fix(formatter): prevent stored XSS by disabling default HTML safety

tuxes3 · tuxes3 · commit b98cb482b080 · 2025-09-22T11:07:25.000-05:00
Formatters no longer treat their output as HTML safe by default. This closes a stored XSS vector where unsanitized user input could inject script content.

Existing formatters must now explicitly implement isHtmlSafe() to return true *and* ensure proper escaping/sanitization before claiming safety.

BREAKING CHANGE: Default formatter behavior changed; outputs are now considered unsafe HTML unless explicitly marked safe. Audit custom formatter implementations.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -45,7 +45,7 @@ jobs:
                   SYMFONY_REQUIRE: ${{ matrix.symfony }}
               uses: ramsey/composer-install@v2
             - name: Run test suite on PHP ${{ matrix.php }} and Symfony ${{ matrix.symfony }}
-              run: vendor/bin/simple-phpunit
+              run: vendor/bin/phpunit
             - name: Run ECS
               run: vendor/bin/ecs
             - name: Run PHPStan
diff --git a/Makefile b/Makefile
@@ -35,6 +35,6 @@ phpstan:
 
 ## PHP Unit tests
 phpunit:
-	vendor/bin/simple-phpunit
+	vendor/bin/phpunit
 
 
diff --git a/composer.json b/composer.json
@@ -27,7 +27,6 @@
         "symfony/translation": "^6.4|^7.0",
         "symfony/form": "^6.4|^7.0",
         "symfony/stopwatch": "^6.4|^7.0",
-        "symfony/test-pack": "^1.1.0",
         "symfony/orm-pack": "^2.4.1"
     },
     "require-dev": {
@@ -38,7 +37,10 @@
         "doctrine/doctrine-bundle": "^2.5.5",
         "whatwedo/php-coding-standard": "^1.0",
         "symfony/twig-bundle": "^6.4|^7.0",
-        "phpstan/phpstan": "^1.7"
+        "phpstan/phpstan": "^1.7",
+        "phpunit/phpunit": "^10",
+        "symfony/test-pack": "^1.0",
+        "slevomat/coding-standard": "8.22.1"
     },
     "autoload": {
         "psr-4": {
diff --git a/src/Formatter/AbstractFormatter.php b/src/Formatter/AbstractFormatter.php
@@ -8,6 +8,8 @@
 
 abstract class AbstractFormatter implements FormatterInterface
 {
+    public const OPT_HTML_SAFE = 'html_safe';
+
     /**
      * @var array<string, mixed>
      */
@@ -34,7 +36,18 @@ public function processOptions(array $options = []): void
         $this->options = $resolver->resolve($options);
     }
 
+    public function isHtmlSafe(): bool
+    {
+        return (bool) ($this->options[self::OPT_HTML_SAFE] ?? false);
+    }
+
+    protected function escapeHTML(string $value): string
+    {
+        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
+    }
+
     protected function configureOptions(OptionsResolver $resolver): void
     {
+        $resolver->setDefault(self::OPT_HTML_SAFE, false);
     }
 }
diff --git a/src/Formatter/BadgeFormatter.php b/src/Formatter/BadgeFormatter.php
@@ -26,7 +26,7 @@ public function getHtml(mixed $value): string
     {
         $this->processOptions(($this->options[self::OPT_CONFIGURATION])($value, $this->options));
         return $this->twig->render($this->options[self::OPT_TEMPLATE], [
-            'value' => $this->getString($value),
+            'value' => $this->escapeHTML($this->getString($value)),
             'type' => $this->options[self::OPT_TYPE],
             'background_color_class' => $this->options[self::OPT_BACKGROUND_COLOR_CLASS],
             'background_color_hex' => $this->options[self::OPT_BACKGROUND_COLOR_HEX],
@@ -43,6 +43,7 @@ protected function configureOptions(OptionsResolver $resolver): void
             self::OPT_TYPE => 'neutral',
             self::OPT_LINK => null,
             self::OPT_CONFIGURATION => static fn (mixed $value, array $options): array => $options,
+            self::OPT_HTML_SAFE => true,
         ]);
         $resolver->setAllowedTypes(self::OPT_BACKGROUND_COLOR_CLASS, ['string', 'null']);
         $resolver->setAllowedTypes(self::OPT_BACKGROUND_COLOR_HEX, ['string', 'null']);
diff --git a/src/Formatter/CollectionFormatter.php b/src/Formatter/CollectionFormatter.php
@@ -5,6 +5,7 @@
 namespace araise\CoreBundle\Formatter;
 
 use Doctrine\Common\Collections\Collection;
+use Symfony\Component\OptionsResolver\OptionsResolver;
 
