HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. source: HTML Purifier.

Since ImpressCMS 1.1, HTML Purifier has been part of the core package. You can use it to clean and sanitize user input, and to build blacklist/whitelist filters for different tasks.

At the moment this has to be configured manually, so some PHP knowledge is required. A full configuration page is planned for a future version, so that the various filters can be created and edited directly from the admin interface with little or no PHP knowledge.

ImpressCMS 1.3.2 was updated with HTMLPurifier 4.4, and includes support for iFrames.

Developer Info

API

You can find the API for HTMLPurifier here

Usage

The ImpressCMS function for accessing the HTML Purifier library is icms_html_purifier($html, $config = 'system-global'), defined in class/icms.htmlpurifier.php.

Before you can use icms_html_purifier($html, $config = 'system-global') you first need to obtain the purifier instance:

$purifier = & icms_HTMLPurifier::getPurifierInstance();

Now you can use HTML Purifier. Note that the second argument is just the name of a configuration; pass it as a plain string (writing $config = 'system-global' inside the call only works because PHP evaluates the assignment).

// raw, untrusted markup as submitted by the user
$dirty_html = $_POST['dirty html'];
// sanitized with the global configuration
$clean_w3c_valid_html = icms_html_purifier($dirty_html, 'system-global');

or, if you are displaying an HTML area:

// same input, sanitized with the 'display' configuration
$clean_w3c_valid_html = $purifier->displayHTMLarea($dirty_html, 'display');

or, if you are previewing an HTML area:

// same input, sanitized with the 'preview' configuration
$clean_preview_html = $purifier->previewHTMLarea($dirty_html, 'preview');

The $config option selects the set of configuration options that the HTML (or indeed any text you pass through) is filtered against. A configuration can, for example, blacklist bad URLs or whitelist URLs that are always allowed; HTML Purifier offers many more options besides.

An admin interface for defining these configurations is planned, so that more advanced settings can be built without editing PHP. Currently only three configurations are available, and they are hardcoded; in time this will change to a full user interface where multiple configurations can be set from the admin area. The available $config values are:

  1. system-global - this is used as a global configuration throughout.
  2. display - this is used when you want to use a config for displaying HTML Textareas for output.
  3. preview - this is used when you want to use a config for previewing HTML TextAreas.

Note: at present, displayHTMLarea() and previewHTMLarea() do not apply XoopsCode or smilies when called directly.

If you need XoopsCode to be available and filtered, you can for now use the module.textsanitizer class with the calls

displayTarea($text, 1) and previewTarea($text, 1)

For HTML Purifier to be applied inside those functions, the $html parameter must be true, i.e. pass 1 as the second argument after $text. For example:

$myts =& MyTextSanitizer::getInstance();
// second argument 1 = treat $text as HTML, so it is run through HTML Purifier
$text = $myts->displayTarea($text, 1);
Last modified on 2012/8/17 by Anonymous