| blob | fbd0f2adb0af6dd4180b5fc816da08c0ca30205f |
6 <meta name="description" content="Tutorial for customizing HTML Purifier's tag and attribute sets." />
11 </head><body>
20 <p>
21 HTML Purifier has this quirk where if you try to allow certain elements or
22 attributes, HTML Purifier will tell you that it's not supported, and that
23 you should go to the forums to find out how to implement it. Well, this
24 document is how to implement elements and attributes which HTML Purifier
25 doesn't support out of the box.
26 </p>
30 <p>
31 Before we even write any code, it is paramount to consider whether or
32 not the code we're writing is necessary or not. HTML Purifier, by default,
33 contains a large set of elements and attributes: large enough so that
35 that can be safely used by the general public is implemented.
36 </p>
38 <p>
39 So what needs to be implemented? (Feel free to skip this section if
40 you know what you want).
41 </p>
45 <p>
46 All of the modules listed below are based off of the
47 <a href="http://www.w3.org/TR/2001/REC-xhtml-modularization-20010410/abstract_modules.html#sec_5.2.">modularization of
49 resource.
50 </p>
52 <ul>
66 </ul>
68 <p>
69 If you don't recognize it, you probably don't need it. But the curious
70 can look all of these modules up in the above-mentioned document. Note
71 that inline scripting comes packaged with HTML Purifier (more on this
72 later).
73 </p>
77 <p>
78 As of HTMLPurifier 2.1.0, we have implemented the
80 which defines a set of tags
81 for publishing short annotations for text, used mostly in Japanese
82 and Chinese school texts, but applicable for positioning any text (not
83 limited to translations) above or below other corresponding text.
84 </p>
88 <p>
90 working draft, so any elements introduced in the
91 specification have not been implemented and will not be implemented
92 until we get a recommendation or proposal. Because XHTML 2.0 is
93 an entirely new markup language, implementing rules for it will be
94 no easy task.
95 </p>
99 <p>
102 in the wrong direction. It too is a working draft, and may change
103 drastically before publication, but it should be noted that the
105 </p>
109 <p>
110 There are a number of proprietary tags still in the wild. Many of them
112 but there is currently no implementation for any of them.
113 </p>
117 <p>
118 There are also a number of other XML languages out there that can
119 be embedded in HTML documents: two of the most popular are MathML and
120 SVG, and I frequently get requests to implement these. But they are
121 expansive, comprehensive specifications, and it would take far too long
123 as whitelisting tags and no further; come on, what about nesting!)
124 </p>
126 <p>
128 aware.
129 </p>
133 <p>
134 As you may imagine from the details above (don't be abashed if you didn't
135 read it all: a glance over would have done), there's quite a bit that
136 HTML Purifier doesn't implement. Recent architectural changes have
137 allowed HTML Purifier to implement elements and attributes that are not
138 safe! Don't worry, they won't be activated unless you set %HTML.Trusted
139 to true, but they certainly help out users who need to put, say, forms
140 on their page and don't want to go through the trouble of reading this
141 and implementing it themself.
142 </p>
144 <p>
145 So any of the above that you implement for your own application could
146 help out some other poor sap on the other side of the globe. Help us
147 out, and send back code so that it can be hammered into a module and
148 released with the core. Any code would be greatly appreciated!
149 </p>
153 <p>
154 Enough philosophical talk, time for some code:
155 </p>
157 <pre>$config = HTMLPurifier_Config::createDefault();
158 $config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
162 <p>
163 Assuming that HTML Purifier has already been properly loaded (hint:
165 the environment that you need to start customizing the HTML definition.
166 What's going on?
167 </p>
169 <ul>
170 <li>
171 The first three lines are regular configuration code:
172 <ul>
173 <li>
174 %HTML.DefinitionID is set to a unique identifier for your
175 custom HTML definition. This prevents it from clobbering
176 other custom definitions on the same installation.
177 </li>
178 <li>
179 %HTML.DefinitionRev is a revision integer of your HTML
180 definition. Because HTML definitions are cached, you'll need
181 to increment this whenever you make a change in order to flush
182 the cache.
183 </li>
184 </ul>
185 </li>
186 <li>
188 object that we will be tweaking. If the parameter was removed, we
189 would be retrieving a fully formed definition object, which is somewhat
190 useless for customization purposes.
