admin管理员组文章数量:1434380
This is kind of a special bination of tags that I want to allow in HTMLPurifier, but can't seem to get the bination to work.
I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config:
$config->set('HTML.Trusted', true);
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
I even tried adding in the following which made things worse:
$config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height],script[src|type]');
Also, I can't seem to get iframes to work no matter what. I tried adding:
$config->set('HTML.DefinitionID', 'enduser-customize.html iframe');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);
$iframe = $def->addElement(
'iframe', // name
'Block', // content set
'Empty', // allowed children
'Common', // attribute collection
array( // attributes
'src*' => 'URI#embedded',
'width' => 'Pixels#1000',
'height' => 'Pixels#1000',
'frameborder=' => 'Number',
'name' => 'ID',
)
);
$iframe->excludes = array('iframe' => true);
Any help on getting the entire bo to work, or even script tags with object/param and embed would be GREATLY appreciated!!!
Oh yeah, this is obviously not for all users, just "special" users.
Thanks!
PS - please don't link me to .html
UPDATE
I found a solution for adding iframes at the bottom of the thread here: .php?3,4646
The current configuration is now:
$config->set('HTML.Trusted', true);
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
$config->set('Filter.Custom', array( new HTMLPurifier_Filter_MyIframe() ));
UPDATE TO THE UPDATE
If you're having trouble with my ment in the HTMLPurifier forum, it may be because I mean for the method to look like this:
public function preFilter($html, $config, $context) {
return preg_replace("/iframe/", "img class=\"MyIframe\" ", preg_replace("/<\/iframe>/", "", $html));
}
This is kind of a special bination of tags that I want to allow in HTMLPurifier, but can't seem to get the bination to work.
I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config:
$config->set('HTML.Trusted', true);
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
I even tried adding in the following which made things worse:
$config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height],script[src|type]');
Also, I can't seem to get iframes to work no matter what. I tried adding:
$config->set('HTML.DefinitionID', 'enduser-customize.html iframe');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);
$iframe = $def->addElement(
'iframe', // name
'Block', // content set
'Empty', // allowed children
'Common', // attribute collection
array( // attributes
'src*' => 'URI#embedded',
'width' => 'Pixels#1000',
'height' => 'Pixels#1000',
'frameborder=' => 'Number',
'name' => 'ID',
)
);
$iframe->excludes = array('iframe' => true);
Any help on getting the entire bo to work, or even script tags with object/param and embed would be GREATLY appreciated!!!
Oh yeah, this is obviously not for all users, just "special" users.
Thanks!
PS - please don't link me to http://htmlpurifier/docs/enduser-customize.html
UPDATE
I found a solution for adding iframes at the bottom of the thread here: http://htmlpurifier/phorum/read.php?3,4646
The current configuration is now:
$config->set('HTML.Trusted', true);
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
$config->set('Filter.Custom', array( new HTMLPurifier_Filter_MyIframe() ));
UPDATE TO THE UPDATE
If you're having trouble with my ment in the HTMLPurifier forum, it may be because I mean for the method to look like this:
public function preFilter($html, $config, $context) {
return preg_replace("/iframe/", "img class=\"MyIframe\" ", preg_replace("/<\/iframe>/", "", $html));
}
- HTML Purifier rocks! Why wouldn't I want to use it? ;) – shmuel613 Commented Feb 14, 2011 at 9:03
-
To be truly correct, you should probably be extending
HTMLPurifier_Filter. The solution is otherwise great though; I am using this but whitelisting domains that I trust instead (e.g. youtube's new iframe embedding). – El Yobo Commented Mar 15, 2011 at 0:48
1 Answer
Reset to default 6Found the solution through the HTMLPurifier Google group (thank you Edward Z. Yang!!!). The solution to allow for object, embed, and script tags to exist on the page at the same time is to REMOVE "object, " from the $mon array in HTMLModuleManager.php __construct() method. This will of course make it so that no one can add object tags unless you specify it in your config.
My final config is now:
$config->set('HTML.Trusted', true);
$config->set('HTML.SafeObject', true);
$config->set('Output.FlashCompat', true);
$config->set('Filter.Custom', array( new HTMLPurifier_Filter_SafeIframe() ));
I really hope these instructions can help other developers who would like to use HTMLPurifier. Compared to what we were originally using to clean and scrub ining text from our wysiwyg editor, HTMLPurifier is approximately 85% faster!
本文标签:
版权声明:本文标题:javascript - How do I allow script, object, param, embed, and iframe tags in HTMLPurifier? - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744354503a2602238.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论