IMG SRC

Hello, i have problem with Htmlpurifier settings. If my input is for example (its URL for logging out):

<img src="http://www.example.com/app/public/user/login/logout">

Htmlpurifier is not able to purify this input. Only add "ALT" but the code is processed and user is logged out. Is any possibility to handle this?

My htmlpurifier settings is:

require_once('htmlpurifier/library/HTMLPurifier.auto.php');
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('Core.RemoveInvalidImg',true);
    $purifier = new HTMLPurifier($config);

$clean = $purifier->purify($dirty);

Thanks for any advice

Don't have your logout page be triggered by a GET request. That's silly, and no one does it anymore.

Htmlpurifier is not able to purify this input. Only add "ALT" but the code is processed and user is logged out. Is any possibility to handle this?

There's no (sane) way to handle this, because HTML Purifier doesn't know what a link may or may not cause. HTML Purifier is not your problem here, though, you generally have a CSRF vulnerability you need to take care of - so what you're looking for are solutions to prevent cross-site request forgery, e.g. securing your logout with a CSRF token.

If all you want to do is prevent a website to have the word 'logout' in them, you can write an attribute transformation that strips 'href' if its value contains 'logout'.

(Edit: Fixed formatting after an HTML escaping issue ravaged the forum.)

Edited 1 time(s). Last edit at 07/30/2012 01:57PM by pinkgothic.

Hi,

Below is the code for Image,

<img src="cid:ii_13caf061fab44f94" alt="Inline image 1">

HTML Purifier removes this image's src, I have tried HTML.Allowed as img[alt|src] and also set Core.RemoveInvalidImg to false.

but still not receiving the src as it is.

Please assist. Thanks in anticipation.

Regards Pankaj Garg

Hello, i have problem with Htmlpurifier settings. If my input is for example (its URL for logging out):

<img src="http://www.example.com/app/public/user/login/logout">

Htmlpurifier is not able to purify this input. Only add "ALT" but the code is processed and user is logged out. Is any possibility to handle this?

My htmlpurifier settings is:

require_once('htmlpurifier/library/HTMLPurifier.auto.php');
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('Core.RemoveInvalidImg',true);
    $purifier = new HTMLPurifier($config);

$clean = $purifier->purify($dirty);

Thanks for any advice

I'm pretty sure that the link in the img src is not a valid image file. it should be pointing to a gif, jpg, png file etc. which is why purifier is removing it.

ImpressCMS: Make A Lasting Impression

@Pankaj Garg: cid is not a supported URL 'schema'. You should use the HTML Purifier after cid references have been changed to URL references. :) If that's not possible, you may have to look into providing a URL schema handling class. (Note: You can use the HTML Purifier to pretransform the img-src to change cid into img-src, I've done this before in a project I used to work in. I think Edward may even have some code from me on that subject... dunno if he's still considering making it a feature, though. :) )

@vaughan: The reported problem is that HTML Purifier isn't removing it, though. And that is its expected/designed behaviour, too - it can't guess what a link is going to do and if the HTML is going to exploit an issue on the src-named server, it can only prevent exploits it knows about (those that would strike client-side, basically, or those that would strike the Purifier itself (e.g. by trying to get the parser to tie itself into a knot), not those of external applications... and this is a vulnerability in the external application, it's a CSRF issue).

Whooops it looks like I never got around to actually reviewing the CID patch (two years late, rawr!) -_- Probably should go look at that now...

HTML Purifier, Standards-Compliant HTML Filtering

Whooops it looks like I never got around to actually reviewing the CID patch (two years late, rawr!) -_- Probably should go look at that now...

It's been that long? ...time flies when you're having fun. :D I hope it's usable. If not, let me know, I'd be happy to tweak it so it fits.

OK, it looks like there are some changes that need to be made:

• It is special-cased for CSS URI tags, but there is not really a good reason why normal links couldn't also have CID handling. So the 'CID-ified' URI handler should be a decorator around the normal URI handler. Which leads to the next point:
• CID should be given a URIScheme. With this, the decorator can parse the URI first, and then check if it's a CID.
• Similarly, it probably isn't necessary to have an attr transform on top of everything else; the AttrDef can handle the translation itself.

I think those are the biggies.

HTML Purifier, Standards-Compliant HTML Filtering