191 </li>
192 </ul>
196 <p>
197 Those of you who have already been twiddling around with the raw
198 HTML definition object, you'll be noticing that you're getting an error
199 when you attempt to retrieve the raw definition object without specifying
200 a DefinitionID. It is vital to caching (see below) that you make a unique
201 name for your customized definition, so make up something right now and
202 things will operate again.
203 </p>
207 <p>
208 To make development easier, we're going to temporarily turn off
209 definition caching:
210 </p>
212 <pre>$config = HTMLPurifier_Config::createDefault();
213 $config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
218 <p>
219 A few things should be mentioned about the caching mechanism before
220 we move on. For performance reasons, HTML Purifier caches generated
223 A lot of processing is done in order to create these objects, so it
224 makes little sense to repeat the same processing over and over again
225 whenever HTML Purifier is called.
226 </p>
228 <p>
229 In order to identify a cache entry, HTML Purifier uses three variables:
230 the library's version number, the value of %HTML.DefinitionRev and
231 a serial of relevant configuration. Whenever any of these changes,
232 a new HTML definition is generated. Notice that there is no way
233 for the definition object to track changes to customizations: here, it
234 is up to you to supply appropriate information to DefinitionID and
235 DefinitionRev.
236 </p>
240 <p>
243 ask a few questions:
244 </p>
246 <ol>
251 </ol>
253 <p>
256 was required, we'd need to append an asterisk to the attribute name,
257 you'll see an example of this in the addElement() example).
258 </p>
260 <p>
261 The last question is a little trickier.
262 Lets allow the special values: _blank, _self, _target and _top.
264 valid values, although only one can be used at a time. To translate
265 this into code form, we write:
266 </p>
268 <pre>$config = HTMLPurifier_Config::createDefault();
269 $config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
271 $config->set('Cache.DefinitionImpl', null); // remove this later!
272 $def = $config->getHTMLDefinition(true);
275 <p>
277 The string is split into two parts, separated by a hash mark (#):
278 </p>
280 <ol>
283 </ol>
285 <p>
286 If that sounds vague and generic, it's because it is! HTML Purifier defines
287 an assortment of different attribute types one can use, and each of these
288 has their own specialized parameter format. Here are some of the more useful
289 ones:
290 </p>
293 <thead>
294 <tr>
298 </tr>
299 </thead>
300 <tbody>
301 <tr>
304 <td>
305 Attribute with a number of valid values, one of which may be used. When
306 s: is present, the enumeration is case sensitive.
307 </td>
308 </tr>
309 <tr>
312 <td>
313 Boolean attribute, with only one valid value: the name
314 of the attribute.
315 </td>
316 </tr>
317 <tr>
319 <td></td>
320 <td>
322 (the specification makes a semantic distinction between the two).
323 </td>
324 </tr>
325 <tr>
327 <td></td>
328 <td>
329 Attribute that specifies a unique ID
330 </td>
331 </tr>
332 <tr>
334 <td></td>
335 <td>
336 Attribute that specifies an integer pixel length
337 </td>
338 </tr>
339 <tr>
341 <td></td>
342 <td>
343 Attribute that specifies a pixel or percentage length
344 </td>
345 </tr>
346 <tr>
348 <td></td>
349 <td>
350 Attribute that specifies a number of name tokens, example: the
352 </td>
353 </tr>
354 <tr>
356 <td></td>
357 <td>
359 attribute
360 </td>
361 </tr>
362 <tr>
364 <td></td>
365 <td>
366 Attribute that specifies an positive integer number
367 </td>
368 </tr>
369 </tbody>
370 </table>
372 <p>
373 For a complete list, consult
374 <a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/AttrTypes.php"><code>library/HTMLPurifier/AttrTypes.php</code></a>;
375 more information on attributes that accept parameters can be found on their
376 respective includes in
377 <a href="http://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/AttrDef"><code>library/HTMLPurifier/AttrDef</code></a>.
378 </p>
380 <p>
381 Sometimes, the restrictive list in AttrTypes just doesn't cut it. Don't
382 sweat: you can also use a fully instantiated object as the value. The
383 equivalent, verbose form of the above example is:
384 </p>
386 <pre>$config = HTMLPurifier_Config::createDefault();
387 $config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
389 $config->set('Cache.DefinitionImpl', null); // remove this later!
