Admin Control Panel v2.0

✎ Editing: configdoc.xml ← Back

<?xml version="1.0" encoding="UTF-8"?>
<configdoc>
 <title>HTML Purifier</title>
 <namespace id="Attr">
  <name>Attr</name>
  <directive id="Attr.AllowedClasses">
   <name>AllowedClasses</name>
   <aliases/>
   <constraints>
    <version>4.0.0</version>
    <type allow-null="yes">lookup</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">List of allowed class values in the class attribute. By default, this is null,
which means all classes are allowed.
</div>
   </description>
  </directive>
  <directive id="Attr.AllowedFrameTargets">
   <name>AllowedFrameTargets</name>
   <aliases/>
   <constraints>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Lookup table of all allowed link frame targets.  Some commonly used link
targets include _blank, _self, _parent and _top. Values should be
lowercase, as validation will be done in a case-sensitive manner despite
W3C's recommendation. XHTML 1.0 Strict does not permit the target attribute
so this directive will have no effect in that doctype. XHTML 1.1 does not
enable the Target module by default, you will have to manually enable it
(see the module documentation for more details.)
</div>
   </description>
  </directive>
  <directive id="Attr.AllowedRel">
   <name>AllowedRel</name>
   <aliases/>
   <constraints>
    <version>1.6.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">List of allowed forward document relationships in the rel attribute. Common
values may be nofollow or print. By default, this is empty, meaning that no
document relationships are allowed.
</div>
   </description>
  </directive>
  <directive id="Attr.AllowedRev">
   <name>AllowedRev</name>
   <aliases/>
   <constraints>
    <version>1.6.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">List of allowed reverse document relationships in the rev attribute. This
attribute is a bit of an edge-case; if you don't know what it is for, stay
away.
</div>
   </description>
  </directive>
  <directive id="Attr.ClassUseCDATA">
   <name>ClassUseCDATA</name>
   <aliases/>
   <constraints>
    <version>4.0.0</version>
    <type allow-null="yes">bool</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">If null, class will auto-detect the doctype and, if matching XHTML 1.1 or
XHTML 2.0, will use the restrictive NMTOKENS specification of class. Otherwise,
it will use a relaxed CDATA definition.  If true, the relaxed CDATA definition
is forced; if false, the NMTOKENS definition is forced.  To get behavior
of HTML Purifier prior to 4.0.0, set this directive to false.

