Allow more granular HTML filter options for HTML attributes, not just tags #6100
Comments
|
...I thought that we already allowed attributes in the HTML filter, by adding them within the tags. Or am I thinking Drupal 9/10? 🤔 |
|
...for example, the "Limit allowed HTML tags and correct faulty HTML" filter in D9/10 has the following allowed tags configured out of the box for the "Basic HTML" text format: Notice things like the following within that configuration:
Don't we allow the same? |
Just tested in a Backdrop demo sandbox:
I didn't test other attributes, but classes are allowed. However, the help text of the Allowed HMTL tags setting doesn't mention this feature. |
No, our default filters are all tags only. No other attributes. I created this issue because I really like the flexibility of the filter system in D9/10 and I want that for Backdrop too. I'm pretty sure we don't allow all attributes to be defined via the filter system like Drupal 9/10, as we don't include the changes from the Drupal issue, and didn't have our own dedicated issue for it. It's possible it happened without an issue or patch (especially if it was a simplified version that, for example, always allowed
I'd recommend using crazier class names, IDs on headings (as in @klonos's example) and other attributes like |
As a start, I have tested other classes, e.g. "blue", and IDs on headings, like in |
|
@jenlampton per default, attributes are allowed, only "style" and "on*" are stripped out, when displaying the filtered content. (Note: They're not removed from input. Only on output.) However, it's a bit unclear, whether it should be possible to also provide an attributes allowlist via Filter admin UI (as Drupal does). The filter module does support attribute allow/disallow (with some quirks, I can provide examples). And that's also documented. Additionally, there are some API examples |
Input filters are used to control what HTML tags a user can use. For example, the default "filtered input" filter may allow users to use
<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>. This means that the node author can use tags such as<strong>to make some portion of the text bold as I've done here.The problem is that accessible HTML should use CSS for formatting. Most Rich Text editors do this properly by writing CSS instead of the (deprecated) HTML tags. But our input filter system strips CSS classes and style attributes, leaving HTML only. And pages don't display as intended by the Rich Text editor. The only way to fix this is to replace the CSS style directives with HTML. However, many of the HTML formatting tags have been deprecated (for example
<center> <font> <u> <i>are all deprecated). You can still use them, but it's not advisable. And there's just no way of accomplishing certain basic text formatting without CSS (for example, the CSS attribute"text-align: right"doesn't have an equivalent HTML tag).So, we need to rethink the
filter.module.Class attributes should not filtered. For example,
<p class="right">seems like reasonable HTML to allow. Is there any security risk here? I can't think of one.We need a way of specifying what attributes can or can not be used with the filter, rather than just what HTML tags can or can not be used. This is the tricky part, and will involve an entirely new way of defining filters.
See the comparable Drupal 8 issue.
The text was updated successfully, but these errors were encountered: