Content filtering: Updated config and readme attribution

ssddanbrown · ssddanbrown · commit 3fa1174e7a87 · 2026-02-16T13:46:45.000Z
diff --git a/.env.example.complete b/.env.example.complete
@@ -351,10 +351,25 @@ EXPORT_PDF_COMMAND_TIMEOUT=15
 # Only used if 'ALLOW_UNTRUSTED_SERVER_FETCHING=true' which disables security protections.
 WKHTMLTOPDF=false
 
-# Allow <script> tags in page content
+# Allow JavaScript, and other potentiall dangerous content in page content.
+# This also removes CSP-level JavaScript control.
 # Note, if set to 'true' the page editor may still escape scripts.
+# DEPRECATED: Use 'APP_CONTENT_FILTERING' instead as detailed below. Activiting this option
+# effectively sets APP_CONTENT_FILTERING='' (No filtering)
 ALLOW_CONTENT_SCRIPTS=false
 
+# Control the behaviour of content filtering, primarily used for page content.
+# This setting is a string of characters which represent different available filters:
+# - j - Filter out JavaScript and unknown binary data based content
+# - h - Filter out unexpected, and potentially dangerous, HTML elements
+# - f - Filter out unexpected form elements
+# - a - Run content through a more complex allowlist filter
+# This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
+# Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
+# Note: The default value will always be the most-strict, so it's advised to leave this unset in your own configuration
+# to ensure you are always using the full range of filters.
+APP_CONTENT_FILTERING="jfha"
+
 # Indicate if robots/crawlers should crawl your instance.
 # Can be 'true', 'false' or 'null'.
 # The behaviour of the default 'null' option will depend on the 'app-public' admin setting.
diff --git a/app/Config/app.php b/app/Config/app.php
@@ -37,21 +37,14 @@
     // The limit for all uploaded files, including images and attachments in MB.
     'upload_limit' => env('FILE_UPLOAD_SIZE_LIMIT', 50),
 
-    // Allow <script> tags to entered within page content.
-    // <script> tags are escaped by default.
-    // Even when overridden the WYSIWYG editor may still escape script content.
-    'allow_content_scripts' => env('ALLOW_CONTENT_SCRIPTS', false),
-
     // Control the behaviour of content filtering, primarily used for page content.
-    // This setting is a collection of characters which represent different available filters:
+    // This setting is a string of characters which represent different available filters:
     // - j - Filter out JavaScript and unknown binary data based content
     // - h - Filter out unexpected, and potentially dangerous, HTML elements
     // - f - Filter out unexpected form elements
-    // - a - Run content through a more complex allow-list filter
+    // - a - Run content through a more complex allowlist filter
     // This defaults to using all filters, unless ALLOW_CONTENT_SCRIPTS is set to true in which case no filters are used.
-    // Note: These filters are a best attempt, and may not be 100% effective. They are typically a layer used in addition to other security measures.
-    // TODO - Add to example env
-    // TODO - Remove allow_content_scripts option above
+    // Note: These filters are a best-attempt and may not be 100% effective. They are typically a layer used in addition to other security measures.
     'content_filtering' => env('APP_CONTENT_FILTERING', env('ALLOW_CONTENT_SCRIPTS', false) === true ? '' : 'jhfa'),
 
     // Allow server-side fetches to be performed to potentially unknown
diff --git a/readme.md b/readme.md
@@ -155,7 +155,7 @@ The website which contains the project docs & blog can be found in the [BookStac
 The BookStack source is provided under the [MIT License](https://github.com/BookStackApp/BookStack/blob/development/LICENSE). 
 
 The libraries used by, and included with, BookStack are provided under their own licenses and copyright.
-The licenses for many of our core dependencies can be found in the attribution list below but this is not an exhaustive list of all projects used within BookStack. 
+The licenses for many of our core dependencies can be found in the attribution list below, but this is not an exhaustive list of all projects used within BookStack. 
 
 ## 👪 Attribution
 
@@ -187,5 +187,6 @@ Note: This is not an exhaustive list of all libraries and projects that would be
 * [PHPStan](https://phpstan.org/) & [Larastan](https://github.com/nunomaduro/larastan) - _[MIT](https://github.com/phpstan/phpstan/blob/master/LICENSE) and [MIT](https://github.com/nunomaduro/larastan/blob/master/LICENSE.md)_
 * [PHP_CodeSniffer](https://github.com/squizlabs/PHP_CodeSniffer) - _[BSD 3-Clause](https://github.com/squizlabs/PHP_CodeSniffer/blob/master/licence.txt)_
 * [JakeArchibald/IDB-Keyval](https://github.com/jakearchibald/idb-keyval) - _[Apache-2.0](https://github.com/jakearchibald/idb-keyval/blob/main/LICENCE)_
+* [HTML Purifier](https://github.com/ezyang/htmlpurifier) and [htmlpurifier-html5](https://github.com/xemlock/htmlpurifier-html5) - _[LGPL-2.1](https://github.com/ezyang/htmlpurifier/blob/master/LICENSE) and [MIT](https://github.com/xemlock/htmlpurifier-html5/blob/master/LICENSE)_
 
-For a detailed breakdown of the JavaScript & PHP projects imported & used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files. 
+For a detailed breakdown of the JavaScript & PHP projects imported and used via NPM & composer package managers, along with their licenses, please see the [dev/licensing/js-library-licenses.txt](dev/licensing/js-library-licenses.txt) and [dev/licensing/php-library-licenses.txt](dev/licensing/php-library-licenses.txt) files. 
diff --git a/tests/Unit/ConfigTest.php b/tests/Unit/ConfigTest.php
@@ -177,6 +177,13 @@ public function test_content_filtering_defaults_to_enabled()
         });
     }
 
+    public function test_content_filtering_can_be_disabled()
+    {
+        $this->runWithEnv(['APP_CONTENT_FILTERING' => "", 'ALLOW_CONTENT_SCRIPTS' => null], function () {
+            $this->assertEquals('', config('app.content_filtering'));
+        });
+    }
+
     public function test_allow_content_scripts_disables_content_filtering()
     {
         $this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => 'true'], function () {

Original file line number	Diff line number	Diff line change
`@@ -177,6 +177,13 @@ public function test_content_filtering_defaults_to_enabled()`
`177`	`177`	`});`
`178`	`178`	`}`
`179`	`179`
	`180`	`+ public function test_content_filtering_can_be_disabled()`
	`181`	`+ {`
	`182`	`+ $this->runWithEnv(['APP_CONTENT_FILTERING' => "", 'ALLOW_CONTENT_SCRIPTS' => null], function () {`
	`183`	`+ $this->assertEquals('', config('app.content_filtering'));`
	`184`	`+ });`
	`185`	`+ }`
	`186`	`+`
`180`	`187`	`public function test_allow_content_scripts_disables_content_filtering()`
`181`	`188`	`{`
`182`	`189`	`$this->runWithEnv(['APP_CONTENT_FILTERING' => null, 'ALLOW_CONTENT_SCRIPTS' => 'true'], function () {`