[HtmlSanitizer] Use the native HTML5 parser when using PHP 8.4+ #61366
+217
−97
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
48dda59 to
117bdf9
Compare
nicolas-grekas
commented
Aug 8, 2025
117bdf9 to
743f812
Compare
GromNaN
reviewed
Aug 11, 2025
GromNaN
reviewed
Aug 11, 2025
324d9b6 to
3383879
Compare
GromNaN
reviewed
Aug 12, 2025
98b6dab to
1c40c66
Compare
GromNaN
approved these changes
Aug 12, 2025
1c40c66 to
bf602fc
Compare
bf602fc to
d0f98ad
Compare
nicolas-grekas
added a commit
that referenced
this pull request
Aug 12, 2025
…ext arg to ParserInterface::parse() (nicolas-grekas) This PR was merged into the 8.0 branch. Discussion ---------- [HtmlSanitizer] Remove MastermindsParser and add $context arg to ParserInterface::parse() | Q | A | ------------- | --- | Branch? | 8.0 | Bug fix? | no | New feature? | yes | Deprecations? | no | Issues | - | License | MIT Follows #61366 Commits ------- b291f58 [HtmlSanitizer] Remove MastermindsParser and add $context arg to ParserInterface::parse()
xabbuh
reviewed
Aug 13, 2025
| // Remove NULL character | ||
| $input = str_replace(\chr(0), '', $input); | ||
| // Remove NULL character and HTML entities for null byte | ||
| $input = str_replace([\chr(0), '�', '�', '�', '�'], '�', $input); |
There was a problem hiding this comment.
$input = str_replace([\chr(0), '�', '�', '�', '�'], '', $input);Why not like this?
There was a problem hiding this comment.
The native parser already turns variants of � into �. We cannot really hook there. I think this is what the spec says to do.
Also: removing characters is a know vector for attacks, because it breaks content scanners.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Together with #61356, this PR allows removing any dependency on masterminds/html5 in favor of the native HTML5 capabilities of PHP 8.4 on Symfony 8
In order to do so, this we:
MastermindsParser; useNativeParserinsteadParserInterface::parse()can now return\Dom\Node|\DOMNode|nullinstead of just\DOMNode|null$contexttoParserInterface::parse()Note that
DomVisitoris internal so no BC breaks there.And
StringSanitizer::htmlLower()can leveragestrtolower()since PHP 8.2 thanks to https://wiki.php.net/rfc/strtolower-ascii