Is there documentation on this or why it is not allowed? (not the tag, the attribute)

However when we pass in:

Array
(
    [0] => p
    [1] => ul
    [2] => ol
    [3] => li
    [4] => strong
    [5] => em
    [6] => u
    [7] => span
    [8] => hr
    [9] => div
    [10] => br
    [11] => b
    [13] => i
)

We get errors like: Element '0' is not supported Element '1' is not supported etc.

What format should the input be?

$config->set('HTML', 'AllowedElements', (array) $tags['tags']);

$tags['tags'] is the above array.

Secondly how come we can't set 'style' as an attribute so styles can be added to elements?

<font style="...">

Another problem appears than I try to resave flash generated by HTMLPurifier. It adds another <!--[if IE]><embed><![endif]--> block. So than I save html second time I have 2 <!--[if IE]><embed><![endif]--> blocks, than 3 and so on.

Could anybody help me?

I'm having a problem where style="background-image: url(http://www.blah.com/image.gif);" is begin converted to style="background-image: url("http://www.blah.com/image.gif");" which is creating the problem of double-quotes within double-quotes. Is this a problem with HTML Purifier or am I doing something wrong?

Best, D4P

Is there an easy way to disallow everything by default?

I have a question regarding HTMLPurifier that a thorough read of the (very good, btw) docs has not helped me find a solution to. So I figured I would turn to the experts :D

I have a client whose CMS is using HTMLPurifier to filter user-generated content. They are interested in allowing users to include widgets provided by a third party, who provides users with an "embed code" for the widgets that employs the SCRIPT tag, with the SRC attribute pointing to a JavaScript file hosted by the third party. (In some ways therefore this is similar to the problem of embedding videos from sites like YouTube.)

My thought was that it would be OK to allow this as long as SCRIPT is strictly set to only be included if the SRC is pointing to a valid, whitelisted domain that we know belongs to the third party. But the problem I've run into in implementing this is that I have not been able to find a way to get HTMLPurifier to allow SCRIPT tags _at all_ except by setting %HTML.Trusted to true. (I tried adding SCRIPT to the list of tags in %HTML.AllowedElements and adding the Scripting module via %HTML.AllowedModules, but neither allowed the tag through.)

Setting %HTML.Trusted to true appears to pass the tag through, but this approach makes me nervous because turning Trusted on seems to relax a bunch of other constraints as well, so using it to solve this problem feels a bit like swatting a fly with a shovel.

I can't do anything with whitelisting by SRC until I can get HTMLPurifier to allow SCRIPT tags through, though. So my question is: is there a way to solve this problem without resorting to %HTML.Trusted?

Thanks in advance for any help!

-- Jason Lefkowitz

<table>
 <tr>
  <td>foo</td>
 </tr>
</table>

gets converted to

<table><tr><td>foo</td>
 </tr></table>

by the purifier. It seems to only maintain indentation on closing tags. Is there anyway to get it to maintain indents for the opening "table" and "tr" tags?

I was wondering what the current status re: Core.CollectErrors is - is there a chance the feature might be completed in the near future, or is it low-priority? :)

(I'm already using it in its current form, but would need completion for my project. As an example, when...

<html>
  <head>
    <title>blah</title>
  </head>
  <body style="background-color:#000000; color:#ffffff;">
    <div>Something.</div>
  </body>
</html>

...is turned into...

<div>Something.</div>

...because the ruleset does not allow for 'head' and 'body' and 'html' tags, then there's no notification.)

<ctag:pagination per_page="10" />

I've tried adding `ctag:pagination` to HTML.Allowed and `ctag:pagination.*` to HTML.AllowedAttributes, however I get the error

Notice: Cannot allow attribute '*' if element 'ctag:pagination' is not allowed/supported (for information on implementing this, see the support forums) in /Users/ollie/Sites/SacrificeApp/Sacrifice/application/vendors/HTMLPurifier/HTMLPurifier/HTMLDefinition.php  on line 316

Am I doing something wrong. Can custom html elements not be added?

when will HTML Purifier support HTML5? For example tags like , and end tags without slashes e.g. ?

Would it be good from a security and a purification standpoint to only trigger HTML purifier if say a < is found? The thought being that if there is not a < then the string shouldn't have any html thus shouldnt need to be run through purifier.

Thus, the characters that go in must be exactly the same as what is extracted for the print job.

However, of course I'd like to ensure that the data on the server (from upload through extraction) is filtered/cleaned

Is there a way to allow all kinds of characters, extract them exactly the same, but protect the system too?

I know you can filter going in, just not sure how I'd get it all out the same and still keep the system happy.

