Skip to content

[HtmlSanitizer] Add blockBodyElements that will block all known elements by default. #49920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: 7.3
Choose a base branch
from
Open

[HtmlSanitizer] Add blockBodyElements that will block all known elements by default. #49920

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2271,6 +2271,10 @@ private function addHtmlSanitizerSection(ArrayNodeDefinition $rootNode, callable
->info('Allows all static elements and attributes from the W3C Sanitizer API standard.')
->defaultFalse()
->end()
->booleanNode('block_body_elements')
->info('Blocks all static body elements and remove attributes.')
->defaultFalse()
->end()
->arrayNode('allow_elements')
->info('Configures the elements that the sanitizer should retain from the input. The element name is the key, the value is either a list of allowed attributes for this element or "*" to allow the default set of attributes (https://wicg.github.io/sanitizer-api/#default-configuration).')
->example(['i' => '*', 'a' => ['title'], 'span' => 'class'])
Expand Down
4 changes: 4 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/DependencyInjection/FrameworkExtension.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2931,6 +2931,10 @@ private function registerHtmlSanitizerConfiguration(array $config, ContainerBuil
$def->addMethodCall('allowStaticElements', [], true);
}

if ($sanitizerConfig['block_body_elements']) {
$def->addMethodCall('blockBodyElements', [], true);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't this be done before the calls to allow safe or static elements, in case both are enabled ?

}

// Configures elements
foreach ($sanitizerConfig['allow_elements'] as $element => $attributes) {
$def->addMethodCall('allowElement', [$element, $attributes], true);
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/php/html_sanitizer.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
'html_sanitizer' => [
'sanitizers' => [
'custom' => [
'block_body_elements' => true,
'allow_safe_elements' => true,
'allow_static_elements' => true,
'allow_elements' => [
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/xml/html_sanitizer.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
<config xmlns="http://symfony.com/schema/dic/symfony" http-method-override="false">
<html-sanitizer>
<sanitizer name="custom"
block-body-elements="true"
allow-safe-elements="true"
allow-static-elements="true"
force-https-urls="true"
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/Fixtures/yml/html_sanitizer.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ framework:
html_sanitizer:
sanitizers:
custom:
block_body_elements: true
allow_safe_elements: true
allow_static_elements: true
allow_elements:
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Bundle/FrameworkBundle/Tests/DependencyInjection/FrameworkExtensionTestCase.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2175,6 +2175,7 @@ public function testHtmlSanitizer()
[
['allowSafeElements', [], true],
['allowStaticElements', [], true],
['blockBodyElements', [], true],
['allowElement', ['iframe', 'src'], true],
['allowElement', ['custom-tag', ['data-attr', 'data-attr-1']], true],
['allowElement', ['custom-tag-2', '*'], true],
Expand Down
17 changes: 17 additions & 0 deletions src/Symfony/Component/HtmlSanitizer/HtmlSanitizerConfig.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,23 @@ public function allowSafeElements(): static
return $clone;
}

/**
* Blocks all static body elements and remove attributes.
*
* All scripts will be removed.
*/
public function blockBodyElements(): static
{
$elements = array_keys(W3CReference::BODY_ELEMENTS);

$clone = clone $this;
foreach ($elements as $element) {
$clone = $clone->blockElement($element, '*');
}

return $clone;
}

/**
* Allows only a given list of schemes to be used in links href attributes.
*
Expand Down
4 changes: 4 additions & 0 deletions src/Symfony/Component/HtmlSanitizer/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,10 @@ use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
// By default, an element not added to the allowed or blocked elements
// will be dropped, including its children
$config = (new HtmlSanitizerConfig())
// Blocks all static body elements and remove attributes.
// All scripts will be removed.
->blockBodyElements()

// Allow "safe" elements and attributes. All scripts will be removed
// as well as other dangerous behaviors like CSS injection
->allowSafeElements()
Expand Down
12 changes: 12 additions & 0 deletions src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -393,6 +393,18 @@ public function testAllowMediasRelative()
);
}

public function testBlockBodyElements()
{
$config = (new HtmlSanitizerConfig())
->blockBodyElements()
;

$this->assertSame(
'If you need help : Visit Symfony',
$this->sanitize($config, '<head><title>Hello World</title></head><body><p><span class="red" data-info="info">If you need help : </span><a href="https://symfony.com"/>Visit Symfony</a></p><script>prompt("test");</script></body>')
);
}

public function testCustomAttributeSanitizer()
{
$config = (new HtmlSanitizerConfig())
Expand Down