 class CollectionFormatter extends AbstractFormatter
 {
@@ -29,9 +30,15 @@ public function getHtml(mixed $value): string
         }
         $str = '<ul>';
         foreach ($value as $singleValue) {
-            $str .= '<li>'.$singleValue.'</li>';
+            $str .= '<li>'.$this->escapeHTML($singleValue).'</li>';
         }
 
         return $str.'</ul>';
     }
+
+    protected function configureOptions(OptionsResolver $resolver): void
+    {
+        parent::configureOptions($resolver);
+        $resolver->setDefault(self::OPT_HTML_SAFE, true);
+    }
 }
diff --git a/src/Formatter/EmailFormatter.php b/src/Formatter/EmailFormatter.php
@@ -27,9 +27,9 @@ public function getHtml(mixed $value): string
 
         return $value ? sprintf(
             '<a href="mailto:%s" title="%s">%s</a>',
-            $value,
-            $title,
-            $value
+            $this->escapeHTML($value),
+            $this->escapeHTML($title),
+            $this->escapeHTML($value)
         ) : '';
     }
 }
diff --git a/src/Formatter/Nl2brFormatter.php b/src/Formatter/Nl2brFormatter.php
@@ -4,6 +4,8 @@
 
 namespace araise\CoreBundle\Formatter;
 
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
 class Nl2brFormatter extends AbstractFormatter
 {
     public function getString(mixed $value): string
@@ -13,6 +15,12 @@ public function getString(mixed $value): string
 
     public function getHtml(mixed $value): string
     {
-        return nl2br($value);
+        return nl2br($this->escapeHTML($value));
+    }
+
+    protected function configureOptions(OptionsResolver $resolver): void
+    {
+        parent::configureOptions($resolver);
+        $resolver->setDefault(self::OPT_HTML_SAFE, true);
     }
 }
diff --git a/src/Formatter/TwigFormatter.php b/src/Formatter/TwigFormatter.php
@@ -57,5 +57,6 @@ protected function configureOptions(OptionsResolver $resolver): void
     {
         $resolver->setRequired(self::OPT_TEMPLATE);
         $resolver->setAllowedTypes(self::OPT_TEMPLATE, 'string');
+        $resolver->setDefault(self::OPT_HTML_SAFE, true);
     }
 }
diff --git a/src/Formatter/WysiwygFormatter.php b/src/Formatter/WysiwygFormatter.php
@@ -29,6 +29,8 @@
 
 namespace araise\CoreBundle\Formatter;
 
+use Symfony\Component\OptionsResolver\OptionsResolver;
+
 class WysiwygFormatter extends AbstractFormatter
 {
     public function getString(mixed $value): string
@@ -42,4 +44,10 @@ public function getHtml(mixed $value): string
 
         return $value ? sprintf('<blockquote>%s</blockquote>', $value) : '';
     }
+
+    protected function configureOptions(OptionsResolver $resolver): void
+    {
+        parent::configureOptions($resolver);
+        $resolver->setDefault(self::OPT_HTML_SAFE, true);
+    }
 }
diff --git a/tests/AbstractFormatterTestBase.php b/tests/AbstractFormatterTestBase.php
@@ -8,7 +8,7 @@
 use araise\CoreBundle\Manager\FormatterManager;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 
-abstract class AbstractFormatterTest extends KernelTestCase
+abstract class AbstractFormatterTestBase extends KernelTestCase
 {
     protected function getFormatter(string $formatterClass): FormatterInterface
     {
diff --git a/tests/BadgeFormatterTest.php b/tests/BadgeFormatterTest.php
@@ -4,7 +4,7 @@
 
 use araise\CoreBundle\Formatter\BadgeFormatter;
 
-class BadgeFormatterTest extends AbstractFormatterTest
+class BadgeFormatterTest extends AbstractFormatterTestBase
 {
     public function testGetHtml(): void
     {
diff --git a/tests/BooleanFormatterTest.php b/tests/BooleanFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\BooleanFormatter;
 
-class BooleanFormatterTest extends AbstractFormatterTest
+class BooleanFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/CollectionFormatterTest.php b/tests/CollectionFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\CollectionFormatter;
 
-class CollectionFormatterTest extends AbstractFormatterTest
+class CollectionFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/CountryAlpha2FormatterTest.php b/tests/CountryAlpha2FormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\CountryAlpha2Formatter;
 
-class CountryAlpha2FormatterTest extends AbstractFormatterTest
+class CountryAlpha2FormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/CountryAlpha3FormatterTest.php b/tests/CountryAlpha3FormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\CountryAlpha3Formatter;
 
