Content filtering: Updated config and readme attribution

.env.example.complete

@@ -351,10 +351,25 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
 # Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
 WKHTMLTOPDF=false
 
-# Allow <script> tags in page content
+# Allow JavaScript, and other potentiall dangerous content in page content.
+# This also removes CSP-level JavaScript control.
 # Note, if set to 'true' the page editor may still escape scripts.
+# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
+# effectively sets APP_CONTENT_FILTERING='' (No filtering)
 ALLOW_CONTENT_SCRIPTS=false
 
+# Control the behaviour of content filtering, primarily used for page content.
+# This setting is a string of characters which represent different available filters:
+# - j - Filter out JavaScript and unknown binary data based content
+# - h - Filter out unexpected, and potentially dangerous, HTML elements
+# - f - Filter out unexpected form elements
+# - a - Run content through a more complex allowlist filter
+# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
+# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
+# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
+# to ensure you are always using the full range of filters.
+APP_CONTENT_FILTERING="jfha"
+
 # Indicate if robots/crawlers should crawl your instance.
 # Can be 'true', 'false' or 'null'.
 # The behaviour of the default 'null' option will depend on the 'app-public' admin setting.

app/Config/app.php

@@ -37,21 +37,14 @@ return [
     // The limit for all uploaded files, including images and attachments in MB.
     'upload_limit' => env('FILE_UPLOAD_SIZE_LIMIT', 50),
 
-    // Allow <script> tags to entered within page content.
-    // <script> tags are escaped by default.
-    // Even when overridden the WYSIWYG editor may still escape script content.
-    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
-
     // Control the behaviour of content filtering, primarily used for page content.
-    // This setting is a collection of characters which represent different available filters:
+    // This setting is a string of characters which represent different available filters:
     // - j - Filter out JavaScript and unknown binary data based content
     // - h - Filter out unexpected, and potentially dangerous, HTML elements
     // - f - Filter out unexpected form elements
-    // - a - Run content through a more complex allow-list filter
+    // - a - Run content through a more complex allowlist filter
     // This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
-    // Note: These filters are a best attempt, and may not be 100% effective. They are typically a layer used in addition to other security measures.
-    // TODO - Add to example env
-    // TODO - Remove allow_content_scripts option above
+    // Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
     'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
 
     // Allow server-side fetches to be performed to potentially unknown

readme.md

@@ -155,7 +155,7 @@ The website which contains the project docs & blog can be found in the [BookStac
 The BookStack source is provided under the [MIT License](https://github.com/BookStackApp/BookStack/blob/development/LICENSE). 
 
 The libraries used by, and included with, BookStack are provided under their own licenses and copyright.
-The licenses for many of our core dependencies can be found in the attribution list below but this is not an exhaustive list of all projects used within BookStack. 
+The licenses for many of our core dependencies can be found in the attribution list below, but this is not an exhaustive list of all projects used within BookStack. 
 
 ## 👪 Attribution
 
@@ -187,5 +187,6 @@ Note: This is not an exhaustive list of all libraries and projects that would be
 * [PHPStan](https://phpstan.org/) & [Larastan](https://github.com/nunomaduro/larastan) - _[MIT](https://github.com/phpstan/phpstan/blob/master/LICENSE) and [MIT](https://github.com/nunomaduro/larastan/blob/master/LICENSE.md)_
 * [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) - _[BSD 3-Clause](https://github.com/squizlabs/PHP_CodeSniffer/blob/master/licence.txt)_
 * [JakeArchibald/IDB-Keyval](https://github.com/jakearchibald/idb-keyval) - _[Apache-2.0](https://github.com/jakearchibald/idb-keyval/blob/main/LICENCE)_
+* [HTML Purifier](https://github.com/ezyang/htmlpurifier) and [htmlpurifier-html5](https://github.com/xemlock/htmlpurifier-html5) - _[LGPL-2.1](https://github.com/ezyang/htmlpurifier/blob/master/LICENSE) and [MIT](https://github.com/xemlock/htmlpurifier-html5/blob/master/LICENSE)_
 
-For a detailed breakdown of the JavaScript & PHP projects imported & used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files. 
+For a detailed breakdown of the JavaScript & PHP projects imported and used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files. 

tests/Unit/ConfigTest.php

@@ -177,6 +177,13 @@ class ConfigTest extends TestCase
         });
     }
 
+    public function test_content_filtering_can_be_disabled()
+    {
+        $this->runWithEnv(['APP_CONTENT_FILTERING' => "", 'ALLOW_CONTENT_SCRIPTS' => null], function () {
+            $this->assertEquals('', config('app.content_filtering'));
+        });
+    }
+
     public function test_allow_content_scripts_disables_content_filtering()
     {
         $this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => 'true'], function () {