htmlpurifier

PHP URL Security Question

I want to have users store the URL in my database. I'm using PHP, MySQL and htmlpurifier. I was wondering if the following code was a good way to filter out bad data before I store it in the database? Here is the partial PHP code. $url = mysqli_real_escape_string($mysqli, $purifier->purify(htmlspecialchars(strip_tags($_POST['url'])))); ...

Efficient way to handle multiple HTMLPurifier configs.

I'm using HTMLPurifier in a current project and I'm not sure about the most efficient way to go about handling multiple configs. For the most part the only major thing changing is the allowed tags. Currently I have a private method, in each class using HTMLPurifier, that gets called when a config is needed and it creates one from the de...

HTML Purifier: Removing an element conditionally based on its attributes

As per the HTML Purifier smoketest, 'malformed' URIs are occasionally discarded to leave behind an attribute-less anchor tag, e.g. <a href="javascript:document.location='http://www.google.com/'">XSS</a> becomes <a>XSS</a> ...as well as occasionally being stripped down to the protocol, e.g. <a href="http://1113982867/">XSS&...

Whitelist element with class of, using htmlpurifier

I want to allow the span element only when it has a certain class in htmlpurifier. Does anyone know how to do this? Right now I have $config->set('HTML.Allowed','a[href],p,ol,li,ul,img[src],blockquote,em,span[class]'); $config->set('Attr.AllowedClasses',"allowed"); but that allows all spans and only allows class allowed. I l...

clean html a string by element id using php

Hi, as you can see by the subject I am looking for a tool for cleaning up an HTML string in PHP using an HTML id property, example: According to the following PHP string I wish to clean the HTML erasing the block11 $test = ' <div id="block1"> <div id="block11">Hello1 <span>more html here...</span></div> <div id="block12">Hello2 <s...

HTML Purifier: Converting <body> to <div>

Premise I'd like to use HTML Purifier to transform <body> tags to <div> tags, to preserve inline styling on the <body> element, e.g. <body style="background:color#000000;">Hi there.</body> would turn to <div style="background:color#000000;">Hi there.</div>. I'm looking at a combination of a custom tag and a TagTransform class. Current ...

using htmlpurifier for input or output escaping/filtering

I am processing user input from the public with a JavaScript WYSIWYG editor and I'm planning on using htmlpurifier to cleanse the text. I thought it would be enough to use htmlpurifier on the input, store the cleaned input in the database, and then output it without further escaping/filtering. But I've heard other opinions that you s...

HTMLPurifier config error

I'm trying to set some configurations for HTMLPurifier, and everything works on my dev machine, but on test it fails with the error Class 'HTMLPurifier_config' not found. But if I remove the config, it runs no problem. I'm using HTMLPurifier 4.0.0 $config=HTMLPurifier_config::createDefault(); $config->set('AutoFormat','Aut...

XSS Prevention, Tidy vs Purifier?

Greetings, I'm trying to prevent XSS and improper html from input fields using CKEditor (a javascript WYSIWYG editor). How should I filter this data on the server side? The two options I'm comparing are PHP Tidy and HTML Purifier. I'm interested in speed, security, and valid nesting. Edit: According to HTML Purifier, Tidy does not...

Whitelist Forms in HTML Purifier Configuration

I use HTML Purifier to clean input in my CMS. Many of my clients like to have PayPal donation buttons in their site, but HTML Purifier strips the forms out. I noticed that HTML Purifier has a HTMLPurifier_HTMLModule_Forms class, but I don't know if that does what I want. If it does, how do I enable it? Thanks! Looks like I might h...

Filter null byte in request

I am using the htmlpurifier library for sanitizing my incoming parameters. But it is not filtering null bytes (e.g. %00). Am I missing something or does the library not support it? Will I be required to use a regex? Thanks for any answers. Edit: I am using htmlpurifier with config options $config = HTMLPurifier_Config::createDefault...

HTMLPurifier - adding to ignore list

I am trying to pass some XML tags (abcdef>) through htmlpurifier. Since the tags themselves are not supported, I am trying to add an element first and then add it to allowedElements. However this is not working; I'm just getting a blank page. Any ideas please on what I am doing wrong, or if there is an easier way to achieve what I am look...

HTMLPurifier dies when the following code is run through it.

Using the latest release of HTMLPurifier with default configs. The following code will cause the oh-so-lovely blank white page in PHP. Am I missing something? Even if I set HTML.TidyLevel to light or none it still breaks. Here is a partial log of the errors thrown when trying to purify the code below: http://pastie.org/private/13f0htscq...

Single quotes rejected by html purifier

This is related to http://stackoverflow.com/questions/3290766/htmlpurifier-adding-to-ignore-list. I have added a couple of tags to the whitelist. I have this code now - $config->set('HTML', 'AllowedElements', array("customreport", "column", "columnseq")); $def = $config->getHTMLDefinition(true); $def->addElement("customreport", 'Block', ...

How to include HTMLPurifier on every page?

Okay, right now I have to include the code below on every single page, and every time I have to change the following piece of code when I place it in a new web page. Is there a way I can include all this code one time and have it affect every web page and have the code work like it should? Here is the piece of code I have to chang...

'+' character not saving through CKEditor/PHP/MySQL/HTMLPurifier

Hi there, I am trying to get UTF-8 encoding working with CKEditor/PHP/MySQL/HTMLPurifier. I have converted the character sets of the database tables/fields to utf8-unicode-ci. I have set the following in the ckeditor config: config.entities = true; config.entities_latin = true; config.entities_greek = true; config.entitles_processNum...

advantages from htmlpurifier instead of regex filtering

We have recently implemented htmlpurifier in our web-based application. Earlier we used to have regexes to match commonly known XSS injections (script, img, etc. etc). We realized that this wasn't good enough and hence moved to htmlpurifier. Now given that htmlpurifier is slow in working (very slow compared to the regex method we had ear...

How to remove "blank markup" with PHP - i.e. multiple nested elements with no text node.

I've installed CKeditor on a client's site that allows them to enter some text using a WYSIWYG editor. It is locked down for the most part, only allowing bold, italic, unordered lists, etc. I also run the user submitted HTML through HTML Purifier to make sure they don't get smart and start trying to add tables, for example. It is also a ...

Why does HTML Purifier ignore my runtime created configuration settings?

Hello again, everyone! Naturally I am still fighting with HTML Purifier… So, my /config/purifier.php looks like: <?php defined('SYSPATH') or die('No direct access allowed.'); return array( 'settings' => array( 'HTML.Allowed' =>'a,b,strong,p,ul,ol,li,img[src],i,u,span,', 'HTML.MaxImgLength' => 250, 'CSS.MaxImgLength' =>...

HTML Purifier Special Character Encodings Question. [UPDATED]

I was wondering how can I stop html purifier from turning my & signs to &amp; and into &#038; instead? ...