Htmlpurifier Iframe Vimeo and Youtube Video

HTMLPurifier Removing Allowfullscreen From YouTube Videos

"allowfullscreen" is not an attribute HTML Purifier inherently recognises for IFrames, which means that if you want to support it, you will need to customise your HTML Purifier module. Something like this should do it (this code was not tested, but should set you on the right path):

$config = HTMLPurifier_Config::createDefault();
// ...
$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);
$def->addAttribute('iframe', 'allowfullscreen', 'Bool');

See if that helps you any? Some additional considerations were posted in this answer from 2016 here on Stack Overflow, if you notice yourself getting stuck (but beware that if you use the HTML.AllowedElements and HTML.AllowedAttributes configurations, those are complete whitelists - if you use those directives to whitelist only iframe, any other HTML tags will be stripped).

HTMLPurifier stripping out YouTube

There were two issues with my original code. First, the regex was invalid - it did not account for http:. That was replaced with '%^(https?:)?(\/\/www\.youtube(?:-nocookie)?\.com\/embed\/|\/\/player\.vimeo\.com\/)%'

Secondly, $config->set('AutoFormat.RemoveEmpty', true); appears to be removing the iframe (which makes sense). Adding the following fixed this:

$config->set('AutoFormat.RemoveEmpty.Predicate', [
    'iframe' => array(
        0 => 'src',
    ),
]);

Thanks to Edward Yang for his help on this!

HTML Purifier - iframe and scripts

You were half on the right track. If you set HTML.SafeIframe to true and URI.SafeIframeRegexp to the URLs you want to accept (%^https://(www.youtube.com/embed/|player.vimeo.com/video/)% works fine), an input example of:

<p>content...<p>
<iframe src="https://www.youtube.com/embed/blep"></iframe>
<script>alert('abc');</script>
<p>content2</p>

...turns into...

<p>content...</p><p>
<iframe src="https://www.youtube.com/embed/blep"></iframe>

</p><p>content2</p>

Explanation: HTML.SafeIframe allows the <iframe> tag, but HTML Purifier still expects a whitelist for the URLs that the iframe can contain, since otherwise an <iframe> opens too much malicious potential. URI.SafeIframeRegexp supplies the whitelist (in the form of a regex that needs to be matched).

See if that works for you!

Code

This is the code that made the transformation I just mentioned:

$dirty = '<p>content...<p>
<iframe src="https://www.youtube.com/embed/blep"></iframe>
<script>alert(\'abc\');</script>
<p>content2</p>';

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeIframe', true);
// Escaped dots match only a literal "." in the host name.
$config->set('URI.SafeIframeRegexp', '%^https://(www\.youtube\.com/embed/|player\.vimeo\.com/video/)%');

$purifier = new HTMLPurifier($config);

$clean = $purifier->purify($dirty);

Regarding HTML.Trusted

I implore you to never set HTML.Trusted to true if you don't fully trust each and every one of the people submitting the HTML.

Amongst other things, it allows forms in your input HTML to survive the purification unmolested, which (if you're purifying for a website, which I assume you are) makes phishing attacks trivial. It allows your input to use style tags which survive unscathed. There are some things it will still strip (any HTML tag that HTML Purifier doesn't actually know anything about, i.e. most HTML5 tags being some of them, various JavaScript attribute handlers as well), but there are enough attack vectors that you might as well not be purifying if you use this directive. As Ambush Commander once put it:

You shouldn't be using %HTML.Trusted anyway; it really ought to be named %HTML.Unsafe or something.
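
An added example (not part of the original answers or of HTML Purifier): a small PHP harness for checking a URI.SafeIframeRegexp allowlist against URLs that must pass and URLs that must not, comparing a pattern with unescaped dots against one with escaped dots. It assumes the pattern is applied with preg_match() to the iframe src; the function name auditIframeAllowlist and all test URLs are constructed for illustration.

```php
<?php
// Added example: regression-check a URI.SafeIframeRegexp allowlist before deploying it.
// Assumption: the pattern is applied with preg_match() to the iframe src string.
// Every URL below is constructed test data; example.test is a placeholder host.

/** Return the src values whose accept/reject result differs from what was expected. */
function auditIframeAllowlist(string $pattern, array $expectations): array
{
    $mismatches = [];
    foreach ($expectations as $src => $shouldAccept) {
        $accepted = preg_match($pattern, $src) === 1;
        if ($accepted !== $shouldAccept) {
            $mismatches[$src] = $accepted ? 'accepted, expected reject' : 'rejected, expected accept';
        }
    }
    return $mismatches;
}

// src => should the allowlist accept it?
$expectations = [
    'https://www.youtube.com/embed/blep'                     => true,
    'https://player.vimeo.com/video/12345'                   => true,
    'http://www.youtube.com/embed/blep'                      => false, // plain http
    '//www.youtube.com/embed/blep'                           => false, // protocol-relative
    'https://wwwxyoutube.com/embed/blep'                     => false, // a different host name
    'https://www.youtube.com.example.test/embed/blep'        => false, // allowed name used as a prefix
    'https://example.test/?u=https://www.youtube.com/embed/' => false, // allowed URL inside a query string
];

$patterns = [
    'unescaped dots' => '%^https://(www.youtube.com/embed/|player.vimeo.com/video/)%',
    'escaped dots'   => '%^https://(www\.youtube\.com/embed/|player\.vimeo\.com/video/)%',
];

foreach ($patterns as $label => $pattern) {
    $mismatches = auditIframeAllowlist($pattern, $expectations);
    printf("%s: %d mismatch(es)\n", $label, count($mismatches));
    foreach ($mismatches as $src => $why) {
        printf("  %s (%s)\n", $src, $why);
    }
}
```

If your editors produce http or protocol-relative embed URLs, flip those expectations to true and widen the scheme part of the pattern rather than the host part.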

Allow embed/object/param HTML tags with HTMLPurifier?

The best solution you have is http://htmlpurifier.org/docs/enduser-youtube.html

Allowing YouTube embed with HTMLPurifier on Laravel 4 and mewebstudio/Purifier

HTMLPurifier already has a filter ready-made for YouTube videos; make sure you use it.

To use it, make sure you have this line in your config:

'Filter.YouTube' => true

Your final config file would look like this:

return array(
    'encoding' => 'UTF-8',
    'finalize' => true,
    'preload' => false,
    'settings' => array(
        'default' => array(
            'HTML.Doctype' => 'XHTML 1.0 Strict',
            'HTML.Allowed' => 'div[style],b,strong,i,em,a[href|title|style],ul,ol,li,p[style],br,span[style],
img[width|height|alt|src],h1[style],h2[style],h3[style],h4[style],h5[style],table[class|style|summary],tr,td[abbr],tbody,thead',
            'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
            'HTML.SafeObject' => true,
            'Output.FlashCompat' => true,
            'HTML.SafeIframe' => true,
            // Escaped dots match only a literal "." in the host name.
            'URI.SafeIframeRegexp' => '%^(http://|https://|//)(www\.youtube\.com/embed/|player\.vimeo\.com/video/)%',
            'AutoFormat.AutoParagraph' => true,
            'AutoFormat.RemoveEmpty' => true,
            'HTML.Nofollow' => true,
            'URI.Host' => 'domain.com',
            'Filter.YouTube' => true
        ),
    ),
);

Yii1 - HtmlPurifier removes allowfullscreen attribute

There is already a useful link which will solve the answer. We need to implement a custom class to allow the "allowfullscreen" attribute. This will add this attribute on purified iframe code.

Reference
http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/
Answered by Sonny
HTMLPurifier iframe Vimeo and Youtube video

Steps

1) Include the class from the above URL.

2) Set Filter.Custom exactly in the way shown in the above URL.

Setting HTML Purifier options can be different in different frameworks.


