dounai9592 2011-04-13 17:48 Acceptance rate: 100%
Views: 62

How do I allow href='javascript:myFunc()' with HTML Purifier?

I have some HTML that I wrote locally and want to run it through HTML purifier. It is entirely generated by me so I know there are no XSS vulnerabilities. I am trying to run it through the purifier, but href='javascript:myFunc()' is parsed out no matter what I try.

My current setup is:

$string = file_get_contents($myHTMLFile);
// Scheme map: keys are scheme names, values are ignored (only the keys matter).
$schemes = array (
    'http' => true,
    'https' => true,
    'mailto' => true,
    'ftp' => true,
    'nntp' => true,
    'news' => true,
    'javascript' => true,
);
$config = HTMLPurifier_Config::createDefault();
// The directive is in the URI namespace (URI.AllowedSchemes), and it expects
// the scheme map itself, not an array wrapping it (array($schemes) would make
// the only key 0, so no scheme would match).
$config->set('URI.AllowedSchemes', $schemes);
$purifier = new HTMLPurifier($config);
$string = $purifier->purify($string);

This isn't working at all - all javascript is stripped out.

I have looked through all the various HTML Purifier config settings but can't find what I need. Are there any answers?

Thanks in advance


1 answer

  • douxin5953 2011-04-13 23:09

    Simple answer: Don't use HTML Purifier on it. Use something like HTML Tidy instead.

    More complex answer: Don't use javascript: URLs; instead, attach class attributes to links you would like to have JavaScript, and then have a JavaScript handler look for links that have this class and attach the JavaScript code as an onClick handler.

    Even more complex answer: Create a new javascript URI scheme and program it only to accept the fixed string which is your function.
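    The class-based approach from the answer above, as an added example that is not code from this thread: HTML Purifier keeps the class attribute, so a link can be written as <a href="#" class="js-action-myFunc"> and a page script maps that class name to a function from a fixed allow-list, so nothing found in the markup is ever evaluated. The ACTIONS entries, the js-action- prefix and the fakeLink stand-in for a DOM element are assumptions made for this example.

```javascript
// Allow-list of functions that purified markup may trigger (constructed sample).
const ACTIONS = { myFunc: () => 'myFunc ran', openHelp: () => 'help opened' };
const CLASS_PREFIX = 'js-action-'; // assumed naming convention for the class
// Map a class attribute value to an allow-listed action name, or null.
function resolveActionName(classAttr) {
  for (const cls of String(classAttr || '').split(/\s+/)) {
    if (!cls.startsWith(CLASS_PREFIX)) continue;
    const name = cls.slice(CLASS_PREFIX.length);
    // Own-property check keeps prototype names like "constructor" unreachable.
    if (Object.prototype.hasOwnProperty.call(ACTIONS, name)) return name;
  }
  return null;
}
// Attach a click handler to every link whose class names an allowed action.
// `links` is any iterable of elements (browser: document.querySelectorAll('a')).
// Returns the action names that were bound, in document order.
function bindActionLinks(links) {
  const bound = [];
  for (const link of links) {
    const name = resolveActionName(link.getAttribute('class'));
    if (name === null) continue; // unknown or absent class: link stays inert
    link.addEventListener('click', (ev) => {
      ev.preventDefault(); // do not navigate to the placeholder href
      ACTIONS[name]();
    });
    bound.push(name);
  }
  return bound;
}

// Minimal stand-in for an <a> element so the example runs outside a browser.
function fakeLink(classAttr) {
  const handlers = [];
  return {
    getAttribute: (n) => (n === 'class' ? classAttr : null),
    addEventListener: (type, fn) => { if (type === 'click') handlers.push(fn); },
    // Simulate a click; true if a bound handler ran and suppressed navigation.
    click() {
      let prevented = false;
      handlers.forEach((h) => h({ preventDefault: () => { prevented = true; } }));
      return prevented;
    },
  };
}
// Constructed sample of the <a> tags as they come out of the purifier.
const sampleLinks = [
  fakeLink('btn js-action-myFunc'),
  fakeLink('js-action-constructor'), // not in ACTIONS: ignored
  fakeLink('js-action-openHelp'),
];
const boundNames = bindActionLinks(sampleLinks); // ['myFunc', 'openHelp']
```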

