Welcome! » Log In » Create A New Profile

New configurable option - disable CSS filters

Posted by Thimble 
Forum List Message List New Topic
Thimble
New configurable option - disable CSS filters
October 02, 2010 01:17PM

Hello, would it be possible to create a new configurable option, something like:

CSS.disable = boolean

I need that HTMLPurifier doesn't touch style property of element and keeps it as it is. The only solution I have found is to customize file HTMLPurifier/AttrDef/CSS.php as follows:

class HTMLPurifier_AttrDef_CSS extends HTMLPurifier_AttrDef
{

    public function validate($css, $config, $context) {

      return $css;

      .........

It would be much better if I wouldn't have to make this custom change and rather use configurable option.

Reply Quote
Ambush Commander
Re: New configurable option - disable CSS filters
October 02, 2010 05:38PM

Why do you want to do this? It completely breaks our security guarantees.

Reply Quote
Thimble
Re: New configurable option - disable CSS filters
October 03, 2010 12:22AM

Well, it would be just configurable option disabled by default. I don't use HTMLPurifier for security purposes but mainly for make valid my non-valid code from WYSIWYG editor.

I think that this new option wouldn't hurt anything, if it is disabled by default.

Reply Quote
Ambush Commander
Re: New configurable option - disable CSS filters
October 03, 2010 04:59AM

That's use-case is not really what HTML Purifier is for. I usually recommend people use Tidy or something similar if they don't care about security.

Reply Quote
Thimble
Re: New configurable option - disable CSS filters
October 03, 2010 05:11AM

Tidy doesn't work very well for my case, it is not 100% correct, sometimes it doesn't produce valid code.

HTMLPurifier is good in this, but it touches my style attributes. And I don't get why 'position:absolute' is dangerous and needs to be filtered out ?

Please think it over and try including this configurable option to not use CSS filters at all if desired, it would make my life and maybe others much easier.

Reply Quote
Ambush Commander
Re: New configurable option - disable CSS filters
October 03, 2010 05:23AM

Imagine if you had some "Login" link on your page. A user would expect to be able to click on it and then type their password. If you allow absolute CSS positioning, someone could style an alternate login link and then have it render on top of the real one. Instant phishing.

It sounds like you might want a CSS.Trusted though, akin to %HTML.Trusted

Reply Quote
Thimble
Re: New configurable option - disable CSS filters
October 03, 2010 05:37AM

Thanks for quick reply. Yes, if CSS.Trusted would exist, it would probably solve my problem.

Example you are talking about is surely possible but not at each scenario.

Would be possible to implement CSS.Trusted, please ?

Reply Quote
Ambush Commander
Re: New configurable option - disable CSS filters
October 03, 2010 05:57AM

It's on my TODO list. Your hack should be ok (if you don't care about CSS validity) for now.

Reply Quote
Thimble
Re: New configurable option - disable CSS filters
October 03, 2010 06:05AM

Thanks, will be looking forward to it !

Reply Quote
Ambush Commander
Re: New configurable option - disable CSS filters
November 12, 2010 01:45PM

Whoo 2600th assert!

http://repo.or.cz/w/htmlpurifier.git/commit/cfc4ee1faf9e340a29b93d21590ea306140c6b71

Reply Quote
Newer Topic Older Topic
Author:
Your Email:

Subject:

HTML input is enabled. Make sure you escape all HTML and angled brackets with < and >.

Auto-paragraphing is enabled. Double newlines will be converted to paragraphs; for single newlines, use the pre tag.

Allowed tags: a, abbr, acronym, b, blockquote, caption, cite, code, dd, del, dfn, div, dl, dt, em, i, ins, kbd, li, ol, p, pre, s, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, var.

For inputting literal code such as HTML and PHP for display, use CDATA tags to auto-escape your angled brackets, and pre to preserve newlines: 

<pre><![CDATA[
Place code here
]]></pre>

Power users, you can hide this notice with: 

.htmlpurifier-help {display:none;}

Message: