
With Htmlpurifier, How To Add A Couple Attributes To The Default Whitelist, E.g. 'onclick'

Two questions: I have been reading docs and SO posts... and know how to do it the long way (defining each and every element and attribute myself), but all I want to do is add 2 or 3

Solution 1:

  1. You're losing onclick because HTML Purifier doesn't know about that attribute, and if HTML Purifier passed everything through when you turned on %HTML.Trusted you might as well just not use HTML Purifier at all.

  2. HTML Purifier has attribute collections for just this case; 'Common' is probably the right one to insert them into.

But... why? The real name of %HTML.Trusted really should be %HTML.UnsafeMakeMyApplicationVulnerable

Solution 2:

HTMLPurifier does not support onClick and similar JavaScript-related attributes on any HTML element by default. So if you wish to allow such an attribute anyway, you may add it to a specific element in the following way.

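$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'allow-onclick'); // required before requesting a raw definition; this ID is a placeholder
$config->set('HTML.DefinitionRev', 1);
if ($def = $config->maybeGetRawHTMLDefinition()) { // null when the customised definition is already cached
    $def->addAttribute('a', 'onclick', 'Text');
}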

But be careful, this may lead to an XSS attack, as you are allowing any JavaScript code to be there in that attribute.
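
An alternative to whitelisting `onclick` as free text, added here as an example that is not from either answer: allow a `data-action` attribute restricted to an enumerated set of values, and let the site's own script attach the handlers. The attribute name, its allowed values, the definition ID and the Composer autoload path are assumptions.

```php
<?php
// Added example, not code from the original answers.
// Assumption: HTML Purifier is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.DefinitionID', 'example-data-action'); // placeholder ID
    $config->set('HTML.DefinitionRev', 1);
    // Disable the definition cache so the customisation below is always applied.
    $config->set('Cache.DefinitionImpl', null);

    if ($def = $config->maybeGetRawHTMLDefinition()) {
        // Enum: only these literal values are accepted. Any other value
        // causes the attribute to be removed from the output.
        $def->addAttribute('a', 'data-action', 'Enum#show-help,toggle-menu');
    }

    return new HTMLPurifier($config);
}

$purifier = buildPurifier();

// Constructed sample inputs: an allowed value, a disallowed value,
// and an inline event handler (still unknown to the definition).
$samples = [
    '<a href="/help" data-action="show-help">Help</a>',
    '<a href="/help" data-action="someFunction()">Help</a>',
    '<a href="/help" onclick="someFunction()">Help</a>',
];

foreach ($samples as $html) {
    echo $purifier->purify($html), PHP_EOL;
}
```

The page's own script can then look up `data-action` values in a fixed map of handler functions, so user-submitted markup selects among existing behaviours instead of supplying code.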
