Switch from HTMLPurifier to Purify

Currently we use vanilla `HTMLPurifier` to escape HTML text before showing it to the user. Use the wrapper library `Purify` instead fpor better ergonomics which is a "Laravel wrapper" for HTMLPurifier. https://github.com/stevebauman/purify Resolves #745
openmultiplechoice · May 5, 2024 · 966a60d · 966a60d
1 parent b8b75a3
commit 966a60d
Show file tree

Hide file tree

Showing 8 changed files with 189 additions and 28 deletions.
diff --git a/composer.json b/composer.json
@@ -10,14 +10,14 @@
     "require": {
         "php": "^8.1",
         "doctrine/dbal": "^3.8",
-        "ezyang/htmlpurifier": "^4.17",
         "guzzlehttp/guzzle": "^7.0.1",
         "laravel/framework": "^10.0",
         "laravel/octane": "^2.3",
         "laravel/sanctum": "^3.2",
         "laravel/socialite": "^5.5",
         "laravel/tinker": "^2.5",
-        "socialiteproviders/keycloak": "^5.1"
+        "socialiteproviders/keycloak": "^5.1",
+        "stevebauman/purify": "^6.2"
     },
     "require-dev": {
         "fakerphp/faker": "^1.9.1",

diff --git a/composer.lock b/composer.lock
diff --git a/config/purify.php b/config/purify.php
@@ -0,0 +1,115 @@
+<?php
+
+use Stevebauman\Purify\Definitions\Html5Definition;
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Default Config
+    |--------------------------------------------------------------------------
+    |
+    | This option defines the default config that is provided to HTMLPurifier.
+    |
+    */
+
+    'default' => 'default',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Config sets
+    |--------------------------------------------------------------------------
+    |
+    | Here you may configure various sets of configuration for differentiated use of HTMLPurifier.
+    | A specific set of configuration can be applied by calling the "config($name)" method on
+    | a Purify instance. Feel free to add/remove/customize these attributes as you wish.
+    |
+    | Documentation: http://htmlpurifier.org/live/configdoc/plain.html
+    |
+    |   Core.Encoding               The encoding to convert input to.
+    |   HTML.Doctype                Doctype to use during filtering.
+    |   HTML.Allowed                The allowed HTML Elements with their allowed attributes.
+    |   HTML.ForbiddenElements      The forbidden HTML elements. Elements that are listed in this
+    |                               string will be removed, however their content will remain.
+    |   CSS.AllowedProperties       The Allowed CSS properties.
+    |   AutoFormat.AutoParagraph    Newlines are converted in to paragraphs whenever possible.
+    |   AutoFormat.RemoveEmpty      Remove empty elements that contribute no semantic information to the document.
+    |
+    */
+
+    'configs' => [
+
+        'default' => [
+            'Core.Encoding' => 'utf-8',
+            'HTML.Doctype' => 'HTML 4.01 Transitional',
+            'HTML.Allowed' => 'h1,h2,h3,h4,h5,h6,b,strong,i,em,s,del,a[href|title],ul,ol,li,p[style],br,span,img[width|height|alt|src],blockquote',
+            'HTML.ForbiddenElements' => '',
+            'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
+            'AutoFormat.AutoParagraph' => false,
+            'AutoFormat.RemoveEmpty' => false,
+        ],
+
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | HTMLPurifier definitions
+    |--------------------------------------------------------------------------
+    |
+    | Here you may specify a class that augments the HTML definitions used by
+    | HTMLPurifier. Additional HTML5 definitions are provided out of the box.
+    | When specifying a custom class, make sure it implements the interface:
+    |
+    |   \Stevebauman\Purify\Definitions\Definition
+    |
+    | Note that these definitions are applied to every Purifier instance.
+    |
+    | Documentation: http://htmlpurifier.org/docs/enduser-customize.html
+    |
+    */
+
+    'definitions' => Html5Definition::class,
+
+    /*
+    |--------------------------------------------------------------------------
+    | HTMLPurifier CSS definitions
+    |--------------------------------------------------------------------------
+    |
+    | Here you may specify a class that augments the CSS definitions used by
+    | HTMLPurifier. When specifying a custom class, make sure it implements
+    | the interface:
+    |
+    |   \Stevebauman\Purify\Definitions\CssDefinition
+    |
+    | Note that these definitions are applied to every Purifier instance.
+    |
+    | CSS should be extending $definition->info['css-attribute'] = values
+    | See HTMLPurifier_CSSDefinition for further explanation
+    |
+    */
+
+    'css-definitions' => null,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Serializer
+    |--------------------------------------------------------------------------
+    |
+    | The storage implementation where HTMLPurifier can store its serializer files.
+    | If the filesystem cache is in use, the path must be writable through the
+    | storage disk by the web server, otherwise an exception will be thrown.
+    |
+    */
+
+    'serializer' => [
+        'driver' => env('CACHE_DRIVER', 'file'),
+        'cache' => \Stevebauman\Purify\Cache\CacheDefinitionCache::class,
+    ],
+
+    // 'serializer' => [
+    //    'disk' => env('FILESYSTEM_DISK', 'local'),
+    //    'path' => 'purify',
+    //    'cache' => \Stevebauman\Purify\Cache\FilesystemDefinitionCache::class,
+    // ],
+
+];
diff --git a/resources/views/deck.blade.php b/resources/views/deck.blade.php
@@ -4,10 +4,6 @@
 
