
html-sanitizer-bundle's People

Contributors

fbastien, javiereguiluz, norkunas, r2c, stof, tgalopin, yceruto


html-sanitizer-bundle's Issues

Allow null value

If we pass a null value to the sanitize method, we get the following error:

TypeError : HtmlSanitizer\Bundle\Twig\TwigExtension::sanitize(): Argument #1 ($html) must be of type string, null given, called in ...

It should be okay to accept a nullable value. In the sanitize() method, if null, just return null.

basic extension removes <u>

According to the library documentation, <u> should not be removed when using the basic extension:

basic allows the insertion of basic HTML elements: a, b, br, blockquote, div, del, em, figcaption, figure, h1, h2, h3, h4, h5, h6, i, p, q, small, span, strong, sub, sup, u

but in my case, it is removed.

My Service Config:

html_sanitizer:
    default_sanitizer: 'default'
    sanitizers:
        default:
            extensions:
                - 'basic'
                - 'list'
                - 'table'

Extending the InputType

    App\Form\Extension\TextInputTypeExtension:
        arguments:
            $sanitizer: '@html_sanitizer.default'

Inside the Extension

    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        $builder->addEventListener(FormEvents::PRE_SUBMIT, function (FormEvent $event) use ($builder) {
            if (null != $event->getData()) {
                $data = $this->sanitizer->sanitize($event->getData());
                $event->setData(trim($data));
            }
        });
    }

If I dump $event->getData() I get the string containing the <u>, e.g. <p><strong><u>Registrierung</u> und Anmeldung</strong></p>, but after sanitizing, $data just resolves to <p><strong>Registrierung und Anmeldung</strong></p>

Any idea why?

Some sanitizer names will break the bundle

Sanitizer services are currently registered as 'html_sanitizer.'.$name in the container. But this means that some values of $name can make it override the other services of the bundle, leading to unexpected behavior.

It would be better to name the services 'html_sanitizer.sanitizer.'.$name, avoiding any clash with other services (this is a common mistake in bundles that allow defining a list of services with a configurable name suffix).
But that change would be a BC break for anyone referencing the service directly, so it would require bumping to 2.0.

Better registry API

Currently, the recommendation for the registry is to inject a Symfony service locator, typehinting the PSR ContainerInterface. But that does not help with autowiring.
The handling of a default sanitizer is also not handled by the registry, forcing all places using the registry to also inject the name of the default sanitizer (look at the form type extension and the twig extension for instance).

A solution could be to implement a dedicated SanitizerRegistry, with a get(string $name = null): SanitizerInterface method (which will also help static analysis of code using the registry btw), which would deal with the ServiceLocator and the default name internally.
And this SanitizerRegistry could be exposed to autowiring.
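
One way the registry proposed in this issue could look, as an added example that is not the bundle's own code. The two interfaces are local stand-ins for the PSR ContainerInterface and the library's SanitizerInterface, and the class body, the array-backed locator and the strip_tags toy sanitizer are assumptions made so the file runs on its own (PHP 8.0+):

```php
<?php
declare(strict_types=1);

// Stand-ins so this file runs without Composer. In an application these would
// be Psr\Container\ContainerInterface and the library's SanitizerInterface.
interface ContainerInterface { public function get(string $id); public function has(string $id): bool; }
interface SanitizerInterface { public function sanitize(string $html): string; }

// Hypothetical registry: it owns both the locator and the default name, so
// callers no longer need the default sanitizer name injected separately.
final class SanitizerRegistry
{
    public function __construct(private ContainerInterface $locator, private string $defaultName)
    {
    }

    public function get(?string $name = null): SanitizerInterface
    {
        $name ??= $this->defaultName;
        // Fail closed: an unknown name must never lead to unsanitized output.
        if (!$this->locator->has($name)) {
            throw new InvalidArgumentException(sprintf('Unknown sanitizer "%s".', $name));
        }
        return $this->locator->get($name);
    }
}

// Constructed demo wiring: strip_tags is a placeholder, not a real allowlist sanitizer.
$toy = fn (string $allowed): SanitizerInterface => new class($allowed) implements SanitizerInterface {
    public function __construct(private string $allowed) {}
    public function sanitize(string $html): string
    {
        return strip_tags($html, $this->allowed);
    }
};
$locator = new class(['default' => $toy('<p><strong>'), 'strict' => $toy('')]) implements ContainerInterface {
    public function __construct(private array $services) {}
    public function get(string $id) { return $this->services[$id]; }
    public function has(string $id): bool { return isset($this->services[$id]); }
};

$registry = new SanitizerRegistry($locator, 'default');
echo $registry->get()->sanitize('<p><u>Hi</u> <strong>there</strong></p>'), "\n"; // default sanitizer
echo $registry->get('strict')->sanitize('<p>Hi</p>'), "\n";                       // named sanitizer
try {
    $registry->get('missing');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```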

Allow attributes (class, style, etc.) for all tags at once

Hello, is it possible to allow tag attributes (like class, style, etc.) for specific (or all) tags at once in YAML?

Currently, I have to do this in my config file:

html_sanitizer:
    default_sanitizer: 'default'
    sanitizers:
        default:
            extensions:
                - 'basic'
                - 'list'
                - 'table'
                - 'image'
                - 'code'
                
            tags:
                span:
                    allowed_attributes:
                        - style
                        - class

                table:
                    allowed_attributes:
                        - style
                        - class

                thead:
                    allowed_attributes:
                        - style
                        - class

Compatibility for Symfony ^4.2.5

As of 4.2.5, Symfony started to throw this deprecation:

Not implementing the static getExtendedTypes() method in HtmlSanitizer\Bundle\Form\TextTypeExtension when implementing the Symfony\Component\Form\FormTypeExtensionInterface is deprecated since Symfony 4.2. The method will be added to the interface in 5.0.

Can this be fixed in the next release?

Troubleshooting custom extension

I'm having problems with a custom sanitizer extension that I created for a project I'm working on. The extension is manually registered with the tag name using YAML like this:

    app.sanitizer.iframe_custom:
        class: App\Sanitizer\CustomIframeExtension
        tags:
          - { name: html_sanitizer.extension }

The problem is that this extension is not registered through the sanitizer builder.

I debugged the code and found that in the HtmlSanitizerExtension, when it calls "findTaggedServiceIds('html_sanitizer.extension')", my sanitizer extension service is not found.

If I debug my kernel and use findTaggedServiceIds('html_sanitizer.extension') in my Kernel.php, it finds the service by tag... it's like when HtmlSanitizerExtension is loaded, my services aren't currently loaded.

Any suggestions on what I can do?

Thanks and regards!

Add support for "details" extension

tgalopin/html-sanitizer has a "details" extension, but when adding it in html_sanitizer.yaml, I get the following error:

You have requested a non-existent sanitizer extension "details" (available extensions: basic, code, image, iframe, list, table, extra)

It looks like the bundle lacks support for this extension, doesn't it?

You have requested a non-existent sanitizer extension "basic" (available extensions: )

Hi,
I'm getting the error You have requested a non-existent sanitizer extension "basic" (available extensions: )

My use case is that I try to decorate the Symfony translator:

services.yaml:

    app.translator.sanitizer:
        class:     App\Translation\SanitizerTranslator
        decorates: translator
        arguments:
            - '@app.translator.sanitizer.inner'
            - '@html_sanitizer.translations'

html_sanitizer.yaml:

html_sanitizer:
    sanitizers:
        translations:
            extensions: ['basic']

It only works if I set extensions to [] in the html_sanitizer.yaml. I also created a command where my custom sanitizer works:

    App\Command\TranslationsCommand:
        arguments:
            $sanitizer: '@html_sanitizer.translations'

Any idea why this does not work on my translator decorator?
