I am using the configuration below to clean user input in my Yii project, using its built-in support for HtmlPurifier:
array(
    'URI.AllowedSchemes' => array(
        'http'  => true,
        'https' => true,
    ),
    'HTML.SafeEmbed'       => true,
    'HTML.TargetBlank'     => true,
    'HTML.SafeIframe'      => true,
    'Filter.YouTube'       => true,
    'URI.SafeIframeRegexp' => '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%',
)
Example:
<iframe width="560" height="315" src="https://www.youtube.com/embed/Xe2nlti47kA" frameborder="0" allowfullscreen></iframe>
The above iframe, when saved after purifying, gets converted to the iframe code below:
<iframe width="560" height="315" src="https://www.youtube.com/embed/Xe2nlti47kA" frameborder="0"></iframe>
How can we allow the allowfullscreen attribute as safe? Will any change in the regex solve this, or do I need to apply a custom solution?
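The following is an added example, not code from the question or from Yii's wrapper: it configures the HTML Purifier library directly with the question's iframe settings and extends the HTML definition so that allowfullscreen survives, which the regex alone cannot do because URI.SafeIframeRegexp only governs the src value. It assumes HTML Purifier is installed through Composer; the definition ID and the second sample iframe are constructed.

```php
<?php
// Added example (not from the original post). Assumes HTML Purifier is
// installed via Composer so the autoloader below exists.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.TargetBlank', true);
    $config->set('HTML.SafeIframe', true);
    // Only these embed hosts may appear in an iframe src; anything else is rejected.
    $config->set(
        'URI.SafeIframeRegexp',
        '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'
    );

    // A customised HTML definition needs its own ID and revision so the
    // definition cache can tell it apart from the stock one; bump the
    // revision whenever the customisation changes. The ID is a made-up name.
    $config->set('HTML.DefinitionID', 'iframe-allowfullscreen-example');
    $config->set('HTML.DefinitionRev', 1);
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        // Declare allowfullscreen as a boolean attribute of iframe. The
        // "#allowfullscreen" suffix is the name the purifier emits for it,
        // the same form the core modules use for attributes like "Bool#checked".
        $def->addAttribute('iframe', 'allowfullscreen', 'Bool#allowfullscreen');
    }

    return new HTMLPurifier($config);
}

$purifier = buildPurifier();

// Constructed inputs: the embed from the question, and an iframe whose host
// is not on the whitelist and therefore fails URI.SafeIframeRegexp.
$inputs = [
    '<iframe width="560" height="315" src="https://www.youtube.com/embed/Xe2nlti47kA" frameborder="0" allowfullscreen></iframe>',
    '<iframe width="560" height="315" src="https://other.example/embed/1" allowfullscreen></iframe>',
];
foreach ($inputs as $html) {
    echo $purifier->purify($html), "\n";
}
```

In Yii, the same customisation has to reach the HTMLPurifier_Config object the CHtmlPurifier wrapper builds, since the options array alone cannot register a new attribute.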