From e98a90fe1e2e4d3f8961138689a14504848f4983 Mon Sep 17 00:00:00 2001
From: Jonny Barnes
Date: Thu, 2 Jun 2022 09:40:34 +0100
Subject: [PATCH] =?UTF-8?q?Switch=20to=20Symfony=E2=80=99s=20HTML=20Saniti?=
 =?UTF-8?q?zer=20package?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/Providers/AppServiceProvider.php | 11 ++
 app/Traits/FilterHtml.php | 14 +-
 composer.json | 4 +-
 composer.lock | 271 +++++++++++++++++++--------
 4 files changed, 212 insertions(+), 88 deletions(-)
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index 1de324c9..cfcba9ef 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -15,6 +15,8 @@ use Lcobucci\JWT\Configuration;
 use Lcobucci\JWT\Signer\Hmac\Sha256;
 use Lcobucci\JWT\Signer\Key\InMemory;
 use Lcobucci\JWT\Validation\Constraint\SignedWith;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
 class AppServiceProvider extends ServiceProvider
 {
@@ -91,6 +93,15 @@ class AppServiceProvider extends ServiceProvider
 return $config;
 });
+
+ // Configure HtmlSanitizer
+ $this->app->bind(HtmlSanitizer::class, function () {
+ return new HtmlSanitizer(
+ (new HtmlSanitizerConfig())
+ ->allowSafeElements()
+ ->forceAttribute('a', 'rel', 'noopener nofollow')
+ );
+ });
 }
 /**
diff --git a/app/Traits/FilterHtml.php b/app/Traits/FilterHtml.php
index 1a2951c2..b077dde7 100644
--- a/app/Traits/FilterHtml.php
+++ b/app/Traits/FilterHtml.php
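Review bot: The `HtmlSanitizerConfig` built inside the `$this->app->bind(HtmlSanitizer::class, …)` closure leaves the component's input-length cap at its default, and the sanitizer truncates input beyond that cap silently rather than rejecting it; if I read the 6.1 component right the default is 20000 characters and is changed with `->withMaxInputLength(/* chosen limit */)`, so it is worth setting explicitly, or enforcing a length upstream, for any content that can be long. Because the sanitizer is fully configured at construction and holds no per-request state, `$this->app->singleton(HtmlSanitizer::class, function () {` would avoid rebuilding the config on every resolution; a style point rather than a defect. `forceAttribute('a', 'rel', 'noopener nofollow')` is a sensible default; whether `noreferrer` belongs there too depends on how much referrer leakage to linked hosts the site accepts, which this hunk does not show. The enclosing method starts before this hunk.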
@@ -4,21 +4,13 @@ declare(strict_types=1);
 namespace App\Traits;
-use HtmlSanitizer\Sanitizer;
+use Illuminate\Support\Facades\App;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
 trait FilterHtml
 {
 public function filterHtml(string $html): string
 {
- return Sanitizer::create([
- 'extensions' => [
- 'basic',
- 'code',
- 'image',
- 'list',
- 'table',
- 'extra',
- ],
- ])->sanitize($html);
+ return App::make(HtmlSanitizer::class)->sanitize($html);
 }
 }
diff --git a/composer.json b/composer.json
index d8544add..623bfdd0 100644
--- a/composer.json
+++ b/composer.json
@@ -10,9 +10,9 @@
 "license": "CC0-1.0",
 "require": {
 "php": "^8.0",
+ "ext-dom": "*",
 "ext-intl": "*",
 "ext-json": "*",
- "ext-dom": "*",
 "cviebrock/eloquent-sluggable": "^9.0",
 "fruitcake/laravel-cors": "^2.0",
 "guzzlehttp/guzzle": "^7.0.1",
@@ -31,7 +31,7 @@
 "predis/predis": "~1.0",
 "spatie/browsershot": "~3.0",
 "spatie/commonmark-highlighter": "^3.0",
- "tgalopin/html-sanitizer": "^1.1"
+ "symfony/html-sanitizer": "^6.1"
 },
 "require-dev": {
 "barryvdh/laravel-debugbar": "^3.0",
diff --git a/composer.lock b/composer.lock
index 1782e503..9ef6b05b 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "55bc26fbd6415b029f9d6ebaa19f6bd5",
+ "content-hash": "076c4cf5d0f658b12cb4c27452335b4b",
 "packages": [
 {
 "name": "asm89/stack-cors",
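Review bot: The replacement `return App::make(HtmlSanitizer::class)->sanitize($html);` changes the allowed-element set from the old explicit extension list (`basic`, `code`, `image`, `list`, `table`, `extra`) to whatever `allowSafeElements()` permits, and the commit carries no test pinning which of those elements still survive; a small fixture with a code block, an image, a list and a table run through `filterHtml()` would make the behaviour change visible instead of implicit. The method also lost its only hint of what it does now that the configuration lives elsewhere; a docblock such as `/** Sanitize untrusted HTML using the HtmlSanitizer bound in AppServiceProvider. */` above `public function filterHtml` would help the next reader. Resolving through the `App` facade on every call works, though `resolve(HtmlSanitizer::class)` would read the same without the facade import.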
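Review bot: The `require` block around both composer.json hunks still declares `"php": "^8.0"` while the newly required `symfony/html-sanitizer` v6.1.0 needs `php >=8.1` (its lock entry later in this patch shows that constraint), so the project's stated platform is looser than what can actually install; tighten it to `"php": "^8.1",` and update the matching `platform` entry in `composer.lock`. The move of `ext-dom` within the list is cosmetic.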
@@ -2841,43 +2841,51 @@ "time": "2022-04-17T13:12:02+00:00" }, { - "name": "league/uri-parser", - "version": "1.4.1", + "name": "league/uri", + "version": "6.6.0", "source": { "type": "git", - "url": "https://github.com/thephpleague/uri-parser.git", - "reference": "671548427e4c932352d9b9279fdfa345bf63fa00" + "url": "https://github.com/thephpleague/uri.git", + "reference": "4147f19b9de3b5af6a258f35d7a0efbbf9963298" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/thephpleague/uri-parser/zipball/671548427e4c932352d9b9279fdfa345bf63fa00", - "reference": "671548427e4c932352d9b9279fdfa345bf63fa00", + "url": "https://api.github.com/repos/thephpleague/uri/zipball/4147f19b9de3b5af6a258f35d7a0efbbf9963298", + "reference": "4147f19b9de3b5af6a258f35d7a0efbbf9963298", "shasum": "" }, "require": { - "php": ">=7.0.0" + "ext-json": "*", + "league/uri-interfaces": "^2.3", + "php": "^7.4 || ^8.0", + "psr/http-message": "^1.0" + }, + "conflict": { + "league/uri-schemes": "^1.0" }, "require-dev": { - "friendsofphp/php-cs-fixer": "^2.0", - "phpstan/phpstan": "^0.9.2", - "phpstan/phpstan-phpunit": "^0.9.4", - "phpstan/phpstan-strict-rules": "^0.9.0", - "phpunit/phpunit": "^6.0" + "friendsofphp/php-cs-fixer": "^v3.3.2", + "php-http/psr7-integration-tests": "^1.1", + "phpstan/phpstan": "^1.2.0", + "phpstan/phpstan-deprecation-rules": "^1.0", + "phpstan/phpstan-phpunit": "^1.0.0", + "phpstan/phpstan-strict-rules": "^1.1.0", + "phpunit/phpunit": "^9.5.10", + "psr/http-factory": "^1.0" }, "suggest": { - "ext-intl": "Allow parsing RFC3987 compliant hosts", - "league/uri-schemes": "Allow validating and normalizing URI parsing results" + "ext-fileinfo": "Needed to create Data URI from a filepath", + "ext-intl": "Needed to improve host validation", + "league/uri-components": "Needed to easily manipulate URI objects", + "psr/http-factory": "Needed to use the URI factory" }, "type": "library", "extra": { "branch-alias": { - "dev-master": "1.x-dev" + "dev-master": "6.x-dev" } }, 
"autoload": { - "files": [ - "src/functions_include.php" - ], "psr-4": { "League\\Uri\\": "src" } 
@@ -2893,21 +2901,113 @@ "homepage": "https://nyamsprod.com" } ], - "description": "userland URI parser RFC 3986 compliant", - "homepage": "https://github.com/thephpleague/uri-parser", + "description": "URI manipulation library", + "homepage": "https://uri.thephpleague.com", "keywords": [ + "data-uri", + "file-uri", + "ftp", + "hostname", + "http", + "https", + "middleware", + "parse_str", "parse_url", - "parser", + "psr-7", + "query-string", + "querystring", + "rfc3986", + "rfc3987", + "rfc6570", + "uri", + "uri-template", + "url", + "ws" + ], + "support": { + "docs": "https://uri.thephpleague.com", + "forum": "https://thephpleague.slack.com", + "issues": "https://github.com/thephpleague/uri/issues", + "source": "https://github.com/thephpleague/uri/tree/6.6.0" + }, + "funding": [ + { + "url": "https://github.com/sponsors/nyamsprod", + "type": "github" + } + ], + "time": "2022-05-28T05:44:35+00:00" + }, + { + "name": "league/uri-interfaces", + "version": "2.3.0", + "source": { + "type": "git", + "url": "https://github.com/thephpleague/uri-interfaces.git", + "reference": "00e7e2943f76d8cb50c7dfdc2f6dee356e15e383" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/thephpleague/uri-interfaces/zipball/00e7e2943f76d8cb50c7dfdc2f6dee356e15e383", + "reference": "00e7e2943f76d8cb50c7dfdc2f6dee356e15e383", + "shasum": "" + }, + "require": { + "ext-json": "*", + "php": "^7.2 || ^8.0" + }, + "require-dev": { + "friendsofphp/php-cs-fixer": "^2.19", + "phpstan/phpstan": "^0.12.90", + "phpstan/phpstan-phpunit": "^0.12.19", + "phpstan/phpstan-strict-rules": "^0.12.9", + "phpunit/phpunit": "^8.5.15 || ^9.5" + }, + "suggest": { + "ext-intl": "to use the IDNA feature", + "symfony/intl": "to use the IDNA feature via Symfony Polyfill" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.x-dev" + } + }, + "autoload": { + "psr-4": { + "League\\Uri\\": "src/" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + 
"MIT" + ], + "authors": [ + { + "name": "Ignace Nyamagana Butera", + "email": "nyamsprod@gmail.com", + "homepage": "https://nyamsprod.com" + } + ], + "description": "Common interface for URI representation", + "homepage": "http://github.com/thephpleague/uri-interfaces", + "keywords": [ "rfc3986", "rfc3987", "uri", "url" ], "support": { - "issues": "https://github.com/thephpleague/uri-parser/issues", - "source": "https://github.com/thephpleague/uri-parser/tree/master" + "issues": "https://github.com/thephpleague/uri-interfaces/issues", + "source": "https://github.com/thephpleague/uri-interfaces/tree/2.3.0" }, - "time": "2018-11-22T07:55:51+00:00" + "funding": [ + { + "url": "https://github.com/sponsors/nyamsprod", + "type": "github" + } + ], + "time": "2021-06-28T04:27:21+00:00" }, { "name": "masterminds/html5", 
@@ -5295,6 +5395,75 @@ ], "time": "2022-04-15T08:08:08+00:00" }, + { + "name": "symfony/html-sanitizer", + "version": "v6.1.0", + "source": { + "type": "git", + "url": "https://github.com/symfony/html-sanitizer.git", + "reference": "28d19124099e860ef52da06ae251e37738b750fe" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/html-sanitizer/zipball/28d19124099e860ef52da06ae251e37738b750fe", + "reference": "28d19124099e860ef52da06ae251e37738b750fe", + "shasum": "" + }, + "require": { + "ext-dom": "*", + "league/uri": "^6.5", + "masterminds/html5": "^2.7.2", + "php": ">=8.1" + }, + "type": "library", + "autoload": { + "psr-4": { + "Symfony\\Component\\HtmlSanitizer\\": "" + }, + "exclude-from-classmap": [ + "/Tests/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Titouan Galopin", + "email": "galopintitouan@gmail.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.", + "homepage": "https://symfony.com", + "keywords": [ + "Purifier", + "html", + "sanitizer" + ], + "support": { + "source": "https://github.com/symfony/html-sanitizer/tree/v6.1.0" + }, + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2022-05-06T15:18:34+00:00" + }, { "name": "symfony/http-foundation", "version": "v6.1.0", 
@@ -6871,54 +7040,6 @@ ], "time": "2022-05-21T13:34:40+00:00" }, - { - "name": "tgalopin/html-sanitizer", - "version": "1.5.0", - "source": { - "type": "git", - "url": "https://github.com/tgalopin/html-sanitizer.git", - "reference": "5d02dcb6f2ea4f505731eac440798caa1b3b0913" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/tgalopin/html-sanitizer/zipball/5d02dcb6f2ea4f505731eac440798caa1b3b0913", - "reference": "5d02dcb6f2ea4f505731eac440798caa1b3b0913", - "shasum": "" - }, - "require": { - "ext-dom": "*", - "league/uri-parser": "^1.4.1", - "masterminds/html5": "^2.4", - "php": ">=7.1", - "psr/log": "^1.0|^2.0|^3.0" - }, - "require-dev": { - "phpunit/phpunit": "^7.4", - "symfony/var-dumper": "^4.1" - }, - "type": "library", - "autoload": { - "psr-4": { - "HtmlSanitizer\\": "src" - } - }, - "notification-url": "https://packagist.org/downloads/", - "license": [ - "MIT" - ], - "authors": [ - { - "name": "Titouan Galopin", - "email": "galopintitouan@gmail.com" - } - ], - "description": "Sanitize untrustworthy HTML user input", - "support": { - "issues": "https://github.com/tgalopin/html-sanitizer/issues", - "source": "https://github.com/tgalopin/html-sanitizer/tree/1.5.0" - }, - "time": "2021-09-14T08:27:50+00:00" - }, { "name": "tijsverkoyen/css-to-inline-styles", "version": "2.2.4", @@ -12216,9 +12337,9 @@ "prefer-lowest": false, "platform": { "php": "^8.0", + "ext-dom": "*", "ext-intl": "*", - "ext-json": "*", - "ext-dom": "*" + "ext-json": "*" }, "platform-dev": [], "plugin-api-version": "2.3.0"