
Problem with HTML.Allowed ? Or misconfigure?

Posted by jmut 
Problem with HTML.Allowed ? Or misconfigure?
February 22, 2009 08:26AM

I have the following code, but somehow my allowhtml rules don't seem to work. I want to allow p align, a href, span lang, and all those font face, color, but htmlpurifier somehow ignores my config. Any pointers? The goal is for the output to preserve those attributes that are already there.


$config = HTMLPurifier_Config::createDefault();
$config->set('Core', 'Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional'); // replace with your doctype
$config->set('Cache', 'SerializerPath', '/tmp/htmlfilter/');

$allowedHtml = '
    a[rel|rev|charset|hreflang|tabindex|accesskey|type|name|href|target|title|class]
    strong,b,em,i,strike,u,
    p[align],ol[type|compact],ul,li,br,img[src|width|height|alt|title],
    sub,sup,
    blockquote,table[border|cellspacing|cellpadding|width|height|align|summary|bgcolor|background|bordercolor],
    tr[rowspan|width|height|align|valign|bgcolor|background|bordercolor],tbody,thead,tfoot,
    td[colspan|rowspan|width|height|align|valign|bgcolor|background|bordercolor|scope]
    th[colspan|rowspan|width|height|align|valign|scope],
    caption,div, span, code, pre,address, h1, h2, h3, h4, h5, h6, hr[size|noshade],
    font[face|size|color],dd,dl,dt,cite,abbr,acronym,del[datetime|cite],ins[datetime|cite],
    button,col[align|char|charoff|span|valign|width],colgroup[align|char|charoff|span|valign|width],
    dfn,fieldset, kbd,label[for],legend,optgroup[label|disabled],option[disabled|label|selected|value],
    q[cite],small,
    textarea[cols|rows|disabled|name|readonly],tt,var,big';

$config->set('HTML', 'Allowed', $allowedHtml);
$config->set('HTML', 'AllowedAttributes', '*.style,*.id,*.title,*.class');
$config->set('Attr', 'EnableID', true);
$Filter = new HTMLPurifier($config);

$html = '<p align="justify">sdjflds</p>

<a href="/wiki/Old_Delhi" title="Old Delhi"></a>

<span lang="en-GB">skldjfd</span>

<font face="Arial, sans-serif"><font color="#ff00ff"><font color="#330033">something.d..d.kfsdkfd</font></font></font>';

echo $Filter->purify($html);
Re: Problem with HTML.Allowed ? Or misconfigure?
February 22, 2009 02:06PM

It's because you are using HTML.Allowed along with HTML.AllowedAttributes.

When using HTML.AllowedAttributes, you need to also be using HTML.AllowedElements,

which means instead of using HTML.Allowed you should be using HTML.AllowedElements & HTML.AllowedAttributes.

For example (a sample from my own config that we use, so you can see how it's done):

// Allowed Elements in HTML
$HTML_Allowed_Elms = 'a, abbr, acronym, b, blockquote, br, caption, cite, code, dd, del, dfn, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, i, img, ins, kbd, li, ol, p, pre, s, span, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, var';

// Allowed Element Attributes in HTML, element must also be allowed in Allowed Elements for these attributes to work.
$HTML_Allowed_Attr = 'a.href, a.rev, a.title, a.target, a.rel, abbr.title, acronym.title, blockquote.cite, div.align, div.style, div.class, div.id, font.size, font.color, h1.style, h2.style, h3.style, h4.style, h5.style, h6.style, img.src, img.alt, img.title, img.class, img.align, img.style, img.height, img.width, ol.style, p.style, span.style, span.class, span.id, table.class, table.id, table.border, table.cellpadding, table.cellspacing, table.style, table.width, td.abbr, td.align, td.class, td.id, td.colspan, td.rowspan, td.style, td.valign, tr.align, tr.class, tr.id, tr.style, tr.valign, th.abbr, th.align, th.class, th.id, th.colspan, th.rowspan, th.style, th.valign, ul.style';

$config = HTMLPurifier_Config::createDefault();

$config->set('Core', 'Encoding', 'UTF-8'); // replace with your encoding
$config->set('HTML', 'Doctype', 'XHTML 1.0 Transitional'); // replace with your doctype
$config->set('Cache', 'SerializerPath', '/tmp/htmlfilter/');
$config->set('HTML', 'AllowedElements', $HTML_Allowed_Elms); // sets allowed html elements that can be used.
$config->set('HTML', 'AllowedAttributes', $HTML_Allowed_Attr); // sets allowed html attributes that can be used.

$Filter = new HTMLPurifier($config);

$html = '<p align="justify">sdjflds</p>

<a href="/wiki/Old_Delhi" title="Old Delhi"></a>

<span lang="en-GB">skldjfd</span>

<font face="Arial, sans-serif"><font color="#ff00ff"><font color="#330033">something.d..d.kfsdkfd</font></font></font>';

echo $Filter->purify($html);
Re: Problem with HTML.Allowed ? Or misconfigure?
February 22, 2009 02:17PM

Also forgot to mention, because I notice you want rev & rel in your a tags, as well as target:

you also need to set Attr.AllowedRel & Attr.AllowedRev

$config->set('Attr', 'AllowedFrameTargets', '_blank, _parent, _self, _top');
$config->set('Attr', 'AllowedRel', 'external, nofollow, external nofollow, lightbox');
$config->set('Attr', 'AllowedRev', '');

Note, I haven't set any allowed Rev values in my config because we don't allow its use in our system yet. I included it here because you have assigned it.

Re: Problem with HTML.Allowed ? Or misconfigure?
February 22, 2009 02:48PM

I should note that *[style|id|title|class] is totally valid syntax for %HTML.Allowed. Which means you can just remove %HTML.AllowedAttributes and it will just work.
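
The single-directive form described in the reply above, as an added example that is not from the thread or from the HTML Purifier project: everything goes into HTML.Allowed and the script reports which attributes actually survive purification. It assumes HTML Purifier 4.x (dotted directive names) with `HTMLPurifier.auto.php` on the include path; `attributePairs()`, the trimmed allowlist and the sample input are constructed for illustration.

```php
<?php
// Added example. Assumes HTML Purifier 4.x is installed and on the include path.
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
$config->set('Cache.DefinitionImpl', null); // skip the on-disk definition cache for this check
// Elements, per-element attributes and global (*) attributes in one directive;
// HTML.AllowedElements and HTML.AllowedAttributes are deliberately left unset.
$config->set('HTML.Allowed',
    'p[align],a[href|title|rel|target],span[lang],font[face|size|color],'
    . 'strong,em,ul,ol,li,br,*[style|id|title|class]');
$config->set('Attr.EnableID', true);
$config->set('Attr.AllowedFrameTargets', '_blank,_self');
$config->set('Attr.AllowedRel', 'external,nofollow');
$purifier = new HTMLPurifier($config);

// Constructed input: the question's markup plus two attributes that are not on the allowlist.
$dirty = '<p align="justify" onclick="x()">text</p>'
    . '<a href="/wiki/Old_Delhi" title="Old Delhi" accesskey="d">link</a>'
    . '<span lang="en-GB" class="note">text</span>'
    . '<font face="Arial, sans-serif" color="#330033">text</font>';

/** Return the sorted, de-duplicated "element.attribute" pairs found in an HTML fragment. */
function attributePairs($html)
{
    $doc = new DOMDocument();
    // The XML prolog makes libxml read the fragment as UTF-8; @ hides parser notices.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    $pairs = array();
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            $pairs[$el->nodeName . '.' . $attr->nodeName] = true;
        }
    }
    $names = array_keys($pairs);
    sort($names);
    return $names;
}

$clean = $purifier->purify($dirty);
echo $clean, "\n\n";
echo 'kept:    ', implode(', ', attributePairs($clean)), "\n";
echo 'dropped: ', implode(', ', array_diff(attributePairs($dirty), attributePairs($clean))), "\n";
```

Re-running a check like this after each change to the allowlist shows straight away when a directive is being ignored, which is the symptom the original post describes.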

Re: Problem with HTML.Allowed ? Or misconfigure?
February 22, 2009 05:21PM

Thanks a lot for thorough explanation. Cheers
