HTMLPurifier iframe Vimeo和Youtube视频

时间:2011-01-19 18:42:19

标签: php video iframe xss htmlpurifier

如何使用HTMLPurifier过滤xss,还允许使用iframe Vimeo和Youtube视频?

require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Trusted', true);

$config->set('Filter.YouTube', true);
$config->set('HTML.DefinitionID', '1');
$config->set('HTML.SafeObject', 'true');
$config->set('Output.FlashCompat', 'true');

$config->set('HTML.FlashAllowFullScreen', 'true');

$purifier = new HTMLPurifier($config);
$temp = $purifier->purify($temp);

8 个答案:

答案 0 :(得分:29)

HTMLPurifier版本4.4.0具有允许YouTube和Vimeo iframe的新配置指令:

//allow iframes from trusted sources
$cfg->set('HTML.SafeIframe', true);
$cfg->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo

答案 1 :(得分:9)

我刚刚阅读this blog entry,并成功创建并使用了自定义过滤器。我对代码进行了一些更改,并添加了Vimeo支持:

/**
 * Based on: http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/
 * Iframe filter that does some primitive whitelisting in a somewhat recognizable and tweakable way
 */
class HTMLPurifier_Filter_MyIframe extends HTMLPurifier_Filter
{
    public $name = 'MyIframe';

    /**
     *
     * @param string $html
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string
     */
    public function preFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
    {
        $html = preg_replace('#<iframe#i', '<img class="MyIframe"', $html);
        $html = preg_replace('#</iframe>#i', '</img>', $html);
        return $html;
    }

    /**
     *
     * @param string $html
     * @param HTMLPurifier_Config $config
     * @param HTMLPurifier_Context $context
     * @return string
     */
    public function postFilter($html, HTMLPurifier_Config $config, HTMLPurifier_Context $context)
    {
        $post_regex = '#<img class="MyIframe"([^>]+?)>#';
        return preg_replace_callback($post_regex, array($this, 'postFilterCallback'), $html);
    }

    /**
     *
     * @param array $matches
     * @return string
     */
    protected function postFilterCallback($matches)
    {
        // Domain Whitelist
        $youTubeMatch = preg_match('#src="https?://www.youtube(-nocookie)?.com/#i', $matches[1]);
        $vimeoMatch = preg_match('#src="http://player.vimeo.com/#i', $matches[1]);
        if ($youTubeMatch || $vimeoMatch) {
            $extra = ' frameborder="0"';
            if ($youTubeMatch) {
                $extra .= ' allowfullscreen';
            } elseif ($vimeoMatch) {
                $extra .= ' webkitAllowFullScreen mozallowfullscreen allowFullScreen';
            }
            return '<iframe ' . $matches[1] . $extra . '></iframe>';
        } else {
            return '';
        }
    }
}

将过滤器添加到HTML Purifier配置

$config->set('Filter.Custom', array(new HTMLPurifier_Filter_MyIframe()));

答案 2 :(得分:4)

对于任何挣扎的人(如何启用iframe和allowfullscreen)

    $config = \HTMLPurifier_Config::createDefault();
    $config->set('HTML.SafeIframe', true);
    $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); //allow YouTube and Vimeo
    // This line is important allow iframe in allowed elements or it will not work    
    $config->set('HTML.AllowedElements', array('iframe'));// <-- IMPORTANT
    $config->set('HTML.AllowedAttributes','iframe@src,iframe@allowfullscreen');

    $def = $config->getHTMLDefinition(true);
    $def->addAttribute('iframe', 'allowfullscreen', 'Bool');

    $purifier = new \HTMLPurifier($config);
    $purifiedHtml = $purifier->purify($html);

答案 3 :(得分:3)

这应该可以解决问题

$text = "<iframe width='560' height='315' src='//www.youtube.com/embed/RGLI7QBUitE?autoplay=1' frameborder='0' allowfullscreen></iframe>";

require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Trusted', true);
$config->set('Filter.YouTube', true);

echo $purifier->purify($text);

答案 4 :(得分:0)

摆脱%HTML.Trusted,%Filter.YouTube和%HTML.DefinitionID。他们可能与SafeObject / FlashCompat的交互不佳。

答案 5 :(得分:0)

使用drupal 7.19和htmlpurifier模块,您可以配置以下设置,而无需编写此代码。

请参阅http://drupal.org/node/711728#comment-5600344

答案 6 :(得分:0)

另外不要忘记设置

URI.DisableExternalResources: false

如果您之前已将其设置为true

答案 7 :(得分:0)

基于混响的回答,我意识到由于某种原因这行

$def->addAttribute('iframe', 'allowfullscreen', 'Bool');

无法正常工作而不是

allowfullscreen="allowfullscreen"

HTMLPurifier正在输出

allowfullscreen=""

虽然documentation表示Bool - Boolean attribute, with only one valid value: the name of the attribute,但我尝试使用Enum代替:

$def->addAttribute('iframe', 'allowfullscreen', 'Enum#allowfullscreen');

第三个参数表示allowfullscreen属性只有正确的值 - allowfullscreen,其他所有内容都将被忽略。这样,我们就会遇到与Bool相同的行为。幸运的是,它对我有用。

也许这个解决方案可以帮助别人。

相关问题
最新问题