htmlpurifier

how to configure HTML purifier to allow "callto:123" in an anchor href value?

Can someone point me to what it will take to allow an anchor tag like this to pass through htmlpurifier, untouched? :

<a href="callto:+1-800-555-1212" class="callUsBtn" style="">...</a>

With my config. settings, the callto:... value is not recognized as allowed, and so the whole href attribute is getting stripped. I guess I need to override the type (<-- or what to call that?) of the href value, from URI to CDATA (?), but do not know how. I hope there is a quicker/easier way than the directions found here: http://htmlpurifier.org/docs/enduser-customize.html (if even that would lead to a solution?).

Solution

  • Thanks to Edward's answer, I got it working.

    Try this:

    In your equivalent of here:
    /htmlpurifier-4_4_0/library/HTMLPurifier/URIScheme/

    add a file named: callto.php
    ...with these contents:

    <?php

// replicated this class/file from '../htmlpurifier-4_4_0/library/HTMLPurifier/URIScheme/mailto.php'

// VERY RELAXED! Shouldn't cause problems, ... but be careful!

/**
 * Validates 'callto:' phone number in URI to included only alphanumeric, hyphens, underscore, and optional leading "+"
 */

class HTMLPurifier_URIScheme_callto extends HTMLPurifier_URIScheme {

    public $browsable = false;
    public $may_omit_host = true;

    public function doValidate(&$uri, $config, $context) {
        $uri->userinfo = null;
        $uri->host     = null;
        $uri->port     = null;

        /* notes:
            where is the actual phone # parked?  Answer in $uri->path.  See here:

            echo '<pre style="color:pink;">';
            var_dump($uri);
            echo '</pre>';

            object(HTMLPurifier_URI)#490 (7) {
              ["scheme"]=>
              string(6) "callto"
              ["userinfo"]=>
              NULL
              ["host"]=>
              NULL
              ["port"]=>
              NULL
              ["path"]=>
              string(15) "+1-800-555-1212"
              ["query"]=>
              NULL
              ["fragment"]=>
              NULL
            }
        */

        // are the characters in the submitted <a> href's (URI) value (callto:)  from amongst a legal/allowed set?
            // my legal phone # chars:  alphanumeric, underscore, hyphen, optional "+" for the first character.  That's it.  But you can allow whatever you want.  Just change this:
            $validCalltoPhoneNumberPattern = '/^\+?[a-zA-Z0-9_-]+$/i'; // <---whatever pattern you want to force phone numbers to match
            $proposedPhoneNumber = $uri->path;
            if (preg_match($validCalltoPhoneNumberPattern, $proposedPhoneNumber) !== 1) {
                // submitted phone # inside the href attribute value looks bad; reject the phone number, and let HTMLpurifier remove the whole href attribute on the submitted <a> tag.
                return FALSE;
            } else {
                // submitted phone # inside the href attribute value looks OK; accept the phone number; HTMLpurifier should NOT strip the href attribute on the submitted <a> tag.
                return TRUE;
            }
    }

}

    ...and don't forget to update your HTMLpurifier config., from the default, to include something like this:

    $config->set('URI.AllowedSchemes', array ('http' => true, 'https' => true, 'mailto' => true, 'ftp' => true, 'nntp' => true, 'news' => true, 'callto' => true,));