I was recommended by some people to use htmlpurifier, basically i have a website that inserts data into a database on when outputting that data to a webpage i want htmlpurifier to remove anything bad like code tags etc convert html to it's safe equivalent and so forth.

I currently use htmlentities() in PHP with ENT_QUOTES to convert both single and double quotes to there safe equivalent.

I have gone through the documentation and am very confused.

1) I downloaded the latest standalone version and included it in my top.inc.php so it's included on every webpage on my site and below the include i placed the following code as stated in the documentation:

$purifier = new HTMLPurifier(); $clean_html = $purifier->purify($dirty_html);

Now from what i understand this should now work?

I have a guestbook i delibrately placed some js code in guestbook comment field that would display a popup and submitted it to database and removed the htmlentities() when outputting from database and thought htmlpurifier would now convert that code to it's html safe equivalent and just dusplay the html code and convert html characters like <> to it's html eqivalent but instead i am getting the popup showing instead which obviously means i am either doing something wrong or i am misunderstanding how to use htmlpurifier.

All i want is for htmlpurifier to only purify code that i tell it to, for example maybe there is a way i can add a div id so htmlpurifier only deals with anything in the div ?

To my understanding am i rite in thinking htmlpurifier will also alter the html code of my webpages if it finds anything to be invalid markup etc? i don't want that just to sort out the code i want it to sort out as just explained.

I am confused and not sure what i need to do. I have gone over the docs several time to no luck and yes my page encoding is UTF-8 and is XHTML 1 transitional as is 100% valid.

Sorry if i sounds confusing but just am not getting any of it at all.

Thanks PHP

I'm a Drupal Nube and am working my way through the new stuff. HTML Purifier seems like a really cool module but I'm not clear about the installation. The directions say:

* Extract the "library" folder and place it inside your modules/htmlpurifier directory.

I'm not clear where to get the library to extract and place or what library we're talking about. Can anyone give me a little more insight?

Thank you.

I'm struggling a bit to understand exactly what I can expect of HTML Purifier vs. Tidy. I am a bit confused about the term 'filter', I think, so apologies if I'm expecting the wrong thing here.

I'm looking at using HTML Purifier as a drop in replacement for Tidy (which I have obviously configured to my needs as below) to make sure my HTML is valid on entry through an internal CMS. An example that Tidy can do, but Purifier seems to struggle with, is where both b and strong are being used around a bit of text. I want to convert to strong and keep the tags in the correct location.

For example, the text:

<b>bold text is strong</strong> and normal text isn't.

Tidy makes this:

<strong>bold text is strong</strong> and normal text isn't.

And purifier makes this:

<b>bold text is strong and normal text isn't.</b>

Is it possible to get the Tidy behaviour in Purifier, or am I looking at the wrong tool for what I'm attempting?

Many thanks!

require_once '../../library/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'UTF-8');
$config->set('HTML.Allowed', 'a[href],b,blockquote,em,i,pre');
$config->set('HTML.Trusted', true);
$def = $config->getHTMLDefinition(true);
$purifier = new HTMLPurifier($config);

// untrusted input HTML
$html = '<b>Simple</b>  Yes cool <div><b><a href="" rel="nofollow"><b>Simple</b> and short</a></div>

<i>Italic</i>

<pre>Awesome

Code 

here</pre>
';
$pure_html = $purifier->purify($html);
echo $pure_html ;

$comment = nl2br($comment);
$comment = preg_replace( "/(<br\s?\/?>)+/i","<br />", $comment );    //double br's treatment
$comment = stripslashes($comment);                                   // slashes gone

    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'a[href|[title],br,blockquote,code,strong,em,p');
    $config->set('AutoFormat.AutoParagraph','true');
    $config->set('AutoFormat.RemoveEmpty','true');

    $config->set('HTML.BlockWrapper','p');

    $purifier = new HTMLPurifier($config);
    $comment = $purifier->purify($comment);

the BlockWrapper will be ignored whats wrong?? my input:

<blockquote>quote</blockquote>

i want this output:

<blockquote><p>quote</p></blockquote>

However, with one email PHP throws this exception and stops working:

Fatal error: Maximum function nesting level of '100' reached, aborting! in C:\Users\Sebastian Hoitz\Documents\Entwicklung\kt_cli\trunk\library\HTMLPurifier\Token\Text.php on line 26

This happens in this method:

HTMLPurifier_Lexer_DOMLex->tokenizeDOM()

How can I help you find this bug? Do you need the HTML of the email?

We're having an issues with Purifier on Snow Leopard. All attribute content gets stripped out when running HTML through "HTMLPurifier()".

The same code runs just fine on our Ubuntu server, but the only way to get it to work on a MacBookPro is to open the file "HTMLPurifier.standalone.php", and then re-save it. Doing so solves the problem until the next reboot when the process needs repeating.

