如何使用 HTMLPurifier 过滤 xss 并允许 iframe Vimeo 和 Youtube 视频?
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Trusted', true);
$config->set('Filter.YouTube', true);
$config->set('HTML.DefinitionID', '1');
$config->set('HTML.SafeObject', 'true');
$config->set('Output.FlashCompat', 'true');
$config->set('HTML.FlashAllowFullScreen', 'true');
$purifier = new HTMLPurifier($config);
$temp = $purifier->purify($temp);
HTMLPurifier 4.4.0 版具有允许 YouTube 和 Vimeo iframe 的新配置指令:
//allow iframes from trusted sources
$cfg->set('HTML.SafeIframe', true);
$cfg->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo
对于任何正在苦苦挣扎的人(如何启用 iframe 和 allowfullscreen)
$config = \HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo
// This line is important allow iframe in allowed elements or it will not work
$config->set('HTML.AllowedElements', array('iframe'));// <-- IMPORTANT
$config->set('HTML.AllowedAttributes','iframe@src,iframe@allowfullscreen');
$def = $config->getHTMLDefinition(true);
$def->addAttribute('iframe', 'allowfullscreen', 'Bool');
$purifier = new \HTMLPurifier($config);
$purifiedHtml = $purifier->purify($html);
我刚刚阅读了这篇博文,并成功创建并使用了自定义过滤器。我对代码进行了一些更改并添加了 Vimeo 支持:
/**
* Based on: http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/
* Iframe filter that does some primitive whitelisting in a somewhat recognizable and tweakable way
*/
class HTMLPurifier_Filter_MyIframe extends HTMLPurifier_Filter
{
public $name = 'MyIframe';
/**
*
* @param string $html
* @param HTMLPurifier_Config $config
* @param HTMLPurifier_Context $context
* @return string
*/
public function preFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
{
$html = preg_replace('#<iframe#i', '<img class="MyIframe"', $html);
$html = preg_replace('#</iframe>#i', '</img>', $html);
return $html;
}
/**
*
* @param string $html
* @param HTMLPurifier_Config $config
* @param HTMLPurifier_Context $context
* @return string
*/
public function postFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
{
$post_regex = '#<img class="MyIframe"([^>]+?)>#';
return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
}
/**
*
* @param array $matches
* @return string
*/
protected function postFilterCallback($matches)
{
// Domain Whitelist
$youTubeMatch = preg_match('#src="https?://www.youtube(-nocookie)?.com/#i', $matches[1]);
$vimeoMatch = preg_match('#src="http://player.vimeo.com/#i', $matches[1]);
if ($youTubeMatch || $vimeoMatch) {
$extra = ' frameborder="0"';
if ($youTubeMatch) {
$extra .= ' allowfullscreen';
} elseif ($vimeoMatch) {
$extra .= ' webkitAllowFullScreen mozallowfullscreen allowFullScreen';
}
return '<iframe ' . $matches[1] . $extra . '></iframe>';
} else {
return '';
}
}
}
将过滤器添加到您的 HTML Purifier 配置中
$config->set('Filter.Custom', array(new HTMLPurifier_Filter_MyIframe()));
这应该可以解决问题
$text = "<iframe width='560' height='315' src='//www.youtube.com/embed/RGLI7QBUitE?autoplay=1' frameborder='0' allowfullscreen></iframe>";
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Trusted', true);
$config->set('Filter.YouTube', true);
echo $purifier->purify($text);
根据reverbnation的回答,我意识到出于某种原因,这条线
$def->addAttribute('iframe', 'allowfullscreen', 'Bool');
没有正常工作,而不是
allowfullscreen="allowfullscreen"
HTMLPurifier 正在输出
allowfullscreen=""
尽管文档说Bool - Boolean attribute, with only one valid value: the name of the attribute,我尝试Enum改用:
$def->addAttribute('iframe', 'allowfullscreen', 'Enum#allowfullscreen');
第三个参数意味着该allowfullscreen属性将只有正确的值 -- allowfullscreen,其他所有内容都将被忽略。这样我们就有了与 with 相同的行为Bool。幸运的是,它对我有用。
也许这个解决方案会帮助某人。
使用 drupal 7.19 和 htmlpurifier 模块,您可以配置以下设置,而无需编写此代码。
摆脱 %HTML.Trusted、%Filter.YouTube 和 %HTML.DefinitionID。他们可能与 SafeObject/FlashCompat 交互不佳。
也不要忘记设置
URI.DisableExternalResources: false
如果你之前设置true过。