OXDEV-5017 Add HTML sanitize extension

Author: liulka-oxid

CHANGELOG-2.x.md

@@ -1,9 +1,18 @@
 # Change Log for OXID Twig engine component
 
+## v2.8.0 - unreleased
+
+### Added
+- Template Filter to sanitize HTML content
+
+### Changed
+- Extension `include_content` uses HTML sanitizer
+
 ## v2.7.0 - unreleased
 
 ### Added
 - Improved template rendering performance
+- Template Filter to sanitize HTML content
 
 ## v2.6.0 - 2025-04-09
 

services.yaml

@@ -259,6 +259,9 @@ services:
   OxidEsales\Twig\Extensions\IncludeContentExtension:
     tags: ['twig.extension']
 
+  OxidEsales\Twig\Extensions\Filters\SanitizeHtmlExtension:
+    tags: ['twig.extension']
+
   OxidEsales\EshopCommunity\Internal\Framework\Templating\TemplateEngineInterface:
     class: OxidEsales\Twig\TwigEngine
     arguments:

src/Extensions/Filters/SanitizeHtmlExtension.php

@@ -0,0 +1,38 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\Twig\Extensions\Filters;
+
+use OxidEsales\EshopCommunity\Internal\Framework\Html\HtmlSanitizerInterface;
+use Twig\Extension\AbstractExtension;
+use Twig\TwigFilter;
+
+class SanitizeHtmlExtension extends AbstractExtension
+{
+    public function __construct(
+        private readonly HtmlSanitizerInterface $sanitizer,
+    ) {
+    }
+
+    public function getFilters(): array
+    {
+        return [
+            new TwigFilter(
+                'sanitize_html',
+                $this->sanitize(...),
+                ['is_safe' => ['html']]
+            ),
+        ];
+    }
+
+    public function sanitize(string $html): string
+    {
+        return $this->sanitizer->sanitize($html);
+    }
+}

src/Extensions/IncludeContentExtension.php

@@ -9,6 +9,7 @@
 
 namespace OxidEsales\Twig\Extensions;
 
+use OxidEsales\EshopCommunity\Internal\Framework\Html\HtmlSanitizerInterface;
 use OxidEsales\EshopCommunity\Internal\Transition\Adapter\TemplateLogic\ContentFactory;
 use OxidEsales\Twig\TokenParser\IncludeContentTokenParser;
 use Twig\Error\LoaderError;
@@ -18,8 +19,10 @@
 
 class IncludeContentExtension extends AbstractExtension
 {
-    public function __construct(private ContentFactory $contentFactory)
-    {
+    public function __construct(
+        private ContentFactory $contentFactory,
+        private readonly HtmlSanitizerInterface $sanitizer
+    ) {
     }
 
     /**
@@ -50,6 +53,6 @@ public function content(string $name): string
             throw new LoaderError("Template is not active.");
         }
 
-        return $content->oxcontents__oxcontent->value;
+        return $this->sanitizer->sanitize($content->oxcontents__oxcontent->value);
     }
 }

tests/Integration/Extensions/Filters/SanitizeHtmlExtensionTest.php

@@ -0,0 +1,53 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\Twig\Extensions\Filters;
+
+use OxidEsales\EshopCommunity\Core\Di\ContainerFacade;
+use OxidEsales\EshopCommunity\Internal\Framework\Html\HtmlSanitizerInterface;
+use OxidEsales\EshopCommunity\Tests\ContainerTrait;
+use OxidEsales\Twig\Tests\Integration\Extensions\AbstractExtensionTestCase;
+
+final class SanitizeHtmlExtensionTest extends AbstractExtensionTestCase
+{
+    use ContainerTrait;
+
+    private string $unsafeHtml = '<div><script> alert("SPAM MESSAGE") </script></div>';
+    private string $safeHtml = '<div></div>';
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->createContainer();
+    }
+
+    public function testSanitizerShouldEliminateUnsafeTags(): void
+    {
+        $this->setParameter('oxid_esales.html_sanitizer_enabled', true);
+        $this->attachContainerToContainerFactory();
+        $this->extension = new SanitizeHtmlExtension(ContainerFacade::get(HtmlSanitizerInterface::class));
+        $template = "{{ '" . $this->unsafeHtml . "' | sanitize_html }}";
+
+        $result = $this->getTemplate($template)->render([]);
+
+        $this->assertEquals($this->safeHtml, $result);
+    }
+
+    public function testSanitizerShouldPassEverythingWhenDisabled(): void
+    {
+        $this->setParameter('oxid_esales.html_sanitizer_enabled', false);
+        $this->attachContainerToContainerFactory();
+        $this->extension = new SanitizeHtmlExtension(ContainerFacade::get(HtmlSanitizerInterface::class));
+        $template = "{{ '" . $this->unsafeHtml . "' | sanitize_html }}";
+
+        $result = $this->getTemplate($template)->render([]);
+
+        $this->assertEquals($this->unsafeHtml, $result);
+    }
+}

tests/Integration/Extensions/IncludeContentExtensionTest.php

@@ -10,7 +10,10 @@
 namespace OxidEsales\Twig\Tests\Integration\Extensions;
 
 use OxidEsales\EshopCommunity\Application\Model\Content;
+use OxidEsales\EshopCommunity\Core\Di\ContainerFacade;
+use OxidEsales\EshopCommunity\Internal\Framework\Html\HtmlSanitizerInterface;
 use OxidEsales\EshopCommunity\Internal\Transition\Adapter\TemplateLogic\ContentFactory;
+use OxidEsales\EshopCommunity\Tests\ContainerTrait;
 use OxidEsales\Twig\Extensions\IncludeContentExtension;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\MockObject\MockBuilder;
@@ -23,9 +26,11 @@
 
 final class IncludeContentExtensionTest extends AbstractExtensionTestCase
 {
-	private MockBuilder $contentMockBuilder;
+    use ContainerTrait;
 
-	protected function setUp(): void
+    private MockBuilder $contentMockBuilder;
+
+    protected function setUp(): void
     {
         parent::setUp();
 
@@ -54,6 +59,10 @@ protected function setUp(): void
             'oxactive' => false,
             'oxcontent' => 'Not active content'
         ]);
+        $SpamContentMock = $this->prepareContentMock(0, [
+            'oxactive' => true,
+            'oxcontent' => 'not spam<script>alert("spam")</script>'
+        ]);
 
         /** @var MockObject|ContentFactory $contentFactoryMock */
         $contentFactoryMock = $this
@@ -68,10 +77,17 @@ protected function setUp(): void
                 ['ident', 'english', $enContentMock],
                 ['ident', 'twig_code', $twigContentMock],
                 ['ident', 'dynamic_content', $dynamicContentMock],
-                ['ident', 'not_active', $notActiveContentMock]
+                ['ident', 'not_active', $notActiveContentMock],
+                ['ident', 'spam', $SpamContentMock]
             ]);
 
-        $this->extension = new IncludeContentExtension($contentFactoryMock);
+        $this->setParameter('oxid_esales.html_sanitizer_enabled', true);
+        $this->attachContainerToContainerFactory();
+
+        $this->extension = new IncludeContentExtension(
+            $contentFactoryMock,
+            ContainerFacade::get(HtmlSanitizerInterface::class)
+        );
     }
 
     #[DataProvider('contentProvider')]
@@ -99,6 +115,10 @@ public static function contentProvider(): array
                 "{% set content_name = 'dynamic_content' %}{% include_content content_name %}",
                 "Dynamic content"
             ],
+            [
+                "{% set content_name = 'spam' %}{% include_content content_name %}",
+                "not spam"
+            ],
         ];
     }