I want to allow the span element only when it has a certain class in HTML Purifier

Does anyone know how to do this? Right now I have:

  $config->set('HTML.Allowed','a[href],p,ol,li,ul,img[src],blockquote,em,span[class]');
  $config->set('Attr.AllowedClasses',"allowed");

But that allows all spans and only allows the class "allowed". I like that it only allows the "allowed" class, but I only want it to allow span when the value of its class is "allowed".

Thanks

A: 

In the documentation there is nothing about configuring values of attributes. However, if you use class only once, I think there will not be any problem if you do as you wrote. ;)

hsz
Spans still show up, that's the problem. What I have only blocks out classes that are not "allowed", but lets every span in the door.
mcgrailm
Sorry, meant to put this on another post.
mcgrailm
+1  A: 

You left a comment over at my similar question. I still don't have a solution, due to the injector/purification order which in my case is pivotal, but the injector solution should work for you, since you don't depend on 'pre-processing', so to speak.

As far as I can see, you have ~~two decent~~ ~~three thorough~~ four options:

  1. You can use the attribute solution in my question to blank all attributes if you don't mind left-over <span> and </span> tags in your HTML. If you do mind them, you could combine that solution with an empty-tag-stripping injector, though then order of execution is very, very likely to cripple you anew. (So I imagine. If not - superb, you have your answer! :) )

  2. You can use injectors. They're a fairly extensive and detailed feature of HTML Purifier, so I can't conjure up an example that'll fix things for you out of the box. But! You might want to look at the thread on the HTML Purifier forum where the injector 'Linkify' was created, that's a fairly thorough take on the subject, not to mention the injector I mentioned in #1 might help you figure them out, too.

  3. Something I'm investigating right now for my purposes are PHP's built-in DOM methods. This is a solid alternative if #1 and #2 fail you for some reason, but of course costly as far as resources go.

  4. Regular expressions. I'm really only mentioning this as a last resort and it's not even a serious suggestion. It'd probably be reasonably safe to use a regex on already purified HTML, but it seems like such a waste of a good HTML parser. (But then, admittedly, so does #3.)

Good luck.

pinkgothic
OK, so option 2 sounds like the right direction. Supposing I write the injector code, where do I put the class file and how do I include it? I've never made a class before 8 ^ (
mcgrailm
You would put the class file under `library/HTMLPurifier/Injector` and give it a fancy name, e.g. `FancyName.php`. The class itself would be `HTMLPurifier_Injector_FancyName`. Including (or, rather, using) it works by telling HTML Purifier to use it via its configuration: `$config->set('AutoFormat.Custom', array('FancyName'));` should do the trick. If not, `$config->set('AutoFormat.Custom', array(new HTMLPurifier_Injector_FancyName()));` definitely ought to.
pinkgothic
For now I'm using a DOMDocument solution for my own problem, by the way. If you want to take a look, I posted it up as an answer: http://stackoverflow.com/questions/2638640/html-purifier-removing-an-element-conditionally-based-on-its-attributes/2647388#2647388 -- but if you can solve it better using an Injector, you totally should. This is just a heads-up.
pinkgothic
@pinkgothic, thanks for that, I will look into this. Did you see Ambush Commander's post? Do you know how to do what he's talking about? I wasn't able to find any documentation on requiring a class.
mcgrailm
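Option 3 above (PHP's built-in DOM methods), sketched as an added example that is not part of the original thread: it post-processes HTML that HTML Purifier has already cleaned and unwraps every span whose class is not exactly the permitted value. The function name and sample input are constructed for illustration.

```php
<?php
// Added example: unwrap every <span> whose class is not exactly $allowedClass.
// Intended for HTML that HTML Purifier has already cleaned; it only removes
// elements, so it cannot reintroduce markup the purifier stripped.
function unwrap_disallowed_spans(string $purifiedHtml, string $allowedClass = 'allowed'): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    // The XML declaration makes loadHTML() read the input as UTF-8; the wrapper
    // <div> gives one known root to serialise from afterwards.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $purifiedHtml . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // The wrapper is the first <div> in document order.
    $root = $doc->getElementsByTagName('div')->item(0);

    // getElementsByTagName() returns a live list, so snapshot it before editing.
    foreach (iterator_to_array($root->getElementsByTagName('span')) as $span) {
        if ($span->getAttribute('class') === $allowedClass) {
            continue;
        }
        // Keep the content: move the children up, then drop the empty span.
        while ($span->firstChild !== null) {
            $span->parentNode->insertBefore($span->firstChild, $span);
        }
        $span->parentNode->removeChild($span);
    }

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input.
echo unwrap_disallowed_spans(
    '<p><span class="allowed">kept</span> <span>plain</span> <span class="other">other</span></p>'
), "\n";
```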
+2  A: 

Ad hoc solution: redefine the class in span to be required, and set it so it has N possible values. Making it required will cause the tag to be removed if it doesn't exist.

Edward Z. Yang
That sounds good, how do I make it required?
mcgrailm
I got it!!! Not sure how I should show how it's done, if I should edit my post or supply it in an answer.
mcgrailm
@mcgrailm: You can answer your own question and then even accept that as the correct answer. :)
pinkgothic
Yeah, but it was only on Ambush's suggestion that I was able to figure it out.
mcgrailm
You can give him upvotes for other questions he's answered to 'make up' for the lack of accepting? You should definitely accept the right, most complete answer. And I'm certainly interested in how you solved this :]
pinkgothic
@pinkgothic I posted the solution.
mcgrailm
+1  A: 

OK, so based on Ambush Commander's suggestion I was able to remove all spans that did not have a specific class. The idea is that if the class is required, then if the element doesn't have that class, the element will be removed.

I did some research and found the HTML Purifier customize page, which explains how to add an attribute. Following their instructions, I only needed an additional four lines of code, so here is how I did it:

    // more configuration stuff up here
    $config->set('HTML.DefinitionID', 'enduser-customize.html editor');
    $config->set('HTML.DefinitionRev', 1);
    $def = $config->getHTMLDefinition(true);
    // 'class*': the trailing * marks the attribute as required on <span>;
    // the Enum restricts its value to the listed strings.
    $def->addAttribute('span', 'class*', new HTMLPurifier_AttrDef_Enum(
        array('allowed')
    ));
    // purify down here

The * in class makes the class required, and because we only allow the "allowed" class, everything else gets stripped. Now, there is one caveat to doing it this way: if someone put that class in their span then it would be allowed. In my case I'm not really using "allowed", I'm using something else that will be replaced by HTML Purifier.

HTH someone else

and thanks to ambush and pinkgothic for all their help!

mcgrailm
Great, it's good to hear that the docs are clear enough that my one-liner can turn into a solution.
Edward Z. Yang
Sahweet. I can probably use this for my case, too. I'll take a closer look on Monday. Thank you for sharing that! @Ambush Commander: You're like a superhero, aces. :]
pinkgothic
@mcgrailm: Awesome, I finally managed to give this a shot and in combination with the suggested #1, this is working like a charm for me! :D Thank you so much for sharing that! Eee, HTML Purifier *and* a one-liner (well. Sort of!). I am in heaven!
pinkgothic
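The required-class approach from the answer above, assembled into a complete script as an added example (not the poster's own code). It assumes HTML Purifier 4.3 or later installed with Composer; the function name, the DefinitionID string and the sample inputs are constructed, and the last two samples exercise the caveat the answer mentions plus a multi-class value.

```php
<?php
// Added example. Assumes HTML Purifier 4.3+ installed with Composer.
require_once __DIR__ . '/vendor/autoload.php';

function build_span_purifier(string $requiredClass = 'allowed'): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist from the question; span may carry a class attribute.
    $config->set('HTML.Allowed', 'a[href],p,ol,li,ul,img[src],blockquote,em,span[class]');
    $config->set('HTML.DefinitionID', 'span-requires-class'); // constructed name
    $config->set('HTML.DefinitionRev', 1);
    // Skip the definition cache so edits to the rule take effect at once.
    $config->set('Cache.DefinitionImpl', null);

    // maybeGetRawHTMLDefinition() returns null when a cached definition is
    // reused, hence the guard.
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        // 'class*' marks class as required on <span>; the Enum compares the
        // whole attribute value against the listed strings.
        $def->addAttribute(
            'span',
            'class*',
            new HTMLPurifier_AttrDef_Enum(array($requiredClass))
        );
    }
    return new HTMLPurifier($config);
}

// Constructed inputs covering the cases discussed in the thread.
$samples = array(
    'required class' => '<p><span class="allowed">a</span></p>',
    'no class'       => '<p><span>b</span></p>',
    'other class'    => '<p><span class="other">c</span></p>',
    // The Enum matches the full value, so a multi-class string is not "allowed".
    'two classes'    => '<p><span class="allowed extra">d</span></p>',
    // Caveat from the answer: a user who types the class themselves passes.
    'user-supplied'  => '<span class="allowed">typed by the user</span>',
);

$purifier = build_span_purifier();
foreach ($samples as $label => $html) {
    printf("%-15s %s\n", $label, $purifier->purify($html));
}
```

Because a user-typed `class="allowed"` passes, the required value should be one that later processing replaces or that grants no special styling or behaviour.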