[FrameworkBundle][TwigBundle][Form] Add Twig filter, form-type extension and improve service definitions for HtmlSanitizer

nicolas-grekas · nicolas-grekas · commit 213c03ae5ab3 · 2022-05-13T11:02:40.000+02:00
diff --git a/src/Symfony/Bridge/Twig/Extension/HtmlSanitizerExtension.php b/src/Symfony/Bridge/Twig/Extension/HtmlSanitizerExtension.php
@@ -0,0 +1,40 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bridge\Twig\Extension;
+
+use Psr\Container\ContainerInterface;
+use Twig\Extension\AbstractExtension;
+use Twig\TwigFilter;
+
+/**
+ * @author Titouan Galopin <galopintitouan@gmail.com>
+ */
+final class HtmlSanitizerExtension extends AbstractExtension
+{
+    public function __construct(
+        private ContainerInterface $sanitizers,
+        private string $defaultName = 'default',
+    ) {
+    }
+
+    public function getFilters(): array
+    {
+        return [
+            new TwigFilter('sanitize_html', $this->sanitize(...), ['is_safe' => ['html']]),
+        ];
+    }
+
+    public function sanitize(string $html, string $sanitizer = null): string
+    {
+        return $this->sanitizers->get($sanitizer ?? $this->defaultName)->sanitize($html);
+    }
+}
diff --git a/src/Symfony/Bridge/Twig/UndefinedCallableHandler.php b/src/Symfony/Bridge/Twig/UndefinedCallableHandler.php
@@ -24,6 +24,7 @@ class UndefinedCallableHandler
     private const FILTER_COMPONENTS = [
         'humanize' => 'form',
         'trans' => 'translation',
+        'sanitize_html' => 'html-sanitizer',
         'yaml_encode' => 'yaml',
         'yaml_dump' => 'yaml',
     ];
@@ -61,6 +62,7 @@ class UndefinedCallableHandler
     ];
 
     private const FULL_STACK_ENABLE = [
+        'html-sanitizer' => 'enable "framework.html_sanitizer"',
         'form' => 'enable "framework.form"',
         'security-core' => 'add the "SecurityBundle"',
         'security-http' => 'add the "SecurityBundle"',
diff --git a/src/Symfony/Bridge/Twig/composer.json b/src/Symfony/Bridge/Twig/composer.json
@@ -28,6 +28,7 @@
         "symfony/dependency-injection": "^5.4|^6.0",
         "symfony/finder": "^5.4|^6.0",
         "symfony/form": "^6.1",
+        "symfony/html-sanitizer": "^6.1",
         "symfony/http-foundation": "^5.4|^6.0",
         "symfony/http-kernel": "^5.4|^6.0",
         "symfony/intl": "^5.4|^6.0",
@@ -65,6 +66,7 @@
         "symfony/finder": "",
         "symfony/asset": "For using the AssetExtension",
         "symfony/form": "For using the FormExtension",
+        "symfony/html-sanitizer": "For using the HtmlSanitizerExtension",
         "symfony/http-kernel": "For using the HttpKernelExtension",
         "symfony/routing": "For using the RoutingExtension",
         "symfony/translation": "For using the TranslationExtension",
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php
@@ -49,6 +49,7 @@ class UnusedTagsPass implements CompilerPassInterface
         'form.type',
         'form.type_extension',
         'form.type_guesser',
+        'html_sanitizer',
         'http_client.client',
         'kernel.cache_clearer',
         'kernel.cache_warmer',
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -2129,10 +2129,6 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
                     ->{$enableIfStandalone('symfony/html-sanitizer', HtmlSanitizerInterface::class)}()
                     ->fixXmlConfig('sanitizer')
                     ->children()
-                        ->scalarNode('default')
-                            ->defaultNull()
-                            ->info('Default sanitizer to use when injecting without named binding.')
-                        ->end()
                         ->arrayNode('sanitizers')
                             ->useAttributeAsKey('name')
                             ->arrayPrototype()
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -485,6 +485,9 @@ public function load(array $configs, ContainerBuilder $container)
                 $container->removeDefinition('form.type_extension.form.validator');
                 $container->removeDefinition('form.type_guesser.validator');
             }
+            if (!$this->isConfigEnabled($container, $config['html_sanitizer'])) {
+                $container->removeDefinition('form.type_extension.form.html_sanitizer');
+            }
         } else {
             $container->removeDefinition('console.command.form_debug');
         }
@@ -2740,13 +2743,14 @@ private function registerHtmlSanitizerConfiguration(array $config, ContainerBuil
 
