mikemix / zf2htmlpurifier
HTMLPurifier as ZF2 Filter
Installs: 6 850
Dependents: 0
Suggesters: 0
Security: 0
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Requires
- php: >=5.3.23
- ezyang/htmlpurifier: ^4.7.0
Requires (Dev)
- scrutinizer/ocular: ~1.1
- zendframework/zend-filter: ~2.4
README
HTML Purifier as ZF2 filter. Protect yourself from XSS attacks with two simple steps.
Install
Install with Composer by adding the package to the `require` section of your `composer.json`:

```json
"mikemix/zf2htmlpurifier": "~1.0"
```
Use
Include `zf2htmlpurifier\Filter\HTMLPurifierFilter` in the form field's filter chain, for example:
```php
<?php
namespace MyApp\Form;

use Zend\Form\Form;
use Zend\InputFilter\InputFilterProviderInterface;

class ExampleForm extends Form implements InputFilterProviderInterface
{
    public function init()
    {
        $this->add([
            'name' => 'field',
        ]);
    }

    public function getInputFilterSpecification()
    {
        return array(
            // other elements
            'field' => array(
                'required' => true,
                'filters' => array(
                    array('name' => 'zf2htmlpurifier\Filter\HTMLPurifierFilter'),
                ),
            ),
        );
    }
}
```

Or, with modern PHP (5.5+ for `::class`), the same method with short array syntax. Note the leading backslash: inside the `MyApp\Form` namespace an unqualified `zf2htmlpurifier\...::class` would resolve to `MyApp\Form\zf2htmlpurifier\...`:

```php
public function getInputFilterSpecification()
{
    return [
        // other elements
        'field' => [
            'required' => true,
            'filters' => [
                ['name' => \zf2htmlpurifier\Filter\HTMLPurifierFilter::class],
            ],
        ],
    ];
}
```

In the controller (ugly code example without Dependency Injection):

```php
<?php
$fm   = $this->getServiceLocator()->get('FormElementManager');
$form = $fm->get(\MyApp\Form\ExampleForm::class);
$form->setData(['field' => '<a href="#" onclick="javascript:alert(xss)">link</a>']);
$form->isValid();

// getData() returns the whole filtered data set; pick the field out of it
$data = $form->getData();
echo $data['field']; // outputs: <a href="#">link</a>
```
Fine tuning HTMLPurifier
You can pass HTMLPurifier configuration directives to the library through the filter's `config` option:
```php
// the form
public function getInputFilterSpecification()
{
    return [
        // other elements
        'field' => [
            'required' => true,
            'filters' => [
                [
                    'name'    => \zf2htmlpurifier\Filter\HTMLPurifierFilter::class,
                    'options' => ['config' => [
                        'Cache.SerializerPath' => '/other/path',
                        'Some.Setting'         => 'Setting value',
                    ]],
                ],
            ],
        ],
    ];
}
```
Standalone usage
The filter can also be used as a standalone class:
```php
$purifier = new \zf2htmlpurifier\Filter\HTMLPurifierFilter();
echo $purifier->filter('<a href="#" onclick="javascript:alert(xss)">link</a>'); // <a href="#">link</a>
```
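The following script ties the two previous sections together: it uses the filter standalone with a restrictive HTMLPurifier `config` and checks a handful of constructed inputs, so you can verify what the filter actually lets through before wiring it into a form. It is an added example, not code from mikemix/zf2htmlpurifier, and assumes Composer autoloading and that `HTMLPurifierFilter` accepts the same `['config' => [...]]` options through `setOptions()` as it does in the filter spec (`HTML.Allowed` and `Cache.SerializerPath` are standard HTMLPurifier directives).

```php
<?php
// Added example, not part of mikemix/zf2htmlpurifier: drives the filter standalone
// with a restrictive config and checks a few constructed inputs, so you can see
// exactly what survives purification before wiring the filter into a form.
// Assumes Composer autoloading and that HTMLPurifierFilter accepts the same
// ['config' => [...]] options through setOptions() as in the filter spec.
use zf2htmlpurifier\Filter\HTMLPurifierFilter;

require __DIR__ . '/vendor/autoload.php';

$cacheDir = sys_get_temp_dir() . '/htmlpurifier-cache';
if (!is_dir($cacheDir)) {
    mkdir($cacheDir, 0700, true); // HTMLPurifier needs a writable cache directory
}

$filter = new HTMLPurifierFilter();
$filter->setOptions(array('config' => array(
    // Allowlist: only these elements/attributes survive, everything else is dropped
    'HTML.Allowed'         => 'p,b,i,ul,li,a[href]',
    // Keep the serializer cache outside the web root, in a directory the app owns
    'Cache.SerializerPath' => $cacheDir,
)));

// Constructed inputs paired with the output HTMLPurifier is expected to produce
$cases = array(
    'event handler attribute stripped' => array(
        '<a href="#" onclick="alert(1)">link</a>', '<a href="#">link</a>'),
    'javascript: URI dropped' => array(
        '<a href="javascript:alert(1)">link</a>', '<a>link</a>'),
    'script element and contents removed' => array(
        '<p>hi</p><script>alert(1)</script>', '<p>hi</p>'),
    'element outside the allowlist removed' => array(
        '<p>hi<img src="x.png">there</p>', '<p>hithere</p>'),
    'allowed markup preserved' => array(
        '<ul><li><b>bold</b> and <i>italic</i></li></ul>',
        '<ul><li><b>bold</b> and <i>italic</i></li></ul>'),
);

$failures = 0;
foreach ($cases as $label => $case) {
    list($input, $expected) = $case;
    $actual = $filter->filter($input);
    $ok = ($actual === $expected);
    if (!$ok) {
        $failures++;
    }
    printf("%-40s %s  => %s\n", $label, $ok ? 'ok' : 'FAIL', $actual);
}
exit($failures === 0 ? 0 : 1);
```

Run it from the project root; a non-zero exit status means the configured allowlist does not behave as you expected, which is worth knowing before user-supplied HTML reaches a template.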
TODO
- Convert this to Module and allow defining default HTMLPurifier config via the configuration files