Hello again, everyone! Naturally I am still fighting with HTML Purifier…
So, my /config/purifier.php looks like:
<?php defined('SYSPATH') or die('No direct access allowed.');
return array(
'settings' => array(
'HTML.Allowed' =>'a,b,strong,p,ul,ol,li,img[src],i,u,span,',
'HTML.MaxImgLength' => 250,
'CSS.MaxImgLength' => '250px'
),
);
?>
and, HTML Purifier overloads the Security::clean_xss() method to use its own filter.
I have created two helper functions for data sanitation: clean_whitelist(), which strips anything not allowed by my HTML.Allowed setting in the config file. and clean_all(), which strips all tags and ignores fields that are passed in as ignore
public static function clean_all(array $dirty_data, array $ignore) {
$config = Kohana::config('purifier');
$settings = $config['settings'];
$config->set('settings', array ('HTML.Allowed'=>''));
foreach($dirty_data as $key => $value) {
if( ! in_array($key, $ignore)) {
$dirty_data[$key] = Security::xss_clean($dirty_data[$key]);
}
}
return $dirty_data;
}
public static function clean_whitelist($dirty_data) {
return Security::xss_clean($dirty_data);
}
clean_whitelist() works as intended, but, clean_all still allows tags. Not entirely sure why, as when I var_dump a new load of Kohana::config('purifier') after I have called $config->set, the file it displays my HTML.Allowed => ''…
Any ideas on why it continues to use a whitelist as opposed to using the config file I've built at runtime?
Thanks, as always, to anyone contributing!