Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[HtmlSanitizer] Some minor changes in the config API#44814

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
fabpot merged 1 commit intosymfony:6.1fromjaviereguiluz:tweak_html_sanitizer
Jan 7, 2022

Conversation

@javiereguiluz
Copy link
Member

QA
Branch?6.1
Bug fix?no
New feature?no
Deprecations?no
Tickets-
LicenseMIT
Doc PR-

First of all, thanks to@tgalopin for this superb contribution 🙇

This PR makes 3 little changes:

(1) Fix two minor typos

(2) RenameallowAllStaticElements() asallowStaticElements() to be consistent with the rest of methods, which don't include theAll word.

(3) A proposal to change this default value:

-public function allowElement(string $element, array|string $allowedAttributes = []): static+public function allowElement(string $element, array|string $allowedAttributes = '*'): static

In my opinion, when you want to allow some element, most of the times you want to allow the standard attributes on them too. So, the following should allow<div> and their standard attributes:

->allowElement('div')

Forcing to write it as->allowElement('div', '*') seems cumbersome. The previous behavior (forbid all attributes) would now be like this:

->allowElement('div', [])

@tgalopin
Copy link
Contributor

tgalopin commentedDec 28, 2021
edited by nicolas-grekas
Loading

Thanks for 1!

I'm fine with 2, I included the "all" to clarify the fact that all elements would be added, meaning possibly CSS injection issues, clickjacking issues, ... If we think the new name is enough, I'm good with it, it's good to have shorter names.

For 3, I have more reserves. I do think the sanitizer shouldn't have behaviors where the default includes everything. Your proposal would for instance allow style attributes by default, which probably shouldn't happen. I think I'm -1 on this 3rd point.

@javiereguiluz
Copy link
MemberAuthor

I've reverted all the changes related to (3). Thanks.

@tgalopin
Copy link
Contributor

Could you update the README as well with the new method name?

@javiereguiluz
Copy link
MemberAuthor

@tgalopin done! Sorry I forgot about this!

@fabpot
Copy link
Member

Thank you@javiereguiluz.

@fabpotfabpot merged commit098ff62 intosymfony:6.1Jan 7, 2022
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@fabpotfabpotfabpot approved these changes

+1 more reviewer

@fancywebfancywebfancyweb approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Projects

None yet

Milestone

6.1

Development

Successfully merging this pull request may close these issues.

5 participants

@javiereguiluz@tgalopin@fabpot@fancyweb@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp