Question

I'm trying to run HTMLPurifier on user input from a WYSIWYG (CK Editor) and the images are breaking.

Unfiltered Input:

<img alt="laugh" src="/lib/ckeditor/plugins/smiley/images/teeth_smile.gif" title="laugh">

After running through purifier with default settings:

<img alt="&quot;laugh&quot;" src="%5C" title="&quot;laugh&quot;">

I have tried changing the configuration settings, but the src is never preserved. Any thoughts?


Solution

I have a suspicion that magic_quotes could be a reason..?

Also, did you try $config->set('Core.RemoveInvalidImg', true);? Which version are you using? (Try older or newer)

OTHER TIPS

Had the same problem. This fixed it

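// get_magic_quotes_gpc() was removed in PHP 8, so check that it exists first.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Undo the automatic escaping on one value (passed by reference).
    function stripslashes_gpc(&$value)
    {
        $value = stripslashes($value);
    }

    // Apply it to every value in each request superglobal.
    array_walk_recursive($_GET, 'stripslashes_gpc');
    array_walk_recursive($_POST, 'stripslashes_gpc');
    array_walk_recursive($_COOKIE, 'stripslashes_gpc');
    array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}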

I don't know what htmlpurifier is, but the img tag you have there is perfectly legitimate (except it is unclosed) before running it. After you run it, it is doubly escaping things and that just seems like garbage. %5C is the url code for a backslash. Seems like it is trying to escape the forward slash with a backslash and then it chokes. What is this program? Can I recommend HTML Tidy?

Coming back to an old post, I thought this little snippet might help others ending up here..

I fixed a multitude of unusual activity in my code to do with escaping characters by adding this line to my .htaccess file

php_flag magic_quotes_gpc Off

From PHP documentation "This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0" http://www.php.net/manual/en/security.magicquotes.what.php

Also, here are other ways to disable magic quotes http://www.php.net/manual/en/security.magicquotes.disabling.php
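To show why the purifier received broken attributes, here is an added example (not code from any of the posters above). It uses addslashes() to simulate what magic_quotes_gpc did to request data, then undoes the escaping before sanitizing. The helper names and the sample $post array are assumptions for illustration; the HTMLPurifier step runs only if the library is already loaded.

```php
<?php
// Added example: simulates magic_quotes_gpc on the <img> tag from the question.
// Helper names and the $post array are hypothetical, not part of HTMLPurifier.

/** True only on old PHP builds where magic quotes exists and is switched on. */
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/** Recursively strip the backslashes that magic quotes added to request values. */
function undo_magic_quotes(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = undo_magic_quotes($value);
        } elseif (is_string($value)) {
            $data[$key] = stripslashes($value);
        }
    }
    return $data;
}

// The markup CKEditor submitted, as shown in the question.
$original = '<img alt="laugh" src="/lib/ckeditor/plugins/smiley/images/teeth_smile.gif" title="laugh">';

// Constructed input: magic_quotes_gpc escaped ', ", \ and NUL exactly like addslashes().
$post = ['body' => addslashes($original)];

echo "What the script receives with magic quotes on:\n", $post['body'], "\n\n";

// Here the escaping is simulated, so it is always undone; in a real request
// handler, call undo_magic_quotes() only when magic_quotes_active() is true.
$clean = undo_magic_quotes($post);

echo "After undoing the escaping:\n", $clean['body'], "\n";
echo "Round trip intact: ", var_export($clean['body'] === $original, true), "\n";
echo "Magic quotes active on this PHP: ", var_export(magic_quotes_active(), true), "\n";

// Sanitize the restored markup, never the escaped copy: the sanitizer has to
// parse the same bytes the browser will eventually render.
if (class_exists('HTMLPurifier')) {
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    echo "\nPurified:\n", $purifier->purify($clean['body']), "\n";
}
```

The order matters: calling stripslashes() on text after it has been purified changes markup the sanitizer already approved, so the unescaping belongs at the request boundary.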

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow