Moodle is using a modified version of HTML Purifier - you can see a diff between Moodle and vanilla version below. This is a bit problematic for me as that forces me to use (in Debian, I'm a Maintainer) the version bundled with Moodle - and I'd prefer to use your version, that is already packaged for Debian. The adjustments that Moodle did are necessary, to re-implement them I would need to extend few classes: * HTMLPurifier_AttrDef_Lang * HTMLPurifier_HTMLModule_Text * HTMLPurifier_HTMLModule_XMLCommonAttributes

Could you suggest some way of having HTML Purifier to use the extended classes (how could I inject them). Of course I would like to do it without modifying/patching the HTML Purifier code.

cheers, Tomek

diff -ru vanilla/HTMLPurifier/AttrDef/Lang.php moodle/HTMLPurifier/AttrDef/Lang.php
--- vanilla/HTMLPurifier/AttrDef/Lang.php	2010-06-01 04:22:39.000000000 +0100
+++ moodle/HTMLPurifier/AttrDef/Lang.php	2010-05-22 01:04:23.000000000 +0100
@@ -9,6 +9,10 @@
 
     public function validate($string, $config, $context) {
 
+// moodle change - we use special lang strings unfortunatelly
+        return preg_replace('/[^0-9a-zA-Z_-]/', '', $string);
+// moodle change end
+
         $string = trim($string);
         if (!$string) return false;
 
diff -ru vanilla/HTMLPurifier/HTMLModule/Text.php moodle/HTMLPurifier/HTMLModule/Text.php
--- vanilla/HTMLPurifier/HTMLModule/Text.php	2010-06-01 04:22:39.000000000 +0100
+++ moodle/HTMLPurifier/HTMLModule/Text.php	2010-05-22 01:04:23.000000000 +0100
@@ -45,6 +45,13 @@
         $this->addElement('span', 'Inline', 'Inline', 'Common');
         $this->addElement('br',   'Inline', 'Empty',  'Core');
 
+        // Moodle specific elements - start
+        $this->addElement('nolink',  'Inline', 'Flow');
+        $this->addElement('tex',     'Inline', 'Flow');
+        $this->addElement('algebra', 'Inline', 'Flow');
+        $this->addElement('lang',    'Inline', 'Flow', 'I18N');
+        // Moodle specific elements - end
+        
         // Block Phrasal --------------------------------------------------
         $this->addElement('address',     'Block', 'Inline', 'Common');
         $this->addElement('blockquote',  'Block', 'Optional: Heading | Block | List', 'Common', array('cite' => 'URI') );
diff -ru vanilla/HTMLPurifier/HTMLModule/XMLCommonAttributes.php moodle/HTMLPurifier/HTMLModule/XMLCommonAttributes.php
--- vanilla/HTMLPurifier/HTMLModule/XMLCommonAttributes.php	2010-06-01 04:22:39.000000000 +0100
+++ moodle/HTMLPurifier/HTMLModule/XMLCommonAttributes.php	2010-05-22 01:04:23.000000000 +0100
@@ -5,9 +5,11 @@
     public $name = 'XMLCommonAttributes';
 
     public $attr_collections = array(
+/* moodle comment - xml:lang breaks our multilang
         'Lang' => array(
             'xml:lang' => 'LanguageCode',
         )
+*/
     );
 }
 
diff -ru vanilla/HTMLPurifier/Lexer.php moodle/HTMLPurifier/Lexer.php
--- vanilla/HTMLPurifier/Lexer.php	2010-06-01 04:22:39.000000000 +0100
+++ moodle/HTMLPurifier/Lexer.php	2010-07-06 01:04:03.000000000 +0100
@@ -252,8 +252,10 @@
     public function normalize($html, $config, $context) {
 
         // normalize newlines to \n
-        $html = str_replace("\r\n", "\n", $html);
-        $html = str_replace("\r", "\n", $html);
+        if ($config->get('Output.Newline')!=="\n") {
+            $html = str_replace("\r\n", "\n", $html);
+            $html = str_replace("\r", "\n", $html);
+        }
 
         if ($config->get('HTML.Trusted')) {
             // escape convoluted CDATA

In an effort to stop them from being removed by HTMLPurifier we used the addElement method. We seem to be able to get them all to work EXCEPT HEAD.

