purifier XSS filter: how on earth do you add a tag to the whitelist?

yangajiujiuwob · 2018-08-20 22:23:49 +08:00 · 1124 views
    I want to add the video tag to the whitelist, but I'm a PHP newbie and after fiddling with it for half a day I still haven't got it working. Help!

    <?php
    /**
     * Ok, glad you are here
     * first we get a config instance, and set the settings
     * $config = HTMLPurifier_Config::createDefault();
     * $config->set('Core.Encoding', $this->config->get('purifier.encoding'));
     * $config->set('Cache.SerializerPath', $this->config->get('purifier.cachePath'));
     * if ( ! $this->config->get('purifier.finalize')) {
     *     $config->autoFinalize = false;
     * }
     * $config->loadArray($this->getConfig());
     *
     * You must NOT delete the default settings
     * anything in settings should be compatible with the params needed to instantiate HTMLPurifier_Config.
     *
     * @link http://htmlpurifier.org/live/configdoc/plain.html
     */

    return [

        'encoding'  => 'UTF-8',
        'finalize'  => true,
        'cachePath' => storage_path('app/purifier'),
        'settings'  => [
            'default' => [
                'HTML.Doctype' => 'XHTML 1.0 Transitional',
                // NOTE: HTMLPurifier's built-in element set has no <video>; an element named in
                // HTML.Allowed that the definition does not know is dropped with an
                // "Element 'video' is not supported" warning, so this entry alone does nothing.
                // The element has to be added to the HTML definition first (HTML.DefinitionID /
                // HTML.DefinitionRev plus addElement on the raw definition).
                'HTML.Allowed' => 'div,b,font[color|style],strong,i,em,pre,a[href|title|target],ul,ol,li,p[style],br,span[style],img[width|height|alt|src|style|class],table[class|width],td,tr,blockquote,h1,h2,h3,h4,h5,video[width|height|alt|src|style|class]',
                'CSS.AllowedProperties' => 'font,font-size,width,height,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
                'Attr.AllowedFrameTargets' => '_blank',
                'AutoFormat.AutoParagraph' => true,
                'AutoFormat.RemoveEmpty'   => true,
            ],
            'test' => [
                'Attr.EnableID' => true,
            ],
            'youtube' => [
                'HTML.SafeIframe'      => true,
                // no space after the opening paren: "( http://" would never match a real URL
                'URI.SafeIframeRegexp' => '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%',
            ],
        ],

    ];
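The reason the config above does not work is that HTMLPurifier's element set stops at XHTML 1.0 / HTML 4: `video` is unknown to it, so naming it in `HTML.Allowed` only produces an "Element 'video' is not supported" warning. The element first has to be registered on the raw HTML definition, keyed by `HTML.DefinitionID` and `HTML.DefinitionRev` so the customised definition can be cached. The following is an added example (not code from the original post, and not mews/purifier's own code) that does this with plain HTMLPurifier; the Composer autoload path, the temp-dir cache, the reduced allow-list and the sample input are all choices made for the example.

```php
<?php
// Added example, not from the original post or from mews/purifier: register an
// HTML5 <video> element (plus <source>) with HTMLPurifier's definition API so
// that 'video' in HTML.Allowed is honoured instead of being rejected.
// Assumes ezyang/htmlpurifier is installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

function makeVideoPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    // HTMLPurifier has no HTML5 doctype; the usual approach is to add the
    // HTML5 elements on top of XHTML 1.0 Transitional.
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    $config->set('Cache.SerializerPath', sys_get_temp_dir()); // must be writable

    // Same shape as the posted allow-list, cut down to what matters here.
    // <source> has to be listed as well or it is stripped from inside <video>.
    $config->set(
        'HTML.Allowed',
        'p,b,strong,i,em,a[href|title],img[src|alt|width|height],'
        . 'video[src|width|height|poster|controls],source[src|type]'
    );

    // A customised definition needs an ID and a revision: the serialized
    // definition is cached under them, and the revision must be bumped every
    // time the custom elements change, or the stale cached copy keeps being used.
    $config->set('HTML.DefinitionID', 'example-html5-video');
    $config->set('HTML.DefinitionRev', 1);

    // Returns null when a cached definition for this ID/rev already exists;
    // in that case the elements are already registered and must not be re-added.
    $def = $config->maybeGetRawHTMLDefinition();
    if ($def !== null) {
        // addElement(name, content set, content model, attribute collections, attributes)
        $def->addElement(
            'video',
            'Block',
            'Optional: (source, Flow) | (Flow, source) | Flow',
            'Common',
            [
                'src'      => 'URI',   // checked against URI.AllowedSchemes, so javascript: is rejected
                'width'    => 'Length',
                'height'   => 'Length',
                'poster'   => 'URI',
                'preload'  => 'Enum#auto,metadata,none',
                'controls' => 'Bool#controls',
            ]
        );
        // <source> is a void element, hence the 'Empty' content model.
        $def->addElement('source', 'Block', 'Empty', 'Common', [
            'src'  => 'URI',
            'type' => 'Text',
        ]);
    }

    return new HTMLPurifier($config);
}

// Constructed sample input: one legitimate video plus three injection attempts
// (an event-handler attribute, a javascript: URI and an inline script).
$dirty = '<video src="https://example.com/clip.mp4" width="640" controls="controls" onplay="alert(1)">'
       . '<source src="javascript:alert(1)" type="video/mp4" />'
       . '</video>'
       . '<script>alert(2)</script>';

echo makeVideoPurifier()->purify($dirty), PHP_EOL;
```

Only the attributes declared in `addElement` survive, so `onplay` is dropped because it was never declared; the `javascript:` URI fails the `URI` attribute type (the default `URI.AllowedSchemes` does not include `javascript`), and `<script>` is removed because it is not in `HTML.Allowed`. Declaring an attribute as `URI` rather than `Text` is the important choice: `Text` would have let the `javascript:` value through. In the Laravel mews/purifier wrapper the same registration is expressed in the package's config.php rather than by calling `maybeGetRawHTMLDefinition` yourself; newer releases of that package expose it as a `custom_definition` block (`id`, `rev`, `elements`, `attributes`), but check the config shipped with the installed version, since this example assumes the plain HTMLPurifier API and not any particular wrapper version.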
    1 reply    2018-08-21 09:44:10 +08:00

    yangajiujiuwob (OP) · 2018-08-21 09:44:10 +08:00
    Tragic, zero replies of all things. Does nobody know?