I have a Symfony website where users can mention others when commenting on posts. When the comments are rendered, if there are <script> tags in them they are also executed as JavaScript.
Example comment in the database: I think <a href="https://www.examplesite.com/burak">@joanna</a> was right
When I render this comment without the "raw" filter, the HTML tags are escaped and the problem disappears. However, the whole link then shows up in the comment text and the mentions are no longer clickable.
I tried the custom filter below but that did not work either.
    class FilterBlackListedExtension extends \Twig_Extension
    {
        private $blacklistedTags = ['script', 'p'];

        public function getFilters()
        {
            return array(
                new \Twig_SimpleFilter('filter_black_listed', array($this, 'htmlFilter')),
            );
        }

        public function htmlFilter($html)
        {
            foreach ($this->blacklistedTags as $tag) {
                // preg_replace() returns the modified string; the original code discarded
                // that return value, so $html was handed back unchanged. The pattern also
                // only matches bare <tag>...</tag> pairs without attributes.
                $html = preg_replace('/(<' . $tag . '>)(.*)(<\/' . $tag . '>)/', '', $html);
            }
            return $html; // maybe even apply the raw filter also afterwards.
        }

        public function getName()
        {
            return 'filter_black_listed_extension';
        }
    }
What I exactly need is a filter that will escape JavaScript but not HTML. Note: I already tried escape("js") and that did not work either. It also brought up hex-like characters in the comment.
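An allowlist sanitizer, added here as an example and not code from the question or from Symfony, that parses the comment with DOMDocument and re-emits only text nodes and <a> elements with an http(s) href, dropping every other tag and attribute. The function and class names and the filter name sanitize_mentions are my own choices, and the registration assumes the Twig 1.x extension API the question already uses.

```php
<?php
// Allowlist approach: rather than deleting blacklisted tags, parse the comment
// and re-emit only what is known safe (text plus <a href="http(s)://..."> mentions).
function isSafeHref(string $href): bool
{
    // Only absolute http(s) URLs pass; javascript:, data:, vbscript: and "//host" are rejected.
    $scheme = strtolower((string) parse_url(trim($href), PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}
function renderSafe(\DOMNode $node): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof \DOMText) {
            // Every text node is escaped again, so a literal "<" in a comment can never open a tag.
            $out .= htmlspecialchars($child->nodeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        } elseif ($child instanceof \DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'a' && isSafeHref($child->getAttribute('href'))) {
                // Allowed element: only href is copied; onclick, style, target etc. are dropped.
                $href = htmlspecialchars($child->getAttribute('href'), ENT_QUOTES | ENT_HTML5, 'UTF-8');
                $out .= '<a href="' . $href . '" rel="nofollow noopener">' . renderSafe($child) . '</a>';
            } elseif ($tag !== 'script' && $tag !== 'style') {
                // Any other element (p, img, iframe, <a> with a bad href): drop the tag, keep its text.
                $out .= renderSafe($child);
            }
            // script/style bodies are dropped entirely; HTML comments and PIs fall through and vanish.
        }
    }
    return $out;
}
function sanitizeMentionHtml(string $html): string
{
    $doc = new \DOMDocument();
    // The encoding hint keeps UTF-8 intact; @ silences libxml warnings on sloppy user markup.
    @$doc->loadHTML('<?xml encoding="UTF-8"?>' . $html);
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body === null ? '' : renderSafe($body);
}
// Hypothetical extension name; is_safe tells Twig the result needs no further escaping,
// so {{ comment|sanitize_mentions }} renders the mention link but never a script.
class MentionSanitizerExtension extends \Twig_Extension
{
    public function getFilters()
    {
        return [new \Twig_SimpleFilter('sanitize_mentions', 'sanitizeMentionHtml', ['is_safe' => ['html']])];
    }
    public function getName() { return 'mention_sanitizer'; }
}
```

For the example comment from the question, the anchor around @joanna survives with its href while a <script> element anywhere in the same comment is removed together with its body.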