390 $def = $config->getHTMLDefinition(true);
392 array('_blank','_self','_target','_top')
393 ));</strong></pre>
395 <p>
396 Trust me, you'll learn to love the shorthand.
397 </p>
401 <p>
402 Adding attributes is really small-fry stuff, though, and it was possible
403 to add them (albeit a bit more wordy) prior to 2.0. The real gem of
404 the Advanced API is adding elements. There are five questions to
405 ask when adding a new element:
406 </p>
408 <ol>
414 </ol>
416 <p>
417 It's a mouthful, and you'll be slightly lost if your not familiar with
418 the HTML specification, so let's explain them step by step.
419 </p>
423 <p>
424 The HTML specification defines two major content sets: Inline
425 and Block. Each of these
426 content sets contain a list of elements: Inline contains things like
429 </p>
431 <p>
432 These content sets amount to a macro mechanism for HTML definition. Most
433 elements in HTML are organized into one of these two sets, and most
434 elements in HTML allow elements from one of these sets. If we had
435 to write each element verbatim into each other element's allowed
436 children, we would have ridiculously large lists; instead we use
437 content sets to compactify the declaration.
438 </p>
440 <p>
441 Practically speaking, there are several useful values you can use here:
442 </p>
445 <thead>
446 <tr>
449 </tr>
450 </thead>
451 <tbody>
452 <tr>
455 </tr>
456 <tr>
459 </tr>
460 <tr>
462 <td>
465 </td>
466 </tr>
467 </tbody>
468 </table>
470 <p>
471 By specifying a valid value here, all other elements that use that
472 content set will also allow your element, without you having to do
474 your element manually.
475 </p>
479 <p>
480 Allowed children defines the elements that this element can contain.
481 The allowed values may range from none to a complex regexp depending on
482 your element.
483 </p>
485 <p>
486 If you've ever taken a look at the HTML DTD's before, you may have
487 noticed declarations like this:
488 </p>
492 <p>
496 omitted, though in XML this is not allowed.) In HTML Purifier,
498 we were discussing earlier come into play). There are three shorthand
499 content models you can specify:
500 </p>
503 <thead>
504 <tr>
507 </tr>
508 </thead>
509 <tbody>
510 <tr>
513 </tr>
514 <tr>
517 </tr>
518 <tr>
521 </tr>
522 </tbody>
523 </table>
525 <p>
526 This covers 90% of all the cases out there, but what about elements that
531 content models. The most common values are:
532 </p>
535 <thead>
536 <tr>
539 </tr>
540 </thead>
541 <tbody>
542 <tr>
545 </tr>
546 <tr>
549 </tr>
550 <tr>
553 </tr>
554 </tbody>
555 </table>
557 <p>
562 </p>
564 <p>
565 The second part specifies either valid elements or a regular expression.
566 Valid elements are separated with horizontal bars (|), i.e.
567 "<code>a | b | c</code>". Use #PCDATA to represent plain text.
568 Regular expressions are based off of DTD's style:
569 </p>
571 <ul>
578 </ul>
580 <p>
582 one <code>a</code> element, at most one <code>b</code> element,
583 one <code>c</code> or <code>d</code> element (but not both), one or more
584 <code>e</code> elements, and any number of <code>f</code> elements."
585 Regex veterans should be able to jump right in, and those not so savvy
586 can always copy-paste W3C's content model definitions into HTML Purifier
587 and hope for the best.
588 </p>
590 <p>
591 A word of warning: while the regex format is extremely flexible on
592 the developer's side, it is
594 match the specification, the entire contents of the element will
595 be nuked. This is why there is are specific content model types like
596 Optional and Required: while they could be implemented as <code>Custom:
597 (valid | elements)*</code>, the custom classes contain special recovery
598 measures that make sure as much of the user's original content gets
599 through. HTML Purifier's core, as a rule, does not use Custom.
600 </p>
602 <p>
603 One final note: you can also use Content Sets inside your valid elements
604 lists or regular expressions. In fact, the three shorthand content models
605 mentioned above are just that: abbreviations:
606 </p>
609 <thead>
610 <tr>
613 </tr>
614 </thead>
615 <tbody>
616 <tr>
619 </tr>
620 <tr>
623 </tr>
624 </tbody>
625 </table>
627 <p>
628 When the definition is compiled, Inline will be replaced with a
629 horizontal-bar separated list of inline elements. Also, notice that
630 it does not contain text: you have to specify that yourself.
