CHtmlPurifier
Package | system.web.widgets |
---|---|
Inheritance | class CHtmlPurifier » COutputProcessor » CFilterWidget » CWidget » CBaseController » CComponent |
Implements | IFilter |
Since | 1.0 |
Source Code | framework/web/widgets/CHtmlPurifier.php |
CHtmlPurifier is a wrapper of HTML Purifier.
CHtmlPurifier removes malicious markup (XSS payloads) using a thoroughly audited, secure yet permissive whitelist. It also makes the resulting markup standards-compliant.
CHtmlPurifier can be used as either a widget or a controller filter.
Note: since HTML Purifier is a big package, its performance is not very good. You should consider either caching the purification result or purifying the user input before saving it to the database. The result depends on the options in effect when purify() runs, so if you purify on save and later tighten the whitelist, content that is already stored has to be purified again.
Usage as a class:
$p = new CHtmlPurifier();
$p->options = array('URI.AllowedSchemes'=>array(
    'http' => true,
    'https' => true,
));
$text = $p->purify($text);
Usage as validation rule:
array('text','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),
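The validation-rule form above, carried into a complete model. This is an added example, not code from the Yii API page: the Comment model, its table and the HTML.Allowed whitelist chosen for a comment field are assumptions. The purifier is configured once in rules() and tightened beyond HTML Purifier's defaults, and the rule order puts purify() before the length check so that the limit applies to the cleaned markup:

```php
<?php
// Added example, not part of the Yii API page. Assumes a 'comment' table with a
// 'body' column; the whitelist below is a choice for a comment field, not a default.
class Comment extends CActiveRecord
{
    public static function model($className=__CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{comment}}';
    }

    public function rules()
    {
        // Usage as a class: one purifier per validation run, configured through the
        // 'options' property (the array is handed to HTML Purifier's configuration).
        $purifier=new CHtmlPurifier();
        $purifier->options=array(
            // Only these elements and attributes survive; everything else is stripped.
            'HTML.Allowed'=>'p,br,b,strong,i,em,a[href|title],blockquote,code,pre',
            // Drop href values whose scheme is not http/https ('javascript:', 'data:', ...).
            'URI.AllowedSchemes'=>array('http'=>true,'https'=>true),
            // Add rel="nofollow" to every surviving link.
            'HTML.Nofollow'=>true,
        );
        return array(
            array('body','required'),
            // Usage as a validation rule: the filter validator replaces the attribute
            // value with purify()'s result before the following rules see it.
            array('body','filter','filter'=>array($purifier,'purify')),
            array('body','length','max'=>10000),
        );
    }
}
```

Because purification happens in validate(), anything that bypasses validation (saving with $runValidation=false, or writing the column directly) stores the raw input; use the widget form on output for such paths.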
Public Properties
Property | Type | Description | Defined By |
---|---|---|---|
actionPrefix | string | the prefix to the IDs of the actions. | CWidget |
controller | CController | Returns the controller that this widget belongs to. | CWidget |
id | string | Returns the ID of the widget or generates a new one if requested. | CWidget |
isFilter | boolean | whether this widget is used as a filter. | CFilterWidget |
options | mixed | Get the options for the HTML Purifier instance. | CHtmlPurifier |
owner | CBaseController | Returns the owner/creator of this widget. | CWidget |
skin | mixed | the name of the skin to be used by this widget. | CWidget |
stopAction | boolean | whether to stop the action execution when this widget is used as a filter. | CFilterWidget |
viewPath | string | Returns the directory containing the view files for this widget. | CWidget |
Protected Properties
Property | Type | Description | Defined By |
---|---|---|---|
purifier | HTMLPurifier | Get the HTML Purifier instance or create a new one if it doesn't exist. | CHtmlPurifier |
Public Methods
Method | Description | Defined By |
---|---|---|
__call() | Calls the named method which is not a class method. | CComponent |
__construct() | Constructor. | CFilterWidget |
__get() | Returns a property value, an event handler list or a behavior based on its name. | CComponent |
__isset() | Checks if a property value is null. | CComponent |
__set() | Sets value of a component property. | CComponent |
__unset() | Sets a component property to be null. | CComponent |
actions() | Returns a list of actions that are used by this widget. | CWidget |
asa() | Returns the named behavior object. | CComponent |
attachBehavior() | Attaches a behavior to this component. | CComponent |
attachBehaviors() | Attaches a list of behaviors to the component. | CComponent |
attachEventHandler() | Attaches an event handler to an event. | CComponent |
beginCache() | Begins fragment caching. | CBaseController |
beginClip() | Begins recording a clip. | CBaseController |
beginContent() | Begins the rendering of content that is to be decorated by the specified view. | CBaseController |
beginWidget() | Creates a widget and executes it. | CBaseController |
canGetProperty() | Determines whether a property can be read. | CComponent |
canSetProperty() | Determines whether a property can be set. | CComponent |
createWidget() | Creates a widget and initializes it. | CBaseController |
detachBehavior() | Detaches a behavior from the component. | CComponent |
detachBehaviors() | Detaches all behaviors from the component. | CComponent |
detachEventHandler() | Detaches an existing event handler. | CComponent |
disableBehavior() | Disables an attached behavior. | CComponent |
disableBehaviors() | Disables all behaviors attached to this component. | CComponent |
enableBehavior() | Enables an attached behavior. | CComponent |
enableBehaviors() | Enables all behaviors attached to this component. | CComponent |
endCache() | Ends fragment caching. | CBaseController |
endClip() | Ends recording a clip. | CBaseController |
endContent() | Ends the rendering of content. | CBaseController |
endWidget() | Ends the execution of the named widget. | CBaseController |
evaluateExpression() | Evaluates a PHP expression or callback under the context of this component. | CComponent |
filter() | Performs the filtering. | CFilterWidget |
getController() | Returns the controller that this widget belongs to. | CWidget |
getEventHandlers() | Returns the list of attached event handlers for an event. | CComponent |
getId() | Returns the ID of the widget or generates a new one if requested. | CWidget |
getIsFilter() | Checks whether this widget is used as a filter. | CFilterWidget |
getOptions() | Get the options for the HTML Purifier instance. | CHtmlPurifier |
getOwner() | Returns the owner/creator of this widget. | CWidget |
getViewFile() | Looks for the view script file according to the view name. | CWidget |
getViewPath() | Returns the directory containing the view files for this widget. | CWidget |
hasEvent() | Determines whether an event is defined. | CComponent |
hasEventHandler() | Checks whether the named event has attached handlers. | CComponent |
hasProperty() | Determines whether a property is defined. | CComponent |
init() | Initializes the widget. | COutputProcessor |
onProcessOutput() | Raised when the output has been captured. | COutputProcessor |
processOutput() | Processes the captured output. | CHtmlPurifier |
purify() | Purifies the HTML content by removing malicious code. | CHtmlPurifier |
raiseEvent() | Raises an event. | CComponent |
render() | Renders a view. | CWidget |
renderFile() | Renders a view file. | CBaseController |
renderInternal() | Renders a view file. | CBaseController |
run() | Executes the widget. | COutputProcessor |
setId() | Sets the ID of the widget. | CWidget |
setOptions() | Set the options for HTML Purifier and create a new HTML Purifier instance based on these options. | CHtmlPurifier |
widget() | Creates a widget and executes it. | CBaseController |
Protected Methods
Method | Description | Defined By |
---|---|---|
createNewHtmlPurifierInstance() | Create a new HTML Purifier instance. | CHtmlPurifier |
getPurifier() | Get the HTML Purifier instance or create a new one if it doesn't exist. | CHtmlPurifier |
Events
Event | Description | Defined By |
---|---|---|
onProcessOutput | Raised when the output has been captured. | COutputProcessor |
Property Details
options property
public mixed getOptions()
public static setOptions(mixed $options)
Get the options for the HTML Purifier instance.
purifier property read-only
protected HTMLPurifier getPurifier()
Get the HTML Purifier instance or create a new one if it doesn't exist.
Method Details
createNewHtmlPurifierInstance() method
protected HTMLPurifier createNewHtmlPurifierInstance()
{return} | HTMLPurifier |
Source Code: framework/web/widgets/CHtmlPurifier.php#124
protected function createNewHtmlPurifierInstance()
{
$this->_purifier=new HTMLPurifier($this->getOptions());
$this->_purifier->config->set('Cache.SerializerPath',Yii::app()->getRuntimePath());
return $this->_purifier;
}
Create a new HTML Purifier instance.
getOptions() method
public mixed getOptions()
{return} | mixed | the HTML Purifier instance options |
Source Code: framework/web/widgets/CHtmlPurifier.php#104
public function getOptions()
{
return $this->_options;
}
Get the options for the HTML Purifier instance.
getPurifier() method
protected HTMLPurifier getPurifier()
{return} | HTMLPurifier |
Source Code: framework/web/widgets/CHtmlPurifier.php#113
protected function getPurifier()
{
if($this->_purifier!==null)
return $this->_purifier;
return $this->createNewHtmlPurifierInstance();
}
Get the HTML Purifier instance or create a new one if it doesn't exist.
processOutput() method
public void processOutput(string $output)
$output | string | the captured output to be processed |
Source Code: framework/web/widgets/CHtmlPurifier.php#68
public function processOutput($output)
{
$output=$this->purify($output);
parent::processOutput($output);
}
Processes the captured output. This method purifies the output using HTML Purifier.
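The widget form is what reaches processOutput(): beginWidget() runs COutputProcessor::init(), which starts output buffering, and endWidget() runs run(), which collects the buffer and passes it here. The following view fragment is an added example, not code from the page; the view file, the $comment variable and its 'body' and 'author' attributes are assumptions. Only the untrusted markup is wrapped, so the rest of the page keeps its own scripts and layout, and plain-text fields are encoded rather than purified:

```php
<?php /* protected/views/comment/_view.php, added example; assumes $comment with 'author' and 'body' */ ?>
<div class="comment">
    <?php // Plain text needs encoding, not purification. ?>
    <div class="author"><?php echo CHtml::encode($comment->author); ?></div>

    <?php
    // Everything echoed between beginWidget() and endWidget() is buffered by
    // COutputProcessor::init()/run() and handed to processOutput() -> purify().
    // 'options' is set on the widget before init() runs, so it configures the
    // HTML Purifier instance that purifies this block.
    $this->beginWidget('CHtmlPurifier', array(
        'options'=>array(
            'URI.AllowedSchemes'=>array('http'=>true,'https'=>true),
        ),
    ));
    ?>
        <?php echo $comment->body; ?>
    <?php $this->endWidget(); ?>
</div>
```

This runs HTML Purifier on every render of the fragment; where that is too slow, wrap the fragment in beginCache()/endCache() or purify on input as recommended in the note at the top of the page.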
purify() method
public mixed purify(mixed $content)
$content | mixed | the content to be purified. |
{return} | mixed | the purified content |
Source Code: framework/web/widgets/CHtmlPurifier.php#79
public function purify($content)
{
if(is_array($content))
$content=array_map(array($this,'purify'),$content);
else
$content=$this->getPurifier()->purify($content);
return $content;
}
Purifies the HTML content by removing malicious code. An array is purified element by element (recursively), a string is passed to the underlying HTMLPurifier instance.
setOptions() method
public static setOptions(mixed $options)
$options | mixed | the options for HTML Purifier |
{return} | static | the object instance itself |
Source Code: framework/web/widgets/CHtmlPurifier.php#93
public function setOptions($options)
{
$this->_options=$options;
$this->createNewHtmlPurifierInstance();
return $this;
}
Set the options for HTML Purifier and create a new HTML Purifier instance based on these options.
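Two things a practitioner wants to check about this method: that the options array really reaches HTML Purifier, and that a purifier which has already been used is reconfigured, since setOptions() discards the existing instance through createNewHtmlPurifierInstance(). The script below is an added example, not code from the page or from Yii. The path to yii.php, the protected/ directory and the payload list are assumptions; an application must be bootstrapped because createNewHtmlPurifierInstance() reads Yii::app()->getRuntimePath() for the serializer cache. Under HTML Purifier's default URI.AllowedSchemes the ftp: scheme is permitted, so schemeTighteningDemo() returns the link unchanged first and, after the options are set, the same link with its href attribute removed and only the text left:

```php
<?php
// Added example, not from the Yii page. Run from the application root; the path to
// yii.php and the protected/ directory are assumptions for a sample application.
require_once dirname(__FILE__).'/framework/yii.php';
Yii::createWebApplication(array('basePath'=>dirname(__FILE__).'/protected'));

// Constructed payloads (not captured traffic). Each one must leave purify() without
// an executable vector, whatever whitelist is configured.
function xssSamples()
{
    return array(
        '<p>hi<script>alert(1)</script></p>',
        '<a href="javascript:alert(1)">click</a>',
        '<img src="x" onerror="alert(1)">',
        '<a href="&#106;avascript:alert(1)">encoded</a>',
        '<div style="background:url(javascript:alert(1))">x</div>',
        '<svg><script>alert(1)</script></svg>',
    );
}

// Returns the samples whose purified form still matches a crude executable-vector
// pattern. An empty array means the configuration passed this smoke test; it is a
// negative check to keep beside the real test suite, not a proof of safety.
function purifierSmokeTest(CHtmlPurifier $purifier, array $samples)
{
    $failures=array();
    foreach($samples as $html)
    {
        $clean=$purifier->purify($html);
        if(preg_match('/<script\b|<svg\b|\son[a-z]+\s*=|javascript:/i',$clean))
            $failures[$html]=$clean;
    }
    return $failures;
}

// setOptions() builds a fresh HTMLPurifier instance, so a purifier can be reconfigured
// after it has been used. The array assigned to 'options' is the HTML Purifier
// configuration; here it removes ftp: from the default scheme list.
function schemeTighteningDemo()
{
    $purifier=new CHtmlPurifier();
    $link='<a href="ftp://files.example.com/x">file</a>';
    $before=$purifier->purify($link);
    $purifier->options=array('URI.AllowedSchemes'=>array('http'=>true,'https'=>true));
    $after=$purifier->purify($link);
    return array('default'=>$before,'tightened'=>$after);
}

$failures=purifierSmokeTest(new CHtmlPurifier(),xssSamples());
foreach($failures as $input=>$output)
    echo "FAIL: ".$input." => ".$output."\n";
print_r(schemeTighteningDemo());
exit($failures===array() ? 0 : 1);
```

Note that createNewHtmlPurifierInstance() sets Cache.SerializerPath after applying your options, so a Cache.SerializerPath you pass in is overridden by the application's runtime path; that directory must be writable by the web server or HTML Purifier cannot cache its definitions.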
© 2008–2017 by Yii Software LLC
Licensed under the three clause BSD license.
http://www.yiiframework.com/doc/api/1.1/CHtmlPurifier