Forum Discussion
OlivierS wrote:@KPNOnline have a look at this thread, it might help.
Thanks OlivierS, I had a look at the thread before indeed. But this encourages using a 'custom' set of allowed elements/attributes, or removing all HTML altogether with utils.html.stripper.from.gdata.strip... Message markup must be preserved, and with custom elements/attributes there is still no guarantee Lithium accepts it as a 'valid' message.
Problem is, let's say someone makes a message like this:
<img class="invalid" my-invalid-attr="invalid" src="/valid/valid.jpg"/>
The invalid attributes need to be stripped off, otherwise Lithium will not allow this message to be saved.
I could copy all the Lithium allowed elements/attributes into a custom utils.html.stripper.from.owasp... But the problem then is that if Lithium decides to change the rules regarding HTML/attributes, it would potentially break as an invalid message.
When using the default Lithium TinyMCE editor, the backend 'cleans' the message if it contains illegal elements/attributes, sends it back to the client for review, and the user re-sends the message. Is there a way to inherit that flow, by using the 'clean' method Lithium uses itself?
Thanks
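The stripping behaviour the post asks about, as an added example that is not part of the thread and not Lithium's own 'clean' method: an allowlist-based sanitizer built on Python's html.parser that keeps only known elements and, per element, only known attributes, drops everything else, and reports what it removed so the message can be sent back for review. The allowlist below is an assumption standing in for the platform's real rules (which the thread does not list); the point is the mechanism, not the particular element set.

```python
"""Allowlist HTML sanitizer: strips disallowed elements/attributes and
reports what was removed. Example code, not Lithium's implementation."""
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: element -> permitted attributes. Stands in for the
# platform's real rules, which are not enumerated in the thread.
ALLOWED = {
    "p": set(),
    "b": set(),
    "i": set(),
    "br": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                 # elements with no closing tag
DROP_CONTENT = {"script", "style"}   # drop element and its body
URL_ATTRS = {"href", "src"}          # attributes that must hold a safe URL


def _url_ok(value):
    """Accept http(s) and site-relative paths; reject other schemes and
    protocol-relative (//host) references."""
    v = value.strip().lower()
    if v.startswith("//"):
        return False
    return v.startswith(("http://", "https://", "/"))


class AllowlistStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (tag, attr-or-None) pairs removed
        self.skip = 0       # depth inside a DROP_CONTENT element

    def _emit_start(self, tag, attrs, self_closing):
        if tag not in ALLOWED:
            self.dropped.append((tag, None))   # unwrap: keep text only
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                self.dropped.append((tag, name))
            elif name in URL_ATTRS and not _url_ok(value or ""):
                self.dropped.append((tag, name))
            else:
                kept.append((name, value))
        attr_text = "".join(
            f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        closer = "/" if self_closing or tag in VOID else ""
        self.out.append(f"<{tag}{attr_text}{closer}>")

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            self.dropped.append((tag, None))
            return
        if not self.skip:
            self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropped.append((tag, None))
        elif not self.skip:
            self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # re-escape text


def clean(html):
    """Return (sanitized_html, dropped) for a submitted message body."""
    parser = AllowlistStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # The message from the post: two invalid attributes, one valid one.
    body, dropped = clean(
        '<img class="invalid" my-invalid-attr="invalid" src="/valid/valid.jpg"/>')
    print(body)      # <img src="/valid/valid.jpg"/>
    print(dropped)   # [('img', 'class'), ('img', 'my-invalid-attr')]
```

The `dropped` list is what makes the "send it back for review" flow possible: the client can show the user exactly which markup was removed before re-submitting. Because the allowlist is data rather than code, updating it when the platform's rules change is a one-place edit.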