Skip to content

[HtmlSanitizer] allowed_link_hosts and allowed_media_hosts are empty array instead of null when not set #46647

New issue
New issue
Closed
Closed
[HtmlSanitizer] allowed_link_hosts and allowed_media_hosts are empty array instead of null when not set#46647
Labels
BugHtmlSanitizerStatus: Needs Review
@plfort

Description

@plfort
plfort
opened on Jun 11, 2022

Symfony version(s) affected

6.1.*

Description

According to HtmlSanitizerConfig documentation, allowLinkHosts and allowMediaHosts default value must be null to allow any hosts:

symfony/src/Symfony/Component/HtmlSanitizer/HtmlSanitizerConfig.php

Lines 171 to 185 in 013857a

/**
* Allows only a given list of hosts to be used in links href attributes.
*
* All other hosts will be dropped. By default all hosts are allowed
* ($allowedLinkHosts = null).
*
* @param list<string>|null $allowLinkHosts
*/
public function allowLinkHosts(?array $allowLinkHosts): static
{
$clone = clone $this;
$clone->allowedLinkHosts = $allowLinkHosts;
return $clone;
}

symfony/src/Symfony/Component/HtmlSanitizer/HtmlSanitizerConfig.php

Lines 213 to 227 in 013857a

/**
* Allows only a given list of hosts to be used in media source attributes (img, audio, video, ...).
*
* All other hosts will be dropped. By default all hosts are allowed
* ($allowMediaHosts = null).
*
* @param list<string>|null $allowMediaHosts
*/
public function allowMediaHosts(?array $allowMediaHosts): static
{
$clone = clone $this;
$clone->allowedMediaHosts = $allowMediaHosts;
return $clone;
}

These values are set from FrameworkBundle configuration where we use arrayNode to describe them, so we get an empty array instead of null.

The result is that every URLs are filtered by default

How to reproduce

Configure a basic sanitizer

framework:
  html_sanitizer:
    sanitizers:
        app.default_sanitizer:
            allow_safe_elements: true
$sanitized = $appDefaultSanitizer->sanitize('<a href="https://symfony.com">hello</a>');
// <a>hello</a>

Possible Solution

No response

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    BugHtmlSanitizerStatus: Needs Review

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions