core/php-content
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
php-content/tests/Unit
History
Snider fa4893d064 fix(security): require HTMLPurifier for XSS sanitisation 
The previous getSanitisedContent() method fell back to strip_tags() when
HTMLPurifier was unavailable. This fallback was insecure as strip_tags()
does not sanitise attributes, allowing XSS via onclick, onerror, and
javascript: URLs.

Changes:
- Created Services/HtmlSanitiser.php using HTMLPurifier as the sole sanitiser
- Added ezyang/htmlpurifier as a required dependency in composer.json
- Added boot-time validation that throws RuntimeException if missing
- Removed insecure strip_tags() fallback from ContentItem model
- Added 30+ unit tests covering XSS attack vectors

Closes SEC-002 from TODO.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 12:34:35 +00:00
..
.gitkeep Initial commit 2026-01-26 23:24:57 +00:00
ContentSearchServiceTest.php refactor: update namespaces for L1/L2 package convention 2026-01-27 17:34:49 +00:00
ContentWebhookEndpointTest.php refactor: rename namespace Core\Content to Core\Mod\Content 2026-01-27 16:24:53 +00:00
HtmlSanitiserTest.php fix(security): require HTMLPurifier for XSS sanitisation 2026-01-29 12:34:35 +00:00
McpHandlersTest.php refactor: rename namespace Core\Content to Core\Mod\Content 2026-01-27 16:24:53 +00:00
ProcessContentWebhookTest.php refactor: update namespaces for L1/L2 package convention 2026-01-27 17:34:49 +00:00