
Commit e39431f

bug #58547 [HtmlSanitizer] Fix force_attributes not replacing existing attribute in initial data (tgalopin)
This PR was merged into the 6.4 branch. Discussion ---------- [HtmlSanitizer] Fix `force_attributes` not replacing existing attribute in initial data | Q | A | ------------- | --- | Branch? | 6.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix #58065 | License | MIT Fix the override of an existing attribute value. Commits ------- 926985b [HtmlSanitizer] Fix force_attributes not replacing existing attribute in initial data
2 parents 70ac958 + 926985b commit e39431f


3 files changed

+15
-3
lines changed


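--- a/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php
+++ b/src/Symfony/Component/HtmlSanitizer/Tests/HtmlSanitizerCustomTest.php
@@ -232,10 +232,17 @@ public function testForceAttribute()
 {
 $config = (new HtmlSanitizerConfig())
 ->allowElement('div')
+->allowElement('img', '*')
 ->allowElement('a', ['href'])
 ->forceAttribute('a', 'rel', 'noopener noreferrer')
+->forceAttribute('img', 'loading', 'lazy')
 ;
 
+$this->assertSame(
+'<img title="My image" src="https://example.com/image.png" loading="lazy" />',
+$this->sanitize($config, '<img title="My image" src="https://example.com/image.png" loading="eager" onerror="alert(\'1234\')" />')
+);
+
 $this->assertSame(
 '<a rel="noopener noreferrer">Hello</a> world',
 $this->sanitize($config, '<a>Hello</a> world')
@@ -250,6 +257,11 @@ public function testForceAttribute()
 '<div>Hello</div> world',
 $this->sanitize($config, '<div style="width: 100px">Hello</div> world')
 );
+
+$this->assertSame(
+'<a href="https://symfony.com" rel="noopener noreferrer">Hello</a> world',
+$this->sanitize($config, '<a href="https://symfony.com" rel="noopener">Hello</a> world')
+);
 }
 
 public function testForceHttps()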

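--- a/src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php
+++ b/src/Symfony/Component/HtmlSanitizer/Visitor/DomVisitor.php
@@ -120,7 +120,7 @@ private function enterNode(string $domNodeName, \DOMNode $domNode, Cursor $curso
 
 // Force configured attributes
 foreach ($this->forcedAttributes[$domNodeName] ?? [] as $attribute => $value) {
-$node->setAttribute($attribute, $value);
+$node->setAttribute($attribute, $value, true);
 }
 
 $cursor->node->addChild($node);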
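Review bot: The new call `$node->setAttribute($attribute, $value, true);` passes a bare positional boolean, which hides what the third argument means at the one call site where it matters; a named argument, `$node->setAttribute($attribute, $value, override: true);`, makes the intent readable. The comment above the loop should also say why the override is needed, since this is the sanitizer's guarantee that a configured value such as `rel="noopener noreferrer"` beats whatever the input carried: `// Force configured attributes, replacing any value already present in the input`. enterNode starts and continues outside the hunk.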

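--- a/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php
+++ b/src/Symfony/Component/HtmlSanitizer/Visitor/Node/Node.php
@@ -58,10 +58,10 @@ public function getAttribute(string $name): ?string
 return $this->attributes[$name] ?? null;
 }
 
-public function setAttribute(string $name, ?string $value): void
+public function setAttribute(string $name, ?string $value, bool $override = false): void
 {
 // Always use only the first declaration (ease sanitization)
-if (!\array_key_exists($name, $this->attributes)) {
+if ($override || !\array_key_exists($name, $this->attributes)) {
 $this->attributes[$name] = $value;
 }
 }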
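Review bot: The comment `// Always use only the first declaration (ease sanitization)` above the changed condition is now inaccurate, because `$override` deliberately bypasses the first-declaration rule; it should read `// Keep the first declaration (ease sanitization) unless $override is set, so forced attributes replace any value present in the input`. The new parameter also deserves a docblock line so callers understand the default preserves the old behaviour, e.g. `@param bool $override Replace an existing value instead of keeping the first declaration`. Since `$override` defaults to false, every existing caller of setAttribute keeps first-wins semantics; only the forced-attribute path in DomVisitor opts in.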
