Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

htmlLawed class whitelisting

I've searched around for this and I can't find any examples. Does anyone know how you create a whitelist of class names (and deny the rest) in htmlLawed?



  • Options

    you need to pass a function to $Config['hook_tag'] if you are not using safe styles there Already is such a function, which is a good example.

    there are two parameter of the function the element and the attributes array. You can detect class then check the values against a lookup.

    I also recommend applying name spacing/unique names, this stops people exploiters using common class names, that may vary in context.

    grep is your friend.

  • Options

    Thanks for the pointer @x00. Here's my code:

    First, make sure you have this line uncommented in class.htmlawed.plugin.php:

    $Config['hook_tag'] = 'HTMLawedHookTag';

    Then the Hook Tag function:

    function HTMLawedHookTag($Element, $Attributes) {
       $Attribs = '';
       $PermClasses = array('YOURCLASS', 'ANOTHERCLASS');
       foreach ($Attributes as $Key => $Value) {   
           if (strcasecmp($Key, 'class') == 0) {       
               if (!in_array($Value, $PermClasses))
          $Attribs .= " {$Key}=\"{$Value}\"";
       return "<{$Element}{$Attribs}>";
  • Options
    x00x00 MVP
    edited October 2013

    As you can have multiple classes per element you could split the value on white space, then if there is more than one class per element it with be matched. You would need an inner loop, then you would join them back together.

    grep is your friend.

  • Options
    50sQuiff50sQuiff ✭✭
    edited October 2013

    Not an issue for me, where I only have to add a few class combinations to the whitelist, but I think that's good advice.

Sign In or Register to comment.