The same issue exists in the non-standalone library, but I have no idea which file to open / re-save.

Looks like there's some weird character encoding issue somewhere in the attribute handling code, but I've no idea where to look to fix it. Any help would be appreciated.

Cheers.

<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

So it goes like this

<-----Start quote---->

In this part, we will examine implementing <?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> Asynchronous event

<-----End quote ------->

I can't comprehend the reason for having that piece of xml there, but anyway how do i remove that? Thanks a lot

Greetings

The code : require_once 'HTMLPurifier/HTMLPurifier.auto.php'; $purificateur = new HTMLPurifier();

Gives me : Fatal error: Cannot access protected property HTMLPurifier_ConfigSchema::$singleton in /home/comparateur/proteinesbox.com/HTMLPurifier/HTMLPurifier/ConfigSchema.php on line 72

Thanks for advance :)

I'm new with HTMLPurifier. And I will use the AutoFormat.Linkify option The option works fine if I write links like: http://google.de but nothing I write google.de or www.google.de. Is there a solution to "fix" this?

Kind Regards

Here's how I was thinking about doing it... inside a globally included file, I'd add something like this:

$_REQUEST_UNTRUSTED = array();
$_REQUEST_TRUSTED = array();
foreach($_REQUEST as $key => $value) {
	$_REQUEST_UNTRUSTED[$key] = $value;
	$_REQUEST_TRUSTED[$key] = $purifier->purify($value);
}
$_REQUEST = $_REQUEST_TRUSTED;

That way everything inside the $_REQUEST used throughout the system would be completely clean. And, if for some reason I need to get the raw data (for example, in a CMS admin where you need to submit entire HTML documents via POST) you could still access the _UNTRUSTED array.

Does this approach sound like a good or bad idea?

One thing that concerns me is the performance hit this might put on our system. Purifier is a pretty major library and it might be overkill to use it for this purpose since I'm not really cleaning the output, just the input. I ran some tests stuffing 50 or so variables in the $_REQUEST and then running through a version of the above code 20 times and I was disappointed to see almost three seconds added to the total processing time based on some calculations with microtime. Without the purify calls the same page looping through the array takes no time at all.

Any direction you can give would be appreciated. If we just need to tune it for this purpose to make it perform better or use something else better suited for this approach, please let me know. I haven't really looked into what options I should use as far as the filters go, I just loaded up the standalone and ran it.

Thanks!

<script type="text/javascript">
<!--
some javascript code here
//-->
</script>

becomes

<script type="text/javascript">
some javascript code here
//</script>

I have set Output.CommentScriptContents to false and HTML.Trusted to true. If I set Output.CommentScriptContents to true HTMLPurifier adds its own comments. I would like it to just keep the comments already there. Is this possible?

Again a new question. I am not getting the base tag to work. Take this snippet as example:

<base href="http://htmlpurifier.org/art/" />

<img src="bglogo.png" alt="" />

Solution 1: The img src is modified to: http://htmlpurifier.org/art/bglogo.png

Solution 2: The base tag is allowed, no modifications are made.

I don't get one of the two solutions to work.... Any help please.

At first I would like to thank developers for such fine tool, it became the present find for me.

There were only a few small questions. 1. Whether probably to make so, what html purifier automatically would delete double blanks? Output.Newline allows to transform a blank into a tag , for example, but it would be desirable to learn how to transform 2 and more blanks into one 2. Whether probably to make so, what html purifier automatically would transform unnecessary inverted commas in their HTML-essence? 3. How to me to prohibit certain attributes of a tag? For example I do not want that users would use attribute class in tags div and span

In advance thanks!

Brand new user of this, my gosh, über-library. Thanks for the tremendous work.

I'm stumped by a very simple thing. The «unpurified» HTML I used for a test contains a tag with the style attribute, which has a font-family instruction. Seems like multi-words font families trigger HTML Purifier to double quote them, which is unusual but certainly proper (I don't know the standard, but I'm sure I'm a loose coder for not double quoting them). What is odd though, is that the double quotes are transformed by Purifier into their corresponding entity.

INPUT:

<span style="font-family:arial black, avant garde;">something</span>

OUTPUT:

<span style="font-family:"arial black", "avant garde";">something</span>

An explanation of that behaviour would be nice, and instructions on how to prevent it if need be would be also useful.

