you mean so they just display like this <p>a paragraph in <b> bold </b> or not. </p> the answer is no. you can disallow those tags. but you can't just entity them. you would be best off using something like preg_replace() for doing that. then use htmlentities() on it. ImpressCMS: Make A Lasting Impression
Edited 1 time(s). Last edit at 04/04/2013 03:20PM by vaughan.
by vaughan - Support

http://jsfiddle.net/am4FV/12/
.content { max-width: 600px !important; border: 1px solid #444; }
.content table { max-width: 594px !important; border: 3px solid #cecece; /* careful of borders & padding */ display: block; }
by vaughan - Support

why not use CSS? set the max-width of that table or div:
div.content-table { max-width: 600px !important; }
that way if someone uses a width greater than 600px inside that div element, max-width will reduce it to a max of 600px.
by vaughan - Support

you could purify with htmlpurifier 1st. then store the clean HTML. then once that's done, use this script to convert to text for email usage. https://code.google.com/p/iaml/source/browse/trunk/org.openiaml.model.runtime/src/include/html2text
by vaughan - Support

errrr short answer Nope. it's not the same for each. for 1, Javascript is a client-side language, PHP is a server-side language. Sometimes it's not a particular issue with the server script, but could be a flaw in the Browser itself. javascript is a dangerous language to allow untrusted users to use, more so because it's client-side, which means not only can it destroy the integrity of your server
by vaughan - Internals

i'm unable to reproduce either. tried with localhost (LAMPP) & online server host PHP5.4+ works as it should either with $_POST or $var.
by vaughan - Support

ok, got you now. :) I always read books from the back. lol
by vaughan - Support

well after reading up, been a while. parent="_blank" was invalid under the XHTML W3C spec. so no pages would validate if that was used, which is why a javascript trick was created to use rel="external" to open links in a new window/tab. the reasoning given by W3C for not being valid is that it should be up to the user to decide if they want to open in a new window or the same page (afterall there's the r
by vaughan - Support

Thanks Edward. the download page for the 4.5.0 standalone gives you a warning that you are attempting to download a deprecated version btw. thought i'd let you know.
by vaughan - General

if your forms don't accept html, then you don't need htmlpurifier & shouldn't use it. it's for HTML content only. use proper validation, typecasting, and htmlspecialchars/entities on output display
by vaughan - General

parent="_blank" is not recommended anyway, _blank is not valid xhtml so if you use it with xhtml doc types it will not validate. the best way, as you are already using rel, is instead of using parent, use rel="external" instead, along with nofollow: rel="external nofollow"
by vaughan - Support

i think serialize should be fine looking at it.
by vaughan - General

http://htmlpurifier.org/live/configdoc/plain.html#URI.SafeIframeRegexp
URI.SafeIframeRegexp works fine for youtube, vimeo, google etc using iframes. not sure about googlemaps, but i think it should. i've looked through your filter & it looks ok to me, security wise it is sound. i have 1 question tho, I haven't tested it, but noticing the usage of parse_url() in the filter, wouldn't this c
by vaughan - General

Hello, i have a problem with Htmlpurifier settings. If my input is for example (it's a URL for logging out): <img src="http://www.example.com/app/public/user/login/logout"> Htmlpurifier is not able to purify this input. It only adds "ALT" but the code is processed and the user is logged out. Is there any possibility to handle this? My htmlpurifier settings are: require_once('htmlpurifier/library/HTMLP
by vaughan - Support

just to clarify you did actually change
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
to
require_once 'your servers path to/htmlpurifier/library/HTMLPurifier.auto.php';
by vaughan - General

it should work with that. i'm presuming you have added style to the allowed attributes for the span element? also i'm not sure about this attribute in span style: data-mce-style= is that html5 by any chance?
by vaughan - Support

i don't see where tinymce is producing code like
<body id="tinymce" class="mceContentBody " onload="window.parent.tinyMCE.get('bform-annoucement-content').onLoad.dispatch();" contenteditable="true" spellcheck="false" dir="ltr">
it should not be saving body tags in the content. otherwise your page when it's rendered to the browser will have 2 body tags & that's not realistic. i would
by vaughan - Support

