1

Topic: Allowing bitcoin and magnet URI scheme

How I can set to allow use of 'bitcoin' and 'magnet' scheme/protocol in 'href' attribute of an 'a' element?

I've tried this:

'schemes' => '*:http,https; href:magnet,bitcoin'

But don't work.

2

Re: Allowing bitcoin and magnet URI scheme

The value for 'schemes' is not appropriately set.

When an attribute is explicitly listed in the value, then filtering is dictated by the setting for the attribute, with no effect of the setting for *. That is, the set of attributes that * refers to no longer includes the listed attribute. In your case, to allow 'http' and 'https' in 'href', you will have to include them in the setting for 'href'. The htmLawed documentation indicates this. May be I need to clarify it.

//// Effect of various values for 'schemes'

//// INPUT

<a href="magnet:?xt=urn:btih:xyz">Magnet link</a>
<a href="bitcoin:xyz">Bitcoin link</a>
<a href="http://xyz">HTTP link</a>
<img src="http://xyz" alt="image" />

//// OUTPUTS

// *:http, https; href:magnet, bitcoin
<a href="magnet:?xt=urn:btih:xyz">Magnet link</a>
<a href="bitcoin:xyz">Bitcoin link</a>
<a href="denied:http://xyz">HTTP link</a>
<img src="http://xyz" alt="image" />

// *:http, https; href:magnet, bitcoin, http, https
<a href="magnet:?xt=urn:btih:xyz">Magnet link</a>
<a href="bitcoin:xyz">Bitcoin link</a>
<a href="http://xyz">HTTP link</a>
<img src="http://xyz" alt="image" />

// *:https; href:magnet, bitcoin, http
<a href="magnet:?xt=urn:btih:xyz">Magnet link</a>
<a href="bitcoin:xyz">Bitcoin link</a>
<a href="http://xyz">HTTP link</a>
<img src="denied:http://xyz" alt="image" />

// href:magnet, bitcoin, http
<a href="magnet:?xt=urn:btih:xyz">Magnet link</a>
<a href="bitcoin:xyz">Bitcoin link</a>
<a href="http://xyz">HTTP link</a>
<img src="http://xyz" alt="image" />

// *:*
<a href="magnet:?xt=urn:btih:xyz">Magnet link</a>
<a href="bitcoin:xyz">Bitcoin link</a>
<a href="http://xyz">HTTP link</a>
<img src="http://xyz" alt="image" />

// href:!
<a href="denied:magnet:?xt=urn:btih:xyz">Magnet link</a>
<a href="denied:bitcoin:xyz">Bitcoin link</a>
<a href="denied:http://xyz">HTTP link</a>
<img src="http://xyz" alt="image" />

// (no value specified)
<a href="denied:magnet:?xt=urn:btih:xyz">Magnet link</a>
<a href="denied:bitcoin:xyz">Bitcoin link</a>
<a href="http://xyz">HTTP link</a>
<img src="http://xyz" alt="image" />

3

Re: Allowing bitcoin and magnet URI scheme

Thanks for answer.
I've tried your solutions but no one don't work :(

Here's my full config:

$config = array(
    'safe' => true,
    'comment' => 1,
    'cdata' => 1,
    'deny_attribute' => 'class, on*',
    'schemes' => 'href:http,https,magnet,bitcoin',
);

Of course, I've tried all above your suggestions also: nothing...

Where i wrong?

4

Re: Allowing bitcoin and magnet URI scheme

I am not sure. Are you using the current version of htmLawed? Is the htmLawed deployed through a module? E.g., are you using htmLawed in Drupal through a module? Or is the htmLawed code used in code that you have written? It seems there is some bug in how htmLawed is getting called. The config. value that you are using is okay, and htmLawed works as expected (test code below).

$in = '
   <a href="magnet:?xt=urn:btih:xyz">Magnet link</a>
   <a href="bitcoin:xyz">Bitcoin link</a>
   <a href="http://xyz">HTTP link</a>
   <img src="http://xyz" alt="image" />
';

$config = array(
   'safe' => true,
   'comment' => 1,
   'cdata' => 1,
   'deny_attribute' => 'class, on*',
   'schemes' => 'href:http,https,magnet,bitcoin'
);

include('htmLawed.php');
echo
   'INPUT<br>',
   htmlspecialchars($in),
   '<br>OUTPUT<br>',
   htmlspecialchars(htmLawed($in, $config))
;