HtmlPurifier

I am trying to use htmlpurifier that comes with the framework for additional XSS security measures but am unable to understand how to use it. I am using it as a widget and what I’ve done is declared all the body content of my layout file to be in the purifier widget. The result is all my forms are gone and a few scripts don’t work. Can someone provide an example of how to use the html purifier properly?

Cheers,

bettor

That is not a good solution because it’s very bad to use htmlpurifier on every request in terms of performance. Try using it only on saving your data.

Hi Samdark,

Thanks for your advice.

Best,

bettor

I was looking at it too… is there any documentation on how to use it? I would like to use it in a comment form, only allowing some common html links / code blocks.


    $p = new CHtmlPurifier();
    $p->options = array('URI.AllowedSchemes'=>array(
        'http' => true,
        'https' => true,
        'mailto' => true,
        'ftp' => true,
        'nntp' => true,
        'news' => true,
      )
    );
    $text = $p->purify($text);

Will add this to API docs for next release.
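Added example (not from the thread or the framework docs) that combines samdark's CHtmlPurifier usage with the two points raised above: purify once at save time rather than on every request, and restrict a comment body to a small whitelist of links, emphasis, code blocks and lists. It assumes a hypothetical Yii 1.1 CActiveRecord model named Comment with a body column.

```php
<?php
// Added example, not code from the thread. Assumes a Yii 1.1 CActiveRecord
// model named Comment with a 'body' column (hypothetical).
class Comment extends CActiveRecord
{
    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{comment}}';
    }

    // Purifier for comment bodies: keeps only a whitelist of tags/attributes,
    // instead of the purifier's broader default rule set.
    public static function purifier()
    {
        $p = new CHtmlPurifier();
        $p->options = array(
            // Tags and attributes allowed in a comment; everything else is dropped.
            'HTML.Allowed' => 'a[href|title],p,br,strong,em,code,pre,ul,ol,li',
            // Only these URI schemes survive in href; other schemes are removed.
            'URI.AllowedSchemes' => array('http' => true, 'https' => true, 'mailto' => true),
            // Remove tags left empty after purification.
            'AutoFormat.RemoveEmpty' => true,
        );
        return $p;
    }

    // Purify once when the record is saved, not on every page view.
    protected function beforeSave()
    {
        if (parent::beforeSave()) {
            $this->body = self::purifier()->purify($this->body);
            return true;
        }
        return false;
    }
}

// Constructed sample input: the onclick attribute and the javascript: link are
// removed, while the http link and the <code> block are kept.
$dirty = '<p onclick="x()">Hi <a href="javascript:x()">here</a> '
       . '<a href="http://example.com">site</a></p><code>echo 1;</code>';
echo Comment::purifier()->purify($dirty);
```

Because purification happens in beforeSave(), the stored body can be echoed in views without running the purifier again.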

Hi,

there is an extension that accommodates the use of htmlpurifier, however it’s been behaving very unpredictably. I turned on $_POST purifying and now my posts don’t work. I will try to directly use samdark’s example. Thanks for that samdark.

Regards,

bettor

Additionally, the merged PHP file is about 500+ KB, it is too large to upload.

You are uploading it only once. So it does not really matter if it takes one or maybe five minutes.