Drupal allow onclick
March 17, 2012 10:08AM

Hi guys,

I am administering a Drupal site where we use CKEditor and Filtered HTML using Advanced HTML Purifier for our editors. We want to allow the "onclick" attribute. I tried for hours and can't get it to work. I selected "Trusted" and added tags like input or button. I also allowed *[onclick]. However, the tags are accepted but all onclick attributes are always stripped.

Any ideas how I can get the onclick attribute through the filter?

Re: Drupal allow onclick
March 17, 2012 12:45PM

Not possible (onclick is a clear and present XSS vulnerability).
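The following PHP snippet is an added illustration, not code from the thread or from HTML Purifier itself: it reproduces the configuration the question describes (Trusted mode, button allowed, *[onclick] listed) and shows that the purified output keeps the tag but drops the event handler, then runs a simple check an administrator can apply to stored content. It assumes HTML Purifier is installed through Composer at vendor/autoload.php and that the helper name is a hypothetical one.

```php
<?php
// Added example: mirrors the configuration from the question above.
// Assumes HTML Purifier is loaded via Composer (path is an assumption).
require_once __DIR__ . '/vendor/autoload.php';

$config = HTMLPurifier_Config::createDefault();
// "Trusted" in the Drupal module corresponds to the HTML.Trusted directive;
// it loads the forms module so that <button> and <input> are defined.
$config->set('HTML.Trusted', true);
// Same intent as the question: allow button/input plus onclick on any tag.
// HTML Purifier has no attribute definition for onclick, so this entry
// raises a PHP warning ("not supported") and is otherwise ignored.
$config->set('HTML.Allowed', 'p,button[type],input[type|value],*[onclick]');

$purifier = new HTMLPurifier($config);

// Constructed sample input: what an editor might type into CKEditor.
$input = '<p>Click <button type="button" onclick="alert(\'hi\')">here</button></p>';
$output = $purifier->purify($input);

echo $output, PHP_EOL;
// The button element survives; the onclick attribute does not.

// Hypothetical defender-side check for content already stored in the
// database: flags any attribute whose name starts with "on", i.e. any
// intrinsic event handler that would execute script in a visitor's browser.
function hasEventHandlerAttribute(string $html): bool
{
    return (bool) preg_match('/<[^>]*\son[a-z]+\s*=/i', $html);
}

var_dump(hasEventHandlerAttribute($input));
var_dump(hasEventHandlerAttribute($output));
```

Running the check over existing node bodies is a cheap way to confirm that no event-handler attributes slipped in before the filter was configured.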
