mikemix/zf2htmlpurifier

This package is abandoned and no longer maintained. No replacement package was suggested. Treat it accordingly: no further fixes will be released for this wrapper, and the actual sanitising is done by the underlying HTMLPurifier library, which you must keep up to date yourself.

HTMLPurifier as ZF2 Filter

1.0.1 2015-11-16 13:24 UTC


Last update: 2019-08-19 07:04:35 UTC


README


HTML Purifier as a ZF2 filter: sanitise user-submitted HTML that you intend to render as markup, in two simple steps. Purifying on input is not a substitute for context-appropriate output escaping of plain-text fields, and the cleaned output is only as safe as the HTMLPurifier configuration you apply.

Install

Install with Composer by adding "mikemix/zf2htmlpurifier": "~1.0" to the require section of your composer.json.

Use

Add zf2htmlpurifier\Filter\HTMLPurifierFilter to the form field's filter chain; the filter runs when the form is validated, for example:

<?php
namespace MyApp\Form;

use Zend\Form\Form;
use Zend\InputFilter\InputFilterProviderInterface;

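class ExampleForm extends Form implements InputFilterProviderInterface
{
    /**
     * Declares the form's elements. A single element named "field" is
     * added; it is the one the purifier filter below is attached to.
     */
    public function init()
    {
        $this->add([
            'name' => 'field',
        ]);
    }

    /**
     * Input-filter specification consumed by Zend\InputFilter.
     *
     * Attaching HTMLPurifierFilter to the element's filter chain runs the
     * submitted HTML through HTMLPurifier as part of $form->isValid(), so
     * $form->getData() afterwards holds the cleaned markup.
     *
     * On PHP < 5.5, where the ::class constant is unavailable, use the
     * plain string 'zf2htmlpurifier\Filter\HTMLPurifierFilter' as the
     * filter name instead.
     *
     * @return array
     */
    public function getInputFilterSpecification()
    {
        return [
            // other elements
            'field' => [
                'required' => true,
                'filters' => [
                    [
                        // Leading backslash is required: this class lives in
                        // namespace MyApp\Form, so an unqualified name would
                        // resolve to MyApp\Form\zf2htmlpurifier\... and the
                        // filter would never be found.
                        'name' => \zf2htmlpurifier\Filter\HTMLPurifierFilter::class,
                    ],
                ],
            ],
        ];
    }
}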

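// in controller (ugly code example without Dependency Injection)

$fm = $this->getServiceLocator()->get('FormElementManager');

// Fully qualified so the name resolves regardless of the controller's namespace.
$form = $fm->get(\MyApp\Form\ExampleForm::class);

// The onclick event handler is the part HTMLPurifier must strip.
$form->setData(['field' => '<a href="#" onclick="javascript:alert(xss)">link</a>']);

// Filters (including the purifier) only run inside isValid(); never use the
// submitted data when validation failed.
if ($form->isValid()) {
    // Per the Zend\Form API, getData() takes a VALUES_* flag, not a field
    // name, and returns the whole filtered data set; index it by element name.
    $data = $form->getData();

    // outputs: <a href="#">link</a>
    echo $data['field'];
}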

Fine tuning HTMLPurifier

You can pass options to configure the HTMLPurifier library through the filter's config option. Cache.SerializerPath must point to a directory that is writable by the PHP process and is not served by the web server; and any setting that widens the allowed elements or attributes also widens what an attacker can get through, so review such changes carefully.


// the form

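    /**
     * Input-filter specification with HTMLPurifier options.
     *
     * Everything under the filter's 'config' option is handed to the
     * HTMLPurifier library as configuration directives; consult the
     * HTMLPurifier documentation for the available directive names.
     *
     * @return array
     */
    public function getInputFilterSpecification()
    {
        return [
            // other elements
            'field' => [
                'required' => true,
                'filters' => [
                    [
                        // Leading backslash: inside namespace MyApp\Form an
                        // unqualified name would resolve to
                        // MyApp\Form\zf2htmlpurifier\... and fail to load.
                        'name' => \zf2htmlpurifier\Filter\HTMLPurifierFilter::class,
                        'options' => ['config' => [
                            // HTMLPurifier's serializer cache directory. It must be
                            // writable by the PHP process and kept outside the
                            // web root.
                            'Cache.SerializerPath' => '/other/path',
                            // Placeholder; replace with a real directive. Settings
                            // that loosen the element/attribute allow-lists widen
                            // what survives purification, so review them for XSS
                            // impact.
                            'Some.Setting' => 'Setting value',
                        ]],
                    ],
                ],
            ],
        ];
    }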

Standalone usage

It can be used as a standalone class as well:

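$purifier = new \zf2htmlpurifier\Filter\HTMLPurifierFilter();

// The onclick event handler is what must not survive purification.
// Expected output: <a href="#">link</a>
echo $purifier->filter('<a href="#" onclick="javascript:alert(xss)">link</a>');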

TODO

  • Convert this to Module and allow defining default HTMLPurifier config via the configuration files