php-content

core/php-content

Fork 0

Commit graph

Author	SHA1	Message	Date
Claude	e7e7e5be89	fix: add factories, fix HtmlSanitiser HTML5 elements, fix TestCase Some checks are pending CI / PHP 8.3 (push) Waiting to run Details CI / PHP 8.4 (push) Waiting to run Details - Create Database/Factories for ContentWebhookEndpoint, ContentWebhookLog, ContentItem, ContentTaxonomy, ContentBrief - Register HTML5 elements (section, article, figure, figcaption, mark) with HTMLPurifier custom definitions - Use RefreshDatabase trait in TestCase with SQLite in-memory DB - Update Pest.php to use custom Tests\TestCase Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-23 07:01:48 +00:00
Snider	fa4893d064	fix(security): require HTMLPurifier for XSS sanitisation The previous getSanitisedContent() method fell back to strip_tags() when HTMLPurifier was unavailable. This fallback was insecure as strip_tags() does not sanitise attributes, allowing XSS via onclick, onerror, and javascript: URLs. Changes: - Created Services/HtmlSanitiser.php using HTMLPurifier as the sole sanitiser - Added ezyang/htmlpurifier as a required dependency in composer.json - Added boot-time validation that throws RuntimeException if missing - Removed insecure strip_tags() fallback from ContentItem model - Added 30+ unit tests covering XSS attack vectors Closes SEC-002 from TODO.md Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-29 12:34:35 +00:00

Author

SHA1

Message

Date

Claude

e7e7e5be89

fix: add factories, fix HtmlSanitiser HTML5 elements, fix TestCase

CI / PHP 8.3 (push) Waiting to run

Details

CI / PHP 8.4 (push) Waiting to run

Details

- Create Database/Factories for ContentWebhookEndpoint, ContentWebhookLog,
  ContentItem, ContentTaxonomy, ContentBrief
- Register HTML5 elements (section, article, figure, figcaption, mark)
  with HTMLPurifier custom definitions
- Use RefreshDatabase trait in TestCase with SQLite in-memory DB
- Update Pest.php to use custom Tests\TestCase

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-23 07:01:48 +00:00

Snider

fa4893d064

fix(security): require HTMLPurifier for XSS sanitisation

The previous getSanitisedContent() method fell back to strip_tags() when
HTMLPurifier was unavailable. This fallback was insecure as strip_tags()
does not sanitise attributes, allowing XSS via onclick, onerror, and
javascript: URLs.

Changes:
- Created Services/HtmlSanitiser.php using HTMLPurifier as the sole sanitiser
- Added ezyang/htmlpurifier as a required dependency in composer.json
- Added boot-time validation that throws RuntimeException if missing
- Removed insecure strip_tags() fallback from ContentItem model
- Added 30+ unit tests covering XSS attack vectors

Closes SEC-002 from TODO.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-01-29 12:34:35 +00:00

2 commits