fix: preserve mention data attributes through HTML sanitization

Filament's sanitizer strips data-id, data-label and data-char from
mention spans, breaking both display (unstyled @mention) and editing
(@-only shown in RichEditor). Register a package-scoped sanitizer that
explicitly allows these attributes on span elements.

Also fix double-replacement bug in renderBodyWithMentions() where both
the rich-editor regex and str_replace fallback could run on the same
mention, producing nested styled spans.
ilyapashayan
2026-04-01 01:10:05 +04:00
parent 48fbd3c9d7
commit 541d11ab90
5 changed files with 85 additions and 11 deletions


@@ -18,6 +18,8 @@ use Relaticle\Comments\Livewire\Comments;
use Relaticle\Comments\Livewire\Reactions;
use Spatie\LaravelPackageTools\Package;
use Spatie\LaravelPackageTools\PackageServiceProvider;
use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
class CommentsServiceProvider extends PackageServiceProvider
{
@@ -51,6 +53,27 @@ class CommentsServiceProvider extends PackageServiceProvider
MentionResolver::class,
fn () => new (CommentsConfig::getMentionResolver())
);
$this->app->scoped(
'comments.html_sanitizer',
fn (): HtmlSanitizer => new HtmlSanitizer(
(new HtmlSanitizerConfig)
->allowSafeElements()
->allowRelativeLinks()
->allowRelativeMedias()
->allowAttribute('class', allowedElements: '*')
->allowAttribute('data-color', allowedElements: '*')
->allowAttribute('data-from-breakpoint', allowedElements: '*')
->allowAttribute('data-type', allowedElements: '*')
->allowAttribute('data-id', allowedElements: 'span')
->allowAttribute('data-label', allowedElements: 'span')
->allowAttribute('data-char', allowedElements: 'span')
->allowAttribute('style', allowedElements: '*')
->allowAttribute('width', allowedElements: 'img')
->allowAttribute('height', allowedElements: 'img')
->withMaxInputLength(500000)
),
);
}
public function packageBooted(): void
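Review bot: The new `comments.html_sanitizer` binding keeps `->allowAttribute('style', allowedElements: '*')` and `->allowAttribute('class', allowedElements: '*')`, which is broad for comment bodies that one user writes and others view: as far as I know Symfony's HtmlSanitizer does not parse the CSS in an allowed `style` value, so a stored comment could restyle or overlay surrounding UI. Since this sanitizer is scoped to the package, consider dropping the `style` line and narrowing `class` to what the editor emits, e.g. `->allowAttribute('class', allowedElements: 'span')` (assuming mention spans are the only elements that need it; confirm against the RichEditor output). Allowing `data-id` and `data-label` also makes those values author-controlled in stored HTML, so whatever consumes them (presumably renderBodyWithMentions() and any mention notification path, neither visible here) should resolve ids server-side and escape the label rather than trust the markup. The list appears to mirror Filament's default plus the three mention attributes, so a one-line comment above the binding saying that would help keep the two from drifting; the enclosing registration method starts above this hunk.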