-class CountryAlpha3FormatterTest extends AbstractFormatterTest
+class CountryAlpha3FormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/DateFormatterTest.php b/tests/DateFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\DateFormatter;
 
-class DateFormatterTest extends AbstractFormatterTest
+class DateFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/DateTimeFormatterTest.php b/tests/DateTimeFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\DateTimeFormatter;
 
-class DateTimeFormatterTest extends AbstractFormatterTest
+class DateTimeFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/DefaultFormatterTest.php b/tests/DefaultFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\DefaultFormatter;
 
-class DefaultFormatterTest extends AbstractFormatterTest
+class DefaultFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/EmailFormatterTest.php b/tests/EmailFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\EmailFormatter;
 
-class EmailFormatterTest extends AbstractFormatterTest
+class EmailFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/EnumFormatterTest.php b/tests/EnumFormatterTest.php
@@ -7,7 +7,7 @@
 use araise\CoreBundle\Formatter\EnumFormatter;
 use araise\CoreBundle\Tests\App\Enum\TestEnum;
 
-class EnumFormatterTest extends AbstractFormatterTest
+class EnumFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/InfoFormatterTest.php b/tests/InfoFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\InfoFormatter;
 
-class InfoFormatterTest extends AbstractFormatterTest
+class InfoFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/MoneyFormatterTest.php b/tests/MoneyFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\MoneyFormatter;
 
-class MoneyFormatterTest extends AbstractFormatterTest
+class MoneyFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/Nl2brFormatterTest.php b/tests/Nl2brFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\Nl2brFormatter;
 
-class Nl2brFormatterTest extends AbstractFormatterTest
+class Nl2brFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/PercentageFormatterTest.php b/tests/PercentageFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\PercentageFormatter;
 
-class PercentageFormatterTest extends AbstractFormatterTest
+class PercentageFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/TranslationFormatterTest.php b/tests/TranslationFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\TranslationFormatter;
 
-class TranslationFormatterTest extends AbstractFormatterTest
+class TranslationFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/TwigFormatterTest.php b/tests/TwigFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\TwigFormatter;
 
-class TwigFormatterTest extends AbstractFormatterTest
+class TwigFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {
diff --git a/tests/Util/StringConverterTest.php b/tests/Util/StringConverterTest.php
@@ -5,13 +5,12 @@
 namespace araise\CoreBundle\Tests\Util;
 
 use araise\CoreBundle\Util\StringConverter;
+use PHPUnit\Framework\Attributes\DataProvider;
 use Symfony\Bundle\FrameworkBundle\Test\KernelTestCase;
 
 class StringConverterTest extends KernelTestCase
 {
-    /**
-     * @dataProvider dataProvider
-     */
+    #[DataProvider('dataProvider')]
     public function testString(mixed $input, string $expected): void
     {
         $output = StringConverter::toString($input);
@@ -23,7 +22,7 @@ public function testString(mixed $input, string $expected): void
     /**
      * @return array<string, array<string, mixed>>
      */
-    public function dataProvider(): array
+    public static function dataProvider(): array
     {
         $objectPlain = new \stdClass();
         $objectStringify = new class() {
diff --git a/tests/WysiwygFormatterTest.php b/tests/WysiwygFormatterTest.php
@@ -6,7 +6,7 @@
 
 use araise\CoreBundle\Formatter\WysiwygFormatter;
 
-class WysiwygFormatterTest extends AbstractFormatterTest
+class WysiwygFormatterTest extends AbstractFormatterTestBase
 {
     public function testFormatter(): void
     {

