Purifier and embedding Youtube

I have a 1.4.7 install using ckeditor with the youtube plugin for page editing. On that system, I can add Youtube embedding code and save to the back end. All is well.

I also have a 1.4.13 build with the same ckeditor and youtube plugins. On embedding Youtube code, and saving, the embedded code disappears. After adding the code manually to the fuel_page_variables record for the page, it gets picked up in the editor - until it's saved.

I've checked the ASF setting for ckeditor itself, that's correct and the same for both systems.

I'm guessing the only difference between the two systems is the new HTMLPurifier code? I have the config file in place and notice it has the option to allow Youtube embedding.

Anyone else noticing the same? Anyone got a solution?


  • It's happening somewhere inside MY_Model->clean()

  • Yes, definitely in MY_html_helper->html_purify()

  • There's been a few issues I've run into as well with using purifier. I've made some adjustments to the default config (fuel/application/config/purifier.php) actually yesterday for links with target="_blank". If you want to include javascript or iframes, merge in the develop branch and note the commented out areas in the purifier.php config file for iframes and javascript. Try that and see if it works.

    Additionally, in your model, you can set a property of public $auto_encode_entities = array('field1', 'field2') that determines what fields to encode. By default (which is TRUE) it does all fields.

  • No difference.

    It doesn't look like the purifier config is being picked up (I would have expected to see SafeIframe = 1 at least somewhere)?

    echo '<pre>'.print_r($purifier_config,true).'</pre>';
    $purifier = new \HTMLPurifier($purifier_config);

  • The new build is also removing empty tags too. Which buggers up the FontAwesome elements.

  • Should we be having cache files appear in libraries/HTMLPurifier/standalone/HTMLPurifier/DefinitionCache/Serializer/ too?
    If they're necessary, it would be better if they were placed in ./application/cache so they can be cleaned out by the Page cache tool?

  • The cache files in the repo should have been removed with the last push to develop branch the other day. I initially didn't even know they were being written and found them while hunting down unexpected behavior (which sounds like you may have encountered too). I agree, that it would be better to put in the application/cache but haven't looked into how to configure that (let me know if you find a way).

    The removing empty tags is probably due to this in the purifier.php config:

    'AutoFormat.RemoveEmpty'   => TRUE,

  • I just pushed an update to develop branch to configure the cache directory to be fuel/application/cache/

  • I've already got 'AutoFormat.RemoveEmpty' => false,. I'm not convinced the config file is getting loaded into the Purifier...

  • Do you have the latest one from develop? There is a problem with that on master.

  • Also, be sure that those cache files are deleted each time you change.

  • Yes, using the whole develop branch and removing cache files. Empty tags still being removed. Youtube still disappearing:

    $config['settings'] = array(
        'default' => array(
            //'HTML.Trusted'             => TRUE, // For Javascript... must also add 'script' to HTML.Allowed
            'HTML.SafeIframe'          => TRUE, // For iframes
            'Attr.EnableID'            => TRUE,
            'Attr.AllowedFrameTargets' => array('_blank'),
            'HTML.Allowed'             => 'div[id],b,strong,i,em,a[href|title|target],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
            //'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
            'AutoFormat.AutoParagraph' => FALSE, // This will cause errors if you globally apply this to input being saved to the database so we set it to false.
            'AutoFormat.RemoveEmpty'   => false,
        ),
        'comment' => array(
            'HTML.Doctype'             => 'XHTML 1.0 Strict',
            'HTML.Allowed'             => 'p,a[href|title|target],abbr[title],acronym[title],b,strong,blockquote[cite],code,em,i,strike',
            'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
            'AutoFormat.AutoParagraph' => TRUE,
            'AutoFormat.Linkify'       => TRUE,
            'AutoFormat.RemoveEmpty'   => false,
        ),
        'youtube' => array(
            'HTML.SafeIframe'          => TRUE,
            'URI.SafeIframeRegexp'     => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
        ),
    );

  • All occurrences of URI.SafeIframeRegexp in $purifier_config at function html_purify() are empty.

    [AutoFormat.RemoveEmpty.Predicate] => Array
                                [colgroup] => Array
                                [th] => Array
                                [td] => Array
                                [iframe] => Array
                                        [0] => src
                        [AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions] => Array
                                [td] => 1
                                [th] => 1
                        [AutoFormat.RemoveEmpty.RemoveNbsp] => 
                        [AutoFormat.RemoveEmpty] => 

  • edited December 2020

    The empty tags problem is fixed. Some ckeditor foo has sorted that but purifier was removing the attributes:

    With ckeditor fixed and purifier switched off:
    <i class="fa fa-check"></i>

    With purifier switched on:

    In the config, I changed:
    'HTML.Allowed' => 'div[id],b,strong,i[class],em,a[href|title|target],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',

  • edited December 2020

    OK. I think I've got the little b***er.

        $config['settings'] = array(
            'default' => array(
                //'HTML.Trusted'             => TRUE, // For Javascript... must also add 'script' to HTML.Allowed
                'HTML.SafeIframe'          => true, // For iframes
                'URI.SafeIframeRegexp'     => "%^(http://|https://|//)(www.youtube.|player.vimeo.|maps.google.|www.slideshare.)%",
                'Attr.EnableID'            => true,
                'Attr.AllowedFrameTargets' => array('_blank'),
                'HTML.Allowed'             => 'div[id],b,strong,i[class],em,a[href|title|target],ul,ol,li,p[style],br,span[style],img[width|height|alt|src],iframe[src|width|height|class|frameborder]',
                //'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
                'AutoFormat.AutoParagraph' => false, // This will cause errors if you globally apply this to input being saved to the database so we set it to false.
                'AutoFormat.RemoveEmpty'   => false,
                'HTML.Doctype'             => 'HTML 4.01 Transitional',
                'URI.DisableExternalResources' => false,
                'Attr.AllowedFrameTargets' => '_blank, _self, _target, _parent',
                'Attr.EnableID'            => true,
                'AutoFormat.Linkify'       => true,
            ),
        );

    I think HTMLpurifier defaults to "XHTML Strict" - which excludes iframes. Setting the Doctype to a "floppier" type seems to have allowed iframes through.

    I've added to HTML.Allowed and changed the Regexp for my needs. Not sure if those last x4 lines are needed but I saw them mentioned on various forums so they're there (for now).
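
The `URI.SafeIframeRegexp` in the working config above leaves its dots unescaped and does not end the host name, so it accepts more hosts than the four providers it names. The script below is an added example, not code from the thread or from FUEL CMS; the stricter pattern, the helper name `iframe_src_allowed` and every sample URL are assumptions constructed for illustration.

```php
<?php
// Added example; every URL below is a constructed test value.

// Pattern as posted above: the dots match any character and the host name is open-ended.
$posted = '%^(http://|https://|//)(www.youtube.|player.vimeo.|maps.google.|www.slideshare.)%';

// Stricter variant (assumption: these four exact hosts are the ones the site embeds).
// Dots are escaped and each host must be followed directly by "/".
$strict = '%^(http://|https://|//)'
        . '(www\.youtube\.com|player\.vimeo\.com|maps\.google\.com|www\.slideshare\.net)/%';

// Hypothetical helper: TRUE when the iframe src passes the given allowlist pattern.
function iframe_src_allowed($regexp, $src)
{
    return preg_match($regexp, $src) === 1;
}

$samples = array(
    'https://www.youtube.com/embed/VIDEO_ID'            => 'intended embed',
    '//player.vimeo.com/video/123456'                   => 'intended embed',
    'https://www.youtube.example.test/embed/x'          => 'different domain, same prefix',
    'https://www.youtube.com.example.test/embed/x'      => 'host continues after .com',
    'https://wwwXyoutube.example.test/embed/x'          => 'unescaped dot matched "X"',
    'https://example.test/?u=//www.youtube.com/embed/x' => 'allowed host only in query',
);

foreach ($samples as $src => $label) {
    printf(
        "%-52s %-30s posted=%-6s strict=%s\n",
        $src,
        $label,
        iframe_src_allowed($posted, $src) ? 'allow' : 'reject',
        iframe_src_allowed($strict, $src) ? 'allow' : 'reject'
    );
}
```

The posted pattern allows the first five samples, while the stricter one allows only the two intended embeds; both reject the last sample because of the `^` anchor. As noted earlier in the thread, delete the purifier cache files after changing the pattern.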

  • Good to know. I'll add that DocType in the config. I ran into a similar issue with that XHTML and target="_blank" strangely.
