@@ -473,6 +473,100 @@ This can also be used to remove elements from the allow list.
473473 ->dropElement('figure')
474474 );
475475
476+ html-sanitizer-default-action :
477+
478+ Default Action for Unconfigured Elements
479+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
480+
481+ .. versionadded :: 7.2
482+
483+ The ``defaultAction() `` method was introduced in Symfony 7.2.
484+
485+ By default, elements that are not explicitly allowed, blocked, or dropped
486+ will be removed along with their children. You can change this behavior
487+ by configuring the default action using the ``defaultAction() `` method.
488+
489+ The method accepts an ``HtmlSanitizerAction `` enum with three possible values:
490+
491+ * ``HtmlSanitizerAction::Drop `` (default): Remove the element and its children
492+ * ``HtmlSanitizerAction::Block ``: Remove the element but keep its children
493+ * ``HtmlSanitizerAction::Allow ``: Keep the element (without any attributes)
494+
495+ .. configuration-block ::
496+
497+ .. code-block :: yaml
498+
499+ # config/packages/html_sanitizer.yaml
500+ framework :
501+ html_sanitizer :
502+ sanitizers :
503+ app.post_sanitizer :
504+ # set the default action for unconfigured elements
505+ default_action : ' block' # or 'allow', 'drop'
506+ allow_elements :
507+ p : ' *'
508+
509+ code-block :: xml
510+
511+ <!-- config/packages/html_sanitizer.xml -->
512+ <?xml version =" 1.0" encoding =" UTF-8"
513+ <container xmlns =" http://symfony.com/schema/dic/services"
514+ xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
515+ xmlns : framework =" http://symfony.com/schema/dic/symfony"
516+ xsi : schemaLocation =" http://symfony.com/schema/dic/services
517+ https://symfony.com/schema/dic/services/services-1.0.xsd
518+ http://symfony.com/schema/dic/symfony https://symfony.com/schema/dic/symfony/symfony-1.0.xsd" >
519+
520+ <framework : config >
521+ <framework : html-sanitizer >
522+ <!-- set the default action for unconfigured elements -->
523+ <framework : sanitizer name =" app.post_sanitizer" default-action =" block"
524+ <framework : allow-element name =" p"
525+ <framework : attribute >*</framework : attribute >
526+ </framework : allow-element >
527+ </framework : sanitizer >
528+ </framework : html-sanitizer >
529+ </framework : config >
530+ </container >
531+
532+ code-block :: php
533+
534+ // config/packages/framework.php
535+ use Symfony\Config\FrameworkConfig;
536+
537+ return static function (FrameworkConfig $framework): void {
538+ $framework->htmlSanitizer()
539+ ->sanitizer('app.post_sanitizer')
540+ // set the default action for unconfigured elements
541+ ->defaultAction('block') // or 'allow', 'drop'
542+ ->allowElement('p', '*')
543+ ;
544+ };
545+
546+ code-block :: php-standalone
547+
548+ use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
549+ use Symfony\Component\HtmlSanitizer\HtmlSanitizerAction;
550+ use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
551+
552+ $postSanitizer = new HtmlSanitizer(
553+ (new HtmlSanitizerConfig())
554+ // set the default action for unconfigured elements
555+ ->defaultAction(HtmlSanitizerAction::Block)
556+ ->allowElement('p')
557+ );
558+
559+
560+ explicitly configured (e.g., ``<span> ``), the sanitizer will remove the
561+ ``<span> `` element but keep its children, instead of dropping both the
562+ element and its children.
563+
564+ .. note ::
565+
566+ When using ``HtmlSanitizerAction::Allow `` as the default action, the
567+ unconfigured elements will be preserved but without any attributes for
568+ security reasons.
569+
476570Allow Attributes
477571~~~~~~~~~~~~~~~~
478572
0 commit comments