Commit graph

5 commits

Author SHA1 Message Date
Claude
2b804a8c47
fix: resolve pre-existing test failures uncovered by Pint fix
All checks were successful
CI / PHP 8.3 (push) Successful in 1m43s
CI / PHP 8.4 (push) Successful in 1m44s
- Enable Attr.EnableID in HTMLPurifier so id attributes are preserved
- Move URI config before maybeGetRawHTMLDefinition() (config finalization)
- Reorder status attribute checks: circuit broken before disabled
- Use make() for signature tests needing null secrets (bypass auto-gen)
- Register webhook route stub in test setUp for URL generation test
- Use Mockery mock for CdnPurgeService stub to satisfy type hint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:29:00 +00:00
Claude
a332148056
fix: move config directives before definition finalization and use Mockery for CdnPurgeService stub
Some checks failed
CI / PHP 8.3 (push) Failing after 1m30s
CI / PHP 8.4 (push) Failing after 1m28s
- Move URI config calls before maybeGetRawHTMLDefinition() which
  finalizes the config and prevents further set() calls
- Use Mockery::mock()->shouldIgnoreMissing() for CdnPurgeService stub
  to satisfy type hint in ContentItemObserver

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:20:12 +00:00
Claude
381a97aa03
fix: resolve test failures for HTMLPurifier and CdnManager
Some checks failed
CI / PHP 8.3 (push) Failing after 1m33s
CI / PHP 8.4 (push) Failing after 1m31s
HTMLPurifier: set HTML.DefinitionID and HTML.DefinitionRev which
are required when using maybeGetRawHTMLDefinition().

CdnManager: bind a stub in tests when Plug\Cdn\CdnManager class
is not available (external dependency not in test environment).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 11:57:46 +00:00
Claude
e7e7e5be89
fix: add factories, fix HtmlSanitiser HTML5 elements, fix TestCase
Some checks are pending
CI / PHP 8.3 (push) Waiting to run
CI / PHP 8.4 (push) Waiting to run
- Create Database/Factories for ContentWebhookEndpoint, ContentWebhookLog,
  ContentItem, ContentTaxonomy, ContentBrief
- Register HTML5 elements (section, article, figure, figcaption, mark)
  with HTMLPurifier custom definitions
- Use RefreshDatabase trait in TestCase with SQLite in-memory DB
- Update Pest.php to use custom Tests\TestCase

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 07:01:48 +00:00
Snider
fa4893d064
fix(security): require HTMLPurifier for XSS sanitisation
The previous getSanitisedContent() method fell back to strip_tags() when
HTMLPurifier was unavailable. This fallback was insecure as strip_tags()
does not sanitise attributes, allowing XSS via onclick, onerror, and
javascript: URLs.

Changes:
- Created Services/HtmlSanitiser.php using HTMLPurifier as the sole sanitiser
- Added ezyang/htmlpurifier as a required dependency in composer.json
- Added boot-time validation that throws RuntimeException if missing
- Removed insecure strip_tags() fallback from ContentItem model
- Added 30+ unit tests covering XSS attack vectors

Closes SEC-002 from TODO.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 12:34:35 +00:00