From cc30e9945900d0fd50ea34bc71556fba425c7c02 Mon Sep 17 00:00:00 2001
From: tianya
Date: Mon, 24 Mar 2025 22:04:37 +0800
Subject: [PATCH] Update filter.helper.php
---
 src/system/helpers/filter.helper.php | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/system/helpers/filter.helper.php b/src/system/helpers/filter.helper.php
index b471872d..642f3c91 100755
--- a/src/system/helpers/filter.helper.php
+++ b/src/system/helpers/filter.helper.php
@@ -33,10 +33,10 @@ if (!function_exists('HtmlReplace')) {
 static $purifier = null;
 $config = HTMLPurifier_Config::createDefault();
 $config->set('HTML.Allowed', ''); //只保留文本
+ $config->set('Cache.SerializerPath', DEDEDATA.'/cache');
+ $config->set('Core.Encoding', 'UTF-8');
+ $config->set('HTML.Allowed', '');
 if ($purifier === null) {
- $config->set('Cache.SerializerPath', DEDEDATA.'/cache');
- $config->set('Core.Encoding', 'UTF-8');
- $config->set('HTML.Allowed', '');
 $purifier = new HTMLPurifier($config);
 }
 // 处理不同模式
@@ -53,8 +53,12 @@ if (!function_exists('HtmlReplace')) {
 $str = preg_replace("/\s+/", '', $str);
 } else {
 //仅替换网页危险标记
- $config->set('HTML.ForbiddenElements', ['script', 'iframe', 'object', 'embed', 'form', 'input', 'button', 'textarea', 'select', 'meta', 'link']);
- $str = $purifier->purify($str);
+ $configNew = HTMLPurifier_Config::createDefault();
+ $configNew->set('Cache.SerializerPath', DEDEDATA.'/cache');
+ $configNew->set('HTML.Allowed', 'p,b,strong,i,em,u,a[href|title],ul,ol,li,img[src|alt|width|height|style],video[src|alt|width|height|style],br,span[class]');
+ $configNew->set('HTML.ForbiddenElements', ['script', 'iframe', 'object', 'embed', 'form', 'input', 'button', 'textarea', 'select', 'meta', 'link']);
+ $purifierNew = new HTMLPurifier($configNew);
+ $str = $purifierNew->purify($str);
 }
 return addslashes($str);
 }
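Review bot: `HTML.Allowed` is now set twice on `$config` in the first hunk — once on the surviving context line carrying the `//只保留文本` comment and again on the added `$config->set('HTML.Allowed', '');` line directly below it — and the three moved `set()` calls now execute on every invocation even though `$config` only feeds `new HTMLPurifier($config)` on the first call, while `$purifier` is still null. Dropping the duplicated `HTML.Allowed` line and moving `$config = HTMLPurifier_Config::createDefault();` together with its setters inside `if ($purifier === null) {` would make the static initialisation self-contained and stop configuring an object that is then discarded. If `$config` is still read between this hunk and the next (lines 43–52 of the file are outside my view), keep it where it is and only remove the duplicate. The enclosing HtmlReplace function starts before this hunk and continues past it.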
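Review bot: In the second hunk `HTML.ForbiddenElements` is redundant once `HTML.Allowed` is an explicit allow-list on `$configNew` — every element absent from the allow-list, including each forbidden one, is already dropped — so the `$configNew->set('HTML.ForbiddenElements', [...])` line can go without changing the output. As far as I know the stock HTMLPurifier definition set has no `video` element, so `video[src|alt|width|height|style]` in the allow-list is ignored with a definition error unless this build registers the element; the same `HTML.Allowed` string is added in the RemoveXSS hunk below, where this applies equally. This branch also rebuilds `$configNew` and `new HTMLPurifier($configNew)` on every call, unlike the static `$purifier` above, so caching it in a second static guarded by the same null check would avoid repeating the definition build. Unlike the other two hunks, `$configNew` never sets `Core.Encoding`; harmless if the default is UTF-8, but inconsistent with the rest of the file.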
@@ -71,14 +75,13 @@ if (!function_exists('RemoveXSS')) { static $purifier = null; if ($purifier === null) { $config = HTMLPurifier_Config::createDefault(); + $config->set('Core.Encoding', 'UTF-8'); //启用缓存(提升性能) $config->set('Cache.SerializerPath', DEDEDATA.'/cache'); //生产环境建议设定缓存目录 //允许的网页元素(可以根据需要调整) - $config->set('HTML.Allowed', 'p,b,strong,i,em,u,a[href|title],ul,ol,li,img[src|alt|width|height],br,span[class]'); + $config->set('HTML.Allowed', 'p,b,strong,i,em,u,a[href|title],ul,ol,li,img[src|alt|width|height|style],video[src|alt|width|height|style],br,span[class]'); //过滤JavaScript、CSS注入 $config->set('CSS.AllowedProperties', []); - $config->set('URI.DisableExternalResources', true); - $config->set('URI.DisableResources', true); $purifier = new HTMLPurifier($config); } return $purifier->purify($val);
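Review bot: Removing `$config->set('URI.DisableExternalResources', true);` and `$config->set('URI.DisableResources', true);` lets content that passes RemoveXSS reference resources on arbitrary hosts again (an `img[src]` pointing off-site, for instance), and nothing in the commit message says this widening is intended. In the same hunk `|style` is added to `img` and `video` while the context line `$config->set('CSS.AllowedProperties', []);` is kept, so every declaration inside a `style` attribute should still be rejected and the attribute emptied — the added `style` looks like a no-op here unless that line changes too. If external images are wanted, make the choice explicit with a comment on the `HTML.Allowed` line such as `// external img/video sources are intentionally allowed; URI.DisableExternalResources dropped on purpose`; otherwise restore `$config->set('URI.DisableExternalResources', true);` before `$purifier = new HTMLPurifier($config);`. The enclosing RemoveXSS function starts before this hunk.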