【Question title】: Convert escaped less than sign inside pre tags
【Posted】: 2016-12-17 03:15:03
【Question】:

I am using HTMLPurifier to escape characters on my site. It effectively converts all <> into &lt;&gt;. I would also like to display code on the site, but when code is placed on the site using <pre><code>...</code></pre>, instead of the &lt;&gt; symbols being rendered as <>, they still show up as the encoded &lt;&gt;.

I understand that the <pre> tag is used to display preformatted text.

How can I safely convert these symbols (&gt; and &lt;), only when they are wrapped in <pre><code>...</code></pre> tags, so that they render as (< and >) using JS/jQuery?

<php 'default' => 'local' converts to <php 'default' => 'local'

Note: this does not happen when rendering HTML tags. I believe this is caused by HTMLPurifier.

HTML renders correctly as

    <div>
      ...Some code here...
    </div>

Update #1:

I am using Markdown on the site, and my HTMLPurifier configuration is as follows:

    <?php
    /**
     * Ok, glad you are here
     * first we get a config instance, and set the settings
     * $config = HTMLPurifier_Config::createDefault();
     * $config->set('Core.Encoding', $this->config->get('purifier.encoding'));
     * $config->set('Cache.SerializerPath', $this->config->get('purifier.cachePath'));
     * if ( ! $this->config->get('purifier.finalize')) {
     *     $config->autoFinalize = false;
     * }
     * $config->loadArray($this->getConfig());
     *
     * You must NOT delete the default settings
     * anything in settings should be compacted with params that needed to instance HTMLPurifier_Config.
     *
     * @link http://htmlpurifier.org/live/configdoc/plain.html
     */

    return [
        'encoding'      => 'UTF-8',
        'finalize'      => true,
        'cachePath'     => storage_path('app/purifier'),
        'cacheFileMode' => 0755,
        'settings'      => [
            'default' => [
                'HTML.Doctype'             => 'HTML 4.01 Transitional',
                'HTML.Allowed'             => 'blockquote,h1,h2,h3,h4,h5,h6,pre,code,div[class],b,strong,i,em,a[href|title],ul,ol,li,p[style],br,span[style],img[width|height|alt|src]',
                'CSS.AllowedProperties'    => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
                'AutoFormat.AutoParagraph' => false,
                'AutoFormat.RemoveEmpty'   => true,
            ],
            'test'    => [
                'Attr.EnableID' => true
            ],
            "youtube" => [
                "HTML.SafeIframe"      => 'true',
                "URI.SafeIframeRegexp" => "%^(http://|https://|//)(www.youtube.com/embed/|player.vimeo.com/video/)%",
            ],
        ],

    ];

This is the method I'm using to call the Purifier:

    public function store(Request $request)
    {
        //Validate the data
        $this->validate($request, array(
            'title' => 'required|max:255',
            'slug' => 'required|alpha_dash|min:5|max:255|unique:posts,slug',
            'category_id' =>'required|integer',
            'body' => 'required'
        ));
        //Store in the database
        $post = new Post;

        $post->title = $request->title;
        $post->slug = $request->slug;
        $post->category_id = $request->category_id;
        $post->body = Purifier::clean($request->body, "youtube");

        $post->save();

        $post->tags()->sync($request->tags, false);

        Session::flash('success', 'AWESOMESAUCE! Your post was saved successfully!');

        //redirect to another page
        return redirect()->route('posts.show', $post->id);
    }

Update #2 (02/19/19)

This issue led me to search through my earlier code. The problem comes from the Markdown parser, which is Parsedown, not from Purifier. The purifier works correctly. I have added the Markdown configuration and usage code below:

<?php

/*
 * This file is part of Laravel Markdown.
 *
 * (c) Graham Campbell <graham@alt-three.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

return [

    /*
    |--------------------------------------------------------------------------
    | Enable View Integration
    |--------------------------------------------------------------------------
    |
    | This option specifies if the view integration is enabled so you can write
    | markdown views and have them rendered as html. The following extensions
    | are currently supported: ".md", ".md.php", and ".md.blade.php". You may
    | disable this integration if it is conflicting with another package.
    |
    | Default: true
    |
    */

    'views' => true,

    /*
    |--------------------------------------------------------------------------
    | CommonMark Extensions
    |--------------------------------------------------------------------------
    |
    | This option specifies what extensions will be automatically enabled.
    | Simply provide your extension class names here.
    |
    | Default: []
    |
    */

    'extensions' => [],

    /*
    |--------------------------------------------------------------------------
    | Renderer Configuration
    |--------------------------------------------------------------------------
    |
    | This option specifies an array of options for rendering HTML.
    |
    | Default: [
    |              'block_separator' => "\n",
    |              'inner_separator' => "\n",
    |              'soft_break'      => "\n",
    |          ]
    |
    */

    'renderer' => [
        'block_separator' => "\n",
        'inner_separator' => "\n",
        'soft_break'      => "\n",
    ],

    /*
    |--------------------------------------------------------------------------
    | Enable Em Tag Parsing
    |--------------------------------------------------------------------------
    |
    | This option specifies if `<em>` parsing is enabled.
    |
    | Default: true
    |
    */

    'enable_em' => true,

    /*
    |--------------------------------------------------------------------------
    | Enable Strong Tag Parsing
    |--------------------------------------------------------------------------
    |
    | This option specifies if `<strong>` parsing is enabled.
    |
    | Default: true
    |
    */

    'enable_strong' => true,

    /*
    |--------------------------------------------------------------------------
    | Enable Asterisk Parsing
    |--------------------------------------------------------------------------
    |
    | This option specifies if `*` should be parsed for emphasis.
    |
    | Default: true
    |
    */

    'use_asterisk' => true,

    /*
    |--------------------------------------------------------------------------
    | Enable Underscore Parsing
    |--------------------------------------------------------------------------
    |
    | This option specifies if `_` should be parsed for emphasis.
    |
    | Default: true
    |
    */

    'use_underscore' => true,

    /*
    |--------------------------------------------------------------------------
    | Safe Mode
    |--------------------------------------------------------------------------
    |
    | This option specifies if raw HTML is rendered in the document. Setting
    | this to true will not render HTML, and false will.
    |
    | Default: false
    |
    */

    'safe' => true,

];

Usage:

    <img class="img-responsive" src="{{ asset('assets/img/' . $post->image) }}" alt="{{ $post->alt }}" />
    {!! Markdown::parse($post->body) !!}
    <hr />

【Question comments】:

  • Please add more real code to your example so that a better solution can be offered for your question
  • Can you tell us (1) in what context these are rendered (e.g. are you using a WYSIWYG editor anywhere)? (2) what the source code looks like before and after purification? and (3) how you call HTML Purifier (especially its configuration)?
  • Thanks, I have added the config code and how I call it.

Tags: laravel htmlpurifier parsedown
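The symptom described in the question (an already-escaped &lt; being escaped a second time, so the browser shows the literal entity) is easy to reproduce and to check for. The PHP below is an added example, not code from the question or from HTMLPurifier or Parsedown; renderCodeBlock() and hasDoubleEncoding() are hypothetical helper names, and the sample code text is constructed to mirror the question's 'default' => 'local' line.

```php
<?php
// Added example, not from the question, HTMLPurifier or Parsedown.
// renderCodeBlock() and hasDoubleEncoding() are hypothetical helper names.
declare(strict_types=1);

/**
 * Escape user-supplied code exactly once and wrap it in <pre><code>.
 * Escaping once keeps markup inside the code from being interpreted by the
 * browser; escaping twice is what makes the browser show a literal "&lt;".
 */
function renderCodeBlock(string $rawCode, ?string $lang = null): string
{
    $escaped = htmlspecialchars($rawCode, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // Accept only a constrained language token for the class attribute; drop anything else.
    $class = ($lang !== null && preg_match('/^[A-Za-z0-9_-]+$/', $lang) === 1)
        ? ' class="language-' . $lang . '"'
        : '';
    return "<pre><code{$class}>{$escaped}</code></pre>";
}

/**
 * Detect the double-encoding symptom: an entity whose leading "&" was escaped
 * again (e.g. "&amp;lt;"), which renders as the visible text "&lt;".
 */
function hasDoubleEncoding(string $html): bool
{
    return preg_match('/&amp;(?:lt|gt|amp|quot|apos|#0*39|#x27);/i', $html) === 1;
}

// Constructed input mirroring the line quoted in the question.
$raw = "<?php\n\$config = ['default' => 'local'];";

// Correct pipeline: raw code escaped once by the renderer.
$once = renderCodeBlock($raw, 'php');

// Faulty pipeline: input that was already escaped upstream (by a Markdown
// parser in safe mode, a purifier or an editor) is escaped again here.
$alreadyEscaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
$twice = renderCodeBlock($alreadyEscaped, 'php');

var_dump(hasDoubleEncoding($once));
var_dump(hasDoubleEncoding($twice));
```

Running hasDoubleEncoding() over the HTML your pipeline actually emits tells you which stage escapes a second time: if it is true before HTMLPurifier runs, the Markdown parser is the culprit, as the question's Update #2 concluded.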


【Solution 1】:

I solved it by adding the following to the HTML.Allowed property in the Purifier config:

    pre[class],code

Then I simply clean the code with the following:

    $post->body = clean($request->body, "youtube");

If you are using TinyMCE as the editor, you also have to add the extended_valid_elements property:

    extended_valid_elements: 'a[href|target],pre[class],code',

【Discussion】:

  • Thanks for your comment. The question has been updated. I searched further and found that the purifier does its job correctly, but my Markdown parser was causing the problem. I have updated the question with the details.
【Solution 2】:

Use the htmlspecialchars() function to achieve this; the htmlspecialchars() function converts predefined characters such as ">" (greater than) into HTML entities:

    <?php
    $str = "This is some <b>bold</b> text.";
    echo htmlspecialchars($str);
    ?>

This will print:

    This is some &lt;b&gt;bold&lt;/b&gt; text.

【Discussion】:

  • Thanks, I believed this was an issue with HTMLPurifier; while investigating further to answer your comment, I found that the problem does not occur when certain HTML elements are entered.