We've been mostly relying on the 3rd party xss cleaner to make sure user submitted content is clean. This PR fixes up any leftover holes in the bbcode parser that allow xss vulnerabilities, and as a result, the 3rd party library isn't needed anymore. It cleans responsibly by first, running `htmlspecialchars()` over the content, followed by sanitizing the untrusted urls and whitelisting their protocol.
- this resolves some larastan property issues but in return has revealed quite a few issues with our castings and such. baseline has been regenerated so we can work through them. The properties in docblocks are in order and match everything in DB schema wise.
Bbcode is always sanitized first before being saved, which causes html entities. However, when content is edited again, the html entities aren't decoded before the user edits them, which causes the user to remove the html entities before updating the content. This commit now decodes the html back to text and will resanitize again upon save.
- github action updated with new ruleset in pint.json
- codebase linted with new ruleset
- contributors can now run `./vendor/bin/pint`
- action workflow will auto correct any lint issues upon commit/opened pull request
Roardom