fix src removal from image tags with relative urls, add iframe tag to allowed list

This commit is contained in:
Ro 2022-01-07 15:45:35 -08:00
parent fdf2319783
commit b70308d990
5 changed files with 78 additions and 8360 deletions


@ -7,6 +7,11 @@ use League\CommonMark\Extension\FrontMatter\FrontMatterExtension;
use League\CommonMark\Extension\FrontMatter\Output\RenderedContentWithFrontMatter; use League\CommonMark\Extension\FrontMatter\Output\RenderedContentWithFrontMatter;
use League\CommonMark\MarkdownConverter; use League\CommonMark\MarkdownConverter;
use League\CommonMark\CommonMarkConverter; use League\CommonMark\CommonMarkConverter;
use HtmlSanitizer\Extension\Basic\BasicExtension;
use HtmlSanitizer\Extension\Iframe\IframeExtension;
use HtmlSanitizer\SanitizerBuilder;
use function _\orderBy; use function _\orderBy;
class Contents class Contents
@ -63,16 +68,35 @@ class Contents
->parse(file_get_contents($file)); ->parse(file_get_contents($file));
//never trust the front end. clean it up //never trust the front end. clean it up
$sanitizer = HtmlSanitizer\Sanitizer::create([
"extensions" => ["basic", "image", "list", "code"], $builder = new SanitizerBuilder();
$builder->registerExtension(new BasicExtension());
$builder->registerExtension(new IframeExtension());
//relative-a and relative-image
$builder->registerExtension(
new \HtmlSanitizer\Extension\Relative\A\AExtension()
);
$builder->registerExtension(
new \HtmlSanitizer\Extension\Relative\Image\ImageExtension()
);
$detergent = [
"extensions" => ["basic", "relative-a", "relative-image", "iframe"],
"tags" => [ "tags" => [
"div" => [
"allowed_attributes" => ["class", "title"],
],
"img" => [ "img" => [
"allowed_attributes" => ["src", "alt", "title", "class"], "allowed_attributes" => ["src", "alt", "title", "class"],
"allowed_hosts" => null, ],
"allow_relative_links" => true, "iframe" => [
"allowed_attributes" => ["height", "width", "title", "src"],
], ],
], ],
]); ];
$sanitizer = $builder->build($detergent);
$scrubbed = $sanitizer->sanitize($result->getContent()); $scrubbed = $sanitizer->sanitize($result->getContent());
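Review bot: The new `"extensions"` list drops the `"list"` and `"code"` extensions that the old config enabled, so `<ul>`/`<ol>`/`<li>` and `<pre>`/`<code>` produced by the Markdown converter will now be stripped by the allow-list sanitizer; unless that is intended, the line should read `"extensions" => ["basic", "list", "code", "relative-a", "relative-image", "iframe"],`. The new `"iframe"` entry allows `src` with no host restriction, which lets content embed any origin; the same `"allowed_hosts"` key the old `"img"` entry used applies here, e.g. `"allowed_hosts" => [/* placeholder: embed hosts you trust */],` under `"iframe"`. The two `Relative` extensions are instantiated with fully qualified names while `BasicExtension`/`IframeExtension` are imported in the first hunk; importing them too would keep the file consistent. The enclosing method starts and continues outside this hunk.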


@ -26,6 +26,7 @@
"tgalopin/html-sanitizer": "^1.4", "tgalopin/html-sanitizer": "^1.4",
"phpmailer/phpmailer": "^6.4", "phpmailer/phpmailer": "^6.4",
"league/commonmark": "^2.1", "league/commonmark": "^2.1",
"symfony/yaml": "^5.4" "symfony/yaml": "^5.4",
"olegatro/html-sanitizer-relative": "^1.0"
} }
} }
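Review bot: The added `olegatro/html-sanitizer-relative` package now supplies the `<a>` and `<img>` handling inside the sanitizer, so it sits directly on the content trust boundary, yet it is constrained only with `"^1.0"`, which admits any later 1.x on the next `composer update` without review. The lock resolves it to 1.0.0 from a single-author GitHub source; consider pinning that exact version (`"olegatro/html-sanitizer-relative": "1.0.0"`) and reviewing its URL handling before bumping it.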

composer.lock generated

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "aaecaa98ed680188418b8aff96553235", "content-hash": "cfedfb006726f5c6b4bac05285ccf5e8",
"packages": [ "packages": [
{ {
"name": "dflydev/dot-access-data", "name": "dflydev/dot-access-data",
@ -858,6 +858,48 @@
}, },
"time": "2018-02-13T20:26:39+00:00" "time": "2018-02-13T20:26:39+00:00"
}, },
{
"name": "olegatro/html-sanitizer-relative",
"version": "1.0.0",
"source": {
"type": "git",
"url": "https://github.com/olegatro/html-sanitizer-relative.git",
"reference": "1a4d4683c0c162653da6dcfe6050476dd8bfc026"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/olegatro/html-sanitizer-relative/zipball/1a4d4683c0c162653da6dcfe6050476dd8bfc026",
"reference": "1a4d4683c0c162653da6dcfe6050476dd8bfc026",
"shasum": ""
},
"require": {
"ext-dom": "*",
"php": ">=7.1",
"tgalopin/html-sanitizer": "^1.4"
},
"type": "library",
"autoload": {
"psr-4": {
"HtmlSanitizer\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Oleg Scherbakov",
"email": "shcherbakov.oleg88@gmail.com"
}
],
"description": "Extension for html-sanitizer library by allowing relative urls in the A and Image tags",
"support": {
"issues": "https://github.com/olegatro/html-sanitizer-relative/issues",
"source": "https://github.com/olegatro/html-sanitizer-relative/tree/1.0.0"
},
"time": "2021-02-05T13:39:44+00:00"
},
{ {
"name": "phpmailer/phpmailer", "name": "phpmailer/phpmailer",
"version": "v6.5.1", "version": "v6.5.1",


@ -31,7 +31,8 @@
"license": "UNLICENSED", "license": "UNLICENSED",
"author": "Are0h", "author": "Are0h",
"scripts": { "scripts": {
"watch": "sass --watch src/styles:public/assets/css & npx parcel watch src/com/Start.js --dist-dir public/assets/scripts --public-url /assets/scripts" "watch": "sass --watch src/styles:public/assets/css & npx parcel watch src/com/Start.js --dist-dir public/assets/scripts --public-url /assets/scripts",
"build": "sass src/styles:public/assets/css & npx parcel build src/com/Start.js --dist-dir public/assets/scripts --public-url /assets/scripts"
}, },
"description": "Front end script for the most chill blog framework ever.", "description": "Front end script for the most chill blog framework ever.",
"repository": "https://code.playvicio.us/Are0h/Fipamo" "repository": "https://code.playvicio.us/Are0h/Fipamo"
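Review bot: The new `"build"` script joins the two commands with `&`, so `sass` is backgrounded: the script exits as soon as `parcel build` finishes, possibly before the CSS is written, and a sass failure never affects the exit status. For `watch` that concurrency is the point, but a one-shot build should be sequential and fail-fast: `"build": "sass src/styles:public/assets/css && npx parcel build src/com/Start.js --dist-dir public/assets/scripts --public-url /assets/scripts"`.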
