So I want to allow users in one of my MT forums to embed videos. This means I have to tweak the Limit HTML Tags setting to include my own stuff.
Embedding a video requires object, param, and embed tags. It also requires several custom attributes: width, height, name, value, src, type, allowfullscreen, and allowscriptaccess.
Here’s what I put in the custom setting field:
a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,embed,object,param,* width,* height, * name, * value,* src,* type,* allowfullscreen,* allowscriptaccess
…but it doesn’t work. Can anyone see what I’m doing wrong?
Thanks!
Reported on Movable Type 4.2
What happens?
Aren't width, height, name etc. attributes, not tags?
Based on the fact that "a href" is listed, I bet you need to list "object width," "object height," "param name," etc. I don't see anything that indicates you can enter a wildcard like "*."
I'm following the syntax rules [described here](http://www.sixapart.com/movabletype/docs/3.3/d_configuration_directives/globalsanitizespec.html). That's where I got the idea for the wild card use with the attributes.
The result of what I've attempted is the video embed code simply doesn't show up (taken straight from [Vimeo](http://vimeo.com)).
Investigating a little by trying it, I do indeed see that the asterisk isn't being noted as a wildcard.
It doesn't actually work that way (look at the HTML output of a comment), nor does Sanitize.pm appear to deal with tags defined as such (well, the sanitization process deals with them correctly, but it doesn't get that far because parse_spec never adds wildcard attributes to the wildcard key).
Even looking at MT3, I don't think this ever worked. I submitted a bug report for this (http://bugs.movabletype.org/default.asp?86966).
Thanks, Dan.
I initially tried just using *only* the tags I needed, and when that didn't work, I figured I needed to add custom attributes.
In the meantime, I'm using:
It sort of makes me nervous to leave things wide open like that, but oh well. :)
Including "object width," "object height," etc. should work. No?
I'm using this:
**a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,embed,object,param,object width,object height,param name,param value,embed src,embed type,embed allowfullscreen,embed allowscriptaccess,embed width,embed height**
...and it doesn't work.
I used this as my allowed HTML and got embeds to work:
a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,object width height,param name value,embed src type allowscriptaccess allowfullscreen
I'll give that a try. Thanks, Lisa!
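
An added example, not part of any post in this thread and not Movable Type's Sanitize.pm: a simplified Python model of a per-tag allowlist that reads the spec syntax from the last reply and shows which tags and attributes survive. The sample comment, the function names, and the choice to reject a tag listed twice are assumptions of this model.

```python
from html import escape
from html.parser import HTMLParser

# The spec from the reply above that got embeds working.
SPEC = ("a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,"
        "object width height,param name value,"
        "embed src type allowscriptaccess allowfullscreen")

def parse_spec(spec):
    """Turn 'tag attr attr,tag2/' into {tag: {attr, ...}}."""
    allowed = {}
    for entry in spec.split(","):
        parts = entry.lower().split()
        if not parts:
            continue
        tag = parts[0].rstrip("/")  # 'br/' marks an empty element
        if tag in allowed:
            # Assumption: refuse repeats instead of guessing how MT merges them.
            raise ValueError("tag listed twice: " + tag)
        allowed[tag] = set(parts[1:])
    return allowed

class AllowlistFilter(HTMLParser):
    def __init__(self, allowed):
        super().__init__()
        self.allowed, self.out = allowed, []

    def handle_starttag(self, tag, attrs):
        if tag in self.allowed:  # unlisted tags are dropped, their text is kept
            kept = "".join(' %s="%s"' % (k, escape(v or "")) for k, v in attrs
                           if k in self.allowed[tag])
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in self.allowed:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html, spec=SPEC):
    f = AllowlistFilter(parse_spec(spec))
    f.feed(html)
    f.close()
    return "".join(f.out)

# Constructed sample comment, not Vimeo's actual embed code.
SAMPLE = ('<object width="400" height="225" onclick="x()">'
          '<param name="movie" value="https://example.invalid/clip.swf">'
          '<embed src="https://example.invalid/clip.swf" type="application/x-shockwave-flash" '
          'allowscriptaccess="always" width="400" height="225"></embed></object>'
          '<iframe src="https://example.invalid/"></iframe>')
```

With this spec the model keeps `allowscriptaccess` on `embed` but drops `onclick`, the `iframe`, and the `width`/`height` on `embed`, since those two attributes are listed only for `object`.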