Html Sanitizer Laravel Package

typo3/html-sanitizer

Standalone PHP HTML sanitizer from TYPO3. Define sanitizing rules via Behavior, apply multiple Visitors, and run through a Sanitizer built from reusable presets. Supports safe tag/attribute allowlists, value validation (e.g., regex), and encoding or removing invalid nodes.

Technical Evaluation

Architecture Fit

  • Modular & Extensible: The package follows a declarative pattern (Behavior + Visitor + Builder), making it highly adaptable to custom sanitization rules. This aligns well with Laravel’s dependency injection and service container patterns, allowing for seamless integration into existing Laravel services or middleware.
  • XSS Mitigation Focus: Specialized for XSS-safe markup, it complements Laravel’s built-in security layers (e.g., Blade auto-escaping) but provides fine-grained control for user-generated HTML (e.g., rich-text editors, CMS content).
  • Immutable Design: The Behavior class enforces immutability (e.g., withTags(), withoutNodes()), which aligns with Laravel’s functional programming trends and reduces side effects in sanitization logic.

Integration Feasibility

  • Laravel Compatibility:
    • PHP 8.1+: Fully compatible with Laravel’s latest LTS (PHP 8.2+).
    • DOM Extension: Requires PHP’s dom extension (enabled by default in Laravel).
    • No Framework Lock-in: Agnostic to TYPO3, making it a drop-in solution for Laravel’s HTML sanitization needs.
  • Middleware Integration: Can be wrapped in Laravel’s middleware (e.g., SanitizeHtmlMiddleware) to sanitize input/output globally.
  • Service Provider: Can be bootstrapped as a Laravel service (e.g., HtmlSanitizerServiceProvider) with configurable presets (e.g., CommonBuilder, StrictBuilder).

Technical Risk

  • Learning Curve:
    • Behavior/Visitor Pattern: Requires understanding of declarative sanitization rules (e.g., Tag::ALLOW_CHILDREN, Attr::MANDATORY). Documentation is sparse but examples (e.g., CommonBuilder) provide a starting point.
    • DOM Manipulation: The underlying use of DOMDocument may be unfamiliar to Laravel developers accustomed to simpler string-based HTML helpers (e.g., str_get_html).
  • Performance Overhead:
    • DOM Parsing: Sanitizing large HTML strings (e.g., CMS pages) could introduce latency. Benchmark against alternatives like HTMLPurifier or DOMSanitizer.
    • Memory Usage: DOM operations are memory-intensive; test with high-volume inputs.
  • Edge Cases:
    • Custom Elements: The ALLOW_CUSTOM_ELEMENTS flag enables hyphenated tags (e.g., <my-component>), which may conflict with Laravel’s Blade components or Tailwind CSS.
    • Attribute Validation: Regex-based validation (e.g., RegExpAttrValue) requires careful tuning to avoid false positives/negatives.
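To make the Behavior/Tag/Attr pattern and the RegExpAttrValue tuning concrete, here is an added example (not code from this page or from the typo3/html-sanitizer project): a strict preset implementing the package's BuilderInterface, the class the \App\Sanitizer\StrictBuilder entry in the config below refers to. The allowlist and the href pattern are assumptions chosen for illustration.

```php
<?php
// app/Sanitizer/StrictBuilder.php (added example; the allowlist below is an assumption, not a package preset)
namespace App\Sanitizer;

use TYPO3\HtmlSanitizer\Behavior;
use TYPO3\HtmlSanitizer\Behavior\Attr;
use TYPO3\HtmlSanitizer\Behavior\RegExpAttrValue;
use TYPO3\HtmlSanitizer\Behavior\Tag;
use TYPO3\HtmlSanitizer\Builder\BuilderInterface;
use TYPO3\HtmlSanitizer\Sanitizer;
use TYPO3\HtmlSanitizer\Visitor\CommonVisitor;

final class StrictBuilder implements BuilderInterface
{
    public function build(): Sanitizer
    {
        // Accept only absolute http(s) URLs or site-relative paths (not protocol-relative "//host").
        // Anything else (javascript:, data:, vbscript:, ...) fails the regex and the attribute is dropped;
        // because the attribute is MANDATORY, the <a> is then treated as invalid as well.
        $href = (new Attr('href', Attr::MANDATORY))
            ->addValues(new RegExpAttrValue('#^(https?://|/(?!/))#i'));

        $behavior = (new Behavior())
            // Tags not on the allowlist are encoded as text instead of silently removed, so content
            // is visible but inert; children of tags declared without ALLOW_CHILDREN (e.g. <br>) are removed.
            ->withFlags(Behavior::ENCODE_INVALID_TAG | Behavior::REMOVE_UNEXPECTED_CHILDREN)
            ->withTags(
                new Tag('p', Tag::ALLOW_CHILDREN),
                new Tag('b', Tag::ALLOW_CHILDREN),
                new Tag('i', Tag::ALLOW_CHILDREN),
                new Tag('ul', Tag::ALLOW_CHILDREN),
                new Tag('li', Tag::ALLOW_CHILDREN),
                new Tag('br'),
                // A link that loses its only attribute is purged rather than left as a bare <a>.
                (new Tag('a', Tag::ALLOW_CHILDREN | Tag::PURGE_WITHOUT_ATTRS))->addAttrs($href),
            );

        // The Behavior is immutable; both the Sanitizer and its Visitor receive the same instance.
        return new Sanitizer($behavior, new CommonVisitor($behavior));
    }
}
```

Run `(new StrictBuilder())->build()->sanitize($html)` on untrusted markup; the regex is the place to widen or tighten the accepted URL schemes when false positives or negatives show up.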

Key Questions

  1. Use Case Priority:
    • Is this for user-generated content (e.g., comments, rich-text fields) or system-generated HTML (e.g., email templates)?
    • Do you need predefined presets (e.g., CommonBuilder) or fully custom rules?
  2. Performance Requirements:
    • Will this sanitize small snippets (e.g., 1KB) or large documents (e.g., 10MB)?
    • Are there throughput benchmarks for your expected workload?
  3. Maintenance Trade-offs:
    • Should you extend the package (e.g., custom visitors) or wrap it (e.g., Laravel facade)?
    • How will you handle future breaking changes (e.g., CommonBuilder deprecations)?
  4. Alternatives:

Integration Approach

Stack Fit

  • Laravel Ecosystem:
    • Request/Response: Integrate as middleware to sanitize:
      • User input (e.g., request()->input('html_content')).
      • Blade output (e.g., @sanitize($unsafeHtml)).
    • Validation: Extend Laravel’s FormRequest with custom sanitization rules:
      public function rules() {
          return [
              'bio' => ['required', new SanitizeHtmlRule($this->sanitizer)],
          ];
      }
      
    • Artisan Commands: Sanitize CLI-generated HTML (e.g., email templates).
  • Testing:
    • Use Laravel’s HTTP feature tests to verify sanitization of malicious payloads (e.g., <script>alert(1)</script>).
    • Mock Sanitizer in unit tests with createMock(Sanitizer::class).

Migration Path

  1. Pilot Phase:
    • Start with non-critical HTML (e.g., user avatars, non-executable fields).
    • Use CommonBuilder as a baseline, then customize.
  2. Incremental Rollout:
    • Phase 1: Sanitize input (e.g., form submissions).
    • Phase 2: Sanitize output (e.g., Blade templates).
    • Phase 3: Replace legacy strip_tags() calls with Sanitizer.
  3. Deprecation Strategy:
    • Wrap legacy sanitization in a decorator pattern to ease transition:
      class LegacySanitizerDecorator implements SanitizerInterface {
          public function sanitize(string $html): string {
              return strip_tags($html, '<b><i><u>');
          }
      }
      

Compatibility

  • Laravel Versions:
    • Tested on Laravel 10+ (PHP 8.1+). For older versions, ensure dom extension is enabled.
  • Package Conflicts:
    • No known conflicts with Laravel core or popular packages (e.g., spatie/laravel-html).
    • Avoid naming collisions (e.g., Behavior class may shadow Laravel’s Illuminate\Support\Behavior).
  • Database Storage:
    • If storing sanitized HTML in MySQL, ensure the column uses TEXT (not VARCHAR) to avoid truncation.

Sequencing

  1. Setup:
    • Install via Composer:
      composer require typo3/html-sanitizer
      
    • Publish config (if needed) to config/sanitizer.php:
      return [
          'presets' => [
              'default' => \TYPO3\HtmlSanitizer\Builder\CommonBuilder::class,
              'strict'  => \App\Sanitizer\StrictBuilder::class,
          ],
      ];
      
  2. Configuration:
    • Register a service provider:
      // app/Providers/SanitizerServiceProvider.php
      use TYPO3\HtmlSanitizer\Sanitizer;

      public function register() {
          $this->app->singleton(Sanitizer::class, function ($app) {
              // The config entry is a builder class name; instantiate it and let build() return the Sanitizer.
              $builderClass = $app['config']['sanitizer.presets.default'];
              return (new $builderClass())->build();
          });
      }
      
  3. Usage:
    • Middleware:
      // app/Http/Middleware/SanitizeHtml.php (the Sanitizer is constructor-injected into $this->sanitizer)
      public function handle($request, Closure $next) {
          $request->merge([
              // Read the input field explicitly; a missing field falls back to an empty string.
              'sanitized_content' => $this->sanitizer->sanitize((string) $request->input('content', '')),
          ]);
          return $next($request);
      }
      
    • Facade:
      // app/Facades/Sanitizer.php
      // Static helper that resolves the shared Sanitizer singleton from the container
      // (a thin wrapper, not an Illuminate Facade subclass). The package class must be
      // fully qualified here, since Sanitizer::class in this file would name the wrapper itself.
      public static function clean(string $html): string {
          return app(\TYPO3\HtmlSanitizer\Sanitizer::class)->sanitize($html);
      }
      
    • Blade Directive:
      // app/Providers/BladeServiceProvider.php
      Blade::directive('sanitize', function ($expression) {
          return "<?php echo app(\TYPO3\HtmlSanitizer\Sanitizer::class)->sanitize({$expression}); ?>";
      });
      
      Usage: @sanitize($unsafeHtml)

Operational Impact

Maintenance

  • Dependency Updates:
    • Monitor for breaking changes (e.g., CommonBuilder deprecations in v3.0).
    • Pin version in composer.json if stability is critical:
      "typo3/html-sanitizer": "^2.3"
      
  • Custom Rules:
    • Document custom Behavior/Visitor implementations in a SANITIZATION_RULES.md file.
    • Use PHPStan or Psalm to catch misconfigurations (e.g., invalid tag names).
  • Testing:
    • Add XSS test vectors to your test suite (e.g., OWASP XSS Payloads).
    • Example test case:
      public function test_s
      
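An added example (not from the page or the package) that fills out the test-case idea above as a self-contained PHPUnit test: it runs a few constructed XSS payloads through the package's CommonBuilder preset and asserts that the live markup does not survive, plus a regression check that benign markup is preserved. The class name and payloads are constructed for illustration.

```php
<?php
// tests/Unit/HtmlSanitizerXssTest.php (added example; the payloads are constructed samples)
namespace Tests\Unit;

use PHPUnit\Framework\Attributes\DataProvider;
use PHPUnit\Framework\TestCase;
use TYPO3\HtmlSanitizer\Builder\CommonBuilder;
use TYPO3\HtmlSanitizer\Sanitizer;

final class HtmlSanitizerXssTest extends TestCase
{
    private Sanitizer $sanitizer;

    protected function setUp(): void
    {
        // The package's baseline preset; swap in your own BuilderInterface implementation to test it instead.
        $this->sanitizer = (new CommonBuilder())->build();
    }

    /** Each row: payload, and a marker that must not survive as live markup. */
    public static function xssVectors(): iterable
    {
        yield 'script tag'      => ['<p>hi</p><script>alert(1)</script>', '<script'];
        yield 'event handler'   => ['<p onclick="alert(1)">hi</p>', 'onclick'];
        yield 'javascript href' => ['<a href="javascript:alert(1)">x</a>', 'javascript:'];
        yield 'foreign element' => ['<svg><script>alert(1)</script></svg>', '<svg'];
    }

    #[DataProvider('xssVectors')]
    public function test_payload_is_neutralized(string $payload, string $marker): void
    {
        $clean = $this->sanitizer->sanitize($payload);
        // With ENCODE_INVALID_TAG the tag may survive as encoded text (&lt;script&gt;), which is inert;
        // the marker only matches a real, unencoded tag or attribute.
        $this->assertStringNotContainsStringIgnoringCase($marker, $clean);
    }

    public function test_benign_markup_is_preserved(): void
    {
        $input = '<p><b>bold</b> and <a href="https://example.com">link</a></p>';
        $this->assertSame($input, $this->sanitizer->sanitize($input));
    }
}
```

Extend xssVectors with rows from the OWASP XSS payload list as the suite grows; each row documents one category the preset must keep handling across package upgrades.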