feat: added ability to enable/disable purifier

fuel/application/config/purifier.php

@@ -1,4 +1,8 @@
 <?php 
+
+// Determines whether to use purifier by default when saving data.
+$config['enabled'] = TRUE;
+
 // Purifier settings
 // http://htmlpurifier.org/live/configdoc/plain.html
 $config['settings'] = array(
@@ -11,6 +15,7 @@
 		'Attr.EnableID'            => TRUE,
 		'Attr.AllowedFrameTargets' => array('_blank'),
 		//'HTML.Allowed'             => 'h1,h2,h3,h4,h5,h6,div[id],b,strong,i,em,a[href|title|target|download|hreflang|type],ul[class],ol,li[class],p[style],br,span[style],img[width|height|alt|src|srcset|sizes]',
+		//'CSS.Trusted'              => TRUE,
 		//'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
 		'AutoFormat.AutoParagraph' => FALSE, // This will cause errors if you globally apply this to input being saved to the database so we set it to false.
 		'AutoFormat.RemoveEmpty'   => TRUE,
@@ -22,6 +27,7 @@
 		'HTML.Doctype'             => 'XHTML 1.0 Strict',
 		'HTML.Allowed'             => 'p,a[href|title|target],abbr[title],acronym[title],b,strong,blockquote[cite],code,em,i,strike',
 		'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align,float,margin',
+		'CSS.Trusted'              => TRUE,
 		'AutoFormat.AutoParagraph' => TRUE, 
 		'AutoFormat.Linkify'       => TRUE,
 		'AutoFormat.RemoveEmpty'   => TRUE,

fuel/modules/fuel/config/fuel.php

@@ -287,7 +287,8 @@
 	'xss' => 'xss_clean', 
 	'php' => 'encode_php_tags', 
 	'template' => 'php_to_template_syntax', 
-	'entities' => 'htmlentities'
+	'entities' => 'htmlentities',
+	'purify' => 'html_purifier',
 );
 
 

fuel/modules/fuel/core/MY_Model.php

@@ -51,6 +51,7 @@ class MY_Model extends CI_Model {
 	public $default_date = 0; // default date value that get's passed to the model on save. Using 0000-00-00 will not work if it is a required field since it is not seen as an empty value
 	public $auto_trim = TRUE; // will trim on clean
 	public $auto_encode_entities = TRUE; // determines whether to automatically encode html entities. An array can be set instead of a boolean value for the names of the fields to perform the safe_htmlentities on
+	public $purify = FALSE; // determines whether to run purifier on the values before save
 	public $xss_clean = FALSE; // determines whether automatically run the xss_clean. An array can be set instead of a boolean value for the names of the fields to perform the xss_clean on
 	public $readonly = FALSE; // sets the model to readonly mode where you can't save or delete data
 	public $hidden_fields = array(); // fields to hide when creating a form
@@ -1407,6 +1408,17 @@ public function encode_and_clean(&$val, $k, $key = NULL)
 					$val = xss_clean(($val));
 				}
 			}
+
+			if ($this->purify)
+			{
+				if ((is_array($this->purify) AND in_array($key, $this->purify))
+					OR (is_string($this->purify) AND $key == $this->purify)
+					OR ($this->purify === TRUE)
+				)
+				{
+					$val = html_purify($val);
+				}
+			}
 		}
 		return $val;
 	}

fuel/modules/fuel/helpers/MY_string_helper.php

@@ -203,7 +203,7 @@ function strip_javascript($str)
 	 *
 	 * @param	string	string to evaluate
 	 * @param	boolean	determines whether to encode the ampersand or not
-	 * @param	boolean	determines whether to sanitize the string
+	 * @param	mixed	determines whether to sanitize the string
 	 * @return	string
 	 */
 	function safe_htmlentities($str, $protect_amp = TRUE, $sanitize = TRUE)
@@ -248,9 +248,17 @@ function safe_htmlentities($str, $protect_amp = TRUE, $sanitize = TRUE)
 		// sanitize
 		if ($sanitize)
 		{
-			//$str = strip_javascript($str);
-			// Better method
-			$str = html_purify($str);
+			$CI = &get_instance();
+			$CI->load->config('purifier', TRUE);
+			if ($CI->config->item('enabled', 'purifier'))
+			{
+				// Better method
+				$str = html_purify($str);
+			}
+			else
+			{
+				$str = strip_javascript($str);
+			}
 		}
 
 		return $str;