starred/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-05-04 18:08:46 +03:00
Code Issues 784 Packages Projects Releases 15 Wiki Activity

Content Filtering: Covered new config options and filters with tests

Browse Source
This commit is contained in:
Dan Brown
2026-02-16 10:11:48 +00:00
parent 035be66ebc
commit 8a221f64e4
5 changed files with 96 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/Config/app.php
View File

@@ -42,17 +42,17 @@ return [
// Even when overridden the WYSIWYG editor may still escape script content.
'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
// Control the behaviour of page content filtering.
// Control the behaviour of content filtering, primarily used for page content.
// This setting is a collection of characters which represent different available filters:
// - j - Filter out JavaScript based content
// - h - Filter out unexpected, potentially dangerous, HTML elements
// - j - Filter out JavaScript and unknown binary data based content
// - h - Filter out unexpected, and potentially dangerous, HTML elements
// - f - Filter out unexpected form elements
// - a - Run content through a more complex allow-list filter
// This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
// Note: These filters are a best attempt, and may not be 100% effective. They are typically a layer used in addition to other security measures.
// TODO - Add to example env
// TODO - Remove allow_content_scripts option above
'content_filtering' => env('CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jfha'),
'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
// Allow server-side fetches to be performed to potentially unknown
// and user-provided locations. Primarily used in exports when loading

3
app/Entities/Tools/PageContent.php
View File

@@ -341,7 +341,8 @@ class PageContent
$contentId = $this->page->id;
$contentTime = $this->page->updated_at?->timestamp ?? time();
$appVersion = AppVersion::get();
return "page-content-cache::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
$filterConfig = config('app.content_filtering') ?? '';
return "page-content-cache::{$filterConfig}::{$appVersion}::{$contentId}::{$contentTime}::{$contentHash}";
}
/**