Merge branch '6.4' into 7.0
* 6.4:
  [Messenger] Fix requiring symfony/deprecation-contracts
  [AssetMapper] Warn of missing or incompat dependencies
  Added missing Uzbek translations.
  [Messenger] [Sqs] Add `AddFifoStamp` middleware
  DX: nullable_type_declaration
  [HtmlSanitizer] Add support for sanitizing unlimited length of HTML document
  [Validator] Add missing Finnish translations
  [FrameworkBundle][Routing][Translation][Workflow] Move some compiler passes from FrameworkBundle to components
nicolas-grekas committed Oct 19, 2023
2 parents dfb1005 + 9920830 commit 54891da
Showing 4 changed files with 25 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,11 @@
CHANGELOG
=========

6.4
---

* Add support for sanitizing unlimited length of HTML document

6.1
---

2 changes: 1 addition & 1 deletion HtmlSanitizer.php
Expand Up @@ -60,7 +60,7 @@ private function sanitizeWithContext(string $context, string $input): string
$this->domVisitors[$context] ??= $this->createDomVisitorForContext($context);

// Prevent DOS attack induced by extremely long HTML strings
if (\strlen($input) > $this->config->getMaxInputLength()) {
if (-1 !== $this->config->getMaxInputLength() && \strlen($input) > $this->config->getMaxInputLength()) {
$input = substr($input, 0, $this->config->getMaxInputLength());
}

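Review bot: With the `-1` sentinel on the second `if` line the length guard, and the DoS protection the comment above it describes, is switched off entirely, yet the comment still reads as if the cap were unconditional, so a reader of these lines alone cannot tell that the caller may have opted out. I would hoist the config lookup (it is now evaluated three times) and state the opt-out in the comment: `// Prevent DOS attack induced by extremely long HTML strings (disabled when the configured limit is -1)`, `$maxInputLength = $this->config->getMaxInputLength();`, `if (-1 !== $maxInputLength && \strlen($input) > $maxInputLength) {`. The `substr` on the following line truncates at a byte offset, so a capped input can end in the middle of a multibyte sequence; that is pre-existing, but worth a word in the comment now that the guard is being touched. sanitizeWithContext starts above the hunk and its body continues below it.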
8 changes: 8 additions & 0 deletions HtmlSanitizerConfig.php
Expand Up @@ -405,8 +405,16 @@ public function withoutAttributeSanitizer(AttributeSanitizerInterface $sanitizer
return $clone;
}

/**
* @param int $maxInputLength The maximum length of the input string in bytes
* -1 means no limit
*/
public function withMaxInputLength(int $maxInputLength): static
{
if ($maxInputLength < -1) {
throw new \InvalidArgumentException(sprintf('The maximum input length must be greater than -1, "%d" given.', $maxInputLength));
}

$clone = clone $this;
$clone->maxInputLength = $maxInputLength;

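Review bot: The exception message on the `throw` line contradicts the check directly above it: `-1` passes `$maxInputLength < -1`, yet the message says the value "must be greater than -1". Suggest `throw new \InvalidArgumentException(sprintf('The maximum input length must be -1 (no limit) or a non-negative integer, "%d" given.', $maxInputLength));`. The new docblock should also name what the sentinel gives up, since this is the knob a caller turns to drop the built-in DoS guard: `* -1 means no limit (disables the protection against extremely long inputs; bound the input size upstream instead)`. withMaxInputLength's body continues past the end of the hunk.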
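--- a/Tests/HtmlSanitizerAllTest.php
+++ b/Tests/HtmlSanitizerAllTest.php
@@ -561,4 +561,15 @@ public static function provideSanitizeBody()
 yield $case[0] => $case;
 }
 }
+
+public function testUnlimitedLength()
+{
+$sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())->withMaxInputLength(-1));
+
+$input = str_repeat('a', 10_000_000);
+
+$sanitized = $sanitizer->sanitize($input);
+
+$this->assertSame(\strlen($input), \strlen($sanitized));
+}
 }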
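Review bot: The new `testUnlimitedLength` covers only the happy path; the validation added in the same commit to HtmlSanitizerConfig::withMaxInputLength (rejecting values below -1) has no test, so a regression there would pass unnoticed. Comparing only `\strlen` is also weaker than it could be: for a plain run of `a` characters the sanitized output is presumably the input itself, so `$this->assertSame($input, $sanitized);` would pin the behaviour more precisely, worth confirming against what the body context actually emits. I would add a companion test for the rejected value. The enclosing test class starts above the hunk.
```php
    public function testMaxInputLengthBelowMinusOneIsRejected()
    {
        $this->expectException(\InvalidArgumentException::class);

        (new HtmlSanitizerConfig())->withMaxInputLength(-2);
    }
```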
