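/**
 * Validate HTML.
 *
 * Runs the markup through HTMLPurifier with an allow list assembled from the
 * class defaults (SCRUB_BASIC_HTML, SCRUB_ADVANCED_HTML, SCRUB_BASIC_CSS) and
 * the caller's additions.
 *
 * @param string $html
 *   The source HTML.
 * @param string $allowed_tags
 *   Extra HTML tags in HTMLPurifier's "HTML.Allowed" syntax. A leading "."
 *   means "append to the basic set" (e.g. ".table,img"). For untrusted input a
 *   value without the leading "." is ignored, so a caller cannot widen the
 *   allow list by accident; trusted input always gets basic + advanced.
 * @param string $allowed_css
 *   Extra CSS properties in HTMLPurifier's "CSS.AllowedProperties" syntax. A
 *   leading "." appends to the basic set, a value without it replaces the
 *   basic set, and an empty value means the basic set.
 * @param boolean $trusted
 *   Whether this is from a trusted source like an admin user. Turns on
 *   HTMLPurifier's HTML.Trusted / CSS.Trusted modes and id attributes, which
 *   admit a considerably wider set of markup, so it must not be set for
 *   end-user input.
 * @param boolean $full_page
 *   Whether to allow all HTML.
 *   TODO: This currently skips all validation and returns the input unchanged;
 *   the caller is then solely responsible for the markup being safe.
 *
 * @return string
 *   The sanitized HTML.
 */
public static function html($html, $allowed_tags = '', $allowed_css = '', $trusted = false, $full_page = false) {
  // TODO: full-page mode bypasses the purifier entirely, so nothing else
  // below applies; bail out before building a config nobody will use.
  if ($full_page) {
    return $html;
  }

  // The allow-list parameters are documented as strings; normalise so the
  // offset checks below never run on null.
  $allowed_tags = (string) $allowed_tags;
  $allowed_css = (string) $allowed_css;

  $config = HTMLPurifierConfig::createDefault();
  if ($trusted) {
    $config->set('CSS.Trusted', true);
    $config->set('HTML.Trusted', true);
    $config->set('Attr.EnableID', true);
    $allowed_tags = self::SCRUB_BASIC_HTML . ',' . self::SCRUB_ADVANCED_HTML;
  } else {
    $config->set('CSS.Trusted', false);
    $config->set('HTML.Trusted', false);
    $config->set('Attr.EnableID', false);
    // Only a ".prefixed" list may extend the basic tags (the old check
    // compared the whole string against "." and so never honoured any
    // addition). Anything else falls back to the basic set, so untrusted
    // input never gets a wider allow list than basic.
    if (substr($allowed_tags, 0, 1) === '.') {
      $extra_tags = substr($allowed_tags, 1);
      // Avoid a dangling "," when the caller passed a bare ".".
      $allowed_tags = $extra_tags === '' ? self::SCRUB_BASIC_HTML : self::SCRUB_BASIC_HTML . ',' . $extra_tags;
    } else {
      $allowed_tags = self::SCRUB_BASIC_HTML;
    }
  }

  if ($allowed_css === '') {
    $allowed_css = self::SCRUB_BASIC_CSS;
  } elseif ($allowed_css[0] === '.') {
    $extra_css = substr($allowed_css, 1);
    // Same dangling-"," guard as for the tags.
    $allowed_css = $extra_css === '' ? self::SCRUB_BASIC_CSS : self::SCRUB_BASIC_CSS . ',' . $extra_css;
  }
  // Otherwise the caller's list replaces the basic CSS set (existing
  // behaviour, kept as-is).

  $config->set('HTML.Allowed', $allowed_tags);
  $config->set('CSS.AllowedProperties', $allowed_css);
  // Non-ASCII characters are emitted as entities so the output is safe to
  // embed regardless of the page's declared charset.
  $config->set('Core.EscapeNonASCIICharacters', true);

  return HTMLPurifierWrapper::getInstance()->purify($html, $config);
}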