Add details on html_sanitizer -> allowed_link_schemes config #17446

Closed

@Stoakes Stoakes commented Nov 20, 2022

Hello,

I had a hard time getting HTMLSanitizer to work correctly: the href attribute was always removed from the a tag.

After a bunch of tests and searches, I found that the allowed_link_schemes config parameter had to be set.

This behaviour is logical but undocumented, so here is a quick edit to try to make it clearer.

Thanks

PS: As a side note, here was my initial (and not working) configuration. It was not obvious why href was always removed.

html_sanitizer:
    sanitizers:
        app.sanitizer:
            allow_safe_elements: true
            allow_elements:
                list: '*'
                table: 'class'
                code: '*'
                a: ['href']
            allowed_media_schemes: ['http', 'https', 'mailto']
            allow_relative_medias: false
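
The configuration above with the setting the post reports as missing, as an added example that is not part of the original post or of the Symfony documentation. The scheme list and the `allow_relative_links` value are illustrative assumptions; the maintainer's reply below treats the need for this setting as a bug (tracked in symfony/symfony#48556), so read it as the reported workaround.

```yaml
html_sanitizer:
    sanitizers:
        app.sanitizer:
            allow_safe_elements: true
            allow_elements:
                list: '*'
                table: 'class'
                code: '*'
                a: ['href']
            # Schemes accepted in link URLs (href). Per the report above,
            # href was stripped until this option was set. Listing only the
            # schemes you need keeps others, such as javascript:, out.
            allowed_link_schemes: ['http', 'https', 'mailto']
            # Assumed choice: reject links that carry no scheme and host.
            allow_relative_links: false
            # Unchanged from the post: these apply to media URLs (src), not links.
            allowed_media_schemes: ['http', 'https', 'mailto']
            allow_relative_medias: false
```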

@OskarStark OskarStark changed the title from "Add details on html_sanitizer allowed_link_schemes config" to "Add details on html_sanitizer -> allowed_link_schemes config" on Nov 20, 2022
@OskarStark
Contributor

friendly ping @tgalopin

@tgalopin
Contributor

Allowing href in links is supposed to be the default (it's in the "safe" elements and attributes), this feels like a bug.

I think you should open a bug issue on symfony/symfony instead. To ease the fixing of the bug, the ideal bug issue would be to reproduce the issue in a dedicated repository that I can easily clone and have a look myself. Here, the bug is that by default (without configuration linked to the a element or the href attribute), "a hrefs" should be allowed.

@javiereguiluz
Member

OK, I've opened the issue symfony/symfony#48556 to handle this, so I'm closing here.

Thanks @Stoakes.
