0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-01-03 05:11:52 +00:00

Add %HTML.Forms config directive (#260)

The %HTML.Forms directive enables Forms module regardless of the %HTML.Trusted
value. This adds support for form elements without enabling other unsafe
modules, such as Scripts, Iframe or Object.

To achieve the same effect without this directive one has to explicitly list
all enabled modules in %HTML.AllowedModules, and any not listed will be
removed. This however is not very convenient, as the allowed modules may vary
between doctypes.

Resolves #213.
This commit is contained in:
Mateusz Turcza 2020-06-29 02:26:33 +02:00 committed by GitHub
parent d148edbcf1
commit 3bdc031224
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 28 additions and 1 deletions

View File

@ -480,6 +480,11 @@
<line>330</line> <line>330</line>
</file> </file>
</directive> </directive>
<directive id="HTML.Forms">
<file name="HTMLPurifier/HTMLModule/Forms.php">
<line>31</line>
</file>
</directive>
<directive id="HTML.SafeIframe"> <directive id="HTML.SafeIframe">
<file name="HTMLPurifier/HTMLModule/Iframe.php"> <file name="HTMLPurifier/HTMLModule/Iframe.php">
<line>28</line> <line>28</line>

File diff suppressed because one or more lines are too long

View File

@ -0,0 +1,11 @@
HTML.Forms
TYPE: bool
VERSION: 4.13.0
DEFAULT: false
--DESCRIPTION--
<p>
Whether or not to permit form elements in the user input, regardless of
%HTML.Trusted value. Please be very careful when using this functionality, as
enabling forms in untrusted documents may allow for phishing attacks.
</p>
--# vim: et sw=4 sts=4

View File

@ -28,6 +28,10 @@ class HTMLPurifier_HTMLModule_Forms extends HTMLPurifier_HTMLModule
*/ */
public function setup($config) public function setup($config)
{ {
if ($config->get('HTML.Forms')) {
$this->safe = true;
}
$form = $this->addElement( $form = $this->addElement(
'form', 'form',
'Form', 'Form',

View File

@ -161,6 +161,13 @@ class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness
$this->assertResult('<form action=""><input align="left" /></form>'); $this->assertResult('<form action=""><input align="left" /></form>');
} }
public function testHTMLFormsConfigDirective()
{
$this->config->set('HTML.Trusted', false);
$this->config->set('HTML.Forms', true);
$this->assertResult('<form action="..." method="post"><input type="text" /><textarea cols="20" rows="3"></textarea></form>');
}
} }
// vim: et sw=4 sts=4 // vim: et sw=4 sts=4