0

I have in the database the path to the files that I want to output, like:

<audio src="/yii2-biblioteca/frontend/web/uploads/audio/lya1.mp3" controls type="audio/mpeg"> 

and I am using:

<?=HtmlPurifier::process($model->audio)?>

for the output.

I used the same thing for images and it's OK, it works, but for the audio and for the PDF embed not so much. At the beginning the PDF worked; I changed some things with a JS function, which was not supposed to have a negative impact. I reverted everything back to when it was good, but it's not working now.

The PDF example: <embed src="/yii2-biblioteca/frontend/web/uploads/pdf/dying.pdf" type="application/pdf" width="100%" height="100%" />

9
  • What is not working now? Commented Sep 2, 2018 at 14:59
  • For my images I used the same "path in the database" and HtmlPurifier::process in the file to get the output, but it's not working and I don't know why. I am thrown back a bit because the embedded PDF worked OK at some point and only the audio was the problem. The PDF is out of work now too. I don't know what I am doing wrong. Commented Sep 2, 2018 at 15:08
  • What I am trying to understand is whether HtmlPurifier is removing some part of the path or part of the tags. Saying it is not working does not help much; what the input to HtmlPurifier is and what it gives you as output will help understand the issue. And by the way, you should keep the paths in a constant using the params.php file, and only the file name should be saved in the database. Commented Sep 2, 2018 at 15:12
  • You are right, it's not helping to scream "it is not working", but I don't know how to describe it, because there is no output at all, it's blank. I tried to use different relative paths, thinking it could be from there. I used the same procedure for the images, and if I go to my site and look at inspect elements I can see the replacement of the "HtmlPurifier::process($model->image)" with the specific image path. But with the "HtmlPurifier::process($model->audio)" for the audio and "HtmlPurifier::process($model->pdf)" for the PDF it's empty. Commented Sep 2, 2018 at 15:46
  • OK, can you add the rendered output of the tag that is generated by HtmlPurifier and the one you are expecting? Add it to your question by editing. Commented Sep 2, 2018 at 15:48

1 Answer

1

Yii2's HTMLPurifier wrapper takes a second argument:

echo HtmlPurifier::process($html, [
    // options go here
]);

For <embed>, you should be able to use the HTML.SafeEmbed setting:

echo HtmlPurifier::process($html, [
    'HTML.SafeEmbed' => true,
]);

Unfortunately, for <audio>, the underlying problem here is that HTML Purifier isn't HTML5-aware, which is going to make adding that a lot more complicated.

There are user-supplied patches to allow HTML Purifier to understand HTML5, but as far as I know, none has been audited and so it's hard to say what this will do to the security of your site. (Arguably, HTML Purifier with userland supplied HTML5 definitions is still better than no HTML Purifier at all, though.)

I've given some rough instructions about how to make HTML Purifier (the library itself, not its Yii2 wrapper) aware of only the <audio> tag over on another question. Quoting the relevant pieces:

You'll have to look at the "Customize!" end-user documentation, where it will tell you how to add tags and attributes that HTML Purifier is not aware of.

To quote the most vivid code example from the linked documentation (this code teaches HTML Purifier about the <form> tag):

Time for some code:

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
$config->set('HTML.DefinitionRev', 1);
$config->set('Cache.DefinitionImpl', null); // remove this later!
$def = $config->getHTMLDefinition(true);
[...]
$form = $def->addElement(
    'form',   // name
    'Block',  // content set
    'Flow', // allowed children
    'Common', // attribute collection
    array( // attributes
        'action*' => 'URI',
        'method' => 'Enum#get|post',
        'name' => 'ID'
    )
);
$form->excludes = array('form' => true);

Each of the parameters corresponds to one of the questions we asked. Notice that we added an asterisk to the end of the action attribute to indicate that it is required. If someone specifies a form without that attribute, the tag will be axed. Also, the extra line at the end is a special extra declaration that prevents forms from being nested within each other.

Once you've followed those instructions to make your purifying routine aware of <audio>, adding the tag <audio> to your configuration whitelist will work.

So, in brief, if you want to be able to purify just <audio> tags without losing them altogether, you're going to have to do some research on the tags' capability and add the information to HTML Purifier.

You could base your code on what you can find in xemlock/htmlpurifier-html5's HTML5Definition.php file if you don't want to work on it from scratch.
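As an added illustration (not part of the original answer, and not audited), this is roughly what a minimal `<audio>` definition for raw HTML Purifier could look like, run over constructed samples. It assumes `ezyang/htmlpurifier` is installed through Composer; the definition ID `audio-example`, the function name `audioAwareConfig()` and the chosen attribute list are assumptions made for this example.

```php
<?php
// Added example; assumes ezyang/htmlpurifier is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

// Hypothetical helper: a config that knows a deliberately small <audio>.
function audioAwareConfig(): HTMLPurifier_Config
{
    $config = HTMLPurifier_Config::createDefault();
    // Arbitrary ID for this example; bump the revision whenever the
    // definition below changes so the cached copy is rebuilt.
    $config->set('HTML.DefinitionID', 'audio-example');
    $config->set('HTML.DefinitionRev', 1);
    // Keep the definition cache somewhere writable.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());

    // Returns null when a cached definition already exists.
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        $def->addElement(
            'audio',   // name
            'Inline',  // content set
            'Inline',  // allowed children (fallback text)
            'Common',  // attribute collection
            [
                'src'      => 'URI',            // goes through URI scheme filtering
                'controls' => 'Bool#controls',  // minimized boolean attribute
                'preload'  => 'Enum#auto,metadata,none',
            ]
        );
    }
    return $config;
}

$purifier = new HTMLPurifier(audioAwareConfig());

// Constructed sample inputs: the tag from the question, and one carrying
// an event handler and a javascript: URI that the purifier should strip.
$samples = [
    '<audio src="/yii2-biblioteca/frontend/web/uploads/audio/lya1.mp3" controls type="audio/mpeg">',
    '<audio src="javascript:alert(1)" onerror="alert(1)" controls></audio>',
];

foreach ($samples as $html) {
    // Only attributes declared above (plus the Common collection) survive.
    echo $purifier->purify($html), PHP_EOL;
}
```

Yii2's `HtmlPurifier::process()` also accepts a closure that receives the config object as its second argument, so the same `addElement()` call can be made there instead of building the purifier by hand.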

3 Comments

You should mark it as a duplicate rather than pasting the previous answer's content here.
@MuhammadOmerAslam I disagree this is a duplicate - it's asking about Yii2, <embed> and <audio>. I wrote about <audio> for raw HTML Purifier. That's overlap, not duplication.
Thank you for the answer! I will try SafeEmbed for the PDF, but at this moment I did something else with the audio tag. It may be stupid, but it does work. In the database I stored only the src path, not the entire tag, and for the moment it's OK. Again, thank you very much for your time and for your answer!
