Skip to content

[Form][FrameworkBundle][TwigBundle] Add Twig filter, form-type extension and improve service definitions for HtmlSanitizer #46335

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 14, 2022
Merged

[Form][FrameworkBundle][TwigBundle] Add Twig filter, form-type extension and improve service definitions for HtmlSanitizer #46335

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions src/Symfony/Bridge/Twig/Extension/HtmlSanitizerExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bridge\Twig\Extension;

use Psr\Container\ContainerInterface;
use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

/**
* @author Titouan Galopin <galopintitouan@gmail.com>
*/
final class HtmlSanitizerExtension extends AbstractExtension
{
public function __construct(
private ContainerInterface $sanitizers,
private string $defaultSanitizer = 'default',
) {
}

public function getFilters(): array
{
return [
new TwigFilter('sanitize_html', $this->sanitize(...), ['is_safe' => ['html']]),
];
}

public function sanitize(string $html, string $sanitizer = null): string
{
return $this->sanitizers->get($sanitizer ?? $this->defaultSanitizer)->sanitize($html);
}
}
52 changes: 52 additions & 0 deletions src/Symfony/Bridge/Twig/Tests/Extension/HtmlSanitizerExtensionTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
<?php

/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/

namespace Symfony\Bridge\Twig\Tests\Extension;

use PHPUnit\Framework\TestCase;
use Symfony\Bridge\Twig\Extension\HtmlSanitizerExtension;
use Symfony\Component\DependencyInjection\ServiceLocator;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
use Twig\Environment;
use Twig\Loader\ArrayLoader;

class HtmlSanitizerExtensionTest extends TestCase
{
public function testSanitizeHtml()
{
$loader = new ArrayLoader([
'foo' => '{{ "foobar"|sanitize_html }}',
'bar' => '{{ "foobar"|sanitize_html("bar") }}',
]);

$twig = new Environment($loader, ['debug' => true, 'cache' => false, 'autoescape' => 'html', 'optimizations' => 0]);

$fooSanitizer = $this->createMock(HtmlSanitizerInterface::class);
$fooSanitizer->expects($this->once())
->method('sanitize')
->with('foobar')
->willReturn('foo');

$barSanitizer = $this->createMock(HtmlSanitizerInterface::class);
$barSanitizer->expects($this->once())
->method('sanitize')
->with('foobar')
->willReturn('bar');

$twig->addExtension(new HtmlSanitizerExtension(new ServiceLocator([
'foo' => fn () => $fooSanitizer,
'bar' => fn () => $barSanitizer,
]), 'foo'));

$this->assertSame('foo', $twig->render('foo'));
$this->assertSame('bar', $twig->render('bar'));
}
}
2 changes: 2 additions & 0 deletions src/Symfony/Bridge/Twig/UndefinedCallableHandler.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ class UndefinedCallableHandler
private const FILTER_COMPONENTS = [
'humanize' => 'form',
'trans' => 'translation',
'sanitize_html' => 'html-sanitizer',
'yaml_encode' => 'yaml',
'yaml_dump' => 'yaml',
];
Expand Down Expand Up @@ -61,6 +62,7 @@ class UndefinedCallableHandler
];

