laravel-4 htmlpurifier

Laravel Package Purifier does not work with iframe


It seems that even after adding the config params to enable YouTube and Vimeo iframes, I still get an exception error: "Element 'iframe' is not supported[..]"

return array(
    'encoding' => 'UTF-8',
    'finalize' => true,
    'preload'  => false,
    'settings' => array(
        'default' => array(
            'HTML.Doctype'             => 'XHTML 1.0 Strict',
            'HTML.Allowed'             => 'blockquote,div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
            'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
            "HTML.SafeIframe"          => 'true',
            "URI.SafeIframeRegexp"     => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/|api.soundcloud.com/tracks/)%",
            'AutoFormat.AutoParagraph' => true,
            'AutoFormat.RemoveEmpty'   => true,
        ),
    ),
);

Solution

  • Your issue is that you are using Doctype XHTML 1.0 Strict. In the documentation of HTML.SafeIframe it is stated that:

    Whether or not to permit iframe tags in untrusted documents. This directive must be accompanied by a whitelist of permitted iframes, such as %URI.SafeIframeRegexp, otherwise it will fatally error. This directive has no effect on strict doctypes, as iframes are not valid.

    So you should use Transitional instead. The following configuration will work correctly:

    return array(
        'encoding' => 'UTF-8',
        'finalize' => true,
        'preload'  => false,
        'settings' => array(
            'default' => array(
                // iframe is not valid in Strict doctypes, so HTML.SafeIframe only takes effect with Transitional
                'HTML.Doctype'             => 'XHTML 1.0 Transitional',
                'HTML.Allowed'             => 'iframe[src|width|height|class|frameborder],blockquote,div,b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
                'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
                'HTML.SafeIframe'          => true,
                // Dots are escaped so each host matches literally; an unescaped "." matches any character
                'URI.SafeIframeRegexp'     => '%^(http://|https://|//)(www\.youtube\.com/embed/|player\.vimeo\.com/video/|api\.soundcloud\.com/tracks/)%',
                'AutoFormat.AutoParagraph' => true,
                'AutoFormat.RemoveEmpty'   => true,
            ),
        ),
    );
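
As an added example (not part of the original question or answer), this standalone PHP script checks the URI.SafeIframeRegexp value from the question against constructed iframe src values, next to a variant with the dots escaped. The function name, the sample URLs and the escaped variant are assumptions of this example, and it calls preg_match directly on the src string rather than going through HTML Purifier.

```php
<?php
// Added example, not code from the original post. All URLs below are constructed.

// Pattern exactly as posted in the question: an unescaped "." matches any single character.
$posted = '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/|api.soundcloud.com/tracks/)%';
// Same alternatives with the dots escaped, so only the literal host names match.
$escaped = '%^(http://|https://|//)(www\.youtube\.com/embed/|player\.vimeo\.com/video/|api\.soundcloud\.com/tracks/)%';

// iframe src value => whether the embed policy is meant to admit it
$cases = array(
    'https://www.youtube.com/embed/VIDEO_ID'                  => true,
    '//player.vimeo.com/video/12345'                          => true,
    'https://api.soundcloud.com/tracks/12345'                 => true,
    'https://www.youtube.com/watch?v=VIDEO_ID'                => false, // not an embed path
    'https://www.youtube.com.example.net/embed/x'             => false, // allowed host used as a subdomain label
    'https://example.net/?u=https://www.youtube.com/embed/x'  => false, // allowed URL only in the query string
    'https://wwwXyoutube.com/embed/x'                         => false, // lookalike host, differs where a dot is expected
    'https://player-vimeo.com/video/1'                        => false, // lookalike host, differs where a dot is expected
);

/**
 * Return the src values whose match result differs from the intended policy.
 * (Hypothetical helper name, introduced for this example.)
 */
function audit_iframe_regexp($pattern, array $cases)
{
    $wrong = array();
    foreach ($cases as $src => $expected) {
        $result = preg_match($pattern, $src);
        if ($result === false) {
            throw new InvalidArgumentException('Invalid pattern: ' . $pattern);
        }
        if (($result === 1) !== $expected) {
            $wrong[] = $src;
        }
    }
    return $wrong;
}

foreach (array('posted' => $posted, 'escaped' => $escaped) as $label => $pattern) {
    $wrong = audit_iframe_regexp($pattern, $cases);
    echo $label, ': ', count($wrong), ' decision(s) against policy', PHP_EOL;
    foreach ($wrong as $src) {
        echo '  ', $src, PHP_EOL;
    }
}
```

Adding a case to $cases for every provider you allow keeps the allowlist regression-tested whenever the pattern is edited.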