= array(); } $post['classname'] = 'post'; } function comment_format(&$post) { global $conf, $uid, $gid, $forumlist; if (empty($post)) return; $forum = $post['fid'] ? forum_read($post['fid']) : ''; $thread = well_thread_read_cache($post['tid']); if ($thread) { //$post['fid'] = $thread['fid']; $post['closed'] = $thread['closed']; $post['subject'] = $thread['subject']; $post['url'] = $thread['url']; } else { $post['closed'] = 0; $post['subject'] = lang('thread_not_exists'); $post['url'] = ''; } $post['create_date_fmt'] = humandate($post['create_date']); //$post['message'] = stripslashes(htmlspecialchars_decode($post['message'])); $user = user_read_cache($post['uid']); $post['username'] = array_value($user, 'username'); $post['user_avatar_url'] = array_value($user, 'avatar_url'); $post['user'] = $user ? user_safe_info($user) : user_guest(); isset($post['floor']) || $post['floor'] = 0; // 权限判断 $post['allowupdate'] = 2 == array_value($forum, 'comment', 0) && ($uid == $post['uid'] || forum_access_mod($post['fid'], $gid, 'allowupdate')); $post['allowdelete'] = group_access($gid, 'allowuserdelete') && $uid == $post['uid'] || forum_access_mod($post['fid'], $gid, 'allowdelete'); $post['user_url'] = url('user-' . $post['uid'] . ($post['uid'] ? '' : '-' . $post['pid'])); if ($post['files'] > 0) { list($attachlist, $imagelist, $filelist) = well_attach_find_by_pid($post['pid']); // 使用图床 评论使用图床,mysql会过多,写死链接到内容是减轻mysql的过多的方法 if (2 == $conf['attach_on']) { foreach ($imagelist as $key => $attach) { $url = $conf['upload_url'] . 'website_attach/' . $attach['filename']; // 替换成图床 $post['message'] = FALSE !== strpos($post['message'], $url) && $attach['image_url'] ? str_replace($url, $attach['image_url'], $post['message']) : $post['message']; } } $post['filelist'] = $filelist; } else { $post['filelist'] = array(); } $post['classname'] = 'post'; } function comment_format_message(&$val) { global $conf; if (empty($val)) return; // 使用云储存 if (1 == $conf['attach_on'] && 1 == $val['attach_on']) { $val['message'] = str_replace('="upload/', '="' . file_path($val['attach_on']), $val['message']); } elseif (2 == $conf['attach_on'] && 2 == $val['attach_on']) { // 使用图床 list($attachlist, $imagelist, $filelist) = well_attach_find_by_tid($val['tid']); foreach ($imagelist as $key => $attach) { $url = $conf['upload_url'] . 'website_attach/' . $attach['filename']; // 替换成图床 $val['message'] = FALSE !== strpos($val['message'], $url) && $attach['image_url'] ? str_replace($url, $attach['image_url'], $val['message']) : $val['message']; } } else { $val['message'] = str_replace('="upload/', '="' . file_path($val['attach_on']), $val['message']); } //$val['message'] = stripslashes(htmlspecialchars_decode($val['message'])); } // 把内容中使用了云储存的附件链接替换掉 function comment_message_replace_url($pid, $message) { global $conf; if (0 == $conf['attach_on']) { $message = FALSE !== strpos($message, '="../upload/') ? str_replace('="../upload/', '="upload/', $message) : $message; $message = FALSE !== strpos($message, '="/upload/') ? str_replace('="/upload/', '="upload/', $message) : $message; } elseif (1 == $conf['attach_on']) { // 使用云储存 $message = str_replace('="' . $conf['cloud_url'] . 'upload/', '="upload/', $message); } elseif (2 == $conf['attach_on']) { // 使用图床 评论使用图床,mysql会过多,写死链接到内容是减轻mysql的过多的方法 list($attachlist, $imagelist, $filelist) = well_attach_find_by_pid($pid); foreach ($imagelist as $key => $attach) { $url = $conf['upload_url'] . 'website_attach/' . $attach['filename']; // 替换回相对链接 $message = $attach['image_url'] && FALSE !== strpos($message, $attach['image_url']) ? str_replace($attach['image_url'], $url, $message) : $message; } } return $message; } function comment_filter($val) { unset($val['userip']); return $val; } function comment_highlight_keyword($str, $k) { $r = str_ireplace($k, '' . $k . '', $str); return $r; } // //
function comment_message_format(&$s) { if (xn_strlen($s) < 100) return; $s = preg_replace('#.*?
#is', '', $s); $s = str_ireplace(array('
', '
', '
', '

