Ability to switch to masterminds/html5 lexer for better HTML5 support using:

$config = \HTMLPurifier_HTML5Config::create();
$config->set('Core.LexerImpl', new \HTMLPurifier_Lexer_HTML5);

I'm looking at switching to this from ezyang/htmlpurifier due to growing need for HTML5 support.

Several years ago, lukusw tried to add HTML5 support to htmlpurifier for Drupal but I think the idea dropped priority and was never implemented. ezyang made some comments on lukusw's attempt which is probably what slowed the whole thing down: https://www.drupal.org/project/htmlpurifier/issues/1321490#comment-9509073

I've been comparing lukusw and your code based on ezyang comments:

• https://github.com/lukusw/php-htmlpurfier-html5/blob/master/htmlpurifier_html5.php#L40
• https://github.com/xemlock/htmlpurifier-html5/blob/e843e771f778618137f7e3fefbe2015621056c47/library/HTMLPurifier/HTMLModule/HTML5/Text.php#L23

With this in mind, I'm hoping you can answer the below questions:

All of the HTML5 content needs to be gated, so it is only available when a user specifies an HTML5 doctype. You could try to put all of the HTML5 definitions in a new HTMLModule.

✔️ looks good

section/nav/aside/article are not Block content but Sectioning content. Flow should be redefined to include Sectioning (similar to how HTMLPurifier/HTMLModule/Text.php does Flow)

❌ Doesn't look to have changed?

header and footer need to exclude header/footer/main descendants; see the 'excludes' attribute; also an example in Text.php (pre)

❌ Doesn't look to have changed?

Ditto with address, use the same technique

❌ Doesn't look to have changed?

hgroup got removed from the HTML5 spec, so doesn't belong here.

✔️ seems fine to keep it

The figure specification doesn't look right; I think you need an asterisk after the Flow. A plain spec 'Flow' is special-cased. I suspect your specifications also exclude plain text.

❔ not sure if you've done this?

figcaption is not Inline, give it false instead.

✔️ seems fine

I'm a little worried about video tag, but the definition you've given is probably OK. I'm not sure if it should be allowed by default. Definitely autoplay should not be allowed. The contents has the same problem as figure.

✔️ allows autoplay, but otherwise seems ok

We should already have the inline elements; are the existing definitions buggy?

✔️ not sure that this is relevant... Existing definitions are gated to XHTML 1.1, so would need gated definition for html5 spec (http://htmlpurifier.org/phorum/read.php?3,8291,8514#msg-8514)

For ins/del datetime, ideally we would apply the HTML5 parse a date or time string and validate it, see http://www.w3.org/TR/html5/infrastructure.html#parse-a-date-or-time-string

✔️ seems fine

iframe allowfullscreen isn't an HTML5 attribute. And it shouldn't be allowed by default anyway, should be gated by Tricky at least.

❌ Not gated by tricky?

This copies CommonAttributes changes in v4.15.0 from upstream, otherwise contenteditable="false" is not considered valid on HTML5 doc types.

It also bumps the requirements to match ezyang/htmlpurifier in v4.15.0

Hello I want to pass HTML form through purify process, this should by possible in vanilla htmlpurifier since 4.13.0 by "HTML.Forms" but it doesn't seems to work in this html5 extend. Example:

<?php
require 'vendor/autoload.php';

$config = HTMLPurifier_HTML5Config::createDefault();

$config->set('HTML.Trusted', FALSE);
$config->set('HTML.Forms', TRUE);

$purifier = new HTMLPurifier($config);

$dirty_html5 = '<form mnethod="post" action="#"><input></form>';
$clean_html5 = $purifier->purify($dirty_html5);
var_dump(htmlspecialchars($clean_html5));
----------------------
string(0) ""

from composer.lock:

"name": "ezyang/htmlpurifier",
"version": "v4.13.0",

"name": "xemlock/htmlpurifier-html5",
"version": "v0.1.11",

In case of vanilla "ezyang/htmlpurifier:v4.13.0:

<?php

require 'vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();

$config->set('HTML.Trusted', FALSE);
$config->set('HTML.Forms', TRUE);

$purifier = new HTMLPurifier($config);

$dirty_html5 = '<form mnethod="post" action="#"><input></form>';
$clean_html5 = $purifier->purify($dirty_html5);
var_dump(htmlspecialchars($clean_html5));
--------------------------
string(61) "<form action="#"><input /></form>" 

Not sure what's wrong there?

htmlpurifier has support for deprecated attributes and will convert them to their style equivalent

<table>
<tr bgcolor="#edeeef">
<td width="3"></td>
<td bgcolor="#f9fafa" width="1"></td>
<td bgcolor="#edeeef" width="1"></td>
<td bgcolor="#dbdee0" width="1"></td>
</tr></table>

When using this lib bgcolor seems to get nuked. I've tried added "HTML.TidyLevel" => "heavy", but it doesn't seem to do anything. http://htmlpurifier.org/docs/enduser-tidy.html makes reference to the doctype, so I'm wondering whether the HTML5 doctype has something to do with it not working?

Hi.

Thanks for the great library which saves developer lifetime :smile:

I'm using this config to override the Purifier configuration in a Symfony project with the exercise/htmlpurifier-bundle

The bundle creates the parent configuration than uses HTMLPurifier_Config::inherit() method to create the child one. The method implementation is taken from the parent class, not HTML5Config as the following.

    /**
     * Creates a new config object that inherits from a previous one.
     * @param HTMLPurifier_Config $config Configuration object to inherit from.
     * @return HTMLPurifier_Config object with $config as its parent.
     */
    public static function inherit(HTMLPurifier_Config $config)
    {
        return new HTMLPurifier_Config($config->def, $config->plist);
    }

As a result all the child configurations are HTMLPurifier_Config instances instead of HTMLPurifier_HTML5Config which causes errors as they don't support HTML5 tags.

I'm using a workaround inheriting the base class like:

class HTMLPurifier_AltHTML5Config extends \HTMLPurifier_HTML5Config
{
    public static function inherit(HTMLPurifier_Config $config)
    {
        return new static($config->def, $config->plist);
    }
}

But the 'inherit()' method should be overridden as well, I suppose.

Thanks again. Best wishes.

Would you accept a PR which adds contenteditable attribute support?

https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/contenteditable

In HTML5, captions may contain any flow content excluding descendent table elements- https://html.spec.whatwg.org/multipage/tables.html#the-caption-element

Meaning:

<table>
  <caption><h3>Monthly savings</h3></caption>
  <tr>
    <th>Month</th>
    <th>Savings</th>
  </tr>
  <tr>
    <td>January</td>
    <td>$100</td>
  </tr>
</table>

is perfectly valid HTML, but it results in the entire table being stripped out instead:

<h3>Monthly savings</h3>
  Month
    Savings
  January
    $100
  

Related issue: https://github.com/ezyang/htmlpurifier/issues/131

Hi,

I am using a combination of wkhtmltopdf and htmlpurifier-html5 to generate pdf's.

The problem that I am facing at the moment is that the inline style border-radius gets removed after passing the purify() function.

Any thoughts on why it could be doing this?

Thanks.

Currently the set of allowed <input> types doesn't include HTML5 values. Also, it would be useful to be able to narrow the set of allowed input types (as requested in ezyang/htmlpurifier#213).