                        $oDef = $oConfig->getHTMLDefinition(true);

                        $oDef->addElement(
                                'style', // name
                                false, // content set
                                'Optional: #PCDATA', // allowed children
                                'Common', // attribute collection
                                array( // attributes
                                        'type' => 'CDATA',
                                ));

                        $oDef->addElement(
                                'title', // name
                                false, // content set
                                'Optional: #PCDATA', // allowed children
                                'I18N', // attribute collection
                                array( // attributes
                                ));

                        $oDef->addElement(
                                'meta', // name
                                false, // content set
                                'Empty', // allowed children
                                'I18N', // attribute collection
                                array( // attributes
                                        'http-equiv' => 'CDATA',
                                        'name' => 'CDATA',
                                        'content' => 'CDATA',
                                        'scheme' => 'CDATA',
                                ));

                        $oDef->addElement(
                                'head', // name
                                false, // content set
                                'Optional: Flow | #PCDATA | title | style | meta', // allowed children
                                'Common', // attribute collection
                                array( // attributes
                                ));

                        $oDef->addElement(
                                'body', // name
                                false, // content set
                                'Optional: Flow | #PCDATA | Inline', // allowed children
                                'Common', // attribute collection
                                array( // attributes
                                ));

                        $html = $oDef->addElement(
                                'html',  // name
                                false, // content set
                                'Optional: Flow | #PCDATA | head | body | title | style | meta', // allowed children
                                'Common', // attribute collection
                                array( // attributes
#                                       'action*' => 'URI',
#                                       'method' => 'Enum#get|post',
#                                       'name' => 'ID'
                                ));
                        $html->excludes = array('html'=>true);

You may ask why we have title, style, meta inside the html. It's because the HEAD isn't working yet. So in the meantime we put them there since they seem to render even though they are children of HEAD.

Would it be possible to provide an API to validate added rules? I didnt see a bug tracker to log the request, so I apologize if this is the wrong place.

Drak

Test results in Test

Does the library support non-latin domains or is this feature on your to-do list? Any ideas for quick fix of the issue?

Thanks!

Georgi

<p><span style="font-family: ">
<p align="left">Installation and Testing of the Electrical & Instrumentation</p>
<p align="left">Works</p>
<p align="left">&bull; Installation of Primary & Secondary Containment</p>
</span></p>
<p> </p>
<p> </p>

Produces the following purified output:

<p>
</p><p align="left">Installation and Testing of the Electrical &amp; Instrumentation</p>
<p align="left">Works</p>
<p align="left">• Installation of Primary &amp; Secondary Containment</p>

The purified output is valid, of course, but it still contains an empty element.

If you run that through again, it's further purified, to remove the empty paragraph:

<p align="left">Installation and Testing of the Electrical &amp; Instrumentation</p>
<p align="left">Works</p>
<p align="left">• Installation of Primary &amp; Secondary Containment</p>

Should Purifier run on a loop, repeatedly purifying until no changes are made to the HTML string?

TRiG.

Custom filters, on the other hand (subclasses of HTMLPurifier_Filter) operate on html strings with regular expressions.

Would it be possible to add an interface for custom filters that operate directly on the DOM tree? I imagine this could be more powerful than regex filtering.

The parsing is a quite expensive operation (right?), so I guess it's a good idea to only do it once.

See also http://drupal.org/node/808868

HTMLpurifier 4.1.0 works perfectly here, except for a few special input cases, where it enters a neverending loop:

require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$t = '<i><ul></ul></i>';
$p = $purifier->purify($t);

You can replace the I tag with B or STRONG and it will still run forever.

This is running on PHP 5.3.2.

Best regards Lars

If you put background-position: "center 0px", the purifier turns it into "0px center" (verified in the demo).

<div style="height: 500px; width: 500px;background-position: center 0px; background-image: url(logo.jpg);></div>

From here: http://www.w3schools.com/css/pr_background-position.asp

The first value is the horizontal position and the second value is the vertical.

I think this is because the background-position code just classifies any value of center as being either a vertical or horizontal measurement, and does not take into account if the center was the first or second word it encountered.

I modified HTMLPurifier_AttrDef_CSS_BackgroundPosition to classify center values as either "ch" or "cv" instead of just "c".