', '', '', '', '' . ''), "\r\n", $s); $s = str_ireplace(array(' '), " ", $s); $s = strip_tags($s); $s = preg_replace('#[\r\n]+#', "\n", $s); $s = xn_substr(trim($s), 0, 100); $s = str_replace("\n", '
', $s); } // 对内容进行引用 function comment_quote($quotepid) { $quotepost = comment_read($quotepid); if (empty($quotepost)) return ''; $uid = $quotepost['uid']; $s = $quotepost['message']; $s = comment_brief($s, 100); $userhref = url('user-' . $uid); $user = user_read_cache($uid); $r = '
' . $user['username'] . ' ' . $s . '
'; return $r; } // 获取内容的简介 0: html, 1: txt; 2: markdown; 3: ubb function comment_brief($s, $len = 100) { $s = strip_tags($s); $s = htmlspecialchars($s); $more = xn_strlen($s) > $len ? ' ... ' : ''; $s = xn_substr($s, 0, $len) . $more; return $s; } ?>javascript - How do I allow script, object, param, embed, and iframe tags in HTMLPurifier? - Stack Overflow

科技改变生活-雨落星辰 - 所有的伟大,都源于一个勇敢的开始

    最新消息:雨落星辰是一个专注网站SEO优化、网站SEO诊断、搜索引擎研究、网络营销推广、网站策划运营及站长类的自媒体原创博客
    你的位置: 首页>programmer>javascript - How do I allow script, object, param, embed, and iframe tags in HTMLPurifier? - Stack Overflow

    javascript - How do I allow script, object, param, embed, and iframe tags in HTMLPurifier? - Stack Overflow

    programmeradmin12浏览0评论

    This is kind of a special bination of tags that I want to allow in HTMLPurifier, but can't seem to get the bination to work.

    I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config:

            $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);

    I even tried adding in the following which made things worse:

            $config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height],script[src|type]');

    Also, I can't seem to get iframes to work no matter what. I tried adding:

            $config->set('HTML.DefinitionID', 'enduser-customize.html iframe');
        $config->set('HTML.DefinitionRev', 1);
        $config->set('Cache.DefinitionImpl', null); // remove this later!
        $def = $config->getHTMLDefinition(true);
        $iframe = $def->addElement(
            'iframe',   // name
            'Block',  // content set
            'Empty', // allowed children
            'Common', // attribute collection
            array( // attributes
                'src*' => 'URI#embedded',
                'width' => 'Pixels#1000',
                'height' => 'Pixels#1000',
                'frameborder=' => 'Number',
                'name' => 'ID',
            )
        );
        $iframe->excludes = array('iframe' => true);

    Any help on getting the entire bo to work, or even script tags with object/param and embed would be GREATLY appreciated!!!

    Oh yeah, this is obviously not for all users, just "special" users.

    Thanks!

    PS - please don't link me to .html

    UPDATE

    I found a solution for adding iframes at the bottom of the thread here: .php?3,4646

    The current configuration is now:

            $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_MyIframe() ));

    UPDATE TO THE UPDATE

    If you're having trouble with my ment in the HTMLPurifier forum, it may be because I mean for the method to look like this:

    public function preFilter($html, $config, $context) {
    return preg_replace("/iframe/", "img class=\"MyIframe\" ", preg_replace("/<\/iframe>/", "", $html));
}

    This is kind of a special bination of tags that I want to allow in HTMLPurifier, but can't seem to get the bination to work.

