Welcome! » Log In » Create A New Profile

%HTML.ForbiddenAttributes bug

Posted by akinas 
akinas
%HTML.ForbiddenAttributes bug
May 09, 2008 08:29AM

I think there is a bug in %HTML.ForbiddenAttributes

I have HTMLPurifier installed as PEAR module and using this:

require_once('HTMLPurifier.auto.php');
    
// define common config parameters
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML', 'ForbiddenAttributes', array('*.style'));
$config->set('Cache', 'SerializerPath', $path);

HTMLPurifier will not strip "style" attributes at all.

But changing "*.style" to "a.style" will strip "style" attribute from "a" tags.

print_r($config) displays this:

[HTML] => Array
                (
...
                    [ForbiddenAttributes] => Array
                        (
                            [*.style] => 1
                        )
...
Re: %HTML.ForbiddenAttributes bug
May 12, 2008 09:31PM

Hello, it appears ForbiddenAttributes is buggy in 3.1.0rc1. The 3.1.0 release will fix things up. Also, note you are using the wrong format for forbidden attributes (this is not in the docs, so it's not your fault!). The correct way of doing it would be passing 'style', or '*@style'. This is different from %HTML.AllowedAttributes, so beware!

Sorry, you do not have permission to post/reply in this forum.