Search Results

Search found 21 results on 1 pages for 'htmlpurifier'.

Page 1/1 | 1 

  • Efficient way to handle multiple HTMLPurifier configs.

    - by anomareh
    I'm using HTMLPurifier in a current project and I'm not sure about the most efficient way to go about handling multiple configs. For the most part the only major thing changing is the allowed tags. Currently I have a private method, in each class using HTMLPurifier, that gets called when a config is needed and it creates one from the default. I'm not really happy with this as if 2 classes are using the same config, that's duplicating code, and what if a class needs 2 configs? It just feels messy. The one upside to it, is it's lazy in the sense that it's not creating anything until it's needed. The various classes could be used and never have to purify anything. So I don't want to be creating a bunch of config objects that might not even be used. I just recently found out that you can create a new instance of HTMLPurifier and directly set config options like so: $purifier = new HTMLPurifier(); $purifier->config->set('HTML.Allowed', ''); I'm not sure if that's bad form at all or not, and if it isn't I'm not really sure of a good way to put it to use. My latest idea was to create a config handler class that would just return an HTMLPurifier config for use in subsequent purify calls. At some point it could probably be expanded to allow the setting of configs, but just from the start I figured they'd just be hardcoded and run a method parameter through a switch to grab the requested config. Perhaps I could just send the stored purifier instance as an argument and have the method directly set the config on it like shown above? This to me seems the best of the few ways I thought of, though I'm not sure if such a task warrants me creating a class to handle it, and if so, if I'm handling it in the best way. I'm not too familiar with the inner workings of HTMLPurifier so I'm not sure if there are any better mechanisms in place for handling multiple configs. Thanks for any insight anyone can offer.

    Read the article

  • using htmlpurifier for input or output escaping/filtering

    - by user214545
    I am processing a user input from the public with a javascript WYSIWYG editor and I'm planning on using htmlpurifier to cleanse the text. I thought it would be enough to use htmlpurifier on the input, stored the cleaned input in the database,and then output it without further escaping/filtering. But I've heard other opinions that you should always escape the output. Can someone explain why I should need to cleans the output if I'm already cleaning the input?

    Read the article

  • Whitelist element with class of, using htmlpurifier

    - by mcgrailm
    I want to only allow the span element only when it has a certain class in htmlpurifier does anyone know how to do this, right now I have $config->set('HTML.Allowed','a[href],p,ol,li,ul,img[src],blockquote,em,span[class]'); $config->set('Attr.AllowedClasses',"allowed"); but that allows all spans and only allows class allowed I like that it only allows the "allowed" class but I only want it to allow span when the value of its class is "allowed" thanks

    Read the article

  • Whielist element with class of, using htmlpurifier

    - by mcgrailm
    I want to only allow the span element only when it has a certain class in htmlpurifier does anyone know how to do this, right now I have $config->set('HTML.Allowed','a[href],p,ol,li,ul,img[src],blockquote,em,span[class]'); $config->set('Attr.AllowedClasses',"allowed"); but that allows all spans and only allows class allowed I like that it only allows the "allowed" class but I only want it to allow span when the value of its class is "allowed" thanks

    Read the article

  • PHP & HTML Purifier error: Undefined variable: dirty_html

    - by TaG
    I'm trying to install HTML Purifier http://htmlpurifier.org/ but I get the following error Undefined variable: dirty_html. I was wondering how can I fix this problem? Here is the PHP code. require_once '../../htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('Core.Encoding', 'UTF-8'); // replace with your encoding $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype $purifier = new HTMLPurifier($config); $clean_html = $purifier->purify($dirty_html);

    Read the article

  • PHP: How To Integrate HTML Purifier To Fileter User Submitted Data?

