Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a new html_input option #255

Merged
merged 3 commits into from
Jul 2, 2016
Merged

Add a new html_input option #255

merged 3 commits into from
Jul 2, 2016

Conversation

mnapoli
Copy link
Contributor

@mnapoli mnapoli commented Jun 28, 2016

See #253, this is still WIP. That was easier than I thought, however I think it will require some more thinking. I'm pushing it "as-is" so that we can progress on what to do:

  • what name for the option controlling "allowing unsafe links"?
  • do the constants on the Environment class make sense to you?

Feel free to send any other comment about the code, including small coding style stuff, I don't mind at all.

The new html_input option allows 3 different behaviors:

  • strip HTML input
  • allow HTML input
  • escape HTML input

@mnapoli
Copy link
Contributor Author

mnapoli commented Jun 28, 2016

What I first wanted to do is to remove the safe option completely and, if set by the user, cascade its value to the new html_input option (if it's not set). However I'm not sure the Environment class or the Configuration class is the best place for adding such custom logic about a specific option, so as of now I have kept safe as it is.

Maybe it would make sense to have "getters" for each option value on the Configuration class? That would allow implementing some logic for each config value. But that's maybe a bit too much changes for a single pull request.

@mnapoli
Add a new html_input option
3c25037 
Fixes thephpleague#253. The new `html_input` option allows 3 different behaviors:

- `strip` HTML input
- `allow` HTML input
- `escape` HTML input
@mnapoli mnapoli force-pushed the html-input-escaping branch from 45f4bf2 to 3c25037 Compare June 28, 2016 19:37
@mnapoli
Copy link
Contributor Author

mnapoli commented Jun 28, 2016

FYI I have opened a discussion on Reddit about "how secure" escaping HTML could be: https://fr.reddit.com/r/PHP/comments/4qbf4g/improving_handling_of_untrusted_html_input_in/

@colinodell
Copy link
Member

I'm wondering if maybe we need 4 options:

  • strip - Don't render any HTML nodes
  • allow_raw - Render HTML nodes as-is
  • allow_filtered - Run HTML content through HTMLPurifier and render that
  • escape - Escape HTML entities

@colinodell
Copy link
Member

What I first wanted to do is to remove the safe option completely and, if set by the user, cascade its value to the new html_input option (if it's not set). However I'm not sure the Environment class or the Configuration class is the best place for adding such custom logic about a specific option, so as of now I have kept safe as it is.

That's fine. I'd be okay tackling that afterwards (as a separate PR).

Maybe it would make sense to have "getters" for each option value on the Configuration class? That would allow implementing some logic for each config value. But that's maybe a bit too much changes for a single pull request.

Its possible for other developers to create extensions which have their own configuration options. I don't know if your proposed change might lead them to think they must extend Configuration to add their own getters.

What name for the option controlling "allowing unsafe links"?

How about allow_unsafe_links (boolean)?

Do the constants on the Environment class make sense to you?

I like the idea of constants. Perhaps we can put them on CommonMarkCoreExtension instead? Thoughts?

@colinodell
Copy link
Member

Thinking out loud again:

Putting the constants on CommonMarkCoreExtension keeps them out of the general-purpose Environment. However, Environment already contains default configuration options. So maybe its better to keep everything in one place?

@mnapoli
Copy link
Contributor Author

mnapoli commented Jun 29, 2016

As a user they would be much easier to find on the Environment class.

allow_filtered - Run HTML content through HTMLPurifier and render that

Could make sense but it would mean requiring that package as a dependency. Also users can run the whole generated HTML (from CommonMark) into HTMLPurifier themselves, the only advantage of integrating it directly into this library is more guidance for users. However that could also be solved with the documentation: explain that allow is unsafe and that using HTMLPurifier is recommended with untrusted HTML? (I'm just afraid this library might overstep its role of Markdown parser with the inclusion of HTMLPurifier)

How about allow_unsafe_links (boolean)?

Sounds good, I'll have a look at it tonight.

@mnapoli
Add a new allow_unsafe_links option
2bf7847 
See thephpleague#253 and thephpleague#255. The `safe` option is now deprecated in favor of the `allow_unsafe_links` and `html_input` options.

The `allow_unsafe_links` is `true` by default for BC reasons.
@mnapoli
Copy link
Contributor Author

mnapoli commented Jun 29, 2016

I have pushed a new commit to add a new allow_unsafe_links option.

@mnapoli mnapoli changed the title [WIP] Add a new html_input option Add a new html_input option Jul 2, 2016
@mnapoli mnapoli mentioned this pull request Jul 2, 2016
Closed
@mnapoli
Copy link
Contributor Author

mnapoli commented Jul 2, 2016

FYI I've replaced htmlentities() with htmlspecialchars() (see https://fr.reddit.com/r/PHP/comments/4qbf4g/improving_handling_of_untrusted_html_input_in/d4te6ms?context=3 for the reason).

This PR should be good for review now.

@colinodell
Copy link
Member

This looks perfect to me! Thank you so much for implementing this. I'll release a new version with this change momentarily.

@colinodell colinodell merged commit 1675311 into thephpleague:master Jul 2, 2016
@colinodell
Copy link
Member

0.14.0 has been released with this change!

The new options have been added to the documentation's Configuration page. I've also created a Security page encouraging users to use this new option.

Thanks again for implementing this!

@mnapoli
Copy link
Contributor Author

mnapoli commented Jul 2, 2016

Awesome thanks for the quick merge. I had no idea where the documentation was, it's a separate repository?

@mnapoli mnapoli deleted the html-input-escaping branch July 2, 2016 21:13
@GrahamCampbell
Copy link
Member

https://github.com/thephpleague/commonmark/tree/gh-pages

@mnapoli
Copy link
Contributor Author

mnapoli commented Jul 2, 2016

Ohh I didn't even think about checking that, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mnapoli @colinodell @GrahamCampbell