Start with HTML Sanitizer documentation

Author: wouterj

html_sanitizer.rst

@@ -0,0 +1,235 @@
+HTML Sanitizer
+==============
+
+.. versionadded:: 6.1
+
+    The HTML Sanitizer component was introduced in Symfony 6.1.
+
+The HTML Sanitizer components aims at sanitizing/cleaning untrusted HTML
+code (e.g. created by a WYSIWYG editor in the browser) into HTML that can
+be trusted. It is based on the `HTML Sanitizer W3C Standard Proposal`_.
+
+The HTML sanitizer creates a new HTML structure from scratch, taking only
+the elements and attributes that are allowed (by configuration). This means
+that the returned HTML very predicatable (it only contains allowed
+elements), but it does not work well with badly formatted input (e.g.
+invalid HTML). The sanitizer is targetted for two use-cases:
+
+* Preventing security attacks based on XSS or other technologies relying on
+  execution of malicious code on the visitors browsers;
+* Generating HTML that always respect a certain format (only certain
+  tags, attributes, hosts, etc.) to be able to consistently style the
+  resulting output with CSS. This also protects your application against
+  attacks related to e.g. changing the CSS of the whole page.
+
+Installation
+------------
+
+You can install the HTML Sanitizer component with:
+
+.. code-block:: terminal
+
+    $ composer require symfony/http-client
+
+Basic Usage
+-----------
+
+Use the :class:`Symfony\\Component\\HtmlSanitizer\\HtmlSanitizer` class to
+sanitize the HTML. In the Symfony framework, this class is available as the
+``html_sanitizer`` service. This service will be :doc:`autowired </service_container/autowiring>`
+automatically when type-hinting for
+:class:`Symfony\\Contracts\\HtmlSanitizer\\HtmlSanitizerInterface`:
+
+.. configuration-block::
+
+    .. code-block:: php-symfony
+
+        // src/Controller/BlogPostController.php
+        namespace App\Controller;
+
+        // ...
+        use Symfony\Contracts\HtmlSanitizer\HtmlSanitizerInterface;
+
+        class BlogPostController extends AbstractController
+        {
+            public function createAction(HTMLSanitizerInterface $htmlSanitizer, Request $request): Response
+            {
+                $unsafeContents = $request->request->get('post_contents');
+
+                $safeContents = $htmlSanitizer->sanitize($unsafeContents);
+                // ... proceed using the safe HTML
+            }
+        }
+
+    .. code-block:: php-standalone
+
+        use Symfony\Contracts\HtmlSanitizer\HtmlSanitizer;
+        use Symfony\Contracts\HtmlSanitizer\HtmlSanitizerConfig;
+
+        $htmlSanitizer = new HtmlSanitizer(
+            (new HtmlSanitizerConfig())->allowSafeElements()
+        );
+
+        // unsafe HTML (e.g. from a WYSIWYG editor in the browser)
+        $unsafePostContents = ...;
+
+        $safePostContents = $htmlSanitizer->sanitize($unsafePostContents);
+        // ... proceed using the safe HTML
+
+.. note::
+
+    The default configuration of the HTML sanitizer allows all "safe"
+    elements and attributes, as defined by the `W3C Standard Proposal`_. In
+    practice, this means that the resulting code will not contain any
+    scripts, styles or other elements that can cause the website to behave
+    or look different. Later in this article, you'll learn how to
+    :ref:`fully customize the HTML sanitizer <html-sanitizer-configuration>`.
+
+Sanitizing HTML for a Specific Context
+--------------------------------------
+
+The default :method:`Symfony\\Component\\HtmlSanitizer\\HtmlSanitizer::sanitize`
+method cleans the HTML code for usage in the ``<body>`` element. Using the
+:method:`Symfony\\Component\\HtmlSanitizer\\HtmlSanitizer::sanitizeFor`
+method, you can instruct HTML sanitizer to customize this for the