private const FULL_STACK_ENABLE = [
'html-sanitizer' => 'enable "framework.html_sanitizer"',
'form' => 'enable "framework.form"',
'security-core' => 'add the "SecurityBundle"',
'security-http' => 'add the "SecurityBundle"',
Expand Down
2 changes: 2 additions & 0 deletions src/Symfony/Bridge/Twig/composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@
"symfony/dependency-injection": "^5.4|^6.0",
"symfony/finder": "^5.4|^6.0",
"symfony/form": "^6.1",
"symfony/html-sanitizer": "^6.1",
"symfony/http-foundation": "^5.4|^6.0",
"symfony/http-kernel": "^5.4|^6.0",
"symfony/intl": "^5.4|^6.0",
Expand Down Expand Up @@ -65,6 +66,7 @@
"symfony/finder": "",
"symfony/asset": "For using the AssetExtension",
"symfony/form": "For using the FormExtension",
"symfony/html-sanitizer": "For using the HtmlSanitizerExtension",
"symfony/http-kernel": "For using the HttpKernelExtension",
"symfony/routing": "For using the RoutingExtension",
"symfony/translation": "For using the TranslationExtension",
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,7 @@ class UnusedTagsPass implements CompilerPassInterface
'form.type',
'form.type_extension',
'form.type_guesser',
'html_sanitizer',
'http_client.client',
'kernel.cache_clearer',
'kernel.cache_warmer',
Expand Down
4 changes: 0 additions & 4 deletions src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2129,10 +2129,6 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
->{$enableIfStandalone('symfony/html-sanitizer', HtmlSanitizerInterface::class)}()
->fixXmlConfig('sanitizer')
->children()
->scalarNode('default')
->defaultNull()
->info('Default sanitizer to use when injecting without named binding.')
->end()
->arrayNode('sanitizers')
->useAttributeAsKey('name')
->arrayPrototype()
Expand Down
15 changes: 10 additions & 5 deletions src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@
use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
use Symfony\Component\Finder\Finder;
use Symfony\Component\Form\ChoiceList\Factory\CachingFactoryDecorator;
use Symfony\Component\Form\Extension\HtmlSanitizer\Type\TextTypeHtmlSanitizerExtension;
use Symfony\Component\Form\Form;
use Symfony\Component\Form\FormTypeExtensionInterface;
use Symfony\Component\Form\FormTypeGuesserInterface;
Expand Down Expand Up @@ -485,6 +486,9 @@ public function load(array $configs, ContainerBuilder $container)
$container->removeDefinition('form.type_extension.form.validator');
$container->removeDefinition('form.type_guesser.validator');
}
if (!$this->isConfigEnabled($container, $config['html_sanitizer']) || !class_exists(TextTypeHtmlSanitizerExtension::class)) {
$container->removeDefinition('form.type_extension.form.html_sanitizer');
}
} else {
$container->removeDefinition('console.command.form_debug');
}
Expand Down Expand Up @@ -2740,13 +2744,14 @@ private function registerHtmlSanitizerConfiguration(array $config, ContainerBuil

// Create the sanitizer and link its config
$sanitizerId = 'html_sanitizer.sanitizer.'.$sanitizerName;
$container->register($sanitizerId, HtmlSanitizer::class)->addArgument(new Reference($configId));
$container->register($sanitizerId, HtmlSanitizer::class)
->addTag('html_sanitizer', ['sanitizer' => $sanitizerName])
->addArgument(new Reference($configId));

$container->registerAliasForArgument($sanitizerId, HtmlSanitizerInterface::class, $sanitizerName);
if ('default' !== $sanitizerName) {
$container->registerAliasForArgument($sanitizerId, HtmlSanitizerInterface::class, $sanitizerName);
}
}

$default = $config['default'] ? 'html_sanitizer.sanitizer.'.$config['default'] : 'html_sanitizer';
$container->setAlias(HtmlSanitizerInterface::class, new Reference($default));
}

private function resolveTrustedHeaders(array $headers): int
Expand Down
6 changes: 6 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/Resources/config/form.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,10 @@
use Symfony\Component\Form\Extension\Core\Type\FileType;
use Symfony\Component\Form\Extension\Core\Type\FormType;
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\Extension\Core\Type\TransformationFailureExtension;
use Symfony\Component\Form\Extension\DependencyInjection\DependencyInjectionExtension;
use Symfony\Component\Form\Extension\HtmlSanitizer\Type\TextTypeHtmlSanitizerExtension;
use Symfony\Component\Form\Extension\HttpFoundation\HttpFoundationRequestHandler;
use Symfony\Component\Form\Extension\HttpFoundation\Type\FormTypeHttpFoundationExtension;
use Symfony\Component\Form\Extension\Validator\Type\FormTypeValidatorExtension;
Expand Down Expand Up @@ -113,6 +115,10 @@
->args([service('translator')->ignoreOnInvalid()])
->tag('form.type_extension', ['extended-type' => FormType::class])

->set('form.type_extension.form.html_sanitizer', TextTypeHtmlSanitizerExtension::class)
->args([tagged_locator('html_sanitizer', 'sanitizer')])
->tag('form.type_extension', ['extended-type' => TextType::class])

->set('form.type_extension.form.http_foundation', FormTypeHttpFoundationExtension::class)
->args([service('form.type_extension.form.request_handler')])
->tag('form.type_extension')
Expand Down
9 changes: 7 additions & 2 deletions src/Symfony/Bundle/FrameworkBundle/Resources/config/html_sanitizer.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,13 +13,18 @@

