mikemix / zf2htmlpurifier
This package is abandoned and no longer maintained. No replacement package was suggested.
HTMLPurifier as a ZF2 filter
1.0.1
2015-11-16 13:24 UTC
Requires
- php: >=5.3.23
- ezyang/htmlpurifier: ^4.7.0
Requires (Dev)
- scrutinizer/ocular: ~1.1
- zendframework/zend-filter: ~2.4
README
Use HTML Purifier as a ZF2 filter. Protect yourself against XSS attacks in two simple steps.
Installation
Install with Composer: "mikemix/zf2htmlpurifier": "~1.0"
Usage
Include zf2htmlpurifier\Filter\HTMLPurifierFilter in the filter chain of your form field, e.g.:
```php
<?php
namespace MyApp\Form;

use Zend\Form\Form;
use Zend\InputFilter\InputFilterProviderInterface;

class ExampleForm extends Form implements InputFilterProviderInterface
{
    public function init()
    {
        $this->add([
            'name' => 'field',
        ]);
    }

    public function getInputFilterSpecification()
    {
        return array(
            // other elements
            'field' => array(
                'required' => true,
                'filters' => array(
                    // the purifier runs on this field's value before validation
                    array('name' => 'zf2htmlpurifier\Filter\HTMLPurifierFilter'),
                ),
            ),
        );
    }
}
```

Or, with modern PHP (short array syntax and the `::class` constant), the same specification reads:

```php
public function getInputFilterSpecification()
{
    return [
        // other elements
        'field' => [
            'required' => true,
            'filters' => [
                // leading backslash: the class lives outside the MyApp\Form namespace
                ['name' => \zf2htmlpurifier\Filter\HTMLPurifierFilter::class],
            ],
        ],
    ];
}
```

In the controller (ugly code example without Dependency Injection):

```php
<?php
$fm = $this->getServiceLocator()->get('FormElementManager');
$form = $fm->get(\MyApp\Form\ExampleForm::class);
$form->setData(['field' => '<a href="#" onclick="javascript:alert(xss)">link</a>']);
$form->isValid();
// outputs: <a href="#">link</a>
echo $form->getData()['field'];
```
Fine-tuning HTMLPurifier
You can configure the HTMLPurifier library by passing options to the filter:

```php
// the form
public function getInputFilterSpecification()
{
    return [
        // other elements
        'field' => [
            'required' => true,
            'filters' => [
                [
                    'name' => \zf2htmlpurifier\Filter\HTMLPurifierFilter::class,
                    // keys under 'config' are HTMLPurifier configuration directives
                    'options' => ['config' => [
                        'Cache.SerializerPath' => '/other/path',
                        'Some.Setting' => 'Setting value',
                    ]],
                ],
            ],
        ],
    ];
}
```
Standalone usage
It can also be used as a standalone class:

```php
<?php
$purifier = new \zf2htmlpurifier\Filter\HTMLPurifierFilter();
// the onclick handler is stripped, the link itself is kept
echo $purifier->filter('<a href="#" onclick="javascript:alert(xss)">link</a>');
```
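As an added illustration (not part of this README or the package itself), the script below applies the same kind of HTMLPurifier directives that the filter's `'config'` option accepts, but through HTMLPurifier's own `HTMLPurifier_Config` API, so the effect of an element allow-list and a URI scheme allow-list can be seen in isolation. It assumes `ezyang/htmlpurifier` is installed via Composer with `vendor/autoload.php` in the working directory; the sample inputs are constructed for this example.

```php
<?php
// Added example, not code from the zf2htmlpurifier README.
// Assumes ezyang/htmlpurifier is installed through Composer.
require 'vendor/autoload.php';

/**
 * Build a purifier from an associative array of HTMLPurifier directives,
 * the same shape as the filter's 'options' => ['config' => [...]] array.
 */
function buildPurifier(array $directives)
{
    $config = HTMLPurifier_Config::createDefault();
    foreach ($directives as $key => $value) {
        $config->set($key, $value);
    }
    return new HTMLPurifier($config);
}

/** Purify each sample and return label => cleaned HTML. */
function purifyAll(HTMLPurifier $purifier, array $samples)
{
    $out = [];
    foreach ($samples as $label => $html) {
        $out[$label] = $purifier->purify($html);
    }
    return $out;
}

// Constructed inputs of the kind an HTML form field might receive.
$samples = [
    'event handler'   => '<a href="#" onclick="alert(1)">link</a>',
    'javascript: URI' => '<a href="javascript:alert(1)">link</a>',
    'script tag'      => '<p>text<script>alert(1)</script></p>',
    'iframe'          => '<iframe src="https://example.com/"></iframe>',
    'benign markup'   => '<p><b>bold</b> and <a href="https://example.com/">link</a></p>',
];

// Allow-list configuration: only these elements and attributes survive,
// only http/https URIs are kept in href, and the definition cache is
// written to the system temp dir (the page's example uses '/other/path').
$directives = [
    'HTML.Allowed'         => 'p,b,i,a[href]',
    'URI.AllowedSchemes'   => ['http' => true, 'https' => true],
    'Cache.SerializerPath' => sys_get_temp_dir(),
];

$purifier = buildPurifier($directives);
foreach (purifyAll($purifier, $samples) as $label => $clean) {
    printf("%-16s %s\n", $label . ':', $clean);
}
```

Running it shows the event-handler attribute and the `javascript:` href being dropped while the anchor element and its text remain, the `script` and `iframe` elements being removed entirely, and the benign markup passing through unchanged. In a form, the same `$directives` array goes under `'options' => ['config' => ...]` of the filter specification, as shown in the fine-tuning section.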
TODO
- Convert it into a module and define the default HTMLPurifier configuration via a config file