Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pkp/pkp-lib#7916 Replaced html purifier with symfony html sanitizer #9002

Merged
merged 6 commits into from
Jul 1, 2023
Merged

pkp/pkp-lib#7916 Replaced html purifier with symfony html sanitizer #9002

merged 6 commits into from
Jul 1, 2023

Conversation

touhidurabir
Copy link
Member

This PR aims to provide solution for #7916

@touhidurabir touhidurabir mentioned this pull request May 16, 2023
Closed
@touhidurabir touhidurabir force-pushed the i7916_main branch 2 times, most recently from a91dde9 to fd9be0c Compare June 19, 2023 06:35
asmecher
asmecher requested changes Jun 27, 2023
View reviewed changes
Copy link
Member

@asmecher asmecher left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @touhidurabir! I've given this a first review and added some comments. Could you move the work on the php-jwt update over to a separate PR? I've added some review comments separately on that to #9110.

classes/core/PKPString.php Outdated
$config->set('HTML.Allowed', Config::getVar('security', $configKey));
$config->set('Cache.SerializerPath', 'cache');
$purifier = new HTMLPurifier($config);
if (!$input) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is strictly supposed to deal with a null case, right? If so, then please use an exact test:

if ($input === null) {
    return '';
}

Otherwise, non-string values will get coerced into strings by the function's type hint and the if will not behave like it looks at first glance.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done .

classes/core/PKPString.php Outdated
static $configKey;
static $allowedTagToAttributeMap;

if ($configKey !== $key) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is meant to cache repeat calls with the same $configKey, right? We only have two different configurations for $configKey we use in practice at the moment; at the moment flipping back and forth between two values of $configKey will cause the parsing to be repeated. I'd suggest storing the parsed data in an array by $configKey.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved both the attributes tag map and sanitizer as static cache as both needed at the end .

classes/core/PKPString.php Outdated
});
}

if(!isset($sanitizer)) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will instantiate a sanitizer for the first value of $configKey, and after that it will be re-used regardless of whether the $configKey matches.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved both the attributes tag map and sanitizer as static cache as both needed at the end .

@asmecher asmecher merged commit d76fba0 into pkp:main Jul 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asmecher asmecher asmecher requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@touhidurabir @asmecher