Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[HtmlSanitizer] Some minor changes in the config API #44814

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 7, 2022
Merged

[HtmlSanitizer] Some minor changes in the config API #44814

merged 1 commit into from
Jan 7, 2022

Conversation

javiereguiluz
Copy link
Member

Q A
Branch? 6.1
Bug fix? no
New feature? no
Deprecations? no
Tickets -
License MIT
Doc PR -

First of all, thanks to @tgalopin for this superb contribution 馃檱

This PR makes 3 little changes:

(1) Fix two minor typos

(2) Rename allowAllStaticElements() as allowStaticElements() to be consistent with the rest of methods, which don't include the All word.

(3) A proposal to change this default value:

-public function allowElement(string $element, array|string $allowedAttributes = []): static
+public function allowElement(string $element, array|string $allowedAttributes = '*'): static

In my opinion, when you want to allow some element, most of the times you want to allow the standard attributes on them too. So, the following should allow <div> and their standard attributes:

->allowElement('div')

Forcing to write it as ->allowElement('div', '*') seems cumbersome. The previous behavior (forbid all attributes) would now be like this:

->allowElement('div', [])

@javiereguiluz javiereguiluz added this to the 6.1 milestone Dec 28, 2021
@tgalopin
Copy link
Contributor

tgalopin commented Dec 28, 2021
edited by nicolas-grekas
Loading

Thanks for 1!

I'm fine with 2, I included the "all" to clarify the fact that all elements would be added, meaning possibly CSS injection issues, clickjacking issues, ... If we think the new name is enough, I'm good with it, it's good to have shorter names.

For 3, I have more reserves. I do think the sanitizer shouldn't have behaviors where the default includes everything. Your proposal would for instance allow style attributes by default, which probably shouldn't happen. I think I'm -1 on this 3rd point.

@javiereguiluz
Copy link
Member Author

I've reverted all the changes related to (3). Thanks.

@tgalopin
Copy link
Contributor

tgalopin commented Jan 5, 2022

Could you update the README as well with the new method name?

@javiereguiluz
Copy link
Member Author

@tgalopin done! Sorry I forgot about this!

@fabpot fabpot force-pushed the tweak_html_sanitizer branch from f2cb841 to 84470ef Compare January 7, 2022 18:32
@fabpot
Copy link
Member

fabpot commented Jan 7, 2022

Thank you @javiereguiluz.

@fabpot fabpot merged commit 098ff62 into symfony:6.1 Jan 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@fancyweb fancyweb fancyweb approved these changes

Assignees
No one assigned
Labels
HtmlSanitizer Status: Reviewed
Projects
None yet
Milestone
6.1
Development

Successfully merging this pull request may close these issues.
5 participants
@javiereguiluz @tgalopin @fabpot @fancyweb @carsonbot
Morty Proxy This is a proxified and sanitized view of the page, visit original site.