-					$parent_node->parentNode->removeChild( $parent_node );
+					$this->remove_child( $parent_node );
 				}
 			}
 		}
@@ -193,4 +193,5 @@ private function build_placeholder( $parent_attributes ) {
 
 		return $placeholder_node;
 	}
+
 }

includes/sanitizers/class-amp-img-sanitizer.php

@@ -74,7 +74,7 @@ public function sanitize() {
 			}
 
 			if ( ! $node->hasAttribute( 'src' ) || '' === $node->getAttribute( 'src' ) ) {
-				$node->parentNode->removeChild( $node );
+				$this->remove_child( $node );
 				continue;
 			}
 

includes/sanitizers/class-amp-tag-and-attribute-sanitizer.php

@@ -704,6 +704,9 @@ private function sanitize_disallowed_attributes_in_node( $node, $attr_spec_list
 
 		foreach ( $attrs_to_remove as $attr ) {
 			$node->removeAttributeNode( $attr );
+			if ( isset( $this->args['mutation_callback'], $attr->name ) ) {
+				call_user_func( $this->args['mutation_callback'], $node, 'removed_attr', $attr->name );
+			}
 		}
 	}
 
@@ -809,7 +812,7 @@ private function delegated_sanitize_disallowed_attribute_values_in_node( $node,
 				( true === $attr_spec_list[ $attr_name ][ AMP_Rule_Spec::VALUE_URL ][ AMP_Rule_Spec::ALLOW_EMPTY ] ) ) {
 				$node->setAttribute( $attr_name, '' );
 			} else {
-				$node->removeAttribute( $attr_name );
+				$this->remove_attribute( $node, $attr_name );
 			}
 		}
 	}
@@ -1448,13 +1451,13 @@ private function remove_node( $node ) {
 		 */
 		$parent = $node->parentNode;
 		if ( $node && $parent ) {
-			$parent->removeChild( $node );
+			$this->remove_child( $node );
 		}
 		while ( $parent && ! $parent->hasChildNodes() && $this->root_element !== $parent ) {
 			$node   = $parent;
 			$parent = $parent->parentNode;
 			if ( $parent ) {
-				$parent->removeChild( $node );
+				$this->remove_child( $node );
 			}
 		}
 	}

includes/sanitizers/class-amp-video-sanitizer.php

@@ -93,7 +93,7 @@ public function sanitize() {
 			 * See: https://github.com/ampproject/amphtml/issues/2261
 			 */
 			if ( 0 === $new_node->childNodes->length && empty( $new_attributes['src'] ) ) {
-				$node->parentNode->removeChild( $node );
+				$this->remove_child( $node );
 			} else {
 				$node->parentNode->replaceChild( $new_node, $node );
 			}