htmlpurifier

HTMLPurifier, check entire HTML document

冷眼眸甩不掉的悲伤 submitted on 2019-12-10 19:12:02
Question: I'm using HTMLPurifier to check for XSS in an entire HTML document. The problem is that it appears to strip out anything that isn't inside <body> tags. But I want to keep everything, just look out for serious XSS attacks. Any ideas how to allow <HTML>, <HEAD>, <META> etc.? Answer 1: David, I just searched on the HTMLPurifier support forum and saw that you've been busy. But perhaps you missed the posting from a few months ago that addresses your exact issue, specifically the reply: Full

Allowing full html to be parsed in HTMLPurifier

筅森魡賤 submitted on 2019-12-10 10:55:53
Question: This is a problem I've had for a long time - I currently accept a full html page from the user as input and want to filter / clean it out. The problem with HTMLpurifier is that it removes the head, html, and body tags - as well as the styles in the head. I've googled, looked at the forums, tried implementing what was written, and to no luck. Can someone help? What I want: To keep the HTML, HEAD, STYLE, BODY TAGS What I have done: $config->set('HTML.DefinitionID', 'test'); $config-

htmlpurifier remove inline css

倾然丶 夕夏残阳落幕 submitted on 2019-12-09 17:07:14
Question: I am using htmlpurifier to clean up user content. I am trying to remove inline style attributes like <div style="float:left">some text</div> I want to remove the whole style attribute. How to do it using htmlpurifier? Answer 1: You can tweak the AllowedProperties configuration by passing it an array of valid css attributes that should not be removed (white-list approach). However, the following should remove all css attributes $config->set('CSS.AllowedProperties', array()); See this online demo of

HTML Purifier to clean event attributes

时光怂恿深爱的人放手 submitted on 2019-12-08 10:36:10
Question: I'm working to address some Stored XSS vulnerabilities and I am using HTMLPurifier. I have an input box on the page and if I type '" onclick="alert(1);" the code is saved to the database and executed on the client. This is happening even after running the input and output through purifier. It seems as if HTMLpurifier only strips these attrs when included within an html tag. I'm wondering if there is some config for purifier that will strip just the event attrs or any other suggestions on how to

How can I configure HTML Purifier to allow data URIs for image src?

回眸只為那壹抹淺笑 submitted on 2019-12-06 23:49:45
Question: How can I allow base64 data for the src attribute of image tags? I see code like this: $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true, 'ftp' => true, 'nntp' => true, 'news' => true, 'data' => true)); In this case, is it data => true which allows the base64? And if so, how can I allow base64 data only for the src attribute of the img tag? (I do not want to allow data URIs in other situations.) I thought of doing something like: $ def->

� in my html after purify

走远了吗. submitted on 2019-12-06 03:57:04
I have a database that I am rebuilding; the table structure was crap so I'm porting some of the data from one table to another. This data appears to have been copy-pasted from an MSO product so as I'm getting the data I clean it up with htmlpurifier and some str_replace in php. Here is the clean function: function clean_html($html) { $config = HTMLPurifier_Config::createDefault(); $config->set('AutoFormat','RemoveEmpty',true); $config->set('HTML','AllowedAttributes','href,src'); $config->set('HTML','AllowedElements','p,em,strong,a,ul,li,ol,img'); $purifier = new HTMLPurifier($config); $html =

How do I allow script, object, param, embed, and iframe tags in HTMLPurifier?

怎甘沉沦 submitted on 2019-12-05 22:46:08
Question: This is kind of a special combination of tags that I want to allow in HTMLPurifier, but can't seem to get the combination to work. I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config: $config->set('HTML.Trusted', true); $config->set('HTML.SafeEmbed', true); $config->set('HTML.SafeObject', true); $config->set('Output

HTMLPurifier Breaking Images

拜拜、爱过 submitted on 2019-12-05 19:23:03
I'm trying to run HTMLPurifier on user input from a WYSIWYG (CK Editor) and the images are breaking. Unfiltered Input: <img alt="laugh" src="/lib/ckeditor/plugins/smiley/images/teeth_smile.gif" title="laugh"> After running through purifier with default settings: <img alt=""laugh"" src="%5C" title=""laugh""> I have tried changing the configuration settings, but the src is never preserved. Any thoughts? I have a suspicion that magic_quotes could be a reason..? Also did you try $config->set('Core.RemoveInvalidImg',true); . Which version are you using? (Try older or newer) Had the same problem.

HTML Purifier - Change default allowed HTML tags configuration

时光毁灭记忆、已成空白 submitted on 2019-12-05 10:11:53
I want to allow a limited white list of HTML tags that users can use in my forum. So I have configured the HTML Purifier like so: $config = HTMLPurifier_Config::createDefault(); $config->set('HTML.Allowed', 'p,a[href|rel|target|title],img[src],span[style],strong,em,ul,ol,li'); $purifier = new HTMLPurifier($config); What I am wondering is, does the default configuration of the HTML Purifier still apply, with the exception of a reduced number of accepted HTML tags, or do I need to re-set every possible configuration parameter manually? Additionally, should I tweak the default configuration in any

htmlpurifier with borderRadius

白昼怎懂夜的黑 submitted on 2019-12-05 09:37:01
Question: How do I allow borderRadius with htmlpurifier? I found this but it doesn't seem to work with the current version of htmlpurifier, perhaps they changed the way you add your own css? http://htmlpurifier.org/phorum/read.php?2,6154,6154 $config = HTMLPurifier_Config::createDefault(); // add some custom CSS3 properties $css_definition = $config->getDefinition('CSS'); $border_radius = $info['border-top-left-radius'] = $info['border-top-right-radius'] = $info['border-bottom-left-radius'] = $info['border