keith Pope-4 wrote:
> Personally I use htmlpurifier.org to clean my HTML; it's designed to do
> exactly what you describe and is maintained to provide max security.
> You could then create your own filter to do this.
Thanks for that. HtmlPurifier looks great but seems overkill for the tiny subset of HTML generated by Dojo Editor! Anyway, I did as you suggested; hopefully the filter below will be useful for someone else. I'm pretty confident it will strip out truly malicious code; it won't currently prevent people putting in their own font styles, but I can live with that for now. I think it permits all the possibilities from the default config of Dojo Editor, but it is easy to update if you find a tag which it does not.

It would be nice to have something similar to this as a default filter in ZF for the editor element.

```php
<?php
/*
 * Filter to strip out all HTML other than that generated by Dojo Editor.
 *
 * This assumes the default configuration for Dojo Editor, i.e. that you have not included
 * any plugins allowing additional functionality to the editor bar.
 *
 * Uses the huge HTMLPurifier library at http://htmlpurifier.org. I suspect this is massively
 * overspecced for what we need here, and there may be a significant performance hit from it.
 */
class My_Filter_DojoEditorHtmlPurifier implements Zend_Filter_Interface
{
    /**
     * Defined by Zend_Filter_Interface
     *
     * Returns purified HTML
     *
     * @param  string $value
     * @return string
     */
    public function filter($value)
    {
        require_once 'HTMLPurifier/HTMLPurifier.auto.php';

        $config = HTMLPurifier_Config::createDefault();
        // Whitelist: only these elements survive, and style="" is the only attribute
        // kept, and only on div and span. Everything else (script, a, img, event
        // handler attributes, ...) is removed. HTMLPurifier 4.x takes the directive as
        // a single dotted key; the older set('HTML', 'Allowed', ...) form is deprecated.
        $config->set('HTML.Allowed', 'ul,ol,li,br,div[style],span[style]');

        $purifier = new HTMLPurifier($config);

        return $purifier->purify($value);
    }
}
```

--
View this message in context: http://www.nabble.com/Zend_Form_Dojo-Editor-security-concern-%28escaping-output%29-tp22782919p22801743.html
Sent from the Zend Framework mailing list archive at Nabble.com.
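Added example, not code from the thread or from Zend Framework: a stand-alone script that builds the same HTMLPurifier whitelist as the post's filter, plus a tighter variant that also restricts which CSS properties may appear inside style="" (the "own font styles" gap the post mentions) and points HTMLPurifier's definition cache at a writable directory (the main cost behind the "performance hit" concern). It then runs a handful of constructed inputs through both configurations so you can see what each one keeps. It assumes HTMLPurifier 4.x is on the include path at the same location the post uses; `HTML.Allowed`, `CSS.AllowedProperties` and `Cache.SerializerPath` are real HTMLPurifier directives, while the list of CSS properties the default Dojo toolbar needs is an assumption to verify against your own Dojo version. The function name `build_dojo_purifier` is hypothetical.

```php
<?php
// Added example (not from the original post). Requires HTMLPurifier 4.x on the include path.
require_once 'HTMLPurifier/HTMLPurifier.auto.php';

/**
 * Build a purifier with the same element/attribute whitelist as the post's
 * My_Filter_DojoEditorHtmlPurifier, optionally tightened.
 *
 * @param string|null $cssProps Comma-separated CSS property whitelist for style="",
 *                              or null to keep HTMLPurifier's default CSS whitelist
 *                              (the post's behaviour).
 * @param string|null $cacheDir Writable directory for the definition cache, or null
 *                              to leave HTMLPurifier's default location alone.
 * @return HTMLPurifier
 */
function build_dojo_purifier($cssProps = null, $cacheDir = null)
{
    $config = HTMLPurifier_Config::createDefault();

    // Same whitelist as the post: only these elements, and style="" only on div/span.
    $config->set('HTML.Allowed', 'ul,ol,li,br,div[style],span[style]');

    if ($cssProps !== null) {
        // Any property not listed is dropped from style="", so font-family, font-size,
        // background:url(...) and similar cannot be smuggled through the style attribute.
        $config->set('CSS.AllowedProperties', $cssProps);
    }

    if ($cacheDir !== null) {
        // Building the HTML/CSS definitions is the expensive part of HTMLPurifier. The
        // serializer cache removes that cost after the first request, but its default
        // location (inside the library tree) is frequently not writable by the web server.
        $config->set('Cache.SerializerPath', $cacheDir);
    }

    return new HTMLPurifier($config);
}

// ASSUMPTION: the default Dojo Editor toolbar only needs these properties inside style=""
// (bold/italic/underline as span styles, justify as div text-align). Confirm against the
// markup your Dojo version actually emits before relying on this list.
$dojoCss = 'font-weight,font-style,text-decoration,text-align';

$permissive = build_dojo_purifier();                              // the post's configuration
$strict     = build_dojo_purifier($dojoCss, sys_get_temp_dir());  // tightened variant

// Constructed inputs for illustration, not real submissions.
$samples = array(
    'markup Dojo emits'     => '<div style="text-align: center;"><span style="font-weight: bold;">hi</span></div><ul><li>one</li></ul>',
    'script element'        => '<ul><li>ok</li></ul><script>alert(1)</script>',
    'event handler'         => '<span style="color:red" onmouseover="alert(1)">x</span>',
    'javascript: href'      => '<a href="javascript:alert(1)">click</a>',
    'css url() in style'    => '<div style="background:url(javascript:alert(1))">x</div>',
    'unwanted font styling' => '<span style="font-family:Comic Sans MS;font-size:40px">loud</span>',
);

foreach ($samples as $label => $html) {
    echo "== $label\n";
    echo "  input:      $html\n";
    echo "  permissive: " . $permissive->purify($html) . "\n";
    echo "  strict:     " . $strict->purify($html) . "\n";
}
```

To drop this into the post's class, replace its `$config` setup with a call to `build_dojo_purifier($dojoCss, $cacheDir)` and keep `implements Zend_Filter_Interface`; the point of the strict variant is that the whitelist of elements and the whitelist of CSS properties are two separate decisions, and the post's filter only makes the first one.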
