Limit HTML Tags: Buncha Custom Jazz

By Clifton on Dec 20, 2008 at 11:47 PM 9 Vote 0 Votes

So I want to allow users in one of my MT forums to embed videos. This means I have to tweak the Limit HTML Tags setting to include my own stuff.

Embedding a video requires object, param, and embed tags. It also requires several custom attributes: width, height, name, value, src, type, allowfullscreen, and allowscriptaccess.

Here’s what I put in the custom setting field:

a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,embed,object,param,* width,* height, * name, * value,* src,* type,* allowfullscreen,* allowscriptaccess

…but it doesn’t work. Can anyone see what I’m doing wrong?

Thanks!

Reported on Movable Type 4.2

9 Replies

| Add a Reply

Rob Kenny | December 21, 2008 2:18 AM | Reply

What happens?

Aren't width, height, name etc attributes not tags.
Dan Wolfgang | December 21, 2008 6:19 AM | Reply

Based on the fact that "a href" is listed, I bet you need to list "object width," "object height, "param name," etc. I don't see anything that indicates you can enter a wildcard like "*."
Clifton | December 21, 2008 9:53 AM | Reply

I'm following the syntax rules [described here](http://www.sixapart.com/movabletype/docs/3.3/d_configuration_directives/globalsanitizespec.html). That's where I got the idea for the wild card use with the attributes.

The result of what I've attempted is the video embed code simply doesn't show up (taken straight from [Vimeo](http://vimeo.com)).
Dan Wolfgang | December 22, 2008 9:25 AM | Reply

Investigating a little by trying it, I do indeed see that the asterisk isn't being noted as a wildcard.

It doesn't actually work that way (look at the HTML output of a comment), nor does Sanitize.pm appear to deal with tags defined as such (well, the sanitization process deals with them correctly, but it doesn't get that far because parse_spec never adds wildcard attributes to the wildcard key).

Even looking at MT3, I don't think this ever worked. I submitted a bug report for this (http://bugs.movabletype.org/default.asp?86966).
Clifton | December 22, 2008 10:41 AM | Reply

Thanks, Dan.

I initially tried just using *only* the tags I needed, and when that didn't work, I figured I needed to add custom attributes.

In the meantime, I'm using:

It sort of makes me nervous to leave things wide open like that, but oh well. :)
Dan Wolfgang | December 22, 2008 11:56 AM | Reply

Including "object width," "object height," etc should work. No?
Clifton | December 22, 2008 5:29 PM | Reply

I'm using this:

**a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,embed,object,param,object width,object height,param name,param value,embed src,embed type,embed allowfullscreen,embed allowscriptaccess,embed width,embed height**

...and it doesn't work.
Lisa Fogelman | January 8, 2009 11:35 AM | Reply

I used this as my allowed HTML and got embeds to work:

a href,b,i,br/,p,strong,em,ul,ol,li,blockquote,pre,object width height,param name value,embed src type allowscriptaccess allowfullscreen
Clifton | January 13, 2009 3:15 PM | Reply

I'll give that a try. Thanks, Lisa!