/**
 * Returns XHTML snippets filtered to remove XSS vectors using HTMLPurifier.
 *
 * This is expensive - best used before saving content as opposed to on display of content.
 *
 * Only string input is filtered. Any other type (boolean, int, NULL, array, ...) is returned
 * untouched, so callers must not rely on this function as a general-purpose sanitizer for
 * non-string values.
 *
 * Strings also pass through unfiltered (no tidy, no purification) when:
 *
 * - $raw_html is empty ('' or '0')
 * - is_numeric($raw_html) is true
 *
 * @param string $raw_html
 * @param string $config key of the HTMLPurifier config as set up in config/htmlpurifier/setup.php
 * @param boolean $tidy default true - run the HTML through tidy before handing it to HTMLPurifier
 * @return string XSS-filtered XHTML (the original value when no filtering was applied)
 */
function reason_sanitize_html($raw_html, $config = 'default', $tidy = true)
{
    // Non-strings are never filtered.
    if (!is_string($raw_html)) {
        return $raw_html;
    }

    // '' and numeric strings (which covers '0') cannot contain markup - skip the expensive pipeline.
    if ($raw_html === '' || is_numeric($raw_html)) {
        return $raw_html;
    }

    $source = $tidy ? tidy($raw_html) : $raw_html;

    return get_safer_html_html_purifier($source, reason_get_html_purifier_config($config));
}
/**
 * Sanitizes HTML using HTMLPurifier - accepts custom config object.
 *
 * When the HTML_SANITIZATION_FUNCTION constant is defined and no $config is given, the
 * function it names is called instead of HTML Purifier. The constant's value is used
 * directly as a function name, so it must only ever come from trusted site configuration.
 *
 * @param string $raw_html html string needing sanitization
 * @param HTMLPurifier_Config $config custom configuration - if provided we use HTML Purifier
 *        regardless of HTML_SANITIZATION_FUNCTION value.
 * @return string sanitized html string
 *
 * @todo remove support for HTML_SANITIZATION_FUNCTION when Reason 4.5 is released.
 */
function carl_get_safer_html($raw_html, $config = NULL)
{
    $useLegacyFunction = $config === null && defined('HTML_SANITIZATION_FUNCTION');

    if (!$useLegacyFunction) {
        return get_safer_html_html_purifier($raw_html, $config);
    }

    // Legacy path: delegate to whatever sanitizer the deployment configured.
    $sanitizer = HTML_SANITIZATION_FUNCTION;

    return $sanitizer($raw_html);
}