How to allow certain HTML tags in a form field in Symfony 1.2

牧云@^-^@ 提交于 2020-01-14 06:05:11

问题


I'm playing around with Symfony and have encountered a road block.

I created a model "CmsPage" which has a field called "content" which is stored as a clob (this is specific to doctrine I believe). When I created the app I set "--escaping-strategy=on" so if I enter any html when editing a CmsPage that gets encoded with html entities or something along those lines. I would like to allow html in this field and a quick googling hasn't helped much. Maybe I'm searching for the wrong terms.

Anywho I would like to disable character escaping for this field and possibly only allow a small selection of html tags. What is the correct way to do this in Symfony?


回答1:


From http://www.librosweb.es/symfony_1_1_en/capitulo7/output_escaping.html

Every template has access to an $sf_data variable, which is a container object referencing all the escaped variables. [skipped] $sf_data also gives you access to the unescaped, or raw, data. This is useful when a variable stores HTML code meant to be interpreted by the browser, provided that you trust this variable. Call the getRaw() method when you need to output the raw data.

echo $sf_data->getRaw('test'); => alert(document.cookie)You will have to access raw data each time you need variables containing HTML to be really interpreted as HTML. You can now understand why the default layout uses $sf_data->getRaw('sf_content') to include the template, rather than a simpler $sf_content, which breaks when output escaping is activated.




回答2:


You can use http://htmlpurifier.org/ It is great tool for your needs.

Here is small configuration for htmlpurifier. These rules perfect match with TinyMce editor.

$purifier = new HTMLPurifier();
$purfier_config = HTMLPurifier_Config::createDefault();
$purfier_config->set('HTML.DefinitionID', 'User Content Filter');
$purfier_config->set('HTML.DefinitionRev', 1);
// these are allowed html tags, means white list
$purfier_config->set('HTML.Allowed', 'a,strong,em,p,span,img,li,ul,ol,sup,sub,small,big,code,blockquote,h1,h2,h3,h4,h5');
// these are allowed html attributes, coool!
$purfier_config->set('HTML.AllowedAttributes', 'a.href,a.title,span.style,span.class,span.id,p.style,img.src,img.style,img.alt,img.title,img.width,img.height');
// auto link given url string
$purfier_config->set('AutoFormat.Linkify', true);
// auto format \r\n lines
$purfier_config->set('AutoFormat.AutoParagraph', true);
// clean empty tags
$purfier_config->set('AutoFormat.RemoveEmpty', true);
// cache dir, just for symfony of course, you can change to another path
$purfier_config->set('Cache.SerializerPath', sfConfig::get('sf_cache_dir'));
// translation type, 
$purfier_config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
// allow youtube videos
$purfier_config->set('Filter.YouTube', true);
$purfier_config->set('HTML.TidyLevel', 'heavy');
// now clean your data
$clean_nice_html_data = $purifier->purify($user_input_data, $purfier_config);

Now you can insert data to databse with html tags, and you don't need to escape your data, because, htmlpurifier clean nasty, dangerous data for you, and only accept your allowed tags and attributes.

I hope it helps.



来源:https://stackoverflow.com/questions/1320524/how-to-allow-certain-html-tags-in-a-form-field-in-symfony-1-2

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!