
Ruleset validation.

Posted by Drak
June 12, 2010 11:52AM

HTMLPurifier does not do a good job of validating its configuration and handling unexpected values gracefully. In some cases, HTMLPurifier can terminate abruptly if its configuration is not set properly.

Would it be possible to provide an API to validate added rules? I didn't see a bug tracker to log the request, so I apologize if this is the wrong place.

Drak

Re: Ruleset validation.
June 12, 2010 02:17PM

I've not considered this too useful, since usually a programmer will write up a bunch of rules and test it, and if it doesn't work they'll fix their rule. Are you dynamically generating configurations?

Drak
Re: Ruleset validation.
June 19, 2010 09:19PM

We are integrating an interface into Zikula (http://zikula.org) so the rules can be configured via a form (and stored to the database). As such we have no way to validate if the rules will work; they'll just hose the site on the next page load because we cannot validate them. IMO, it's the job of HTMLPurifier not to accept invalid rulesets, so it should either provide a way to validate rules or, at the very least, throw an exception if it breaks so we can catch it.

Re: Ruleset validation.
June 19, 2010 09:27PM

You should check out HTMLPurifier_Printer_ConfigForm, which was built for this purpose. You could also just try running HTML Purifier with the config they give you, and bugger out if something bad happens.
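The dry-run approach suggested in the reply above, applied to the form-driven rule set Drak describes, as an added example: this is not code from the thread and not HTML Purifier's own code. It assumes HTML Purifier 4.x loaded through a Composer autoloader and PHP 7 or later (for Throwable); the function name, the sample document and the two candidate rule sets are constructed for the example. The one behaviour it relies on is that HTML Purifier reports unknown directives and rejected values through trigger_error() rather than exceptions, and builds its definitions lazily, so a configuration has to be exercised by an actual purify() call before you know it works.

```php
<?php
// Added example, not part of the thread or of HTML Purifier itself.
// Assumes HTML Purifier 4.x via Composer and PHP 7+.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Dry-run a candidate rule set (as submitted from a settings form) and
 * collect every problem HTML Purifier raises, so the caller can reject the
 * submission instead of letting it break the site on the next page load.
 *
 * @param array $directives  directive name => value, as typed into the form
 * @return string[] error messages; an empty array means the rule set is usable
 */
function validateHtmlPurifierRules(array $directives)
{
    $errors = [];

    // Bad directive names and out-of-range values are reported with
    // trigger_error(E_USER_WARNING), so convert warnings to exceptions for
    // the duration of the dry run.
    set_error_handler(function ($severity, $message, $file, $line) {
        throw new ErrorException($message, 0, $severity, $file, $line);
    });

    try {
        $config = HTMLPurifier_Config::createDefault();
        // Never write a definition cache for a configuration that may be bogus.
        $config->set('Cache.DefinitionImpl', null);

        foreach ($directives as $key => $value) {
            try {
                $config->set($key, $value);
            } catch (Throwable $e) {
                // Keep going so the form can show every bad directive at once.
                $errors[] = "$key: " . $e->getMessage();
            }
        }

        if (!$errors) {
            // Definitions are built lazily; only a real purify() exercises
            // the whole rule set. Constructed sample input covering the
            // things a rule set usually has to handle.
            $sample = '<p>Hello <a href="http://example.com" onclick="x()">world</a>'
                    . '<script>alert(1)</script><b>bold</b></p>';
            $purifier = new HTMLPurifier($config);
            $purifier->purify($sample);
        }
    } catch (Throwable $e) {
        $errors[] = get_class($e) . ': ' . $e->getMessage();
    } finally {
        restore_error_handler();
    }

    return $errors;
}

// Two candidate rule sets as a settings form might submit them (constructed):
// the second uses a doctype value HTML Purifier does not support and a
// directive that does not exist.
$good = ['HTML.Allowed' => 'p,b,a[href]', 'HTML.Doctype' => 'XHTML 1.0 Strict'];
$bad  = ['HTML.Allowed' => 'p,b', 'HTML.Doctype' => 'HTML 9', 'HTML.NoSuchThing' => true];

var_dump(validateHtmlPurifierRules($good));
var_dump(validateHtmlPurifierRules($bad));
```

A non-empty result means the form handler should refuse to store the submission and keep the previously working rule set. Run the dry run in the request that handles the form, not on page load, so a rejected rule set never reaches the database. The caveat is that this only catches what HTML Purifier surfaces as a warning or an exception; a genuine fatal error (memory exhaustion, for instance) still ends the request, which is why the check is done at submission time rather than where the purifier is used.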
