However, the CSS doesn’t seem to take effect. In fact, when I look at the source to the page when I load it, I see that the class=“grid” and class=“grid-item” attributes are gone.
Is discourse stripping the class attributes? If so, can I prevent this from happening?
Thanks for the reply. This makes sense, and it appears I need to add a specific file with JavaScript indicating what to whitelist.
The only question I have left is how do I access the file system to create this file? We are not hosting our own discourse site, but are paying discourse to host it for us.
I understand. But if I am able to control the CSS, as I am in this case, it should be quite safe, no? I am still unsure how to add this whitelist file. We’re paying discourse for hosting. Surely we can get access to our underlying file system?
To add classes to the white-list you must use a plugin, the sanitization happens server side as well as client side. Custom plugins are an enterprise only feature for us.
If we allow arbitrary classes through all sorts of very strange things can be done by users, like creating a post with “animating and spinning” words, shifting text to a post that is not owned by the user or fixing text on the screen.
Our enterprise customers have the ability to deploy custom plugins. We do not give any customers the ability to directly SSH into running instances.