1. Won't the HTML Purifier's autoloader conflict with my autoloader?

2. Is the HTML Purifier standalone version the one to use if I have my own autoloader?

I've read the documentation and can't quite figure it out.

Edited 1 time(s). Last edit at 05/09/2013 02:37AM by tonex.

<embed src="http://cnettv.cnet.com/av/video/cbsnews/atlantis2/cbsnews_player_embed.swf" type="application/x-shockwave-flash" background="#333333" width="425" height="279" allowFullScreen="true" allowScriptAccess="always" FlashVars="si=254&contentValue=50145567&shareUrl=http://www.cbsnews.com/video/watch/?id=50145567n" />

Upon packaging the latest version of your great software for opensuse, I have recognized that the Pear packages in the /get directory are somehow wrong. They are very big (more then twice as big as the previous release) and can't be unpackacked.

In the previous release I have recognized several '*.bak' files within the package, which should also be removed.

I kindly request to check the packages...

Best regards, Johannes

My site is written in PHP in the Zend Framework running on Godaddy Linux hosting. Here's the code:

require_once 'libraries/htmlpurifier-4.5.0/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);            
$username = $_POST['loginUsername'];
$password = $_POST['loginPassword'];       
// After the above lines execute the site just keeps trying to load with no results.
$clean_username = $purifier->purify($username);     
$clean_password = $purifier->purify($password);

I've previously been having good luck with your library, and commend you on it. This is the first issue I've had, and first post on the forum so bear with me if you need more information. Thanks in advance.

How do I allow ONLY youtube or vimeo iframes

I have these

$config->set('HTML.AllowedElements', array('a','b','p','i','em','u', 'br', 'div', 'img', 'strong','iframe'));
$config->set('HTML.AllowedAttributes', array('a.href', 'img.src', '*.alt', '*.title', '*.border', 'a.target', 'a.rel','iframe.src'));
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^http://(www.youtube.com/embed/|player.vimeo.com/video/)%'); 

but the iframe is still completely removed, whether I have the iframe in HTML.Allowed... or not

Edited 1 time(s). Last edit at 04/16/2013 11:44PM by amommy.

I know HTMLPurifier isn't planning on supporting full HTML documents until the 5.x series but I thought there might be a hack or modification to get it to allow <html>, <head>, <body> and <style> tags.

I saw a similar question which has this suggested workaround:

$config->set('Core.LexerImpl', 'DirectLex');
$config->set('HTML.AllowedElements', array('html','head', 'body', 'style', 'div', 'p'));

But that didn't solve it for me, HTMLPurifier 4.5 still removes the <html>, <head> and <body> tags.

Can anyone suggest a possible hack or workaround? Thanks

Edited 1 time(s). Last edit at 04/10/2013 05:57AM by coder49.

if check security option on
htmlawed $options=array('safe' => 1,'deny_attribute'=>'style','comment' => 0,);
 (remove applet, embed, iframe, object, script, onclick, style attribute. CDATA & comments are turned to text) 

Switch
case 0
htmlawed  $options = array( 'elements' => 'p br', 
'keep_bad' => 0,
'comment' => 1,
'safe' => 1);
 (remove applet, embed, iframe, object, script, onclick, comments and cdata and allow only p and br elements)
then use html2text (convert to text)

case 1
htmlawed $options = array('elements' => 'a, b, blockquote, br, code, em, font, h1, h2, h3, h4, h5, h6, hr, i, li, ol, p, pre, q, s, small, strike, strong, sub, sup',
'keep_bad' => 0,
'comment' => 1,'safe' => 1);


case 2:
htmlawed $options = array('elements' => 'a, abbr, acronym, address, b, bdo, big, blockquote, br, caption, center, cite, code, col, colgroup, dd, del, dfn, dir, div, dl, dt, em, embed, fieldset, font, h1, h2, h3, h4, h5, h6, hr, i, iframe, img, ins, label, legend, li, noscript, ol, p, param, pre, q, s, samp, small, span, strike, strong, style, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul',
                  'keep_bad' => 0,
                  'comment' => 1,
                  'safe' => 1);

testing each one individually not as a switch case using htmlpurified works for the most part. but using it above so far I have to add

$config = HTMLPurifier_Config::createDefault();
$config->set( 'HTML.Allowed', '....');	
$config->set( ''HTML.ForbiddenElements', '....');
.......more $configs if necessary
$purifier = new HTMLPurifier($config);

each time I want to use hp. How do I just create one instance and maybe, if better use singleton with injection

Is it possible via HTMLpurifier to encode HTML entities like

<p> paragraph </p>

, or

<b> bold </b>

, etc to not format the code but instead just push the tags without ruining my formatting of the page.