    - by TaG
    I have this script that collects data from users and I wanted to check their data for malicious code like XSS and SQL injections by using HTML Purifier http://htmlpurifier.org/ but how do I add it to my php form submission script? Here is my HTML purifier code require_once '../../htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('Core.Encoding', 'UTF-8'); // replace with your encoding $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype $purifier = new HTMLPurifier($config); $clean_html = $purifier->purify($dirty_html); Here is my PHP form submission code. if (isset($_POST['submitted'])) { // Handle the form. $mysqli = mysqli_connect("localhost", "root", "", "sitename"); $dbc = mysqli_query($mysqli,"SELECT users.*, profile.* FROM users INNER JOIN contact_info ON contact_info.user_id = users.user_id WHERE users.user_id=3"); $about_me = mysqli_real_escape_string($mysqli, $_POST['about_me']); $interests = mysqli_real_escape_string($mysqli, $_POST['interests']); if (mysqli_num_rows($dbc) == 0) { $mysqli = mysqli_connect("localhost", "root", "", "sitename"); $dbc = mysqli_query($mysqli,"INSERT INTO profile (user_id, about_me, interests) VALUES ('$user_id', '$about_me', '$interests')"); } if ($dbc == TRUE) { $dbc = mysqli_query($mysqli,"UPDATE profile SET about_me = '$about_me', interests = '$interests' WHERE user_id = '$user_id'"); echo '<p class="changes-saved">Your changes have been saved!</p>'; } if (!$dbc) { // There was an error...do something about it here... print mysqli_error($mysqli); return; } }

    Read the article

  • PHP & HTML Purifier Error: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given

    - by TaG
    I'm trying to Integrate HTML Purifier http://htmlpurifier.org/ to filter my user submitted data but I get the following error below. And I was wondering how can I fix this problem? I get the following error. on line 22: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given line 22 is. if (mysqli_num_rows($dbc) == 0) { Here is the php code. if (isset($_POST['submitted'])) { // Handle the form. require_once '../../htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('Core.Encoding', 'UTF-8'); // replace with your encoding $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype $purifier = new HTMLPurifier($config); $mysqli = mysqli_connect("localhost", "root", "", "sitename"); $dbc = mysqli_query($mysqli,"SELECT users.*, profile.* FROM users INNER JOIN contact_info ON contact_info.user_id = users.user_id WHERE users.user_id=3"); $about_me = mysqli_real_escape_string($mysqli, $purifier->purify($_POST['about_me'])); $interests = mysqli_real_escape_string($mysqli, $purifier->purify($_POST['interests'])); if (mysqli_num_rows($dbc) == 0) { $mysqli = mysqli_connect("localhost", "root", "", "sitename"); $dbc = mysqli_query($mysqli,"INSERT INTO profile (user_id, about_me, interests) VALUES ('$user_id', '$about_me', '$interests')"); } if ($dbc == TRUE) { $dbc = mysqli_query($mysqli,"UPDATE profile SET about_me = '$about_me', interests = '$interests' WHERE user_id = '$user_id'"); echo '<p class="changes-saved">Your changes have been saved!</p>'; } if (!$dbc) { // There was an error...do something about it here... print mysqli_error($mysqli); return; } }

    Read the article

  • HTML Purifier Coding Help?

    - by TaG
    I read the http://htmlpurifier.org/docs/enduser-youtube.html doc, but I still can't figure out where to put the code to allow object, param and embed tags and Use experimental features with my htmlpurifier. Can someone please show me how to do this?

    Read the article

  • PHPUnit and autoloaders: Determining whether code is running in test-scope?

