fix: preserve mention data attributes through HTML sanitization

Filament's sanitizer strips data-id, data-label and data-char from
mention spans, breaking both display (unstyled @mention) and editing
(@-only shown in RichEditor). Register a package-scoped sanitizer that
explicitly allows these attributes on span elements.

Also fix double-replacement bug in renderBodyWithMentions() where both
the rich-editor regex and str_replace fallback could run on the same
mention, producing nested styled spans.
ilyapashayan
2026-04-01 01:10:05 +04:00
parent 48fbd3c9d7
commit 541d11ab90
5 changed files with 85 additions and 11 deletions


@@ -155,6 +155,26 @@ it('strips onclick handler from elements', function () {
expect($comment->body)->toContain('click me');
});
it('preserves mention data attributes in comment body', function () {
$user = User::factory()->create();
$post = Post::factory()->create();
$body = '<span data-type="mention" data-id="1" data-label="max" data-char="@">@max</span>';
$comment = Comment::factory()->create([
'commentable_id' => $post->id,
'commentable_type' => $post->getMorphClass(),
'commenter_id' => $user->getKey(),
'commenter_type' => $user->getMorphClass(),
'body' => $body,
]);
expect($comment->body)->toContain('data-type="mention"');
expect($comment->body)->toContain('data-id="1"');
expect($comment->body)->toContain('data-label="max"');
expect($comment->body)->toContain('data-char="@"');
});
it('sanitizes content submitted through livewire component', function () {
$user = User::factory()->create();
$post = Post::factory()->create();
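Review bot: The new test `preserves mention data attributes in comment body` asserts only that the allowed attributes survive, so it would still pass if the package-scoped sanitizer let more through on `span` than `data-type`, `data-id`, `data-label` and `data-char`. A companion case should pin the upper bound of the allow-list, using a mention span that also carries attributes outside it (constructed example): `$body = '<span data-type="mention" data-id="1" onclick="x()" data-extra="y">@max</span>';` followed by `expect($comment->body)->not->toContain('onclick');` and `expect($comment->body)->not->toContain('data-extra');`. The sanitizer registration is in another file of this commit and is not visible in this section, so how wide the allowance actually is cannot be confirmed from here.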


@@ -51,6 +51,28 @@ it('renders multiple mentions with styled spans', function () {
expect($rendered)->toContain('comment-mention');
});
it('renders rich-editor mention span as styled mention', function () {
$user = User::factory()->create();
$alice = User::factory()->create(['name' => 'Alice']);
$post = Post::factory()->create();
$comment = Comment::factory()->create([
'commentable_id' => $post->id,
'commentable_type' => $post->getMorphClass(),
'commenter_id' => $user->getKey(),
'commenter_type' => $user->getMorphClass(),
'body' => '<p><span data-type="mention" data-id="'.$alice->id.'" data-label="Alice" data-char="@">@Alice</span> said hi</p>',
]);
$comment->mentions()->attach($alice->id, ['commenter_type' => $alice->getMorphClass()]);
$rendered = $comment->renderBodyWithMentions();
expect($rendered)->toContain('comment-mention');
expect($rendered)->toContain('@Alice</span>');
expect($rendered)->not->toContain('data-type="mention"');
});
it('does not style non-mentioned @text', function () {
$user = User::factory()->create();
$post = Post::factory()->create();
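Review bot: The assertions in `renders rich-editor mention span as styled mention` do not pin the double-replacement fix described in the commit message. Going by that description, output with one styled span nested inside another would still contain `comment-mention` and `@Alice</span>` and would no longer contain `data-type="mention"`, so the test passes on the buggy output as well. Adding `expect(substr_count($rendered, 'comment-mention'))->toBe(1);` after the existing `toContain('comment-mention')` line makes the regression detectable. `renderBodyWithMentions()` is not shown in this section, so this is judged from the test alone.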


@@ -10,6 +10,17 @@ use Relaticle\Comments\Models\Comment;
use Relaticle\Comments\Tests\Models\Post;
use Relaticle\Comments\Tests\Models\User;
it('parses rich-editor mention spans using data-id', function () {
$john = User::factory()->create(['name' => 'john']);
$parser = app(MentionParser::class);
$body = '<p>Hello <span data-type="mention" data-id="'.$john->id.'" data-label="john" data-char="@">@john</span></p>';
$result = $parser->parse($body);
expect($result)->toHaveCount(1);
expect($result->first())->toBe($john->id);
});
it('parses @username from plain text body', function () {
User::factory()->create(['name' => 'john']);
User::factory()->create(['name' => 'jane']);
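Review bot: `parses rich-editor mention spans using data-id` covers only a span whose `data-id` and `data-label` agree, yet both attributes come from the submitted comment body and now survive sanitization, so the id that selects the mentioned user is chosen by the commenter. Cases worth pinning next to it: a `data-id` that matches no user yields an empty result, a non-numeric `data-id` is ignored, and a span whose `data-label` names one user while `data-id` points at another does not display one name while attaching the mention to a different account. For the first case, `expect($parser->parse('<p><span data-type="mention" data-id="0" data-label="john" data-char="@">@john</span></p>'))->toHaveCount(0);` (constructed value) is enough. `MentionParser` is not visible on this page, so whether it already validates the id, or restricts who may be mentioned, is unconfirmed.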