With HTMLPurifier, how to add a couple of attributes to the default whitelist, e.g. 'onclick'

Submitted by 和自甴很熟 on 2019-12-11 02:36:08

Question


Two questions:

I have been reading docs and SO posts, and know how to do it the long way (defining each and every element and attribute myself), but all I want to do is add 2 or 3 attributes to the default whitelist, so that I do not have to constantly find and add more elements/attributes to, e.g., HTML.AllowedElements and/or HTML.AllowedAttributes.

Specifically, now (for internal trusted users), I need to allow JavaScript attributes (input from TinyMCE). Question #1: Is there a way to just add an attribute (to what HTMLPurifier allows) without causing the whole default set of allowed elements/attributes to be effectively wiped out (overwritten by ONLY what is explicitly written in HTML.AllowedElements or HTML.AllowedAttributes)?

For what I need right now (the JavaScript attributes), I got excited when I saw this thread:

Whitelist Forms in HTML Purifier Configuration

...where Edward Z. Yang says, "... [$config->set('HTML.Trusted', true);] allows JavaScript."

...but even after setting $config->set('HTML.Trusted', true);, HTMLPurifier 4.4.0 is still stripping, e.g., any input onclick="dostuff();" attribute. Why? Question #2: Is there a quick way to add just the JavaScript attributes to the allowed list?


Answer 1:


  1. You're losing onclick because HTML Purifier doesn't know about that attribute, and if HTML Purifier passed everything through when you turned on %HTML.Trusted you might as well just not use HTML Purifier at all.

  2. HTML Purifier has attribute collections for just this case; 'Common' is probably the right one to insert them into.

But... why? The real name of %HTML.Trusted really should be %HTML.UnsafeMakeMyApplicationVulnerable.




Answer 2:


HTMLPurifier does not support onclick and similar JavaScript-related attributes on any HTML element by default. So if you wish to allow such an attribute anyway, you may add it to a specific element in the following way.

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'allow-onclick-on-a'); // a customised definition needs its own cache ID
if ($def = $config->maybeGetRawHTMLDefinition()) { // returns null once the definition is cached
    $def->addAttribute('a', 'onclick', 'Text'); // element, attribute, attribute type
}

But be careful: this may lead to an XSS attack, as you are allowing any JavaScript code to be present in that attribute.
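
The following is an added example, not code from either answer or from the HTML Purifier project. It implements the approach suggested in answer 1 (adding the handler attributes to the 'Common' attribute collection once, so every element that already takes Common attributes accepts them) as an alternative to the per-element addAttribute() call in answer 2, and checks that the default whitelist is otherwise left intact. It assumes HTML Purifier 4.x loaded through Composer's vendor/autoload.php, and it relies on the anonymous module's public $attr_collections array being merged into the global attribute collections at definition setup time; the function name buildTrustedUserPurifier and the sample input are constructed for this example.

```php
<?php
// Added example (not code from either answer or from the HTML Purifier
// project). Assumes HTML Purifier 4.x loaded via Composer's vendor/autoload.php.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier that keeps the stock element/attribute whitelist and
 * additionally accepts the given event-handler attributes on every element
 * that already takes the 'Common' attribute collection (p, a, div, span, ...).
 *
 * Security note: the 'Text' attribute type accepts any string, so the
 * handler body passes through uninspected. This is only appropriate for
 * content authored by fully trusted users; for anyone else it is an XSS hole.
 */
function buildTrustedUserPurifier(array $handlerAttrs = array('onclick')): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // A customised definition needs its own cache key: maybeGetRawHTMLDefinition()
    // throws without %HTML.DefinitionID, and keying on the attribute list means
    // two differently customised purifiers never share a cached definition.
    $config->set('HTML.DefinitionID', 'trusted-users-' . md5(implode(',', $handlerAttrs)));
    $config->set('HTML.DefinitionRev', 1);

    // Returns null when a definition for this ID/revision is already cached,
    // in which case the customisation below has already been applied.
    $def = $config->maybeGetRawHTMLDefinition();
    if ($def !== null) {
        // The anonymous module is the hook HTML Purifier uses for user-level
        // changes (addAttribute() writes into it too). Assumption used here:
        // its public $attr_collections array is merged into the global
        // attribute collections when the definition is set up, so entries
        // added to 'Common' reach every element that includes that collection.
        $module = $def->getAnonymousModule();
        foreach ($handlerAttrs as $attr) {
            $module->attr_collections['Common'][$attr] = 'Text';
        }
    }

    return new HTMLPurifier($config);
}

// Constructed sample input (not real TinyMCE output), mixing the attribute we
// want to keep with things the default whitelist should still remove.
$sample = '<p onclick="doStuff();" onmouseover="other()">Hello</p>'
        . '<a href="javascript:alert(1)" onclick="go()">link</a>'
        . '<script>alert(1)</script>';

$purifier = buildTrustedUserPurifier(array('onclick'));
echo $purifier->purify($sample), PHP_EOL;
```

Run with the cache directory (Cache.SerializerPath, by default HTML Purifier's own DefinitionCache/Serializer directory) writable. The onclick attribute should survive on both the p and the a element, while onmouseover (not in the list passed in), the javascript: href (not an allowed URI scheme) and the script element should still be removed, because nothing was set on HTML.AllowedElements or HTML.AllowedAttributes and the stock whitelist is untouched. This is the difference from %HTML.Trusted in the question: that flag alone does not make HTML Purifier recognise event-handler attributes, whereas this explicitly teaches it the two or three you name. Bump HTML.DefinitionRev whenever the customisation logic changes, or the cached definition from the previous version will keep being served.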



Source: https://stackoverflow.com/questions/10406841/with-htmlpurifier-how-to-add-a-couple-attributes-to-the-default-whitelist-e-g
