How do I allow script, object, param, embed, and iframe tags in HTMLPurifier?


Problem description

This is kind of a special combination of tags that I want to allow in HTMLPurifier, but can't seem to get the combination to work.

I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);

I even tried adding in the following which made things worse:

        $config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height],script[src|type]');

Also, I can't seem to get iframes to work no matter what. I tried adding:

        $config->set('HTML.DefinitionID', 'enduser-customize.html iframe');
        $config->set('HTML.DefinitionRev', 1);
        $config->set('Cache.DefinitionImpl', null); // remove this later!
        $def = $config->getHTMLDefinition(true);
        $iframe = $def->addElement(
            'iframe',   // name
            'Block',  // content set
            'Empty', // allowed children
            'Common', // attribute collection
            array( // attributes
                'src*' => 'URI#embedded',
                'width' => 'Pixels#1000',
                'height' => 'Pixels#1000',
                'frameborder=' => 'Number',
                'name' => 'ID',
            )
        );
        $iframe->excludes = array('iframe' => true);

Any help on getting the entire combo to work, or even script tags with object/param and embed would be GREATLY appreciated!!!

Oh yeah, this is obviously not for all users, just "special" users.

Thanks!

PS - please don't link me to http://htmlpurifier.org/docs/enduser-customize.html

UPDATE

I found a solution for adding iframes at the bottom of the thread here: http://htmlpurifier.org/phorum/read.php?3,4646

The configuration is now:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_MyIframe() ));






UPDATE UPDATE

If you're having trouble with my comment in the HTMLPurifier forum, it may be because I mean for the method to look like this:

        public function preFilter($html, $config, $context) {
            return preg_replace("/iframe/", "img class=\"MyIframe\" ", preg_replace("/<\/iframe>/", "", $html));
        }


Recommended answer

Found the solution through the HTMLPurifier Google group (thank you Edward Z. Yang!!!). The solution to allow for object, embed, and script tags to exist on the page at the same time is to REMOVE "object, " from the $common array in HTMLModuleManager.php __construct() method. This will of course make it so that no one can add object tags unless you specify it in your config.

My final configuration is now:

        $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_SafeIframe() ));

I really hope these instructions can help other developers who would like to use HTMLPurifier. Compared to what we were originally using to clean and scrub incoming text from our wysiwyg editor, HTMLPurifier is approximately 85% faster!
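
As an added example (not part of the original post or of HTMLPurifier's own code): a per-role configuration that leaves HTML.Trusted off and admits iframes through the library's HTML.SafeIframe and URI.SafeIframeRegexp directives (HTMLPurifier 4.4.0 and later) instead of a preFilter rewrite or an edit to HTMLModuleManager.php. The build_purifier() helper, the role names, the Composer autoload path and the host allowlist are assumptions; script tags are deliberately not enabled here.

```php
<?php
// Added example, not from the original post. Assumes HTMLPurifier >= 4.4.0
// installed via Composer; the host allowlist below is hypothetical.
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Build a purifier for a given role (hypothetical helper). "special" users
 * get iframe/object/embed; everyone else gets the library defaults.
 */
function build_purifier(string $role): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Skip the on-disk definition cache so the demo runs without write access.
    $config->set('Cache.DefinitionImpl', null);

    if ($role === 'special') {
        // HTML.Trusted stays off, so <script> is still stripped.
        $config->set('HTML.SafeObject', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('Output.FlashCompat', true);
        // Permit <iframe>, but only with a src that matches the allowlist.
        $config->set('HTML.SafeIframe', true);
        $config->set(
            'URI.SafeIframeRegexp',
            '%^https://(www\.youtube\.com/embed/|player\.vimeo\.com/video/)%'
        );
    }
    return new HTMLPurifier($config);
}

// Constructed sample input: an allowlisted iframe, a non-allowlisted iframe
// and a script tag.
$dirty = '<p>Clip:</p>'
    . '<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>'
    . '<iframe src="https://example.invalid/frame.html"></iframe>'
    . '<script src="https://example.invalid/x.js"></script>';

// Print the purified markup per role to compare what each one keeps.
foreach (['regular', 'special'] as $role) {
    echo $role, ': ', build_purifier($role)->purify($dirty), PHP_EOL;
}
```

Comparing the two output lines shows which elements each role retains; the non-allowlisted iframe src fails the URI filter even for the "special" role.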