In short just like htmlentites() work in php.

Regards, tusharvikky

I have installed HTMLpurifier as per the simple instructions and as soon as I pass a large CSS style sheet, I get this error in the Apache error log:

PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 129238227 bytes) in /var/www/xxxxx.php on line 122, referer: http://xxxxx

I have tried the standalone version and the full version and I get the same result.

I am running a VirtualBox machine(details below) to emulate as closely as possible the production environment where the code will be hosted.

I have uploaded the same set of code to the production environment and I get the same result.

My CSS file is not huge - 2.3kB. Surely no reason to use 128MB of RAM. My best guess is it's getting stuck in some kind of infinite loop.

Any assistance most gratefully received.

--------------------------------------------------------------------

Debian Squeeze
Linux lamp 2.6.32-5-686 #1 SMP Mon Feb 25 01:04:36 UTC 2013 i686
Server: Apache/2.2.16 (Debian)
PHP/5.3.10-1~dotdeb.1
MySQL
Server version: 5.1.66-0+squeeze1
MySQL client version: mysqlnd 5.0.8-dev - 20102224 - $Revision: 321634 $
PHPmyAdmin
Version information: 3.3.7deb7

Can purifier do this job for me?

Does HTML Purifier prevent SQL Injection like mysql_real_escape_string ?

Thanks, Ant

1. I absolutely HATE Microsoft smart quotes. Anyway of replacing these (and the single apostrophe) through HTMLPurifier or does this have to be done afterwords using something like str_replace?

2. RSS Feeds config I've stored some RSS feed content directly into my database without sanitising or touching it - straight out of the feed and into the db.

Now I want to display one of these feed items. Here's the config I've been using. I want to show images and all the content but I want to make sure it's all SAFE without penalising them too much. Can you please let me know if you think this is OK?

$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 	'EscapeNonASCIICharacters', true);
$config->set('HTML', 	'Allowed', 	$allowedTags);
$config->set('HTML', 	'TargetBlank', 	true);
$config->set('HTML', 	'SafeObject', 	true);
$config->set('Output', 	'FlashCompat', 	true);
$config->set('Output', 	'TidyFormat', 	true);
$config->set('AutoFormat', 'AutoParagraph', false);
$config->set('AutoFormat', 'RemoveEmpty', true);
$config->set('AutoFormat', 'RemoveEmpty.RemoveNbsp', true);
$purifier = new HTMLPurifier($config);

Thanks! Richard :o)

eg. for string like: "http://www.google.com/search?q=abc&ie=utf"

the & will be converted into

&

which is a fair default.

In my use case though, such links are used in href attribute and is passed via json response, do I need to do XSS filter with html purifier, if so how to preserve such url correctly?

PS: not necessarily google.com, but can be any user-input links.

I'm trying to validate user generated HTML that goes into a database and I have found this tool. I have manually inserted a script tag with an alert into a field that I retrieve via php. However, when I process the data with HTML Purifier and then echo it, my browser still displays the hideous alert.

Am I missing some configuration? Will it by default only disable scripts that are malicious?

I have being playing with the config for a bit and I've only gotten this far:

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.ForbiddenElements', array('script','style','applet'));
$purifier = new HTMLPurifier($config);

$requisitos_p = $_POST["requisitos"];
$requisitos = $purifier->purify( $requisitos_p );

echo $requisitos;

Any help would be appreciated,

Thanks!

$config->set('URI.SafeIframeRegexp', '%^http://(www.youtube(?:-nocookie)?.com/embed/| |player.vimeo.com/video/| |www.liveleak.com/ll_embed|(\w+).wrzuta.pl/film/)%');

Edited 1 time(s). Last edit at 03/04/2013 05:57AM by muaidb.

<img alt="picture" src="https://domain/images/image.jpg" style="width: 300px; height: 300px;" />

replaced with

<img alt="" src="%5C" />

I'm having a tough time figuring out what the correct behavior of the purifier is!

assets/htmlpurifier/maintenance/rename-config.php

assets/htmlpurifier/library/HTMLPurifier/StringHashParser.php

assets/htmlpurifier/maintenance/flush.php

etc.

are raising flags, too. Some of them are path manipulation errors, XSS vulnerabilities, and command inject vulnerabilities.

