"A & B" turns it into "A &amp; B"
Hi @stevebauman, thank you so much for the package. I'm having problems trying to purify (text) something simple like "A & B": it turns it into "A &amp; B". How can I allow some letters to stay the same?
'text' => [
    'Core.Encoding' => 'utf-8',
    'HTML.Doctype' => 'HTML 4.01 Transitional',
    'HTML.Allowed' => '',                     // no elements allowed: all tags are stripped
    'HTML.ForbiddenElements' => 'script,meta',
    'AutoFormat.AutoParagraph' => false,
    'AutoFormat.RemoveEmpty' => false,
],
The idea for this 'text' configuration is to just clean any malicious stuff.
Appreciate any help.
Hi @nam-co,
Please create an issue on the core HTML Purifier repository, as Purify simply wraps this library:
https://github.com/ezyang/htmlpurifier
I did however find a report of this issue there, and this appears to be intentional:
Thanks Steve, I will check it out. In your personal opinion, do you think the Laravel "string" validation is enough to keep the DB secure from a simple text input?
Happy to help @nam-co!
in your personal opinion do you think the laravel "string" validation is enough to keep the DB secure from a simple text input?
Yes, as long as you escape the content normally when outputting it in Vue/Blade using double curly brackets ({{ name }}), or by using htmlspecialchars() in PHP (which Laravel's Blade does automatically when using double curly brackets).
The database can contain any un-sanitized value. It's only when you output it to HTML that it poses a security threat and must be escaped 👍
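The store-raw, escape-on-output approach described in the answer above, as an added example that is not part of the original issue, the Purify package, or HTML Purifier. The function name escapeForHtml and the sample values are constructed for the illustration; the escaping call itself is the same htmlspecialchars() the answer refers to.

```php
<?php
// Added example: the value is stored exactly as typed and only converted
// to HTML-safe text at the moment it is rendered into a page.
function escapeForHtml(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is safe inside attribute
    // values as well as element bodies; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string, so malformed
    // input cannot silently blank the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values standing in for rows read back from the database.
// Each one was stored unmodified by a plain "string" validation rule.
$stored = [
    'A & B',                // the value from the issue, kept as typed
    'O\'Reilly "quoted"',   // quotes, which matter inside HTML attributes
    '<b>not bold</b>',      // markup typed into a plain-text field
];

foreach ($stored as $raw) {
    // Exactly the step Blade performs for {{ $raw }}; the browser shows the
    // original characters, but none of them are interpreted as markup.
    printf("stored: %-20s rendered as: %s\n", $raw, escapeForHtml($raw));
}
```

In a Blade template `{{ $raw }}` runs the value through Laravel's `e()` helper, which is a wrapper around htmlspecialchars() with the same ENT_QUOTES and UTF-8 settings, so the ampersand in "A & B" is preserved in the stored row and becomes `&amp;` only in the generated HTML. The unescaped `{!! $raw !!}` syntax bypasses this step and should be reserved for values that have already been run through a sanitizer such as Purify.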