Modifying htmlpurifier allowed tags for this markup

php xss htmlpurifier
sameold picture sameold · Jun 3, 2011 · Viewed 7.1k times · Source

My html purifier settings now allow only these tags

$configuration->set('HTML.Allowed', 'p,ul,ol,li');

I want to allow indentation of lists and my editor uses this html 

<ul style="margin-left: 40px;">

How should I change my HTMLPurifier Allowed tags? I thought to add style, but I think it would be better to specify exactly which style is allowed, which in this case would be margin-left. What is the right way to change the HTML.Allowed for this case?

Answer

Edward Z. Yang picture Edward Z. Yang · Jun 3, 2011

Allow the style attributes, and then modify the allowed CSS attributes using %CSS.AllowedProperties.

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');
$configuration->set('CSS.AllowedProperties', 'margin-left');

P.S. I'm surprised how many people don't understand how HTML Purifier works.

Related questions

HTMLPurifier iframe Vimeo and Youtube video

How can I use HTMLPurifier to filter xss but also to allow iframe Vimeo and Youtube video? require_once 'htmlpurifier/library/HTMLPurifier.auto.php'; $config = HTMLPurifier_Config::createDefault(); $config->set('HTML.Trusted', true); $config->set('Filter.YouTube', true); $…

Read More
How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More
How to prevent XSS with HTML/PHP?

How do I prevent XSS (cross-site scripting) using just HTML and PHP? I've seen numerous other posts on this topic but I have not found an article that clear and concisely states how to actually prevent XSS.

Read More