HtmlSanitizerConfig
Table of Contents
Properties
- $allowedElements : array<string, array<string, true>>
- Elements that should be retained, with their allowed attributes.
- $allowedLinkHosts : array<int, string>|null
- Link hosts that should be retained (by default, all hosts are allowed).
- $allowedLinkSchemes : array<int, string>
- Link schemes that should be retained, others being dropped.
- $allowedMediaHosts : array<int, string>|null
- Image/Audio/Video hosts that should be retained (by default, all hosts are allowed).
- $allowedMediaSchemes : array<int, string>
- Image/Audio/Video schemes that should be retained, others being dropped.
- $allowRelativeLinks : bool
- Should the sanitizer allow relative links (by default, they are dropped).
- $allowRelativeMedias : bool
- Should the sanitizer allow relative media URLs (by default, they are dropped).
- $attributeSanitizers : array<int, AttributeSanitizerInterface>
- Sanitizers that should be applied to specific attributes in addition to standard sanitization.
- $blockedElements : array<string, true>
- Elements that should be removed but their children should be retained.
- $defaultAction : HtmlSanitizerAction
- $droppedElements : array<string, true>
- Elements that should be removed.
- $forcedAttributes : array<string, array<string, string>>
- Attributes that should always be added to certain elements.
- $forceHttpsUrls : bool
- Should URLs in the sanitized document be transformed to HTTPS if they are using HTTP.
- $maxInputLength : int
Methods
- __construct() : mixed
- allowAttribute() : static
- Configures the given attribute as allowed.
- allowElement() : static
- Configures the given element as allowed.
- allowLinkHosts() : static
- Allows only a given list of hosts to be used in link href attributes.
- allowLinkSchemes() : static
- Allows only a given list of schemes to be used in link href attributes.
- allowMediaHosts() : static
- Allows only a given list of hosts to be used in media source attributes (img, audio, video, ...).
- allowMediaSchemes() : static
- Allows only a given list of schemes to be used in media source attributes (img, audio, video, ...).
- allowRelativeLinks() : static
- Allows relative URLs to be used in link href attributes.
- allowRelativeMedias() : static
- Allows relative URLs to be used in media source attributes (img, audio, video, ...).
- allowSafeElements() : static
- Allows "safe" elements and attributes.
- allowStaticElements() : static
- Allows all static elements and attributes from the W3C Sanitizer API standard.
- blockElement() : static
- Configures the given element as blocked.
- defaultAction() : static
- Sets the default action for elements which are not otherwise specifically allowed or blocked.
- dropAttribute() : static
- Configures the given attribute as dropped.
- dropElement() : static
- Configures the given element as dropped.
- forceAttribute() : static
- Forcefully set the value of a given attribute on a given element.
- forceHttpsUrls() : static
- Transforms URLs using the HTTP scheme to use the HTTPS scheme instead.
- getAllowedElements() : array<string, array<string, true>>
- getAllowedLinkHosts() : array<int, string>|null
- getAllowedLinkSchemes() : array<int, string>
- getAllowedMediaHosts() : array<int, string>|null
- getAllowedMediaSchemes() : array<int, string>
- getAllowRelativeLinks() : bool
- getAllowRelativeMedias() : bool
- getAttributeSanitizers() : array<int, AttributeSanitizerInterface>
- getBlockedElements() : array<string, true>
- getDefaultAction() : HtmlSanitizerAction
- getDroppedElements() : array<string, true>
- getForcedAttributes() : array<string, array<string, string>>
- getForceHttpsUrls() : bool
- getMaxInputLength() : int
- withAttributeSanitizer() : static
- Registers a custom attribute sanitizer.
- withMaxInputLength() : static
- withoutAttributeSanitizer() : static
- Unregisters a custom attribute sanitizer.
Properties
$allowedElements
Elements that should be retained, with their allowed attributes.
private
array<string, array<string, true>>
$allowedElements
= []
$allowedLinkHosts
Link hosts that should be retained (by default, all hosts are allowed).
private
array<int, string>|null
$allowedLinkHosts
= null
$allowedLinkSchemes
Link schemes that should be retained, others being dropped.
private
array<int, string>
$allowedLinkSchemes
= ['http', 'https', 'mailto', 'tel']
$allowedMediaHosts
Image/Audio/Video hosts that should be retained (by default, all hosts are allowed).
private
array<int, string>|null
$allowedMediaHosts
= null
$allowedMediaSchemes
Image/Audio/Video schemes that should be retained, others being dropped.
private
array<int, string>
$allowedMediaSchemes
= ['http', 'https', 'data']
$allowRelativeLinks
Should the sanitizer allow relative links (by default, they are dropped).
private
bool
$allowRelativeLinks
= false
$allowRelativeMedias
Should the sanitizer allow relative media URLs (by default, they are dropped).
private
bool
$allowRelativeMedias
= false
$attributeSanitizers
Sanitizers that should be applied to specific attributes in addition to standard sanitization.
private
array<int, AttributeSanitizerInterface>
$attributeSanitizers
$blockedElements
Elements that should be removed but their children should be retained.
private
array<string, true>
$blockedElements
= []
$defaultAction
private
HtmlSanitizerAction
$defaultAction
= \Symfony\Component\HtmlSanitizer\HtmlSanitizerAction::Drop
$droppedElements
Elements that should be removed.
private
array<string, true>
$droppedElements
= []
$forcedAttributes
Attributes that should always be added to certain elements.
private
array<string, array<string, string>>
$forcedAttributes
= []
$forceHttpsUrls
Should URLs in the sanitized document be transformed to HTTPS if they are using HTTP.
private
bool
$forceHttpsUrls
= false
$maxInputLength
private
int
$maxInputLength
= 20000
Methods
__construct()
public
__construct() : mixed
allowAttribute()
Configures the given attribute as allowed.
public
allowAttribute(string $attribute, array<int, string>|string $allowedElements) : static
Allowed attributes are attributes the sanitizer should retain from the input.
A list of allowed elements for this attribute can be passed as a second argument. Passing "*" will allow all currently allowed elements to use this attribute.
Parameters
- $attribute : string
- $allowedElements : array<int, string>|string
Return values
static
allowElement()
Configures the given element as allowed.
public
allowElement(string $element[, array<int, string>|string $allowedAttributes = [] ]) : static
Allowed elements are elements the sanitizer should retain from the input.
A list of allowed attributes for this element can be passed as a second argument. Passing "*" will allow all standard attributes on this element. By default, no attributes are allowed on the element.
Parameters
- $element : string
- $allowedAttributes : array<int, string>|string = []
Return values
static
allowLinkHosts()
Allows only a given list of hosts to be used in link href attributes.
public
allowLinkHosts(array<int, string>|null $allowLinkHosts) : static
All other hosts will be dropped. By default all hosts are allowed ($allowedLinkHosts = null).
Parameters
- $allowLinkHosts : array<int, string>|null
Return values
static
allowLinkSchemes()
Allows only a given list of schemes to be used in link href attributes.
public
allowLinkSchemes(array<int, string> $allowLinkSchemes) : static
All other schemes will be dropped.
Parameters
- $allowLinkSchemes : array<int, string>
Return values
static
allowMediaHosts()
Allows only a given list of hosts to be used in media source attributes (img, audio, video, ...).
public
allowMediaHosts(array<int, string>|null $allowMediaHosts) : static
All other hosts will be dropped. By default all hosts are allowed ($allowMediaHosts = null).
Parameters
- $allowMediaHosts : array<int, string>|null
Return values
static
allowMediaSchemes()
Allows only a given list of schemes to be used in media source attributes (img, audio, video, ...).
public
allowMediaSchemes(array<int, string> $allowMediaSchemes) : static
All other schemes will be dropped.
Parameters
- $allowMediaSchemes : array<int, string>
Return values
static
allowRelativeLinks()
Allows relative URLs to be used in link href attributes.
public
allowRelativeLinks([bool $allowRelativeLinks = true ]) : static
Parameters
- $allowRelativeLinks : bool = true
Return values
static
allowRelativeMedias()
Allows relative URLs to be used in media source attributes (img, audio, video, ...).
public
allowRelativeMedias([bool $allowRelativeMedias = true ]) : static
Parameters
- $allowRelativeMedias : bool = true
Return values
static
allowSafeElements()
Allows "safe" elements and attributes.
public
allowSafeElements() : static
All scripts will be removed, as well as other dangerous behaviors like CSS injection.
Return values
static
allowStaticElements()
Allows all static elements and attributes from the W3C Sanitizer API standard.
public
allowStaticElements() : static
All scripts will be removed but the output may still contain other dangerous behaviors like CSS injection (click-jacking), CSS expressions, ...
Return values
static
blockElement()
Configures the given element as blocked.
public
blockElement(string $element) : static
Blocked elements are elements the sanitizer should remove from the input, but retain their children.
Parameters
- $element : string
Return values
static
defaultAction()
Sets the default action for elements which are not otherwise specifically allowed or blocked.
public
defaultAction(HtmlSanitizerAction $action) : static
Note that a default action of Allow will allow all tags but they will not have any attributes.
Parameters
- $action : HtmlSanitizerAction
Return values
static
dropAttribute()
Configures the given attribute as dropped.
public
dropAttribute(string $attribute, array<int, string>|string $droppedElements) : static
Dropped attributes are attributes the sanitizer should remove from the input.
A list of elements on which to drop this attribute can be passed as a second argument. Passing "*" will drop this attribute from all currently allowed elements.
Note: when using an empty configuration, all unknown attributes are dropped automatically. This method lets you drop attributes that were allowed earlier in the configuration.
Parameters
- $attribute : string
- $droppedElements : array<int, string>|string
Return values
static
dropElement()
Configures the given element as dropped.
public
dropElement(string $element) : static
Dropped elements are elements the sanitizer should remove from the input, including their children.
Note: when using an empty configuration, all unknown elements are dropped automatically. This method lets you drop elements that were allowed earlier in the configuration, or explicitly drop some if you changed the default action.
Parameters
- $element : string
Return values
static
forceAttribute()
Forcefully set the value of a given attribute on a given element.
public
forceAttribute(string $element, string $attribute, string $value) : static
The attribute will be created on the nodes if it didn't exist.
Parameters
- $element : string
- $attribute : string
- $value : string
Return values
static
forceHttpsUrls()
Transforms URLs using the HTTP scheme to use the HTTPS scheme instead.
public
forceHttpsUrls([bool $forceHttpsUrls = true ]) : static
Parameters
- $forceHttpsUrls : bool = true
Return values
static
getAllowedElements()
public
getAllowedElements() : array<string, array<string, true>>
Return values
array<string, array<string, true>>
getAllowedLinkHosts()
public
getAllowedLinkHosts() : array<int, string>|null
Return values
array<int, string>|null
getAllowedLinkSchemes()
public
getAllowedLinkSchemes() : array<int, string>
Return values
array<int, string>
getAllowedMediaHosts()
public
getAllowedMediaHosts() : array<int, string>|null
Return values
array<int, string>|null
getAllowedMediaSchemes()
public
getAllowedMediaSchemes() : array<int, string>
Return values
array<int, string>
getAllowRelativeLinks()
public
getAllowRelativeLinks() : bool
Return values
bool
getAllowRelativeMedias()
public
getAllowRelativeMedias() : bool
Return values
bool
getAttributeSanitizers()
public
getAttributeSanitizers() : array<int, AttributeSanitizerInterface>
Return values
array<int, AttributeSanitizerInterface>
getBlockedElements()
public
getBlockedElements() : array<string, true>
Return values
array<string, true>
getDefaultAction()
public
getDefaultAction() : HtmlSanitizerAction
Return values
HtmlSanitizerAction
getDroppedElements()
public
getDroppedElements() : array<string, true>
Return values
array<string, true>
getForcedAttributes()
public
getForcedAttributes() : array<string, array<string, string>>
Return values
array<string, array<string, string>>
getForceHttpsUrls()
public
getForceHttpsUrls() : bool
Return values
bool
getMaxInputLength()
public
getMaxInputLength() : int
Return values
int
withAttributeSanitizer()
Registers a custom attribute sanitizer.
public
withAttributeSanitizer(AttributeSanitizerInterface $sanitizer) : static
Parameters
- $sanitizer : AttributeSanitizerInterface
Return values
static
withMaxInputLength()
public
withMaxInputLength(int $maxInputLength) : static
Parameters
- $maxInputLength : int
- The maximum length of the input string in bytes; -1 means no limit.
Return values
static
withoutAttributeSanitizer()
Unregisters a custom attribute sanitizer.
public
withoutAttributeSanitizer(AttributeSanitizerInterface $sanitizer) : static
Parameters
- $sanitizer : AttributeSanitizerInterface
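
The builder methods and getters documented above, combined into a restrictive policy for untrusted HTML and a small check of the resulting settings. This is an added example, not part of the Symfony documentation; it assumes symfony/html-sanitizer is installed with Composer, and auditConfig(), the host names and the sample input are constructed for illustration.

```php
<?php
// Added example, not Symfony's own code. Assumes symfony/html-sanitizer is
// installed with Composer; auditConfig(), the host names and the sample
// input are constructed for illustration.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// Hypothetical helper: report settings wider than a user-content policy needs.
function auditConfig(HtmlSanitizerConfig $c): array
{
    $findings = [];
    if (null === $c->getAllowedLinkHosts()) {
        $findings[] = 'links may point to any host';
    }
    if (in_array('data', $c->getAllowedMediaSchemes(), true)) {
        $findings[] = 'data: URLs accepted in media sources';
    }
    if ($c->getAllowRelativeLinks() || $c->getAllowRelativeMedias()) {
        $findings[] = 'relative URLs accepted';
    }
    if ($c->getMaxInputLength() < 0) {
        $findings[] = 'no input length limit';
    }
    return $findings;
}

// Every builder method returns a config object, so keep the result of the chain.
$config = (new HtmlSanitizerConfig())
    ->allowSafeElements()                    // scripts and CSS injection removed
    ->blockElement('div')                    // tag removed, children kept
    ->dropElement('blockquote')              // removed together with its children
    ->allowLinkSchemes(['http', 'https'])
    ->allowLinkHosts(['example.com'])
    ->allowMediaSchemes(['https'])           // the default list also has 'data'
    ->allowMediaHosts(['img.example.com'])
    ->forceHttpsUrls()                       // http:// rewritten to https://
    ->forceAttribute('a', 'rel', 'noopener noreferrer')
    ->withMaxInputLength(10000);

$untrusted = <<<'HTML'
<div><p onclick="x()">Hi <a href="http://example.com/a">in</a>
<a href="https://other.test/b">out</a></p></div>
<blockquote>quoted <b>text</b></blockquote>
<img src="data:image/png;base64,AAAA"><img src="https://img.example.com/x.png">
HTML;

print_r(auditConfig(new HtmlSanitizerConfig()));  // findings for the defaults
print_r(auditConfig($config));                    // findings for the policy above
echo (new HtmlSanitizer($config))->sanitize($untrusted), PHP_EOL;
```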