
I'm trying to implement HTMLPurifier, but after echoing out the HTML I'd like to purify, I still get
<img src="kay.JPG" alt="my picture" /> as part of the content that's displayed, meanwhile it's meant to display a picture. What am I doing wrong?

    function readmore_about_cs($row, $id)
    {
        $config = HTMLPurifier_Config::createDefault();
        // configuration goes here:
        $config->set('Core.Encoding', 'UTF-8');
        $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
        $purifier = new HTMLPurifier($config);

        if (isset($_GET['readmore'])) {
            // Full article: purify the stored HTML, then output it
            $nomore = $row['about_church_of_christ_content'];
            $pure_html = $purifier->purify($nomore);
            echo htmlspecialchars($pure_html);
        } else {
            if (strlen(trim($row['about_church_of_christ_content'])) > 350) {
                // Teaser: truncate, append a "More" link, purify, then output the purified result
                $shortText = substr(trim($row['about_church_of_christ_content']), 0, 650);
                $shortText .= '..<a href="http://127.0.0.1/church/about_cs.php?id='.$id.'&readmore=1">More</a>';
                $pure_html = $purifier->purify($shortText);
                echo htmlspecialchars($pure_html);
            }
        }
    }
Adi

1 Answer


What's happening to you is the default behavior of HTMLPurifier. Be warned that the following solution will create a hole in your security, as you're basically allowing XSS attacks through the 'src' attribute.

Here's what you should add to your code:

    // configuration goes here:
    $config->set('HTML.Allowed','img[src], img[alt]');
Adi
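A defender-side variant of the whitelist in the answer above, added here as an example and not taken from either post: it keeps the HTML.Allowed approach, pins the allowed URI schemes, and echoes the purified string directly, since passing it through htmlspecialchars() afterwards (as the question's code does) encodes the tags and the browser renders them as literal text. It assumes HTMLPurifier is loadable through its standard HTMLPurifier.auto.php; the page name about_cs.php comes from the question, the function names are my own, and the sample input is constructed.

```php
<?php
// Added example, not code from the question or the answer above.
// Assumes HTMLPurifier's standard auto-loader is on the include path.
require_once 'HTMLPurifier.auto.php';

// Build a purifier that keeps only the markup the page content needs.
function build_image_purifier()
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    // Element whitelist; attribute names go inside the brackets, '|'-separated.
    $config->set('HTML.Allowed', 'p,br,a[href],img[src|alt]');
    // Keep the URI scheme list tight: javascript:, data: etc. are rejected.
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true));
    return new HTMLPurifier($config);
}

// Return the HTML to display: the full article, or a teaser with a "More" link.
function render_content(HTMLPurifier $purifier, $raw, $id, $readmore)
{
    $raw = trim($raw);
    if (!$readmore && strlen($raw) > 350) {
        // Truncate, then purify: the purifier still returns well-formed XHTML
        // even when substr() cut inside a tag. Page name taken from the question.
        $raw = substr($raw, 0, 350)
             . '.. <a href="about_cs.php?id=' . (int) $id . '&amp;readmore=1">More</a>';
    }
    // Return the purified markup as-is; wrapping it in htmlspecialchars() would
    // encode the tags again and the browser would show them as literal text.
    return $purifier->purify($raw);
}

// Constructed sample content: one legitimate image, one injection attempt.
$sample = '<p>Welcome.</p>'
        . '<img src="kay.JPG" alt="my picture" />'
        . '<img src="javascript:alert(1)" alt="x" onerror="alert(1)" />';

$purifier = build_image_purifier();
// The first <img> keeps src and alt; onerror is not in the whitelist and the
// javascript: URI is not an allowed scheme, so neither reaches the browser.
echo render_content($purifier, $sample, 7, isset($_GET['readmore']));
```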