    - by pinkgothic
    Premise I know that writing code to act differently when a test is run is hilariously bad practise, but I may've actually come across a scenario in which it may be necessary. Specifically, I'm trying to test a very specific wrapper for HTML Purifier in the Zend framework - a View Helper, to be exact. The HTML Purifier autoloader is necessary because it uses a different logic to the autoloaders we otherwise have. Problem require()-ing the autoloader at the top of my View Helper class, gives me the following in test-scope: HTML Purifier autoloader registrar is not compatible with non-static object methods due to PHP Bug #44144; Please do not use HTMLPurifier.autoload.php (or any file that includes this file); instead, place the code: spl_autoload_register(array('HTMLPurifier_Bootstrap', 'autoload')) after your own autoloaders. Replacing the require() with spl_autoload_register(array('HTMLPurifier_Bootstrap', 'autoload')) as advertised means the test runs fine, but the View Helper dies a terrible death claiming: Zend_Log[3707]: ErrorController caught LogicException "Passed array does not specify an existing static method (class 'HTMLPurifier_Bootstrap' not found)" (Our test folder structure is slightly different to our Zend folder structure by necessity.) Question(s) After tinkering with it, I'm thinking I'll need to pick an autoloader-loading depending on whether things are in the test scope or not. Do I have another option to include HTMLPurifier's autoloading routine in both cases that I'm not seeing due to tunnel vision? If not, do I have to find a means to differentiate between test-environment and production-environment this with my own code (e.g. APPLICATION_ENV) - or does PHPUnit support this godawful hackery of mine natively by setting a constant that I could check whether its been defined(), or similar shenanigans? (My Google-fu here is weak! I'm probably just doing it wrong.)

    Read the article

  • PHP URL Security Question

    - by TaG
    I want to have users store the url in my database I'm using php mysql and htmlpurifier I was wondering if the following code was good way to filter out bad data? Here is the Partial PHP code. $url = mysqli_real_escape_string($mysqli, $purifier->purify(htmlspecialchars(strip_tags($_POST['url'])));

    Read the article

  • â?? in my hmtl after purify

    - by mmcgrail
    I have a database the i am rebuilding the table structure was crap so I'm porting some of the data from one table to another. This data appears to have been copy past from MSO product so as I'm getting the data I clean it up with htmlpurifier and some alittle str_replace in php here the clean function function clean_html($html) { $config = HTMLPurifier_Config::createDefault(); $config->set('AutoFormat','RemoveEmpty',true); $config->set('HTML','AllowedAttributes','href,src'); $config->set('HTML','AllowedElements','p,em,strong,a,ul,li,ol,img'); $purifier = new HTMLPurifier($config); $html = $purifier->purify($html); $html = str_replace('&nbsp;',' ',$html); $html = str_replace("\r",'',$html); $html = str_replace("\n",'',$html); $html = str_replace("\t",'',$html); $html = str_replace(' ',' ',$html); $html = str_replace('<p> </p>','',$html); $html = str_replace(chr(160),' ',$html); return trim($html); } but when I put the results into my new table and out put them to the ckeditor I get those three characters. I then have a javascript function that is called to remove special characters from the content of the ckeditor too. it doesn't clean it either function remove_special(str) { var rExps=[ /[\xC0-\xC2]/g, /[\xE0-\xE2]/g, /[\xC8-\xCA]/g, /[\xE8-\xEB]/g, /[\xCC-\xCE]/g, /[\xEC-\xEE]/g, /[\xD2-\xD4]/g, /[\xF2-\xF4]/g, /[\xD9-\xDB]/g, /[\xF9-\xFB]/g, /\xD1/,/\xF1/g, "/[\u00a0|\u1680|[\u2000-\u2009]|u200a|\u200b|\u2028|\u2029|\u202f|\u205f|\u3000|\xa0]/g", /\u000b/g,'/[\u180e|\u000c]/g', /\u2013/g, /\u2014/g, /\xa9/g,/\xae/g,/\xb7/g,/\u2018/g,/\u2019/g,/\u201c/g,/\u201d/g,/\u2026/g]; var repChar=['A','a','E','e','I','i','O','o','U','u','N','n',' ','\t','','-','--','(c)','(r)','*',"'","'",'"','"','...']; for(var i=0; i<rExps.length; i++) { str=str.replace(rExps[i],repChar[i]); } for (var x = 0; x < str.length; x++) { charcode = str.charCodeAt(x); if ((charcode < 32 || charcode > 126) && charcode !=10 && charcode != 13) { str = str.replace(str.charAt(x), ""); } } return str; } Does anyone know off hand what I need to do to get rid of them. I think they may be some sort of quote

