I want to allow a limited white list of HTML tags that users can use in my forum. So I have configured the HTML Purifier like so:
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,a[href|rel|target|title],img[src],span[style],strong,em,ul,ol,li');
$purifier = new HTMLPurifier($config);
What I am wondering is, does the default configuration of the HTML Purifier still apply, with the exception of a reduced number of accepted HTML tags or do I need to re-set every possible configuration parameter manually?
Additionally, should I tweak the default configuration in any way to stay safe? I am new to the whole XSS protection thing, new to HTML Purifier and didn't find that the manual gave a lot of 'basic' tips and hints.
HTML Purifier is safe by default and any restrictions you impose on it by changing %HTML.Allowed are guaranteed only to reduce the permitted tag set. Check out http://htmlpurifier.org/live/smoketests/printDefinition.php to see how tweaking configuration changes the allowed tagset.
Why not just use a DOM parser and check if tag type is in allowed white list of HTML tags?
Converting the input to a DOM node list you should be able to loop through all the DOM nodes and check if the type is allowed that way. php.net has great examples for how to do this written by others like you trying to solve the input sanitization problem.
More information here: http://php.net/manual/en/class.domdocument.php
来源:https://stackoverflow.com/questions/13261271/html-purifier-change-default-allowed-html-tags-configuration