HTML Purifier Config Best Practices

superflyman - September 21, 2009 - 00:39
Project:HTML Purifier
Version:6.x-2.0
Component:User interface
Category:support request
Priority:normal
Assigned:Unassigned
Status:closed
Description

I just installed the HTML Purifier module and am just wondering what the best practices are... I am using Full HTML, checked off HTML Purifier (standard) and disabled HTML Corrector and HTML Filter. Is this the best approach? Please advise. Also, for performance purposes which filters are considered "highly dynamic" and should not be placed before HTML Purifier? Any help would be greatly appreciated... Thanks-

#1

ezyang - September 21, 2009 - 15:50

That's correct. "Dynamic filters" are filters that, given a fixed user input, can have many outputs (the canonical example is a filter that puts in the current day and time). Since HTML Purifier caches its filterings by input text, if one of these was put before HTML Purifier that would mean the cache wouldn't work.

#2

superflyman - September 21, 2009 - 16:07

@ezyang

Thanks for the fast response and explanation.

As for the configuration, does it make sense to disable the HTML Corrector and HTML Filter inputs?

#3

ezyang - September 21, 2009 - 16:44

Yep. They have the same purpose as HTML Purifier.

#4

-Anti- - October 27, 2009 - 19:54

Can I just add to the questions that have already been asked...

1)
On the configure page of the 'standard' version, the HTML section has the null/disabled checkbox ticked.
Are we supposed to untick that and type something in to the textarea below?
Or does being ticked mean 'automatic protection'.

2)
Is there any advantage that the 'linkify' feature has over drupal's core 'URL filter'?
Is there any disadvantage (eg. no maximum url length)?

3)
I have DisableExternalResources and DisableResources set to NO, because the whole point of using a wysiwyg editor is to allow our trusted users to 'embed' images/media, whether uploaded to our server or hotlinked to another site. If a malicious user turns off javascript (and so accesses the text area directly), will html purifier still keep us relatively safe?

Thanks.

#5

ezyang - October 28, 2009 - 06:00
Status:active» closed

> On the configure page of the 'standard' version, the HTML section has the null/disabled checkbox ticked.
> Are we supposed to untick that and type something in to the textarea below?
> Or does being ticked mean 'automatic protection'.

Ticked means automatic protection. Unticked means you specify a more restrictive set of tags to allow.

> Is there any advantage that the 'linkify' feature has over drupal's core 'URL filter'?
> Is there any disadvantage (eg. no maximum url length)?

Linkify is more correct, as it takes into account the contextual HTML in an extremely smart way, but you probably won't notice a difference.

> I have DisableExternalResources and DisableResources set to NO, because the whole point of using a wysiwyg editor is to allow our trusted users to 'embed' images/media, whether uploaded to our server or hotlinked to another site. If a malicious user turns off javascript (and so accesses the text area directly), will html purifier still keep us relatively safe?

The point of HTML Purifier is to make your HTML safe regardless of what is running client side. That is our "guarantee" (as far as guarantees from open-source projects go ;-)

#6

-Anti- - October 28, 2009 - 13:53

Thanks for the clarification.

Sorry, I should have been more clear. My last question should have been:

> If a malicious user turns off javascript (and so accesses the text area directly), will
> html purifier still keep us relatively safe with both DisableResources options set to NO?

But I assume your answer for that one still stands.

Cheers!

#7

ezyang - October 28, 2009 - 15:06

Yes. You might be slightly misunderstanding DisableResources and DisableExternalResources; these prevent tags like img which make the browser perform an additional request (in the case of external resources, to a third-party website). While allowing such things has obvious privacy implications, it does not pose an XSS risk.
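The three settings discussed in this thread (the null/disabled HTML.Allowed checkbox, Linkify, and the two DisableResources options) map to HTML Purifier library config keys. The following PHP script is an added example, not code from the thread, the HTML Purifier project, or the Drupal module; it assumes HTML Purifier is installed and `HTMLPurifier.auto.php` is on the include path, and the input string is constructed to represent what a user could submit with the editor's JavaScript turned off.

```php
<?php
// Added example (not from the thread or the HTML Purifier / Drupal projects).
// Assumption: HTML Purifier is installed and HTMLPurifier.auto.php is on the include path.
require_once 'HTMLPurifier.auto.php';

// Constructed sample: markup a user could submit by editing the textarea directly,
// bypassing whatever the WYSIWYG editor would have restricted client side.
$input = '<p onclick="alert(1)">Hi</p>'
       . '<script>alert("xss")</script>'
       . '<img src="http://cdn.example.org/pic.png" alt="hotlinked">'
       . '<img src="/files/local.png" alt="uploaded">'
       . 'See http://example.com/docs';

$config = HTMLPurifier_Config::createDefault();

// 1) The "null/disabled" checkbox ticked: HTML.Allowed stays null, so HTML Purifier's
//    built-in safe whitelist applies (automatic protection). Unticked corresponds to
//    supplying a more restrictive list, e.g. the commented-out line.
$config->set('HTML.Allowed', null);
// $config->set('HTML.Allowed', 'p,a[href],img[src|alt]');

// 2) Linkify: bare URLs in text nodes become <a> elements, aware of the surrounding HTML
//    (it will not wrap a URL that is already inside an <a>).
$config->set('AutoFormat.Linkify', true);

// 3) Resource policy as the poster has it (both NO). These only control whether elements
//    that cause the browser to issue extra requests are kept; they are not what stops XSS.
$config->set('URI.DisableExternalResources', false); // true: drop the cdn.example.org <img>
$config->set('URI.DisableResources', false);         // true: drop both <img> elements

$purifier = new HTMLPurifier($config);
echo $purifier->purify($input), "\n";

// Expected outcome: the onclick attribute and the <script> element are removed under
// every combination of the settings above; with both URI options false, both <img>
// elements survive and the bare URL is turned into a link.
```

To see the difference the two URI options make, flip either to `true` and re-run: the external image disappears with `URI.DisableExternalResources`, and both images disappear with `URI.DisableResources`, while the script and event-handler removal is unchanged, which is the point ezyang makes in #7.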
