"A & B" turns it into "A & B"

Question

"A & B" turns it into "A & B"

Closed this issue a year ago · 3 comments

Hi @stevebauman thank you so much for the package, Im having problems trying to purify (text) something simple like "A & B" it turns it into "A & B", how can I allow some letters to stay the same?

        'text' => [
            'Core.Encoding' => 'utf-8',
            'HTML.Doctype' => 'HTML 4.01 Transitional',
            'HTML.Allowed' => '',
            'HTML.ForbiddenElements' => 'script,meta',
            'AutoFormat.AutoParagraph' => false,
            'AutoFormat.RemoveEmpty' => false,
        ],

The idea for this 'text' configuration is to just clean any malicious stuff

Appreciate any help

Answer 1 · 2023-06-19T15:31:58.000Z

Hi @nam-co,

Please create an issue on the core HTML Purifier repository, as Purify simply wraps this library:

https://github.com/ezyang/htmlpurifier

I did however find a report of this issue there, and this appears to be intentional:

ezyang/htmlpurifier#177

Answer 2 · 2023-06-19T17:53:13.000Z

Thanks Steve, I will check it out, in your personal opinion do you think the laravel "string" validation is enough to keep the DB secure from a simple text input?

Answer 3 · 2023-06-19T17:59:12.000Z

Happy to help @nam-co!

in your personal opinion do you think the laravel "string" validation is enough to keep the DB secure from a simple text input?

Yes, as long as you escape the content normally when outputting it in Vue/Blade using double curly brackets ({{ name }}), or by using htmlspecialchars() in PHP (which Laravel's Blade does automatically when using double curly brackets).

The database can contain any un-sanitized value. It's only when you output it to HTML to where it poses a security threat and must be escaped 👍