I have some HTML that I wrote locally and want to run it through HTML Purifier. It is entirely generated by me, so I know there are no XSS vulnerabilities. I am trying to run it through the purifier, but href='javascript:myFunc()' is parsed out no matter what I try.
My current setup is:

    $string = file_get_contents($myHTMLFile);
    $schemes = array (
        'http' => true,
        'https' => true,
        'mailto' => true,
        'ftp' => true,
        'nntp' => true,
        'news' => true,
        'javascript' => true,
    );
    $config = HTMLPurifier_Config::createDefault();
    $config->set('URL.AllowedSchemes', array($schemes));
    $purifier = new HTMLPurifier($config);
    $string = $purifier->purify($string);

This isn't working at all - all JavaScript is stripped out.
I have looked through all the various HTML Purifier config settings but can't find what I need. Are there any answers?
Thanks in advance.