EnableHTML-Talk

Summary: Talk page for EnableHTML.
Maintainer:
Users: +2 (View / Edit)

This space is for User-contributed commentary and notes. Please include your name and a date along with your comment.

Comments

Be VERY careful when trying to use this with pages that already have hanging indents -- like PmWiki / BasicEditing. Hanging indents use -< as their indicator. If the next token looks like an html tag you want (eg. the phrase "A reverse arrow" will look like an anchor tag (<a>) ), then you may find pmwiki.php going into an infinite loop. --oPEO


This doesn't work with php5.5. You'll end up with a bunch of deprecation errors related to

Here's a revision that seems to work in php5.5. Feel free to modify or suggest changes. I'm hardly an expert coder. But I needed this recipe for a very old install of pmwiki. I realize there are security implications with this recipe. But the wiki is inside my company's firewall.

Anyway, here is my version that works with the latest pmwiki and php5.5:

  
function EnableHtml($tag) {
  Markup(
  "html-$tag",
  '>{$var}',
  '/&lt;(\/?('.$tag.')(?![a-z!])(([\'"]).*?\4|.*?)*?)&gt;/i',

  "MyHtml"
    );
  function MyHtml($matches) {
    return Keep(PSS('<'.$matches[1].'>'));
  }

} 

Note that the comment below about it not working isn't directed at my post. I added my comment above it so folks needing a working version could see it at the top of the page.

This is definitely working.


It doesn't seem to work.

I am not the first one to notice. Here is another unanswered question:

(Jan 3, 2007) I placed the enablehtml.php file into my cookbook directory in the hopes of allowing me to make new pages using HTML. Then I put include_once("$FarmD/cookbook/enablehtml.php"); in my local/config.php. Then beneath the "include_once..." line I put EnableHtml([a-z!]+) so that it enabled all HTML tags but upon doing so it made my page unviewable. Any help? Thanks a lot, Happy New Year.

Like this user, I followed the directions to the letter. I tried many variations, nothing worked. Maybe it worked with previous versions, but not anymore?


I'd like to point out a bug: using block elements may result in invalid XHTML. In HTML it's illegal to have <p><div>foo</p><p>bar</div></p>, but if one were to write:

<div>
foo

bar
</div>

it will come out poorly when PMWiki auto adds in p-tags. :/ --Carl


To create a HTML-only site, you'd have to disable PmWiki's own markup. This isn't advisable for the pages that come with the installation of PmWiki, but it's perfectly possible for the other pages.

Here's a sketch how to do that (warning: PHP ahead):

In config.php, you'd first check that the page isn't going to be served from wikilib.d (if it's from there, it's the unmodified version from the PmWiki installation page and will most likely contain PmWiki markup, and you don't want to break this). If the page exists in wiki.d, somebody edited or created it, so disabling PmWiki markup is OK; also, if the page is new (neither in wiki.d nor in wikilib.d), you can also disable PmWiki markup.

Disabling the markup can be done in several ways, none of them fully satisfactory:

  1. Call DisableMarkup('rule1', 'rule2', ...) for each rule defined in PmWiki. (The rule names can be picked off the existing Markup(...) calls in PmWiki, or by setting $EnableDiag = 1 in config.php and calling any PmWiki page with action=ruleset.) Do not remove actions with a name that starts with an underscore, and don't remove the 'restore' action (EnableHTML needs it).
    The downside here is that you'll have to review the list of rules with every PmWiki update, and that list is quite long.
  2. Get keys($MarkupRules);, then walk that array and call DisableMarkup(...); for each entry in the keys array that doesn't start with an underscore and isn't 'restore'. (Do not walk the $MarkupRules array directly: walking an array while deleting entries from it will most likely lead to nasty bugs.)
    This will break if PmWiki ever changes the way that markup rules are stored (not a very likely event, but anyway).

Joachim Durchholz April 20, 2005, at 11:42 AM


I'd like to have not just tags but also attributes filtered. That way, EnableHTML could be used to allow harmless HTML like < b > without (at the same time) doing potentially dangerous stuff like < b style="some nasty CSS here" >.

It would be even better to filter attributes and CSS settings, so that harmless CSS styles could be done but dangerous ones (such as margin with negative values and similar stuff that may break the layout) would be filtered.

This all is technically a bit difficult. Any serious effort at this should also consider the %...% markup that allows to set CSS styles directly - either it filters out dangerous CSS (in which case EnableHTML should reuse that code), or it doesn't (in which case a solution for both should be sought).

Joachim Durchholz April 20, 2005, at 11:42 AM


I'd like to add the code for a webring to my page; it has to be in HTML. How do I do that?

Use CustomMarkup. There's a specific example on that page. -- Susan

I'm having trouble using CustomMarkup. I want to be able to include a Statcounter.com javascript in my pages but when I try to use the Markup() code in stdmarkup.php (or config.php), it returns errors when I go to [(approve links) edit diff] (even using the example script) -Craig


You can enable some html tags without any attributes. Put the following into local/config.php

$AllowedHtmlTags = 'b|i';
Markup("html-tags",
  '>{$var}',
  '/&lt;('.$AllowedHtmlTags.')&gt;(.*?)&lt;\/('.$AllowedHtmlTags.')&gt;/',
  '<$1>$2</$3>');

Here's an alternative method.

If you place this in your configuration file (updated for PHP5.5 and newer pmwiki)

Markup_e(
  'html',
  'fulltext',
  '/\\(:html:\\)(.*?)\\(:htmlend:\\)/si',
  "'<:block>'.Keep(str_replace(array('&gt;', '&lt;', '&amp;'),
  array('>', '<', '&'), PSS(\$m[1])))");

you'll be able to use (:html:) and (:htmlend:) directives to insert HTML markup in your wiki pages. If you don't want your HTML source to be inside a <p>paragraph</p> then the (:html:) directive should be at the beginning of a line, immediately preceding your raw HTML source. The (:htmlend:) directive belongs at the end of the last line of your HTML source. For example, this wiki source

Line above.
(:html:)<h2>Hi!</h2>
Some text.(:htmlend:)
Line below.

results in this output

<p>Line above.
</p><h2>Hi!</h2>
Some text.
<p>Line below.
</p>

You can also insert HTML code inline within a paragraph. For example, this wiki source

Text...(:html:)<span class='foo'>Hi!</span>(:htmlend:)...text.

results in this output

<p>Text...<span class='foo'>Hi!</span>...text.
</p>

Authors will be able to place any conceivable malicious code between (:html:) and (:htmlend:), so be sure to take appropriate precaution...

--Hagan (Thank you Hagan!!)

... and here's a good precaution to take: In your configuration file, put

array_unshift($EditFunctions, 'MaybeDisableEmbedhtml');
function MaybeDisableEmbedhtml($pagename,&$page,&$new)
{ if (!CondAuth($pagename,"admin"))
  { $ROSPatterns["/\\(:html:\\)/i"] = "[:html:]";
    $ROSPatterns["/\\(:htmlend:\\)/i"] = "[:htmlend:]";
  }
}

How this works: if someone is editing a page who doesn't have admin privileges, then it will strip all (:html:) and (:htmlend:) tags from their text, replacing them with square-bracket versions that do nothing. --Lucian Wischik, 23 November 2006, based on suggestions by PM

(The above solution also answers the following question:) "I'd like to restrict HTML tags to write-protected pages. How can I do?"
The idea is: My Web site is public. I do not want to allow people adding HTML tags in normal pages. But, if the page is protected by a password (write-protect), I am nearly sure that the page will not be modified by a hacker. And if I want to include something in a lot of pages, I can use the site/group/page header or footer.

Jean-Dom, 27 September 2005.


I'm confused. How do you rig it so that only admins, or certain users, or certain groups, may have permission to insert HTML?

Same here. Can somebody post a decent instruction on how to implement the html and htmlend tags safely? I only see snippets of code above. Where does one put what?

<<<<<<< Whoa! Trying to use EnableHtml made everything go blank... Using SimpleTab skin, maybe that can have something to do with it...

-Tryggve ---


Blue Hell? February 23, 2013, at 09:12 AM ~ took me a while to figger it out - be sure to use:

Markup(
  'html',
  'fulltext',
  '/\\(:html:\\)(.*?)\\(:htmlend:\\)/esi',
  "'<:block>' . Keep( str_replace( array( '&gt;', '&lt;', '&amp;'), array( '>', '<', '&'), PSS( '$1')))"
);

array_unshift($EditFunctions, 'MaybeDisableEmbedhtml');

function MaybeDisableEmbedhtml($pagename,&$page,&$new)
{ 
  global $ROSPatterns;

  if (!CondAuth($pagename,"admin"))
  { 
    $ROSPatterns["/\\(:html:\\)/i"] = "[:html:]";
    $ROSPatterns["/\\(:htmlend:\\)/i"] = "[:htmlend:]";
  }
}

otherwise it wont work and everyone can put in HTML (note the global thingie added). Just add this code fragment to your config.php file, near the end.

As an admin you can then add HTML. However, when the page is editable by others too when they save the page (:html:) and (:endhtml:) will be broken. To avoid that I made a special category for HTML stuff with restricted access, then the HTML stuff goes into a page in that group which then is included in the user editable page with (:include html.page:). This way they can still edit around the HTML inclusion without breaking anything.


The code provided for PHP5.5 doesn't work for me ... it gets rid of the "deprecated" errors, but any allowed tags simply display as text on the page. Is there updated code, or another way to allow HTML tags to be used (this is for a closed wiki, so no security concerns)? Thanks ~ Russ - September 10, 2015

The code in the orange frame was simply pasted and not correctly escaped, so PmWiki somewhat transformed it ("&lt;" appeared as "<" while it shouldn't have). Now it is properly escaped and should work. --Petko September 10, 2015, at 02:44 PM

-- Thanks, Petko! Russ

Could I suggest to have a reciepe for a tag like [html html] where everything inside the tag simply gets output to the final html page as is without further parsing/rendering... This would solve some issues you have with <a causing infinite loops, and it would have the benefit of not having some html tags enabled right in the middle of the wiki markup as this reciepie does... Toxic November 11, 2015, at 11:45 PM


following version works with PHP 7.2

	Markup('html', 'fulltext', '/\\(:html:\\)(.*?)\\(:htmlend:\\)/si',
		"MarkupHTML");
	function MarkupHTML($m){
		return '<:block>'.Keep(str_replace(array('&gt;','&lt;','&amp;'), array('>','<','&'), $m[1]));
	}
	if (!CondAuth($pagename,"admin"))	{
		$ROSPatterns["/\\(:html:\\)/i"] = "[:html:]";
		$ROSPatterns["/\\(:htmlend:\\)/i"] = "[:htmlend:]";
	}

Klonk June 26, 2018, at 07:13 PM

Talk page for the EnableHTML recipe (users).