with HTMLpurifier, how to add a couple attributes to the default whitelist, e.g. 'onclick'
Two questions:

I have been reading docs and SO posts, and know how to do it the long way (defining each and every element and attribute myself), but all I want to do is add 2 or 3 attributes to the default whitelist, so that I do not have to constantly find and add more elements/attributes to, e.g., HTML.AllowedElements and/or HTML.AllowedAttributes.

Specifically, now (for internal trusted users), I need to allow JavaScript attributes (input from TinyMCE). Question #1) Is there a way to just add an attribute (to what HTMLPurifier allows) without causing the whole default sets of allowed elements/attributes to be effectively wiped out (overwritten by ONLY what is explicitly written in HTML.AllowedElements or HTML.AllowedAttributes)?

For what I need right now (the javascript attributes), I got excited when I saw in this thread:

Whitelist Forms in HTML Purifier Configuration

...where Edward Z. Yang says, "... [$config->set('HTML.Trusted', true);] allows JavaScript."

...but even after setting this: $config->set('HTML.Trusted', true);, HTMLPurifier 4.4.0 is still stripping, e.g., any input onclick="dostuff();" attribute. Why? Question #2) Is there a quick way to add just the JavaScript attributes to the allowed list?

Acidimetry answered 2/5, 2012 at 2:11 Comment(0)
  1. You're losing onclick because HTML Purifier doesn't know about that attribute, and if HTML Purifier passed everything through when you turned on %HTML.Trusted you might as well just not use HTML Purifier at all.

  2. HTML Purifier has attribute collections for just this case; 'Common' is probably the right one to insert them into.

But... why? The real name of %HTML.Trusted really should be %HTML.UnsafeMakeMyApplicationVulnerable

Garrulity answered 2/5, 2012 at 14:55 Comment(5)
I realize JavaScript attributes are unsafe. I need to allow them for a few trusted users. Why use HTML Purifier? ...because I want to configure it strict for the untrusted users, while loosening it up for trusted users, but all the while keeping myself and them (all of us) keenly aware of specifically what we are allowing, and when. I want to consciously, myself, make each and every exception to the lockdown that is the default HTML Purifier, on a case-by-case basis, so admin in the middle can track liability details, if ever needed. I'll have to put my questions in another comment. (Acidimetry)
OK, just so I understand (please correct me where I am wrong):
  * despite the threads that suggest $config->set('HTML.Trusted', true) will allow JavaScript attributes to pass through, as of today, this is untrue.
  * it is reasonable to think you might add JavaScript attributes to the %HTML.Trusted attribute collection in the future.
  * to allow JavaScript attributes, today, the only way is by following directions, from where, here? - htmlpurifier.org/docs/enduser-customize.html ? ('attribute collections' seems to need some digging to find, let alone wrap one's head around.) (Acidimetry)
Yes, that all seems essentially accurate. The relevant file is library/HTMLPurifier/HTMLModule/CommonAttributes.php; there is no explicit documentation about it, unfortunately. (Garrulity)
Also, I wanted to understand: as soon as I use %HTML.AllowedAttributes, does that force me to then have to define each and every attribute I want allowed? Is that correct? Can you point me to where that default (attribute and element) list is, so I can work from it, rather than discovering it in steps/piecemeal? (Acidimetry)
Yes. The point is to make you think carefully about why you want to overload the default whitelist, which has already been very carefully vetted and should work for most users, unless you drastically want to change what your whitelist looks like. Check out htmlpurifier.org/live/smoketests/printDefinition.php for the precise configuration details. Check out the "Forbidden" directives too. (Garrulity)
HTMLPurifier does not support onclick and similar JavaScript-related attributes on any HTML element as its default behaviour. So if you wish to allow such an attribute anyway, you may add it to a specific element in the following way.

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'allow-onclick-on-a'); // required before touching the raw definition
$config->set('HTML.DefinitionRev', 1);
if ($def = $config->maybeGetRawHTMLDefinition()) { // null when a cached definition already exists
    $def->addAttribute('a', 'onclick', 'Text');
}

But be careful: this may lead to an XSS attack, as you are allowing any JavaScript code to be present in that attribute.

Quinquevalent answered 10/5, 2017 at 9:22 Comment(1)
Thank you for this code snippet, which may provide some immediate help. A proper explanation would greatly improve its educational value by showing why this is a good solution to the problem, and make it more useful to future readers with similar, but not identical, questions. Please edit your answer to add explanation, and give an indication of what limitations and assumptions apply.Pusillanimous
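The per-trust-level setup the asker describes (strict defaults for untrusted users, a consciously added attribute for trusted users, default whitelist left intact) as an added example; this is not code from the answers above or from HTML Purifier itself, and it assumes a Composer autoloader, a writable temp directory for the definition cache, and an invented definition ID and helper name.

```php
<?php
// Added example, not from the original thread. Assumes HTML Purifier is
// installed via Composer; buildPurifier() and the definition ID are ours.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier for one trust level. Nothing is written to
 * HTML.AllowedElements/HTML.AllowedAttributes, so the vetted default
 * whitelist stays intact; the trusted profile only adds, per element,
 * the attributes we have decided to allow.
 */
function buildPurifier(bool $trusted): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    if ($trusted) {
        // A raw definition needs its own ID/revision so its cached copy
        // is kept apart from the default definition (and from other
        // profiles); bump DefinitionRev whenever the additions change.
        $config->set('HTML.DefinitionID', 'trusted-users-onclick');
        $config->set('HTML.DefinitionRev', 1);

        // Returns null when this ID/rev is already cached; only then skip.
        if ($def = $config->maybeGetRawHTMLDefinition()) {
            $def->addAttribute('a', 'onclick', 'Text');
            $def->addAttribute('button', 'onclick', 'Text');
        }
    }
    return new HTMLPurifier($config);
}

// Constructed sample input, as a TinyMCE editor might submit it.
$input = '<a href="https://example.com" onclick="doStuff();">link</a>';

// Untrusted profile: the default whitelist strips onclick.
$strict = buildPurifier(false)->purify($input);
// Trusted profile: onclick survives because we added it above.
$loose  = buildPurifier(true)->purify($input);

// Self-check that the two profiles really behave as intended; fail loudly
// if a deployment accidentally hands the trusted profile to everyone.
if (strpos($strict, 'onclick') !== false) {
    throw new RuntimeException('untrusted profile leaked onclick');
}
if (strpos($loose, 'onclick') === false) {
    throw new RuntimeException('trusted profile lost onclick');
}
echo "untrusted: $strict\ntrusted:   $loose\n";
```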