Whitelist Forms in HTML Purifier Configuration

I use HTML Purifier to clean input in my CMS. Many of my clients like to have PayPal donation buttons in their site, but HTML Purifier strips the forms out.

I noticed that HTML Purifier has a HTMLPurifier_HTMLModule_Forms class, but I don't know if that does what I want. If it does, how do I enable it?

Huskey answered 6/7, 2010 at 19:6 Comment(0)
$config->set('HTML.Trusted', true);
$config->set('Attr.EnableID', true);

should turn on Forms (I think they’re enabled by default in the trusted set.) Of course, this also allows JavaScript too, so it might not be what you’re looking for...

Halda answered 19/7, 2010 at 17:14 Comment(4)
Thanks! I will check this out. Why did you include Attr.EnableID? - Huskey
Otherwise, form naming won't work. name="" shares a namespace with IDs. - Halda
@Edward, do you know any reason why it might not work to allow e.g. onclick="doSomething();" when I enable HTML.Trusted? I just added $config->set('HTML.Trusted', true); to my config (because I need JavaScript attributes for internal trusted users), but HTML Purifier still strips them out. Do you know why that might be, or how I can allow JavaScript attributes (without defining every single attribute to allow in HTML.AllowedAttributes)? (I want to use the default whitelist, since I don't know where to see that default list spelled out so I can copy and paste, and add to it.) - Malinowski
It totally would work. I just haven't gotten around to adding it. - Halda
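
The trade-off in the answer above (forms arrive with the trusted set, which also allows JavaScript) can be checked directly. The following is an added example, not code from the original answers: it runs the answer's two settings with and without HTML Purifier's HTML.ForbiddenElements directive and reports what survives. The Composer autoload path, the helper name buildPurifier, the sample markup and the example.test host are assumptions made for illustration.

```php
<?php
// Added example, not code from the original answers.
// Assumes HTML Purifier was installed with Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

/**
 * Hypothetical helper: the answer's two settings, optionally forbidding
 * the script-capable elements that the trusted set enables next to forms.
 */
function buildPurifier(array $forbiddenElements = []): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache for this demo
    $config->set('HTML.Trusted', true);         // from the answer: turns on Forms
    $config->set('Attr.EnableID', true);        // from the answer: needed for form naming
    if ($forbiddenElements) {
        // Removes the listed elements from the active HTML definition.
        $config->set('HTML.ForbiddenElements', $forbiddenElements);
    }
    return new HTMLPurifier($config);
}

// Constructed sample input: a donation-style form followed by a script element.
// example.test is a placeholder host, not a real payment endpoint.
$input = <<<HTML
<form action="https://example.test/donate" method="post">
  <div>
    <input type="hidden" name="cmd" value="_donations" />
    <input type="submit" name="submit" value="Donate" />
  </div>
</form>
<script type="text/javascript">document.title = "changed";</script>
HTML;

$profiles = [
    'trusted only'              => buildPurifier(),
    'trusted, script forbidden' => buildPurifier(['script', 'noscript', 'object']),
];

foreach ($profiles as $label => $purifier) {
    $clean = $purifier->purify($input);
    printf(
        "%-27s form kept: %-3s script kept: %s\n",
        $label,
        stripos($clean, '<form') !== false ? 'yes' : 'no',
        stripos($clean, '<script') !== false ? 'yes' : 'no'
    );
}
```

Run it against the HTML Purifier version the CMS ships and compare the two output lines before choosing a profile for client-submitted content.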
