How to show correct html with mews/purifier?

Asked by: mstdmstd Asked: 7/21/2023 Updated: 7/22/2023 Views: 41

Q:

Using mews/purifier 3.4 in Laravel 8, I output content containing a table definition in my Blade file:

<div class="news-view-content">
    {!! \Purifier::clean($news->content) !!}
</div>

In my browser I see the HTML code without the table definition:

<p>2014 b</p>
<p>1112131421222324</p>

<p>&nbsp;</p>

Without the \Purifier::clean method, I see the HTML code with the table definition:

<div class="news-view-content">
    <p>2014 b</p>
    <figure class="table">
        <table>
            <tbody>
            <tr>
                <td>11</td>
                <td>12</td>
                <td>13</td>
                <td>14</td>
            </tr>
            <tr>
                <td>21</td>
                <td>22</td>
                <td>23</td>
                <td>24</td>
            </tr>
            </tbody>
        </table>
    </figure>
    <p>&nbsp;</p>

</div>

I opened the config/purifier.php file and added 1 line with a table rule under the custom_definition=>elements block:

<?php

return [
    'encoding'           => 'UTF-8',
    'finalize'           => true,
    'ignoreNonStrings'   => false,
    'cachePath'          => storage_path('app/purifier'),
    'cacheFileMode'      => 0755,


    'settings'      => [
        'default' => [
            'HTML.Doctype'             => 'HTML 4.01 Transitional',
            'HTML.Allowed'             => 'div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
            'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
            'AutoFormat.AutoParagraph' => false,
            'AutoFormat.RemoveEmpty'   => true,
        ],
        'test'    => [
            'Attr.EnableID' => 'true',
        ],
        "youtube" => [
            "HTML.SafeIframe"      => 'true',
            "URI.SafeIframeRegexp" => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
        ],
        'custom_definition' => [
            'id'  => 'html5-definitions',
            'rev' => 1,
            'debug' => false,
            'elements' => [
                // http://developers.whatwg.org/sections.html
                ['section', 'Block', 'Flow', 'Common'],
                ['nav',     'Block', 'Flow', 'Common'],
                ['article', 'Block', 'Flow', 'Common'],
                ['aside',   'Block', 'Flow', 'Common'],
                ['header',  'Block', 'Flow', 'Common'],
                ['footer',  'Block', 'Flow', 'Common'],

                // I ADDED THIS RULE
                ['table',  'Block', 'Flow', 'Common'],


                // Content model actually excludes several tags, not modelled here
                ['address', 'Block', 'Flow', 'Common'],
                ['hgroup', 'Block', 'Required: h1 | h2 | h3 | h4 | h5 | h6', 'Common'],

                // http://developers.whatwg.org/grouping-content.html
                ['figure', 'Block', 'Optional: (figcaption, Flow) | (Flow, figcaption) | Flow', 'Common'],
                ['figcaption', 'Inline', 'Flow', 'Common'],

                // http://developers.whatwg.org/the-video-element.html#the-video-element
                ['video', 'Block', 'Optional: (source, Flow) | (Flow, source) | Flow', 'Common', [
                    'src' => 'URI',
                    'type' => 'Text',
                    'width' => 'Length',
                    'height' => 'Length',
                    'poster' => 'URI',
                    'preload' => 'Enum#auto,metadata,none',
                    'controls' => 'Bool',
                ]],
                ['source', 'Block', 'Flow', 'Common', [
                    'src' => 'URI',
                    'type' => 'Text',
                ]],

                // http://developers.whatwg.org/text-level-semantics.html
                ['s',    'Inline', 'Inline', 'Common'],
                ['var',  'Inline', 'Inline', 'Common'],
                ['sub',  'Inline', 'Inline', 'Common'],
                ['sup',  'Inline', 'Inline', 'Common'],
                ['mark', 'Inline', 'Inline', 'Common'],
                ['wbr',  'Inline', 'Empty', 'Core'],

                // http://developers.whatwg.org/edits.html
                ['ins', 'Block', 'Flow', 'Common', ['cite' => 'URI', 'datetime' => 'CDATA']],
                ['del', 'Block', 'Flow', 'Common', ['cite' => 'URI', 'datetime' => 'CDATA']],
            ],
            'attributes' => [
                ['iframe', 'allowfullscreen', 'Bool'],
                ['table', 'height', 'Text'],
                ['td', 'border', 'Text'],
                ['th', 'border', 'Text'],
                ['tr', 'width', 'Text'],
                ['tr', 'height', 'Text'],
                ['tr', 'border', 'Text'],
            ],
        ],
        'custom_attributes' => [
            ['a', 'target', 'Enum#_blank,_self,_target,_top'],
        ],
        'custom_elements' => [
            ['u', 'Inline', 'Inline', 'Common'],
        ],
    ],


];

But after clearing the cache I still see the HTML code:

<div class="news-view-content">
    <p>2014 b</p>
    1112131421222324<p>&nbsp;</p>
</div>

Which rule do I have to use to render the table HTML?

Laravel HTMLPurifier

Comments

A:

1 upvote pinkgothic 7/22/2023 #1

The main thing that's happening here is that your HTML.Allowed definition is currently this:

div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]

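It's missing ,table,tbody,tr,td,figure.

One thing of note is that HTML Purifier doesn't support figure out of the box, so even if you add it to the allowlist, it would still be stripped without a custom definition, because HTML Purifier only allows things it knows about (for security reasons).

Thankfully, figure is already in your custom_definition => elements: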

                // http://developers.whatwg.org/grouping-content.html
                ['figure', 'Block', 'Optional: (figcaption, Flow) | (Flow, figcaption) | Flow', 'Common'],

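So once you add it to the allowlist, it should work.

Comments

0 upvotes mstdmstd 7/22/2023
Thanks! It works! Could you provide a reference describing these rules?
1 upvote pinkgothic 7/24/2023
HTML Purifier's configuration is described here: htmlpurifier.org/live/configdoc/plain.html and the custom_definition part of the wrapper you're using around HTML Purifier seems to be a Laravel-specific way of making use of htmlpurifier.org/docs/enduser-customize.html. Hope that helps!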
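
A standalone way to compare the question's HTML.Allowed with the answer's additions, as an added example that is not part of the original thread. It calls HTML Purifier directly rather than through the Laravel wrapper; it assumes ezyang/htmlpurifier is installed with Composer, and the buildPurifier helper and the sample markup (which includes a script element and an onclick attribute, neither on the allowlist) are constructed for illustration.

```php
<?php
// Added example, not code from the original thread.
// Assumes `composer require ezyang/htmlpurifier` and that this file sits next to vendor/.
require __DIR__ . '/vendor/autoload.php';

// Hypothetical helper: builds a purifier for the given HTML.Allowed string and registers
// the figure/figcaption custom elements copied from the question's custom_definition block.
function buildPurifier(string $allowed): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
    $config->set('HTML.Allowed', $allowed);
    $config->set('Cache.DefinitionImpl', null);   // no on-disk definition cache for this check
    $config->set('HTML.DefinitionID', 'html5-definitions');
    $config->set('HTML.DefinitionRev', 1);

    // With the cache disabled this always returns the raw definition to extend.
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        $def->addElement('figure', 'Block',
            'Optional: (figcaption, Flow) | (Flow, figcaption) | Flow', 'Common');
        $def->addElement('figcaption', 'Inline', 'Flow', 'Common');
    }
    return new HTMLPurifier($config);
}

$original = 'div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]';
$fixed    = $original . ',table,tbody,tr,td,figure';

// Constructed sample: table markup like the question's, plus content that is not allowlisted.
$dirty = '<p>2014 b</p><figure class="table"><table><tbody>'
       . '<tr><td onclick="alert(1)">11</td><td>12</td></tr>'
       . '</tbody></table></figure><script>alert(1)</script>';

foreach (['original' => $original, 'fixed' => $fixed] as $label => $allowed) {
    echo $label, ': ', buildPurifier($allowed)->purify($dirty), PHP_EOL;
}
```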