mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 16:31:53 +00:00
Code Releases Activity
2df5896324
htmlpurifier/docs/config-ideas.txt
Edward Z. Yang 2df5896324 [1.2.0] Add more projected URI control values. 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@523 48356398-32a2-884e-a903-53898d9a118a
2006-11-12 04:02:27 +00:00

57 lines
2.4 KiB
Plaintext
Raw Blame History

Configuration Ideas
Here are some theoretical configuration ideas that we could implement some
time. Note the naming convention: %Namespace.Directive
%Attr.IDPrefix - prefix all ids with this
%Attr.RewriteFragments - if there's %Attr.IDPrefix we may want to transparently
rewrite the URLs we parse too. However, we can only do it when it's a pure
anchor link, so it's not foolproof
%Attr.ClassBlacklist,
%Attr.ClassWhitelist,
%Attr.ClassPolicy - determines what classes are allowed. When
%Attr.ClassPolicy is set to Blacklist, only allow those not in
%Attr.ClassBlacklist. When it's Whitelist, only allow those in
%Attr.ClassWhitelist.
%Attr.LangAlphaOnly - designate whether or not to allow numerals in language
code subtags
* RFC 1766, the current standard referenced by XML, does not permit
numbers, but,
* RFC 3066, the superseding best practice standard since January 2001,
permits them.
We allow numbers by default, but you generally never see them
at all, which makes this a little more sane.
%Attr.MaxWidth,
%Attr.MaxHeight - caps for width and height related checks.
(a hack in Pixels for an image crashing attack could be replaced by this)
%URI.Munge - will munge all URIs to a different URI, which should redirect
the user to the applicable page. A urlencoded version of the URI
will replace any instances of %s in the string. One possible
string is 'http://www.google.com/url?q=%s'. Useful for preventing
pagerank from being sent to other sites
%URI.AddRelNofollow - will add rel="nofollow" to all links, preventing the
spread of ill-gotten pagerank
%URI.RelativeToAbsolute - transforms all relative URIs to absolute form
%URI.HostBlacklist - strings that if found in the host of a URI are disallowed
%URI.HostBlacklistRegex - regexes that if matching the host are disallowed
%URI.HostWhitelist - domain names that are excluded from the host blacklist
%URI.HostPolicy - determines whether or not its reject all and then whitelist
or allow all in then do specific blacklists with whitelist intervening.
'DenyAll' or 'AllowAll' (default)
%URI.DisableIPHosts - URIs that have IP addresses for hosts are disallowed.
Be sure to also grab unusual encodings (dword, hex and octal)
%URI.DisableExternalResources - disallow resource links (i.e. URIs that result
in immediate requests, such as src in IMG) to external websites
View Git Blame Copy Permalink