This is my modified code:

class HTMLPurifier_AttrDef_CSS_BackgroundPosition extends HTMLPurifier_AttrDef
{

    protected $length;
    protected $percentage;

    public function __construct() {
        $this->length     = new HTMLPurifier_AttrDef_CSS_Length();
        $this->percentage = new HTMLPurifier_AttrDef_CSS_Percentage();
    }

    public function validate($string, $config, $context) {
        $string = $this->parseCDATA($string);
        $bits = explode(' ', $string);
		
        $keywords = array();
        $keywords['h'] = false; // left, right
        $keywords['v'] = false; // top, bottom
        $keywords['ch'] = false; // center (first word)
        $keywords['cv'] = false; // center (second word)
        $measures = array();

        $i = 0;

        $lookup = array(
            'top' => 'v',
            'bottom' => 'v',
            'left' => 'h',
            'right' => 'h',
            'center' => 'c'
        );

        foreach ($bits as $bit) {
            if ($bit === '') continue;

            // test for keyword
            $lbit = ctype_lower($bit) ? $bit : strtolower($bit);
            if (isset($lookup[$lbit])) {
                $status = $lookup[$lbit];
				if($status == 'c'){
					if(!$i)
                		$status = 'ch';
					else
                		$status = 'cv';
				}
				$keywords[$status] = $lbit;
                $i++;
            }

            // test for length
            $r = $this->length->validate($bit, $config, $context);
            if ($r !== false) {
                $measures[] = $r;
                $i++;
            }

            // test for percentage
            $r = $this->percentage->validate($bit, $config, $context);
            if ($r !== false) {
                $measures[] = $r;
                $i++;
            }

        }
		
        if (!$i) return false; // no valid values were caught

        $ret = array();

        // first keyword
		// fix "center 0px" being turned into "0px center"
		/* Original code had a bug that changes "center 0px" to "0px center"
		   because it first takes from measures before c keywords
		*/
		/*
        if     ($keywords['h'])     $ret[] = $keywords['h'];
        elseif (count($measures))   $ret[] = array_shift($measures);
        elseif ($keywords['c']) {
            $ret[] = $keywords['c'];
            $keywords['c'] = false; // prevent re-use: center = center center
        }

        if     ($keywords['v'])     $ret[] = $keywords['v'];
        elseif (count($measures))   $ret[] = array_shift($measures);
        elseif ($keywords['c'])     $ret[] = $keywords['c'];
		*/
		
        if     ($keywords['h'])     $ret[] = $keywords['h'];
        elseif ($keywords['ch']) { //get ch before measurements
            $ret[] = $keywords['ch'];
            $keywords['cv'] = false; // prevent re-use: center = center center
        }
        elseif (count($measures))   $ret[] = array_shift($measures);

        if     ($keywords['v'])     $ret[] = $keywords['v'];
        elseif ($keywords['cv'])     $ret[] = $keywords['cv'];
        elseif (count($measures))   $ret[] = array_shift($measures);

        if (empty($ret)) return false;
        return implode(' ', $ret);

    }

}

Thanks for all your support!

Anyways, right now I want to set it up so that she can do something like

<flash src="file.swf" height="250" width="300">

on her update page and it will get replaced with a SWFObject call (or something along those lines).

There isn't exactly a lot of documentation I have found on screwing with the guts of HTMLpurifier instead of working with what's already there, so I'm working a lot on guesswork and trying to interpret the code as written. I've already made one successful hack, making AutoParagraph fire on single newlines instead of double newlines (not a functionality everyone needs, but important for this particular site) but this is certainly MUCH more involved :X

What I have so far (not much yet <.<;;;) is

<?php
class HTMLPurifier_Injector_AutoFlashTag extends HTMLPurifier_Injector
{

    public $name = 'AutoFlashTag';
    public $needed = array('flash' => array('src','height','width');

    public function handleElement(&$token) {
        $src = $token->start->attr['src'];
        $height = $token->start->attr['src'];
        $width = $token->start->attr['src'];

but to move on I need to know some things that I can't seem to just figure out.

First, since I'm using a non-existent tag, I'm sure I need to create a definition for it somewhere or else it will just get deleted or escaped before I even get this far, right? How do I do this and insure that the tag is allowed? What needs to change in my $config declarations? Since the page will ALSO have non-trusted user input (for example, a comment system) I need to be able to either have this tag (and then get rid of it) or not have this tag on different $configs.