The example: I have a simple form which contains the following:
- An input field (name) which should only allow alpha (utf-8) symbols (so no stuff like ', etc).
- A textarea, a simple textarea which doesn't allow any of the html stuff (strips the tags) and on output it uses preg_replace to make paragraphs out of \n etc. (on edit it just returns it).
So should I use htmlpurifier for an input field,
by vaughan - Support

you need to download the zip or tar/gz files themselves. the sig files are only signature files used to verify the files in the zips, kind of like a check that they haven't been maliciously tampered with or to verify that you have all the correct files, but are not actually required for htmlpurifier to function. ie.
htmlpurifier-4.4.0.zip.sig
htmlpurifier-4.4.0.zip
htmlpurifier-4.4.0.tar.gz.sig
by vaughan - General

if i understand you correctly, you want to allow your users to type in html/php code, but you don't want the code to be parsed, only displayed. ie. like below
<div class="test">test</div>
in which case then use htmlspecialchars when displaying the data. but for the javascript i'm not fully certain what you require there or what you are trying to achieve. you might also look int
by vaughan - Support

Does this mean that htmlspecialchars will take care of everything else? I've read around 12 different posts about this on stackoverflow and there's no simple answer provided. I use pdo in my code so sql injection isn't a problem, I'm just concerned with xss.
PDO doesn't necessarily prevent SQL Injection. it may prevent 1st order injection, but not necessarily 2nd order injection. Also if if use
by vaughan - Support

omit class & style from Allowed attributes, or add them to forbidden attributes.
by vaughan - Support

thanks, how would we go about that?
by vaughan - Support

Hi Edward, just wondering if there's a possibility of using another system other than csstidy when enabling the extract style blocks in config. as you're probably aware, csstidy is no longer being developed, well there hasn't been any updates or development on it in the last few years. csstidy as it stands does not support css3. but on that note, is htmlpurifier compatible with css3? would it
by vaughan - Support

Hi Edward, Could you possibly update the users list on the front page for ImpressCMS thanks. we are now using version 4.4.0, our SVN has changed since. new url to SVN is http://www.assembla.com/code/impresscms/subversion/nodes/trunk/htdocs/libraries/htmlpurifier?rev=11754
by vaughan - General

what is your max post size & memory set at in php.ini?
by vaughan - Support

I have to say I am a little confused... assuming that the page we are working with has received a $_POST['txtName'] would
$name = filter_input(INPUT_POST, $txtName, FILTER_SANITIZE_STRING);
be wrong? What I am aiming for is to filter the post data and assign it to the var $name, so I can use name in the execute array... BTW as stated above, I very much appreciate you taking the time to engage in
by vaughan - General

Thanks for the input. Regarding the example I gave above this is what I have come up with, any input?
$name = filter_input(INPUT_POST, $txtName, FILTER_SANITIZE_STRING);
$sql = 'SELECT * FROM users WHERE name = :name';
$sth = $dbh->prepare($sql);
$sth->execute(array(':name' => $name));
Would this be considered properly escaped and sanitized? When would I need to use htmlspecialchars?
by vaughan - General

you can apply filters to the text fields. when dealing with $_POST & $_GET use
filter_input(INPUT_POST, $txt, FILTER_SANITIZE_STRING)
there are different filters for different data types such as INT, FLOAT, URL, EMAIL etc. see http://www.php.net/manual/en/ref.filter.php for more info. simply escaping the input is not enough. make sure your Charsets are correct too. it makes a difference if
by vaughan - General

many are starting to use em now. vimeo does for sure as default
<iframe src="http://player.vimeo.com/video/20559041" width="400" height="225" frameborder="0"></iframe><p><a href="http://vimeo.com/20559041">AUCAN - Heartless</a> from <a href="http://vimeo.com/user1342215">SHIROPPO STUDIO</a> on <a href="http://vimeo.com">Vimeo</a>.</p>
by vaughan - Internals