2011-01-19 216 views
11

How do I use HTMLPurifier to filter XSS while still allowing iframes for Vimeo and YouTube videos?

require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Trusted', true);

$config->set('Filter.YouTube', true);
$config->set('HTML.DefinitionID', '1');
$config->set('HTML.SafeObject', true);          // boolean directive, not the string 'true'
$config->set('Output.FlashCompat', true);

$config->set('HTML.FlashAllowFullScreen', true);

$purifier = new HTMLPurifier($config);
$temp = $purifier->purify($temp);               // $temp holds the untrusted HTML to clean

Answers

0

Get rid of %HTML.Trusted, %Filter.YouTube and %HTML.DefinitionID. They may interact badly with SafeObject/FlashCompat.

+0

iframe is still blocked anyway, no matter what. Do you know another good solution that does support iframes? – swamprunner7 2011-01-19 21:14:53

+0

Oh yes, you will have to add iframe support separately. Here is one possible way: http://htmlpurifier.org/phorum/read.php?3,4646,4646#msg-4646 Of course, we hope to (eventually) add proper support for it in core. – 2011-01-19 22:00:53

+0

I tried this solution but I had problems; here is my last comment: http://stackoverflow.com/questions/4135755/how-do-i-allow-script-object-param-embed-and-iframe-tags-in-htmlpurifier – swamprunner7 2011-01-19 23:13:41

8

I just read this blog entry and successfully created and used a custom filter. I made a few changes to the code to add Vimeo support:

/**
 * Based on: http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/
 * Iframe filter that does some primitive whitelisting in a somewhat recognizable and tweakable way
 */
class HTMLPurifier_Filter_MyIframe extends HTMLPurifier_Filter
{
    public $name = 'MyIframe';

    /**
     * Turns every <iframe> into an <img class="MyIframe"> placeholder, so the
     * purifier validates its attributes (src as a URI, width, height) and
     * strips everything else, such as event handlers, just as for an image.
     *
     * @param string $html
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string
     */
    public function preFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
    {
        $html = preg_replace('#<iframe#i', '<img class="MyIframe"', $html);
        $html = preg_replace('#</iframe>#i', '</img>', $html);
        return $html;
    }

    /**
     * Turns the placeholders that survived purification back into iframes.
     *
     * @param string $html
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string
     */
    public function postFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
    {
        $post_regex = '#<img class="MyIframe"([^>]+?)>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    /**
     * @param array $matches
     * @return string
     */
    protected function postFilterCallback($matches)
    {
        // The purifier emits the placeholder as <img ... />; drop the trailing slash
        $attrs = rtrim($matches[1], ' /');
        // Domain whitelist (dots escaped so that a host such as www-youtube.com does not match)
        $youTubeMatch = preg_match('#src="https?://www\.youtube(-nocookie)?\.com/#i', $attrs);
        $vimeoMatch = preg_match('#src="http://player\.vimeo\.com/#i', $attrs);
        if ($youTubeMatch || $vimeoMatch) {
            $extra = ' frameborder="0"';
            if ($youTubeMatch) {
                $extra .= ' allowfullscreen';
            } elseif ($vimeoMatch) {
                $extra .= ' webkitAllowFullScreen mozallowfullscreen allowFullScreen';
            }
            return '<iframe ' . $attrs . $extra . '></iframe>';
        } else {
            return '';
        }
    }
}

Add the filter to your HTMLPurifier configuration:

$config->set('Filter.Custom', array(new HTMLPurifier_Filter_MyIframe())); 
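The callback above decides which iframes survive by matching a regex against the attribute string. As an added example (my code, not the answer's and not part of HTMLPurifier), the following isolates that decision and makes it on the parsed URL instead: the host must be an exact entry in an allowlist and the path must start with the embed prefix for that host. The function names isAllowedEmbedSrc and extractSrc, the ALLOWED_EMBEDS table and the sample URLs are my own choices.

```php
<?php
// Added example: exact-host allowlisting for embed URLs (not part of the
// original answer or of HTMLPurifier).

/** Hosts that may be embedded, with the path prefix each one must use (assumed policy). */
const ALLOWED_EMBEDS = [
    'www.youtube.com'          => '/embed/',
    'www.youtube-nocookie.com' => '/embed/',
    'player.vimeo.com'         => '/video/',
];

/**
 * True when $src is an http(s) URL (absolute or scheme-relative "//host/...")
 * whose host is exactly on the allowlist and whose path starts with that
 * host's allowed prefix. Anything else, including lookalike hosts, userinfo
 * tricks and non-http schemes, is rejected.
 */
function isAllowedEmbedSrc(string $src): bool
{
    // parse_url() only finds the host when a scheme is present, so give
    // scheme-relative URLs such as //www.youtube.com/embed/x a temporary one.
    if (strpos($src, '//') === 0) {
        $src = 'https:' . $src;
    }
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // https://www.youtube.com@evil.example/ parses with host evil.example; refuse userinfo outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    if (!array_key_exists($host, ALLOWED_EMBEDS)) {
        return false;
    }
    $path = $parts['path'] ?? '/';
    return strpos($path, ALLOWED_EMBEDS[$host]) === 0;
}

/**
 * Pulls the src value out of an attribute string such as
 * ' src="https://..." width="560"' (the $attrs the callback above receives).
 * Returns null when there is no src attribute.
 */
function extractSrc(string $attrs): ?string
{
    if (!preg_match('/\bsrc\s*=\s*(["\'])(.*?)\1/i', $attrs, $m)) {
        return null;
    }
    // The purifier writes &amp; inside attribute values; decode before parsing.
    return html_entity_decode($m[2], ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs with the verdict each one should get.
$samples = [
    'https://www.youtube.com/embed/RGLI7QBUitE'      => true,
    '//www.youtube-nocookie.com/embed/RGLI7QBUitE'   => true,
    'https://player.vimeo.com/video/123456'          => true,
    'https://www-youtube.com/embed/RGLI7QBUitE'      => false, // lookalike host
    'https://www.youtube.com.example.net/embed/x'    => false, // subdomain of another host
    'https://www.youtube.com@example.net/embed/x'    => false, // userinfo trick
    'javascript:alert(1)'                            => false, // not http(s)
    'https://www.youtube.com/watch?v=RGLI7QBUitE'    => false, // not an /embed/ path
];
foreach ($samples as $src => $expected) {
    $verdict = isAllowedEmbedSrc($src);
    printf("%-48s %s\n", $src, $verdict === $expected ? 'ok' : 'MISMATCH');
}

// The same check applied to an attribute string as the callback sees it.
$attrs = ' src="https://www.youtube.com/embed/RGLI7QBUitE?rel=0&amp;start=10" width="560"';
printf("attribute string: %s\n", isAllowedEmbedSrc(extractSrc($attrs) ?? '') ? 'allowed' : 'rejected');
```

To use this inside the filter above, call extractSrc($attrs) in postFilterCallback and rebuild the iframe only when isAllowedEmbedSrc() returns true; the two regexes then collapse into one exact-host comparison, and adding a provider means adding one row to the table rather than another pattern.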

2

This should more or less do the trick:

$text = "<iframe width='560' height='315' src='//www.youtube.com/embed/RGLI7QBUitE?autoplay=1' frameborder='0' allowfullscreen></iframe>";

require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Trusted', true);
$config->set('Filter.YouTube', true);

$purifier = new HTMLPurifier($config);   // was missing from the original snippet
echo $purifier->purify($text);

0

Also, if you had previously set it to true, don't forget to set

URI.DisableExternalResources: false 

1

For anyone who is still struggling (how to enable iframe and allowfullscreen):

$config = \HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); // allow YouTube and Vimeo
// This line is important: iframe must be in the allowed elements or it will not work
$config->set('HTML.AllowedElements', array('iframe')); // <-- IMPORTANT
// The attribute list was mangled in the scraped page ("[email protected]"); reconstructed from the addAttribute call below
$config->set('HTML.AllowedAttributes', 'iframe@src,iframe@allowfullscreen');

$def = $config->getHTMLDefinition(true);
$def->addAttribute('iframe', 'allowfullscreen', 'Bool');

$purifier = new \HTMLPurifier($config);
$purifiedHtml = $purifier->purify($html); // $html is the untrusted input
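One thing the answer above does not spell out: HTML.AllowedElements replaces the whole element allowlist, so with only 'iframe' listed every paragraph and link in the input is stripped as well. As an added example (my code, not the answer's own), here is the same SafeIframe approach carried through to a complete configuration that keeps a few ordinary formatting elements alongside iframe, gives the customised definition an ID and revision so HTMLPurifier's definition cache stays consistent, and runs it over constructed inputs. It assumes HTMLPurifier is installed at the path the question uses; buildEmbedPurifier() and the element and attribute lists are my choices.

```php
<?php
// Added example, not the answer's own code. Assumes HTMLPurifier is installed
// at the path used in the question; buildEmbedPurifier() and the element
// list below are my choices, not part of the library.
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

function buildEmbedPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Permit <iframe>, but only when its src matches the anchored regexp.
    // "^(https?:)?//" also accepts scheme-relative URLs such as //www.youtube.com/embed/...
    $config->set('HTML.SafeIframe', true);
    $config->set(
        'URI.SafeIframeRegexp',
        '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'
    );

    // HTML.AllowedElements is the complete element allowlist, so the ordinary
    // elements you still want must be listed next to iframe.
    $config->set('HTML.AllowedElements', 'p,br,a,strong,em,iframe');
    $config->set(
        'HTML.AllowedAttributes',
        'a@href,iframe@src,iframe@width,iframe@height,iframe@allowfullscreen'
    );

    // Adding an attribute customises the HTML definition. HTMLPurifier caches
    // definitions under HTML.DefinitionID/DefinitionRev and returns a raw one
    // only when nothing is cached yet, so bump the revision whenever this
    // customisation changes.
    $config->set('HTML.DefinitionID', 'embed-purifier');
    $config->set('HTML.DefinitionRev', 1);
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        $def->addAttribute('iframe', 'allowfullscreen', 'Bool');
    }

    return new HTMLPurifier($config);
}

// Constructed inputs: a legitimate embed carrying an onload handler, two
// iframes whose src is outside the allowlist, and a script next to a link.
$samples = array(
    '<p>Talk:</p><iframe src="//www.youtube.com/embed/RGLI7QBUitE" width="560" height="315" allowfullscreen onload="alert(1)"></iframe>',
    '<iframe src="https://www-youtube.com/embed/RGLI7QBUitE"></iframe>',    // lookalike host
    '<iframe src="https://www.youtube.com/watch?v=RGLI7QBUitE"></iframe>',  // not an /embed/ path
    '<script>alert(1)</script><a href="https://example.com/" onclick="x()">link</a>',
);

$purifier = buildEmbedPurifier();
foreach ($samples as $html) {
    echo $purifier->purify($html), "\n";
}
```

With this configuration the first iframe is kept with its src, width, height and allowfullscreen, while onload is discarded because it is not a defined iframe attribute; for the two iframes whose src does not match URI.SafeIframeRegexp the src attribute is rejected and dropped, so nothing external is loaded; and the script element and the onclick handler are removed while the link itself survives because a@href is allowed.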