HtmlPurifier - allow data attribute


Problem description


I'm trying to allow some data attributes with HTMLPurifier for all my spans, but no way...

I have this string:

<p>
    <span data-time-start="1" data-time-end="5" id="5">
       <word class="word">My</word>
       <word class="word">Name</word>
    </span>
    <span data-time-start="6" data-time-end="15" id="88">
       <word class="word">Is</word>
       <word class="word">Zooboo</word>
    </span>
</p>

My htmlpurifier config:

$this->HTMLpurifierConfigInverseTransform = \HTMLPurifier_Config::createDefault();
$this->HTMLpurifierConfigInverseTransform->set('HTML.Allowed', 'span,u,strong,em');
$this->HTMLpurifierConfigInverseTransform->set('HTML.ForbiddenElements', 'word,p');
$this->HTMLpurifierConfigInverseTransform->set('CSS.AllowedProperties', 'font-weight, font-style, text-decoration');
$this->HTMLpurifierConfigInverseTransform->set('AutoFormat.RemoveEmpty', true);

I purify my $value like this:

$purifier = new \HTMLPurifier($this->HTMLpurifierConfigInverseTransform);
var_dump($purifier->purify($value));die;

And get this:

<span>My Name</span><span>Is Zoobo</span>

But how to keep my data attributes id, data-time-start, data-time-end in my span?

I need to have this:

<span data-time-start="1" data-time-end="5" id="5">My Name</span><span data-time-start="6" data-time-end="15" id="88">Is Zoobo</span>

I tried to test with this config:

$this->HTMLpurifierConfigInverseTransform->set('HTML.Allowed', 'span[data-time-start],u,strong,em');

but I get this error message:

User Warning: Attribute 'data-time-start' in element 'span' not supported (for information on implementing this, see the support forums)

Thanks for your help!!

EDIT 1

I tried to allow ID in the first place with this code line:

$this->HTMLpurifierConfigInverseTransform->set('Attr.EnableID', true);

It doesn't work for me ...

EDIT 2

For data-* attributes, I added these lines, but nothing happened either...

$def = $this->HTMLpurifierConfigInverseTransform->getHTMLDefinition(true);
$def->addAttribute('sub', 'data-time-start', 'CDATA');
$def->addAttribute('sub', 'data-time-end', 'CDATA');

Solution

HTML Purifier is aware of the structure of HTML and uses this knowledge as the basis of its white-listing process. If you add a standard attribute to a whitelist, it doesn't allow arbitrary content for that attribute - it understands the attribute and will still reject content that makes no sense.

For example, if you had an attribute somewhere that took numeric values, HTML Purifier would still deny HTML that tried to enter the value 'foo' for that attribute.

If you add custom attributes, just adding it to the whitelist does not teach HTML Purifier how to handle the attributes: What data can it expect in those attributes? What data is malicious?

There's extensive documentation on how you can tell HTML Purifier about the structure of your custom attributes here: Customize

There's a code example for the 'target' attribute of the <a>-tag:

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);
$def->addAttribute('a', 'target', 'Enum#_blank,_self,_target,_top');

That would add target as a field that accepts only the values "_blank", "_self", "_target" and "_top". That's a bit stricter than the actual HTML definition, but for most purposes entirely sufficient.

That's the general approach you will need to take for data-time-start and data-time-end. For possible configuration, check out the official HTML Purifier documentation (as linked above). My best guess from your example is that you don't want Enum#... but Number, like this...

$def->addAttribute('span', 'data-time-start', 'Number');
$def->addAttribute('span', 'data-time-end', 'Number');

...but check it out and see what suits your use-case best. (While you're implementing this, don't forget you also need to list the attributes in the whitelist as you're currently doing.)

For id, you should include Attr.EnableID = true as part of your configuration.

I hope that helps!
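Putting the answer together as one complete configuration, as an added example that is not part of the original question or answer: it whitelists the attributes on span, teaches the definition what each data-* attribute may contain, enables id, and then runs both the question's input and a second constructed input with values that should be rejected. The example assumes HTML Purifier is installed via Composer (the require line) and uses the DefinitionID/DefinitionRev/Cache.DefinitionImpl pattern from the answer's tutorial snippet; note that it registers the attributes on 'span', whereas the question's EDIT 2 registered them on 'sub'. The Attr.ID.HTML5 directive is assumed to be available (it exists in HTML Purifier 4.8 and later); without it, HTML4 id rules apply and an id such as "5" that starts with a digit is dropped.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes HTML Purifier was installed with Composer.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // 1. Whitelist: both the element and its attributes must be listed.
    //    Attributes go in brackets, separated by '|'.
    $config->set('HTML.Allowed', 'span[data-time-start|data-time-end|id],u,strong,em');
    $config->set('HTML.ForbiddenElements', 'word,p');
    $config->set('CSS.AllowedProperties', 'font-weight,font-style,text-decoration');
    $config->set('AutoFormat.RemoveEmpty', true);

    // 2. id is off by default because user-supplied ids can collide with the
    //    host page's own DOM ids and CSS selectors; enable it deliberately.
    $config->set('Attr.EnableID', true);
    // HTML4 ids must start with a letter, so id="5" would be stripped.
    // Attr.ID.HTML5 (HTML Purifier 4.8+, assumed available) accepts any
    // non-empty id without whitespace instead.
    $config->set('Attr.ID.HTML5', true);

    // 3. A customised raw definition needs an ID and revision so it can be
    //    cached; caching is disabled here while developing (remove later).
    $config->set('HTML.DefinitionID', 'span-time-attributes');   // assumed name
    $config->set('HTML.DefinitionRev', 1);
    $config->set('Cache.DefinitionImpl', null);

    // 4. Every set() call must come before this line: fetching the raw
    //    definition finalizes the configuration.
    $def = $config->getHTMLDefinition(true);
    // 'Number' = positive integer. Values such as "0", "-1", "1.5" or "foo"
    // are removed by the attribute definition even though the attribute
    // name itself is whitelisted. If a start offset of 0 must be allowed,
    // pass new HTMLPurifier_AttrDef_Integer(false, true, true) instead.
    $def->addAttribute('span', 'data-time-start', 'Number');
    $def->addAttribute('span', 'data-time-end', 'Number');

    return new HTMLPurifier($config);
}

$purifier = buildPurifier();

// Constructed sample 1: the input from the question. <p> and <word> are
// stripped but their text is kept; data-* and id survive on the spans.
$input = <<<'HTML'
<p>
    <span data-time-start="1" data-time-end="5" id="5">
       <word class="word">My</word>
       <word class="word">Name</word>
    </span>
    <span data-time-start="6" data-time-end="15" id="88">
       <word class="word">Is</word>
       <word class="word">Zooboo</word>
    </span>
</p>
HTML;
echo $purifier->purify($input), "\n";

// Constructed sample 2: whitelisted attribute names carrying values that do
// not fit their definitions. All three attributes are dropped: "foo" and "0"
// are not positive integers, and an id containing whitespace is invalid.
$rejected = '<span data-time-start="foo" data-time-end="0" id="has space">Hi</span>';
echo $purifier->purify($rejected), "\n";
```

The second sample is the point the answer makes about structure-aware whitelisting: allowing the attribute name alone never admits arbitrary content, because the attribute definition decides what a valid value looks like. When moving this to production, remove the Cache.DefinitionImpl line and bump HTML.DefinitionRev whenever the addAttribute calls change, otherwise a cached definition from an earlier revision keeps being served.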
