Hello 👋
Thanks for your support on this package, it's so helpful for us!

I have a quick question, if I may.
I'd like to know more about the cache directory, and what is it used for?

We had a problem upgrading where we had two purifiers configured (loose and strict), originally we had two separate caches configured for each html profiles as that seemed the most sensible. After upgrading we got errors like this:

 User Warning: Base directory /Users/xxx/symfony/app/cache/loca_/htmlpurifier-loose does not exist,  
                      please create or change using %Cache.SerializerPath   

Once we removed the cache at a profile level and used the default_cache_serializer_path directive it worked.

Is it acceptable to use the same cache for multiple profiles (with different config) ?

And is the above a known issue?

Thanks in advance!

Could you update the composer.json to also support Symfony 6, which will be released by the end of this month (November)?

The last commit was about a year ago. I'd like to know whether this bundle is still maintained or is dead.

Hey,

Can you tag a new version please for cache warmer ?
v0.2.3...master

Thanks ! :-)

It's not possible to install it on Standard Symfony 3.0.6 with composer.
Any plans to do this step?

With Symfony 4.2 instanciating a root-less TreeBuilder is deprecated:
A tree builder without a root node is deprecated since Symfony 4.2 and will not be supported anymore in 5.0.
Trace:
{ /app/vendor/symfony/config/Definition/Builder/TreeBuilder.php:30 { if (null === $name) { @trigger_error('A tree builder without a root node is deprecated since Symfony 4.2 and will not be supported anymore in 5.0.', E_USER_DEPRECATED); } else { } /app/vendor/exercise/htmlpurifier-bundle/DependencyInjection/Configuration.php:15 { { $treeBuilder = new TreeBuilder(); $rootNode = $treeBuilder->root('exercise_html_purifier'); } }

A simple fix could like like this: sensiolabs/SensioFrameworkExtraBundle@7db9568

Hi,

starting with Symfony 4.2 all FormTypes need to implement the getExtendedTypes method:

https://symfony.com/blog/new-in-symfony-4-2-improved-form-type-extensions

Not implementing the static getExtendedTypes() method in Exercise\HTMLPurifierBundle\Form\TypeExtension\HTMLPurifierTextTypeExtension when implementing the Symfony\Component\Form\FormTypeExtensionInterface is deprecated since Symfony 4.2. The method will be added to the interface in 5.0.

Cheers
Matthias

Trying to add the purify_html option to my forms text type and currently getting this error:

An error has occurred resolving the options of the form "Symfony\Component\Form\Extension\Core\Type\TextType": The option "purify_html" does not exist. Defined options are: "action", "allow_extra_fields", "allow_file_upload", "attr", "attr_translation_parameters", "auto_initialize", "block_name", "block_prefix", "by_reference", "compound", "constraints", "csrf_field_name", "csrf_message", "csrf_protection", "csrf_token_id", "csrf_token_manager", "data", "data_class", "disabled", "empty_data", "error_bubbling", "error_mapping", "extra_fields_message", "help", "help_attr", "help_html", "help_translation_parameters", "inherit_data", "invalid_message", "invalid_message_parameters", "label", "label_attr", "label_format", "label_translation_parameters", "mapped", "method", "post_max_size_message", "property_path", "required", "row_attr", "translation_domain", "trim", "upload_max_size_message", "validation_groups".

• Symfony Version: 4.4.2
• Is Symfony using flex? Nope

I have the bundle registered inside config/bundles.php and the below inside my services.yml

# config/services.yml
    Exercise\HtmlPurifierBundle\HtmlPurifiersRegistry:
        tags:
            - name: exercise.html_purifier
              profile: default

Why you're checking if data is scalar instead of string? Purify a boolean or integer value makes no sense, isn't it?

I use this bundle in my project, i want to konw how to setting config.yml.
this is the raw HTMLPurifier code.

<?php
$dirty_html = <<<EOF
<img src="/my.jpg" data-type="5" alt="" data-image-size="100,200" />
EOF;

$config = HTMLPurifier_Config::createDefault();
$def = $config->getHTMLDefinition(true);
$def->addAttribute('img', 'data-type', 'Text');
$def->addAttribute('img', 'data-image-size', 'Text');
$purifier = new HTMLPurifier($config);

It seems 9712ab7 is causing some issues for one of my apps.

I have this config:

exercise_html_purifier:
    html_profiles:
        default:
            config:
                Cache.SerializerPermissions: 0o777

Using 4.1 however my config is overwritten by the new default config it seems.

I'm moving a project to Symfony4 from other framework where it defined like so:

<?php

namespace A\Namespace;

class HTMLPurifierConfig extends \HTMLPurifier_Config
{
    public static function create($config, $schema = null)
    {
        $ret = parent::create($config, $schema);

        $def = $ret->getHTMLDefinition(true);

        $def->info_tag_transform['div'] = new \HTMLPurifier_TagTransform_Simple('p');
        $def->info_tag_transform['h1'] = new \HTMLPurifier_TagTransform_Simple('h4');
        $def->info_tag_transform['h2'] = new \HTMLPurifier_TagTransform_Simple('h5');
        $def->info_tag_transform['h3'] = new \HTMLPurifier_TagTransform_Simple('h6');

...

Is it possible to introduce a config setting to override standard \HTMLPurifier_Config with a custom one from bundle config?

The line <tag name="kernel.cache_warmer" /> has been removed from the file ./Resources/config/html_purifier.xml, and so the cache warmer is not being run on the framework startup.

Further, when the cache is being built, there are issues with key="$paths" unless it is removed OR a key="$htmlPurifier" is added on the next line.

Both of these for the block <service id="exercise_html_purifier.cache_warmer.serializer" ..., work.

<argument>%exercise_html_purifier.cache_warmer.serializer.paths%</argument>
<argument type="service" id="HTMLPurifier" />
<tag name="kernel.cache_warmer" />

OR

<argument key="$paths">%exercise_html_purifier.cache_warmer.serializer.paths%</argument>
<argument key="$htmlPurifier" type="service" id="HTMLPurifier" />
<tag name="kernel.cache_warmer" />

@cystbear: Would you like to assume ownership of the exercise/htmlpurifier-bundle package on Packagist? The repository is not currently setup with a commit hook, so that would at least need to be setup. Beyond that, the bundle could probably benefit from Travis CI integration, listing the appropriate Symfony2 version in its composer.json, and receiving a proper git tag (there is only a master branch so that could easily start at v1.0.0).

Let me know if you're interested and I'll swap our names on the maintainers list. Thanks.

Since 3.0, parameter was typehinted to string, which breaks stuff for everybody passing null there. Nullable getters are very widespread, please don't make us do
{{ activity.getNote ? activity.getNote|purify }} on each instance. It's fine this typehint is present in HTMLPurifierRuntime, but twig filter should be a closure typehinted to ?string that shouldn't pass null along to HTMLPurifierRuntime

In one of the example this is mentioned to whitelist tags:

HTML.Allowed: |
                    *[id|class|name],
                    a[href|title|rel|target],
                    img[src|alt|height|width],
                    h1,u,ul,ol,li,strong

Does *[id|class|name], implies that all elements that contains id,class,name are allowed? For example a div element (which is not in the list), but with a id attribute is allowed?

When you try to get purified some array elements, default listener doesn't work.

I override listener to do something like this:

    public function purifySubmittedData(FormEvent $event)
    {
        $event->setData($this->purifyResult($event->getData()));
    }

    protected function purifyResult($data)
    {
        if (\is_array($data)) {
            array_walk($data, function (&$item) {
                $item = $this->purifyResult($item);
            });
        }

        if (\is_string($data)) {
            return $this->getPurifier()->purify($data);
        }

        return $data;
    }

What do you think about this?

