
I want to keep style tags but not script tags

Posted by Jeff Whiting
March 27, 2012 12:18PM

I am trying to purify HTML such that the script tags are removed but style tags (and their contents) are left in. I've tried lots of configuration options and haven't been able to find the right combination to make things work like I would like. Yes, I do realize the fallacy of keeping style tags, but to make a long story short that is what I need to do. Also it is not an option to extract the styles and add them back in later (a la Filter.ExtractStyleBlocks); I need them to actually stay in the HTML.

These are the following config parameters I've used and their results:

$config->set('HTML.Trusted', true); Keeps the style tags but also keeps javascript and a bunch of other stuff so I don't want to use this.

$config->set('CSS.Trusted', true) Only seems to apply to the style attribute.

$config->set('HTML.AllowedElements', array('img', 'a', 'b', 'strong', 'i', 'em', 'u', 'span', 'div', 'br', 'p', 'hr', 'table', 'tbody', 'thead', 'tr', 'th', 'td', 'style')); $config->set('Core.HiddenElements', array('script' => true)); The contents of the style tag stick around but the style tag itself is gone.

I even tried modifying Filter.ExtractStyleBlocks and not have it extract the style tags but leave them in and it didn't work.

Is there a config option(s) that will let me filter javascript but leave style alone? Do I have to add my own element (http://htmlpurifier.org/docs/enduser-customize.html)?

Thanks for the help.

Re: I want to keep style tags but not script tags
March 27, 2012 02:13PM

Check the docu for %Filter.ExtractStyleBlocks. You need to do a little extra to add the styles back in.

Jeff Whiting
Re: I want to keep style tags but not script tags
March 27, 2012 02:57PM

I looked at %Filter.ExtractStyleBlocks originally. However, I don't want to move the styles around, which is all that %Filter.ExtractStyleBlocks will let me do (extract and then append).

I'm running the purify over lots of small pieces of text and it doesn't really make sense to extract the style tags. I want them to stay in their original location unmodified.

I've been poking around the code and style tags must be handled in a special way as http://htmlpurifier.org/live/smoketests/printDefinition.php never shows style tags as an allowed tag regardless of the settings I use. If need be I can modify the core (and contribute back) if I have an idea of where to start looking.

Re: I want to keep style tags but not script tags
March 27, 2012 03:34PM

You do know style tags in your body are invalid, right?

The main problem with preserving the style tags inline is that browsers parse CSS in all sorts of strange ways, and it's not really clear how to make sure the CSS gets parsed correctly. This has been a source of security vulnerabilities in the past. But if you still want to, I don't see why you can't just append the inline style tag to the end of the HTML that gets spit out.
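The extract-and-append approach suggested in this reply, written out as an added example (not code posted in this thread or shipped by HTML Purifier). It assumes HTML Purifier is installed with its autoloader and that CSSTidy is available, since %Filter.ExtractStyleBlocks validates CSS through CSSTidy; the `#user-content` scope id and the sample input are constructed for illustration.

```php
<?php
// Added example: remove <script> with the normal purifier rules, and keep
// <style> content only after it has been validated, by extracting it with
// %Filter.ExtractStyleBlocks and appending the filtered CSS to the output.
// Assumes HTMLPurifier.auto.php is on the include path and CSSTidy is installed.
require_once 'HTMLPurifier.auto.php';

function purifyAndReappendStyles(string $dirtyHtml): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Filter.ExtractStyleBlocks', true);
    // Prefix every selector so the CSS cannot restyle elements outside the
    // container that will hold the purified fragment. '#user-content' is a
    // constructed id; use whatever wraps the output on your page.
    $config->set('Filter.ExtractStyleBlocks.Scope', '#user-content');

    $purifier = new HTMLPurifier($config);
    $cleanHtml = $purifier->purify($dirtyHtml);

    // The filter stores the CSSTidy-filtered CSS, one string per <style>
    // block, in the purifier context under the 'StyleBlocks' key.
    $styles = $purifier->context->get('StyleBlocks');

    $styleTags = '';
    foreach ($styles as $css) {
        // Only filtered CSS is re-emitted; raw <style> content never passes through.
        $styleTags .= "<style>\n" . $css . "\n</style>\n";
    }

    // Append the validated style blocks after the purified HTML, as suggested above.
    return $cleanHtml . "\n" . $styleTags;
}

// Constructed sample input: one style block, one script block, some markup.
$sample = '<style>p { color: red; }</style>'
        . '<script>alert(1)</script>'
        . '<p>Hello</p>';

echo purifyAndReappendStyles($sample);
```

The purified HTML no longer contains the script element, and the style rules come back prefixed with the configured scope, so a fragment rendered inside `<div id="user-content">` is styled while the rest of the page is not. If the block must appear before the content instead, swap the concatenation order; the validation is identical either way.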

Jeff Whiting
Re: I want to keep style tags but not script tags
March 28, 2012 01:39AM

I'm aware it isn't "valid" html. Hence the "to make a long story short." So even though it is an ugly hack I've now configured the purifier to allow for style tags. If anyone else ever needs to do something like this, this is what I did to get it working.

redacted

It took me a long time to figure this out mostly because I had to really understand the internals of HTMLPurifier to know what to put for each of the values, how to format them, and how all of them interact with each other.

Edited 1 time(s). Last edit at 03/28/2012 01:45AM by Ambush Commander.

Re: I want to keep style tags but not script tags
March 28, 2012 01:44AM

You're vulnerable to XSS with that code, because you're not doing any validation. (I've edited it out of the post because I prefer that vulnerable code not be in the searchable archives.)

udAL
Re: I want to keep style tags but not script tags
February 20, 2018 01:05PM

Well I need exactly what you removed...
