ezyang / htmlpurifier

Standards compliant HTML filter written in PHP
http://htmlpurifier.org
GNU Lesser General Public License v2.1

Add %HTML.Forms config directive #260

Closed xemlock closed 4 years ago

xemlock commented 4 years ago

The %HTML.Forms directive enables Forms module regardless of the %HTML.Trusted value. This adds support for form elements without enabling other unsafe modules, such as Scripts, Iframe or Object.

To achieve the same effect without this directive one has to explicitly list all enabled modules in %HTML.AllowedModules, and any not listed will be removed. This however is not very convenient, as the allowed modules may vary between doctypes.

Resolves #213.

glensc commented 4 years ago

@xemlock can you post an example, in regard to #213, of how this is supposed to be used?

i.e. currently I have:

xemlock commented 4 years ago

Hi @glensc, it should be sufficient to replace these lines in your example:

$config->set('HTML.Trusted', true);
$config->set('HTML.ForbiddenElements', ['script', 'noscript']);

with the following:

$config->set('HTML.Forms', true);

I'm also currently working on another PR that would allow you to narrow the allowed input types.
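The contrast the PR description and the reply above draw, as an added illustration that is not part of the PR or of the project's own test suite: it assumes HTML Purifier is loaded via Composer and that the %HTML.Forms directive from this PR is available, and compares the old "trust everything, then forbid script" workaround with the new directive on a constructed input.

```php
<?php
// Added example, not project code. Assumes HTML Purifier with %HTML.Forms
// support installed through Composer.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed sample input: a form (wanted) next to markup that untrusted
// input should never be allowed to keep.
$untrusted = '<form action="/subscribe" method="post">'
    . '<input type="text" name="email">'
    . '<button type="submit">Subscribe</button>'
    . '</form>'
    . '<script>alert(1)</script>'
    . '<iframe src="https://example.invalid/"></iframe>'
    . '<object data="movie.swf"></object>';

// Helper: build a config from an array of directives and purify one string.
function purifyWith(array $directives, string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    foreach ($directives as $key => $value) {
        $config->set($key, $value);
    }
    return (new HTMLPurifier($config))->purify($html);
}

// The workaround from the thread: %HTML.Trusted enables every unsafe module
// (Scripting, Iframe, Object, Forms), so only the explicitly forbidden
// elements are removed; iframe and object still get through.
$viaTrusted = purifyWith([
    'HTML.Trusted'           => true,
    'HTML.ForbiddenElements' => ['script', 'noscript'],
], $untrusted);

// With %HTML.Forms only the Forms module is added on top of the untrusted
// defaults, so script, iframe and object are dropped while the form survives.
$viaForms = purifyWith(['HTML.Forms' => true], $untrusted);

// Report which tags survived under each configuration.
foreach (['form', 'input', 'button', 'script', 'iframe', 'object'] as $tag) {
    printf(
        "%-7s Trusted+Forbidden: %-8s HTML.Forms: %s\n",
        $tag,
        strpos($viaTrusted, "<$tag") !== false ? 'kept' : 'removed',
        strpos($viaForms, "<$tag") !== false ? 'kept' : 'removed'
    );
}
```

Run it from the project root with `php example.php`; the form, input and button rows should read "kept" in both columns, while iframe and object should read "kept" only under the Trusted workaround.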