
Trying to implement a form that sanitizes HTML input according to https://symfony.com/doc/current/html_sanitizer.html#sanitizing-html-from-form-input, but I cannot make it work properly. Here is my setup:

html_sanitizer.yaml

framework:
    html_sanitizer:
        sanitizers:
            app.post_sanitizer:
                allow_safe_elements: true
                #allow_static_elements: true
                allow_relative_medias: true
                allowed_link_schemes: ['http', 'https', 'href']
                allow_relative_links: true
                allow_elements:
                    img: '*'
                    div: '*'
                    span: '*'
                    p: '*'
                    a: '*'
                    i: '*'

ActivityRichTextFormType.php

<?php

use App\Entity\ActRichText; // assumed namespace of the entity shown below
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextareaType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;

class ActivityRichTextFormType extends AbstractType
{
    public function __construct(
        // autowired by parameter name to the 'app.post_sanitizer' sanitizer configured above
        private readonly HtmlSanitizerInterface $appPostSanitizer,
    ) {
    }

    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // manual workaround, disabled here (see below)
        //$data1 = $options['data']->getContent();
        //$data1 = $this->appPostSanitizer->sanitize($data1);
        //$options['data']->setContent($data1);

        $builder->add('content', TextareaType::class,
            ['label' => '', 'empty_data' => '']
        );
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        $resolver->setDefaults([
            'data_class' => ActRichText::class,
            'sanitize_html' => true,
            'sanitizer' => 'app.post_sanitizer',
            'translation_domain' => false
        ]);
    }
}

entity field:

    #[ORM\Column(type: Types::TEXT , nullable: true)]
    #[Assert\Length(max: 2255)]
    private ?string $content = null;

then to test functionality I enter something like

<h2>Testing html form</h2>
<script>// <![CDATA[
(function(i,s,o,g,r,a,m){var ql=document.querySelectorAll('A[quiz],DIV[quiz]'); 
// ]]></script>

When I just use 'sanitize_html' => true, 'sanitizer' => 'app.post_sanitizer', in the resolver, the HTML text does NOT get sanitized, i.e. the script tag is kept in the content.

As a temporary workaround I added a manual sanitizer:

        $data1 = $options['data']->getContent();
        $data1 = $this->appPostSanitizer->sanitize($data1);
        $options['data']->setContent($data1);

When I remove the comments and activate this workaround, the HTML DOES get sanitized and the script tag is removed.

Any hints why the sanitize_html in the resolver does not work?
Thanks!

Update:
Created a fresh new project to test this issue and uploaded it at github symfony-html-sanitizer.
I used a Model instead of an Entity to simplify things if anyone would like to check it out.

  • What is "ActRichText::class"? For the Symfony form integration it must be "TextType forms, or any form extending this type (such as TextareaType)". Is ActRichText an extension of TextType or perhaps another type? That might be the problem. Commented Oct 1, 2023 at 2:19
  • ActRichText is the entity that has the field $content. Instead of listing the whole entity I only posted the one field used in the form. Commented Oct 1, 2023 at 10:52
  • Yes, but why are you declaring a type of ActRichText in the options, when the entity type is Types::TEXT? What happens if you omit 'data_class' => ActRichText::class? Commented Oct 1, 2023 at 16:14
  • @JasonOlson: I checked it, nothing changes if I omit it. I use it as it is suggested at symfony.com/doc/current/forms.html#creating-form-classes. As said on this page, although not always necessary, it's generally a good idea to explicitly specify the data_class option. Commented Oct 2, 2023 at 9:12
  • Adding a manual sanitizer at the form type does not work that well either. My best option for now is to add a manual sanitizer at the controller inside the form isSubmitted()/isValid() check. Commented Oct 2, 2023 at 9:37
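The sanitize_html and sanitizer options are consumed by Symfony's TextTypeHtmlSanitizerExtension, which extends TextType and the types built on it (such as TextareaType), so they must be passed to the 'content' field itself; declaring them as defaults of the surrounding form type (whose parent is FormType) defines the options but nothing reads them. As an added example, not code from the question or its comments (the App\Entity namespace of ActRichText is assumed), here is the form type with the options on the field; the extension then sanitizes the submitted value in a PRE_SUBMIT listener, whereas the manual workaround above only touched the initial data passed to the form:

```php
<?php
// Added example, not the question author's code.
// sanitize_html / sanitizer are field options handled by
// Symfony\Component\Form\Extension\HtmlSanitizer\Type\TextTypeHtmlSanitizerExtension,
// which is registered for TextType and therefore also applies to TextareaType.

namespace App\Form;

use App\Entity\ActRichText; // assumed namespace
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextareaType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolver;

class ActivityRichTextFormType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options): void
    {
        // No injected sanitizer and no manual sanitize() call are needed: the
        // extension runs the named sanitizer on the submitted string before it is
        // mapped onto ActRichText::$content, so a <script> element in the input
        // never reaches the entity. Existing stored content is not re-sanitized
        // by this; only what is submitted through the form is.
        $builder->add('content', TextareaType::class, [
            'label' => '',
            'empty_data' => '',
            'sanitize_html' => true,
            // name of the sanitizer under framework.html_sanitizer.sanitizers;
            // omit it to use the 'default' sanitizer
            'sanitizer' => 'app.post_sanitizer',
        ]);
    }

    public function configureOptions(OptionsResolver $resolver): void
    {
        // Only form-level options belong here; sanitize_html is not one of them.
        $resolver->setDefaults([
            'data_class' => ActRichText::class,
            'translation_domain' => false,
        ]);
    }
}
```

Because the sanitizer runs in PRE_SUBMIT, a test that calls $form->submit(['content' => '<h2>x</h2><script>alert(1)</script>']) and then reads $form->getData()->getContent() will see the heading kept and the script element gone.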

1 Answer


// PHP: htmlspecialchars() escapes <, >, &, " and ' so the string is rendered as text
// instead of being parsed as markup; it does not remove elements such as <script>
$sanitizedInput = htmlspecialchars($_POST['inputField'], ENT_QUOTES, 'UTF-8');

// Encoding the already encoded value a second time turns "&lt;" into "&amp;lt;"
echo htmlspecialchars($sanitizedInput, ENT_QUOTES, 'UTF-8');

// JavaScript (browser side): DOMPurify strips disallowed markup from dirtyHTML
// and returns the cleaned HTML string
var cleanHTML = DOMPurify.sanitize(dirtyHTML);


1 Comment

As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
