
Custom object element ignored and tag stripped

Posted by Andrea Turso 
June 21, 2018 01:51PM


I've followed the documentation around adding custom element definitions. I'm doing this because I need to parse object tags which contain links to an SVG sprite. The markup should look more or less like this:

<object width="width" height="height" class="class_list">
    <svg class="class_list" preserveaspectratio="svg_aspect_ratio" width="widthII" height="heightII">
        <use xlink:href="#section_id"></use>
    </svg>
</object>

To keep things simple I have literally copy pasted the object element definition from HTMLPurifier_HTMLModule_SafeObject, expecting it'd work equivalently to its original counterpart in the built-in module.

My object element is configured as follows (I tried many variations on the theme, but none worked properly).

      $object = $this->addElement(
            'Optional: Flow | #PCDATA',
                // While technically not required by the spec, we're forcing
                // it to this value.
                'type' => 'Enum#application/x-shockwave-flash', // To which I might ask: why?
                'width' => 'Length',
                'height' => 'Length',
                'data' => 'URI#embedded',
                'codebase' => new HTMLPurifier_AttrDef_Enum(

Unfortunately the above declaration fails to purify simple stuff like this


I noticed that setting %HTML.SafeObject = TRUE allows the object tag to appear in the output, but the object.type attribute is forced to shockwave flash, which is the wrong thing to do.

// FROM: library/HTMLPurifier/HTMLModule/SafeObject.php:33
// While technically not required by the spec, we're forcing
// it to this value.
'type' => 'Enum#application/x-shockwave-flash',


// FROM: library/HTMLPurifier/AttrTransform/SafeObject.php
if (!isset($attr['type'])) {
    $attr['type'] = 'application/x-shockwave-flash';
}
return $attr;

This is majorly annoying, especially because the default behaviour of %HTML.SafeObject cannot be changed so that the AttributeFilter stops messing with the object.type attribute.

So my questions are:

  1. Is it possible to create a new object definition that works without requiring %HTML.SafeObject = TRUE?
  2. Alternatively, is it possible to keep %HTML.SafeObject = TRUE but only disable HTMLPurifier_AttrTransform_SafeObject so it doesn't inject "type=application/shockwave-flash" willy nilly?
Re: Custom object element ignored and tag stripped
August 26, 2018 01:29AM

Yes, delete/modify the attribute definitions you don't want. 'type' => 'Enum#application/x-shockwave-flash', replace x-shockwave-flash with the content type you do want, or delete it entirely if you don't want a type.
