Put video on first page ojs3

ctgraham · April 20, 2017, 12:53pm

Hmmm… yes, HTMLPurifier’s defaults will still prevent ids and script tags even if the allowed_html is modified.

This will require a code modification to the PKPString::stripUnsafeHtml() function in lib/pkp/classes/core/PKPString.inc.php:

github.com

pkp/pkp-lib/blob/ojs-stable-3_0_2/classes/core/PKPString.inc.php#L471-L490


	/**
	 * Strip unsafe HTML from the input text. Covers XSS attacks like scripts,
	 * onclick(...) attributes, javascript: urls, and special characters.
	 * @param $input string input string
	 * @return string
	 */
	static function stripUnsafeHtml($input) {
		require_once('lib/pkp/lib/vendor/ezyang/htmlpurifier/library/HTMLPurifier.path.php');
		require_once('HTMLPurifier.includes.php');
		static $purifier;
		if (!isset($purifier)) {
			$config = HTMLPurifier_Config::createDefault();
			$config->set('Core.Encoding', Config::getVar('i18n', 'client_charset'));
			$config->set('HTML.Doctype', 'HTML 4.01 Transitional');
			$config->set('HTML.Allowed', Config::getVar('security', 'allowed_html'));
			$config->set('Cache.SerializerPath', 'cache');
			$purifier = new HTMLPurifier($config);
		}
		return $purifier->purify($input);
	}

The configuration options are documented here:
http://htmlpurifier.org/live/configdoc/plain.html

You’re probably interested in “EnableID” and “SafeScripting”.