My question is, which files are absolutely necessary for htmlpurifier to run, and which files can I get rid of?

function clean_html( $string ) {
      require_once( DIR_FS_HTML_PURIFIER . 'library/HTMLPurifier.auto.php' ); 
      $config = HTMLPurifier_Config::createDefault();
      $purifier = new HTMLPurifier( $config );
      $string = $purifier->purify($string);
      return $string;
}

FYI, I also get java console errors related to the name of the malicious javascript function, evil: Timestamp: 13-02-19 05:43:16 PM Error: uncaught exception: ReferenceError: evil is not defined

In general, shouldn't the purify function only change the string content without messing with SESSION variables???

I'm thinking perhaps the problem is related to the poorly defined javascript.

If I define the 'evil' javascript function, I get no java console error but the SESSION variables still get broken.

Help!

Thanks, Marc

Edited 2 time(s). Last edit at 02/19/2013 04:59PM by mwmurphy.

This:

<pre>
 <code><span class="sql1-reservedword"><strong><font color="#0000ff">SELECT
 </font></strong></span></code></pre>

Becomes this:

<pre> <code><span class="sql1-reservedword"><strong></strong></span></code></pre>

But if I delete the

 tag, I get this:

 <code><span class="sql1-reservedword"><strong><font color="#0000ff">SELECT
 </font></strong></span></code>

#2 Is there a way to get it to ignore the pre altogether (or stop removing line breaks and spacing)?

http://narod.ru/disk/64890823001.150f69b52b236db449089abdd3f14922/KoreanRandom's_contoured_2012.12.27.rar.html

I'm new to HTMLPurifier, is there an easy way to change the "src" in all images into "data-src" to provide better protection for my users?

Thank you!

I started learning php about an year ago (sporadically), and about a few months ago I decided to create an application which I use to learn important php concepts and at the end, security.

For the framework I chose codeigniter and for now I feel really comfortable with it. About 2 weeks ago I started learning in more detail about security (from lerning how to program with security in mind, to informing myself about projects such as htmlpurifier) and how can I protect my application from stuff.

While codeigniter got me covered with session encoding, sql injection (via the active record), csrf I kinda didn't understand how to protect my app from xss, because I don't think I understand xss properly and when some other stuff will be less expensive in protecting user form input.

So for the sake of clarification, I would be grateful if somebody can explain the use of htmlpurifier on an exaple

The example: I have a simple form which contains the following - An input field (name) which should only allow alpha (utf-8) symbols (so no stuff like ', etc). - A textarea, a simple textarea which doesn't allow any of the htlm stuff (strips the tags) and on output it uses preg_replace to make paragraphs out of \n etc. (on edit it just returns it).

So should I use htmlpurifier for a input field, which only accepts alpha? (uses preg_match("/^([a-z])+$/i", $str)? to filter), or should I use purifier on top of it?

Should I use purifier on an textarea which uses strip_tags(), or should I use purifier (and how should I configure it to prorerlly strip tags?).

I guess that on form element such as dropdown and radio button using a purifier makes no sense?

I read in the documentation (at least the parts that I could understand to be honest, i am lacking in knowledge) that in order to speed up html purifier, one should purify on input, and not on output? So the question is when should I purify on output?

Other than on form submision should I purify somewhere else too?

Can someone point out what are the classical mistakes that people do when using htmlpurifier, and some common knolwedge guidelines about it?

I am trying to work with the sfXSSSafePlugin for symfony that is based on HtmlPurifier 4.3

When I execute $config->maybeGetRawHTMLDefinition() I get the following error,

"Cannot retrieve raw version without specifying %HTML.DefinitionID"

This is because the content in $config is the default from the Schema.ser - It does not contain %type.definitionID.

If I try to avoid executing that statement, I get the following error

"Cannot use non-block element as block wrapper"

Please help me as it is very urgent.

Thank you

Edited 1 time(s). Last edit at 12/20/2012 06:16AM by Hope.

Im obviously doing it wrong somewhere but i can't find much information about it from the usual sources.

include('HTMLPurifier.standalone.php'); $config = HTMLPurifier_Config::createDefault(); $config->set('CSS.AllowTricky', true);

As i understand it this config should allow display:block on img tags?

Edited 2 time(s). Last edit at 12/19/2012 10:14AM by cosmicsafari.

Signature system on this forum looks kinda awkward.

1. It displayed strange:

a). It's not visually delimited from the message.

b). It doesn't respect newlines. My signature right now is displayed in a single line.

2. Looks like it cached or copied to the message itself. When i update the signature in my profile it doesn't update on a post page.

Slava Fomin II

Let's make this World a Better place!