Adding HTML classes in posts doesn't appear to work

boisy · May 8, 2017, 3:46am

I am trying to add an adaptive grid to our discourse site. In my custom CSS I have:

.grid {
  display: flex;
  flex-direction: row;
  flex-wrap: wrap;
  max-width: 1000px;
  margin-left: -5px;
  margin-right: -5px;
}

.grid-item {
  max-width: 160px;
  margin-bottom: 20px;
  margin-left: 5px;
  margin-right: 5px;
}

.grid-item img {
  width: 100%;
}

I have a post on our forum here: http://discuss.affectiva.com/t/face-metrics-in-the-emotion-sdk/51 that has the following:

<div class="grid">
  <div class="grid-item">
    <img src="/uploads/affectiva/original/1X/3532685ede3eaf46d50d77d6f545211c56192cc0.jpg" alt="" />
    <p class="thicker">Anger</p>
  </div>

However, the CSS doesn’t seem to take effect. In fact, when I look at the source to the page when I load it, I see that the class=“grid” and class=“grid-item” attributes are gone.

Is discourse stripping the class attributes? If so, can I prevent this from happening?

jomaxro · May 8, 2017, 3:54am

Yes it is. Most HTML in a post is sanitized for security reasons - you wouldn’t want arbitrary scripts to be executed.

You’ll need to whitelist the classes you wish to use. I’d suggest a close reading of this topic, it should help you out:
https://meta.discourse.org/t/whitelisting-some-html-tags/24280?u=jomaxro

boisy · May 8, 2017, 4:12am

Thanks for the reply. This makes sense, and it appears I need to add a specific file with JavaScript indicating what to whitelist.

The only question I have left is how do I access the file system to create this file? We are not hosting our own discourse site, but are paying discourse to host it for us.

codinghorror · May 8, 2017, 4:35am

Only very strict whitelisted HTML is allowed in Markdown. Adding arbitrary classes would be a security disaster.

boisy · May 8, 2017, 12:59pm

I understand. But if I am able to control the CSS, as I am in this case, it should be quite safe, no? I am still unsure how to add this whitelist file. We’re paying discourse for hosting. Surely we can get access to our underlying file system?

sam · May 8, 2017, 1:26pm

To add classes to the white-list you must use a plugin, the sanitization happens server side as well as client side. Custom plugins are an enterprise only feature for us.

If we allow arbitrary classes through all sorts of very strange things can be done by users, like creating a post with “animating and spinning” words, shifting text to a post that is not owned by the user or fixing text on the screen.

Our enterprise customers have the ability to deploy custom plugins. We do not give any customers the ability to directly SSH into running instances.

boisy · May 9, 2017, 7:05pm

Thanks for the clarification. We decided to move that particular page to another site.

Topic		Replies	Views
How to add a class attribute to a table created using markdown support	13	4880	June 7, 2018
What are the different ways to customize content inside a post (custom attributes and such) support	9	1888	May 17, 2022
Post HTML Element Class Being Removed support	11	2481	August 30, 2022
Following on from Adding Unique Class Names feature	19	4349	January 15, 2016
Add an ID or CLASS to an image (within a post) support	5	1218	May 11, 2019

Adding HTML classes in posts doesn't appear to work

Related Topics