             // Create the sanitizer and link its config
             $sanitizerId = 'html_sanitizer.sanitizer.'.$sanitizerName;
-            $container->register($sanitizerId, HtmlSanitizer::class)->addArgument(new Reference($configId));
+            $container->register($sanitizerId, HtmlSanitizer::class)
+                ->addTag('html_sanitizer', ['sanitizer' => $sanitizerName])
+                ->addArgument(new Reference($configId));
 
-            $container->registerAliasForArgument($sanitizerId, HtmlSanitizerInterface::class, $sanitizerName);
+            if ('default' !== $sanitizerName) {
+                $container->registerAliasForArgument($sanitizerId, HtmlSanitizerInterface::class, $sanitizerName);
+            }
         }
-
-        $default = $config['default'] ? 'html_sanitizer.sanitizer.'.$config['default'] : 'html_sanitizer';
-        $container->setAlias(HtmlSanitizerInterface::class, new Reference($default));
     }
 
     private function resolveTrustedHeaders(array $headers): int
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/form.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/form.php
@@ -19,10 +19,12 @@
 use Symfony\Component\Form\Extension\Core\Type\FileType;
 use Symfony\Component\Form\Extension\Core\Type\FormType;
 use Symfony\Component\Form\Extension\Core\Type\SubmitType;
+use Symfony\Component\Form\Extension\Core\Type\TextType;
 use Symfony\Component\Form\Extension\Core\Type\TransformationFailureExtension;
 use Symfony\Component\Form\Extension\DependencyInjection\DependencyInjectionExtension;
 use Symfony\Component\Form\Extension\HttpFoundation\HttpFoundationRequestHandler;
 use Symfony\Component\Form\Extension\HttpFoundation\Type\FormTypeHttpFoundationExtension;
+use Symfony\Component\Form\Extension\HttpFoundation\Type\TextTypeHtmlSanitizerExtension;
 use Symfony\Component\Form\Extension\Validator\Type\FormTypeValidatorExtension;
 use Symfony\Component\Form\Extension\Validator\Type\RepeatedTypeValidatorExtension;
 use Symfony\Component\Form\Extension\Validator\Type\SubmitTypeValidatorExtension;
@@ -113,6 +115,10 @@
             ->args([service('translator')->ignoreOnInvalid()])
             ->tag('form.type_extension', ['extended-type' => FormType::class])
 
+        ->set('form.type_extension.form.html_sanitizer', TextTypeHtmlSanitizerExtension::class)
+            ->args([tagged_locator('html_sanitizer', 'sanitizer')])
+            ->tag('form.type_extension', ['extended-type' => TextType::class])
+
         ->set('form.type_extension.form.http_foundation', FormTypeHttpFoundationExtension::class)
             ->args([service('form.type_extension.form.request_handler')])
             ->tag('form.type_extension')
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/html_sanitizer.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/html_sanitizer.php
@@ -13,13 +13,18 @@
 
 use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
 use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
-        ->set('html_sanitizer.config', HtmlSanitizerConfig::class)
+        ->set('html_sanitizer.config.default', HtmlSanitizerConfig::class)
             ->call('allowSafeElements')
 
-        ->set('html_sanitizer', HtmlSanitizer::class)
+        ->set('html_sanitizer.sanitizer.default', HtmlSanitizer::class)
             ->args([service('html_sanitizer.config')])
+            ->tag('html_sanitizer', ['name' => 'default'])
+
+        ->alias('html_sanitizer', 'html_sanitizer.sanitizer.default')
+        ->alias(HtmlSanitizerInterface::class, 'html_sanitizer')
     ;
 };
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd b/src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
@@ -826,7 +826,6 @@
             <xsd:element name="sanitizer" type="sanitizer" minOccurs="0" maxOccurs="unbounded" />
         </xsd:sequence>
         <xsd:attribute name="enabled" type="xsd:boolean" />
-        <xsd:attribute name="default" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="sanitizer">
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
@@ -652,7 +652,6 @@ class_exists(SemaphoreStore::class) && SemaphoreStore::isSupported() ? 'semaphor
             ],
             'html_sanitizer' => [
                 'enabled' => !class_exists(FullStack::class) && class_exists(HtmlSanitizer::class),
-                'default' => null,
                 'sanitizers' => [],
             ],
             'exceptions' => [],
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer.php
@@ -3,9 +3,8 @@
 $container->loadFromExtension('framework', [
     'http_method_override' => false,
     'html_sanitizer' => [
-        'default' => 'my.sanitizer',
         'sanitizers' => [
-            'my.sanitizer' => [
+            'default' => [
                 'allow_safe_elements' => true,
                 'allow_all_static_elements' => true,
                 'allow_elements' => [
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer.xml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer.xml
@@ -6,8 +6,8 @@
                         http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
 
