From 9956cae048be64752ff3b7e78ee03b926a65a118 Mon Sep 17 00:00:00 2001
From: Adrien Roches
Date: Sun, 1 Jan 2023 19:37:01 +0100
Subject: [PATCH] [HtmlSanitizer] Add that will block all known elements by default.
---
 .../DependencyInjection/Configuration.php | 4 ++++
 .../DependencyInjection/FrameworkExtension.php | 4 ++++
 .../Fixtures/php/html_sanitizer.php | 1 +
 .../Fixtures/xml/html_sanitizer.xml | 1 +
 .../Fixtures/yml/html_sanitizer.yml | 1 +
 .../FrameworkExtensionTestCase.php | 1 +
 .../HtmlSanitizer/HtmlSanitizerConfig.php | 17 +++++++++++++++++
 src/Symfony/Component/HtmlSanitizer/README.md | 4 ++++
 .../Tests/HtmlSanitizerCustomTest.php | 12 ++++++++++++
 9 files changed, 45 insertions(+)
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
index c5378238b92a4..1697d605ae106 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -2271,6 +2271,10 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
 ->info('Allows all static elements and attributes from the W3C Sanitizer API standard.')
 ->defaultFalse()
 ->end()
+ ->booleanNode('block_body_elements')
+ ->info('Blocks all static body elements and remove attributes.')
+ ->defaultFalse()
+ ->end()
 ->arrayNode('allow_elements')
 ->info('Configures the elements that the sanitizer should retain from the input. The element name is the key, the value is either a list of allowed attributes for this element or "*" to allow the default set of attributes (https://wicg.github.io/sanitizer-api/#default-configuration).')
 ->example(['i' => '*', 'a' => ['title'], 'span' => 'class'])
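Review bot: The info string on the new `block_body_elements` node is ungrammatical ("Blocks … and remove attributes") and says nothing about how the option relates to the neighbouring allow_* keys, which is exactly what someone reading the dumped reference needs to know. I would write `->info('Blocks all static body elements and removes their attributes; elements listed under allow_elements are still allowed, as they are applied afterwards.')` — the second clause holds because FrameworkExtension in this commit emits the blockBodyElements call before the allow_elements loop. addHtmlSanitizerSection continues outside the hunk.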
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
index e2223da1ab3d5..96334749f4579 100644
--- a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
+++ b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -2931,6 +2931,10 @@ private function registerHtmlSanitizerConfiguration(array $config, ContainerBuil
 $def->addMethodCall('allowStaticElements', [], true);
 }
 
+ if ($sanitizerConfig['block_body_elements']) {
+ $def->addMethodCall('blockBodyElements', [], true);
+ }
+
 // Configures elements
 foreach ($sanitizerConfig['allow_elements'] as $element => $attributes) {
 $def->addMethodCall('allowElement', [$element, $attributes], true);
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer.php b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer.php
index 2d117e8380a45..90279e90988d9 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer.php
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer.php
@@ -5,6 +5,7 @@
 'html_sanitizer' => [
 'sanitizers' => [
 'custom' => [
+ 'block_body_elements' => true,
 'allow_safe_elements' => true,
 'allow_static_elements' => true,
 'allow_elements' => [
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer.xml b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer.xml
index 771652c8d1a28..20b5277df76b4 100644
--- a/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer.xml
+++ b/src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer.xml
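Review bot: The new `blockBodyElements` method call is emitted after the `allowSafeElements`/`allowStaticElements` calls, so a sanitizer that sets both `allow_safe_elements` and `block_body_elements` to true — which is what the php fixture in this same commit does — has its allow calls silently undone for every body element, because HtmlSanitizerConfig's allowElement()/blockElement() each remove the element from the other list and the last call wins. The README hunk in this commit shows the opposite order (`->blockBodyElements()` first, then `->allowSafeElements()`), so the bundle wiring and the documented usage disagree on which option takes precedence. Moving the three added lines `if ($sanitizerConfig['block_body_elements']) { $def->addMethodCall('blockBodyElements', [], true); }` above the `allow_safe_elements` check would make explicit allows win in both places; if block-wins is intended instead, the precedence should be stated in the Configuration info text. registerHtmlSanitizerConfiguration continues outside the hunk.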
@@ -8,6 +8,7 @@ blockElement($element, '*');
+ }
+
+ return $clone;
+ }
+
 /**
 * Allows only a given list of schemes to be used in links href attributes.
 *
diff --git a/src/Symfony/Component/HtmlSanitizer/README.md b/src/Symfony/Component/HtmlSanitizer/README.md
index 70cdc476e258d..5fbd350792fe6 100644
--- a/src/Symfony/Component/HtmlSanitizer/README.md
+++ b/src/Symfony/Component/HtmlSanitizer/README.md
@@ -14,6 +14,10 @@ use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
 // By default, an element not added to the allowed or blocked elements
 // will be dropped, including its children
 $config = (new HtmlSanitizerConfig())
+ // Blocks all static body elements and remove attributes.
+ // All scripts will be removed.
+ ->blockBodyElements()
+
 // Allow "safe" elements and attributes. All scripts will be removed
 // as well as other dangerous behaviors like CSS injection
 ->allowSafeElements()
diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php
index f44c62414f4f4..dc7d641ea53e0 100644
--- a/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php
+++ b/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php
@@ -393,6 +393,18 @@ public function testAllowMediasRelative()
 );
 }
 
+ public function testBlockBodyElements()
+ {
+ $config = (new HtmlSanitizerConfig())
+ ->blockBodyElements()
+ ;
+
+ $this->assertSame(
+ 'If you need help : Visit Symfony',
+ $this->sanitize($config, 'Codestin Search App

If you need help : Visit Symfony

')
+ );
+ }
+
 public function testCustomAttributeSanitizer()
 {
 $config = (new HtmlSanitizerConfig())
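Review bot: testBlockBodyElements only pins the everything-blocked case; the behaviour a user actually relies on — that an element re-allowed after `->blockBodyElements()` survives with its attributes — is asserted nowhere, even though the FrameworkBundle fixture in this commit combines the option with allow_* keys. I would add a sibling test that configures `->blockBodyElements()->allowElement('a', 'href')` and asserts the link is kept with its href while the surrounding elements are still unwrapped, and another with `->blockBodyElements()->allowSafeElements()` in both orders to pin which call wins. The expected string `'If you need help : Visit Symfony'` also shows that blocked elements keep their text content, which deserves a one-line comment above the assertion since a reader may expect blocked markup to be dropped entirely; the input markup is not legible in this copy of the patch, so I cannot propose the exact second expectation.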