fix: preserve mention data attributes through HTML sanitization
Filament's sanitizer strips data-id, data-label and data-char from mention spans, breaking both display (unstyled @mention) and editing (@-only shown in RichEditor). Register a package-scoped sanitizer that explicitly allows these attributes on span elements. Also fix double-replacement bug in renderBodyWithMentions() where both the rich-editor regex and str_replace fallback could run on the same mention, producing nested styled spans.
This commit is contained in:
ilyapashayan
@@ -18,6 +18,8 @@ use Relaticle\Comments\Livewire\Comments;
|
||||
use Relaticle\Comments\Livewire\Reactions;
|
||||
use Spatie\LaravelPackageTools\Package;
|
||||
use Spatie\LaravelPackageTools\PackageServiceProvider;
|
||||
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
|
||||
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
|
||||
|
||||
class CommentsServiceProvider extends PackageServiceProvider
|
||||
{
|
||||
@@ -51,6 +53,27 @@ class CommentsServiceProvider extends PackageServiceProvider
|
||||
MentionResolver::class,
|
||||
fn () => new (CommentsConfig::getMentionResolver())
|
||||
);
|
||||
|
||||
$this->app->scoped(
|
||||
'comments.html_sanitizer',
|
||||
fn (): HtmlSanitizer => new HtmlSanitizer(
|
||||
(new HtmlSanitizerConfig)
|
||||
->allowSafeElements()
|
||||
->allowRelativeLinks()
|
||||
->allowRelativeMedias()
|
||||
->allowAttribute('class', allowedElements: '*')
|
||||
->allowAttribute('data-color', allowedElements: '*')
|
||||
->allowAttribute('data-from-breakpoint', allowedElements: '*')
|
||||
->allowAttribute('data-type', allowedElements: '*')
|
||||
->allowAttribute('data-id', allowedElements: 'span')
|
||||
->allowAttribute('data-label', allowedElements: 'span')
|
||||
->allowAttribute('data-char', allowedElements: 'span')
|
||||
->allowAttribute('style', allowedElements: '*')
|
||||
->allowAttribute('width', allowedElements: 'img')
|
||||
->allowAttribute('height', allowedElements: 'img')
|
||||
->withMaxInputLength(500000)
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
public function packageBooted(): void
|
||||
|
||||
@@ -9,7 +9,6 @@ use Illuminate\Database\Eloquent\Relations\HasMany;
|
||||
use Illuminate\Database\Eloquent\Relations\MorphTo;
|
||||
use Illuminate\Database\Eloquent\Relations\MorphToMany;
|
||||
use Illuminate\Database\Eloquent\SoftDeletes;
|
||||
use Illuminate\Support\Str;
|
||||
use Relaticle\Comments\CommentsConfig;
|
||||
use Relaticle\Comments\Database\Factories\CommentFactory;
|
||||
|
||||
@@ -23,7 +22,7 @@ class Comment extends Model
|
||||
parent::boot();
|
||||
|
||||
static::saving(function (self $comment): void {
|
||||
$comment->body = Str::sanitizeHtml($comment->body);
|
||||
$comment->body = app('comments.html_sanitizer')->sanitize($comment->body);
|
||||
});
|
||||
|
||||
static::deleting(function (self $comment): void {
|
||||
@@ -153,16 +152,15 @@ class Comment extends Model
|
||||
$escapedName = e($name);
|
||||
$styledSpan = '<span class="comment-mention">@'.$escapedName.'</span>';
|
||||
|
||||
// Replace rich-editor mention spans (data-type="mention" with @Name as text content)
|
||||
$body = preg_replace(
|
||||
'/<(?:span|a)[^>]*data-type="mention"[^>]*>@?' . preg_quote($escapedName, '/') . '<\/(?:span|a)>/',
|
||||
$styledSpan,
|
||||
$body
|
||||
);
|
||||
$pattern = '/<(?:span|a)[^>]*data-type="mention"[^>]*>@?' . preg_quote($escapedName, '/') . '<\/(?:span|a)>/';
|
||||
|
||||
// Replace plain-text mentions
|
||||
$body = str_replace("@{$name}", $styledSpan, $body);
|
||||
$body = str_replace("@{$name}", $styledSpan, $body);
|
||||
if (preg_match($pattern, $body)) {
|
||||
$body = preg_replace($pattern, $styledSpan, $body);
|
||||
} else {
|
||||
// Fallback for plain-text mentions
|
||||
$body = str_replace("@{$name}", $styledSpan, $body);
|
||||
$body = str_replace("@{$name}", $styledSpan, $body);
|
||||
}
|
||||
}
|
||||
|
||||
return $body;
|
||||
|
||||
Reference in New Issue
Block a user