From 8421636b1c78947e6abfff908ff2d6a88dc4490f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Wed, 10 Jun 2026 23:43:07 +0200 Subject: [PATCH] Use HTML sanatizer to harden HTML rendering on log_details page Should be more safe than use |raw directly and for these smalls things performance hit is zero.
---
 composer.json | 1 + composer.lock | 76 ++++++++++++++++++- config/reference.php | 2 +- .../log_system/details/log_details.html.twig | 6 +- 4 files changed, 80 insertions(+), 5 deletions(-)
diff --git a/composer.json b/composer.json
index a1f15834..f08f824d 100644
--- a/composer.json
+++ b/composer.json
@@ -70,6 +70,7 @@
 "symfony/flex": "^v2.3.1",
 "symfony/form": "7.4.*",
 "symfony/framework-bundle": "7.4.*",
+ "symfony/html-sanitizer": "7.4.*",
 "symfony/http-client": "7.4.*",
 "symfony/http-kernel": "7.4.*",
 "symfony/mailer": "7.4.*",
diff --git a/composer.lock b/composer.lock
index e7cb8570..a0e43cfc 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "d6bda397c505e1e6d540c814a2368fbb",
+ "content-hash": "1307bf553d1543704e3c03398dec06c7",
 "packages": [
 {
 "name": "amphp/amp",
@@ -13095,6 +13095,80 @@ ], "time": "2026-05-23T18:04:28+00:00" }, + { + "name": "symfony/html-sanitizer", + "version": "v7.4.13", + "source": { + "type": "git", + "url": "https://github.com/symfony/html-sanitizer.git", + "reference": "761f6c49dfd103ee08b3cd09ece588b069e18ec9" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/symfony/html-sanitizer/zipball/761f6c49dfd103ee08b3cd09ece588b069e18ec9", + "reference": "761f6c49dfd103ee08b3cd09ece588b069e18ec9", + "shasum": "" + }, + "require": { + "ext-dom": "*", + "league/uri": "^6.5|^7.0", + "masterminds/html5": "^2.7.2", + "php": ">=8.2", + "symfony/deprecation-contracts": "^2.5|^3" + }, + "type": "library", + "autoload": { + "psr-4": { + "Symfony\\Component\\HtmlSanitizer\\": "" + }, + "exclude-from-classmap": [ + "/Tests/" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Titouan Galopin", + "email": "galopintitouan@gmail.com" + }, + { + "name": "Symfony Community", + "homepage": "https://symfony.com/contributors" + } + ], + "description": "Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM.", + "homepage": "https://symfony.com", + "keywords": [ + "Purifier", + "html", + "sanitizer" + ], + "support": { + "source": "https://github.com/symfony/html-sanitizer/tree/v7.4.13" + }, + "funding": [ + { + "url": "https://symfony.com/sponsor", + "type": "custom" + }, + { + "url": "https://github.com/fabpot", + "type": "github" + }, + { + "url": "https://github.com/nicolas-grekas", + "type": "github" + }, + { + "url": "https://tidelift.com/funding/github/packagist/symfony/symfony", + "type": "tidelift" + } + ], + "time": "2026-05-24T11:20:33+00:00" + }, { "name": "symfony/http-client", "version": "v7.4.13", diff --git a/config/reference.php b/config/reference.php index ecf0b0aa..71b08412 100644 --- a/config/reference.php +++ b/config/reference.php 
@@ -653,7 +653,7 @@ use Symfony\Component\Config\Loader\ParamConfigurator as Param;
 * time_based_uuid_node?: scalar|Param|null,
 * },
 * html_sanitizer?: bool|array{ // HtmlSanitizer configuration
- * enabled?: bool|Param, // Default: false
+ * enabled?: bool|Param, // Default: true
 * sanitizers?: array {% trans %}log.target{% endtrans %}
- {{ target_html|raw }}
+ {{ target_html|sanitize_html }}
@@ -111,7 +111,7 @@
 {% elseif log_entry is instanceof('App\\Entity\\LogSystem\\CollectionElementDeleted') %}
 {% include "log_system/details/_extra_collection_element_deleted.html.twig" %}
 {% else %}
- {{ extra_html | raw }}
+ {{ extra_html | sanitize_html }}
 {% endif %}
-{% endblock %}
\ No newline at end of file
+{% endblock %}
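Review bot: `{{ extra_html | sanitize_html }}` (and `target_html|sanitize_html` in this file's earlier hunk) selects the framework's `default` sanitizer, and the stock `HtmlSanitizerConfig` — confirm against the installed v7.4.13 — drops `href` values that are relative URLs (`allowRelativeLinks` defaults to false) and silently truncates input past `maxInputLength` (20000 by default), so any relative entity links or long diffs in these strings would disappear from the rendered page rather than be shown. The `config/reference.php` hunk shows `sanitizers?: array` is available, so a dedicated sanitizer with `allow_relative_links: true` and an explicit element/attribute allow-list, selected as `{{ extra_html | sanitize_html('app.log_sanitizer') }}` (name is an example), keeps the output predictable; at minimum a template comment should record which sanitizer configuration the log markup relies on. A regression test that feeds a string containing a relative link and a `<script>` element through this page and asserts the link survives while the script is removed would pin the intended behaviour. The enclosing block of the `extra_html` hunk starts outside the hunk, and the old side is one line short of its 7-line header in this rendering, so a whitespace line was likely lost in extraction.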