php · symfony/html-sanitizer
Heads-up
symfony/html-sanitizer: Expanded URL sanitization for additional attributes and meta refresh
UrlAttributeSanitizer now sanitizes 'data', 'codebase', 'archive', 'longdesc' attributes.
What changed
UrlAttributeSanitizer, the attribute sanitizer that applies the configured URL scheme and host rules to URL-bearing attributes, now also covers the 'data', 'codebase', 'archive' and 'longdesc' attributes. These attributes carry URLs (object data, applet codebase and archive, img and iframe longdesc) but were not previously routed through it, so a value such as javascript:... in them was not subject to the same scheme checks as href or src. A new MetaRefreshAttributeSanitizer extracts the URL embedded in the content attribute of <meta http-equiv="refresh" content="..."> and sanitizes it the same way.
Who it affects
Integrators whose HtmlSanitizerConfig explicitly allows elements that carry URLs in these attributes, for example <object> with data, <applet> with codebase or archive, <img> or <iframe> with longdesc, or <meta> with http-equiv and content, via allowElement() or allowAttribute(). Default configurations do not allow these elements or attributes and are not affected.
What to do today
Update symfony/html-sanitizer to a patched release of whichever supported branch you are on (6.4, 7.4, 8.0 or 8.1) so that URL sanitization covers the newly added attributes and meta refresh. Confirm the installed version afterwards and, if your configuration allows any of the elements above, re-run your sanitizer tests with javascript: URLs placed in those attributes.
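The following is an added verification script, not code from the advisory or from symfony/html-sanitizer itself. It builds a deliberately permissive HtmlSanitizerConfig of the kind the advisory describes, feeds it a constructed payload with a javascript: URL in each of the newly covered attributes, and reports which attributes still carry such a URL after sanitization. The element and attribute names come from the advisory; the probe markup, the use of sanitizeFor('head', ...) for the <meta> case, and the simple attribute-scanning regex are assumptions made for this example. An empty result on a patched release is the expected outcome; a non-empty one means the installed version does not cover that attribute.

```php
<?php
// Added example, not part of symfony/html-sanitizer or the advisory.
// Assumes a Composer-managed project with symfony/html-sanitizer installed.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;

// A permissive configuration of the kind the advisory warns about: it
// explicitly allows elements whose attributes carry URLs.
function buildPermissiveConfig(): HtmlSanitizerConfig
{
    return (new HtmlSanitizerConfig())
        ->allowSafeElements()
        // Attributes the advisory says UrlAttributeSanitizer now covers.
        ->allowElement('object', ['data', 'type'])
        ->allowElement('applet', ['codebase', 'archive'])
        ->allowElement('img', ['src', 'alt', 'longdesc'])
        ->allowElement('iframe', ['src', 'longdesc'])
        // <meta http-equiv="refresh"> is handled by MetaRefreshAttributeSanitizer.
        ->allowElement('meta', ['http-equiv', 'content'])
        // Only http/https are acceptable schemes for links and media.
        ->allowLinkSchemes(['http', 'https'])
        ->allowMediaSchemes(['http', 'https']);
}

// Constructed probe input (assumption): a javascript: URL in every attribute
// named by the advisory. Body-context markup and head-context markup are
// kept separate because <meta> belongs in <head>.
const BODY_PROBE = <<<'HTML'
<object data="javascript:alert(1)"></object>
<applet codebase="javascript:alert(2)" archive="javascript:alert(3)"></applet>
<img src="https://example.com/a.png" alt="x" longdesc="javascript:alert(4)">
<iframe src="https://example.com/" longdesc="javascript:alert(5)"></iframe>
HTML;

const HEAD_PROBE = '<meta http-equiv="refresh" content="0; url=javascript:alert(6)">';

/**
 * Sanitizes the probes and returns the names of attributes whose value still
 * contains a javascript: URL afterwards. An empty array means every probed
 * attribute was neutralised by the installed version.
 */
function findSurvivingJavascriptUrls(HtmlSanitizerConfig $config): array
{
    $sanitizer = new HtmlSanitizer($config);

    $outputs = [
        $sanitizer->sanitize(BODY_PROBE),            // body context
        $sanitizer->sanitizeFor('head', HEAD_PROBE), // head context for <meta>
    ];

    $surviving = [];
    foreach ($outputs as $output) {
        // Crude attribute scan (assumption): good enough for this probe markup,
        // not a general HTML parser.
        if (preg_match_all('/([a-z-]+)="([^"]*)"/i', $output, $m, PREG_SET_ORDER)) {
            foreach ($m as [, $name, $value]) {
                if (stripos(html_entity_decode($value), 'javascript:') !== false) {
                    $surviving[] = strtolower($name);
                }
            }
        }
    }

    return array_values(array_unique($surviving));
}

$left = findSurvivingJavascriptUrls(buildPermissiveConfig());
if ($left === []) {
    echo "OK: no javascript: URL survived in data, codebase, archive, longdesc or meta refresh\n";
    exit(0);
}
echo "NOT COVERED: javascript: URL survived in attribute(s): " . implode(', ', $left) . "\n";
exit(1);
```

Run it once before and once after `composer update symfony/html-sanitizer`; `composer show symfony/html-sanitizer` prints the installed version so you can confirm you actually landed on a patched release of your branch. The script exits non-zero when any probed attribute still carries a javascript: URL, so it can sit in CI next to your existing sanitizer tests.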