[HtmlSanitizer] Use the native HTML5 parser when using PHP 8.4+ #61366

Merged
nicolas-grekas merged 1 commit into symfony:7.4 from nicolas-grekas:hs-php84
Aug 12, 2025

nicolas-grekas (Member) commented Aug 8, 2025 (edited)

| Q             | A
| ------------- | ---
| Branch?       | 7.4
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | yes
| Issues        | #53666
| License       | MIT

Together with #61356, this PR allows removing any dependency on masterminds/html5 in favor of the native HTML5 capabilities of PHP 8.4 on Symfony 8.

In order to do so, we:

  • Use the native HTML5 parser when using PHP 8.4+
  • Deprecate MastermindsParser; use NativeParser instead
  • [BC BREAK] ParserInterface::parse() can now return \Dom\Node|\DOMNode|null instead of just \DOMNode|null
  • Add argument $context to ParserInterface::parse()

Note that DomVisitor is internal so no BC breaks there.
And StringSanitizer::htmlLower() can leverage strtolower() since PHP 8.2 thanks to https://wiki.php.net/rfc/strtolower-ascii

dmaicher reacted with thumbs up emoji
nicolas-grekas force-pushed the hs-php84 branch 2 times, most recently from 98b6dab to 1c40c66, August 12, 2025 10:43

alexandre-daubois (Member) left a comment:

Nice!

nicolas-grekas added a commit that referenced this pull request Aug 12, 2025

…ext arg to ParserInterface::parse() (nicolas-grekas)

This PR was merged into the 8.0 branch.

Discussion
----------

[HtmlSanitizer] Remove MastermindsParser and add $context arg to ParserInterface::parse()

| Q             | A
| ------------- | ---
| Branch?       | 8.0
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        | -
| License       | MIT

Follows #61366

Commits
-------

b291f58 [HtmlSanitizer] Remove MastermindsParser and add $context arg to ParserInterface::parse()

nicolas-grekas deleted the hs-php84 branch August 12, 2025 16:44

// Remove NULL character
$input =str_replace(\chr(0),'',$input);
// Remove NULL character and HTML entities for null byte
$input =str_replace([\chr(0),'�','�','�','�'],'',$input);
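Review bot: on the second str_replace() line, the search list is a fixed set of literal strings and the replacement is '', so the call is exact-match, case-sensitive, and deletes rather than substitutes. The comment "HTML entities for null byte" reads as broader than what a literal list can cover; either narrow the comment to the spellings actually listed or add a test that pins which spellings are handled here and which are left to the parser. Deleting a match also joins the text on both sides of it, so consider substituting a placeholder character instead of ''.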
Member

$input = str_replace([\chr(0), '�', '�', '�', '�'], '', $input);

Why not like this?

Member, Author

The native parser already turns variants of � into. We cannot really hook there. I think this is what the spec says to do.
Also: removing characters is a known vector for attacks, because it breaks content scanners.

xabbuh reacted with thumbs up emoji
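
The point in the reply above about removing characters, as an added example that is not part of this PR or of Symfony's code. The scanner function, the term `blocked-term` and the input are constructed assumptions; the block compares deleting a NUL byte with substituting U+FFFD and checks whether an upstream scanner's verdict still holds afterwards.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. The scanner, the term and the input are constructed.

/** Hypothetical upstream content scanner: flags text that contains a blocked term. */
function scannerFlags(string $text, string $term = 'blocked-term'): bool
{
    return str_contains($text, $term);
}

/** Normalization that deletes NUL bytes (the text on both sides gets joined). */
function dropNul(string $input): string
{
    return str_replace("\0", '', $input);
}

/** Normalization that substitutes U+FFFD for NUL bytes (nothing gets joined). */
function substituteNul(string $input): string
{
    return str_replace("\0", "\u{FFFD}", $input);
}

/** True when the scanner gives the same verdict before and after normalization. */
function verdictPreserved(callable $normalize, string $input): bool
{
    return scannerFlags($input) === scannerFlags($normalize($input));
}

$input = "blocked-\0term"; // constructed sample: a NUL byte splits the term

foreach (['dropNul', 'substituteNul'] as $normalize) {
    printf(
        "%-14s scanner before=%s after=%s verdict preserved=%s\n",
        $normalize,
        var_export(scannerFlags($input), true),
        var_export(scannerFlags($normalize($input)), true),
        var_export(verdictPreserved($normalize, $input), true)
    );
}
```

A check like `verdictPreserved()` can run in a test suite over a corpus of inputs to catch normalization steps that change what an earlier scanner saw.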

Reviewers

  • xabbuh left review comments
  • GromNaN approved these changes
  • alexandre-daubois approved these changes

Milestone: 7.4

5 participants: @nicolas-grekas, @GromNaN, @xabbuh, @alexandre-daubois, @carsonbot
