Frappe's `sanitize_html` method escapes some HTML tags

Hi,

I’m adding some customizations to the Website > Web Page doctype, in order to create an easier way to build a website using frappe’s website module.

I’m generating HTML, CSS and JS code from my custom_app and saving it in the html_content field of the Web Page Doctype.

The problem is frappe’s sanitize_html method escapes some of the HTML tags and attributes like…

  • iframe tags
  • data-foo="bar" attributes

I took a sneak peek at the sanitize_html method and I found it reads a list of acceptable tags; the problem is this list is hard-coded.

Can anyone provide a way to add some items to the acceptable list from my custom_app?

Thanks in advance.

I found that the white list is a global variable in html_utils.py, so I’ve added the 2 lines below in my custom_app’s __init__.py file, which append the desired HTML tags and attributes to the whitelisted tags and attributes:

import frappe.utils.html_utils

# Extend the module-level allow lists that sanitize_html reads,
# so the change applies to every caller once the app is loaded
frappe.utils.html_utils.acceptable_elements = frappe.utils.html_utils.acceptable_elements \
    + ["iframe"]
frappe.utils.html_utils.acceptable_attributes = frappe.utils.html_utils.acceptable_attributes \
    + ["data-toggle"]
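Added example, not Frappe's code and not the poster's: a stand-alone allowlist sanitizer modelled on the behaviour the thread describes, so you can see what extending the element and attribute lists changes, plus the check a practitioner would add when admitting iframe: pinning its src to an allowed embed origin. The ACCEPTABLE_* lists, ALLOWED_IFRAME_HOSTS and sample markup are constructed for the example.

```python
# Added example, not Frappe's code: a minimal allowlist sanitizer modelled on the
# thread. Unlisted tags are escaped, unlisted attributes dropped; extending the
# lists admits iframe and data-toggle, and iframe src is pinned to an allowed origin.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-ins for the hard-coded lists in frappe.utils.html_utils.
ACCEPTABLE_ELEMENTS = ["a", "p", "b", "i"]
ACCEPTABLE_ATTRIBUTES = ["href", "title"]
# Assumption: only YouTube embeds are wanted, as in the reply about demo videos.
ALLOWED_IFRAME_HOSTS = {"www.youtube.com", "www.youtube-nocookie.com"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self, elements, attributes):
        super().__init__(convert_charrefs=True)
        self.elements, self.attributes, self.out = set(elements), set(attributes), []

    def attr_ok(self, tag, name, value):
        if name not in self.attributes:
            return False
        if tag == "iframe" and name == "src":  # extra check beyond the plain allowlist
            url = urlparse(value or "")
            return url.scheme == "https" and url.hostname in ALLOWED_IFRAME_HOSTS
        return True

    def handle_starttag(self, tag, attrs):
        if tag not in self.elements:  # unlisted tag: escaped, the symptom in the question
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = [f' {n}="{escape(v or "")}"' for n, v in attrs if self.attr_ok(tag, n, v)]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in self.elements else escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize_html(html, elements=ACCEPTABLE_ELEMENTS, attributes=ACCEPTABLE_ATTRIBUTES):
    parser = AllowlistSanitizer(elements, attributes)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# The forum answer's extension, expressed against this model's lists.
EXTENDED_ELEMENTS = ACCEPTABLE_ELEMENTS + ["iframe"]
EXTENDED_ATTRIBUTES = ACCEPTABLE_ATTRIBUTES + ["src", "data-toggle"]
```

With the default lists an iframe is escaped to text; with the extended lists a YouTube embed survives intact, while an iframe pointing at any other host keeps its tag but loses its src.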

Thank you. Saved the day for adding a YouTube demo video to my item pages.
