Modifying htmlpurifier allowed tags for this markup

My HTML Purifier settings currently allow only these tags:

$configuration->set('HTML.Allowed', 'p,ul,ol,li');

I want to allow indentation of lists, and my editor uses this HTML:

<ul style="margin-left: 40px;">

How should I change my HTMLPurifier Allowed tags? I thought to add style, but I think it would be better to specify exactly which style is allowed, which in this case would be margin-left. What is the right way to change the HTML.Allowed for this case?

sameold asked Jun 03 '11 17:06


4 Answers

Allow the style attributes, and then modify the allowed CSS attributes using %CSS.AllowedProperties.

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');
$configuration->set('CSS.AllowedProperties', 'margin-left');

P.S. I'm surprised how many people don't understand how HTML Purifier works.

Edward Z. Yang answered Nov 01 '22 08:11
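As an added example (not code from Edward Z. Yang's answer or from the HTML Purifier project itself), the two settings above applied to a few constructed inputs, showing which style declarations survive. It assumes HTML Purifier is installed through Composer; the autoload path is an assumption.

```php
<?php
// Added example: HTML.Allowed with a per-tag [style] attribute plus
// CSS.AllowedProperties. Assumes the Composer package ezyang/htmlpurifier;
// the autoload path below is an assumption.
require_once __DIR__ . '/vendor/autoload.php';

// Allow p/ul/ol/li, a style attribute on ul only, and margin-left as the
// sole CSS property that may appear inside that attribute.
function makeListPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,ul[style],ol,li');
    $config->set('CSS.AllowedProperties', 'margin-left');
    // Keep the definition cache in a writable place for this demo.
    $config->set('Cache.SerializerPath', sys_get_temp_dir());
    return new HTMLPurifier($config);
}

// Purify $dirty and list the CSS property names left in any style
// attribute, so the effect of CSS.AllowedProperties is visible.
function purifyAndReport(string $dirty): array
{
    $clean = makeListPurifier()->purify($dirty);
    preg_match_all('/style="([^"]*)"/', $clean, $m);
    $properties = [];
    foreach ($m[1] as $declaration) {
        foreach (explode(';', $declaration) as $rule) {
            $name = trim(explode(':', $rule, 2)[0]);
            if ($name !== '') {
                $properties[] = $name;
            }
        }
    }
    return ['clean' => $clean, 'properties' => $properties];
}

// Constructed inputs: the editor's own markup; the same attribute with
// extra declarations (including the IE expression() form discussed in the
// answers below); and style on a tag that has no [style] in HTML.Allowed.
$samples = [
    '<ul style="margin-left: 40px;"><li>indented</li></ul>',
    '<ul style="margin-left: 40px; color: red; width: expression(alert(1));"><li>x</li></ul>',
    '<p style="margin-left: 40px;">no style allowed on p</p>',
];
foreach ($samples as $dirty) {
    $result = purifyAndReport($dirty);
    printf("%s\n  -> %s\n  surviving CSS: [%s]\n", $dirty, $result['clean'],
        implode(', ', $result['properties']));
}
```

Only margin-left should remain on the ul in the first two cases, and the p in the third case should lose its style attribute entirely.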


At the least, you want to allow attributes for tags which purifier supports, like so:

$configuration->set('HTML.Allowed', 'p,ul[style],ol,li');

I'm not sure if you can also allow/restrict the content of the attributes, though.

baraboom answered Nov 01 '22 09:11


I suggest you don't allow attributes at all. Allowing the style attribute causes an XSS vulnerability in IE7 (and possibly other versions, I am not sure at the moment), but the point is, it's too dangerous. You should parse the HTML yourself, and replace the users' with constant strings in your code. Allowing HTML is a really dangerous practice. For better security, you may want to try something like Markdown or create your own very simple markup language (like BBCode) for your users to use.

SamT answered Nov 01 '22 08:11


Like SamT said regarding the XSS vulnerability in IE7, be wary of allowing access to the style attribute because of a genius Microsoft move that allowed the use of JavaScript in CSS by way of "expression()" (also known as Dynamic Properties). http://msdn.microsoft.com/en-us/library/ms537634(v=vs.85).aspx

Regarding its removal in IE8, where Microsoft blatantly admits that it exposed users to additional vulnerabilities: http://blogs.msdn.com/b/ie/archive/2008/10/16/ending-expressions.aspx

Example:

<a href="" style="width: expression(alert('XSS'));">blah</a>

The above would pop up a JavaScript alert box in MSIE 5 through 7. According to the docs on MSDN, it should also work on IE8 when Quirks mode is active. It might also occur on IE9 in Quirks mode, but I can't be sure.

If at all possible, avoid allowing access to the style attribute. You never know when another future browser will get the genius idea to add in the same mistake Microsoft made.

damianb answered Nov 01 '22 08:11