Assume the following requirements:
- 1) I want to allow my users to embed videos
2) I want to let them do so without having to do anything more than paste a URL into a CKEditor dialog
3) I want HTMLPurifier to filter the embed
Mon, 09/27/2010 - 00:27
#1
Making CKEditor and HTMLPurifier coordinate on flash embed
2) I want to let them do so without having to do anything more than paste a URL into a CKEditor dialog
3) I want HTMLPurifier to filter the embed
Re: Making CKEditor and HTMLPurifier coordinate on flash emb
require HTMLPurifier.php first, then :
$config->set('HTML.SafeObject', true); $config->set('HTML.SafeEmbed', true); $config->set('Output.FlashCompat', true); $config->set('HTML.Trusted', true); $config->set('Filter.YouTube', true);Dunno if you need any of the other stuff, 'HTML.Trusted', true takes care of most, if not all of the things you have listed as allowed elements.
I wouldn't use the above for input available to users who are not accountable - like users who are not logged in.
Cheers for the extra params needed to make flash work properly, I was looking for those sort of but semi not caring because I don't use flash or embeds. I did just test all the above and it does work in both source and WYSIWYG mode.
You'll need to write a fake object plugin or edit the CKEditor flash dialog plugin to deal with the code after html purifier makes it valid because the little red box (The fake object) Doesn't show after htmlpurifier has had it's way with it. It's still there though, look at the source.
Thanks,
Zanpakutō
Re: Making CKEditor and HTMLPurifier coordinate on flash emb
Thanks for the reply, Zanpakuto.
Upon further investigation, the problem seems only to be happening in certain browsers, including Firefox.
A similar problem was reported by other users on the HTMLPurifier site http://htmlpurifier.org/phorum/read.php?2,4794, and it seems that Ambush Commander is actively working on it. I'll report back when the issue is resolved.
Before I close, I want to bring to your attention a couple of issues I see with your configuration.
First, I'll quote Ambush Commander from the thread linked above:
Re: Making CKEditor and HTMLPurifier coordinate on flash emb
EMBED is a valid HTML 5 tag and it is counter productive to filter it out here because without SafeEmbed true, htmlpurifier screws up the code generated by CKEditor's flash plugin.
That's hyperbole and if he thinks it should be called unsafe, he needs to change the API before he starts telling people to use it by the unsafe name. While it is slightly confusing to use the word trusted, It does exactly what I want it to do and that is to allow users who are trusted; because they have been provided with a login account, to post more types of tags than normal when HTML filtering is applied.
You need to realise here that the guy has very little interest in flash embeds and his software is designed to remove anything like that because he has deemed it categorically unsafe whilst using that to side step the issue that somewhere amongst all the embeds and objects, there is actually some valid code to be filtered out.
It's harsh to say this but I have come to the conclusion after reading those threads, that HTMLpurifier is not a suitable solution to the way I view the forward thinking web. Many of htmlfilter's rules are archaic, likely target browser specific bugs (Mainly IE I expect) many of which will now be fixed, so it is best to avoid it. Then you don't get tangled up in someone else's HTML filtering rules and their rhetoric about what you should or should not use on a web page.
It's probably going to be more productive to create something from W3C's unicorn and HTMLtidy, than rely on HTMLpurifier from now on, in my view.
The code I posted above works for me for now.
Thanks,
Zanpakutō