 @section('content')
 
-@php
-    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
-@endphp
-
 <div class="row mb-3">
     <div class="col">
         <h1 class="h4">{{ $deck->name }}
@@ -65,7 +61,7 @@ class="list-group-item list-group-item-action list-group-item-light"
         @if ($deck->description)
             <h2 class="h4">Description</h2>
             <div class="mb-3">
-                {!! $purifier->purify($deck->description) !!}
+                {!! Purify::clean($deck->description) !!}
             </div>
         @endif
 

diff --git a/resources/views/index.blade.php b/resources/views/index.blade.php
@@ -4,10 +4,6 @@
 
 @section('content')
 
-@php
-    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
-@endphp
-
 <div class="row">
     <div class="{{ $info->isEmpty() ? 'col-lg-12' : 'col-lg-8' }}">
         <a href="/sessions/create" class="btn btn-primary mb-3"><i class="bi bi-rocket-takeoff"></i> {{ __('omc.newsession') }}</a>
@@ -22,7 +18,7 @@
                 <div class="alert alert-light" role="alert">
                     <h6 class="alert-heading"><a class="link-dark alert-link stretched-link" href="{{ url('info', $entry->id) }}">{{ $entry->title }}</a></h6>
                     <p><small><span class="font-monospace">{{ $entry->created_at->format('d.m.Y') }}</span> {!! $entry->is_pinned ? '<i class="bi bi-pin-angle"></i>' : '' !!}</small></p>
-                    <p>{!! $purifier->purify(preg_split("/<br>/", $entry->text)[0]) !!}</p>
+                    <p>{!! Purify::clean(preg_split("/<br>/", $entry->text)[0]) !!}</p>
                 </div>
             @endforeach
         </div>

diff --git a/resources/views/info-single.blade.php b/resources/views/info-single.blade.php
@@ -4,10 +4,6 @@
 
 @section('content')
 
-@php
-    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
-@endphp
-
 <div class="row">
     <div class="col-md">
         <h1 class="h4"><a class="text-reset text-decoration-none" href="{{ url('info') }}">Info</a></h1>
@@ -20,7 +16,7 @@
                 {!! Auth::user()->is_admin ? '<a href="/info/'. $info->id .'/edit" class="text-reset text-decoration-none"><i class="bi bi-pencil"></i></a>' : '' !!}
             </small>
         </p>
-        <p>{!! $purifier->purify($info->text) !!}</p>
+        <p>{!! Purify::clean($info->text) !!}</p>
     </div>
 </div>
 

diff --git a/resources/views/info.blade.php b/resources/views/info.blade.php
@@ -4,10 +4,6 @@
 
 @section('content')
 
-@php
-    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
-@endphp
-
 <div class="row">
     <div class="col-md">
         <h1 class="h4">Info</h1>
@@ -20,7 +16,7 @@
             <div class="alert alert-light" role="alert">
                 <h6 class="alert-heading"><a class="link-dark alert-link stretched-link" href="{{ url('info', $entry->id) }}">{{ $entry->title }}</a></h6>
                 <p><small><span class="font-monospace">{{ $entry->created_at->format('d.m.Y') }}</span> {!! $entry->is_pinned ? '<i class="bi bi-pin-angle"></i>' : '' !!}</small></p>
-                <p>{!! $purifier->purify(preg_split("/<br>/", $entry->text)[0]) !!}</p>
+                <p>{!! Purify::clean(preg_split("/<br>/", $entry->text)[0]) !!}</p>
             </div>
         </div>
     @endforeach

diff --git a/resources/views/messages.blade.php b/resources/views/messages.blade.php
@@ -4,16 +4,12 @@
 
 @section('content')
 
-@php
-    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
-@endphp
-
 <div class="row">
     <div class="col-md">
         <h4>Your comments</h4>
         @forelse($messages as $message)
             <div class="rounded-2 bg-light p-2 mb-0">
-                {!! $purifier->purify($message->text) !!}
+                {!! Purify::clean($message->text) !!}
             </div>
             <p class="text-muted text-end">
                 <small>