jizuscreed/white-html-filter

A lightweight PHP white-list filter for HTML tags and attributes. Fork of lincanbin/white-html-filter that includes three critical bug fixes.

v1.5 2020-09-05 20:21 UTC

This package is auto-updated.

Last update: 2024-09-06 07:26:27 UTC


README

A PHP white-list filter for HTML tags and attributes.

XSS filtering based on regular expressions or text replacement is unsafe: the filter sees a different structure than the browser's parser does. This filter instead uses DOMDocument, which implements the HTML tokenization algorithm, so allow-list decisions are made on the same parsed tree a browser would build.

Requirements

  • PHP 5.3.0 or higher.

Installation

Install this package via Composer.

composer require lincanbin/white-html-filter

Or edit your project's composer.json, add the lincanbin/white-html-filter dependency, then run composer update

"require": {
    "lincanbin/white-html-filter": "~1.3"
}

Usage

Basic usage

Note: you must include Composer's autoloader with require 'vendor/autoload.php' (this should go without saying).

Instantiate a WhiteHTMLFilter object

use lincanbin\WhiteHTMLFilter;

$html = <<<html
<iframe></iframe>
<div class="contain">
	<span style="color: #f00;">
		test中文
	</span>
</div>
<div class="contain" data-src="xxx" onclick="javascript:alert('xxx');">
	<audio controls = "play">
	  <source src="horse.ogg" type="audio/ogg">
	  <source src="horse.mp3" type="audio/mpeg">
	  Your browser does not support the audio element.
	</audio>
</div>
<div class="contain">
	<span style="color: #f00;" class="aabc">test</span>
</div>
<IMG SRC=javascript:alert('XSS')>
html;

$filter = new WhiteHTMLFilter();
$filter->loadHTML($html);
$filter->clean();
var_dump($filter->outputHtml());
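To make the "tokenizer, not regex" point above concrete, here is an added example (not the library's own code) of the same allow-list approach written directly against PHP's DOMDocument. The markup is parsed first, so casing, unquoted attribute values and unclosed tags are normalized before any decision is made; then every element and attribute not on the list is removed, and href/src values are kept only when their scheme is harmless. The allow-list, the isSafeUrl/sanitizeNode/sanitizeHtml helpers and the sample input are all constructed for this example.

```php
<?php
// Added example, not part of white-html-filter: a minimal allow-list
// sanitizer built directly on DOMDocument. The input is tokenized into a
// tree, and only then are elements/attributes compared against the list,
// so obfuscations that fool regex filters are normalized away first.

// Constructed allow-list: tag => attributes permitted on it.
$allowed = array(
    'div'  => array('class'),
    'span' => array('class', 'style'),
    'a'    => array('href', 'title'),
    'img'  => array('src', 'alt'),
    'p'    => array(),
    'br'   => array(),
);

// URL-bearing attributes keep only relative URLs and http/https/mailto.
function isSafeUrl($value)
{
    // Browsers ignore control characters and whitespace inside the scheme
    // ("java\tscript:"), so strip them before inspecting it.
    $probe = preg_replace('/[\x00-\x20]+/', '', $value);
    if (!preg_match('~^([a-z][a-z0-9+.-]*):~i', $probe, $m)) {
        return true;                                  // no scheme: relative URL
    }
    return in_array(strtolower($m[1]), array('http', 'https', 'mailto'), true);
}

function sanitizeNode(DOMNode $node, array $allowed)
{
    // Work on a snapshot: removing children while iterating childNodes skips nodes.
    $children = array();
    foreach ($node->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                                 // text is escaped by saveHTML
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            $node->removeChild($child);               // comments, CDATA, PIs
            continue;
        }
        $tag = strtolower($child->nodeName);
        if (!isset($allowed[$tag])) {
            $node->removeChild($child);               // unknown tag: drop it with its subtree
            continue;
        }
        $attrs = array();
        foreach ($child->attributes as $attr) {
            $attrs[] = $attr;
        }
        foreach ($attrs as $attr) {
            $name = strtolower($attr->name);
            $urlAttr = ($name === 'href' || $name === 'src');
            if (!in_array($name, $allowed[$tag], true) || ($urlAttr && !isSafeUrl($attr->value))) {
                $child->removeAttribute($attr->name); // event handlers, unknown or unsafe attributes
            }
        }
        sanitizeNode($child, $allowed);
    }
}

function sanitizeHtml($html, array $allowed)
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);         // tag soup raises warnings; keep them quiet
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitizeNode($body, $allowed);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);               // saveHTML($node) needs PHP >= 5.3.6
    }
    return $out;
}

// Constructed input mixing allowed markup with the kinds of payloads shown above.
$input = '<div class="c" onclick="alert(1)"><span style="color:#f00">ok</span>'
       . '<IMG SRC=javascript:alert(\'XSS\')><a href="https://example.com/">x</a>'
       . '<script>alert(2)</script></div>';
echo sanitizeHtml($input, $allowed), PHP_EOL;
```

The design choice worth noting is that decisions are made on parsed nodes, never on the raw string: the unquoted, upper-cased IMG tag arrives as an ordinary img element with a src attribute, and the scheme check is what strips it. Unknown elements are dropped together with their content here, a stricter choice than unwrapping them, so script bodies never survive as text.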

Configuration

  • Remove allowed tags
use lincanbin\WhiteHTMLFilter;
$filter = new WhiteHTMLFilter();
$filter->config->removeAllAllowTag();
//Or
$filter->config->removeFromTagWhiteList('div');
$filter->config->removeFromTagWhiteList(array("div", "table"));
  • Add new allowed tags
use lincanbin\WhiteHTMLFilter;
$filter = new WhiteHTMLFilter();
$filter->config->removeAllAllowTag();
$filter->config->modifyTagWhiteList(array(
    "img" => array("alt", "src", "height", "width"),
    "a" => array("href", "rel", "target", "download", "type")
));
  • Modify the allowed HTML global attributes
use lincanbin\WhiteHTMLFilter;
$filter = new WhiteHTMLFilter();
$filter->config->WhiteListHtmlGlobalAttributes = array(
    "class", "style", "title", "data-*"
);
  • Modify the allowed CSS styles (leave empty to allow everything)
use lincanbin\WhiteHTMLFilter;
$filter = new WhiteHTMLFilter();
$filter->config->WhiteListStyle = array(
    "color", "border", "background", "position"
);
  • Modify the allowed CSS classes (leave empty to allow everything)
use lincanbin\WhiteHTMLFilter;
$filter = new WhiteHTMLFilter();
$filter->config->WhiteListCssClass = array(
    "container", "title", "sub-title", "sider-bar"
);

Using a custom attribute value filter

use lincanbin\WhiteHTMLFilter;

$html = <<<html
<iframe width="560" height="315" src="https://www.youtube.com/embed/lBOwxXxesBo" frameborder="0" allowfullscreen>
</iframe>
<iframe width="560" height="315" src="https://www.94cb.com/" frameborder="0" allowfullscreen></iframe>
html;
$filter = new WhiteHTMLFilter();
// Value filter: receives the raw attribute value, returns the value to keep
// ('' strips it). Only YouTube embed URLs survive.
$urlFilter = function($url) {
    $regex = '~
  ^(?:https?://)?                           # Optional protocol
   (?:www[.])?                              # Optional sub-domain
   (?:youtube[.]com/embed/|youtu[.]be/) # Mandatory domain name (w/ query string in .com)
   ([^&]{11})                               # Video id of 11 characters as capture group 1
    ~x';
    return (preg_match($regex, $url) === 1) ? $url : '';
};

// Tag rule: a closure keyed by attribute name filters that attribute's value;
// bare names are allowed through unchanged.
$iframeRule = array(
    'iframe' => array(
        'src' => $urlFilter,
        'width',
        'height',
        'frameborder',
        'allowfullscreen'
    )
);
// The rule must be registered, otherwise iframe is filtered by the default list.
$filter->config->modifyTagWhiteList($iframeRule);

$filter->loadHTML($html);
$filter->clean();
var_dump($filter->outputHtml());

Result

<iframe width="560" height="315" src="https://www.youtube.com/embed/lBOwxXxesBo" frameborder="0" allowfullscreen=""></iframe>
<iframe width="560" height="315" src="" frameborder="0" allowfullscreen=""></iframe>
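The iframe rule above checks one specific embed URL pattern. As a further added example (not the project's own code), the following restricts link and image URLs in general: by scheme for links, and by scheme plus an allow-list of hosts for images. It assumes, as the iframe example does, that a closure given as an attribute's value receives the raw attribute value and returns the value to keep (with '' meaning strip it), and that the rule is registered with modifyTagWhiteList; the host names, the $safeUrl/$safeImage closures and the sample HTML are constructed for this example.

```php
<?php
require 'vendor/autoload.php';

use lincanbin\WhiteHTMLFilter;

// Added example, not part of white-html-filter. Assumes the value-filter
// contract shown in the README's iframe rule: closure(rawValue) -> keptValue.

// Links: keep relative URLs and http/https/mailto; drop javascript:, data:, vbscript:, ...
$safeUrl = function ($url) {
    $url = trim($url);
    // Browsers ignore control characters inside the scheme ("java\nscript:"),
    // so strip them before looking at it.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('~^([a-z][a-z0-9+.-]*):~i', $probe, $m)) {
        return in_array(strtolower($m[1]), array('http', 'https', 'mailto'), true) ? $url : '';
    }
    return $url;                                   // no scheme: relative URL
};

// Images: only absolute https URLs on a constructed allow-list of hosts.
$imageHosts = array('images.example.com', 'cdn.example.com');
$safeImage = function ($url) use ($imageHosts) {
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return '';                                 // relative or unparsable: strip
    }
    $ok = strtolower($parts['scheme']) === 'https'
       && in_array(strtolower($parts['host']), $imageHosts, true);
    return $ok ? $url : '';
};

$filter = new WhiteHTMLFilter();
$filter->config->removeAllAllowTag();
$filter->config->modifyTagWhiteList(array(
    'a'   => array('href' => $safeUrl, 'title', 'rel'),
    'img' => array('src' => $safeImage, 'alt', 'width', 'height'),
    'p'   => array(),
));

// Constructed input: one acceptable and one unacceptable value for each rule.
$html = <<<html
<p><a href="https://example.com/docs" rel="noopener">docs</a></p>
<p><a href="javascript:alert(1)">click</a></p>
<p><img src="https://images.example.com/a.png" alt="ok">
   <img src="http://other.example.net/x.png" alt="blocked"></p>
html;

$filter->loadHTML($html);
$filter->clean();
echo $filter->outputHtml();
```

Two points to keep in mind when writing such filters: normalize before checking the scheme, because the browser discards control characters that a naive prefix comparison would trip over; and for src attributes prefer a positive host allow-list over a scheme check alone, since an attacker-controlled image host still enables tracking and mixed-content problems even when the scheme is https.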

Default filter configuration

Donate to White HTML Filter

  • Alipay

  • WeChat

License

Copyright 2017 Canbin Lin (lincanbin@hotmail.com)

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   https://apache.ac.cn/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.