How can I allow elements with HTML Purifier?
I have tried `$config->set('HTML.Allowed', 'audio');`, but now it will delete all other elements including `<p>`, `<br>` etc.

I then tried `$def->addAttribute('audio', 'src', 'CDATA');` but it's not working.
`HTML.Allowed` is a whitelist of all allowed tags, so what you presumably want to do is concatenate `$config->get('HTML.Allowed')` with `,audio` as a value.
That said, HTML Purifier's approach to security is HTML flavour aware - as in, rather than just whitelist tags and attributes, it also ensures that tags make sense in the context they're in and attribute values look as expected, which means it has to actually understand the HTML definition you're feeding it. For example, you don't want a `<td>`-tag embedded in a `<div>`-tag, that makes no sense; and you wouldn't want `width="foo"` in your HTML, that also makes no sense.
Since as far as I know, HTML Purifier still does not yet know its way around HTML5, the `<audio>` tag is probably not one it is inherently aware of. You'll have to look at the "Customize!" end-user documentation, where it will tell you how to add tags and attributes that HTML Purifier is not aware of.
To quote the most vivid code example from the linked documentation (this code teaches HTML Purifier about the `<form>` tag):
Time for some code:
```php
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);

[...]

$form = $def->addElement(
    'form',   // name
    'Block',  // content set
    'Flow',   // allowed children
    'Common', // attribute collection
    array(    // attributes
        'action*' => 'URI',
        'method'  => 'Enum#get|post',
        'name'    => 'ID'
    )
);
$form->excludes = array('form' => true);
```
Each of the parameters corresponds to one of the questions we asked. Notice that we added an asterisk to the end of the action attribute to indicate that it is required. If someone specifies a form without that attribute, the tag will be axed. Also, the extra line at the end is a special extra declaration that prevents forms from being nested within each other.
Once you've followed those instructions to make your purifying routine aware of `<audio>`, adding the tag `<audio>` to your configuration whitelist will work.