mewebstudio / Purifier

HTMLPurifier for Laravel 5/6/7/8/9/10/11
MIT License

[Idea] Custom cast for Purified HTML, to be easily used inside Eloquent Model casts #152

Closed tabacitu closed 2 years ago

tabacitu commented 2 years ago

Hey @mewebstudio - excellent job on this package, thanks a lot for creating and maintaining it🙏 I have an idea on how to make this even easier for us to use in Laravel Models. Happy to create a complete PR if you agree.

What do you think about this package also providing a custom cast? The way I see it, that would make it dead-simple to purify HTML inside Eloquent Models, without having to use accessors or mutators, which take up quite a few lines, and more time to write.

For example, say a model has two attributes where HTML is stored - you'll want both purified. So instead of having to do this to clean up the outputs:

```php
<?php

namespace App\Models;

use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    public function getBioAttribute($value)
    {
        return clean($value);
    }

    public function getHistoryAttribute($value)
    {
        return clean($value);
    }
}
```

Devs could just do:

```php
<?php

namespace App\Models;

use Mews\Casts\CleanHtml;
use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    protected $casts = [
        'bio' => CleanHtml::class,
        'history' => CleanHtml::class,
    ];
}
```

I'll come back with the questions for your thoughts inside the PR, after I've thought on them myself and found solutions/arguments. For now, please just tell me if you like the idea - if so, I'll start working on a PR or ask someone else in the Backpack for Laravel core team to do so.

Let me know. Cheers!

tabacitu commented 2 years ago

Note to self. Just so I don't forget. If I do create the PR, some of the questions that need to be addressed sooner or later:

(1) Do we clean on input, output, or both? Or do we create multiple casts, like CleanHtmlInput, CleanHtmlOutput and CleanHtml (both input and output), and let the dev decide where they want the cleaning to be done, by using the cast they want?

(2) What do we call the Casts class? Html? PurifiedHtml? CleanHtml? Something else?

(3) I believe CustomCasts are only supported starting with L7, so we'll need to either drop support for some Laravel versions, or instruct people in the docs that this feature can only be used in L7+ - which one would be better?
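The following is an added example, not code from this package or from the PR, of what such a cast could look like using Laravel's `CastsAttributes` contract (Laravel 7+) and the `clean()` helper shown above. The `App\Casts` namespace and the `input`/`output`/`both` cast parameter, which answers question (1) with a single class instead of three, are assumptions for illustration; Laravel 11 declares the same two methods with typed parameters and `mixed` return types, so on that version the signatures need adjusting.

```php
<?php

namespace App\Casts;

use Illuminate\Contracts\Database\Eloquent\CastsAttributes;

/**
 * Purifies an HTML attribute through mews/purifier's clean() helper.
 * The cast parameter chooses where cleaning happens:
 *   'bio' => CleanHtml::class,            // on read and on write (default)
 *   'bio' => CleanHtml::class.':input',   // only when the value is saved
 *   'bio' => CleanHtml::class.':output',  // only when the value is read
 */
class CleanHtml implements CastsAttributes
{
    protected string $mode;

    public function __construct(string $mode = 'both')
    {
        if (! in_array($mode, ['input', 'output', 'both'], true)) {
            throw new \InvalidArgumentException("Unknown CleanHtml mode: {$mode}");
        }
        $this->mode = $mode;
    }

    // Runs when the attribute is read from the model (output side).
    public function get($model, string $key, $value, array $attributes)
    {
        return $this->mode === 'input' ? $value : $this->purify($value);
    }

    // Runs when the attribute is assigned, before it is written to the database (input side).
    public function set($model, string $key, $value, array $attributes)
    {
        return $this->mode === 'output' ? $value : $this->purify($value);
    }

    protected function purify($value)
    {
        // Keep null as null so nullable columns are not turned into empty strings.
        return $value === null ? null : clean($value);
    }
}
```

Note that `output` mode runs HTMLPurifier on every read of the attribute, so anything already stored dirty is only ever rendered clean, never rewritten in the database; `input` mode does the opposite, which is why the choice in question (1) matters.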

mewebstudio commented 2 years ago

Hello, Cristian.

First of all, I apologize for my bad English :)

Thanks for your suggestion.

However, eloquent models need to be as pure as possible. It would be a better method to clean the values in the requests coming with a middleware instead of using it this way. This is how I use it.

If you send PR we can offer that as an option too, thanks.

Best regards :)


tabacitu commented 2 years ago

Excellent - glad to hear that @mewebstudio . I admit cleaning the HTML in the Model is not for everyone. And it's probably not a good idea if what you're after is input-cleaning.

But I know a lot of people that are looking for output-cleaning, and will find this very useful. For that use case, I would argue the best place to do it is inside the Model. That way it's done every time that attribute is used, before it's shown on a page.

I've just submitted https://github.com/mewebstudio/Purifier/pull/154 . I'm going to close this issue, we can move the conversation there.

Cheers!

mewebstudio commented 2 years ago

Ok, I'll review it as soon as possible, thank you :)
