I'm using this code to configure HTML Purifier:
$config = \HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'div,p,ol,ul,li,br'); // only allow these tags
$purifier = new \HTMLPurifier($config);
What I've found is that while HTMLPurifier does strip tags such as style and table, the content inside of these tags is still included in the purified output.
How can I get HTML Purifier to not return content in tags that are not allowed?
EDIT:
I found the Core.HiddenElements setting, which makes it seem like the contents on the style tag should not be shown in the output, but with my configuration they are.
I tried adding the following to my code, but it didn't make any difference (the contents of style tags are still shown):
$config->set('Core.HiddenElements', array (
'script' => true,
'style' => true,
'table' => true
));
Related
I have in the database the path to the files that i want to get outputed.
like:
<audio src="/yii2-biblioteca/frontend/web/uploads/audio/lya1.mp3" controls type="audio/mpeg">
and i am using:
<?=HtmlPurifier::process($model->audio)?>
for the output.
I used the same thing for images and it's ok, it works, but for the audio and for the pdf embed not so much.
At the beginning the pdf worked, i changed some things with a js funtion, it was not suppos to have a negative impact. I reversed all back to when it was good, but it's not working now.
the pdf exemple: <embed src="/yii2-biblioteca/frontend/web/uploads/pdf/dying.pdf" type="application/pdf" width="100%" height="100%" />
Yii2's HTMLPurifier wrapper takes a second argument:
echo HtmlPurifier::process($html, [
// options go here
]);
For <embed>, you should be able to use the HTML.SafeEmbed setting:
echo HtmlPurifier::process($html, [
'HTML.SafeEmbed' => true,
]);
Unfortunately, for <audio>, the underlying problem here is that HTML Purifier isn't HTML5-aware, which is going to make adding that a lot more complicated.
There are user-supplied patches to allow HTML Purifier to understand HTML5, but as far as I know, none has been audited and so it's hard to say what this will do to the security of your site. (Arguably, HTML Purifier with userland supplied HTML5 definitions is still better than no HTML Purifier at all, though.)
I've given some rough instructions about how to make HTML Purifier (the library itself, not its Yii2 wrapper) aware of only the <audio> tag over on another question. Quoting the relevant pieces:
You'll have to look at the "Customize!" end-user documentation, where it will tell you how to add tags and attributes that HTML Purifier is not aware of.
To quote the most vivid code example from the linked documentation
(this code teaches HTML Purifier about the <form> tag):
Time for some code:
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);
[...]
$form = $def->addElement(
'form', // name
'Block', // content set
'Flow', // allowed children
'Common', // attribute collection
array( // attributes
'action*' => 'URI',
'method' => 'Enum#get|post',
'name' => 'ID'
)
);
$form->excludes = array('form' => true);
Each of the parameters corresponds to one of the questions we asked. Notice that we added an asterisk to the end of the action attribute to
indicate that it is required. If someone specifies a form without that
attribute, the tag will be axed. Also, the extra line at the end is a
special extra declaration that prevents forms from being nested within
each other.
Once you've followed those instructions to make your purifying routine
aware of <audio>, adding the tag <audio> to your configuration
whitelist will work.
So, in brief, if you want to be able to purify just <audio> tags without losing them altogether, you're going to have to do some research on the tags' capability and add the information to HTML Purifier.
You could base your code on what you can find in xemlock/htmlpurifier-html5's HTML5Definition.php file if you don't want to work on it from scratch.
So far I can only load a specific CSS file for a specific action by include that CSS file within <body> tag from the corresponding view file. But I want to include that CSS file within <head> tag when a specific action is called?
In your template, this can be achieved by linking to the css file using the block option:
Creates a link(s) to a CSS style-sheet. If the block option is set to true, the link tags are added to the css block which you can print inside the head tag of the document.
I.e. anywhere in the relevant template:
$this->Html->css('special', ['block' => true]);
This is output by the fetch call in the layout:
<?= $this->fetch('css') ?>
I'm having some issue of using ExtJS-5 to set some Hyberlink which also could be dynamically changed(according to a REST GET call).
Now I'm able to set a label as a Hyberlink using it's 'html' config which makes it clickable and jump to another page. Also according to the DOC file, if I assign the 'text' config to a 'Label' it will disable the 'html' property and only display the 'text'. So now I can change the 'text' of label Dynamically but they are not clickable.
Questions:
Should I use 'Label' for what I'm trying to do or use something else?
DOC shows 'Label' has no getText or getHTML method, then how to read its 'value'? like I want to pass it to the BackEnd. (getValue() doesn't work)
Label is perfectly fine for doing this
ExtJS doesn't provide any method of getting text value, cause we can read it directly
I've managed to build a page that will display data from the database dynamically. However, this code which is saved in the database:
<p>This is the content for the radio page.</p>
Displays like this:
<p>This is the content for the radio page.</p>
The HTML tags aren't rendered. I understand that Symfony (for security purposes) renders any HTML code like this for security reasons. I want Symfony (obviously) to render these HTML tags. How can I achieve this just for this purpose only, so that Symfony still sanitises any HTML tag that is saved to the database elsewhere on the site?
For your information as well, this is the code that I am using to pull the data from the database:
public function mainpageAction($slug)
{
$content = $this->getDoctrine()
->getRepository('SiteMainBundle:Content')
->find($slug);
if (!$content) {
throw $this->createNotFoundException('No product found for slug '.$slug);
}
return $this->render('SiteMainBundle:Default:page.html.twig', array('content' => $content, 'slug' => $slug));
}
Also, just so I can learn more about Symfony, is the rendering of the HTML tags just the sole job of PHP or could it be rendered properly using Twig?
Many thanks!
If you want to do that, you need to use the raw filter in the twig template. Like described in the twig documentation, the raw filter marks the value as safe which means that in an environment with automatic escaping enabled this variable will not be escaped if raw is the last filter applied to it.
In your case, it's : {{ content | raw }}
I am trying to modify the HTML output in a Drupal 7 theme that I am creating.
Basically, instead of the < li >s containing just plain < a >s with text, I want to include some additional HTML inside the < a >.
I know that it's possible to modify the HTML created by the menus in Drupal. I can see the following call in page.tpl.php:
<?php print theme('links__system_main_menu', array(
'links' => $main_menu,
'attributes' => array(
'id' => 'main-menu',
'class' => array('links', 'clearfix'),
),
'heading' => array(
'text' => t(''),
'level' => 'h2',
'class' => array('element-invisible'),
),
)); ?>
which apparently calls the theme function, which creates the output. One way to modify the output would be to modify the theme_links function in theme.inc, right?
http://api.drupal.org/api/drupal/includes--theme.inc/function/theme_links
I also know that you can put a hook in template.php to override the function which creates the HTML. I can't figure out how to create the actual override function. Can somebody point me in the right direction, please?
What you would do is implement a hook to modify the output, not modify the "theme.inc" file directly.
For example, the accepted answer on this page: Drupal Override Custom Menu Template
And as a general rule, when you want to modify the output of something, either implement a hook (in a module or in the template.php of the active theme) or use a template with a predefined file name when such a case exists (when no template already exists, you can also modify the list of template suggestions using a module or the theme).