As for actually continuing the process, the way I see it there's a couple approaches I can take. If there's a way to delete the tag entirely and insert a string where it was that would be the easiest, but if not then there's a couple things that can be done but each are substantially more complex.

Finally, once the injector is made, how do I actually hook it in so that it can be used? Without being able to use it I can't expiriment and try to solve the problem myself.

Thanks for your help, I realize I'm asking kind of a lot here!

I don't think this already exists, so I'm putting it in as a suggestion for now. I'd like to index HTML fragments with Zend_Search_Lucene, and from what I gather, it requires a whole HTML document (with metadata). I thought it would be nice to have a method that passes back a fragment of HTML as a valid full document, with title and metadata included. I feel that would be a useful feature, but I'm not sure of the other applications for this method.

All the best.

can you name a date, at witch the version 4.0 will get stable?

Is there any version of HTMLPurifier that can be compiled with Phalanger?

I have use cases where I only need to run MakeWellFormed AND ValidateAttributes and I already checked that changing the "Core" strategy fix my issue.

I looking into the code but it seems there is no way to alter the strategy because strategy is set during initialization and it is a private property.

Am I missing anything?

Is it possible to add some way to alter the strategy object without altering the core htmlpurifier code?

I added the lines

$r['b'] = new HTMLPurifier_TagTransform_Simple('strong');
$r['i'] = new HTMLPurifier_TagTransform_Simple('em');

into XHTMLAndHTML4.php in the Tidy HTMLModule, and in my script through

$config->set('HTML', 'TidyAdd', 'b');
$config->set('HTML', 'TidyAdd', 'i');

these additional Tidy rules are enforced - which works fine.

I wanted to suggest to maybe add these rules as optional (only gets used if specifically chosen through TidyAdd) to Tidy, also a few other HTML tags like <big> or <small> could be added to help replace tags which should better not be used nowadays, although <b> and <i> are by far the most commonly still used (especially by users). These tags are not deprecated, that's why it should only be optional, or it could also be an own module independent of Tidy.

If something like this already exists than I apologize for bringing it up (and would be glad to hear where to find it) - I just thought it would be great to have this feature included without having to edit the library itself :-) And I did not know of any other way to easily convert one tag to another with HTMLPurifier (which is probably also not a common use case).

All HTML Purifier tests on PHP 5.2.6
1) Equal expectation fails at character 0 with [Invalid encoding utf8] and [] -> Expected error not caught
        in test_convertToUTF8_spuriousEncoding
        in HTMLPurifier_EncoderTest
2) Identical expectation [Integer: 1] fails with [Integer: -1] because [Integer: 1] differs from [Integer: -1] by 2 at [/Users/dgm/workspace/htmlpurifier/tests/HTMLPurifier/LengthTest.php line 68]
        in testCompareTo
        in HTMLPurifier_LengthTest
FAILURES!!!
Test cases run: 195/195, Passes: 2426, Failures: 2, Exceptions: 0

I'm testing on a mac, fwiw.

I would like to know if there is a way to remove a tag without attribute.

For example: I want to keep

<span class="myClass">

but I don't want

<span>

to avoid span tags in my content with no utility.

Is-there a way to do that ?

Best regards.

Is there a filter for this website out for your Html purifier?

It would not be very hard it is similar to the youtube filter. I am just not experienced enough to go about creating it.

All it must do is look for the playlist id number under the embed line. I can supply sample code if needed.

I have looked through the youtube.php and it is rather simple .. Sorta. Does of one or two things it is doing that I haven't seen in php coding before. Such as the \1 action.

Second question. How do I go about adding support for style? Tried config line but I wasn't sure how to set it up. The doc file you have doesn't really clarify it well.

Edit: Just noticed this might be a the wrong forum. For this topic.

Not so much the first question but the second question yes. Sorry about that.

1.) embed swf files

and more specifically

2.) embed the swf file of the JW Flv player (to show flv movies hosted on my server).

I have been searching through the forums and I trying to find out how much of this is already in place (as not to re-invent the wheel). I have found various classes already made, but I don't know which, if any, is suited for my purpose:

1.) SafeEmbed and SafeObject

2.) The second post here: http://htmlpurifier.org/phorum/read.php?2,1102,1102 If this one works, do I need to apply the injector patch seen here:

http://htmlpurifier.org/phorum/read.php?3,921,946#msg-946

3.) Maybe a modified version of the youtube class you made?

