Re: HTMLPurifier Admin Options - your opinions

Posted by Vaughan on 1265121524

Now, back on the original topic....

Just some crazy ideas -

What if we had some basic profiles for HTML Purifier - like:
1. No filtering, just tidy up the html
2. Only restrict the most easily exploited tags/attributes
3. Strict, but not paranoid
4. Paranoid
5. Custom


well not exactly the kind of responses i was actually looking for.

i was asking about the current options available in preferences, to determine what people are changing from default, how they are changing them, and whether some of those options can be removed because they never ever get changed from their defaults.

i wasn't asking for feature improvements. lol

though to answer some of those points.

1. i supposed that could be done (though see reply '2').

2. yes this could be done, but remember purifier works on a whitelist basis, the forbidden tags subtract themselves from the allowed list. to make this work as we all want, we have to redo the filtering of the core completely, to make sure we can properly determine when & where content is being filtered. specifically either Input filtering, where all filtering is done prior to writing to DB, or output filtering where all filtering is done on output. both have their pros & cons, but input filtering has far fewer cons. I may have a solution to that soon if it works out as i think it will.

3. well the options are there to change the strictness, but yes they are global. it is still a work in progress however (and i really should blog more), eventually my plan is to have different filtering methods and configs that can be based on group, individual user & module overrides (though core will be able to select if an option can be overridden by a module config value).

4. "Just because you're paranoid, doesn't mean they aren't out to get you" ;)

5. Custom, custom yes. as Niels mentioned custom XML import/export is on the way.

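The allowlist-minus-forbidden behaviour described in reply 2, shown with two of the proposed profiles. This is an added example, not part of the original post or the project's code; it assumes HTML Purifier is installed through Composer, and the profile names and tag lists are hypothetical.

```php
<?php
// Added example. Assumes HTML Purifier installed with Composer
// (ezyang/htmlpurifier); profile names and tag lists are hypothetical.
require_once __DIR__ . '/vendor/autoload.php';

// Each profile is an allowlist plus the tags subtracted from it.
$profiles = [
    'strict' => [
        'allowed'   => ['p', 'b', 'i', 'a', 'ul', 'li', 'img'],
        'forbidden' => [],
    ],
    'paranoid' => [
        'allowed'   => ['p', 'b', 'i', 'a', 'ul', 'li', 'img'],
        'forbidden' => ['a', 'img'],
    ],
];

function purifier_for(array $profile): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    // Disable the definition cache so the demo needs no writable directory.
    $config->set('Cache.DefinitionImpl', null);
    // The allowlist: any element not named here is stripped.
    $config->set('HTML.AllowedElements', $profile['allowed']);
    // Forbidden elements override the allowlist, i.e. they are subtracted from it.
    if ($profile['forbidden']) {
        $config->set('HTML.ForbiddenElements', $profile['forbidden']);
    }
    return new HTMLPurifier($config);
}

// Constructed sample input: an event handler, a link, an image and a table.
$dirty = '<p onclick="x()">Hi <b>there</b> '
       . '<a href="http://example.com/">link</a>'
       . '<img src="http://example.com/a.png" alt="a"></p>'
       . '<table><tr><td>cell</td></tr></table>';

foreach ($profiles as $name => $profile) {
    // What the profile really permits once the forbidden list is applied.
    $effective = array_values(array_diff($profile['allowed'], $profile['forbidden']));
    echo $name, ' effective tags: ', implode(',', $effective), PHP_EOL;
    echo purifier_for($profile)->purify($dirty), PHP_EOL, PHP_EOL;
}
```

The `table` markup is stripped under both profiles although neither forbids it, because it is not on the allowlist; the forbidden list can only narrow what the allowlist already permits.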