The Tiki community is now using Composer: https://sourceforge.net/p/tikiwiki/code/HEAD/tree/trunk/composer.json

And there is a package here: https://packagist.org/packages/ezyang/htmlpurifier

Please update http://htmlpurifier.org/ with SF link to code (the URL changed) above and indication of use of 4.5

Many thanks for HTML Purifier!

M ;-)

And just for information is there any player limit that i can add to URI.SafeIframeRegexp?

I apologize if there is something new on the HTML5 front with htmlpurifier but everything I have read says it has not been implemented and probably won't be. It seems the current solution is to add custom elements to support at least a subset of the tags, etc.

Would a donation/investment (in other words $) change this? It seems the demand is there, and if this indeed would provide the resources for you to get HTML5 support implemented, I would be willing to lead a fundraiser from interested parties to get what is needed.

Thanks! atDev

E.g. for http://example.com I'd like it to consider http://example.com, http://www.example.com and http://sub.example.com all as local addresses.

I am currently using the Form_validation helper in codeigniter to make sure the data is what I expect if not then i will not pass it to the model (MVC). Also I am using the global xss_clean filter.

To my understand HTML Purifier should be only used when user data is going to be echo'd/outputted as HTML in a table, forum, blog (etc.) Is my understanding of this correct? I am asking because my student login form will be used to enter data into a database. Then my student queue page which will be creating a html jquery table will be used to SELECT ... FROM ... that database. So this is confusing me because in the output for the student queue page the data will be database housed. it wont just be posted directly.

So in turn my train of thought goes as follows :

>> Validate data making sure it is what you expect

>> Filter the data with xss_clean like I currently am.

>> Use PDO prepared queries to insert the data to the DB

>> now this step confuses me as to how I should echo my database data? should i use HTML Purifier at this step?

Sorry if this question has been asked a million times, I just can't seem to find what I am looking for. I am not fully gripping the concept of HTML purifier.

Is it possible to make a new (at least a minor) release ?

Thank you.

How can I allow <br clear="all"> if my config is:

$config->set('HTML.Allowed', 'br[clear]');

which is not working, and HTMLPurifier change it to <p>&nbsp;</p>

Thank you very much.

I'm guessing there must be something I'm doing wrong?

I have the POST data getting filtered like this: $cleaned = $purifier->purify($_POST['rawdata']);

Thanks!

$config = HTMLPurifier_Config::createDefault(); $purifier = new HTMLPurifier($config); $clean_html = $purifier->purify($dirty_html); ?>

but getting warning error and a fatal error so i know i made some mistake plz u r expert help me in simple manner so that my site get secured you can also mail me pearlvishu[at]gmail[dot]com or if u r on fb - fb.com/vishalworld000 plz hepl guyz

I was thinking about third-party content embedding (YouTube videos, <object>, <iframe> etc).

Am i right that there is no universal solutions for this task right now?

Is this solution demanded by the developers and users?

I though maybe i should create a universal configurable filter to accomplish this task.

Who's interested? I'm looking for your opinion. Feature requests and any ideas are most welcome.

We can even start an "official" whitelist of popular services.

Slava Fomin II Let's make this World a Better place!

I've read that older versions of HTML Purifier can be used on PHP4 (specifically the 2.x version), however they've all got SIG extensions, and I don't have any clue what to do about those - when I download the file, it gives me an extremely small (perhaps 50kb) SIG file.

What's the procedure to get this extracted and ready for deployment?

Thanks, J

To reproduce this, plug in the following HTML into the HTML Purifier demo.

<DIV><PRE style="WORD-WRAP: break-word" id=PreBody><PRE><PRE style="WORD-WRAP: break-word" id=PreBody><PRE><FONT size=2 face=Arial>

Missing content!!

<B>1) Details:</B>   

By default, HTML Purifier may remove some of your spacing indentation. Turn on CollectErrors or experimental features order to fully preserve whitespace.

