HTML Purificatore ifime Vimeo e Youtube video

Question

Come posso utilizzare HTMLPurifier per filtrare xss ma anche per consentire iframe Vimeo e Youtube video?

require_once 'htmlpurifier/library/HTMLPurifier.auto.php'; 
$config = HTMLPurifier_Config::createDefault(); 
$config->set('HTML.Trusted', true); 

$config->set('Filter.YouTube', true); 
$config->set('HTML.DefinitionID', '1'); 
$config->set('HTML.SafeObject', 'true'); 
$config->set('Output.FlashCompat', 'true'); 

$config->set('HTML.FlashAllowFullScreen', 'true'); 

$purifier = new HTMLPurifier($config); 
$temp = $purifier->purify($temp); 

Answer 1

Sbarazzarsi del% HTML.Trusted,% Filter.YouTube e% HTML.DefinitionID. Probabilmente stanno interagendo male con SafeObject/FlashCompat.

Answer 2

Ho appena letto this blog entry e ho creato e utilizzato correttamente il filtro personalizzato. Ho fatto alcune modifiche al codice e aggiunto il supporto Vimeo:

/** 
* Based on: http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/ 
* Iframe filter that does some primitive whitelisting in a somewhat recognizable and tweakable way 
*/ 
class HTMLPurifier_Filter_MyIframe extends HTMLPurifier_Filter 
{ 
    public $name = 'MyIframe'; 

    /** 
    * 
    * @param string $html 
    * @param HTMLPurifier_Config $config 
    * @param HTMLPurifier_Context $context 
    * @return string 
    */ 
    public function preFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context) 
    { 
     $html = preg_replace('#<iframe#i', '<img class="MyIframe"', $html); 
     $html = preg_replace('#</iframe>#i', '</img>', $html); 
     return $html; 
    } 

    /** 
    * 
    * @param string $html 
    * @param HTMLPurifier_Config $config 
    * @param HTMLPurifier_Context $context 
    * @return string 
    */ 
    public function postFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context) 
    { 
     $post_regex = '#<img class="MyIframe"([^>]+?)>#'; 
     return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html); 
    } 

    /** 
    * 
    * @param array $matches 
    * @return string 
    */ 
    protected function postFilterCallback($matches) 
    { 
     // Domain Whitelist 
     $youTubeMatch = preg_match('#src="https?://www.youtube(-nocookie)?.com/#i', $matches[1]); 
     $vimeoMatch = preg_match('#src="http://player.vimeo.com/#i', $matches[1]); 
     if ($youTubeMatch || $vimeoMatch) { 
      $extra = ' frameborder="0"'; 
      if ($youTubeMatch) { 
       $extra .= ' allowfullscreen'; 
      } elseif ($vimeoMatch) { 
       $extra .= ' webkitAllowFullScreen mozallowfullscreen allowFullScreen'; 
      } 
      return '<iframe ' . $matches[1] . $extra . '></iframe>'; 
     } else { 
      return ''; 
     } 
    } 
} 

aggiunta del filtro per il vostro purificatore di configurazione HTML

$config->set('Filter.Custom', array(new HTMLPurifier_Filter_MyIframe())); 

Answer 3

HTMLPurifier versione 4.4.0 ha nuove direttive di configurazione per consentire YouTube e Vimeo iframe:

//allow iframes from trusted sources 
$cfg->set('HTML.SafeIframe', true); 
$cfg->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo 

• http://htmlpurifier.org/live/configdoc/plain.html#HTML.SafeIframe
• http://htmlpurifier.org/live/configdoc/plain.html#URI.SafeIframeRegexp

Answer 4

Utilizzando drupal 7.19 e il modulo htmlpurifier è possibile configurare le seguenti impostazioni senza dover scrivere questo codice.

Vedi http://drupal.org/node/711728#comment-5600344

Answer 5

Questo tanto dovrebbe fare il trucco

$text = "<iframe width='560' height='315' src='//www.youtube.com/embed/RGLI7QBUitE?autoplay=1' frameborder='0' allowfullscreen></iframe>"; 

require_once 'htmlpurifier/library/HTMLPurifier.auto.php'; 
$config = HTMLPurifier_Config::createDefault(); 
$config->set('HTML.Trusted', true); 
$config->set('Filter.YouTube', true); 

echo $purifier->purify($text); 

Answer 6

Inoltre, non dimenticare di impostare

URI.DisableExternalResources: false 

se hai impostato a true prima.

Answer 7

Per chi sta lottando (come abilitare iframe e allowfullscreen)

$config = \HTMLPurifier_Config::createDefault(); 
    $config->set('HTML.SafeIframe', true); 
    $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo 
    // This line is important allow iframe in allowed elements or it will not work  
    $config->set('HTML.AllowedElements', array('iframe'));// <-- IMPORTANT 
    $config->set('HTML.AllowedAttributes','iframe@src,iframe@allowfullscreen'); 

    $def = $config->getHTMLDefinition(true); 
    $def->addAttribute('iframe', 'allowfullscreen', 'Bool'); 

    $purifier = new \HTMLPurifier($config); 
    $purifiedHtml = $purifier->purify($html);