diff --git a/composer.json b/composer.json index 0bd22318c5..34e3917003 100644 --- a/composer.json +++ b/composer.json @@ -44,6 +44,7 @@ "symfony/web-link": "5.1.*", "symfony/yaml": "5.1.*", "symfonycasts/verify-email-bundle": "^1.0", + "tgalopin/html-sanitizer-bundle": "^1.2", "twig/markdown-extra": "^3.0", "wikimedia/composer-merge-plugin": "^1.4" }, diff --git a/composer.lock b/composer.lock index 8d785f0c35..fbf0ea5778 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "c4880da298d810b568e53fca29307f08", + "content-hash": "738b33106c8766b1b1028efd0d9fc94d", "packages": [ { "name": "alchemy/resource-component", @@ -184,21 +184,21 @@ }, { "name": "composer/package-versions-deprecated", - "version": "1.10.99", + "version": "1.10.99.1", "source": { "type": "git", "url": "https://github.com/composer/package-versions-deprecated.git", - "reference": "dd51b4443d58b34b6d9344cf4c288e621c9a826f" + "reference": "68c9b502036e820c33445ff4d174327f6bb87486" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/composer/package-versions-deprecated/zipball/dd51b4443d58b34b6d9344cf4c288e621c9a826f", - "reference": "dd51b4443d58b34b6d9344cf4c288e621c9a826f", + "url": "https://api.github.com/repos/composer/package-versions-deprecated/zipball/68c9b502036e820c33445ff4d174327f6bb87486", + "reference": "68c9b502036e820c33445ff4d174327f6bb87486", "shasum": "" }, "require": { "composer-plugin-api": "^1.1.0 || ^2.0", - "php": "^7" + "php": "^7 || ^8" }, "replace": { "ocramius/package-versions": "1.10.99" @@ -249,7 +249,7 @@ "type": "tidelift" } ], - "time": "2020-07-15T08:39:18+00:00" + "time": "2020-08-13T12:55:41+00:00" }, { "name": "doctrine/annotations", 
@@ -1741,16 +1741,16 @@ }, { "name": "giggsey/libphonenumber-for-php", - "version": "8.12.7.1", + "version": "8.12.8", "source": { "type": "git", "url": "https://github.com/giggsey/libphonenumber-for-php.git", - "reference": "fda8a51ad0769d82ce7023255e52e9c45efc1e75" + "reference": "5a6e4e730de52f55882d2db27016e2916f8791e9" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/giggsey/libphonenumber-for-php/zipball/fda8a51ad0769d82ce7023255e52e9c45efc1e75", - "reference": "fda8a51ad0769d82ce7023255e52e9c45efc1e75", + "url": "https://api.github.com/repos/giggsey/libphonenumber-for-php/zipball/5a6e4e730de52f55882d2db27016e2916f8791e9", + "reference": "5a6e4e730de52f55882d2db27016e2916f8791e9", "shasum": "" }, "require": { @@ -1805,7 +1805,7 @@ "phonenumber", "validation" ], - "time": "2020-07-25T15:34:01+00:00" + "time": "2020-08-13T17:48:08+00:00" }, { "name": "giggsey/locale", @@ -1977,23 +1977,23 @@ }, { "name": "laminas/laminas-zendframework-bridge", - "version": "1.0.4", + "version": "1.1.0", "source": { "type": "git", "url": "https://github.com/laminas/laminas-zendframework-bridge.git", - "reference": "fcd87520e4943d968557803919523772475e8ea3" + "reference": "4939c81f63a8a4968c108c440275c94955753b19" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/laminas/laminas-zendframework-bridge/zipball/fcd87520e4943d968557803919523772475e8ea3", - "reference": "fcd87520e4943d968557803919523772475e8ea3", + "url": "https://api.github.com/repos/laminas/laminas-zendframework-bridge/zipball/4939c81f63a8a4968c108c440275c94955753b19", + "reference": "4939c81f63a8a4968c108c440275c94955753b19", "shasum": "" }, "require": { - "php": "^5.6 || ^7.0" + "php": "^5.6 || ^7.0 || ^8.0" }, "require-dev": { - "phpunit/phpunit": "^5.7 || ^6.5 || ^7.5 || ^8.1", + "phpunit/phpunit": "^5.7 || ^6.5 || ^7.5 || ^8.1 || ^9.3", "squizlabs/php_codesniffer": "^3.5" }, "type": "library", 
@@ -2031,7 +2031,72 @@ "type": "community_bridge" } ], - "time": "2020-05-20T16:45:56+00:00" + "time": "2020-08-18T16:34:51+00:00" + }, + { + "name": "league/uri-parser", + "version": "1.4.1", + "source": { + "type": "git", + "url": "https://github.com/thephpleague/uri-parser.git", + "reference": "671548427e4c932352d9b9279fdfa345bf63fa00" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/thephpleague/uri-parser/zipball/671548427e4c932352d9b9279fdfa345bf63fa00", + "reference": "671548427e4c932352d9b9279fdfa345bf63fa00", + "shasum": "" + }, + "require": { + "php": ">=7.0.0" + }, + "require-dev": { + "friendsofphp/php-cs-fixer": "^2.0", + "phpstan/phpstan": "^0.9.2", + "phpstan/phpstan-phpunit": "^0.9.4", + "phpstan/phpstan-strict-rules": "^0.9.0", + "phpunit/phpunit": "^6.0" + }, + "suggest": { + "ext-intl": "Allow parsing RFC3987 compliant hosts", + "league/uri-schemes": "Allow validating and normalizing URI parsing results" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "1.x-dev" + } + }, + "autoload": { + "psr-4": { + "League\\Uri\\": "src" + }, + "files": [ + "src/functions_include.php" + ] + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Ignace Nyamagana Butera", + "email": "nyamsprod@gmail.com", + "homepage": "https://nyamsprod.com" + } + ], + "description": "userland URI parser RFC 3986 compliant", + "homepage": "https://github.com/thephpleague/uri-parser", + "keywords": [ + "parse_url", + "parser", + "rfc3986", + "rfc3987", + "uri", + "url" + ], + "time": "2018-11-22T07:55:51+00:00" }, { "name": "lstrojny/functional-php", 
@@ -2176,6 +2241,73 @@ ], "time": "2020-06-16T09:17:22+00:00" }, + { + "name": "masterminds/html5", + "version": "2.7.3", + "source": { + "type": "git", + "url": "https://github.com/Masterminds/html5-php.git", + "reference": "aad73dbfefd71d46072138109ce1288d96c329cc" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/Masterminds/html5-php/zipball/aad73dbfefd71d46072138109ce1288d96c329cc", + "reference": "aad73dbfefd71d46072138109ce1288d96c329cc", + "shasum": "" + }, + "require": { + "ext-ctype": "*", + "ext-dom": "*", + "ext-libxml": "*", + "php": ">=5.3.0" + }, + "require-dev": { + "phpunit/phpunit": "^4.8.35", + "sami/sami": "~2.0", + "satooshi/php-coveralls": "1.0.*" + }, + "type": "library", + "extra": { + "branch-alias": { + "dev-master": "2.7-dev" + } + }, + "autoload": { + "psr-4": { + "Masterminds\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Matt Butcher", + "email": "technosophos@gmail.com" + }, + { + "name": "Matt Farina", + "email": "matt@mattfarina.com" + }, + { + "name": "Asmir Mustafic", + "email": "goetas@gmail.com" + } + ], + "description": "An HTML5 parser and serializer.", + "homepage": "http://masterminds.github.io/html5-php", + "keywords": [ + "HTML5", + "dom", + "html", + "parser", + "querypath", + "serializer", + "xml" + ], + "time": "2020-07-05T07:53:37+00:00" + }, { "name": "monolog/monolog", "version": "2.1.1", 
@@ -2513,16 +2645,16 @@ }, { "name": "phpdocumentor/reflection-docblock", - "version": "5.2.0", + "version": "5.2.1", "source": { "type": "git", "url": "https://github.com/phpDocumentor/ReflectionDocBlock.git", - "reference": "3170448f5769fe19f456173d833734e0ff1b84df" + "reference": "d870572532cd70bc3fab58f2e23ad423c8404c44" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/3170448f5769fe19f456173d833734e0ff1b84df", - "reference": "3170448f5769fe19f456173d833734e0ff1b84df", + "url": "https://api.github.com/repos/phpDocumentor/ReflectionDocBlock/zipball/d870572532cd70bc3fab58f2e23ad423c8404c44", + "reference": "d870572532cd70bc3fab58f2e23ad423c8404c44", "shasum": "" }, "require": { @@ -2561,7 +2693,7 @@ } ], "description": "With this component, a library can provide support for annotations via DocBlocks or otherwise retrieve information that is embedded in a DocBlock.", - "time": "2020-07-20T20:05:34+00:00" + "time": "2020-08-15T11:14:08+00:00" }, { "name": "phpdocumentor/type-resolver", 
@@ -8259,6 +8391,94 @@ "description": "Simple, stylish Email Verification for Symfony", "time": "2020-05-24T11:04:34+00:00" }, + { + "name": "tgalopin/html-sanitizer", + "version": "1.4.0", + "source": { + "type": "git", + "url": "https://github.com/tgalopin/html-sanitizer.git", + "reference": "56cca6b48de4e50d16a4f549e3e677ae0d561e91" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/tgalopin/html-sanitizer/zipball/56cca6b48de4e50d16a4f549e3e677ae0d561e91", + "reference": "56cca6b48de4e50d16a4f549e3e677ae0d561e91", + "shasum": "" + }, + "require": { + "ext-dom": "*", + "league/uri-parser": "^1.4.1", + "masterminds/html5": "^2.4", + "php": ">=7.1", + "psr/log": "^1.0" + }, + "require-dev": { + "phpunit/phpunit": "^7.4", + "symfony/var-dumper": "^4.1" + }, + "type": "library", + "autoload": { + "psr-4": { + "HtmlSanitizer\\": "src" + } + }, + "notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Titouan Galopin", + "email": "galopintitouan@gmail.com" + } + ], + "description": "Sanitize untrustworthy HTML user input", + "time": "2020-02-03T16:51:08+00:00" + }, + { + "name": "tgalopin/html-sanitizer-bundle", + "version": "1.2.0", + "source": { + "type": "git", + "url": "https://github.com/tgalopin/html-sanitizer-bundle.git", + "reference": "df42087a1b1660eea37032f9ce3dc0997452d3e2" + }, + "dist": { + "type": "zip", + "url": "https://api.github.com/repos/tgalopin/html-sanitizer-bundle/zipball/df42087a1b1660eea37032f9ce3dc0997452d3e2", + "reference": "df42087a1b1660eea37032f9ce3dc0997452d3e2", + "shasum": "" + }, + "require": { + "php": ">=7.1", + "symfony/framework-bundle": "^3.4|^4.0|^5.0", + "tgalopin/html-sanitizer": "^1.1" + }, + "require-dev": { + "phpunit/phpunit": "^7.4", + "symfony/form": "^4.1|^5.0", + "symfony/twig-bundle": "^4.1|^5.0", + "symfony/var-dumper": "^4.1|^5.0" + }, + "type": "symfony-bundle", + "autoload": { + "psr-4": { + "HtmlSanitizer\\Bundle\\": "src" + } + }, + 
"notification-url": "https://packagist.org/downloads/", + "license": [ + "MIT" + ], + "authors": [ + { + "name": "Titouan Galopin", + "email": "galopintitouan@gmail.com" + } + ], + "description": "Symfony Bundle for https://github.com/tgalopin/html-sanitizer", + "time": "2019-11-23T09:46:29+00:00" + }, { "name": "twig/extra-bundle", "version": "v3.0.5", @@ -8696,16 +8916,16 @@ }, { "name": "composer/xdebug-handler", - "version": "1.4.2", + "version": "1.4.3", "source": { "type": "git", "url": "https://github.com/composer/xdebug-handler.git", - "reference": "fa2aaf99e2087f013a14f7432c1cd2dd7d8f1f51" + "reference": "ebd27a9866ae8254e873866f795491f02418c5a5" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/composer/xdebug-handler/zipball/fa2aaf99e2087f013a14f7432c1cd2dd7d8f1f51", - "reference": "fa2aaf99e2087f013a14f7432c1cd2dd7d8f1f51", + "url": "https://api.github.com/repos/composer/xdebug-handler/zipball/ebd27a9866ae8254e873866f795491f02418c5a5", + "reference": "ebd27a9866ae8254e873866f795491f02418c5a5", "shasum": "" }, "require": { @@ -8750,7 +8970,7 @@ "type": "tidelift" } ], - "time": "2020-06-04T11:16:35+00:00" + "time": "2020-08-19T10:27:58+00:00" }, { "name": "friendsofphp/php-cs-fixer", @@ -8851,16 +9071,16 @@ }, { "name": "nikic/php-parser", - "version": "v4.8.0", + "version": "v4.9.0", "source": { "type": "git", "url": "https://github.com/nikic/PHP-Parser.git", - "reference": "8c58eb4cd4f3883f82611abeac2efbc3dbed787e" + "reference": "aaee038b912e567780949787d5fe1977be11a778" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/8c58eb4cd4f3883f82611abeac2efbc3dbed787e", - "reference": "8c58eb4cd4f3883f82611abeac2efbc3dbed787e", + "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/aaee038b912e567780949787d5fe1977be11a778", + "reference": "aaee038b912e567780949787d5fe1977be11a778", "shasum": "" }, "require": { 
@@ -8868,7 +9088,7 @@ "php": ">=7.0" }, "require-dev": { - "ircmaxell/php-yacc": "^0.0.6", + "ircmaxell/php-yacc": "^0.0.7", "phpunit/phpunit": "^6.5 || ^7.0 || ^8.0 || ^9.0" }, "bin": [ @@ -8877,7 +9097,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-master": "4.8-dev" + "dev-master": "4.9-dev" } }, "autoload": { @@ -8899,7 +9119,7 @@ "parser", "php" ], - "time": "2020-08-09T10:23:20+00:00" + "time": "2020-08-18T19:48:01+00:00" }, { "name": "php-cs-fixer/diff",
diff --git a/config/bundles.php b/config/bundles.php
index 720462b9e2..383eb038b7 100644
--- a/config/bundles.php
+++ b/config/bundles.php
@@ -14,4 +14,5 @@ return [
 Symfony\Bundle\MakerBundle\MakerBundle::class => ['dev' => true],
 SymfonyCasts\Bundle\VerifyEmail\SymfonyCastsVerifyEmailBundle::class => ['all' => true],
 Misd\PhoneNumberBundle\MisdPhoneNumberBundle::class => ['all' => true],
+ HtmlSanitizer\Bundle\HtmlSanitizerBundle::class => ['all' => true],
 ];
diff --git a/config/packages/html_sanitizer.yaml b/config/packages/html_sanitizer.yaml
new file mode 100644
index 0000000000..a5be19251a
--- /dev/null
+++ b/config/packages/html_sanitizer.yaml
@@ -0,0 +1,17 @@
+html_sanitizer:
+ default_sanitizer: 'default'
+ sanitizers:
+ default:
+ # Read https://github.com/tgalopin/html-sanitizer/blob/master/docs/1-getting-started.md#extensions
+ # to learn more about which extensions you would like to enable.
+ extensions:
+ - 'basic'
+ # - 'list'
+ # - 'table'
+ # - 'image'
+ # - 'code'
+ # - 'iframe'
+ # - 'extra'
+
+ # Read https://github.com/tgalopin/html-sanitizer/blob/master/docs/3-configuration-reference.md
+ # to discover all the available options for each extension.
diff --git a/src/Core/GNUsocial.php b/src/Core/GNUsocial.php
index f49a29df35..8bf33d2f4a 100644
--- a/src/Core/GNUsocial.php
+++ b/src/Core/GNUsocial.php
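Review bot: Nothing in this file records what user-supplied HTML is actually allowed through or how large an input may be: the `default` sanitizer enables only the `basic` extension and leaves every per-extension option at the library's default, and the configuration reference the file links to is where those options live (the link-related ones for `basic` and the global input-length cap, if I recall the library correctly), which decide what a sanitized `<a href>` can still point to and whether a huge payload is rejected before parsing. I would set them explicitly and add a comment above `extensions:` such as `# Only 'basic' is enabled: inline/block text formatting. Everything not whitelisted below is stripped. Review the link options and the input-length cap before exposing user HTML.` The same comment should say that sanitizing is not a substitute for output escaping: only content deliberately rendered unescaped needs to pass through this sanitizer, and everything else keeps the normal template escaping.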
@@ -48,6 +48,7 @@ use App\Core\I18n\I18n;
 use App\Core\Queue\Queue;
 use App\Core\Router\Router;
 use Doctrine\ORM\EntityManagerInterface;
+use HtmlSanitizer\SanitizerInterface;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\Console\Event\ConsoleCommandEvent;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
@@ -56,7 +57,6 @@ use Symfony\Component\Form\FormFactoryInterface;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
-use Symfony\Component\Mailer\MailerInterface;
 use Symfony\Component\Messenger\MessageBusInterface;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
 use Symfony\Component\Routing\RouterInterface;
@@ -80,9 +80,10 @@ class GNUsocial implements EventSubscriberInterface
 protected EventDispatcherInterface $event_dispatcher;
 protected SessionInterface $session;
 protected SSecurity $security;
- protected MailerInterface $mailer;
 protected ModuleManager $module_manager;
- protected Httpclientinterface $client;
+ protected HttpClientInterface $client;
+ protected SanitizerInterface $sanitizer;
+
 /**
 * Symfony dependency injection gives us access to these services
 */
@@ -96,9 +97,9 @@ class GNUsocial implements EventSubscriberInterface
 EventDispatcherInterface $ed,
 SessionInterface $sess,
 SSecurity $sec,
- MailerInterface $mail,
 ModuleManager $mm,
- HttpClientInterface $cl)
+ HttpClientInterface $cl,
+ SanitizerInterface $san)
 {
 $this->logger = $logger;
 $this->translator = $trans;
@@ -110,9 +111,9 @@ class GNUsocial implements EventSubscriberInterface
 $this->event_dispatcher = $ed;
 $this->session = $sess;
 $this->security = $sec;
- $this->mailer = $mail;
 $this->module_manager = $mm;
 $this->client = $cl;
+ $this->saniter = $san;
 $this->initialize();
 }
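Review bot: `$this->saniter = $san;` writes a misspelled, undeclared property, so the typed `protected SanitizerInterface $sanitizer` introduced a few hunks above is never initialized and the injected sanitizer survives only as a dynamic property, which PHP 8.2 deprecates and static analysis cannot see. The read in `initialize()` further down (`Security::setHelper($this->security, $this->saniter)`) depends on the same typo, so both sites should use the declared name: `$this->sanitizer = $san;` here and `Security::setHelper($this->security, $this->sanitizer);` there. The constructor this assignment belongs to starts outside the hunk.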
@@ -131,8 +132,7 @@ class GNUsocial implements EventSubscriberInterface
 DB::setManager($this->entity_manager);
 Form::setFactory($this->form_factory);
 Queue::setMessageBus($this->message_bus);
- Security::setHelper($this->security);
- Mailer::setMailer($this->mailer);
+ Security::setHelper($this->security, $this->saniter);
 Router::setRouter($this->router, $this->url_generator);
 HTTPClient::setClient($this->client);
diff --git a/src/Core/Mailer.php b/src/Core/Mailer.php
deleted file mode 100644
index bc13c8bc24..0000000000
--- a/src/Core/Mailer.php
+++ /dev/null
@@ -1,49 +0,0 @@
-.
-
-// }}}
-
-/**
- * Mailer wrapper
- *
- * @package GNUsocial
- * @category Wrapper
- *
- * @author Hugo Sales
- * @copyright 2020 Free Software Foundation, Inc http://www.fsf.org
- * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later
- */
-
-namespace App\Core;
-
-use Symfony\Component\Mailer\MailerInterface;
-
-abstract class Mailer
-{
- private static MailerInterface $mailer;
- public static function setMailer($m)
- {
- self::$mailer = $m;
- }
-
- public static function __callStatic(string $method, array $args)
- {
- return self::{$method}(...$args);
- }
-}
diff --git a/src/Core/Security.php b/src/Core/Security.php
index b5530778f9..44d969bdef 100644
--- a/src/Core/Security.php
+++ b/src/Core/Security.php
@@ -30,19 +30,26 @@ namespace App\Core;
+use HtmlSanitizer\SanitizerInterface;
 use Symfony\Component\Security\Core\Security as SSecurity;
 abstract class Security
 {
 private static ?SSecurity $security;
+ private static ?SanitizerInterface $sanitizer;
- public static function setHelper($s): void
+ public static function setHelper($sec, $san): void
 {
- self::$security = $s;
+ self::$security = $sec;
+ self::$sanitizer = $san;
 }
 public static function __callStatic(string $name, array $args)
 {
- return self::$security->{$name}(...$args);
+ if (method_exists(self::$security, $name)) {
+ return self::$security->{$name}(...$args);
+ } else {
+ return self::$sanitizer->{$name}(...$args);
+ }
 }
 }
diff --git a/symfony.lock b/symfony.lock
index 14eda8a8ca..52873696b6 100644
--- a/symfony.lock
+++ b/symfony.lock
@@ -126,9 +126,15 @@
 "laminas/laminas-zendframework-bridge": {
 "version": "1.0.4"
 },
+ "league/uri-parser": {
+ "version": "1.4.1"
+ },
 "lstrojny/functional-php": {
 "version": "1.11.0"
 },
+ "masterminds/html5": {
+ "version": "2.7.3"
+ },
 "monolog/monolog": {
 "version": "2.1.0"
 },
@@ -591,6 +597,21 @@
 "symfony/yaml": {
 "version": "v5.1.0"
 },
+ "tgalopin/html-sanitizer": {
+ "version": "1.4.0"
+ },
+ "tgalopin/html-sanitizer-bundle": {
+ "version": "1.0",
+ "recipe": {
+ "repo": "github.com/symfony/recipes-contrib",
+ "branch": "master",
+ "version": "1.0",
+ "ref": "26a72f38eede2c53b5d3ccbed5c150e10a93268d"
+ },
+ "files": [
+ "config/packages/html_sanitizer.yaml"
+ ]
+ },
 "twig/extra-bundle": {
 "version": "v3.0.3"
 },
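Review bot: The `else` branch of `__callStatic` forwards every static call whose name is not a method of the Symfony security helper to the HTML sanitizer, so a typo such as `Security::sanitise()` surfaces as an undefined-method error on the sanitizer object, and any method a future Symfony release adds to the security helper that happens to share a name with a sanitizer method silently changes which object answers a call that was meant to sanitize user input. Both `setHelper` parameters are also untyped even though the properties they fill are typed, so a wrong service passed from the kernel is only caught at the first call. I would type the parameters and expose the sanitizer through an explicit, typed method instead of the fallback (assuming the bundle's `SanitizerInterface` exposes `sanitize(string): string`, which its description suggests but this diff does not show), leaving `__callStatic` as a pure proxy to the security helper.
```php
    public static function setHelper(SSecurity $sec, SanitizerInterface $san): void
    {
        self::$security = $sec;
        self::$sanitizer = $san;
    }

    /**
     * Run untrusted HTML through the configured sanitizer.
     * The returned string is the only form that should ever be rendered unescaped.
     */
    public static function sanitize(string $html): string
    {
        return self::$sanitizer->sanitize($html);
    }

    public static function __callStatic(string $name, array $args)
    {
        // Proxy only the Symfony security helper; sanitizing has its own explicit method above.
        return self::$security->{$name}(...$args);
    }
```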