HTML Purified
| Download: | html-purified.zip |
|---|---|
| Version: | 0.2.9 |
| Updated: | March 5, 2008 |
| Size: | 258.14 KB |
HTML Purified replaces the default WordPress comments filters with HTML Purifier, a super HTML filtering library.
> HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.

(description from the HTML Purifier project)
Why would you want to do this? There is nothing fundamentally wrong with the way WordPress filters comments, and in fact there has been no security alert related to it. However, that doesn't detract from the desire to make things better, nor from the fact that HTML Purifier is much more thorough and exhaustive.
A comparison of HTML Purifier and KSES (the default WordPress filtering library) is shown below and taken from a fuller description at the HTML Purifier site.
| Library | Whitelist | Removal | Well-formed | Nesting | Attributes | XSS safe | Standards safe |
|---|---|---|---|---|---|---|---|
| kses | Yes | Yes | No | No | Partial | Probably | No |
| HTML Purifier | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
An additional feature of HTML Purifier is that it will produce valid well-formed XHTML code, something which KSES does not do.
Features:
- Configurable KSES or HTML Purifier
- Configurable list of HTML elements and attributes for both KSES and HTML Purifier
- Additionally process comments with HTML Tidy
- URL blacklist
- Works in bbPress!
The plugin is available in the following languages:
- English
- Español - translated by José Cuesta
Version History
- 0.2.9 - Update plugin library. Now works in bbPress
- 0.2.7 - Add option for bbcode-style tags, update to HTML Purifier 2.1.3
- 0.2.5 - Add Spanish localization
- 0.2.4 - Fix cache directory write error
- 0.2.2 - Update HTML purifier to 2.1.1
Installation
The plugin is simple to install:
- Download html-purified.zip
- Unzip
- Upload the html-purified directory to your /wp-content/plugins directory
- Go to the plugin management page and enable the plugin
- Configure the options from the Options/HTML Purified page
You can find full details of installing a plugin on the plugin installation page.
General Options
General options apply to both the default KSES filter, as well as HTML Purifier:
Allowed Tags
The allowed tags option is a list of HTML tags and attributes that are allowed in comments. The list will be populated with defaults, and you can modify it as you see fit. One feature of the HTML Purified plugin is that any changes to this list affect both KSES and HTML Purifier, and will be visible on your site (if displaying allowed tags is enabled in your comments form).
Filter admin users
WordPress does not normally filter comments by an administrator, and you can change this by enabling the 'filter admin users' option.
Footer display
Finally there is an option to display the number of purified comments in the footer of your site. Use of this is entirely optional, and provides some nice statistics and an incoming link for both myself and the author of HTML Purifier.
HTML Purifier Options
These options are specific to HTML Purifier:
Caching
HTML Purifier performs a deeper analysis of HTML than KSES, and this results in increased processing time. However, as this increase only happens when a comment is submitted, it is not a problem. Should you want to, you can enable the HTML Purifier cache, which attempts to reduce the processing time by caching internal data structures. The purifier cache is stored in a subdirectory of the standard WordPress cache directory, wp-content/cache/html-purified/. If you enable the cache you must make sure the web server has write permissions to this directory. Caching is advised in most situations.
Document type
The document type should match the document type of your chosen theme. Most themes will be 'XHTML transitional', but you can verify this by viewing the HTML source of your site and looking at the first line:
```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
```
Tidy
As well as validating comments, HTML Purifier can also Tidy them. If you are unfamiliar, HTML Tidy is a popular tool that attempts to correct invalid, poorly formatted, and deprecated HTML. There are three levels of tidying that can be applied, and this reflects the amount of manipulation of the incoming comment. Select a level that suits the complexity of your comments, bearing in mind that the heavier the level the more likely a comment will be modified.
Note that this option does not require Tidy to be installed on your server, although the pretty-printing of HTML does. If you do not have Tidy installed on your server then pretty-printing will be silently ignored.
Blacklist
Finally, a URL blacklist is available. Any text entered into this blacklist will be used to filter the URLs contained within comments. For example, if you enter 'viagra', then any URL containing 'viagra' will be removed.
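As an added example (not the plugin's own code), the following shows how the option set described above maps onto HTML Purifier's configuration: the single KSES-style allowed-tags list converted to HTML Purifier's `HTML.Allowed` format, plus the document type, Tidy level, cache directory and blacklist. It assumes the current HTML Purifier 4.x API rather than the 2.1.x library the plugin bundled; the cache path and the blacklisted host are placeholders.

```php
<?php
// Added example, not the plugin's code. Assumes HTML Purifier 4.x via Composer
// ("ezyang/htmlpurifier"); the 2.1.x library bundled with the plugin used a
// three-argument $config->set($namespace, $key, $value) instead.
require_once __DIR__ . '/vendor/autoload.php';

// Convert a KSES allowed-tags array (WordPress' $allowedtags format) into the
// HTML.Allowed string HTML Purifier expects, so one list drives both filters:
//   array('a' => array('href' => array(), 'title' => array()), 'br' => array())
//   becomes "a[href|title],br"
function kses_to_purifier_allowed(array $kses_tags)
{
    $parts = array();
    foreach ($kses_tags as $tag => $attrs) {
        $tag = strtolower($tag);
        $parts[] = empty($attrs)
            ? $tag
            : $tag . '[' . implode('|', array_keys($attrs)) . ']';
    }
    return implode(',', $parts);
}

// Build a purifier whose settings mirror the plugin's option pages. Note that
// URI.HostBlacklist matches fragments of the link's host name only, which is
// narrower than the plugin's "any URL containing the word" rule.
function build_comment_purifier(array $kses_tags, $cache_dir, array $host_blacklist)
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional'); // match the theme's DOCTYPE
    $config->set('HTML.Allowed', kses_to_purifier_allowed($kses_tags));
    $config->set('HTML.TidyLevel', 'medium');               // light, medium or heavy
    $config->set('URI.HostBlacklist', $host_blacklist);
    // The web server must be able to write here; pass null to disable caching.
    $config->set('Cache.SerializerPath', $cache_dir);
    return new HTMLPurifier($config);
}

// Constructed sample: the default WordPress comment tags and a comment with
// mis-nesting, an unquoted attribute, a blacklisted host and a stray <script>.
$kses_tags = array(
    'a' => array('href' => array(), 'title' => array()),
    'b' => array(), 'br' => array(), 'em' => array(), 'i' => array(),
    'strong' => array(), 'u' => array(),
);
$purifier = build_comment_purifier($kses_tags, '/path/to/wp-content/cache/html-purified', array('spam.example'));
$comment = '<b><i>mis-nested</b></i> <a href=http://spam.example/x>buy</a> <script>bad()</script>';
echo $purifier->purify($comment), "\n";
```

The output is well-formed XHTML with the nesting repaired, the attribute quoted, the blacklisted link's href dropped and the script element removed, which is the well-formedness and nesting difference the comparison table above records against KSES.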
Support
Please direct all support questions to the HTML Purified support forum. Any support questions left on this page may not be answered.
Bugs & New Features
A full list of all bugs can be found in the HTML Purified issue tracker.
| Date | Current requested features |
|---|---|
| 05 Mar 2008 | Add htmlLawed |
| 05 Mar 2008 | Make HTML Purified work with WP-IDS |
A full list of all requested features can be found in the HTML Purified feature tracker.
Help me to save time by reading these instructions!
Please report bugs in the HTML Purified issue tracker.
Please make feature suggestions in the HTML Purified feature tracker.
Please direct all support questions to the HTML Purified support forum.
Comments (page 5 of 6)
Apr 19, 2008 4:02 pm
Ok... one more question - are you planning to release a new version that will work flawlessly in WP 2.5? Thanks.
Apr 19, 2008 3:57 pm
Hello,
I tried this plugin in WordPress 2.5 but it doesn't seem to work. It appears in the options menu and everything seems alright, but for example "allowed tags" doesn't work. I allowed just a, b, br /, em, i, strong and u tags but nothing changed; I can still use all tags.
Mar 5, 2008 8:40 am
Flux, kses.php is still needed by the rest of WordPress. Disabling it in HTML Purified only has an effect with regard to people submitting comments.
Dieter & Aship, I've added both of these to the features list.
Feb 28, 2008 6:42 am
@John, sorry for asking this, but i renamed the kses.php and got this error
Warning: require(/var/www/htdocs/wp-includes/kses.php) [function.require]: failed to open stream: No such file or directory in /var/www/htdocs/wp-settings.php on line 199
Fatal error: require() [function.require]: Failed opening required '/var/www/htdocs/wp-includes/kses.php' (include_path='.:/var/www/htdocs/wp-content/plugins/wp:/var/www/htdocs/wp-content/plugins/wp') in /var/www/htdocs/wp-settings.php on line 199
Is this because WordPress checks for kses.php? I ask this because you have the button to choose which filter to use, but that does not mean kses.php is disabled 100%, right?
I use wp 2.3.3 with html-purified 0.28 and this works.
Feb 21, 2008 8:32 pm
I use WP 2.3.3. The html-purifier 0.28 doesn't work for me together with the wp-ids v0.47. Stuff like this: "XHTML: You can use these tags:...." doesn't work. But disabling the html-purifier makes the WP internal kses feature possible. The counter counts, but I can't see results. Also the cache worked.
I have now installed the svn version of the IDS which comes together with the htmlpurifier. The IDS works, but the htmlpurifier is some sort of mystery for me. I can't edit anything, not even the allowed html tags. Maybe it is installed wrong, I don't know. It seems to work. I changed the name of the Config.ini and the result was an error message. Well, I don't know. Any ideas?
Feb 2, 2008 5:02 pm
WP internally uses the KSES PHP script (developed outside WP) to sanitize user input (to strip certain HTML tags, remove XSS, etc.). However, KSES has many bugs and lacks many features, and though it has 'evolved' into the much better htmLawed, WP doesn't use the new code. But htmLawed seems to be easily integrable in WP, and some WP admins/modders may want to give it a try for its extended features. Also, it is just one file and a tenth of HTMLPurifier in size and memory usage.
Feb 2, 2008 4:57 am
Hello John
"Allow BBCode-style tags:" is on, but I still can't use bbcodes. Or do I have to add them to "Allowed tags:" too?
Jan 2, 2008 9:10 pm
HTML Purified only works on comments, not posts, as the cleanup routine is too restrictive for most sites. HTML Purifier can be integrated anywhere you see fit using its API.
Jan 2, 2008 8:50 am
Hello John,
We are keen to include Word and Front Page cleanup in our new Foliopress WYSIWYG editor for WordPress.
Is there an easy way to integrate your WordPress HTML Purifier into the save routine of the Foliopress editor (or any other WordPress editor)?
We don't want to destroy sophisticated code or legacy code in a website, but just to clean out the Word and Front Page junk.
The basic idea is that some bad tag triggers in the save routine will send in HTML purifier to do a specific cleanup which strips out the bad Word and Front Page tags.
As you well know, forms are particularly sensitive. We would want the filter settings to be particularly careful about breaking forms, erring on the side of caution.
Dec 20, 2007 6:20 am
I've released a new version that adds an option for bbcode-style tags, and updated the HTML Purifier library (which has better support for blockquotes).