<B>2) Instruction Instruction Instruction:</B>   
  
By default, HTML Purifier may remove some of your spacing indentation. Turn on CollectErrors or experimental features order to fully preserve whitespace.

<B>3) Instruction Instruction Instruction:</B> 

More text. Instruction Instruction Instruction.
<B>Acceptance:</B>

More missing content.

</FONT>

The result is simply:

<div><pre></pre><pre></pre><pre></pre><pre></pre></div>

I'm glad HTML Purifier is aggressively cleaning up this mess, but perhaps too much text was removed?

i am using it with ckeditor and i need users to be able to style theire article and add youtube embed video this is the filter:(found on stackoverflow)

<?/**
 * Based on: http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/
 * Iframe filter that does some primitive whitelisting in a somewhat recognizable and tweakable way
 */
class HTMLPurifier_Filter_youtube2 extends HTMLPurifier_Filter
{
    public $name = 'youtube2';

    /**
     *
     * @param string $html
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string
     */
    public function preFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
    {
        $html = preg_replace('#<iframe#i', '<img class="youtube2"', $html);
        $html = preg_replace('#</iframe>#i', '</img>', $html);
        return $html;
    }

    /**
     *
     * @param string $html
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string
     */
    public function postFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
    {
        $post_regex = '#<img class="youtube2"([^>]+?)>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    /**
     *
     * @param array $matches
     * @return string
     */
    protected function postFilterCallback($matches)
    {
        // Domain Whitelist
        $youTubeMatch = preg_match('#src="https?://www.youtube(-nocookie)?.com/#i', $matches[1]);
        $vimeoMatch = preg_match('#src="http://player.vimeo.com/#i', $matches[1]);
        if ($youTubeMatch || $vimeoMatch) {
            $extra = ' frameborder="0"';
            if ($youTubeMatch) {
                $extra .= ' allowfullscreen';
            } elseif ($vimeoMatch) {
                $extra .= ' webkitAllowFullScreen mozallowfullscreen allowFullScreen';
            }
            return '<iframe ' . $matches[1] . $extra . '></iframe>';
        } else {
            return '';
        }
    }
}
?>

http://trac.qcu.be/projects/qcubed/browser/framework/branches/2.0/includes/external_libraries/htmlpurifier

It would be kind if you could update the same on the front page :)

Regards, Vaibhav

Is there a mailing list that will notify when a new version of HTML Purifier has been released? I looked at the mailing list link above but it is a general one. Current topics include support queries, "joke pictures - really funny", but no formal release announcements that I can see.

I'd like to have release notifications come in to members of my Dev team so I can ensure that someone is aware of it no matter who is present, away, etc. For that, I really need a simple release notification that goes out which is only release notifications. I don't want my Devs getting auto sent support queries for the library, etc.

Is there a release notification list I can sign up for that I've missed? If not, would it be possible to set something up as it would be extremely useful and for others also, I'm sure.

Thanks,

H.

Could you possibly update the users list on the front page for ImpressCMS thanks.

we are now using version 4.4.0, our SVN has changed since.

new url to SVN is http://www.assembla.com/code/impresscms/subversion/nodes/trunk/htdocs/libraries/htmlpurifier?rev=11754

install htmlpurifier in ubuntu

apt-get install php-pear

pear channel-discover htmlpurifier.org

pear install hp/HTMLPurifier

If using WAMP With Pear installed, same steps as above, without the "apt-get".

I am one of the developers of the QCubed project. It is a PHP framework and we want to include (ship) HTMLPurifier in our up coming release. However, our project has a MIT License and HTMLPurifier has LGPL v 2.1+. As far as I can see, they are compatible (specially since we are not modifying HTMLPurifier source).

In case there are any conflicts, please tell us. We would want to make workarounds for the same.

Regards, Vaibhav

Thx! (•̀ᴗ•́)و

I am new to all of this and am not catching on too quickly! My first question...is using the simple HTML5 "!DOCTYPE HTML " not allowed with HTML PURIFIER?

