This is kind of a special combination of tags that I want to allow in HTMLPurifier, but can't seem to get the combination to work.
I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config:

    $config->set('HTML.Trusted', true);
    $config->set('HTML.SafeEmbed', true);
    $config->set('HTML.SafeObject', true);
    $config->set('Output.FlashCompat', true);

I even tried adding in the following which made things worse:

    $config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height],script[src|type]');

Also, I can't seem to get iframes to work no matter what. I tried adding:

    $config->set('HTML.DefinitionID', 'enduser-customize.html iframe');
    $config->set('HTML.DefinitionRev', 1);
    $config->set('Cache.DefinitionImpl', null); // remove this later!
    $def = $config->getHTMLDefinition(true);
    $iframe = $def->addElement(
        'iframe',   // name
        'Block',    // content set
        'Empty',    // allowed children
        'Common',   // attribute collection
        array(      // attributes
            'src*' => 'URI#embedded',
            'width' => 'Pixels#1000',
            'height' => 'Pixels#1000',
            'frameborder=' => 'Number',
            'name' => 'ID',
        )
    );
    $iframe->excludes = array('iframe' => true);

Any help on getting the entire combo to work, or even script tags with object/param and embed would be GREATLY appreciated!!!
Oh yeah, this is obviously not for all users, just "special" users.
Thanks!
PS - please don't link me to http://htmlpurifier.org/docs/enduser-customize.html
UPDATE
I found a solution for adding iframes at the bottom of the thread here: http://htmlpurifier.org/phorum/read.php?3,4646
The current configuration is now:

    $config->set('HTML.Trusted', true);
    $config->set('HTML.SafeEmbed', true);
    $config->set('HTML.SafeObject', true);
    $config->set('Output.FlashCompat', true);
    $config->set('Filter.Custom', array( new HTMLPurifier_Filter_MyIframe() ));

UPDATE TO THE UPDATE
If you're having trouble with my comment in the HTMLPurifier forum, it may be because I mean for the method to look like this:

    public function preFilter($html, $config, $context) {
        return preg_replace("/iframe/", "img class=\"MyIframe\" ", preg_replace("/<\/iframe>/", "", $html));
    }

HTMLPurifier_Filter. The solution is otherwise great though; I am using this but whitelisting domains that I trust instead (e.g. YouTube's new iframe embedding). – Consensual
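
The domain whitelisting mentioned in the comment above can be expressed with HTML Purifier's built-in `HTML.SafeIframe` and `URI.SafeIframeRegexp` directives (available since 4.4.0) instead of a regex pre-filter and `HTML.Trusted`. This is an added example, not code from the original post or the linked forum thread; the Composer autoload path, the regular expression, the function name `buildEmbedPurifier` and the sample inputs are assumptions.

```php
<?php
// Added example. Assumes HTML Purifier >= 4.4.0 installed via Composer
// (ezyang/htmlpurifier); the autoload path is an assumption.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier that keeps iframes only when their src matches an
 * allowlist, while leaving HTML.Trusted off so script stays disabled.
 */
function buildEmbedPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Permit <iframe> in untrusted input. This directive must be paired
    // with an allowlist such as URI.SafeIframeRegexp.
    $config->set('HTML.SafeIframe', true);

    // PCRE matched against the iframe URI. Anchor at the start, escape
    // the dots, and end each host with "/" so that look-alike hosts such
    // as www.youtube.com.example.invalid cannot match.
    $config->set(
        'URI.SafeIframeRegexp',
        '%^https://(www\.youtube\.com/embed/|player\.vimeo\.com/video/)%'
    );

    // Same object/embed settings as in the question.
    $config->set('HTML.SafeObject', true);
    $config->set('HTML.SafeEmbed', true);
    $config->set('Output.FlashCompat', true);

    return new HTMLPurifier($config);
}

// Constructed sample inputs (VIDEO_ID is a placeholder).
$samples = array(
    'allowlisted iframe' => '<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>',
    'other-host iframe'  => '<iframe src="https://www.youtube.com.example.invalid/embed/x"></iframe>',
    'inline script'      => '<p>hello</p><script>alert(1)</script>',
);

$purifier = buildEmbedPurifier();
foreach ($samples as $label => $html) {
    // Compare input and output to see which src values the URI filter
    // rejects and that script markup is dropped without HTML.Trusted.
    printf("%s\n  in:  %s\n  out: %s\n", $label, $html, $purifier->purify($html));
}
```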