# Allow iframes

Posted by ZeK
 ZeK Allow iframes June 04, 2010 06:15PM

Hi, I'm trying to allow iframes to display Google Maps iframes. But I'm drowning in the documentation and Google can't help me either.

Can someone help me? Thanks.

 Re: Allow iframes June 04, 2010 06:20PM Admin Registered: 7 years ago Posts: 2,845

Iframes are not currently supported by HTML Purifier.

 ZeK Re: Allow iframes June 04, 2010 06:40PM

Ok. I'm trying to create a new filter, using the YouTube filter as a base. But I don't know how to tell HTMLPurifier to use my new filter. I created "GoogleMaps.php" in the Filter folder and added:

```php
$purifierConfig->set('Filter.GoogleMaps', true);
```

But i get this warning :

``` Warning: Cannot set undefined directive Filter.GoogleMaps to value on line 7 in file D:\Apache\insalan6\lib\purifier.inc.php in D:\Apache\insalan6\lib\purifier\HTMLPurifier\Config.php on line 564 ```

 Re: Allow iframes June 04, 2010 06:53PM Admin Registered: 7 years ago Posts: 2,845
 ZeK Re: Allow iframes June 04, 2010 07:11PM

Thanks for all the help. It's probably not bulletproof, but if someone has the same problem, here is my quick filter :

```php
class HTMLPurifier_Filter_GoogleMaps extends HTMLPurifier_Filter
{
    public $name = 'GoogleMaps';

    public function preFilter($html, $config, $context) {
        $pre_regex = '#]+src="(http://maps\.google\.fr/maps/[^">]+)">#s';
        $pre_replace = 'Google Maps';
        return preg_replace($pre_regex, $pre_replace, $html);
    }

    public function postFilter($html, $config, $context) {
        $post_regex = '#]+)">Google Maps#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    protected function postFilterCallback($matches) {
        return '';
    }
}
```

 ZeK Re: Allow iframes June 04, 2010 07:11PM

Wrong tag :

```php
class HTMLPurifier_Filter_GoogleMaps extends HTMLPurifier_Filter
{

    public function preFilter($html, $config, $context) {
        return preg_replace($pre_regex, $pre_replace, $html);
    }

    public function postFilter($html, $config, $context) {
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    protected function postFilterCallback($matches) {
        return '';
    }
}
```

 ZeK Re: Allow iframes June 04, 2010 07:13PM

```php
class HTMLPurifier_Filter_GoogleMaps extends HTMLPurifier_Filter
{

    public function preFilter($html, $config, $context) {
        return preg_replace($pre_regex, $pre_replace, $html);
    }

    public function postFilter($html, $config, $context) {
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    protected function postFilterCallback($matches) {
        return '<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="'.$matches[1].'"></iframe>';
    }
}
```

 Jab Re: Allow iframes October 28, 2010 09:17PM

People that understand the hazard and want to allow the iframe and all the inside parameters (width, height, style...) can try to use this very simple custom filter; it works for me in combination with TinyMCE:

First create the file MyIframe.php:

```php
class HTMLPurifier_Filter_MyIframe extends HTMLPurifier_Filter
{

    public $name = 'MyIframe';

    public function preFilter($html, $config, $context) {
        return preg_replace("/iframe/", "img", $html);
    }

    public function postFilter($html, $config, $context) {
        $post_regex = '#<img ([^>]+)>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    protected function postFilterCallback($matches) {
        return '<iframe '.$matches[1].'></iframe>';
    }
}
```

and put it in the filter directory; after this, add the config line to your settings:

```php
$config->set('Filter.Custom',  array( new HTMLPurifier_Filter_MyIframe() ));
```

That's all; it allows any kind of iframe (Google Maps, Vimeo, YouTube etc...). Of course it could be dangerous, bla, bla, bla... :P

I hope that can help someone. Cheers

 Jab Re: Allow iframes October 31, 2010 01:51PM

Oops, a little fix to prevent the normal img tag substitutions:

```php
class HTMLPurifier_Filter_MyIframe extends HTMLPurifier_Filter
{

    public $name = 'MyIframe';

    public function preFilter($html, $config, $context) {
        return preg_replace("/iframe/", "img class=\"MyIframe\" ", $html);
    }

    public function postFilter($html, $config, $context) {
        $post_regex = '#<img class="MyIframe" ([^>]+)>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    protected function postFilterCallback($matches) {
        return '<iframe '.$matches[1].'></iframe>';
    }
}
```

 Re: Allow iframes November 10, 2010 06:52AM Registered: 3 years ago Posts: 1

This is great except there's a bug in here too. If you are passing in an iframe tag with a closing iframe tag, you will wind up replacing the closing iframe tag with

`</img class="MyIframe" >`

On postFilter, it gets messed up. To fix this problem, just replace `$html` in the preFilter with:

`preg_replace("/<\/iframe>/", "", $html)`

Thank you Jab SO MUCH for your solution. It saved me hours of trying to figure out what to do to get this to work!!!

 El B Re: Allow iframes July 05, 2011 10:09AM

Hi

I wonder if anyone could bring this together and be a little more explicit about which files we are editing and provide a version of the code that includes shmuel613's amendment. My specific confusion is which instance (or both?) of `$html` do I replace with

`preg_replace("/<\/iframe>/", "", $html)`

in the preFilter?

Cheers

El B

 Adrien Re: Allow iframes July 26, 2011 09:59AM

If you need HTML Purifier to remove all tags but the iframe, you can't use image or anchor as placeholders like in the code above.

Here is my solution to get iframes when no other tags are allowed:

```php
class HTMLPurifier_Filter_CustomIframesSupport extends HTMLPurifier_Filter
{

    public $name = 'CustomIframesSupport';

    public function preFilter($html, $config, $context) {
        $html = preg_replace('#<iframe([^>]+)>#i', '[[[custom-iframes-support $1]]]', $html);
        $html = preg_replace('#<\/iframe>#i', '', $html);
        return $html;
    }

    public function postFilter($html, $config, $context) {
        $post_regex = '#\[\[\[custom-iframes-support ([^<]+?)\]\]\]#';
        $html = preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
        return $html;
    }

    protected function postFilterCallback($matches) {
        return '<iframe'.$matches[1].'></iframe>';
    }
}
```

 Re: Allow iframes August 04, 2011 04:58AM Registered: 4 years ago Posts: 66

You guys should be careful you're not bypassing HTML Purifier's attribute whitelisting with your solutions. Iframe event handler attributes exist, after all.

Also, heads-up, take extra special care allowing other tags to be injected after HTML Purifier has run. I don't currently have a payload (no time, and I'm not a pentester) but consider the implications of constellations like `<iframe dummy="]]]<script>alert('xss');</script>" />`. Note: That isn't a working payload on the last offered iframe support; HTML Purifier will strip it between the pre- and post-filters - but I wanted to put this here to illustrate the general principle.
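
The attribute-whitelisting concern in the last reply, as an added example that is not code from the thread or from HTML Purifier: a pass-through rebuild of the iframe next to one that keeps only a validated `src` and numeric dimensions. The function names, the host allowlist, the https-only rule, the 1200-pixel cap and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Host list, function names and
// sample input are constructed for illustration.
const IFRAME_HOSTS = ['maps.google.com', 'maps.google.fr', 'www.youtube.com'];

// Pattern from the thread: the captured attribute text is echoed back verbatim,
// so every attribute typed after "<iframe" bypasses the purifier's whitelist.
function rebuild_passthrough(string $attrs): string
{
    return '<iframe ' . $attrs . '></iframe>';
}

// Hardened form: read src/width/height only, validate them, emit a fixed tag.
// Returns '' (iframe dropped) when the source is not on the allowlist.
function rebuild_allowlisted(string $attrs): string
{
    libxml_use_internal_errors(true);   // malformed input must not raise warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<iframe ' . $attrs . '></iframe>');
    $node = $doc->getElementsByTagName('iframe')->item(0);
    $src  = $node ? $node->getAttribute('src') : '';

    // Reject backslashes, whitespace and control bytes: URL parsers disagree on them.
    if ($src === '' || preg_match('/[\\\\\x00-\x20]/', $src)) {
        return '';
    }
    $url = parse_url($src);
    if (!is_array($url) || ($url['scheme'] ?? '') !== 'https'
        || isset($url['user']) || isset($url['pass'])
        || !in_array(strtolower($url['host'] ?? ''), IFRAME_HOSTS, true)) {
        return '';
    }
    // Dimensions: digits only and capped (assumed limit), else the thread's defaults.
    $w = $node->getAttribute('width');
    $h = $node->getAttribute('height');
    return sprintf(
        '<iframe width="%d" height="%d" frameborder="0" src="%s"></iframe>',
        ctype_digit($w) ? min((int) $w, 1200) : 425,
        ctype_digit($h) ? min((int) $h, 1200) : 350,
        htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample: an allowed map URL carrying an extra event-handler attribute.
$attrs = 'src="https://maps.google.com/maps?q=Paris&amp;output=embed" width="600" onload="alert(1)"';
echo rebuild_passthrough($attrs), "\n";                                        // pass-through rebuild
echo rebuild_allowlisted($attrs), "\n";                                        // allowlisted rebuild
echo var_export(rebuild_allowlisted('src="https://example.test/x"'), true), "\n"; // host not listed
```

In a filter like the ones above, `rebuild_allowlisted($matches[1])` would be the return value of `postFilterCallback`. Later HTML Purifier releases added the `HTML.SafeIframe` and `URI.SafeIframeRegexp` directives, which cover this case without a custom filter.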
