MyBB Community Forums

http://htmlpurifier.org/ Wrote:HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!

This plugin adds support for HTMLPurifier in MyBB. It's Open Source, LGPL. To make it work, you have to upload both the plugin, as well as the library. If you allow HTML in posts, private messages, or signatures, the plugin will use the HTMLPurifier library to remove any bad or malicious code.

Download: http://mods.mybb.com/view/htmlpurifier
Alternative Download: https://github.com/frostschutz/HTMLPurifier-MyBB
Download the library itself: http://htmlpurifier.org/

Installation instructions:

• Upload htmlpurifier.php to inc/plugins/
  
• Download the HTMLPurifier Library from http://htmlpurifier.org/
  (use version 4.2.0 or newer)
  
• Upload the HTMLPurifier library to inc/plugins/htmlpurifier/
  (only the contents of the library/ folder)
  
• Create a directory cache/htmlpurifier and make it writable
  (plugin attempts to do this automatically, if cache/ is already writable)
  
• Activate the plugin
  

Notes:

• I can't vouch for the quality of the filtered HTML, as that is done by the external library.
  
• Because the filtering is highly expensive, it is only done as you post (before it goes into the database). Old posts won't be affected.
  
• Bad HTML can cause text to be filtered (and thereby lost) when posting.
  
• Signatures are only filtered when edited via the User CP. Mod CP / Admin CP edits are not affected.
  

Thanks a ton for this. I have HML enabled in ceetain forums for the admn group for RSS feeds. Having a filter as peace of mind is just great.

Very good for safety... Nice job!

When HTMLPurifier is ON, HTML in codeblock is parsed. That's not bug in MyBB ang HTML in Posts, because when I've deactivate HTMLPurifier, HTML in codeblock isn't parsed.

When MyCode is enabled, this plugin relies on MyBB to escape HTML inside code and php tags. MyBB doesn't do it for code tags [anymore] which I think is a bug in MyBB... if I "fix" this in the plugin it would mean filtering HTML inside code tags and thereby, making those tags nigh unusable in any HTML enabled forum. This isn't really an option and as such there's not anything I can do - it has to be fixed on MyBB's end.

Ok, I understand. I've checked few possibilities with running HTML on MyBB and conclusion is... bug in MyBB -> http://dev.mybb.com/issues/1680

Hi Thanks for the mods, But Sorry for being newb but I have a question. I am not understanding this part.

2. Upload the HTMLPurifier library to inc/plugins/htmlpurifier/
(only the contents of the library/ folder)

I downloaded HTMLPurifier 4.3.0 . In there I am seeing lots of files. Check the image below please

[attachment=24040]

Did you mean to upload all files showing in attachment in there to inc/plugins/htmlpurifier/
OR just the library folder files?

Kindly let me know

thanks!

"(only the contents of the library/ folder)"

If in doubt: Try it and see.

Is HTMLPurifier work correct on MyBB 1.6.5?

It should work, yes. Please report back if it doesn't.