Use HTML sanatizer to harden HTML rendering on log_details page

Should be safer than using |raw directly, and for these small things the performance hit is zero.
This commit is contained in:
Jan Böhmer 2026-06-10 23:43:07 +02:00
parent b357ee196c
commit 8421636b1c
4 changed files with 80 additions and 5 deletions


@ -70,6 +70,7 @@
"symfony/flex": "^v2.3.1",
"symfony/form": "7.4.*",
"symfony/framework-bundle": "7.4.*",
"symfony/html-sanitizer": "7.4.*",
"symfony/http-client": "7.4.*",
"symfony/http-kernel": "7.4.*",
"symfony/mailer": "7.4.*",

composer.lock generated

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "d6bda397c505e1e6d540c814a2368fbb",
"content-hash": "1307bf553d1543704e3c03398dec06c7",
"packages": [
{
"name": "amphp/amp",
@ -13095,6 +13095,80 @@
],
"time": "2026-05-23T18:04:28+00:00"
},
{
"name": "symfony/html-sanitizer",
"version": "v7.4.13",
"source": {
"type": "git",
"url": "https://github.com/symfony/html-sanitizer.git",
"reference": "761f6c49dfd103ee08b3cd09ece588b069e18ec9"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/symfony/html-sanitizer/zipball/761f6c49dfd103ee08b3cd09ece588b069e18ec9",
"reference": "761f6c49dfd103ee08b3cd09ece588b069e18ec9",
"shasum": ""
},
"require": {
"ext-dom": "*",
"league/uri": "^6.5|^7.0",
"masterminds/html5": "^2.7.2",
"php": ">=8.2",
"symfony/deprecation-contracts": "^2.5|^3"
},
"type": "library",
"autoload": {
"psr-4": {
"Symfony\\Component\\HtmlSanitizer\\": ""
},
"exclude-from-classmap": [
"/Tests/"
]
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Titouan Galopin",
"email": "galopintitouan@gmail.com"
},
{
"name": "Symfony Community",
"homepage": "https://symfony.com/contributors"
}
],
"description": "Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.",
"homepage": "https://symfony.com",
"keywords": [
"Purifier",
"html",
"sanitizer"
],
"support": {
"source": "https://github.com/symfony/html-sanitizer/tree/v7.4.13"
},
"funding": [
{
"url": "https://symfony.com/sponsor",
"type": "custom"
},
{
"url": "https://github.com/fabpot",
"type": "github"
},
{
"url": "https://github.com/nicolas-grekas",
"type": "github"
},
{
"url": "https://tidelift.com/funding/github/packagist/symfony/symfony",
"type": "tidelift"
}
],
"time": "2026-05-24T11:20:33+00:00"
},
{
"name": "symfony/http-client",
"version": "v7.4.13",


@ -653,7 +653,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
* time_based_uuid_node?: scalar|Param|null,
* },
* html_sanitizer?: bool|array{ // HtmlSanitizer configuration
* enabled?: bool|Param, // Default: false
* enabled?: bool|Param, // Default: true
* sanitizers?: array<string, array{ // Default: []
* allow_safe_elements?: bool|Param, // Allows "safe" elements and attributes. // Default: false
* allow_static_elements?: bool|Param, // Allows all static elements and attributes from the W3C Sanitizer API standard. // Default: false


@ -58,7 +58,7 @@
</tr>
<tr>
<td>{% trans %}log.target{% endtrans %}</td>
<td>{{ target_html|raw }}</td>
<td>{{ target_html|sanitize_html }}</td>
</tr>
</table>
@ -111,7 +111,7 @@
{% elseif log_entry is instanceof('App\\Entity\\LogSystem\\CollectionElementDeleted') %}
{% include "log_system/details/_extra_collection_element_deleted.html.twig" %}
{% else %}
{{ extra_html | raw }}
{{ extra_html | sanitize_html }}
{% endif %}
</div>
{% endblock %}
{% endblock %}
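Review bot: Both new `sanitize_html` calls, at the `log.target` cell and in the `{% else %}` branch, run through the framework's default sanitizer, and no sanitizer configuration is part of this commit, so which elements and attributes survive (notably `<a href>` and the accepted link schemes) is decided by the framework default rather than by anything visible here; the generated config stub only records `enabled` flipping to true. If `target_html` or `extra_html` carries markup the default allow-list does not keep, the cell silently degrades to text, so I would pin a named sanitizer whose allow-list matches what those helpers emit, e.g. `{{ target_html|sanitize_html('log_details') }}` (the name is an example to be defined in config), and verify the rendered links on this page after the change. A Twig comment at the first use, `{# target_html/extra_html are sanitized here; do not reintroduce |raw #}`, would keep a later edit from reverting this. The two lines also differ in spacing (`target_html|sanitize_html` vs `extra_html | sanitize_html`); use one form for both. The enclosing `<table>` and `{% if %}` chain start outside the hunks.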