Why does HTML Purifier ignore my config settings created at runtime?
Everyone! Naturally, I am still fighting with HTML Purifier…
So, my /config/purifier.php looks like:
    <?php defined('SYSPATH') or die('No direct access allowed.');
    return array(
        'settings' => array(
            'HTML.Allowed'      => 'a,b,strong,p,ul,ol,li,img[src],i,u,span,',
            'HTML.MaxImgLength' => 250,
            'CSS.MaxImgLength'  => '250px'
        ),
    );
    ?>
and HTML Purifier overloads the Security::xss_clean() method to use its own filter.
I have created two helper functions for data sanitation: clean_whitelist(), which strips anything not allowed by my HTML.Allowed setting in the config file, and clean_all(), which strips all tags and ignores the fields that are passed in as $ignore.
    public static function clean_all(array $dirty_data, array $ignore) {
        $config = Kohana::config('purifier');
        $settings = $config['settings']; // original settings, kept but not used below
        // Replace the whitelist with an empty one so that every tag is stripped
        $config->set('settings', array('HTML.Allowed' => ''));
        foreach ($dirty_data as $key => $value) {
            if ( ! in_array($key, $ignore)) {
                $dirty_data[$key] = Security::xss_clean($dirty_data[$key]);
            }
        }
        return $dirty_data;
    }

    public static function clean_whitelist($dirty_data) {
        return Security::xss_clean($dirty_data);
    }
clean_whitelist() works as intended, but clean_all() still allows tags. Not entirely sure why, as when I var_dump a new load of Kohana::config('purifier') after I have called $config->set, the file it displays shows my HTML.Allowed => ''…
Any ideas on why it continues to use a whitelist as opposed to using the config file I've built at runtime?
Thanks, as always, to anyone contributing!
Comments (1)
The Kohana HTMLPurifier module which you are using is probably caching the instance with the original configuration options.
If you're using this module, check out this method from the source code.
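The caching behaviour the answer points at can be reproduced without Kohana. The following is an added example, not code from the question, the answer or the Kohana HTMLPurifier module: CachedPurifier stands in for a module that builds one HTMLPurifier instance from whatever settings it sees first and reuses it, which is why a later 'HTML.Allowed' => '' has no effect; KeyedPurifier shows one way to avoid that by keying the cache on the settings themselves. The class names, the require_once path and the sample input are assumptions made for this example; the HTMLPurifier_Config::createDefault(), set() and purify() calls are the library's real API.

```php
<?php
// Added example (not from the question, the answer or the Kohana module).
// Assumes the HTML Purifier library is installed; adjust the path below.
require_once 'HTMLPurifier.auto.php';

/**
 * Models a module that lazily builds ONE purifier from the settings it is
 * given the first time and reuses it for every later call. Settings passed
 * afterwards are silently ignored, which is the symptom in the question.
 */
final class CachedPurifier
{
    private static ?HTMLPurifier $instance = null;

    public static function clean(string $html, array $settings): string
    {
        if (self::$instance === null) {
            $config = HTMLPurifier_Config::createDefault();
            foreach ($settings as $directive => $value) {
                $config->set($directive, $value);
            }
            self::$instance = new HTMLPurifier($config);
        }
        return self::$instance->purify($html);
    }
}

/**
 * Keys the cache on the settings, so each distinct configuration gets its
 * own purifier while repeated calls with the same settings still reuse one.
 */
final class KeyedPurifier
{
    /** @var array<string, HTMLPurifier> */
    private static array $instances = [];

    public static function clean(string $html, array $settings): string
    {
        ksort($settings);                      // make the key order-independent
        $key = md5(serialize($settings));
        if (!isset(self::$instances[$key])) {
            $config = HTMLPurifier_Config::createDefault();
            foreach ($settings as $directive => $value) {
                $config->set($directive, $value);
            }
            self::$instances[$key] = new HTMLPurifier($config);
        }
        return self::$instances[$key]->purify($html);
    }
}

// Constructed sample input: whitelisted tags, a disallowed element and an
// event-handler attribute that no setting here allows.
$dirty = '<p onclick="x()">Hello <b>world</b> <script>alert(1)</script></p>';

// The whitelist from the question's config file, and an empty list, which
// HTML Purifier interprets as "no elements allowed".
$whitelist = [
    'HTML.Allowed'      => 'a,b,strong,p,ul,ol,li,img[src],i,u,span',
    'HTML.MaxImgLength' => 250,
    'CSS.MaxImgLength'  => '250px',
];
$stripAll = ['HTML.Allowed' => ''];

// First call builds and caches an instance with the whitelist ...
echo CachedPurifier::clean($dirty, $whitelist), PHP_EOL;
// ... so this call still applies the whitelist: <p> and <b> survive.
echo CachedPurifier::clean($dirty, $stripAll), PHP_EOL;

// With a per-configuration cache the second call really strips every tag.
echo KeyedPurifier::clean($dirty, $whitelist), PHP_EOL;
echo KeyedPurifier::clean($dirty, $stripAll), PHP_EOL;
```

If changing the module is not an option, HTMLPurifier::purify() also accepts a config object as its second argument, so a one-off strip-everything pass can hand a freshly built HTMLPurifier_Config to the already cached instance instead of mutating the shared configuration array.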