tags:

views:

149

answers:

4
+1  Q: 

Whitelist element with class of, using htmlpurifier

I want to only allow the span element only when it has a certain class in htmlpurifier

does anyone know how to do this, right now I have

  $config->set('HTML.Allowed','a[href],p,ol,li,ul,img[src],blockquote,em,span[class]');
  $config->set('Attr.AllowedClasses',"allowed");

but that allows all spans and only allows class allowed I like that it only allows the "allowed" class but I only want it to allow span when the value of its class is "allowed"

thanks

A: 

In docummentation there is nothing about configuring values of attributes. However if you use class only once I think there will not be any problem if you will do as you wrote. ;)

hsz  2010-04-15 14:48:13
spans still show up that's the problem what I have only blocks out class that are not "allowed" but lets every span in the door
mcgrailm  2010-04-15 14:50:19
sorry meant to put this on another post
mcgrailm  2010-04-15 19:05:59
+1  A: 

You left a comment over at my similar question. I still don't have a solution, due to the injector/purification order which in my case is pivotal, but the injector solution should work for you, since you don't depend on 'pre-processing', so to speak.

As far as I can see, you have two decent three thorough four options:

  1. You can use the attribute solution in my question to blank all attributes if you don't mind left-over <span> and </span> tags in your HTML. If you do mind them, you could combine that solution with an empty-tag-stripping injector, though then order of execution is very, very likely to cripple you anew. (So I imagine. If not - superb, you have your answer! :) )

  2. You can use injectors. They're a fairly extensive and detailed feature of HTML Purifier, so I can't conjure up an example that'll fix things for you out of the box. But! You might want to look at the thread on the HTML Purifier forum where the injector 'Linkify' was created, that's a fairly thorough take on the subject, not to mention the injector I mentioned in #1 might help you figure them out, too.

  3. Something I'm investigating right now for my purposes are PHP's built-in DOM methods. This is a solid alternative if #1 and #2 fail you for some reason, but of course costly as far as resources go.

  4. Regular expressions. I'm really only mentioning this as a last resort and it's not even a serious suggestion. It'd probably be reasonably safe to use a regex on already purified HTML, but it seems like such a waste of a good HTML parser. (But then, admittedly, so does #3.)

Good luck.

pinkgothic  2010-04-15 15:54:39
ok so options 2 sounds like the right direction. supposing I write the injector code where do I put the class file and how do I include it ? I've never made a class before 8 ^ (
mcgrailm  2010-04-15 16:43:45
You would put the class file under `library/HTMLPurifier/Injector` and give it a fancy name, e.g. `FancyName.php`. The class itself would be `HTMLPurifier_Injector_FancyName`. Including (or, rather, using) it works by telling HTML Purifier to use it via its configuration: `$config->set('AutoFormat.Custom', array('FancyName'));` should do the trick. If not, `$config->set('AutoFormat.Custom', array(new HTMLPurifier_Injector_FancyName()));` definitely ought to.
pinkgothic  2010-04-15 17:08:49
For now I'm using a DOMDocument solution for my own problem, by the way. If you want to take a look, I posted it up as an answer: http://stackoverflow.com/questions/2638640/html-purifier-removing-an-element-conditionally-based-on-its-attributes/2647388#2647388 -- but if you can solve it better using an Injector, you totally should. This is just a heads-up.
pinkgothic  2010-04-15 17:11:21
@pinkgothic, thanks for that I will look in to this, did you see Ambush Commander's post ? do you know how to do what he's talking about i wasn't able to find any documentation on requiring a class
mcgrailm  2010-04-15 18:45:09
+2  A: 

Ad hoc solution: redefine the class in span to be required, and set it so it has N possible values. The making it required will cause the tag to be removed if it doesn't exist.

Edward Z. Yang  2010-04-15 17:49:43
thats sounds good how do I make it required
mcgrailm  2010-04-15 18:04:06
I got it!!! not sure how I should show how it's done if I should edit my post or supply it in an answer
mcgrailm  2010-04-15 19:09:49
@mcgrailm: You can answer your own question and then even accept that as the correct answer. :)
pinkgothic  2010-04-15 20:42:51
yeat but it was only ond Ambush's suggestion that I was able to figure it out
mcgrailm  2010-04-15 20:52:01
You can give him upvotes for other questions he's answered to 'make up' for the lack of accepting? You should definitely accept the right, most complete answer. And I'm certainly interested in how you solved this :]
pinkgothic  2010-04-16 07:43:16
@pinkgothic I posted solution
mcgrailm  2010-04-16 15:49:31
+1  A: 

Ok so based on Ambush-comander's suggestion I was able to remove all spans that did not have a specific class the idea is that if the class it required then it the element doesn't have that class the element will be removed.

I did some research and found htmlpurifier customize page which explains how to add an attribute following their instructions i only need an additonal four lines of code so here is what how I did it

 // more configuration stuff up here
    $config->set('HTML.DefinitionID', 'enduser-customize.html editor');
    $config->set('HTML.DefinitionRev', 1);
    $def = $config->getHTMLDefinition(true);
    $def->addAttribute('span', 'class*', new HTMLPurifier_AttrDef_Enum(
      array('allowed')
    ));
 // purify down here

the * in class makes the class requried and becuse we only allow the "allowed" class everything else gets striped. now, there is one caveats to doing it this way. if someone put that class in there span then it would be allowed in my case I'm not really using "allowed" I'm using something else that will be replaced by html purifier

hth someone else

and thanks to ambush and pinkgothic for all their help!

mcgrailm  2010-04-16 13:51:06
Great, it's good to hear that the docs are clear enough that my one-liner can turn into a solution.
Edward Z. Yang  2010-04-16 16:46:17
Sahweet. I can probably use this for my case, too. I'll take a closer look on monday. Thank you for sharing that! @Ambush Commander: You're like a superhero, aces. :]
pinkgothic  2010-04-16 17:33:28
@mcgrailm: Awesome, I finally managed to give this a shot and in combination with the suggested #1, this is working like a charm for me! :D Thank you so much for sharing that! Eee, HTML Purifier *and* a oneliner (well. Sort of!). I am in heaven!
pinkgothic  2010-04-19 08:34:12

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases