1

Topic: Question regarding allowing in-document style tags

While I understand that inline style tags are against the HTML spec, I'm being pushed to allow them within a myspace-like website so that users can add their own styling to their profiles.

htmLawed appears a lot less cumbersome than HTML Purifier and something I could probably dig into and edit to allow the style tag (and perform some validation against).  My main interest isn't really in html validation, but more in XSS neutralizing.

Could you provide any pointers about where I might start and at which levels of parsing I might need to modify to allow this?  Any information would be greatly appreciated.

Thanks for your assistance!

2

Re: Question regarding allowing in-document style tags

Actually, I got that working pretty easily (though I still need to implement sanitization of the style).

Though I do have another question.  I would like to enforce the object tag to have some specific param tags within it (such as allowscriptaccess="never").  This is easy to apply to embed as a required attribute.  But would it be possible to enforce as a tag within object?

Thanks again.

3

Re: Question regarding allowing in-document style tags

htmLawed currently cannot disallow specific elements inside specific parent elements when such a nesting is legal as per the standard specs. In some cases though one can effectively get the same effect by appropriately configuring htmLawed. E.g., since the 'param' element can nest only inside 'applet' and 'object', by denying the 'applet' element you can effectively restrict 'param' to 'object'.

But it seems you want a 'param' forced inside 'object'. That is something beyond htmLawed.

One option you can think of is to do a search-replace on htmLawed's output. E.g., with

$final = str_replace('</object>', '<param xyz /></object>', $processed);

Another option is to use Javascript to modify the DOM.

All this will of course be complex if you want to modify only specific and not all 'object' elements.

Later added:

htmLawed 1.1 introduces the ability to deploy hook functions to manipulate tags; see this post
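As an added illustration of the post-processing idea above (this is example code written for this page, not htmLawed's own code and not the hook mechanism mentioned in the post), the following PHP function goes a step further than a flat `str_replace` on `</object>`: it parses the already-sanitized output with `DOMDocument`, forces a required set of `<param>` elements into every `<object>`, and overrides any user-supplied `<param>` of the same name instead of trusting it. The function name `enforce_object_params`, the wrapper `<div>` trick and the `LIBXML_HTML_NOIMPLIED`/`LIBXML_HTML_NODEFDTD` flags (PHP 5.4+ with libxml 2.7.8+) are assumptions of this example; the sample markup is constructed.

```php
<?php
// Added example (not htmLawed's own code): DOM-based post-processing of sanitizer
// output that forces fixed <param> elements into every <object>.
//
// $required maps param name => value. Default: allowScriptAccess=never, the
// setting the thread discusses. Matching on the param name is case-insensitive
// because Flash treats it that way and users may vary the capitalisation.
function enforce_object_params(string $html, array $required = ['allowScriptAccess' => 'never']): string
{
    $doc = new DOMDocument();
    // The <?xml ...?> prefix makes libxml read the fragment as UTF-8; the wrapper
    // <div> keeps the user's elements as direct children we can re-serialize.
    // LIBXML_HTML_NOIMPLIED stops libxml from adding <html>/<body> around them.
    $doc->loadHTML(
        '<?xml encoding="utf-8" ?><div id="__wrap">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD | LIBXML_NOERROR | LIBXML_NOWARNING
    );
    $wrap = $doc->documentElement; // the wrapper <div>

    // Snapshot the live NodeList first; we mutate the tree while iterating.
    foreach (iterator_to_array($doc->getElementsByTagName('object')) as $object) {
        $seen = [];

        // Pass 1: any user-supplied <param> with a required name gets its value
        // overwritten. Overriding (rather than skipping) is the safe choice.
        foreach (iterator_to_array($object->getElementsByTagName('param')) as $param) {
            $name = strtolower($param->getAttribute('name'));
            foreach ($required as $reqName => $reqValue) {
                if ($name === strtolower($reqName)) {
                    $param->setAttribute('value', $reqValue);
                    $seen[$name] = true;
                }
            }
        }

        // Pass 2: add every required <param> that was not present at all.
        foreach ($required as $reqName => $reqValue) {
            if (isset($seen[strtolower($reqName)])) {
                continue;
            }
            $param = $doc->createElement('param');
            $param->setAttribute('name', $reqName);
            $param->setAttribute('value', $reqValue);
            // Insert as the first child so the param precedes any <embed> fallback.
            $object->insertBefore($param, $object->firstChild);
        }
    }

    // Serialize only the wrapper's children, i.e. the user's own fragment.
    $out = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: what a profile fragment might look like after htmLawed has
// run. The user-supplied "always" value is overridden, and the second <object>,
// which has no param at all, gets one inserted.
$sample = '<p>My profile</p>'
    . '<object data="movie.swf"><param name="allowscriptaccess" value="always">'
    . '<embed src="movie.swf" allowscriptaccess="never"></object>'
    . '<object data="other.swf"></object>';

echo enforce_object_params($sample), PHP_EOL;
```

Run this after htmLawed, not instead of it: it only pins the `<param>` values, it does not whitelist attributes or elements. Because the output is re-serialized from libxml's DOM rather than from the sanitizer's string, check that the markup you emit still passes the sanitizer's own rules (the two parsers can disagree on malformed input), and keep the `<embed>` attribute requirement the post already mentions so that browsers falling back to `<embed>` get the same restriction.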

4 (edited by Ambush Commander 2008-03-08 19:25:25)

Re: Question regarding allowing in-document style tags

Some users of HTML Purifier worked with me to create a plugin that experimentally adds support for exactly what you're talking about: Param insertion in object tags (http://htmlpurifier.org/phorum/read.php?2,1102,1102#msg-1104)