Config of HTML Purifier - improve documentation!

Yes. HTML Purifier is designed to work out-of-the-box and be safe.

the default setup is disallowing img tags for me. What's the easy way to allow it? As far as I understand, 'allowed elements' require full list of valid tags + all their attributes, that's rather big list and I don't know where I can get prepared one. And I need just to add one img to html purifier setup.

Images should be allowed by default. Do you have any alternate modules turned on?

Hi! I'm trying to configure HTML Purifier to allow some of the elements that TinyMCE (unfortunately) utilizes, namely "a name=" anchors, and "a target=" for opening links in new windows (despite their deprecated status) and am having a bear of a time getting it to work. The advanced HTML Purifier setting allows for a whole bunch of config options but I seem to be unable to make it do what I'd like. I did search the HTML Purifier forum itself, but their method of configuring filters involves calling methods directly on an instantiated htmlpurifier object.

I did see that there is a spot for config files in modules/htmlpurifier/config ... I assume from the comments that I'd just copy the sample.php to, say, 1.php and then call my various $config->set(...) functions in the htmlpurifier_config_N($config) method. It's unclear to me though whether these config changes even take effect -- or if and how they intermingle with the changes made using the GUI. If somebody who's done this can shed some light on the process it would be greatly appreciated. Thanks in advance!

Additionally, using the GUI, I've added both AllowedFrameTargets (_blank, _self, _parent, etc) and below it, AllowedRel (external) and despite this, both seem to be stripped out during the filtering of the page. Doctype is set to XHTML 1.0 transitional.

Do you have any other filters enabled? Have you tried clearing the cache? It should work.

No other filters are enabled, and I've cleared the cache a number of times -- is it possible as mentioned above to override the settings in the GUI with a configuration file (filter #).php ?

I'd still like to see some documentation as per the initial request. For instance, it's hard for me to figure out whether or not I need to put both opening and closing tags in the ForbiddenAttributes box. For instance, I want to disable the font tag.

Do I put

<font>
</font>

or just
font?

Do I separate by commas, spaces, or carriage returns? It's not working anyway I do it, but I can't figure out if that's because I don't know how to use it or its broken. Yes, I cleared the cache.

What are the values of HTML.Allowed, HTML.AllowedAttributes and HTML.AllowedElements?

I got it working by putting quotes like this

"<font>"
"</font>"
"font"

Don't know which did the trick. I'll follow up later. Also, clearing the cache didnt' clear the filter cache. Resaving the node, however, did.

For the record, font w/o the double-quotes should be the correct value. I'm reclassifying this as a bug and seeing if I can reproduce.

BTW, Drupal probably maintains a cache separate from HTML Purifier's. I should probably clarify this.

I've got that question exactly #6 - htmlpurifier is removing some of my id="blah" tags from my images. i too have found the $cofig stuff and sample.php, but haven't been able to work out how/where/what and when. Have you solved your issues?

My apologies about this extremely late response. I've been fairly busy and haven't been on top of the queue.

I went and took a vanilla configured HTML Purifier filter and placed "font" inside ForbiddenElements, and saw that it disallowed font elements. So I'm marking this ticket as postponed and reclassified as a support request, since I can't reproduce. Could you try again with a clean filter instance and see if it works? If it still doesn't please open a new ticket, since this particular issue is a bit far from the original.

glowkeeper, I'm going to request that you open up a new support ticket. It's really hard to keep track of all these different requests on the same ticket.

ezyang,

Thank you for following up. I'm opening this for one little clarification. I hope the question isn't too annoying.

So you wrapped it in quotes? That is, was it
"font"
or
font

Thanks,
glass.dimly

No quotes. Don't forget to clear the cache!

I think the main point of this issue is missing or insufficient documentation, or just the lack of a link from the configuration page to a useful documentation page. Everything that has been explained in this thread should rather be explained in the interface, and/or on a doc page!

On htmlpurifier.org I am never sure how much of that info applies to the Drupal module. And the startpage is hardly a good starting point if you are looking for documentation about the config options.

I think it is in the spirit of the other posts if I reopen this as a feature request, asking for better documentation.

Thanks.

...

My understanding that all of these options are documented on the configuration documentation page, which is linked to by all of the directives that you can access on the advanced page. So, either that documentation page needs to be improved (maybe with more examples or something), or I have to make the UI more obvious that you can click on any particular directive name to see what it does, or I have to just stick the documentation inline so that people who still don't notice the links still can see what's up.

Any comments here?

I have to admit, I was confused by the link display of Garland in Grey. It doesn't even show the cursor:pointer, for whatever reason.

I vote for this!

The documentation is horrible, confusing, missing the most obvious questions on installation and many more ...!
Though it seems to be the best solution out there, installing and using it can be very frustrating.

Please always remember/ keep in mind: A modul is as good as its ease of use!

For that reason improve (simplify) the documentation, please.
And in German we have a saying that rougly translated says: One example tells you more than thousands words (of explanation).

Thanks for this great module anyway.

Gunther

Hey guys,

Thanks for all your posts! We love the Drupal community and with all the constructive criticism, people like us figure out solutions to several websites globally. We do agree that better documentation is needed for HTML purifier and other modules, but at the same time, someone or even multiple someones need to allocate their time and sometimes resources to do that.

For us, we're fine with searching all over Drupal.org to fix target="_blank" to work with HTML purifier :) It does take time but answers still can be found. And only using Drupal for less than 2 years, we continue to learn new things even if it's something simple like clear the cache ;)

@ezyang we read a lot of your posts even on other threads and just want to say Thank You!

Regards,

The iGetcha Team :)

Here are some concrete improvements that are on the TODO list, taking into account all of your feedback from this list.

* Add text letting users know that they don't have to fill anything in; the default configuration is OK

* Clearer explanations on the configuration documentation page about what the behavior is in default cases, as well as sample inputs and outputs given some configuration.

* Better information about how text fields translate into PHP data types

* Warnings when someone enables a tag but doesn't enable the required attributes for that tag (looking specifically at img tags)

* Fix the lack of a "link" when you mouse over the link name. Maybe we could do something cute with a tooltip if you hover over, although my Javascript-fu isn't good enough to do something like that.

Inside the options panels for allowed html and forbidden html
Here is what's working for me:

-------------------

p[]
a[href]

-------------------

Adding in the actual tag name: example

font

--------------------

Then if you need attributes or not close off the tag with brackets.

font[]

or...

font[size | color]

Just treat it like an array.

~~ Hope that helps others! ~~

hi there

I have read through this long issue, tried all of the suggestions, and am still in the dark about why HTML Purifier was stripping out my images. I entered values in the Allowed HTML and Allowed Rel boxes, in various formats and as instructed in the docs, as well as stripping the input format down to just one filter, clearing the filter cache, and building it up again from defaults.

In the end I realised that the filter didn't like absolute image urls. I changed these, and hey presto, all of the images appeared.

I must say that the documentation is absolutely useless, at least for someone of my beginner's ability. This is all the more frustrating because, in so many other ways, HTML Purifier has been very valuable and is performing well for my site.

I would like if the filter didn't strip out images by default. And if it has to, give the beginner Drupal such as myself a clear, step-by-step and simple method of allowing them back in, which doesn't resort to diving into the code.

So thank you for the effort in creating and maintaining it, but the module needs a thorough re-working of the accompanying info before it gets my vote.

Very interesting thread. But I still cannot find how to configure this module. Or am I (still) missing something?

I've closed this thread because it's getting too difficult for me to keep track of all of the requests. Please open individual tickets for specific issues about the documentation. Thanks!

Here is a distilled list of issues that I've extracted from this thread. Please go to the relevant threads.

• #925300: Give better information about what HTML is allowed
• #925304: Warn if HTML Purifier is used with FCKEditor about name attributes
• #925306: Should external images be enabled by default?
• #925310: Configuration page should have inline examples
• #925324: Links to documentation don't have visual cue

Adding documentation for showing specifically how to add an attribute to an element would be exceptional.

I would like to know how to add "scope" to td/th elements to achieve 508 compliance. Anyone know where this is documented?