Add %HTML.Forms config directive (#260)
The %HTML.Forms directive enables the Forms module regardless of the %HTML.Trusted value. This adds support for form elements without enabling other unsafe modules, such as Scripts, Iframe or Object. To achieve the same effect without this directive, one has to explicitly list all enabled modules in %HTML.AllowedModules, and any module not listed will be removed. This however is not very convenient, as the allowed modules may vary between doctypes. Resolves #213.
parent
d148edbcf1
commit
3bdc031224
@ -480,6 +480,11 @@
|
||||
<line>330</line>
|
||||
</file>
|
||||
</directive>
|
||||
<directive id="HTML.Forms">
|
||||
<file name="HTMLPurifier/HTMLModule/Forms.php">
|
||||
<line>31</line>
|
||||
</file>
|
||||
</directive>
|
||||
<directive id="HTML.SafeIframe">
|
||||
<file name="HTMLPurifier/HTMLModule/Iframe.php">
|
||||
<line>28</line>
|
||||
|
File diff suppressed because one or more lines are too long
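--- a/library/HTMLPurifier/ConfigSchema/schema/HTML.Forms.txt
+++ b/library/HTMLPurifier/ConfigSchema/schema/HTML.Forms.txt
@@ -0,0 +1,11 @@
+HTML.Forms
+TYPE: bool
+VERSION: 4.13.0
+DEFAULT: false
+--DESCRIPTION--
+<p>
+Whether or not to permit form elements in the user input, regardless of
+%HTML.Trusted value. Please be very careful when using this functionality, as
+enabling forms in untrusted documents may allow for phishing attacks.
+</p>
+--# vim: et sw=4 sts=4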
@ -28,6 +28,10 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
|
||||
*/
|
||||
public function setup($config)
|
||||
{
|
||||
if ($config->get('HTML.Forms')) {
|
||||
$this->safe = true;
|
||||
}
|
||||
|
||||
$form = $this->addElement(
|
||||
'form',
|
||||
'Form',
|
||||
|
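Review bot: The new `if ($config->get('HTML.Forms'))` block at the top of setup() flips `$this->safe` to true with no comment, although that flag is exactly what decides whether an untrusted document keeps this module, so a later reader could mistake it for dead state. A one-line why-comment such as `// %HTML.Forms opts this module in for untrusted input; without it the module is dropped because safe defaults to false` would make the security intent explicit, with the wording hedged on where `safe` is consumed, since that code is not in this hunk. The usage index earlier on this page records %HTML.SafeIframe being read from Iframe.php, which looks like the same opt-in pattern, and naming that precedent in the comment would help reviewers verify the two stay consistent. The remainder of setup() continues past the end of the hunk.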
@ -161,6 +161,13 @@ class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness
|
||||
$this->assertResult('<form action=""><input align="left" /></form>');
|
||||
}
|
||||
|
||||
public function testHTMLFormsConfigDirective()
|
||||
{
|
||||
$this->config->set('HTML.Trusted', false);
|
||||
$this->config->set('HTML.Forms', true);
|
||||
|
||||
$this->assertResult('<form action="..." method="post"><input type="text" /><textarea cols="20" rows="3"></textarea></form>');
|
||||
}
|
||||
}
|
||||
|
||||
// vim: et sw=4 sts=4
|
||||
|
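Review bot: testHTMLFormsConfigDirective covers only the opt-in path (HTML.Trusted false, HTML.Forms true); nothing pins that the default value of HTML.Forms still strips form elements from untrusted input, so a regression that turned the opt-in into an opt-out would pass this suite. A companion method beside it should leave HTML.Trusted false, set HTML.Forms false explicitly, and assert the form is removed; the exact expected output depends on how the harness renders dropped elements, so the value below is a placeholder to confirm. The added method is also followed directly by the class's closing brace with no separating blank line, which is worth aligning with the surrounding tests.
```php
    public function testHTMLFormsDisabledByDefault()
    {
        $this->config->set('HTML.Trusted', false);
        $this->config->set('HTML.Forms', false);
        // EXPECTED_OUTPUT is a placeholder: confirm what the harness yields once <form>/<input> are stripped
        $this->assertResult('<form action="..." method="post"><input type="text" /></form>', 'EXPECTED_OUTPUT');
    }
```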