exercise / htmlpurifierbundle
HTML Purifier is a standards-compliant HTML filter library written in PHP.
Home Page: http://htmlpurifier.org/
License: Other
I would like to add support for an element. I can do it like this in the controller:
```php
$config = $this->get('exercise_html_purifier.config.default');
$def = $config->getHTMLDefinition(true);
$section = $def->addElement(
    'section',
    'Block',  // content set
    'Flow',   // allowed children
    'Common'  // attribute collections
);
$section->excludes = array('section' => true);
```
How can I do it systemwide?
Hello
Thanks for your support on this package, it's so helpful for us!
I have a quick question, if I may.
I'd like to know more about the cache directory, and what is it used for?
We had a problem upgrading where we had two purifiers configured (loose and strict); originally we had two separate caches configured, one for each HTML profile, as that seemed the most sensible. After upgrading we got errors like this:
```
User Warning: Base directory /Users/xxx/symfony/app/cache/loca_/htmlpurifier-loose does not exist,
please create or change using %Cache.SerializerPath
```
Once we removed the cache at a profile level and used the default_cache_serializer_path directive it worked.
Is it acceptable to use the same cache for multiple profiles (with different config) ?
And is the above a known issue?
Thanks in advance!
The line <tag name="kernel.cache_warmer" /> has been removed from the file ./Resources/config/html_purifier.xml, and so the cache warmer is not being run on framework startup.
Further, when the cache is being built, there are issues with key="$paths" unless it is removed OR a key="$htmlPurifier" is added on the next line.
Both of these, for the block <service id="exercise_html_purifier.cache_warmer.serializer" ...>, work:
```xml
<argument>%exercise_html_purifier.cache_warmer.serializer.paths%</argument>
<argument type="service" id="HTMLPurifier" />
<tag name="kernel.cache_warmer" />
```
OR
```xml
<argument key="$paths">%exercise_html_purifier.cache_warmer.serializer.paths%</argument>
<argument key="$htmlPurifier" type="service" id="HTMLPurifier" />
<tag name="kernel.cache_warmer" />
```
Hi, would you tag this bundle please?
Why are you checking whether the data is scalar instead of string? Purifying a boolean or integer value makes no sense, does it?
The last commit was about a year ago. I'd like to know whether this bundle is still maintained or is dead.
It seems 9712ab7 is causing some issues for one of my apps.
I have this config:
```yaml
exercise_html_purifier:
    html_profiles:
        default:
            config:
                Cache.SerializerPermissions: 0o777
```
Using 4.1, however, my config is overwritten by the new default config, it seems.
Hello,
When doing a composer install I'm getting the following warning:
```
Deprecation Notice: Class Exercise\HTMLPurifierBundle\Form\TypeExtension\ForwardCompatTypeExtensionTrait located in ./vendor/exercise/htmlpurifier-bundle/src/Form/TypeExtension/forward_compat_trait.inc.php does not comply with psr-4 autoloading standard. It will not autoload anymore in Composer v2.0. in phar:///usr/bin/composer/src/Composer/Autoload/ClassMapGenerator.php:201
Warning: Ambiguous class resolution, "Exercise\HTMLPurifierBundle\Form\TypeExtension\ForwardCompatTypeExtensionTrait" was found in both "/home/anonymous/app/vendor/exercise/htmlpurifier-bundle/src/Form/TypeExtension/forward_compat_trait.inc.php" and "/home/anonymous/app/vendor/exercise/htmlpurifier-bundle/src/Form/TypeExtension/ForwardCompatTypeExtensionTrait.php", the first will be used.
```
Can you fix psr-0 autoloading please?
@cystbear: Would you like to assume ownership of the exercise/htmlpurifier-bundle package on Packagist? The repository is not currently set up with a commit hook, so that would at least need to be set up. Beyond that, the bundle could probably benefit from Travis CI integration, listing the appropriate Symfony2 version in its composer.json, and receiving a proper git tag (there is only a master branch, so that could easily start at v1.0.0).
Let me know if you're interested and I'll swap our names on the maintainers list. Thanks.
Could you update the composer.json to also support Symfony 6, which will be released by the end of this month (November)?
Hello,
I want to use URI.Munge but with the nofollow property, and it doesn't work.
```yaml
URI.Munge: '/redirect?url=%s'
HTML.Nofollow: true
HTML.TargetBlank: true
HTML.TargetNoopener: true
HTML.TargetNoreferrer: true
```
Is it possible, or does it need an update?
Thanks.
In one of the examples this is mentioned to whitelist tags:
```yaml
HTML.Allowed: |
    *[id|class|name],
    a[href|title|rel|target],
    img[src|alt|height|width],
    h1,u,ul,ol,li,strong
```
Does *[id|class|name] imply that all elements that contain id, class or name are allowed? For example, is a div element (which is not in the list) but with an id attribute allowed?
When you try to purify some array elements, the default listener doesn't work.
I override the listener to do something like this:
```php
use Symfony\Component\Form\FormEvent;

public function purifySubmittedData(FormEvent $event)
{
    $event->setData($this->purifyResult($event->getData()));
}

protected function purifyResult($data)
{
    // Recurse into arrays so nested string values get purified too.
    if (\is_array($data)) {
        array_walk($data, function (&$item) {
            $item = $this->purifyResult($item);
        });
    }
    // Only strings are purified; other scalars pass through unchanged.
    if (\is_string($data)) {
        return $this->getPurifier()->purify($data);
    }
    return $data;
}
```
What do you think about this?
I use this bundle in my project; I want to know how to set this up in config.yml.
This is the raw HTMLPurifier code:
```php
<?php
$dirty_html = <<<EOF
<img src="/my.jpg" data-type="5" alt="" data-image-size="100,200" />
EOF;
$config = HTMLPurifier_Config::createDefault();
$def = $config->getHTMLDefinition(true);
$def->addAttribute('img', 'data-type', 'Text');
$def->addAttribute('img', 'data-image-size', 'Text');
$purifier = new HTMLPurifier($config);
```
Hi,
starting with Symfony 4.2 all FormTypes need to implement the getExtendedTypes method:
https://symfony.com/blog/new-in-symfony-4-2-improved-form-type-extensions
```
Not implementing the static getExtendedTypes() method in Exercise\HTMLPurifierBundle\Form\TypeExtension\HTMLPurifierTextTypeExtension when implementing the Symfony\Component\Form\FormTypeExtensionInterface is deprecated since Symfony 4.2. The method will be added to the interface in 5.0.
```
Cheers
Matthias
I tried to move cache_serializer_path from the Symfony cache folder to another one (tmp), as described in the readme, but it does not work.
As I understood, it must be something like this (config.yml):
```yaml
exercise_html_purifier:
    default_cache_serializer_path: null
    custom:
        Cache.SerializerPath: 'tmp/htmlpurifier'
```
and I call this service as: $this->kernel->getContainer()->get('exercise_html_purifier.custom')
In this case, the folder is not moved to the /tmp path, but htmlpurifier restores the folder in the Symfony cache ;-)
And I tried other ways, like these:
```yaml
exercise_html_purifier:
    default_cache_serializer_path: null
    html_profiles:
        custom:
            config:
                Cache.SerializerPath: 'tmp/htmlpurifier'
```
or
```yaml
exercise_html_purifier:
    default_cache_serializer_path: null
    html_profiles:
        custom:
            Cache.SerializerPath: 'tmp/htmlpurifier'
```
And this does not work at all.
With Symfony 4.2, instantiating a root-less TreeBuilder is deprecated:
```
A tree builder without a root node is deprecated since Symfony 4.2 and will not be supported anymore in 5.0.
```
Trace:
```
/app/vendor/symfony/config/Definition/Builder/TreeBuilder.php:30
    if (null === $name) {
        @trigger_error('A tree builder without a root node is deprecated since Symfony 4.2 and will not be supported anymore in 5.0.', E_USER_DEPRECATED);
    } else {
    }
/app/vendor/exercise/htmlpurifier-bundle/DependencyInjection/Configuration.php:15
    $treeBuilder = new TreeBuilder();
    $rootNode = $treeBuilder->root('exercise_html_purifier');
```
A simple fix could look like this: sensiolabs/SensioFrameworkExtraBundle@7db9568
I'm moving a project to Symfony4 from another framework, where it is defined like so:
```php
<?php
namespace A\Namespace;

class HTMLPurifierConfig extends \HTMLPurifier_Config
{
    public static function create($config, $schema = null)
    {
        $ret = parent::create($config, $schema);
        $def = $ret->getHTMLDefinition(true);
        // Rewrite elements instead of dropping them.
        $def->info_tag_transform['div'] = new \HTMLPurifier_TagTransform_Simple('p');
        $def->info_tag_transform['h1'] = new \HTMLPurifier_TagTransform_Simple('h4');
        $def->info_tag_transform['h2'] = new \HTMLPurifier_TagTransform_Simple('h5');
        $def->info_tag_transform['h3'] = new \HTMLPurifier_TagTransform_Simple('h6');
        ...
```
Is it possible to introduce a config setting to override the standard \HTMLPurifier_Config with a custom one from the bundle config?
I adapted the code some time ago to accept the "< video >" tags, but it is not working anymore since versions 0.2.X and I really don't know why. The "< video >" tag is still present after purifying, but the "src" attribute is removed.
Any hints to figure this out?
```php
use Symfony\Component\Form\DataTransformerInterface;

class HTMLPurifierTransformer implements DataTransformerInterface
{
    /** @var \HTMLPurifier */
    private $purifier;

    /**
     * Constructor: builds the purifier with a custom HTML5-ish definition.
     */
    public function __construct()
    {
        // Find full HTML5 config: https://github.com/kennberg/php-htmlpurfier-html5
        $config = \HTMLPurifier_Config::createDefault();
        $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
        $config->set('HTML.SafeIframe', true);
        // Set some HTML5 properties
        $config->set('HTML.DefinitionID', 'html5-definitions'); // unique id
        $config->set('HTML.DefinitionRev', 1);
        // Null when the definition is already cached for this ID/Rev.
        if ($def = $config->maybeGetRawHTMLDefinition()) {
            // http://developers.whatwg.org/the-video-element.html#the-video-element
            $def->addElement('video', 'Block', 'Optional: (source, Flow) | (Flow, source) | Flow', 'Common', array(
                'src' => 'URI',
                'type' => 'Text',
                'width' => 'Length',
                'height' => 'Length',
                'poster' => 'URI',
                'preload' => 'Enum#auto,metadata,none',
                'controls' => 'Bool',
            ));
        }
        $this->purifier = new \HTMLPurifier($config);
    }
    ...
```
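The four customisation questions above (the systemwide section element, data-* attributes on img, the tag-transform config class, and the video element whose src disappears) all come down to the same thing: customise the raw HTML definition once, behind a DefinitionID, and hand the resulting purifier to the bundle as a profile. The following is an added example written for this page, not code from the bundle or from any of the issue authors. It assumes ezyang/htmlpurifier is installed through Composer, and that the bundle's exercise.html_purifier tag with a profile attribute (the tag that appears in the services.yml of the purify_html issue further down) registers a custom purifier service for that profile; the service id and factory class names are invented for the example.

```php
<?php
// Added example: one purifier with a customised HTML definition, exposed to
// the bundle as a profile. Not the bundle's own code. Assumptions: Composer
// autoloader path, and the "exercise.html_purifier" tag + "profile" attribute.

declare(strict_types=1);

namespace App\HtmlPurifier;

require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path

final class CustomPurifierFactory
{
    public static function create(string $cacheDir): \HTMLPurifier
    {
        // The serializer cache warns and falls back if the directory is missing.
        if (!is_dir($cacheDir) && !mkdir($cacheDir, 0750, true)) {
            throw new \RuntimeException("Cannot create $cacheDir");
        }

        $config = \HTMLPurifier_Config::createDefault();
        $config->set('Cache.SerializerPath', $cacheDir);

        // The cache stores the definition under DefinitionID; bump DefinitionRev
        // whenever the customisation below changes, or the stale copy stays in use.
        $config->set('HTML.DefinitionID', 'app-custom-html');
        $config->set('HTML.DefinitionRev', 1);

        // Null when a cached copy exists, so this block runs only on a cold cache.
        if ($def = $config->maybeGetRawHTMLDefinition()) {
            // <section>: block element with flow content, no nested sections.
            $section = $def->addElement('section', 'Block', 'Flow', 'Common');
            $section->excludes = ['section' => true];

            // data-* attributes on <img>. "Text" accepts any value; an Enum is
            // stricter where the set of values is known.
            $def->addAttribute('img', 'data-type', 'Enum#1,2,3,4,5');
            $def->addAttribute('img', 'data-image-size', 'Text');

            // Rewrite rather than drop: div -> p, h1..h3 -> h4..h6.
            $def->info_tag_transform['div'] = new \HTMLPurifier_TagTransform_Simple('p');
            $def->info_tag_transform['h1'] = new \HTMLPurifier_TagTransform_Simple('h4');
            $def->info_tag_transform['h2'] = new \HTMLPurifier_TagTransform_Simple('h5');
            $def->info_tag_transform['h3'] = new \HTMLPurifier_TagTransform_Simple('h6');

            // <video>: src/poster are URI-typed, so each value must use a scheme
            // listed in URI.AllowedSchemes (javascript: is rejected) and, as
            // "embedded" URIs, they are subject to URI.DisableExternalResources
            // and URI.DisableResources. When a src "disappears", check those first.
            $def->addElement('video', 'Block', 'Optional: Flow', 'Common', [
                'src'      => 'URI#embedded',
                'poster'   => 'URI#embedded',
                'width'    => 'Length',
                'height'   => 'Length',
                'preload'  => 'Enum#auto,metadata,none',
                'controls' => 'Bool#controls', // a bare "Bool" has no name and drops the attribute
            ]);
        }

        return new \HTMLPurifier($config);
    }
}

// Wiring for the bundle (config/services.yaml), using the assumed tag:
//
//   app.html_purifier.custom:
//       class: HTMLPurifier
//       factory: ['App\HtmlPurifier\CustomPurifierFactory', 'create']
//       arguments: ['%kernel.cache_dir%/htmlpurifier/custom']
//       tags: [{ name: exercise.html_purifier, profile: custom }]

// Stand-alone run on constructed input.
$purifier = CustomPurifierFactory::create(sys_get_temp_dir() . '/htmlpurifier-demo');
$dirty = '<section><div>intro</div><h1 onclick="x()">title</h1>'
       . '<img src="/my.jpg" data-type="5" data-image-size="100,200" alt="">'
       . '<video src="https://cdn.example.org/a.mp4" poster="javascript:alert(1)" controls></video>'
       . '</section>';
echo $purifier->purify($dirty), PHP_EOL;
```

Because the customisation runs inside maybeGetRawHTMLDefinition(), the same definition is used by every request and by the cache warmer; editing the definition per request in a controller, as in the first issue, only works until the serializer cache is warm. The poster value in the constructed input is dropped by the URI attribute definition because javascript: is not an allowed scheme, which is the same validation path that removes a src value the configuration does not permit.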
It's not possible to install it on Standard Symfony 3.0.6 with composer.
Any plans to do this step?
The current stable release will trigger deprecation warnings in Symfony 2.7. This has already been fixed in the master branch, but it is not released yet. Can you please release a new version with this fix ?
Trying to add the purify_html option to my form's text type and currently getting this error:
```
An error has occurred resolving the options of the form "Symfony\Component\Form\Extension\Core\Type\TextType": The option "purify_html" does not exist. Defined options are: "action", "allow_extra_fields", "allow_file_upload", "attr", "attr_translation_parameters", "auto_initialize", "block_name", "block_prefix", "by_reference", "compound", "constraints", "csrf_field_name", "csrf_message", "csrf_protection", "csrf_token_id", "csrf_token_manager", "data", "data_class", "disabled", "empty_data", "error_bubbling", "error_mapping", "extra_fields_message", "help", "help_attr", "help_html", "help_translation_parameters", "inherit_data", "invalid_message", "invalid_message_parameters", "label", "label_attr", "label_format", "label_translation_parameters", "mapped", "method", "post_max_size_message", "property_path", "required", "row_attr", "translation_domain", "trim", "upload_max_size_message", "validation_groups".
```
I have the bundle registered inside config/bundles.php and the below inside my services.yml:
```yaml
# config/services.yml
Exercise\HtmlPurifierBundle\HtmlPurifiersRegistry:
    tags:
        - name: exercise.html_purifier
          profile: default
```
I have upgraded the bundle to the latest version and I observe the following error:
```
The option "purify_html_profile" with value null is expected to be of type "string", but is of type "NULL".
```
This error occurs on fields which modify any of the form options through a form event subscriber, like:
```php
$parent = $field->getParent();
$options = $field->getConfig()->getOptions();
$name = $field->getName();
$parent->remove($name);
$parent->add($name, $type, \array_merge($options, ['disabled' => $disabled]));
```
In this code I disable the field based on some condition; the field does not have purify_html, yet the error occurs. I noticed the following in the form extension:
```php
->setAllowedTypes('purify_html_profile', 'string')
->setNormalizer('purify_html_profile', function (Options $options, $profile) {
    if (!$options['purify_html']) {
        return null;
    }
```
I believe this is causing the issue, since it requires the profile to be a string, yet it is normalized to null.
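The failure described in this report can be reproduced without the form component at all, because it is purely an OptionsResolver ordering effect: allowed types are checked on the incoming value before normalisers run, so a null that the normaliser produced on the first resolve is rejected when it is fed back in on the second. The block below is an added example written for this page, not the bundle's code; it assumes symfony/options-resolver is installed through Composer and mirrors only the two declarations quoted in the issue, with an extra "disabled" option standing in for the form's own.

```php
<?php
// Added example (not the bundle's own code): reproduce the
// "with value null is expected to be of type string" error with a bare
// OptionsResolver, then show the allowed-types declaration that accepts null.
// Assumes symfony/options-resolver via Composer (autoloader path assumed).

declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use Symfony\Component\OptionsResolver\Exception\InvalidOptionsException;
use Symfony\Component\OptionsResolver\Options;
use Symfony\Component\OptionsResolver\OptionsResolver;

/** Same declarations as the extension code quoted in the issue. */
function configureStrict(OptionsResolver $resolver): void
{
    $resolver
        ->setDefaults([
            'disabled'            => false,
            'purify_html'         => false,
            'purify_html_profile' => 'default',
        ])
        ->setAllowedTypes('purify_html', 'bool')
        ->setAllowedTypes('purify_html_profile', 'string')
        ->setNormalizer('purify_html_profile', function (Options $options, $profile) {
            // The profile only matters when purification is switched on.
            return $options['purify_html'] ? $profile : null;
        });
}

/** Fix: the normaliser can yield null, so null must be an allowed type. */
function configureNullable(OptionsResolver $resolver): void
{
    configureStrict($resolver);
    $resolver->setAllowedTypes('purify_html_profile', ['string', 'null']);
}

// Step 1: the field is built once. purify_html is false, so after
// normalisation the resolved profile is null.
$resolver = new OptionsResolver();
configureStrict($resolver);
$resolved = $resolver->resolve(['purify_html' => false]);
var_dump($resolved['purify_html_profile']);

// Step 2: the event subscriber re-adds the field with
// array_merge($field->getConfig()->getOptions(), ['disabled' => true]).
// The null now arrives as an explicit value; types are validated before
// normalisers run, so the strict declaration throws exactly as reported.
$resolver = new OptionsResolver();
configureStrict($resolver);
try {
    $resolver->resolve(array_merge($resolved, ['disabled' => true]));
    echo "strict resolver accepted null (unexpected)\n";
} catch (InvalidOptionsException $e) {
    echo 'strict: ', $e->getMessage(), "\n";
}

// Step 3: with null allowed, the re-add succeeds and the field stays disabled.
$resolver = new OptionsResolver();
configureNullable($resolver);
$again = $resolver->resolve(array_merge($resolved, ['disabled' => true]));
var_dump($again['disabled'], $again['purify_html_profile']);
```

Allowing null on purify_html_profile is the minimal fix; an alternative that keeps the option strictly typed would be to have the normaliser leave the string in place and have the listener consult purify_html instead, but that changes what the extension exposes to other listeners, so the nullable type is the safer change.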
With the following configuration:
```yaml
exercise_html_purifier:
    default:
        HTML.Allowed: '*[id|class|name|style|alt|title|height|width],a[href|rel|target],img[src],br,div,u,em,ul,ol,li,strong,span,p,i'
        HTML.SafeIframe: true
        URI.SafeIframeRegexp: '#(.*)#'
        URI.AllowedSchemes: ['data', 'http', 'https', 'mailto', 'tel']
```
If I purify <span style="color:#FF0000;>test</span>, the result is <span style="color:#FF0000;>test</span>.
If I purify <span style="color:#FF0000FF;>test</span>, the result is <span>test</span>.
It seems that the alpha channel is not accepted?
I have an API controller endpoint that receives POST data. The fields are validated using the FOSRestBundle RequestParam annotation, so there is no form required. What I want to do is use HTMLPurifier to filter each input value, primarily for XSS, before using them.
For example, I get a JSON object that looks something like this:
```json
{ "emailAddress": "[email protected]", "maxResults": 10, "subject": "</a><a href=\"https://www.google.com\" target=\"_blank\">Subject" }
```
Back in the Zend 1 days I simply called something like:
```php
$this->HTMLPurifier->purify($this->getRequest()->getParam('subject'))
```
and it would return the sanitized string.
Has anybody used this package this way, or does anyone have an example of its use in a controller? Thanks
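Both the array-purifying listener posted earlier and this API question need the same thing: walk a decoded payload and purify only the string leaves, leaving integers, booleans and nulls alone so that a purified "maxResults" does not silently become a string. The following is an added example written for this page, not code from the bundle or from either reporter. It assumes ezyang/htmlpurifier is installed through Composer and constructs the purifier directly; inside a Symfony app you would inject the profile's purifier service instead (the exercise_html_purifier.default id used elsewhere on this page). The JSON payload is constructed for the example, modelled on the one in the question.

```php
<?php
// Added example (not the bundle's own code): purify every string inside a
// decoded JSON body, recursing into nested arrays. Assumes ezyang/htmlpurifier
// via Composer; the purifier would normally be injected, not built here.

declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path

/**
 * Recursively purify strings; ints/bools/null pass through untouched, since
 * purify() would cast them (true becomes "1") and change the API's types.
 *
 * @param mixed $data decoded JSON value
 * @return mixed      same shape, string leaves purified
 */
function purifyDeep(\HTMLPurifier $purifier, $data)
{
    if (\is_array($data)) {
        foreach ($data as $key => $value) {
            $data[$key] = purifyDeep($purifier, $value);
        }
        return $data;
    }
    if (\is_string($data)) {
        return $purifier->purify($data);
    }
    return $data;
}

$config = \HTMLPurifier_Config::createDefault();
// Allow only the markup this endpoint actually needs; everything else is dropped.
$config->set('HTML.Allowed', 'a[href|title|rel],b,i,em,strong,p,br');
$config->set('Cache.DefinitionImpl', null); // no serializer cache for a one-off run
$purifier = new \HTMLPurifier($config);

// Constructed payload: the issue's shape plus a list and a nested object.
$json = '{"emailAddress":"user@example.com","maxResults":10,'
      . '"subject":"</a><a href=\"https://www.google.com\" target=\"_blank\">Subject",'
      . '"tags":["<script>alert(1)</script>ok","<b>bold</b>"],'
      . '"meta":{"note":"<img src=x onerror=alert(1)>","flag":true}}';
$input = json_decode($json, true, 512, JSON_THROW_ON_ERROR);

$clean = purifyDeep($purifier, $input);
echo json_encode($clean, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

The stray closing tag, the script element and the onerror handler do not survive purification, while maxResults and flag keep their JSON types. If the endpoint only ever stores plain text, purifying is the wrong tool: strip tags or escape on output instead, and keep HTMLPurifier for fields that are meant to carry markup.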
Since I installed Exercise/HTMLPurifierBundle, I have an error every time I clear the cache on my Symfony server:
```
[Symfony\Component\Filesystem\Exception\IOException]
Failed to remove file "/var/www/nrdb/app/cache/prod_old/htmlpurifier/URI/4.6.0,8d03c8ec0e84e7feb92afd4c0f1735841b5fdacf,1.ser".
```
And indeed, the directory app/cache/prod/htmlpurifier/HTML is owned by www-data with permission 755, so my user cannot delete the files in it.
I applied the setfacl commands to set up the permissions in app/cache and app/log, but that doesn't seem to do the trick.
```
$ ls -la app/cache/prod
total 656
drwxrwxr-x+  11 alsciende www-data   4096 Jan 26 03:43 .
drwxrwxr-x+   5 www-data  www-data   4096 Jan 26 03:43 ..
drwxrwxr-x+   2 alsciende www-data   4096 Jan 26 03:45 annotations
-rw-rw-r--+   1 alsciende www-data 194989 Jan 26 03:43 appProdProjectContainer.php
-rw-rw-r--+   1 alsciende www-data  70159 Jan 26 03:43 appProdUrlGenerator.php
-rw-rw-r--+   1 alsciende www-data  79081 Jan 26 03:43 appProdUrlMatcher.php
drwxrwxr-x+   3 alsciende www-data   4096 Jan 26 03:43 assetic
-rw-rw-r--+   1 alsciende www-data   4904 Jan 26 03:43 classes.map
-rw-r--r--+   1 www-data  www-data 189453 Jan 26 03:43 classes.php
drwxrwxr-x+   3 alsciende www-data   4096 Jan 26 03:42 doctrine
drwxrwxr-x+   2 www-data  www-data   4096 Jan 26 03:43 fosJsRouting
drwxrwxr-x+   3 alsciende www-data   4096 Jan 26 03:45 htmlpurifier
drwxrwxr-x+   4 www-data  www-data   4096 Jan 26 03:43 http_cache
drwxrwxr-x+   2 alsciende www-data   4096 Jan 26 03:45 sessions
-rw-r--r--+   1 alsciende www-data  27882 Jan 26 03:43 templates.php
drwxrwxr-x+   2 www-data  www-data   4096 Jan 26 03:43 translations
drwxrwxr-x+ 105 alsciende www-data   4096 Jan 26 03:43 twig

$ ls -la app/cache/prod/htmlpurifier/
total 24
drwxrwxr-x+   3 alsciende www-data   4096 Jan 26 03:45 .
drwxrwxr-x+  11 alsciende www-data   4096 Jan 26 03:43 ..
drwxr-xr-x+   2 www-data  www-data   4096 Jan 26 03:45 HTML
```
The form type extension disables the trim option when the purify_html option is enabled, saying that the listener already trims.
But the trimmed value is not always written back to the event. If trimming makes it empty, the value is not replaced in the event.
In the readme a[target] is whitelisted, but HTML Purifier needs additional configuration to actually allow the target attribute.
https://github.com/Exercise/HTMLPurifierBundle#whitelist-attributes
http://htmlpurifier.org/docs
http://htmlpurifier.org/live/configdoc/plain.html#Attr.AllowedFrameTargets
This could lead to some wrong configurations.
Maybe adding Attr.AllowedFrameTargets to the example could improve this?
Since 3.0, the parameter was typehinted to string, which breaks stuff for everybody passing null there. Nullable getters are very widespread; please don't make us do
```twig
{{ activity.getNote ? activity.getNote|purify }}
```
on each instance. It's fine that this typehint is present in HTMLPurifierRuntime, but the twig filter should be a closure typehinted to ?string that shouldn't pass null along to HTMLPurifierRuntime.
Env / SF2.8
I'm trying to add config for allowing iframes from YouTube; here's my config.yml:
```yaml
# HTMLPurifierBundle
exercise_html_purifier:
    default:
        Cache.SerializerPath: "%kernel.root_dir%/cache/htmlpurifier"
    custom:
        HTML.SafeIframe: true
        URI.SafeIframeRegexp: '%^http://www.youtube.com/embed/%'
```
But I've got this error:
```
ParameterNotFoundException in ParameterBag.php line 84:
You have requested a non-existent parameter "^http://www.youtube.com/embed/".
```
What's wrong?
Thanks!
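Three configurations on this page touch the same two link-and-frame directives: the README whitelist that lists a[target] without Attr.AllowedFrameTargets (so target is silently stripped), the URI.SafeIframeRegexp of '#(.*)#' quoted in the colour issue (which lets any origin be framed), and the YouTube regexp just above, whose % delimiters Symfony's YAML loader reads as a parameter reference. The block below is an added example written for this page, not code from the bundle's README or from any reporter; it assumes ezyang/htmlpurifier 4.8 or later (for HTML.TargetNoopener and HTML.TargetNoreferrer) installed through Composer, and puts the permissive and the corrected directive sets side by side on the same constructed input.

```php
<?php
// Added example (not the bundle's README or an issue author's code): permissive
// versus hardened link/iframe directives. Assumes ezyang/htmlpurifier >= 4.8
// via Composer (autoloader path assumed).

declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

// Same shape as the README whitelist, with iframe added for the embed case.
const ALLOWED = '*[id|class|name],a[href|title|rel|target],iframe[src|width|height],p,strong';

/** Build a purifier from a flat directive map. */
function makePurifier(array $directives): \HTMLPurifier
{
    $config = \HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null); // no serializer cache for a one-off run
    foreach ($directives as $key => $value) {
        $config->set($key, $value);
    }
    return new \HTMLPurifier($config);
}

$permissive = makePurifier([
    'HTML.Allowed'         => ALLOWED,
    // target is in the whitelist but no frame targets are allowed: it is dropped.
    'HTML.SafeIframe'      => true,
    'URI.SafeIframeRegexp' => '#(.*)#', // matches every src: any origin can be framed
]);

$hardened = makePurifier([
    'HTML.Allowed'             => ALLOWED,
    'Attr.AllowedFrameTargets' => ['_blank'],   // the only target value accepted
    'HTML.TargetNoopener'      => true,         // adds rel="noopener" to targeted links
    'HTML.TargetNoreferrer'    => true,         // adds rel="noreferrer" as well
    'HTML.SafeIframe'          => true,
    // Anchored, https-only, dots escaped. In YAML each % must be written as %%
    // (or pick another delimiter such as #), because %...% is a parameter reference.
    'URI.SafeIframeRegexp'     => '%^https://(www\.youtube\.com/embed/|player\.vimeo\.com/video/)%',
]);

// Constructed input: an allowed target, a disallowed target, an allowed embed, a foreign embed.
$input = '<a href="https://example.com/" target="_blank">link</a>'
       . '<a href="https://example.com/" target="_top">top</a>'
       . '<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>'
       . '<iframe src="https://evil.example/phish"></iframe>';

echo $permissive->purify($input), PHP_EOL;
echo $hardened->purify($input), PHP_EOL;
```

With the permissive set both iframes are kept and both target attributes are removed, which is the mismatch the readme issue describes. With the hardened set the _blank link keeps its target and gains the noopener/noreferrer rel values, the _top target is rejected by the frame-target check, the YouTube embed survives, and the foreign iframe src fails the regexp and does not survive. Whatever regexp you use, anchor it with ^ and escape the dots; an unanchored pattern such as youtube.com/embed/ also matches https://youtube.com.evil.example/embed/.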
Method "Symfony\Component\DependencyInjection\Extension\Extension::getAlias()" might add "string" as a native return type declaration in the future. Do the same in child class "Exercise\HTMLPurifierBundle\DependencyInjection\ExerciseHTMLPurifierExtension" now to avoid errors or add an explicit @return annotation to suppress this message.
Method "Symfony\Component\Config\Definition\ConfigurationInterface::getConfigTreeBuilder()" might add "TreeBuilder" as a native return type declaration in the future. Do the same in implementation "Exercise\HTMLPurifierBundle\DependencyInjection\Configuration" now to avoid errors or add an explicit @return annotation to suppress this message.
Method "Symfony\Component\HttpKernel\CacheWarmer\WarmableInterface::warmUp()" might add "array" as a native return type declaration in the future. Do the same in implementation "Exercise\HTMLPurifierBundle\CacheWarmer\SerializerCacheWarmer" now to avoid errors or add an explicit @return annotation to suppress this message.
I installed this via composer and get this error. I'm using the latest version of symfony2.
Do I have to add the htmlpurifier library on my include path in some way?
Thanks.