tags:

views:

38

answers:

2
Q: 

HTMLPurifier Breaking Images

I'm trying to run HTMLPurifier on user input from a WYSIWYG (CK Editor) and the images are breaking.

Unfiltered Input:

<img alt="laugh" src="/lib/ckeditor/plugins/smiley/images/teeth_smile.gif" title="laugh">

After running through purifier with default settings:

<img alt="&quot;laugh&quot;" src="%5C" title="&quot;laugh&quot;">

I have tried changing the configuration settings; but I the src is never preserved. Any thoughts?

+1  A: 

I don't know what htmlpurifier is, but the img tag you have there is perfectly legitimate (except it is unclosed) before running it. After you run it, it is doubly escaping things and that just seems like garbage. %5C is the url code for a backslash. Seems like it is trying to escape the forward slash with a backslash and then it chokes. What is this program? Can I recommend HTML Tidy?

tandu  2010-10-09 05:33:52
Unary tags do not require a `/>` to close them in HTML; that's an XHTML idiom.
Stan Rogers  2010-10-09 06:27:07
Why would you bother to make HTML that cannot be XHTML. All XHTML can be HTML. The reverse it not true because of the above, for example.
tandu  2010-10-09 06:49:41
Thanks for your help, I started with HTML tidy but moved to purifier for XSS protection. As far as the html/xhtml I'm limited to what CK editor produces in this case. I may end up modifying it for a BB-code -like approach
pws5068  2010-10-09 15:04:57
If you generate XHTML but send it with the wrong MIME type, then it is wrong HTML. A conformant SGML parser would display an <img/> as <img>/ with trailing slash. It just so happens that modern browsers have workarounds for HTML with trailing garbage (= which the slash is for text/html).
mario  2010-10-09 08:23:28
+1  A: 

I have a suspicion that magic_quotes could be a reason..?

Also did you try $config->set('Core.RemoveInvalidImg',true);. Which version are you using? (Try older or newer)

mario  2010-10-09 05:54:24
I'm using version 4.1.1. I tried using the suggested config setting but no luck. I'm not running any other sanitization routines on the string, it is being stored to the database through a MySqli prepared statement.
pws5068  2010-10-09 15:08:45
I misread "magic quotes" for a call to mysql_escape_string. You were absolutely right, my php.ini file was set to automatically escape quotes with the directive: magic_quotes_gpc set to ON. Problem solved. Thank you!
pws5068  2010-10-09 15:20:47

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases