From 93e5160ec0c0b47633b24448404277b5173c26af Mon Sep 17 00:00:00 2001
From: Titouan Galopin
Date: Sun, 11 Dec 2022 19:08:44 +0100
Subject: [PATCH] Fix HtmlSanitizer default configuration behavior for allowed schemes
---
 .../FrameworkExtension.php | 8 ++++--
 .../FrameworkExtensionTest.php | 2 ++
 .../Tests/TextSanitizer/UrlSanitizerTest.php | 27 +++++++++++++++++++
 3 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
index 788d8929627ec..44c6eef0b4b60 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -2738,10 +2738,14 @@ private function registerHtmlSanitizerConfiguration(array $config, ContainerBuil
 // Settings
 $def->addMethodCall('forceHttpsUrls', [$sanitizerConfig['force_https_urls']], true);
- $def->addMethodCall('allowLinkSchemes', [$sanitizerConfig['allowed_link_schemes']], true);
+ if ($sanitizerConfig['allowed_link_schemes']) {
+ $def->addMethodCall('allowLinkSchemes', [$sanitizerConfig['allowed_link_schemes']], true);
+ }
 $def->addMethodCall('allowLinkHosts', [$sanitizerConfig['allowed_link_hosts']], true);
 $def->addMethodCall('allowRelativeLinks', [$sanitizerConfig['allow_relative_links']], true);
- $def->addMethodCall('allowMediaSchemes', [$sanitizerConfig['allowed_media_schemes']], true);
+ if ($sanitizerConfig['allowed_media_schemes']) {
+ $def->addMethodCall('allowMediaSchemes', [$sanitizerConfig['allowed_media_schemes']], true);
+ }
 $def->addMethodCall('allowMediaHosts', [$sanitizerConfig['allowed_media_hosts']], true);
 $def->addMethodCall('allowRelativeMedias', [$sanitizerConfig['allow_relative_medias']], true);
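Review bot: The new guards test array truthiness, so an explicitly configured empty `allowed_link_schemes` or `allowed_media_schemes` list is now indistinguishable from an unconfigured one — both skip the call and leave the sanitizer config's own default in place, which means "allow no schemes at all" can no longer be expressed through the bundle. If that is the intended semantics, a comment above each guard would keep a later change from reintroducing the empty allow-list, e.g. `// An empty list means "not configured": skip the call so the sanitizer's default scheme list applies instead of an empty allow-list.` If an explicit empty list should still be honoured, the guard would have to test for absence/`null` rather than truthiness, which depends on how the Configuration node normalizes this option (not visible here). The same point applies to the `allowMediaSchemes` guard a few lines below. registerHtmlSanitizerConfiguration begins and ends outside the hunk.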
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
index 4b643f27cbe31..d0268990e0fb4 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
@@ -2140,7 +2140,9 @@ public function testHtmlSanitizerDefaultNullAllowedLinkMediaHost()
 $calls = $container->getDefinition('html_sanitizer.config.custom_default')->getMethodCalls();
 $this->assertContains(['allowLinkHosts', [null], true], $calls);
+ $this->assertContains(['allowRelativeLinks', [false], true], $calls);
 $this->assertContains(['allowMediaHosts', [null], true], $calls);
+ $this->assertContains(['allowRelativeMedias', [false], true], $calls);
 }
 public function testHtmlSanitizerDefaultConfig()
diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php
index 3216244e9ed10..18fec32dee43d 100644
--- a/src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php
+++ b/src/Symfony/Component/HtmlSanitizer/Tests/TextSanitizer/UrlSanitizerTest.php
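Review bot: The two added assertions only cover `allowRelativeLinks`/`allowRelativeMedias`; nothing in this hunk checks the behaviour the FrameworkExtension change in this commit introduces — that `allowLinkSchemes` and `allowMediaSchemes` are omitted from the definition when the schemes option is empty — so reverting to the unconditional call would still pass this test. Assuming this test's fixture leaves the scheme options at their defaults (the fixture is not visible here), two lines would pin it: `$this->assertNotContains('allowLinkSchemes', array_column($calls, 0));` and `$this->assertNotContains('allowMediaSchemes', array_column($calls, 0));`. If the fixture does configure schemes, the same check belongs in whichever test exercises the default configuration.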
@@ -45,6 +45,33 @@ public function provideSanitize()
 'output' => null,
 ];
+ yield [
+ 'input' => 'http://trusted.com/link.php',
+ 'allowedSchemes' => null,
+ 'allowedHosts' => null,
+ 'forceHttps' => false,
+ 'allowRelative' => false,
+ 'output' => 'http://trusted.com/link.php',
+ ];
+
+ yield [
+ 'input' => 'https://trusted.com/link.php',
+ 'allowedSchemes' => null,
+ 'allowedHosts' => null,
+ 'forceHttps' => false,
+ 'allowRelative' => false,
+ 'output' => 'https://trusted.com/link.php',
+ ];
+
+ yield [
+ 'input' => 'data:text/plain;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7',
+ 'allowedSchemes' => null,
+ 'allowedHosts' => null,
+ 'forceHttps' => false,
+ 'allowRelative' => false,
+ 'output' => 'data:text/plain;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7',
+ ];
+
 yield [
 'input' => 'https://trusted.com/link.php',
 'allowedSchemes' => ['https'],
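Review bot: The third new case pins that `'allowedSchemes' => null` passes a `data:` URL through untouched; that is a deliberate "no scheme restriction" contract with real consequences for anyone relying on the sanitizer, so a comment on that entry would stop a future contributor from "fixing" the expectation, e.g. `// null means no scheme restriction at all: even data: URLs pass through unchanged`. The new entries are anonymous `yield [...]` datasets; naming them (`yield 'null schemes keep http' => [...]`) makes a failing dataset much easier to locate in PHPUnit output. A companion case with `'allowedSchemes' => []` would also pin the null-versus-empty distinction that the FrameworkBundle side of this commit now relies on, whichever result an empty list is meant to produce. provideSanitize continues outside the hunk.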