ebrehault
(Eric Bréhault)
January 4, 2023, 4:57pm
1
Hi!
On a Plone 6 site (plone.org actually), I try to add an HTML snippet in a page.
I use the HTML Volto block, but when I save, the entire content is removed.
My snippet is a <script>
tag (which declares a web component) + the web component tag itself.
I assume it is considered as unsafe.
My question is: how can I allow unsafe HTML to be used in the HTML Volto block?
Thanks!
mekell
(me-kell)
January 4, 2023, 6:25pm
2
Set the registry key plone.valid_tags
by adding your tag (e.g. mytag
) see example below.
Consider also setting the values of plone.disable_filtering
, plone.nasty_tags
, and plone.custom_attributes
.
import requests
SITE_URL = "https://demo.plone.org/++api++/"
AUTH = ("admin", "****")
HEADERS = {
'Accept': 'application/json',
'Content-Type': 'application/json',
'Prefer': 'return=representation'
}
# get valid_tags
response = requests.get(SITE_URL + '@registry/plone.valid_tags', headers=HEADERS, auth=AUTH)
valid_tags = response.json()
# valid_tags -> ['a', 'abbr', 'acronym', 'address', 'article', ...]
# add 'mytag' to valid_tags
new_valid_tags = ['mytag'] + valid_tags
requests.patch(SITE_URL + '@registry', json={ 'plone.valid_tags': new_valid_tags }, headers=HEADERS, auth=AUTH)
# get current valid_tags
response = requests.get(SITE_URL + '@registry/plone.valid_tags', headers=HEADERS, auth=AUTH)
valid_tags = response.json()
# valid_tags -> ['mytag', 'a', 'abbr', 'acronym', 'address', 'article', ...]
1 Like
The HTML block content is saved as safe form. In retrospect, this mutation should have been applied on serialization rather then deserialization.