New configurable option - disable CSS filters

Posted by Thimble 
New configurable option - disable CSS filters
October 02, 2010 01:17PM

Hello, would it be possible to create a new configurable option, something like:

CSS.disable = boolean

I need HTMLPurifier to leave the style property of an element untouched and keep it as it is. The only solution I have found is to customize the file HTMLPurifier/AttrDef/CSS.php as follows:

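class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
{

    public function validate($css, $config, $context) {

        // Custom change: return the style value as-is, skipping all CSS filtering
        return $css;

        // ... rest of the original method (now unreachable)
    }
}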

It would be much better if I didn't have to make this custom change and could use a configurable option instead.

Re: New configurable option - disable CSS filters
October 02, 2010 05:38PM

Why do you want to do this? It completely breaks our security guarantees.

Re: New configurable option - disable CSS filters
October 03, 2010 12:22AM

Well, it would be just a configurable option, disabled by default. I don't use HTMLPurifier for security purposes but mainly to make the non-valid code from my WYSIWYG editor valid.

I think that this new option wouldn't hurt anything, if it is disabled by default.

Re: New configurable option - disable CSS filters
October 03, 2010 04:59AM

That use case is not really what HTML Purifier is for. I usually recommend people use Tidy or something similar if they don't care about security.

Re: New configurable option - disable CSS filters
October 03, 2010 05:11AM

Tidy doesn't work very well for my case; it is not 100% correct, and sometimes it doesn't produce valid code.

HTMLPurifier is good at this, but it touches my style attributes. And I don't get why 'position:absolute' is dangerous and needs to be filtered out?

Please think it over and try including this configurable option to not use CSS filters at all if desired; it would make my life, and maybe others', much easier.

Re: New configurable option - disable CSS filters
October 03, 2010 05:23AM

Imagine if you had some "Login" link on your page. A user would expect to be able to click on it and then type their password. If you allow absolute CSS positioning, someone could style an alternate login link and then have it render on top of the real one. Instant phishing.

It sounds like you might want a CSS.Trusted though, akin to %HTML.Trusted.
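
An added example, not part of the original thread and not HTML Purifier's own code: it contrasts the pass-through hack from the first post with a property allowlist, to show what reaches the page once the style attribute is no longer filtered. The function names, the allowlist and the sample style string are assumptions made up for this illustration.

```php
<?php
// Added illustration; not HTML Purifier's implementation. All names are hypothetical.

// The hack from the thread: the style attribute is returned untouched.
function style_passthrough(string $css): string
{
    return $css;
}

// Allowlist filter: keep only declarations whose property is explicitly
// permitted and whose value stays within a conservative character set.
function style_allowlist(string $css, array $allowed): string
{
    $kept = [];
    // Naive split on ';' (assumption: no ';' inside quoted strings or url()).
    foreach (explode(';', $css) as $declaration) {
        if (strpos($declaration, ':') === false) {
            continue; // empty or malformed declaration
        }
        [$property, $value] = array_map('trim', explode(':', $declaration, 2));
        $property = strtolower($property);
        if (!in_array($property, $allowed, true)) {
            continue; // drops position, top, left, z-index, ...
        }
        // Character-set check rejects parentheses, quotes and backslashes,
        // so url(...), expression(...) and CSS escapes never pass.
        if (!preg_match('/^[a-zA-Z0-9#%., -]+$/', $value)) {
            continue;
        }
        $kept[] = "$property:$value";
    }
    return implode(';', $kept);
}

// Constructed sample: styling that would place an element over the
// top-left corner of the page, above everything else.
$style = 'color: #fff; position: absolute; top: 0; left: 0; z-index: 9999; font-weight: bold';
$allowed = ['color', 'font-weight', 'text-align', 'text-decoration'];

echo style_passthrough($style), "\n"; // positioning declarations survive
echo style_allowlist($style, $allowed), "\n"; // only color and font-weight remain
```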

Re: New configurable option - disable CSS filters
October 03, 2010 05:37AM

Thanks for the quick reply. Yes, if CSS.Trusted existed, it would probably solve my problem.

The example you are talking about is surely possible, but not in every scenario.

Would it be possible to implement CSS.Trusted, please?

Re: New configurable option - disable CSS filters
October 03, 2010 05:57AM

It's on my TODO list. Your hack should be ok (if you don't care about CSS validity) for now.

Re: New configurable option - disable CSS filters
October 03, 2010 06:05AM

Thanks, will be looking forward to it!