PaleAilment

Reputation: 41

Why does HTML Purifier ignore my runtime created configuration settings?

Hi everyone! Naturally, I am still fighting with HTML Purifier…

So, my /config/purifier.php looks like:

<?php defined('SYSPATH') or die('No direct access allowed.');

return array(
    'settings' => array(
        'HTML.Allowed'      => 'a,b,strong,p,ul,ol,li,img[src],i,u,span',
        'HTML.MaxImgLength' => 250,
        'CSS.MaxImgLength'  => '250px',
    ),
);

and HTML Purifier overloads the Security::xss_clean() method to use its own filter.

I have created two helper functions for data sanitization: clean_whitelist(), which strips anything not allowed by the HTML.Allowed setting in my config file, and clean_all(), which strips all tags and skips the fields passed in as $ignore:

public static function clean_all(array $dirty_data, array $ignore)
{
    // Load the purifier config group and blank the whitelist for this call
    $config   = Kohana::config('purifier');
    $settings = $config['settings'];
    $config->set('settings', array('HTML.Allowed' => ''));

    // Clean every field except the ones listed in $ignore
    foreach ($dirty_data as $key => $value)
    {
        if ( ! in_array($key, $ignore))
        {
            $dirty_data[$key] = Security::xss_clean($value);
        }
    }
    return $dirty_data;
}

public static function clean_whitelist($dirty_data)
{
    // Uses whatever HTML.Allowed the module loaded from config/purifier.php
    return Security::xss_clean($dirty_data);
}

clean_whitelist() works as intended, but clean_all() still allows tags. I'm not entirely sure why, as when I var_dump a new load of Kohana::config('purifier') after I have called $config->set, it displays my HTML.Allowed => ''…

Any ideas on why it continues to use a whitelist as opposed to using the config file I've built at runtime?

Thanks, as always, to anyone contributing!

Upvotes: 0

Views: 331

Answers (1)

Lethargy

Reputation: 1889

The Kohana HTMLPurifier module which you are using is probably caching the instance with the original configuration options.

If you're using this module, check out this method from the source code.

Upvotes: 0
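The caching explanation above, as an added example that is not code from the original post or from the Kohana HTML Purifier module. It puts the failure mode from the question (one purifier instance cached from the first settings it saw, so a later HTML.Allowed => '' is ignored) next to a cache keyed on the settings array, so each distinct configuration gets its own HTMLPurifier instance. Assumptions: the standalone HTML Purifier 4.x library is on the include path (HTMLPurifier.auto.php is the library's own autoloader), directives use the dotted "HTML.Allowed" form, and the Purifier class name, the broken_instance()/instance() helpers and the sample input are made up for this example.

```php
<?php
// Added example (not the Kohana module's code). Assumes HTML Purifier 4.x is on
// the include path; HTMLPurifier.auto.php is the library's own autoloader.
require_once 'HTMLPurifier.auto.php';

class Purifier
{
    // The pattern behind the symptom in the question: one instance, built from
    // whatever settings the first caller passed, reused for every later call.
    private static $cached = NULL;

    public static function broken_instance(array $settings)
    {
        if (self::$cached === NULL)
        {
            self::$cached = self::build($settings);
        }
        return self::$cached;   // later $settings are silently ignored
    }

    // Fixed: one instance per distinct settings array, keyed by its hash.
    private static $instances = array();

    public static function instance(array $settings)
    {
        $key = md5(serialize($settings));
        if ( ! isset(self::$instances[$key]))
        {
            self::$instances[$key] = self::build($settings);
        }
        return self::$instances[$key];
    }

    private static function build(array $settings)
    {
        $config = HTMLPurifier_Config::createDefault();
        foreach ($settings as $directive => $value)
        {
            $config->set($directive, $value);
        }
        return new HTMLPurifier($config);
    }

    // Whitelist clean: keep only what HTML.Allowed in $settings permits.
    public static function clean_whitelist($dirty, array $settings)
    {
        return self::instance($settings)->purify((string) $dirty);
    }

    // Strip every tag except in the fields listed in $ignore. Only HTML.Allowed
    // is overridden; the other directives stay as configured.
    public static function clean_all(array $dirty_data, array $ignore, array $settings)
    {
        $settings['HTML.Allowed'] = '';
        foreach ($dirty_data as $key => $value)
        {
            if ( ! in_array($key, $ignore, TRUE))
            {
                $dirty_data[$key] = self::instance($settings)->purify((string) $value);
            }
        }
        return $dirty_data;
    }
}

// Constructed settings (the same directives as the config file in the question)
// and constructed input containing a script tag and an event-handler attribute.
$settings = array(
    'HTML.Allowed'      => 'a,b,strong,p,ul,ol,li,img[src],i,u,span',
    'HTML.MaxImgLength' => 250,
    'CSS.MaxImgLength'  => '250px',
);
$input = array(
    'title' => '<b>bold</b><script>alert(1)</script>',
    'body'  => '<p>text <img src="x.png" onerror="alert(1)"></p>',
);

// Whitelist: <p> and <img src> survive, <script> and onerror do not.
var_dump(Purifier::clean_whitelist($input['body'], $settings));

// All tags stripped from title; body left untouched because it is in $ignore.
var_dump(Purifier::clean_all($input, array('body'), $settings));

// The cached-singleton version: the second call still uses the whitelist from
// the first call, so <b> is kept. This is the behaviour reported in the question.
Purifier::broken_instance($settings);
$strip_all = array('HTML.Allowed' => '') + $settings;   // '+' keeps the left-hand key
var_dump(Purifier::broken_instance($strip_all)->purify($input['title']));
```

The point to carry back to the Kohana module: editing the Kohana config object after the module has already built its HTMLPurifier does nothing to that instance, which is why the var_dump in the question shows the new value while the output still reflects the old whitelist. Whatever replaces Security::xss_clean() has to either rebuild the purifier when the settings change or, as above, key its cache on the settings it was given. The number of cached instances is bounded by the number of distinct settings arrays the application uses, so for the two cases here (the configured whitelist and the empty one) it stays at two.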

Related Questions