Add %HTML.Forms config directive (#260)

The %HTML.Forms directive enables Forms module regardless of the %HTML.Trusted value. This adds support for form elements without enabling other unsafe modules, such as Scripts, Iframe or Object. To achieve the same effect without this directive one has to explicitly list all enabled modules in %HTML.AllowedModules, and any not listed will be removed. This however is not very convenient, as the allowed modules may vary between doctypes. Resolves #213.
2025-07-10 17:26:25 +02:00 · 2020-06-29 02:26:33 +02:00
parent d148edbcf1
commit 3bdc031224
5 changed files with 28 additions and 1 deletions
--- a/tests/HTMLPurifier/HTMLModule/FormsTest.php
+++ b/tests/HTMLPurifier/HTMLModule/FormsTest.php
@ -161,6 +161,13 @@ class HTMLPurifier_HTMLModule_FormsTest extends HTMLPurifier_HTMLModuleHarness
        $this->assertResult('<form action=""><input align="left" /></form>');
    }

+    public function testHTMLFormsConfigDirective()
+    {
+        $this->config->set('HTML.Trusted', false);
+        $this->config->set('HTML.Forms', true);
+
+        $this->assertResult('<form action="..." method="post"><input type="text" /><textarea cols="20" rows="3"></textarea></form>');
+    }
 }

 // vim: et sw=4 sts=4