Some rational behind the auto-detection:
in previous versions of HTML Purifier, it was assumed that the form of
class was NMTOKENS, as specified by the XHTML Modularization (representing
XHTML 1.1 and XHTML 2.0).  The DTDs for HTML 4.01 and XHTML 1.0, however
specify class as CDATA.  HTML 5 effectively defines it as CDATA, but
with the additional constraint that each name should be unique (this is not
explicitly outlined in previous specifications).
</div>
   </description>
  </directive>
  <directive id="Attr.DefaultImageAlt">
   <name>DefaultImageAlt</name>
   <aliases/>
   <constraints>
    <version>3.2.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">This is the content of the alt tag of an image if the user had not
previously specified an alt attribute.  This applies to all images without
a valid alt attribute, as opposed to <a href="#Attr.DefaultInvalidImageAlt">%Attr.DefaultInvalidImageAlt</a>, which
only applies to invalid images, and overrides in the case of an invalid image.
Default behavior with null is to use the basename of the src tag for the alt.
</div>
   </description>
  </directive>
  <directive id="Attr.DefaultInvalidImage">
   <name>DefaultInvalidImage</name>
   <aliases/>
   <constraints>
    <type>string</type>
    <default>''</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">This is the default image an img tag will be pointed to if it does not have
a valid src attribute.  In future versions, we may allow the image tag to
be removed completely, but due to design issues, this is not possible right
now.
</div>
   </description>
  </directive>
  <directive id="Attr.DefaultInvalidImageAlt">
   <name>DefaultInvalidImageAlt</name>
   <aliases/>
   <constraints>
    <type>string</type>
    <default>'Invalid image'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">This is the content of the alt tag of an invalid image if the user had not
previously specified an alt attribute.  It has no effect when the image is
valid but there was no alt attribute present.
</div>
   </description>
  </directive>
  <directive id="Attr.DefaultTextDir">
   <name>DefaultTextDir</name>
   <aliases/>
   <constraints>
    <type>string</type>
    <allowed>
     <value>ltr</value>
     <value>rtl</value>
    </allowed>
    <default>'ltr'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Defines the default text direction (ltr or rtl) of the document being
parsed.  This generally is the same as the value of the dir attribute in
HTML, or ltr if that is not specified.
</div>
   </description>
  </directive>
  <directive id="Attr.EnableID">
   <name>EnableID</name>
   <aliases>
    <alias>HTML.EnableAttrID</alias>
   </aliases>
   <constraints>
    <version>1.2.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Allows the ID attribute in HTML.  This is disabled by default due to the
fact that without proper configuration user input can easily break the
validation of a webpage by specifying an ID that is already on the
surrounding HTML.  If you don't mind throwing caution to the wind, enable
this directive, but I strongly recommend you also consider blacklisting IDs
you use (<a href="#Attr.IDBlacklist">%Attr.IDBlacklist</a>) or prefixing all user supplied IDs
(<a href="#Attr.IDPrefix">%Attr.IDPrefix</a>).  When set to true HTML Purifier reverts to the behavior of
pre-1.2.0 versions.
</div>
   </description>
  </directive>
  <directive id="Attr.ForbiddenClasses">
   <name>ForbiddenClasses</name>
   <aliases/>
   <constraints>
    <version>4.0.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">List of forbidden class values in the class attribute. By default, this is
empty, which means that no classes are forbidden. See also <a href="#Attr.AllowedClasses">%Attr.AllowedClasses</a>.
</div>
   </description>
  </directive>
  <directive id="Attr.IDBlacklist">
   <name>IDBlacklist</name>
   <aliases/>
   <constraints>
    <type>list</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Array of IDs not allowed in the document.</div>
   </description>
  </directive>
  <directive id="Attr.IDBlacklistRegexp">
   <name>IDBlacklistRegexp</name>
   <aliases/>
   <constraints>
    <version>1.6.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">PCRE regular expression to be matched against all IDs. If the expression is
matches, the ID is rejected. Use this with care: may cause significant
degradation. ID matching is done after all other validation.
</div>
   </description>
  </directive>
  <directive id="Attr.IDPrefix">
   <name>IDPrefix</name>
   <aliases/>
   <constraints>
    <version>1.2.0</version>
    <type>string</type>
    <default>''</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">String to prefix to IDs.  If you have no idea what IDs your pages may use,
you may opt to simply add a prefix to all user-submitted ID attributes so
that they are still usable, but will not conflict with core page IDs.
Example: setting the directive to 'user_' will result in a user submitted
'foo' to become 'user_foo'  Be sure to set <a href="#HTML.EnableAttrID">%HTML.EnableAttrID</a> to true
before using this.
</div>
   </description>
  </directive>
  <directive id="Attr.IDPrefixLocal">
   <name>IDPrefixLocal</name>
   <aliases/>
   <constraints>
    <version>1.2.0</version>
    <type>string</type>
    <default>''</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Temporary prefix for IDs used in conjunction with <a href="#Attr.IDPrefix">%Attr.IDPrefix</a>.  If you
need to allow multiple sets of user content on web page, you may need to
have a seperate prefix that changes with each iteration.  This way,
seperately submitted user content displayed on the same page doesn't
clobber each other. Ideal values are unique identifiers for the content it
represents (i.e. the id of the row in the database). Be sure to add a
seperator (like an underscore) at the end.  Warning: this directive will
not work unless <a href="#Attr.IDPrefix">%Attr.IDPrefix</a> is set to a non-empty value!
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="AutoFormat">
  <name>AutoFormat</name>
  <directive id="AutoFormat.AutoParagraph">
   <name>AutoParagraph</name>
   <aliases/>
   <constraints>
    <version>2.0.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  This directive turns on auto-paragraphing, where double newlines are
  converted in to paragraphs whenever possible. Auto-paragraphing:
</p>
<ul>
  <li>Always applies to inline elements or text in the root node,</li>
  <li>Applies to inline elements or text with double newlines in nodes
      that allow paragraph tags,</li>
  <li>Applies to double newlines in paragraph tags</li>
</ul>
<p>
  <code>p</code> tags must be allowed for this directive to take effect.
  We do not use <code>br</code> tags for paragraphing, as that is
  semantically incorrect.
</p>
<p>
  To prevent auto-paragraphing as a content-producer, refrain from using
  double-newlines except to specify a new paragraph or in contexts where
  it has special meaning (whitespace usually has no meaning except in
  tags like <code>pre</code>, so this should not be difficult.) To prevent
  the paragraphing of inline text adjacent to block elements, wrap them
  in <code>div</code> tags (the behavior is slightly different outside of
  the root node.)
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.Custom">
   <name>Custom</name>
   <aliases/>
   <constraints>
    <version>2.0.1</version>
    <type>list</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  This directive can be used to add custom auto-format injectors.
  Specify an array of injector names (class name minus the prefix)
  or concrete implementations. Injector class must exist.
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.DisplayLinkURI">
   <name>DisplayLinkURI</name>
   <aliases/>
   <constraints>
    <version>3.2.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  This directive turns on the in-text display of URIs in &lt;a&gt; tags, and disables
  those links. For example, <a href="http://example.com">example</a> becomes
  example (<a>http://example.com</a>).
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.Linkify">
   <name>Linkify</name>
   <aliases/>
   <constraints>
    <version>2.0.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  This directive turns on linkification, auto-linking http, ftp and
  https URLs. <code>a</code> tags with the <code>href</code> attribute
  must be allowed.
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.PurifierLinkify.DocURL">
   <name>PurifierLinkify.DocURL</name>
   <aliases>
    <alias>AutoFormatParam.PurifierLinkifyDocURL</alias>
   </aliases>
   <constraints>
    <version>2.0.1</version>
    <type>string</type>
    <default>'#%s'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  Location of configuration documentation to link to, let %s substitute
  into the configuration's namespace and directive names sans the percent
  sign.
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.PurifierLinkify">
   <name>PurifierLinkify</name>
   <aliases/>
   <constraints>
    <version>2.0.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  Internal auto-formatter that converts configuration directives in
  syntax <a>%Namespace.Directive</a> to links. <code>a</code> tags
  with the <code>href</code> attribute must be allowed.
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.RemoveEmpty.RemoveNbsp.Exceptions">
   <name>RemoveEmpty.RemoveNbsp.Exceptions</name>
   <aliases/>
   <constraints>
    <version>4.0.0</version>
    <type>lookup</type>
    <default>array (
  'td' =&gt; true,
  'th' =&gt; true,
)</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  When <a href="#AutoFormat.RemoveEmpty">%AutoFormat.RemoveEmpty</a> and <a href="#AutoFormat.RemoveEmpty">%AutoFormat.RemoveEmpty</a>.RemoveNbsp
  are enabled, this directive defines what HTML elements should not be
  removede if they have only a non-breaking space in them.
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.RemoveEmpty.RemoveNbsp">
   <name>RemoveEmpty.RemoveNbsp</name>
   <aliases/>
   <constraints>
    <version>4.0.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  When enabled, HTML Purifier will treat any elements that contain only
  non-breaking spaces as well as regular whitespace as empty, and remove
  them when <a href="#AutoForamt.RemoveEmpty">%AutoForamt.RemoveEmpty</a> is enabled.
</p>
<p>
  See <a href="#AutoFormat.RemoveEmpty">%AutoFormat.RemoveEmpty</a>.RemoveNbsp.Exceptions for a list of elements
  that don't have this behavior applied to them.
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.RemoveEmpty">
   <name>RemoveEmpty</name>
   <aliases/>
   <constraints>
    <version>3.2.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  When enabled, HTML Purifier will attempt to remove empty elements that
  contribute no semantic information to the document. The following types
  of nodes will be removed:
</p>
<ul><li>
    Tags with no attributes and no content, and that are not empty
    elements (remove <code>&lt;a&gt;&lt;/a&gt;</code> but not
    <code>&lt;br /&gt;</code>), and
  </li>
  <li>
    Tags with no content, except for:<ul>
      <li>The <code>colgroup</code> element, or</li>
      <li>
        Elements with the <code>id</code> or <code>name</code> attribute,
        when those attributes are permitted on those elements.
      </li>
    </ul></li>
</ul>
<p>
  Please be very careful when using this functionality; while it may not
  seem that empty elements contain useful information, they can alter the
  layout of a document given appropriate styling. This directive is most
  useful when you are processing machine-generated HTML, please avoid using
  it on regular user HTML.
</p>
<p>
  Elements that contain only whitespace will be treated as empty. Non-breaking
  spaces, however, do not count as whitespace. See
  <a href="#AutoFormat.RemoveEmpty">%AutoFormat.RemoveEmpty</a>.RemoveNbsp for alternate behavior.
</p>
<p>
  This algorithm is not perfect; you may still notice some empty tags,
  particularly if a node had elements, but those elements were later removed
  because they were not permitted in that context, or tags that, after
  being auto-closed by another tag, where empty. This is for safety reasons
  to prevent clever code from breaking validation. The general rule of thumb:
  if a tag looked empty on the way in, it will get removed; if HTML Purifier
  made it empty, it will stay.
</p>
</div>
   </description>
  </directive>
  <directive id="AutoFormat.RemoveSpansWithoutAttributes">
   <name>RemoveSpansWithoutAttributes</name>
   <aliases/>
   <constraints>
    <version>4.0.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  This directive causes <code>span</code> tags without any attributes
  to be removed. It will also remove spans that had all attributes
  removed during processing.
</p>
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="CSS">
  <name>CSS</name>
  <directive id="CSS.AllowImportant">
   <name>AllowImportant</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">This parameter determines whether or not !important cascade modifiers should
be allowed in user CSS. If false, !important will stripped.
</div>
   </description>
  </directive>
  <directive id="CSS.AllowTricky">
   <name>AllowTricky</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">This parameter determines whether or not to allow "tricky" CSS properties and
values. Tricky CSS properties/values can drastically modify page layout or
be used for deceptive practices but do not directly constitute a security risk.
For example, <code>display:none;</code> is considered a tricky property that
will only be allowed if this directive is set to true.
</div>
   </description>
  </directive>
  <directive id="CSS.AllowedFonts">
   <name>AllowedFonts</name>
   <aliases/>
   <constraints>
    <version>4.3.0</version>
    <type allow-null="yes">lookup</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Allows you to manually specify a set of allowed fonts.  If
    <code>NULL</code>, all fonts are allowed.  This directive
    affects generic names (serif, sans-serif, monospace, cursive,
    fantasy) as well as specific font families.
</p>
</div>
   </description>
  </directive>
  <directive id="CSS.AllowedProperties">
   <name>AllowedProperties</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type allow-null="yes">lookup</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    If HTML Purifier's style attributes set is unsatisfactory for your needs,
    you can overload it with your own list of tags to allow.  Note that this
    method is subtractive: it does its job by taking away from HTML Purifier
    usual feature set, so you cannot add an attribute that HTML Purifier never
    supported in the first place.
</p>
<p>
    <strong>Warning:</strong> If another directive conflicts with the
    elements here, <em>that</em> directive will win and override.
</p>
</div>
   </description>
  </directive>
  <directive id="CSS.DefinitionRev">
   <name>DefinitionRev</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>int</type>
    <default>1</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Revision identifier for your custom definition. See
    <a href="#HTML.DefinitionRev">%HTML.DefinitionRev</a> for details.
</p>
</div>
   </description>
  </directive>
  <directive id="CSS.ForbiddenProperties">
   <name>ForbiddenProperties</name>
   <aliases/>
   <constraints>
    <version>4.2.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    This is the logical inverse of <a href="#CSS.AllowedProperties">%CSS.AllowedProperties</a>, and it will
    override that directive or any other directive.  If possible,
    <a href="#CSS.AllowedProperties">%CSS.AllowedProperties</a> is recommended over this directive,
    because it can sometimes be difficult to tell whether or not you've
    forbidden all of the CSS properties you truly would like to disallow.
</p>
</div>
   </description>
  </directive>
  <directive id="CSS.MaxImgLength">
   <name>MaxImgLength</name>
   <aliases/>
   <constraints>
    <version>3.1.1</version>
    <type allow-null="yes">string</type>
    <default>'1200px'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
 This parameter sets the maximum allowed length on <code>img</code> tags,
 effectively the <code>width</code> and <code>height</code> properties.
 Only absolute units of measurement (in, pt, pc, mm, cm) and pixels (px) are allowed. This is
 in place to prevent imagecrash attacks, disable with null at your own risk.
 This directive is similar to <a href="#HTML.MaxImgLength">%HTML.MaxImgLength</a>, and both should be
 concurrently edited, although there are
 subtle differences in the input format (the CSS max is a number with
 a unit).
</p>
</div>
   </description>
  </directive>
  <directive id="CSS.Proprietary">
   <name>Proprietary</name>
   <aliases/>
   <constraints>
    <version>3.0.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Whether or not to allow safe, proprietary CSS values.
</p>
</div>
   </description>
  </directive>
  <directive id="CSS.Trusted">
   <name>Trusted</name>
   <aliases/>
   <constraints>
    <version>4.2.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Indicates whether or not the user's CSS input is trusted or not. If the
input is trusted, a more expansive set of allowed properties.  See
also <a href="#HTML.Trusted">%HTML.Trusted</a>.
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="Cache">
  <name>Cache</name>
  <directive id="Cache.DefinitionImpl">
   <name>DefinitionImpl</name>
   <aliases>
    <alias>Core.DefinitionCache</alias>
   </aliases>
   <constraints>
    <version>2.0.0</version>
    <type allow-null="yes">string</type>
    <default>'Serializer'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
This directive defines which method to use when caching definitions,
the complex data-type that makes HTML Purifier tick. Set to null
to disable caching (not recommended, as you will see a definite
performance degradation).

</div>
   </description>
  </directive>
  <directive id="Cache.SerializerPath">
   <name>SerializerPath</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Absolute path with no trailing slash to store serialized definitions in.
    Default is within the
    HTML Purifier library inside DefinitionCache/Serializer. This
    path must be writable by the webserver.
</p>
</div>
   </description>
  </directive>
  <directive id="Cache.SerializerPermissions">
   <name>SerializerPermissions</name>
   <aliases/>
   <constraints>
    <version>4.3.0</version>
    <type>int</type>
    <default>493</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Directory permissions of the files and directories created inside
    the DefinitionCache/Serializer or other custom serializer path.
</p>
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="Core">
  <name>Core</name>
  <directive id="Core.AggressivelyFixLt">
   <name>AggressivelyFixLt</name>
   <aliases/>
   <constraints>
    <version>2.1.0</version>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    This directive enables aggressive pre-filter fixes HTML Purifier can
    perform in order to ensure that open angled-brackets do not get killed
    during parsing stage. Enabling this will result in two preg_replace_callback
    calls and at least two preg_replace calls for every HTML document parsed;
    if your users make very well-formed HTML, you can set this directive false.
    This has no effect when DirectLex is used.
</p>
<p>
    <strong>Notice:</strong> This directive's default turned from false to true
    in HTML Purifier 3.2.0.
</p>
</div>
   </description>
  </directive>
  <directive id="Core.AllowHostnameUnderscore">
   <name>AllowHostnameUnderscore</name>
   <aliases/>
   <constraints>
    <version>4.6.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    By RFC 1123, underscores are not permitted in host names.
    (This is in contrast to the specification for DNS, RFC
    2181, which allows underscores.)
    However, most browsers do the right thing when faced with
    an underscore in the host name, and so some poorly written
    websites are written with the expectation this should work.
    Setting this parameter to true relaxes our allowed character
    check so that underscores are permitted.
</p>
</div>
   </description>
  </directive>
  <directive id="Core.CollectErrors">
   <name>CollectErrors</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
Whether or not to collect errors found while filtering the document. This
is a useful way to give feedback to your users. <strong>Warning:</strong>
Currently this feature is very patchy and experimental, with lots of
possible error messages not yet implemented. It will not cause any
problems, but it may not help your users either.
</div>
   </description>
  </directive>
  <directive id="Core.ColorKeywords">
   <name>ColorKeywords</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>hash</type>
    <default>array (
  'maroon' =&gt; '#800000',
  'red' =&gt; '#FF0000',
  'orange' =&gt; '#FFA500',
  'yellow' =&gt; '#FFFF00',
  'olive' =&gt; '#808000',
  'purple' =&gt; '#800080',
  'fuchsia' =&gt; '#FF00FF',
  'white' =&gt; '#FFFFFF',
  'lime' =&gt; '#00FF00',
  'green' =&gt; '#008000',
  'navy' =&gt; '#000080',
  'blue' =&gt; '#0000FF',
  'aqua' =&gt; '#00FFFF',
  'teal' =&gt; '#008080',
  'black' =&gt; '#000000',
  'silver' =&gt; '#C0C0C0',
  'gray' =&gt; '#808080',
)</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
Lookup array of color names to six digit hexadecimal number corresponding
to color, with preceding hash mark. Used when parsing colors.  The lookup
is done in a case-insensitive manner.
</div>
   </description>
  </directive>
  <directive id="Core.ConvertDocumentToFragment">
   <name>ConvertDocumentToFragment</name>
   <aliases>
    <alias>Core.AcceptFullDocuments</alias>
   </aliases>
   <constraints>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
This parameter determines whether or not the filter should convert
input that is a full document with html and body tags to a fragment
of just the contents of a body tag. This parameter is simply something
HTML Purifier can do during an edge-case: for most inputs, this
processing is not necessary.

</div>
   </description>
  </directive>
  <directive id="Core.DirectLexLineNumberSyncInterval">
   <name>DirectLexLineNumberSyncInterval</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>int</type>
    <default>0</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  Specifies the number of tokens the DirectLex line number tracking
  implementations should process before attempting to resyncronize the
  current line count by manually counting all previous new-lines. When
  at 0, this functionality is disabled. Lower values will decrease
  performance, and this is only strictly necessary if the counting
  algorithm is buggy (in which case you should report it as a bug).
  This has no effect when <a href="#Core.MaintainLineNumbers">%Core.MaintainLineNumbers</a> is disabled or DirectLex is
  not being used.
</p>
</div>
   </description>
  </directive>
  <directive id="Core.DisableExcludes">
   <name>DisableExcludes</name>
   <aliases/>
   <constraints>
    <version>4.5.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  This directive disables SGML-style exclusions, e.g. the exclusion of
  <code>&lt;object&gt;</code> in any descendant of a
  <code>&lt;pre&gt;</code> tag.  Disabling excludes will allow some
  invalid documents to pass through HTML Purifier, but HTML Purifier
  will also be less likely to accidentally remove large documents during
  processing.
</p>
</div>
   </description>
  </directive>
  <directive id="Core.EnableIDNA">
   <name>EnableIDNA</name>
   <aliases/>
   <constraints>
    <version>4.4.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Allows international domain names in URLs.  This configuration option
requires the PEAR Net_IDNA2 module to be installed.  It operates by
punycoding any internationalized host names for maximum portability.
</div>
   </description>
  </directive>
  <directive id="Core.Encoding">
   <name>Encoding</name>
   <aliases/>
   <constraints>
    <type>istring</type>
    <default>'utf-8'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">If for some reason you are unable to convert all webpages to UTF-8, you can
use this directive as a stop-gap compatibility change to let HTML Purifier
deal with non UTF-8 input.  This technique has notable deficiencies:
absolutely no characters outside of the selected character encoding will be
preserved, not even the ones that have been ampersand escaped (this is due
to a UTF-8 specific <em>feature</em> that automatically resolves all
entities), making it pretty useless for anything except the most I18N-blind
applications, although <a href="#Core.EscapeNonASCIICharacters">%Core.EscapeNonASCIICharacters</a> offers fixes this
trouble with another tradeoff. This directive only accepts ISO-8859-1 if
iconv is not enabled.
</div>
   </description>
  </directive>
  <directive id="Core.EscapeInvalidChildren">
   <name>EscapeInvalidChildren</name>
   <aliases/>
   <constraints>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p><strong>Warning:</strong> this configuration option is no longer does anything as of 4.6.0.</p>

