mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-08-31 03:50:15 +02:00
Code Issues Releases Wiki Activity

Add HTMLPurifier after formatters are run.

Browse Source 
After a morning of searching, it seems there is no PHP Markdown library
that has built-in XSS/sanitization support. The recommended solution is
to use HTMLPurifier.

This actually works out OK, though, as it’s probably a good idea to
enforce sanitization regardless of which formatters are enabled, and to
not leave them with the responsibility of sanitization (it’s a big
responsibility). Since we cache rendered posts, the slow speed of
HTMLPurifier isn’t a concern.

Note that HTMLPurifier requires a file to be loaded by Composer, but
Studio does not yet support this, so for now I have included it
manually.
This commit is contained in:
Toby Zerner
2015-06-02 11:36:25 +09:30
parent fb3038d128
commit 6cf1dbe648
3 changed files with 122 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
composer.json
View File

@@ -14,7 +14,8 @@
"tobscure/permissible": "dev-master",
"misd/linkify": "1.1.*",
"oyejorge/less.php": "dev-master",
"intervention/image": "dev-master"
"intervention/image": "dev-master",
"ezyang/htmlpurifier": "dev-master"
},
"require-dev": {
"fzaninotto/faker": "1.4.0",