Description
Following discussions with @DocFX and @nicolas-grekas, I'm opening this PR to request comments on the idea of creating a new HtmlSanitizer component for Symfony 6.1, based on a package I developed: html-sanitizer.
Presentation
html-sanitizer is a package I developed in 2018 as I needed a way to clean HTML while controlling the resulting output precisely. The alternatives at the time were limited, the biggest one being HTMLPurifier, but it doesn't fit the same need (see the comparison).
html-sanitizer aims at cleaning user-provided HTML to safely display it in a web page. It has two main roles:
- preventing security attacks based on XSS or other techniques relying on the execution of malicious code in the visitors' browsers
- generating HTML that always respects a certain format (only certain tags/attributes/hosts/... allowed) to be able to consistently style the resulting output with CSS
Proposal to integrate it into Symfony
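As an added illustration of the two roles above (this is not code from the PR or from the package's own README), here is how an application would configure html-sanitizer with an allowlist of extensions and trusted hosts and run user input through it. The option names (`extensions`, `tags`, `allowed_hosts`, `allow_data_uri`, `force_https`) are assumed from the package's documented configuration and should be checked against the README; the host names and the input are constructed.

```php
<?php
// Added example: sanitizing user-provided HTML with tgalopin/html-sanitizer.
// Option names (extensions, tags, allowed_hosts, allow_data_uri, force_https)
// are assumed from the package's documented configuration.
require __DIR__ . '/vendor/autoload.php';

use HtmlSanitizer\Sanitizer;

// Role 2: define the format the output must respect. Only tags from the listed
// extensions survive; images and links are further restricted to trusted hosts.
$sanitizer = Sanitizer::create([
    'extensions' => ['basic', 'list', 'image'],
    'tags' => [
        'img' => [
            'allowed_hosts' => ['cdn.example.com'], // constructed trusted host
            'allow_data_uri' => false,
        ],
        'a' => [
            'allowed_hosts' => ['example.com'],     // constructed trusted host
            'force_https' => true,
        ],
    ],
]);

// Constructed input, as a WYSIWYG editor might submit it: a script element,
// an inline event handler, a javascript: link and an image from an untrusted host.
$userInput = <<<'HTML'
<p onclick="alert(1)">Hello <strong>world</strong></p>
<script>alert(document.cookie)</script>
<a href="javascript:alert(1)">bad link</a>
<a href="http://example.com/page">ok link</a>
<img src="https://untrusted.example.net/x.png" alt="untrusted">
<img src="https://cdn.example.com/ok.png" alt="trusted">
HTML;

// Role 1: the sanitized result keeps only allowed elements and attributes, so it
// can be echoed into a page without running anything the visitor didn't ask for.
$safeHtml = $sanitizer->sanitize($userInput);
echo $safeHtml;
```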
I would like to propose the integration of this package under the Symfony namespace. I have several reasons why I think it would make sense:
- HTML sanitization is a very common issue when dealing with content provided by users. In most of these cases, a WYSIWYG editor is required, and when using such an editor, it is important for security purposes to filter the input before displaying it;
- This package works well (it is used in the symfony/demo application), is widely used (installed 469k+ times) and is extensively tested (a lot of tests inspired by OWASP, Drupal and other key actors in this area);
- While it's a stable and used package, keeping it under my personal namespace probably prevents some people from using it, as it means I'm the only one maintaining it;
- Integrating this package in Symfony would help when we address the problem of WYSIWYG editors in Symfony UX (it'll happen for sure at some point), as we will be able to rely on it more safely to provide security;
- The package already follows most (all?) Symfony best practices, is based on the Symfony BC promise and has a complete integration with Symfony through its bundle;
Example
See the bundle README for an example of usage in Symfony: