CHtmlPurifier

Package system.web.widgets
Inheritance class CHtmlPurifier » COutputProcessor » CFilterWidget » CWidget » CBaseController » CComponent
Implements IFilter
Since 1.0
Source Code framework/web/widgets/CHtmlPurifier.php
CHtmlPurifier is wrapper of HTML Purifier.

CHtmlPurifier removes all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist. It will also make sure the resulting code is standard-compliant.

CHtmlPurifier can be used as either a widget or a controller filter.

Note: since HTML Purifier is a big package, its performance is not very good. You should consider either caching the purification result or purifying the user input before saving to database.

Usage as a class:
$p = new CHtmlPurifier();
$p->options = array('URI.AllowedSchemes'=>array(
  'http' => true,
  'https' => true,
));
$text = $p->purify($text);


Usage as validation rule:
array('text','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),

Public Properties

Property Type Description Defined By
actionPrefix string the prefix to the IDs of the actions. CWidget
controller CController Returns the controller that this widget belongs to. CWidget
id string Returns the ID of the widget or generates a new one if requested. CWidget
isFilter boolean whether this widget is used as a filter. CFilterWidget
options mixed Get the options for the HTML Purifier instance. CHtmlPurifier
owner CBaseController Returns the owner/creator of this widget. CWidget
skin mixed the name of the skin to be used by this widget. CWidget
stopAction boolean whether to stop the action execution when this widget is used as a filter. CFilterWidget
viewPath string Returns the directory containing the view files for this widget. CWidget

Protected Properties

Property Type Description Defined By
purifier HTMLPurifier Get the HTML Purifier instance or create a new one if it doesn't exist. CHtmlPurifier

Public Methods

Method Description Defined By
__call() Calls the named method which is not a class method. CComponent
__construct() Constructor. CFilterWidget
__get() Returns a property value, an event handler list or a behavior based on its name. CComponent
__isset() Checks if a property value is null. CComponent
__set() Sets value of a component property. CComponent
__unset() Sets a component property to be null. CComponent
actions() Returns a list of actions that are used by this widget. CWidget
asa() Returns the named behavior object. CComponent
attachBehavior() Attaches a behavior to this component. CComponent
attachBehaviors() Attaches a list of behaviors to the component. CComponent
attachEventHandler() Attaches an event handler to an event. CComponent
beginCache() Begins fragment caching. CBaseController
beginClip() Begins recording a clip. CBaseController
beginContent() Begins the rendering of content that is to be decorated by the specified view. CBaseController
beginWidget() Creates a widget and executes it. CBaseController
canGetProperty() Determines whether a property can be read. CComponent
canSetProperty() Determines whether a property can be set. CComponent
createWidget() Creates a widget and initializes it. CBaseController
detachBehavior() Detaches a behavior from the component. CComponent
detachBehaviors() Detaches all behaviors from the component. CComponent
detachEventHandler() Detaches an existing event handler. CComponent
disableBehavior() Disables an attached behavior. CComponent
disableBehaviors() Disables all behaviors attached to this component. CComponent
enableBehavior() Enables an attached behavior. CComponent
enableBehaviors() Enables all behaviors attached to this component. CComponent
endCache() Ends fragment caching. CBaseController
endClip() Ends recording a clip. CBaseController
endContent() Ends the rendering of content. CBaseController
endWidget() Ends the execution of the named widget. CBaseController
evaluateExpression() Evaluates a PHP expression or callback under the context of this component. CComponent
filter() Performs the filtering. CFilterWidget
getController() Returns the controller that this widget belongs to. CWidget
getEventHandlers() Returns the list of attached event handlers for an event. CComponent
getId() Returns the ID of the widget or generates a new one if requested. CWidget
getIsFilter() Checks whether this widget is used as a filter. CFilterWidget
getOptions() Get the options for the HTML Purifier instance. CHtmlPurifier
getOwner() Returns the owner/creator of this widget. CWidget
getViewFile() Looks for the view script file according to the view name. CWidget
getViewPath() Returns the directory containing the view files for this widget. CWidget
hasEvent() Determines whether an event is defined. CComponent
hasEventHandler() Checks whether the named event has attached handlers. CComponent
hasProperty() Determines whether a property is defined. CComponent
init() Initializes the widget. COutputProcessor
onProcessOutput() Raised when the output has been captured. COutputProcessor
processOutput() Processes the captured output. CHtmlPurifier
purify() Purifies the HTML content by removing malicious code. CHtmlPurifier
raiseEvent() Raises an event. CComponent
render() Renders a view. CWidget
renderFile() Renders a view file. CBaseController
renderInternal() Renders a view file. CBaseController
run() Executes the widget. COutputProcessor
setId() Sets the ID of the widget. CWidget
setOptions() Set the options for HTML Purifier and create a new HTML Purifier instance based on these options. CHtmlPurifier
widget() Creates a widget and executes it. CBaseController