<p>When true, a child is found that is not allowed in the context of the
parent element will be transformed into text as if it were ASCII. When
false, that element and all internal tags will be dropped, though text will
be preserved.  There is no option for dropping the element but preserving
child nodes.</p>
</div>
   </description>
  </directive>
  <directive id="Core.EscapeInvalidTags">
   <name>EscapeInvalidTags</name>
   <aliases/>
   <constraints>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">When true, invalid tags will be written back to the document as plain text.
Otherwise, they are silently dropped.
</div>
   </description>
  </directive>
  <directive id="Core.EscapeNonASCIICharacters">
   <name>EscapeNonASCIICharacters</name>
   <aliases/>
   <constraints>
    <version>1.4.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">This directive overcomes a deficiency in <a href="#Core.Encoding">%Core.Encoding</a> by blindly
converting all non-ASCII characters into decimal numeric entities before
converting it to its native encoding. This means that even characters that
can be expressed in the non-UTF-8 encoding will be entity-ized, which can
be a real downer for encodings like Big5. It also assumes that the ASCII
repetoire is available, although this is the case for almost all encodings.
Anyway, use UTF-8!
</div>
   </description>
  </directive>
  <directive id="Core.HiddenElements">
   <name>HiddenElements</name>
   <aliases/>
   <constraints>
    <type>lookup</type>
    <default>array (
  'script' =&gt; true,
  'style' =&gt; true,
)</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  This directive is a lookup array of elements which should have their
  contents removed when they are not allowed by the HTML definition.
  For example, the contents of a <code>script</code> tag are not
  normally shown in a document, so if script tags are to be removed,
  their contents should be removed to. This is opposed to a <code>b</code>
  tag, which defines some presentational changes but does not hide its
  contents.
</p>
</div>
   </description>
  </directive>
  <directive id="Core.Language">
   <name>Language</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>string</type>
    <default>'en'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
ISO 639 language code for localizable things in HTML Purifier to use,
which is mainly error reporting. There is currently only an English (en)
translation, so this directive is currently useless.
</div>
   </description>
  </directive>
  <directive id="Core.LexerImpl">
   <name>LexerImpl</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type allow-null="yes">mixed</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  This parameter determines what lexer implementation can be used. The
  valid values are:
</p>
<dl>
  <dt><em>null</em></dt>
  <dd>
    Recommended, the lexer implementation will be auto-detected based on
    your PHP-version and configuration.
  </dd>
  <dt><em>string</em> lexer identifier</dt>
  <dd>
    This is a slim way of manually overridding the implementation.
    Currently recognized values are: DOMLex (the default PHP5
implementation)
    and DirectLex (the default PHP4 implementation). Only use this if
    you know what you are doing: usually, the auto-detection will
    manage things for cases you aren't even aware of.
  </dd>
  <dt><em>object</em> lexer instance</dt>
  <dd>
    Super-advanced: you can specify your own, custom, implementation that
    implements the interface defined by <code>HTMLPurifier_Lexer</code>.
    I may remove this option simply because I don't expect anyone
    to use it.
  </dd>
</dl>
</div>
   </description>
  </directive>
  <directive id="Core.MaintainLineNumbers">
   <name>MaintainLineNumbers</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type allow-null="yes">bool</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  If true, HTML Purifier will add line number information to all tokens.
  This is useful when error reporting is turned on, but can result in
  significant performance degradation and should not be used when
  unnecessary. This directive must be used with the DirectLex lexer,
  as the DOMLex lexer does not (yet) support this functionality.
  If the value is null, an appropriate value will be selected based
  on other configuration.
</p>
</div>
   </description>
  </directive>
  <directive id="Core.NormalizeNewlines">
   <name>NormalizeNewlines</name>
   <aliases/>
   <constraints>
    <version>4.2.0</version>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Whether or not to normalize newlines to the operating
    system default.  When <code>false</code>, HTML Purifier
    will attempt to preserve mixed newline files.
</p>
</div>
   </description>
  </directive>
  <directive id="Core.RemoveInvalidImg">
   <name>RemoveInvalidImg</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  This directive enables pre-emptive URI checking in <code>img</code>
  tags, as the attribute validation strategy is not authorized to
  remove elements from the document. Revert to pre-1.3.0 behavior by setting to false.
</p>
</div>
   </description>
  </directive>
  <directive id="Core.RemoveProcessingInstructions">
   <name>RemoveProcessingInstructions</name>
   <aliases/>
   <constraints>
    <version>4.2.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Instead of escaping processing instructions in the form <code>&lt;? ...
?&gt;</code>, remove it out-right.  This may be useful if the HTML
you are validating contains XML processing instruction gunk, however,
it can also be user-unfriendly for people attempting to post PHP
snippets.
</div>
   </description>
  </directive>
  <directive id="Core.RemoveScriptContents">
   <name>RemoveScriptContents</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type allow-null="yes">bool</type>
    <default>NULL</default>
   </constraints>
   <deprecated>
    <version>2.1.0</version>
    <use>Core.HiddenElements</use>
   </deprecated>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  This directive enables HTML Purifier to remove not only script tags
  but all of their contents.
</p>
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="Filter">
  <name>Filter</name>
  <directive id="Filter.Custom">
   <name>Custom</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type>list</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  This directive can be used to add custom filters; it is nearly the
  equivalent of the now deprecated <code>HTMLPurifier-&gt;addFilter()</code>
  method. Specify an array of concrete implementations.
</p>
</div>
   </description>
  </directive>
  <directive id="Filter.ExtractStyleBlocks.Escaping">
   <name>ExtractStyleBlocks.Escaping</name>
   <aliases>
    <alias>Filter.ExtractStyleBlocksEscaping</alias>
    <alias>FilterParam.ExtractStyleBlocksEscaping</alias>
   </aliases>
   <constraints>
    <version>3.0.0</version>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  Whether or not to escape the dangerous characters &lt;, &gt; and &amp;
  as \3C, \3E and \26, respectively. This is can be safely set to false
  if the contents of StyleBlocks will be placed in an external stylesheet,
  where there is no risk of it being interpreted as HTML.
</p>
</div>
   </description>
  </directive>
  <directive id="Filter.ExtractStyleBlocks.Scope">
   <name>ExtractStyleBlocks.Scope</name>
   <aliases>
    <alias>Filter.ExtractStyleBlocksScope</alias>
    <alias>FilterParam.ExtractStyleBlocksScope</alias>
   </aliases>
   <constraints>
    <version>3.0.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
  If you would like users to be able to define external stylesheets, but
  only allow them to specify CSS declarations for a specific node and
  prevent them from fiddling with other elements, use this directive.
  It accepts any valid CSS selector, and will prepend this to any
  CSS declaration extracted from the document. For example, if this
  directive is set to <code>#user-content</code> and a user uses the
  selector <code>a:hover</code>, the final selector will be
  <code>#user-content a:hover</code>.
</p>
<p>
  The comma shorthand may be used; consider the above example, with
  <code>#user-content, #user-content2</code>, the final selector will
  be <code>#user-content a:hover, #user-content2 a:hover</code>.
</p>
<p>
  <strong>Warning:</strong> It is possible for users to bypass this measure
  using a naughty + selector. This is a bug in CSS Tidy 1.3, not HTML
  Purifier, and I am working to get it fixed. Until then, HTML Purifier
  performs a basic check to prevent this.
</p>
</div>
   </description>
  </directive>
  <directive id="Filter.ExtractStyleBlocks.TidyImpl">
   <name>ExtractStyleBlocks.TidyImpl</name>
   <aliases>
    <alias>FilterParam.ExtractStyleBlocksTidyImpl</alias>
   </aliases>
   <constraints>
    <version>3.1.0</version>
    <type allow-null="yes">mixed</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  If left NULL, HTML Purifier will attempt to instantiate a <code>csstidy</code>
  class to use for internal cleaning. This will usually be good enough.
</p>
<p>
  However, for trusted user input, you can set this to <code>false</code> to
  disable cleaning. In addition, you can supply your own concrete implementation
  of Tidy's interface to use, although I don't know why you'd want to do that.
</p>
</div>
   </description>
  </directive>
  <directive id="Filter.ExtractStyleBlocks">
   <name>ExtractStyleBlocks</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type>bool</type>
    <default>false</default>
    <external>
     <project>CSSTidy</project>
    </external>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  This directive turns on the style block extraction filter, which removes
  <code>style</code> blocks from input HTML, cleans them up with CSSTidy,
  and places them in the <code>StyleBlocks</code> context variable, for further
  use by you, usually to be placed in an external stylesheet, or a
  <code>style</code> block in the <code>head</code> of your document.
</p>
<p>
  Sample usage:
</p>
<pre>
&lt;?php
    header('Content-type: text/html; charset=utf-8');
    echo '&lt;?xml version="1.0" encoding="UTF-8"?&gt;';
?&gt;
&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;
&lt;html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"&gt;
&lt;head&gt;
  &lt;title&gt;Filter.ExtractStyleBlocks&lt;/title&gt;
&lt;?php
    require_once '/path/to/library/HTMLPurifier.auto.php';
    require_once '/path/to/csstidy.class.php';

