Frappe's `sanitize_html` method escapes some HTML tags


I’m adding some customizations to Website > Web Page doctype. In order to be able to create a more easy way to build a website using frappe’s website module.

I’m generating HTML, CSS and JS code from my custom_app and saves it in the html_content field under the Web Page Doctype.

The problem is frappe’s sanitize_html method escapes some of the HTML tags and attributes like…

  • iframe tags
  • data-foo="bar" attributes

I took a sneak peek on sanitize_html method and I found it reads a list of acceptable tags, the problem is this list is hard-coded.

Can anyone provide a way to add some items to the acceptable list from my custom_app?

Thanks in advance.

I found that the white list is a global variable in the so I’ve added the 2 lines below in my custom_app’s file which appends the desired HTML tags and attributes to the whitelisted tags and attributes

frappe.utils.html_utils.acceptable_elements = frappe.utils.html_utils.acceptable_elements \
+ ["iframe"]
frappe.utils.html_utils.acceptable_attributes = frappe.utils.html_utils.acceptable_attributes \
+ ["data-toggle"]

Thank you. Saved the day for adding a YouTube demo video to my item pages.

1 Like