Module: HTML Purifier


ryan

HTML Purifier is an HTML sanitization and validation module for ProcessWire. It serves as a front-end to the HTML Purifier PHP library. From htmlpurifier.org:

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

Usage:

This module is something that you would use from a template file or another module. The syntax basically goes like this:

$purifier = $modules->get('MarkupHTMLPurifier');
$cleanHTML = $purifier->purify($dirtyHTML);

The default settings seem to be about right for most cases. However, you can also specify custom settings to HTML Purifier by performing set() calls before calling purify(). For example, UTF-8 encoding is assumed, so if you wanted ISO-8859-1 instead, you'd do:

$purifier->set('Core.Encoding', 'ISO-8859-1');
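As an added example (not code from the module or from this thread), here is how the two calls above fit together in a template-file helper. It assumes the ProcessWire `$modules` API variable is in scope and that the module exposes the `set()` and `purify()` methods shown in the post; the `HTML.Allowed`, `URI.AllowedSchemes` and `Attr.AllowedFrameTargets` keys are standard HTML Purifier directives, and the dirty markup is constructed sample input. The `Attr.AllowedFrameTargets` call is the setting asked about later in the thread, passed here as a parameter so a template can allow `_top` without disabling the purifier.

```php
<?php
// Added example; not part of the MarkupHTMLPurifier module or the thread above.
// Assumes ProcessWire's $modules API variable is available (e.g. inside a
// template file) and the module's set()/purify() methods as documented.

/**
 * Sanitize untrusted HTML (for instance, text submitted from an inline
 * editor) before it is stored or rendered. All set() calls must happen
 * before purify(), as the module's usage notes state.
 *
 * @param object $modules        ProcessWire $modules API variable
 * @param string $dirtyHtml      untrusted markup
 * @param array  $allowedTargets link targets that may survive sanitization
 * @return string                purified markup
 */
function sanitizeUserHtml($modules, $dirtyHtml, array $allowedTargets = array('_blank')) {
    $purifier = $modules->get('MarkupHTMLPurifier');

    // UTF-8 is the module default; stated explicitly so the intent is visible.
    $purifier->set('Core.Encoding', 'UTF-8');

    // Element/attribute whitelist for body text. Anything not listed
    // (script, style, iframe, on* handlers, ...) is removed.
    $purifier->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href|target|title],img[src|alt]');

    // Restrict URI schemes so href/src values cannot carry javascript: or data: URLs.
    $purifier->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));

    // Only these target values are kept on <a>; any other value is dropped.
    $purifier->set('Attr.AllowedFrameTargets', $allowedTargets);

    return $purifier->purify($dirtyHtml);
}

// Constructed sample input: the kind of markup an XSS filter has to neutralise
// alongside ordinary content that should pass through unchanged.
$dirty = '<p onclick="alert(1)">Hello <script>alert(1)</script>'
       . '<a href="javascript:alert(1)" target="_top">bad</a> '
       . '<a href="https://example.com/" target="_top" title="ok">good</a>'
       . '<img src="https://example.com/x.png" alt="x" onerror="alert(1)"></p>';

// Allow _top in addition to the default _blank for this template.
$clean = sanitizeUserHtml($modules, $dirty, array('_blank', '_top'));
echo $clean;
```

Keep the allowed-element list as small as the field actually needs; widening `HTML.Allowed` is the usual way XSS filters get weakened, so treat every addition to it as a review item.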

About this module:

The reason I made this module is that I'm currently working on a CKEditor module for ProcessWire. It supports a very nice inline mode that I'd like to use. But the problem with an inline mode is that the text you edit is real rendered HTML (rather than a textarea), so that could be a security problem (i.e. XSS). I researched into how best to resolve that, and the HTML Purifier library kept coming up. So here this module is. The new CKEditor module will require it if you want to use inline mode.

Download:

GitHub: https://github.com/ryancramerdesign/MarkupHTMLPurifier

Modules Directory: http://modules.processwire.com/modules/markup-htmlpurifier/


That's great, ryan. As in, just the other day I was using Sanitizer in a module, which was getting me so far, but this should give some additional useful options :)


Hi,

how is it possible to modify the settings of the html purifier instance that is used by InputfieldCKEditor?
How can I get the correct instance $purifier?

$purifier->set('Attr.AllowedFrameTargets', array('_blank','_top'));

My goal is to allow link target "_top" *without* having to disable html purifier ...


Hi,

how is it possible to modify the settings of the html purifier instance that is used by InputfieldCKEditor?

How can I get the correct instance $purifier?

$purifier->set('Attr.AllowedFrameTargets', array('_blank','_top'));

My goal is to allow link target "_top" *without* having to disable html purifier ...

I wonder why nobody/Ryan answers here....

No it's not possible. I also ran into it.

InputfieldCKEditor.module configures the purifier with a hardcoded setting that allows only the target _blank. Nothing else. But the thing is, we can configure the Link Editor to use different targets. But when adding a new one like "_parent", it won't be allowed, as it's hardcoded.

In my opinion the InputfieldCKEditor.module should recognize the target config of Link Editor and add those to the allowed targets.
