Sanitizing HTML from Form Input not working (symfony6.3 php 8.2)


Trying to implement a form that sanitizes HTML input according to https://symfony.com/doc/current/html_sanitizer.html#sanitizing-html-from-form-input, but I cannot make it work properly. Here is my setup:

html_sanitizer.yaml

framework:
    html_sanitizer:
        sanitizers:
            app.post_sanitizer:
                allow_safe_elements: true
                #allow_static_elements: true
                allow_relative_medias: true
                allowed_link_schemes: ['http', 'https'] # 'href' is an attribute name, not a URL scheme, so it is not listed here
                allow_relative_links: true
                allow_elements:
                    img: '*'
                    div: '*'
                    span: '*'
                    p: '*'
                    a: '*'
                    i: '*'

ActivityRichTextFormType.php

<?php

namespace App\Form;

use App\Entity\ActRichText;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextareaType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;

class ActivityRichTextFormType extends AbstractType
{
    public function __construct(
        // autowired by argument name to the html_sanitizer.sanitizer.app.post_sanitizer service
        private readonly HtmlSanitizerInterface $appPostSanitizer,
    ) {
    }

    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // Manual workaround (see below): sanitizes the data the form is built with,
        // i.e. the entity's current content, at build time.
        //$data1 = $options['data']->getContent();
        //$data1 = $this->appPostSanitizer->sanitize($data1);
        //$options['data']->setContent($data1);

        $builder->add('content', TextareaType::class,
            ['label' => '', 'empty_data' => '']
        );
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setDefaults([
            'data_class' => ActRichText::class,
            'sanitize_html' => true,
            'sanitizer' => 'app.post_sanitizer',
            'translation_domain' => false
        ]);
    }
}

entity field:

    #[ORM\Column(type: Types::TEXT , nullable: true)]
    #[Assert\Length(max: 2255)]
    private ?string $content = null;

then to test functionality I enter something like

<h2>Testing html form</h2>
<script>// <![CDATA[
(function(i,s,o,g,r,a,m){var ql=document.querySelectorAll('A[quiz],DIV[quiz]'); 
// ]]></script>

When I just use 'sanitize_html' => true, 'sanitizer' => 'app.post_sanitizer' in the resolver, the HTML text does NOT get sanitized, i.e. the script tag is kept in the content.

As a temporary workaround I added a manual sanitizer:

        $data1 = $options['data']->getContent();
        $data1 = $this->appPostSanitizer->sanitize($data1);
        $options['data']->setContent($data1);

When I remove the comments and activate this workaround, the HTML DOES get sanitized and the script tag is removed.

Any hints why the sanitize_html in the resolver does not work?
Thanks!

Update:
Created a fresh new project to test this issue and uploaded it at github symfony-html-sanitizer.
I used a Model instead of an Entity to simplify things if anyone would like to check it out.

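Why the resolver options have no effect: in Symfony, `sanitize_html` and `sanitizer` are options of the text field types (`TextType` and its children such as `TextareaType`). They are provided by a form type extension on those field types which, when the option is on, sanitizes the submitted value of that field before it is mapped back to the entity. Declaring them in the parent form type's `configureOptions()` only defines two options of the form type itself, which nothing reads. The following is an added example (editor's code, not from the question or the linked repository) of the same form type with the options moved onto the field. It assumes the `app.post_sanitizer` from the YAML above is configured and that `ActRichText` lives in `App\Entity`:

```php
<?php
// Added example, not from the original question. Assumes symfony/form and
// symfony/html-sanitizer are installed and framework.html_sanitizer.sanitizers
// defines app.post_sanitizer as in the question's html_sanitizer.yaml.

namespace App\Form;

use App\Entity\ActRichText;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextareaType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;

final class ActivityRichTextFormType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // 'sanitize_html' and 'sanitizer' are field options of the text types
        // (TextType, TextareaType, ...). Set them on the field, not on the form.
        // With them here, the submitted 'content' value is run through
        // app.post_sanitizer before it reaches ActRichText::setContent().
        $builder->add('content', TextareaType::class, [
            'label' => '',
            'empty_data' => '',
            'sanitize_html' => true,
            'sanitizer' => 'app.post_sanitizer',
        ]);
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        // Only options the form type itself understands belong here.
        $resolver->setDefaults([
            'data_class' => ActRichText::class,
            'translation_domain' => false,
        ]);
    }
}
```

With the options on the field, the constructor-injected sanitizer is no longer needed for this form. Note the difference from the manual workaround in the question: that `sanitize()` call cleans the entity's existing content when the form is built, whereas the field option cleans what the user submits, which is the value that ends up being persisted.
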
1 Answer

Ankita Sharma:

<?php
// Server side (PHP): htmlspecialchars() escapes the markup characters so the
// string is rendered as text; it does not remove tags.
$sanitizedInput = htmlspecialchars($_POST['inputField'] ?? '', ENT_QUOTES, 'UTF-8');

// Already escaped above; escaping again at output would double-encode (&amp;lt; ...).
echo $sanitizedInput;

// Client side (JavaScript): DOMPurify removes disallowed markup but keeps allowed HTML.
var cleanHTML = DOMPurify.sanitize(dirtyHTML);
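The two calls in the answer do different jobs. As an added example that is not part of the question or the answer, the script below runs both over a constructed copy of the question's test input: the HtmlSanitizer component with the question's `app.post_sanitizer` policy (rebuilt in PHP rather than YAML) drops the `<script>` element and a `javascript:` link while keeping the allowed markup, whereas `htmlspecialchars()` keeps every character and only renders it inert as text. It requires `composer require symfony/html-sanitizer`; the `vendor/autoload.php` path is an assumption about where the script is placed.

```php
<?php
// Added example (editor's code, not from the question or the answer).
// Requires: composer require symfony/html-sanitizer
// The autoload path below is an assumption about where this script lives.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Constructed input: the question's test payload plus two links, one with a
// javascript: scheme and one with https:, to show link-scheme filtering.
$dirty = <<<'HTML'
<h2>Testing html form</h2>
<script>// <![CDATA[
(function(i,s,o,g,r,a,m){var ql=document.querySelectorAll('A[quiz],DIV[quiz]');
// ]]></script>
<p>Click <a href="javascript:alert(1)">here</a> or <a href="https://example.com/">here</a>.</p>
HTML;

// The question's app.post_sanitizer policy, built in code instead of YAML.
// HtmlSanitizerConfig is immutable: every call returns a modified copy.
$config = (new HtmlSanitizerConfig())
    ->allowSafeElements()
    ->allowRelativeMedias()
    ->allowLinkSchemes(['http', 'https'])
    ->allowRelativeLinks();

// allowElement($name, '*') permits the element with all standard attributes,
// which is what `img: '*'` etc. mean in the YAML.
foreach (['img', 'div', 'span', 'p', 'a', 'i'] as $element) {
    $config = $config->allowElement($element, '*');
}

$sanitizer = new HtmlSanitizer($config);

// Sanitizing rewrites the document: <h2> and <p> survive, the <script> element is
// removed together with its content, and the javascript: href is dropped while
// the https: link is kept.
echo "--- sanitized ---\n";
echo $sanitizer->sanitize($dirty), "\n\n";

// Escaping keeps every character, including the script body, and only turns the
// markup into inert text (what Twig's {{ }} does at output time). It is the right
// tool for displaying a value as text, not for storing "clean" HTML.
echo "--- escaped ---\n";
echo htmlspecialchars($dirty, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

For rich-text content that is stored and later rendered as HTML, the two steps complement each other: sanitize on input (the field option in the question's form) so only allowed markup is persisted, and still escape at output anywhere the value is shown as plain text.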