Question

The textbox editor my users are allowed gives them a nice range of options to make their descriptions look unique. And one of those options is the ability to indent paragraphs, which is the following HTML:

<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"></blockquote>

Now, in HTMLPurifier you can allow attributes/certain HTML, e.g.:

$config->set('HTML.Allowed', 'blockquote[style],a[href]');

Style and href of course being allowed attributes. Although, allowing them the style attribute can lead to some problems. So is there any way that I can restrict it to just allowing the style attribute, if it is set to

margin: 0 0 0 40px; border: none; padding: 0px;

EDIT

This is a good answer: https://stackoverflow.com/a/6231024/2574433

However, can you restrict it further to support something like this:

$config->set('CSS.AllowedProperties', 'margin: 0 0 0 40px;');

Solution 2

No, that kind of specificity is not possible without patching the library yourself.

If you have control over the input HTML, one thing you can do is disable inline styles, and provide these "pre-set" styles as classes available to code.

If you would like to patch HTML Purifier to have higher specificity, you'll want to look at the AttrDef classes which specify how attributes like margin are validated; you can see the correspondence in HTMLPurifier_CSSDefinition.

Other tips

K so I had to go full on beast mode with this one and piece together random pieces of documentation. Here is an example if you want to enable flex box CSS into your CSS.AllowedProperties area (don't even have to configure that).

$config = HTMLPurifier_Config::createDefault();
$config->set('CSS.AllowImportant', true);
$config->set('CSS.AllowTricky', true);
$config->set('CSS.Proprietary', true);
$config->set('CSS.Trusted', true);

$css_definition = $config->getDefinition('CSS');

// redefine this to add the flex attribute
$css_definition->info['display'] = new HTMLPurifier_AttrDef_Enum(
    [
        'inline',
        'block',
        'list-item',
        'run-in',
        'compact',
        'marker',
        'table',
        'inline-block',
        'inline-table',
        'table-row-group',
        'table-header-group',
        'table-footer-group',
        'table-row',
        'table-column-group',
        'table-column',
        'table-cell',
        'table-caption',
        'none',
        'flex'
    ]
);
$css_definition->info['flex-direction'] = new HTMLPurifier_AttrDef_Enum(
    [
        'column',
        'column-reverse',
        'row',
        'row-reverse'
    ]
);
$css_definition->info['flex-wrap'] = new HTMLPurifier_AttrDef_Enum(
    [
        'wrap',
        'nowrap',
        'wrap-reverse'
    ]
);
$css_definition->info['justify-content'] = new HTMLPurifier_AttrDef_Enum(
    [
        'center',
        'flex-start',
        'flex-end',
        'space-around',
        'space-between'
    ]
);
$css_definition->info['align-items'] = new HTMLPurifier_AttrDef_Enum(
    [
        'center',
        'flex-start',
        'flex-end',
        'stretch',
        'baseline'
    ]
);
$css_definition->info['align-content'] = new HTMLPurifier_AttrDef_Enum(
    [
        'space-between',
        'space-around',
        'stretch',
        'center',
        'flex-start',
        'flex-end'
    ]
);
$css_definition->info['flex-basis'] = new HTMLPurifier_AttrDef_CSS_Percentage();

$purifier = new HTMLPurifier($config);
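
Added example (not from either answer and not HTML Purifier's own code): the exact-value restriction asked about in the question, applied at runtime with the same `$css_definition->info[...]` override shown in the answer above, by replacing the validators for margin, border and padding with single-value enums. The Composer autoload path and the sample inputs are assumptions.

```php
<?php
// Assumed install path: HTML Purifier pulled in through Composer.
require_once __DIR__ . '/vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'blockquote[style],a[href]');
// Every property other than these three is removed from style="...".
$config->set('CSS.AllowedProperties', ['margin', 'border', 'padding']);

// Set all directives before this call: fetching a definition finalizes the config.
$css_definition = $config->getDefinition('CSS');

// The one preset the editor is allowed to emit, split per property.
$preset = [
    'margin'  => '0 0 0 40px',
    'border'  => 'none',
    'padding' => '0px',
];

// Swap each property's validator for an enum with a single legal value.
// HTMLPurifier_AttrDef_Enum trims the value and compares case-insensitively.
foreach ($preset as $property => $value) {
    $css_definition->info[$property] = new HTMLPurifier_AttrDef_Enum([$value]);
}

$purifier = new HTMLPurifier($config);

// Constructed sample inputs: the preset, a changed margin, an extra property.
$samples = [
    '<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;">a</blockquote>',
    '<blockquote style="margin: 0 0 0 400px; border: none; padding: 0px;">b</blockquote>',
    '<blockquote style="position: fixed; margin: 0 0 0 40px;">c</blockquote>',
];

foreach ($samples as $html) {
    echo $purifier->purify($html), "\n";
}
```

The override lives only in this config object, so it has to be reapplied wherever the purifier is built. HTML Purifier handles the keyword `inherit` before calling the per-property validator, so `margin: inherit` still passes; the class-based presets suggested in Solution 2 avoid inline styles altogether.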

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow