Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wrong implementation of method setHtmlBody() #16

Closed
allush opened this issue Sep 19, 2015 · 12 comments
Closed

Wrong implementation of method setHtmlBody() #16

allush opened this issue Sep 19, 2015 · 12 comments

Comments

@allush
Copy link

allush commented Sep 19, 2015 

public function setHtmlBody($html)
    {
        if (is_string($html)) {
            $this->_html = HtmlPurifier::process($html);
        }

        return $this;
    }

HtmlPurifier::process($html) It cuts a lot of styles from the property "style". for example 'border-radius' excluded from result html.

i think, that using HtmlPurifier::process($html) is the wrong approach. better to use a simple assignment.
@nickcv-ln
Copy link
Owner

I'm ok about making the change, but maybe it should still be an option.

I could add a new configuration option for the module to choose whether or not you want to purify the html input. This would be useful in case the html text is coming from a user input.

@allush
Copy link
Author

allush commented Sep 22, 2015

@nickcv-ln good, option is ok.

@andrey-bahrachev
Copy link

@nickcv-ln Using HtmlPurifier within setHtmlBody() method absolutely doesn't make sense, because it totally strips out applied html layout thus making htmlLayout property useless which is wrong.

@nickcv-ln
Copy link
Owner

@andrey-bahrachev if the html body is coming from a for the purifier prevents the user from injecting potential malicious code, so I still think it could be an option, I can default it to false

@nickcv-ln
Copy link
Owner

the more I think about it the more I think you guys are right.
It's up to the developer really at this point.

I will just scrap the purifier from setHtmlBody

@andrey-bahrachev
Copy link

Yeah, it makes sense to make it optional, but don't use the purifier inside the setHtmlBody() method, put it into the compose() method of the Mailer class before the layout view is rendered.

@nickcv-ln
Copy link
Owner

@andrey-bahrachev I see what you mean.

Doing it now btw

@andrey-bahrachev
Copy link

Cool, thanks a lot!

@nickcv-ln
Copy link
Owner

@andrey-bahrachev looking at it right now the only way to do it on just the user input before I render the view is if I loop through every single parameter sent through the view and use the purifier on each one that is a string, basically ignoring every user input if they are part of an object sent as a parameter.

If I do apply the purifier to the rendered view there is the issue that It might strip some code that the developer actually wanted to be there.
Probably it would be best to leave the developer in charge of sanitising the user input.

@andrey-bahrachev
Copy link

Ah, that's right.

nickcv-ln added a commit that referenced this issue Oct 22, 2015
@nickcv-ln
fixed issues #16 and #19, amended some incorrect text, the documentat…
ad6f9de 
…ion and the readme file
@nickcv-ln
Copy link
Owner

pushed the new release! thanks @andrey-bahrachev and @allush

@andrey-bahrachev
Copy link

Awesome! Thanks :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@andrey-bahrachev @allush @nickcv-ln