[Serializer] Add SanitizeDenormalizer for automatic sanitization #62117
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,131 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\Serializer\Normalizer; | ||
|
|
||
| use Psr\Container\ContainerInterface; | ||
| use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface; | ||
| use Symfony\Component\Serializer\Attribute\Context; | ||
| use Symfony\Component\Serializer\Exception\BadMethodCallException; | ||
| use Symfony\Component\Serializer\Exception\LogicException; | ||
|
|
||
| /** | ||
| * Denormalizer that sanitizes string properties based on the Context attribute. | ||
| * | ||
| * @author Mohamed Senoussi <lesfootix@gmail.com> | ||
| */ | ||
| final class SanitizeDenormalizer implements DenormalizerInterface, DenormalizerAwareInterface | ||
| { | ||
| use DenormalizerAwareTrait; | ||
momito69 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| public const SANITIZER = 'sanitizer'; | ||
| public const SANITIZE_HTML = 'sanitize_html'; | ||
| public const DEFAULT_SANITIZER = 'default'; | ||
|
|
||
| public function __construct( | ||
| private ContainerInterface $sanitizers, | ||
| ) { | ||
| } | ||
|
|
||
| public function getSupportedTypes(?string $format): array | ||
| { | ||
| return ['native-string' => false, 'native-array' => false, '*' => false]; | ||
| } | ||
|
|
||
| public function denormalize(mixed $data, string $type, ?string $format = null, array $context = []): mixed | ||
| { | ||
| if (!isset($this->denormalizer)) { | ||
| throw new BadMethodCallException('Please set a denormalizer before calling denormalize()!'); | ||
| } | ||
|
|
||
| if (!\is_array($data)) { | ||
| return $this->denormalizer->denormalize($data, $type, $format, $context); | ||
| } | ||
|
|
||
| $reflection = new \ReflectionClass($type); | ||
| $sanitizedData = $data; | ||
|
|
||
| foreach ($reflection->getProperties() as $property) { | ||
| $name = $property->getName(); | ||
| if (!isset($data[$name])) { | ||
|
Member
There was a problem hiding this comment. this is broken as it forgets about the support of many advanced features of the ObjectNormalizer (name converters, serialized names, etc...). |
||
| continue; | ||
| } | ||
|
|
||
| foreach ($property->getAttributes(Context::class) as $attribute) { | ||
|
Member
There was a problem hiding this comment. This does not make any sense. You should read |
||
| $attributeContext = $attribute->newInstance(); | ||
| if (($attributeContext->denormalizationContext[self::SANITIZE_HTML] ?? false) !== true) { | ||
| continue; | ||
| } | ||
| $sanitizer = $this->getSanitizer($attributeContext->denormalizationContext[self::SANITIZER] ?? self::DEFAULT_SANITIZER); | ||
| $sanitizedData[$name] = $this->sanitizeValue($data[$name], $sanitizer, $name); | ||
| $context['sanitized'] = true; | ||
| } | ||
| } | ||
|
|
||
| return $this->denormalizer->denormalize($sanitizedData, $type, $format, $context); | ||
| } | ||
|
|
||
| public function supportsDenormalization(mixed $data, string $type, ?string $format = null, array $context = []): bool | ||
| { | ||
| if (!isset($this->denormalizer)) { | ||
| return false; | ||
| } | ||
|
|
||
| if (!class_exists($type)) { | ||
|
Member
There was a problem hiding this comment. In my previous review, I asked for this serializer to be a serializer applied on the string, not applied at the object level. |
||
| return false; | ||
| } | ||
|
|
||
| if (isset($context['sanitized'])) { | ||
| return false; | ||
| } | ||
|
|
||
| $reflection = new \ReflectionClass($type); | ||
| foreach ($reflection->getProperties() as $property) { | ||
| foreach ($property->getAttributes(Context::class) as $attribute) { | ||
| $attributeContext = $attribute->newInstance(); | ||
| if (($attributeContext->denormalizationContext[self::SANITIZE_HTML] ?? false) === true) { | ||
| return true; | ||
| } | ||
| } | ||
| } | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
| private function sanitizeValue(mixed $value, HtmlSanitizerInterface $sanitizer, string $propertyName): mixed | ||
| { | ||
| return match (true) { | ||
| \is_string($value) => $sanitizer->sanitize($value), | ||
| \is_array($value) => array_map(static function ($v) use ($sanitizer, $propertyName) { | ||
| if (!\is_string($v)) { | ||
| throw new LogicException(\sprintf('Cannot sanitize property "%s". Only string items are supported.', $propertyName)); | ||
| } | ||
|
|
||
| return $sanitizer->sanitize($v); | ||
| }, $value), | ||
| default => throw new LogicException(\sprintf('Cannot sanitize property "%s". Only string or array of strings are supported.', $propertyName)), | ||
| }; | ||
| } | ||
|
|
||