    Read the article

  • clean html a string by element id using php

    - by user327140
    Hi, as you can see by the subject am looking for a tool for cleaning up a HTML string in php using a HTML id property, example: According to the following PHP string I wish to clean the HTML erasing the black11 $test = ' <div id="block1"> <div id="block11">Hello1 <span>more html here...</span></div> <div id="block12">Hello2 <span>more html here...</span></div> </div> <div id="block2"></div> '; Will became $test = ' <div id="block1"> <div id="block12">Hello2 <span>more html here...</span></div> </div> <div id="block2"></div> '; I already tried the tool from htmlpurifier.org and can't get the desirable result. Only thing I achieved was removing elements by tag; erasing id; erasing class. Is there any simple way to achieve this using purifier or other? Thanks in advance,

    Read the article

  • HTML Purifier: Removing an element conditionally based on its attributes

    - by pinkgothic
    As per the HTML Purifier smoketest, 'malformed' URIs are occasionally discarded to leave behind an attribute-less anchor tag, e.g. <a href="javascript:document.location='http://www.google.com/'">XSS</a> becomes <a>XSS</a> ...as well as occasionally being stripped down to the protocol, e.g. <a href="http://1113982867/">XSS</a> becomes <a href="http:/">XSS</a> While that's unproblematic, per se, it's a bit ugly. Instead of trying to strip these out with regular expressions, I was hoping to use HTML Purifier's own library capabilities / injectors / plug-ins / whathaveyou. Point of reference: Handling attributes Conditionally removing an attribute in HTMLPurifier is easy. Here the library offers the class HTMLPurifier_AttrTransform with the method confiscateAttr(). While I don't personally use the functionality of confiscateAttr(), I do use an HTMLPurifier_AttrTransform as per this thread to add target="_blank" to all anchors. // more configuration stuff up here $htmlDef = $htmlPurifierConfiguration->getHTMLDefinition(true); $anchor = $htmlDef->addBlankElement('a'); $anchor->attr_transform_post[] = new HTMLPurifier_AttrTransform_Target(); // purify down here HTMLPurifier_AttrTransform_Target is a very simple class, of course. class HTMLPurifier_AttrTransform_Target extends HTMLPurifier_AttrTransform { public function transform($attr, $config, $context) { // I could call $this->confiscateAttr() here to throw away an // undesired attribute $attr['target'] = '_blank'; return $attr; } } That part works like a charm, naturally. Handling elements Perhaps I'm not squinting hard enough at HTMLPurifier_TagTransform, or am looking in the wrong place(s), or generally amn't understanding it, but I can't seem to figure out a way to conditionally remove elements. Say, something to the effect of: // more configuration stuff up here $htmlDef = $htmlPurifierConfiguration->getHTMLDefinition(true); $anchor = $htmlDef->addElementHandler('a'); $anchor->elem_transform_post[] = new HTMLPurifier_ElementTransform_Cull(); // add target as per 'point of reference' here // purify down here With the Cull class extending something that has a confiscateElement() ability, or comparable, wherein I could check for a missing href attribute or a href attribute with the content http:/. HTMLPurifier_Filter I understand I could create a filter, but the examples (Youtube.php and ExtractStyleBlocks.php) suggest I'd be using regular expressions in that, which I'd really rather avoid, if it is at all possible. I'm hoping for an onboard or quasi-onboard solution that makes use of HTML Purifier's excellent parsing capabilities. Returning null in a child-class of HTMLPurifier_AttrTransform unfortunately doesn't cut it. Anyone have any smart ideas, or am I stuck with regexes? :)

    Read the article

  • PHP and MySQL problem?

