views:

26

answers:

0

Hello again, everyone! Naturally I am still fighting with HTML Purifier…

So, my /config/purifier.php looks like:

<?php defined('SYSPATH') or die('No direct access allowed.');
return array(
    'settings' => array(
        'HTML.Allowed' =>'a,b,strong,p,ul,ol,li,img[src],i,u,span,',
  'HTML.MaxImgLength' => 250,
  'CSS.MaxImgLength' => '250px'
            ),
);
?>

and, HTML Purifier overloads the Security::clean_xss() method to use its own filter.

I have created two helper functions for data sanitation: clean_whitelist(), which strips anything not allowed by my HTML.Allowed setting in the config file. and clean_all(), which strips all tags and ignores fields that are passed in as ignore

 public static function clean_all(array $dirty_data, array $ignore) {
  $config = Kohana::config('purifier');
  $settings =  $config['settings'];
  $config->set('settings', array ('HTML.Allowed'=>''));
  foreach($dirty_data as $key => $value) {
   if( ! in_array($key, $ignore)) {
    $dirty_data[$key] = Security::xss_clean($dirty_data[$key]);
   }
  } 
  return $dirty_data;
 }

 public static function clean_whitelist($dirty_data) {
  return Security::xss_clean($dirty_data);
 }

clean_whitelist() works as intended, but, clean_all still allows tags. Not entirely sure why, as when I var_dump a new load of Kohana::config('purifier') after I have called $config->set, the file it displays my HTML.Allowed => ''…

Any ideas on why it continues to use a whitelist as opposed to using the config file I've built at runtime?

Thanks, as always, to anyone contributing!