374 line
14KB

  1. Install
  2. How to install HTML Purifier
  3. HTML Purifier is designed to run out of the box, so actually using the
  4. library is extremely easy. (Although... if you were looking for a
  5. step-by-step installation GUI, you've downloaded the wrong software!)
  6. While the impatient can get going immediately with some of the sample
  7. code at the bottom of this library, it's well worth reading this entire
  8. document--most of the other documentation assumes that you are familiar
  9. with these contents.
  10. ---------------------------------------------------------------------------
  11. 1. Compatibility
  12. HTML Purifier is PHP 5 and PHP 7, and is actively tested from PHP 5.0.5
  13. and up. It has no core dependencies with other libraries.
  14. These optional extensions can enhance the capabilities of HTML Purifier:
  15. * iconv : Converts text to and from non-UTF-8 encodings
  16. * bcmath : Used for unit conversion and imagecrash protection
  17. * tidy : Used for pretty-printing HTML
  18. These optional libraries can enhance the capabilities of HTML Purifier:
  19. * CSSTidy : Clean CSS stylesheets using %Core.ExtractStyleBlocks
  20. Note: You should use the modernized fork of CSSTidy available
  21. at https://github.com/Cerdic/CSSTidy
  22. * Net_IDNA2 (PEAR) : IRI support using %Core.EnableIDNA
  23. Note: This is not necessary for PHP 5.3 or later
  24. ---------------------------------------------------------------------------
  25. 2. Reconnaissance
  26. A big plus of HTML Purifier is its inerrant support of standards, so
  27. your web-pages should be standards-compliant. (They should also use
  28. semantic markup, but that's another issue altogether, one HTML Purifier
  29. cannot fix without reading your mind.)
  30. HTML Purifier can process these doctypes:
  31. * XHTML 1.0 Transitional (default)
  32. * XHTML 1.0 Strict
  33. * HTML 4.01 Transitional
  34. * HTML 4.01 Strict
  35. * XHTML 1.1
  36. ...and these character encodings:
  37. * UTF-8 (default)
  38. * Any encoding iconv supports (with crippled internationalization support)
  39. These defaults reflect what my choices would be if I were authoring an
  40. HTML document, however, what you choose depends on the nature of your
  41. codebase. If you don't know what doctype you are using, you can determine
  42. the doctype from this identifier at the top of your source code:
  43. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  44. "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  45. ...and the character encoding from this code:
  46. <meta http-equiv="Content-type" content="text/html;charset=ENCODING">
  47. If the character encoding declaration is missing, STOP NOW, and
  48. read 'docs/enduser-utf8.html' (web accessible at
  49. http://htmlpurifier.org/docs/enduser-utf8.html). In fact, even if it is
  50. present, read this document anyway, as many websites specify their
  51. document's character encoding incorrectly.
  52. ---------------------------------------------------------------------------
  53. 3. Including the library
  54. The procedure is quite simple:
  55. require_once '/path/to/library/HTMLPurifier.auto.php';
  56. This will setup an autoloader, so the library's files are only included
  57. when you use them.
  58. Only the contents in the library/ folder are necessary, so you can remove
  59. everything else when using HTML Purifier in a production environment.
  60. If you installed HTML Purifier via PEAR, all you need to do is:
  61. require_once 'HTMLPurifier.auto.php';
  62. Please note that the usual PEAR practice of including just the classes you
  63. want will not work with HTML Purifier's autoloading scheme.
  64. Advanced users, read on; other users can skip to section 4.
  65. Autoload compatibility
  66. ----------------------
  67. HTML Purifier attempts to be as smart as possible when registering an
  68. autoloader, but there are some cases where you will need to change
  69. your own code to accomodate HTML Purifier. These are those cases:
  70. PHP VERSION IS LESS THAN 5.1.2, AND YOU'VE DEFINED __autoload
  71. Because spl_autoload_register() doesn't exist in early versions
  72. of PHP 5, HTML Purifier has no way of adding itself to the autoload
  73. stack. Modify your __autoload function to test
  74. HTMLPurifier_Bootstrap::autoload($class)
  75. For example, suppose your autoload function looks like this:
  76. function __autoload($class) {
  77. require str_replace('_', '/', $class) . '.php';
  78. return true;
  79. }
  80. A modified version with HTML Purifier would look like this:
  81. function __autoload($class) {
  82. if (HTMLPurifier_Bootstrap::autoload($class)) return true;
  83. require str_replace('_', '/', $class) . '.php';
  84. return true;
  85. }
  86. Note that there *is* some custom behavior in our autoloader; the
  87. original autoloader in our example would work for 99% of the time,
  88. but would fail when including language files.
