Hi!
On a Plone 6 site (plone.org actually), I try to add an HTML snippet in a page.
I use the HTML Volto block, but when I save, the entire content is removed.
My snippet is a <script> tag (which declares a web component) + the web component tag itself.
I assume it is considered as unsafe.
My question is: how can I allow unsafe HTML to be used in the HTML Volto block?
Thanks!
Set the registry key plone.valid_tags by adding your tag (e.g. mytag) see example below.
Consider also setting the values of plone.disable_filtering, plone.nasty_tags, and plone.custom_attributes.
import requests
SITE_URL = "https://demo.plone.org/++api++/"
AUTH = ("admin", "****")
HEADERS = {
'Accept': 'application/json',
'Content-Type': 'application/json',
'Prefer': 'return=representation'
}
# get valid_tags
response = requests.get(SITE_URL + '@registry/plone.valid_tags', headers=HEADERS, auth=AUTH)
valid_tags = response.json()
# valid_tags -> ['a', 'abbr', 'acronym', 'address', 'article', ...]
# add 'mytag' to valid_tags
new_valid_tags = ['mytag'] + valid_tags
requests.patch(SITE_URL + '@registry', json={ 'plone.valid_tags': new_valid_tags }, headers=HEADERS, auth=AUTH)
# get current valid_tags
response = requests.get(SITE_URL + '@registry/plone.valid_tags', headers=HEADERS, auth=AUTH)
valid_tags = response.json()
# valid_tags -> ['mytag', 'a', 'abbr', 'acronym', 'address', 'article', ...]
The HTML block content is saved as safe form. In retrospect, this mutation should have been applied on serialization rather then deserialization.