
style attribute completely removed??

Posted by KishoreKumar
style attribute completely removed??
December 24, 2007 12:39AM

Hi,

I am using an RTE editor (free rich text editor) and I am passing the HTML generated by it through HTMLPurifier.

But the output of HTMLPurifier is everything except the style attributes in my HTML. Why so? Then the purpose of using an RTE editor is defeated. Can someone tell me: will there be any XSS using the style attribute also? Why is it removed by HTMLPurifier? I want to allow that attribute; what should I do?

Example: RTE-generated HTML:

<h1 style="font-family: tahoma; color: rgb(255, 0, 0); font-weight: bold; font-style: italic; text-decoration: underline line-through; text-align: center;"><font size="7">adf</font></h1>

The output of HTMLPurifier is:

<h1><font size="7">adf</font></h1>

Re: style attribute completely removed??
December 24, 2007 08:46PM

As you can see here, HTML Purifier by default preserves style attributes. Two things:

  1. Make sure magic quotes is off
  2. Make sure you've allowed the style attribute if you've restricted allowed tags/attributes
KishoreKumar
Re: style attribute completely removed??
December 26, 2007 12:22AM

HTMLPurifier_ConfigSchema::define(
    'HTML', 'AllowedAttributes', null, 'lookup/null', '
<p>
    If HTML Purifier\'s attribute set is unsatisfactory, overload it! 
    The syntax is "tag.attr" or "*.attr" for the global attributes 
    (style, id, class, dir, lang, xml:lang).
</p>
<p>
    <strong>Warning:</strong> If another directive conflicts with the 
    elements here, <em>that</em> directive will win and override. For 
    example, %HTML.EnableAttrID will take precedence over *.id in this 
    directive.  You must set that directive to true before you can use 
    IDs at all. This directive has been available since 1.3.0.
</p>
');
kishorekumar
Re: style attribute completely removed??
December 26, 2007 12:25AM

This is my allowed attributes. I urgently need to fix this up; I can't read the entire documentation. What I did is: I simply downloaded and extracted the zip file, and I am using

<?php
    require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
    
    $purifier = new HTMLPurifier();
    $clean_html = $purifier->purify($dirty_html);
?>

this part of code to parse the HTML. Then why is the style attribute not working for me? Kindly suggest, asap.
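An added example (not code from the thread, and not HTML Purifier's own) that puts together the two points of the earlier reply and the quoted HTML.AllowedAttributes description: undo magic-quotes escaping if it is on, and include "*.style" in the attribute whitelist whenever one is set. It assumes a current HTML Purifier install where HTMLPurifier_Config::set() takes a dotted 'Namespace.Key' name (older 2.x/3.x releases took the namespace and key as separate arguments); the /path/to/... path, the element list and the CSS property list are placeholders.

```php
<?php
// Added example, not code from the thread or from the HTML Purifier project.
// Assumes HTMLPurifier_Config::set('Namespace.Key', value) (HTML Purifier 4.x API).
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php'; // placeholder path

// Constructed sample, modelled on the RTE output posted in the thread.
$dirty_html = '<h1 style="font-family: tahoma; color: rgb(255, 0, 0); '
            . 'font-weight: bold; text-align: center;">adf</h1>';

// Point 1 of the reply: with magic_quotes_gpc on, PHP backslash-escapes the quotes
// in style="..." before the purifier ever sees the markup, so the attribute is
// malformed and dropped. Undo that escaping (the guard keeps this safe on PHP 8,
// where get_magic_quotes_gpc() no longer exists).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $dirty_html = stripslashes($dirty_html);
}

$config = HTMLPurifier_Config::createDefault();

// Point 2 of the reply: once HTML.AllowedAttributes is set, it is a whitelist and
// every attribute not listed is stripped, style included. "*.style" is the global
// form described in the directive's own documentation quoted in the thread.
$config->set('HTML.AllowedAttributes', '*.style,a.href,img.src,img.alt');

// Allowing style= does not mean allowing arbitrary CSS: HTML Purifier still runs
// every declaration through its CSS whitelist, and this directive narrows it further.
// Placeholder property list; tighten it to what the RTE actually emits.
$config->set('CSS.AllowedProperties', 'font-family,color,font-weight,font-style,text-align');

$purifier = new HTMLPurifier($config);

// The h1 keeps its style attribute; unknown or disallowed declarations are removed,
// not the whole attribute.
echo $purifier->purify($dirty_html), "\n";
```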

Re: style attribute completely removed??
December 26, 2007 10:24AM