lincanbin/white-html-filter
Composer 安装命令:
composer require lincanbin/white-html-filter
包简介
A lightweight php-based HTML tag and attribute whitelist filter.
关键字:
README 文档
README
A php-based HTML tag and attribute whitelist filter.
XSS filtering based on regular or textual replacement is not safe. This filter uses the DOMDocument based on The Tokenization Algorithm, which is more secure.
Requirements
- PHP version 5.3.0 or higher.
Installation
Install this package via Composer.
composer require lincanbin/white-html-filter
Or edit your project's composer.json to require lincanbin/white-html-filter and then run composer update.
"require": { "lincanbin/white-html-filter": "~1.3" }
Usage
Basic Usage
Note: You should have composer's autoloader included
require 'vendor/autoload.php'(that's obvious.)
Instantiate WhiteHTMLFilter object
use lincanbin\WhiteHTMLFilter; $html = <<<html <iframe></iframe> <div class="contain"> <span style="color: #f00;"> test中文 </span> </div> <div class="contain" data-src="xxx" onclick="javascript:alert('xxx');"> <audio controls = "play"> <source src="horse.ogg" type="audio/ogg"> <source src="horse.mp3" type="audio/mpeg"> Your browser does not support the audio element. </audio> </div> <div class="contain"> <span style="color: #f00;" class="aabc">test</span> </div> <IMG SRC=javascript:alert('XSS')> html; $filter = new WhiteHTMLFilter(); $filter->loadHTML($html); $filter->clean(); var_dump($filter->outputHtml());
Configuration
- Remove allowed tags
use lincanbin\WhiteHTMLFilter; $filter = new WhiteHTMLFilter(); $filter->config->removeAllAllowTag(); //Or $filter->config->removeFromTagWhiteList('div'); $filter->config->removeFromTagWhiteList(array("div", "table"));
- Add new allowed tags
use lincanbin\WhiteHTMLFilter; $filter = new WhiteHTMLFilter(); $filter->config->removeAllAllowTag(); $filter->config->modifyTagWhiteList(array( "img" => array("alt", "src", "height", "width"), "a" => array("href", "rel", "target", "download", "type") ));
- Modify allowed HTML global attributes
use lincanbin\WhiteHTMLFilter; $filter = new WhiteHTMLFilter(); $filter->config->WhiteListHtmlGlobalAttributes = array( "class", "style", "title", "data-*" );
- Modify allowed css style (Leave blank to allow everything)
use lincanbin\WhiteHTMLFilter; $filter = new WhiteHTMLFilter(); $filter->config->WhiteListStyle = array( "color", "border", "background", "position" );
- Modify allowed css class (Leave blank to allow everything)
use lincanbin\WhiteHTMLFilter; $filter = new WhiteHTMLFilter(); $filter->config->WhiteListCssClass = array( "container", "title", "sub-title", "sider-bar" );
Use Custom Attribute Value Filter
use lincanbin\WhiteHTMLFilter; $html = <<<html <iframe width="560" height="315" src="https://www.youtube.com/embed/lBOwxXxesBo" frameborder="0" allowfullscreen> </iframe> <iframe width="560" height="315" src="https://www.94cb.com/" frameborder="0" allowfullscreen></iframe> html; $filter = new WhiteHTMLFilter(); $urlFilter = function($url) { $regex = '~ ^(?:https?://)? # Optional protocol (?:www[.])? # Optional sub-domain (?:youtube[.]com/embed/|youtu[.]be/) # Mandatory domain name (w/ query string in .com) ([^&]{11}) # Video id of 11 characters as capture group 1 ~x'; return (preg_match($regex, $url) === 1) ? $url : ''; }; $iframeRule = array( 'iframe' => array( 'src' => $urlFilter, 'width', 'height', 'frameborder', 'allowfullscreen' ) ); $filter->loadHTML($html); $filter->clean(); var_dump($filter->outputHtml());
Result:
<iframe width="560" height="315" src="https://www.youtube.com/embed/lBOwxXxesBo" frameborder="0" allowfullscreen=""></iframe> <iframe width="560" height="315" src="" frameborder="0" allowfullscreen=""></iframe>
Default Filter Configuration
Donate for White HTML Filter
- Alipay:
- Wechat:
-
Paypal:
License
Copyright 2017 Canbin Lin (lincanbin@hotmail.com)
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
lincanbin/white-html-filter 适用场景与选型建议
lincanbin/white-html-filter 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 15.33k 次下载、GitHub Stars 达 11, 最近一次更新时间为 2017 年 07 月 18 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「filter」 「html」 「xss」 「whitelist」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 lincanbin/white-html-filter 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 lincanbin/white-html-filter 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 lincanbin/white-html-filter 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
Texy converts plain text in easy to read Texy syntax into structurally valid (X)HTML. It supports adding of images, links, nested lists, tables and has full support for CSS. Texy supports hyphenation of long words (which reflects language rules), clickable emails and URL (emails are obfuscated again
An HTML/XHTML filter written in PHP. Checks on attribute values. Can be used to avoid Cross-Site Scripting (XSS), Buffer Overflows and Denial of Service attacks, among other things.
Nova searchable filter for belongsTo relationships.
Symfony DataGridBundle
HTML and form generation
Data provider for yii2
统计信息
- 总下载量: 15.33k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 12
- 点击次数: 28
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: Apache-2.0
- 更新时间: 2017-07-18