NOTE: the -- & quot; -- entity does not show in the output above, since it is replaced by -- " --

Thanks

require_once('includes/htmlpurifier/library/HTMLPurifier.auto.php');

$config = HTMLPurifier_Config::createDefault();
$config->set('Core.Encoding', 'utf-8');
$config->set('HTML.Doctype', 'XHTML 1.0 Strict');

$purifier = new HTMLPurifier($config);

$old_html = '•';
$new_html = $purifier->purify( $old_html );

echo $new_html;

I get this:

•

what am I doing wrong here? :p

regards

I'm extremely new to all this html purification, but I employed the light version successfully to fix my WYSIWYG editor to make it XHTML compliant. However, I have noticed that if I add an external image to a content item it gets stripped. Is this normal?

How do I fix it?

Thanks for the help, RJP1

<ul>
  <li>
    <p>Content</p>
  </li>
  <li>
    <p>Content</p>
  </li>
</ul>

which makes issues for coloring and styling. So I'd like to allow P, but disallow LI>P (strip paragraphs if direct children of list items).

Can CSS or XPath selectors be used for element lists (allow, forbid)? If not, are there any plans to do so?

Thanks!

I have also posted this question on Stack Overflow, if you'd prefer to answer it there: http://stackoverflow.com/questions/3189396/whitelist-forms-in-html-purifier-configuration

Where inside this engine do I best hook in to perform this? I imagine it has to be some kind of hook that runs late. Also, the 'target' attribute is not part of my generally allowed set of attributes (HTML.AllowdAttributes).

Any hints appreciated!

I have some problems when using the HTML.SafeObject option. The difference in our system is that when this option is set on our LMS takes 27.64Mb in order to render the page, but when the HTML.SafeObject is commented the page is loaded with 14.42Mb. Did somebody already have this kind of memory leak problems?

I'm using the HTMLPurifier 4.1 but is the same thing if you test it with HTMLPurifier 3.3.

If i'm using a server configuration with a memory limit of 20mb I get this fatal error:

htmlpurifier/library/HTMLPurifier/DefinitionCache/Serializer.php on line 33

Our configuration:

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'i,b,sub,sup');

Input:

<b>Option 1:</b> a<b

Expected Output:

<b>Option 1:</b> a&lt;b

Actual Output:

<b>Option 1:</b> a<b></b>

Even worse when haven something like that: Input:

<b>Option 1:</b> a<c (normal case)

Expected Output:

<b>Option 1:</b> a&lt;c (normal case)

Actual Output:

<b>Option 1:</b> a

Another: Input:

Dear <your-name-here>, you are...

Expected Output:

Dear <your-name-here>, you are...

Actual Output:

Dear , you are...

It seems that in either case the < followed by a non-whitespace character is recognized as a tag which is in my opinion wrong. With this behaviour user input like "Dear , you are..." ist not possible. Am I missing some configuration settings?

Thanks for any help on this.

Regards Michael

<?xml:options >

replaced with

<?xml:options >

I have a question - what parameters should be set if I want to save the attribute "name" as a result

 $config = HTMLPurifier_Config::createDefault();

        // configuration goes here:
        $config->set('Core.Encoding', 'UTF-8');
        $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
        $config->set('HTML.TidyLevel', 'heavy');
        $config->set('Filter.ExtractStyleBlocks.TidyImpl', true);
        $config->set('HTML.AllowedElements', 'a,b,i,u,p,br,ul,ol,li,img,span,div');
	$config->set('Core.EscapeInvalidChildren', true);
        //$config->set('HTML.Trusted', true);
        $config->set('Attr.EnableID', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.YouTube', true);
	$config->set('Cache.DefinitionImpl', null);
	$config->set('HTML.SafeEmbed', true);


        $purifier = new HTMLPurifier($config);

        
        $pure_html = $purifier->purify($dirty_html);

But when I try to purify <a style="jjj" href="kkk"><div>what</div></a> it returns: <a href="kkk" rel="nofollow"></a><div><a href="kkk" rel="nofollow">what</a></div><a href="kkk" rel="nofollow"></a> Any Ideas how to correct it will be really appreciated. Thanks

i would like to use html purifier on an iso8859-7 site ( i really have problems using greek because pretty much all the chars are going escaped) but i want ONLY to disallow the external resources.

How can i skip all the other filters?

now i use the following code to config the purifier

$config = HTMLPurifier_Config::createDefault();

$config->set('Core.Encoding', 'ISO-8859-7');

$config->set('URI.DisableExternalResources', true);

but as a result i escape all the greek chars BUT the images are still there....

i really i dont care about html filtering except the image filtering so i want to escape the filtering of the greek chars and make work the DisableExternalResources option...

thx in advance

<span style="text-align:right">Text</span>

The examples i've seen so far consider just one attribute but this is an special case as there's on property inside the attribute!!. This is how far i got:

$def->addAttribute('span', 'style', 'Enum#text-align')); But then, how do i check if it is right, left,...?

Does anybody know how to solve this if there's a way??

Thanks