How can I allow elements with HTML Purifier?
I have tried $config->set('HTML.Allowed', 'audio'); but now it will delete all other elements including <p>, <br> etc.
I then tried $def->addAttribute('audio', 'src', 'CDATA'); but it's not working.
HTML.Allowed is a whitelist of all allowed tags, so what you presumably want to do is concatenate $config->get('HTML.Allowed') with ,audio as a value.
That said, HTML Purifier's approach to security is HTML flavour aware - as in, rather than just whitelist tags and attributes, it also ensures that tags make sense in the context they're in and attribute values look as expected, which means it has to actually understand the HTML definition you're feeding it. For example, you don't want a <td>-tag embedded in a <div>-tag, that makes no sense; and you wouldn't want width="foo" in your HTML, that also makes no sense.
Since as far as I know, HTML Purifier still does not yet know its way around HTML5, the <audio> tag is probably not one it is inherently aware of. You'll have to look at the "Customize!" end-user documentation, where it will tell you how to add tags and attributes that HTML Purifier is not aware of.
To quote the most vivid code example from the linked documentation (this code teaches HTML Purifier about the <form> tag):
Once you've followed those instructions to make your purifying routine aware of <audio>, adding the tag <audio> to your configuration whitelist will work.
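One way to register <audio> along the lines the answer describes, as an added example (not code from the answer or from the HTML Purifier documentation). The require path, the definition ID, the chosen attribute list and the sample input are assumptions; src is declared as URI rather than CDATA so that the purifier's URI scheme filtering applies to it.

```php
<?php
// Added example. Assumption: the library is loadable from this path
// (with Composer, require 'vendor/autoload.php' instead).
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();

// A customised definition needs its own ID and revision so that it is
// cached separately from the stock HTML definition.
$config->set('HTML.DefinitionID', 'audio-element');  // constructed name
$config->set('HTML.DefinitionRev', 1);               // bump on every change
$config->set('Cache.DefinitionImpl', null);          // no cache while developing

// HTML.Allowed is the complete whitelist: list the elements you already
// rely on and add audio with only the attributes you want to keep.
$config->set('HTML.Allowed', 'p,br,audio[src|controls|preload]');

// Teach the purifier what <audio> is; whitelisting alone is not enough
// for an element it has no definition for.
if ($def = $config->maybeGetRawHTMLDefinition()) {
    $def->addElement(
        'audio',           // element name
        'Block',           // content set the element belongs to
        'Optional: Flow',  // allowed children (fallback content)
        'Common',          // attribute collection (id, class, title, ...)
        array(
            // 'URI' validates the value as a URI and applies the scheme
            // whitelist (URI.AllowedSchemes); 'CDATA' would accept any text.
            'src'      => 'URI',
            'controls' => 'Bool#controls',
            'preload'  => 'Enum#auto,metadata,none',
        )
    );
}

$purifier = new HTMLPurifier($config);

// Constructed sample input: one attribute that is not whitelisted and one
// src value whose scheme is not in the allowed list.
$dirty = '<p>Intro</p>'
       . '<audio src="https://media.example/clip.mp3" controls onplay="x()"></audio>'
       . '<audio src="javascript:void(0)" controls></audio>';

echo $purifier->purify($dirty), "\n";
```

Set Cache.DefinitionImpl back to its default once the definition is stable, and increase HTML.DefinitionRev whenever the addElement() call changes so the cached definition is rebuilt.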