feat: sms: scheme#454
maxfenton wants to merge 4 commits into
Can anyone help with this?
The previous sanitizeBody approach (strip <>"' then strip script/alert/javascript)
left residual content after multi-pass stripping. For example:
<script>alert("xss")</script>
→ after step 1: scriptalert(xss)/script
→ after step 2: (xss)/ ← fails test expectation of empty string
Decode URL encoding first to catch encoded payloads, then reject the entire
body value if angle brackets are present (the primary HTML injection vector),
rather than attempting partial character stripping that can be bypassed.
Also re-encode the output so decoded bodies (e.g. Hello%20World) round-trip
correctly through the URL attribute context.
Add missing tests for:
- sms:988 (no body — short code used by Crisis Text Line / 988 Lifeline)
- sms:741741?body=SEIZE (RFC 5724 ?body= input normalised to &body= output)
- sms:741741&body=SEIZE (short code with body round-trip)
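The decode, reject-on-angle-brackets, re-encode flow from the commit message above, as an added stand-alone example (not HTMLPurifier's own code): sanitizeSmsBody and normalizeSmsUri are hypothetical names, and the number/body regex is an assumption about the accepted syntax.

```php
<?php
// Added example (not HTMLPurifier's code): models the sms: body handling
// the commit message describes. sanitizeSmsBody/normalizeSmsUri are
// hypothetical names; the number/body regex is an assumption.
declare(strict_types=1);

// Decode once, reject the whole value if angle brackets survive, otherwise
// re-encode for the URL attribute context. null means "drop the body".
function sanitizeSmsBody(string $rawBody): ?string
{
    $decoded = rawurldecode($rawBody);      // catches %3C / %3E payloads
    if (strpbrk($decoded, '<>') !== false) {
        return null;                        // no partial stripping
    }
    return rawurlencode($decoded);          // "Hello World" -> Hello%20World
}

// Accepts RFC 5724 "?body=" and the common "&body=" form, emits "&body=".
// Returns null when the URI is malformed or its body was rejected.
function normalizeSmsUri(string $uri): ?string
{
    if (!preg_match('/^sms:([0-9+.,\-]+)(?:[?&]body=(.*))?$/is', $uri, $m)) {
        return null;
    }
    if (!isset($m[2])) {
        return 'sms:' . $m[1];              // e.g. sms:988, no body
    }
    $body = sanitizeSmsBody($m[2]);
    return $body === null ? null : 'sms:' . $m[1] . '&body=' . $body;
}

// Constructed inputs covering the cases listed in the commit message.
foreach ([
    'sms:988',
    'sms:741741?body=SEIZE',
    'sms:741741&body=SEIZE',
    'sms:555&body=Hello%20World',
    'sms:555&body=<script>alert("xss")</script>',
    'sms:555&body=%3Cscript%3E',
] as $in) {
    printf("%-45s => %s\n", $in, normalizeSmsUri($in) ?? '(rejected)');
}
```

Both body forms normalise to the &body= output, the encoded body round-trips unchanged, and the two script payloads (plain and percent-encoded) are rejected whole rather than partially stripped.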
…ttributes URISchemeRegistry::getScheme() can receive null when a URI has no scheme (relative URIs). PHP 8.5 deprecates null as an array offset — add an early return for null scheme. SplObjectStorage::attach(), contains(), detach() are deprecated in PHP 8.5 in favour of offsetSet(), offsetExists(), offsetUnset(). Update RemoveSpansWithoutAttributes to use the new method names.
Back again to try to get this approved. Fixed a bug on my side that I didn't see when the CI PHP 8.5 was failing. Please add sms support to htmlpurifier.
Ref: #374
Ref: https://www.rfc-editor.org/rfc/rfc5724.html
Adds support for sms: scheme URLs with examples:
- sms:555
- sms:555?body=HOME (part of the spec)
- sms:555&body=HOME (commonly used across the web)