[HtmlSanitizer] Add docs for the new HtmlSanitizer defaultAction config #20019

Open: Seldaek wants to merge 1 commit into symfony:7.2 (base: 7.2) from Seldaek:patch-10
html_sanitizer.rst: 74 changes (74 additions, 0 deletions)
@@ -462,6 +462,80 @@
->dropElement('figure')
);

Default Action
~~~~~~~~~~~~~~

By default, unconfigured tags are dropped along with their children. If you would rather not lose all children elements by default, you can configure the default action to be ``Block``. Specific elements can still be dropped if needed.

.. code-block:: yaml

# config/packages/html_sanitizer.yaml
framework:
html_sanitizer:
sanitizers:
app.post_sanitizer:
# ...

# remove all tags by default, but process their children
default_action: 'block'
# remove <figure> and its children
drop_elements: ['figure']

Check failure on line 482 in html_sanitizer.rst (GitHub Actions / Code Blocks):

[Cache Warmup] In ArrayNode.php line 304: Unrecognized option "default_action" under "framework.html_sanitizer.sanitizers.app.post_sanitizer". Available options are "allow_attributes", "allow_elements", "allow_relative_links", "allow_relative_medias", "allow_safe_elements", "allow_static_elements", "allowed_link_hosts", "allowed_link_schemes", "allowed_media_hosts", "allowed_media_schemes", "block_elements", "drop_attributes", "drop_elements", "force_attributes", "force_https_urls", "max_input_length", "with_attribute_sanitizers", "without_attribute_sanitizers".

.. code-block:: xml

<!-- config/packages/html_sanitizer.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:framework="http://symfony.com/schema/dic/symfony"
xsi:schemaLocation="http://symfony.com/schema/dic/services
https://symfony.com/schema/dic/services/services-1.0.xsd
http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">

<framework:config>
<framework:html-sanitizer>
<!-- remove all tags by default, but process their children -->
<framework:default-action>block</framework:default-action>

<!-- remove <figure> and its children -->
<framework:drop-element>figure</framework:drop-element>
</framework:html-sanitizer>
</framework:config>
</container>

.. code-block:: php

Check failure on line 506 in html_sanitizer.rst (GitHub Actions / Lint (DOCtor-RST)):

Please do not use ".. code-block:: php", use "::" instead.

// config/packages/framework.php
use Symfony\Config\FrameworkConfig;

return static function (FrameworkConfig $framework): void {
$framework->htmlSanitizer()
->sanitizer('app.post_sanitizer')
// remove all tags by default, but process their children
->defaultAction('block')
// remove <figure> and its children
->dropElement('figure')
;
};

Check failure on line 519 in html_sanitizer.rst (GitHub Actions / Code Blocks):

[Cache Warmup] 2024-07-03T09:36:51+00:00 [critical] Uncaught Error: Call to undefined method Symfony\Config\Framework\HtmlSanitizer\SanitizerConfig::defaultAction()

.. code-block:: php-standalone

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerAction;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

$postSanitizer = new HtmlSanitizer(
(new HtmlSanitizerConfig())
// remove all tags by default, but process their children
->defaultAction(HtmlSanitizerAction::Block)
// remove <figure> and its children
->dropElement('figure')
);

.. note::

Configuring a default action of ``Allow`` will allow all tags but they will not have any attributes. You probably should still disallow at least ``script`` tags if you want to do this, but generally speaking using an explicit allowlist is going to be much safer.

Allow Attributes
~~~~~~~~~~~~~~~~
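Review bot: the Code Blocks job shows that neither the `default_action` option nor `SanitizerConfig::defaultAction()` exists in the framework version the docs build runs against (`Unrecognized option "default_action"` at line 482 and `Call to undefined method ...::defaultAction()` at line 519), so this hunk can only pass once the matching symfony/symfony change is in 7.2, and the new "Default Action" section should carry a `.. versionadded:: 7.2` directive so readers on older versions know the option is not available to them. Two smaller points in the same hunk: the XML example puts `<framework:default-action>` and `<framework:drop-element>` directly under `<framework:html-sanitizer>`, while the YAML (`sanitizers: app.post_sanitizer:`) and PHP (`->sanitizer('app.post_sanitizer')`) examples configure the named sanitizer, so the XML needs the corresponding sanitizer element for `app.post_sanitizer` to describe the same configuration; and the four `.. code-block::` directives (yaml, xml, php, php-standalone) are not wrapped in a `.. configuration-block::` directive, which is how these format alternatives are normally grouped in the Symfony docs and would also resolve the DOCtor-RST complaint about `.. code-block:: php` at line 506. On the closing note: since a default action of `Allow` lets every unconfigured tag through (attribute-less), consider turning "You probably should still disallow at least `script` tags" into a firm instruction to list `script` in `drop_elements` whenever `Allow` is chosen, and keep the recommendation that an explicit allowlist is the safer default.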
