fix: sanitize error output in server validation logs

Escape dynamic error messages with htmlspecialchars() before concatenating into HTML strings stored in validation_logs. Add a Purify-based mutator on Server model as defense-in-depth, with a dedicated HTMLPurifier config that allows only safe structural tags. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-14 03:19:51 +00:00 · 2026-03-26 18:36:36 +01:00
parent e39678aea5
commit 103d5b6c06
7 changed files with 102 additions and 5 deletions
@@ -49,6 +49,17 @@ return [
            'AutoFormat.RemoveEmpty' => false,
        ],

+        'validation_logs' => [
+            'Core.Encoding' => 'utf-8',
+            'HTML.Doctype' => 'HTML 4.01 Transitional',
+            'HTML.Allowed' => 'a[href|title|target|class],br,div[class],pre[class],span[class],p[class]',
+            'HTML.ForbiddenElements' => '',
+            'CSS.AllowedProperties' => '',
+            'AutoFormat.AutoParagraph' => false,
+            'AutoFormat.RemoveEmpty' => false,
+            'Attr.AllowedFrameTargets' => ['_blank'],
+        ],
+
    ],

    /*