Merge branch '6.4' into 7.3

xabbuh · xabbuh · commit 3855e827adb1 · 2025-10-30T14:22:58.000+01:00
* 6.4:
  fix ext-redis 6.2.0 compatibility
  [HtmlSanitizer] Remove `srcdoc` from allowed attributes
diff --git a/Reference/W3CReference.php b/Reference/W3CReference.php
@@ -368,7 +368,7 @@ final class W3CReference
         'span' => true,
         'spellcheck' => true,
         'src' => true,
-        'srcdoc' => true,
+        // 'srcdoc' => false, // XSS vector if not properly sandboxed, should be enabled explicitly with ->allowAttribute('srcdoc', 'iframe')->forceAttribute('iframe', 'sandbox', '')
         'srclang' => true,
         'srcset' => true,
         'standby' => true,
diff --git a/Tests/Fixtures/baseline-attribute-allow-list.json b/Tests/Fixtures/baseline-attribute-allow-list.json
@@ -182,7 +182,6 @@
   "span",
   "spellcheck",
   "src",
-  "srcdoc",
   "srclang",
   "srcset",
   "standby",
diff --git a/Tests/HtmlSanitizerAllTest.php b/Tests/HtmlSanitizerAllTest.php
@@ -569,6 +569,23 @@ public static function provideSanitizeBody()
         }
     }
 
+    public function testIFrameDefaultsAreSafe()
+    {
+        $sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())
+            ->allowElement('iframe', '*')
+        );
+        $input = '<iframe src="javascript:alert()" onload="alert()" srcdoc="<script>alert()</script>">XSS</iframe>';
+        $this->assertSame('<iframe>XSS</iframe>', $sanitizer->sanitize($input));
+
+        $sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())
+            ->allowElement('iframe', '*')
+            ->allowAttribute('srcdoc', 'iframe')
+            ->forceAttribute('iframe', 'sandbox', '')
+        );
+        $input = '<iframe src="javascript:alert()" onload="alert()" srcdoc="<script>alert()</script>">XSS-prevented by sandbox</iframe>';
+        $this->assertSame('<iframe srcdoc="&lt;script&gt;alert()&lt;/script&gt;" sandbox>XSS-prevented by sandbox</iframe>', $sanitizer->sanitize($input));
+    }
+
     public function testUnlimitedLength()
     {
         $sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())->withMaxInputLength(-1));
diff --git a/Tests/HtmlSanitizerConfigTest.php b/Tests/HtmlSanitizerConfigTest.php
@@ -109,7 +109,7 @@ public function testAllowElementStandardAttributes()
         $config = new HtmlSanitizerConfig();
         $config = $config->allowElement('div', '*');
         $this->assertSame(['div'], array_keys($config->getAllowedElements()));
-        $this->assertCount(211, $config->getAllowedElements()['div']);
+        $this->assertCount(210, $config->getAllowedElements()['div']);
         $this->assertSame([], $config->getBlockedElements());
     }
 

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ public function testAllowElementStandardAttributes()`
`109`	`109`	`$config = new HtmlSanitizerConfig();`
`110`	`110`	`$config = $config->allowElement('div', '*');`
`111`	`111`	`$this->assertSame(['div'], array_keys($config->getAllowedElements()));`
`112`		`- $this->assertCount(211, $config->getAllowedElements()['div']);`
	`112`	`+ $this->assertCount(210, $config->getAllowedElements()['div']);`
`113`	`113`	`$this->assertSame([], $config->getBlockedElements());`
`114`	`114`	`}`
`115`	`115`