From 52fcd16c41ea9abb08db63b4115ff86c2be8f26d Mon Sep 17 00:00:00 2001 From: Nate Wiebe Date: Thu, 22 Dec 2022 12:01:29 -0500 Subject: [PATCH 1/2] Replate abandoned html sanitizer with symfony component --- Service/MarkdownParser.php | 45 +++++++------------------------------- composer.json | 4 ++-- 2 files changed, 10 insertions(+), 39 deletions(-) diff --git a/Service/MarkdownParser.php b/Service/MarkdownParser.php index 8d7533e..bdc3063 100644 --- a/Service/MarkdownParser.php +++ b/Service/MarkdownParser.php 
@@ -2,52 +2,23 @@ namespace Northern\MarkdownBundle\Service; -use HtmlSanitizer\Sanitizer; -use HtmlSanitizer\SanitizerInterface; +use Symfony\Component\HtmlSanitizer\HtmlSanitizer; +use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig; class MarkdownParser implements MarkdownParserInterface { private \Parsedown $parsedown; - private SanitizerInterface $sanitizer; + private HtmlSanitizer $sanitizer; public function __construct() { $this->parsedown = new \Parsedown(); - $this->sanitizer = Sanitizer::create( - [ - 'max_input_length' => 1000000, - 'extensions' => ['basic', 'list', 'table', 'image', 'code', 'extra'], - 'tags' => [ - 'a' => [ - 'allowed_schemes' => ['http', 'https', null], - 'allowed_attributes' => ['href', 'name', 'title'], - ], - 'code' => ['allowed_attributes' => ['class']], - 'em' => ['allowed_attributes' => ['class']], - 'th' => ['allowed_attributes' => ['style']], - 'td' => ['allowed_attributes' => ['style']], - 'h1' => [ - 'allowed_attributes' => ['id', 'name'], - ], - 'h2' => [ - 'allowed_attributes' => ['id', 'name'], - ], - 'h3' => [ - 'allowed_attributes' => ['id', 'name'], - ], - 'h4' => [ - 'allowed_attributes' => ['id', 'name'], - ], - 'h5' => [ - 'allowed_attributes' => ['id', 'name'], - ], - 'h6' => [ - 'allowed_attributes' => ['id', 'name'], - ], - ], - ] - ); + + $sanitizerConfig = new HtmlSanitizerConfig(); + $sanitizerConfig = $sanitizerConfig->withMaxInputLength(1_000_000); + + $this->sanitizer = new HtmlSanitizer($sanitizerConfig); } public function convertMarkdownToHtml(string $markdown): string diff --git a/composer.json b/composer.json index f44fef0..7f3fe88 100644 --- a/composer.json +++ b/composer.json 
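Review bot: The rewritten constructor drops the old `a` configuration (`allowed_schemes` http, https and scheme-less, i.e. relative, URLs) without setting an equivalent on `HtmlSanitizerConfig`, so link policy silently falls back to the component's defaults. If I remember those defaults correctly they accept `http`, `https`, `mailto` and `tel` and reject relative hrefs, which is a widening on one side and a functional regression on the other (`[docs](/docs)` would lose its href); `javascript:` and `data:` links stay blocked either way. Making the policy explicit preserves the previous behaviour and survives future default changes: `$sanitizerConfig = $sanitizerConfig->allowLinkSchemes(['http', 'https'])->allowRelativeLinks();` (method names as I recall them; verify against the installed version). Consider also typing the property as `HtmlSanitizerInterface` rather than the concrete `HtmlSanitizer` so the sanitizer can be swapped or mocked. The rest of the class, including `convertMarkdownToHtml`, lies outside this hunk.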
@@ -3,13 +3,13 @@ "description": "Symfony bundle for including parsedown for converting markdown to html", "type": "symfony-bundle", "require": { - "php": ">=7.4", + "php": ">=8.1", "erusev/parsedown": "^1.7", "symfony/cache-contracts": "^2.0|^3.0", "symfony/config": "^5.4|^6.0", "symfony/dependency-injection": "^5.4|^6.0", "symfony/framework-bundle": "^5.4|^6.0", - "tgalopin/html-sanitizer": "^1.3", + "symfony/html-sanitizer": "^6.1", "twig/twig": "^2.12|^3.0" }, "autoload": { From 2f3ea74df6dcdce81f36b323060e17dd4a185dd1 Mon Sep 17 00:00:00 2001 From: Nate Wiebe Date: Thu, 22 Dec 2022 12:20:35 -0500 Subject: [PATCH 2/2] Configure sanitizer similarly to before --- Service/MarkdownParser.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Service/MarkdownParser.php b/Service/MarkdownParser.php index bdc3063..0b2c7df 100644 --- a/Service/MarkdownParser.php +++ b/Service/MarkdownParser.php @@ -17,6 +17,9 @@ public function __construct() $sanitizerConfig = new HtmlSanitizerConfig(); $sanitizerConfig = $sanitizerConfig->withMaxInputLength(1_000_000); + $sanitizerConfig = $sanitizerConfig->allowSafeElements(); + $sanitizerConfig = $sanitizerConfig->allowAttribute('class', '*'); + $sanitizerConfig = $sanitizerConfig->allowAttribute('style', '*'); $this->sanitizer = new HtmlSanitizer($sanitizerConfig); }
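Review bot: `allowAttribute('style', '*')` widens the old policy, which permitted `style` only on `th`/`td` (and `class` only on `code`/`em`), to every element `allowSafeElements()` admits, and the Symfony sanitizer does not validate CSS, so any markdown author can now attach arbitrary inline styles to any element — `position:fixed` overlays covering the host page, `background-image:url(...)` beacons, hidden text — and the output will also fail any CSP that lacks `style-src 'unsafe-inline'`. Wildcard `class` is milder but lets authors borrow the host application's own classes for UI spoofing. Restoring the previous scoping is two lines: `$sanitizerConfig = $sanitizerConfig->allowAttribute('class', ['code', 'em']);` and `$sanitizerConfig = $sanitizerConfig->allowAttribute('style', ['th', 'td']);`. Separately, the old config allowed `id`/`name` on `h1`–`h6` and `name`/`title` on `a`; whether `allowSafeElements()` keeps those (heading anchors depend on it) should be checked against the component's safe-attribute list rather than assumed.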