HTMLPurifier by default allows a lot of tags that I don't want to allow. According to the documentation you have to add definitions like this:

$config = HTMLPurifier_Config::createDefault();
if ($def = $config->maybeGetRawHTMLDefinition()) {
    $def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum(array('_blank','_self','_target','_top')));
}
$purifier = new HTMLPurifier($config);

The problem is that I can't find a way to remove all the tags that come from HTMLPurifier_Config::createDefault().

For example the HTML <div>Sometext</div> will keep the DIV tag using the above initialization code.

How can I set HTMLPurifier to only allow <strong>, <a href="*"> and <p>?

Solution

You say: "According to the documentation you have to add definitions like this".

Unless something fundamental has changed since the last time I checked the library (about a year ago), that's not quite true: that part exists for when you want to teach HTML Purifier new attributes that it isn't natively aware of. For example, if you wanted to teach your HTML Purifier to accept non-standard <font> attributes, like align="", you'd need to alter the raw HTML definition.

However, if your whitelist consists purely of regular HTML elements (and yours does!), you just need to use the $config object:

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.AllowedElements', array(
    'strong','a','p'
));
$config->set('HTML.AllowedAttributes', array(
    'a.href'
));
$purifier = new HTMLPurifier($config);

That should work. Are you running into problems with that constellation?

(Check out this document, too: http://htmlpurifier.org/live/INSTALL)
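The whitelist from the answer above as a complete, runnable script (an added example, not code from the question, the answers or the HTML Purifier project). It assumes HTML Purifier was installed through Composer so the autoloader is at vendor/autoload.php; the sample inputs are constructed to cover the cases discussed here (the stray <div>, extra attributes on <a>, and elements outside the whitelist).

```php
<?php
// Added example. Assumption: HTML Purifier installed via Composer,
// so the autoloader lives at vendor/autoload.php next to this script.
require_once __DIR__ . '/vendor/autoload.php';

function makeWhitelistPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Element whitelist: only these three survive. Non-whitelisted tags are
    // removed but their text content is kept (so <div>x</div> becomes "x").
    $config->set('HTML.AllowedElements', array('strong', 'a', 'p'));

    // Attribute whitelist uses "element.attribute" form. Nothing else is kept,
    // so id, class, style, target and on* handlers are all dropped.
    $config->set('HTML.AllowedAttributes', array('a.href'));

    // Equivalent shorthand for the two lines above would be:
    //   $config->set('HTML.Allowed', 'strong,a[href],p');

    // Restrict which URI schemes an href may use. The default set already
    // excludes script-like schemes; stating it explicitly documents intent.
    $config->set('URI.AllowedSchemes', array(
        'http' => true, 'https' => true, 'mailto' => true,
    ));

    return new HTMLPurifier($config);
}

function sanitize(HTMLPurifier $purifier, string $html): string
{
    return $purifier->purify($html);
}

// Constructed sample inputs (not from the page).
$samples = array(
    '<div>Sometext</div>',
    '<p>Hello <strong>world</strong></p>',
    '<a href="https://example.com" target="_blank" class="x">link</a>',
    '<p><img src="pic.png"><script>track()</script>ok</p>',
);

$purifier = makeWhitelistPurifier();
foreach ($samples as $in) {
    printf("%-65s => %s\n", $in, sanitize($purifier, $in));
}
```

Because the purifier instance is built once and reused, the definition cache is only computed on the first call; set Cache.SerializerPath if the default cache directory is not writable in your deployment.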

Other tips

The solution I found was to use the old way of configuring HTMLPurifier;

// $config is the object created in the question via HTMLPurifier_Config::createDefault()
$config = HTMLPurifier_Config::createDefault();
if ($def = $config->maybeGetRawHTMLDefinition()) {
    $config->set('HTML.AllowedElements', array(
        'strong','a','p'
    ));
    $config->set('HTML.AllowedAttributes', array(
        'a.href'
    ));
}
$purifier = new HTMLPurifier($config);

How this works in relation to the HTMLDefinition I don't know. Maybe they have a compatibility layer.

The biggest concern I have is that this is not using the $def variable returned, and that the changes I make to the config are not cached.
