allowing data-* attributes with HTMLPurifier

StackOverflow https://stackoverflow.com/questions/17083848

  •  31-05-2022
  •  | 
  •  

Question

Currently I am using this code with HTMLPurifier to allow data-* HTML tag attributes:

    $def = $config->getHTMLDefinition(true);
    $def->addAttribute('div', 'data-aaa', 'Text');
    $def->addAttribute('div', 'data-bbb', 'Text');
    // ...

Is there a way I can allow all data-* attributes at once, preferable on all the HTML tags? (they are not a security problem in my case - to the best of my knowledge of course)

Était-ce utile?

La solution 2

Nope, it's not possible without modifying the validate attributes strategy.

Autres conseils

It's not a full solution, but I was able to globally white-list individual data- attributes with the follow code, allowing them to be placed on any element without having to itemize each element type for each attribute.

$def = $config->getHTMLDefinition(true);
$def->info_global_attr['data-aaa-xxx'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-bbb-yyy'] = new HTMLPurifier_AttrDef_Text;
$def->info_global_attr['data-ccc-zzz'] = new HTMLPurifier_AttrDef_Text;

This coded can be improved, but I altered the AttrValidator.php I added the following function:

    /*=======================================
    ==--    LLS start wildcard handling
    ==--
    ==--    data-*          ^data-(((?![\s=]).)+)
    =========================================*/
    private function checkWildCardAttributes($deflist, $attr_key, $value, $config, $context) {
        $result = false;
        foreach ($deflist as $def_key => $def_value) {
            if (strpos($def_key, '*') !== FALSE) {
                // found a wildcard
                // does wildcard match this attr
                $re = implode('(((?![\s=]).)+)',explode("*",$def_key));
                preg_match('#^'.$re.'#',$attr_key,$wcout);
                if (count($wcout)>0) {
                    // the attribute matched against the wildcard definition
                    $result = $deflist[$attr_key]->validate(
                        $value,
                        $config,
                        $context
                    );
                    break;
                }
            }
        }
        return $result;
    }

in the function validateToken find the following line:

// put the results into effect

Just before this line add this:

                /*=======================================
                ==--    start wildcard handling
                =========================================*/
                if (!$result) {
                    // definitions
                    $result = $this->checkWildCardAttributes($defs, $attr_key, $value, $config, $context);
                    if (!$result) {
                        // global definitions
                        $result = $this->checkWildCardAttributes($d_defs, $attr_key, $value, $config, $context);
                    }   
                }   
                //=======================================


            // put the results into effect
            if ($result === false || $result === null) {

After this you can use * wildcards in your attribute definition. example:

    // See: AttrValidator.php in the HTMLPurifier for the wildcard addition
    $def->info_global_attr['data-*'] = new HTMLPurifier_AttrDef_Text;

Like i said, it can be improved... but it does the job :)

Have fun....

Licencié sous: CC-BY-SA avec attribution
Non affilié à StackOverflow
scroll top