  1. Why does HTML Purifier ignore my runtime created configuration settings?
<p>everyone! Naturally I am still fighting with HTML Purifier…</p>
<p>So, my /config/purifier.php looks like:</p>
<pre><code>&lt;?php defined('SYSPATH') or die('No direct access allowed.');

return array(
    'settings' =&gt; array(
        'HTML.Allowed'      =&gt; 'a,b,strong,p,ul,ol,li,img[src],i,u,span,',
        'HTML.MaxImgLength' =&gt; 250,
        'CSS.MaxImgLength'  =&gt; '250px'
    ),
);
?&gt;
</code></pre>
<p>and HTML Purifier overloads the Security::clean_xss() method to use its own filter.</p>
<p>I have created two helper functions for data sanitation: clean_whitelist(), which strips anything not allowed by my HTML.Allowed setting in the config file, and clean_all(), which strips all tags and ignores fields that are passed in as ignore.</p>
<pre><code>public static function clean_all(array $dirty_data, array $ignore)
{
    $config = Kohana::config('purifier');
    $settings = $config['settings'];
    // Runtime override: empty HTML.Allowed list
    $config-&gt;set('settings', array('HTML.Allowed' =&gt; ''));

    foreach ($dirty_data as $key =&gt; $value) {
        // Fields named in $ignore are left untouched
        if ( ! in_array($key, $ignore)) {
            $dirty_data[$key] = Security::xss_clean($dirty_data[$key]);
        }
    }
    return $dirty_data;
}

public static function clean_whitelist($dirty_data)
{
    return Security::xss_clean($dirty_data);
}
</code></pre>
<p>clean_whitelist() works as intended, but clean_all still allows tags. Not entirely sure why, as when I var_dump a new load of <code>Kohana::config('purifier')</code> after I have called <code>$config-&gt;set</code>, the file it displays my HTML.Allowed =&gt; ''…</p>
<p>Any ideas on why it continues to use a whitelist as opposed to using the config file I've built at runtime?</p>
<p>Thanks, as always, to anyone contributing!</p>
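An added example, not part of the original post and not the Kohana purifier module's code: the two sanitizers from the question written directly against HTML Purifier's own API, each holding its own purifier built from its own config, so the strip-all policy does not depend on changing a shared config after the fact. It assumes HTML Purifier is installed through Composer; `purifier_config()` and the sample input are hypothetical, and the function names mirror the post.

```php
<?php
// Assumption: HTML Purifier was installed with Composer (ezyang/htmlpurifier).
require __DIR__ . '/vendor/autoload.php';

// Build a fresh config per policy instead of mutating a shared one.
function purifier_config(string $allowed): HTMLPurifier_Config
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null); // no on-disk definition cache for this demo
    $config->set('HTML.Allowed', $allowed);
    $config->set('HTML.MaxImgLength', 250);
    $config->set('CSS.MaxImgLength', '250px');
    return $config;
}

// Whitelist policy: same element list as the post's config file.
function clean_whitelist(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = new HTMLPurifier(
            purifier_config('a,b,strong,p,ul,ol,li,img[src],i,u,span')
        );
    }
    return $purifier->purify($dirty);
}

// Strip-all policy: a second purifier whose allow-list is empty.
function clean_all(array $dirty_data, array $ignore = []): array
{
    static $purifier = null;
    if ($purifier === null) {
        $purifier = new HTMLPurifier(purifier_config(''));
    }
    foreach ($dirty_data as $key => $value) {
        // Skip ignored fields and anything that is not a string.
        if (!in_array($key, $ignore, true) && is_string($value)) {
            $dirty_data[$key] = $purifier->purify($value);
        }
    }
    return $dirty_data;
}

// Constructed sample input.
$post = ['bio' => '<p onclick="track()">Hello <b>world</b><script>x()</script></p>',
         'password' => 'p<b>ss'];
var_dump(clean_whitelist($post['bio']));
var_dump(clean_all($post, ['password']));
```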