1

Topic: Configuration problem with example

Dear Patnaik,

Your program helped me a great deal in speeding up the development of my new website, because when it comes to processing and cleaning input you want the best there is... so thanks a lot for making it available to everyone.

I have a couple of questions, if I may:
I set the configuration as follows on my website:

    $html_config_full = array(
        'balance'=>1, 'cdata'=>1, 'clean_ms_char'=>0, 'comment'=>1,
        'css_expression'=>0,
        'elements'=>'a, br, b, blockquote, em, font, li, ol, p, pre, s, big, small, span, strike, strong, sub, sup, tt, u, ul',
        'hexdec_entity'=>0, 'keep_bad'=>0, 'no_deprecated_attr'=>2,
        'make_tag_strict'=>2, 'safe'=>1, 'tidy'=>1, 'valid_xhtml'=>1,
        'deny_attribute'=>'on*'
    );

    $output = htmLawed(trim($input), $html_config_full);

and this is the HTML code with all the attributes I want to allow:

<p align="left" dir="ltr">I like <sup>to</sup> see a <span style="font-family: courier new,courier;"><strike>man</strike> proud of <span style="color: #008000;">the place i</span>n</span> which <sub>he</sub> <span style="font-size: x-large;">lives</span>.</p>
<p>&nbsp;</p>
<p align="right" dir="rtl">I <span style="font-size: x-large;">like to <u>see</u> a <b>man</b> <span style="color: #993366;">live so that his place</span> will be proud</span> of <a href="http://ted.com">him</a></p>
<ol>
<li>thank you</li>
<li>mr patnaik</li>
<li>For this Life Saving program</li>
</ol>
<p align="center"><span style="color: #993366;"><b>The best thing about the future is that it comes only one day at a time</b></span></p>
<ul>
<li>all the best,</li>
<li>ahmed</li>
</ul>

and this is the HTML that TinyMCE is allowed to produce (its valid_elements setting):

        "a[href]," +
        "b[],"+
        "blockquote[],"+
        "em[],"+
        "li[dir],"+
        "ol[dir],"+
        "ul[dir],"+
        "p[align|dir],"+
        "pre[],"+
        "s[],"+
        "small[],"+
        "big[],"+
        "span[style|text-align|dir|font-color|font-weight|font-family|color|direction],"+
        "strike[],"+
        "strong[],"+
        "sub[],"+
        "sup[],"+
        "tt[],"+
        "u[]",

but the result I get is this:

<p dir="" style="text-align: ;">I like <sup>to</sup> see a <span style=""><span style="text-decoration: line-through;">man</span> proud of <span style="">the place i</span>n</span> which <sub>he</sub> <span style="">lives</span>.</p>

<p>&nbsp;</p>
<p dir="" style="text-align: ;">I <span style="">like to <span style="text-decoration: underline;">see</span> a <b>man</b> <span style="">live so that his place</span> will be proud</span> of <a href="">him</a></p>
<ol>
 <li>thank you</li>

 <li>mr patnaik</li>
 <li>For this Life Saving program</li>
</ol>
<p style="text-align: ;"><span style=""><b>The best thing about the future is that it comes only one day at a time</b></span></p>
<ul>
 <li>all the best,</li>
 <li>ahmed</li>
</ul>

Please help,
where did I go wrong?
Because really, I only learned PHP and MySQL recently; I've been studying for a year and a half now just to make my own website the way I want it.

regards,

2

Re: Configuration problem with example

I tried your input example and htmLawed settings on the htmLawed demo site. The result was what one expects. I suspect the code you are using does not 'stripslash' the input appropriately. From the htmLawed documentation:

Note: If input is from a $_GET or $_POST value, and magic quotes are enabled on the PHP setup, run stripslashes() on the input before passing to htmLawed.

Another thing to note is that some of the settings you have are default htmLawed ones, and there is no need to specify them. The $config can thus be reduced to:

$config = array(
    'cdata'=>1, 'comment'=>1,
    'elements'=>'a, br, b, blockquote, em, font, li, ol, p, pre, s, big, small, span, strike, strong, sub, sup, tt, u, ul',
    'hexdec_entity'=>0, 'keep_bad'=>0, 'no_deprecated_attr'=>2,
    'make_tag_strict'=>2, 'safe'=>1, 'tidy'=>1, 'valid_xhtml'=>1
);
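The following is an added example and not code from this thread or from htmLawed itself. It shows the magic-quotes symptom this reply describes, with the reduced $config above, and applies the stripslashes() rule the documentation quotes only when PHP actually added the slashes. It assumes htmLawed.php (1.1.x) sits beside the script; the sample input is constructed from the first paragraph of the original post.

```php
<?php
// Added example, not from the thread or from htmLawed: demonstrate the
// magic-quotes problem and the conditional stripslashes() fix.
// Assumption: htmLawed.php (htmLawed 1.1.x) is in the same directory.
require_once 'htmLawed.php';

// The reduced $config from this reply, unchanged.
$config = array(
    'cdata'=>1, 'comment'=>1,
    'elements'=>'a, br, b, blockquote, em, font, li, ol, p, pre, s, big, small, span, strike, strong, sub, sup, tt, u, ul',
    'hexdec_entity'=>0, 'keep_bad'=>0, 'no_deprecated_attr'=>2,
    'make_tag_strict'=>2, 'safe'=>1, 'tidy'=>1, 'valid_xhtml'=>1,
);

// Read a POSTed field and undo magic quotes only when PHP applied them.
// get_magic_quotes_gpc() always returns false from PHP 5.4 on and no longer
// exists in PHP 8, hence the function_exists() guard. Calling stripslashes()
// unconditionally would instead eat legitimate backslashes typed by the user.
function post_field($name) {
    $value = isset($_POST[$name]) ? $_POST[$name] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed sample: the first paragraph of the original post as magic
// quotes would deliver it, i.e. with a backslash before every double quote
// (PHP single-quoted strings keep the \" sequence literally).
$with_slashes = '<p align=\"left\" dir=\"ltr\">I like <span style=\"color: #008000;\">the place</span></p>';

// Passing the slashed text straight in hands htmLawed \" instead of ", the
// cause suspected in this reply for the empty dir="" / style="" attributes.
echo htmLawed(trim($with_slashes), $config), "\n";

// Stripping the slashes first lets htmLawed see the real attribute values.
echo htmLawed(trim(stripslashes($with_slashes)), $config), "\n";

// In a real form handler the helper makes that decision for you:
// $output = htmLawed(trim(post_field('body')), $config);
```

Note that 'no_deprecated_attr'=>2 is what turns the align attribute into style="text-align: left;", so the style="text-align: ;" in the posted output is the same quoting problem, not a separate configuration error.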

3

Re: Configuration problem with example

Ah :$, it worked like magic.

Thank you, thank you. I really tried my best to read everything in the manual; I hope I haven't wasted your time.

I have one more question, if you may: I see in many examples that the style attribute is denied by some in their config, so I thought I should also deny the style attribute. I used the font tag and had htmLawed transform it to style, but then when I edit the data again you find that the text has style instead of the font tag, which is then removed, and I end up having to restyle the text again.

For instance: can I have a whitelist of attributes that I want and have the rest of the attributes stripped away? No need for them.

Thanks a lot for your time,

4

Re: Configuration problem with example

You mention an important observation. Indeed, htmLawed will convert 'font' to 'span' with a 'style' attribute. When 'style' is not permitted, re-editing will remove the 'style' from 'span'.

One can selectively disallow 'style' as well as other attributes using the setting 'deny_attribute'. But for a white-list use, you have to use the '$spec' parameter (see documentation). Note that if you have a lot of tags (elements) and attributes to handle, it can be a little bit of work to compose the '$spec' value.

There is another thing to think of. Say, 'style' is permitted in 'span' (for taking care of the re-editing issue you mention). Then a user can possibly misuse it to sneak in styling that goes against your desires. This, however, may not be an issue for you. Otherwise, if you can write custom PHP code, you may be able to use the hook_tag functionality to take care of it.

Finally, if TinyMCE is the input editor, why don't you just disallow 'font'?

5

Re: Configuration problem with example

Thank you. Well, I disallowed the font tag now and it is using style instead, and all is good, but I fear what you said about users having styles that are either dangerous (if I allow style?!) or undesired, meaning having border-top for example, or background-color, or background-image from a remote site ;(. Now, at least from what I understand, I can make a $spec variable and have any tag with its allowed attributes, and I can leave their values blank, right? So, as I understand it, I cannot set the sub-attributes of an attribute like style? Because I did not find that in the $spec examples in the documentation. Please forgive me, for I am not well educated when it comes to web development terms.

regards,

6

Re: Configuration problem with example

I will give some clarifications.

In HTML standards, all tags can have only some specific attributes. There is an appendix in the htmLawed documentation which details that. When $spec or 'deny_attribute' is not specified, htmLawed will follow the standards, removing any rule-breaking attributes in the tag content (like 'cellpadding' inside 'a').

With 'deny_attribute' one can disallow attributes from all tags. E.g., with 'id' in 'deny_attribute', no tag will end up with an 'id'.

With $spec, tag-specific attribute restriction can be done (note that $spec does other things too, like checking the value of an attribute). Tags you don't want to worry about need not be mentioned in $spec.

Thus, to deny 'id' and 'style' for all tags, and to allow only 'src' and 'alt' for 'img' tag, disallow 'rel' for 'a' tag, and allow only 'class' for 'span', you can use:

$config = array('deny_attribute'=>'id, style', ... );
$spec = 'img=-*, src, alt; a=-rel; span=-*, class;';

Currently, it is not possible to bypass an effect of 'deny_attribute' through $spec. E.g., with 'style' in 'deny_attribute', 'style' for 'span' will be removed even if $spec specifies otherwise (like, 'span=style, ...').

7

Re: Configuration problem with example

Thanks a lot for the clarification. I appreciate all the effort you put into htmLawed and the time you take now to help others.
I understand that I can allow the span tag and allow the style attribute, but I cannot specify which sub-attributes (if I can call them that), like I want span -> style -> font-size, font-family and color only.

Thank you for your time, Mr Patnaik.
all the best to you,

8

Re: Configuration problem with example

htmLawed does not finely scan CSS properties ('sub-attributes') in 'style' attribute values (except to look for dynamic expressions and URLs).

However, you can use the 'hook_tag' functionality to make it do so. This forum post -- bioinformatics.org/phplabware/forum/viewtopic.php?id=67 -- has an example.

9

Re: Configuration problem with example

I read about the hook function; it will take me a while to understand and utilize that example to my benefit, but until then I suppose the settings you suggested are quite OK to start with. I can just go ahead and be sure that what I already have is safe, thanks to you ;)


Thank you for your time, and have a nice day,

10

Re: Configuration problem with example

patnaik wrote:

Currently, it is not possible to bypass an effect of 'deny_attribute' through $spec. E.g., with 'style' in 'deny_attribute', 'style' for 'span' will be removed even if $spec specifies otherwise (like, 'span=style, ...').

The new htmLawed release (1.1.7) now allows one to over-ride 'deny_attribute' effects through '$spec'. Thus, a globally denied attribute can be permitted element-specifically.
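The following is an added example, not code from this thread or from htmLawed. It ties together the three points made above: 'deny_attribute' switches style off everywhere (post 6), $spec switches it back on for span only (this post, htmLawed 1.1.7 or later), and a 'hook_tag' callback does the fine-grained CSS property check that htmLawed itself does not do (post 8), keeping only the font-size, font-family and color properties asked for in post 7. The hook's calling convention (element name plus attribute array for an opening tag, element name alone for a closing tag, with the hook returning the finished tag string) follows the htmLawed documentation; the function name span_style_hook, the property list and the value patterns are this example's own choices, and it assumes htmLawed.php (1.1.7+) sits beside the script.

```php
<?php
// Added example, not from the thread or from htmLawed: global style denial,
// element-specific re-allow through $spec, and a hook_tag CSS whitelist.
// Assumption: htmLawed.php (htmLawed >= 1.1.7) is in the same directory.
require_once 'htmLawed.php';

// CSS properties a user may set on <span>, each with a strict value pattern.
// Quotes, parentheses, backslashes and semicolons cannot pass any pattern, so
// url(), expression(), @import and escaped characters never reach the output.
// Quoted font names such as 'Courier New' are dropped as a consequence.
function css_whitelist() {
    return array(
        'color'       => '/^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{3,20})$/i',
        'font-size'   => '/^([0-9]{1,3}(\.[0-9]+)?(px|pt|em|%)|xx-small|x-small|small|medium|large|x-large|xx-large)$/i',
        'font-family' => '/^[a-z0-9 ,-]{1,60}$/i',
    );
}

// Rebuild a style value from the whitelist. Unknown properties (border-top,
// background-image, ...) and malformed values are dropped; returns '' when
// nothing survives so the caller can remove the attribute altogether.
function filter_style($style) {
    $allowed = css_whitelist();
    $kept = array();
    foreach (explode(';', $style) as $decl) {
        if (strpos($decl, ':') === false) continue;
        list($prop, $val) = explode(':', $decl, 2);
        $prop = strtolower(trim($prop));
        $val  = trim($val);
        if (isset($allowed[$prop]) && preg_match($allowed[$prop], $val)) {
            $kept[$prop] = $prop . ': ' . $val . ';';   // one entry per property
        }
    }
    return implode(' ', $kept);
}

// hook_tag callback (name is this example's choice). htmLawed has already
// validated attribute names and lower-cased them; values are written back as
// received, with any stray double quote entity-encoded (idempotent if htmLawed
// already encoded it).
function span_style_hook($element, $attrs = 0) {
    if (!is_array($attrs)) {              // closing tag: no attribute array
        return "</$element>";
    }
    if ($element === 'span' && isset($attrs['style'])) {
        $clean = filter_style($attrs['style']);
        if ($clean === '') {
            unset($attrs['style']);
        } else {
            $attrs['style'] = $clean;
        }
    }
    $out = '<' . $element;
    foreach ($attrs as $name => $value) {
        $out .= ' ' . $name . '="' . str_replace('"', '&quot;', $value) . '"';
    }
    // br is the only empty element in the list below; XHTML needs the slash.
    return $out . ($element === 'br' ? ' /' : '') . '>';
}

$config = array(
    'safe' => 1, 'valid_xhtml' => 1, 'tidy' => 1,
    'elements' => 'a, br, b, em, li, ol, p, span, strong, sub, sup, u, ul',
    'deny_attribute' => 'style',          // style off for every element ...
    'hook_tag' => 'span_style_hook',
);
$spec = 'span=style';                     // ... except span (htmLawed >= 1.1.7)

// Constructed sample: a styled <p> (must lose its style), and a span mixing
// wanted properties with a remote background image and an expression.
$sample = '<p style="border-top: 1px solid red">I like '
        . '<span style="color: #993366; background-image: url(http://example.invalid/a.png); '
        . 'width: expression(alert(1)); font-size: x-large; font-family: courier new,courier">'
        . 'to see</span> a man</p>';

echo htmLawed($sample, $config, $spec), "\n";
```

Because the hook rebuilds the style value from its own whitelist rather than deleting offending parts, an attacker cannot smuggle a property past it with spacing, case or comment tricks: anything the patterns do not positively recognise simply never gets written.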

11

Re: Configuration problem with example

You are kind enough to reply to this topic.
Thank you, I will use it to deny style from all elements but the span tag.

All the best,
Ahmed