Thanks so much :-)

Thanks

function cleanComments($user_input_data)
{
  $purifier = new HTMLPurifier();
$purfier_config = HTMLPurifier_Config::createDefault();
$purfier_config->set('HTML.DefinitionID', 'User Content Filter');
$purfier_config->set('HTML.DefinitionRev', 1);
// these are allowed html tags, means white list
$purfier_config->set('HTML.Allowed', 'a,strong,em,p,span,img,li,ul,ol,sup,sub,small,big,code,blockquote,h1,h2,h3,h4,h5');
// these are allowed html attributes, coool!
$purfier_config->set('HTML.AllowedAttributes', 'a.href,a.title,span.style,span.class,span.id,p.style,img.src,img.style,img.alt,img.title,img.width,img.height');
// auto link given url string
$purfier_config->set('AutoFormat.Linkify', true);
// auto format \r\n lines
//$purfier_config->set('AutoFormat.AutoParagraph', true);
// clean empty tags
$purfier_config->set('AutoFormat.RemoveEmpty', true);
// cache dir, just for symfony of course, you can change to another path
//$purfier_config->set('Cache.SerializerPath', sfConfig::get('sf_cache_dir'));
// translation type, 
$purfier_config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
// allow youtube videos
$purfier_config->set('Filter.YouTube', true);
$purfier_config->set('HTML.TidyLevel', 'heavy');
// now clean your data
$cleanHtml = $purifier->purify($user_input_data, $purfier_config);
  return $cleanHtml;
}
$html = '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/BdU--T8rLns"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/BdU--T8rLns" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object><a>';
$html .= ' kkkk <a href="http://www.google.it/">pippo</a><p>pippo</p><em>ddd</em><div>pippo</div>'; 
echo(cleanComments($html));

Bye

What is the the default configuration for HTMLpurifier? ie: what tags are stripped ...etc

can u list the default configuration please :)!

Thanks, Kayed Qunibi

The plugin: htmlpurifier_pi.php:

function purify($html)
{
	if (empty($html) || trim((string)$html) === '')
	{
		log_message('error','htmlpurifier_pi::purify : The html you sent to the HTML Purifier is empty...I wonder how is that possible...');
		return FALSE;
	}
	
	if (is_array($html))
	{
		foreach ($html as $key => $value)
		{
			$html[$key] = purify($value);
		}
		
		return $html;
	}
	else
	{
		require_once(APPPATH . 'plugins/htmlpurifier/HTMLPurifier.standalone.php'); 
		
		$allowed_tags = 'p,em,i,strong,b,a[href],ul,ol,li,code,pre,blockquote';
		
		$config = HTMLPurifier_Config::createDefault();
		$config->set('HTML.Doctype', 'XHTML 1.0 Strict');
		$config->set('HTML.Allowed', $allowed_tags);
		$config->set('HTML.TidyLevel', 'heavy');
		$config->set('AutoFormat.Linkify', 'true');
		$config->set('AutoFormat.AutoParagraph', 'true');
		$htmlpurifier = new HTMLPurifier($config);
		
		log_message('debug','HTML Purified!');
		return $htmlpurifier->purify($html);
	}
} // End of purify

The example:

$this->load->plugin('htmlpurifier_pi.php');
$body = purify(markdown($this->input->post('body')));

Now if I post the following comment:

This is a list:

* This is a list item
* This is another list item

1. This is the first item of an ordered list
2. This is the second item of an ordered list

Quote:

> Only idiots
> never change their minds

Here is the code that I get:

<p>This is a list:</p>

<p></p>

<ul><li>This is a list item</li>
<li>This is another list item</li>
</ul>

<ol><li>This is the first item of an ordered list</li>
<li>This is the second item of an ordered list</li>
</ol>

<p>Quote:</p>

<p></p>

<blockquote>
  <p>Only idiots
  never change their minds</p>
</blockquote>

See? I get a bunch of empty p tags. How could I get rid of those p tags please?

I hope this is the right forum to ask this question, so here goes...

I'm considering using the Phorum software along with HTML Purifier primarily so I can integrate a WYSIWYG editor like CKEditor or YUI. Is there a demo site utilizing such a configuration that anyone can direct me to? I don't want to force my users to know and type arcane mark-up. If anyone can point me in the direction of a demo site, I'd greatly appreciate it.

Thanks,

-Steve

I have been looking into ways to overcome a problem I have with my website and wondered if I could ask you for some more details.

Basically I am coding a website in which I want to allow members of my site to post html/css so they can decorate their profile backgrounds, pages etc!

However I am aware that you can sanitise user input but am confused as to the allowing html, etc!

So by using this script would this ensure that the user input is made safe?

I would want to allow users to use things like etc but not necessarily tables and stuff. Thanks

I am thinking of this idea to write something like html purifier, basically I want to know your opinion of what's wrong with doing it this way: 3 basic steps

1) Convert charset encoding to utf8, like this: if charset is already reported as utf-8 or ascii, then validate that it does not contain illegal chars and strip low bytecode chars (except tab, newline and space) If utf8 does not pass the test for well-formdness, then recode it using iconv UTF-8 to UTF-8 with //IGNORE flag or similarly can use mb_convert_encoding using the "none" as default character If charset is anything other than utf8 then convert it to utf8 using either utf8_encode or iconv or mb_convert_encoding, depending on what extension is available and of cause utf8_encode only works on latin1

2) Fix the html string by running it through Tidy. This will take care of closing unclosed tags, can also remove garbage from MS-Word created HTML. It will also add necessary <html><body></body></html> to the html fragment.

