relative URLs
Note: the Sanitizer does not allow relative URLs: they are always filtered out for security reasons.
Any chance to disable this setting?
Hi @alartigue, I created a temporary solution if you need it:
https://github.com/olegatro/html-sanitizer_local_uri
Hello @olegatro and @alartigue!
I think this could be a setting inside the A and Image extensions, something like 'allow_relative_links' => false. However, note that detecting a relative path is much more difficult than detecting a URL, which is why I didn't implement it to avoid security issues in the future.
If you are interested in providing a PR for this, I would be glad to give you a hand :) .
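To make the caveat above concrete, here is an added example (not code from html-sanitizer, from olegatro's extension, or from anyone in this thread) of the decision an `allow_relative_links` option has to make before a link value is passed to setAttribute. The class name `LinkFilter`, its method names and the default scheme list are assumptions made for this example; the option name is the one proposed above. The point it shows is that "relative" cannot be decided by "has no `http://` prefix": a `javascript:` value carries a scheme without a host, a scheme split by a tab is still a scheme to the browser, and `//host/path` has no scheme at all yet navigates off-site.

```php
<?php
// Added example, not code from tgalopin/html-sanitizer or from olegatro's
// extension: a standalone href/src filter showing what an `allow_relative_links`
// option (name taken from the thread, still hypothetical) has to decide before
// the value reaches setAttribute(). Class and method names are assumptions.
declare(strict_types=1);

final class LinkFilter
{
    /** @var string[] lower-cased schemes an absolute URL may use */
    private $allowedSchemes;
    /** @var bool the proposed allow_relative_links option */
    private $allowRelativeLinks;

    public function __construct(array $allowedSchemes = ['http', 'https'], bool $allowRelativeLinks = false)
    {
        $this->allowedSchemes = array_map('strtolower', $allowedSchemes);
        $this->allowRelativeLinks = $allowRelativeLinks;
    }

    /**
     * Returns the value to set on the attribute, or null to drop the attribute.
     */
    public function filter(string $url): ?string
    {
        // Browsers drop tab/newline inside a URL and leading/trailing control
        // characters, so "java\tscript:alert(1)" is javascript: to them. Remove
        // every control character and space (stricter than the WHATWG parser,
        // which is fine for a sanitizer), decide on the cleaned value, and
        // return the cleaned value so the browser sees what was checked.
        $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);
        if ($clean === null || $clean === '') {
            return null;
        }

        // RFC 3986 scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
        // A match means an absolute URL: keep it only if the scheme is allowed.
        // This is the check that rejects javascript:, data: and vbscript:.
        if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m) === 1) {
            return in_array(strtolower($m[1]), $this->allowedSchemes, true) ? $clean : null;
        }

        // No scheme is not the same as same-origin: "//evil.example/x" is a
        // network-path reference, and browsers also accept "\\" and "/\" as its
        // spelling. These look relative but leave the site, so reject them.
        if (preg_match('#^[/\\\\]{2}#', $clean) === 1) {
            return null;
        }

        // What is left is a genuine relative reference ("/path", "img.png",
        // "../up", "?q=1", "#top"): allowed only when the option is on.
        return $this->allowRelativeLinks ? $clean : null;
    }
}

// Constructed inputs (not from the thread) showing both option values side by side:
// [input, expected with allow_relative_links=false, expected with allow_relative_links=true]
$cases = [
    ['https://example.com/a',  'https://example.com/a', 'https://example.com/a'],
    ['/docs/index.html',       null, '/docs/index.html'],
    ['img.png',                null, 'img.png'],
    ['#section',               null, '#section'],
    ['javascript:alert(1)',    null, null],
    ["java\tscript:alert(1)",  null, null],
    [' JavaScript:alert(1)',   null, null],
    ['data:text/html,hi',      null, null],
    ['//evil.example/steal',   null, null],
    ['\\\\evil.example/steal', null, null],
];

$strict  = new LinkFilter(['http', 'https'], false);
$relaxed = new LinkFilter(['http', 'https'], true);

foreach ($cases as [$input, $expectStrict, $expectRelaxed]) {
    if ($strict->filter($input) !== $expectStrict || $relaxed->filter($input) !== $expectRelaxed) {
        throw new RuntimeException('unexpected result for ' . var_export($input, true));
    }
}
echo "all cases behaved as expected\n";
```

Two deliberate choices: the characters a browser would ignore are removed before the scheme check and the cleaned value is what gets returned, so the sanitizer and the browser agree on what the scheme is; and a reference such as `foo:bar` is treated as absolute (RFC 3986 expects `./foo:bar` for a relative path whose first segment contains a colon), which errs on the side of dropping a link rather than letting an unknown scheme through. Run it with `php link_filter.php`; it throws if any of the constructed cases misbehaves.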
Hello, I've implemented @olegatro's extension and it worked like a charm. Thanks a lot! @tgalopin, I'm not a security expert, I don't think I'm capable of writing this piece of code :(
@olegatro if you have a few minutes to create a Composer package for your work, it could be a nice way to let @alartigue use the feature easily perhaps :) ?
I'm glad you found a good solution for this!
Hi @tgalopin, I will try to send a PR in the near future.
Would it be the right solution to check the allow_relative_links setting here (before setAttribute)?
@tgalopin @olegatro I'd really be interested in seeing this effort resolved with a new config feature. I'm trying to use the sanitizer in my Symfony project, and having a config option allow_relative_links would be the best outcome for me.
For those wondering about integration of the fix by @olegatro (Thanks!), I made the following configurations in my Symfony 5 project to adopt the solution:

- Downloaded and copied the `Sanitizer` directory (see the GitHub page) to my `src` project directory.
- Added this line to the `composer.json` (tells the autoloader where to look for the `Sanitizer` namespace):

```json
"autoload": {
    "psr-4": {
        "App\\": "src/",
        "Sanitizer\\": "src/Sanitizer/"
    }
},
```

- Added these definitions to my `services.yaml`:

```yaml
# Read at: https://github.com/tgalopin/html-sanitizer-bundle#registering-an-extension
Sanitizer\Extension\A\AExtension:
    tags: [{ name: 'html_sanitizer.extension' }]
# Read at: https://github.com/tgalopin/html-sanitizer-bundle#registering-an-extension
Sanitizer\Extension\Image\ImageExtension:
    tags: [{ name: 'html_sanitizer.extension' }]
```

- In `config/packages/html_sanitizer.yaml` changed the config in this way:

```yaml
html_sanitizer:
    default_sanitizer: 'default'
    sanitizers:
        default:
            # Read https://github.com/tgalopin/html-sanitizer/blob/master/docs/1-getting-started.md#extensions
            # to learn more about which extensions you would like to enable.
            extensions:
                - 'basic'
                - 'list'
                - 'table'
                #- 'image'
                # - 'code'
                # - 'iframe'
                - 'extra'
                # https://github.com/tgalopin/html-sanitizer-bundle#registering-an-extension
                # https://github.com/olegatro/html-sanitizer_local_uri
                # See classes in src/Sanitizer/Extension directory
                - 'custom-a'
                - 'custom-image'
```
@voltel maybe next week
Hello. Has anyone else used this extension? I'm trying to get it running; I'm still a "rookie" at playing with these packages and extensions. I can't seem to get this to work, my guess is that autoload does not find the `Sanitizer` namespace. I've tried adding it manually to `composer.json`. I've tried putting the extension files in various places, nothing seems to work, my code fails when it reaches the

```php
$builder->registerExtension(new ImageExtension());
```

I don't use Symfony, I'm just in "basic" mode. Any help would be appreciated!!
@Phroggy78 Hi!
If you have a problem with https://github.com/olegatro/html-sanitizer_local_uri, write me an issue with your full code, including the use statements.
You can write the issue here: https://github.com/olegatro/html-sanitizer_local_uri
I think the problem is with your composer.json.
To better understand what might be the problem, join the chat room on Slack (https://phpchat.co/) and share the details of your problem there, including the composer.json "autoload" key. Mine is below. If you're placing your package under the "vendor" directory, your namespaces should be pointing to the vendor directory. I have `"Sanitizer\\": "src/Sanitizer/"` because I placed the downloaded folder under my src/Sanitizer directory. You should change it accordingly.

```json
"autoload": {
    "psr-4": {
        "App\\": "src/",
        "Sanitizer\\": "src/Sanitizer/"
    }
},
```
I tried the following:
- I placed the downloaded folder "Sanitizer" in "html_sanitizer"
- I modified the composer.json in html_sanitizer and added a line in autoload to point to the Sanitizer directory:

```json
{
    "name": "tgalopin/html-sanitizer",
    "description": "Sanitize untrustworthy HTML user input",
    "type": "library",
    "license": "MIT",
    "authors": [
        {
            "name": "Titouan Galopin",
            "email": "[email protected]"
        }
    ],
    "autoload": {
        "psr-4": {
            "HtmlSanitizer\\": "src",
            "Sanitizer\\": "Sanitizer"
        }
    },
    "autoload-dev": {
        "psr-4": {
            "Tests\\HtmlSanitizer\\": "tests"
        }
    },
    "require": {
        "php": ">=7.1",
        "ext-dom": "*",
        "league/uri-parser": "^1.4.1",
        "masterminds/html5": "^2.4",
        "psr/log": "^1.0"
    },
    "require-dev": {
        "phpunit/phpunit": "^7.4",
        "symfony/var-dumper": "^4.1"
    }
}
```

It still does not work. What am I doing wrong? Do I need a specific composer.json for the extension?
PhR
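A minimal wiring for the "basic" (non-Symfony) mode asked about in the post above, as an added example that is not code from the project or from anyone in this thread. It assumes olegatro's `Sanitizer` directory was copied to `<project>/src/Sanitizer` and that the project's own root `composer.json` maps the namespace (the `composer.json` inside `vendor/` is not what Composer generates the autoloader from, so editing it has no effect), followed by `composer dump-autoload`. The builder calls are the ones html-sanitizer's README documents; the extension class names and the `custom-a`/`custom-image` tag names are the ones given earlier in this thread.

```php
<?php
// Added example, not code from html-sanitizer or from this thread.
// Assumes olegatro's extension was copied to <project>/src/Sanitizer and that
// the project's ROOT composer.json maps it, after which `composer dump-autoload`
// was run:
//
//   "autoload": {
//       "psr-4": {
//           "Sanitizer\\": "src/Sanitizer/"
//       }
//   }
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use HtmlSanitizer\SanitizerBuilder;
use Sanitizer\Extension\A\AExtension;         // namespace as published in the thread
use Sanitizer\Extension\Image\ImageExtension;

// createDefault() registers the built-in extensions; the two custom ones are
// registered on top and then enabled by their tag names in the build() config,
// mirroring the Symfony configuration shown earlier in the thread.
$builder = SanitizerBuilder::createDefault();
$builder->registerExtension(new AExtension());
$builder->registerExtension(new ImageExtension());

$sanitizer = $builder->build([
    'extensions' => ['basic', 'custom-a', 'custom-image'],
]);

// Constructed input: a relative link, an absolute one, and one that must not survive.
$html = '<p><a href="/about">About</a> '
      . '<a href="https://example.com/">Example</a> '
      . '<a href="javascript:alert(1)">nope</a></p>';

echo $sanitizer->sanitize($html), PHP_EOL;
```

If the `use Sanitizer\...` lines still fail with a class-not-found error after `composer dump-autoload`, check `vendor/composer/autoload_psr4.php`: the `Sanitizer\` prefix must appear there, and it only will if the mapping is in the root `composer.json`.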
@olegatro Hi, is this feature in the stable release? Or is this package available via composer?
@S-DICKSON Hi.

> Hi, is this feature in the stable release?

Unfortunately no.

> Or is this package available via composer?

Unfortunately no.

Sorry about that. I hope that in the future I find some time to add this feature to this package or publish a separate composer project.
ping @tgalopin, @Phroggy78, @S-DICKSON, @voltel, @alartigue
Hi all.
A small announcement: I published a Composer version of the relative URLs extension: https://github.com/olegatro/html-sanitizer-relative
For those of you who used my old repository (https://github.com/olegatro/html-sanitizer_local_uri) and would like to migrate, read below.
The Composer version implements the same logic as the code in the old repository, with two differences:

1. Namespace

   before:
   - `Sanitizer\Extension\Image\ImageExtension`
   - `Sanitizer\Extension\A\AExtension`

   after:
   - `HtmlSanitizer\Extension\Relative\Image\ImageExtension`
   - `HtmlSanitizer\Extension\Relative\A\AExtension`

2. Tag names in the settings

   before:
   - `custom-a`
   - `custom-image`

   after:
   - `relative-a`
   - `relative-image`

Because the repositories have different namespaces and tag names, it will be easier to migrate from one version to the other.
Be aware: it is still a temporary solution. In the future I hope we find time to add this feature to the main repository.
@olegatro great work, thanks!
Would you be down to open a PR on this repo with the option?
@tgalopin
Yes, next week (I hope).
The code will be a little different and will include the iframe tag.
Awesome! You can also ping me at galopintitouan [at] gmail [dot] com if you want to chat about it before opening the PR, if you're not sure about certain things.
ping @tgalopin, what do you think?