HTMLPurifier allow class attribute
How can I allow "class" in HTMLPurifier? I am trying to purify this:

 <div class="txt_r" id="test">Blah</div>

And I get:

 <div id="test">Blah</div>

Why has class disappeared? I am using the following config:

 $config->set('Attr.EnableID', true);
 $config->set('CSS.Trusted', true);
 $config->set('HTML.AllowedAttributes', 'style, src, class');
Hooch answered 31/7, 2012 at 19:51 Comment(4)
Why are you using CSS.Trusted?Schapira
I am not sure, for enabling inline CSS?Hooch
No, that's wrong. I really made a big mistake calling these configuration directives "Trusted", they should really be called "UnsafeAllowXSS". Turn it off if you don't know why you're using it.Schapira
Well, thanks for the advice, but if I turn this off, I don't know how to allow CSS like: top, left, bottom, right and something more.Hooch

Your problem is probably that HTML.AllowedAttributes doesn't actually work that way. :) From the docs:

The syntax is "tag.attr" or "*.attr" for the global attributes (style, id, class, dir, lang, xml:lang).

What you probably want is...

 $config->set('HTML.AllowedAttributes', 'img.src,*.style,*.class');

You also shouldn't use HTML.AllowedAttributes by itself, but in tandem with HTML.AllowedElements:

 $config->set('HTML.AllowedElements', 'img,div');

Alternatively, use neither HTML.AllowedAttributes nor HTML.AllowedElements and instead use HTML.Allowed. That would look something like this:

 $config->set('HTML.Allowed', 'div, *[style|class], img[src]');
Arriaga answered 1/8, 2012 at 12:0 Comment(6)
Hi, thanks for the answer, it will be useful for the future :) I found a solution this morning: $config = HTMLPurifier_Config::createDefault(); $config->set('Attr.EnableID', true); $config->set('CSS.Trusted', true); I don't even know why I filtered attributes, when I need all of them. And I hope this still filters JS :SHooch
HTML Purifier's default whitelist is robust, safe and rigorously tested. You'd have to go out of your way to teach it to accept <script> or other trickery. You should definitely be safe. :) (Though you really ought to re-evaluate if you need CSS.Trusted, as Edward already said.)Arriaga
Well, I re-evaluated CSS.Trusted and removed it, but now the top, left, bottom and right properties in inline CSS are missing :( Now I feel like a cat chasing its own tail :)Hooch
left, right, bottom, top all depend on position. The combination lets someone using your site cover up parts of the site embedding their content, thereby impeding its use, defacing the site, or otherwise screwing with your layout maliciously (e.g. phishing). But take a look at htmlpurifier.org/live/configdoc/plain.html#CSS.AllowTricky - that should be what you want; continue to stay away from CSS.Trusted.Arriaga
@Arriaga In laravel purifier config: 'HTML.Allowed' => 'div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]'. I updated p[style] to p[style|class]. Is there any way to specify class? So that I want to allow only a custom class like "my-class".Leukoderma
@user2356198 That seems like a different question to me. You'll want to ask it as a question - then more people have a chance to help you. :)Arriaga
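A complete script showing the HTML.Allowed configuration from this answer in use, as an added example that is not part of the original answer. It assumes HTML Purifier is installed through Composer at vendor/autoload.php; the class names in the Attr.AllowedClasses list and the sample inputs are constructed for the demo.

```php
<?php
// Added example (not from the original answer): builds a purifier with the
// HTML.Allowed whitelist recommended above, without CSS.Trusted, and runs a few
// constructed inputs through it so the effect on class, id and hostile markup
// can be inspected. Assumes HTML Purifier was installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

function makePurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // One directive covers elements and their attributes: div with the global
    // style/class attributes, img with src. No HTML.AllowedAttributes needed.
    $config->set('HTML.Allowed', 'div,*[style|class],img[src]');
    // id is stripped by default; the question wants it kept.
    $config->set('Attr.EnableID', true);
    // Restrict class to a known set instead of accepting any token; this is the
    // directive that answers the "only my-class" follow-up. Values are constructed.
    $config->set('Attr.AllowedClasses', ['txt_r', 'my-class']);
    return new HTMLPurifier($config);
}

function purifyAll(HTMLPurifier $purifier, array $inputs): array
{
    $out = [];
    foreach ($inputs as $html) {
        $out[$html] = $purifier->purify($html);
    }
    return $out;
}

// Constructed inputs: the markup from the question plus variants that a
// whitelist must reject (unknown class, event handler, positioning CSS,
// script element, javascript: URL in an image source).
$cases = [
    '<div class="txt_r" id="test">Blah</div>',
    '<div class="txt_r unknown-class">Blah</div>',
    '<div class="txt_r" onclick="alert(1)">Blah</div>',
    '<div style="position:absolute;top:0;color:red">Blah</div><script>alert(1)</script>',
    '<img src="javascript:alert(1)">',
];

foreach (purifyAll(makePurifier(), $cases) as $in => $clean) {
    printf("%-75s => %s\n", $in, $clean);
}
```

Run it from the project root after `composer require ezyang/htmlpurifier`; the first case should keep both class and id, while the class list, event handler, position/top declarations, script element and javascript: URL are dropped by the default whitelist.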