How can I allow <audio> elements with HTML Purifier?


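Problem description

How can I allow <audio> elements with HTML Purifier?

I have tried $config->set('HTML.Allowed', 'audio');, but now it deletes all other elements, including <p>, <br>, etc.

I then tried $def->addAttribute('audio', 'src', 'CDATA');, but it's not working.

Solution

HTML.Allowed is a whitelist of all allowed tags, so what you presumably want to do is concatenate $config->get('HTML.Allowed') with ,audio as a value.

That said, HTML Purifier's approach to security is HTML flavour aware - as in, rather than just whitelist tags and attributes, it also ensures that tags make sense in the context they're in and attribute values look as expected, which means it has to actually understand the HTML definition you're feeding it. For example, you don't want a <td>-tag embedded in a <div>-tag, that makes no sense; and you wouldn't want width="foo" in your HTML, that also makes no sense.

Since as far as I know, HTML Purifier still does not yet know its way around HTML5, the <audio> tag is probably not one it is inherently aware of. You'll have to look at the "Customize!" end-user documentation, where it will tell you how to add tags and attributes that HTML Purifier is not aware of.

To quote the most vivid code example from the linked documentation (this code teaches HTML Purifier about the <form> tag):

Time for some code: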

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);
[...]
$form = $def->addElement(
    'form',   // name
    'Block',  // content set
    'Flow', // allowed children
    'Common', // attribute collection
    array( // attributes
        'action*' => 'URI',
        'method' => 'Enum#get|post',
        'name' => 'ID'
    )
);
$form->excludes = array('form' => true);

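Each of the parameters corresponds to one of the questions we asked. Notice that we added an asterisk to the end of the action attribute to indicate that it is required. If someone specifies a form without that attribute, the tag will be axed. Also, the extra line at the end is a special extra declaration that prevents forms from being nested within each other.

Once you've followed those instructions to make your purifying routine aware of <audio>, adding the tag <audio> to your configuration whitelist will work.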
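The same addElement() pattern applied to <audio>, as an added example that is not part of the original answer or the HTML Purifier documentation. The Composer autoload path, the definition ID, the chosen attribute set and the sample input are assumptions made for illustration.

```php
<?php
// Added example. Assumes HTML Purifier was installed with Composer.
require_once __DIR__ . '/vendor/autoload.php';

function build_audio_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // The whitelist must be set before the definition is fetched.
    // Listing attributes per element keeps everything else out.
    $config->set('HTML.Allowed', 'p,br,audio[src|controls|preload]');

    // Restrict URI-typed attributes (including audio src) to web schemes.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));

    $config->set('HTML.DefinitionID', 'audio-element-example'); // constructed ID
    $config->set('HTML.DefinitionRev', 1);
    $config->set('Cache.DefinitionImpl', null); // demo only: disables the cache

    if ($def = $config->maybeGetRawHTMLDefinition()) {
        $def->addElement(
            'audio',   // name
            'Block',   // content set
            'Flow',    // allowed children (fallback content)
            'Common',  // attribute collection
            array(
                // Typed as URI rather than CDATA so scheme filtering applies;
                // the asterisk marks it required, as with action* above.
                'src*'     => 'URI',
                'controls' => 'Bool#controls',
                'preload'  => 'Enum#auto,metadata,none',
            )
        );
    }

    return new HTMLPurifier($config);
}

// Constructed sample input: one acceptable element carrying an event
// handler attribute, and one whose src uses a scheme outside the allow-list.
$dirty = '<p>Clip:</p>'
       . '<audio src="https://media.example/clip.mp3" controls onplay="x()">'
       . 'fallback text</audio>'
       . '<audio src="javascript:alert(1)" controls></audio>';

echo build_audio_purifier()->purify($dirty), "\n";
```

Bump HTML.DefinitionRev whenever the element definition changes, and drop the Cache.DefinitionImpl line once the definition is stable so the serialized definition is cached.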

