Implement whitelist for sanitizer: `allowed_html_elements_with_attributes()` by Inverle · Pull Request #53 · FreshRSS/simplepie

Inverle · 2025-09-14T16:16:17Z

From FreshRSS/FreshRSS#7924

Inverle · 2025-09-14T20:20:49Z

Maybe now

Alkarex · 2025-09-14T21:53:15Z

Thanks 👍🏻
If you ca, it would be nice to:

Add a minimal test (there are examples in the test directory)
Open the same PR at https://github.com/simplepie/simplepie

Inverle · 2025-09-25T21:25:07Z

done (test added, PR not opened yet)

Inverle · 2025-09-27T11:41:22Z

Attempting to fix CI, have to wait for approval so no idea if this works

Inverle · 2025-09-28T18:29:02Z

simplepie#947

Inverle · 2025-10-20T19:25:47Z

What should be done now?

Alkarex · 2025-10-21T14:57:34Z

Sorry for the delay. I rewrote the approach to iterate the elements and attributes. I was not so happy of the two layers of XPath.

Please double-check my changes 638515c (not tested)
If that is good enough, please update upstream PR accordingly
We will merge here

Inverle · 2025-10-25T10:25:54Z

Please double-check my changes 638515c (not tested)

WIP

tests/SanitizeTest.php

* Fixed sanitization output returning `<!DOCTYPE html>` regardless of input * Custom elements are not allowed anymore * Added `allow_data_attr` and `allow_aria_attr` parameters * Don't remove children of the disallowed element * Replaced `removeAttribute()` with `removeAttributeNS()` to ensure all disallowed attributes are removed * For example `xmlns` was not being removed correctly * Fixed test using incorrect variable `$sanitize` instead of `$sanitize_whitelist`

Inverle · 2025-10-25T14:58:08Z

If that is good enough, please update upstream PR accordingly

@Alkarex Please review the new changes before I do that (and run the tests workflow)

I have also updated FreshRSS/FreshRSS#7924 for FreshRSS testing. Seems to work fine with my feeds

src/Sanitize.php

Inverle · 2025-10-29T16:20:49Z

Ready for review

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

Inverle · 2025-10-29T21:28:00Z

Though I don't understand why removeAttributeNode() and removeAttribute() behave differently

Inverle · 2025-10-29T21:36:15Z

Looks like CI didn't print all the unsupported functions at once..

Alkarex · 2025-10-29T21:45:46Z

Looks like CI didn't print all the unsupported functions at once..

Yes, that would have been likely caught by simplepie#939

Inverle · 2025-10-29T21:56:17Z

Everything still works

Alkarex · 2025-10-29T22:15:25Z

Please double-check 4a16e57 and I think we are good to go

Inverle · 2025-10-29T22:23:53Z

Looks fine

FreshRSS/simplepie#53

* Implement whitelist for SimplePie sanitizer ref: #7770 (comment) FreshRSS/simplepie#53 simplepie/simplepie#947 * Remove `<plaintext>` from whitelist * Improve order * Remove some tags from whitelist * Revert partially * sync * Display contents of `<noscript>` and `<noembed>` * sync * Allow use of `<track>` * sync again * Sync to SimplePie fork FreshRSS/simplepie#53 * Alphabetic order * Reduce list of stripped attributes * Temporarily strip some attributes --------- Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

Implement whitelist for sanitizer: whitelist_tags()

2693848

Inverle mentioned this pull request Sep 14, 2025

Implement whitelist for SimplePie sanitizer FreshRSS/FreshRSS#7924

Merged

Inverle added 2 commits September 14, 2025 21:37

PHPStan fix

24fa1d1

Fix brace syntax

6062b37

Inverle force-pushed the sanitize-whitelist branch from ba1255d to 8b7c7b4 Compare September 25, 2025 20:57

Add a basic sanitize test

423a14e

Inverle force-pushed the sanitize-whitelist branch from 8b7c7b4 to 423a14e Compare September 27, 2025 11:40

Inverle mentioned this pull request Sep 28, 2025

Implement whitelist for sanitizer: allowed_html_elements_with_attributes() simplepie/simplepie#947

Closed

Rewrote iterate logic

638515c

Merge branch 'freshrss' into pr/Inverle/53

3ad56ce

Inverle commented Oct 25, 2025

View reviewed changes

tests/SanitizeTest.php Outdated Show resolved Hide resolved

Inverle changed the title ~~Implement whitelist for sanitizer: whitelist_tags()~~ Implement whitelist for sanitizer: allowed_html_elements_with_attributes() Oct 25, 2025