    I can get script tags to work, but then embed tags get removed (I enable the script tags with HTML.Trusted = true). When I get embed tags back in, script tags are stripped out (I remove HTML.Trusted). The following is my config:

            $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);

    I even tried adding in the following which made things worse:

            $config->set('HTML.Allowed', 'object[width|height|data],param[name|value],embed[src|type|allowscriptaccess|allowfullscreen|width|height],script[src|type]');

    Also, I can't seem to get iframes to work no matter what. I tried adding:

            $config->set('HTML.DefinitionID', 'enduser-customize.html iframe');
        $config->set('HTML.DefinitionRev', 1);
        $config->set('Cache.DefinitionImpl', null); // remove this later!
        $def = $config->getHTMLDefinition(true);
        $iframe = $def->addElement(
            'iframe',   // name
            'Block',  // content set
            'Empty', // allowed children
            'Common', // attribute collection
            array( // attributes
                'src*' => 'URI#embedded',
                'width' => 'Pixels#1000',
                'height' => 'Pixels#1000',
                'frameborder=' => 'Number',
                'name' => 'ID',
            )
        );
        $iframe->excludes = array('iframe' => true);

    Any help on getting the entire bo to work, or even script tags with object/param and embed would be GREATLY appreciated!!!

    Oh yeah, this is obviously not for all users, just "special" users.

    Thanks!

    PS - please don't link me to http://htmlpurifier/docs/enduser-customize.html

    UPDATE

    I found a solution for adding iframes at the bottom of the thread here: http://htmlpurifier/phorum/read.php?3,4646

    The current configuration is now:

            $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeEmbed', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_MyIframe() ));

    UPDATE TO THE UPDATE

    If you're having trouble with my ment in the HTMLPurifier forum, it may be because I mean for the method to look like this:

    public function preFilter($html, $config, $context) {
    return preg_replace("/iframe/", "img class=\"MyIframe\" ", preg_replace("/<\/iframe>/", "", $html));
}
    • javascript
    • object
    • iframe
    • embed
    • htmlpurifier
    Share Improve this question edited Jan 20, 2011 at 8:05 shmuel613 asked Nov 9, 2010 at 16:02 shmuel613shmuel613 1,7341 gold badge15 silver badges17 bronze badges 2
    • HTML Purifier rocks! Why wouldn't I want to use it? ;) – shmuel613 Commented Feb 14, 2011 at 9:03
    • To be truly correct, you should probably be extending HTMLPurifier_Filter. The solution is otherwise great though; I am using this but whitelisting domains that I trust instead (e.g. youtube's new iframe embedding). – El Yobo Commented Mar 15, 2011 at 0:48
    Add a ment  | 

    1 Answer 1

    Reset to default 6

    Found the solution through the HTMLPurifier Google group (thank you Edward Z. Yang!!!). The solution to allow for object, embed, and script tags to exist on the page at the same time is to REMOVE "object, " from the $mon array in HTMLModuleManager.php __construct() method. This will of course make it so that no one can add object tags unless you specify it in your config.

    My final config is now: 

            $config->set('HTML.Trusted', true);
        $config->set('HTML.SafeObject', true);
        $config->set('Output.FlashCompat', true);
        $config->set('Filter.Custom',  array( new HTMLPurifier_Filter_SafeIframe() ));

    I really hope these instructions can help other developers who would like to use HTMLPurifier. Compared to what we were originally using to clean and scrub ining text from our wysiwyg editor, HTMLPurifier is approximately 85% faster!

    继续浏览有关 的文章

    与本文相关的文章

    发布评论

    评论列表(0)

    1. 暂无评论