| private function getSanitizer(string $name): HtmlSanitizerInterface | ||
| { | ||
| if (!$this->sanitizers->has($name)) { | ||
| throw new LogicException(\sprintf('Sanitizer "%s" is not defined in the container.', $name)); | ||
| } | ||
|
|
||
| $sanitizer = $this->sanitizers->get($name); | ||
| if (!$sanitizer instanceof HtmlSanitizerInterface) { | ||
| throw new LogicException(\sprintf('Sanitizer "%s" must implement HtmlSanitizerInterface.', $name)); | ||
| } | ||
|
|
||
| return $sanitizer; | ||
| } | ||
| } | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\Serializer\Tests\Fixtures\Attributes; | ||
|
|
||
| use Symfony\Component\Serializer\Attribute\Context; | ||
| use Symfony\Component\Serializer\Normalizer\SanitizeDenormalizer; | ||
|
|
||
| /** | ||
| * @author Mohamed Senoussi <lesfootix@gmail.com> | ||
| */ | ||
| class SanitizeDummy | ||
| { | ||
| public function __construct( | ||
| public string $id, | ||
| public string $firstName, | ||
| public string $lastName, | ||
| #[Context( | ||
| denormalizationContext: [ SanitizeDenormalizer::SANITIZE_HTML => true ], | ||
| )] | ||
| public string $bio | ||
| ) {} | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\Serializer\Tests\Fixtures\Attributes; | ||
|
|
||
| /** | ||
| * @author Mohamed Senoussi <lesfootix@gmail.com> | ||
| */ | ||
| class SanitizeDummyWithArrayOfObject | ||
| { | ||
| public function __construct( | ||
| public string $id, | ||
| /** @var SanitizeDummy[] */ | ||
| public array $objects, | ||
| ) {} | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\Serializer\Tests\Fixtures\Attributes; | ||
|
|
||
| use Symfony\Component\Serializer\Attribute\Context; | ||
| use Symfony\Component\Serializer\Normalizer\SanitizeDenormalizer; | ||
|
|
||
| /** | ||
| * @author Mohamed Senoussi <lesfootix@gmail.com> | ||
| */ | ||
| class SanitizeDummyWithArrayOfString | ||
| { | ||
| public function __construct( | ||
| public string $id, | ||
| /** @var string[] */ | ||
| #[Context(denormalizationContext: [ SanitizeDenormalizer::SANITIZE_HTML => true ])] | ||
| public array $strings, | ||
| ) {} | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\Serializer\Tests\Fixtures\Attributes; | ||
|
|
||
| use Symfony\Component\Serializer\Attribute\Context; | ||
| use Symfony\Component\Serializer\Normalizer\SanitizeDenormalizer; | ||
|
|
||
| /** | ||
| * @author Mohamed Senoussi <lesfootix@gmail.com> | ||
| */ | ||
| class SanitizeDummyWithCustomSanitizer | ||
| { | ||
| public function __construct( | ||
| #[Context(denormalizationContext: [ SanitizeDenormalizer::SANITIZE_HTML => true, SanitizeDenormalizer::SANITIZER => 'custom' ])] | ||
| public string $foo | ||
| ) {} | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\Serializer\Tests\Fixtures\Attributes; | ||
|
|
||
| use Symfony\Component\Serializer\Attribute\Context; | ||
| use Symfony\Component\Serializer\Normalizer\SanitizeDenormalizer; | ||
|
|
||
| /** | ||
| * @author Mohamed Senoussi <lesfootix@gmail.com> | ||
| */ | ||
| class SanitizeDummyWithInvalidArray | ||
| { | ||
| public function __construct( | ||
| /** | ||
| * @var int[] | ||
| */ | ||
| #[Context(denormalizationContext: [ SanitizeDenormalizer::SANITIZE_HTML => true ])] | ||
| public array $foo | ||
| ) {} | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\Serializer\Tests\Fixtures\Attributes; | ||
|
|
||
| use Symfony\Component\Serializer\Attribute\Context; | ||
| use Symfony\Component\Serializer\Normalizer\SanitizeDenormalizer; | ||
|
|
||
| /** | ||
| * @author Mohamed Senoussi <lesfootix@gmail.com> | ||
| */ | ||
| class SanitizeDummyWithInvalidType | ||
| { | ||
| public function __construct( | ||
| #[Context(denormalizationContext: [ SanitizeDenormalizer::SANITIZE_HTML => true ])] | ||
| public int $foo | ||
| ) {} | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| <?php | ||
|
|
||
| /* | ||
| * This file is part of the Symfony package. | ||
| * | ||
| * (c) Fabien Potencier <fabien@symfony.com> | ||
| * | ||
| * For the full copyright and license information, please view the LICENSE | ||
| * file that was distributed with this source code. | ||
| */ | ||
|
|
||
| namespace Symfony\Component\Serializer\Tests\Fixtures\Attributes; | ||
|
|
||
| /** | ||
| * @author Mohamed Senoussi <lesfootix@gmail.com> | ||
| */ | ||
| class SanitizeDummyWithObject | ||
| { | ||
| public function __construct( | ||
| public string $id, | ||
| public SanitizeDummy $object, | ||
| ) {} | ||
| } |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this denormalizer needs to be removed from the config when the html-sanitizer component is not enabled (see how we handle other cross-component features in FrameworkExtension).