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;

return static function (ContainerConfigurator $container) {
$container->services()
->set('html_sanitizer.config', HtmlSanitizerConfig::class)
->set('html_sanitizer.config.default', HtmlSanitizerConfig::class)
->call('allowSafeElements')

->set('html_sanitizer', HtmlSanitizer::class)
->set('html_sanitizer.sanitizer.default', HtmlSanitizer::class)
->args([service('html_sanitizer.config')])
->tag('html_sanitizer', ['name' => 'default'])

->alias('html_sanitizer', 'html_sanitizer.sanitizer.default')
->alias(HtmlSanitizerInterface::class, 'html_sanitizer')
;
};
1 change: 0 additions & 1 deletion src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -826,7 +826,6 @@
<xsd:element name="sanitizer" type="sanitizer" minOccurs="0" maxOccurs="unbounded" />
</xsd:sequence>
<xsd:attribute name="enabled" type="xsd:boolean" />
<xsd:attribute name="default" type="xsd:string" />
</xsd:complexType>

<xsd:complexType name="sanitizer">
Expand Down
1 change: 0 additions & 1 deletion src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/ConfigurationTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -652,7 +652,6 @@ class_exists(SemaphoreStore::class) && SemaphoreStore::isSupported() ? 'semaphor
],
'html_sanitizer' => [
'enabled' => !class_exists(FullStack::class) && class_exists(HtmlSanitizer::class),
'default' => null,
'sanitizers' => [],
],
'exceptions' => [],
Expand Down
3 changes: 1 addition & 2 deletions src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,8 @@
$container->loadFromExtension('framework', [
'http_method_override' => false,
'html_sanitizer' => [
'default' => 'my.sanitizer',
'sanitizers' => [
'my.sanitizer' => [
'default' => [
'allow_safe_elements' => true,
'allow_all_static_elements' => true,
'allow_elements' => [
Expand Down
4 changes: 2 additions & 2 deletions src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">

<config xmlns="http://symfony.com/schema/dic/symfony" http-method-override="false">
<html-sanitizer default="my.sanitizer">
<sanitizer name="my.sanitizer"
<html-sanitizer>
<sanitizer name="default"
allow-safe-elements="true"
allow-all-static-elements="true"
force-https-urls="true"
Expand Down
3 changes: 1 addition & 2 deletions src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/html_sanitizer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,8 @@
framework:
http_method_override: false
html_sanitizer:
default: my.sanitizer
sanitizers:
my.sanitizer:
default:
allow_safe_elements: true
allow_all_static_elements: true
allow_elements:
Expand Down
37 changes: 13 additions & 24 deletions src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2030,27 +2030,16 @@ public function testHtmlSanitizer()
$container = $this->createContainerFromFile('html_sanitizer');

// html_sanitizer service
$this->assertTrue($container->hasDefinition('html_sanitizer'), '->registerHtmlSanitizerConfiguration() loads html_sanitizer.php');
$this->assertSame(HtmlSanitizer::class, $container->getDefinition('html_sanitizer')->getClass());
$this->assertCount(1, $args = $container->getDefinition('html_sanitizer')->getArguments());
$this->assertSame('html_sanitizer.config', (string) $args[0]);

// html_sanitizer.config service
$this->assertTrue($container->hasDefinition('html_sanitizer.config'), '->registerHtmlSanitizerConfiguration() loads html_sanitizer.php');
$this->assertSame(HtmlSanitizerConfig::class, $container->getDefinition('html_sanitizer.config')->getClass());
$this->assertCount(1, $calls = $container->getDefinition('html_sanitizer.config')->getMethodCalls());
$this->assertSame(['allowSafeElements', []], $calls[0]);

// my.sanitizer
$this->assertTrue($container->hasDefinition('html_sanitizer.sanitizer.my.sanitizer'), '->registerHtmlSanitizerConfiguration() loads custom sanitizer');
$this->assertSame(HtmlSanitizer::class, $container->getDefinition('html_sanitizer.sanitizer.my.sanitizer')->getClass());
$this->assertCount(1, $args = $container->getDefinition('html_sanitizer.sanitizer.my.sanitizer')->getArguments());
$this->assertSame('html_sanitizer.config.my.sanitizer', (string) $args[0]);

