[HtmlSanitizer] Add docs for the new HtmlSanitizer defaultAction config #20019

Open · wants to merge 1 commit into base: 7.2
74 changes: 74 additions & 0 deletions html_sanitizer.rst
Expand Up @@ -462,6 +462,80 @@
->dropElement('figure')
);

Default Action
~~~~~~~~~~~~~~

By default, unconfigured tags are dropped along with their children. If you would rather not lose all children elements by default, you can configure the default action to be ``Block``. Specific elements can still be dropped if needed.

.. code-block:: yaml

# config/packages/html_sanitizer.yaml
framework:
html_sanitizer:
sanitizers:
app.post_sanitizer:
# ...

# remove all tags by default, but process their children
default_action: 'block'
# remove <figure> and its children
drop_elements: ['figure']

Check failure on line 482 in html_sanitizer.rst (GitHub Actions / Code Blocks): [Cache Warmup] In ArrayNode.php line 304: Unrecognized option "default_action" under "framework.html_sanitizer.sanitizers.app.post_sanitizer". Available options are "allow_attributes", "allow_elements", "allow_relative_links", "allow_relative_medias", "allow_safe_elements", "allow_static_elements", "allowed_link_hosts", "allowed_link_schemes", "allowed_media_hosts", "allowed_media_schemes", "block_elements", "drop_attributes", "drop_elements", "force_attributes", "force_https_urls", "max_input_length", "with_attribute_sanitizers", "without_attribute_sanitizers".

.. code-block:: xml

<!-- config/packages/html_sanitizer.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:framework="http://symfony.com/schema/dic/symfony"
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd
http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">

<framework:config>
<framework:html-sanitizer>
<!-- remove all tags by default, but process their children -->
<framework:default-action>block</framework:default-action>

<!-- remove <figure> and its children -->
<framework:drop-element>figure</framework:drop-element>
</framework:html-sanitizer>
</framework:config>
</container>

.. code-block:: php

Check failure on line 506 in html_sanitizer.rst (GitHub Actions / Lint (DOCtor-RST)): Please do not use ".. code-block:: php", use "::" instead.

// config/packages/framework.php
use Symfony\Config\FrameworkConfig;

return static function (FrameworkConfig $framework): void {
$framework->htmlSanitizer()
->sanitizer('app.post_sanitizer')
// remove all tags by default, but process their children
->defaultAction('block')
// remove <figure> and its children
->dropElement('figure')
;
};

Check failure on line 519 in html_sanitizer.rst (GitHub Actions / Code Blocks): [Cache Warmup] 2024-07-03T09:36:51+00:00 [critical] Uncaught Error: Call to undefined method Symfony\Config\Framework\HtmlSanitizer\SanitizerConfig::defaultAction()

.. code-block:: php-standalone

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerAction;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

$postSanitizer = new HtmlSanitizer(
(new HtmlSanitizerConfig())
// remove all tags by default, but process their children
->defaultAction(HtmlSanitizerAction::Block)
// remove <figure> and its children
->dropElement('figure')
);

.. note::

Configuring a default action of ``Allow`` will allow all tags but they will not have any attributes. You probably should still disallow at least ``script`` tags if you want to do this, but generally speaking using an explicit allowlist is going to be much safer.

Allow Attributes
~~~~~~~~~~~~~~~~

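Review bot: both Code Blocks failures show that the option this section documents does not exist on the 7.2 config tree yet: the YAML example at line 482 is rejected with `Unrecognized option "default_action"` (the list of available options has `block_elements` and `drop_elements` but nothing for a default action), and the PHP example at line 519 dies with `Call to undefined method Symfony\Config\Framework\HtmlSanitizer\SanitizerConfig::defaultAction()`. This docs change can only pass CI once the framework change that adds `default_action` to the config tree and `defaultAction()` to the fluent `SanitizerConfig` has been merged into the same branch, so please link that component PR in the description, and add a `.. versionadded:: 7.2` directive under the "Default Action" heading stating that the option is new in 7.2. Two smaller points in the same hunk: the XML example places `<framework:default-action>` and `<framework:drop-element>` directly under `<framework:html-sanitizer>`, whereas the YAML and PHP examples scope both settings to the `app.post_sanitizer` sanitizer, so the three configurations are not equivalent and the XML one should be nested under the per-sanitizer element; and the DOCtor-RST failure at line 506 points at the bare `.. code-block:: php` directive, which suggests the YAML/XML/PHP/php-standalone variants should be wrapped in a single `.. configuration-block::` directive as the usual form for alternative formats of one configuration.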