CHtmlPurifier
| Package | system.web.widgets |
|---|---|
| Inheritance | class CHtmlPurifier » COutputProcessor » CFilterWidget » CWidget » CBaseController » CComponent |
| Implements | IFilter |
| Since | 1.0 |
| Source Code | framework/web/widgets/CHtmlPurifier.php |
CHtmlPurifier is a wrapper of HTML Purifier.
CHtmlPurifier removes all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist. It will also make sure the resulting code is standards-compliant.
CHtmlPurifier can be used as either a widget or a controller filter.
Note: since HTML Purifier is a big package, its performance is not very good. You should consider either caching the purification result or purifying the user input before saving it to the database.
Usage as a class:
```php
$p = new CHtmlPurifier();
$p->options = array('URI.AllowedSchemes'=>array(
    'http' => true,
    'https' => true,
));
$text = $p->purify($text);
```
Usage as validation rule:
```php
array('text','filter','filter'=>array($obj=new CHtmlPurifier(),'purify')),
```
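The page states that CHtmlPurifier also works as a controller filter and as a widget, and recommends caching or purifying on input because of the purifier's cost, but shows code only for the class and validation-rule forms. The following is an added example (not code from the Yii project or this page) covering the other three uses in one controller: the filter form with an action restriction and explicit HTML Purifier options, the widget form wrapping untrusted output, and a small cache-backed helper that runs the purifier once per distinct input. `PostController`, `Post`, the `body` attribute, the `HTML.Allowed` whitelist values and the `purified:` cache-key prefix are assumptions for illustration; the filter syntax follows `CController::filters()`, and the cache component is optional (the helper falls back to purifying directly when none is configured).

```php
<?php
// Added example, not from the Yii API page: three ways to apply CHtmlPurifier.
// Assumes a Post model with a raw (unpurified) "body" attribute.

class PostController extends CController
{
    // 1) Controller filter: purify the entire rendered output of the "index"
    //    action only ("+ index" restricts the filter to the listed actions).
    //    Any extra keys become properties of the widget, so "options" is
    //    passed straight through to HTML Purifier.
    public function filters()
    {
        return array(
            array(
                'CHtmlPurifier + index',
                'options'=>array(
                    'HTML.Allowed'=>'p,b,i,a[href],ul,ol,li',          // assumed whitelist
                    'URI.AllowedSchemes'=>array('http'=>true,'https'=>true),
                ),
            ),
        );
    }

    public function actionIndex()
    {
        // Output from this action is buffered by COutputProcessor (started in
        // the filter's init()) and purified in processOutput() after it runs.
        foreach(Post::model()->findAll() as $post)
            echo '<div class="post">'.$post->body.'</div>';
    }

    // 2) Widget form: everything echoed between beginWidget() and endWidget()
    //    is captured and purified before being sent to the client.
    public function actionView($id)
    {
        $post=Post::model()->findByPk($id);
        if($post===null)
            throw new CHttpException(404,'The requested post does not exist.');

        $this->beginWidget('CHtmlPurifier',array(
            'options'=>array('HTML.Allowed'=>'p,b,i,a[href]'),      // assumed whitelist
        ));
        echo $post->body;   // untrusted markup, stored raw
        $this->endWidget();
    }

    // 3) Cached purification: the page recommends caching because HTML Purifier
    //    is expensive. Key on a hash of the raw input so each distinct body is
    //    purified once per TTL. Falls back to a direct purify() when no "cache"
    //    application component is configured.
    public function actionRaw($id)
    {
        $post=Post::model()->findByPk($id);
        if($post===null)
            throw new CHttpException(404,'The requested post does not exist.');
        echo self::purifyCached($post->body);
    }

    public static function purifyCached($html,$ttl=3600)
    {
        static $purifier;
        if($purifier===null)
            $purifier=new CHtmlPurifier();   // reuses one HTMLPurifier instance

        $cache=Yii::app()->getComponent('cache');
        if($cache===null)
            return $purifier->purify($html);

        $key='purified:'.sha1($html);        // assumed key prefix
        $clean=$cache->get($key);            // CCache::get() returns false on a miss
        if($clean===false)
        {
            $clean=$purifier->purify($html);
            $cache->set($key,$clean,$ttl);
        }
        return $clean;
    }
}
```

Two practical points follow from the page's own source: `setOptions()` rebuilds the HTMLPurifier instance each time it is called, so set `options` once rather than per request where possible, and `createNewHtmlPurifierInstance()` points `Cache.SerializerPath` at the application runtime path, so that directory must be writable by the web server for the purifier's definition cache to work.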
Public Properties
| Property | Type | Description | Defined By |
|---|---|---|---|
| actionPrefix | string | the prefix to the IDs of the actions. | CWidget |
| controller | CController | Returns the controller that this widget belongs to. | CWidget |
| id | string | Returns the ID of the widget or generates a new one if requested. | CWidget |
| isFilter | boolean | whether this widget is used as a filter. | CFilterWidget |
| options | mixed | Get the options for the HTML Purifier instance. | CHtmlPurifier |
| owner | CBaseController | Returns the owner/creator of this widget. | CWidget |
| skin | mixed | the name of the skin to be used by this widget. | CWidget |
| stopAction | boolean | whether to stop the action execution when this widget is used as a filter. | CFilterWidget |
| viewPath | string | Returns the directory containing the view files for this widget. | CWidget |
Protected Properties
| Property | Type | Description | Defined By |
|---|---|---|---|
| purifier | HTMLPurifier | Get the HTML Purifier instance or create a new one if it doesn't exist. | CHtmlPurifier |
Public Methods
| Method | Description | Defined By |
|---|---|---|
| __call() | Calls the named method which is not a class method. | CComponent |
| __construct() | Constructor. | CFilterWidget |
| __get() | Returns a property value, an event handler list or a behavior based on its name. | CComponent |
| __isset() | Checks if a property value is null. | CComponent |
| __set() | Sets value of a component property. | CComponent |
| __unset() | Sets a component property to be null. | CComponent |
| actions() | Returns a list of actions that are used by this widget. | CWidget |
| asa() | Returns the named behavior object. | CComponent |
| attachBehavior() | Attaches a behavior to this component. | CComponent |
| attachBehaviors() | Attaches a list of behaviors to the component. | CComponent |
| attachEventHandler() | Attaches an event handler to an event. | CComponent |
| beginCache() | Begins fragment caching. | CBaseController |
| beginClip() | Begins recording a clip. | CBaseController |
| beginContent() | Begins the rendering of content that is to be decorated by the specified view. | CBaseController |
| beginWidget() | Creates a widget and executes it. | CBaseController |
| canGetProperty() | Determines whether a property can be read. | CComponent |
| canSetProperty() | Determines whether a property can be set. | CComponent |
| createWidget() | Creates a widget and initializes it. | CBaseController |
| detachBehavior() | Detaches a behavior from the component. | CComponent |
| detachBehaviors() | Detaches all behaviors from the component. | CComponent |
| detachEventHandler() | Detaches an existing event handler. | CComponent |
| disableBehavior() | Disables an attached behavior. | CComponent |
| disableBehaviors() | Disables all behaviors attached to this component. | CComponent |
| enableBehavior() | Enables an attached behavior. | CComponent |
| enableBehaviors() | Enables all behaviors attached to this component. | CComponent |
| endCache() | Ends fragment caching. | CBaseController |
| endClip() | Ends recording a clip. | CBaseController |
| endContent() | Ends the rendering of content. | CBaseController |
| endWidget() | Ends the execution of the named widget. | CBaseController |
| evaluateExpression() | Evaluates a PHP expression or callback under the context of this component. | CComponent |
| filter() | Performs the filtering. | CFilterWidget |
| getController() | Returns the controller that this widget belongs to. | CWidget |
| getEventHandlers() | Returns the list of attached event handlers for an event. | CComponent |
| getId() | Returns the ID of the widget or generates a new one if requested. | CWidget |
| getIsFilter() | Checks whether this widget is used as a filter. | CFilterWidget |
| getOptions() | Get the options for the HTML Purifier instance. | CHtmlPurifier |
| getOwner() | Returns the owner/creator of this widget. | CWidget |
| getViewFile() | Looks for the view script file according to the view name. | CWidget |
| getViewPath() | Returns the directory containing the view files for this widget. | CWidget |
| hasEvent() | Determines whether an event is defined. | CComponent |
| hasEventHandler() | Checks whether the named event has attached handlers. | CComponent |
| hasProperty() | Determines whether a property is defined. | CComponent |
| init() | Initializes the widget. | COutputProcessor |
| onProcessOutput() | Raised when the output has been captured. | COutputProcessor |
| processOutput() | Processes the captured output. | CHtmlPurifier |
| purify() | Purifies the HTML content by removing malicious code. | CHtmlPurifier |
| raiseEvent() | Raises an event. | CComponent |
| render() | Renders a view. | CWidget |
| renderFile() | Renders a view file. | CBaseController |
| renderInternal() | Renders a view file. | CBaseController |
| run() | Executes the widget. | COutputProcessor |
| setId() | Sets the ID of the widget. | CWidget |
| setOptions() | Set the options for HTML Purifier and create a new HTML Purifier instance based on these options. | CHtmlPurifier |
| widget() | Creates a widget and executes it. | CBaseController |
Protected Methods
| Method | Description | Defined By |
|---|---|---|
| createNewHtmlPurifierInstance() | Create a new HTML Purifier instance. | CHtmlPurifier |
| getPurifier() | Get the HTML Purifier instance or create a new one if it doesn't exist. | CHtmlPurifier |
Events
| Event | Description | Defined By |
|---|---|---|
| onProcessOutput | Raised when the output has been captured. | COutputProcessor |
Property Details
options property
public mixed getOptions()
public static setOptions(mixed $options)
Get the options for the HTML Purifier instance.
purifier property read-only
protected HTMLPurifier getPurifier()
Get the HTML Purifier instance or create a new one if it doesn't exist.
Method Details
createNewHtmlPurifierInstance() method
| Name | Type | Description |
|---|---|---|
| {return} | HTMLPurifier | |
Source Code: framework/web/widgets/CHtmlPurifier.php#124
```php
protected function createNewHtmlPurifierInstance()
{
    $this->_purifier=new HTMLPurifier($this->getOptions());
    $this->_purifier->config->set('Cache.SerializerPath',Yii::app()->getRuntimePath());
    return $this->_purifier;
}
```
Create a new HTML Purifier instance.
getOptions() method
| Name | Type | Description |
|---|---|---|
| {return} | mixed | the HTML Purifier instance options |
Source Code: framework/web/widgets/CHtmlPurifier.php#104
```php
public function getOptions()
{
    return $this->_options;
}
```
Get the options for the HTML Purifier instance.
getPurifier() method
| Name | Type | Description |
|---|---|---|
| {return} | HTMLPurifier | |
Source Code: framework/web/widgets/CHtmlPurifier.php#113
```php
protected function getPurifier()
{
    if($this->_purifier!==null)
        return $this->_purifier;
    return $this->createNewHtmlPurifierInstance();
}
```
Get the HTML Purifier instance or create a new one if it doesn't exist.
processOutput() method
| Name | Type | Description |
|---|---|---|
| $output | string | the captured output to be processed |
Source Code: framework/web/widgets/CHtmlPurifier.php#68
```php
public function processOutput($output)
{
    $output=$this->purify($output);
    parent::processOutput($output);
}
```
Processes the captured output. This method purifies the output using HTML Purifier.
purify() method
| Name | Type | Description |
|---|---|---|
| $content | mixed | the content to be purified. |
| {return} | mixed | the purified content |
Source Code: framework/web/widgets/CHtmlPurifier.php#79
```php
public function purify($content)
{
    if(is_array($content))
        $content=array_map(array($this,'purify'),$content);
    else
        $content=$this->getPurifier()->purify($content);
    return $content;
}
```
Purifies the HTML content by removing malicious code.
setOptions() method
| Name | Type | Description |
|---|---|---|
| $options | mixed | the options for HTML Purifier |
| {return} | static | the object instance itself |
Source Code: framework/web/widgets/CHtmlPurifier.php#93
```php
public function setOptions($options)
{
    $this->_options=$options;
    $this->createNewHtmlPurifierInstance();
    return $this;
}
```
Set the options for HTML Purifier and create a new HTML Purifier instance based on these options.
© 2008–2017 by Yii Software LLC
Licensed under the three clause BSD license.
http://www.yiiframework.com/doc/api/1.1/CHtmlPurifier