Protected Methods

Method Description Defined By
createNewHtmlPurifierInstance() Create a new HTML Purifier instance. CHtmlPurifier
getPurifier() Get the HTML Purifier instance or create a new one if it doesn't exist. CHtmlPurifier

Events

Event Description Defined By
onProcessOutput Raised when the output has been captured. COutputProcessor

Property Details

options property

public mixed getOptions()
public static setOptions(mixed $options)

Get the options for the HTML Purifier instance.

purifier property read-only

protected HTMLPurifier getPurifier()

Get the HTML Purifier instance or create a new one if it doesn't exist.

Method Details

createNewHtmlPurifierInstance() method

protected HTMLPurifier createNewHtmlPurifierInstance()
{return} HTMLPurifier
Source Code: framework/web/widgets/CHtmlPurifier.php#124 (show)
protected function createNewHtmlPurifierInstance()
{
    
$this->_purifier=new HTMLPurifier($this->getOptions());
    
$this->_purifier->config->set('Cache.SerializerPath',Yii::app()->getRuntimePath());
    return 
$this->_purifier;
}

Create a new HTML Purifier instance.

getOptions() method

public mixed getOptions()
{return} mixed the HTML Purifier instance options
Source Code: framework/web/widgets/CHtmlPurifier.php#104 (show)
public function getOptions()
{
    return 
$this->_options;
}

Get the options for the HTML Purifier instance.

getPurifier() method

protected HTMLPurifier getPurifier()
{return} HTMLPurifier
Source Code: framework/web/widgets/CHtmlPurifier.php#113 (show)
protected function getPurifier()
{
    if(
$this->_purifier!==null)
        return 
$this->_purifier;
    return 
$this->createNewHtmlPurifierInstance();
}

Get the HTML Purifier instance or create a new one if it doesn't exist.

processOutput() method

public void processOutput(string $output)
$output string the captured output to be processed
Source Code: framework/web/widgets/CHtmlPurifier.php#68 (show)
public function processOutput($output)
{
    
$output=$this->purify($output);
    
parent::processOutput($output);
}

Processes the captured output. This method purifies the output using HTML Purifier.

purify() method

public mixed purify(mixed $content)
$content mixed the content to be purified.
{return} mixed the purified content
Source Code: framework/web/widgets/CHtmlPurifier.php#79 (show)
public function purify($content)
{
    if(
is_array($content))
        
$content=array_map(array($this,'purify'),$content);
    else
        
$content=$this->getPurifier()->purify($content);
    return 
$content;
}

Purifies the HTML content by removing malicious code.

setOptions() method

public static setOptions(mixed $options)
$options mixed the options for HTML Purifier
{return} static the object instance itself
Source Code: framework/web/widgets/CHtmlPurifier.php#93 (show)
public function setOptions($options)
{
    
$this->_options=$options;
    
$this->createNewHtmlPurifierInstance();
    return 
$this;
}

Set the options for HTML Purifier and create a new HTML Purifier instance based on these options.

© 2008–2017 by Yii Software LLC
Licensed under the three clause BSD license.
http://www.yiiframework.com/doc/api/1.1/CHtmlPurifier