I am using the configuration below to clean user input in my Yii project, using its built-in support for HtmlPurifier:
array(
    'URI.AllowedSchemes' => array(
        'http' => true,
        'https' => true,
    ),
    "HTML.SafeEmbed" => true,
    'HTML.TargetBlank' => true,
    "HTML.SafeIframe" => true,
    "Filter.YouTube" => true,
    'URI.SafeIframeRegexp' => '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'
),
Example:
<iframe width="560" height="315" src="https://www.youtube.com/embed/Xe2nlti47kA" frameborder="0" allowfullscreen></iframe>
The above URL, when saved after purifying, gets converted to the iframe code below:
<iframe width="560" height="315" src="https://www.youtube.com/embed/Xe2nlti47kA" frameborder="0"></iframe>
How can we allow the allowfullscreen attribute as safe? Will any change in the regex solve this, or do we need to apply a custom solution?
There is already a useful link that solves this. We need to implement a custom class to allow the "allowfullscreen" attribute. This will add the attribute to the purified iframe code.
Reference: http://sachachua.com/blog/2011/08/drupal-html-purifier-embedding-iframes-youtube/ (answered by Sonny, "HTMLPurifier iframe Vimeo and Youtube video")
Steps
1) Include the class from the above URL.
2) Set Filter.Custom exactly the way shown in the above URL.
Setting HTML Purifier options can differ between frameworks.
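
One way to write such a custom filter class, as an added example (not the class from the linked post and not HTML Purifier's own code): a post-filter that re-adds allowfullscreen only to iframes that survived purification and whose src still matches URI.SafeIframeRegexp. The class name HTMLPurifier_Filter_IframeFullscreen is hypothetical, and HTML Purifier is assumed to be autoloaded already.

```php
<?php
// Added example: assumes HTML Purifier is already autoloaded (Yii or Composer).
// The class name is hypothetical; it is not the class from the linked post.
class HTMLPurifier_Filter_IframeFullscreen extends HTMLPurifier_Filter
{
    public $name = 'IframeFullscreen';
    private $srcRegexp;

    // postFilter sees already-purified HTML, so any <iframe> still present
    // has passed HTML.SafeIframe and URI.SafeIframeRegexp.
    public function postFilter($html, $config, $context)
    {
        $this->srcRegexp = $config->get('URI.SafeIframeRegexp');
        if (!$this->srcRegexp) {
            return $html; // no iframe whitelist configured: change nothing
        }
        return preg_replace_callback('#<iframe\b([^>]*)>#i',
            array($this, 'addFullscreen'), $html);
    }

    public function addFullscreen($m)
    {
        // Defense in depth: re-check src against the same whitelist.
        if (!preg_match('#\ssrc="([^"]*)"#i', $m[1], $src)) {
            return $m[0];
        }
        $url = html_entity_decode($src[1], ENT_QUOTES, 'UTF-8');
        if (!preg_match($this->srcRegexp, $url)) {
            return $m[0];
        }
        if (preg_match('#\sallowfullscreen(\s|=|$)#i', $m[1])) {
            return $m[0]; // already present
        }
        // Only a fixed string is appended; no user input is copied in.
        return '<iframe' . $m[1] . ' allowfullscreen>';
    }
}

// Wiring with plain HTML Purifier; in Yii pass the same keys as options.
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp',
    '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%');
$config->set('Filter.Custom', array(new HTMLPurifier_Filter_IframeFullscreen()));
$purifier = new HTMLPurifier($config);
echo $purifier->purify('<iframe width="560" height="315" '
    . 'src="https://www.youtube.com/embed/Xe2nlti47kA" allowfullscreen></iframe>');
```

Because the filter runs after purification and reads the whitelist from the same config key, an iframe pointing at any other host is already gone before the attribute is added.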