$dirty = '&lt;style&gt;body {color:#F00;}&lt;/style&gt; Some text';

$config = HTMLPurifier_Config::createDefault();
    $config-&gt;set('Filter', 'ExtractStyleBlocks', true);
    $purifier = new HTMLPurifier($config);

$html = $purifier-&gt;purify($dirty);

// This implementation writes the stylesheets to the styles/ directory.
    // You can also echo the styles inside the document, but it's a bit
    // more difficult to make sure they get interpreted properly by
    // browsers; try the usual CSS armoring techniques.
    $styles = $purifier-&gt;context-&gt;get('StyleBlocks');
    $dir = 'styles/';
    if (!is_dir($dir)) mkdir($dir);
    $hash = sha1($_GET['html']);
    foreach ($styles as $i =&gt; $style) {
        file_put_contents($name = $dir . $hash . "_$i");
        echo '&lt;link rel="stylesheet" type="text/css" href="'.$name.'" /&gt;';
    }
?&gt;
&lt;/head&gt;
&lt;body&gt;
  &lt;div&gt;
    &lt;?php echo $html; ?&gt;
  &lt;/div&gt;
&lt;/body&gt;
&lt;/html&gt;
</pre>
<p>
  <strong>Warning:</strong> It is possible for a user to mount an
  imagecrash attack using this CSS. Counter-measures are difficult;
  it is not simply enough to limit the range of CSS lengths (using
  relative lengths with many nesting levels allows for large values
  to be attained without actually specifying them in the stylesheet),
  and the flexible nature of selectors makes it difficult to selectively
  disable lengths on image tags (HTML Purifier, however, does disable
  CSS width and height in inline styling). There are probably two effective
  counter measures: an explicit width and height set to auto in all
  images in your document (unlikely) or the disabling of width and
  height (somewhat reasonable). Whether or not these measures should be
  used is left to the reader.
</p>
</div>
   </description>
  </directive>
  <directive id="Filter.YouTube">
   <name>YouTube</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  <strong>Warning:</strong> Deprecated in favor of <a href="#HTML.SafeObject">%HTML.SafeObject</a> and
  <a href="#Output.FlashCompat">%Output.FlashCompat</a> (turn both on to allow YouTube videos and other
  Flash content).
</p>
<p>
  This directive enables YouTube video embedding in HTML Purifier. Check
  <a href="http://htmlpurifier.org/docs/enduser-youtube.html">this document
  on embedding videos</a> for more information on what this filter does.
</p>
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="HTML">
  <name>HTML</name>
  <directive id="HTML.Allowed">
   <name>Allowed</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type allow-null="yes">itext</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    This is a preferred convenience directive that combines
    <a href="#HTML.AllowedElements">%HTML.AllowedElements</a> and <a href="#HTML.AllowedAttributes">%HTML.AllowedAttributes</a>.
    Specify elements and attributes that are allowed using:
    <code>element1[attr1|attr2],element2...</code>.  For example,
    if you would like to only allow paragraphs and links, specify
    <code>a[href],p</code>.  You can specify attributes that apply
    to all elements using an asterisk, e.g. <code>*[lang]</code>.
    You can also use newlines instead of commas to separate elements.
</p>
<p>
    <strong>Warning</strong>:
    All of the constraints on the component directives are still enforced.
    The syntax is a <em>subset</em> of TinyMCE's <code>valid_elements</code>
    whitelist: directly copy-pasting it here will probably result in
    broken whitelists. If <a href="#HTML.AllowedElements">%HTML.AllowedElements</a> or <a href="#HTML.AllowedAttributes">%HTML.AllowedAttributes</a>
    are set, this directive has no effect.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.AllowedAttributes">
   <name>AllowedAttributes</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type allow-null="yes">lookup</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    If HTML Purifier's attribute set is unsatisfactory, overload it!
    The syntax is "tag.attr" or "*.attr" for the global attributes
    (style, id, class, dir, lang, xml:lang).
</p>
<p>
    <strong>Warning:</strong> If another directive conflicts with the
    elements here, <em>that</em> directive will win and override. For
    example, <a href="#HTML.EnableAttrID">%HTML.EnableAttrID</a> will take precedence over *.id in this
    directive.  You must set that directive to true before you can use
    IDs at all.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.AllowedComments">
   <name>AllowedComments</name>
   <aliases/>
   <constraints>
    <version>4.4.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">A whitelist which indicates what explicit comment bodies should be
allowed, modulo leading and trailing whitespace.  See also <a href="#HTML.AllowedCommentsRegexp">%HTML.AllowedCommentsRegexp</a>
(these directives are union'ed together, so a comment is considered
valid if any directive deems it valid.)
</div>
   </description>
  </directive>
  <directive id="HTML.AllowedCommentsRegexp">
   <name>AllowedCommentsRegexp</name>
   <aliases/>
   <constraints>
    <version>4.4.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">A regexp, which if it matches the body of a comment, indicates that
it should be allowed. Trailing and leading spaces are removed prior
to running this regular expression.
<strong>Warning:</strong> Make sure you specify
correct anchor metacharacters <code>^regex$</code>, otherwise you may accept
comments that you did not mean to! In particular, the regex <code>/foo|bar/</code>
is probably not sufficiently strict, since it also allows <code>foobar</code>.
See also <a href="#HTML.AllowedComments">%HTML.AllowedComments</a> (these directives are union'ed together,
so a comment is considered valid if any directive deems it valid.)
</div>
   </description>
  </directive>
  <directive id="HTML.AllowedElements">
   <name>AllowedElements</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type allow-null="yes">lookup</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    If HTML Purifier's tag set is unsatisfactory for your needs, you can
    overload it with your own list of tags to allow.  If you change
    this, you probably also want to change <a href="#HTML.AllowedAttributes">%HTML.AllowedAttributes</a>; see
    also <a href="#HTML.Allowed">%HTML.Allowed</a> which lets you set allowed elements and
    attributes at the same time.
</p>
<p>
    If you attempt to allow an element that HTML Purifier does not know
    about, HTML Purifier will raise an error.  You will need to manually
    tell HTML Purifier about this element by using the
    <a href="http://htmlpurifier.org/docs/enduser-customize.html">advanced customization features.</a>
</p>
<p>
    <strong>Warning:</strong> If another directive conflicts with the
    elements here, <em>that</em> directive will win and override.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.AllowedModules">
   <name>AllowedModules</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type allow-null="yes">lookup</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    A doctype comes with a set of usual modules to use. Without having
    to mucking about with the doctypes, you can quickly activate or
    disable these modules by specifying which modules you wish to allow
    with this directive. This is most useful for unit testing specific
    modules, although end users may find it useful for their own ends.
</p>
<p>
    If you specify a module that does not exist, the manager will silently
    fail to use it, so be careful! User-defined modules are not affected
    by this directive. Modules defined in <a href="#HTML.CoreModules">%HTML.CoreModules</a> are not
    affected by this directive.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.Attr.Name.UseCDATA">
   <name>Attr.Name.UseCDATA</name>
   <aliases/>
   <constraints>
    <version>4.0.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">The W3C specification DTD defines the name attribute to be CDATA, not ID, due
to limitations of DTD.  In certain documents, this relaxed behavior is desired,
whether it is to specify duplicate names, or to specify names that would be
illegal IDs (for example, names that begin with a digit.) Set this configuration
directive to true to use the relaxed parsing rules.
</div>
   </description>
  </directive>
  <directive id="HTML.BlockWrapper">
   <name>BlockWrapper</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type>string</type>
    <default>'p'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    String name of element to wrap inline elements that are inside a block
    context.  This only occurs in the children of blockquote in strict mode.
</p>
<p>
    Example: by default value,
    <code>&lt;blockquote&gt;Foo&lt;/blockquote&gt;</code> would become
    <code>&lt;blockquote&gt;&lt;p&gt;Foo&lt;/p&gt;&lt;/blockquote&gt;</code>.
    The <code>&lt;p&gt;</code> tags can be replaced with whatever you desire,
    as long as it is a block level element.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.CoreModules">
   <name>CoreModules</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>lookup</type>
    <default>array (
  'Structure' =&gt; true,
  'Text' =&gt; true,
  'Hypertext' =&gt; true,
  'List' =&gt; true,
  'NonXMLCommonAttributes' =&gt; true,
  'XMLCommonAttributes' =&gt; true,
  'CommonAttributes' =&gt; true,
)</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Certain modularized doctypes (XHTML, namely), have certain modules
    that must be included for the doctype to be an conforming document
    type: put those modules here. By default, XHTML's core modules
    are used. You can set this to a blank array to disable core module
    protection, but this is not recommended.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.CustomDoctype">
   <name>CustomDoctype</name>
   <aliases/>
   <constraints>
    <version>2.0.1</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
A custom doctype for power-users who defined there own document
type. This directive only applies when <a href="#HTML.Doctype">%HTML.Doctype</a> is blank.
</div>
   </description>
  </directive>
  <directive id="HTML.DefinitionID">
   <name>DefinitionID</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Unique identifier for a custom-built HTML definition. If you edit
