
how to add a couple attributes to the default whitelist, e.g. 'onclick'

Posted by purushagovinda 

Two questions:

I have been fiddling with htmlpurifier config settings and reading the docs, and came to the conclusion (erroneously?) that as far as telling htmlpurifier which elements/attributes should be allowed, I have to either leave the default whitelist alone as it is, or I have to specify every single element/attribute that should be allowed. Is this correct? I would love to be able to just add 2 or 3 attributes to the default whitelist, so that I do not have to constantly find and add more elements/attributes to, e.g., HTML.AllowedElements and/or HTML.AllowedAttributes.

On the other hand, I would not mind specifying them myself if I could find the default list of allowed elements/attributes, that I could copy and paste, and then add to.

Anyway, specifically now, (for internal trusted users) I need to allow javascript attributes (input from tinymce).

Question #1:

Is there a way to just add an attribute (to what HTMLpurifier allows) without causing the whole default sets of allowed elements/attributes to be effectively wiped out (overwritten by ONLY what is explicitly written in HTML.AllowedElements or HTML.AllowedAttributes)?

For what I need right now (the javascript attributes), I got excited when I saw in this thread:

http://stackoverflow.com/questions/3189396/whitelist-forms-in-html-purifier-configuration

...where Edward Z. Yang says, "... [$config->set('HTML.Trusted', true);] allows JavaScript."

...but even after setting this:

$config->set('HTML.Trusted', true);

HTMLpurifier 4.4.0 is still stripping, e.g., any input onclick="dostuff();" attribute. Why?

Question #2:

Is there a quick way to add just the javascript attributes to the allowed list?

Thanks for your time, sincerely

-Govinda
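Added example (not part of the post above, and not code from the HTML Purifier project): the two directives the post names, HTML.AllowedElements and HTML.AllowedAttributes, are filters applied on top of the built-in definition, so anything you list there becomes the whole whitelist. Adding to the default set instead goes through the HTMLDefinition customisation API (HTML.DefinitionID / HTML.DefinitionRev, maybeGetRawHTMLDefinition() and addAttribute()). The code assumes HTML Purifier 4.4 or later with its autoloader on the include path; the DefinitionID string and the sample markup are made up for the example. HTML.Trusted is set because in 4.4 the forms module (and so <input>) is only loaded in trusted mode; HTML Purifier ships no definition for on* handler attributes at all, which is why HTML.Trusted on its own still strips onclick.

```php
<?php
// Added example: extend HTML Purifier's default whitelist with a couple of
// attributes instead of re-listing every element/attribute. Assumes HTML
// Purifier 4.4+ with HTMLPurifier.auto.php on the include path.
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// In 4.4 the forms module (<input>, <form>, ...) is only available when
// HTML.Trusted is on. Note this also enables <script> and friends.
$config->set('HTML.Trusted', true);

// A customised definition needs a cache key. Bump DefinitionRev whenever the
// customisation below changes, otherwise the cached definition is reused.
$config->set('HTML.DefinitionID', 'internal-editors-onclick'); // assumed name
$config->set('HTML.DefinitionRev', 1);

// All set() calls must come before this line: fetching the raw definition
// finalizes the config. It returns null when a cached definition for this
// DefinitionID/Rev already exists, in which case nothing needs adding.
if ($def = $config->maybeGetRawHTMLDefinition()) {
    // A harmless addition: 'target' on <a>, restricted to an enumeration.
    $def->addAttribute('a', 'target', 'Enum#_blank,_self');

    // The attribute the post asks for. 'Text' performs NO sanitisation of the
    // value, so whoever can submit this markup can run arbitrary script in
    // every viewer's browser. Only acceptable for an already-trusted channel.
    $def->addAttribute('input', 'onclick', 'Text');
}

// Answer to "where is the default list?": the finalized definition exposes the
// allowed elements in $def->info (name => ElementDef) and each element's
// attributes in ElementDef::$attr; attributes valid on every element live in
// $def->info_global_attr.
function list_allowed(HTMLPurifier_Config $config)
{
    $def = $config->getHTMLDefinition();
    $allowed = array('*' => array_keys($def->info_global_attr));
    foreach ($def->info as $name => $element) {
        $allowed[$name] = array_keys($element->attr);
    }
    ksort($allowed);
    return $allowed;
}

$purifier = new HTMLPurifier($config);

// Constructed sample input, not real user data.
$dirty = '<a href="http://example.com/" target="_blank" onclick="track()">x</a>'
       . '<input type="button" value="Go" onclick="dostuff();">';

echo $purifier->purify($dirty), "\n";
print_r(list_allowed($config));
```

Run with php and diff the two attribute lists: onclick was added only for input, so the sample <a> keeps target and still loses onclick, while the <input> keeps its handler. If you later want onclick on more elements, each one needs its own addAttribute() call (and a DefinitionRev bump); there is no way to add a global attribute through this API, and every such addition is a deliberate hole in the XSS protection the library otherwise provides.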

Thanks so much for your time!

I'll keep discussion over there on SO then. I was not sure where you prefer to correspond. Are you Edward? Are you the sole man behind support? (You have accomplished an astonishing amount of code in recent years ;-)

Again, just thanks.
