Reputation: 5473
This is related to HTMLPurifier - adding to ignore list. I have added a couple of tags to the whitelist. I have this code now:
require_once 'HTMLPurifier.auto.php';               // library autoloader (adjust the path to where HTMLPurifier is installed)
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.DefinitionID', 'customreport');  // names this customised definition so HTMLPurifier can cache it
$config->set('HTML.DefinitionRev', 1);              // bump whenever the elements below change
$config->set('HTML.AllowedElements', array("customreport", "column", "columnseq")); // dotted-key form of the original two-argument set() call
$def = $config->getHTMLDefinition(true);            // raw (not yet set up) definition, so elements can still be added
$def->addElement("customreport", 'Block', 'Flow', 'Common', array());   // block-level container holding flow content
$def->addElement("column", 'Block', 'Inline', 'Common', array());       // block-level element holding inline content
$def->addElement("columnseq", 'Inline', 'Empty', 'Common', array('path'=>'CDATA', 'label'=>'CDATA')); // empty inline element with two CDATA attributes
$purifier = new HTMLPurifier($config);
The problem is, if I send an HTML tag which has the attribute value in single quotes, HTMLPurifier changes it to double quotes. For example:
<columnseq path='test' label='tlabel' />
It happens even on the demo site (http://htmlpurifier.org/demo.php), with test string
<A HREF='http://www.google.com/'>XSS</A>
Can this behavior be overridden?
Upvotes: 1
Views: 852
Reputation: 26742
The canonicalization of attribute quoting to double quotes was an intentional design decision stemming from the fact that when we construct our in-memory representation of the HTML, we only have an associative array of attribute names to values, and no information about what the original quoting style was. If you use the DOM style parser, there is no way to get that information either.
Upvotes: 3
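The following PHP is an added illustration of the point made in the answer; it is example code, not HTMLPurifier's own, and `parseStartTag`, `serializeStartTag` and `canonicalize` are names chosen for this example, with the sample tags constructed for it. It reduces a start tag to an associative array of attribute names and values, exactly the form the answer describes, and then re-emits it: once the array is all that is left, the serializer has to pick one quoting style, and double quotes with `"` escaped as `&quot;` is the one that cannot be broken out of. The last step shows that PHP's DOMDocument discards the quoting style just the same. Requires PHP 7.2 or later.

```php
<?php
// Added illustration, not HTMLPurifier's own code: once a start tag has been
// parsed into an attribute-name => value array, the original quoting style is
// gone, so the serializer has to pick one style (double quotes) and escape
// accordingly. parseStartTag/serializeStartTag/canonicalize are this
// example's own helper names.

/**
 * Parse a single start tag such as <columnseq path='test' label='tlabel' />
 * into ['name' => 'columnseq', 'attrs' => [...], 'empty' => true].
 * Double-quoted, single-quoted and unquoted values all end up as plain
 * strings in the same array; nothing records which form was used.
 */
function parseStartTag(string $tag): array
{
    if (!preg_match('/^<([A-Za-z][A-Za-z0-9]*)\s*(.*?)\s*(\/?)>$/s', $tag, $m)) {
        throw new InvalidArgumentException("not a start tag: $tag");
    }
    preg_match_all(
        '/([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+)))?/',
        $m[2],
        $pairs,
        PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL
    );
    $attrs = [];
    foreach ($pairs as $p) {
        // exactly one of the three value groups matched (none for a bare
        // attribute); entities in the value are decoded, as an HTML lexer does
        $raw = $p[2] ?? $p[3] ?? $p[4] ?? '';
        $attrs[strtolower($p[1])] = html_entity_decode($raw, ENT_QUOTES, 'UTF-8');
    }
    return ['name' => strtolower($m[1]), 'attrs' => $attrs, 'empty' => $m[3] === '/'];
}

/**
 * Emit the tag from the array form. Every value is wrapped in double quotes
 * and any '"' inside it becomes &quot;, so a value can never terminate the
 * attribute early no matter how it was quoted on input. Single quotes need
 * no escaping inside a double-quoted value (ENT_COMPAT leaves them alone).
 */
function serializeStartTag(string $name, array $attrs, bool $empty): string
{
    $out = '<' . $name;
    foreach ($attrs as $key => $value) {
        $out .= ' ' . $key . '="' . htmlspecialchars($value, ENT_COMPAT, 'UTF-8') . '"';
    }
    return $out . ($empty ? ' />' : '>');
}

function canonicalize(string $tag): string
{
    $t = parseStartTag($tag);
    return serializeStartTag($t['name'], $t['attrs'], $t['empty']);
}

// Constructed inputs paired with the canonical form they must produce.
// The two 'say "hi"' variants are indistinguishable after parsing, which is
// the information loss the answer refers to.
$samples = [
    "<columnseq path='test' label='tlabel' />" => '<columnseq path="test" label="tlabel" />',
    "<A HREF='http://www.google.com/'>"        => '<a href="http://www.google.com/">',
    '<a title=unquoted>'                       => '<a title="unquoted">',
    "<a title='say \"hi\"'>"                   => '<a title="say &quot;hi&quot;">',
    "<a title='say &quot;hi&quot;'>"           => '<a title="say &quot;hi&quot;">',
];
foreach ($samples as $in => $expected) {
    $out = canonicalize($in);
    printf("%-42s -> %-42s %s\n", $in, $out, $out === $expected ? 'ok' : 'MISMATCH');
}

// The DOM parser discards the quoting style too: libxml keeps only the
// attribute value and re-emits it with its own quoting rules.
$dom = new DOMDocument();
$dom->loadHTML("<a href='http://www.google.com/'>XSS</a>", LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
echo $dom->saveHTML($dom->documentElement), "\n";
```

Run it with `php canonicalize.php`. Each sample line reports `ok` when the re-serialized tag matches the expected canonical form. The point for the question is that overriding the behaviour would require the token stream to carry the original quoting style for every attribute, which, as the answer states, it does not; and since a double-quoted value with `&quot;` escaping is always well-formed, there is no security reason to want the original quotes back.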