Fixed Configuration Disallowing img[src] Attributes #2
Conversation
config/nova-tinymce-field.php
Outdated
| @@ -11,7 +11,7 @@ | |||
| 'init' => [ | |||
| 'allow_html_in_named_anchor' => false, | |||
| 'branding' => false, | |||
| 'extended_valid_elements' => 'a[href]', | |||
| 'extended_valid_elements' => 'a[href],img[*]', | |||
There was a problem hiding this comment.
While we're at it, want to enable everything on anchor tags, too? There are a lot of attributes like "target" and "rel" that are useful to add.
There was a problem hiding this comment.
So, I agree 100% on target/rel. The reason I did this is because when I was pasting links from Word, it kept adding this weird name="asdf1234hashxD" which for some reason rendered a weird icon on the left of all links.
Could we maybe compile a list of allowed attributes on <a> tags?
I would think these to start:
hrefreltarget
Anything else come to mind @elliottregan ?
There was a problem hiding this comment.
Ah, good catch.
How about data-*?
There was a problem hiding this comment.
Sounds good 👍
I confirmed locally that this works: a[data-*|href|rel|target] by manually adding all of those attributes and some others like random that I wanted to be deleted in the code view. All of the expected attributes were kept, and random was deleted 🐒
Overview
I allowed all
<img>element attributes in default TinyMCE configuration.My recent change to improve Word Paste Formatting broke the
Insert/Edit Imagetoolbar button. Attempting to insert an image into WYSIWIG content will fail because the html will be<img/>.This is caused by not whitelisting the
img[src]attribute, which is how the button inserts the image into the content.For good measure, I added the whitelist as
img[*](all attributes) so that if some plugin were to use thedata-srcattribute, it would not be stripped out. Alternatively we could also compile a list of attributes we want to allow on<img>tags 🐒