Feature #7699

Allow safe HTML tags in static pages (content field)

Added by Jesús García Crespo over 7 years ago. Updated about 7 years ago.

Status: Verified
Start date: 12/11/2014
Priority: Medium
Due date:
Assignee: Dan Gillean
% Done: 0%
Category: Static pages
Target version: Release 2.2.0
Google Code Legacy ID:
Tested version:
Sponsored: No
Requires documentation:

Description

Tags allowed:

'div', 'span', 'p',
'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
'strong', 'em',
'abbr[title]', 'acronym', 'address',
'blockquote', 'cite', 'code',
'pre', 'br',
'a[href]', 'img[src]',
'ul', 'ol', 'li',
'dl', 'dt', 'dd',
'table', 'tr', 'td', 'th',
'tbody', 'thead', 'tfoot',
'col', 'colgroup', 'caption',
'b', 'i', 'tt',
'sub', 'sup', 'big', 'small', 'hr'

Attributes allowed:

'class', 'title', 'src', 'href'

It can be disabled in app.yml. Defaults to true:

htmlpurifier_enabled: true
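
To make the effect of the allowlist above concrete, here is an added example (not AtoM's code and not HTML Purifier itself) that applies the same tag and attribute lists with Python's standard-library parser and reports what it strips. The names `sanitize`, `url_scheme`, `AllowlistSanitizer` and `SAMPLE`, the per-element reading of the attribute list, and the URL scheme check are assumptions of this sketch.

```python
import re
from html import escape
from html.parser import HTMLParser
# Tag list copied from the ticket description.
ALLOWED_TAGS = set("""div span p h1 h2 h3 h4 h5 h6 strong em abbr acronym address
blockquote cite code pre br a img ul ol li dl dt dd table tr td th tbody thead
tfoot col colgroup caption b i tt sub sup big small hr""".split())
# Assumed reading of the attribute list: class/title anywhere, href on a, src on img.
GLOBAL_ATTRS, TAG_ATTRS = {"class", "title"}, {"a": {"href"}, "img": {"src"}}
# Text inside DROP_CONTENT elements is discarded along with the tags.
VOID_TAGS, DROP_CONTENT = {"br", "hr", "img", "col"}, {"script", "style"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # assumption; "" is a relative URL
SAMPLE = ('<p class="text-center" style="color:red">Hi</p>'  # constructed input
          '<iframe src="https://video.example/embed/1"></iframe>')

def url_scheme(url):  # lower-cased scheme, ignoring whitespace and control chars
    head = re.split(r"[/?#]", "".join(c for c in url if ord(c) > 0x20), maxsplit=1)[0]
    return head.split(":", 1)[0].lower() if ":" in head else ""

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        self.skip += tag in DROP_CONTENT
        if tag not in ALLOWED_TAGS:
            self.removed.append(tag)
            return
        kept = ""
        for name, value in attrs:
            ok = name in GLOBAL_ATTRS | TAG_ATTRS.get(tag, set()) and (
                name not in ("href", "src") or url_scheme(value or "") in SAFE_SCHEMES)
            if ok:
                kept += f' {name}="{escape(value or "", quote=True)}"'
            else:
                self.removed.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        self.skip = max(0, self.skip - (tag in DROP_CONTENT))
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):  # returns (clean_html, list of dropped tags and tag@attr pairs)
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.removed
```

Running `sanitize` over existing static page content and reading the second return value lists the elements and attributes that enabling the filter would remove from that page.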

History

#2 Updated by Jesús García Crespo over 7 years ago

Hey Dan, what are we going to do with the institution page customizable content field? Same behaviour?

#3 Updated by Dan Gillean over 7 years ago

Ohhhh I thought of one more use case to consider.

Some of our portal users have embedded YouTube videos and the like - e.g. using iframe elements. If there are not additional security risks for those, I'd suggest we add them for both static pages and the institutional header area as allowed elements. Others have used embedded maps on static pages (also using iframes, etc).

If that's possible, I see no reason why the rules for the institution header can't be the same as the static pages.

#4 Updated by Jesús García Crespo over 7 years ago

  • Description updated (diff)

#5 Updated by Dan Gillean over 7 years ago

  • Requires documentation set to Yes

This will require some clear warnings in the docs about what elements are allowed and what are not, as well as a rewrite of some of our static page suggestions, found here:

To replace some of the examples we have previously included, our style guide should show examples that re-use existing Bootstrap CSS classes. Jesus has re-styled the demo homepage using Bootstrap CSS classes by way of example.

#6 Updated by Jesús García Crespo over 7 years ago

  • Status changed from New to QA/Review
  • Assignee changed from Jesús García Crespo to Dan Gillean

#7 Updated by Dan Gillean about 7 years ago

  • Status changed from QA/Review to Verified

Note: we decided to make this turned off by default, as enabling it will break many existing static pages for our user community. It can be enabled by changing the value of line 32 in config/app.yml to:

htmlpurifier_enabled: true

https://github.com/artefactual/atom/blob/0fb9a592a32d5c6215ecd606b530ddc7013e2b4b/config/app.yml#L32

Existing Bootstrap CSS classes can be used for certain styling elements (such as centering images) - examples will be added to the 2.2 documentation for static pages (link to location in current 2.1 documentation above). The home page of the demo site in 2.2 can also be referenced as an example.

#9 Updated by Dan Gillean about 7 years ago

  • Requires documentation deleted (Yes)