The current stable release will trigger deprecation warnings in Symfony 2.7. This has already been fixed in the master branch, but it is not released yet. Can you please release a new version with this fix ?

I installed this via composer and get this error. I'm using the latest version of symfony2.

Do I have to add the htmlpurifier library on my include path in some way?

Thanks.

I have an API controller endpoint that receives Post data. The fields are validated using FOSRestBundle RequestParam annotation so there is no form required. What I want to do is use HTMLPurifier to filter each input value primarily for XSS before using them.

For example I get a JSON object that looks something like this:
{ "emailAddress": "[email protected]", "maxResults": 10, "subject": "</a><a href=\"https://www.google.com\" target=\"_blank\">Subject" }

Back in the Zend 1 days I simply called something like:
$this->HTMLPurifier->purify($this->getRequest()->getParam('subject')
and it would return the sanitized string.

Anybody used this package this way or have an example of it's use in a controller? Thanks

Since I installed Exercise/HTMLPurifierBundle, I have an error every time I clear the cache on my Symfony server:

[Symfony\Component\Filesystem\Exception\IOException]
Failed to remove file "/var/www/nrdb/app/cache/prod_old/htmlpurifier/URI/4.6.0,8d03c8ec0e84e7feb92afd4c0f1735841b5fdacf,1.ser".

And indeed, the directory app/cache/prod/htmlpurifier/HTML is owned by www-data with permission 755, so my user cannot delete the files in it.

I applied the setfacl commands to set up the permissions in app/cache and app/log, but that doesn't seem to do the trick.

$ ls -la app/cache/prod
total 656
drwxrwxr-x+  11 alsciende www-data   4096 Jan 26 03:43 .
drwxrwxr-x+   5 www-data  www-data   4096 Jan 26 03:43 ..
drwxrwxr-x+   2 alsciende www-data   4096 Jan 26 03:45 annotations
-rw-rw-r--+   1 alsciende www-data 194989 Jan 26 03:43 appProdProjectContainer.php
-rw-rw-r--+   1 alsciende www-data  70159 Jan 26 03:43 appProdUrlGenerator.php
-rw-rw-r--+   1 alsciende www-data  79081 Jan 26 03:43 appProdUrlMatcher.php
drwxrwxr-x+   3 alsciende www-data   4096 Jan 26 03:43 assetic
-rw-rw-r--+   1 alsciende www-data   4904 Jan 26 03:43 classes.map
-rw-r--r--+   1 www-data  www-data 189453 Jan 26 03:43 classes.php
drwxrwxr-x+   3 alsciende www-data   4096 Jan 26 03:42 doctrine
drwxrwxr-x+   2 www-data  www-data   4096 Jan 26 03:43 fosJsRouting
drwxrwxr-x+   3 alsciende www-data   4096 Jan 26 03:45 htmlpurifier
drwxrwxr-x+   4 www-data  www-data   4096 Jan 26 03:43 http_cache
drwxrwxr-x+   2 alsciende www-data   4096 Jan 26 03:45 sessions
-rw-r--r--+   1 alsciende www-data  27882 Jan 26 03:43 templates.php
drwxrwxr-x+   2 www-data  www-data   4096 Jan 26 03:43 translations
drwxrwxr-x+ 105 alsciende www-data   4096 Jan 26 03:43 twig
$ ls -la app/cache/prod/htmlpurifier/
total 24
drwxrwxr-x+  3 alsciende www-data 4096 Jan 26 03:45 .
drwxrwxr-x+ 11 alsciende www-data 4096 Jan 26 03:43 ..
drwxr-xr-x+  2 www-data  www-data 4096 Jan 26 03:45 HTML

Hi,

would you tag this bundle please ?

In the readme a[target] is whitelisted but HTML purifier needs additional configuration to actually allow the target attribute.

https://github.com/Exercise/HTMLPurifierBundle#whitelist-attributes
http://htmlpurifier.org/docs
http://htmlpurifier.org/live/configdoc/plain.html#Attr.AllowedFrameTargets

This could lead to some wrong configurations.

Maybe adding Attr.AllowedFrameTargets to the example could improve this?

I have upgraded the bundle to the latest version and I observe the following error:

The option "purify_html_profile" with value null is expected to be of type "string", but is of type "NULL".

This error occurs on fields which are modify any of the form options through a form event subscriber like:

        $parent  = $field->getParent();
        $options = $field->getConfig()->getOptions();
        $name    = $field->getName();

        $parent->remove($name);
        $parent->add($name, $type, \array_merge($options, ['disabled' => $disabled]));

In this code I disable the field based on some condition, the field does not have purify_html yet the error occurs. I noticed the following in the form extension:

            ->setAllowedTypes('purify_html_profile', 'string')
            ->setNormalizer('purify_html_profile', function (Options $options, $profile) {
                if (!$options['purify_html']) {
                    return null;
                }

I believe this is causing the issue since it requires the profile to be a string, yet it is normalized to null.

I tried to remove cache_serializer_path from symfony cache folder to another (tmp), as it described in readme, but its not work.
As i understood, it must be something like this (config.yml):

exercise_html_purifier:
    default_cache_serializer_path: null
    custom:
        Cache.SerializerPath: 'tmp/htmlpurifier'

and i call this service as: $this->kernel->getContainer()->get('exercise_html_purifier.custom')

In this case, folder not removed to /tmp path, but htmlpurifier restore folder in symfony cache ;-)

And, i tried another ways, like these:

exercise_html_purifier:
    default_cache_serializer_path: null
    html_profiles:
        custom:
            config:
                Cache.SerializerPath: 'tmp/htmlpurifier'

or

exercise_html_purifier:
    default_cache_serializer_path: null
    html_profiles:
        custom:
            Cache.SerializerPath: 'tmp/htmlpurifier'

And this is not work at all.

The form type extension disables the trim option when the purify_html option is enabled, saying that the listener already trims.
But the trimmed value is not always written back to the event. If trimming makes it empty, the value is not replaced in the event.

Method "Symfony\Component\DependencyInjection\Extension\Extension::getAlias()" might add "string" as a native return type declaration in the future. Do the same in child class "Exercise\HTMLPurifierBundle\DependencyInjection\ExerciseHTMLPurifierExtension" now to avoid errors or add an explicit @return annotation to suppress this message.

Method "Symfony\Component\Config\Definition\ConfigurationInterface::getConfigTreeBuilder()" might add "TreeBuilder" as a native return type declaration in the future. Do the same in implementation "Exercise\HTMLPurifierBundle\DependencyInjection\Configuration" now to avoid errors or add an explicit @return annotation to suppress this message.

Method "Symfony\Component\HttpKernel\CacheWarmer\WarmableInterface::warmUp()" might add "array" as a native return type declaration in the future. Do the same in implementation "Exercise\HTMLPurifierBundle\CacheWarmer\SerializerCacheWarmer" now to avoid errors or add an explicit @return annotation to suppress this message.

I adapted the code some times ago to accept the "< video >" tags, but it is not working anymore since versions 0.2.X and I really don't know why. The "< video >" tag is still present after purrifying, but the "src" element is removed.

Any hints to figure this out?

use Symfony\Component\Form\DataTransformerInterface;

class HTMLPurifierTransformer implements DataTransformerInterface
{
    private $purifier;

    /**
     * Constructor.
     *
     * @param \HTMLPurifier $purifier
     */
    public function __construct()
    {
          //Find full HTML5 config : https://github.com/kennberg/php-htmlpurfier-html5
          $config = \HTMLPurifier_Config::createDefault();
          $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
          $config->set('HTML.SafeIframe', true);

          // Set some HTML5 properties
          $config->set('HTML.DefinitionID', 'html5-definitions'); // unqiue id
          $config->set('HTML.DefinitionRev', 1);
          if ($def = $config->maybeGetRawHTMLDefinition()) {
            // http://developers.whatwg.org/the-video-element.html#the-video-element
            $def->addElement('video', 'Block', 'Optional: (source, Flow) | (Flow, source) | Flow', 'Common', array(
              'src' => 'URI',
              'type' => 'Text',
              'width' => 'Length',
              'height' => 'Length',
              'poster' => 'URI',
              'preload' => 'Enum#auto,metadata,none',
              'controls' => 'Bool',
            ));
          }
          $this->purifier = new \HTMLPurifier($config);
    }
           ...

