Topic: Allowing multiple classes
Hi,
I'm using Vanilla Forum which uses Htmlawed as part of its security measures and I'm facing an issue with allowing multiple classes to be defined on an element.
Vanilla is configured to automatically strip the `class` attribute (through `deny_attribute`) unless the class given matches a whitelist of classes (via `{tags}=class(oneof={...}`). That works for a single class, but in my case I need to allow an element to have multiple classes and I can't see a way to do that.
Looking at the Htmlawed source `oneof` uses a simple `==` between the allowed classes and the value - there is no option to split the class list up. I wondered about using `match`, but all of `hl_attrval` looks like it is an all or nothing - it can't manipulate the attribute's value to remove certain parts (the classes not on the whitelist).
Is there any way this might be possible?
This a continuation of a discussion in the Vanilla forum (https://vanillaforums.org/discussion/31804/htmlawed-and-allowing-classes#latest) - I think its probably more appropriate to ask here now that I've narrowed the issue down a little.
Thanks,
Allan