     <config xmlns="http://symfony.com/schema/dic/symfony" http-method-override="false">
-        <html-sanitizer default="my.sanitizer">
-            <sanitizer name="my.sanitizer"
+        <html-sanitizer>
+            <sanitizer name="default"
                 allow-safe-elements="true"
                 allow-all-static-elements="true"
                 force-https-urls="true"
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/html_sanitizer.yml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/html_sanitizer.yml
@@ -1,9 +1,8 @@
 framework:
     http_method_override: false
     html_sanitizer:
-        default: my.sanitizer
         sanitizers:
-            my.sanitizer:
+            default:
                 allow_safe_elements: true
                 allow_all_static_elements: true
                 allow_elements:
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -2030,27 +2030,16 @@ public function testHtmlSanitizer()
         $container = $this->createContainerFromFile('html_sanitizer');
 
         // html_sanitizer service
-        $this->assertTrue($container->hasDefinition('html_sanitizer'), '->registerHtmlSanitizerConfiguration() loads html_sanitizer.php');
-        $this->assertSame(HtmlSanitizer::class, $container->getDefinition('html_sanitizer')->getClass());
-        $this->assertCount(1, $args = $container->getDefinition('html_sanitizer')->getArguments());
-        $this->assertSame('html_sanitizer.config', (string) $args[0]);
-
-        // html_sanitizer.config service
-        $this->assertTrue($container->hasDefinition('html_sanitizer.config'), '->registerHtmlSanitizerConfiguration() loads html_sanitizer.php');
-        $this->assertSame(HtmlSanitizerConfig::class, $container->getDefinition('html_sanitizer.config')->getClass());
-        $this->assertCount(1, $calls = $container->getDefinition('html_sanitizer.config')->getMethodCalls());
-        $this->assertSame(['allowSafeElements', []], $calls[0]);
-
-        // my.sanitizer
-        $this->assertTrue($container->hasDefinition('html_sanitizer.sanitizer.my.sanitizer'), '->registerHtmlSanitizerConfiguration() loads custom sanitizer');
-        $this->assertSame(HtmlSanitizer::class, $container->getDefinition('html_sanitizer.sanitizer.my.sanitizer')->getClass());
-        $this->assertCount(1, $args = $container->getDefinition('html_sanitizer.sanitizer.my.sanitizer')->getArguments());
-        $this->assertSame('html_sanitizer.config.my.sanitizer', (string) $args[0]);
-
-        // my.sanitizer config
-        $this->assertTrue($container->hasDefinition('html_sanitizer.config.my.sanitizer'), '->registerHtmlSanitizerConfiguration() loads custom sanitizer');
-        $this->assertSame(HtmlSanitizerConfig::class, $container->getDefinition('html_sanitizer.config.my.sanitizer')->getClass());
-        $this->assertCount(23, $calls = $container->getDefinition('html_sanitizer.config.my.sanitizer')->getMethodCalls());
+        $this->assertTrue($container->hasAlias('html_sanitizer'), '->registerHtmlSanitizerConfiguration() loads html_sanitizer.php');
+        $this->assertSame('html_sanitizer.sanitizer.default', (string) $container->getAlias('html_sanitizer'));
+        $this->assertSame(HtmlSanitizer::class, $container->getDefinition('html_sanitizer.sanitizer.default')->getClass());
+        $this->assertCount(1, $args = $container->getDefinition('html_sanitizer.sanitizer.default')->getArguments());
+        $this->assertSame('html_sanitizer.config.default', (string) $args[0]);
+
+        // config
+        $this->assertTrue($container->hasDefinition('html_sanitizer.config.default'), '->registerHtmlSanitizerConfiguration() loads custom sanitizer');
+        $this->assertSame(HtmlSanitizerConfig::class, $container->getDefinition('html_sanitizer.config.default')->getClass());
+        $this->assertCount(23, $calls = $container->getDefinition('html_sanitizer.config.default')->getMethodCalls());
         $this->assertSame(
             [
                 ['allowSafeElements', [], true],
@@ -2092,11 +2081,11 @@ static function ($call) {
         );
 
         // Named alias
-        $this->assertSame('html_sanitizer.sanitizer.my.sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class.' $mySanitizer'), '->registerHtmlSanitizerConfiguration() creates appropriate named alias');
-        $this->assertSame('html_sanitizer.sanitizer.all.sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class.' $allSanitizer'), '->registerHtmlSanitizerConfiguration() creates appropriate named alias');
+        $this->assertSame('html_sanitizer.sanitizer.all.sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class.' $allSanitizer'));
+        $this->assertFalse($container->hasAlias(HtmlSanitizerInterface::class.' $default'));
 
