TinyMce Allow all Html tag

Question

I'm using TinyMce and even though the danger of a script attack, I need to enable all html tags with the editor.

Currently, I'm use like:

valid_elements: "@[class],p[style],h3,h4,h5,h6,a[href|target],strong/b,"
              + "div[align],br,table,tbody,thead,tr,td,ul,ol,li,img[src]"

But always need to add something, I want to enable ALL HTML tags with all attributes. Is there such switch that Disables the HTML filtering?

This is a security nightmare waiting to happen... this means you will allow arbitrary HTML code into your program. This is an XSS dream! — avgvstvs, Oct 21 '15 at 17:12
In my case I'm using tinyMCE on a JxBrowser instance in a desktop application, which shouldn't be affected by XSS. I do understand the risk implied, but it would be nice if there was an option to allow all tags (even ) as input if you're *really really* sure. — Roger, Apr 05 '17 at 14:33
this solution also works in modx with TinyMCE Rich Text Editor. just put the ``*[*]`` in valid elements field in the mce system settings. Put this in accepted answer as a comment please, my points are not enough. — Gevorg Hakobyan, Jul 23 '17 at 22:09

score 75 · Accepted Answer · answered Jun 07 '11 at 14:55

75

You can set

valid_elements : '*[*]',

to allow all html tags.

answered Jun 07 '11 at 14:55

Thariama

14

I am using a variant of this one: value_elements:'+*[*]', since the plus sign enables me to have tags without childrens. Like in the context of the tinymce editor on a mezzanine/django/twitter-bootstrap combination. – sw. Aug 24 '12 at 18:38
13

@sw. you mean `valid_elements : '+*[*]',` – LeftyX May 01 '13 at 11:14
@LeftyX yes, sorry. It was valid_elements, no value_elements. – sw. May 02 '13 at 18:32
5

I added this but it still strips doctype, html and head – eozzy Feb 06 '15 at 11:10
@3zzy: doctype, html and head are no html tags that can be used under a BODY tag and are therefor removed by tinymce. The valid_elements definition is only applyable to html elements that can exist under a BODY tag. – Thariama Feb 06 '15 at 11:25
I moved style tags inside body and using @import but still the files are not loaded – eozzy Feb 06 '15 at 11:41
@3zzy: how did you do that - can i show me the code you used? – Thariama Feb 06 '15 at 11:57
Yes, style tags are being stripped with this. – Ben Racicot Mar 03 '15 at 14:42
3

how to keep `` tag in tinyMCE because its removing the ` – Deepti Kakade May 06 '15 at 04:53
Until a better option is offered, I generate the style tags with Javascript: `` – dmcontador Dec 15 '15 at 14:09
still removes anchor tags with onclick (or any javascript). – MC9000 Oct 27 '20 at 17:15

score 4 · Answer 2 · answered Sep 29 '17 at 14:42

4

To keep style tags, use valid_children : "+body[style]"

answered Sep 29 '17 at 14:42

David Caulfield

2 Answers2