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,8 @@`
`8`	`8`
`9`	`9`	`abstract class AbstractFormatter implements FormatterInterface`
`10`	`10`	`{`
	`11`	`+ public const OPT_HTML_SAFE = 'html_safe';`
	`12`	`+`
`11`	`13`	`/**`
`12`	`14`	`* @var array<string, mixed>`
`13`	`15`	`*/`
`@@ -34,7 +36,18 @@ public function processOptions(array $options = []): void`
`34`	`36`	`$this->options = $resolver->resolve($options);`
`35`	`37`	`}`
`36`	`38`
	`39`	`+ public function isHtmlSafe(): bool`
	`40`	`+ {`
	`41`	`+ return (bool) ($this->options[self::OPT_HTML_SAFE] ?? false);`
	`42`	`+ }`
	`43`	`+`
	`44`	`+ protected function escapeHTML(string $value): string`
	`45`	`+ {`
	`46`	`+ return htmlspecialchars($value, ENT_QUOTES \| ENT_SUBSTITUTE, 'UTF-8');`
	`47`	`+ }`
	`48`	`+`
`37`	`49`	`protected function configureOptions(OptionsResolver $resolver): void`
`38`	`50`	`{`
	`51`	`+ $resolver->setDefault(self::OPT_HTML_SAFE, false);`
`39`	`52`	`}`
`40`	`53`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`namespace araise\CoreBundle\Formatter;`
`6`	`6`
`7`	`7`	`use Doctrine\Common\Collections\Collection;`
	`8`	`+use Symfony\Component\OptionsResolver\OptionsResolver;`
`8`	`9`
`9`	`10`	`class CollectionFormatter extends AbstractFormatter`
`10`	`11`	`{`
`@@ -29,9 +30,15 @@ public function getHtml(mixed $value): string`
`29`	`30`	`}`
`30`	`31`	`$str = '<ul>';`
`31`	`32`	`foreach ($value as $singleValue) {`
`32`		`- $str .= '<li>'.$singleValue.'</li>';`
	`33`	`+ $str .= '<li>'.$this->escapeHTML($singleValue).'</li>';`
`33`	`34`	`}`
`34`	`35`
`35`	`36`	`return $str.'</ul>';`
`36`	`37`	`}`
	`38`	`+`
	`39`	`+ protected function configureOptions(OptionsResolver $resolver): void`
	`40`	`+ {`
	`41`	`+ parent::configureOptions($resolver);`
	`42`	`+ $resolver->setDefault(self::OPT_HTML_SAFE, true);`
	`43`	`+ }`
`37`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,9 +27,9 @@ public function getHtml(mixed $value): string`
`27`	`27`
`28`	`28`	`return $value ? sprintf(`
`29`	`29`	`'<a href="mailto:%s" title="%s">%s</a>',`
`30`		`- $value,`
`31`		`- $title,`
`32`		`- $value`
	`30`	`+ $this->escapeHTML($value),`
	`31`	`+ $this->escapeHTML($title),`
	`32`	`+ $this->escapeHTML($value)`
`33`	`33`	`) : '';`
`34`	`34`	`}`
`35`	`35`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@`
`4`	`4`
`5`	`5`	`namespace araise\CoreBundle\Formatter;`
`6`	`6`
	`7`	`+use Symfony\Component\OptionsResolver\OptionsResolver;`
	`8`	`+`
`7`	`9`	`class Nl2brFormatter extends AbstractFormatter`
`8`	`10`	`{`
`9`	`11`	`public function getString(mixed $value): string`
`@@ -13,6 +15,12 @@ public function getString(mixed $value): string`
`13`	`15`
`14`	`16`	`public function getHtml(mixed $value): string`
`15`	`17`	`{`
`16`		`- return nl2br($value);`
	`18`	`+ return nl2br($this->escapeHTML($value));`
	`19`	`+ }`
	`20`	`+`
	`21`	`+ protected function configureOptions(OptionsResolver $resolver): void`
	`22`	`+ {`
	`23`	`+ parent::configureOptions($resolver);`
	`24`	`+ $resolver->setDefault(self::OPT_HTML_SAFE, true);`
`17`	`25`	`}`
`18`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -57,5 +57,6 @@ protected function configureOptions(OptionsResolver $resolver): void`
`57`	`57`	`{`
`58`	`58`	`$resolver->setRequired(self::OPT_TEMPLATE);`
`59`	`59`	`$resolver->setAllowedTypes(self::OPT_TEMPLATE, 'string');`
	`60`	`+ $resolver->setDefault(self::OPT_HTML_SAFE, true);`
`60`	`61`	`}`
`61`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,8 @@`
`29`	`29`
`30`	`30`	`namespace araise\CoreBundle\Formatter;`
`31`	`31`
	`32`	`+use Symfony\Component\OptionsResolver\OptionsResolver;`
	`33`	`+`
`32`	`34`	`class WysiwygFormatter extends AbstractFormatter`
`33`	`35`	`{`
`34`	`36`	`public function getString(mixed $value): string`
`@@ -42,4 +44,10 @@ public function getHtml(mixed $value): string`
`42`	`44`
`43`	`45`	`return $value ? sprintf('<blockquote>%s</blockquote>', $value) : '';`
`44`	`46`	`}`
	`47`	`+`
	`48`	`+ protected function configureOptions(OptionsResolver $resolver): void`
	`49`	`+ {`
	`50`	`+ parent::configureOptions($resolver);`
	`51`	`+ $resolver->setDefault(self::OPT_HTML_SAFE, true);`
	`52`	`+ }`
`45`	`53`	`}`