fix: corrected HTML sanitizer configuration (#2497)

thorsten · Jun 11, 2023 · 5495a55 · 5495a55
1 parent be1a20d
commit 5495a55
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/phpmyfaq/src/phpMyFAQ/Helper/FaqHelper.php b/phpmyfaq/src/phpMyFAQ/Helper/FaqHelper.php
@@ -235,7 +235,11 @@ public function createFaqUrl(FaqEntity $faqEntity, int $categoryId): string
     public function cleanUpContent(string $content): string
     {
         $htmlSanitizer = new HtmlSanitizer(
-            (new HtmlSanitizerConfig())->allowSafeElements()
+            (new HtmlSanitizerConfig())
+                ->allowSafeElements()
+                ->allowStaticElements()
+                ->allowRelativeLinks()
+                ->allowRelativeMedias()
         );
 
         return $htmlSanitizer->sanitize($content);

diff --git a/tests/phpMyFAQ/Helper/FaqHelperTest.php b/tests/phpMyFAQ/Helper/FaqHelperTest.php
@@ -63,7 +63,7 @@ public function testCreateFaqUrl(): void
     public function testCleanUpContent(): void
     {
         $content = '<p>Some text <script>alert("Hello, world!");</script><img src=foo onerror=alert(document.cookie)></p>';
-        $expectedOutput = '<p>Some text <img /></p>';
+        $expectedOutput = '<p>Some text <img src="foo" /></p>';
 
         $actualOutput = $this->faqHelper->cleanUpContent($content);