631 </p>
635 <p>
636 Congratulations: you have just gotten over the proverbial hump (Allowed
637 children). Common attributes is much simpler, and boils down to
641 which contains these five attributes that are found on almost every
642 HTML element in the specification.
643 </p>
645 <p>
646 There are a few more collections, but they're really edge cases:
647 </p>
650 <thead>
651 <tr>
654 </tr>
655 </thead>
656 <tbody>
657 <tr>
660 </tr>
661 <tr>
664 </tr>
665 </tbody>
666 </table>
668 <p>
669 Common is a combination of the above-mentioned collections.
670 </p>
673 Readers familiar with the modularization may have noticed that the Core
674 attribute collection differs from that specified by the <a
679 the DTD and XML Schemas supplied by W3C support our interpretation.
680 </p>
684 <p>
686 adding attributes</a>, read it now. The last parameter is simply
687 an array of attribute names to attribute implementations, in the exact
689 </p>
693 <p>
695 grab a reference implementation from over at the
697 </p>
700 <!ATTLIST FORM
701 %attrs; -- %coreattrs, %i18n, %events --
702 action %URI; #REQUIRED -- server-side form handler --
703 method (GET|POST) GET -- HTTP method used to submit the form--
705 accept %ContentTypes; #IMPLIED -- list of MIME types for file upload --
706 name CDATA #IMPLIED -- name of form for scripting --
707 onsubmit %Script; #IMPLIED -- the form was submitted --
708 onreset %Script; #IMPLIED -- the form was reset --
709 target %FrameTarget; #IMPLIED -- render in this frame --
710 accept-charset %Charsets; #IMPLIED -- list of supported charsets --
713 <p>
714 Juicy! With just this, we can answer four of our five questions:
715 </p>
717 <ol>
720 (this needs a little sleuthing, I find the easiest way is to search
725 <li>What attributes does the element allow that are specific to this element? <strong>A whole bunch, see ATTLIST;
726 we're going to do the vital ones: <code>action</code>, <code>method</code> and <code>name</code></strong></li>
727 </ol>
729 <p>
730 Time for some code:
731 </p>
733 <pre>$config = HTMLPurifier_Config::createDefault();
734 $config->set('HTML.DefinitionID', 'enduser-customize.html tutorial');
736 $config->set('Cache.DefinitionImpl', null); // remove this later!
737 $def = $config->getHTMLDefinition(true);
738 $def->addAttribute('a', 'target', new HTMLPurifier_AttrDef_Enum(
739 array('_blank','_self','_target','_top')
740 ));
742 'form', // name
743 'Block', // content set
744 'Flow', // allowed children
745 'Common', // attribute collection
746 array( // attributes
747 'action*' => 'URI',
748 'method' => 'Enum#get|post',
749 'name' => 'ID'
750 )
751 );
754 <p>
755 Each of the parameters corresponds to one of the questions we asked.
757 attribute to indicate that it is required. If someone specifies a
759 Also, the extra line at the end is a special extra declaration that
760 prevents forms from being nested within each other.
761 </p>
763 <p>
764 And that's all there is to it! Implementing the rest of the form
765 module is left as an exercise to the user; to see more examples
766 check the <a href="http://repo.or.cz/w/htmlpurifier.git?a=tree;hb=HEAD;f=library/HTMLPurifier/HTMLModule"><code>library/HTMLPurifier/HTMLModule/</code></a> directory
767 in your local HTML Purifier installation.
768 </p>
772 <p>
773 Perceptive users may have realized that, to a certain extent, we
774 have simply re-implemented the facilities of XML Schema or the
775 Document Type Definition. What you are seeing here, however, is
776 not just an XML Schema or Document Type Definition: it is a fully
777 expressive method of specifying the definition of HTML that is
778 a portable superset of the capabilities of the two above-mentioned schema
779 languages. What makes HTMLDefinition so powerful is the fact that
780 if we don't have an implementation for a content model or an attribute
781 definition, you can supply it yourself by writing a PHP class.
782 </p>
784 <p>
785 There are many facets of HTMLDefinition beyond the Advanced API I have
786 walked you through today. To find out more about these, you can
787 check out these source files:
788 </p>
790 <ul>
791 <li><a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/HTMLModule.php"><code>library/HTMLPurifier/HTMLModule.php</code></a></li>
792 <li><a href="http://repo.or.cz/w/htmlpurifier.git?a=blob;hb=HEAD;f=library/HTMLPurifier/ElementDef.php"><code>library/HTMLPurifier/ElementDef.php</code></a></li>
793 </ul>
795 </body></html>
797 <!-- vim: et sw=4 sts=4
798 -->