Thanks for getting me started in the right direction.

I have so far created a new filter file called Movie.php (in this file i have based on YouTube.php)

class HTMLPurifier_Filter_Movie extends HTMLPurifier_Filter
{
    
    public $name = 'Movie';
    
    public function preFilter($html, $config, $context, $movieurl, $height, $width) {
        $pre_regex = '#<object[^>]+>.+?'.$movieurl.'([A-Za-z0-9\-_]+).+?</object>#s';
        $pre_replace = '<span class="movie-embed">\1</span>';
        return preg_replace($pre_regex, $pre_replace, $html);
    }
    
    public function postFilter($html, $config, $context, $movieurl, $height, $width) {
        $post_regex = '#<span class="movie-embed">([A-Za-z0-9\-_]+)</span>#';
        $post_replace = '<object width="'.$width.'" height="'.$height.'" '.
            'data="'.$movieurl.'\1">'.
            '<param name="movie" value="'.$movieurl.'\1"></param>'.
            '<param name="wmode" value="transparent"></param>'.
            ''.
            '</object>';
        return preg_replace($post_regex, $post_replace, $html);
    }
    
}

as you can see i've added $movieurl, $height, & $width flags to the functions.

I'm thinking i can create a new config() option in purifier, where we can set the url, height & width from the config script, and then pass these to the filter.

something like an extra option in config..

$Config->set('HTML', 'MovieURL', 'url to movie');
$Config->set('HTML', 'MovieHeight', 425);
$Config->set('HTML', 'MovieWidth', 380);

these options could then be passed to the filter that requires them such as when $Config->set('Filter', 'Movie', true); is enabled.

I'm not so sure on how to add extra config options though to purifier though. wondering if you could provide some help in that regard

thanks

Vaughan

This is a request for mockups for two different types of interfaces; a non-JavaScript interface, and a JavaScript interface.

The non-JavaScript interface would be a normal listing of errors. If we look at the W3C validator, we can immediately rip and steal some ideas:

Line 4, Column 5: error text

<body>Context HTML</body>

Explanation text

I must admit, however, that I haven't used the validator very much and, when I have, found it's interface clunky for fixing errors in my documents. Also, with a little more context-sensitivity we can give much more helpful messages than W3C; HTML Purifier knows about the most common remedies to problems and can suggest them accordingly to users.

The JavaScript interface might be a regular text editor, but with icons and highlighted lines in places where there were errors. A user could click the icon to bring up the error console, and then make the appropriate changes and dismiss it. Admittedly, I don't know how feasible this is.

Think big, think grand. We'll pare things down with technical considerations later.

• HTML5 as a full-fledged document language. This means we treat it as if people were actually serving their pages as HTML5. This is not immediately useful, but will be once browsers start adding support for HTML5.
• HTML5 as a meta-language that can be converted to HTML4. The premise behind this is we can turn HTML5 into HTML4 + CSS which will look the same as it would look in a browser that supports HTML5. So a user can write <l>Line</l> and get back the valid HTML 4.01 code <div class="html5-l">Line</div>; the former is much shorter.

The downside of doing any of these early-bird implementations is that we will have to be very careful to keep them in sync with the specification.

Are there any comments?

I was hoping that it would be possible to limit the possible values for a given element's attribute.

For example: how would I limit div.class to only have the values of "code", "quote", or "plain"? And, also, not specifying the class attribute at all should be valid.

Thanks, Eric

Initial Objective: I need to allow flashvars to pass through the purifier

current configuration:

$config = HTMLPurifier_Config::createDefault();	

$config->set('HTML', 'DefinitionID', 'allow flash movies');
$config->set('HTML', 'DefinitionRev', 1);
$config->set('HTML', 'SafeEmbed', true); 
$config->set('HTML', 'SafeObject', true);

$config->set('Core', 'DefinitionCache', null);

$purifier = new HTMLPurifier($config);
$clean_html = $purifier->purify($dirty_html);
return $clean_html;

Just looking for some direction. The ultimate goal is to allow all object/embed/param to pass. HTML Purifier works on a whitelist ideology, im looking for more of a blacklist approach when it comes to objects/embed/param flash. However, it would seem that using my above config is good enough as long as I could get the flashvars param/attribute to pass.