From 926985bac7c96e5ec915d9db567cbba573d60180 Mon Sep 17 00:00:00 2001 From: Titouan Galopin Date: Sat, 12 Oct 2024 10:35:33 +0200 Subject: [PATCH] [HtmlSanitizer] Fix force_attributes not replacing existing attribute in initial data --- .../HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php | 12 ++++++++++++ .../Component/HtmlSanitizer/Visitor/DomVisitor.php | 2 +- .../Component/HtmlSanitizer/Visitor/Node/Node.php | 4 ++-- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php b/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php index f44c62414f4f4..edf2faf517ba8 100644 --- a/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php +++ b/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php @@ -232,10 +232,17 @@ public function testForceAttribute() { $config = (new HtmlSanitizerConfig()) ->allowElement('div') + ->allowElement('img', '*') ->allowElement('a', ['href']) ->forceAttribute('a', 'rel', 'noopener noreferrer') + ->forceAttribute('img', 'loading', 'lazy') ; + $this->assertSame( + '', + $this->sanitize($config, '') + ); + $this->assertSame( 'Hello world', $this->sanitize($config, 'Hello world') @@ -250,6 +257,11 @@ public function testForceAttribute() '
Hello
world', $this->sanitize($config, '
Hello
world') ); + + $this->assertSame( + 'Hello world', + $this->sanitize($config, 'Hello world') + ); } public function testForceHttps() diff --git a/src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php b/src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php index 8cda8cf2a8bd0..c28db52e1fac0 100644 --- a/src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php +++ b/src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php @@ -120,7 +120,7 @@ private function enterNode(string $domNodeName, \DOMNode $domNode, Cursor $curso // Force configured attributes foreach ($this->forcedAttributes[$domNodeName] ?? [] as $attribute => $value) { - $node->setAttribute($attribute, $value); + $node->setAttribute($attribute, $value, true); } $cursor->node->addChild($node); diff --git a/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php b/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php index 46a6b17a443de..002b8e808dac4 100644 --- a/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php +++ b/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php @@ -58,10 +58,10 @@ public function getAttribute(string $name): ?string return $this->attributes[$name] ?? null; } - public function setAttribute(string $name, ?string $value): void + public function setAttribute(string $name, ?string $value, bool $override = false): void { // Always use only the first declaration (ease sanitization) - if (!\array_key_exists($name, $this->attributes)) { + if ($override || !\array_key_exists($name, $this->attributes)) { $this->attributes[$name] = $value; } } pFad - Phonifier reborn
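Review bot: The bare `true` passed to `setAttribute()` in the forced-attributes loop of `enterNode()` does not show at the call site that this argument is what lets the configured value win over one supplied in the input. Extending the existing comment would make that explicit: `// Force configured attributes, replacing any value the input supplied for the same name`. The body of `enterNode()` starts and ends outside the hunk, so the step that copies input attributes before this loop is not visible here.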
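Review bot: The comment `// Always use only the first declaration (ease sanitization)` in `setAttribute()` is no longer accurate when `$override` is true, and the new parameter is undocumented. First-declaration-wins is what stops a repeated attribute in the input from replacing an earlier one. A docblock should therefore say that `$override` is meant for values from the sanitizer configuration (forced attributes) and should stay false when copying attributes from parsed input. The inline comment could become `// Keep the first declaration unless the caller explicitly overrides (forced attributes)`.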