  89. AN __autoload FUNCTION IS DECLARED AFTER OUR AUTOLOADER IS REGISTERED
  90. spl_autoload_register() has the curious behavior of disabling
  91. the existing __autoload() handler. Users need to explicitly
  92. spl_autoload_register('__autoload'). Because we use SPL when it
  93. is available, __autoload() will ALWAYS be disabled. If __autoload()
  94. is declared before HTML Purifier is loaded, this is not a problem:
  95. HTML Purifier will register the function for you. But if it is
  96. declared afterwards, it will mysteriously not work. This
  97. snippet of code (after your autoloader is defined) will fix it:
  98. spl_autoload_register('__autoload')
  99. Users should also be on guard if they use a version of PHP previous
  100. to 5.1.2 without an autoloader--HTML Purifier will define __autoload()
  101. for you, which can collide with an autoloader that was added by *you*
  102. later.
  103. For better performance
  104. ----------------------
  105. Opcode caches, which greatly speed up PHP initialization for scripts
  106. with large amounts of code (HTML Purifier included), don't like
  107. autoloaders. We offer an include file that includes all of HTML Purifier's
  108. files in one go in an opcode cache friendly manner:
  109. // If /path/to/library isn't already in your include path, uncomment
  110. // the below line:
  111. // require '/path/to/library/HTMLPurifier.path.php';
  112. require 'HTMLPurifier.includes.php';
  113. Optional components still need to be included--you'll know if you try to
  114. use a feature and you get a class doesn't exists error! The autoloader
  115. can be used in conjunction with this approach to catch classes that are
  116. missing. Simply add this afterwards:
  117. require 'HTMLPurifier.autoload.php';
  118. Standalone version
  119. ------------------
  120. HTML Purifier has a standalone distribution; you can also generate
  121. a standalone file from the full version by running the script
  122. maintenance/generate-standalone.php . The standalone version has the
  123. benefit of having most of its code in one file, so parsing is much
  124. faster and the library is easier to manage.
  125. If HTMLPurifier.standalone.php exists in the library directory, you
  126. can use it like this:
  127. require '/path/to/HTMLPurifier.standalone.php';
  128. This is equivalent to including HTMLPurifier.includes.php, except that
  129. the contents of standalone/ will be added to your path. To override this
  130. behavior, specify a new HTMLPURIFIER_PREFIX where standalone files can
  131. be found (usually, this will be one directory up, the "true" library
  132. directory in full distributions). Don't forget to set your path too!
  133. The autoloader can be added to the end to ensure the classes are
  134. loaded when necessary; otherwise you can manually include them.
  135. To use the autoloader, use this:
  136. require 'HTMLPurifier.autoload.php';
  137. For advanced users
  138. ------------------
  139. HTMLPurifier.auto.php performs a number of operations that can be done
  140. individually. These are:
  141. HTMLPurifier.path.php
  142. Puts /path/to/library in the include path. For high performance,
  143. this should be done in php.ini.
  144. HTMLPurifier.autoload.php
  145. Registers our autoload handler HTMLPurifier_Bootstrap::autoload($class).
  146. You can do these operations by yourself--in fact, you must modify your own
  147. autoload handler if you are using a version of PHP earlier than PHP 5.1.2
  148. (See "Autoload compatibility" above).
  149. ---------------------------------------------------------------------------
  150. 4. Configuration
  151. HTML Purifier is designed to run out-of-the-box, but occasionally HTML
  152. Purifier needs to be told what to do. If you answer no to any of these
  153. questions, read on; otherwise, you can skip to the next section (or, if you're
  154. into configuring things just for the heck of it, skip to 4.3).
  155. * Am I using UTF-8?
  156. * Am I using XHTML 1.0 Transitional?
  157. If you answered no to any of these questions, instantiate a configuration
  158. object and read on:
  159. $config = HTMLPurifier_Config::createDefault();
  160. 4.1. Setting a different character encoding
  161. You really shouldn't use any other encoding except UTF-8, especially if you
  162. plan to support multilingual websites (read section three for more details).
  163. However, switching to UTF-8 is not always immediately feasible, so we can
  164. adapt.
  165. HTML Purifier uses iconv to support other character encodings, as such,
  166. any encoding that iconv supports <http://www.gnu.org/software/libiconv/>
  167. HTML Purifier supports with this code:
  168. $config->set('Core.Encoding', /* put your encoding here */);
  169. An example usage for Latin-1 websites (the most common encoding for English
  170. websites):
  171. $config->set('Core.Encoding', 'ISO-8859-1');
  172. Note that HTML Purifier's support for non-Unicode encodings is crippled by the
  173. fact that any character not supported by that encoding will be silently
  174. dropped, EVEN if it is ampersand escaped. If you want to work around
  175. this, you are welcome to read docs/enduser-utf8.html for a fix,
  176. but please be cognizant of the issues the "solution" creates (for this
  177. reason, I do not include the solution in this document).
