stevebauman / purify

A Laravel wrapper for HTMLPurifier by ezyang
MIT License

"A & B" turns it into "A & B" #75

Closed nam-co closed 1 year ago

nam-co commented 1 year ago

Hi @stevebauman, thank you so much for the package. I'm having problems trying to purify (text) something simple like "A & B": it turns it into "A & B". How can I allow some letters to stay the same?

        'text' => [
            'Core.Encoding' => 'utf-8',
            'HTML.Doctype' => 'HTML 4.01 Transitional',
            'HTML.Allowed' => '',
            'HTML.ForbiddenElements' => 'script,meta',
            'AutoFormat.AutoParagraph' => false,
            'AutoFormat.RemoveEmpty' => false,
        ],

The idea for this 'text' configuration is to just clean any malicious stuff

Appreciate any help

stevebauman commented 1 year ago

Hi @nam-co,

Please create an issue on the core HTML Purifier repository, as Purify simply wraps this library:

https://github.com/ezyang/htmlpurifier

I did however find a report of this issue there, and this appears to be intentional:

https://github.com/ezyang/htmlpurifier/issues/177

nam-co commented 1 year ago

Thanks Steve, I will check it out. In your personal opinion, do you think the Laravel "string" validation is enough to keep the DB secure from a simple text input?

stevebauman commented 1 year ago

Happy to help @nam-co!

> in your personal opinion do you think the laravel "string" validation is enough to keep the DB secure from a simple text input?

Yes, as long as you escape the content normally when outputting it in Vue/Blade using double curly brackets ({{ name }}), or by using htmlspecialchars() in PHP (which Laravel's Blade does automatically when using double curly brackets).

The database can contain any un-sanitized value. It's only when you output it to HTML that it poses a security threat and must be escaped 👍
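The two approaches discussed in this thread side by side, as an added example that is not part of Purify or HTMLPurifier: purifying a plain-text field before storage (the reporter's setup) versus storing it raw and escaping at render time (the maintainer's advice). It assumes `ezyang/htmlpurifier` is installed via Composer, and `blade_escape()` is a stand-in approximating what Blade's `{{ }}` does with `htmlspecialchars()`.

```php
<?php
// Added example, not code from the Purify or HTMLPurifier projects.
// Assumes: composer require ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

// The 'text' profile from the issue report, applied to HTMLPurifier directly.
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'utf-8');
$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
$config->set('HTML.Allowed', '');
$config->set('HTML.ForbiddenElements', 'script,meta');
$config->set('AutoFormat.AutoParagraph', false);
$config->set('AutoFormat.RemoveEmpty', false);
$purifier = new HTMLPurifier($config);

// Stand-in for Blade's {{ }} escaping (assumption: approximates Laravel's e() helper).
function blade_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$input = 'A & B'; // the exact value from the issue

// Approach 1: purify before storing. HTMLPurifier produces HTML, so the
// ampersand is stored as the entity "&amp;". Escaping again on output
// double-encodes it and the browser shows the literal text "A &amp; B".
$stored1   = $purifier->purify($input); // "A &amp; B"
$rendered1 = blade_escape($stored1);    // "A &amp;amp; B"

// Approach 2: store the raw string, escape only when rendering to HTML.
// The database keeps "A & B" unchanged; the output is a single "&amp;",
// which the browser displays as "A & B".
$stored2   = $input;                     // "A & B"
$rendered2 = blade_escape($stored2);     // "A &amp; B"

// The same output escaping is what neutralises markup in a text field:
// nothing here is executed or interpreted as a tag by the browser.
$markup    = '<script>alert(1)</script>';
$rendered3 = blade_escape($markup);      // "&lt;script&gt;alert(1)&lt;/script&gt;"

printf("purify then escape:   %s\n", $rendered1);
printf("store raw then escape: %s\n", $rendered2);
printf("escaped markup:        %s\n", $rendered3);
```

Run with `php example.php` after installing the dependency; the first line shows the double-encoding the reporter saw, the second the intended result.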