1 Topic by YahavIL

  • YahavIL
  • Member
  • Offline

Topic: Stripping of attributes not specified in 'deny_attrib'

Hey

I have a situation in which HtmLawed is removing attributed altough they are not included at the deny_attribute parameter.
for example:
<blockquote align="center" >
the align gets removed.
<script async="1" crossorigin="anonymous" defer="1"..>
the crossorigin gets removed and the defer becomes: defer="defer"
<iframe allow="autoplay; encrypted-media" ..>
the entire allow attribute gets removed.

All of those are returned by the official Oembed of well known services such as twitter, youtube, facebook etc..

How can i allow those?

2 Reply by patnaik

  • patnaik
  • Administrator
  • Offline

Re: Stripping of attributes not specified in 'deny_attrib'

I am sorry about the delay in responding.

htmLawed removes an attribute from an element if it is not standard-compliant. E.g., the 'align' attribute is not "permitted" in the 'blockquote' element.

Regarding 'defer', it is a boolean attribute (its presence, regardless of value, is interpreted as true), and it can be present without a value within the 'script' element (<script defer>...). However, for XHTML compliance, which forbids such attribute minimization, htmLawed modifies such input to <script defer="defer">....

To have htmLawed permit non-standard attributes within certain types of HTML elements, you can consider using the '$spec' argument in the htmLawed function call (see last note in this documentation section).