         // Default alias
-        $this->assertSame('html_sanitizer.sanitizer.my.sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class), '->registerHtmlSanitizerConfiguration() creates appropriate default alias');
+        $this->assertSame('html_sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class));
     }
 
     protected function createContainer(array $data = [])
diff --git a/src/Symfony/Bundle/TwigBundle/DependencyInjection/TwigExtension.php b/src/Symfony/Bundle/TwigBundle/DependencyInjection/TwigExtension.php
@@ -19,6 +19,7 @@
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\Form\AbstractRendererEngine;
 use Symfony\Component\Form\Form;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
 use Symfony\Component\Mailer\Mailer;
 use Symfony\Component\Translation\Translator;
@@ -54,6 +55,10 @@ public function load(array $configs, ContainerBuilder $container)
             $loader->load('console.php');
         }
 
+        if (!$container::willBeAvailable('symfony/html-sanitizer', HtmlSanitizerInterface::class, ['symfony/twig-bundle'])) {
+            $container->removeDefinition('twig.extension.htmlsanitizer');
+        }
+
         if ($container::willBeAvailable('symfony/mailer', Mailer::class, ['symfony/twig-bundle'])) {
             $loader->load('mailer.php');
         }
diff --git a/src/Symfony/Bundle/TwigBundle/Resources/config/twig.php b/src/Symfony/Bundle/TwigBundle/Resources/config/twig.php
@@ -18,6 +18,7 @@
 use Symfony\Bridge\Twig\Extension\AssetExtension;
 use Symfony\Bridge\Twig\Extension\CodeExtension;
 use Symfony\Bridge\Twig\Extension\ExpressionExtension;
+use Symfony\Bridge\Twig\Extension\HtmlSanitizerExtension;
 use Symfony\Bridge\Twig\Extension\HttpFoundationExtension;
 use Symfony\Bridge\Twig\Extension\HttpKernelExtension;
 use Symfony\Bridge\Twig\Extension\HttpKernelRuntime;
@@ -118,6 +119,9 @@
 
         ->set('twig.extension.expression', ExpressionExtension::class)
 
+        ->set('twig.extension.htmlsanitizer', HtmlSanitizerExtension::class)
+            ->args([tagged_locator('html_sanitizer', 'sanitizer')])
+
         ->set('twig.extension.httpkernel', HttpKernelExtension::class)
 
         ->set('twig.runtime.httpkernel', HttpKernelRuntime::class)
diff --git a/src/Symfony/Component/Form/Extension/HtmlSanitizer/Type/TextTypeHtmlSanitizerExtension.php b/src/Symfony/Component/Form/Extension/HtmlSanitizer/Type/TextTypeHtmlSanitizerExtension.php
@@ -0,0 +1,66 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Form\Extension\HttpFoundation\Type;
+
+use Psr\Container\ContainerInterface;
+use Symfony\Component\Form\AbstractTypeExtension;
+use Symfony\Component\Form\Extension\Core\Type\TextType;
+use Symfony\Component\Form\FormBuilderInterface;
+use Symfony\Component\Form\FormEvent;
+use Symfony\Component\Form\FormEvents;
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
+/**
+ * @author Titouan Galopin <galopintitouan@gmail.com>
+ */
+class TextTypeHtmlSanitizerExtension extends AbstractTypeExtension
+{
+    public function __construct(
+        private ContainerInterface $sanitizers,
+        private string $defaultName = 'default',
+    ) {
+    }
+
+    public static function getExtendedTypes(): iterable
+    {
+        return [TextType::class];
+    }
+
+    public function configureOptions(OptionsResolver $resolver)
+    {
+        $resolver
+            ->setDefaults(['sanitize_html' => false, 'sanitizer' => null])
+            ->setAllowedTypes('sanitize_html', 'bool')
+            ->setAllowedTypes('sanitizer', ['string', 'null'])
+        ;
+    }
+
+    public function buildForm(FormBuilderInterface $builder, array $options)
+    {
+        if (!$options['sanitize_html']) {
+            return;
+        }
+
+        $sanitizers = $this->sanitizers;
+        $sanitizer = $options['sanitizer'] ?? $this->defaultName;
+
+        $builder->addEventListener(
+            FormEvents::PRE_SUBMIT,
+            static function (FormEvent $event) use ($sanitizers, $sanitizer) {
+                if (is_scalar($data = $event->getData()) && '' !== trim($data)) {
+                    $event->setData($sanitizers->get($sanitizer)->sanitize($data));
+                }
+            },
+            10000 /* as soon as possible */
+        );
+    }
+}
