everyone! Naturally I am still fighting with HTML Purifier…
So, my /config/purifier.php looks like:
<?php defined('SYSPATH') or die('No direct access allowed.');

return array(
    'settings' => array(
        'HTML.Allowed'     => 'a,b,strong,p,ul,ol,li,img[src],i,u,span,',
        'HTML.MaxImgLength' => 250,
        'CSS.MaxImgLength'  => '250px',
    ),
);
?>
and HTML Purifier overloads the Security::xss_clean() method to use its own filter.
I have created two helper functions for data sanitation: clean_whitelist(), which strips anything not allowed by my HTML.Allowed setting in the config file, and clean_all(), which strips all tags and ignores the fields passed in as $ignore.
// Strip every tag from all fields except those listed in $ignore.
public static function clean_all(array $dirty_data, array $ignore)
{
    $config   = Kohana::config('purifier');
    $settings = $config['settings'];

    // Replace the whitelist with an empty one at runtime.
    $config->set('settings', array('HTML.Allowed' => ''));

    foreach ($dirty_data as $key => $value) {
        if ( ! in_array($key, $ignore)) {
            $dirty_data[$key] = Security::xss_clean($dirty_data[$key]);
        }
    }

    return $dirty_data;
}

// Strip everything not permitted by HTML.Allowed in /config/purifier.php.
public static function clean_whitelist($dirty_data)
{
    return Security::xss_clean($dirty_data);
}
clean_whitelist() works as intended, but clean_all() still allows tags. Not entirely sure why, as when I var_dump a fresh Kohana::config('purifier') after I have called $config->set, it displays my HTML.Allowed => ''…
Any ideas on why it continues to use a whitelist as opposed to using the config file I've built at runtime?
Thanks, as always, to anyone contributing!
1 solution
#1
0
The Kohana HTMLPurifier module which you are using is probably caching the instance with the original configuration options.
If you're using this module, check out this method from the source code.