php htmlpurifier

HTMLPurifier Removing Allowfullscreen From YouTube Videos


For some reason HTMLPurifier seems to be removing the allowfullscreen element from iframes and I'm not sure why. I've done some research and can't seem to find an answer that isn't several years old. Below is how I initiate my purifier.

    require 'htmlpurify/library/HTMLPurifier.auto.php';
    $config = HTMLPurifier_Config::createDefault();

    $config->set('HTML.TargetBlank', 'true');
    $config->set('HTML.SafeIframe', true);
    $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%');
    $config->set('HTML.DefinitionID', 'usertag');
    $config->set('HTML.DefinitionRev', 1);
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        $def->addElement('user', 'Block', 'Flow', 'Common', array('name' => 'ID'));
    }

    $purifier = new HTMLPurifier($config);

I'm purifying this <iframe title="YouTube Player" src="https://www.youtube.com/embed/J---aiyznGQ" width="560" height="315" frameborder="0" allowfullscreen></iframe> but it just removes the allowfullscreen element.

Is my regex wrong? Is there something I have added I shouldn't, or something I am missing?


Solution

  • "allowfullscreen" is not an attribute HTML Purifier inherently recognises for IFrames, which means that if you want to support it, you will need to customise your HTML Purifier module. Something like this should do it (this code was not tested, but should set you on the right path):

    $config = HTMLPurifier_Config::createDefault();
    // ...
    $config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
    $config->set('HTML.DefinitionRev', 1);
    $config->set('Cache.DefinitionImpl', null); // remove this later!
    $def = $config->getHTMLDefinition(true);
    $def->addAttribute('iframe', 'allowfullscreen', 'Bool');
    

    See if that helps you any? Some additional considerations were posted in this answer from 2016 here on Stack Overflow, if you notice yourself getting stuck (but beware that if you use the HTML.AllowedElements and HTML.AllowedAttributes configurations, those are complete whitelists - if you use those directives to whitelist only iframe, any other HTML tags will be stripped).
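An added example (not code from the question or the answer) that folds the attribute into the asker's existing `usertag` definition and then checks that the `URI.SafeIframeRegexp` allowlist still decides which `src` values survive. Assumptions: the library path from the question, the `Bool#allowfullscreen` type string (the `Bool#name` form HTML Purifier's own modules use for boolean attributes), the hypothetical helper `buildPurifier()`, and the constructed sample inputs.

```php
<?php
require 'htmlpurify/library/HTMLPurifier.auto.php'; // path as given in the question

// Hypothetical helper: the asker's configuration plus the allowfullscreen attribute.
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.TargetBlank', true);
    $config->set('HTML.SafeIframe', true);
    // Only iframes whose src matches this pattern keep their src.
    $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%');
    $config->set('HTML.DefinitionID', 'usertag');
    // Bumped from 1: a cached definition is reused until the revision changes,
    // and maybeGetRawHTMLDefinition() returns null while the cache is valid.
    $config->set('HTML.DefinitionRev', 2);
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        $def->addElement('user', 'Block', 'Flow', 'Common', array('name' => 'ID'));
        // Register the boolean attribute on the iframe element only.
        $def->addAttribute('iframe', 'allowfullscreen', 'Bool#allowfullscreen');
    }
    return new HTMLPurifier($config);
}

// Constructed sample inputs: one embed the regexp allows, one it does not.
$samples = array(
    'allowed host' => '<iframe title="YouTube Player" src="https://www.youtube.com/embed/J---aiyznGQ" width="560" height="315" frameborder="0" allowfullscreen></iframe>',
    'other host'   => '<iframe src="https://untrusted.example/embed/x" allowfullscreen></iframe>',
);

$purifier = buildPurifier();
foreach ($samples as $label => $html) {
    $clean = $purifier->purify($html);
    // Report what survived so a change in the allowlist or definition is visible.
    printf(
        "%s\n  output: %s\n  allowfullscreen kept: %s\n  src kept: %s\n",
        $label,
        $clean,
        strpos($clean, 'allowfullscreen') !== false ? 'yes' : 'no',
        strpos($clean, 'src=') !== false ? 'yes' : 'no'
    );
}
```

Adding the attribute does not widen which hosts can be embedded; that remains controlled by `URI.SafeIframeRegexp`, so keep the pattern anchored to the specific embed paths you trust.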