// my.sanitizer config
$this->assertTrue($container->hasDefinition('html_sanitizer.config.my.sanitizer'), '->registerHtmlSanitizerConfiguration() loads custom sanitizer');
$this->assertSame(HtmlSanitizerConfig::class, $container->getDefinition('html_sanitizer.config.my.sanitizer')->getClass());
$this->assertCount(23, $calls = $container->getDefinition('html_sanitizer.config.my.sanitizer')->getMethodCalls());
$this->assertTrue($container->hasAlias('html_sanitizer'), '->registerHtmlSanitizerConfiguration() loads html_sanitizer.php');
$this->assertSame('html_sanitizer.sanitizer.default', (string) $container->getAlias('html_sanitizer'));
$this->assertSame(HtmlSanitizer::class, $container->getDefinition('html_sanitizer.sanitizer.default')->getClass());
$this->assertCount(1, $args = $container->getDefinition('html_sanitizer.sanitizer.default')->getArguments());
$this->assertSame('html_sanitizer.config.default', (string) $args[0]);

// config
$this->assertTrue($container->hasDefinition('html_sanitizer.config.default'), '->registerHtmlSanitizerConfiguration() loads custom sanitizer');
$this->assertSame(HtmlSanitizerConfig::class, $container->getDefinition('html_sanitizer.config.default')->getClass());
$this->assertCount(23, $calls = $container->getDefinition('html_sanitizer.config.default')->getMethodCalls());
$this->assertSame(
[
['allowSafeElements', [], true],
Expand Down Expand Up @@ -2092,11 +2081,11 @@ static function ($call) {
);

// Named alias
$this->assertSame('html_sanitizer.sanitizer.my.sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class.' $mySanitizer'), '->registerHtmlSanitizerConfiguration() creates appropriate named alias');
$this->assertSame('html_sanitizer.sanitizer.all.sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class.' $allSanitizer'), '->registerHtmlSanitizerConfiguration() creates appropriate named alias');
$this->assertSame('html_sanitizer.sanitizer.all.sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class.' $allSanitizer'));
$this->assertFalse($container->hasAlias(HtmlSanitizerInterface::class.' $default'));

// Default alias
$this->assertSame('html_sanitizer.sanitizer.my.sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class), '->registerHtmlSanitizerConfiguration() creates appropriate default alias');
$this->assertSame('html_sanitizer', (string) $container->getAlias(HtmlSanitizerInterface::class));
}

protected function createContainer(array $data = [])
Expand Down
5 changes: 5 additions & 0 deletions src/Symfony/Bundle/TwigBundle/DependencyInjection/TwigExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
use Symfony\Component\DependencyInjection\Reference;
use Symfony\Component\Form\AbstractRendererEngine;
use Symfony\Component\Form\Form;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
use Symfony\Component\HttpKernel\DependencyInjection\Extension;
use Symfony\Component\Mailer\Mailer;
use Symfony\Component\Translation\Translator;
Expand Down Expand Up @@ -54,6 +55,10 @@ public function load(array $configs, ContainerBuilder $container)
$loader->load('console.php');
}

if (!$container::willBeAvailable('symfony/html-sanitizer', HtmlSanitizerInterface::class, ['symfony/twig-bundle'])) {
$container->removeDefinition('twig.extension.htmlsanitizer');
}

if ($container::willBeAvailable('symfony/mailer', Mailer::class, ['symfony/twig-bundle'])) {
$loader->load('mailer.php');
}
Expand Down
4 changes: 4 additions & 0 deletions src/Symfony/Bundle/TwigBundle/Resources/config/twig.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
use Symfony\Bridge\Twig\Extension\AssetExtension;
use Symfony\Bridge\Twig\Extension\CodeExtension;
use Symfony\Bridge\Twig\Extension\ExpressionExtension;
use Symfony\Bridge\Twig\Extension\HtmlSanitizerExtension;
use Symfony\Bridge\Twig\Extension\HttpFoundationExtension;
use Symfony\Bridge\Twig\Extension\HttpKernelExtension;
use Symfony\Bridge\Twig\Extension\HttpKernelRuntime;
Expand Down Expand Up @@ -118,6 +119,9 @@

->set('twig.extension.expression', ExpressionExtension::class)

->set('twig.extension.htmlsanitizer', HtmlSanitizerExtension::class)
->args([tagged_locator('html_sanitizer', 'sanitizer')])

->set('twig.extension.httpkernel', HttpKernelExtension::class)

->set('twig.runtime.httpkernel', HttpKernelRuntime::class)
Expand Down
Loading