
is my config safe? thank you

Posted by boynet 
boynet
is my config safe? thank you
October 08, 2012 10:08AM
// HTML Purifier policy for CKEditor output: start from the library defaults,
// then widen it (embeds, inline styles) and narrow it (tag/attribute allowlist).
$config = HTMLPurifier_Config::createDefault();
// Allow <object>/<param> embeds under HTML Purifier's SafeObject rules.
// NOTE(review): the youtube2 filter registered below handles <iframe> embeds
// on its own, so confirm this is still needed for the editor's output.
$config->set('HTML.SafeObject', true);
// Emit Flash-compatibility markup for those objects; only meaningful together
// with HTML.SafeObject above.
$config->set('Output.FlashCompat', true);
// Keep remote resources (e.g. <img src> pointing at another host) allowed;
// set to true, HTML Purifier would reject them. false appears to be the
// library default, so this line just makes the decision explicit — confirm.
$config->set('URI.DisableExternalResources', false);
// Registers the iframe allow-list filter defined further down this page.
$config->set('Filter.Custom', array(new HTMLPurifier_Filter_youtube2()));
// Tag/attribute allowlist. The img[class|src|height|width] entry is what the
// youtube2 filter's <img class="youtube2"> placeholder passes through, so
// changing it also affects video embedding.
$config->set('HTML.Allowed', 'p,a[href|rel|target],img[class|src|height|width],div[style],span[style],strong,br,h1,h2,h3,h4,h5,blockquote,small,i,u');
// Inline CSS properties accepted on div/span style="". 'font-size' is listed
// twice (harmless). 'background' is a shorthand that can carry a url(), so
// remote images may also arrive through styles — confirm that is intended.
$config->set('CSS.AllowedProperties', array('float', 'color','background-color', 'background', 'font-size', 'font-family', 'text-decoration', 'font-weight', 'font-style', 'font-size','text-align'));
$purifier = new HTMLPurifier($config);

I am using it with CKEditor and I need users to be able to style their articles and add embedded YouTube videos. This is the filter (found on Stack Overflow):

<?/**
 * Based on: http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/
 * Iframe filter that does some primitive whitelisting in a somewhat recognizable and tweakable way
 */
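class HTMLPurifier_Filter_youtube2 extends HTMLPurifier_Filter
{
    // How this works: preFilter() rewrites every <iframe> into an
    // <img class="youtube2"> placeholder so that the purifier's own img
    // attribute rules apply to it; postFilter() then turns surviving
    // placeholders back into <iframe> only when their src points at an
    // allow-listed video host, and drops them otherwise.
    public $name = 'youtube2';

    /**
     * Runs before purification: turns <iframe ...> into an <img class="youtube2" ...>
     * placeholder. The placeholder relies on `class` and `src` being allowed
     * on img in the purifier configuration.
     *
     * @param string $html
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string
     */
    public function preFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
    {
        // \b limits the rewrite to the iframe tag name itself, so a tag that
        // merely starts with "iframe" is left for the purifier to handle.
        $html = preg_replace('#<iframe\b#i', '<img class="youtube2"', $html);
        // <img> is a void element; the purifier is expected to discard this
        // stray closing tag.
        $html = preg_replace('#</iframe>#i', '</img>', $html);
        return $html;
    }

    /**
     * Runs after purification: hands every <img class="youtube2" ...> placeholder
     * to postFilterCallback(), which restores or removes it. A literal
     * <img class="youtube2"> written by the author looks identical and gets
     * the same host check.
     *
     * @param string $html
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string
     */
    public function postFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
    {
        // Group 1 captures everything between the fixed class attribute and
        // the closing '>', i.e. the attributes the purifier let through.
        $post_regex = '#<img class="youtube2"([^>]+?)>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    /**
     * Rebuilds one placeholder as an <iframe> when its src is on YouTube or
     * Vimeo, and returns an empty string (removing the embed) otherwise.
     *
     * @param array $matches preg match array; $matches[1] is the attribute string
     * @return string
     */
    protected function postFilterCallback($matches)
    {
        $attrs = $matches[1];
        // Domain allowlist. Each pattern is pinned to the src attribute (the
        // lookbehind rejects names such as data-src) and requires the scheme,
        // host and a trailing '/' right after src=", so the host cannot be
        // followed by userinfo or another domain. Every dot is escaped: a
        // bare '.' is a regex wildcard and would also accept look-alike
        // hostnames such as www-youtube-com (constructed example).
        $youTubeMatch = preg_match('#(?<![\w-])src="https?://www\.youtube(-nocookie)?\.com/#i', $attrs);
        // Vimeo's player is served over https as well, so both schemes are accepted.
        $vimeoMatch = preg_match('#(?<![\w-])src="https?://player\.vimeo\.com/#i', $attrs);
        if (!$youTubeMatch && !$vimeoMatch) {
            // Unknown host: remove the embed rather than pass it through.
            return '';
        }
        $extra = ' frameborder="0"';
        if ($youTubeMatch) {
            $extra .= ' allowfullscreen';
        } else {
            $extra .= ' webkitAllowFullScreen mozallowfullscreen allowFullScreen';
        }
        // The attributes already validated by the purifier are copied onto
        // the iframe verbatim.
        return '<iframe ' . $attrs . $extra . '></iframe>';
    }
}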
?>
Re: is my config safe? thank you
October 08, 2012 05:03PM

Looks OK, at a cursory glance. The vanilla config is safe and the filter looks sensible.

boynet
Re: is my config safe? thank you
October 09, 2012 09:29AM

thanks :)
