Stripping out HTML attributes regardless of settings
Description
HTML attributes added to the source HTML of a CKEditor field are being stripped out, regardless of config settings in the CP or in the HTML Purifier config file. Attributes such as target="_blank" for external links are critical functionality, yet are still being removed. Class names and other attributes are removed from all elements as well. Unchecking "Purify HTML" in the field's advanced settings has no effect on this. I also tried adding every relevant setting I could find in the links the plugin provides at ckeditor.com and htmlpurifier.org, and they had no effect, even after clearing caches. For example, I tried re-enabling "Purify HTML" and adding settings (i.e. HTML.AllowedAttributes) to the field's selected HTML Purifier JSON file, and it made no difference. Neither did adding settings to the CKEditor Configs in the CP.
The docs at these links aren't specific to Craft, so it's unclear what the preferred method is to handle this, or if all of these settings are even implemented. And I found this question asked multiple times in the Discord group with no responses, leading me to believe that there aren't many users clear on how to handle this.
I believe addressing this should be high priority since it blocks critical functionality like external linking, and because some site editors who understand code need the ability to add HTML that's more complex than what the buttons and custom styles will easily allow.
Steps to reproduce
- Add rich text to an instance of CKEditor including a link.
- Click "Source" button to edit the HTML.
- Add a class attribute with a value to the link or any other element.
- Add target="_blank" to the link.
- Click the "Source" button again and the class and target attribute will instantly be removed.
Additional info
- Craft version: Pro 4.9.1
- PHP version: 8.0.25
- Database driver & version: MariaDB 10.10.2
- Plugins & versions: CKEditor 3.8.3