
Param insertion on object tags...

Posted by Emmett 
Param insertion on object tags...
December 04, 2007 12:52PM

Hi - back again with a new question.

I need to inject a <param name="enablejsurls" value="false" /> tag into all object tags.

I feel like I'm very close...but I really need to take that final step.

Thanks, Emmett

#!/usr/bin/php -q
<?php
	require_once 'lib/htmlpurifier-2.1.2/library/HTMLPurifier.auto.php';
	require_once 'lib/htmlpurifier-2.1.2/library/HTMLPurifier/AttrTransform.php';

	// Start from the stock configuration and give this customised HTML
	// definition its own id/revision so the cache can tell it apart from
	// the default one.
	$config = HTMLPurifier_Config::createDefault();
	$config->set('HTML', 'DefinitionID', 'allow flash movies');
	$config->set('HTML', 'DefinitionRev', 1);
	// Caching stays off while the definition is still being edited, otherwise
	// a cached copy can mask the addElement() changes below (remove this later).
	$config->set('Core', 'DefinitionCache', null);
	// Raw (editable) definition; every addElement() call below modifies it.
	$def =& $config->getHTMLDefinition(true);
	
	// <param> is only meaningful inside <object>; the "false" content-set
	// argument keeps it out of every other context. Both attributes are typed
	// Text, which accepts any string, so the post-transform attached further
	// down is what actually constrains the name/value pairs.
	$paramAttrs = array(
		'name'  => 'Text',
		'value' => 'Text'
	);
	$param =& $def->addElement('param', false, 'Empty', false, $paramAttrs);
	
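	/**
	 * Post-transform for <param>: forces safe values on the Flash parameters
	 * that control scripting/windowing, validates 'movie' as a URI, and drops
	 * any parameter it does not know. The original only rewrote two names and
	 * let every other name/value pair through as unvalidated Text.
	 */
	class HTMLPurifier_AttrTransform_ParamValidator extends HTMLPurifier_AttrTransform
	{
		var $name = "Parameter validation";
		// HTMLPurifier_AttrDef_URI for the 'movie' parameter, created on first use.
		var $uri;

		/**
		 * @param array  $attr    attributes of the <param> token ('name', 'value')
		 * @param object $config  HTMLPurifier_Config
		 * @param object $context HTMLPurifier_Context
		 * @return array attributes with a forced/validated value, or with both
		 *               'name' and 'value' set to null when the parameter is
		 *               dropped (the same removal convention the embed/object
		 *               transforms in this thread rely on)
		 */
		function transform($attr, $config, &$context) {
			// Parameters whose value is overridden whatever was supplied.
			$forced = array(
				'allowscriptaccess' => 'never',
				'wmode'             => 'window',
				'enablejsurls'      => 'false'
			);
			$paramName = isset($attr['name']) ? $attr['name'] : '';
			if (isset($forced[$paramName])) {
				$attr['value'] = $forced[$paramName];
			} elseif ($paramName === 'movie') {
				// The movie parameter carries a URL, so run it through the
				// URI validator instead of passing the raw Text value through.
				if (!isset($this->uri)) {
					$this->uri = new HTMLPurifier_AttrDef_URI();
				}
				$rawValue = isset($attr['value']) ? $attr['value'] : '';
				$checked = $this->uri->validate($rawValue, $config, $context);
				if ($checked === false) {
					// Rejected URI: drop the whole parameter.
					$attr['name'] = $attr['value'] = null;
				} else {
					$attr['value'] = $checked;
				}
			} else {
				// Unknown parameter name: drop it rather than pass it through.
				$attr['name'] = $attr['value'] = null;
			}
			return $attr;
		}
	}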
	// Registered as a post-transform: it runs after the Text attribute
	// definitions above have accepted the raw name/value strings.
	$paramValidator = new HTMLPurifier_AttrTransform_ParamValidator();
	$param->attr_transform_post[] = $paramValidator;
	
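	// <object> restricted to Flash: type is required and pinned to the Flash
	// MIME type, width/height must be pixel values. The data attribute holds
	// a URL, so it is typed URI (the same attribute type the embed 'src'
	// below uses) instead of Text, which would accept any string unvalidated.
	$objectAttrs = array(
		'type*'   => 'Enum#application/x-shockwave-flash',
		'width*'  => 'Pixels',
		'height*' => 'Pixels',
		'data'    => 'URI'
	);
	// Inline element that may contain <param> children and text.
	$object =& $def->addElement('object', 'Inline', 'Optional: param | #PCDATA', false, $objectAttrs);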
	
	
	// <embed> restricted to Flash. Attributes typed Text accept any string;
	// the EmbedValidator post-transform attached further down forces
	// allowscriptaccess/enablejsurls/enablehref to their safe values whether
	// or not the input supplied them.
	$embedAttrs = array(
		'type*'             => 'Enum#application/x-shockwave-flash',
		'width*'            => 'Pixels',
		'height*'           => 'Pixels',
		'src*'              => 'URI',
		'flashvars'         => 'Text',
		'allowscriptaccess' => 'Enum#never',
		'enablejsurls'      => 'Enum#false',
		'enablehref'        => 'Enum#false',
		'bgcolor'           => 'Text',
		// these will all be ignored by the injector
		'wmode'             => 'Text',
		'pluginspage'       => 'URI',
		'saveembedtags'     => 'Text',
		'salign'            => 'Text',
		'scale'             => 'Text',
		'name'              => 'Text'
	);
	$embed =& $def->addElement('embed', 'Block', 'Empty', false, $embedAttrs);

	/**
	 * Post-transform for <embed>: unconditionally pins the three attributes
	 * that control script access, so a supplied value cannot loosen them.
	 */
	class HTMLPurifier_AttrTransform_EmbedValidator extends HTMLPurifier_AttrTransform
	{
		var $name = "Embed validation";

		/**
		 * @param array  $attr    <embed> attributes
		 * @param object $config  HTMLPurifier_Config (unused)
		 * @param object $context HTMLPurifier_Context (unused)
		 * @return array attributes with the pinned values applied
		 */
		function transform($attr, $config, &$context) {
			$pinned = array(
				'allowscriptaccess' => 'never',
				'enablejsurls'      => 'false',
				'enablehref'        => 'false'
			);
			foreach ($pinned as $attrName => $safeValue) {
				$attr[$attrName] = $safeValue;
			}
			return $attr;
		}
	}
	// Attach the embed post-transform to the element definition created above.
	$embedValidator = new HTMLPurifier_AttrTransform_EmbedValidator();
	$embed->attr_transform_post[] = $embedValidator;

			
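	// CLI entry point: the HTML to purify comes from the first argument.
	// Exit with a usage message instead of purifying an undefined value
	// (and emitting a notice) when no argument was given.
	if (!isset($_SERVER['argv'][1])) {
		fwrite(STDERR, "usage: <script> '<html>'\n");
		exit(1);
	}
	// The config is passed per purify() call here; constructing with
	// new HTMLPurifier($config) is the equivalent alternative.
	$purifier = new HTMLPurifier();
	$clean_html = $purifier->purify($_SERVER['argv'][1], $config);
	echo $clean_html . "\n";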
?>
Re: Param insertion on object tags...
December 04, 2007 06:04PM

Try this. I've updated it with some security/flexibility updates, and added the functionality you asked for.

I really really really hope you checked the security of all the attributes you're letting pass through. Text is very permissive.

<?php
// Assumes $config was created with HTMLPurifier_Config::createDefault()
// earlier in the script.
// 'AddParam' names the custom injector class (HTMLPurifier_Injector_AddParam,
// declared further down) that %AutoFormat.Custom should run.
$config->set('AutoFormat', 'Custom', array('AddParam'));
// Own id/revision so the cache can tell this definition from the default one.
$config->set('HTML', 'DefinitionID', 'allow flash movies');
$config->set('HTML', 'DefinitionRev', 1);
// Cache disabled while the definition is being edited; remove this later.
$config->set('Core', 'DefinitionCache', null);
// Raw definition: the addElement() calls below modify it in place.
$def =& $config->getHTMLDefinition(true);

// <param> is only meaningful inside <object>; the "false" content-set
// argument removes it from every other context. Text accepts any string,
// so on its own this attribute set is insecure: the ParamValidator
// post-transform attached below is what constrains the name/value pairs.
$paramAttrs = array(
    'name'  => 'Text',
    'value' => 'Text'
);
$param =& $def->addElement('param', false, 'Empty', false, $paramAttrs);

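/**
 * Post-transform for <param>. Forces known Flash parameters to safe values,
 * validates 'movie' as a URI and drops every parameter it does not recognise
 * (name and value both nulled), so an unlisted name cannot carry an
 * arbitrary Text value through.
 */
class HTMLPurifier_AttrTransform_ParamValidator extends HTMLPurifier_AttrTransform
{
    var $name = "ParamValidator";
    // HTMLPurifier_AttrDef_URI used for the 'movie' parameter.
    var $uri;

    function HTMLPurifier_AttrTransform_ParamValidator() {
        $this->uri = new HTMLPurifier_AttrDef_URI();
    }

    /**
     * @param array  $attr    <param> attributes ('name', 'value')
     * @param object $config  HTMLPurifier_Config
     * @param object $context HTMLPurifier_Context
     * @return array the attributes with a forced/validated value, or with
     *               both 'name' and 'value' set to null when the parameter
     *               is dropped
     */
    function transform($attr, $config, &$context) {
        $paramName = isset($attr['name']) ? $attr['name'] : '';
        switch ($paramName) {
            case 'allowscriptaccess':
                $attr['value'] = 'never';
                break;
            case 'wmode':
                $attr['value'] = 'window';
                break;
            case 'enablejsurls':
                $attr['value'] = 'false';
                break;
            case 'movie':
                // The URL is in 'value'; the original validated $attr['movie'],
                // an attribute that never exists on a <param> token.
                // Lazy init keeps this working if the PHP4-style constructor
                // above was not run (newer PHP no longer treats it as one).
                if (!isset($this->uri)) {
                    $this->uri = new HTMLPurifier_AttrDef_URI();
                }
                $rawValue = isset($attr['value']) ? $attr['value'] : '';
                $checked = $this->uri->validate($rawValue, $config, $context);
                if ($checked === false) {
                    // Rejected URI: drop the whole parameter rather than emit
                    // a false-y value.
                    $attr['name'] = $attr['value'] = null;
                } else {
                    $attr['value'] = $checked;
                }
                break;
            // probably more
            default:
                $attr['name'] = $attr['value'] = null;
        }
        return $attr;
    }
}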
// Post-transform: runs after the Text attribute definitions have accepted
// the raw name/value strings.
$paramValidator = new HTMLPurifier_AttrTransform_ParamValidator();
$param->attr_transform_post[] = $paramValidator;

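// <object> restricted to Flash: type is required and pinned to the Flash
// MIME type, width/height must be pixel values. The data attribute holds a
// URL, so it is typed URI (the attribute type the embed 'src' below already
// uses) instead of Text, which would let any string through unvalidated.
$objectAttrs = array(
    'type*'   => 'Enum#application/x-shockwave-flash',
    'width*'  => 'Pixels',
    'height*' => 'Pixels',
    'data'    => 'URI'
);
// Inline element that may contain <param> children and text.
$object =& $def->addElement('object', 'Inline', 'Optional: param | #PCDATA', false, $objectAttrs);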
// NOTE(review): HTMLPurifier_AttrTransform_ObjectValidator is declared a few
// lines below this statement. PHP only hoists a class whose parent is already
// declared when the file is compiled; if HTMLPurifier_AttrTransform comes in
// through the autoloader, this line likely runs before the class exists.
// Registering after the class declaration avoids that — confirm.
$objectValidator = new HTMLPurifier_AttrTransform_ObjectValidator();
$object->attr_transform_post[] = $objectValidator;

/**
 * Post-transform for <object>: supplies the Flash MIME type when the tag
 * arrived without a type attribute; an existing value is left untouched.
 * NOTE(review): 'type*' is declared required on the element; whether a
 * missing type still reaches a post-transform depends on the validator's
 * order of operations — confirm against the HTMLPurifier version in use.
 */
class HTMLPurifier_AttrTransform_ObjectValidator extends HTMLPurifier_AttrTransform
{
    var $name = "ObjectValidator";

    /**
     * @param array  $attr    <object> attributes
     * @param object $config  HTMLPurifier_Config (unused)
     * @param object $context HTMLPurifier_Context (unused)
     * @return array attributes, with 'type' defaulted if it was absent
     */
    function transform($attr, $config, &$context) {
        $hasType = isset($attr['type']);
        if ($hasType) {
            return $attr;
        }
        $attr['type'] = 'application/x-shockwave-flash';
        return $attr;
    }
}


// <embed> restricted to Flash. Attributes typed Text accept any string; the
// EmbedValidator post-transform attached below forces
// allowscriptaccess/enablejsurls/enablehref to their safe values whether or
// not the input supplied them.
$embedAttrs = array(
    'type*'             => 'Enum#application/x-shockwave-flash',
    'width*'            => 'Pixels',
    'height*'           => 'Pixels',
    'src*'              => 'URI',
    'flashvars'         => 'Text',
    'allowscriptaccess' => 'Enum#never',
    'enablejsurls'      => 'Enum#false',
    'enablehref'        => 'Enum#false',
    'bgcolor'           => 'Text',
    // these will all be ignored by the injector
    'wmode'             => 'Text',
    'pluginspage'       => 'URI',
    'saveembedtags'     => 'Text',
    'salign'            => 'Text',
    'scale'             => 'Text',
    'name'              => 'Text'
);
$embed =& $def->addElement('embed', 'Block', 'Empty', false, $embedAttrs);

/**
 * Post-transform for <embed>: unconditionally pins the three attributes that
 * control script access, so a supplied value cannot loosen them.
 */
class HTMLPurifier_AttrTransform_EmbedValidator extends HTMLPurifier_AttrTransform
{
    var $name = "EmbedValidator";

    /**
     * @param array  $attr    <embed> attributes
     * @param object $config  HTMLPurifier_Config (unused)
     * @param object $context HTMLPurifier_Context (unused)
     * @return array attributes with the pinned values applied
     */
    function transform($attr, $config, &$context) {
        $pinned = array(
            'allowscriptaccess' => 'never',
            'enablejsurls'      => 'false',
            'enablehref'        => 'false'
        );
        // String keys: array_merge overwrites existing entries in place and
        // appends the missing ones, same as assigning them one by one.
        return array_merge($attr, $pinned);
    }
}
// Attach the embed post-transform to the element definition created above.
$embedValidator = new HTMLPurifier_AttrTransform_EmbedValidator();
$embed->attr_transform_post[] = $embedValidator;

/**
 * Injector selected by %AutoFormat.Custom ('AddParam'): every <object> start
 * tag gets a <param name="enablejsurls" value="false"> inserted right after
 * it. The ParamValidator post-transform forces that value to 'false' too, so
 * a user-supplied enablejsurls param does not override the injected one.
 * NOTE(review): <param> is declared Empty in the definition; whether a
 * Token_Start (rather than an empty-element token) is the right token type
 * here should be confirmed against the HTMLPurifier version in use.
 */
class HTMLPurifier_Injector_AddParam extends HTMLPurifier_Injector
{
    var $name = 'AddParam';
    // Elements the injector needs the definition to allow; presumably the
    // injector is skipped when either is missing — verify.
    var $needed  = array('object', 'param');

    /**
     * @param object $token the current element token, replaced by reference
     *                      with an array of tokens when it is an <object>
     */
    function handleElement(&$token) {
        if ($token->name != 'object') {
            return;
        }
        $injected = new HTMLPurifier_Token_Start(
            'param',
            array('name' => 'enablejsurls', 'value' => 'false')
        );
        // The original relies on an array here being emitted as a token list.
        $token = array($token, $injected);
    }
}
Re: Param insertion on object tags...
December 04, 2007 11:18PM

That works great. Thank you so much.

Re: Param insertion on object tags...
March 19, 2008 02:51AM

Very good, thank you very much.

Jeremy
Re: Param insertion on object tags...
May 05, 2008 12:15PM

I am new to html purifier and i have to say i am deeply impressed. I have been playing with the system for a day now and i just really do not understand how i am supposed to implement this into the purifier.

This is a true noob question here... if i wanted to add this object class into the current purifier tree how would i do that? what file(s) would i need to edit? i am just trying to understand the best ways to manipulate the system and i am trying to learn how to customize it for my needs.

thanks! Jeremy

Re: Param insertion on object tags...
May 05, 2008 12:22PM

Hi Jeremy -

I had a similar kind of question when i started! You would make an entirely new php file with the class in it, starting with something like:

#!/usr/bin/php -q
<?php
	require_once 'lib/htmlpurifier-2.1.3/library/HTMLPurifier.auto.php';
	require_once 'lib/htmlpurifier-2.1.3/library/HTMLPurifier/AttrTransform.php';

	$config = HTMLPurifier_Config::createDefault();
	// 'AddParam' selects the custom injector class (HTMLPurifier_Injector_AddParam).
	$config->set('AutoFormat', 'Custom', array('AddParam'));
	// Own id/revision so this definition is cached apart from the default one.
	$config->set('HTML', 'DefinitionID', 'allow flash movies');
	$config->set('HTML', 'DefinitionRev', 1);
	// Cache disabled while the definition is still being edited; remove this later.
	$config->set('Core', 'DefinitionCache', null);
	// Raw definition, editable with addElement() before the purifier is built.
	$def =& $config->getHTMLDefinition(true);

Then the class definition goes after that...and then ending with something like:

			
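	// CLI entry point: purify the HTML given as the first argument. Refuse to
	// run without one instead of purifying an undefined value.
	if (!isset($_SERVER['argv'][1])) {
		fwrite(STDERR, "usage: <script> '<html>'\n");
		exit(1);
	}
	// The config is passed per purify() call; new HTMLPurifier($config) is
	// the equivalent alternative.
	$purifier = new HTMLPurifier();
	$clean_html = $purifier->purify($_SERVER['argv'][1], $config);
	echo $clean_html . "\n";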
?>
Re: Param insertion on object tags...
May 05, 2008 03:03PM

Emmet, thank you for your informative explanation!

Jeremy, some of the code here may be a little out of date. I'm going to run this by the latest version 3.1.0rc1 and see if anything breaks. Thanks!

Jeremy
Re: Param insertion on object tags...
May 05, 2008 03:43PM

thanks for both of your replies. I am still having some trouble with this so i will wait to see if there was a version conflict from the Admin. I am still confused when i should be using $purifier = new HTMLPurifier($config); or $params['data'] = $purifier->purify( $params['data'], $config ); from what i can tell i only use one. i have been using $purifier = new HTMLPurifier($config); but my objects still are getting removed from posts and i haven't figured out how to use span tags in posts yet... ie: just gets cleaned out

Re: Param insertion on object tags...
May 05, 2008 03:57PM

Hi Jeremy, can we see some code?

Re: Param insertion on object tags...
May 05, 2008 04:09PM

i am trying to integrate this into a deeply developed system. i am trying to edit this one class. this is for display purposes only. i am using this event to render the posts on page load <pre><![CDATA[ function RenderItemAsHtml( & $params ) { global $inc_path;

IncludeOnce::File($inc_path.'/../p/textcleaner/htmlpurifier/library/HTMLPurifier.auto.php'); $allowed_htmltags = ''; $allowed_htmltags .= 'p'; $allowed_htmltags .= ',a[href|target|title|name]'; $allowed_htmltags .= ',img[src|alt|class]'; $config = HTMLPurifier_Config::createDefault(); $config->set('HTML', 'DefinitionID', 'allow attribute target'); $config->set('HTML', 'DefinitionRev', 1); $config->set('Core', 'DefinitionCache', null); // remove this later! $config->set('Core', 'Encoding', 'UTF-8'); $config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional'); $config->set('HTML', 'Allowed', $allowed_htmltags); $def =& $config->getHTMLDefinition(true); $def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top'); $purifier = new HTMLPurifier($config); $params['data'] = $purifier->purify( $params['data'] ); } ]]></pre> at first i had a problem with the links not opening in a new window but i found the answer to that. The problems i am having are listed as: - objects will not work. (this is important because i deal with realtors and they love posting videos of houses.... ) - the other issue is i use the tinymce editor, so some sites like to have a little slogan in their posts and they add a style to it, it normally looks something like this <pre><![CDATA[ <span style="color: #ff9e3d;"><strong>My slogan!!</strong></span> ]]></pre>

i have realized that almost all the style is removed; there are no bold or italics at all.. most likely my stupidity, i just need a crash course i guess. i cleaned out the code that i was using for the object and embed obviously

thanks for you responses btw.

Re: Param insertion on object tags...
May 05, 2008 04:12PM

What is the value of $params['data'] before it gets purified?

Re: Param insertion on object tags...
May 05, 2008 04:18PM

for the object test i am using <pre><![CDATA[ code removed ]]></pre>

Re: Param insertion on object tags...
May 05, 2008 04:22PM

for the image and formatting <pre><![CDATA[ code removed ]]></pre>

Re: Param insertion on object tags...
May 05, 2008 07:57PM

I mean, at runtime, what's the value of $params['data']? It would also be helpful if you condensed your use-cases.

Re: Param insertion on object tags...
May 06, 2008 11:17AM

sorry about that. This is the value of $params['data'] as soon as i step into the event, before purify. I have everything resolved now except the objects will not display <pre><![CDATA[ code removed ]]></pre>

Re: Param insertion on object tags...
May 07, 2008 01:34PM

thanks for your help. I got this resolved now.

Re: Param insertion on object tags...
May 31, 2008 10:00AM

I added the code to allow object and embed but I am getting several fatal errors with the latest version of htmlpurifier. After a few fixes I got rid of the errors, but embed code is being removed :( Anyone got this working with the latest version?

Matt
Re: Param insertion on object tags...
July 22, 2008 02:14AM

If we are using the standalone version, to use this class do we:

1. make a new php file 2. Put the beginning part:


#!/usr/bin/php -q
<?php
	require_once 'HTMLPurifier.standalone.php';

	$config = HTMLPurifier_Config::createDefault();
	// 'AddParam' selects the custom injector class (HTMLPurifier_Injector_AddParam),
	// which therefore has to be declared in this file before purify() runs.
	$config->set('AutoFormat', 'Custom', array('AddParam'));
	// Own id/revision so this definition is cached apart from the default one.
	$config->set('HTML', 'DefinitionID', 'allow flash movies');
	$config->set('HTML', 'DefinitionRev', 1);
	// Cache disabled while the definition is still being edited; remove this later.
	$config->set('Core', 'DefinitionCache', null);
	// Raw definition, editable with addElement() before the purifier is built.
	$def =& $config->getHTMLDefinition(true);

3. Put the class:


$param =& $def->addElement(
.
.
.
.
                new HTMLPurifier_Token_Start(&#039;param&#039;, array(&#039;name&#039; => &#039;enablejsurls&#039;, &#039;value&#039; => &#039;false&#039;))
            );
        }
    }
}

4. Put the end:

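// CLI entry point: purify the HTML given as the first argument. Refuse to
// run without one instead of purifying an undefined value.
if (!isset($_SERVER['argv'][1])) {
	fwrite(STDERR, "usage: <script> '<html>'\n");
	exit(1);
}
// The config is passed per purify() call; new HTMLPurifier($config) is
// the equivalent alternative.
$purifier = new HTMLPurifier();
$clean_html = $purifier->purify($_SERVER['argv'][1], $config);
echo $clean_html . "\n";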
?>

5. Put it in the same directory as HTMLPurifier.standalone.php

Is that all, or do you need add some code when you are setting up the purifier to let it know to use the new class?


// Assumes $input holds the untrusted HTML to clean.
$config = HTMLPurifier_Config::createDefault();

// Input and output character set.
$config->set('Core', 'Encoding', 'ISO-8859-1');
// Relative URLs are resolved against this base and rewritten as absolute.
$config->set('URI', 'Base', 'http://mysite.com/');
// NOTE(review): with external resources disabled, embed/object URIs that
// point at another host are presumably removed as well — if Flash hosted
// elsewhere is expected to survive, this setting is a likely reason the
// embed code disappears. Confirm against the HTMLPurifier version in use.
$config->set('URI', 'DisableExternalResources', true);
$config->set('URI', 'MakeAbsolute', true);

// Config bound at construction time, so purify() needs no second argument.
$purifier = new HTMLPurifier($config);
$the_code = $purifier->purify($input);

Thank you very much,

Matt
