This plugin enables a whitelist of HTML elements to be used. By default, no HTML elements and no attributes are allowed. For each HTML element, a whitelist of attributes can be set. Unsafe elements such as <script> and unsafe attributes such as onclick must be set using a different method that safe elements and attributes.

Examples

Allowing some safe HTML

$configurator = new s9e\TextFormatter\Configurator;
$configurator->HTMLElements->allowElement('b');
$configurator->HTMLElements->allowAttribute('b', 'class');
$configurator->HTMLElements->allowElement('i');

// Get an instance of the parser and the renderer
extract($configurator->finalize());

$text = '<b>Bold</b> and <i>italic</i> are allowed, but only <b class="important">bold</b> can use the "class" attribute, not <i class="important">italic</i>.';
$xml  = $parser->parse($text);
$html = $renderer->render($xml);

echo $html;
<b>Bold</b> and <i>italic</i> are allowed, but only <b class="important">bold</b> can use the "class" attribute, not <i>italic</i>.

Allowing unsafe HTML

The following will not work.

try
{
    $configurator = new s9e\TextFormatter\Configurator;
    $configurator->HTMLElements->allowElement('script');
}
catch (Exception $e)
{
    echo $e->getMessage(), "\n";
}

try
{
    $configurator = new s9e\TextFormatter\Configurator;
    $configurator->HTMLElements->allowElement('img');
    $configurator->HTMLElements->allowAttribute('img', 'onerror');
}
catch (Exception $e)
{
    echo $e->getMessage();
}
'script' elements are unsafe and are disabled by default. Please use s9e\TextFormatter\Plugins\HTMLElements\Configurator::allowUnsafeElement() to bypass this security measure
'onerror' attributes are unsafe and are disabled by default. Please use s9e\TextFormatter\Plugins\HTMLElements\Configurator::allowUnsafeAttribute() to bypass this security measure

Unsafe HTML can still be allowed using allowUnsafeElement() and allowUnsafeAttribute().

$configurator = new s9e\TextFormatter\Configurator;
$configurator->HTMLElements->allowUnsafeElement('script');
$configurator->HTMLElements->allowElement('b');
$configurator->HTMLElements->allowUnsafeAttribute('b', 'onmouseover');

// Get an instance of the parser and the renderer
extract($configurator->finalize());

$text = '<script>alert(1)</script><b onmouseover="alert(1)">Hover me</b>.';
$xml  = $parser->parse($text);
$html = $renderer->render($xml);

echo $html;
<script>alert(1)</script><b onmouseover="alert(1)">Hover me</b>.