How do I allow script, object, param, embed, and iframe tags in HTMLPurifier?
Asked Answered
C

1

7

This is kind of a special combination of tags that I want to allow in HTMLPurifier, but can't seem to get the combination to work.

I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);

I even tried adding in the following which made things worse:

        $config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height],script[src|type]');

Also, I can't seem to get iframes to work no matter what. I tried adding:

        $config->set('HTML.DefinitionID', 'enduser-customize.html iframe');
        $config->set('HTML.DefinitionRev', 1);
        $config->set('Cache.DefinitionImpl', null); // remove this later!
        $def = $config->getHTMLDefinition(true);
        $iframe = $def->addElement(
            'iframe',   // name
            'Block',  // content set
            'Empty', // allowed children
            'Common', // attribute collection
            array( // attributes
                'src*' => 'URI#embedded',
                'width' => 'Pixels#1000',
                'height' => 'Pixels#1000',
                'frameborder=' => 'Number',
                'name' => 'ID',
            )
        );
        $iframe->excludes = array('iframe' => true);

Any help on getting the entire combo to work, or even script tags with object/param and embed would be GREATLY appreciated!!!

Oh yeah, this is obviously not for all users, just "special" users.

Thanks!

PS - please don't link me to http://htmlpurifier.org/docs/enduser-customize.html


UPDATE

I found a solution for adding iframes at the bottom of the thread here: http://htmlpurifier.org/phorum/read.php?3,4646

The current configuration is now:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_MyIframe() ));

UPDATE TO THE UPDATE

If you're having trouble with my comment in the HTMLPurifier forum, it may be because I mean for the method to look like this:

public function preFilter($html, $config, $context) {
    return preg_replace("/iframe/", "img class=\"MyIframe\" ", preg_replace("/<\/iframe>/", "", $html));
}
Chinua answered 9/11, 2010 at 16:2 Comment(2)
HTML Purifier rocks! Why wouldn't I want to use it? ;)Chinua
To be truly correct, you should probably be extending HTMLPurifier_Filter. The solution is otherwise great though; I am using this but whitelisting domains that I trust instead (e.g. youtube's new iframe embedding).Consensual
C
6

Found the solution through the HTMLPurifier Google group (thank you Edward Z. Yang!!!). The solution to allow for object, embed, and script tags to exist on the page at the same time is to REMOVE "object, " from the $common array in HTMLModuleManager.php __construct() method. This will of course make it so that no one can add object tags unless you specify it in your config.

My final config is now:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_SafeIframe() ));

I really hope these instructions can help other developers who would like to use HTMLPurifier. Compared to what we were originally using to clean and scrub incoming text from our wysiwyg editor, HTMLPurifier is approximately 85% faster!

Chinua answered 10/11, 2010 at 13:8 Comment(2)
How do I get a copy of the HTMLPurifier_Filter_SafeIframe class?Pro
see this questionTackling

© 2022 - 2024 — McMap. All rights reserved.