+``<head>`` or a more specific HTML tag::
+
+    // tags not allowed in <head> will be removed
+    $safeInput = $htmlSanitizer->sanitizeFor('head', $userInput);
+
+    // encodes the returned HTML using HTML entities
+    $safeInput = $htmlSanitizer->sanitizeFor('title', $userInput);
+    $safeInput = $htmlSanitizer->sanitizeFor('textarea', $userInput);
+
+    // uses the <body> context, removing tags only allowed in <head>
+    $safeInput = $htmlSanitizer->sanitizeFor('body', $userInput);
+    $safeInput = $htmlSanitizer->sanitizeFor('section', $userInput);
+
+.. _html-sanitizer-configuration:
+
+Configuration
+-------------
+
+The behavior of the HTML sanitizer can be fully customized. This allows you
+to explicitly state which elements, attributes and even attribute values
+are allowed.
+
+You can do this by defining a new HTML sanitizer in the configuration:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/html_sanitizer.yaml
+        framework:
+            html_sanitizer:
+                sanitizers:
+                    app.post_sanitizer:
+                        block_elements:
+                            - h1
+
+    .. code-block:: xml
+
+        <!-- config/packages/html_sanitizer.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:framework="http://symfony.com/schema/dic/symfony"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                https://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+            <framework:config>
+                <framework:html-sanitizer>
+                    <framework:sanitizer name="app.post_sanitizer">
+                        <framework:block-element name="h1"/>
+                    </framework:sanitizer>
+                </framework:html-sanitizer>
+            </framework:config>
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/framework.php
+        use Symfony\Config\FrameworkConfig;
+
+        return static function (FrameworkConfig $framework) {
+            $framework->htmlSanitizer()
+                ->sanitizer('app.post_sanitizer')
+                    ->blockElement('h1')
+            ;
+        };
+
+This configuration defines a new ``app.post_sanitizer`` service. This service
+will be :doc:`autowired </service_container/autowiring>` for services
+having an ``HtmlSanitizerInterface $appPostSanitizer`` parameter.
+
+Allow Element Baselines
+~~~~~~~~~~~~~~~~~~~~~~~
+
+allow_safe_elements: true
+allow_all_static_elements: true
+
+Allow Elements
+~~~~~~~~~~~~~~
+
+allow_elements:
+    iframe: 'src'
+    custom-tag: ['data-attr', 'data-attr-1']
+    custom-tag-2: '*'
+
+Block and Drop Elements
+~~~~~~~~~~~~~~~~~~~~~~~
+
+block_elements:
+    - section
+drop_elements:
+    - video
+
+Allow Attributes
+~~~~~~~~~~~~~~~~
+
+allow_attributes:
+    src: ['iframe']
+    data-attr: '*'
+
+Drop Attributes
+~~~~~~~~~~~~~~~
+
+drop_attributes:
+    data-attr: [custom-tag]
+    data-attr-1: []
+    data-attr-2: '*'
+
+Force Attribute Values
+~~~~~~~~~~~~~~~~~~~~~~
+
+force_attributes:
+    a:
+        rel: noopener noreferrer
+    h1:
+        class: bp4-heading
+
+Force/Allow Links
+~~~~~~~~~~~~~~~~~
+
+force_https_urls: true
+allowed_link_schemes: ['http', 'https', 'mailto']
+allowed_link_hosts: ['symfony.com']
+allow_relative_links: true
+
+Allow Media
+~~~~~~~~~~~
+
+allowed_media_schemes: ['http', 'https', 'data']
+allowed_media_hosts: ['symfony.com']
+allow_relative_medias: true
+
+Custom Attribute Sanitizers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+with_attribute_sanitizers:
+    - App\Sanitizer\CustomAttributeSanitizer
+
+_ `HTML Sanitizer W3C Standard Proposal`: https://wicg.github.io/sanitizer-api/
+_ `W3C Standard Proposal`: https://wicg.github.io/sanitizer-api/