Skip to content

[HtmlSanitizer] Add blockBodyElements that will block all known elements by default. #49920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: 7.3
Choose a base branch
from
Open

[HtmlSanitizer] Add blockBodyElements that will block all known elements by default. #49920

wants to merge 1 commit into from

Conversation

Neirda24
Copy link
Contributor

@Neirda24 Neirda24 commented Apr 4, 2023

Q A
Branch? 6.3
Bug fix? no
New feature? yes
Deprecations? no
Tickets Fix #48358
License MIT
Doc PR TBD

Add a way to block all body elements. Currently without any setup, the purge mode is the default.
Without the framework :

$config = (new HtmlSanitizerConfig())
    ->blockBodyElements()
;

With the framework :

framework:
    html_sanitizer:
        sanitizers:
            default:
               block_body_elements: true

@carsonbot carsonbot added this to the 6.3 milestone Apr 4, 2023
@Neirda24 Neirda24 mentioned this pull request Apr 4, 2023
Closed
@nicolas-grekas nicolas-grekas requested a review from tgalopin April 4, 2023 07:00
stof
stof reviewed Apr 4, 2023
View reviewed changes
src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
@@ -2931,6 +2931,10 @@ private function registerHtmlSanitizerConfiguration(array $config, ContainerBuil
$def->addMethodCall('allowStaticElements', [], true);
}

if ($sanitizerConfig['block_body_elements']) {
$def->addMethodCall('blockBodyElements', [], true);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't this be done before the calls to allow safe or static elements, in case both are enabled ?

@nicolas-grekas nicolas-grekas modified the milestones: 6.3, 6.4 May 23, 2023
@fabpot
Copy link
Member

fabpot commented Oct 6, 2023

@Neirda24 Any feedback?

@Neirda24
Copy link
Contributor Author

Neirda24 commented Oct 6, 2023

hey. Sorry forgot about this one. I'll get back on it as soon as I'm done with the feature flag one.

@nicolas-grekas nicolas-grekas modified the milestones: 6.4, 7.1 Nov 15, 2023
@xabbuh xabbuh modified the milestones: 7.1, 7.2 May 15, 2024
@Seldaek Seldaek mentioned this pull request Jun 14, 2024
Merged
fabpot added a commit that referenced this pull request Jun 29, 2024
@fabpot
feature #57399 [HtmlSanitizer] Add support for configuring the defaul…
98f511e 
…t action (Seldaek)

This PR was merged into the 7.2 branch.

Discussion
----------

[HtmlSanitizer] Add support for configuring the default action

| Q             | A
| ------------- | ---
| Branch?       | 7.2
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        | Fix #48358
| License       | MIT

The default action can be set to block or allow unconfigured elements instead of dropping them

Kinda replaces #49920 but it would need some work on the configuration handling side to allow configuring default actions. I am just using this as a library so I am not so keen on doing that part sorry but maybe `@Neirda24` might want to take care of it if this PR gets accepted.

Commits
-------

4fd1c4c [HtmlSanitizer] Add support for configuring the default action to block or allow unconfigured elements instead of dropping them
@fabpot fabpot modified the milestones: 7.2, 7.3 Nov 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stof stof stof left review comments

@tgalopin tgalopin Awaiting requested review from tgalopin

Assignees
No one assigned
Labels
Feature HtmlSanitizer Status: Needs Review
Projects
None yet
Milestone
7.3
Development

Successfully merging this pull request may close these issues.

[HtmlSanitizer] Add a blockAll helper
6 participants
@Neirda24 @fabpot @stof @nicolas-grekas @xabbuh @carsonbot