    the raw version of the HTMLDefinition, introducing changes that the
    configuration object does not reflect, you must specify this variable.
    If you change your custom edits, you should change this directive, or
    clear your cache. Example:
</p>
<pre>
$config = HTMLPurifier_Config::createDefault();
$config-&gt;set('HTML', 'DefinitionID', '1');
$def = $config-&gt;getHTMLDefinition();
$def-&gt;addAttribute('a', 'tabindex', 'Number');
</pre>
<p>
    In the above example, the configuration is still at the defaults, but
    using the advanced API, an extra attribute has been added. The
    configuration object normally has no way of knowing that this change
    has taken place, so it needs an extra directive: <a href="#HTML.DefinitionID">%HTML.DefinitionID</a>.
    If someone else attempts to use the default configuration, these two
    pieces of code will not clobber each other in the cache, since one has
    an extra directive attached to it.
</p>
<p>
    You <em>must</em> specify a value to this directive to use the
    advanced API features.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.DefinitionRev">
   <name>DefinitionRev</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>int</type>
    <default>1</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Revision identifier for your custom definition specified in
    <a href="#HTML.DefinitionID">%HTML.DefinitionID</a>.  This serves the same purpose: uniquely identifying
    your custom definition, but this one does so in a chronological
    context: revision 3 is more up-to-date then revision 2.  Thus, when
    this gets incremented, the cache handling is smart enough to clean
    up any older revisions of your definition as well as flush the
    cache.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.Doctype">
   <name>Doctype</name>
   <aliases/>
   <constraints>
    <type allow-null="yes">string</type>
    <allowed>
     <value>HTML 4.01 Transitional</value>
     <value>HTML 4.01 Strict</value>
     <value>XHTML 1.0 Transitional</value>
     <value>XHTML 1.0 Strict</value>
     <value>XHTML 1.1</value>
    </allowed>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Doctype to use during filtering. Technically speaking this is not actually
a doctype (as it does not identify a corresponding DTD), but we are using
this name for sake of simplicity. When non-blank, this will override any
older directives like <a href="#HTML.XHTML">%HTML.XHTML</a> or <a href="#HTML.Strict">%HTML.Strict</a>.
</div>
   </description>
  </directive>
  <directive id="HTML.FlashAllowFullScreen">
   <name>FlashAllowFullScreen</name>
   <aliases/>
   <constraints>
    <version>4.2.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Whether or not to permit embedded Flash content from
    <a href="#HTML.SafeObject">%HTML.SafeObject</a> to expand to the full screen.  Corresponds to
    the <code>allowFullScreen</code> parameter.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.ForbiddenAttributes">
   <name>ForbiddenAttributes</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    While this directive is similar to <a href="#HTML.AllowedAttributes">%HTML.AllowedAttributes</a>, for
    forwards-compatibility with XML, this attribute has a different syntax. Instead of
    <code>tag.attr</code>, use <code>tag@attr</code>. To disallow <code>href</code>
    attributes in <code>a</code> tags, set this directive to
    <code>a@href</code>. You can also disallow an attribute globally with
    <code>attr</code> or <code>*@attr</code> (either syntax is fine; the latter
    is provided for consistency with <a href="#HTML.AllowedAttributes">%HTML.AllowedAttributes</a>).
</p>
<p>
    <strong>Warning:</strong> This directive complements <a href="#HTML.ForbiddenElements">%HTML.ForbiddenElements</a>,
    accordingly, check
    out that directive for a discussion of why you
    should think twice before using this directive.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.ForbiddenElements">
   <name>ForbiddenElements</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    This was, perhaps, the most requested feature ever in HTML
    Purifier. Please don't abuse it! This is the logical inverse of
    <a href="#HTML.AllowedElements">%HTML.AllowedElements</a>, and it will override that directive, or any
    other directive.
</p>
<p>
    If possible, <a href="#HTML.Allowed">%HTML.Allowed</a> is recommended over this directive, because it
    can sometimes be difficult to tell whether or not you've forbidden all of
    the behavior you would like to disallow. If you forbid <code>img</code>
    with the expectation of preventing images on your site, you'll be in for
    a nasty surprise when people start using the <code>background-image</code>
    CSS property.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.MaxImgLength">
   <name>MaxImgLength</name>
   <aliases/>
   <constraints>
    <version>3.1.1</version>
    <type allow-null="yes">int</type>
    <default>1200</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
 This directive controls the maximum number of pixels in the width and
 height attributes in <code>img</code> tags. This is
 in place to prevent imagecrash attacks, disable with null at your own risk.
 This directive is similar to <a href="#CSS.MaxImgLength">%CSS.MaxImgLength</a>, and both should be
 concurrently edited, although there are
 subtle differences in the input format (the HTML max is an integer).
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.Nofollow">
   <name>Nofollow</name>
   <aliases/>
   <constraints>
    <version>4.3.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">If enabled, nofollow rel attributes are added to all outgoing links.
</div>
   </description>
  </directive>
  <directive id="HTML.Parent">
   <name>Parent</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type>string</type>
    <default>'div'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    String name of element that HTML fragment passed to library will be
    inserted in.  An interesting variation would be using span as the
    parent element, meaning that only inline tags would be allowed.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.Proprietary">
   <name>Proprietary</name>
   <aliases/>
   <constraints>
    <version>3.1.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Whether or not to allow proprietary elements and attributes in your
    documents, as per <code>HTMLPurifier_HTMLModule_Proprietary</code>.
    <strong>Warning:</strong> This can cause your documents to stop
    validating!
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.SafeEmbed">
   <name>SafeEmbed</name>
   <aliases/>
   <constraints>
    <version>3.1.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Whether or not to permit embed tags in documents, with a number of extra
    security features added to prevent script execution. This is similar to
    what websites like MySpace do to embed tags. Embed is a proprietary
    element and will cause your website to stop validating; you should
    see if you can use <a href="#Output.FlashCompat">%Output.FlashCompat</a> with <a href="#HTML.SafeObject">%HTML.SafeObject</a> instead
    first.</p>
</div>
   </description>
  </directive>
  <directive id="HTML.SafeIframe">
   <name>SafeIframe</name>
   <aliases/>
   <constraints>
    <version>4.4.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Whether or not to permit iframe tags in untrusted documents.  This
    directive must be accompanied by a whitelist of permitted iframes,
    such as <a href="#URI.SafeIframeRegexp">%URI.SafeIframeRegexp</a>, otherwise it will fatally error.
    This directive has no effect on strict doctypes, as iframes are not
    valid.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.SafeObject">
   <name>SafeObject</name>
   <aliases/>
   <constraints>
    <version>3.1.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Whether or not to permit object tags in documents, with a number of extra
    security features added to prevent script execution. This is similar to
    what websites like MySpace do to object tags.  You should also enable
    <a href="#Output.FlashCompat">%Output.FlashCompat</a> in order to generate Internet Explorer
    compatibility code for your object tags.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.SafeScripting">
   <name>SafeScripting</name>
   <aliases/>
   <constraints>
    <version>4.5.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Whether or not to permit script tags to external scripts in documents.
    Inline scripting is not allowed, and the script must match an explicit whitelist.
</p>
</div>
   </description>
  </directive>
  <directive id="HTML.Strict">
   <name>Strict</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <deprecated>
    <version>1.7.0</version>
    <use>HTML.Doctype</use>
   </deprecated>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Determines whether or not to use Transitional (loose) or Strict rulesets.
</div>
   </description>
  </directive>
  <directive id="HTML.TargetBlank">
   <name>TargetBlank</name>
   <aliases/>
   <constraints>
    <version>4.4.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">If enabled, <code>target=blank</code> attributes are added to all outgoing links.
(This includes links from an HTTPS version of a page to an HTTP version.)
</div>
   </description>
  </directive>
  <directive id="HTML.TidyAdd">
   <name>TidyAdd</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
Fixes to add to the default set of Tidy fixes as per your level.
</div>
   </description>
  </directive>
  <directive id="HTML.TidyLevel">
   <name>TidyLevel</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>string</type>
    <allowed>
     <value>none</value>
     <value>light</value>
     <value>medium</value>
     <value>heavy</value>
    </allowed>
    <default>'medium'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>General level of cleanliness the Tidy module should enforce.
There are four allowed values:</p>
<dl>
    <dt>none</dt>
    <dd>No extra tidying should be done</dd>
    <dt>light</dt>
    <dd>Only fix elements that would be discarded otherwise due to
    lack of support in doctype</dd>
    <dt>medium</dt>
    <dd>Enforce best practices</dd>
    <dt>heavy</dt>
    <dd>Transform all deprecated elements and attributes to standards
    compliant equivalents</dd>
</dl>

