How do I allow script, object, param, embed, and iframe tags in HTMLPurifier?

怎甘沉沦 submitted on 2019-12-05 22:46:08

Question


This is kind of a special combination of tags that I want to allow in HTMLPurifier, but can't seem to get the combination to work.

I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);

I even tried adding in the following which made things worse:

        $config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height],script[src|type]');

Also, I can't seem to get iframes to work no matter what. I tried adding:

        $config->set('HTML.DefinitionID', 'enduser-customize.html iframe');
        $config->set('HTML.DefinitionRev', 1);
        $config->set('Cache.DefinitionImpl', null); // remove this later!
        $def = $config->getHTMLDefinition(true);
        $iframe = $def->addElement(
            'iframe',   // name
            'Block',  // content set
            'Empty', // allowed children
            'Common', // attribute collection
            array( // attributes
                'src*' => 'URI#embedded',
                'width' => 'Pixels#1000',
                'height' => 'Pixels#1000',
                'frameborder=' => 'Number',
                'name' => 'ID',
            )
        );
        $iframe->excludes = array('iframe' => true);

Any help on getting the entire combo to work, or even script tags with object/param and embed would be GREATLY appreciated!!!

Oh yeah, this is obviously not for all users, just "special" users.

Thanks!

PS - please don't link me to http://htmlpurifier.org/docs/enduser-customize.html


UPDATE

I found a solution for adding iframes at the bottom of the thread here: http://htmlpurifier.org/phorum/read.php?3,4646

The current configuration is now:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_MyIframe() ));

UPDATE TO THE UPDATE

If you're having trouble with my comment in the HTMLPurifier forum, it may be because I mean for the method to look like this:

        public function preFilter($html, $config, $context) {
            return preg_replace("/iframe/", "img class=\"MyIframe\" ", preg_replace("/<\/iframe>/", "", $html));
        }

Answer 1:


Found the solution through the HTMLPurifier Google group (thank you Edward Z. Yang!!!). The solution to allow for object, embed, and script tags to exist on the page at the same time is to REMOVE "object, " from the $common array in HTMLModuleManager.php __construct() method. This will of course make it so that no one can add object tags unless you specify it in your config.

My final config is now:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_SafeIframe() ));

I really hope these instructions can help other developers who would like to use HTMLPurifier. Compared to what we were originally using to clean and scrub incoming text from our wysiwyg editor, HTMLPurifier is approximately 85% faster!
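
An added example, not part of the original question or answer: one way to keep the permissive configuration for the "special" users only, while everyone else gets iframes restricted to an allowlist through HTML Purifier's `HTML.SafeIframe` and `URI.SafeIframeRegexp` directives. The function name `purifierFor`, the host allowlist and the sample markup are assumptions constructed for illustration.

```php
<?php
// Added example; assumes HTML Purifier is installed and on the include path.
require_once 'HTMLPurifier.auto.php';

/**
 * Hypothetical helper: build a purifier whose permissiveness depends on
 * whether the author is one of the "special" (trusted) users.
 */
function purifierFor(bool $isTrustedEditor): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    if ($isTrustedEditor) {
        // Trusted mode switches on the expansive tag set, including <script>,
        // so it is reserved for accounts that are already allowed to publish code.
        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        return new HTMLPurifier($config);
    }

    // Everyone else: HTML.Trusted stays off, and iframes are accepted only
    // when their src matches the allowlist regexp (constructed sample hosts).
    $config->set('HTML.SafeIframe', true);
    $config->set(
        'URI.SafeIframeRegexp',
        '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'
    );
    return new HTMLPurifier($config);
}

// Constructed sample input: an allowlisted iframe, an iframe from an
// unlisted host, a script tag, and ordinary text.
$html = '<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>'
      . '<iframe src="https://unlisted.example/page"></iframe>'
      . '<script src="https://unlisted.example/x.js"></script>'
      . '<p>Body text</p>';

// Compare what each class of author is allowed to publish.
echo "untrusted author:\n", purifierFor(false)->purify($html), "\n\n";
echo "trusted author:\n", purifierFor(true)->purify($html), "\n";
```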



Source: https://stackoverflow.com/questions/4135755/how-do-i-allow-script-object-param-embed-and-iframe-tags-in-htmlpurifier