    - by TaG
    When my code is stored and saved and out putted I keep getting these slashes \\\\\ in my output text. how can I get rid of these slashes? Here is the PHP code. if (isset($_POST['submitted'])) { // Handle the form. require_once '../../htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('Core.Encoding', 'UTF-8'); // replace with your encoding $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); // replace with your doctype $purifier = new HTMLPurifier($config); $mysqli = mysqli_connect("localhost", "root", "", "sitename"); $dbc = mysqli_query($mysqli,"SELECT users.*, profile.* FROM users INNER JOIN contact_info ON contact_info.user_id = users.user_id WHERE users.user_id=3"); $about_me = mysqli_real_escape_string($mysqli, $purifier->purify($_POST['about_me'])); $interests = mysqli_real_escape_string($mysqli, $purifier->purify($_POST['interests'])); if (mysqli_num_rows($dbc) == 0) { $mysqli = mysqli_connect("localhost", "root", "", "sitename"); $dbc = mysqli_query($mysqli,"INSERT INTO profile (user_id, about_me, interests) VALUES ('$user_id', '$about_me', '$interests')"); } if ($dbc == TRUE) { $dbc = mysqli_query($mysqli,"UPDATE profile SET about_me = '$about_me', interests = '$interests' WHERE user_id = '$user_id'"); echo '<p class="changes-saved">Your changes have been saved!</p>'; } if (!$dbc) { // There was an error...do something about it here... print mysqli_error($mysqli); return; } } Here is the XHTML code. <form method="post" action="index.php"> <fieldset> <ul> <li><label for="about_me">About Me: </label> <textarea rows="8" cols="60" name="about_me" id="about_me"><?php if (isset($_POST['about_me'])) { echo mysqli_real_escape_string($mysqli, $_POST['about_me']); } else if(!empty($about_me)) { echo mysqli_real_escape_string($mysqli, $about_me); } ?></textarea></li> <li><label for="my-interests">My Interests: </label> <textarea rows="8" cols="60" name="interests" id="interests"><?php if (isset($_POST['interests'])) { echo mysqli_real_escape_string($mysqli, $_POST['interests']); } else if(!empty($interests)) { echo mysqli_real_escape_string($mysqli, $interests); } ?></textarea></li> <li><input type="submit" name="submit" value="Save Changes" class="save-button" /> <input type="hidden" name="submitted" value="true" /> <input type="submit" name="submit" value="Preview Changes" class="preview-changes-button" /></li> </ul> </fieldset> </form>

