Can someone point me to what it will take to allow an anchor tag like this to pass through htmlpurifier, untouched? :
<a href="callto:+1-800-555-1212" class="callUsBtn" style="">...</a>
With my config. settings, the callto:...
value is not recognized as allowed, and so the whole href
attribute is getting stripped. I guess I need to override the type (<-- or what to call that?) of the href
value, from URI
to CDATA
(?), but do not know how. I hope there is a quicker/easier way than the directions found here: http://htmlpurifier.org/docs/enduser-customize.html (if even that would lead to a solution?).
Thanks to Edward's answer, I got it working.
Try this:
In your equivalent of here:
/htmlpurifier-4_4_0/library/HTMLPurifier/URIScheme/
add a file named: callto.php
...with these contents:
<?php
// replicated this class/file from '../htmlpurifier-4_4_0/library/HTMLPurifier/URIScheme/mailto.php'
// VERY RELAXED! Shouldn't cause problems, ... but be careful!
/**
* Validates 'callto:' phone number in URI to included only alphanumeric, hyphens, underscore, and optional leading "+"
*/
class HTMLPurifier_URIScheme_callto extends HTMLPurifier_URIScheme {
public $browsable = false;
public $may_omit_host = true;
public function doValidate(&$uri, $config, $context) {
$uri->userinfo = null;
$uri->host = null;
$uri->port = null;
/* notes:
where is the actual phone # parked? Answer in $uri->path. See here:
echo '<pre style="color:pink;">';
var_dump($uri);
echo '</pre>';
object(HTMLPurifier_URI)#490 (7) {
["scheme"]=>
string(6) "callto"
["userinfo"]=>
NULL
["host"]=>
NULL
["port"]=>
NULL
["path"]=>
string(15) "+1-800-555-1212"
["query"]=>
NULL
["fragment"]=>
NULL
}
*/
// are the characters in the submitted <a> href's (URI) value (callto:) from amongst a legal/allowed set?
// my legal phone # chars: alphanumeric, underscore, hyphen, optional "+" for the first character. That's it. But you can allow whatever you want. Just change this:
$validCalltoPhoneNumberPattern = '/^\+?[a-zA-Z0-9_-]+$/i'; // <---whatever pattern you want to force phone numbers to match
$proposedPhoneNumber = $uri->path;
if (preg_match($validCalltoPhoneNumberPattern, $proposedPhoneNumber) !== 1) {
// submitted phone # inside the href attribute value looks bad; reject the phone number, and let HTMLpurifier remove the whole href attribute on the submitted <a> tag.
return FALSE;
} else {
// submitted phone # inside the href attribute value looks OK; accept the phone number; HTMLpurifier should NOT strip the href attribute on the submitted <a> tag.
return TRUE;
}
}
}
...and don't forget to update your HTMLpurifier config., from the default, to include something like this:
$config->set('URI.AllowedSchemes', array ('http' => true, 'https' => true, 'mailto' => true, 'ftp' => true, 'nntp' => true, 'news' => true, 'callto' => true,));