Set HTML.Trusted for HTMLPurifier.

This gives more control over the allowed elements and attributes to the admin user.
omeka · Apr 17, 2014 · d791293 · d791293
1 parent 06460a0
commit d791293
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/application/libraries/Omeka/Filter/HtmlPurifier.php b/application/libraries/Omeka/Filter/HtmlPurifier.php
@@ -19,7 +19,6 @@ class Omeka_Filter_HtmlPurifier implements Zend_Filter_Interface
         'Core.Encoding' => 'UTF-8',
         'Cache.DefinitionImpl' => null, // Caching disabled
         'Attr.AllowedFrameTargets' => array('_blank'),
-        'Core.Encoding' => 'UTF-8',
         'HTML.TidyLevel' => 'none',
         'HTML.AllowedElements' => array(
             'p', 'br', 'strong', 'em', 'span', 'div', 'ul', 'ol', 'li', 'a', 
@@ -30,7 +29,10 @@ class Omeka_Filter_HtmlPurifier implements Zend_Filter_Interface
         ),
         'HTML.AllowedAttributes' => array(
             '*.style', '*.class', 'a.href', 'a.title', 'a.target'
-        ),   
+        ),
+        // Note: this allows "unsafe" elements/attributes, but only when they
+        // are also in the Allowed lists configured by the user.
+        'HTML.Trusted' => true
     );
 
     /**