Hello,

When doing a composer install I'm getting the following warning:

Deprecation Notice: Class Exercise\HTMLPurifierBundle\Form\TypeExtension\ForwardCompatTypeExtensionTrait located in ./vendor/exercise/htmlpurifier-bundle/src/Form/TypeExtension/forward_compat_trait.inc.php does not comply with psr-4 autoloading standard. It will not autoload anymore in Composer v2.0. in phar:///usr/bin/composer/src/Composer/Autoload/ClassMapGenerator.php:201
Warning: Ambiguous class resolution, "Exercise\HTMLPurifierBundle\Form\TypeExtension\ForwardCompatTypeExtensionTrait" was found in both "/home/anonymous/app/vendor/exercise/htmlpurifier-bundle/src/Form/TypeExtension/forward_compat_trait.inc.php" and "/home/anonymous/app/vendor/exercise/htmlpurifier-bundle/src/Form/TypeExtension/ForwardCompatTypeExtensionTrait.php", the first will be used.

Can you fix psr-0 autoloading please?

I often have this error that comes and goes by itself, after refreshing the page again, I don't know who is responsible but I note it anyway in case it serves

With the following configuration:

exercise_html_purifier:
    default:
        HTML.Allowed: '*[id|class|name|style|alt|title|height|width],a[href|rel|target],img[src],br,div,u,em,ul,ol,li,strong,span,p,i'
        HTML.SafeIframe: true
        URI.SafeIframeRegexp: '#(.*)#'
        URI.AllowedSchemes: ['data', 'http', 'https', 'mailto', 'tel']

If I purify <span style="color:#FF0000;>test</span>, the result is <span style="color:#FF0000;>test</span>.
If I purify <span style="color:#FF0000FF;>test</span>, the result is <span>test</span>.
It seems that alpha canal is not accepted?

Hello,

I want to use URI.Munge but with the nofollow property and it doesn't work.

URI.Munge: '/redirect?url=%s' 
HTML.Nofollow: true 
HTML.TargetBlank: true 
HTML.TargetNoopener: true 
HTML.TargetNoreferrer: true 

Is it possible or it needs an update ?

Thanks.

The "Symfony\Component\HttpKernel\DependencyInjection\Extension" class is considered internal since Symfony 7.1, to be deprecated in 8.1; use Symfony\Component\DependencyInjection\Extension\Extension instead. It may change without further notice. You should not use it from "Exercise\HTMLPurifierBundle\DependencyInjection\ExerciseHTMLPurifierExtension".

Env / SF2.8
I'm trying to add config for allowing iframe from YouTube, here's my config.yml:

# HTMLPurifierBundle
exercise_html_purifier:
    default:
        Cache.SerializerPath: "%kernel.root_dir%/cache/htmlpurifier"
    custom:
        HTML.SafeIframe: true
        URI.SafeIframeRegexp: '%^http://www.youtube.com/embed/%'

But I've got this error:

ParameterNotFoundException in ParameterBag.php line 84:
You have requested a non-existent parameter "^http://www.youtube.com/embed/".

What's wrong?
Thanks!

I would like to add support for an element. I can do it like this in the controller:

        $config = $this->get('exercise_html_purifier.config.default');
        $def = $config->getHTMLDefinition(true);
        $section = $def->addElement(
            'section',
            'Block',  // content set
            'Flow', // allowed children
            'Common');
        $section->excludes = array('section' => true);

How can I do it systemwide?