</div>
   </description>
  </directive>
  <directive id="HTML.TidyRemove">
   <name>TidyRemove</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>lookup</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
Fixes to remove from the default set of Tidy fixes as per your level.
</div>
   </description>
  </directive>
  <directive id="HTML.Trusted">
   <name>Trusted</name>
   <aliases/>
   <constraints>
    <version>2.0.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Indicates whether or not the user input is trusted or not. If the input is
trusted, a more expansive set of allowed tags and attributes will be used.
See also <a href="#CSS.Trusted">%CSS.Trusted</a>.
</div>
   </description>
  </directive>
  <directive id="HTML.XHTML">
   <name>XHTML</name>
   <aliases>
    <alias>Core.XHTML</alias>
   </aliases>
   <constraints>
    <version>1.1.0</version>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <deprecated>
    <version>1.7.0</version>
    <use>HTML.Doctype</use>
   </deprecated>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Determines whether or not output is XHTML 1.0 or HTML 4.01 flavor.
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="Output">
  <name>Output</name>
  <directive id="Output.CommentScriptContents">
   <name>CommentScriptContents</name>
   <aliases>
    <alias>Core.CommentScriptContents</alias>
   </aliases>
   <constraints>
    <version>2.0.0</version>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Determines whether or not HTML Purifier should attempt to fix up the
contents of script tags for legacy browsers with comments.
</div>
   </description>
  </directive>
  <directive id="Output.FixInnerHTML">
   <name>FixInnerHTML</name>
   <aliases/>
   <constraints>
    <version>4.3.0</version>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  If true, HTML Purifier will protect against Internet Explorer's
  mishandling of the <code>innerHTML</code> attribute by appending
  a space to any attribute that does not contain angled brackets, spaces
  or quotes, but contains a backtick.  This slightly changes the
  semantics of any given attribute, so if this is unacceptable and
  you do not use <code>innerHTML</code> on any of your pages, you can
  turn this directive off.
</p>
</div>
   </description>
  </directive>
  <directive id="Output.FlashCompat">
   <name>FlashCompat</name>
   <aliases/>
   <constraints>
    <version>4.1.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  If true, HTML Purifier will generate Internet Explorer compatibility
  code for all object code.  This is highly recommended if you enable
  <a href="#HTML.SafeObject">%HTML.SafeObject</a>.
</p>
</div>
   </description>
  </directive>
  <directive id="Output.Newline">
   <name>Newline</name>
   <aliases/>
   <constraints>
    <version>2.0.1</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Newline string to format final output with. If left null, HTML Purifier
    will auto-detect the default newline type of the system and use that;
    you can manually override it here. Remember, \r\n is Windows, \r
    is Mac, and \n is Unix.
</p>
</div>
   </description>
  </directive>
  <directive id="Output.SortAttr">
   <name>SortAttr</name>
   <aliases/>
   <constraints>
    <version>3.2.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
  If true, HTML Purifier will sort attributes by name before writing them back
  to the document, converting a tag like: <code>&lt;el b="" a="" c="" /&gt;</code>
  to <code>&lt;el a="" b="" c="" /&gt;</code>. This is a workaround for
  a bug in FCKeditor which causes it to swap attributes order, adding noise
  to text diffs. If you're not seeing this bug, chances are, you don't need
  this directive.
</p>
</div>
   </description>
  </directive>
  <directive id="Output.TidyFormat">
   <name>TidyFormat</name>
   <aliases>
    <alias>Core.TidyFormat</alias>
   </aliases>
   <constraints>
    <version>1.1.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Determines whether or not to run Tidy on the final output for pretty
    formatting reasons, such as indentation and wrap.
</p>
<p>
    This can greatly improve readability for editors who are hand-editing
    the HTML, but is by no means necessary as HTML Purifier has already
    fixed all major errors the HTML may have had. Tidy is a non-default
    extension, and this directive will silently fail if Tidy is not
    available.
</p>
<p>
    If you are looking to make the overall look of your page's source
    better, I recommend running Tidy on the entire page rather than just
    user-content (after all, the indentation relative to the containing
    blocks will be incorrect).
</p>
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="Test">
  <name>Test</name>
  <directive id="Test.ForceNoIconv">
   <name>ForceNoIconv</name>
   <aliases/>
   <constraints>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">When set to true, HTMLPurifier_Encoder will act as if iconv does not exist
and use only pure PHP implementations.
</div>
   </description>
  </directive>
 </namespace>
 <namespace id="URI">
  <name>URI</name>
  <directive id="URI.AllowedSchemes">
   <name>AllowedSchemes</name>
   <aliases/>
   <constraints>
    <type>lookup</type>
    <default>array (
  'http' =&gt; true,
  'https' =&gt; true,
  'mailto' =&gt; true,
  'ftp' =&gt; true,
  'nntp' =&gt; true,
  'news' =&gt; true,
)</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Whitelist that defines the schemes that a URI is allowed to have.  This
prevents XSS attacks from using pseudo-schemes like javascript or mocha.
There is also support for the <code>data</code> and <code>file</code>
URI schemes, but they are not enabled by default.
</div>
   </description>
  </directive>
  <directive id="URI.Base">
   <name>Base</name>
   <aliases/>
   <constraints>
    <version>2.1.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    The base URI is the URI of the document this purified HTML will be
    inserted into.  This information is important if HTML Purifier needs
    to calculate absolute URIs from relative URIs, such as when <a href="#URI.MakeAbsolute">%URI.MakeAbsolute</a>
    is on.  You may use a non-absolute URI for this value, but behavior
    may vary (<a href="#URI.MakeAbsolute">%URI.MakeAbsolute</a> deals nicely with both absolute and
    relative paths, but forwards-compatibility is not guaranteed).
    <strong>Warning:</strong> If set, the scheme on this URI
    overrides the one specified by <a href="#URI.DefaultScheme">%URI.DefaultScheme</a>.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.DefaultScheme">
   <name>DefaultScheme</name>
   <aliases/>
   <constraints>
    <type>string</type>
    <default>'http'</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Defines through what scheme the output will be served, in order to
    select the proper object validator when no scheme information is present.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.DefinitionID">
   <name>DefinitionID</name>
   <aliases/>
   <constraints>
    <version>2.1.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Unique identifier for a custom-built URI definition. If you  want
    to add custom URIFilters, you must specify this value.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.DefinitionRev">
   <name>DefinitionRev</name>
   <aliases/>
   <constraints>
    <version>2.1.0</version>
    <type>int</type>
    <default>1</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Revision identifier for your custom definition. See
    <a href="#HTML.DefinitionRev">%HTML.DefinitionRev</a> for details.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.Disable">
   <name>Disable</name>
   <aliases>
    <alias>Attr.DisableURI</alias>
   </aliases>
   <constraints>
    <version>1.3.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Disables all URIs in all forms. Not sure why you'd want to do that
    (after all, the Internet's founded on the notion of a hyperlink).
</p>