Second question...

If the stand alone version does everything the full version does but runs quicker, why offer the full version at all? Why not just offer the stand alone?

Thanks!

<?php and ?>

'HTML.Allowed', 'b[class]'

'Attr.AllowedClasses', 'red'

Since my HTML text is minified, the output looks something like this

::input:: <p><ul><li>item</li><li><b class="red">item2</li></ul></p> ::output:: item<b class="red">item2</b> When when rendered, looks like, "itemitem2"

Since them items are block level elements, is there a way to add a space between them? So the output would look like,

::output:: item <b class="red">item2</b>

require_once './HTMLPurifier.standalone.php';

$config = HTMLPurifier_Config::createDefault();

$config->set('HTML.Allowed', 'p,span,em,ul,ol,li');

$purifier = new HTMLPurifier($config);

$output= $purifier->purify($input);

$input:

<script>abc</script><p>p1</p><div>123</div>

$output:

<script>abc</script><p>p1</p><div>123</div>

Works fine on your demo page: output is <p>p1</p>123

What am i doing wrong?

Thanks

David

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // TODO: remove this later!
$def = $config->getHTMLDefinition(true);

But when i tried it still cache, not turn off .. pls help me turn of cache in htmlpurifer

Test 1

Test 2

I've been doing some searching and haven't found anything solid on this and just thought I'd ask.

I'm allowing my users to edit email templates. The email templates are html so I'm happy to use htmlpurifier to strip out all scripts and non compliant html code.

However, I do have special tags that get replaced when the email gets sent out. They're all surrounded by square brackets. Ex: [CONTENT] [UNSUBSCRIBE]

These tags are placed in displayable html &lt;pre&gt;&lt;![CDATA[&lt;div&gt;[CONTENT]&lt;/div&gt;]]&gt;&lt;/pre&gt; as well in links &lt;pre&gt;&lt;![CDATA[ &lt;a href=&quot;[UNSUBSCRIBE]&quot;&gt;Unsubscribe&lt;/a&gt; ]]&gt;&lt;/pre&gt;

Does anyone know of a way to have htmlpurifier not convert the square brackets? If I run href=&quot;[UNSUBSCRIBE]&quot; through the purifier I get href=&quot;%5BUNSUBSCRIBE%5B&quot;

Thanks for any info on this.

<code>
code here
</code>

to enter code, so using the pre + cdata method isnt possible, its also not possible to use jquery to process the submission and dynamically code into pre + cdata since cdata isnt part of the dom, just xml

Does htmlpurifier have any functionality in which to help doing that? obviously it cant be done on the way out html purifier since the stuff inside the code block is going to be blocked by purifier, and I would really like to avoid doing manual string processing for all the same reasons that htmlpurifier exists.

Cheers Dale

<div style="font-size:12px;">text2</div> is return <div>text2</div>

my config file is:

$config = HTMLPurifier_Config::createDefault();

$config -> set('Core.Encoding', 'UTF-8');

$config -> set('HTML.Doctype', 'XHTML 1.0 Transitional');

$config -> set('HTML.TidyLevel','medium');

$config->set('HTML.AllowedAttributes', '*.style,a.href,a.title');

$config->set('HTML.AllowedElements','div,a,strong,span,em,p,u,i,b,sup,sub,small,ul,li,ol,big,code,blockquote,hr,h1,h2,h3,h4,h5');

$config->set('CSS.AllowedProperties', array('float', 'color','background-color', 'background', 'font-size', 'font-family', 'text-decoration', 'font-weight', 'font-style', 'font-size'));

$config->set('AutoFormat.RemoveSpansWithoutAttributes', true);

$config->set('CSS.AllowTricky','true');

$schemes = array('http' => true, 'https' => true);

$config -> set('URI.AllowedSchemes', $schemes);

$purifier = new HTMLPurifier($config);

$content = $purifier -> purify($dirty_html);

return $content;

i want see <span STYLE and <div STYLE HOW CAN ? DO?