tgalopin / html-sanitizer-bundle
Sanitize untrustworthy HTML user input (Symfony integration for https://github.com/tgalopin/html-sanitizer)
License: MIT License
If we pass a null value to the sanitize method, we get the following error:
TypeError : HtmlSanitizer\Bundle\Twig\TwigExtension::sanitize(): Argument #1 ($html) must be of type string, null given, called in ...
It should be okay to accept a nullable value. In the sanitize() method, if null, just return null.
According to the library documentation, <u> should not be removed when using the basic extension:
basic allows the insertion of basic HTML elements: a, b, br, blockquote, div, del, em, figcaption, figure, h1, h2, h3, h4, h5, h6, i, p, q, small, span, strong, sub, sup, u
but in my case, it is removed.
My service config:
html_sanitizer:
    default_sanitizer: 'default'
    sanitizers:
        default:
            extensions:
                - 'basic'
                - 'list'
                - 'table'
Extending the InputType:
App\Form\Extension\TextInputTypeExtension:
    arguments:
        $sanitizer: '@html_sanitizer.default'
Inside the extension:
public function buildForm(FormBuilderInterface $builder, array $options): void
{
    // Sanitize the raw submitted value before it is bound to the form.
    $builder->addEventListener(FormEvents::PRE_SUBMIT, function (FormEvent $event) {
        // Strict check: the sanitizer only accepts strings, never null.
        if (null !== $event->getData()) {
            $data = $this->sanitizer->sanitize($event->getData());
            $event->setData(trim($data));
        }
    });
}
If I dump $event->getData(), I get the string containing the <u>, e.g. <p><strong><u>Registrierung</u> und Anmeldung</strong></p>, but after sanitizing, $data just resolves to <p><strong>Registrierung und Anmeldung</strong></p>.
Any idea why?
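One way to narrow this down, as an added example that is not code from the issue or the bundle: feed the same extension list to the library directly, outside the form layer, and report which tags disappeared. `tagNames()` is a hypothetical helper and the autoload path is an assumption; the sample fragment is the one dumped in the issue.

```php
<?php
// Added example: reproduce the bundle configuration with the library alone,
// so that a dropped tag can be attributed either to the sanitizer config or
// to the form/Twig layer wrapping it.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader

use HtmlSanitizer\Sanitizer;

/** Lowercase, deduplicated tag names found in an HTML fragment. */
function tagNames(string $html): array
{
    preg_match_all('/<([a-z][a-z0-9]*)\b/i', $html, $matches);

    return array_values(array_unique(array_map('strtolower', $matches[1])));
}

// Same extensions as the html_sanitizer.yaml quoted in the issue.
$sanitizer = Sanitizer::create(['extensions' => ['basic', 'list', 'table']]);

// Constructed sample input: the fragment dumped from $event->getData().
$input  = '<p><strong><u>Registrierung</u> und Anmeldung</strong></p>';
$output = $sanitizer->sanitize($input);

$dropped = array_diff(tagNames($input), tagNames($output));

printf("input  : %s\n", $input);
printf("output : %s\n", $output);
printf("dropped: %s\n", $dropped ? implode(', ', $dropped) : '(none)');
```

If <u> survives here, the loss happens in the form extension or Twig layer rather than in the sanitizer configuration.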
Sanitizer services are currently registered as 'html_sanitizer.'.$name in the container. But this means that some values of $name can make it override the other services of the bundle, leading to unexpected behavior.
It would be better to name the services 'html_sanitizer.sanitizer.'.$name, avoiding any clash with other services (this is a common mistake in bundles allowing to define a list of services with a configurable name suffix).
But that change would be a BC break for anyone referencing the service directly, so it would require bumping to 2.0.
Currently, the recommendation for the registry is to inject a Symfony service locator, typehinting the PSR ContainerInterface. But that does not help with autowiring.
The handling of a default sanitizer is also not done by the registry, forcing all places using the registry to also inject the name of the default sanitizer (look at the form type extension and the twig extension for instance).
A solution could be to implement a dedicated SanitizerRegistry, with a get(string $name = null): SanitizerInterface method (which will also help static analysis of code using the registry btw), which would deal with the ServiceLocator and the default name internally.
And this SanitizerRegistry could be exposed to autowiring.
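The registry proposed above, as an added sketch that is not code from the bundle: it wraps a PSR-11 locator keyed by sanitizer name and resolves the default name internally, so callers no longer need the default name injected. The `App\Sanitizer` namespace and the locator keys are assumptions; `HtmlSanitizer\SanitizerInterface` is the library's interface.

```php
<?php
// Added example: a single autowirable registry in front of the per-name
// sanitizer services. Wiring the locator (e.g. a Symfony ServiceLocator whose
// keys are the sanitizer names) and the default name is left to the bundle.
declare(strict_types=1);

namespace App\Sanitizer; // hypothetical namespace

use HtmlSanitizer\SanitizerInterface;
use Psr\Container\ContainerInterface;

final class SanitizerRegistry
{
    public function __construct(
        private ContainerInterface $locator, // entries keyed by sanitizer name
        private string $defaultName,         // from default_sanitizer in config
    ) {
    }

    /** Resolve a sanitizer by name; null means the configured default. */
    public function get(?string $name = null): SanitizerInterface
    {
        $name ??= $this->defaultName;

        if (!$this->locator->has($name)) {
            throw new \InvalidArgumentException(sprintf(
                'Unknown sanitizer "%s" (available: %s).',
                $name,
                implode(', ', $this->names())
            ));
        }

        $sanitizer = $this->locator->get($name);
        if (!$sanitizer instanceof SanitizerInterface) {
            throw new \LogicException(sprintf('Service "%s" is not a sanitizer.', $name));
        }

        return $sanitizer;
    }

    /** Names known to the locator, when it exposes them (Symfony's does via getProvidedServices()). */
    private function names(): array
    {
        return method_exists($this->locator, 'getProvidedServices')
            ? array_keys($this->locator->getProvidedServices())
            : [];
    }
}
```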
Hello, is it possible to allow tag attributes (like class, style, etc.) for specific (or all) tags at one time in YAML?
Currently, I have to do this in my config file:
html_sanitizer:
    default_sanitizer: 'default'
    sanitizers:
        default:
            extensions:
                - 'basic'
                - 'list'
                - 'table'
                - 'image'
                - 'code'
            tags:
                span:
                    allowed_attributes:
                        - style
                        - class
                table:
                    allowed_attributes:
                        - style
                        - class
                thead:
                    allowed_attributes:
                        - style
                        - class
As of 4.2.5, Symfony started to throw this deprecation:
Not implementing the static getExtendedTypes() method in HtmlSanitizer\Bundle\Form\TextTypeExtension when implementing the Symfony\Component\Form\FormTypeExtensionInterface is deprecated since Symfony 4.2. The method will be added to the interface in 5.0.
Can this be fixed in the next release?
I'm having problems with a custom sanitizer extension that I created for a project I'm working on. The extension is manually registered with the tag name using YAML like this:
app.sanitizer.iframe_custom:
    class: App\Sanitizer\CustomIframeExtension
    tags:
        - { name: html_sanitizer.extension }
The problem is that this extension is not registered through the sanitizer builder.
I debugged the code and found that in HtmlSanitizerExtension, when it calls "findTaggedServiceIds('html_sanitizer.extension')", my sanitizer extension service is not found.
If I debug my kernel and use findTaggedServiceIds('html_sanitizer.extension') in my Kernel.php, it finds the service by tag... it's like when HtmlSanitizerExtension is loaded my services aren't loaded yet.
Any suggestion of what I can do?
Thanks and regards!
tgalopin/html-sanitizer has a "details" extension, but when adding it in html_sanitizer.yaml, I get the following error:
You have requested a non-existent sanitizer extension "details" (available extensions: basic, code, image, iframe, list, table, extra)
It looks like the bundle lacks support for this extension, doesn't it?
Hi,
I'm getting the error You have requested a non-existent sanitizer extension "basic" (available extensions: )
My use case is that I try to decorate the Symfony translator:
services.yaml:
app.translator.sanitizer:
    class: App\Translation\SanitizerTranslator
    decorates: translator
    arguments:
        - '@app.translator.sanitizer.inner'
        - '@html_sanitizer.translations'
html_sanitizer.yaml:
html_sanitizer:
    sanitizers:
        translations:
            extensions: ['basic']
It only works if I set extensions to [] in html_sanitizer.yaml. I also created a command where my custom sanitizer works:
App\Command\TranslationsCommand:
    arguments:
        $sanitizer: '@html_sanitizer.translations'
Any idea why this does not work on my translator decorator?