如何允许 href='javascript:myFunc()'使用 HTML 净化器？

发布于 2024-11-01 06:34:14 字数 688 浏览 0 评论 0原文

我有一些在本地编写的 HTML，想通过 HTML 净化器运行它。它完全是我生成的，所以我知道不存在 XSS 漏洞。我试图通过净化器运行它，但是无论我如何尝试， href='javascript:myFunc()' 都会被解析出来。

我当前的设置是：

$string = file_get_contents($myHTMLFile);
$schemes = array (
    'http' => true,
    'https' => true,
    'mailto' => true,
    'ftp' => true,
    'nntp' => true,
    'news' => true,
    'javascript' => true,
);
$config = HTMLPurifier_Config::createDefault();
$config->set('URL.AllowedSchemes', array($schemes));
$purifier = new HTMLPurifier($config);
$string = $purifier->purify($string);

这根本不起作用 - 所有 javascript 都被删除。

我已经查看了所有各种 HTML Purifier 配置设置，但找不到我需要的内容。有答案吗？

提前致谢

原文

I have some HTML that I wrote locally and want to run it through HTML purifier. It is entirely generated by me so I know there are no XSS vulnerabilities. I am trying to run it through the purifier, but href='javascript:myFunc()' is parsed out no matter what I try.

My current setup is:

$string = file_get_contents($myHTMLFile);
$schemes = array (
    'http' => true,
    'https' => true,
    'mailto' => true,
    'ftp' => true,
    'nntp' => true,
    'news' => true,
    'javascript' => true,
);
$config = HTMLPurifier_Config::createDefault();
$config->set('URL.AllowedSchemes', array($schemes));
$purifier = new HTMLPurifier($config);
$string = $purifier->purify($string);

This isn't working at all - all javascript is stripped out.

I have looked through all the various HTML Purifier config settings but can't find what I need. Are there any answers?

Thanks in advance

分享到QQ

分享到微博