Right now, by default, Sanitize page is turned on and will remove such tags as <fieldset> and <legend> which are used by Drupal 7 for jQuery collapsible areas on the page.
Also, all <svg> is blocked, even though any JavaScript it contained would have been stripped out anyway.
It would be good to allow the following tags: 'audio', 'canvas', 'embed', 'fieldset', 'legend', 'path', 'rect', 'source', 'svg', 'track', 'video'.
The 'object' tag should not be allowed because of the <object data="javascript:..."> attack.
Comments
Comment #3
andrewfn commented
Unfortunately filter_xss_admin() cannot be used because the code is somewhat old and does not allow HTML 5 tags. Until Drupal catches up, a copy of the function has been included but with the HTML 5 tags added.
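
The tag allowlist discussed in this issue, as an added stand-alone example; it is not the module's code, not Drupal's filter_xss_admin(), and not part of the comment above. It uses PHP's DOM extension, and the function names, the base tag list, the URL attribute list and the accepted schemes are assumptions made for the illustration. Unlike a filter that strips only the tag, it drops a disallowed element together with its children.

```php
<?php
// Tags the issue asks to allow. 'object' is deliberately absent.
const HTML5_TAGS = ['audio', 'canvas', 'embed', 'fieldset', 'legend', 'path',
  'rect', 'source', 'svg', 'track', 'video'];
// Assumption: a short stand-in for the tags the filter already allows.
const BASE_TAGS = ['a', 'div', 'em', 'p', 'span', 'strong'];
// Assumption: attributes treated as URLs, and the schemes accepted in them.
const URL_ATTRS = ['data', 'href', 'poster', 'src', 'xlink:href'];
const SAFE_SCHEMES = ['http', 'https', 'mailto'];

function url_is_safe(string $value): bool {
  // Browsers ignore whitespace and control characters inside a scheme.
  $v = preg_replace('/[\x00-\x20]+/', '', $value);
  // A value without a scheme is a relative URL or fragment and is kept.
  return !preg_match('/^([a-z][a-z0-9+.\-]*):/i', $v, $m)
    || in_array(strtolower($m[1]), SAFE_SCHEMES, TRUE);
}

function sanitize_fragment(string $html): string {
  $allowed = array_merge(BASE_TAGS, HTML5_TAGS);
  libxml_use_internal_errors(TRUE); // The parser reports HTML5/SVG tags as errors.
  $doc = new DOMDocument();
  $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html;'
    . ' charset=utf-8"></head><body>' . $html . '</body></html>');
  libxml_clear_errors();
  $body = $doc->getElementsByTagName('body')->item(0);
  // Snapshot the live node list before changing the tree.
  foreach (iterator_to_array($body->getElementsByTagName('*'), FALSE) as $el) {
    if (!in_array(strtolower($el->nodeName), $allowed, TRUE)) {
      $el->parentNode->removeChild($el); // Dropped together with its children.
      continue;
    }
    foreach (iterator_to_array($el->attributes, FALSE) as $attr) {
      $name = strtolower($attr->nodeName);
      $bad_url = in_array($name, URL_ATTRS, TRUE) && !url_is_safe($attr->value);
      if (strpos($name, 'on') === 0 || $bad_url) {
        $el->removeAttributeNode($attr); // Event handler or unsafe URL scheme.
      }
    }
  }
  $out = '';
  foreach ($body->childNodes as $child) {
    $out .= $doc->saveHTML($child);
  }
  return $out;
}
// Constructed sample input.
echo sanitize_fragment('<fieldset><legend>More</legend><p>Body</p></fieldset>'
  . '<svg width="9" height="9"><rect width="9" height="9" onload="x()"/></svg>'
  . '<object data="javascript:void(0)"></object><embed src="javascript:void(0)">'), "\n";
```

In the output the fieldset, legend, svg and rect elements survive, the rect loses its onload attribute, the object element is removed, and the embed element remains without its src attribute.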