Modifying htmlpurifier allowed tags for this markup

Submitted by 陌路散爱 on 2019-12-21 05:25:09

Question


My html purifier settings now allow only these tags

$configuration->set('HTML.Allowed', 'p,ul,ol,li');

I want to allow indentation of lists and my editor uses this html

<ul style="margin-left: 40px;">

How should I change my HTMLPurifier Allowed tags? I thought to add style, but I think it would be better to specify exactly which style is allowed, which in this case would be margin-left. What is the right way to change the HTML.Allowed for this case?


Answer 1:


Allow the style attributes, and then modify the allowed CSS attributes using %CSS.AllowedProperties.

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');
$configuration->set('CSS.AllowedProperties', 'margin-left');

P.S. I'm surprised how many people don't understand how HTML Purifier works.




Answer 2:


At the least, you want to allow attributes for tags which purifier supports, like so:

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');

I'm not sure if you can also allow/restrict the content of the attributes, though.




Answer 3:


I suggest you don't allow attributes at all. Allowing the style attribute causes an XSS vulnerability in IE7 (and possibly other versions, I am not sure at the moment) but the point is, it's too dangerous. You should parse the HTML yourself, and replace the users' with constant strings in your code. Allowing HTML is a really dangerous practice. For better security, you may want to try something like markdown or create your own very simple markup type language (like BBcode) for your users to use.




Answer 4:


Like SamT said regarding the XSS vulnerability in IE7, be wary of allowing access to the style attribute because of a genius Microsoft move that allowed the use of javascript in CSS by way of "expression()" (also known as Dynamic Properties). http://msdn.microsoft.com/en-us/library/ms537634(v=vs.85).aspx

Regarding its removal in IE8, where Microsoft blatantly admits that it exposed users to additional vulnerabilities: http://blogs.msdn.com/b/ie/archive/2008/10/16/ending-expressions.aspx

example:

<a href="" style="width: expression(alert('XSS'));">blah</a>

The above would pop up a javascript alert box in MSIE 5 through 7. According to the docs on the MSDN, it should also work on IE8 when Quirks mode is active. It might also occur on IE9 in quirks mode, but I can't be sure.

If at all possible, avoid allowing access to the style attribute. You never know when another future browser will get the genius idea to add in the same mistake Microsoft made.
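Added example, not code from the question or any of the answers: a runnable PHP script that applies the configuration from Answer 1 (style allowed on ul only, margin-left the only CSS property) and pushes the editor's indented list through it together with the expression() payload quoted in Answer 4 and a few other constructed hostile inputs. It assumes HTML Purifier is installed through Composer (package ezyang/htmlpurifier) and that vendor/autoload.php sits next to the script; both the path and the sample strings are assumptions for illustration.

```php
<?php
// Added example (not from the original page): restrictive HTML Purifier
// configuration that permits the style attribute on <ul> only, and inside
// it only margin-left. Assumes ezyang/htmlpurifier installed via Composer;
// the autoload path below is an assumption for this example.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Tags are an allowlist. "ul[style]" opens the style attribute on ul only;
    // p, ol and li get no attributes at all.
    $config->set('HTML.Allowed', 'p,ul[style],ol,li');
    // Within an allowed style attribute, only margin-left survives; any other
    // property (width, color, background, ...) is dropped.
    $config->set('CSS.AllowedProperties', 'margin-left');
    // Disable the on-disk definition cache so the script runs from anywhere.
    $config->set('Cache.DefinitionImpl', null);
    return new HTMLPurifier($config);
}

// Constructed inputs: the editor's markup from the question, plus hostile
// markup including the IE expression() payload from Answer 4.
$samples = [
    'editor list'  => '<ul style="margin-left: 40px;"><li>one</li><li>two</li></ul>',
    'extra css'    => '<ul style="margin-left: 40px; color: red; background: url(x)"><li>a</li></ul>',
    'css on li'    => '<ul><li style="margin-left: 40px;">style not allowed on li</li></ul>',
    'expr on ul'   => '<ul style="width: expression(alert(1)); margin-left: 40px"><li>x</li></ul>',
    'expr on a'    => '<a href="" style="width: expression(alert(\'XSS\'));">blah</a>',
    'script tag'   => '<p>hi<script>alert(1)</script></p>',
];

$purifier = buildPurifier();
foreach ($samples as $label => $dirty) {
    printf("%-12s %s\n", $label . ':', $purifier->purify($dirty));
}
```

Run it with php from the directory containing vendor/. The "editor list" case keeps its margin-left; in the other cases the disallowed properties, the style attribute on li, and the a and script elements are removed, so the expression() text never reaches the output. Two layers are at work: HTML.Allowed decides which elements and attributes exist at all (the a element in Answer 4's payload is dropped before its style is even looked at), and CSS.AllowedProperties narrows what an allowed style attribute may contain. Keeping the second list to the single property the editor actually emits is the practical answer to the concern raised in Answers 3 and 4: the style attribute is exposed, but only with a value HTML Purifier validates as a length.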



Source: https://stackoverflow.com/questions/6230323/modifying-htmlpurifier-allowed-tags-for-this-markup
