Hi @tgalopin & all

This package is extremely useful, thanks for all the hard work. I am currently using it in a site where I need to be able to set a target when for certain links. Is there a simple way to configure this ?

I'm already using an extension provided by @olegatro to allow relative URI's. I thought perhaps it would be possible to modify that extension ?

Thanks for any help, PhR

This is very big commit, sorry for that. I created these all files by running foreach loop which created multiple node and NodeVisitor files for me in appropriate directory.

Sanitizer added because of this previous reported XSS in MathML

Hello,

I'm having out of memory exceptions when using HTML sanitizer (version 1.3.0) on a malformed string.

php.CRITICAL: Fatal Error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 352256 bytes) {"exception":"[object] (Symfony\\Component\\ErrorHandler\\Error\\OutOfMemoryError(code: 0): Error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 352256 bytes) at /srv/web/vendor/masterminds/html5/src/HTML5/Parser/Tokenizer.php:1054)"

Here is a snippet to reproduce the issue:

The message comes from a chat which truncates messages when they are too long, leading to some invalid html content. (Fun fact, this message comes from production).

<?php
/** @var SanitizerInterface $sanitizer   */
$sanitizer->sanitize("<p>Apr\u00e8s s&#039;il y a un gros bug et que tout le monde en profite, mon avis l\u00e0 dessus peut changer. Mais normalement non, pas de reset pour les joueurs arriv\u00e9s avec la beta publique.<\/p>\n\n<p>Par contre certains \u00e9quilibrages changeront, c&#");

Hi, I'm trying to use html-sanitizer to allow users to create articles in a Blog style application I'm building. I can't figure out why sanitizer is removing src attribute from images tags.

The config I'm using is this one $this->sanitizerConfig = [ 'extensions' => ['basic', 'code', 'image', 'list', 'table'], 'tags' => [ 'a' => [ 'allowed_hosts' => null, 'allow_mailto' => true, ], 'img' => [ 'allowed_attributes' => ['src', 'alt', 'title', 'width', 'height'], 'allowed_hosts' => null, 'allow_data_uri' => true, 'force_https' => false, ], 'div' => [ 'allowed_attributes' => ['class'], ], 'span' => [ 'allowed_attributes' => ['class'], ], 'table' => [ 'allowed_attributes' => ['class'], ], 'p' => [ 'allowed_attributes' => ['class'], ], 'h1' => [ 'allowed_attributes' => ['class'], ], 'h2' => [ 'allowed_attributes' => ['class'], ], 'h3' => [ 'allowed_attributes' => ['class'], ], 'h4' => [ 'allowed_attributes' => ['class'], ], ], ]; this is the html before sanitizing "<p><img src="/images/uploaded/articles/1b75dd06bf92c5e04e1491af441491fe9a7d7bab.png" alt="Test image" width="960" height="638" /></p>" and this is what I get from sanitize method.

"<p><img alt="Test image" width="960" height="638" /></p>"

Thanks for your help.

When allow_data_uri is set to true on img and allowed_hosts is left at the default null like below, allowed_hosts is effectively overwritten by an array containing only null causing all other images to be blocked.

"img" => [ "allowed_hosts" => null, // Example: ["trusted1.com", "google.com"] "allow_data_uri" => true ]

I propose this small change to only add the null value if allowedHosts is already an array.

In my project at the moment I need to purify 2 properties in different entities with the same extensions, so I create a simple helper.

class SanitizerHelper
{
    private const SANITIZER_WHITE_LIST = ['basic', 'code', 'image', 'list', 'table', 'iframe', 'extra'];

    public static function sanitize(string $html)
    {
        $sanitizer = Sanitizer::create(['extensions' => self::SANITIZER_WHITE_LIST]);

        return $sanitizer->sanitize($html);
    }
}

The idea is to create a static method to pass extensions as first args and content as second args : Actual

 $sanitizer = Sanitizer::create(['extensions' => self::SANITIZER_WHITE_LIST]);
 $safeHtml = sanitizer->sanitize($untrustedHtml);

After

$safeHtml = HtmlSanitizer\Sanitizer::sanitize([
    'extensions' => ['basic', 'code', 'image', 'list', 'table', 'iframe', 'details', 'extra'],
     $untrustedHtml)

WDYT ?

It would be great to have a comparison between this package and the HTMLPurifier library which is out there since a long time (what are the differences in the feature they support, etc...)

https://github.com/tgalopin/html-sanitizer/blob/82da21fbb6ca4ed6ac3458391612529958b0a69f/src/Sanitizer/StringSanitizerTrait.php#L23

This replacement is breaking URLs and replacing valid =

Hi,

I recently got the following error:

Notice: Undefined offset: 2

here: https://github.com/tgalopin/html-sanitizer/blob/d2dd64cf1a3739167802aa00217df0f17e67372a/src/Sanitizer/UrlSanitizerTrait.php#L83

I got this error after adding a subdomain to allowed_hosts like sub.example.org and this causes the function to be called with the following parameters if a url like https://example.org in a href attribute is sanitized:

$uriParts = ['org', 'example']; 
$trustedParts = ['org', 'example', 'sub'];

Is a subdomain not allowed in allowed_hosts or is this a bug?

Concern 01

Is there any possibility to allow case sensitive attributes with this package along with a config setting.

I have HTML like below and it removes case sensitive attributes even I add the attribute's named categoryType under allowed_attributes for div tag.

Ex:

<div class="custom" categoryType="books"></div>

Sanitizer is returning for above HTML as below.

<div class="custom"></div>

I have debug your library and found it identify the attribute as "categorytype" (all letters are in lower case). But could we have case sensitive attributes ?

Concern 02

Sanitizer package is removing empty strings value of a attribute like below. (="")

Ex:

<a rel="" href="https://github.com/tgalopin/html-sanitizer/">HTML Sanitizer</a>

Sanitizer returns

<a rel href="https://github.com/tgalopin/html-sanitizer/">HTML Sanitizer</a>

But could we have empty string as attribute value. May be we can allow this feature as well with a config setting.
<a rel="" href="https://github.com/tgalopin/html-sanitizer/">HTML Sanitizer</a>