
Commit 867cfda

committed
minor #46062 [HtmlSanitizer] Add HtmlSanitizerConfig::withMaxInputLength() (nicolas-grekas)
This PR was merged into the 6.1 branch. Discussion ---------- [HtmlSanitizer] Add HtmlSanitizerConfig::withMaxInputLength() | Q | A | ------------- | --- | Branch? | 6.1 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix #symfony/symfony#44798 (review) | License | MIT | Doc PR | - Commits ------- 070f2cfc03 [HtmlSanitizer] Add HtmlSanitizerConfig::withMaxInputLength()
2 parents 83aeeeb + e1cfb2a commit 867cfda


2 files changed

+18
-5
lines changed


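--- a/HtmlSanitizer.php
+++ b/HtmlSanitizer.php
@@ -25,18 +25,16 @@
 final class HtmlSanitizer implements HtmlSanitizerInterface
 {
     private HtmlSanitizerConfig $config;
-    private int $maxInputLength;
     private ParserInterface $parser;
 
     /**
      * @var array<string, DomVisitor>
      */
     private array $domVisitors = [];
 
-    public function __construct(HtmlSanitizerConfig $config, int $maxInputLength = 20000, ParserInterface $parser = null)
+    public function __construct(HtmlSanitizerConfig $config, ParserInterface $parser = null)
     {
         $this->config = $config;
-        $this->maxInputLength = $maxInputLength;
         $this->parser = $parser ?? new MastermindsParser();
     }
 
@@ -64,8 +62,8 @@ private function sanitizeWithContext(string $context, string $input): string
         $this->domVisitors[$context] ??= $this->createDomVisitorForContext($context);
 
         // Prevent DOS attack induced by extremely long HTML strings
-        if (\strlen($input) > $this->maxInputLength) {
-            $input = substr($input, 0, $this->maxInputLength);
+        if (\strlen($input) > $this->config->getMaxInputLength()) {
+            $input = substr($input, 0, $this->config->getMaxInputLength());
         }
 
         // Only operate on valid UTF-8 strings. This is necessary to prevent cross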
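--- a/HtmlSanitizerConfig.php
+++ b/HtmlSanitizerConfig.php
@@ -92,6 +92,8 @@ class HtmlSanitizerConfig
      */
     private array $attributeSanitizers;
 
+    private int $maxInputLength = 20_000;
+
     public function __construct()
     {
         $this->attributeSanitizers = [
@@ -405,6 +407,19 @@ public function withoutAttributeSanitizer(AttributeSanitizerInterface $sanitizer
         return $clone;
     }
 
+    public function withMaxInputLength(int $maxInputLength): static
+    {
+        $clone = clone $this;
+        $clone->maxInputLength = $maxInputLength;
+
+        return $clone;
+    }
+
+    public function getMaxInputLength(): int
+    {
+        return $this->maxInputLength;
+    }
+
     /**
      * @return array<string, array<string, true>>
      */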
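Review bot: `withMaxInputLength()` in the second hunk accepts any int, including negatives, and the value flows unchecked into `\strlen($input) > …` and `substr($input, 0, …)` in HtmlSanitizer, where a negative length means "everything except the last N bytes" and the comparison is always true, so the DoS limit silently stops being a limit; a guard such as `if ($maxInputLength < 0) { throw new \InvalidArgumentException('The max input length must be a non-negative integer.'); }` before the clone keeps an invalid config from being built (whether 0 should be allowed is a product decision). Both new public methods also have no docblock while the neighbouring members do; for the setter something like `/** Sets the maximum number of input bytes the sanitizer processes; longer input is truncated before parsing. */` states the contract, and `getMaxInputLength()` could mention the 20_000 default introduced in the first hunk.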
