How can I configure HTML Purifier to allow data URIs for image src?

How can I allow base64 data for the src attribute of image tags? I see code like this:

$config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true, 'ftp' => true, 'nntp' => true, 'news' => true, 'data' => true));

In this case, is it data => true which allows the base64? And if so, how can I allow base64 data only for the src attribute of the img tag? (I do not want to allow data URIs in other situations.)

I thought of doing something like:

$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top');

But in my case like this:

$def->addAttribute('img', 'src', 'Enum#data,http,https,...');

Is this possible?

Fielding answered 23/10, 2014 at 8:36 Comment(4)
So you want to only allow data URLs for image SRC attribute? Or you want src attribute for images to always be data URLs? - Solubility
"So you want to only allow data URLs for image SRC attribute?" Yes ;) I want to allow for image SRC attribute: data, http, https, ressources/img/photo1.png ... For cons, I just want to allow the base64, so the data for the src attribute of the image tag. I will not allow the data on other tags - Fielding
So only src attribute on img elements are allowed to be data urls? - Solubility
Yes ;) only src attribute on img elements are allowed to be data urls - Fielding

Easy: just only have data in your allowed schemes:

$config->set('URI.AllowedSchemes', array('data' => true));
Constantinople answered 23/10, 2014 at 21:2 Comment(3)
Thanks but this way the data (like base64) may be passed to any tag attributes? As the href attribute of the tag <a>. Can there be a security breach? - Fielding
Yes. We validate the contents of the data to make sure it's image data and has the right content-type, so it should be OK. - Constantinople
@EdwardZ.Yang is there support for cid? - Microparasite
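
The restriction asked for in the question (data: URIs accepted only in the src attribute of img) can be expressed as an HTML Purifier URI filter that inspects the tag and attribute currently being validated. This is an added example, not code from the thread or from the HTML Purifier project; the class name DataOnlyInImgSrc, the function name purifyWithImgOnlyData, the Composer autoload path and the sample markup are assumptions.

```php
<?php
// Added example (not from the thread). Assumes HTML Purifier is installed
// via Composer; DataOnlyInImgSrc and purifyWithImgOnlyData are hypothetical names.
require_once __DIR__ . '/vendor/autoload.php';

class DataOnlyInImgSrc extends HTMLPurifier_URIFilter
{
    public $name = 'DataOnlyInImgSrc';

    public function filter(&$uri, $config, $context)
    {
        // The URI object stores the scheme lowercased; null means a relative URI.
        if ($uri->scheme !== 'data') {
            return true; // other schemes are left to URI.AllowedSchemes
        }
        // Both values are registered by the attribute validator while it
        // processes a tag; the second argument suppresses the "missing" error.
        $token = $context->get('CurrentToken', true);
        $attr  = $context->get('CurrentAttr', true);
        // Returning false rejects the URI, so the attribute is removed.
        return $token !== null && isset($token->name)
            && $token->name === 'img' && $attr === 'src';
    }
}

function purifyWithImgOnlyData(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('URI.AllowedSchemes', [
        'http' => true, 'https' => true, 'data' => true,
    ]);
    // Register the filter on the URI definition before purifying.
    $config->getDefinition('URI')->addFilter(new DataOnlyInImgSrc(), $config);
    return (new HTMLPurifier($config))->purify($html);
}

// Constructed sample input: the same 1x1 GIF data URI in <img src> and <a href>.
$gif = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';
$html = '<img src="' . $gif . '" alt="pixel">'
      . '<a href="' . $gif . '">link</a>';

echo purifyWithImgOnlyData($html), PHP_EOL;
```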