3) The actual stripping off the dangerous tags: do with with DOMDocument/DOMElement classes of php. Since by now we have valid UTF-8 string and fixed HTML, we should be able to load the document into DOMDocument without problems.

Now we can use DOM interface or even Xpath to find all tags that are not on our whitelist (or on our blacklist), and can also find all tags that have dangerous attributes and remove all of them.

The DOMElement removes all decendents, so nesting is solved right there.

Now we have the clean DOMDocument and can dump it back as a string, there are also some tricks to only dump the contents of what's inside the tag, so the actual <html><body></body></html> will not be included in the result if we don't want that.

This looks easy and uses only the extensions that are already in php - mbstring or iconv, tidy and DOM

What's your take on this approach?

I already have written my own utf-8 sanitizor class that validates and recodes the utf-8 string if necessary, so I am 100% confident that my string is 100% utf-8

Is there a way for me to tell the purifier to skip its' charset validation and only do the html tags related work?

So basically I have already done the charset validation/sanitization, and I only need to remove dangerous html tags and maybe fix the bad html.

Could I use this great programme on my website and forums at http://www.codesupplier.com/ and http://www.codesupplier.com/apps/forums/ or not? Please tell me... Thanks.

Cheers!

Thanks in advance

CSJakharia

I tried this but then also values in the attribute does not remove spaces $config = HTMLPurifier_Config::createDefault(); $config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); $config->set('HTML.TidyLevel', 'heavy'); $config->set('Attr.EnableID', true); $config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true); $config->set('AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions',array());

$obj = new HTMLPurifier($config);

But this does not converts

<span style="color:#ffffff;font-family:arial;font-size:small;"><b>  Type</b></span>

to

<span style="color:#ffffff;font-family:arial;font-size:small;"><b>Type</b></span>

It does not removes extra trailing spaces

Thanks in advance

CSJakharia

Can anyone provide any insight on this?

As it stands now, I have this config and flashvars is filtered out:

require_once 'HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
// $config->set('Output.TidyFormat', true);
$config->set('AutoFormat.AutoParagraph', true);
$config->set('AutoFormat.DisplayLinkURI', true);
$config->set('AutoFormat.Linkify', true);
$config->set('AutoFormat.RemoveEmpty', true);
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions', array('td', 'th'));
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true);
$config->set('HTML.SafeObject', true);
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.Trusted', true);
$config->set('HTML.TidyLevel', 'light');
$config->set('HTML.EnableAttrID', true);
// $config->set('HTML.Allowed', 'flashvars', 'object', 'embed', 'param');
$config->set('HTML.Allowed', array('param', 'object', 'embed', 'flashvars'));
$config->set('Cache.SerializerPath', Base::clientPath().Cache::DIRECTORY);
$config->set('Filter.YouTube', true);
// $config->set('Filter.Embed', true);
// $config->set('Filter.Playlist', true);

$purifier = new HTMLPurifier($config);
$this->post_data[$var_name] = $purifier->purify($post_value);

On a side note, I was _trying_ to write my own filter, but could never get it to run. Is there something I need to do to activate the plugin?

I was wonder if you had time if you could take a look at a project I have been working on to validate php input and give me any feed back. It can work in conjunction with HTMLPurifier.

https://www.assembla.com/wiki/show/phpInputValidator/

Thanks

I'm trying to allow the "height" attribute on the table element, and I can't seem to get it to work properly.

My config is this:

		$config->set('Core', 'Encoding', 'ISO-8859-1');
		$config->set('Core', 'CollectErrors', true);
		$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional');
		$config->set('Core', 'EscapeNonASCIICharacters', true);
		$config->set('Core', 'EscapeInvalidTags', true);
		$config->set('HTML', 'Trusted', true);
		$config->set('HTML', 'SafeObject', true);
		$config->set('HTML', 'SafeEmbed', true);
		$config->set('HTML', 'EnableAttrID', true);
		$config->set('HTML', 'TidyLevel', 'medium');
		$config->set('Filter', 'YouTube', true);
		$config->set('Cache', 'DefinitionImpl', null); // remove this later!
				
		$config->set('HTML', 'DefinitionID', '1');
		$config->set('HTML', 'DefinitionRev', 2);

$def =& $config->getHTMLDefinition(true);
$def->addAttribute('table', 'height', new HTMLPurifier_AttrDef_Enum(array(0 => '*')));

I have tried to define the value array in multiple ways, but nothing seems to work. If anybody sees what I'm doing wrong, I'd appreciate the input.

Would it be possible to create an RSS feed for your news or releases? I would like to keep up to date on your releases since I am using it on 3 projects. I hate blindly coming to the site wondering if there is a new release or not.

Thanks!