开发者

Whitelist element with class of, using htmlpurifier

I want to only allow the span element only when it has a certain class in htmlpurifier

does anyone know how to do this, right now I have

  $config->set('HTML.Allowed','a[href],p,ol,li,ul,img[src],blockquote,em,span[class]');
  $config->set('Attr.AllowedClasses',"allowed");

but that 开发者_如何学Pythonallows all spans and only allows class allowed I like that it only allows the "allowed" class but I only want it to allow span when the value of its class is "allowed"

thanks


Ad hoc solution: redefine the class in span to be required, and set it so it has N possible values. The making it required will cause the tag to be removed if it doesn't exist.


Ok so based on Ambush-comander's suggestion I was able to remove all spans that did not have a specific class the idea is that if the class it required then it the element doesn't have that class the element will be removed.

I did some research and found htmlpurifier customize page which explains how to add an attribute following their instructions i only need an additonal four lines of code so here is what how I did it

 // more configuration stuff up here
    $config->set('HTML.DefinitionID', 'enduser-customize.html editor');
    $config->set('HTML.DefinitionRev', 1);
    $def = $config->getHTMLDefinition(true);
    $def->addAttribute('span', 'class*', new HTMLPurifier_AttrDef_Enum(
      array('allowed')
    ));
 // purify down here

the * in class makes the class requried and becuse we only allow the "allowed" class everything else gets striped. now, there is one caveats to doing it this way. if someone put that class in there span then it would be allowed in my case I'm not really using "allowed" I'm using something else that will be replaced by html purifier

hth someone else

and thanks to ambush and pinkgothic for all their help!


You left a comment over at my similar question. I still don't have a solution, due to the injector/purification order which in my case is pivotal, but the injector solution should work for you, since you don't depend on 'pre-processing', so to speak.

As far as I can see, you have two decent three thorough four options:

  1. You can use the attribute solution in my question to blank all attributes if you don't mind left-over <span> and </span> tags in your HTML. If you do mind them, you could combine that solution with an empty-tag-stripping injector, though then order of execution is very, very likely to cripple you anew. (So I imagine. If not - superb, you have your answer! :) )

  2. You can use injectors. They're a fairly extensive and detailed feature of HTML Purifier, so I can't conjure up an example that'll fix things for you out of the box. But! You might want to look at the thread on the HTML Purifier forum where the injector 'Linkify' was created, that's a fairly thorough take on the subject, not to mention the injector I mentioned in #1 might help you figure them out, too.

  3. Something I'm investigating right now for my purposes are PHP's built-in DOM methods. This is a solid alternative if #1 and #2 fail you for some reason, but of course costly as far as resources go.

  4. Regular expressions. I'm really only mentioning this as a last resort and it's not even a serious suggestion. It'd probably be reasonably safe to use a regex on already purified HTML, but it seems like such a waste of a good HTML parser. (But then, admittedly, so does #3.)

Good luck.


In docummentation there is nothing about configuring values of attributes. However if you use class only once I think there will not be any problem if you will do as you wrote. ;)

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