ZeK
Allow iframes June 04, 2010 06:15PM

Re: Allow iframes June 04, 2010 06:20PM
Admin Registered: 6 years ago Posts: 2,632

ZeK
Re: Allow iframes June 04, 2010 06:40PM
OK. I'm trying to create a new filter, using the YouTube filter as a base. But I don't know how to tell HTMLPurifier to use my new filter. I created "GoogleMaps.php" in the Filter folder and added:
$purifierConfig->set('Filter.GoogleMaps', true);
But I get this warning:
Warning: Cannot set undefined directive Filter.GoogleMaps to value on line 7 in file D:\Apache\insalan6\lib\purifier.inc.php in D:\Apache\insalan6\lib\purifier\HTMLPurifier\Config.php on line 564

Re: Allow iframes June 04, 2010 06:53PM
Admin Registered: 6 years ago Posts: 2,632
Use %Filter.Custom.

ZeK
Re: Allow iframes June 04, 2010 07:11PM
Thanks for all the help. It's probably not bulletproof, but if someone has the same problem, here is my quick filter:
class HTMLPurifier_Filter_GoogleMaps extends HTMLPurifier_Filter
{
    public $name = 'GoogleMaps';

    public function preFilter($html, $config, $context) {
        $pre_regex = '#<iframe[^>]+src="(http://maps\.google\.fr/maps/[^">]+)"></iframe>#s';
        $pre_replace = '<a class="googlemaps-embed" href="\1">Google Maps</a>';
        return preg_replace($pre_regex, $pre_replace, $html);
    }

    public function postFilter($html, $config, $context) {
        $post_regex = '#<a class="googlemaps-embed" href="(http://maps\.google\.fr/maps/[^">]+)">Google Maps</a>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    protected function postFilterCallback($matches) {
        return '<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="'.$matches[1].'"></iframe>';
    }
}

ZeK
Re: Allow iframes June 04, 2010 07:13PM
Didn't read all the help, my bad :S
class HTMLPurifier_Filter_GoogleMaps extends HTMLPurifier_Filter
{
    public $name = 'GoogleMaps';

    // Before purification: turn a Google Maps iframe into a plain link that
    // HTML Purifier lets through. Only matches <iframe ... src="..."></iframe>
    // with src as the last attribute and nothing between the two tags.
    public function preFilter($html, $config, $context) {
        $pre_regex = '#<iframe[^>]+src="(http://maps\.google\.fr/maps/[^">]+)"></iframe>#s';
        $pre_replace = '<a class="googlemaps-embed" href="\1">Google Maps</a>';
        return preg_replace($pre_regex, $pre_replace, $html);
    }

    // After purification: turn the marker link back into an iframe.
    public function postFilter($html, $config, $context) {
        $post_regex = '#<a class="googlemaps-embed" href="(http://maps\.google\.fr/maps/[^">]+)">Google Maps</a>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    // Fixed size and attributes; only the captured maps.google.fr URL comes from the input.
    protected function postFilterCallback($matches) {
        return '<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="'.$matches[1].'"></iframe>';
    }
}

Jab
Re: Allow iframes October 28, 2010 09:17PM
People who understand the hazard and want to allow the iframe and all its parameters (width, height, style...) can try this very simple custom filter; it works for me in combination with TinyMCE:
First create the file MyIframe.php:
class HTMLPurifier_Filter_MyIframe extends HTMLPurifier_Filter
{
    public $name = 'MyIframe';

    // Before purification: rewrite every occurrence of the string "iframe" to "img",
    // so <iframe ...> becomes <img ...> and is kept as an image.
    public function preFilter($html, $config, $context) {
        return preg_replace("/iframe/", "img", $html);
    }

    // After purification: turn every <img ...> (real images included) into an iframe.
    public function postFilter($html, $config, $context) {
        $post_regex = '#<img ([^>]+)>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    // The attributes are reinserted exactly as HTML Purifier left them on the <img>.
    protected function postFilterCallback($matches) {
        return '<iframe '.$matches[1].'></iframe>';
    }
}
and put it in the filter directory; after this, add the config line to your settings:
$config->set('Filter.Custom', array( new HTMLPurifier_Filter_MyIframe() ));
That's all; it allows any kind of iframe (Google Maps, Vimeo, YouTube, etc.). Of course it could be dangerous, bla, bla, bla... :P
I hope that can help someone. Cheers

Jab
Re: Allow iframes October 31, 2010 01:51PM
Oops, a little fix to prevent the normal img tag substitutions:
class HTMLPurifier_Filter_MyIframe extends HTMLPurifier_Filter
{
    public $name = 'MyIframe';

    // Before purification: every occurrence of the string "iframe" becomes an <img>
    // tagged with a marker class, so real images can be told apart later.
    public function preFilter($html, $config, $context) {
        return preg_replace("/iframe/", "img class=\"MyIframe\" ", $html);
    }

    // After purification: only <img> tags carrying the marker class become iframes again.
    public function postFilter($html, $config, $context) {
        $post_regex = '#<img class="MyIframe" ([^>]+)>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    // The remaining attributes are reinserted exactly as HTML Purifier left them.
    protected function postFilterCallback($matches) {
        return '<iframe '.$matches[1].'></iframe>';
    }
}

Re: Allow iframes November 10, 2010 06:52AM
Registered: 2 years ago Posts: 1
This is great, except there's a bug in here too. If you are passing in an iframe tag with a closing iframe tag, you will wind up replacing the closing iframe tag with
</img class="MyIframe" >
On postFilter, it gets messed up. To fix this problem, just replace $html in the preFilter with:
preg_replace("/<\/iframe>/", "", $html)
Thank you Jab SO MUCH for your solution. It saved me hours of trying to figure out what to do to get this to work!!!

El B
Re: Allow iframes July 05, 2011 10:09AM
Hi
I wonder if anyone could bring this together and be a little more explicit about which files we are editing, and provide a version of the code that includes shmuel613's amendment. My specific confusion is which instance (or both?) of $html do I replace with
preg_replace("/<\/iframe>/", "", $html)
in the preFilter?
Cheers
El B

Adrien
Re: Allow iframes July 26, 2011 09:59AM
If you need HTML Purifier to remove all tags but the iframe, you can't use image or anchor tags as placeholders like the code above does.
Here is my solution to get iframes through when no other tags are allowed:
class HTMLPurifier_Filter_CustomIframesSupport extends HTMLPurifier_Filter
{
    public $name = 'CustomIframesSupport';

    // Before purification: replace each opening iframe tag with a plain-text marker
    // that carries its attributes, and drop the closing tags. Text survives even
    // when no tags at all are allowed.
    public function preFilter($html, $config, $context) {
        $html = preg_replace('#<iframe([^>]+)>#i', '[[[custom-iframes-support $1]]]', $html);
        $html = preg_replace('#<\/iframe>#i', '', $html);
        return $html;
    }

    // After purification: turn each marker back into an iframe.
    public function postFilter($html, $config, $context) {
        $post_regex = '#\[\[\[custom-iframes-support ([^<]+?)\]\]\]#';
        $html = preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
        return $html;
    }

    // The marker text, i.e. the original attribute string, is reinserted as-is.
    protected function postFilterCallback($matches) {
        return '<iframe'.$matches[1].'></iframe>';
    }
}

Re: Allow iframes August 04, 2011 04:58AM
Registered: 3 years ago Posts: 61
You guys should be careful that you're not bypassing HTML Purifier's attribute whitelisting with your solutions. Iframe event handler attributes exist, after all.
Also, heads-up, take extra special care allowing other tags to be injected after HTML Purifier has run. I don't currently have a payload (no time, and I'm not a pentester), but consider the implications of constellations like <iframe dummy="]]]<script>alert('xss');</script>" />. Note: that isn't a working payload on the last offered iframe support; HTML Purifier will strip it between the pre- and post-filters, but I wanted to put this here to illustrate the general principle.
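
An added example, not code posted in this thread and not part of HTML Purifier itself. It consolidates the filters above (placeholder in preFilter, real tag restored in postFilter, closing tags stripped first as the November 10 reply suggests) while addressing both points in the last reply: attributes are reduced to a small whitelist, src is checked against an allowlist of embed hosts with parse_url, and the placeholder carries only a per-call random token and an index, so no user-controlled text is ever reinserted after purification. The host allowlist, the attribute rules, the class name and the stand-in base class that lets the file run without the library installed are all assumptions of this example. Note that HTML Purifier 4.4.0 and later also ship %HTML.SafeIframe together with %URI.SafeIframeRegexp, which is the supported way to allow embeds; the filter below shows how the %Filter.Custom approach taken in this thread can be done without giving up the whitelisting.

```php
<?php
// Added example, not code from the thread: a custom filter in the spirit of the ones
// above that keeps HTML Purifier's guarantees (allowed embed hosts only, allowed
// attributes only, a placeholder that user input cannot forge). The host allowlist,
// the attribute rules and the class name are assumptions made for this example.

if (!class_exists('HTMLPurifier_Filter')) { // stand-in so this file runs without the library
    class HTMLPurifier_Filter { public $name;
        public function preFilter($html, $config, $context) { return $html; }
        public function postFilter($html, $config, $context) { return $html; } }
}

class HTMLPurifier_Filter_SafeIframe extends HTMLPurifier_Filter
{
    public $name = 'SafeIframe';
    // Assumed allowlist: exact host => required path prefix of the embed URL.
    private $allowedHosts = array('www.youtube.com' => '/embed/',
                                  'player.vimeo.com' => '/video/', 'maps.google.fr' => '/maps');
    private $token  = '';      // fresh per purify() call; binds placeholders to this pass
    private $frames = array(); // validated attribute sets, kept out of the HTML entirely

    public function preFilter($html, $config, $context)
    {
        $this->token  = bin2hex(random_bytes(8));
        $this->frames = array();
        // Strip closing tags first (the </iframe> problem reported above), then replace
        // each opening tag with a placeholder, or with nothing if it is rejected.
        $html = preg_replace('#</iframe\s*>#i', '', $html);
        return preg_replace_callback('#<iframe\b([^>]*)>#i', array($this, 'preFilterCallback'), $html);
    }

    protected function preFilterCallback($m)
    {
        $attrs = $this->validate($this->parseAttributes($m[1]));
        if ($attrs === null) { return ''; }
        $this->frames[] = $attrs;
        // Only a token and an index reach the text, never attribute content, so a
        // dummy="]]]<script>..." attribute has nothing to break out of.
        return '[[[iframe-' . $this->token . '-' . (count($this->frames) - 1) . ']]]';
    }

    public function postFilter($html, $config, $context)
    {
        $re = '#\[\[\[iframe-' . preg_quote($this->token, '#') . '-(\d+)\]\]\]#';
        return preg_replace_callback($re, array($this, 'postFilterCallback'), $html);
    }

    protected function postFilterCallback($m)
    {
        if (!isset($this->frames[(int) $m[1]])) { return ''; }
        $out = '<iframe';
        foreach ($this->frames[(int) $m[1]] as $name => $value) {
            $out .= $value === true ? ' ' . $name
                : ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
        }
        return $out . '></iframe>';
    }

    // Tokenizer for name="v", name='v', name=v and bare boolean attributes.
    public function parseAttributes($raw)
    {
        $re = '/([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+)))?/';
        preg_match_all($re, $raw, $all, PREG_SET_ORDER);
        $attrs = array();
        foreach ($all as $a) {
            $value = strpos($a[0], '=') === false ? true : '';   // bare attribute => true
            for ($i = 2; $i <= 4; $i++) {
                if (isset($a[$i]) && $a[$i] !== '') { $value = $a[$i]; }
            }
            $attrs[strtolower($a[1])] = $value;
        }
        return $attrs;
    }

    // Whitelisted attribute set, or null when src is not an allowed embed URL.
    public function validate(array $attrs)
    {
        $u = isset($attrs['src']) && is_string($attrs['src']) ? parse_url($attrs['src']) : false;
        $host = is_array($u) && isset($u['host']) ? strtolower($u['host']) : '';
        if (!is_array($u) || !isset($u['scheme'], $u['path']) || isset($u['user']) || isset($u['pass'])
            || !in_array(strtolower($u['scheme']), array('http', 'https'), true)
            || !isset($this->allowedHosts[$host])
            || strpos($u['path'], $this->allowedHosts[$host]) !== 0) {
            return null;
        }
        // Anything not listed here (style, on*, srcdoc, name, ...) is dropped.
        $rules = array('width' => '/^\d{1,4}$/', 'height' => '/^\d{1,4}$/', 'frameborder' => '/^[01]$/');
        $safe  = array('src' => $attrs['src']);
        foreach ($rules as $name => $re) {
            if (isset($attrs[$name]) && is_string($attrs[$name]) && preg_match($re, $attrs[$name])) {
                $safe[$name] = $attrs[$name];
            }
        }
        if (isset($attrs['allowfullscreen'])) { $safe['allowfullscreen'] = true; }
        return $safe;
    }
}

// Constructed sample input. With HTML Purifier installed, register the filter through
// Filter.Custom or run $purifier->purify() on the preFilter output before postFilter.
$filter = new HTMLPurifier_Filter_SafeIframe();
$input  = '<p>[[[iframe-forged-0]]]</p>'
    . '<iframe width="560" height="315" style="x" onload="alert(1)" src="https://www.youtube.com/embed/abc123" allowfullscreen></iframe>'
    . '<iframe src="https://www.youtube.com.evil.example/embed/abc123"></iframe>'
    . '<iframe title="]]]" src="https://player.vimeo.com/video/1" />';
echo $filter->postFilter($filter->preFilter($input, null, null), null, null), "\n";
```

Run stand-alone, the forged placeholder in the paragraph stays as text because its token does not match, the YouTube iframe comes back with only src, width, height and allowfullscreen (style and onload are gone), the look-alike host is removed entirely, and the Vimeo iframe loses its title attribute. Under the real library the registration is the same as in the posts above, `$config->set('Filter.Custom', array(new HTMLPurifier_Filter_SafeIframe()));`; since that instance is reused across purify() calls, preFilter resets the token and the stored frames on every pass.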