HTML Purifier - 更改默认允许的 HTML 标签配置 [英] HTML Purifier - Change default allowed HTML tags configuration

问题描述

我想允许用户可以在我的论坛中使用有限的 HTML 标记白名单.所以我像这样配置了 HTML Purifier:

I want to allow a limited white list of HTML tags that users can use in my forum. So I have configured the HTML Purifier like so:

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,a[href|rel|target|title],img[src],span[style],strong,em,ul,ol,li');
$purifier = new HTMLPurifier($config);

我想知道的是，HTML Purifier 的默认配置是否仍然适用，除了接受的 HTML 标签数量减少之外或者我是否需要重新设置每个可能的配置参数手动?

What I am wondering is, does the default configuration of the HTML Purifier still apply, with the exception of a reduced number of accepted HTML tags or do I need to re-set every possible configuration parameter manually?

此外，我是否应该以任何方式调整默认配置以确保安全?我对整个 XSS 保护不熟悉，对 HTML Purifier 不熟悉，并没有发现手册提供了很多基本"技巧和提示.

Additionally, should I tweak the default configuration in any way to stay safe? I am new to the whole XSS protection thing, new to HTML Purifier and didn't find that the manual gave a lot of 'basic' tips and hints.

推荐答案

HTML Purifier 在默认情况下是安全的，您通过更改 %HTML.Allowed 对其施加的任何限制都只能保证减少允许的标记集.查看 http://htmlpurifier.org/live/smoketests/printDefinition.php 以查看调整配置如何更改允许的标记集.

HTML Purifier is safe by default and any restrictions you impose on it by changing %HTML.Allowed are guaranteed only to reduce the permitted tag set. Check out http://htmlpurifier.org/live/smoketests/printDefinition.php to see how tweaking configuration changes the allowed tagset.

这篇关于HTML Purifier - 更改默认允许的 HTML 标签配置的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！