    Read the article

  • PHP submit problem

    - by TaG
    I'm trying to check if the username is available and display it for the user to see when they check there account settings, which I have done. BUT when the user tries to fill out another field I get the Your username is unavailable! which should not pop up because its the users username already. I want to know how can I fix this problem using PHP so that the users name is displayed every time the user views their account settings and it wont cause problems when a user submits additional info? Here is the PHP code. if (isset($_POST['submitted'])) { require_once '../htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('Core.Encoding', 'UTF-8'); $config->set('HTML.Doctype', 'XHTML 1.0 Strict'); $config->set('HTML.TidyLevel', 'heavy'); $config->set('HTML.SafeObject', true); $config->set('HTML.SafeEmbed', true); $purifier = new HTMLPurifier($config); $mysqli = mysqli_connect("localhost", "root", "", "sitename"); $dbc = mysqli_query($mysqli,"SELECT users.* FROM users WHERE user_id=3"); $first_name = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['first_name'])))); $username = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['username'])))); if($_POST['username']) { $u = "SELECT user_id FROM users WHERE username = '$username'"; $r = mysqli_query ($mysqli, $u) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($mysqli)); if (mysqli_num_rows($r) == TRUE) { $username = NULL; echo '<p class="error">Your username is unavailable!</p>'; } else if(mysqli_num_rows($r) == 0) { $username = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['username'])))); if ($_POST['password1'] == $_POST['password2']) { $sha512 = hash('sha512', $_POST['password1']); $password = mysqli_real_escape_string($mysqli, $purifier->purify(strip_tags($sha512))); } else { $password = NULL; } if($password == NULL) { echo '<p class="error">Your password did not match the confirmed password!</p>'; } else { if (mysqli_num_rows($dbc) == 0) { $mysqli = mysqli_connect("localhost", "root", "", "sitename"); $dbc = mysqli_query($mysqli,"INSERT INTO users (user_id, first_name, username, password) VALUES ('$user_id', '$first_name', '$username', '$password')"); } if ($dbc == TRUE) { $dbc = mysqli_query($mysqli,"UPDATE users SET first_name = '$first_name', username = '$username', password = '$password' WHERE user_id = '$user_id'"); echo '<p class="changes-saved">Your changes have been saved!</p>'; } if (!$dbc) { print mysqli_error($mysqli); return; } } } } } Here is the html form. <form method="post" action="index.php"> <fieldset> <ul> <li><label for="first_name">First Name: </label><input type="text" name="first_name" id="first_name" size="25" class="input-size" value="<?php if (isset($_POST['first_name'])) { echo stripslashes(htmlentities(strip_tags($_POST['first_name']))); } else if(!empty($first_name)) { echo stripslashes(htmlentities(strip_tags($first_name))); } ?>" /></li> <li><label for="username">UserName: </label><input type="text" name="username" id="username" size="25" class="input-size" value="<?php if (isset($_POST['username'])) { echo stripslashes(htmlentities(strip_tags($_POST['username']))); } else if(!empty($username)) { echo stripslashes(htmlentities(strip_tags($username))); } ?>" /><br /><span>(ex: CSSKing, butterball)</span></li> <li><label for="password1">Password: </label><input type="password" name="password1" id="password1" size="25" class="input-size" value="<?php if (isset($_POST['password1'])) { echo stripslashes(htmlentities(strip_tags($_POST['password1']))); } ?>" /></li> <li><label for="password2">Confirm Password: </label><input type="password" name="password2" id="password2" size="25" class="input-size" value="<?php if (isset($_POST['password2'])) { echo stripslashes(htmlentities(strip_tags($_POST['password2']))); } ?>" /></li> <li><input type="submit" name="submit" value="Save Changes" class="save-button" /> <input type="hidden" name="submitted" value="true" /> <input type="submit" name="submit" value="Preview Changes" class="preview-changes-button" /></li> </ul> </fieldset> </form>

    Read the article

  • PHP - HTML Purifier - hello w<o>rld/world tutorial striptags

    - by JW
    I am just looking into using HTML Purifier to ensure that a user-inputed string (that represents the name of a person) is sanitized. I do not want to allow any html tags, script, markup etc - I just want the alpha, numeric and normal punctuation characters. The sheer number of options available for HTML Purifier is daunting and, as far as i can see, the docs do not seem to have a beggining/middle or end see: http://htmlpurifier.org/docs Is there a simple hello world tutorial online that shows how to sanitize a string removing all the bad stuff out of it. I am also considering just using strip tags: http://php.net/manual/en/function.strip-tags.php or PHP's in built data sanitizing http://us.php.net/manual/en/book.filter.php

    Read the article

  • Keeping Track of Dependant Third-party Library Releases

    - by Sonny
    I am building a web application that is dependent upon several third-party libraries. What is a good strategy for making sure that you're always using the most fully patched versions? A simple method would be to keep the versions written down and visit the websites at regular intervals, but I am looking for some way to get the information 'pushed' to me if possible. I figured that there might be others out there who have needed to do the same thing and have worked out a good solution. Here are a few libraries I am using: Zend Framework jQuery HTMLPurifier Markdownify InnovaStudio WYSIWYG Editor Fancybox MojoZoom

    Read the article

  • A PHP Function that verify code language

    - by tymc
    Hi, I have a form with 2 textareas; the first one allows user to send HTML Code, the second allows to send CSS Code. I have to verify with a PHP function, if the language is correct. If the language is correct, for security, i have to check that there is not PHP code or SQL Injection or whatever. What do you think ? Is there a way to do that ? Where can I find this kind of function ? Is "HTML Purifier" http://htmlpurifier.org/ a good solution ?

    Read the article

1