[HtmlSanitizer] Remove srcdoc from allowed attributes

Spomky · nicolas-grekas · commit 03f9c2eed8ca · 2025-10-29T10:25:59.000+01:00
The `srcdoc` attribute is unlisted from the standard attributes to prevent potential misconfiguration.
It must now be explicitly enabled, and it is STRONGLY advised to `-&gt;forceAttribute('iframe', 'sandbox', '')` when doing so.
A new test ensures that `&lt;iframe&gt;` elements with unsafe attributes, including `srcdoc`, are sanitized correctly.
diff --git a/Reference/W3CReference.php b/Reference/W3CReference.php
@@ -368,7 +368,7 @@ final class W3CReference
         'span' => true,
         'spellcheck' => true,
         'src' => true,
-        'srcdoc' => true,
+        // 'srcdoc' => false, // XSS vector if not properly sandboxed, should be enabled explicitly with ->allowAttribute('srcdoc', 'iframe')->forceAttribute('iframe', 'sandbox', '')
         'srclang' => true,
         'srcset' => true,
         'standby' => true,
diff --git a/Tests/Fixtures/baseline-attribute-allow-list.json b/Tests/Fixtures/baseline-attribute-allow-list.json
@@ -182,7 +182,6 @@
   "span",
   "spellcheck",
   "src",
-  "srcdoc",
   "srclang",
   "srcset",
   "standby",
diff --git a/Tests/HtmlSanitizerAllTest.php b/Tests/HtmlSanitizerAllTest.php
@@ -568,6 +568,23 @@ public static function provideSanitizeBody()
         }
     }
 
+    public function testIFrameDefaultsAreSafe()
+    {
+        $sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())
+            ->allowElement('iframe', '*')
+        );
+        $input = '<iframe src="javascript:alert()" onload="alert()" srcdoc="<script>alert()</script>">XSS</iframe>';
+        $this->assertSame('<iframe>XSS</iframe>', $sanitizer->sanitize($input));
+
+        $sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())
+            ->allowElement('iframe', '*')
+            ->allowAttribute('srcdoc', 'iframe')
+            ->forceAttribute('iframe', 'sandbox', '')
+        );
+        $input = '<iframe src="javascript:alert()" onload="alert()" srcdoc="<script>alert()</script>">XSS-prevented by sandbox</iframe>';
+        $this->assertSame('<iframe srcdoc="&lt;script&gt;alert()&lt;/script&gt;" sandbox>XSS-prevented by sandbox</iframe>', $sanitizer->sanitize($input));
+    }
+
     public function testUnlimitedLength()
     {
         $sanitizer = new HtmlSanitizer((new HtmlSanitizerConfig())->withMaxInputLength(-1));
diff --git a/Tests/HtmlSanitizerConfigTest.php b/Tests/HtmlSanitizerConfigTest.php
@@ -109,7 +109,7 @@ public function testAllowElementStandardAttributes()
         $config = new HtmlSanitizerConfig();
         $config = $config->allowElement('div', '*');
         $this->assertSame(['div'], array_keys($config->getAllowedElements()));
-        $this->assertCount(211, $config->getAllowedElements()['div']);
+        $this->assertCount(210, $config->getAllowedElements()['div']);
         $this->assertSame([], $config->getBlockedElements());
     }
 

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ public function testAllowElementStandardAttributes()`
`109`	`109`	`$config = new HtmlSanitizerConfig();`
`110`	`110`	`$config = $config->allowElement('div', '*');`
`111`	`111`	`$this->assertSame(['div'], array_keys($config->getAllowedElements()));`
`112`		`- $this->assertCount(211, $config->getAllowedElements()['div']);`
	`112`	`+ $this->assertCount(210, $config->getAllowedElements()['div']);`
`113`	`113`	`$this->assertSame([], $config->getBlockedElements());`
`114`	`114`	`}`
`115`	`115`