</div>
   </description>
  </directive>
  <directive id="URI.DisableExternal">
   <name>DisableExternal</name>
   <aliases/>
   <constraints>
    <version>1.2.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Disables links to external websites.  This is a highly effective anti-spam
and anti-pagerank-leech measure, but comes at a hefty price: nolinks or
images outside of your domain will be allowed.  Non-linkified URIs will
still be preserved.  If you want to be able to link to subdomains or use
absolute URIs, specify <a href="#URI.Host">%URI.Host</a> for your website.
</div>
   </description>
  </directive>
  <directive id="URI.DisableExternalResources">
   <name>DisableExternalResources</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">Disables the embedding of external resources, preventing users from
embedding things like images from other hosts. This prevents access
tracking (good for email viewers), bandwidth leeching, cross-site request
forging, goatse.cx posting, and other nasties, but also results in a loss
of end-user functionality (they can't directly post a pic they posted from
Flickr anymore). Use it if you don't have a robust user-content moderation
team.
</div>
   </description>
  </directive>
  <directive id="URI.DisableResources">
   <name>DisableResources</name>
   <aliases/>
   <constraints>
    <version>4.2.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    Disables embedding resources, essentially meaning no pictures. You can
    still link to them though. See <a href="#URI.DisableExternalResources">%URI.DisableExternalResources</a> for why
    this might be a good idea.
</p>
<p>
    <em>Note:</em> While this directive has been available since 1.3.0,
    it didn't actually start doing anything until 4.2.0.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.Host">
   <name>Host</name>
   <aliases/>
   <constraints>
    <version>1.2.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Defines the domain name of the server, so we can determine whether or
    an absolute URI is from your website or not.  Not strictly necessary,
    as users should be using relative URIs to reference resources on your
    website.  It will, however, let you use absolute URIs to link to
    subdomains of the domain you post here: i.e. example.com will allow
    sub.example.com.  However, higher up domains will still be excluded:
    if you set <a href="#URI.Host">%URI.Host</a> to sub.example.com, example.com will be blocked.
    <strong>Note:</strong> This directive overrides <a href="#URI.Base">%URI.Base</a> because
    a given page may be on a sub-domain, but you wish HTML Purifier to be
    more relaxed and allow some of the parent domains too.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.HostBlacklist">
   <name>HostBlacklist</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type>list</type>
    <default>array()</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">List of strings that are forbidden in the host of any URI. Use it to kill
domain names of spam, etc. Note that it will catch anything in the domain,
so <tt>moo.com</tt> will catch <tt>moo.com.example.com</tt>.
</div>
   </description>
  </directive>
  <directive id="URI.MakeAbsolute">
   <name>MakeAbsolute</name>
   <aliases/>
   <constraints>
    <version>2.1.0</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Converts all URIs into absolute forms. This is useful when the HTML
    being filtered assumes a specific base path, but will actually be
    viewed in a different context (and setting an alternate base URI is
    not possible). <a href="#URI.Base">%URI.Base</a> must be set for this directive to work.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.Munge">
   <name>Munge</name>
   <aliases/>
   <constraints>
    <version>1.3.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">
<p>
    Munges all browsable (usually http, https and ftp)
    absolute URIs into another URI, usually a URI redirection service.
    This directive accepts a URI, formatted with a <code>%s</code> where
    the url-encoded original URI should be inserted (sample:
    <code>http://www.google.com/url?q=%s</code>).
</p>
<p>
    Uses for this directive:
</p>
<ul>
    <li>
        Prevent PageRank leaks, while being fairly transparent
        to users (you may also want to add some client side JavaScript to
        override the text in the statusbar). <strong>Notice</strong>:
        Many security experts believe that this form of protection does not deter spam-bots.
    </li>
    <li>
        Redirect users to a splash page telling them they are leaving your
        website. While this is poor usability practice, it is often mandated
        in corporate environments.
    </li>
</ul>
<p>
    Prior to HTML Purifier 3.1.1, this directive also enabled the munging
    of browsable external resources, which could break things if your redirection
    script was a splash page or used <code>meta</code> tags. To revert to
    previous behavior, please use <a href="#URI.MungeResources">%URI.MungeResources</a>.
</p>
<p>
    You may want to also use <a href="#URI.MungeSecretKey">%URI.MungeSecretKey</a> along with this directive
    in order to enforce what URIs your redirector script allows. Open
    redirector scripts can be a security risk and negatively affect the
    reputation of your domain name.
</p>
<p>
    Starting with HTML Purifier 3.1.1, there is also these substitutions:
</p>
<table>
    <thead>
        <tr>
            <th>Key</th>
            <th>Description</th>
            <th>Example <code>&lt;a href=""&gt;</code></th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>%r</td>
            <td>1 - The URI embeds a resource<br />(blank) - The URI is merely a link</td>
            <td></td>
        </tr>
        <tr>
            <td>%n</td>
            <td>The name of the tag this URI came from</td>
            <td>a</td>
        </tr>
        <tr>
            <td>%m</td>
            <td>The name of the attribute this URI came from</td>
            <td>href</td>
        </tr>
        <tr>
            <td>%p</td>
            <td>The name of the CSS property this URI came from, or blank if irrelevant</td>
            <td></td>
        </tr>
    </tbody>
</table>
<p>
    Admittedly, these letters are somewhat arbitrary; the only stipulation
    was that they couldn't be a through f. r is for resource (I would have preferred
    e, but you take what you can get), n is for name, m
    was picked because it came after n (and I couldn't use a), p is for
    property.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.MungeResources">
   <name>MungeResources</name>
   <aliases/>
   <constraints>
    <version>3.1.1</version>
    <type>bool</type>
    <default>false</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    If true, any URI munging directives like <a href="#URI.Munge">%URI.Munge</a>
    will also apply to embedded resources, such as <code>&lt;img src=""&gt;</code>.
    Be careful enabling this directive if you have a redirector script
    that does not use the <code>Location</code> HTTP header; all of your images
    and other embedded resources will break.
</p>
<p>
    <strong>Warning:</strong> It is strongly advised you use this in conjunction
    <a href="#URI.MungeSecretKey">%URI.MungeSecretKey</a> to mitigate the security risk of an open redirector.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.MungeSecretKey">
   <name>MungeSecretKey</name>
   <aliases/>
   <constraints>
    <version>3.1.1</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    This directive enables secure checksum generation along with <a href="#URI.Munge">%URI.Munge</a>.
    It should be set to a secure key that is not shared with anyone else.
    The checksum can be placed in the URI using %t. Use of this checksum
    affords an additional level of protection by allowing a redirector
    to check if a URI has passed through HTML Purifier with this line:
</p>

<pre>$checksum === hash_hmac("sha256", $url, $secret_key)</pre>

<p>
    If the output is TRUE, the redirector script should accept the URI.
</p>

<p>
    Please note that it would still be possible for an attacker to procure
    secure hashes en-mass by abusing your website's Preview feature or the
    like, but this service affords an additional level of protection
    that should be combined with website blacklisting.
</p>

<p>
    Remember this has no effect if <a href="#URI.Munge">%URI.Munge</a> is not on.
</p>
</div>
   </description>
  </directive>
  <directive id="URI.OverrideAllowedSchemes">
   <name>OverrideAllowedSchemes</name>
   <aliases/>
   <constraints>
    <type>bool</type>
    <default>true</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml">If this is set to true (which it is by default), you can override
<a href="#URI.AllowedSchemes">%URI.AllowedSchemes</a> by simply registering a HTMLPurifier_URIScheme to the
registry.  If false, you will also have to update that directive in order
to add more schemes.
</div>
   </description>
  </directive>
  <directive id="URI.SafeIframeRegexp">
   <name>SafeIframeRegexp</name>
   <aliases/>
   <constraints>
    <version>4.4.0</version>
    <type allow-null="yes">string</type>
    <default>NULL</default>
   </constraints>
   <description>
    <div xmlns="http://www.w3.org/1999/xhtml"><p>
    A PCRE regular expression that will be matched against an iframe URI.  This is
    a relatively inflexible scheme, but works well enough for the most common
    use-case of iframes: embedded video.  This directive only has an effect if
    <a href="#HTML.SafeIframe">%HTML.SafeIframe</a> is enabled.  Here are some example values:
</p>
<ul>
    <li><code>%^http://www.youtube.com/embed/%</code> - Allow YouTube videos</li>
    <li><code>%^http://player.vimeo.com/video/%</code> - Allow Vimeo videos</li>
    <li><code>%^http://(www.youtube.com/embed/|player.vimeo.com/video/)%</code> - Allow both</li>
</ul>
<p>
    Note that this directive does not give you enough granularity to, say, disable
    all <code>autoplay</code> videos.  Pipe up on the HTML Purifier forums if this
    is a capability you want.
</p>
</div>
   </description>
  </directive>
 </namespace>
</configdoc>

Cancel