  178. 4.2. Setting a different doctype
  179. For those of you using HTML 4.01 Transitional, you can disable
  180. XHTML output like this:
  181. $config->set('HTML.Doctype', 'HTML 4.01 Transitional');
  182. Other supported doctypes include:
  183. * HTML 4.01 Strict
  184. * HTML 4.01 Transitional
  185. * XHTML 1.0 Strict
  186. * XHTML 1.0 Transitional
  187. * XHTML 1.1
  188. 4.3. Other settings
  189. There are more configuration directives which can be read about
  190. here: <http://htmlpurifier.org/live/configdoc/plain.html> They're a bit boring,
  191. but they can help out for those of you who like to exert maximum control over
  192. your code. Some of the more interesting ones are configurable at the
  193. demo <http://htmlpurifier.org/demo.php> and are well worth looking into
  194. for your own system.
  195. For example, you can fine tune allowed elements and attributes, convert
  196. relative URLs to absolute ones, and even autoparagraph input text! These
  197. are, respectively, %HTML.Allowed, %URI.MakeAbsolute and %URI.Base, and
  198. %AutoFormat.AutoParagraph. The %Namespace.Directive naming convention
  199. translates to:
  200. $config->set('Namespace.Directive', $value);
  201. E.g.
  202. $config->set('HTML.Allowed', 'p,b,a[href],i');
  203. $config->set('URI.Base', 'http://www.example.com');
  204. $config->set('URI.MakeAbsolute', true);
  205. $config->set('AutoFormat.AutoParagraph', true);
  206. ---------------------------------------------------------------------------
  207. 5. Caching
  208. HTML Purifier generates some cache files (generally one or two) to speed up
  209. its execution. For maximum performance, make sure that
  210. library/HTMLPurifier/DefinitionCache/Serializer is writeable by the webserver.
  211. If you are in the library/ folder of HTML Purifier, you can set the
  212. appropriate permissions using:
  213. chmod -R 0755 HTMLPurifier/DefinitionCache/Serializer
  214. If the above command doesn't work, you may need to assign write permissions
  215. to group:
  216. chmod -R 0775 HTMLPurifier/DefinitionCache/Serializer
  217. You can also chmod files via your FTP client; this option
  218. is usually accessible by right clicking the corresponding directory and
  219. then selecting "chmod" or "file permissions".
  220. Starting with 2.0.1, HTML Purifier will generate friendly error messages
  221. that will tell you exactly what you have to chmod the directory to, if in doubt,
  222. follow its advice.
  223. If you are unable or unwilling to give write permissions to the cache
  224. directory, you can either disable the cache (and suffer a performance
  225. hit):
  226. $config->set('Core.DefinitionCache', null);
  227. Or move the cache directory somewhere else (no trailing slash):
  228. $config->set('Cache.SerializerPath', '/home/user/absolute/path');
  229. ---------------------------------------------------------------------------
  230. 6. Using the code
  231. The interface is mind-numbingly simple:
  232. $purifier = new HTMLPurifier($config);
  233. $clean_html = $purifier->purify( $dirty_html );
  234. That's it! For more examples, check out docs/examples/ (they aren't very
  235. different though). Also, docs/enduser-slow.html gives advice on what to
  236. do if HTML Purifier is slowing down your application.
  237. ---------------------------------------------------------------------------
  238. 7. Quick install
  239. First, make sure library/HTMLPurifier/DefinitionCache/Serializer is
  240. writable by the webserver (see Section 5: Caching above for details).
  241. If your website is in UTF-8 and XHTML Transitional, use this code:
  242. <?php
  243. require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
  244. $config = HTMLPurifier_Config::createDefault();
  245. $purifier = new HTMLPurifier($config);
  246. $clean_html = $purifier->purify($dirty_html);
  247. ?>
  248. If your website is in a different encoding or doctype, use this code:
  249. <?php
  250. require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
  251. $config = HTMLPurifier_Config::createDefault();
  252. $config->set('Core.Encoding', 'ISO-8859-1'); // replace with your encoding
  253. $config->set('HTML.Doctype', 'HTML 4.01 Transitional'); // replace with your doctype
  254. $purifier = new HTMLPurifier($config);
  255. $clean_html = $purifier->purify($dirty_html);
  256. ?>
  257. vim: et sw=4 sts=4