
YouTube not working (iframe)

Open opheliadesign opened this issue 8 years ago • 6 comments

Hello,

I have been trying to get YouTube to work (iframe) with both this package and ezyang/htmlpurifier directly, but I cannot seem to make either work. The iframe is always removed. I desperately need to be able to show videos and cannot figure out for the life of me why the solutions (including those in the default config) are not working.

My Purifier config:

```php
<?php
/**
 * Ok, glad you are here
 * first we get a config instance, and set the settings
 * $config = HTMLPurifier_Config::createDefault();
 * $config->set('Core.Encoding', $this->config->get('purifier.encoding'));
 * $config->set('Cache.SerializerPath', $this->config->get('purifier.cachePath'));
 * if ( ! $this->config->get('purifier.finalize')) {
 *     $config->autoFinalize = false;
 * }
 * $config->loadArray($this->getConfig());
 *
 * You must NOT delete the default settings
 * anything in settings should be compacted with params that needed to instance HTMLPurifier_Config.
 *
 * @link http://htmlpurifier.org/live/configdoc/plain.html
 */

return [
    'encoding'      => 'UTF-8',
    'finalize'      => true,
    'cachePath'     => storage_path('app/purifier'),
    'cacheFileMode' => 0755,
    'settings'      => [
        'default' => [
            'HTML.Doctype'             => 'XHTML 1.0 Strict',
            'HTML.Allowed'             => 'p,span[style|class],a[href|title],abbr[title],acronym[title],b,strong,blockquote[cite],code,em,i,img[alt|title|class|src|height|width],h1,h2,h3,h3,ol,ul,li,table[class|style|summary|title],tr,td[abbr],hr',
            'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
            'AutoFormat.AutoParagraph' => true,
            'AutoFormat.RemoveEmpty'   => true,
        ],
        'test'    => [
            'Attr.EnableID' => true
        ],
        "youtube" => [
            "HTML.SafeIframe"      => 'true',
            "URI.SafeIframeRegexp" => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
        ],
    ],

];
```

Here is my attempt with the original package:

```php
// HTMLPurifier
$config = \HTMLPurifier_Config::createDefault();

$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
$config->set('AutoFormat.RemoveEmpty.Predicate', [
    'colgroup' => [],
    'th'       => [],
    'td'       => [],
    'o:p'      => []
]);
$config->set('AutoFormat.RemoveEmpty', true);
$config->set('AutoFormat.RemoveEmpty.RemoveNbsp', true);
$config->set('HTML.Allowed', 'p,span[style|class],a[href|title],abbr[title],acronym[title],b,strong,blockquote[cite],code,em,i,iframe[src|width|height],img[alt|title|class|src|height|width],h1,h2,h3,h3,ol,ul,li,table[class|style],tr,td,hr');
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^(\/\/www\.youtube(?:-nocookie)?\.com\/embed\/|\/\/player\.vimeo\.com\/)%');

$def = $config->getHTMLDefinition(true);
$def->addAttribute('iframe', 'allowfullscreen', 'Bool');

$purifier = new \HTMLPurifier($config);

return $purifier->purify($string);
```

opheliadesign, Aug 10 '16 20:08

Hello opheliadesign, I had the same problem, and I solved it by passing in 'youtube' as a second parameter in the clean() function in my controller: `$post->body = Purifier::clean($request->body, 'youtube');` My application is written in the Laravel framework, I hope this will help...

vladasarac, Oct 13 '16 22:10

Hi,

What doctype have you set?

As mentioned in the docs: Whether or not to permit iframe tags in untrusted documents. This directive must be accompanied by a whitelist of permitted iframes, such as %URI.SafeIframeRegexp, otherwise it will fatally error. **This directive has no effect on strict doctypes, as iframes are not valid.**

grund3g, Dec 14 '16 10:12

Just for anyone stumbling into this as I did: once you add the 'youtube' per vladasarac's post, this package's YouTube-related config item will work as per the docs mentioned by grund3g.

ITwrx, Apr 27 '18 15:04

@vladasarac's solution works as of 01/2021 on Laravel 7 using Purifier version 3.2

Tiththa, Jan 16 '21 20:01

Just add 'youtube' at last as config, it worked for me in Laravel 10: `clean($request->body, 'youtube');`

RakibSiddiquee, Aug 07 '23 12:08

Passing in 'youtube' as a second parameter won't have any effect without including a whitelist in the config. It will "work" because it doesn't do anything. You need to add iframe and parameters into the configuration, as well as the safeIframe settings.

```php
'my-custom-purifier' => [
    // iframes are only available on a non-strict doctype
    'HTML.Doctype'             => 'HTML 4.01 Transitional',
    // iframe and its attributes must be listed explicitly
    'HTML.Allowed'             => 'iframe[allowfullscreen|height|width|src],div,b,strong,i,em,u,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
    'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
    'AutoFormat.AutoParagraph' => false,
    'AutoFormat.RemoveEmpty'   => true,
    'HTML.SafeIframe'          => 'true',
    // Dots are escaped so "." matches only a literal dot in the host name
    'URI.SafeIframeRegexp'     => '%^(http://|https://|//)(www\.youtube\.com/embed/|player\.vimeo\.com/video/)%',
],
```

kylelamoreaux, Feb 14 '24 12:02
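
Added example (not from any commenter or from the Purifier package): a self-contained PHP check of two `URI.SafeIframeRegexp` values posted in the first comment against constructed `src` URLs, assuming the pattern is applied with `preg_match()` to the iframe's `src`. The `escaped dots` pattern, the function names and the sample URLs are constructed for illustration.

```php
<?php
// Assumption: URI.SafeIframeRegexp is matched with preg_match() against the src URL.

$patterns = [
    // From the package config in the first post (dots are unescaped).
    'config in first post' => '%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%',
    // From the direct HTMLPurifier attempt in the first post.
    'direct attempt'       => '%^(\/\/www\.youtube(?:-nocookie)?\.com\/embed\/|\/\/player\.vimeo\.com\/)%',
    // Constructed here: same hosts, dots escaped, scheme optional.
    'escaped dots'         => '%^(https?:)?//(www\.youtube(-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%',
];

// Constructed sample src values (VIDEO_ID is a placeholder).
$samples = [
    'https://www.youtube.com/embed/VIDEO_ID',
    '//www.youtube.com/embed/VIDEO_ID',
    'https://wwwXyoutube.com/embed/VIDEO_ID',   // look-alike host, must be rejected
    'https://www.youtube.com/watch?v=VIDEO_ID', // not an embed URL
];

// True when the allowlist pattern accepts the iframe src.
function iframeSrcAllowed(string $pattern, string $src): bool
{
    return preg_match($pattern, $src) === 1;
}

// Evaluate every pattern against every sample: [pattern name][src] => bool.
function allowedMatrix(array $patterns, array $samples): array
{
    $out = [];
    foreach ($patterns as $name => $pattern) {
        foreach ($samples as $src) {
            $out[$name][$src] = iframeSrcAllowed($pattern, $src);
        }
    }
    return $out;
}

foreach (allowedMatrix($patterns, $samples) as $name => $row) {
    echo $name, PHP_EOL;
    foreach ($row as $src => $ok) {
        printf("  %-6s %s\n", $ok ? 'allow' : 'strip', $src);
    }
}
```

The unescaped-dot pattern accepts the look-alike host because `.` matches any character, and the direct-attempt pattern accepts only protocol-relative `//` URLs, so an `https://` embed URL is stripped.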