I'm sorry for asking this here: HTMLPurifier isn't purifying submitted data, but it purifies a test echo.
4 20 Aug 2015 01:50 by u/Codewow
I've been googling this for weeks now and I have not figured out why it's not working. I've already tried asking some ProgrammingHelp subs and no one has ever replied... So here I am before I go to Reddit and dreadit.
$config = HTMLPurifier_Config::createDefault();
$config->set('CSS.AllowedProperties', array());
$config->set('CSS.ForbiddenProperties', array('height,width'));
$config->set('HTML.Allowed', 'u,p,b,i,span[style],p,strong,em,li,ul,ol,div[align],br,a[href],hr');
$config->set('HTML.AllowedAttributes', 'a.href,src,alt');
$config->set('HTML.ForbiddenAttributes', array('style'));
$purifier = new HTMLPurifier($config);
Based on this config set, it should work.
I echo out this on the same page without running it through $_POST:
echo $purifier->purify('<img src="" width="20" height="20" />');
And it works just fine.
But once I submit it through $_POST to the database it doesn't do anything to it. Or well, it didn't do anything to begin with.
Why could this be?
Here's a pastebin... please pick it apart and let me know if you find anything...
7 comments
0 u/WillyWillyBumBum 20 Aug 2015 03:30
What do you mean "submit it through
$_POST"? I don't think it supports$purifier->purify($_POST)if that's what you're doing. In any case, you'll have better luck on stack overflow.0 u/Codewow [OP] 20 Aug 2015 03:34
So I ran the data through the purifier, then submit it to the database through this:
I left out the other sections of the code for space and cleanliness. I'll attempt stackoverflow next. They usually direct me to an answer the doesn't work and close my question, so I have better luck on places like this.
0 u/tame 20 Aug 2015 05:18
So to be clear, your full code snippet looks like this?
For starters, I'd suggest using prepared statements and bind_param() instead of inserting escaped text directly into the SQL text. Yes, it'll work but IIRC, prepared statements are more efficient.
Next, I'd suggest changing your code to print $_POST['Story'] directly onto the page, and (if you want to stay with your string-interpolation approach to the SQL statement) print out the SQL as well. That should let you know whether it's a problem with inserting into the database (maybe your DB user doesn't have write access?) or with the $_POST variable.
Lastly I don't know if there's any real reason not to do it, but writing back to $_POST feels icky. I'd suggest using a different variable to hold the scrubbed HTML.
0 u/Codewow [OP] 20 Aug 2015 05:25
Nah that's not how it looks. For the full page here's a pastebin: http://pastebin.com/Vqcn7QbF
What it's posting to database:
Which shouldn't be the case. I removed the style attributes so they shouldn't be allowed and should automatically be removed. But they aren't... Which leads me to believe HTMLPurifier isn't actually purifying the data. And every time I try to echo to the same page it is completely broken and returns:
Completely different from what it submits to the database.
1 u/tame 20 Aug 2015 05:33
Ah ok, gotchya. Thanks for the full text, that makes it easier. :)
The problem is that you're purifying $Story into $clean_html, but then when you escape it, you're escaping the original $_POST['Story'] rather than escaping your purified $clean_html. So instead of this at line 86:
you want this:
Edit: Whoops, I got it swapped around too. Fixed now.
0 u/Codewow [OP] 20 Aug 2015 10:27
When I get home to fix this and this works I am going to cry... Such a stupid mistake that I couldn't notice...
Also I forgot to thank you. So thank you so much for pointing out my stupid mistake!
1 u/tame 20 Aug 2015 14:21
Glad to help! :) It's the simplest mistakes that are always the hardest to spot.